Connect-MsolService -AdGraphAccessToken $token


I am planning an automation that needs to frequently fetch DELETED users using the command line below. With the collected data I perform cleanup in AzDO.


# $limit is assumed to be a [DateTime] cutoff; comparing the DateTime directly (not an "MM-dd-yyyy" string) gives a correct date ordering
$deletedUsersfromAAD = Get-MsolUser -ReturnDeletedUser -EnabledFilter EnabledOnly -MaxResults 500 | Where-Object { $_.SoftDeletionTimestamp -gt $limit } | Sort-Object -Property SoftDeletionTimestamp
But when I run the pipeline it gets stuck at Connect-MsolService because every time a login window pops up for authentication. How can I bypass the pop-up authentication while using "Connect-MsolService"?

Or it would be great if there is an alternative to fetch only the deleted (soft-deleted) AAD users list, instead of indexing the entire AAD.

Last time I toyed with this, you needed to use both -AdGraphAccessToken and -MsGraphAccessToken to make it work.

...how to generate these tokens? Any link to documentation or something that helps to understand the process?

thx

@Vasil Michev after reviewing numerous articles I was able to write some code. I have no problem with MSGraphToken but it fails on ADGraphToken. I'm not sure if I create it correctly. If you managed to somehow use this method I'd appreciate it if you shared the code.


I also found this: https://github.com/Azure/azure-docs-powershell-azuread/issues/246 but I don't understand if you can log on using both tokens or whether it is not working any more...


What I was able to do:

$TenantId = '********'
$ClientId = '*********'
$ClientSecret = '**********'

# The v2.0 token endpoint requires a 'scope' in the client_credentials request; the two
# requests differ only in that scope (the token audience): Microsoft Graph vs. the older Azure AD Graph.
$MSGraphBody = @{
    'tenant' = $TenantId
    'client_id' = $ClientId
    'client_secret' = $ClientSecret
    'grant_type' = 'client_credentials'
    'scope' = 'https://graph.microsoft.com/.default'
}

$MSParams = @{
    'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    'Method' = 'Post'
    'Body' = $MSGraphBody
    'ContentType' = 'application/x-www-form-urlencoded'
}

$ADGraphBody = @{
    'tenant' = $TenantId
    'client_id' = $ClientId
    'client_secret' = $ClientSecret
    'grant_type' = 'client_credentials'
    'scope' = 'https://graph.windows.net/.default'
}

$ADParams = @{
    'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    'Method' = 'Post'
    'Body' = $ADGraphBody
    'ContentType' = 'application/x-www-form-urlencoded'
}

# Each response carries the token in .access_token
$ADAuthResponse = Invoke-RestMethod @ADParams
$MSAuthResponse = Invoke-RestMethod @MSParams
Connect-MsolService -AdGraphAccessToken $ADAuthResponse.access_token -MsGraphAccessToken $MSAuthResponse.access_token
 
+ Connect-MsolService -AdGraphAccessToken $ADAuthResponse.access_token ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Connect-MsolService], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InvalidHeaderException,Microsoft.Online.Administration.Automation.ConnectMsolService
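An added example, not code from the thread, that covers both the original ask for a way to list only soft-deleted users without an interactive login and the client-credentials token request above: it takes an app-only Microsoft Graph token and reads the directory/deletedItems endpoint, so Connect-MsolService is not needed at all. The tenant id, client id and secret are placeholders, and it assumes an app registration granted the User.Read.All (or Directory.Read.All) application permission with admin consent.

```powershell
# Added example: app-only listing of soft-deleted users via Microsoft Graph (no MSOnline module).
# Placeholders below; in a pipeline, read the secret from a secret variable rather than hardcoding it.
param(
    [string]$TenantId     = '<tenant-id>',
    [string]$ClientId     = '<app-client-id>',
    [string]$ClientSecret = $env:GRAPH_CLIENT_SECRET
)

function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # The v2.0 client_credentials flow requires a 'scope' ending in /.default
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    return $resp.access_token
}

function Get-SoftDeletedUsers {
    param([string]$Token, [datetime]$DeletedAfter)
    $headers = @{ Authorization = "Bearer $Token" }
    # deletedItems holds objects for the 30-day soft-delete window only; the type segment
    # restricts it to users, and the loop follows @odata.nextLink to fetch every page.
    $uri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user' +
           '?$select=id,userPrincipalName,displayName,deletedDateTime&$top=999'
    $results = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $results += $page.value
        $uri = $page.'@odata.nextLink'
    }
    # deletedDateTime is an ISO-8601 string; cast it so the cutoff comparison is a real date comparison
    return $results |
        Where-Object { [datetime]$_.deletedDateTime -gt $DeletedAfter } |
        Sort-Object { [datetime]$_.deletedDateTime }
}

$token = Get-GraphAppToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$deletedUsersfromAAD = Get-SoftDeletedUsers -Token $token -DeletedAfter (Get-Date).AddDays(-7)
$deletedUsersfromAAD | Format-Table userPrincipalName, deletedDateTime
```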

@nExoR nExoiS 


Did you (or anyone else) find a solution to this issue?

I'm trying to run a few msol commands in a script to collect information, and need to use a spn/access token to authenticate.

@Sgbjrn I have not, and no support found :(

Is this still not possible?