Thanks
CodePudding user response:
Your App Registration has the incorrect permissions. There are two types of permissions: delegated (aka scope) and application (aka role).
Reference: Permission types
For an "interactive" session, your app will be interacting on behalf of the user, therefore it uses delegated permissions.
For a "non-interactive" session, your app will be acting as itself, so it needs application-type permissions.
When connecting as an application ("non-interactive"), you also don't specify the -Scopes parameter.
CodePudding user response:
To identify the permissions needed to run a specific cmdlet of the Microsoft.Graph module, you can use the Find-MgGraphCommand cmdlet, e.g.:
(Find-MgGraphCommand -Command Get-MgUser).Permissions
To identify which permissions are assigned to the current session, you can use the Get-MgContext cmdlet, e.g.:
(Get-MgContext).Scopes
If you run an interactive session, you have to specify the scopes, e.g.:
Connect-MgGraph -Scopes User.Read.All
To connect in the context of a service principal by using a certificate, you can do:
# Get the certificate used as the secret from the Windows certificate store
# ($CertificateThumbprint holds the thumbprint of the certificate uploaded to the app registration)
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $CertificateThumbprint }
# Establish the app-only connection (no -Scopes here)
Connect-MgGraph -Certificate $cert -TenantId [tenantId] -ClientId [clientId]
BTW, clientId = objectId of the service principal.
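The two answers above leave the reader to compare the output of Find-MgGraphCommand and Get-MgContext by eye. The following is an added example, not code from either answer, that turns that comparison into a reusable check: it looks up which permissions can satisfy a cmdlet, compares them with the scopes or roles the current session token carries, and reports whether the session is delegated or app-only. The function name Test-MgCommandPermission and the variables $thumb, $tenantId and $clientId in the usage comments are my own; it assumes the Microsoft.Graph.Authentication module is installed, and that the permissions Find-MgGraphCommand lists are alternatives (any one of them suffices for the call).

```powershell
# Added example (not from the answers above): check whether the current
# Microsoft Graph PowerShell session carries a permission that satisfies a
# given cmdlet, and report whether that session is delegated or app-only.
# Assumes the Microsoft.Graph.Authentication module is installed
# (Find-MgGraphCommand and Get-MgContext both live there).
#Requires -Modules Microsoft.Graph.Authentication

function Test-MgCommandPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Command
    )

    # Get-MgContext returns $null when nothing is connected yet.
    $context = Get-MgContext
    if (-not $context) {
        throw "Not connected. Run Connect-MgGraph first."
    }

    # Find-MgGraphCommand returns one entry per API version (v1.0 and beta);
    # each entry lists the permissions any ONE of which is enough to call it.
    # Flatten the entries and de-duplicate the permission names.
    $candidates = @(Find-MgGraphCommand -Command $Command -ErrorAction Stop |
        ForEach-Object { $_.Permissions } |
        Select-Object -ExpandProperty Name -Unique)

    if ($candidates.Count -eq 0) {
        throw "No permission information found for '$Command'."
    }

    # Scopes in the context are the claims the current token carries:
    # delegated scopes for an interactive session, app roles for app-only.
    # String comparison with -in is case-insensitive, matching Graph's behaviour.
    $held = @($context.Scopes)
    $matching = @($candidates | Where-Object { $_ -in $held })

    [pscustomobject]@{
        Command     = $Command
        AuthType    = $context.AuthType   # 'Delegated' or 'AppOnly'
        Account     = $context.Account    # $null for app-only sessions
        Candidates  = $candidates         # permissions that would satisfy the call
        HeldScopes  = $held               # what the session token actually carries
        Satisfied   = ($matching.Count -gt 0)
        SatisfiedBy = $matching
    }
}

# Usage 1: interactive (delegated) session, then the check.
# Connect-MgGraph -Scopes 'User.Read.All'
# Test-MgCommandPermission -Command Get-MgUser

# Usage 2: app-only session with a certificate. No -Scopes here; the roles in
# the token are whatever application permissions were granted to the app
# registration (with admin consent). $thumb, $tenantId and $clientId are
# placeholders you fill in.
# $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
# Connect-MgGraph -TenantId $tenantId -ClientId $clientId -Certificate $cert
# Test-MgCommandPermission -Command Get-MgUser
```

If Satisfied comes back $false in an app-only session, the fix is in the app registration (grant the application permission and admin-consent it), not in Connect-MgGraph; if it comes back $false in a delegated session, reconnect with the missing scope in -Scopes and consent to it.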