
I have been using the Graph API in PowerShell with application permissions for a while now, and I would like to explore how delegated permissions work.

I came across this website, which is great: https://morgantechspace.com/2021/10/how-to-register-and-configure-azure-ad-application-from-azure-ad-portal.html

I basically copied and ran the code below after I created the app. When I ran the code, an MFA prompt popped up, which is what I expected. However, I was never able to choose another account to log on with. It always defaults to the account I used to run PowerShell. Is there any way I could get around it?


# Get-MsalToken comes from the MSAL.PS module (Install-Module MSAL.PS)
Import-Module MSAL.PS

# Provide your tenant Id
$TenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# Provide Application (client) Id of your app
$AppClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

$MsalParams = @{
    ClientId = $AppClientId
    TenantId = $TenantId
    Scopes   = "https://graph.microsoft.com/User.Read"
}

# Interactive sign-in for a delegated (user) token
$MsalResponse = Get-MsalToken @MsalParams
$AccessToken  = $MsalResponse.AccessToken

1 Answer


We tried the same by following the given article and were able to select our other account (Admin) and get the access token successfully.

Here is the workaround we tried:

  • Created an app registration, provided the redirect URI, and gave the API permission with admin consent granted, as shown below.


And created a client secret and copied its value to use in the further steps.

After doing the above, we opened PowerShell in run-as-administrator mode and ran the same code with our credentials:

# Connect-AzAccount comes from the Az.Accounts module; Get-MsalToken from MSAL.PS
Import-Module Az.Accounts
Import-Module MSAL.PS

# Select and connect to the required account for this operation
Connect-AzAccount

# Provide your Office 365 tenant domain name or tenant Id
$TenantId = "1xxxxxxxxxxxxxxxxxxxxxxxx20"
#$TenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Provide Application (client) Id of your app
$AppClientId = "5xxxxxxxxxxxxxxxxxx5e"

$MsalParams = @{
    ClientId = $AppClientId
    TenantId = $TenantId
    Scopes   = "https://graph.microsoft.com/User.Read.All"
}

# Interactive sign-in for a delegated (user) token
$MsalResponse = Get-MsalToken @MsalParams
$AccessToken  = $MsalResponse.AccessToken

After running it, you will be redirected to a prompt asking whether to use the default login account or another account. Select another account and provide the credentials.


NOTE: You can use Connect-AzAccount and from there select another account and provide your details; when it redirects to ask for login, you can select that account from the pop-up itself, provide your password, and it will work. Also try restarting PowerShell once; that might help as well.

For more information, please refer to this SO thread: Running PowerShell as another user, and launching a script.

AjayKumarGhose
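The behaviour both the question and the answer describe (the token silently going to the already logged-on Windows account) comes from Get-MsalToken trying silent and Integrated Windows Authentication before falling back to an interactive prompt. The following is an added example, not code from the question, the answer, or the linked article: it forces the account picker with the `-Interactive` and `-Prompt SelectAccount` parameters of the MSAL.PS module, then inspects the returned token so you can confirm it is a delegated token (`scp` claim) for the account you chose rather than an application token (`roles` claim) before calling Graph. It assumes MSAL.PS is installed, that the app registration has a public-client redirect URI such as `http://localhost`, and uses placeholder tenant and client Ids; `Get-JwtPayload` is a helper defined here, not part of MSAL.PS.

```powershell
# Added example, not part of the original post. Assumes the MSAL.PS module
# (Install-Module MSAL.PS) and an app registration configured as a public
# client (Mobile and desktop applications redirect URI, e.g. http://localhost).
Import-Module MSAL.PS

$TenantId    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder
$AppClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder

# Delegated scope, kept to the minimum the script needs. No client secret is
# involved: this is a user sign-in, not the client-credentials (application) flow.
$Scopes = @("https://graph.microsoft.com/User.Read")

# -Interactive skips the silent / Integrated Windows Auth attempts that would
# otherwise reuse the logged-on Windows account, and -Prompt SelectAccount
# forces the account picker so a different user can be chosen.
$MsalResponse = Get-MsalToken -ClientId $AppClientId -TenantId $TenantId `
    -Scopes $Scopes -Interactive -Prompt SelectAccount

# Helper (defined here, not an MSAL.PS function): decode the JWT payload so the
# script can check which claims the token carries. This is a local inspection
# only; Graph tokens are issued for Graph and are not validated by the client.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) {
        2 { $part += '==' }
        3 { $part += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

$Claims = Get-JwtPayload -Jwt $MsalResponse.AccessToken

# A delegated token carries 'scp' (the consented user scopes) and identifies the
# user; an application token would carry 'roles' and no user. Stop if the token
# is not the kind we asked for, or went to an unexpected account.
if (-not $Claims.scp) {
    throw "Expected a delegated token with an 'scp' claim; got roles: $($Claims.roles)"
}
Write-Host "Signed in as $($MsalResponse.Account.Username)"
Write-Host "Delegated scopes granted: $($Claims.scp)"

# Call Graph as the selected user. /me only works with a delegated token.
$Headers = @{ Authorization = "Bearer $($MsalResponse.AccessToken)" }
$Me = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me" -Headers $Headers
$Me | Select-Object displayName, userPrincipalName
```

Requesting `User.Read` rather than `User.Read.All` matches the comment below about wanting the user to consent to what the app can do: `User.Read` needs only the user's own consent, whereas `User.Read.All` requires admin consent, which is why the answer's walkthrough had to grant it in the portal.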
  • Ajay, thank you so much for your effort in trying to recreate my issue. I was able to resolve my issue when I reran the PowerShell script using an admin account, which then allowed me to choose another account, although I don't really know why. – Blue Tongue Jul 23 '22 at 12:44
  • As far as this issue goes, there is actually no need to create a client secret and grant admin consent. My intention is that I want the user to be able to consent to the app request, but not to access them without their consent. – Blue Tongue Jul 23 '22 at 12:46
  • For other queries you may create a new question providing the details so that we can assist you better. Thank you :) – AjayKumarGhose Jul 23 '22 at 16:44