Some exciting news today, the Microsoft Graph SDK V2 has been released and it has some changes which could cause you problems!
You can find out more about the changes here:
https://github.com/microsoftgraph/msgraph-sdk-powershell/blob/dev/docs/upgrade-to-v2.md
The key things to note from an Intune perspective:
- Select-MgProfile is no longer used
- Access token needs to be encrypted
- Beta commands are separate (for example, Select-MgUser would become Select-MgBetaUser)
To get around the connection changes, I have written a new function which detects the version and amends accordingly. So, instead of using connect-mggraph, use the function “connect-tograph” with the same parameters as normal. If you want to use managed identity, this is new to V2 so use Connect-MgGraph, but keep in mind you’ll need the V2 authentication module installed
You can find the code here:
Function Connect-ToGraph {
<#
.SYNOPSIS
Authenticates to the Graph API via the Microsoft.Graph.Authentication module.
.DESCRIPTION
The Connect-ToGraph cmdlet is a wrapper cmdlet that helps authenticate to the Intune Graph API using the Microsoft.Graph.Authentication module. It leverages an Azure AD app ID and app secret for authentication or user-based auth.
.PARAMETER Tenant
Specifies the tenant (e.g. contoso.onmicrosoft.com) to which to authenticate.
.PARAMETER AppId
Specifies the Azure AD app ID (GUID) for the application that will be used to authenticate.
.PARAMETER AppSecret
Specifies the Azure AD app secret corresponding to the app ID that will be used to authenticate.
.PARAMETER Scopes
Specifies the user scopes for interactive authentication.
.EXAMPLE
Connect-ToGraph -TenantId $tenantID -AppId $app -AppSecret $secret
-#>
[cmdletbinding()]
param
(
[Parameter(Mandatory = $false)] [string]$Tenant,
[Parameter(Mandatory = $false)] [string]$AppId,
[Parameter(Mandatory = $false)] [string]$AppSecret,
[Parameter(Mandatory = $false)] [string]$scopes
)
Process {
Import-Module Microsoft.Graph.Authentication
$version = (get-module microsoft.graph.authentication | Select-Object -expandproperty Version).major
if ($AppId -ne "") {
$body = @{
grant_type = "client_credentials";
client_id = $AppId;
client_secret = $AppSecret;
scope = "https://graph.microsoft.com/.default";
}
$response = Invoke-RestMethod -Method Post -Uri https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token -Body $body
$accessToken = $response.access_token
$accessToken
if ($version -eq 2) {
write-host "Version 2 module detected"
$accesstokenfinal = ConvertTo-SecureString -String $accessToken -AsPlainText -Force
}
else {
write-host "Version 1 Module Detected"
Select-MgProfile -Name Beta
$accesstokenfinal = $accessToken
}
$graph = Connect-MgGraph -AccessToken $accesstokenfinal
Write-Host "Connected to Intune tenant $TenantId using app-based authentication (Azure AD authentication not supported)"
}
else {
if ($version -eq 2) {
write-host "Version 2 module detected"
}
else {
write-host "Version 1 Module Detected"
Select-MgProfile -Name Beta
}
$graph = Connect-MgGraph -scopes $scopes
Write-Host "Connected to Intune tenant $($graph.TenantId)"
}
}
} I will be updating all of my scripts to use this new authentication so the change shoud not cause any outages
