Using Microsoft Graph PowerShell to create Script that is authenticated only by username & password ?

Question

Hi All,

With the deprecated Powershell methods:

https://learn.microsoft.com/en-us/powershell/module/msonline/set-msoluserlicense?view=azureadps-1.0
https://learn.microsoft.com/en-us/powershell/module/azuread/set-azureaduserlicense?view=azureadps-2.0

What's the best solution to allow me to create a single Powershell script that can be used by all of my technicians authenticated by Username & Password only?
Each of the Technicians will be granted a User Access Administrator role.

Thank you so much for your attention and participation.

Answer 1

Hello @EnterpriseArchitect , in order to allow users to assign licenses trough PowerShell you can leverage the Set-MgUserLicense cmdlet. Users do not need to belong to an administrative role. Just ensure to use an access token with the User.ReadWrite.All scope and previously, to grant admin wide consent using the Connect-MgGraph cmdlet.

Here is an example:

Admin consent (one time):

   Get-MsalToken -ClientId <CLIENT ID. EG:  14d82eec-204b-4c2f-b7e8-296a70dab67e for 'Microsoft Graph PowerShell'> -Scope "User.ReadWrite.All" -TenantId <TENANT ID>  

Script content (Requires MSAL.PS):

   $AccessToken=(Get-MsalToken -ClientId <SAME CLIENT ID AS BEFORE> -Scope "User.ReadWrite.All" -TenantId <TENANT ID>).AccessToken  
   Connect-MgGraph -AccessToken $AccessToken  
   Set-MgUserLicense -UserId '<TARGET USER ID>' -AddLicenses @{SkuId = <SKU ID>} -RemoveLicenses @()  

As a security measure you can restrict access to the used client enterprise application to selected users.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.