PowerShell automate Authentication with Intune query.

Robert Stacks 20 Reputation points
2023-05-30T14:52:26.89+00:00

Hi all, hopefully I'm just missing something here. I'm trying to automate the authentication of a script. The script doesn't really matter as I can cause this error with two simple commands.

I run connect-mggraph to authenticate using a Client ID, TenantID, and Cert like this and it works fine.

Connect-MgGraph -ClientID YOUR_APP_ID -TenantId YOUR_TENANT_ID -CertificateName YOUR_CERT_SUBJECT

Then I run Get-MgAuditLogDirectoryAudit, which returns data as expected.

However when I then run Get-IntuneManagedDevice I get the following.

PS C:\WINDOWS\system32> Get-IntuneManagedDevice
Get-IntuneManagedDevice : Not authenticated.  Please use the "Connect-MSGraph" command to authenticate.
At line:1 char:1
+ Get-IntuneManagedDevice
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : AuthenticationError: (:) [Get-DeviceManagement_ManagedDevices], InvalidOperationException
    + FullyQualifiedErrorId : PowerShellGraphSDK_NotAuthenticated,Microsoft.Intune.PowerShellGraphSDK.PowerShellCmdlets.Get_DeviceManagement_ManagedDevices

Any idea what I am doing wrong? The only way I can get this command to work is if I manually authenticate or pass credentials using the old method to authenticate.

Connect-MSGraph -PSCredential $creds

I've tried this in both PowerShell 5.1 and 7 and get the same results.

Here are the versions of the modules I have installed:

Version    Name
-------    ----
1.27.0     Microsoft.Graph.Authentication
6.1907.1.0 Microsoft.Graph.Intune
1.27.0     Microsoft.Graph.Reports
3.1.0.0    Microsoft.PowerShell.Management
3.1.0.0    Microsoft.PowerShell.Utility
2.0.0      PSReadline

Thanks in advance for any help or advice!

Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Intune | Other

2 answers

  1. Robert Stacks 10 Reputation points
    2023-06-02T14:37:15.1466667+00:00

    Yep you are going down the same rabbit hole I went down. But it doesn't work with an App registration in Azure AD for authentication for automation. But I finally figured it out.

    The root of the problem is that Microsoft is transitioning PowerShell commands away from anything using the "Ms" label to the "Mg" label, which is really confusing if the cmdlet doesn't actually have "Ms" in its name.

    So here is what I learned and got working in terms of automation.

    Old commands use Connect-MsGraph to authenticate; new commands use Connect-MgGraph. So if you want to fully automate your logins using an App ID in Azure AD, you have to use the new Connect-MgGraph like so.

    Connect-MgGraph -ClientID YOUR_APP_ID -TenantId YOUR_TENANT_ID -CertificateName YOUR_CERT_SUBJECT
    

    Then you run the associated Get-Mg* commands.

    In my case the following commands, Ms based, were replaced by the following Mg commands, even though they didn't have Ms in the cmdlet.

    Get-AzureADAuditSignInLogs gets replaced with Get-MgAuditLogSignIn

    Get-IntuneManagedDevice gets replaced with Get-MgDeviceManagementManagedDevice

    2 people found this answer helpful.
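
The approach described in the answer above, written out as an unattended script. This is an added example, not code posted by anyone in the thread; it assumes the Microsoft.Graph.DeviceManagement module is installed and that the app registration has been granted the DeviceManagementManagedDevices.Read.All application permission, and it reuses the thread's placeholder values.

```powershell
# Added example: unattended Intune device inventory with app-only certificate auth.
# Placeholders are the ones used in the thread; replace them with your own values.
$ClientId = 'YOUR_APP_ID'
$TenantId = 'YOUR_TENANT_ID'
$CertName = 'YOUR_CERT_SUBJECT'
# Assumption: the app registration holds this read-only application permission.
$RequiredRole = 'DeviceManagementManagedDevices.Read.All'

$ErrorActionPreference = 'Stop'

# The Mg cmdlets live in the Microsoft.Graph.* modules, not in Microsoft.Graph.Intune.
foreach ($module in 'Microsoft.Graph.Authentication', 'Microsoft.Graph.DeviceManagement') {
    if (-not (Get-Module -ListAvailable -Name $module)) {
        throw "Module $module is not installed. Run: Install-Module $module -Scope CurrentUser"
    }
    Import-Module $module
}

try {
    # Certificate-based sign-in: no password or PSCredential object is stored in the script.
    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateName $CertName | Out-Null

    # Confirm the session is what the automation expects before querying.
    $context = Get-MgContext
    if ($null -eq $context) { throw 'Connect-MgGraph did not establish a session.' }
    if ($context.AuthType -ne 'AppOnly') {
        throw "Expected app-only authentication, got '$($context.AuthType)'."
    }
    if ($context.Scopes -notcontains $RequiredRole) {
        Write-Warning "Token does not list $RequiredRole; the device query may be denied."
    }

    # Replacement for Get-IntuneManagedDevice; it runs in the Connect-MgGraph session.
    $devices = Get-MgDeviceManagementManagedDevice -All |
        Select-Object DeviceName, OperatingSystem, ComplianceState, LastSyncDateTime, UserPrincipalName

    $devices | Sort-Object LastSyncDateTime | Format-Table -AutoSize
    Write-Output "Managed devices returned: $(@($devices).Count)"
}
finally {
    # Drop the cached token so it does not outlive the job.
    if (Get-MgContext) { Disconnect-MgGraph | Out-Null }
}
```
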

  2. Lu Dai-MSFT 28,496 Reputation points
    2023-05-31T02:31:46.2766667+00:00

    @Robert Stacks Thanks for posting in our Q&A.

    For this issue, I have done the test in my lab.

    I installed the Intune module, imported it and connected to Microsoft Graph with the following commands:

    Install-Module Microsoft.Graph.Intune
    
    Import-Module Microsoft.Graph.Intune  
    
    Connect-MSGraph
    
    

    Then a page will pop up and I use my Intune global admin account to sign in.


    When I use the following command, I can get device details.

    Get-IntuneManagedDevice 
    


    Hope it will help.



