How to set scope after connecting to Microsoft Graph using non-interactive method?

Sampath 0 Reputation points
2024-10-03T20:55:14.6966667+00:00

I've successfully connected to Microsoft Graph using a non-interactive method (Client Id, Client Secret), but I'm receiving an Insufficient privileges error when running Get-MgUser due to not setting the scope. I have tried running the commands mentioned in other similar GitHub issues and forum questions, but none of them seem to work.

Is there any way to set the scope via PowerShell after connecting to Microsoft Graph using a non-interactive method?

Get-MgUser : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential 
Welcome to Microsoft Graph!
Connected via apponly access using 0afdcbe7-4b54-491c-8c86-15bf9a538b15
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs
NOTE: You can use the -NoWelcome parameter to suppress this message.
PS P:\> Get-MgContext
ClientId                                : 0afdcbe7-4b54-491c-8c86-15bf9a538b15
TenantId                                : 4880fa0f-81de-4d97-bcd6-0a32cda166f3
Scopes                                  :
AuthType                                : AppOnly
TokenCredentialType                     : ClientSecret
CertificateThumbprint                   :
CertificateSubjectName                  :            
SendCertificateChain                    : False
Account                                 :
AppName                                 : 
UserContextScope                        : Process
Certificate                             :
PSHostVersion                           : 5.1.19041.4894
ManagedIdentityId                       :
ClientSecret                            : System.Security.SecureString
Environment                             : Global

3 answers

  1. Andy David - MVP 147.9K Reputation points MVP
    2024-10-03T21:07:58.64+00:00

    Your connection should be setting the scope and the app needs to have the consented API perms or assigned the relevant role before you connect with the app.

    Guess I'm confused maybe what the issue is?


  2. Hitesh Pachipulusu - MSFT 1,985 Reputation points Microsoft Vendor
    2024-10-04T06:28:22.3633333+00:00

    Hello Sampath,

    Thank you for reaching out to Microsoft Support!

    It looks like you’re encountering an issue with insufficient privileges due to missing permissions when using the Microsoft Graph PowerShell SDK with app-only authentication. Permissions must be specified before the initial connection.

    Here’s how you can specify the required permissions when connecting: Make sure that the application you registered in Azure AD has the necessary API permissions granted and admin consented for the scopes you are requesting.

    If you need to add or modify permissions, you can do so in the Azure portal:

    1. Go to Azure Active Directory > App registrations.
    2. Select your application.
    3. Under API permissions, select Microsoft Graph, Application permissions, add the required permissions (User.Read.All). Refer to documentation.
    4. Click Grant admin consent for the permissions.

    After updating the permissions, try reconnecting to Graph.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  3. Yakun Huang-MSFT 4,640 Reputation points Microsoft Vendor
    2024-10-04T08:31:03.0933333+00:00

    Hello Sampath,

    Thank you for reaching out to Microsoft Support!

    You need to add application permissions to your app in Azure, as shown below:

    [Image]

    After connecting to the Graph via PowerShell, the contents of the scope parameter listed are the permissions that the application has:

    [Image: Screenshot 2024-10-04 082920]

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

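One way to verify what the answers describe from the session itself, as an added example that is not part of the original thread or of the Microsoft Graph SDK: reconnect with a fresh token and compare the application permissions reported by Get-MgContext against what the call needs. The helper name Test-GraphAppPermission is hypothetical; $TenantId and $ClientSecretCredential are assumed to be defined as in the question.

```powershell
# Added example: hypothetical helper, not an SDK cmdlet.
# Assumes $TenantId and $ClientSecretCredential exist as in the question.
function Test-GraphAppPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Required
    )
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected. Run Connect-MgGraph first.' }
    if ($ctx.AuthType -ne 'AppOnly') {
        Write-Warning "AuthType is $($ctx.AuthType); this check targets app-only sessions."
    }
    # In an app-only session, Scopes lists the application permissions
    # the app was granted; it is empty when none are consented.
    $granted = @($ctx.Scopes | Where-Object { $_ })
    $missing = @($Required | Where-Object { $granted -notcontains $_ })
    [pscustomobject]@{
        ClientId = $ctx.ClientId
        Granted  = $granted
        Missing  = $missing
        Ok       = ($missing.Count -eq 0)
    }
}

# Drop any existing session so a new token is requested after consent changes.
if (Get-MgContext) { Disconnect-MgGraph | Out-Null }
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential -NoWelcome

$check = Test-GraphAppPermission -Required 'User.Read.All'
if ($check.Ok) {
    Get-MgUser -Top 5 | Select-Object Id, DisplayName, UserPrincipalName
} else {
    $msg = 'App {0} lacks application permission(s): {1}. ' +
           'Add them under API permissions, grant admin consent, then reconnect.'
    Write-Error ($msg -f $check.ClientId, ($check.Missing -join ', '))
}
```

This check looks only at application permissions; access obtained through a role assigned to the app, as the first answer mentions, is not covered by it.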
