This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 72%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Need help with Graph API access to Azure Active Directory through Enterprise Application. Tried various PowerShell commands unable to get up.
Hi, can you provide more details on what you are trying to do and what specifically is not working?
Hey Andy. Yes, so I have a User offboarding workflow set up that runs various task, one of them is to remove any licenses assigned to the end user. I have a runbook with the following.
The enterprise app does have access to the api
I get the following on the output
Connect-MgGraph : Parameter set cannot be resolved using the specified named parameters. At line:10 char:1 + Connect-MgGraph -ManagedIdentity -Organization "redacted.onm ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (:) [Connect-MgGraph], ParameterBindingException + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph
Get-MgUser : Authentication needed. Please call Connect-MgGraph. At line:13 char:1 + $user = Get-MgUser -UserId $UPN + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-MgUser_Get], AuthenticationException + FullyQualifiedErrorId : Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_Get
I'm a novice take it easy on me lol.
(
[Parameter (Mandatory= $true)]
[string] $UPN
)
#Connect to Exchange Online
Connect-ExchangeOnline -ManagedIdentity -Organization "test.onmicrosoft.com"
# Connect to Microsoft Graph
Connect-MgGraph -ManagedIdentity -Organization "test.onmicrosoft.com" -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"
# Retrieve the user's assigned licenses
$user = Get-MgUser -UserId $UPN
$assignedLicenses = $user.AssignedLicenses | Select-Object -ExpandProperty SkuId
if ($assignedLicenses.Count -gt 0) {
# Remove all licenses
Set-MgUserLicense -UserId $UPN -RemoveLicenses $assignedLicenses -AddLicenses @()
}
# Disconnect from sessions
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph
Yea sounds like you are using the newer version of mggraph that is breaking runbook compatibility.
You may need to step back to 2.25.0
https://learn.microsoft.com/en-us/answers/questions/2278135/getting-failure-with-connect-mggraph
https://office365itpros.com/2025/03/04/powershell-sdk-problems/
I'll try this. Thanks!
not seeing where to specify version in modules.
Are you referring to this? What version do you have installed?
You can run the following PowerShell commands in Azure Cloud Shell to install version 2.25.0:
PowerShellCopy
# Import Microsoft.Graph.Authentication module
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hello ARC,
The error "Authentication needed. Please call Connect-MgGraph" usually occurs due to compatibility issues between newer Microsoft Graph PowerShell modules and PowerShell 7.2 runbooks in Azure Automation.
To resolve this, first delete the latest versions of any Microsoft Graph modules from your Automation Account like this:
Then install modules of version 2.25.0, which is stable for this use case by running below PowerShell script in Azure Cloud Shell:
# Import Microsoft.Graph.Authentication module
$moduleName = 'Microsoft.Graph.Authentication'
$moduleVersion = '2.25.0'
New-AzAutomationModule -AutomationAccountName 'AutAccName' -ResourceGroupName 'rgName' -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion" -RuntimeVersion '7.2'
# Import Microsoft.Graph.Users module
$moduleName = 'Microsoft.Graph.Users'
$moduleVersion = '2.25.0'
New-AzAutomationModule -AutomationAccountName 'AutAccName' -ResourceGroupName 'rgName' -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion" -RuntimeVersion '7.2'
# Import Microsoft.Graph.Users.Actions module
$moduleName = 'Microsoft.Graph.Users.Actions'
$moduleVersion = '2.25.0'
New-AzAutomationModule -AutomationAccountName 'sriautgraph' -ResourceGroupName 'Sri' -Name $moduleName -ContentLinkUri "https://www.powershellgallery.com/api/v2/package/$moduleName/$moduleVersion" -RuntimeVersion '7.2'
Wait until these modules show Available in the portal before testing your runbook.
Make sure to grant LicenseAssignment.ReadWrite.All and User.ReadWrite.All permissions of Application type to managed identity service principal:
You can refer below script to add required Application type permissions:
$msiName = "autaccname"
$graphAppId = "00000003-0000-0000-c000-000000000000"
$permissions = @(
"LicenseAssignment.ReadWrite.All",
"User.ReadWrite.All"
)
$graphSP = Get-AzADServicePrincipal -AppId $graphAppId
foreach ($permission in $permissions) {
$appRole = $graphSP.AppRole | Where-Object {
$_.Value -eq $permission -and $_.Origin -eq "Application"
}
if ($appRole) {
New-AzADServicePrincipalAppRoleAssignment `
-ServicePrincipalDisplayName $msiName `
-ResourceDisplayName $graphSP.DisplayName `
-AppRoleId $appRole.Id
} else {
Write-Warning "Permission '$permission' not found in Microsoft Graph"
}
}
After that, you can run the below modified script to remove any licenses assigned to the end user:
Connect-MgGraph -Identity
$UserId = "******@xxxxxxxx.onmicrosoft.com"
try {
$licenseDetails = Get-MgUserLicenseDetail -UserId $UserId
$skuIds = $licenseDetails.SkuId
if ($skuIds.Count -gt 0) {
$params = @{
addLicenses = @()
removeLicenses = $skuIds
}
$result = Set-MgUserLicense -UserId $UserId -BodyParameter $params
Write-Output "Attempted to remove licenses for user: $UserId"
} else {
Write-Output "User $UserId has no licenses assigned."
}
}
catch {
Write-Error "Failed to remove licenses for user ${UserId}: $_"
}
Disconnect-MgGraph
Response:
Let me know if you still need help with setup or testing. Happy to assist.
Hope this helps!
If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.
If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.
Hello ARC,
I just wanted to know what you have thought about my suggestions, let me know if I can be of help to you. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Modules added
Permissions added
for the runbook for removing licenses, it runs off a form and trigger power automate work flow using UNP or users email from the form. Cant seem to get the syntac correct.
Connect-MgGraph : The term 'Connect-MgGraph' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:8 char:1 + Connect-MgGraph -Identity + ~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Connect-MgGraph:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException
Still cant get past this
Sorry for late response here. I will PM you.