Use app-only authentication

In this article, you learn how to use app-only access for automation scenarios with the Microsoft Entra PowerShell module to manage Microsoft Entra resources.

Important

App-only access grants permissions directly to an application, and requires an administrator to consent to the required permission scopes. Because no user is present at run time, the application permissions you grant are exactly what the script can do, so grant only the scopes the automation needs. For more information on app-only access, see Microsoft identity platform and the OAuth 2.0 client credentials flow.

Prerequisites

To use app-only access with the Microsoft Entra PowerShell module, you need:

Use certificate-based authentication

You need the following information to authenticate with a certificate:

  • Certificate subject or thumbprint of the certificate uploaded to your Microsoft Entra app registration.
  • Application ID for your app registration. To get the Application ID, see: Create a custom application.
  • Your tenant ID.

In this section, you learn how to use a certificate to authenticate with the Microsoft Entra PowerShell module. You can authenticate with the certificate thumbprint, the certificate subject name, or the certificate object itself. The examples assume the app registration has already been granted admin consent for the required permissions, which requires an administrator with at least the Privileged Role Administrator role.

Use Certificate Thumbprint

$params = @{
    ClientId = 'YOUR_APP_ID'
    TenantId = 'YOUR_TENANT_ID'
    CertificateThumbprint = 'YOUR_CERT_THUMBPRINT'
}

Connect-Entra @params

To find the certificate thumbprint in the Microsoft Entra admin center, navigate to Identity > App registrations > Certificates & secrets > Certificates. Select the certificate and copy its thumbprint.

Alternatively, you can list the certificates in your personal certificate store, including their thumbprints, with the following PowerShell command:

Get-ChildItem Cert:\CurrentUser\My

Use Certificate name

$params = @{
    ClientId = 'YOUR_APP_ID'
    TenantId = 'YOUR_TENANT_ID'
    CertificateName = 'YOUR_CERT_SUBJECT'
}

Connect-Entra @params

You can find the certificate subject by running the following command, where $CertThumbprint holds the thumbprint from the previous section:

Get-ChildItem Cert:\CurrentUser\My\$CertThumbprint | Select-Object Subject

Use a certificate

# $CertThumbprint holds the thumbprint of the certificate uploaded to the app registration
$Cert = Get-ChildItem Cert:\CurrentUser\My\$CertThumbprint
Connect-Entra -ClientId 'YOUR_APP_ID' -TenantId 'YOUR_TENANT_ID' -Certificate $Cert

To use a certificate stored in the machine's certificate store or in another location, point Get-ChildItem at that path instead (for example, Cert:\LocalMachine\My\$CertThumbprint). A certificate in a .pfx file can be loaded with Get-PfxCertificate and passed to -Certificate the same way.

If the authentication succeeds, you see the message Welcome To Microsoft Graph!. Run Get-EntraContext to verify that you're authenticated with the app-only method: AuthType shows AppOnly and Account is empty because no user is signed in. The output should look like the following.

ClientId              : YOUR_APP_ID
TenantId              : YOUR_TENANT_ID
CertificateThumbprint :
Scopes                : {Group.Read.All, User.Read.All}
AuthType              : AppOnly
CertificateName       : YOUR_CERT_SUBJECT
Account               :
AppName               : {Your Awesome Application Name Here}
ContextScope          : Process
Environment           : Global
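The following script, added here as a worked example rather than taken from the original article, walks the certificate procedure end to end: it creates a self-signed certificate with a non-exportable private key, exports only the public part for upload to the app registration, then connects with the thumbprint and checks that the resulting context is app-only in the expected tenant. New-SelfSignedCertificate and Export-Certificate come from the Windows PKI module, so this part runs on Windows PowerShell or PowerShell 7 on Windows. YOUR_APP_ID, YOUR_TENANT_ID and the subject name CN=EntraAutomation are placeholders you must replace.

```powershell
# Added example, not from the original article. Replace the placeholder values.
$ClientId = 'YOUR_APP_ID'
$TenantId = 'YOUR_TENANT_ID'
$Subject  = 'CN=EntraAutomation'   # assumed subject name; choose your own

# 1. Create the certificate in the current user's personal store. The private key is
#    marked non-exportable, so it cannot be copied off this host; only the public
#    .cer file is uploaded to the app registration.
$Cert = New-SelfSignedCertificate -Subject $Subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddMonths(12)

# 2. Export the public certificate (no private key) for upload under
#    App registrations > Certificates & secrets > Certificates.
$CerPath = Join-Path $env:TEMP 'EntraAutomation.cer'
Export-Certificate -Cert $Cert -FilePath $CerPath | Out-Null
Write-Host "Upload $CerPath to the app registration. Thumbprint: $($Cert.Thumbprint)"

# 3. After the upload and admin consent, connect with the thumbprint and verify
#    that the session is app-only and in the tenant you intended.
Connect-Entra -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $Cert.Thumbprint

$Context = Get-EntraContext
if ($Context.AuthType -ne 'AppOnly' -or $Context.TenantId -ne $TenantId) {
    throw "Expected an AppOnly session in tenant $TenantId, got $($Context.AuthType) in tenant $($Context.TenantId)."
}
Write-Host "Connected app-only as $($Context.AppName); scopes: $($Context.Scopes -join ', ')"
```

Step 3 fails until the .cer file has been uploaded and consent granted, which is the intended order. Because the key is non-exportable, a second automation host needs its own certificate uploaded to the same app registration rather than a copy of this one.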

Use client secret credentials

The client credentials grant authenticates and authorizes the app to access resources on its own behalf. Connect-Entra supports client secret authentication through the -ClientSecretCredential parameter, which takes a PSCredential whose user name is the application (client) ID and whose password is the client secret. See Get-Credential on how to get or create credentials.

$ClientSecretCredential = Get-Credential -Credential 'Client_Id'
# Enter client_secret in the password prompt.
Connect-Entra -TenantId 'Tenant_Id' -ClientSecretCredential $ClientSecretCredential

To create or add a client secret, see: Add a client secret.

Note

We recommend PowerShell 7 or later when using the client secret credential authentication method.
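The Get-Credential prompt above is interactive, which does not suit unattended automation. The following script is an added example, not code from the original article: it builds the same PSCredential without a prompt from a secret that the pipeline or host injects through an environment variable (ENTRA_CLIENT_SECRET is an assumed name), refuses to run if the secret is missing instead of falling back to a prompt, and verifies the resulting context. YOUR_APP_ID and YOUR_TENANT_ID are placeholders.

```powershell
# Added example, not from the original article. The secret is never written into the script;
# it is read from an environment variable set by the automation host (assumed name).
$ClientId = 'YOUR_APP_ID'
$TenantId = 'YOUR_TENANT_ID'

$SecretText = $env:ENTRA_CLIENT_SECRET
if ([string]::IsNullOrWhiteSpace($SecretText)) {
    throw 'ENTRA_CLIENT_SECRET is not set; refusing to fall back to an interactive prompt.'
}

# Build the PSCredential that -ClientSecretCredential expects:
# user name = application (client) ID, password = client secret.
$Secret = ConvertTo-SecureString -String $SecretText -AsPlainText -Force
$ClientSecretCredential = [System.Management.Automation.PSCredential]::new($ClientId, $Secret)
Remove-Variable -Name SecretText   # drop the plaintext copy once the SecureString exists

Connect-Entra -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential

# Confirm that the session is app-only and belongs to the intended tenant.
$Context = Get-EntraContext
if ($Context.AuthType -ne 'AppOnly' -or $Context.TenantId -ne $TenantId) {
    throw "Expected an AppOnly session in tenant $TenantId, got $($Context.AuthType) in tenant $($Context.TenantId)."
}
Write-Host "Connected app-only to $($Context.TenantId) as client $($Context.ClientId)"
```

A client secret is a bearer credential: anyone who obtains it can act as the app until it expires or is rotated, so keep it in the host's secret store, set an expiry when you create it, and prefer a certificate or a managed identity where the platform allows.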

Use managed identity

A common challenge when writing automation scripts is the management of secrets, credentials, certificates, and keys used to secure communication between services. You can eliminate the need to manage credentials by letting the module obtain access tokens through a managed identity for Azure resources that are protected by Microsoft Entra ID. The Azure platform manages the identity and doesn't require you to create or rotate any secrets. Managed identity sign-in works only when the script runs on an Azure resource (for example, a virtual machine, an Azure Automation account, or an Azure Functions app) that has a managed identity enabled; it doesn't work from a developer workstation.

  • System-assigned managed identity - Uses an automatically managed identity on a service instance. The identity is tied to the lifecycle of a service instance.

    Connect-Entra -Identity
    
  • User-assigned managed identity - Uses a user-created managed identity that exists as a standalone Azure resource and can be assigned to more than one service instance.

    Connect-Entra -Identity -ClientId 'User_Assigned_Managed_identity_Client_Id'
    
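The following runbook-style script is an added example, not code from the original article. It covers both cases above in one place: it uses the system-assigned identity by default and switches to a user-assigned identity when a client ID is supplied (UAMI_CLIENT_ID is an assumed environment variable name), fails with a clear message when token acquisition is not possible on the current host, and confirms that the context is app-only before doing any work.

```powershell
# Added example, not from the original article. Leave UAMI_CLIENT_ID unset to use the
# system-assigned identity; set it to the client ID of a user-assigned identity otherwise.
param(
    [string]$UserAssignedClientId = $env:UAMI_CLIENT_ID
)

$ConnectParams = @{ Identity = $true }
if (-not [string]::IsNullOrWhiteSpace($UserAssignedClientId)) {
    # Connect-Entra -Identity -ClientId <client id> selects a user-assigned identity.
    $ConnectParams['ClientId'] = $UserAssignedClientId
}

try {
    Connect-Entra @ConnectParams -ErrorAction Stop
}
catch {
    # Token acquisition fails when the host is not an Azure resource with a managed
    # identity enabled, or when the requested user-assigned identity is not attached.
    throw "Managed identity sign-in failed. Run this on an Azure resource with the identity enabled and assigned: $($_.Exception.Message)"
}

# Do not proceed on a session that is anything other than app-only.
$Context = Get-EntraContext
if ($Context.AuthType -ne 'AppOnly') {
    throw "Expected an AppOnly session, got $($Context.AuthType)."
}
Write-Host "Connected with managed identity $($Context.ClientId) in tenant $($Context.TenantId)"
```

Because the identity has no secret to rotate, the only thing left to manage is the set of application permissions assigned to it; review those as you would for any app registration.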

Next steps