EntraExporter

Having trouble with using an App Registration with MSAL - Is this even possible??

Open Ju5t4GuyinT3ch opened this issue 1 year ago • 3 comments

I'm trying to use an App Registration with MSAL to automate the export without needing to use credentials. It's not working for me this way. I did a lot of tinkering and found the script provided below to work with no errors. The script states that it's connected via UserProvidedAccessToken access using the ClientID. After the script has run and completed, nothing shows in the folder that was created for the backup. I have tried this with a folder that already exists as well, and in different drives/folders.

# Define variables
$backupPath = "C:\Backup\EntraBackup\$((Get-Date).ToString('yyyy-MM-dd'))"
$tenantID = 'Tenant ID'  # Replace with your actual Tenant ID
$clientID = 'Application (client) ID'  # Replace with your Application (client) ID
$clientSecret = 'Application (client) secret'  # Replace with your Application (client) secret

# Create backup folder
New-Item -ItemType Directory -Path "$backupPath"

# Scopes required for the backup operation (Microsoft Graph API)
$scopes = @('https://graph.microsoft.com/.default')

# Convert the client secret into a secure string and pass to the New-MsalClientApplication
$secureClientSecret = (ConvertTo-SecureString "$clientSecret" -AsPlainText -Force)

# Install the necessary modules if not already installed
Write-Host 'Installing required modules...'
Install-Module -Name MSAL.PS 
Install-Module -Name Microsoft.Graph.Authentication
Install-Module -Name EntraExporter

# Create the MSAL Confidential Client Application (Service Principal Authentication)
Write-Host 'Authenticating using Service Principal...'
$msalApp = New-MsalClientApplication -clientId $clientID -clientSecret $secureClientSecret -Authority "https://login.microsoftonline.com/$tenantID"

# Acquire the token for Microsoft Graph API
Write-Host 'Acquiring token for Microsoft Graph API...'
$tokenResponse = Get-MsalToken -clientID $clientID -clientSecret $secureClientSecret -tenantID $tenantID -Scopes $scopes

# Make sure a token actually came back before converting it; ConvertTo-SecureString
# throws on a null or empty value, so this check has to come first
if (-not $tokenResponse -or -not $tokenResponse.AccessToken) {
    Write-Host "Failed to obtain access token. Exiting script."
    exit 1
}

# Extract the access token from the response (Connect-MgGraph expects a SecureString)
$graphToken = (ConvertTo-SecureString $tokenResponse.AccessToken -AsPlainText -Force)

Write-Host "Successfully authenticated. Access Token acquired."

# Connect to Microsoft Graph using the acquired token
Write-Host 'Connecting to Microsoft Graph...'
Connect-MgGraph -AccessToken $graphToken

# Connect to Entra ID and perform a full export
Write-Host 'Connecting to Entra ID...' 

# Start the backup process
Write-Host 'Starting backup...'
Export-Entra -Path "$backupPath" -All

Write-Host 'Backup complete...'

Ju5t4GuyinT3ch avatar Oct 24 '24 19:10 Ju5t4GuyinT3ch

This is most probably due to missing scopes in the token.

The readme.md has the list of scopes required for the export.

In addition you don't need to use MSAL.PS for this, the Connect-MgGraph will let you use client credentials.

See the App-only section in this doc: https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0

merill avatar Oct 29 '24 18:10 merill
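The reply above points at the token's scopes. An app-only token carries application permissions in its `roles` claim, so the quickest way to confirm the hypothesis is to decode the token the script already holds in `$tokenResponse.AccessToken` and look at that claim. The snippet below is an added example, not code from the issue or from the EntraExporter project; `Get-JwtPayload` is a hypothetical helper, and the variable names follow the script posted above. It only reads the payload for inspection and does not validate the signature.

```powershell
# Added example (not from the issue or the EntraExporter project): decode the
# payload of the access token returned by Get-MsalToken and show the 'roles'
# claim, which is where application permissions appear for app-only tokens.
# Get-JwtPayload is a hypothetical helper; $tokenResponse comes from the script above.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT (expected header.payload.signature)' }
    # JWTs use base64url: swap the URL-safe characters back and restore padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

$claims = Get-JwtPayload -Token $tokenResponse.AccessToken
"Audience : $($claims.aud)"
"Tenant   : $($claims.tid)"
"App-only : $(([bool]$claims.roles) -and (-not $claims.scp))"
"Roles    : $($claims.roles -join ', ')"
"Expires  : $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime) UTC"

# No 'roles' claim means the app registration has no admin-consented application
# permissions for Graph, so Export-Entra has nothing it is allowed to read.
if (-not $claims.roles) {
    Write-Warning 'Token carries no application roles: grant the application permissions from the EntraExporter readme on the app registration, admin-consent them, then request a new token.'
}
```

If `roles` is empty while the portal shows the permissions as added, the usual cause is that admin consent was not granted, or that delegated rather than application permissions were selected; the token is the authoritative view of what the app can actually do.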

Hey merill, thank you for responding so quickly. I have double-checked the MS Graph permissions, attached the permissions and uploaded the image here of the permissions that I have applied to the API. Do you know if there is a way we can get MSAL.PS to work? We are trying to use MSAL for authentication to remove the need to input credentials and make the script easily automated for a backup run daily. [Image]

Ju5t4GuyinT3ch avatar Oct 30 '24 20:10 Ju5t4GuyinT3ch


Hey merill,

I am still waiting on a response and was wondering if you had any input on what I provided above. If it is not possible to implement this with MSAL, is there another or more recommended way to automate this?

Ju5t4GuyinT3ch avatar Dec 13 '24 19:12 Ju5t4GuyinT3ch

Sorry for the late reply @Ju5t4GuyinT3ch

Please follow this guide to create an app and connect to graph with application permissions.

https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0#app-only-access

merill avatar Nov 16 '25 05:11 merill
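The app-only flow from the linked guide, applied to the daily export, as an added example that is not part of the issue or of the EntraExporter project. It assumes the app registration already has the application permissions listed in the EntraExporter readme granted with admin consent; the tenant and client IDs are placeholders and the secret is read from an environment variable (assumed name `ENTRA_EXPORT_SECRET`) that the scheduler sets, rather than being written into the script. Nothing from MSAL.PS is needed: `Connect-MgGraph` performs the client-credentials sign-in itself.

```powershell
# Added example, not from the issue or the EntraExporter project: app-only
# (client credentials) sign-in with Microsoft.Graph.Authentication, a context
# check, then Export-Entra. IDs are placeholders; ENTRA_EXPORT_SECRET is an
# assumed environment variable populated by the scheduled task.
#Requires -Modules Microsoft.Graph.Authentication, EntraExporter
$ErrorActionPreference = 'Stop'

$tenantId = '<tenant-id>'                 # placeholder
$clientId = '<application-client-id>'     # placeholder
$secret   = $env:ENTRA_EXPORT_SECRET      # assumed; never hard-code the secret
if (-not $secret) { throw 'ENTRA_EXPORT_SECRET is not set' }

$backupPath = Join-Path 'C:\Backup\EntraBackup' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# Client credentials: a PSCredential whose UserName is the app (client) ID and
# whose Password is the client secret. No user account, no interactive prompt.
$cred = [pscredential]::new($clientId, (ConvertTo-SecureString $secret -AsPlainText -Force))
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $cred -NoWelcome

# Sanity check before exporting: the context must be app-only and must carry
# the application permissions the EntraExporter readme lists. An empty Scopes
# list here is the symptom of missing or un-consented permissions.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') { throw "Expected AppOnly context, got $($ctx.AuthType)" }
if (-not $ctx.Scopes) { throw 'Token carries no application permissions; grant and admin-consent them on the app registration' }
"Connected as app $($ctx.ClientId) in tenant $($ctx.TenantId) with: $($ctx.Scopes -join ', ')"

Export-Entra -Path $backupPath -All

# Confirm the export actually wrote files instead of trusting a final message.
$files = Get-ChildItem -Path $backupPath -Recurse -File
if ($files.Count -eq 0) { throw "Export finished but $backupPath is empty" }
"Exported $($files.Count) files to $backupPath"

Disconnect-MgGraph | Out-Null
```

For a scheduled job, a certificate on the app registration (`Connect-MgGraph -ClientId ... -TenantId ... -CertificateThumbprint ...`) avoids keeping a reusable secret on the host at all, and the same `Get-MgContext` check applies unchanged.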