msgraph-sdk-powershell
msgraph-sdk-powershell copied to clipboard
microsoftgraph
Add Support for Managed Service Identity
Connect-MgGraph should support Managed Service Identity (MSI) for scenarios where customers need to use client secrets to authenticate in a non-interactive mode.
We currently do not support client secrets due to the security risks they pose to scripts. This is why MSAL recommends customers use certificates instead.
MSI would help bridge this gap by eliminating the security concerns that client secrets pose. See https://devblogs.microsoft.com/devops/demystifying-service-principals-managed-identities/.
Related to: #125, https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/142#issuecomment-600819834 AB#10049
Isn't this already possible by passing an accesstoken to Connect-MgGraph -AccessToken ?
@jannickoeben Yes, but that requires a user to use some other mechanism to get the token.
@adamedx I'm not sure how add-MgEnviroment could help here.
@jannickoeben @darrelmiller, this should work as a work-around while MSI is not an option:
Connect-AzAccount -Identity
$token = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com"
Connect-MgGraph -AccessToken $token.Token
Closed by https://github.com/microsoftgraph/msgraph-sdk-powershell/pull/1462. The feature will be available in v2 of the SDK.
Closed by #1462. The feature will be available in v2 of the SDK.
Is there a public roadmap available to show when the release for v2 is being targeted? @peombwa @darrelmiller
An issue I've found with using Get-AzAccessToken and Connect-MgGraph's -AccessToken parameter is that the context scope is always "process" by default. So if I connect and disconnect in one script while another is running, Graph will disconnect and effectively "break" the running script.
Will the -Identity parameter solve that? Right now I'm having to work around it by checking Get-MgContext in every script to see whether the process is already connected.
