Running Microsoft Graph PowerShell SDK Scripts

Better Methods Exist to Run Microsoft 365 PowerShell Scripts

I am bemused when I read articles advising Microsoft 365 tenant administrators to run PowerShell scripts using the Windows Task Scheduler. I understand the reason why people use the Task Scheduler. It's easy, built into Windows, allows scripts to run unattended (always an advantage when dealing with long-running scripts), and gets the job done. On the other hand, the Task Scheduler is an old-fashioned utility that struggles to handle modern PowerShell implementations. A better method exists for IT Pros to use.

Running Microsoft Graph PowerShell SDK Scripts

To illustrate the points, I created a simple PowerShell script that uses the Microsoft Graph PowerShell SDK to find user accounts created in the last year and export details to a CSV file.

# Member accounts created in the last year (createdDateTime is compared as an ISO 8601 UTC timestamp)
$Users = Get-MgUser -Filter "usertype eq 'Member' and CreatedDateTime ge $([datetime]::UtcNow.AddYears(-1).ToString("s"))Z" -All -Property Id, DisplayName, UserPrincipalName, CreatedDateTime
$Users = $Users | Select-Object Id, UserPrincipalName, DisplayName, CreatedDateTime
$Users | Export-Csv -NoTypeInformation c:\temp\UsersLastYear.CSV

After making sure that the script ran successfully in an interactive session, I created a task. Everything ran as expected when running a task with a signed-in account. Problems started when attempting to run scripts when a user is not signed in because Task Scheduler won't accept credentials from an Azure AD account (Figure 1).

Figure 1: Properties of a task in Task Scheduler

You can argue that this is not a big issue. In most cases, people stay signed into their workstations, and tasks can run successfully.

Moving on to the credentials required to connect to a PowerShell endpoint, the script ran without a hitch because the Task Scheduler launched PowerShell and invoked the Connect-MgGraph cmdlet. The Microsoft Graph PowerShell SDK automatically uses cached credentials and picks up the set of consented Graph permissions held by the service principal for the SDK app. In effect, the task runs as if the workstation owner started PowerShell and ran the script, which is a problem. For one thing, the set of effective permissions available to run SDK cmdlets depends on the signed-in account. If the signed-in account holds some Azure AD administrative roles, the permissions available are more extensive than when someone else signs in. This is because the permissions consented for the SDK app are delegated, meaning that when the SDK cmdlets run, they can access data available to that user and nothing more.

Use Azure AD Registered Apps

A better and more secure approach is to use an Azure AD-registered app and connect the SDK to the app using a certificate. This allows more precise control over the set of permissions available to the script. It also means that the script uses application permissions instead of delegated permissions. Finally, it removes the dependency on a specific signed-in account.
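As an added example (not the article's own code), here is the same user export rewritten for the app-only approach just described: certificate authentication to an Azure AD registered app, with a check that the session really is app-only and holds the one application permission the script needs. The tenant id, client id and certificate thumbprint are placeholders, and the User.Read.All grant and the certificate store location are assumptions.

```powershell
# Added example: the user export run app-only through an Azure AD registered app
# and a certificate, so it no longer depends on whoever is signed in to the workstation.
# Placeholders to replace: tenant id, app (client) id and certificate thumbprint.
# Assumptions: the app registration has been granted and admin-consented the application
# permission User.Read.All, and the certificate's private key is in a store the task
# account can read (for example Cert:\LocalMachine\My).
$TenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder
$ClientId   = '11111111-1111-1111-1111-111111111111'   # placeholder
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'           # placeholder

# App-only connection: no cached user credentials, no delegated permissions
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint -ErrorAction Stop

# Fail closed if the session is not app-only or the app lacks the permission this script needs
$Context = Get-MgContext
if ($Context.AuthType -ne 'AppOnly') {
    throw "Expected an app-only session, got '$($Context.AuthType)'"
}
if ($Context.Scopes -notcontains 'User.Read.All') {
    throw "App is missing User.Read.All (granted: $($Context.Scopes -join ', '))"
}

# Same query as the interactive script: member accounts created in the last year
$Since = [datetime]::UtcNow.AddYears(-1).ToString('s') + 'Z'
$Users = Get-MgUser -Filter "userType eq 'Member' and createdDateTime ge $Since" -All `
    -Property Id, DisplayName, UserPrincipalName, CreatedDateTime

$Users | Select-Object Id, UserPrincipalName, DisplayName, CreatedDateTime |
    Export-Csv -NoTypeInformation -Path C:\temp\UsersLastYear.csv

Disconnect-MgGraph | Out-Null
```

Because the app holds only User.Read.All, the script cannot reach anything beyond user directory data even if the account running the task is a tenant administrator.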