Client ID and Secret Authentication to Microsoft Graph API
Demonstrating Client ID and Secret Authentication to Microsoft Graph
Authenticating to Microsoft Graph API
In this post, I’ll demonstrate how to authenticate to the Microsoft Graph API using a client ID and client secret in PowerShell. The client secret method is suitable for server-to-server communication, where the application authenticates as itself with a secret rather than on behalf of a signed-in user.
First off, we need to create the app registration in Azure/Entra.
Go to the App Registrations page and click “New registration”.
Give it a name and click “Register”.
On the front page of the new app, also called “Overview”, note down the “Directory (tenant) ID” and the “Application (client) ID”.
Go to the “Certificates & secrets” page and click “New client secret”.
You should now see your new secret. Save it for later, as its value is only shown once and will not be visible on the app registration afterwards.
Now let's take what we just created and ask for a token.
First off, we need to define our variables for authentication: the tenant id, the client id and the secret we made above. In our instance it would be:
# Tenant ID, Client ID, and Client Secret for the MS Graph API
$tenantId = "Your-tenant-id"
$clientId = "Your-client-id"
$clientSecret = "Your-Secret"
Next up, we need to configure the body for authentication. Looking at the Microsoft documentation, we can see that the token endpoint expects the following:
Parameter | Condition | Description |
---|---|---|
tenant | Required | Your tenant id (this goes in the URL path of the token endpoint, not in the body) |
client_id | Required | Your client id |
scope | Required | The resource you want a token for; for Microsoft Graph this is https://graph.microsoft.com/.default, and you only need a different value if you are not going to hit the default endpoint |
client_secret | Required | Your client secret |
grant_type | Required | client_credentials |
Now that we understand what the endpoint expects, we can form our body from that, as shown here:
# Default Token Body
$tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientId
    Client_Secret = $clientSecret
}
Easy as that. Now all we need to do is send a POST request with that body to Azure/Entra for the token, on the endpoint specified in the documentation, “https://login.microsoftonline.com/tenantId/oauth2/v2.0/token”, with our tenant id substituted into the path:
# Request a Token
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method POST -Body $tokenBody
# Output the token response (token_type, expires_in and the access_token itself)
$tokenResponse
And you are done. You now have a token you can use to make API requests to Microsoft Graph; if you need assistance with how to do that, see one of my other blog posts.
Complete Script with Synopsis
<#
.SYNOPSIS
Demonstrates how to authenticate using a client secret with Microsoft Graph API.
.DESCRIPTION
This script shows how to authenticate an application using a client secret.
It requests an access token using the client credentials flow.
.NOTES
MS Docs on how to use the MS Graph API with the client credentials flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
.PARAMETER tenantId
The tenant ID of the Azure AD tenant.
.PARAMETER clientId
The client ID of the registered application.
.PARAMETER clientSecret
The client secret of the registered application.
.EXAMPLE
# Set environment variables for tenantId, clientId, and clientSecret
$env:tenantId = "your-tenant-id"
$env:clientId = "your-client-id"
$env:clientSecret = "your-client-secret"
# The script will output the access token.
#>
# Tenant ID, Client ID, and Client Secret for the MS Graph API, read from the environment
$tenantId = $env:tenantId
$clientId = $env:clientId
$clientSecret = $env:clientSecret
# Default Token Body
$tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientId
    Client_Secret = $clientSecret
}
# Request a Token
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method POST -Body $tokenBody
# Output the token
$tokenResponse
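As an added example that is not part of the original post or script, here is the same token request wrapped in a function that caches the token until shortly before it expires, surfaces the AADSTS error when the secret is wrong, and sanity-checks the token's claims (audience, tenant, app) before it is sent anywhere. It assumes $tenantId, $clientId and $clientSecret are already set as in the script above; the function names Get-GraphAppToken and ConvertFrom-JwtPayload are my own.

```powershell
# Assumes $tenantId, $clientId and $clientSecret are set as in the post (added example, not the post's code)
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # A JWT is header.payload.signature; the payload is base64url-encoded without padding
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$script:graphTokenCache = $null

function Get-GraphAppToken {
    # Reuse the cached token while it has more than five minutes of lifetime left
    $cache = $script:graphTokenCache
    if ($cache -and (Get-Date) -lt $cache.ExpiresOn.AddMinutes(-5)) { return $cache.AccessToken }
    $tokenBody = @{
        grant_type    = "client_credentials"
        scope         = "https://graph.microsoft.com/.default"
        client_id     = $clientId
        client_secret = $clientSecret
    }
    try {
        $resp = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
                                  -Method POST -Body $tokenBody
    }
    catch {
        # A wrong or expired secret comes back as an AADSTS error in the response body, not as a token
        throw "Token request failed: $($_.ErrorDetails.Message)"
    }
    # Local sanity check only (no signature validation; Graph validates the token itself):
    # the token must be for Graph, for our tenant, and issued to our app registration.
    $claims   = ConvertFrom-JwtPayload $resp.access_token
    $appId    = if ($claims.appid) { $claims.appid } else { $claims.azp }
    $graphAud = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    if ($claims.aud -notin $graphAud -or $claims.tid -ne $tenantId -or $appId -ne $clientId) {
        throw "Unexpected token claims: aud=$($claims.aud) tid=$($claims.tid) app=$appId"
    }
    # 'roles' lists the admin-consented application permissions; with none, Graph answers 403
    Write-Verbose ("Application roles granted: " + ($claims.roles -join ', '))
    $script:graphTokenCache = [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresOn   = (Get-Date).AddSeconds([int]$resp.expires_in)
    }
    return $resp.access_token
}

# Every Graph call goes through the cache, so the secret is only sent when a fresh token is needed
$headers = @{ Authorization = "Bearer $(Get-GraphAppToken)" }
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/organization" -Headers $headers
```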