In my work-life, I see often app secrets for unattended scripts are stored in the script itself or in environment variables. And this is even true for apps with high privilege permissions to Azure AD like for example User.ReadWrite.All. This is in particular dangerous for scripts running on on-premises machines in local networks without a Zero-Trust architecture.

I recommend instead using certificated based authentication (or when running in Azure -> Managed Identities)

Create a self-signed X.509 certificate

Install the Microsoft.Graph module and create a self-signed certificate:


# Create certificate
$privateCert = New-SelfSignedCertificate -Subject "MyGraphApp" -CertStoreLocation "cert:\LocalMachine" -NotAfter (Get-Date)
.AddYears(1) -KeySpec KeyExchange

# Export certificate to .cer file
$privateCert | Export-Certificate -FilePath C:\tmp\public.cer

Register and configure an Azure AD App

Next, register a new App in the Azure AD App Registration. In the example, I've called the app "MyGraphApp".

Upload the public.cert under "Certificates & secrets" and note the certificate thumbprint for later.

Assign the app the Graph permissions that you need, for example, User.ReadWrite.All.

Don't forget to grant admin consent afterward.

For your script, you need the Application (client) ID, Tenant ID, and the certificate thumbprint from the app registration.

Connect to the Microsoft Graph with the certificate


Now when can write our script:


# Install the Microsoft.Graph module
Install-Module Microsoft.Graph -Scope AllUsers

# Get certificate from the machine store. Use the thumprint from above
$cert = Get-ChildItem Cert:\LocalMachine\My\078DDE862A516845FEB7A24E431A6EAF4C188131

# Connect to the MS Graph using the client id, tenant id and the certificate
Connect-MgGraph -ClientID 936acea1-56a7-4a5a-8190-7f4dbe0d9963 -TenantId 2cc6d4d2-40f8-43d5-8a11-8986ds84b7se -Certificate $cert

# Execute Graph Cmdlets as needed
Get-MgUser

Welcome To Microsoft Graph!