Connect-MicrosoftTeams
The Connect-MicrosoftTeams cmdlet connects an authenticated account for use with cmdlets from the MicrosoftTeams module.
Syntax
Connect-MicrosoftTeams
[-TenantId ]
[-Credential ]
[-AccountId ]
[-LogLevel ]
[-LogFilePath ]
[-TeamsEnvironmentName ]
[-UseDeviceAuthentication]
[-WhatIf]
[-Confirm]
[]
Connect-MicrosoftTeams
-TenantId
-Certificate
-ApplicationId
[-LogLevel ]
[-LogFilePath ]
[-WhatIf]
[-Confirm]
[]
Connect-MicrosoftTeams
-TenantId
-CertificateThumbprint
-ApplicationId
[-LogLevel ]
[-LogFilePath ]
[-WhatIf]
[-Confirm]
[]
Connect-MicrosoftTeams
[-TenantId ]
-AccessTokens
[-LogLevel ]
[-LogFilePath ]
[-WhatIf]
[-Confirm]
[]
Description
The Connect-MicrosoftTeams cmdlet connects to Microsoft Teams with an authenticated account for use with cmdlets from the MicrosoftTeams PowerShell module. After executing this cmdlet, you can disconnect from MicrosoftTeams account using Disconnect-MicrosoftTeams.
Note: With versions 4.x.x or later, enablement of basic authentication is not needed anymore in commercial, GCC, GCC High, and DoD environments.
Examples
Example 1: Connect to MicrosoftTeams
This example connects to an Azure account. You must provide a Microsoft account or organizational ID credentials. If multi-factor authentication is enabled for your credentials, you must log in using the interactive option.
Connect-MicrosoftTeams
Account Environment Tenant TenantId
------- ----------- ------------------------------------ ------------------------------------
user@contoso.com AzureCloud xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Example 2: Connect to MicrosoftTeams
The first command prompts for user credentials and stores them in the $Credential variable. The second command connects to an Azure account using the credentials stored in $credential. This account authenticates with Azure using organizational ID credentials.
$credential = Get-Credential
Connect-MicrosoftTeams -Credential $credential
Account Environment Tenant TenantId
------- ----------- ------------------------------------ ------------------------------------
user@contoso.com AzureCloud xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Example 3: Connect to MicrosoftTeams in a specific environment
This example connects to an Azure account in a specific environment. You must provide a Microsoft account or organizational ID credentials. If multi-factor authentication is enabled for your credentials, you must log in using the interactive option.
Connect-MicrosoftTeams -TeamsEnvironmentName TeamsGCCH
Account Environment Tenant TenantId
------- ----------- ------------------------------------ ------------------------------------
user@contoso.com TeamsGCCH xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Example 4: Connect to MicrosoftTeams using a certificate thumbprint
This example demonstrates how to authenticate using a certificate thumbprint. Application-based authentication has been reintroduced with version 4.7.1-preview. For details and supported cmdlets, please see Application-based authentication in Teams PowerShell Module.
Connect-MicrosoftTeams -CertificateThumbprint "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -ApplicationId "00000000-0000-0000-0000-000000000000" -TenantId "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
Example 5: Connect to MicrosoftTeams using a certificate object
This example demonstrates how to authenticate using a certificate object. The Certificate parameter is available from Teams PowerShell Module version 4.9.2-preview or later. For details about application-based authentication and supported cmdlets, see Application-based authentication in Teams PowerShell Module.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\exampleCert.pfx",$password)
Connect-MicrosoftTeams -Certificate $cert -ApplicationId "00000000-0000-0000-0000-000000000000" -TenantId "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
Example 6: Connect to MicrosoftTeams using Application-based Access Tokens
This example demonstrates how to authenticate with an application using Access Tokens. Access Tokens can be retrieved via the login.microsoftonline.com endpoint. It requires two Access Tokens: "MS Graph" and "Skype and Teams Tenant Admin API" resources.
Application-based authentication has been reintroduced with version 4.7.1-preview. For details and supported cmdlets, see Application-based authentication in Teams PowerShell Module.
$ClientSecret = "..."
$ApplicationID = "00000000-0000-0000-0000-000000000000"
$TenantID = "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
$graphtokenBody = @{
Grant_Type = "client_credentials"
Scope = "https://graph.microsoft.com/.default"
Client_Id = $ApplicationID
Client_Secret = $ClientSecret
}
$graphToken = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" -Method POST -Body $graphtokenBody | Select-Object -ExpandProperty Access_Token
$teamstokenBody = @{
Grant_Type = "client_credentials"
Scope = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
Client_Id = $ApplicationID
Client_Secret = $ClientSecret
}
$teamsToken = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" -Method POST -Body $teamstokenBody | Select-Object -ExpandProperty Access_Token
Connect-MicrosoftTeams -AccessTokens @("$graphToken", "$teamsToken")
Example 7: Connect to MicrosoftTeams using Access Tokens in the delegated flow
This example demonstrates how to sign in using Access Tokens. Admin can retrieve Access Tokens via the login.microsoftonline.com endpoint. It requires two tokens, MS Graph Access Token and Teams Resource token.
A delegated flow, such as Resource Owner Password Credentials (ROPC) or device code, must be used, with the following delegated app permissions required.
API | Grant type | Permission |
---|---|---|
Microsoft Graph | Delegated | User.Read.All |
Microsoft Graph | Delegated | Group.ReadWrite.All |
Microsoft Graph | Delegated | AppCatalog.ReadWrite.All |
Microsoft Graph | Delegated | TeamSettings.ReadWrite.All |
Microsoft Graph | Delegated | Channel.Delete.All |
Microsoft Graph | Delegated | ChannelSettings.ReadWrite.All |
Microsoft Graph | Delegated | ChannelMember.ReadWrite.All |
Skype and Teams Tenant Admin API | Delegated | user_impersonation |
$ClientID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$ClientSecret = "..."
$ClientSecret = [Net.WebUtility]::URLEncode($ClientSecret)
$TenantID = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$Username = "user@contoso.onmicrosoft.com"
$Password = "..."
$Password = [Net.WebUtility]::URLEncode($Password)
$URI = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token"
$Body = "client_id=$ClientID&client_secret=$ClientSecret&grant_type=password&username=$Username&password=$Password"
$RequestParameters = @{
URI = $URI
Method = "POST"
ContentType = "application/x-www-form-urlencoded"
}
$GraphToken = (Invoke-RestMethod @RequestParameters -Body "$Body&scope=https://graph.microsoft.com/.default").access_token
$TeamsToken = (Invoke-RestMethod @RequestParameters -Body "$Body&scope=48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default").access_token
Connect-MicrosoftTeams -AccessTokens @($GraphToken, $TeamsToken)
Account Environment Tenant TenantId
------- ----------- ------------------------------------ ------------------------------------
user@contoso.com AzureCloud xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Parameters
-AadAccessToken (Removed from version 2.3.2-preview)
Specifies an Azure Active Directory Graph access token.
Warning
This parameter has been removed from version 2.3.2-preview.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AccessTokens
Specifies access tokens for "MS Graph" and "Skype and Teams Tenant Admin API" resources. Both the tokens used should be of the same type.
Application-based authentication has been reintroduced with version 4.7.1-preview. For details and supported cmdlets, see Application-based authentication in Teams PowerShell Module.
Delegated flow - The following steps must be performed by Tenant Admin in the Azure portal when using your own application.
Steps to configure the Microsoft Entra application.
- Go to Azure portal and go to App Registrations.
- Create or select the existing application.
- Add the following permission to this Application.
- Click API permissions.
- Click Add a permission.
- Click on the Microsoft Graph, and then select Delegated permissions.
- Add the following permissions: "AppCatalog.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All", "TeamSettings.ReadWrite.All", "Channel.Delete.All", "ChannelSettings.ReadWrite.All", "ChannelMember.ReadWrite.All".
- Next, we need to add "Skype and Teams Tenant Admin API" resource permission. Click Add a permission.
- Navigate to "APIs my organization uses"
- Search for "Skype and Teams Tenant Admin API", and then select Delegated permissions.
- Add all the listed permissions.
- Grant admin consent to both Microsoft Graph and "Skype and Teams Tenant Admin API" name.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AccountId
Specifies the ID of an account.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ApplicationId
Specifies the application ID of the service principal that is used in application-based authentication.
This parameter has been reintroduced with version 4.7.1-preview. For more information about Application-based authentication and supported cmdlets, see Application-based authentication in Teams PowerShell Module.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Certificate
Specifies the certificate that is used for application-based authentication. A valid value is the X509Certificate2 object value of the certificate.
This parameter has been introduced with version 4.9.2-preview. For more information about application-based authentication and supported cmdlets, see Application-based authentication in Teams PowerShell Module.
Type: | X509Certificate2 |
Aliases: | CertificateThumbprint |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CertificateThumbprint
Specifies the certificate thumbprint of a digital public key X.509 certificate of an application that has permission to perform this action.
This parameter has been reintroduced with version 4.7.1-preview. For more information about Application-based authentication and supported cmdlets, see Application-based authentication in Teams PowerShell Module.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Credential
Specifies a PSCredential object. For more information about the PSCredential object, type Get-Help Get-Credential.
The PSCredential object provides the user ID and password for organizational ID credentials.
Type: | PSCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Identity
Login using managed service identity in the current environment. For *-Cs cmdlets, this is supported from version 5.8.1-preview onwards.
Note
This is currently only supported in commercial environments. A few cmdlets that don't support application-based authentication are not supported either.
Type: | SwitchParameter |
Aliases: | MSI, ManagedService |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LogFilePath
The path where the log file for this PowerShell session is written to. Provide a value here if you need to deviate from the default PowerShell log file location.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LogLevel
Specifies the log level. The acceptable values for this parameter are:
- Info
- Error
- Warning
- None
The default value is Info.
Type: | LogLevel |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ManagedServiceHostName
Host name for managed service login.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ManagedServicePort
Port number for managed service login.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ManagedServiceSecret
Secret, used for some kinds of managed service login.
Type: | SecureString |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-MsAccessToken (Removed from version 2.3.2-preview)
Specifies a Microsoft Graph access token.
Warning
This parameter has been removed from version 2.3.2-preview.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TeamsEnvironmentName
Specifies the Teams environment. The following environments are supported:
- Commercial or GCC environments: Don't use this parameter, this is the default.
- GCC High environment: TeamsGCCH
- DoD environment: TeamsDOD
- Microsoft Teams operated by 21Vianet: TeamsChina
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TenantId
Specifies the ID of a tenant.
If you do not specify this parameter, the account is authenticated with the home tenant.
You must specify the TenantId parameter to authenticate as a service principal or when using Microsoft account.
Type: | String |
Aliases: | Domain, TenantDomain |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UseDeviceAuthentication
Use device code authentication instead of a browser control.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |