Editar

Compartilhar via


Use delegated authentication

This article explains how to use delegated access with the Microsoft Entra PowerShell module. Delegated access allows an application to perform actions on behalf of a user who is currently signed in. This scenario is ideal for one-time management tasks and environments that require manual sign-in, like those using multifactor authentication (MFA). It also makes it easier to test scripts, learn, and manage tasks spontaneously without the need to set up service principals or other app-only authentication methods that don't involve user interaction.

While the delegated access method of authentication is the recommended sign-in method, you can also use other interactive authentication methods such as:

  • Authorization code flow
  • Device code flow
  • Access token

In this article, you learn the various ways of signing into Microsoft Entra PowerShell to manage your Microsoft Entra resources.

Prerequisites

To connect to Microsoft Entra PowerShell with delegated access, you need:

In this section, you learn how to use delegated access with a custom application to connect to module. You can tailor the custom application to your specific needs to isolate and limit the permissions granted for the module's usage.

Run the following command to connect to the module with delegated access using a custom application. You need to sign in with at least a Cloud Application Administrator role.

Connect-Entra -Scopes 'User.Read.All', 'Group.ReadWrite.All' -ClientId <your-custom-app-id>

To get the -ClientId value, referred to as your-custom-app-id in the example, follow the steps in the Create a custom application guide.

Other sign-in methods

In this section, you learn how to use other sign-in methods to connect to Microsoft Entra PowerShell.

Use authorization code flow

The module's default sign-in authentication method uses a web browser and access token to sign in. To sign in interactively, use the Connect-Entra cmdlet, which uses an interactive browser-based sign-in prompt by default.

Connect-Entra

It opens your default browser and initiates authorization code flow to load Microsoft Entra sign-in page.

For example, to get a user's details, add the -Scopes parameter to supply a list of required permissions.

Connect-Entra -Scopes 'User.Read.All', 'Group.ReadWrite.All'

Use device code flow authentication method

The device code flow instructs you to open a browser page at microsoft.com/devicelogin and enter the code displayed in your PowerShell session.

Connect-Entra -Scopes 'User.Read.All', 'Group.ReadWrite.All' -UseDeviceCode

Use your access token

The next example assumes you already have an access token. See How to get access token from the token endpoint.

$accessToken = '{my-securely-acquired-token}'
$secureString = ConvertTo-SecureString -String $accessToken -AsPlainText -Force
Connect-Entra -AccessToken $secureString

Use passwordless authentication

Passwordless authentication is a method of verifying a user’s identity without the use of a password. Passwords are a primary attack vector and passwordless authentication is a strategy to mitigate attacks where bad actors use social engineering, phishing, and spray attacks to compromise passwords.

Microsoft Entra PowerShell supports the following passwordless authentication methods:

  • Windows Hello for Business
  • Fast ID Online v2.0 (FIDO2)
  • Microsoft Authenticator app
  • Certificate-based authentication (CBA)

Note

FIDO2 security keys option is only supported on PowerShell 7 and above.

For more information, see Passwordless authentication options for Microsoft Entra ID.

Common errors and troubleshooting tips

Common authentication errors include:

  • "Insufficient privileges to complete the operation" - The error occurs if your credentials are incorrect or you lack the necessary permissions to access the Microsoft Entra resource.
  • "The term ‘cmdlet name’ is not recognized as the name of a cmdlet" - The error indicates that the Microsoft Entra PowerShell module isn't installed or loaded. Ensure you install and load the correct module for the cmdlet you wish to use

For a detailed guide on troubleshooting common errors, see: Troubleshooting guide.

Next steps