The Microsoft Graph PowerShell SDK lets you manage Entra ID, Exchange Online, Intune, SharePoint, Teams, and the rest of Microsoft 365 from a single unified API. The cmdlet you use to sign in is Connect-MgGraph, and it supports everything from a quick interactive login to fully unattended automation. This guide covers every authentication method, with working code for each.

Quick answer: Install the module with Install-Module Microsoft.Graph, then run Connect-MgGraph -Scopes "User.Read.All". A browser window opens for you to sign in and consent. For automation without a user, use a client secret, a certificate, or a managed identity (all shown below).


Install the Microsoft Graph PowerShell Module

Open PowerShell as administrator and install the SDK:

Install-Module -Name Microsoft.Graph -Scope CurrentUser

Connect-MgGraph lives in the Microsoft.Graph.Authentication module, which is installed automatically as part of Microsoft.Graph. You do not need to install both — Microsoft.Graph pulls in the full set of sub-modules. If you only need to authenticate and call the API directly with Invoke-MgGraphRequest, you can install just the lightweight authentication module instead:

Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser

Note: Use PowerShell 7 or later where possible, especially for client-secret and certificate authentication.


Method 1: Interactive Sign-In (Delegated Access)

This is the most common way to connect and the one most people are looking for. You don't need to register your own application — the SDK uses the built-in Microsoft Graph PowerShell enterprise application.

Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"

A browser window opens, you sign in, and you consent to the scopes (permissions) you requested. The session then acts as you, limited to what both you and the requested scopes allow.

If you're on a remote/headless machine where a browser can't open, use device code flow instead:

Connect-MgGraph -Scopes "User.Read.All" -UseDeviceAuthentication

This prints a code and a URL (microsoft.com/devicelogin) that you open on any device to complete the sign-in.


Verify Your Connection

After connecting, confirm who you are and which scopes you hold with Get-MgContext:

Get-MgContext

To list just the consented scopes:

Get-MgContext | Select-Object -ExpandProperty Scopes

Run a quick test query. Note that Get-MgUser with no -UserId returns all users (a collection), so use -Top for a sample:

Get-MgUser -Top 5 | Select-Object DisplayName, UserPrincipalName

Or call any Graph endpoint directly with Invoke-MgGraphRequest — useful for APIs that don't yet have a dedicated cmdlet:

Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
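The following is an added example, not code from the original article: a small helper that reads Get-MgContext and verifies the session actually holds every scope a script needs before the script touches any data, so a missing permission fails immediately rather than halfway through a run. It assumes you have already signed in with Connect-MgGraph; the function name and the scope list are illustrative.

```powershell
# Added example (not from the original article): confirm the current session
# holds every scope a script needs before it does any work.
# Assumed: Connect-MgGraph has already been run; Test-MgRequiredScope is a
# hypothetical helper name.
function Test-MgRequiredScope {
    param(
        [Parameter(Mandatory)]
        [string[]] $RequiredScopes
    )

    $context = Get-MgContext
    if (-not $context) {
        throw 'Not connected. Run Connect-MgGraph first.'
    }

    # Scope names compare case-insensitively; Get-MgContext returns exactly
    # the scopes consented to for this session.
    $missing = @($RequiredScopes | Where-Object { $context.Scopes -notcontains $_ })

    [pscustomobject]@{
        Account       = $context.Account
        AuthType      = $context.AuthType      # Delegated or AppOnly
        ContextScope  = $context.ContextScope  # CurrentUser or Process
        MissingScopes = $missing
        Ok            = ($missing.Count -eq 0)
    }
}

# Usage: request only what the script needs, then verify before reading data.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
$check = Test-MgRequiredScope -RequiredScopes 'User.Read.All', 'Group.Read.All'
if (-not $check.Ok) {
    Write-Warning "Missing scopes: $($check.MissingScopes -join ', ')"
    # Re-connect with the full set; the SDK prompts for the additional consent.
    Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All' -NoWelcome
}
else {
    Get-MgUser -Top 5 | Select-Object DisplayName, UserPrincipalName
}
```

Requesting the minimal scope set up front and checking it this way keeps the consented permissions as narrow as the script genuinely needs, which is easier to review than a session that accumulated scopes over several interactive logins.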

Method 2: App-Only with a Client Secret (Unattended)

For scripts that run without a signed-in user — scheduled tasks, CI pipelines — use app-only authentication. This requires an app registration (see the Registering an App in Entra ID section below) with Application permissions and admin consent granted.

Connect-MgGraph does not take a raw secret string. You build a PSCredential where the user name is the client (application) ID and the password is the secret value, then pass it with -ClientSecretCredential:

# Your app registration values
$ApplicationClientId     = '<application-client-id>'
$ApplicationClientSecret = '<client-secret-value>'
$TenantId                = '<directory-tenant-id>'

# Convert the secret to a secure string and build a PSCredential
$SecureClientSecret = ConvertTo-SecureString -String $ApplicationClientSecret -AsPlainText -Force
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList $ApplicationClientId, $SecureClientSecret

# Connect app-only
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $ClientSecretCredential

Security tip: Never hard-code secrets in scripts. Store them in Azure Key Vault, a credential manager, or an environment variable. Better still, use a certificate or managed identity (below) so there's no secret to leak or rotate.
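As an added example (not from the original article) of the security tip above, here is a client-secret sign-in that reads the application ID, tenant ID and secret from environment variables instead of the script body, keeps the token out of the on-disk cache with -ContextScope Process, and always disconnects in a finally block; it anticipates the Disconnecting section below. The environment variable names and the helper function name are assumptions.

```powershell
# Added example (not from the original article): app-only sign-in with a
# client secret read from environment variables rather than hard-coded.
# Assumed variable names: GRAPH_CLIENT_ID, GRAPH_TENANT_ID, GRAPH_CLIENT_SECRET.
function Connect-MgGraphFromEnv {
    foreach ($name in 'GRAPH_CLIENT_ID', 'GRAPH_TENANT_ID', 'GRAPH_CLIENT_SECRET') {
        if ([string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($name))) {
            throw "Environment variable $name is not set."
        }
    }

    # The secret only ever exists as a SecureString inside the PSCredential.
    $secure = ConvertTo-SecureString -String $env:GRAPH_CLIENT_SECRET -AsPlainText -Force
    $cred   = [System.Management.Automation.PSCredential]::new($env:GRAPH_CLIENT_ID, $secure)

    # -ContextScope Process: the token is not written to the shared token
    # cache, so nothing outlives this PowerShell process.
    Connect-MgGraph -TenantId $env:GRAPH_TENANT_ID `
                    -ClientSecretCredential $cred `
                    -ContextScope Process -NoWelcome

    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected an app-only session, got $($ctx.AuthType)."
    }
    return $ctx
}

try {
    $ctx = Connect-MgGraphFromEnv
    Write-Host "Connected as app $($ctx.ClientId) in tenant $($ctx.TenantId)"

    # Work goes here. App-only sessions have no signed-in user, so there is
    # no /me; query objects explicitly.
    Get-MgUser -Top 5 -Property DisplayName, UserPrincipalName |
        Select-Object DisplayName, UserPrincipalName
}
finally {
    # Drop the session even if the work above throws.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
}
```

In a CI pipeline the three variables would be injected from the pipeline's secret store; on a workstation they can be populated from Azure Key Vault or the OS credential manager just before the script runs, so the secret never lands in source control or shell history.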


Method 3: App-Only with a Certificate (Recommended for Automation)

A certificate is more secure than a client secret because the private key never leaves the machine. Upload the certificate's public key to your app registration, then connect by referencing the certificate in your local store:

# By thumbprint
Connect-MgGraph -ClientId "<application-client-id>" -TenantId "<tenant-id>" -CertificateThumbprint "<cert-thumbprint>"

# Or by subject name
Connect-MgGraph -ClientId "<application-client-id>" -TenantId "<tenant-id>" -CertificateName "CN=MyGraphApp"

The certificate must be present in Cert:\CurrentUser\My\ or Cert:\LocalMachine\My\ before you call Connect-MgGraph.
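The following is an added example, not from the original article, showing the full certificate workflow: generate a non-exportable self-signed certificate for the automation app, export only the public half for upload to the app registration, and then connect by looking the certificate up by subject and refusing to use one that has expired. New-SelfSignedCertificate and Export-Certificate are the Windows PKI module cmdlets; the subject name, output path, IDs and the helper function name are placeholders.

```powershell
# Added example (not from the original article): create a non-exportable
# certificate, export the public half for upload, then connect by thumbprint.
# Assumed: Windows PKI module (New-SelfSignedCertificate, Export-Certificate);
# subject, path and IDs below are placeholders.
$Subject = 'CN=MyGraphApp'
$CerPath = Join-Path $env:TEMP 'MyGraphApp.cer'

# The private key stays in the user store and cannot be exported; only the
# public certificate is written to disk for upload to the app registration.
$cert = New-SelfSignedCertificate -Subject $Subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
Write-Host "Upload $CerPath under Certificates & secrets -> Certificates."
Write-Host "Thumbprint: $($cert.Thumbprint)"

# Later, in the automation script: find the certificate by subject, skip any
# without a private key, reject an expired one, and connect app-only.
function Connect-MgGraphWithCert {
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $Subject
    )
    $cert = Get-ChildItem -Path 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    if (-not $cert) {
        throw "No certificate with subject '$Subject' and a private key was found."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
    }

    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId `
        -CertificateThumbprint $cert.Thumbprint -ContextScope Process -NoWelcome
    Get-MgContext
}

Connect-MgGraphWithCert -ClientId '<application-client-id>' -TenantId '<tenant-id>' -Subject $Subject
```

Choosing the newest certificate by NotAfter lets you upload a replacement to the app registration ahead of expiry and roll over without editing the script; the old certificate can then be removed from the store and the registration.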


Method 4: Managed Identity (Azure Automation & Azure VMs)

If your script runs inside Azure — an Automation runbook, a Function, or an Azure VM — a managed identity removes credential management entirely. There's no secret or certificate to store or rotate.

# System-assigned managed identity
Connect-MgGraph -Identity

# User-assigned managed identity
Connect-MgGraph -Identity -ClientId "<user-assigned-managed-identity-client-id>"

Grant the managed identity the required Application permissions on Microsoft Graph first (via PowerShell or the Entra portal), the same way you would for an app registration.
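The following is an added example, not from the original article, of granting a managed identity Application permissions on Microsoft Graph from PowerShell. It uses the Microsoft.Graph.Applications cmdlets, runs as an administrator with the two scopes shown, and is safe to re-run because it skips roles already assigned. The managed identity object ID and the role list are placeholders; 00000003-0000-0000-c000-000000000000 is the well-known application ID of Microsoft Graph.

```powershell
# Added example (not from the original article): assign Graph application
# roles to a managed identity, idempotently. Assumed: admin delegated session
# with the scopes below; <managed-identity-object-id> is a placeholder taken
# from the Azure resource's Identity blade.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

$ManagedIdentityObjectId = '<managed-identity-object-id>'
$RequiredRoles = 'User.Read.All', 'Group.Read.All'   # least privilege: only what the runbook needs

# 00000003-0000-0000-c000-000000000000 is the well-known app ID of Microsoft Graph.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$miSp    = Get-MgServicePrincipal -ServicePrincipalId $ManagedIdentityObjectId

# Roles already assigned on Graph, so re-running does not duplicate them.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id |
    Where-Object ResourceId -eq $graphSp.Id |
    Select-Object -ExpandProperty AppRoleId

foreach ($roleName in $RequiredRoles) {
    # AppRoles are the Application permissions; delegated scopes live elsewhere.
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $roleName -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Microsoft Graph has no application role named $roleName." }

    if ($existing -contains $role.Id) {
        Write-Host "$roleName already assigned"
        continue
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id `
        -PrincipalId $miSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned $roleName"
}

# Inside the runbook itself the identity then signs in with no credential at all:
#   Connect-MgGraph -Identity -NoWelcome
```

Because the assignment is made against the identity's service principal object, it is visible under Enterprise applications in the Entra portal like any other app-role assignment, which is where an auditor would look for it.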


Registering an App in Entra ID

App-only methods (client secret and certificate) need an application registration. Interactive sign-in does not — skip this section if you only use Method 1.

Step 1: Open App registrations

Sign in to the Microsoft Entra admin center (or the Azure portal), then go to Identity → Applications → App registrations.


Step 2: Register the application

Click New registration, give it a meaningful name, choose Accounts in this organizational directory only, and click Register. A redirect URI is only needed for delegated authorization-code flows; for app-only access you can leave it blank.


Step 3: Note the Client ID and Tenant ID

On the app's Overview page, copy the Application (client) ID and Directory (tenant) ID — you need both to connect.


Step 4: Add API permissions

Go to API permissions → Add a permission → Microsoft Graph. For app-only authentication, choose Application permissions (not Delegated), select the permissions your script needs (for example User.Read.All, Group.Read.All), and then click Grant admin consent for [your organization]. App-only permissions do not work until admin consent is granted.


Step 5: Create a client secret (secret method only)

For the client-secret method, go to Certificates & secrets → New client secret, set an expiry, and copy the secret Value immediately — it's only shown once. For the certificate method, upload your certificate's public key under Certificates instead.



Disconnecting

The SDK caches your token and keeps you signed in across PowerShell sessions (under the default CurrentUser context). Sign out explicitly with:

Disconnect-MgGraph

To limit a session so it doesn't persist, connect with -ContextScope Process.


Migrating from the Old AzureAD and Connect-MSGraph Modules

If you're moving older scripts over, note the legacy modules this one replaces:

  • AzureAD and MSOnline — the classic directory modules. Both are deprecated and retired; their cmdlets (Connect-AzureAD, Connect-MsolService) should be migrated to Microsoft Graph PowerShell.
  • Connect-MSGraph (note the single "M") — this was the old Intune Graph module (Microsoft.Graph.Intune). It is not the same as Connect-MgGraph. If you see Connect-MSGraph in a script, it's the legacy module.

The current, supported cmdlet is Connect-MgGraph from Microsoft.Graph.Authentication. It uses OAuth 2.0 modern authentication throughout — see our explainer on the difference between SAML and OAuth for the underlying flow.

Microsoft has also released a newer, identity-focused Microsoft Entra PowerShell module (Connect-Entra) aimed specifically at replacing the AzureAD module. For broad Microsoft 365 automation, Microsoft Graph PowerShell remains the primary SDK; Entra PowerShell is a complementary option focused on Entra ID tasks.


Frequently Asked Questions

Does Get-MgAccessToken exist?

No. There is no Get-MgAccessToken cmdlet in the Microsoft Graph PowerShell SDK. Connect-MgGraph obtains the access token for you internally using MSAL. If you already have a bearer token from another source, you can pass it with Connect-MgGraph -AccessToken — but in SDK v2 the token must be supplied as a SecureString, not a plain string.

What is the difference between Connect-MSGraph and Connect-MgGraph?

Connect-MgGraph (with "Mg") is the current Microsoft Graph PowerShell SDK cmdlet. Connect-MSGraph (with "MS") belonged to the older, now-legacy Microsoft.Graph.Intune module. Use Connect-MgGraph for all new work.

How do I connect to Microsoft Graph with a client secret?

Build a PSCredential whose user name is the application (client) ID and whose password is the secret value (as a SecureString), then run Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred. The app registration needs Application permissions with admin consent granted. See Method 2: App-Only with a Client Secret above for the full code.

How do I connect using a managed identity?

Inside Azure (Automation, Functions, a VM), run Connect-MgGraph -Identity for a system-assigned identity, or Connect-MgGraph -Identity -ClientId "<mi-client-id>" for a user-assigned one. Assign the identity the required Graph application permissions first.

Why do I get "Authentication needed. Please call Connect-MgGraph"?

That error means you ran a Graph cmdlet (like Get-MgUser) before authenticating, or your cached session expired or was disconnected. Run Connect-MgGraph again, then verify with Get-MgContext.

Do I need to register an app to connect to Microsoft Graph?

No, not for interactive use — Connect-MgGraph -Scopes uses the built-in Microsoft Graph PowerShell application. You only need your own app registration for app-only (unattended) authentication with a client secret or certificate, or when you want to tightly control which permissions are consented.

How do I check which permissions my session has?

Run Get-MgContext | Select-Object -ExpandProperty Scopes to list every scope you've consented to in the current session.


Related: Many Microsoft Graph operations — such as managing Conditional Access policies or configuring PIM — require the right Entra ID licence. See our Microsoft Entra ID P1 vs P2 feature comparison to understand which tier you need.