Permissions Requested: Microsoft Graph PowerShell (unverified)

Microsoft Graph PowerShell Unverified Modern Authentication

You’re trying to run scripts using the new Microsoft Graph PowerShell API, and now you see this frightening message:

Microsoft Graph PowerShell OAuth Login Prompt

Unverified

The first thing you’ll probably notice is the “unverified” label. So why is Microsoft Graph PowerShell – a Microsoft-developed Azure enterprise application – carrying this label?

You’re not the only person confused by this:

https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/482

Apparently, this has caused a minor dispute between the Microsoft Graph PowerShell SDK team and the Microsoft Security team.

Many people have complained about this, but for now, Microsoft insists on keeping this troubling label.

Permission List

Secondly, you’ll notice a set of permissions that are requested.

With Microsoft Graph MSAL authentication, you need to submit a ‘scope’ with your authentication request that lists the permissions you’re planning to use.

The list of permissions shows the permissions included in the scope of the application’s Graph connection request. It should match what you plan to do with the application.

Consent on Behalf of Your Organization

Thirdly, there is an option to consent on behalf of your organization. Should you do so?

Depending on the configuration of the enterprise application, the option to consent on behalf of your organization is only available to Global Admins.

You should consider granting consent on behalf of your organization if you plan to let non-Global Admins use the application.

If you accept the permissions, you will not be given the option to consent on behalf of your organization at a later time!

For a full explanation of that, read this article.
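The scope list and the organization-wide consent described above can both be checked from PowerShell. The following is an added example, not code from the original article: it assumes the Microsoft.Graph modules are installed, that the signed-in account can consent to `Directory.Read.All`, and that the app ID shown (Microsoft's published ID for the Microsoft Graph PowerShell enterprise application, not taken from this page) matches the entry in your tenant.

```powershell
# Added example (not from the original article).
# Assumes Microsoft.Graph.Authentication, Microsoft.Graph.Applications and
# Microsoft.Graph.Identity.SignIns are installed.

# 1. Request only the scopes this session needs. These are the permissions
#    the consent prompt will list.
$wanted = @('Directory.Read.All')
Connect-MgGraph -Scopes $wanted | Out-Null

# 2. Compare what was requested with what the session actually holds.
#    Scopes consented earlier for the same app can show up here as well.
$baseline = @('openid', 'profile', 'offline_access', 'email')
$granted  = (Get-MgContext).Scopes
$extra    = $granted | Where-Object { $_ -notin $wanted -and $_ -notin $baseline }

"Requested : $($wanted -join ', ')"
"In session: $($granted -join ', ')"
if ($extra) { "Not requested this time, but present: $($extra -join ', ')" }

# 3. List every delegated consent recorded for the Microsoft Graph PowerShell
#    enterprise application. The app ID is an assumption: confirm it against
#    the Enterprise applications list in your own tenant.
$appId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'
$sp    = Get-MgServicePrincipal -Filter "appId eq '$appId'"

if (-not $sp) {
    'No service principal for that app ID in this tenant; nothing has been consented yet.'
}
else {
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
        ForEach-Object {
            [pscustomobject]@{
                # AllPrincipals = consent on behalf of the organization
                # Principal     = consent given by (or for) a single user
                ConsentType = $_.ConsentType
                PrincipalId = $_.PrincipalId
                Scopes      = ($_.Scope -split ' ' | Where-Object { $_ }) -join ', '
            }
        } |
        Sort-Object ConsentType |
        Format-Table -AutoSize -Wrap
}

Disconnect-MgGraph | Out-Null
```

A row with `ConsentType` of `AllPrincipals` means every user in the tenant can use those scopes through Microsoft Graph PowerShell without seeing a prompt, so that row is the one to review against what your scripts actually need.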

Summary

Even though Microsoft Graph PowerShell is listed as ‘unverified’, you need to trust it if you want to use the Microsoft Graph PowerShell API.

As a matter of fact, Microsoft is retiring both the MSOnline and the AzureAD PowerShell modules, so you actually need to trust it if you want to use PowerShell to manage Azure AD resources.

As for the permission list and admin consent, you need to decide from case to case: Is the list of permissions acceptable, and do you want to consent on behalf of non-Global Admins (who can’t consent themselves)?

Consolidate Azure AD and On-Premises AD Management

One example of an application that uses the Microsoft Graph PowerShell API is Easy365Manager version 1.5 and later.

With Easy365Manager, you can perform all daily user and mailbox management directly from your on-premises Active Directory.

This is a huge time saver that will eliminate the need to constantly log in to the plethora of web consoles that Microsoft invented to support Azure AD and Exchange Online management.

Simply go to user properties in your local AD and perform everything there.

Easy365Manager uses OAuth2 (modern authentication) and will securely cache your access token, so you don’t need to log in again and again.

Download the free 30-day trial here.