Connect-Entra (Microsoft.Graph.Entra)
The Connect-Entra cmdlet is used to connect to Microsoft Entra PowerShell module. This module simplifies the migration of legacy scripts as it supports 98% of the retired Azure AD and MSOnline cmdlets. You must install Microsoft Entra PowerShell module to use this cmdlet. Else, you will receive the error: “The term ‘Connect-Entra’ is not recognized as the name of a cmdlet, function, script file, or operable Program”
NOTE: You can use the Connect-Entra cmdlet to connect both v1.0 (General Availability) and Entra beta PowerShell module.
This module supports several authentication scenarios depending on your use case such as: delegated (interactive) and app-only (noninteractive).
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
Connect-Entra [-Certificate <X509Certificate2>] [-CertificateSubjectName <System.String>] [-CertificateThumbprint <System.String>] [-ClientId <System.String>] [-ClientSecretCredential <PSCredential>] [-ClientTimeout <System.Double>] [-ContextScope {Process | CurrentUser}] [-Environment <string>] [[-Identity]] [-NoWelcome] [-ProgressAction <ActionPreference>] [[-Scopes] <System.String[]>] [-TenantId <System.String>] [-UseDeviceCode] [<CommonParameters>] |
The ‘Connect-Entra’ cmdlet connects to Microsoft Entra ID with an authenticated account. It works for accounts with or without multi-factor authentication (MFA).
Example 1: Initiate a connection
|
1 |
Connect-Entra -Scopes "User.Read.All" |
This command connects the current PowerShell session to a Microsoft Entra ID tenant using credentials.
Example 2: Delegated access: Connect to Entra ID PowerShell session with required scopes
|
1 |
Connect-Entra -Scopes 'User.Read.All', 'Group.ReadWrite.All' |
This example shows how to authenticate Microsoft Entra ID with scopes.
Example 3: Connect MS Entra with Tenant id
|
1 |
Connect-Entra – TenantId "436r2398-87e4-34y8-43r3h4drf78" |
If you don’t specify the TenantId parameter, it will create a session with the last tenant you signed in or home tenant.
Example 4: Delegated access: Using an access token
|
1 2 |
$SecureString = ConvertTo-SecureString -String $AccessToken -AsPlainText -Force Connect-Entra -AccessToken $SecureString |
This example shows how to authenticate to Microsoft Entra ID using an access token. For more information on how to get or create access token, see Request an access token
Example 5: Delegated access: Using device code flow
|
1 |
Connect-Entra -UseDeviceCode |
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code to authenticate. This example shows how to authenticate to Microsoft Entra ID with device. For more information, see Device Code flow
Example 6: App-only access: Using client credential with a Certificate thumbprint
|
1 |
Connect-Entra –TenantId <TenantId> -ApplicationId <AppId> -CertificateThumbprint <CertThumbPrint> |
This cmdlet connects Entra ID PowerShell session using a ApplicationId and CertificateThumbprint.
For more information on how to get or create CertificateThumbprint, see Authenticate with app-only access.
Example 7: App-only access: Using client credential with a certificate name
|
1 |
Connect-Entra –TenantId <TenantId> -ClientId <ClientId> -CertificateName <CertName> |
This cmdlet connects Entra ID PowerShell session using a CertificateName.
Example 8: App-only access: Using client credential with a certificate
|
1 2 |
$Cert = Get-ChildItem Cert:\LocalMachine\My\$CertThumbprint Connect-Entra –TenantId <TenantId> -ClientId <ClientId> -Certificate $Cert |
This cmdlet connects Entra ID PowerShell session using a Certificate path.
Example 9: App-only access: Using client secret credentials –
|
1 2 3 |
$ClientSecretCredential = Get-Credential -Credential <ClientId> # Enter client_secret in the password prompt. Connect-Entra -TenantId <TenantId> -ClientSecretCredential $ClientSecretCredential |
This authentication method is ideal for background interactions.
Example 10: App-only access: Using managed identity: System-assigned managed identity
|
1 |
Connect-Entra -Identity |
Uses an automatically managed identity on a service instance.
Example 11: Connecting to an environment or cloud
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
Get-EntraEnvironment Name AzureADEndpoint GraphEndpoint Type ---- --------------- ------------- ---- China https://login.chinacloudapi.cn https://microsoftgraph.chinacloudapi.cn Built-in Global https://login.microsoftonline.com https://graph.microsoft.com Built-in USGov https://login.microsoftonline.us https://graph.microsoft.us Built-in USGovDoD https://login.microsoftonline.us https://dod-graph.microsoft.us Built-in |
When you use Connect-Entra, you can choose to target other environments.
|
1 |
Connect-Entra -Environment 'Global' |
By default, Connect-Entra targets the global public cloud.
Example 12: Hides the welcome message
|
1 |
Connect-Entra -NoWelcome |
This example hides the welcome message.
-CertificateThumbprint <System.String>
Specifies the certificate thumbprint of a digital public key X.509 certificate of a user account that has permission to perform this action.
|
1 2 3 4 5 |
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
-ClientId <System.String>
Specifies the application ID of the service principal.
|
1 2 3 4 5 |
Required? false Position? 1 Default value None Accept pipeline input? False Accept wildcard characters? false |
-TenantId <System.String>
Specifies the ID of a tenant. If you don’t specify this parameter, the account is authenticated with the home tenant. You must specify the TenantId parameter to authenticate as a service principal or when using Microsoft account.
|
1 2 3 4 5 |
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
-AccessToken <SecureString>
Specifies a bearer token for Microsoft Entra service. Access tokens do time out and you have to handle their refresh.
|
1 2 3 4 5 |
Required? true Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
-ClientTimeout <System.Double>
Sets the HTTP client timeout in seconds.
|
1 2 3 4 5 |
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
-ContextScope <ContextScope>
Determines the scope of authentication context. This ContextScope accepts Process for the current process, or CurrentUser for all sessions started by user.
|
1 2 3 4 5 |
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
-Environment <System.String>
The name of the national cloud environment to connect to. By default global cloud is used.
|
1 2 3 4 5 |
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
-NoWelcome <System.Management.Automation.SwitchParameter>
Hides the welcome message.
|
1 2 3 4 5 |
Required? false Position? named Default value False Accept pipeline input? False Accept wildcard characters? false |
-Scopes <System.String[]>
An array of delegated permissions to consent to.
|
1 2 3 4 5 |
Required? false Position? 1 Default value None Accept pipeline input? False Accept wildcard characters? false |
-UseDeviceCode <System.Management.Automation.SwitchParameter>
Use device code authentication instead of a browser control.
|
1 2 3 4 5 |
Required? false Position? named Default value False Accept pipeline input? False Accept wildcard characters? false |
-Certificate <X509Certificate2>
An X.509 certificate supplied during invocation.
|
1 2 3 4 5 |
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
-CertificateSubjectName <System.String>
The subject distinguished name of a certificate. The certificate is retrieved from the current user’s certificate store.
|
1 2 3 4 5 |
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
-ClientSecretCredential <PSCredential>
The PSCredential object provides the application ID and client secret for service principal credentials.
|
1 2 3 4 5 |
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
-EnvironmentVariable <System.Management.Automation.SwitchParameter>
Allows for authentication using environment variables configured on the host machine.
|
1 2 3 4 5 |
Required? false Position? named Default value False Accept pipeline input? False Accept wildcard characters? false |
-Identity <System.Management.Automation.SwitchParameter>
Sign-in using a managed identity
|
1 2 3 4 5 |
Required? false Position? 1 Default value False Accept pipeline input? False Accept wildcard characters? false |
-ProgressAction <ActionPreference>
The ProgressAction parameter takes one of the ActionPreference enumeration values: SilentlyContinue, Stop, Continue, Inquire, Ignore,
|
1 2 3 4 5 |
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see about_CommonParameters.
