Connect-Entra (Microsoft.Graph.Entra)
The Connect-Entra cmdlet establishes a connection to Microsoft Entra ID from the Microsoft Entra PowerShell module. You must install the Microsoft Entra PowerShell module before you can use this cmdlet; otherwise you receive the error: "The term 'Connect-Entra' is not recognized as the name of a cmdlet, function, script file, or operable program".
NOTE: You can use the Connect-Entra cmdlet with both the v1.0 (General Availability) and the beta Microsoft Entra PowerShell modules.
This module supports several authentication scenarios depending on your use case such as: delegated (interactive) and app-only (noninteractive).
Connect-Entra [-Certificate <X509Certificate2>] [-CertificateSubjectName <System.String>] [-CertificateThumbprint <System.String>] [-ClientId <System.String>] [-ClientSecretCredential <PSCredential>] [-ClientTimeout <System.Double>] [-ContextScope {Process | CurrentUser}] [-Environment <string>] [[-Identity]] [-NoWelcome] [-ProgressAction <ActionPreference>] [[-Scopes] <System.String[]>] [-TenantId <System.String>] [-UseDeviceCode] [<CommonParameters>]
The ‘Connect-Entra’ cmdlet connects to Microsoft Entra ID with an authenticated account. It works for accounts with or without multi-factor authentication (MFA).
Example 1: Initiate a connection
Connect-Entra -Scopes "User.Read.All"
This command connects the current PowerShell session to a Microsoft Entra ID tenant using the signed-in user's credentials (delegated access).
Example 2: Delegated access: Connect to Entra ID PowerShell session with required scopes
Connect-Entra -Scopes 'User.Read.All', 'Group.ReadWrite.All'
This example shows how to authenticate to Microsoft Entra ID while requesting more than one delegated scope.
Example 3: Connect to Microsoft Entra ID with a tenant ID
Connect-Entra -TenantId "436r2398-87e4-34y8-43r3h4drf78"
If you don't specify the TenantId parameter, the session is created with the last tenant you signed in to, or with your home tenant.
Example 4: Delegated access: Using an access token
$SecureString = ConvertTo-SecureString -String $AccessToken -AsPlainText -Force
Connect-Entra -AccessToken $SecureString
This example shows how to authenticate to Microsoft Entra ID using an access token that was acquired elsewhere and stored in $AccessToken. For more information on how to get or create an access token, see Request an access token.
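The page notes that access tokens time out and that the caller must handle their refresh. The following added example (not part of the Connect-Entra documentation) inspects the bearer token before passing it to Connect-Entra -AccessToken: it decodes the JWT payload, refuses a token that is about to expire or was issued for a different tenant, and reports the audience and permissions so a script fails fast instead of at the first Graph call. $AccessToken is assumed to hold a token obtained by an earlier acquisition step; the '<TenantId>' value is a placeholder.

```powershell
# Added example: validate a JWT access token before handing it to Connect-Entra.
# $AccessToken is assumed to be set by an earlier token-acquisition step.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Value is not a JWT (expected header.payload.signature).' }
    # JWT segments are base64url without padding; restore standard base64 before decoding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-EntraAccessToken {
    param(
        [Parameter(Mandatory)][string] $Token,
        [string] $ExpectedTenantId,
        [int] $MinimumValiditySeconds = 300
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    $remaining = ($expires - [DateTime]::UtcNow).TotalSeconds
    if ($remaining -lt $MinimumValiditySeconds) {
        throw "Token expires at $expires UTC (in $([int]$remaining)s); refresh it before connecting."
    }
    if ($ExpectedTenantId -and $claims.tid -ne $ExpectedTenantId) {
        throw "Token was issued for tenant $($claims.tid), not $ExpectedTenantId."
    }
    # Delegated tokens carry 'scp'; app-only tokens carry 'roles'. Report whichever is present.
    $permissions = if ($claims.scp) { $claims.scp }
                   elseif ($claims.roles) { $claims.roles -join ' ' }
                   else { '(none)' }
    [pscustomobject]@{
        Audience    = $claims.aud
        TenantId    = $claims.tid
        ExpiresUtc  = $expires
        Permissions = $permissions
    }
}

# Usage: validate first, then connect. The token value itself is never written to output.
$info = Test-EntraAccessToken -Token $AccessToken -ExpectedTenantId '<TenantId>'   # placeholder tenant ID
Write-Host "Connecting with token for $($info.Audience) in tenant $($info.TenantId), valid until $($info.ExpiresUtc) UTC"
$SecureString = ConvertTo-SecureString -String $AccessToken -AsPlainText -Force
Connect-Entra -AccessToken $SecureString
```

Decoding the payload does not verify the signature; that is the resource's job. The point of the check is operational: a script that connects with a token that has five seconds left, or one minted for the wrong tenant, produces confusing failures later, and surfacing the audience and permission claims up front also makes it obvious when a token carries more than the task needs.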
Example 5: Delegated access: Using device code flow
Connect-Entra -UseDeviceCode
This example shows how to authenticate to Microsoft Entra ID using the device code flow. To sign in, use a web browser to open https://microsoft.com/devicelogin and enter the code displayed in the console to authenticate. For more information, see Device Code flow.
Example 6: App-only access: Using client credential with a Certificate thumbprint
Connect-Entra -TenantId <TenantId> -ApplicationId <AppId> -CertificateThumbprint <CertThumbPrint>
This cmdlet connects the Entra ID PowerShell session using an application ID and a certificate thumbprint.
For more information on how to get or create CertificateThumbprint, see Authenticate with app-only access.
Example 7: App-only access: Using client credential with a certificate name
Connect-Entra -TenantId <TenantId> -ClientId <ClientId> -CertificateName <CertName>
This cmdlet connects the Entra ID PowerShell session using a certificate selected by its subject name.
Example 8: App-only access: Using client credential with a certificate
$Cert = Get-ChildItem Cert:\LocalMachine\My\$CertThumbprint
Connect-Entra -TenantId <TenantId> -ClientId <ClientId> -Certificate $Cert
This cmdlet connects the Entra ID PowerShell session using a certificate object retrieved from the local machine certificate store by its thumbprint.
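Examples 6 to 8 all rely on a certificate that is present in a store and usable for signing. The following added example (not part of the Connect-Entra documentation) wraps that lookup: it searches both the CurrentUser and LocalMachine stores, rejects a certificate that has no private key or has expired, warns when rotation is due, and confirms after connecting that the session is app-only. Get-EntraContext and its AuthType, ClientId and TenantId properties are assumed to be available in the module; the angle-bracket values are placeholders.

```powershell
# Added example: locate and sanity-check the certificate, then connect app-only.
# Get-EntraContext is assumed to return the active connection context.
function Connect-EntraWithCertificate {
    param(
        [Parameter(Mandatory)][string] $TenantId,
        [Parameter(Mandatory)][string] $ClientId,
        [Parameter(Mandatory)][string] $Thumbprint
    )
    # Strip spaces or colons that are often pasted along with a thumbprint.
    $Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', ''

    $cert = $null
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $Thumbprint } |
                Select-Object -First 1
        if ($cert) { break }
    }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in the CurrentUser or LocalMachine My stores."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; it cannot sign a client assertion."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); plan rotation."
    }

    Connect-Entra -TenantId $TenantId -ClientId $ClientId -Certificate $cert -NoWelcome

    $ctx = Get-EntraContext
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected an app-only context, got '$($ctx.AuthType)'."
    }
    return $ctx
}

# Usage with placeholder identifiers (replace before running):
$ctx = Connect-EntraWithCertificate -TenantId '<TenantId>' -ClientId '<ClientId>' -Thumbprint '<CertThumbprint>'
"Connected as application {0} to tenant {1}" -f $ctx.ClientId, $ctx.TenantId
```

Checking HasPrivateKey catches the common case where only the public certificate was imported on the host, and the expiry warning gives the operator a window to rotate the credential in the app registration before unattended jobs start failing.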
Example 9: App-only access: Using client secret credentials
$ClientSecretCredential = Get-Credential -Credential <ClientId>
# Enter the client secret in the password prompt.
Connect-Entra -TenantId <TenantId> -ClientSecretCredential $ClientSecretCredential
This authentication method is ideal for background (unattended) interactions.
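Get-Credential prompts interactively, which does not suit the background jobs this method is meant for. The following added example (not part of the Connect-Entra documentation) builds the PSCredential from environment variables injected by a pipeline's secret store, connects with -ContextScope Process so nothing is written to the per-user token cache on disk, and always disconnects and clears the secret when the work is done. The variable names ENTRA_TENANT_ID, ENTRA_CLIENT_ID and ENTRA_CLIENT_SECRET are chosen for this example; Disconnect-Entra and Get-EntraContext are assumed to be the module's companion cmdlets.

```powershell
# Added example: non-interactive client-secret session scoped to this process.
# ENTRA_* variable names are this example's choice; Disconnect-Entra and
# Get-EntraContext are assumed module cmdlets.
function Invoke-WithEntraAppSession {
    param([Parameter(Mandatory)][scriptblock] $Script)

    foreach ($name in 'ENTRA_TENANT_ID', 'ENTRA_CLIENT_ID', 'ENTRA_CLIENT_SECRET') {
        if (-not (Get-Item -Path "Env:$name" -ErrorAction SilentlyContinue)) {
            throw "Environment variable $name is not set."
        }
    }
    $secret     = ConvertTo-SecureString -String $env:ENTRA_CLIENT_SECRET -AsPlainText -Force
    $credential = [pscredential]::new($env:ENTRA_CLIENT_ID, $secret)

    try {
        # ContextScope Process: the token cache lives only in this process, not in the user profile.
        Connect-Entra -TenantId $env:ENTRA_TENANT_ID `
                      -ClientSecretCredential $credential `
                      -ContextScope Process `
                      -NoWelcome
        & $Script
    }
    finally {
        # Tear the session down even if the script block throws, and drop the plaintext secret.
        Disconnect-Entra -ErrorAction SilentlyContinue
        Remove-Item -Path Env:ENTRA_CLIENT_SECRET -ErrorAction SilentlyContinue
    }
}

# Usage: the script block runs inside the app-only session.
Invoke-WithEntraAppSession -Script {
    Get-EntraContext | Select-Object ClientId, TenantId, AuthType
}
```

The try/finally matters more than it looks: a job that exits on error without disconnecting leaves a live app-only context behind in a shared runner, and with the default CurrentUser context scope that context can survive into the next process started by the same account.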
Example 10: App-only access: Using managed identity: System-assigned managed identity
Connect-Entra -Identity
Uses an automatically managed identity on a service instance.
Example 11: Connecting to an environment or cloud
Get-EntraEnvironment

Name     AzureADEndpoint                    GraphEndpoint                            Type
----     ---------------                    -------------                            ----
China    https://login.chinacloudapi.cn     https://microsoftgraph.chinacloudapi.cn  Built-in
Global   https://login.microsoftonline.com  https://graph.microsoft.com              Built-in
USGov    https://login.microsoftonline.us   https://graph.microsoft.us               Built-in
USGovDoD https://login.microsoftonline.us   https://dod-graph.microsoft.us           Built-in

Get-EntraEnvironment lists the available environments. When you use Connect-Entra, you can choose to target one of them.
Connect-Entra -Environment 'Global'
By default, Connect-Entra targets the global public cloud.
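A script written against the global cloud and reused in a government tenant silently signs in at the wrong authority unless the environment is set explicitly. The following added example (not part of the Connect-Entra documentation) resolves the requested name against Get-EntraEnvironment before connecting, prints the endpoints it is about to use, and verifies afterwards that the session really landed in that environment. Get-EntraContext and Disconnect-Entra are assumed module cmdlets, and the Environment property on the context is an assumption as well.

```powershell
# Added example: connect to a named national cloud and verify the result.
# Get-EntraContext (with an Environment property) and Disconnect-Entra are assumed.
function Connect-EntraCloud {
    param(
        [Parameter(Mandatory)][string]   $EnvironmentName,
        [string[]] $Scopes = @('User.Read.All')
    )
    $known  = Get-EntraEnvironment
    $target = $known | Where-Object { $_.Name -eq $EnvironmentName }
    if (-not $target) {
        throw "Unknown environment '$EnvironmentName'. Known names: $($known.Name -join ', ')"
    }
    Write-Host "Signing in at $($target.AzureADEndpoint); Graph endpoint $($target.GraphEndpoint)"

    Connect-Entra -Environment $target.Name -Scopes $Scopes -NoWelcome

    $ctx = Get-EntraContext
    if ($ctx.Environment -ne $target.Name) {
        Disconnect-Entra -ErrorAction SilentlyContinue
        throw "Connected to '$($ctx.Environment)' instead of '$($target.Name)'; session discarded."
    }
    return $target
}

# Usage: fails with the list of valid names if 'USGov' is mistyped.
Connect-EntraCloud -EnvironmentName 'USGov'
```

Keying the choice off Get-EntraEnvironment rather than a hard-coded string means the script cannot quietly fall back to the global endpoints, and the post-connection check catches a cached context from a previous session in a different cloud.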
Example 12: Hides the welcome message
Connect-Entra -NoWelcome
This example hides the welcome message.
-CertificateThumbprint <System.String>
Specifies the certificate thumbprint of a digital public key X.509 certificate of a user account that has permission to perform this action.
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
-ClientId <System.String>
Specifies the application ID of the service principal.
Required? false Position? 1 Default value None Accept pipeline input? False Accept wildcard characters? false
-TenantId <System.String>
Specifies the ID of a tenant. If you don’t specify this parameter, the account is authenticated with the home tenant. You must specify the TenantId parameter to authenticate as a service principal or when using Microsoft account.
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
-AccessToken <SecureString>
Specifies a bearer token for Microsoft Entra service. Access tokens do time out and you have to handle their refresh.
Required? true Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
-ClientTimeout <System.Double>
Sets the HTTP client timeout in seconds.
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
-ContextScope <ContextScope>
Determines the scope of authentication context. This ContextScope accepts `Process` for the current process, or `CurrentUser` for all sessions started by user.
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
-Environment <System.String>
The name of the national cloud environment to connect to. By default global cloud is used.
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
-NoWelcome <System.Management.Automation.SwitchParameter>
Hides the welcome message.
Required? false Position? named Default value False Accept pipeline input? False Accept wildcard characters? false
-Scopes <System.String[]>
An array of delegated permissions to consent to.
Required? false Position? 1 Default value None Accept pipeline input? False Accept wildcard characters? false
-UseDeviceCode <System.Management.Automation.SwitchParameter>
Use device code authentication instead of a browser control.
Required? false Position? named Default value False Accept pipeline input? False Accept wildcard characters? false
-Certificate <X509Certificate2>
An X.509 certificate supplied during invocation.
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
-CertificateSubjectName <System.String>
The subject distinguished name of a certificate. The certificate is retrieved from the current user’s certificate store.
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
-ClientSecretCredential <PSCredential>
The PSCredential object provides the application ID and client secret for service principal credentials.
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
-EnvironmentVariable <System.Management.Automation.SwitchParameter>
Allows for authentication using environment variables configured on the host machine.
Required? false Position? named Default value False Accept pipeline input? False Accept wildcard characters? false
-Identity <System.Management.Automation.SwitchParameter>
Sign in using a managed identity.
Required? false Position? 1 Default value False Accept pipeline input? False Accept wildcard characters? false
-ProgressAction <ActionPreference>
The ProgressAction parameter takes one of the ActionPreference enumeration values, such as SilentlyContinue, Stop, Continue, Inquire, or Ignore.
Required? false Position? named Default value None Accept pipeline input? False Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see about_CommonParameters.