Through PowerShell it is possible to connect to a Microsoft 365 tenant and perform operations on users, groups and any other element of the tenant. When you connect, PowerShell prompts you for your account and password. You could write the account and password directly into the PowerShell script, but that would be a serious security compromise.
An alternative is to build an application that authenticates to the tenant with its own credentials, registered in the tenant itself. In other words, you must tell the tenant that a certain application is authorized to access it. Furthermore, for each operation the application will perform on the tenant, you must specify the appropriate permissions. To create such an application, we recommend following the excellent tutorial “.Net Core console application for calling Microsoft Graph”. This post reuses the images from that tutorial only to show how the application must be prepared on the Microsoft tenant.
Register a web application with Azure AD Portal App Registration
Open a browser and navigate to the Azure Portal. Log in with your account. Select the resource “Azure Active Directory”. In the left-hand menu, select “App registrations”. Click New registration on the current page.
On the Register an application page, specify the following values:
- Name = Name of your application
- Supported account types
- Redirect URI
  - Type = Web
  - Value = https://localhost:8080 (*)
(*) The Redirect URI value must be unique within your domain. It can be changed later and does not need to point to a real, hosted URI.
Now note down two values that will be used in your application:
- Application (client) ID
- Directory (tenant) ID
Certificates & secrets
Click Certificates & secrets.
- Click New client secret.
- On the Add a client secret dialog, specify the following values:
  - Description = Your secret’s description
  - Expires = In 1 year (for example)
- Click Add.
After the screen has updated with the newly created client secret, copy the VALUE of the client secret. This secret string is never shown again, so make sure you copy it now.
Click API permissions.
- Click Add a permission.
- On the Request API permissions panel select Microsoft Graph.
- Select Application permissions.
Now choose the permissions to authorize for your app. For example, to create an application that reads all information about the tenant’s users, type “User” in the “Select permissions” search box and select User.Read.All from the filtered list. Finally, on the API permissions blade, click Grant admin consent for the tenant.
Summary of the data necessary for the application
Let’s see what data your application needs to connect and operate on the Microsoft Tenant.
- applicationId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
- applicationSecret = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
- tenantId = “xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”;
- redirectUri = “https://localhost:8080”;
- domain = “yourtenant.onmicrosoft.com”;
The Microsoft Graph application permissions granted to the app, for example:
- User.Read.All : Read all users’ full profiles
- User.ReadWrite.All : Read and write all users’ full profiles
- Group.ReadWrite.All : Read and write all groups
- Notes.ReadWrite.All : Read and write all OneNote notebooks
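The values above are what an application uses to obtain an app-only token with the OAuth 2.0 client-credentials grant and then call Microsoft Graph. The following Python is an added example, not code from the referenced .Net Core tutorial: it builds the token request from the tenant ID, application ID and secret (read from an environment variable rather than written into the script, which is the risk the post opens with), and inspects the token’s `roles` claim, where admin-consented application permissions appear, to confirm the permissions from the list above are actually present before a Graph call. The token endpoint, the `.default` scope and the `/v1.0/users` URL are the real Microsoft identity platform and Graph values; every ID, secret and the sample token are labelled placeholders or constructed data. The redirect URI is not needed for this grant, so it is deliberately absent from the request.

```python
"""Added example (not code from the referenced tutorial): request an app-only Graph
token with the client-credentials grant and check its `roles` claim before calling
Graph. All IDs and secrets are placeholders; the sample token is constructed."""
import base64
import json
import os

# Real Microsoft identity platform / Graph values; the tenant ID is a placeholder.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"


def load_client_secret(env_var: str = "GRAPH_CLIENT_SECRET") -> str:
    """Read the client secret from the environment instead of embedding it in the
    script (the hard-coded password problem the post opens with). Fails loudly if unset."""
    secret = os.environ.get(env_var)
    if not secret:
        raise RuntimeError(f"client secret not found in environment variable {env_var}")
    return secret


def token_request(tenant_id: str, application_id: str, application_secret: str) -> tuple[str, dict]:
    """Build the client-credentials token request: no user and no redirect URI are
    involved. Returns the endpoint URL and the form fields to POST (urlencoded)."""
    form = {
        "grant_type": "client_credentials",
        "client_id": application_id,
        "client_secret": application_secret,
        "scope": GRAPH_SCOPE,  # every application permission consented for this app
    }
    return TOKEN_ENDPOINT.format(tenant_id=tenant_id), form


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.
    Local inspection and logging only; Graph validates the token itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(token: str, required: set[str]) -> set[str]:
    """Application permissions granted by admin consent appear in the `roles` claim
    of an app-only token. Return the required permissions the token does not carry."""
    granted = set(decode_jwt_claims(token).get("roles", []))
    return set(required) - granted


def graph_headers(token: str) -> dict:
    """Headers for a Graph call once the token has been obtained."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token: realistic claim shape, fake signature, offline use only.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "aud": "https://graph.microsoft.com",
        "appid": "APPLICATION-ID-PLACEHOLDER",
        "roles": ["User.Read.All"],  # only this permission was consented
    }).encode()),
    _b64url(b"constructed-not-a-real-signature"),
])


if __name__ == "__main__":
    url, form = token_request("TENANT-ID-PLACEHOLDER", "APPLICATION-ID-PLACEHOLDER",
                              os.environ.get("GRAPH_CLIENT_SECRET", "<unset>"))
    print("POST", url, "fields:", sorted(form))
    needed = {"User.Read.All", "Group.ReadWrite.All"}
    print("missing before calling", GRAPH_USERS_URL, "->", missing_permissions(SAMPLE_TOKEN, needed))
```

Running the block with the constructed token reports `Group.ReadWrite.All` as missing, which is exactly the situation after following the steps above with only User.Read.All consented: a Graph call that writes groups would fail with 403 until that permission is added and admin consent is granted again. The `roles` check is a convenience for clearer error messages; it is not a substitute for Graph’s own authorization.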