I've been experimenting with various methods to log into MS Graph using PowerShell in the M365 web interface. When I use `Connect-MsGraph` through admin.microsoft.com, it seems to use my admin credentials as a system-managed identity. But what default scopes does this method have? It appears to grant access to everything.
On the other hand, when I try `Connect-MsGraph` without any parameters, it prompts me for device login credentials via a code, instead of my username and password. I've read that this method will be deprecated due to new conditional access policies starting July 1, 2025. Personally, I feel it would be more user-friendly if it defaulted to a username and password prompt.
Additionally, there's a way to connect using specific scopes which does prompt for a username and password. I've noticed this seems necessary when I'm using PowerShell locally rather than in the cloud. I'm just trying to get clarity on why the scopes are needed when logging in with a username and password, while the system identity method doesn't seem to require them at all.
1 Answer
Your question is a bit tricky to follow, but let me break it down. In a cloud PowerShell session, the system uses the token with scopes based on the logged-in user. You can go with the default scopes or specify your own.
For local PowerShell, it generally uses interactive authentication, which prompts for user credentials, but it does have a fallback to device authentication. I get where you're coming from regarding the default method; yeah, it could be easier if it began by asking for a username and password instead of the device login.

Right? I think there should be a more straightforward way to connect, especially since the device login will be blocked due to policy changes. I had to dig deep to find alternatives just to get it to work with `Connect-MsGraph Identity`, and it’s kinda annoying.
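
Added example, not part of the original thread: one way to see which permissions a Graph session actually holds is to read the access token's claims. Delegated (signed-in user) tokens list their scopes in `scp`, while app-only tokens, including managed identity tokens, list application permissions in `roles`. The function names and the two sample tokens below are hypothetical and constructed for illustration; the code assumes the token is a JWT and only inspects it, without validating the signature.

```powershell
# Decode the payload segment of a JWT (inspection only, no signature check).
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # base64url -> base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Classify a token as delegated or app-only and list the permissions it carries.
function Get-GraphTokenPermission {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    $names  = $claims.PSObject.Properties.Name
    if ($names -contains 'scp') {
        $type = 'Delegated'; $perms = @($claims.scp -split ' ')   # space-separated string
    } elseif ($names -contains 'roles') {
        $type = 'AppOnly';   $perms = @($claims.roles)            # JSON array
    } else {
        $type = 'Unknown';   $perms = @()
    }
    [pscustomobject]@{ AuthType = $type; Permissions = $perms }
}

# Helper that builds an unsigned, constructed sample token so the example runs offline.
function New-ConstructedToken {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $enc = {
        param($obj)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($obj | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    '{0}.{1}.constructed' -f (& $enc @{ alg = 'none'; typ = 'JWT' }), (& $enc $Claims)
}

# Constructed sample data: one user-delegated token, one managed-identity style token.
$userToken = New-ConstructedToken @{ scp = 'User.Read Group.Read.All' }
$miToken   = New-ConstructedToken @{ roles = @('User.Read.All', 'Group.Read.All') }

Get-GraphTokenPermission -Token $userToken   # AuthType Delegated, two scopes
Get-GraphTokenPermission -Token $miToken     # AuthType AppOnly, two roles
```

Comparing the listed permissions against what a script needs shows whether a session is broader than necessary.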