Recently I have been working in PowerShell to access Microsoft Graph, primarily to interact with Intune. My starting point has been the samples provided by Microsoft here: https://github.com/microsoftgraph/powershell-intune-samples. While extending the samples to modify AAD user objects I started getting Access Denied even with a Global Admin account. Really weird, right? Well, it comes down to the $clientid variable in the samples, which is the ClientID of the “Microsoft Intune PowerShell” Service Principal; I needed to use the “Microsoft Azure PowerShell” Service Principal instead.
Sounds easy enough, right? After spending a little time scouring the internet I couldn’t find the “ClientID” for Azure Active Directory; in the end I got around it by finding the GUID on another blog (don’t recall which blog).
Which got me thinking: this information should be stored somewhere on the tenant, and after much investigation I’ve found the Service Principals by using the AzureAD PowerShell module with the “Get-AzureADServicePrincipal” command. If your tenant is like mine you will have a flash of objects fly by (we have over 300 objects in ours). Luckily I have a demo tenant in which I can run Get-AzureADServicePrincipal to obtain the full list of ClientIDs that are there by default; with Intune enabled there are 21 objects. In this solution we are only looking for the 2 ClientIDs, for Microsoft Azure PowerShell and Microsoft Intune PowerShell, which are (for the full connection scripts from PowerShell to Microsoft Graph, have a look at the samples in the above link):
AAD ClientID = “1950a258-227b-4e31-a9cf-717495945fc2”
Intune ClientID = “d1ddf0e4-d672-4dae-b554-9d5bdfd93547”
Note that when you return the full list of Service Principals with PowerShell, the ClientID is named AppId.
Depending upon how the Service Principals have been configured, you might not be able to use the AppId in PowerShell to invoke commands on Microsoft Graph.
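The lookup described above, written out as an added example (not code from the original post or from the Microsoft samples). It assumes the AzureAD module is installed and Connect-AzureAD has already been run, and cross-checks the AppId values the tenant returns against the two GUIDs quoted above, so the $clientid you paste into a connection script is one you have verified rather than one copied from a blog.

```powershell
# Added example: resolve the AppId (ClientID) of the two first-party service
# principals from the tenant itself. Assumes Connect-AzureAD has been run.
$wanted = @('Microsoft Azure PowerShell', 'Microsoft Intune PowerShell')

# -All $true matters: without it only the first page of results comes back, so in
# a tenant with 300+ service principals the one you want may never appear.
$sps = Get-AzureADServicePrincipal -All $true |
    Where-Object { $wanted -contains $_.DisplayName } |
    Select-Object DisplayName, AppId, ObjectId, AccountEnabled

$sps | Format-Table -AutoSize

# The GUIDs quoted in the post; a mismatch means a script using the hard-coded
# value would authenticate as a different application than you think.
$expected = @{
    'Microsoft Azure PowerShell'  = '1950a258-227b-4e31-a9cf-717495945fc2'
    'Microsoft Intune PowerShell' = 'd1ddf0e4-d672-4dae-b554-9d5bdfd93547'
}

foreach ($name in $wanted) {
    $found = $sps | Where-Object { $_.DisplayName -eq $name }
    if (-not $found) {
        Write-Warning "'$name' is not present in this tenant, so its AppId cannot be used here."
    } elseif ($found.AppId -ne $expected[$name]) {
        Write-Warning "'$name' AppId $($found.AppId) differs from the expected $($expected[$name])."
    } elseif ($found.AccountEnabled -ne 'True') {
        # Ties in with the caveat above: a disabled service principal will not
        # get you a token even when the AppId is correct.
        Write-Warning "'$name' exists but is disabled (AccountEnabled = $($found.AccountEnabled))."
    } else {
        Write-Host "$name -> `$clientid = '$($found.AppId)'"
    }
}
```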