# LAB 02: App-Only Authentication with Microsoft Graph PowerShell SDK

This lab guides you through configuring app-only access for a simple script to list users and groups in your Microsoft 365 tenant.

## Step 0: Specify your user name

You are all working in the same tenant. Edit the following code cell to specify your user name (for example `userone`, `usertwo`...).

Don't forget to run it. That user name will be used for naming resources during the labs.

```powershell
# Specify your user name (for example "userone", "usertwo"...)
$your_username = '<USERNAME>'
```

## Step 1: Create Self-Signed Certificate

Use this method to authenticate from an application running on your own machine, for example a script run from PowerShell 7 or Windows PowerShell. The private key stays in your user certificate store; only the public certificate (`.cer`) is exported for the app registration.

```powershell
# Create a self-signed certificate
$cert = New-SelfSignedCertificate -Subject "CN=PSTrainingCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

$certPath = "C:\eid-msgraphps\PSTrainingCert.cer"

# Export the public certificate only (no private key)
Export-Certificate -Cert $cert -FilePath $certPath
```
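Before handing the certificate to an app registration it is worth confirming what you actually created: that the private key is in the store, how long the certificate is valid, and that the exported `.cer` file carries only the public key. The following check is an added example, not part of the lab; it assumes the subject `CN=PSTrainingCert` and the export path used in the cell above.

```powershell
# Added example: sanity-check the certificate created in Step 1.
# Assumes subject 'CN=PSTrainingCert' and the export path from the cell above.
$certPath = "C:\eid-msgraphps\PSTrainingCert.cer"

# Pick the newest certificate with that subject; re-running the lab leaves older copies in the store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object Subject -eq 'CN=PSTrainingCert' |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=PSTrainingCert found in Cert:\CurrentUser\My" }

[PSCustomObject]@{
    Thumbprint    = $cert.Thumbprint
    HasPrivateKey = $cert.HasPrivateKey   # True: the private key never leaves CurrentUser\My
    NotAfter      = $cert.NotAfter        # New-SelfSignedCertificate defaults to one year of validity
    DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
}

# The exported .cer must be public-key only; that is all the app registration needs.
$exported = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
if ($exported.HasPrivateKey) {
    throw "Exported file unexpectedly contains a private key: $certPath"
}
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file does not match the certificate in the store (thumbprint mismatch)."
}
"OK: $certPath carries only the public key for thumbprint $($exported.Thumbprint)"
```

The `DaysLeft` value is the one to watch in a real deployment: a script that authenticates with an expired certificate fails silently until someone notices the missing output, so the expiry date belongs in whatever monitoring the script has.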

## Step 2: Register the Application

First, you use the PowerShell SDK with delegated access, signed in as an administrator, to create the app registration. Then, with that app registration in place, you can use the PowerShell SDK with app-only access, which is what allows unattended scripts to run without an interactive sign-in.

```powershell
# Define the certificate path
$certPath = "C:\eid-msgraphps\PSTrainingCert.cer"

# Change to the working directory
cd C:\eid-msgraphps

# Open the RegisterAppOnly.ps1 script in VS Code
# Note: In a notebook, this line will not open VS Code but is kept for reference
# code .\RegisterAppOnly.ps1

# Run the script to register the application
$appName = "PSTraining Script ({0})" -f $your_username
.\RegisterAppOnly.ps1 -AppName $appName -CertPath $certPath
```

## Step 3: Grant Admin Consent

Follow the instructions in the output to grant admin consent to the required permissions.
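To make Steps 2 and 3 concrete, here is what a registration of this kind looks like when done directly with the Graph PowerShell SDK cmdlets. This is an added example and not the lab's `RegisterAppOnly.ps1` script (whose contents are not shown here); it assumes you are already connected with a delegated admin session that holds `Application.ReadWrite.All` and `AppRoleAssignment.ReadWrite.All`, that `$your_username` is set from Step 0, and that the certificate subject is `CN=PSTrainingCert`. It requests only the two application permissions the user and group listing needs, looks their role IDs up in the tenant instead of hard-coding them, and grants admin consent by creating the corresponding app role assignments, which is what the consent button in the portal does behind the scenes.

```powershell
# Added example (not the lab's RegisterAppOnly.ps1): register an app with a certificate credential
# and exactly the application permissions the listing script needs, then grant admin consent.
# Assumed: a delegated admin session already exists, e.g.
#   Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All"
$ErrorActionPreference = 'Stop'

# Certificate from Step 1 (newest copy with that subject).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object Subject -eq 'CN=PSTrainingCert' |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate CN=PSTrainingCert not found in Cert:\CurrentUser\My' }

# Resolve the Microsoft Graph service principal in this tenant and look up the app roles by name,
# so the permission IDs are never hard-coded.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$wantedRoles = 'User.Read.All', 'Group.Read.All'
$roles = $graphSp.AppRoles | Where-Object {
    $_.Value -in $wantedRoles -and $_.AllowedMemberTypes -contains 'Application'
}
if (@($roles).Count -ne $wantedRoles.Count) { throw 'Could not resolve all requested Graph app roles.' }

# Create the application: single-tenant, certificate credential (public key only), least privilege.
$app = New-MgApplication -DisplayName ("PSTraining Script ({0})" -f $your_username) `
    -SignInAudience 'AzureADMyOrg' `
    -KeyCredentials @(@{
        Type        = 'AsymmetricX509Cert'
        Usage       = 'Verify'
        Key         = $cert.RawData      # DER-encoded public certificate; the private key stays local
        DisplayName = $cert.Subject
    }) `
    -RequiredResourceAccess @(@{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    })

# The app needs a service principal in the tenant before anything can be consented to it.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Admin consent for application permissions is an app role assignment on the Graph service principal.
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    "Granted {0} to {1}" -f $role.Value, $app.DisplayName
}

# Print the command the unattended script will use (this mirrors the lab script's output).
"Connect-MgGraph -ClientId '{0}' -TenantId '{1}' -CertificateName '{2}'" -f `
    $app.AppId, (Get-MgContext).TenantId, $cert.Subject
```

Two design points worth noting when you read the lab's own output: the registration carries only `User.Read.All` and `Group.Read.All` as application permissions, nothing broader, and the consent is recorded as app role assignments, which you can later audit with `Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id` to confirm that no permission was added beyond what the script was meant to have.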

## Step 4: Test Authentication

Authenticate using the Connect-MgGraph command in the output to test if you can connect to Microsoft Graph using app-only access.

```powershell
# Use the Connect-MgGraph command from the RegisterAppOnly.ps1 output here
# For example: Connect-MgGraph -TenantId "your-tenant-id" -ClientId "your-client-id" -CertificateName "your-certificate-name"
Connect-MgGraph -ClientId "<CLIENTID>" -TenantId "0c03307a-63d3-432f-a343-446b59eb5356" -CertificateName "CN=PSTrainingCert"

# Check the connection context
Get-MgContext
```

```powershell
# Disconnect from Microsoft Graph when finished
Disconnect-MgGraph
```

## Step 5: Create a Script to List Users and Groups

Write a script to list users and groups in your Microsoft 365 tenant. The output should contain only users' and groups' IDs and display names.

Don't forget to:
- Authenticate in your script using the Connect-MgGraph command from RegisterAppOnly.ps1 output
- Disconnect from Microsoft Graph at the end of your script

```powershell
# Example script to list users and groups in Microsoft 365 tenant

# Authentication - replace with your actual values from RegisterAppOnly.ps1 output
# Connect-MgGraph -TenantId "your-tenant-id" -ClientId "your-client-id" -CertificateName "your-certificate-name"
Connect-MgGraph -ClientId "<CLIENTID>" -TenantId "0c03307a-63d3-432f-a343-446b59eb5356" -CertificateName "CN=PSTrainingCert"

# List users (display only ID and DisplayName; -Top 5 limits the output for the lab)
Write-Host "USERS:" -ForegroundColor Cyan
Write-Host "======================================================"
Get-MgUser -Top 5 | Format-Table Id, DisplayName

# List groups (display only ID and DisplayName; -Top 5 limits the output for the lab)
Write-Host "GROUPS:" -ForegroundColor Cyan
Write-Host "======================================================"
Get-MgGroup -Top 5 | Format-Table Id, DisplayName

# Disconnect from Microsoft Graph
Disconnect-MgGraph
```
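The script above does the job for the lab. The version below is an added example, not the lab's solution, showing the three changes a practitioner would make before running it unattended: it verifies from `Get-MgContext` that the session really is app-only and that the token carries only the two expected application permissions before touching any data; it pages through all objects with `-All` and asks Graph for only the two properties it needs with `-Property`; and it disconnects in a `finally` block so the session is torn down even when a call fails. `<CLIENTID>` and the tenant ID are the same placeholders and values as in the lab cell; the scope check assumes the registration was granted exactly `User.Read.All` and `Group.Read.All`.

```powershell
# Added example (not the lab's solution): hardened version of the user/group listing script.
# Assumes the app was granted exactly User.Read.All and Group.Read.All as application permissions.
$ErrorActionPreference = 'Stop'

function Assert-AppOnlyContext {
    # Fail fast if we are not in the session the script was designed for.
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected to Microsoft Graph.' }
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected an app-only session, got '$($ctx.AuthType)'."
    }
    # For app-only sessions, Scopes lists the application permissions (roles) in the token.
    $expected = 'User.Read.All', 'Group.Read.All'
    $missing  = $expected | Where-Object { $_ -notin $ctx.Scopes }
    if ($missing) { throw "Token is missing application permissions: $($missing -join ', ')" }
    $extra = $ctx.Scopes | Where-Object { $_ -notin $expected }
    if ($extra) { Write-Warning "Token carries permissions this script does not need: $($extra -join ', ')" }
    return $ctx
}

try {
    # Values from the RegisterAppOnly.ps1 output
    Connect-MgGraph -ClientId "<CLIENTID>" -TenantId "0c03307a-63d3-432f-a343-446b59eb5356" `
        -CertificateName "CN=PSTrainingCert" -NoWelcome
    $ctx = Assert-AppOnlyContext
    Write-Host ("Connected as app {0} in tenant {1}" -f $ctx.ClientId, $ctx.TenantId) -ForegroundColor Green

    # Request only the two properties we display; -All follows @odata.nextLink through every page.
    $users  = Get-MgUser  -All -Property Id, DisplayName | Select-Object Id, DisplayName
    $groups = Get-MgGroup -All -Property Id, DisplayName | Select-Object Id, DisplayName

    Write-Host "USERS ($(@($users).Count)):" -ForegroundColor Cyan
    Write-Host "======================================================"
    $users | Format-Table Id, DisplayName

    Write-Host "GROUPS ($(@($groups).Count)):" -ForegroundColor Cyan
    Write-Host "======================================================"
    $groups | Format-Table Id, DisplayName
}
finally {
    # Always tear the session down, whether or not the calls above succeeded.
    if (Get-MgContext) { Disconnect-MgGraph | Out-Null }
}
```

The `Assert-AppOnlyContext` check is cheap and catches the two mistakes that are otherwise easy to miss in an unattended script: running under a leftover delegated session from an earlier lab, and running with an app registration that has quietly accumulated more permissions than the script was written for.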