Introduction
If you are installing the MS Graph PowerShell module for the very first time, you may need the Global Admin for your tenant to have consented to the MS Graph PowerShell module. At the backend, Azure AD provides an Enterprise Application called Microsoft Graph PowerShell. The permissions for this app need to be consented to by your admin before you start interacting with this PS module. More about Graph PowerShell and the installation of the Graph PowerShell module can be found in the references section.
Below is the screen capture from the Azure AD Enterprise applications for Graph PowerShell Module.
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
In this article, let’s try to understand the basic identity flows involved in the Graph PowerShell module. Below is the Authorization Code Grant Flow for the Graph PowerShell module.
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
Below are the steps, in brief, that occur between the User, the Admin, and the Graph PowerShell module.
- The user tries to interact with the Graph PowerShell module by running the command Connect-MgGraph.
- At first, the user is taken to the OAuth 2.0 client login.
- After authentication, the Graph PowerShell module checks for user permissions.
- If the permissions are not defined, it asks for user/admin consent based on the scope of operations.
- Once the admin consent is granted, the user is provided with an access token to interact with.
Interacting with Graph PowerShell Module
After installing, if you run the below command to connect to the Graph PowerShell module, you will be asked for approval.
Connect-MgGraph
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
If the setup is completed successfully, you should see the below login pop-up.
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
For certain modules, Global Admin consent is required before you start using this app. For instance, after setting up the Graph module, you cannot connect to it until that consent exists; instead, it gives the below message.
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
It basically says that your permission to interact with this PowerShell module is unverified and that you are required to provide a justification to use this app.
After providing the justification and clicking on ‘Request Approval’, you will get the below message.
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
Once you click on ‘Back to app’, you will get the below message, saying that the user declined to consent to access the app. This is normal, as you do not have consent from your admin in the first place.
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
You will also see the below message in your email inbox.
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
Admin Approval
Once the request is submitted by the user, the Tenant Admin/Global Admin will receive the below message asking them to review the request and provide consent.
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
Once approved, the requestor will be notified, and the required tokens will be provided by Azure AD to interact with the Graph PS module.
Requestor Steps to validate and interact with Graph PS module
Once the Admin has provided the required consent, the requestor will be notified via email. Below is the screen capture for reference.
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
Step 1
Validate the connection by running the command
Connect-MgGraph
![Admin Consent Flow for Microsoft Graph PowerShell Module]()
Step 2
Once you get the welcome message, this confirms that the required permissions are set up to interact with the Graph PowerShell module.
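Beyond the welcome message, the scopes actually carried by the session can be checked directly, and an admin can review what has been consented for the enterprise application. This is an added example, not code from the original article: the function names Test-MgGrantedScope and Get-MgClientAppGrant and the scope names passed in are assumptions for illustration, and it assumes the Microsoft.Graph PowerShell SDK is installed.

```powershell
# Added example: verify consent results instead of relying on the welcome message.
function Test-MgGrantedScope {
    # Connects with an explicit (least-privilege) scope list and reports
    # which of the requested scopes the resulting session really carries.
    param([Parameter(Mandatory)][string[]]$RequiredScopes)

    Connect-MgGraph -Scopes $RequiredScopes -ErrorAction Stop | Out-Null
    $ctx     = Get-MgContext
    $missing = @($RequiredScopes | Where-Object { $ctx.Scopes -notcontains $_ })

    [pscustomobject]@{
        Account   = $ctx.Account
        TenantId  = $ctx.TenantId
        Granted   = $ctx.Scopes
        Missing   = $missing          # non-empty => consent still outstanding
        Consented = ($missing.Count -eq 0)
    }
}

function Get-MgClientAppGrant {
    # Admin-side review: lists delegated permission grants recorded for the
    # enterprise application. The default display name is the one shown in
    # this article (assumption: adjust if your tenant lists it differently).
    # Needs a session that can read directory objects, e.g. Directory.Read.All.
    param([string]$DisplayName = 'Microsoft Graph PowerShell')

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'"
    if (-not $sp) { throw "No service principal named '$DisplayName' found." }

    foreach ($app in $sp) {
        Get-MgOauth2PermissionGrant -Filter "clientId eq '$($app.Id)'" -All |
            ForEach-Object {
                [pscustomobject]@{
                    # AllPrincipals = tenant-wide admin consent,
                    # Principal     = consent for a single user
                    ConsentType = $_.ConsentType
                    PrincipalId = $_.PrincipalId
                    Scopes      = @($_.Scope -split ' ' | Where-Object { $_ })
                }
            }
    }
}

# Example scopes (assumed for illustration).
$check = Test-MgGrantedScope -RequiredScopes 'User.Read', 'Directory.Read.All'
$check | Format-List
if ($check.Consented) { Get-MgClientAppGrant | Format-Table -AutoSize }
```

Grants with ConsentType AllPrincipals apply to every user in the tenant, so the scope list on those rows is the one worth reviewing before approving further requests.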
Conclusion
Thus, in this article, we have seen how to interact with the Graph PowerShell module and the various steps involved in granting Admin Consent.
References