Trying to connect to MsGraph in a 7.2 Runbook

Dave Richardson 26 Reputation points
2025-06-27T16:06:45.1133333+00:00

I have created an App registration to use to connect to MsGraph and created a self-signed certificate in a key vault.


I also added the certificate to the Azure Automation account.

When I run this Runbook:

# Read tenant, subscription, app id and certificate thumbprint from Automation variables
$TenantId = Get-AutomationVariable -Name 'tenantId'
$SubScriptionId = Get-AutomationVariable -Name 'subscriptionId'
$appid = Get-AutomationVariable -Name 'appid'
$thumbprint = Get-AutomationVariable -Name 'thumbprint'

Disable-AzContextAutosave -Scope Process    # Ensures you do not inherit an AzContext in your runbook

# Sign in to Azure with the Automation account's managed identity
$azureContext = (Connect-AzAccount -Subscription $SubScriptionId -Tenant $TenantId -Identity).context

# set and store context
Write-Output "-> Setting context"
$azureContext = Set-AzContext -SubscriptionName $azureContext.Subscription -DefaultProfile $azureContext

$tenantid = Get-AutomationVariable -Name 'tenantId'

#Connect to Graph with the app registration and the certificate thumbprint
write-Output "Connecting to Graph"
Connect-MgGraph -TenantId $tenantid -ClientId $appid -CertificateThumbprint $thumbprint

This is the result I get; I'm not connected to MsGraph:

Mode             : Process
ContextDirectory : 
ContextFile      : 
CacheDirectory   : 
CacheFile        : 
KeyStoreFile     : 
Settings         : {}
-> Setting context
Connecting to Graph
Invalid JWT access token.

This is driving me nuts.

Azure Automation

1 answer

  1. Naveena Patlolla 3,605 Reputation points Microsoft External Staff Moderator
    2025-07-01T14:24:19.0866667+00:00

    Hi Dave Richardson,
    Please use the below script in the Automation Account.

    Prerequisites:

    • Azure App Registration:
      • Upload the certificate (.cer).
      • Add the required Graph Application permissions (e.g., User.Read.All, Mail.Send, etc.).
      • Grant admin consent.
    • Export the .pfx version of the certificate and upload it to:
      Azure Automation → Shared Resources → Certificates.
    • Azure Automation Runbook (PowerShell):

    $TenantId = "<tenant_id>"
    $ClientId = "<app_id>"
    $CertName = "GraphAutomationCert"
    # Get the certificate (with its private key) from the Automation account
    $cert = Get-AutomationCertificate -Name $CertName
    # App-only scope: every Application permission granted to the app
    $scope = "https://graph.microsoft.com/.default"
    # Get-MsalToken comes from the MSAL.PS module, which must be imported into the Automation account
    # (it is not part of Microsoft.Graph.Authentication)
    Import-Module MSAL.PS
    # Get a token with the client-credentials flow, authenticating with the certificate
    $tokenResponse = Get-MsalToken -ClientId $ClientId `
                                   -TenantId $TenantId `
                                   -ClientCertificate $cert `
                                   -Scopes $scope
    $accessToken = $tokenResponse.AccessToken
    # Sample Graph API call: list users, following @odata.nextLink to page through all results
    $headers = @{
        Authorization = "Bearer $accessToken"
    }
    $uri = "https://graph.microsoft.com/v1.0/users"
    while ($uri) {
        $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method GET
        $response.value | ForEach-Object {
            Write-Output "User: $($_.displayName), UPN: $($_.userPrincipalName)"
        }
        $uri = $response.'@odata.nextLink'
    }


    Please let me know if you face any challenge here; I can help you resolve this issue further.

    Provide your valuable comments.

    Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.
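The following is an added example, not code from the question or the answer above. It does the same job as the answer's script (an app-only Graph token from a certificate stored in the Automation account) without the MSAL.PS module: it builds and signs the client-assertion JWT itself, exchanges it at the v2.0 token endpoint, and decodes the returned access token to check that it actually carries application roles before handing it to the Graph SDK. It assumes the Automation variable names from the question (`tenantId`, `appid`), the certificate asset name from the answer (`GraphAutomationCert`), and Microsoft.Graph.Authentication 2.x (whose `-AccessToken` takes a SecureString). Note that `Connect-MgGraph -CertificateThumbprint` looks the certificate up in the local user/machine certificate store, and a certificate uploaded to an Automation account is not installed there; `Get-AutomationCertificate` is how the runbook gets the X509Certificate2 object with its private key.

```powershell
# Added example: certificate-based app-only Graph token from an Azure Automation runbook (PowerShell 7.2),
# built with a hand-signed client assertion (RFC 7523) instead of MSAL.PS.
# Assumed assets: Automation variables 'tenantId' and 'appid', certificate 'GraphAutomationCert'.
$TenantId = Get-AutomationVariable -Name 'tenantId'
$ClientId = Get-AutomationVariable -Name 'appid'
$cert     = Get-AutomationCertificate -Name 'GraphAutomationCert'   # X509Certificate2 incl. private key

# Fail early with a clear message instead of an opaque token error
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$($cert.Subject)' has no private key; upload the .pfx, not the .cer"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)"
}

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# JWT header: RS256, plus x5t = base64url(SHA-1 thumbprint) so Entra can pick the registered cert
$header = [ordered]@{
    alg = 'RS256'
    typ = 'JWT'
    x5t = ConvertTo-Base64Url $cert.GetCertHash()
} | ConvertTo-Json -Compress

# JWT claims: audience is the token endpoint, issuer and subject are the app (client) id
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$claims = [ordered]@{
    aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    iss = $ClientId
    sub = $ClientId
    jti = [guid]::NewGuid().ToString()
    nbf = $now
    exp = $now + 600          # 10 minutes is plenty; the assertion is used once, immediately
} | ConvertTo-Json -Compress

$signingInput = "$(ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))).$(ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($claims)))"
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$signature = $rsa.SignData(
    [Text.Encoding]::UTF8.GetBytes($signingInput),
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = "$signingInput.$(ConvertTo-Base64Url $signature)"

# client_credentials grant, authenticating with the signed assertion
$body = @{
    client_id             = $ClientId
    scope                 = 'https://graph.microsoft.com/.default'
    grant_type            = 'client_credentials'
    client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'
    client_assertion      = $assertion
}
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body $body -ContentType 'application/x-www-form-urlencoded'

# Decode the access token payload (no signature check needed here; we only inspect our own token)
$payload = $tokenResponse.access_token.Split('.')[1]
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$tokenClaims = [Text.Encoding]::UTF8.GetString(
    [Convert]::FromBase64String($payload.Replace('-', '+').Replace('_', '/'))) | ConvertFrom-Json
Write-Output "Token audience: $($tokenClaims.aud); roles: $($tokenClaims.roles -join ', ')"
if (-not $tokenClaims.roles) {
    throw "Token has no application roles: grant Graph Application permissions to the app and admin-consent them"
}

# Hand the token to the Graph SDK (2.x expects a SecureString) and make a test call
Connect-MgGraph -AccessToken (ConvertTo-SecureString $tokenResponse.access_token -AsPlainText -Force) -NoWelcome
Get-MgUser -Top 5 -Property displayName, userPrincipalName | Select-Object displayName, userPrincipalName
```

If you only need the SDK and do not want to see the raw token, the shorter equivalent is `Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -Certificate $cert` with the same `$cert` from `Get-AutomationCertificate`; the manual flow above is mainly useful when a connection fails, because it separates "the certificate cannot sign a valid assertion" (error from the token endpoint) from "the token has no permissions" (empty `roles` claim) from "the Graph call itself is rejected".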

