
Having trouble with using an App Registration with MSAL - Is this even possible?? #79

Open
Ju5t4GuyinT3ch opened this issue Oct 24, 2024 · 2 comments

Comments

@Ju5t4GuyinT3ch

Ju5t4GuyinT3ch commented Oct 24, 2024

I'm trying to use an App Registration with MSAL to automate the export without needing to use credentials. It's not working for me this way. I did a lot of tinkering and found the script provided below to work with no errors. The script states that it's connected via UserProvidedAccessToken access using the ClientID. After the script has run and completed, nothing shows in the folder that was created for the backup. I have tried this with a folder that already exists as well, and in different drives/folders.

# Define variables
$backupPath = "C:\Backup\EntraBackup\$((Get-Date).ToString('yyyy-MM-dd'))"
$tenantID = 'Tenant ID'  # Replace with your actual Tenant ID
$clientID = 'Application (client) ID'  # Replace with your Application (client) ID
$clientSecret = 'Application (client) secret'  # Replace with your Application (client) secret (placeholder only; do not keep a real secret in the script file)

# Install the necessary modules if not already installed (before any of their cmdlets are called)
Write-Host 'Installing required modules...'
Install-Module -Name MSAL.PS -Scope CurrentUser
Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser
Install-Module -Name EntraExporter -Scope CurrentUser

# Create backup folder (-Force makes this a no-op when the folder already exists)
New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# Scopes required for the backup operation (Microsoft Graph API).
# With client credentials, /.default asks for every application permission that has been granted to the app registration.
$scopes = @('https://graph.microsoft.com/.default')

# Convert the client secret into a secure string for Get-MsalToken
$secureClientSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force

# Acquire the token for Microsoft Graph API (client credentials flow, no interactive sign-in;
# Get-MsalToken builds the confidential client itself, so no separate New-MsalClientApplication is needed)
Write-Host 'Acquiring token for Microsoft Graph API...'
$tokenResponse = Get-MsalToken -ClientId $clientID -ClientSecret $secureClientSecret -TenantId $tenantID -Scopes $scopes

# Check that a token was retrieved before trying to convert it
if (-not $tokenResponse -or -not $tokenResponse.AccessToken) {
    Write-Host 'Failed to obtain access token. Exiting script.'
    exit 1
}

Write-Host 'Successfully authenticated. Access Token acquired.'

# Connect-MgGraph (Microsoft.Graph.Authentication 2.x) expects the access token as a SecureString
$graphToken = ConvertTo-SecureString $tokenResponse.AccessToken -AsPlainText -Force

# Connect to Microsoft Graph using the acquired token
Write-Host 'Connecting to Microsoft Graph...'
Connect-MgGraph -AccessToken $graphToken -NoWelcome

# Show what the session actually carries: AuthType should be AppOnly and Scopes lists the token's permissions
Get-MgContext | Select-Object TenantId, AuthType, Scopes

# Start the backup process (full export of the tenant)
Write-Host 'Starting backup...'
Export-Entra -Path $backupPath -All

Write-Host 'Backup complete...'
@merill
Contributor

merill commented Oct 29, 2024

This is most probably due to missing scopes in the token.

The readme.md has the list of scopes required for the export.

In addition, you don't need to use MSAL.PS for this; Connect-MgGraph will let you use client credentials.

See the App-only section in this doc: https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0

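The app-only sign-in merill points to, together with a check for the "missing scopes in the token" diagnosis, as an added example that is not code from the EntraExporter project or from either commenter. It assumes the client secret is supplied in an environment variable named ENTRA_CLIENT_SECRET (an assumed name) and that `$requiredRoles` is a placeholder to be replaced with the scope list from the project readme; `Get-JwtClaims` is a helper written here, not a cmdlet from MSAL.PS or the Graph PowerShell SDK.

```powershell
# Added example, not part of EntraExporter or the original script. Assumptions are marked.
# Requires Microsoft.Graph.Authentication 2.x and, for the MSAL.PS branch, MSAL.PS.

$tenantId      = 'Tenant ID'                  # replace
$clientId      = 'Application (client) ID'    # replace
$backupPath    = "C:\Backup\EntraBackup\$((Get-Date).ToString('yyyy-MM-dd'))"
$requiredRoles = @('Directory.Read.All')      # placeholder: use the scope list from the EntraExporter readme

# Assumption: the secret is provided by the scheduler as an environment variable, not stored in the script.
if (-not $env:ENTRA_CLIENT_SECRET) { throw 'ENTRA_CLIENT_SECRET is not set' }
$secureSecret = ConvertTo-SecureString $env:ENTRA_CLIENT_SECRET -AsPlainText -Force

# Helper written for this example: decodes a JWT payload so the 'roles' claim (application permissions)
# can be inspected. It only reads claims; it does not verify the signature.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# --- Option A: keep MSAL.PS and diagnose the token before handing it to Connect-MgGraph ---
$token   = Get-MsalToken -ClientId $clientId -ClientSecret $secureSecret -TenantId $tenantId `
                         -Scopes 'https://graph.microsoft.com/.default'
$roles   = @((Get-JwtClaims $token.AccessToken).roles)
$missing = $requiredRoles | Where-Object { $_ -notin $roles }
if ($missing) {
    # An app-only token with no 'roles' claim is the "connected, but nothing exported" case:
    # the permissions were added on the app registration but admin consent was never granted.
    throw "Token lacks application permissions (grant admin consent): $($missing -join ', ')"
}

# --- Option B: drop MSAL.PS; Connect-MgGraph runs the client-credentials flow itself ---
$cred = [System.Management.Automation.PSCredential]::new($clientId, $secureSecret)
Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $cred -NoWelcome

$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') { throw "Expected AppOnly auth, got $($ctx.AuthType)" }
# For an app-only session, Get-MgContext.Scopes lists the application roles carried by the token.
$missing = $requiredRoles | Where-Object { $_ -notin $ctx.Scopes }
if ($missing) { throw "Session lacks application permissions: $($missing -join ', ')" }

New-Item -ItemType Directory -Path $backupPath -Force | Out-Null
Export-Entra -Path $backupPath -All
```

Either option fails fast with the names of the permissions that are absent from the token, which is the check to run before blaming the export itself: a client-credentials token for `/.default` silently succeeds even when admin consent has not been granted, and the export then has nothing it is allowed to read.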
@Ju5t4GuyinT3ch
Author

Hey merill, thank you for responding so quickly. I have double-checked the MS Graph permissions attached and uploaded an image here of the permissions that I have applied to the API. Do you know if there is a way we can get MSAL.PS to work? We are trying to use MSAL for authentication to remove the need to input credentials and make the script easily automated for a daily automated backup.
[Image]
