MgGraphCommunity
1.4.0
A self-contained, community-maintained drop-in alternative to Connect-MgGraph. Pure-PowerShell OAuth 2.0 flows (PKCE, device code, client credentials, certificate, managed identity, BYO token) plus its own Invoke-MgGraphCommunityRequest for calling Graph endpoints. No required dependencies. No WAM. No MSAL.
Minimum PowerShell version
5.1
Installation Options
Owners
Copyright
(c) MgGraphCommunity contributors. Licensed under MIT.
Package Details
Author(s)
- MgGraphCommunity contributors
Tags
Microsoft Graph MgGraph Authentication OAuth PKCE Intune Entra EntraID Community
Functions
Connect-MgGraphCommunity Disconnect-MgGraphCommunity Get-MgGraphCommunityContext Select-MgGraphCommunityContext Invoke-MgGraphCommunityRequest Invoke-MgGraphCommunityBatch Add-MgGraphCommunityDefaultHeader Remove-MgGraphCommunityDefaultHeader Get-MgGraphCommunityDefaultHeader
PSEditions
Dependencies
This module has no dependencies.
Release Notes
1.4.0
- New: Invoke-MgGraphCommunityBatch (alias Invoke-MgcBatch) - combine up to 20 Graph
requests per $batch call, auto-chunking larger sets and auto-retrying throttled
sub-responses. Returns one { id, status, headers, body } per request, in order.
- New: multi-connection switching. Connect now registers every connection; switch the
active one with Select-MgGraphCommunityContext (alias Select-MgcContext) by
-TenantId / -ClientId / -Index / -CacheKey, and enumerate them with
Get-MgGraphCommunityContext -ListAvailable. No re-authentication required.
- New: binary I/O on Invoke-MgGraphCommunityRequest - -InputFilePath (upload file bytes),
-OutputFilePath (stream the raw response to disk, binary-safe across PS 5.1/7.x), and
-ContentType (send non-JSON bodies as-is). Useful for photo/$value and upload sessions.
- New: -MaxRetry on Invoke-MgGraphCommunityRequest. Transient errors (429 / 503 / 504)
are now retried up to MaxRetry times (default 3) with backoff; Retry-After is honored.
Previously 429 and 504 were retried once each and 503 was not retried.
- New: every request sends a client-request-id; Graph request-id / client-request-id are
surfaced in thrown errors for support correlation.
- Change: relative URIs now default to the /beta endpoint (more Graph surface) instead of
/v1.0. Use -V1 on Invoke-MgGraphCommunityRequest / Invoke-MgGraphCommunityBatch for the
stable /v1.0 endpoint. -Beta is retained for compatibility and now matches the default.
- Change: the AccessToken (BYO) flow derives its lifetime from the token's JWT exp claim
instead of assuming 3600 seconds (opaque tokens still fall back to 3600).
- Build: PSScriptAnalyzer now runs in CI (settings in PSScriptAnalyzerSettings.psd1).
1.3.1
- Fix: certificate auth (-Certificate / -CertificateThumbprint / -CertificateName) built
client assertions with nbf/exp skewed by the machine's UTC offset, so Entra ID rejected
them in most non-UTC timezones. Timestamps are now timezone- and culture-safe.
- Interactive flow: loopback listener retries when an OS-assigned port is grabbed in the
bind race; stray local requests (favicon.ico, preconnects) get a 404 instead of aborting
the sign-in; CSRF state now comes from a cryptographic RNG; the browser result page
reflects the state check.
- Token cache: only the refresh token (plus minimal metadata) is persisted - access tokens
no longer touch disk. On macOS/Linux, permissions (700 dir / 600 file) are applied BEFORE
the payload is written and failures warn instead of staying silent. Explicit UTF-8 I/O.
- Request layer: the Authorization header can no longer be overwritten by default or
per-call headers; Add-MgGraphCommunityDefaultHeader rejects 'Authorization'.
-FollowPagination keys on the presence of .value, so empty first pages page correctly and
single-page collections return the same merged-array shape as multi-page results.
- Managed identity (Azure Arc): the challenge-file path from WWW-Authenticate is validated
(Arc tokens directory, .key extension, size cap) before being read.
- Module load fails fast with a clear message on .NET Framework < 4.6 (PS 5.1 on Windows 7 /
Server 2008 R2), which the module's crypto/time APIs require.
1.3.0
- Cross-version support: module now runs on Windows PowerShell 5.1 in addition to PowerShell 7+.
CompatiblePSEditions = Desktop, Core. PowerShellVersion = 5.1.
- Replaced PS 7-only constructs with cross-version equivalents:
* Null-coalescing (??) -> first-non-empty helper in Set-MgcConnectionContext.
* [SHA256]::HashData / [SHA1]::HashData / [RandomNumberGenerator]::Fill (PS 7.1+ static methods)
replaced with Create()+ComputeHash / Create()+GetBytes that work in .NET Framework 4.x.
* ConvertFrom-SecureString -AsPlainText replaced with Marshal BSTR round-trip.
* ConvertFrom-Json -AsHashtable falls back to manual PSObject->Hashtable conversion on PS 5.1.
* Invoke-WebRequest -SkipHttpErrorCheck abstracted behind new private Invoke-MgcHttpRequest
helper that catches WebException on PS 5.1 and exposes a uniform response.
* $IsWindows replaced with Test-MgcIsWindows helper.
- Module auto-enables TLS 1.2 on PowerShell 5.1 (PS 5.1 still defaults to TLS 1.0/1.1).
1.2.1
- Hotfix: Invoke-MgGraphCommunityRequest crashed on PowerShell 7.4+ with
"Cannot convert ... GetString to type System.Byte[]". On PS 7.4+, Invoke-WebRequest
returns the Content property as a string for text/JSON responses, not byte[].
The cmdlet now handles both shapes so it works on PS 7.1 through 7.4+.
1.2.0
- Fix: removed -StatusCodeVariable usage in Invoke-MgGraphCommunityRequest. That parameter is
PowerShell 7.4+ only and broke the cmdlet on PS 7.0-7.3. Now reads status directly from the
response object, works on PS 7.1+.
- Change: Connect-MgGraphCommunity no longer returns the context object to the pipeline.
-NoWelcome now produces a truly silent connect. Use Get-MgGraphCommunityContext to retrieve
the active connection details.
- New: proactive token refresh. If the access token expires within 5 minutes,
Invoke-MgGraphCommunityRequest refreshes silently BEFORE the call (in addition to the
reactive 401-retry path that already existed).
- New: HTTP 504 Gateway Timeout is retried once after a 60-second sleep.
- New: Add-MgGraphCommunityDefaultHeader / Remove-MgGraphCommunityDefaultHeader /
Get-MgGraphCommunityDefaultHeader. Set sticky session headers (e.g. ConsistencyLevel) without
re-passing -Headers on every call. Aliases: Add-MgcHeader / Remove-MgcHeader / Get-MgcHeader.
- Manifest PowerShellVersion bumped from 7.0 to 7.1 to honestly document the .NET 5+ static-method
usage already present in PKCE / SHA256 helpers.
1.1.0
- New: Invoke-MgGraphCommunityRequest (alias Invoke-MgcRequest) - pure-PowerShell Graph caller.
- Removed Microsoft.Graph.Authentication as a RequiredModule. The module is now fully self-contained.
- SDK handoff is opportunistic: if Microsoft.Graph.Authentication is installed we still hand
the token to Connect-MgGraph so Microsoft.Graph.* cmdlets continue to work.
1.0.0
- Initial community release
- Interactive (PKCE + loopback), DeviceCode, ClientSecret, Certificate (X509/Thumbprint/Subject), AccessToken, ManagedIdentity flows
- Environment selection: Global, USGov, USGovDoD, China
- In-memory token cache by default; opt-in DPAPI-encrypted persistence via -PersistRefreshToken
- Pure PowerShell, no MSAL DLL hunting, no compiled C#
FileList
- MgGraphCommunity.nuspec
- CHANGELOG.md
- LICENSE
- MgGraphCommunity.psd1
- MgGraphCommunity.psm1
- Private\Auth\Invoke-MgcClientCertificateAuth.ps1
- Private\Auth\Invoke-MgcClientSecretAuth.ps1
- Private\Auth\Invoke-MgcDeviceCodeAuth.ps1
- Private\Auth\Invoke-MgcInteractiveAuth.ps1
- Private\Auth\Invoke-MgcManagedIdentityAuth.ps1
- Private\Auth\Invoke-MgcRefreshTokenAuth.ps1
- Private\Cache\Clear-MgcTokenCache.ps1
- Private\Cache\Get-MgcTokenCacheEntry.ps1
- Private\Cache\Save-MgcTokenCache.ps1
- Private\Common\ConvertFrom-MgcJwt.ps1
- Private\Common\ConvertFrom-MgcSecureString.ps1
- Private\Common\ConvertTo-MgcHashtable.ps1
- Private\Common\Get-MgcFreePort.ps1
- Private\Common\Get-MgcTokenExpiry.ps1
- Private\Common\Invoke-MgcHttpRequest.ps1
- Private\Common\Invoke-MgcTokenEndpoint.ps1
- Private\Common\New-MgcClientAssertion.ps1
- Private\Common\New-MgcPkcePair.ps1
- Private\Common\Resolve-MgcAuthority.ps1
- Private\Common\Resolve-MgcScopes.ps1
- Private\Common\Test-MgcIsWindows.ps1
- Private\Sdk\Send-MgcTokenToSdk.ps1
- Private\State\Get-MgcSessionSummary.ps1
- Private\State\Set-MgcConnectionContext.ps1
- Private\State\Show-MgcWelcomeBanner.ps1
- Public\Add-MgGraphCommunityDefaultHeader.ps1
- Public\Connect-MgGraphCommunity.ps1
- Public\Disconnect-MgGraphCommunity.ps1
- Public\Get-MgGraphCommunityContext.ps1
- Public\Get-MgGraphCommunityDefaultHeader.ps1
- Public\Invoke-MgGraphCommunityBatch.ps1
- Public\Invoke-MgGraphCommunityRequest.ps1
- Public\Remove-MgGraphCommunityDefaultHeader.ps1
- Public\Select-MgGraphCommunityContext.ps1
- README.md