From 1a1f9c8d9fda40f9510acb8b38f78b41dd4c7ecf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Thu, 23 Apr 2026 00:46:00 +0200 Subject: [PATCH 1/3] Clarify WAM settings and custom app registration steps Updated the note regarding WAM and added instructions for disabling it with a custom app registration. --- docs/authentication.md | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/docs/authentication.md b/docs/authentication.md index fe273823f7..9484e01dae 100644 --- a/docs/authentication.md +++ b/docs/authentication.md 
@@ -129,4 +129,37 @@ Set-MgGraphOption -EnableLoginByWAM $true ```PowerShell Set-MgGraphOption -EnableLoginByWAM $false ``` -#### Note: Signin by Web Account Manager (WAM) is enabled by default on Windows and cannot be disabled. Setting this option to $False will have no effect on Windows systems. + +**Note: Signin by Web Account Manager (WAM) is enabled by default on Windows and cannot be disabled. Setting this option to $False will have no effect on Windows systems. Except if you use your own app (see below)** + +To disable WAM on Windows, use `Set-MgGraphOption -DisableLoginByWAM $true` and then connect with a custom `-ClientId` (see [Custom App Registration](#custom-app-registration) below): + +```PowerShell +Set-MgGraphOption -DisableLoginByWAM $true +Connect-MgGraph -ClientId "" -TenantId "" -Scopes "User.Read" +``` + +### Custom App Registration + +By default, `Connect-MgGraph` uses Microsoft's own built-in app registration, but you can use your own app registration. + +#### 1. Register the app in the Entra admin center + +1. Go to **Entra admin center** → **App registrations** → **New registration**. +2. Give it a name (e.g., `MyGraphPowerShellApp`). +3. Set **Supported account types** to match your needs (e.g., *Single tenant*). +4. Skip the redirect URI here — you will add it in the next step. +5. Click **Register**, then copy the **Application (client) ID**. + +#### 2. Configure authentication + +In the **Authentication** blade of your new app registration: + +1. Click **Add Redirect URI** → **Mobile and desktop applications**. +2. Add the following redirect URIs: + - `https://login.microsoftonline.com/common/oauth2/nativeclient` + - `ms-appx-web://Microsoft.AAD.BrokerPlugin/` (replace with **your own app's client ID**) +3. Validate with **Configure** +4. Open the **Settings** tab +5. Set **Allow public client flows** to **Enabled**. +6. Click **Save**. From 7efec76a459f8398ab0921d9485248461966f5f8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Thu, 23 Apr 2026 00:48:32 +0200 Subject: [PATCH 2/3] Add version --- docs/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/authentication.md b/docs/authentication.md index 9484e01dae..2ffd1d9cc6 100644 --- a/docs/authentication.md +++ b/docs/authentication.md @@ -132,7 +132,7 @@ Set-MgGraphOption -EnableLoginByWAM $false **Note: Signin by Web Account Manager (WAM) is enabled by default on Windows and cannot be disabled. Setting this option to $False will have no effect on Windows systems. Except if you use your own app (see below)** -To disable WAM on Windows, use `Set-MgGraphOption -DisableLoginByWAM $true` and then connect with a custom `-ClientId` (see [Custom App Registration](#custom-app-registration) below): +Starting with v2.35.1, to disable WAM on Windows, use `Set-MgGraphOption -DisableLoginByWAM $true` and then connect with a custom `-ClientId` (see [Custom App Registration](#custom-app-registration) below): ```PowerShell Set-MgGraphOption -DisableLoginByWAM $true From 58ee126345ceba8257491362e1d8642a64ef9cc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Thu, 23 Apr 2026 00:52:01 +0200 Subject: [PATCH 3/3] Link to official doc instead --- docs/authentication.md | 34 +++------------------------------- 1 file changed, 3 insertions(+), 31 deletions(-) diff --git a/docs/authentication.md b/docs/authentication.md index 2ffd1d9cc6..d7fae8a3c2 100644 --- a/docs/authentication.md +++ b/docs/authentication.md 
@@ -132,34 +132,6 @@ Set-MgGraphOption -EnableLoginByWAM $false **Note: Signin by Web Account Manager (WAM) is enabled by default on Windows and cannot be disabled. Setting this option to $False will have no effect on Windows systems. Except if you use your own app (see below)** -Starting with v2.35.1, to disable WAM on Windows, use `Set-MgGraphOption -DisableLoginByWAM $true` and then connect with a custom `-ClientId` (see [Custom App Registration](#custom-app-registration) below): - -```PowerShell -Set-MgGraphOption -DisableLoginByWAM $true -Connect-MgGraph -ClientId "" -TenantId "" -Scopes "User.Read" -``` - -### Custom App Registration - -By default, `Connect-MgGraph` uses Microsoft's own built-in app registration, but you can use your own app registration. - -#### 1. Register the app in the Entra admin center - -1. Go to **Entra admin center** → **App registrations** → **New registration**. -2. Give it a name (e.g., `MyGraphPowerShellApp`). -3. Set **Supported account types** to match your needs (e.g., *Single tenant*). -4. Skip the redirect URI here — you will add it in the next step. -5. Click **Register**, then copy the **Application (client) ID**. - -#### 2. Configure authentication - -In the **Authentication** blade of your new app registration: - -1. Click **Add Redirect URI** → **Mobile and desktop applications**. -2. Add the following redirect URIs: - - `https://login.microsoftonline.com/common/oauth2/nativeclient` - - `ms-appx-web://Microsoft.AAD.BrokerPlugin/` (replace with **your own app's client ID**) -3. Validate with **Configure** -4. Open the **Settings** tab -5. Set **Allow public client flows** to **Enabled**. -6. Click **Save**. +Starting with v2.35.1, to disable WAM on Windows, use `Set-MgGraphOption -DisableLoginByWAM $true` and then connect with a custom `-ClientId`. 
+To create your custom app, follow the guide to [Use delegated access with a custom application for Microsoft Graph PowerShell](https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0#use-delegated-access-with-a-custom-application-for-microsoft-graph-powershell +). You should also add the redirect URI of `ms-appx-web://Microsoft.AAD.BrokerPlugin/` to ensure that you can use WAM against that app registration as well.
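Review bot: in the PATCH 1/3 hunk (`@@ -129,4 +129,37 @@`), the second redirect URI `ms-appx-web://Microsoft.AAD.BrokerPlugin/` is followed by "(replace with your own app's client ID)" but contains nothing to replace; the WAM broker redirect URI carries the application (client) ID after the trailing slash, so the list item should read `ms-appx-web://Microsoft.AAD.BrokerPlugin/<your-client-id>` (or similar) so that the instruction has a target. In the same hunk, `Connect-MgGraph -ClientId "" -TenantId "" -Scopes "User.Read"` uses empty strings as placeholders, which a reader can copy verbatim and get a confusing failure; use visible placeholders such as `"<client-id>"` and `"<tenant-id>"`. Two smaller points: the bold note says WAM "cannot be disabled" and then, in the next sentence, that it can "except if you use your own app", so reword it as one statement (it can only be disabled when connecting with a custom app registration); and step 5 of "Configure authentication" ("Allow public client flows") is needed for this flow but also makes the registration usable with device code and other public-client grants, so a one-line caveat that the app should stay single tenant with least-privilege API permissions is worth adding next to it.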
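Review bot: the "Starting with v2.35.1" qualifier added in the PATCH 2/3 hunk should also appear in the bold note above it, which still states unconditionally that WAM "cannot be disabled"; a reader on an older module version who runs `Set-MgGraphOption -DisableLoginByWAM $true` from the code block below gets no hint why it has no effect. The page now documents two different switches, `-EnableLoginByWAM $false` (no effect on Windows) and `-DisableLoginByWAM $true` (works only together with a custom `-ClientId`); state explicitly that these are distinct options so readers do not assume one is an alias for the other.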
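Review bot: in the PATCH 3/3 hunk the markdown link to the official guide is broken: the closing `)` of the link sits on the following line after a newline, so the URL is not terminated and most renderers will not emit a link. Keep `[Use delegated access with a custom application for Microsoft Graph PowerShell](https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0#use-delegated-access-with-a-custom-application-for-microsoft-graph-powershell)` on one line. The final sentence again gives the broker redirect URI as `ms-appx-web://Microsoft.AAD.BrokerPlugin/` without the client ID suffix; write it as `ms-appx-web://Microsoft.AAD.BrokerPlugin/<your-client-id>` so readers do not register a redirect URI that never matches. The paragraph also first explains how to disable WAM and then says to add that URI "to ensure that you can use WAM"; clarify that the extra redirect URI is for the case where WAM is left enabled with the custom app, not a step in disabling it.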