Powershell Universal Microsoft Bookings delegation

Product: PowerShell Universal
Version: 2.9.3

Hi All,

I have an issue with Microsoft Bookings integration with Powershell Universal which I hope someone could shed some light and point me in the right direction if possible.

Basically I’ve been working on revamping some tools for our service desk and all is coming along nicely. We are starting to use Microsoft Bookings for users and wanted some way of managing and automating site creation and administration and incorporate that into the new tool set.

We want to achieve this using ‘on behalf as’ permissions using a service account so users aren’t prompted or required to use MFA (which interactive logins aren’t supported?) This service account will authenticate with the registered Azure app and retrieve delegated access for read/write msbookings.

Over the past week or so i’ve been able to build a fairly robust tool for this purpose which up until last weekend stopped working. I believe this has to do with the delegation msbookings requires. Previously, I got around the interactive login by leaving a authenticated powershell session connected to graph with the required scopes open on the server (not very secure but just for testing purposes) and this seemed to work for PSU without any problems. I think it was using device authentication but it did allow me to finish the tools I wanted. Sadly this no longer works.

Basically I’m at a point now where I can’t connect to MSBookings from PSU and a little bit stumped. I have tried using a cert with works perfectly fine to connect to graph but will not allow me to add scopes to use MSBookings without admin consent (which isn’t practical for us). I can also connect to graph without issue retrieving a token however I don’t seem be able to pass this on in PSU.

To give you a better idea of what I’m trying to achieve;

This form allows registered users to create MSBookings sites in there basic form.

Using normal PowerShell this all seems fine and works as intended so I believe the Azure side is all setup correctly and working as it should.

Has anybody had any experience with Bookings? If so would it be possible to give me some pointers?

Sorry for the long post!


This all worked perfectly previously, however, I now get this error when attempting to use this tool.

Did you end up figuring this out? If not, the error in your second post specifically has the “Interactive authentication is not supported in this session, falling back to DeviceCode”. You mentioned “leaving a[n] authenticated PowerShell session connected to Graph”. I’m wondering, how did you establish the session to Bookings? Generic Invoke-Restmethod to retrieve/store a token? Or are you using the MSGraph PowerShell module provided by Microsoft (e.g. “Connect-MsGraph”)? Not sure I can help, but we setup an App Registration in Azure, using Certificate based authentication, then have this function to connect to Graph (assumes the cert is in the certificate store of the service account running the PSU instance):

$MgGraphConnection = @{
    CertificateThumbprint = (Get-ChildItem Cert:\CurrentUser\my | Select-Object -ExpandProperty Thumbprint)
    ClientId = '<GUID>'
    TenantId = '<GUID>'
    Scopes = 'User.Read.All'
Connect-MgGraph @MgGraphConnection

Edit: Forgot to mention, we use the Microsoft Graph PowerShell modules (Microsoft.Graph.*), and we mostly use the Invoke-MgGraphRequest since it can derive the access within the PowerShell session where Connect-MgGraph was used. That said, we don’t really do this within PSU (yet! :grinning:)

1 Like

Hi OtherPeoplesCode,

Sorry for the long delay!

The Graph connection im using is pretty much exactly the same as you posted :slight_smile: I’m using certificate based authentication to initiate the connection to graph and then consenting to required permissions for Bookings etc etc. All this is using the Microsoft Graph PowerShell modules to retrieve and write data.

Currently, as far as I’m aware, there is no way around the admin consent required (until Microsoft allow application delegation) when applying the required scopes for bookings. Connecting to Graph isn’t an issue, just the permissions for bookings. Graph keeps the session open providing you have a valid token and will stay active until you have disconnected either manually or via script.

This is my current method from scratch;
*Open up a elevated PS and connect to graph with admin consent will be required for the booking scopes and obtain token/token refresh from Azure App.
*Close PS.
*In PSU any commands /actions requiring graph read/write I reconnect with the appropriate scopes added each time (for example retrieving booking sites, etc etc) - This may not be ideal but it works and allows us to use Graph and everything else requiring it without additional consent.

This would probably not be ideal for everyone (security etc) however in our case everything is locked down and the service account used allows permissions to be used to users who would normally require PIM to action tasks

Our sever is running a service account for PSU which has required permissions for Graph etc etc. This also works for SharePoint/teams etc etc

Bookings Page

Bookings Administration - List of booking sites - Can click on row to bring up details

Details of booking site - Can add/remove admins and delete site etc