Microsoft Graph Proxy for PowerShell Clients¶
Introduction¶
In enterprise environments, managing and securing API keys, application secrets, and access tokens is critical to preventing credential sprawl and unauthorized data exposure. The 12Port HTTP Proxy for Microsoft Graph introduces identity-aware HTTP interception capabilities. This feature forces all Microsoft Graph API calls through the PAM gateway, ensuring that sensitive application secrets are centralized, managed securely, and never exposed to client workstations or scripts, enabling secure, Zero Trust access to Microsoft Graph APIs for managing Microsoft Entra ID, Azure, and Microsoft 365 environments.
Technical Overview¶
The 12Port HTTP Proxy operates as a transparent proxy for incoming graph.microsoft.com traffic. When a client application initiates a request, the proxy performs TLS termination, enforces access control policies, dynamically injects OAuth access tokens, and securely forwards the authenticated payload to the Microsoft Graph endpoint.
Request and Traffic Flow¶
- Proxy Redirection & NTLM Authentication: The Windows client redirects its HTTP/HTTPS traffic to the 12Port HTTP Proxy using a .NET
WebProxyconfiguration. The client authenticates via NTLM using a structured routing username formatting convention:[user]#[target-asset-name](e.g.,user#graph). - Principal & Authorization Resolution: The proxy interceptor processes the NTLM credentials, maps the connection to an authorized 12Port user, and evaluates role-based access control (RBAC) permissions against the requested target asset.
- TLS Interception: The proxy establishes a TLS session with the client using a dynamically generated leaf certificate signed by its internal, user-trusted root CA.
- Token Swapping and Injection: The proxy captures the transmission, strips out the client's placeholder Bearer token, fetches a valid Entra ID access token from Microsoft using the application client secret securely stored in the gateway, and injects the live token into the upstream request payload.
- Upstream Forwarding & Auditing: The proxy forwards the request to
https://graph.microsoft.com. The response is channeled back through the proxy to the caller, establishing a fully audited and logged session.
Use Cases¶
- Elimination of Secret Sprawl: Prevents developers, administrators, and automated scripts from storing Entra ID Client Secrets locally on workstations, in configuration files, or within source control.
- Centralized API Auditing: Audits and streams all enterprise Microsoft Graph API requests through a single gateway for compliance, logging, and security evaluation.
- Granular Role-Based Access: Restricts access to Microsoft Graph endpoints at the gateway level. Even if an application registration has broad tenant-wide permissions, access can be restricted to specific authorized 12Port users and groups.
Before You Start¶
Before starting configuration, verify that the following environment criteria are met:
| Requirement | Details |
|---|---|
| 12Port HTTP Proxy Status | Enabled under Configuration -> HTTP Proxy Configuration with a valid key pair generated. |
| Entra ID Application Registration | An active App Registration containing the Tenant ID, Client ID, and an active Client Secret configured with appropriate application permissions (e.g., User.Read.All). |
| Windows Client Environment | PowerShell 5+ running with the Microsoft.Graph module installed. The user must possess elevated administrative permissions locally to modify the machine's Trusted Root Certification Authorities store. |
| Network Topology | Unhindered network reachability from the client host to the proxy listener IP and port (Default example: 8800). |
Configuration & Implementation Steps¶
Step 1: Download the Proxy Root CA Certificate¶
To perform TLS interception seamlessly, the client must trust the gateway's certificate chain.
- Authenticate to the 12Port Web Console with a Site Administrator account.
- Navigate to Configuration -> HTTP Proxy Configuration.
- Verify that the proxy status is Enabled and a valid cryptographic key pair is assigned.
- Click Download CA Certificate and choose the appropriate format (CER is recommended for most Windows deployments).
- Save the generated public certificate to your local client path (e.g.,
%USERPROFILE%\Documents\proxy.cer).
Note: The download payload contains only the public certificate component. The private key remains secure and never leaves the 12Port gateway.
Step 2: Establish the MS Graph Endpoint Asset¶
Create the Target Asset registry within the 12Port Asset Database to securely isolate the Entra ID application parameters.
- Navigate to the Assets database and add a new asset of type MS Graph Endpoint. Note this is a hidden, by default, asset type so it needs to be unhidden first from the Management > Asset Types page.
- Configure the resource using the parameters defined below:
| Field | Configuration Value |
|---|---|
| Name | A unique, shorthand routing identifier used by the proxy client login (e.g., graph). |
| Tenant Id | The directory / Tenant GUID of your Entra ID instance. |
| Client Id | The Application / Client GUID of your target App Registration. |
| Client Secret | The plaintext application secret. (Stored encrypted securely; locked post-save). |
| URL | https://graph.microsoft.com |
| Authentication Type | Secret |
3. Assign Access Control: Assign target users an explicit asset permission role within 12Port (Asset Viewer permission level or higher) to grant access rights through the proxy.
Routing Logic Example: When a client establishes an authentication context targeting
user#graph, the gateway uses the suffix taggraphto dynamically match the configuration asset Name designated in this step.
Step 3: Provision the CA Certificate onto the Client Workstation¶
Import the downloaded root CA into the local machine's system configuration to allow the .NET runtime environment and Microsoft Graph SDK to trust the proxy's runtime leaf certificates.
Open an elevated administrative PowerShell console on the target client and execute the following commands:
# Import the public root CA into the local machine's Trusted Root Certificate store
certutil -addstore -f Root "$env:USERPROFILE\Documents\proxy.cer"
# Verify successful installation by looking for the designated proxy identifier string using the "TenantName" of the certificate
certutil -store Root | Select-String "<TenantName>"
Warning: Trusting this root CA gives the proxy the technical capability to intercept TLS contexts matching its designated routing rules on this system. Deploy this certificate strictly on managed corporate workstations destined for proxied graph paths.
Step 4: Establish Proxy Connection via Microsoft Graph PowerShell SDK¶
Use the following script example framework to route your PowerShell Graph SDK sessions through the proxy. This script configures a global .NET proxy context, passes NTLM credentials, and initiates an SDK runtime context with a placeholder token.
- Replace $proxyUrl with your 12Port Host and HTTP Proxy Port Number (line 4 - "http://{pam.contoso.com}:8800")
- Replace $proxuAuth -UserName with your 12Port User and Target Asset Name (line 8 - "12Port-User#Asset-Name")
Functional Code Analysis¶
-
$proxyUrl = "http://...:8800": Points to the internal 12Port proxy network listener interface.
-
Get-Credential -UserName "12Port-User#Asset-Name": Generates the NTLM identity verification challenge. The #Asset-Name suffix defines the target asset created in Step 2.
-
[System.Net.WebRequest]::DefaultWebProxy = $proxy: Binds the global .NET network sub-layer, forcing downstream HTTP commands issued by the Graph SDK engine to route directly through the proxy listener.
-
Connect-MgGraph -AccessToken $secureToken: Forces the local Graph SDK module instance into passing structural requests without authenticating against Entra ID directly. The proxy drops this token value and injects the actual production Entra token payload.
-
Get-MgUser -Top 5: Standard downstream commands execute normally. All communications route directly through the auditable gateway infrastructure.
Note: After
Connect-MgGraphcompletes successfully, the PowerShell session remains connected to the configured Microsoft Graph endpoint for this current session (or untilDisconnect-MgGraphis executed). You do not need to rerun the full connection script before every Graph operation. Simply execute additional Microsoft Graph PowerShell cmdlets (for example,Get-MgGroup,Get-MgDevice, orNew-MgUser) from the existing PowerShell prompt, and they will continue to be routed through the established proxy connection using the same configured MS Graph Endpoint asset.
Expanded Proxy Connection Example Script¶
Building upon the basic connection PowerShell script from Step 4, this advanced script transforms the session into an interactive, reusable management tool. Instead of executing a single hardcoded query, it leverages Invoke-MgGraphRequest to let administrators dynamically issue GET, POST, and PATCH requests against any Microsoft Graph endpoint within a repeatable loop. It features on-the-fly JSON body ingestion for data updates, custom OData query parsing, and interactive data visualization choices (including tables, lists, and Out-GridView).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 | |
Session Reporting Behavior¶
12Port Microsoft Graph proxy activity is recorded as logical sessions within the 12Port Session Report rather than as individual HTTP proxy connections. This allows related activity from the same user to be grouped into a single auditable session, even if the underlying PowerShell process or network connection is disconnected or restarted.
A logical session is correlated using the authenticated user identity and the target Microsoft Graph Endpoint asset. The session lifecycle behaves as follows:
The Session Report statuses are reported as follows:
| Session Stage | Session Report Behavior |
|---|---|
| Session Created | A new Microsoft Graph proxy connection creates a Session Report entry with a status of Active. |
| Session Completion | After a period of inactivity, the existing Session Report entry automatically transitions to Completed. |
| Session Resumption | If the same user reconnects to the same Microsoft Graph Endpoint asset before the logical session expires, the existing Session Report entry is resumed by changing its status back to Active. |
| New Logical Session | Once the logical session has expired, the previous Session Report entry remains Completed. Any subsequent connection by the same user to the same Microsoft Graph Endpoint asset creates a new Session Report entry with a status of Active. |
Note: It is therefore normal for multiple PowerShell processes or proxy connections initiated by the same user against the same Microsoft Graph Endpoint asset to appear as a single Session Report entry when they occur within the session continuation window.
Troubleshooting¶
| Symptom | Probable Cause | Remediation Action |
|---|---|---|
| TLS / SSL Trust Errors calling Microsoft Graph | Root CA certificate not installed, invalid, or isolated inside the wrong user store scope. | Ensure the installation script is executed from an elevated (Run as Administrator) PowerShell window. Verify certificate store integration using certutil -store Root. |
| HTTP Error 407: Proxy Authentication Required | NTLM authentication parameters are invalid, or the user profile lacks the required permissions matching the asset. | Validate that the user credentials format strictly adheres to 12Port-User#Asset-Name. Verify that the caller identity has been assigned a valid Asset Viewer permission on the target asset. |
| HTTP Error 401: Unauthorized from Graph | The upstream Entra ID App Registration parameters are incorrect, or permissions are insufficient. | Access the Microsoft Entra ID admin center. Validate that the application secret is active and that your application permissions (e.g., User.Read.All) have been granted Tenant Admin Consent. |
| Requests bypass the proxy entirely | The Graph SDK fails to honor the global DefaultWebProxy context configurations. | Verify that the global system variable configs are declared prior to executing Connect-MgGraph. Ensure that local environmental system override values such as HTTP_PROXY or HTTPS_PROXY are not conflicting with script runtime declarations. |