Describe the bug
When calling Connect-IntuneAssignmentChecker with only -AppId (intending to use it for interactive/delegated sign-in with a custom app registration, without a Client Secret or Certificate Thumbprint), the supplied AppId is silently ignored. The function falls through to the interactive authentication fallback branch, which calls Connect-MgGraph -Scopes $permissionsList ... without passing -ClientId $AppId. As a result, the connection is made using the Microsoft Graph PowerShell SDK's own first-party app registration instead of the app registration the user specified.
To Reproduce
Call Connect-IntuneAssignmentChecker -AppId "" (no -TenantId, -ClientSecret, -ClientSecretCredential, or -CertificateThumbprint).
When prompted "Would you like to attempt a manual interactive connection? (y/n)", answer y.
Check which app is used for consent/sign-in (e.g. via the sign-in prompt, or Get-MgContext afterwards).
Observe that authentication proceeds using the default Microsoft Graph PowerShell app registration, not the app ID passed via -AppId.
Expected behavior
When -AppId is supplied without a Client Secret or Certificate Thumbprint, the function should still use the specified app registration for interactive/delegated sign-in, i.e. call Connect-MgGraph -ClientId $AppId -Scopes $permissionsList .... The current behaviour drops the AppId parameter entirely once it determines it doesn't have a paired secret/cert credential to go with it.
Additional context
Root cause is in the connection branching logic inside Connect-IntuneAssignmentChecker. The branches only pass AppId through to Connect-MgGraph when it's paired with a Client Secret (-ClientSecretCredential or -ClientSecret) or a Certificate Thumbprint. There's no branch for "AppId supplied, no secret/cert → interactive sign-in with that AppId," so it falls to the generic interactive fallback, which was written before -AppId-only interactive use was a supported scenario. The message shown at that point ("App ID, Tenant ID, or authentication credential ... is missing or not set correctly") is also misleading in this case, since the AppId was set correctly — it's just not being used.
Suggested fix: in the interactive fallback branch, check -not [string]::IsNullOrWhiteSpace($AppId) and, if true, call Connect-MgGraph -ClientId $AppId -Scopes $permissionsList -Environment $script:GraphEnvironment -NoWelcome, otherwise fall back to the current parameterless call.
Connect-IntuneAssignmentChecker.zip
I've let Claude rewrite the Connect-IntuneAssignmentChecker.ps1 and tested it
Describe the bug
When calling Connect-IntuneAssignmentChecker with only -AppId (intending to use it for interactive/delegated sign-in with a custom app registration, without a Client Secret or Certificate Thumbprint), the supplied AppId is silently ignored. The function falls through to the interactive authentication fallback branch, which calls Connect-MgGraph -Scopes $permissionsList ... without passing -ClientId $AppId. As a result, the connection is made using the Microsoft Graph PowerShell SDK's own first-party app registration instead of the app registration the user specified.
To Reproduce
Call Connect-IntuneAssignmentChecker -AppId "" (no -TenantId, -ClientSecret, -ClientSecretCredential, or -CertificateThumbprint).
When prompted "Would you like to attempt a manual interactive connection? (y/n)", answer y.
Check which app is used for consent/sign-in (e.g. via the sign-in prompt, or Get-MgContext afterwards).
Observe that authentication proceeds using the default Microsoft Graph PowerShell app registration, not the app ID passed via -AppId.
Expected behavior
When -AppId is supplied without a Client Secret or Certificate Thumbprint, the function should still use the specified app registration for interactive/delegated sign-in, i.e. call Connect-MgGraph -ClientId $AppId -Scopes $permissionsList .... The current behaviour drops the AppId parameter entirely once it determines it doesn't have a paired secret/cert credential to go with it.
Additional context
Root cause is in the connection branching logic inside Connect-IntuneAssignmentChecker. The branches only pass AppId through to Connect-MgGraph when it's paired with a Client Secret (-ClientSecretCredential or -ClientSecret) or a Certificate Thumbprint. There's no branch for "AppId supplied, no secret/cert → interactive sign-in with that AppId," so it falls to the generic interactive fallback, which was written before -AppId-only interactive use was a supported scenario. The message shown at that point ("App ID, Tenant ID, or authentication credential ... is missing or not set correctly") is also misleading in this case, since the AppId was set correctly — it's just not being used.
Suggested fix: in the interactive fallback branch, check -not [string]::IsNullOrWhiteSpace($AppId) and, if true, call Connect-MgGraph -ClientId $AppId -Scopes $permissionsList -Environment $script:GraphEnvironment -NoWelcome, otherwise fall back to the current parameterless call.
Connect-IntuneAssignmentChecker.zip
I've let Claude rewrite the Connect-IntuneAssignmentChecker.ps1 and tested it