PSBicep · SimonWahlin · Jul 3, 2025 · Jul 3, 2025
diff --git a/AzResourceGraph/Public/Search-AzResourceGraph.ps1 b/AzResourceGraph/Public/Search-AzResourceGraph.ps1
@@ -42,6 +42,9 @@ Allow partial scopes in the query. Only applicable for tenant and management gro
 Number of rows to request per page (1-1000).
 The function continues paging until all rows are retrieved.
 
+.PARAMETER Token
+Use to call Azure Resource Graph with a specified access token. Using this parameter will override any sign-in made with Connect-AzResourceGraph for a single command.
+
 .EXAMPLE
 # Execute a query stored in a file against two subscriptions
 Search-AzResourceGraph -QueryPath '.\vm-details.kql' `
@@ -90,15 +93,22 @@ function Search-AzResourceGraph {
         [Parameter(ParameterSetName = 'Path')]
         [Parameter(ParameterSetName = 'String')]
         [ValidateRange(1, 1000)]
-        [int]$PageSize = 1000
+        [int]$PageSize = 1000,
+
+        [Parameter(ParameterSetName = 'Path', DontShow)]
+        [Parameter(ParameterSetName = 'String', DontShow)]
+        [string]$Token
     )
 
     # Ensure only one of SubscriptionId or ManagementGroup is provided
     if ($PSBoundParameters.ContainsKey('SubscriptionId') -and $PSBoundParameters.ContainsKey('ManagementGroup')) {
         throw 'KQL Query can only be run against either a Subscription or a Management Group, not both.'
     }
 
-    Assert-AzureConnection -TokenSplat $script:TokenSplat
+    if (-not $PSBoundParameters.ContainsKey('Token')) {
+        Assert-AzureConnection -TokenSplat $script:TokenSplat
+        $Token = $script:Token.Token
+    }
 
     if ($PSCmdlet.ParameterSetName -eq 'Path') {
         $Query = Get-Content $QueryPath -Raw
@@ -120,7 +130,7 @@ function Search-AzResourceGraph {
     if ($PSBoundParameters.ContainsKey('ManagementGroup')) { $Body['managementGroups'] = @($ManagementGroup) }
 
     $Headers = @{
-        'Authorization' = "Bearer $($script:Token.Token)"
+        'Authorization' = "Bearer $Token"
         'Content-Type'  = 'application/json'
     }
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- Added Token parameter to Search-AzResourceGraph function to allow specifying a token for authentication
+
 ### Changed 
 - Updated dependency on AzAuth to version 2.5.0
 

diff --git a/tests/Unit/Private/Assert-AzureConnection.tests.ps1 b/tests/Unit/Private/Assert-AzureConnection.tests.ps1
@@ -105,9 +105,6 @@ Describe 'Assert-AzureConnection' {
                     }
                 } | Should -Throw
             }
-
         }
     }
-
-
 }
diff --git a/tests/Unit/Public/Search-AzResourceGraph.tests.ps1 b/tests/Unit/Public/Search-AzResourceGraph.tests.ps1
@@ -54,4 +54,14 @@ Describe 'Search-AzResourceGraph' {
             $Body.managementGroups -contains 'myMG'
         }
     }
+
+    It 'Calls Assert-AzureConnection when not given a token' {
+        $null = Search-AzResourceGraph -QueryPath '~/foo.kql' -PageSize 10
+        Should -Invoke 'Assert-AzureConnection' -Times 1 -Exactly  -ModuleName 'AzResourceGraph'
+    }
+
+    It 'Does not call Assert-AzureConnection when given a token' {
+        $null = Search-AzResourceGraph -QueryPath '~/foo.kql' -PageSize 10 -Token 'fakeToken'
+        Should -Invoke 'Assert-AzureConnection' -Times 0 -Exactly  -ModuleName 'AzResourceGraph'
+    }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -105,9 +105,6 @@ Describe 'Assert-AzureConnection' { @@
                         }
                     } | Should -Throw
                 }
             }
         }
     }