Recently I have been looking to use Microsoft Graph to query specific information for Microsoft 365 services.
Microsoft Graph is a development tool that connects to multiple Microsoft 365 services to allow querying data and automating tasks.
There are a few steps required to start using Graph, which involve creating an app registration in Azure to issue authentication tokens and assigning API permissions to view data.
Use the Microsoft Graph API – Microsoft Graph | Microsoft Docs
I also used a blog post by AlexAsplund on adamtheautomator, as it was very good at explaining the process and goes more in depth.
Using the Microsoft Graph API with PowerShell (adamtheautomator.com)
In this post we will be going through configuring the app registration and querying some data from Azure AD.
The first step is to log on to the Azure portal > Azure AD > App registration and click on New registration.

Give the app a name and specify the supported account type; in this case we only want accounts from our tenant.

Once completed, we should now see the app has been created.

Next we need to configure the API permissions. Depending on the type of access required we will use either delegated or application permissions, as some data can only be accessed by one of the permission types.
Below is an extract from the Microsoft Docs on permission types.
Microsoft identity platform developer glossary | Microsoft Docs
permissions
A client application gains access to a resource server by declaring permission requests. Two types are available:
- “Delegated” permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as “scp” claims in the client’s access token.
- “Application” permissions, which specify role-based access using the client application’s credentials/identity, are presented to the resource at run-time as “roles” claims in the client’s access token.
To assign permissions, go to the app registration we created earlier, then go to API permissions > Add a permission and select Microsoft Graph.

To check which permissions are required I used the Microsoft Docs page below.
Microsoft Graph permissions reference – Microsoft Graph | Microsoft Docs
Select the permission type and the required permission in this case I want to be able to read groups, users and directory so.

Once the required permissions are added, any that require admin permission will need to be granted using the grant admin consent option below.

There are many different ways to connect to Microsoft Graph, but in this post we will be using a client secret.
We will need the application ID.

We will create a client secret

Give the client secret a name and set the expiry; in this case we will use 1 year.

There should now be a client secret, and its value is used to authenticate. (Take note of the value and save it in a secure location like a password vault or Azure Key Vault, as once you leave the app blade the value will be hidden, and if you lose it, it will have to be recreated.)

Once we have the above configured we can connect to GraphAPI to generate a token. We will use Invoke-RestMethod.
The secret can be hardcoded, but I decided to use Read-Host so that I could add the secret manually, as it’s not recommended to have any password/secret hardcoded in a script.
Below is the command I used to get the token.

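# Application (client) ID of the app registration and the tenant domain name
$ApplicationID = ""
$TenantDomainName = ""
# Prompt for the client secret at run time so it is not stored in the script
$AccessSecret = Read-Host "Enter Secret"
# Request body for the OAuth 2.0 client credentials flow
$Body = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    client_Id     = $ApplicationID
    Client_Secret = $AccessSecret
}
# Request a token from the tenant's v2.0 token endpoint
$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantDomainName/oauth2/v2.0/token" `
    -Method POST -Body $Body
# Keep just the access token for use in the Authorization header
$token = $ConnectGraph.access_token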
To verify we have a token, output the $ConnectGraph variable to view the response.
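As an added example (not part of the original post), the code below decodes the payload of an access token and compares its "roles" claim with the application permissions that were meant to be granted, which is where the glossary extract above says application permissions appear. The function names, the expected permission names (Group.Read.All, User.Read.All, Directory.Read.All) and the sample token are assumptions constructed for illustration; the signature is not validated, so this is a troubleshooting check only.

```powershell
# Added example: compare a token's "roles" claim with the permissions you intended.
function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments use the URL-safe alphabet without '=' padding; restore both.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url segment.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtPayload([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a three-part JWT.' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Compare-TokenRoles([string]$Token, [string[]]$ExpectedRoles) {
    $claims  = Get-JwtPayload $Token
    # A delegated token carries "scp" instead, so "roles" may be absent.
    $granted = @($claims.roles | Where-Object { $_ })
    [pscustomobject]@{
        Audience   = $claims.aud
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
        Missing    = @($ExpectedRoles | Where-Object { $_ -notin $granted })
        Unexpected = @($granted | Where-Object { $_ -notin $ExpectedRoles })
    }
}

# Constructed, unsigned sample token so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"aud":"https://graph.microsoft.com","exp":1767225600,' +
           '"roles":["Group.Read.All","User.Read.All","Directory.ReadWrite.All"]}'
$sample = @(
    (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}')
    (ConvertTo-Base64Url $payload)
    'constructed-signature'
) -join '.'

# With the post's variables, pass $token instead of the constructed $sample.
Compare-TokenRoles -Token $sample `
    -ExpectedRoles 'Group.Read.All', 'User.Read.All', 'Directory.Read.All'
```

Anything listed under Unexpected is a permission the app registration holds beyond what the script needs and is a candidate for removal.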

Now that we have a token we can run queries against GraphAPI.
Below we will be running a query for Azure AD groups and selecting the display name.

# Query all Azure AD groups and return only their display names
$GraphGroupUrl = 'https://graph.microsoft.com/v1.0/Groups/'
(Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $GraphGroupUrl -Method Get).value.displayName
To view some examples we can use Graph Explorer.
Graph Explorer – Microsoft Graph
In a future post we will be going through more queries and automating tasks using GraphAPI.
Hi, thanks for the article.
What is the best way to connect to Graph using app ID and app secret when using runbooks or a certificate?
Hi
I haven’t used GraphAPI with a runbook before so I would have to try that out myself.
On certificates, this is a bit more complicated setup as it requires a lot more commands to generate the cert and call it to generate the access token.
You can also use the MSAL.PS PowerShell module to generate tokens using a certificate, but I haven’t done much with this module yet.
https://www.powershellgallery.com/packages/MSAL.PS/2.5.0.1
You could also use the Microsoft Graph PowerShell SDK, which allows you to specify a certificate. I have a blog post on this and how to create and upload a self-signed cert.
https://thesleepyadmins.com/2020/11/22/using-microsoft-graph-powershell-sdk/
Hi there,
Thank you so much for the article. Absolutely helpful for me.
Just one question: for some reason I can’t get the number of guests. The command that I use shows all user names (member+guest). Any idea how I can get the number of guest users only (what command)?
Hi Mary
What command are you using? If you want to query just guest users, I have used filtering on usertype in Invoke-RestMethod.
$GuestsUrl = "https://graph.microsoft.com/beta/users/?filter=usertype eq 'Guest'"
$users = (Invoke-RestMethod -Headers @{Authorization = "Bearer $($MSToken.AccessToken)"} -Uri $GuestsUrl -Method Get).value
I did another post on getting guest users’ sign-in logs which might be useful.
https://thesleepyadmins.com/2021/02/27/microsoft-graph-filtering-results-powershell/
Thanks for the reply.
What I need is the number of guest users. I found your other post, which helped me a lot. But for some reason I still can’t find the number of guest users; the API might be https://graph.microsoft.com/v1.0/users/$count?$filter=userType eq ‘guest’
Not sure if it’s right or not.
Hi Mary
To count the guest users you will probably need to use a variable for your results and then count the objects.
$GuestsUrl = "https://graph.microsoft.com/beta/users/?filter=usertype eq 'Guest'"
$users = (Invoke-RestMethod -Headers @{Authorization = "Bearer $($MSToken.AccessToken)"} -Uri $GuestsUrl -Method Get).value
$users.count
The $users.count should return the number of objects returned from the Graph query, and that should be the count of guest users.
There is a limit on the amount of results that are returned; I think it was 996 the last time I did it.
You could also try the PowerShell SDK; I find this is a lot easier to use than trying to do Invoke-RestMethod.
https://docs.microsoft.com/en-us/graph/powershell/get-started
If the results are larger than 996 there is some additional code that needs to be added to get the rest of the results.
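The additional code mentioned in the reply above, as an added example that is not the commenter's or the original post's code: Graph returns large collections in pages and includes an @odata.nextLink property while more remain, so the loop follows that link and refuses to send the bearer token to any host other than Graph. The function name Get-GraphAllPages, its -Fetch hook and the two sample pages are assumptions constructed so the loop can be run without a tenant.

```powershell
# Added example: collect every page of a Graph collection by following @odata.nextLink.
function Get-GraphAllPages {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$Token,
        # Hypothetical hook so the paging loop can be exercised without a tenant.
        [scriptblock]$Fetch = { param($u, $h) Invoke-RestMethod -Uri $u -Headers $h -Method Get },
        [int]$MaxPages = 500
    )
    $headers = @{ Authorization = "Bearer $Token" }
    $next = $Uri
    for ($page = 0; $next -and $page -lt $MaxPages; $page++) {
        # Only send the bearer token to Graph over HTTPS, whatever the link says.
        $target = [uri]$next
        if ($target.Scheme -ne 'https' -or $target.Host -ne 'graph.microsoft.com') {
            throw "Refusing to follow link to $next"
        }
        $response = & $Fetch $next $headers
        $response.value                        # emit this page's objects
        $next = $response.'@odata.nextLink'    # not present on the last page
    }
}

# Constructed two-page response standing in for Graph (no network needed).
$first  = 'https://graph.microsoft.com/v1.0/users?$filter=userType eq ''Guest'''
$second = 'https://graph.microsoft.com/v1.0/users?$skiptoken=constructed'
$pages = @{
    $first  = [pscustomobject]@{
        value             = @(@{ displayName = 'Guest A' }, @{ displayName = 'Guest B' })
        '@odata.nextLink' = $second
    }
    $second = [pscustomobject]@{ value = @(@{ displayName = 'Guest C' }) }
}
$fake = { param($u, $h) $pages[$u] }

# Count the guests across all pages of the constructed response.
$guests = @(Get-GraphAllPages -Uri $first -Token 'constructed-token' -Fetch $fake)
$guests.Count

# Against a tenant, drop -Fetch and pass the real token:
# @(Get-GraphAllPages -Uri $first -Token $token).Count
```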
Thank you so much. It worked 🙂
No problem, glad you got it working.
Hi, I’m not getting the token when I run $ConnectGraph. Do you know what else I should check?
Hi Nina
Are you getting any error? Try just running the command without putting it in the $ConnectGraph variable and see if there is anything being returned.