Connecting to Microsoft GraphAPI Using PowerShell

Recently I have been looking to use Microsoft Graph to query specific information for Microsoft 365 services.

Microsoft Graph is an development tool that connects to multiple Microsoft 365 services to allow querying data and automate tasks.

There are a few steps required to start using Graph which involves creating a app registration on Azure to issue authentication tokens and API permission to view data.

Use the Microsoft Graph API – Microsoft Graph | Microsoft Docs

I also used a blog post by AlexAsplund on adamtheautomator as this was very good at explaining the process and goes more in depth.

Using the Microsoft Graph API with PowerShell (adamtheautomator.com)

In this post we will be going through configuring the app registration and query some data from Azure AD.

First step is to logon to the Azure portal > Azure AD > App registration and click on New registration.

Give the app a name and specify the support account type in this case we only want account from our tenant.

Once completed, we should now see the app has been created.

Next step we need to configure the API permissions, depending on the type of access required we will use either delegated or application permission as some data can only be access by either permission types.

below is a extract from the Microsft Docs on permission types

Microsoft identity platform developer glossary | Microsoft Docs

permissions

client application gains access to a resource server by declaring permission requests. Two types are available:

  • “Delegated” permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as “scp” claims in the client’s access token.
  • “Application” permissions, which specify role-based access using the client application’s credentials/identity, are presented to the resource at run-time as “roles” claims in the client’s access token.

To assign permission go to the app registration we created earlier and go to API permissions > Add a permission and select Microsoft Graph.

To check which permissions are required I used the below Microsoft Docs .

Microsoft Graph permissions reference – Microsoft Graph | Microsoft Docs

Select the permission type and the required permission in this case I want to be able to read groups, users and directory so.

Once the required permissions are added if they required admin permission those will need to be granted using the grant admin consent option below.

There are many different way’s to connect to Microsoft Graph but in this post we will be using client secret.

We will need the application ID

We will create a client secret

Give the client secret a name and set the expire in this case we will use 1 year.

There should now be client secret and the value is used to authenticate. (Take note of the value and save in secure location like a password vault or Azure Key vault as once you leave the app blade the value will be hidden and if you lose, it will have to be recreated.)

Once we have the above configured we can connect to GraphApi to generate a token. We will used Invoke-RestMethod.

The secret can be hardcoded but I decided to use read-host so that I could add the secret manually, as it’s not recommend to have any password/secret hardcoded in script.

Below is the command I used to get the token.

$ApplicationID = ""
$TenatDomainName = ""
$AccessSecret = Read-Host "Enter Secret"


$Body = @{    
Grant_Type    = "client_credentials"
Scope         = "https://graph.microsoft.com/.default"
client_Id     = $ApplicationID
Client_Secret = $AccessSecret


$ConnectGraph = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenatDomainName/oauth2/v2.0/token" `
-Method POST -Body $Body

$token = $ConnectGraph.access_token

To verify we have a token run the variable $ConnectGraph to view.

Now that we have a token we can run a queries against GraphAPI.

Below we will be running a query for Azure AD groups and selecting display name.

$GrapGroupUrl = 'https://graph.microsoft.com/v1.0/Groups/'
(Invoke-RestMethod -Headers @{Authorization = "Bearer $($token)"} -Uri $GrapGroupUrl -Method Get).value.displayName

To view some examples we can use Graph Explorer.

Graph Explorer – Microsoft Graph

In a future post we will be going through more query’s and automating tasks using GraphAPI.

10 thoughts on “Connecting to Microsoft GraphAPI Using PowerShell

    1. Hi

      I haven’t used GrapApi with a runbook before so I would have to try that out myself.

      On certificate this is a bit more complicated setup as it requires a lot more command to generate the cert and call it to generate the access token.

      You can also use the MSAL.PS PowerShell Module to generate tokens using a certificate but I haven’t done much with this module yet.
      https://www.powershellgallery.com/packages/MSAL.PS/2.5.0.1

      You could also use the Microsoft Graph PowerShell SDK which allows you to specify a certificate. I have a blog post on this and how to create and upload a self signed cert.
      https://thesleepyadmins.com/2020/11/22/using-microsoft-graph-powershell-sdk/

      Like

      1. Hi there,

        Thank you so much for the article. Absolutely helpful for me.
        Just one question, for some reason I can’t get the number of guest The command that I use shows all users name (member+guest). Any idea how can I have the number of guest user only(What command)?

        Like

      2. Hi Mary

        What command are you using. If you want to query just guest users I have used the filtering on usertype in the invoke-restmethod.

        $GuestsUrl = “https://graph.microsoft.com/beta/users/?filter=usertype eq ‘Guest'”
        $users = (Invoke-RestMethod -Headers @{Authorization = “Bearer $($MSToken.AccessToken)”} -Uri $GuestsUrl -Method Get).value

        I did another post on getting guest users sign in logs which might be usefull.

        https://thesleepyadmins.com/2021/02/27/microsoft-graph-filtering-results-powershell/

        Like

    1. Hi Mary

      To count the Guest users you will probable need to use a variable for your results and then count the objects.

      $GuestsUrl = “https://graph.microsoft.com/beta/users/?filter=usertype eq ‘Guest’”
      $users = (Invoke-RestMethod -Headers @{Authorization = “Bearer $($MSToken.AccessToken)”} -Uri $GuestsUrl -Method Get).value
      $users.count

      The $users.count should return the number of object returned from the graph query and that should be the count of guest users.

      There is a limit on the amount of results that are returned I think its was 996 the last time I did it.

      You could also try the PowerShell SDK I find this is a lot easier to use than trying to do invoke-restmethod.
      https://docs.microsoft.com/en-us/graph/powershell/get-started

      If the results are larger than 996 there is some additional code that needs to be added to get the rest of the results.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s