Part 2 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!


Dear Microsoft Azure and Microsoft 365 Friends,


This article continues with the topic Microsoft Graph PowerShell SDK. You can find the first part here:

https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with...


Understand Naming Conventions:


- GET – Retrieve single or multiple objects
- POST – Add single or multiple objects
- PUT – Add single or multiple objects
- PATCH – Update single or multiple objects
- DELETE – Remove single or multiple objects


Graph API versus Graph PowerShell:

[Image: _MSG_01.JPG]

Finding Available cmdlets:

Import-Module Microsoft.Graph

Get-Command -Module Microsoft.Graph*

Get-Command -Module Microsoft.Graph* *Team*

Get-Command -Module Microsoft.Graph* *User*

Get-Command -Module Microsoft.Graph* -Noun *Group*

Get-Command -Module Microsoft.Graph.Authentication


Important!
By default, the Microsoft Graph PowerShell SDK uses the Microsoft Graph REST API v1.0. Some commands return errors when they are run against this endpoint. The resolution is to change the API version (see "Set the API Version" below).

Getting Help for a cmdlet:

Get-Help Get-MgUser

Get-Help Get-MgUser -Category Cmdlet

Get-Help Get-MgUser -Category Function

Get-Help Get-MgUser -Detailed

Get-Help Get-MgUser -Full

Get-Help Get-MgUser -ShowWindow

[Image: _MSG_02.JPG]


Set the API Version:

#View the current API endpoint version
Get-MgProfile

#Set the API to the 'beta' endpoint
Select-MgProfile -Name "beta"

#Set the API to the 'v1.0' endpoint
Select-MgProfile -Name "v1.0"
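As an added example (not code from the original post), the following helper runs a script block under a chosen profile and always restores the previous profile afterwards, so a command that needed beta does not leave the rest of the session running against beta. It assumes SDK 1.x, where Get-MgProfile returns an object with a Name property and Select-MgProfile exists; SDK 2.x removed both cmdlets and ships the beta cmdlets in the separate Microsoft.Graph.Beta module instead.

```powershell
# Added example, not part of the original post.
# Assumes Microsoft Graph PowerShell SDK 1.x (Get-MgProfile / Select-MgProfile available).
function Invoke-WithGraphProfile {
    param(
        [Parameter(Mandatory)][ValidateSet('v1.0', 'beta')][string]$Name,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )

    # Remember what the session was using so it can be restored even on error
    $previous = (Get-MgProfile).Name   # assumption: the profile object exposes .Name
    try {
        if ($previous -ne $Name) {
            Select-MgProfile -Name $Name
        }
        & $ScriptBlock
    }
    finally {
        # Restore the original endpoint whether or not the script block succeeded
        if ((Get-MgProfile).Name -ne $previous) {
            Select-MgProfile -Name $previous
        }
    }
}

# Usage: query users against beta, then show that the session is back on its previous profile
Invoke-WithGraphProfile -Name 'beta' -ScriptBlock {
    Get-MgUser -Top 5 | Select-Object DisplayName, UserPrincipalName
}
(Get-MgProfile).Name
```

Switching the profile is session-wide, so wrapping the switch in try/finally is what keeps a later script in the same console from unexpectedly hitting a preview API.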


What Are Scopes?

- Scopes are Microsoft Graph Permissions
- Scopes must be comma separated
- Scopes use a specific format:
       - Object > Permission > Filter
       - User > Read > All


Microsoft Graph Permissions:

- Delegated Permissions (Used for applications needing to access the API as the signed-in user)

- Application Permissions (Used for applications that run as a background service or daemon without a signed-in user)


Microsoft Graph Permissions Examples:

[Image: _MSG_03.JPG]

User.Read
Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

User.ReadBasic.All
Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.

User.ReadWrite
Allows the app to read your profile. It also allows the app to update your profile information on your behalf.

User.ReadWrite.All
Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.


Connect to Microsoft 365 using Scopes:

#Scopes to Manage Users and Groups with Full Read Write Access
$scopes = @(
"User.ReadWrite.All"
"Directory.ReadWrite.All"
"Group.ReadWrite.All"
)

#Scopes to Create Teams
$scopes = @("Team.Create"
"Group.ReadWrite.All"
)

#Scopes to Manage SharePoint Online Sites and Files
$scopes = @("Sites.FullControl.All"
"Sites.Manage.All"
"Sites.ReadWrite.All"
"Files.ReadWrite.All"
"Files.ReadWrite.AppFolder"
)

#Scopes to Manage Mail
$scopes = @("Mail.ReadWrite"
"Mail.ReadWrite.Shared"
"Mail.Send"
)


Finding Available Permissions:

#SharePoint Sites
Find-MgGraphPermission sites -PermissionType Delegated

#Microsoft Teams
Find-MgGraphPermission teams -PermissionType Delegated

#Users
Find-MgGraphPermission user -PermissionType Delegated

#eDiscovery
Find-MgGraphPermission ediscovery -PermissionType Delegated
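As an added example (not code from the original post), the helper below builds on Find-MgGraphPermission to sort the matching permissions into read-only and write-capable ones and to flag those that need admin consent, so a script can ask for the narrowest scope that covers its task instead of the first ReadWrite match. It assumes, as the cmdlet's tabular output suggests, that each result has Name, Consent, PermissionType and Description properties; the function name Get-GraphPermissionChoices is hypothetical.

```powershell
# Added example, not part of the original post.
# Assumes Find-MgGraphPermission returns objects with Name, Consent,
# PermissionType and Description properties (matches the SDK's table output).
function Get-GraphPermissionChoices {
    param(
        [Parameter(Mandatory)][string]$Keyword,
        [ValidateSet('Delegated', 'Application')][string]$PermissionType = 'Delegated'
    )

    $all = Find-MgGraphPermission $Keyword -PermissionType $PermissionType

    # ".Read", ".Read.All" and ".ReadBasic.All" are read-only; ".ReadWrite..." is not,
    # because the regex requires a dot or end-of-string right after "Read"/"ReadBasic".
    $readOnly = $all | Where-Object { $_.Name -match '\.Read(Basic)?(\.|$)' }
    $write    = $all | Where-Object { $_.Name -match '\.(ReadWrite|Manage|FullControl)' }
    $admin    = $all | Where-Object { $_.Consent -eq 'Admin' }   # assumption: Consent is 'Admin' or 'User'

    [pscustomobject]@{
        Keyword        = $Keyword
        PermissionType = $PermissionType
        ReadOnly       = @($readOnly | Sort-Object Name)
        Write          = @($write    | Sort-Object Name)
        AdminConsent   = @($admin    | Select-Object -ExpandProperty Name | Sort-Object)
    }
}

# Usage: start from the read-only list when the task only reports on users
$choices = Get-GraphPermissionChoices -Keyword 'user'
$choices.ReadOnly | Format-Table Name, Consent, Description -AutoSize
$choices.AdminConsent
```

Entries that appear in AdminConsent cannot be granted by an ordinary user at sign-in, which is worth knowing before a script prompts for them.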


Connect to Microsoft 365

#Connect Using the Standard Command and Scopes
$scopes = @("User.ReadWrite.All"
"Directory.Read.All"
"Group.Read.All"
)
Connect-MgGraph -Scopes $scopes

[Image: _MSG_04.JPG]


When the connection is established, you must confirm the additional consent for the requested scopes after signing in.
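As an added example (not code from the original post), the function below connects with the minimum delegated scopes a task needs and reuses an existing session when it already covers them, so consent is only prompted for what is missing. It assumes Get-MgContext exposes Account and Scopes properties, as it does in SDK 1.x; the function name Connect-GraphLeastPrivilege is hypothetical.

```powershell
# Added example, not part of the original post.
# Assumes Get-MgContext returns $null when disconnected and otherwise exposes
# .Account (signed-in user) and .Scopes (string array of granted permissions).
function Connect-GraphLeastPrivilege {
    param([Parameter(Mandatory)][string[]]$RequiredScopes)

    $ctx = Get-MgContext
    if ($ctx -and $ctx.Account) {
        # Compare what the task needs against what the session already holds
        $missing = @($RequiredScopes | Where-Object { $ctx.Scopes -notcontains $_ })
        if ($missing.Count -eq 0) {
            Write-Host "Reusing session for $($ctx.Account); required scopes already granted."
            return $ctx
        }
        Write-Host "Session lacks: $($missing -join ', '); reconnecting."
    }

    # Only the scopes listed by the caller are requested; nothing broader is consented to
    Connect-MgGraph -Scopes $RequiredScopes | Out-Null
    Get-MgContext
}

# Usage: a read-only reporting task asks for the .Read.All variants, not ReadWrite
$ctx = Connect-GraphLeastPrivilege -RequiredScopes @('User.Read.All', 'Group.Read.All')
$ctx.Scopes
```

Delegated scopes accumulate on the session as you reconnect with additional ones, so run Disconnect-MgGraph when a broadly scoped task is finished rather than leaving that token in the console.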


#Connect Using an Azure App Registration (replace the placeholders with your own values)
Connect-MgGraph -ClientId "<your ClientId>" -TenantId "<your TenantId>" -CertificateThumbprint "<your CertificateThumbprint>"
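As an added example (not code from the original post), the function below wraps the app-registration connection with a pre-flight check that the certificate is actually present with its private key and not expired, and a post-check that the resulting session is app-only rather than delegated. It assumes Get-MgContext exposes an AuthType property with the value 'AppOnly' for certificate-based sessions; the function name and the placeholder values are hypothetical.

```powershell
# Added example, not part of the original post.
# Assumes Get-MgContext exposes .AuthType ('AppOnly' or 'Delegated').
function Connect-GraphAppOnly {
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$CertificateThumbprint
    )

    # Look in both user and machine stores; the SDK needs the private key to sign the client assertion
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $CertificateThumbprint } |
        Select-Object -First 1

    if (-not $cert) {
        throw "Certificate $CertificateThumbprint not found in CurrentUser\My or LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $CertificateThumbprint has no private key; the SDK cannot sign the assertion."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $CertificateThumbprint expired on $($cert.NotAfter)."
    }

    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint | Out-Null

    # Confirm the session really is app-only; a delegated session here means the wrong auth path was taken
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') {
        throw "Expected an app-only session but got AuthType '$($ctx.AuthType)'."
    }
    $ctx
}

# Usage (placeholder values, constructed for the example):
$ctx = Connect-GraphAppOnly -ClientId '<your ClientId>' -TenantId '<your TenantId>' -CertificateThumbprint '<your CertificateThumbprint>'
$ctx.AuthType
$ctx.Scopes
```

Because application permissions are not limited by a signed-in user, the Scopes shown on the returned context are the full set consented to on the app registration, which is worth reviewing against what the script actually uses.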


So that was it for the second part. In the next part you will learn how to customize an existing connection, and more!

I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler


P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
