May 04 2022 06:52 AM
Dear Microsoft Azure and Microsoft 365 Friends,
This article continues with the topic Microsoft Graph PowerShell SDK. You can find the first part here:
Understand Naming Conventions:
- GET – Retrieve single or multiple objects
- POST – Add single or multiple objects
- PUT – Add single or multiple objects
- PATCH – Update single or multiple objects
- DELETE – Remove single or multiple objects
Graph API versus Graph PowerShell:
Finding Available cmdlets:
Get-Command -Module Microsoft.Graph*
Get-Command -Module Microsoft.Graph* *Team*
Get-Command -Module Microsoft.Graph* *User*
Get-Command -Module Microsoft.Graph* -Noun *Group*
Get-Command -Module Microsoft.Graph.Authentication
By default, the Microsoft Graph PowerShell SDK uses the Microsoft Graph REST API v1.0. Commands that are only available on the other endpoint fail with errors when run against the wrong version. The resolution is to switch the API version (see "Set the API Version" below).
Getting Help for a cmdlet:
Get-Help Get-MgUser -Category Cmdlet
Get-Help Get-MgUser -Category Function
Get-Help Get-MgUser -Detailed
Get-Help Get-MgUser -Full
Get-Help Get-MgUser -ShowWindow
Set the API Version:
#View the current API endpoint version
Get-MgProfile
#Set the API to the 'beta' endpoint
Select-MgProfile -Name "beta"
#Set the API to the 'v1.0' endpoint
Select-MgProfile -Name "v1.0"
What Are Scopes?
- Scopes are Microsoft Graph Permissions
- Scopes must be comma separated
- Scopes use a specific format:
  - Object > Permission > Filter
  - User > Read > All
Microsoft Graph Permissions:
- Delegated Permissions (Used for applications needing to access the API as the signed-in user)
- Application Permissions (Used for applications that run as a background service or daemon without a signed-in user)
Microsoft Graph Permissions Examples:
- Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
- Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.
- Allows the app to read your profile. It also allows the app to update your profile information on your behalf.
- Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
Connect to Microsoft 365 using Scopes:
#Scopes to Manage Users and Groups with Full Read Write Access
#(the scope list was cut off in the original; these two names are the ones implied by the comment above)
$scopes = @("User.ReadWrite.All", "Group.ReadWrite.All")
#Scopes to Create Teams
$scopes = @("Team.Create")
#Scopes to Manage SharePoint Online Sites and Files
$scopes = @("Sites.FullControl.All")
#Scopes to Manage Mail
$scopes = @("Mail.ReadWrite")
Finding Available Permissions:
Find-MgGraphPermission sites -PermissionType Delegated
Find-MgGraphPermission teams -PermissionType Delegated
Find-MgGraphPermission user -PermissionType Delegated
Find-MgGraphPermission ediscovery -PermissionType Delegated
Connect to Microsoft 365
#Connect Using the Standard Command and Scopes
$scopes = @("User.ReadWrite.All")
Connect-MgGraph -Scopes $scopes
When establishing a connection, you are prompted after signing in to consent to the requested scopes; the connection is only usable once that consent has been confirmed.
#Connect Using an Azure App Registration
Connect-MgGraph -ClientId <your ClientId> -TenantId <your TenantId> -CertificateThumbprint <your CertificateThumbprint>
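As an added example (not code from the article or from the Microsoft Graph SDK itself), the script below ties the scope and connection steps above together: it verifies each requested scope name with Find-MgGraphPermission, warns on tenant-wide permissions so the reviewer consciously keeps the request minimal, and after Connect-MgGraph compares the scopes actually granted (from Get-MgContext) with what was requested. The function names and the sample scope list are assumptions; Microsoft.Graph.Authentication is assumed to be installed.

```powershell
# Added example, not part of the original article.
# Assumes the Microsoft.Graph.Authentication module is installed.

function Test-MgScopeRequest {
    param(
        [Parameter(Mandatory)] [string[]] $RequestedScopes,
        [ValidateSet('Delegated', 'Application')] [string] $PermissionType = 'Delegated'
    )

    $unknown = @()
    foreach ($scope in $RequestedScopes) {
        # -ExactMatch returns nothing when the name is not a Graph permission (e.g. a typo)
        $match = Find-MgGraphPermission -SearchString $scope -ExactMatch -PermissionType $PermissionType
        if (-not $match) { $unknown += $scope; continue }

        # Tenant-wide permissions deserve a deliberate decision, so surface their description
        if ($scope -match '\.All$|FullControl') {
            Write-Warning "'$scope' is tenant-wide ($($match.Consent) consent): $($match.Description)"
        }
    }
    if ($unknown) { throw "Unknown scope name(s): $($unknown -join ', ')" }
}

function Connect-MgGraphChecked {
    param([Parameter(Mandatory)] [string[]] $Scopes)

    Test-MgScopeRequest -RequestedScopes $Scopes
    Connect-MgGraph -Scopes $Scopes -ErrorAction Stop | Out-Null

    # Get-MgContext reports the scopes the session actually holds; consent can leave some out
    $context = Get-MgContext
    $granted = @($context.Scopes)
    $missing = @($Scopes | Where-Object { $granted -notcontains $_ })

    [pscustomobject]@{
        Account   = $context.Account
        Requested = $Scopes
        Granted   = $granted
        Missing   = $missing
    }
}

# Constructed sample: read users, and create teams rather than manage every team
Connect-MgGraphChecked -Scopes @('User.Read.All', 'Team.Create')
```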
So that was it for the second part. In the next part you will learn how to customize an existing connection and more....!
I hope this article was useful. Thank you for taking the time to read the article.
Best regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler