Part 3 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!


 

Dear Microsoft Azure and Microsoft 365 Friends,

 

This article continues with the topic Microsoft Graph PowerShell SDK.

 

Part 1 and 2 can be found here:

https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with...

 

https://techcommunity.microsoft.com/t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with...

 

How to Connect to Microsoft 365?

1. With a direct command (interactive sign-in with delegated scopes)
or
2. With an Azure App Registration (app-only access)

 

Modifying an Existing Connection:

- Scopes must be requested for each connection
- Scope permissions apply to the current session only (unless using an Azure App Registration)
- Additional permissions require reconnecting with the full set of scopes specified

 

Viewing Existing Connection Details:

#If needed
Import-Module Microsoft.Graph

 

#Connect to Microsoft 365 to Access Users and Groups
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All"


 

#View Current Connection Details
Get-MgContext
(Get-MgContext).AuthType
(Get-MgContext).Scopes


 

Reconnect Connection with Updated Scopes:

#Original Connection
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All"

 

#Update the Connection to also allow "Group Members" (the full scope list is specified again)
Connect-MgGraph `
-Scopes "User.ReadWrite.All","Group.ReadWrite.All","GroupMember.ReadWrite.All"


 

Don't forget: when updating the connection, you need to confirm the consent prompt again.

 

#View the new Current Connection Details
Get-MgContext
(Get-MgContext).AuthType
(Get-MgContext).Scopes
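The reconnect procedure above, wrapped in a helper that only reconnects when the current session lacks a required scope. This is an added example and not the article's own code; the function name is hypothetical, and it assumes the Microsoft.Graph module is installed and the signed-in user can consent.

```powershell
# Added example (not from the article): reconnect only when the current delegated
# session is missing one of the scopes the script needs.
function Connect-MgGraphWithRequiredScopes {
    param(
        [Parameter(Mandatory)]
        [string[]] $RequiredScopes
    )

    $ctx = Get-MgContext

    # No session yet: connect with exactly the scopes we need.
    if (-not $ctx) {
        Connect-MgGraph -Scopes $RequiredScopes | Out-Null
        return Get-MgContext
    }

    # An app-only context carries application permissions, not delegated scopes;
    # reconnecting with -Scopes would silently replace it with a delegated session.
    if ($ctx.AuthType -ne 'Delegated') {
        throw "Current context is $($ctx.AuthType); disconnect before switching to delegated scopes."
    }

    # Scope comparison is case-insensitive; find what the session does not hold.
    $missing = $RequiredScopes | Where-Object { $ctx.Scopes -notcontains $_ }

    if (-not $missing) {
        Write-Verbose "Existing session already holds: $($ctx.Scopes -join ', ')"
        return $ctx
    }

    # Scopes are per session, so request the full set (existing + new), as the
    # article does, rather than only the additions. This prompts for consent again.
    $union = @($ctx.Scopes + $RequiredScopes | Sort-Object -Unique)
    Write-Host "Reconnecting to add: $($missing -join ', ')"
    Connect-MgGraph -Scopes $union | Out-Null
    return Get-MgContext
}

# Usage: the first call establishes the session, the second adds GroupMember.ReadWrite.All.
Connect-MgGraphWithRequiredScopes -RequiredScopes "User.ReadWrite.All","Group.ReadWrite.All" | Out-Null
$ctx = Connect-MgGraphWithRequiredScopes -RequiredScopes "GroupMember.ReadWrite.All"
"$($ctx.AuthType) session with scopes: $($ctx.Scopes -join ', ')"
```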


 

Connecting Using an Azure App Registration (Advantages of Azure App Registrations):

- App-only access grants permissions to the application itself, not to a signed-in user
- Requires admin consent
- Predefined permissions control what the application can access

 

Prerequisites to Using App-only Authentication:

- Requires a certificate
        - Self-signed or issued by a certificate authority
- Register an Azure Active Directory app
- Assign the required permission scopes
- Share the public key of the certificate with the app registration

 

Creating a Self-signed Certificate:

#Create the Certificate

$cert = New-SelfSignedCertificate -Subject "CN={GraphCertificate}" -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable -KeySpec Signature `
    -KeyLength 4096 -KeyAlgorithm RSA -HashAlgorithm SHA256

 

#Export the Created Certificate
Export-Certificate -Cert $cert -FilePath "C:\Certs\{GraphCertificate}.cer"

 

#Set the Password and Export as "PFX" (the .pfx contains the private key; only the .cer is uploaded to the app registration)
$pwd = ConvertTo-SecureString -String "{Password}" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "C:\Certs\{GraphCertificate}.pfx" -Password $pwd

 

Create the Azure App Registration:

1. Navigate to the Azure Active Directory admin center
2. Register a new application using "Accounts in this organizational directory only"
3. Copy the Application (client) ID and the Directory (tenant) ID
4. Assign the API permissions
5. Upload the certificate (the exported .cer file)

 

Connect Using Azure App Registration:

#Connect Using an Azure App Registration
Connect-MgGraph `
-ClientId "YOUR CLIENT ID" `
-TenantId "YOUR TENANT ID" `
-CertificateThumbprint "YOUR CERT THUMBPRINT"

 

#Check the Current Context
Get-MgContext
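The app-only connection above, as an added example (not the article's own code) that locates the certificate by subject, refuses an expired one, and verifies that the resulting context is really AppOnly for the expected application. The function name is hypothetical, the IDs are placeholders, and it assumes the certificate was created in Cert:\CurrentUser\My as shown above.

```powershell
# Added example (not from the article): connect app-only with a certificate check
# and confirm the context before running anything against the tenant.
function Connect-MgGraphAppOnly {
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $CertificateSubject,   # e.g. "CN=GraphCertificate"
        [int] $MinDaysValid = 30
    )

    # Pick the matching certificate with the latest expiry that still has its private key.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $CertificateSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

    if (-not $cert) {
        throw "No certificate with subject '$CertificateSubject' and a private key in Cert:\CurrentUser\My"
    }

    # Expired certificates fail the token request; warn early when rotation is due.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt 0) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
    }
    if ($daysLeft -lt $MinDaysValid) {
        Write-Warning "Certificate $($cert.Thumbprint) expires in $daysLeft days; rotate it soon."
    }

    Connect-MgGraph -ClientId $ClientId -TenantId $TenantId `
        -CertificateThumbprint $cert.Thumbprint | Out-Null

    # Verify we got an app-only context for the expected app, not a leftover delegated session.
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly' -or $ctx.ClientId -ne $ClientId) {
        Disconnect-MgGraph | Out-Null
        throw "Unexpected context: AuthType=$($ctx.AuthType) ClientId=$($ctx.ClientId)"
    }
    return $ctx
}

# Usage (placeholder IDs): the application permissions granted to the app show up in Scopes.
$ctx = Connect-MgGraphAppOnly -ClientId "YOUR CLIENT ID" -TenantId "YOUR TENANT ID" `
    -CertificateSubject "CN=GraphCertificate"
"Connected app-only as $($ctx.ClientId); application permissions: $($ctx.Scopes -join ', ')"
```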

 

That's it for the third part. In the next part, we will continue with managing Users and Groups. See you soon!

 

I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
