Forum Discussion

TomWechsler
May 29, 2022

Part 5 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!

Dear Microsoft Azure and Microsoft 365 Friends,

This article continues with the topic Microsoft Graph PowerShell SDK. Parts 1 to 4 can be found here:

https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3300352
https://techcommunity.microsoft.com/t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3302366
https://techcommunity.microsoft.com/t5/windows-powershell/part-3-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3339696
https://techcommunity.microsoft.com/t5/windows-powershell/part-4-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3409310

This article is about connecting to Exchange Online. Remember: connections to the Microsoft Graph are protected by one or more permission scopes, so every session should request only the scopes the task at hand needs.


Service Scopes:

Exchange Online (focus in this article): Mail and Calendar
SharePoint Online: Files and Sites
Microsoft Teams: Teams, Channels, Chats and Members


Mail Delegated Permissions:

Mail.Read
Allows reading mail in user mailboxes

Mail.ReadBasic
Allows reading mail in the signed-in user's mailbox, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties

Mail.ReadWrite
Allows creating, reading, updating, and deleting mail in user mailboxes

Mail.Read.Shared
Allows reading mail that the user can access, including the user's own and shared mail

Mail.ReadWrite.Shared
Allows creating, reading, updating, and deleting mail that the user has permission to access, including the user's own and shared mail

Mail.Send
Allows sending mail as users in the organization

Mail.Send.Shared
Allows sending mail as the signed-in user, including sending on behalf of others

MailboxSettings.Read
Allows reading the user's mailbox settings

MailboxSettings.ReadWrite
Allows creating, reading, updating, and deleting the user's mailbox settings

IMAP.AccessAsUser.All
Allows reading, updating, creating and deleting mail in user mailboxes

POP.AccessAsUser.All
Allows reading, updating, creating and deleting mail in user mailboxes

SMTP.Send
Allows sending mail as users in the organization


Mail Application Permissions:

Mail.Read
Allows reading mail in all mailboxes without a signed-in user

Mail.ReadBasic.All
Allows reading all users' mailboxes except Body, BodyPreview, UniqueBody, Attachments, ExtendedProperties, and Extensions

Mail.ReadWrite
Allows creating, reading, updating, and deleting mail in all mailboxes without a signed-in user

Mail.Send
Allows sending mail as any user without a signed-in user

MailboxSettings.Read
Allows reading users' mailbox settings without a signed-in user

MailboxSettings.ReadWrite
Allows creating, reading, updating, and deleting users' mailbox settings without a signed-in user


Calendar Delegated Permissions:

Calendars.Read
Allows reading events in user calendars

Calendars.Read.Shared
Allows reading events in all calendars that the user can access, including delegate and shared calendars

Calendars.ReadWrite
Allows creating, reading, updating, and deleting events in user calendars

Calendars.ReadWrite.Shared
Allows creating, reading, updating, and deleting events in all calendars the user has permission to access

Calendar Application Permissions:

Calendars.Read
Allows reading events of all calendars without a signed-in user

Calendars.ReadWrite
Allows creating, reading, updating, and deleting events of all calendars without a signed-in user


Connecting to Exchange Online:

Set-Location C:\
Clear-Host

#If needed
Import-Module Microsoft.Graph

#Set the API to the 'beta' endpoint
Select-MgProfile -Name "beta"

#We check the profile
Get-MgProfile

#Connection for Creating, Reading, Updating, and Deleting Mail
$scopes = @("Mail.ReadWrite")
Connect-MgGraph -Scopes $scopes

#We search for a UserID
Get-MgUser

#An example
$User = Get-MgUser -UserId "ab8637c3-39ba-47f3-ad53-7fcd9a3f49a6"
$mailfolders = Get-MgUserMailFolder -UserId $User.Id -All
$mailfolders

#Connection for Sending Mail as Users in the Organization
$scopes = @("SMTP.Send")
Connect-MgGraph -Scopes $scopes

#Connection for Creating, Reading, Updating, and Deleting Events in User Calendars
$scopes = @("Calendars.ReadWrite")
Connect-MgGraph -Scopes $scopes

#An example
$User = Get-MgUser -UserId "ab8637c3-39ba-47f3-ad53-7fcd9a3f49a6"
$calendar = Get-MgUserCalendar -UserId $User.Id -All
$calendar

#Core Connection for Managing Mail and Calendar
$scopes = @("Mail.ReadWrite","Calendars.ReadWrite")
Connect-MgGraph -Scopes $scopes

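As an added example, not code from Tom's post or from the Graph SDK project: a small wrapper around Connect-MgGraph that requests only the scopes a task needs, compares them with what Get-MgContext reports for the session, and then lists mailbox folders using the read-only Mail.Read scope from the delegated permission list above instead of Mail.ReadWrite. The function names are my own and the mailbox address is a placeholder.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# module is installed and the signed-in user may consent to Mail.Read.
# Function names are my own; the mailbox address is a placeholder.

function Connect-MgGraphLeastPrivilege {
    param([Parameter(Mandatory)] [string[]] $RequestedScopes)

    Connect-MgGraph -Scopes $RequestedScopes | Out-Null

    # Standard OpenID Connect scopes are always present; ignore them when
    # comparing what was asked for with what the session actually carries.
    $oidc    = @('openid', 'profile', 'email', 'offline_access')
    $granted = (Get-MgContext).Scopes | Where-Object { $_ -notin $oidc }

    # The token can carry every delegated permission this user has already
    # consented to for the Graph PowerShell app, not only the scopes requested
    # now. Fail if something is missing, warn if the token is broader than the
    # task needs, so a read-only script never runs with write rights unnoticed.
    $missing = $RequestedScopes | Where-Object { $_ -notin $granted }
    $extra   = $granted | Where-Object { $_ -notin $RequestedScopes }
    if ($missing) { throw "Scopes not granted: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "Token also carries: $($extra -join ', ')" }
    return $granted
}

function Get-MailboxFolderSummary {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # Folder metadata is readable with Mail.Read alone; the post's example used
    # Mail.ReadWrite, which this read-only task does not need. Taking the UPN as
    # a parameter also avoids Get-MgUser, which would need User.ReadBasic.All.
    Get-MgUserMailFolder -UserId $UserPrincipalName -All |
        Select-Object DisplayName, TotalItemCount, UnreadItemCount |
        Sort-Object TotalItemCount -Descending
}

# Usage: read-only audit of one mailbox, then drop the session.
Connect-MgGraphLeastPrivilege -RequestedScopes @('Mail.Read')
Get-MailboxFolderSummary -UserPrincipalName 'user@contoso.example' | Format-Table
Disconnect-MgGraph
```

Run the same wrapper with @("Calendars.Read") before a calendar audit; the warning output is the quickest way to notice that an earlier consent to Mail.ReadWrite or Calendars.ReadWrite is still attached to the session.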

So that's it again for part 5; we'll see you again in the next part! A little preview: in the next part we'll talk about SharePoint Online and Microsoft Teams in the Microsoft Graph. See you soon.

I hope this article was useful. Thank you for taking the time to read the article.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

farismalaeb (Steel Contributor):
A great topic through 1 to 5.
In MSGraph things are really presented in a new way, unlike the traditional method, where the admin used to have everything by default.
This makes a new challenge for scripters to update their scripts and find the correct scope.
I enjoyed going through your post and I guess we need to do more of that and more examples.
Thanks for your time.
