Part 2 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!
Dear Microsoft Azure and Microsoft 365 Friends,

This article continues with the topic Microsoft Graph PowerShell SDK. You can find the first part here:
https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3300352

Understand Naming Conventions:
- GET – Retrieve single or multiple objects
- POST – Add single or multiple objects
- PUT – Add single or multiple objects
- PATCH – Update single or multiple objects
- DELETE – Remove single or multiple objects

Graph API versus Graph PowerShell:

Finding Available cmdlets:

    Import-Module Microsoft.Graph
    Get-Command -Module Microsoft.Graph*
    Get-Command -Module Microsoft.Graph* *Team*
    Get-Command -Module Microsoft.Graph* *User*
    Get-Command -Module Microsoft.Graph* -Noun *Group*
    Get-Command -Module Microsoft.Graph.Authentication

Important! By default, the Microsoft Graph PowerShell SDK uses the Microsoft Graph REST API v1.0. This can generate errors when trying to execute commands. The resolution is to change the version.

Getting Help for a cmdlet:

    Get-Help Get-MgUser
    Get-Help Get-MgUser -Category Cmdlet
    Get-Help Get-MgUser -Category Function
    Get-Help Get-MgUser -Detailed
    Get-Help Get-MgUser -Full
    Get-Help Get-MgUser -ShowWindow

Set the API Version:

    #View the current API endpoint version
    Get-MgProfile
    #Set the API to the 'beta' endpoint
    Select-MgProfile -Name "beta"
    #Set the API to the 'v1.0' endpoint
    Select-MgProfile -Name "v1.0"

What Are Scopes?
- Scopes are Microsoft Graph Permissions
- Scopes must be comma separated
- Scopes use a specific format:
  - Object > Permission > Filter
  - User > Read > All

Microsoft Graph Permissions:
- Delegated Permissions (Used for applications needing to access the API as the signed-in user)
- Application Permissions (Used for applications that run as a background service or daemon without a signed-in user)

Microsoft Graph Permissions Examples:
- User.Read: Allows users to sign-in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
- User.ReadBasic.All: Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.
- User.ReadWrite: Allows the app to read your profile. It also allows the app to update your profile information on your behalf.
- User.ReadWrite.All: Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
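A pre-connection review of the scope sets this article goes on to request, as an added example that is not from the original article: it splits each name into the Object.Permission.Filter parts described above and ranks it. Get-MgScopeReview, the write-verb list, the Low/Medium/High ranking and the approved list are assumptions made for illustration.

```powershell
# Added example; Get-MgScopeReview is a hypothetical helper, not an SDK cmdlet.
function Get-MgScopeReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Scope
    )
    begin {
        # Permission verbs that change data, taken from the scopes this series names.
        # AccessAsUser is listed because IMAP/POP.AccessAsUser.All allow create/update/delete.
        $writeVerbs = 'ReadWrite', 'FullControl', 'Manage', 'Send', 'Create', 'AccessAsUser'
    }
    process {
        foreach ($name in $Scope) {
            # Format from the article: Object.Permission[.Filter], e.g. User.Read.All
            $parts = $name.Split('.')
            if ($parts.Count -lt 2) {
                Write-Warning "Skipping '$name': not in Object.Permission[.Filter] form"
                continue
            }
            $filter    = ($parts | Select-Object -Skip 2) -join '.'
            $canWrite  = $writeVerbs -contains $parts[1]
            $allFilter = $filter -eq 'All'
            $risk = 'Low'
            if ($canWrite -or $allFilter)  { $risk = 'Medium' }
            if ($canWrite -and $allFilter) { $risk = 'High' }
            [pscustomobject]@{
                Scope = $name; Object = $parts[0]; Permission = $parts[1]
                Filter = $filter; Risk = $risk
            }
        }
    }
}

# Scope sets copied from the article's examples.
$fullAccess = 'User.ReadWrite.All', 'Directory.ReadWrite.All', 'Group.ReadWrite.All'
$narrower   = 'User.ReadWrite.All', 'Directory.Read.All', 'Group.Read.All'
$fullAccess | Get-MgScopeReview | Format-Table Scope, Permission, Filter, Risk
$narrower   | Get-MgScopeReview | Format-Table Scope, Permission, Filter, Risk

# Gate: connect only if every High scope is on an approved list (the list is an assumption).
$approvedHigh = @('User.ReadWrite.All')
$blocked = $fullAccess | Get-MgScopeReview |
    Where-Object { $_.Risk -eq 'High' -and $approvedHigh -notcontains $_.Scope }
if ($blocked) {
    Write-Warning ('Not connecting, unapproved scopes: ' + ($blocked.Scope -join ', '))
} else {
    Connect-MgGraph -Scopes $fullAccess
}
```

After connecting, piping (Get-MgContext).Scopes through the same function shows what the session actually holds, which can include scopes consented to in earlier sessions.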
Connect to Microsoft 365 using Scopes:

    #Scopes to Manage Users and Groups with Full Read Write Access
    $scopes = @(
        "User.ReadWrite.All",
        "Directory.ReadWrite.All",
        "Group.ReadWrite.All"
    )

    #Scopes to Create Teams
    $scopes = @(
        "Team.Create",
        "Group.ReadWrite.All"
    )

    #Scopes to Manage SharePoint Online Sites and Files
    $scopes = @(
        "Sites.FullControl.All",
        "Sites.Manage.All",
        "Sites.ReadWrite.All",
        "Files.ReadWrite.All",
        "Files.ReadWrite.AppFolder"
    )

    #Scopes to Manage Mail
    $scopes = @(
        "Mail.ReadWrite",
        "Mail.ReadWrite.Shared",
        "Mail.Send"
    )

Finding Available Permissions:

    #SharePoint Sites
    Find-MgGraphPermission sites -PermissionType Delegated
    #Microsoft Teams
    Find-MgGraphPermission teams -PermissionType Delegated
    #Users
    Find-MgGraphPermission user -PermissionType Delegated
    #eDiscovery
    Find-MgGraphPermission ediscovery -PermissionType Delegated

Connect to Microsoft 365:

    #Connect Using the Standard Command and Scopes
    $scopes = @(
        "User.ReadWrite.All",
        "Directory.Read.All",
        "Group.Read.All"
    )
    Connect-MgGraph -Scopes $scopes

When establishing a connection, the additional consent must be confirmed after logging in.

    #Connect Using an Azure App Registration
    Connect-MgGraph -ClientId "<your ClientId>" -TenantId "<your TenantId>" -CertificateThumbprint "<your CertificateThumbprint>"

So that was it for the second part. In the next part you will learn how to customize an existing connection and more!

I hope this article was useful. Thank you for taking the time to read the article.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Part 5 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!
Dear Microsoft Azure and Microsoft 365 Friends,

This article continues with the topic Microsoft Graph PowerShell SDK. Parts 1 to 4 can be found here:
https://techcommunity.microsoft.com/t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3300352
https://techcommunity.microsoft.com/t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3302366
https://techcommunity.microsoft.com/t5/windows-powershell/part-3-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3339696
https://techcommunity.microsoft.com/t5/windows-powershell/part-4-manage-azure-and-microsoft-365-with-the-microsoft-graph/m-p/3409310

This article is about connecting to Exchange Online.

Remember: Connections to the Microsoft Graph are protected by one or more permission scopes.

Service Scopes:
- Exchange Online (Focus in this article): Mail and Calendar
- SharePoint Online: Files and Sites
- Microsoft Teams: Teams, Channels, Chats and Members

Mail Delegated Permissions:
- Mail.Read: Allows reading mail in user mailboxes
- Mail.ReadBasic: Allows reading mail in the signed-in user's mailbox, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties
- Mail.ReadWrite: Allows creating, reading, updating, and deleting mail in user mailboxes
- Mail.Read.Shared: Allows reading mail that the user can access, including the user's own and shared mail
- Mail.ReadWrite.Shared: Allows creating, reading, updating, and deleting mail that the user has permission to access, including the user's own and shared mail
- Mail.Send: Allows sending mail as users in the organization
- Mail.Send.Shared: Allows sending mail as the signed-in user, including sending on-behalf of others
- MailboxSettings.Read: Allows reading user's mailbox settings
- MailboxSettings.ReadWrite: Allows creating, reading, updating, and deleting user's mailbox settings
- IMAP.AccessAsUser.All: Allows reading, updating, creating and deleting mail in user mailboxes
- POP.AccessAsUser.All: Allows reading, updating, creating and deleting mail in user mailboxes
- SMTP.Send: Allows sending mail as users in the organization

Mail Application Permissions:
- Mail.Read: Allows reading mail in all mailboxes without a signed-in user
- Mail.ReadBasic.All: Allows reading all users' mailboxes except Body, BodyPreview, UniqueBody, Attachments, ExtendedProperties, and Extensions
- Mail.ReadWrite: Allows creating, reading, updating, and deleting mail in all mailboxes without a signed-in user
- Mail.Send: Allows sending mail as any user without a signed-in user
- MailboxSettings.Read: Allows reading user's mailbox settings without a signed-in user
- MailboxSettings.ReadWrite: Allows creating, reading, updating, and deleting user's mailbox settings without a signed-in user

Calendar Delegated Permissions:
- Calendars.Read: Allows reading events in user calendars
- Calendars.Read.Shared: Allows reading events in all calendars that the user can access, including delegate and shared calendars
- Calendars.ReadWrite: Allows creating, reading, updating, and deleting events in user calendars
- Calendars.ReadWrite.Shared: Allows creating, reading, updating, and deleting events in all calendars the user has permissions to access

Calendar Application Permissions:
- Calendars.Read: Allows reading events of all calendars without a signed-in user
- Calendars.ReadWrite: Allows creating, reading, updating, and deleting events of all calendars without a signed-in user

Connecting to Exchange Online:

    Set-Location C:\
    Clear-Host

    #If needed
    Import-Module Microsoft.Graph

    #Set the API to the 'beta' endpoint
    Select-MgProfile -Name "beta"

    #We check the profile
    Get-MgProfile

    #Connection for Creating, Reading, Updating, and Deleting Mail
    $scopes = @("Mail.ReadWrite")
    Connect-MgGraph -Scopes $scopes

    #We look up the user ID
    Get-MgUser

    #An example
    $User = Get-MgUser -UserId "ab8637c3-39ba-47f3-ad53-7fcd9a3f49a6"
    $mailfolders = Get-MgUserMailFolder -UserId $User.Id -All
    $mailfolders

    #Connection for Sending Mail as Users in the Organization
    $scopes = @("SMTP.Send")
    Connect-MgGraph -Scopes $scopes

    #Connection for Creating, Reading, Updating, and Deleting Events in User Calendars
    $scopes = @("Calendars.ReadWrite")
    Connect-MgGraph -Scopes $scopes

    #An example
    $User = Get-MgUser -UserId "ab8637c3-39ba-47f3-ad53-7fcd9a3f49a6"
    $calendar = Get-MgUserCalendar -UserId $User.Id -All
    $calendar

    #Core Connection for Managing Mail and Calendar
    $scopes = @("Mail.ReadWrite","Calendars.ReadWrite")
    Connect-MgGraph -Scopes $scopes

So that's it again for part 5, we'll see you again in the next part! A little preview: in the next part we'll talk about SharePoint Online and Microsoft Teams in the Microsoft Graph. See you soon.

I hope this article was useful. Thank you for taking the time to read the article.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler

Part 1 - Manage Azure and Microsoft 365 with the Microsoft Graph PowerShell SDK!
Dear Microsoft Azure and Microsoft 365 Friends,

PowerShell can be used to manage a wide variety of cloud services from Microsoft. This ranges from Azure Active Directory and Teams up to SharePoint Online. So why should I bother with the Microsoft Graph PowerShell SDK? Very briefly, it is the one-stop shop for managing Microsoft cloud services with PowerShell.

What Is the Microsoft Graph PowerShell SDK?
- Application Programming Interface (API) wrapper for the Microsoft Graph APIs
- Contains PowerShell commands for automation at scale
- Allows connecting to single or multiple Microsoft 365 and Azure Active Directory services

Microsoft Graph PowerShell SDK Features:
- Provides access to all the Microsoft Graph APIs
- Supports PowerShell 7 and above and is cross-platform
- Support for modern authentication

Microsoft Graph PowerShell SDK supports PowerShell 7 and is Cross-platform:
- Microsoft Graph PowerShell module works with PowerShell 7 and later
- Cross-platform support for Windows, macOS, and Linux
- Compatible with Windows PowerShell 5.1

Microsoft Graph API:
- Published Version (v1.0)
- Beta Version

Let's compare working with PowerShell the "normal" way and working with the Microsoft Graph. On the left you can see that we need to install the modules for each Microsoft cloud service. On the right, we install the Microsoft Graph and then we can manage the different services. Do not pay attention to the code, it is not complete. The point of this comparison is that on the left we have to install several modules, including the different connections to the cloud services.

Installing the Microsoft Graph PowerShell SDK
Installation Prerequisites:
- Install a compatible version of PowerShell
- Run on a supported operating system: Windows, macOS, or Linux
- Install the NuGet provider to interact with the PowerShell Gallery
- If using Windows platforms, set the execution policy to remote signed or less restrictive

You can use the following cmdlets to perform the installation (# are comments):

    #Install the NuGet Provider
    Install-PackageProvider -Name NuGet -Force

    #Set the Execution Policy (Windows)
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

    #Install into the Current User Scope
    Install-Module Microsoft.Graph -Scope CurrentUser

or

    #Install into the All-User Scope
    Install-Module Microsoft.Graph -Scope AllUsers -Force -Verbose

    #Verify the Installation
    Get-InstalledModule Microsoft.Graph

    #Updating the Module
    Update-Module Microsoft.Graph

Installing the main "Microsoft.Graph" module will install additional sub modules.

Installation Considerations:
- Always install the "Microsoft.Graph.Authentication" module; it is needed to establish the connection.
- Install only the modules you need.
- Installing the Microsoft Graph PowerShell SDK in one version of PowerShell does not install it for other

That's it for the first part. In the second part we will talk about the scopes and connect to Microsoft 365.

I hope this article was useful. Thank you for taking the time to read the article.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
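The Part 1 installation with a verification step in between, as an added example that is not the author's script: it stages only the sub-modules needed, checks the Authenticode signature of every script file, and installs the same pinned version. The choice of sub-modules, the staging folder and the publisher match are assumptions; Get-AuthenticodeSignature is available on Windows only.

```powershell
# Added example. Assumption: only user management is needed, so only the
# authentication module and one workload sub-module are installed.
$modules = 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Users'
$staging = Join-Path ([System.IO.Path]::GetTempPath()) 'mg-staging'   # arbitrary staging folder
New-Item -ItemType Directory -Path $staging -Force | Out-Null

foreach ($name in $modules) {
    # Resolve the gallery version once so staging and install use the same one.
    $version = (Find-Module -Name $name -Repository PSGallery).Version
    Save-Module -Name $name -RequiredVersion $version -Repository PSGallery -Path $staging -Force

    # Check every script file of the staged copy before anything reaches a module path.
    $bad = Get-ChildItem -Path (Join-Path $staging $name) -Recurse -File -Include *.psd1, *.psm1, *.ps1 |
        Get-AuthenticodeSignature |
        Where-Object {
            $_.Status -ne 'Valid' -or
            $_.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation'
        }

    if ($bad) {
        throw "Signature check failed for $name ${version}: $($bad.Path -join ', ')"
    }

    # Install the version that was just checked, into the current user scope as in the article.
    Install-Module -Name $name -RequiredVersion $version -Repository PSGallery -Scope CurrentUser
}

# Confirm what is now installed, as in the article's verification step.
Get-InstalledModule -Name $modules | Format-Table Name, Version, Repository
```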