Microsoft Graph API PowerShell AzureAD App


Hello,

Today we’ll talk about the Microsoft Graph API, PowerShell & AzureAD application. As you may know, the Microsoft Graph API is the data source where you can find everything about Office 365 and everything that’s interacting with it.

To be able to use it in an unattended way, you have some prerequisites:

  • AzureAD Application for permissions
  • Certificate for modern authentication

AzureAD Application

First, you need to create the application in AzureAD; you can follow this link to get to the AzureAD blade where you register your app.

Create AzureAD App
Add AzureAD App Permissions
Select AzureAD App API Permissions
Select AzureAD App API Detailed Permissions
Grant admin consent for AzureAD App

Now you have an AzureAD application with the requested permissions, granted for the whole tenant.

Certificate

You need to add a certificate to your AzureAD application to allow unattended modern authentication. You can create a certificate with the following PowerShell lines (requires PowerShell 4 or newer):

# Create a self-signed certificate in the current user's personal store
$DisplayName = "Microsoft Graph PowerShell Client Credentials"
$NotAfter = $(Get-Date).AddYears(2)
$cert = New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my -DnsName graph.microsoft.com -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $NotAfter -FriendlyName $DisplayName
# Export .cer file (public key only, this is what you upload to the AzureAD app)
Export-Certificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.cer"
# Export .pfx file (private key included, to import on the machine running the script)
Export-PfxCertificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.pfx" -Password ("123+aze" | ConvertTo-SecureString -Force -AsPlainText)

You can also use a certificate from your local PKI.

Then, go to your AzureAD application and upload the certificate (the .cer file):

Upload certificate in AzureAD application

Connect to Microsoft Graph

Now that all the prerequisites are in place, you can use it from PowerShell.

First, to make it simpler, install Microsoft's “Microsoft.Graph” PowerShell module from the PSGallery:

Find-Module Microsoft.Graph | Install-Module -Scope CurrentUser

The “Connect-Graph” cmdlet requires 3 parameters to be used unattended:

  • Client ID: can be retrieved from the “Overview” pane of your AzureAD application
  • Certificate thumbprint: the thumbprint of the certificate you uploaded to your AzureAD app
  • Tenant ID: can be retrieved from the “Overview” pane of your AzureAD application

AzureAD Client ID & Tenant ID

# Look up the thumbprint of the self-signed certificate created above (its issuer is its own subject)
$CertificateThumbprint = Get-ChildItem -Path cert:\currentuser\my | Where-Object -FilterScript {$_.Issuer -eq 'CN=graph.microsoft.com'} | Select-Object -ExpandProperty Thumbprint

Then, you can connect with:

Connect-Graph -ClientId $ClientID -TenantId $TenantID -CertificateThumbprint $CertificateThumbprint
Welcome to Microsoft Graph
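The connection above is a single cmdlet call; in a scheduled script you want it wrapped with a few checks so that a missing, duplicated or expiring certificate fails early with a clear message instead of an opaque Azure AD error. The helper below is an added example, not code from the original post: it assumes the subject name 'CN=graph.microsoft.com' used when the self-signed certificate was created, and placeholder Client ID / Tenant ID values that you replace with the ones from the app's Overview pane.

```powershell
# Added example (not from the original post): unattended Connect-Graph with
# certificate validation. Assumed: certificate subject 'CN=graph.microsoft.com'
# (the DnsName used at creation) and placeholder ClientId/TenantId values.
function Connect-GraphUnattended {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $TenantId,
        [string] $CertificateSubject = 'CN=graph.microsoft.com',
        [string] $CertStorePath = 'cert:\currentuser\my',
        [int] $ExpiryWarningDays = 30
    )

    # Select the certificate by subject; refuse to guess if 0 or >1 match
    $certs = @(Get-ChildItem -Path $CertStorePath |
        Where-Object { $_.Subject -eq $CertificateSubject })
    if ($certs.Count -eq 0) {
        throw "No certificate with subject '$CertificateSubject' in $CertStorePath"
    }
    if ($certs.Count -gt 1) {
        throw "Several certificates match '$CertificateSubject'; pin one by thumbprint instead"
    }
    $cert = $certs[0]

    # Azure AD rejects an expired certificate; warn before that day comes
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays($ExpiryWarningDays)) {
        Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); rotate it soon"
    }
    # The .cer upload has no private key; the script host needs the .pfx import
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key; import the .pfx, not the .cer"
    }

    Connect-Graph -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $cert.Thumbprint

    # Confirm a context exists and return it so the caller can inspect it
    $ctx = Get-MgContext
    if ($null -eq $ctx) { throw 'Connect-Graph returned no context' }
    Write-Verbose "Connected to tenant $($ctx.TenantId) as app $($ctx.ClientId) (AuthType: $($ctx.AuthType))"
    return $ctx
}

# Usage (placeholders; take the real values from the app's Overview pane)
# $ctx = Connect-GraphUnattended -ClientId '<client-id>' -TenantId '<tenant-id>' -Verbose
# $ctx.Scopes   # the application permissions the app was granted
```

Returning the Get-MgContext object lets the script log which tenant and app it is acting as, and `$ctx.Scopes` is a quick way to verify that the admin consent granted earlier actually covers what the script is about to do.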

Use Microsoft Graph

Now that you are connected, you can use the Microsoft Graph. Here is the list of available cmdlets:

Microsoft Graph Cmdlets

Thanks to “Invoke-MgGraphRequest”, you do not have to acquire the bearer token yourself, nor add it as a parameter on every call as you would with “Invoke-WebRequest”:

Get an email through Microsoft Graph (truncated)
Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/users/dumbo@itfordummies.net/messages/AQMkAGUxMGFjMTg0LTU3OWQtNDU5Yi04OWVjLWJhNDUwNzQ5NTA1NgBGAAADG35iX-3jnU_AjwRGvCkingcAZbNWqQU7lk2WqeIfOz7G5gAAAgEMAAAAZbNWqQU7lk2WqeIfOz7G5gAFE5p-DAAAAA==/

As you can see in the previous example, I already knew the message ID that the Graph requires. If you don’t know it, you can use the $filter query parameter to search for a specific email, then take its ID and call a Graph method on it:

# Base URL and mailbox used by the DELETE call below
$GraphAPIUrl = 'https://graph.microsoft.com/v1.0/'
$UserUPN = 'dumbo@itfordummies.net'
# The backtick keeps PowerShell from expanding `$filter` as a variable
$ID = (Invoke-MgGraphRequest -Method GET -Uri "$($GraphAPIUrl)users/$UserUPN/messages/?`$filter=internetMessageId eq '20201127060315.14956.153598004.swift@softcedric.activehosted.com'").value.id
Invoke-MgGraphRequest -Method DELETE -Uri "$($GraphAPIUrl)users/$UserUPN/messages/$ID"
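The two lines above assume the filter returns exactly one message and delete it straight away. The function below is an added example (not code from the original post) that generalises the same search-then-delete pattern: it escapes the OData literal, follows `@odata.nextLink` paging so a multi-page result is not silently cut to the first page, and uses ShouldProcess so `-WhatIf` shows what would be removed before anything is deleted. It assumes an existing Connect-Graph session; the mailbox and Message-ID in the usage lines are placeholders.

```powershell
# Added example (not from the original post): search a mailbox by Internet
# Message-ID with $filter, page through every result, and DELETE only after
# an explicit ShouldProcess decision. Assumed: an existing Connect-Graph
# session; usage values below are placeholders, not real data.
function Remove-GraphMessageByInternetMessageId {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Pass the value exactly as Graph returns it in internetMessageId
        [Parameter(Mandatory)] [string] $InternetMessageId,
        [string] $GraphBaseUrl = 'https://graph.microsoft.com/v1.0/'
    )

    # OData escapes a single quote inside a string literal by doubling it,
    # then the whole expression is URL-encoded
    $literal = $InternetMessageId -replace "'", "''"
    $filterValue = [uri]::EscapeDataString("internetMessageId eq '$literal'")
    $selectValue = 'id,subject,receivedDateTime,from'
    $uri = "$($GraphBaseUrl)users/$UserPrincipalName/messages?`$filter=$filterValue&`$select=$selectValue"

    # Collect every page; Graph returns @odata.nextLink while more pages remain
    $found = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $found += $page.value
        $uri = $page.'@odata.nextLink'
    }

    if ($found.Count -eq 0) {
        Write-Warning "No message with Internet Message-ID $InternetMessageId in $UserPrincipalName"
        return
    }

    foreach ($msg in $found) {
        $desc = "'$($msg.subject)' received $($msg.receivedDateTime) (id $($msg.id))"
        # -WhatIf prints this target/action pair instead of deleting
        if ($PSCmdlet.ShouldProcess("$UserPrincipalName : $desc", 'DELETE (moves to Deleted Items)')) {
            Invoke-MgGraphRequest -Method DELETE -Uri "$($GraphBaseUrl)users/$UserPrincipalName/messages/$($msg.id)"
            Write-Verbose "Deleted $desc"
        }
    }
}

# Usage with placeholder values; -WhatIf lists what would be deleted
# Remove-GraphMessageByInternetMessageId -UserPrincipalName 'dumbo@itfordummies.net' `
#     -InternetMessageId 'MESSAGE-ID-PLACEHOLDER' -WhatIf
```

With ConfirmImpact set to High the function prompts for every message unless called with `-Confirm:$false`, which is the behaviour you want for a destructive call running under application permissions that cover every mailbox in the tenant.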

“InternetMessageId”, for the Microsoft Graph, is the “Message-ID” from the email headers:

Message Id from headers

The “DELETE” method we just used puts the mail in the recoverable items of the “Deleted Items” folder; it is permanently deleted once the recoverable items retention period expires.

Microsoft Graph API PowerShell AzureAD App

You saw how to create an AzureAD application, how to assign permissions, how to create a secret, how to upload a certificate for modern unattended authentication, how to connect with the Microsoft.Graph PowerShell module, and how to use the module to get some information out of the Microsoft Graph.

Get 30 days email size in Exchange Online Mailbox


Hello,

Today I wanted to share some PowerShell lines to help you calculate the size of 30 days of email inside an Exchange Online mailbox. The first approach also works for Exchange 2010 and up, but the second approach requires Exchange Online Compliance to work. This kind of information can be handy if you migrate some mailboxes between Office 365 tenants and have tight constraints on the available network bandwidth.

Office 365 portals language PowerShell


Hello,

When using a worldwide Office 365 tenant, you face some challenges with the languages of the portals and web pages. Indeed, each tenant has a “default language”, but for big companies that span different countries, we need a more granular setting.

Microsoft offers some ways to tune the language.