AzureAD Graph API PowerShell

AzureAD Graph API PowerShell


I recently played with Microsoft Graph API and PowerShell. This is a great tool that Microsoft provided to us to interact with a wide range of Microsoft SaaS application:

Microsoft Graph API PowerShell - Graph API Overview

Microsoft Graph API PowerShell – Graph API Overview

There is a lot of supported platforms, PowerShell isn’t mention here, but it works ! You need to use the Invoke-RestMethod cmdlet.

AzureAD Graph API – The Token

First, we need to create an authentication token to use for our future Invoke-RestMethod. For this I wrote a simple function, you can find it on GitHub here.

Then, use it:

$TenantName = ''
$GraphToken = New-GraphToken -TenantName $TenantName
Microsoft Graph API PowerShell - AuthToken

AzureAD Graph API PowerShell – AuthToken

Note: This function require AzureRM to support the ADAL authentication, and the “Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext” namespace (You can also use the latest version of the MSOL module). To install this module from PS5:

Install-Module AzureRM

AzureAD Graph PowerShell – List Azure AD Users

Once you have your token, you can start using it, in this example, you will be able to list Azure AD Users:

Invoke-RestMethod -Uri "$TenantName/users/?api-version=1.6" -Headers $GraphToken -Method Get | Select-Object -ExpandProperty Value
Microsoft Graph API PowerShell - Users List

AzureAD Graph PowerShell – Users List

If you want to list groups, this is the same process, you just need to change the endpoint from /users to /groups in the URL:


So basically, we invoke a REST URL with a GET method. This allow us to get requested information.

AzureAD Graph PowerShell – Reset User’s Password

To make a modification, you need to call a PATCH method on the REST URL:

$DumboObjectID = 'e74ab4e5-d93b-44d0-86f3-0329814d3c7a'
$ResetPwd = @{
    "passwordProfile" = @{
        "password" = "Test123456"
        "forceChangePasswordNextLogin" = $false
} | ConvertTo-Json
Invoke-RestMethod -Uri "$TenantName/users/$DumboObjectID`?api-version=1.6" -Headers $GraphToken -Method Patch -ContentType "application/json" -Body $ResetPwd
Microsoft Graph API PowerShell - Reset Password

AzureAD Graph API PowerShell – Reset Password

Note: You can get the objectID from the previous example where we listed the users.

You can use this method with the PATCH method on any writable property of any users/groups/etc.

AzureAD Graph API – Tests

Microsoft built a tool to help us test our URL:

Microsoft Graph API PowerShell - Tests

AzureAD Graph API – Tests

  1. Login with your Azure AD account
  2. Put your test URL
  3. Click on “Go”

This tools will run the URL for you without any prerequisites on your computer, it even works on a mobile phone.

A good example is to display the tenant details:

Microsoft Graph API PowerShell - Tenant Details

AzureAD Graph PowerShell – Tenant Details

This will even display the performances of your query.

AzureAD Graph API PowerShell – List a User’s Membership

Once you get the ObjectID of a user, you can also get his group membership with one special URL:

Invoke-RestMethod -Uri "$TenantName/users/$DumboObjectID/memberOf?api-version=1.6" -Headers $GraphToken -Method Get | Select-Object -ExpandProperty Value
Microsoft Graph API PowerShell - Users Membership

AzureAD Graph PowerShell – Users Membership

AzureAD Graph API PowerShell – Add a Group Member

To add a user inside a group, you need to know the ObjectID of the group and the user, then create a JSON object like this one:

$UserJson = @{
  "url" =  "$TenantName/directoryObjects/$DumboObjectID"
} | ConvertTo-Json

And then, call this POST method:

Invoke-RestMethod -Uri "$TenantName/groups/$AzureADGroup/`$links/members`?api-version=1.6" -Headers $GraphToken -Method Post -ContentType "application/json" -Body $UserJson
Microsoft Graph API PowerShell - Add Group Member

AzureAD Graph PowerShell – Add Group Member

Note: To remove a group member, you can use this:

Invoke-RestMethod -Uri "$TenantName/groups/$AzureADGroup/`$links/members/$DumboObjectID`?api-version=1.6" -Headers $GraphToken -Method Delete


This is just a very basic usage of the Graph API on Azure AD, this tool can do many more things, but that’s a topic for another post !

You’ll be able to find all others posts related to GraphAPI here.

3 thoughts on “AzureAD Graph API PowerShell

  1. Pingback: Create a Real Time Interactive Dashboard for Office 365 Using PowerShell Universal Dashboard – The Lazy Administrator

  2. Pingback: Thirty Days of Microsoft Graph - Office 365 for IT Pros

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.