Microsoft Graph API PowerShell

Hello,

I recently played with Microsoft Graph API and PowerShell. This is a great tool that Microsoft provides to interact with a wide range of Microsoft SaaS applications:

Microsoft Graph API PowerShell – Graph API Overview

There are a lot of supported platforms. PowerShell isn’t mentioned here, but it works! You need to use the Invoke-RestMethod cmdlet.

Microsoft Graph API PowerShell – The Token

First, we need to create an authentication token to use for our future Invoke-RestMethod calls. For this I wrote a simple function; you can find it on GitHub here.

Then, use it:

$TenantName = 'itfordummies.net'
$GraphToken = New-GraphToken -TenantName $TenantName
Microsoft Graph API PowerShell – AuthToken

Note: This function requires AzureRM to support ADAL authentication and the “Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext” namespace (you can also use the latest version of the MSOL module). To install this module from PS5:

Install-Module AzureRM

Microsoft Graph API PowerShell – List Azure AD Users

Once you have your token, you can start using it. In this example, you will list the Azure AD users:

Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/?api-version=1.6" -Headers $GraphToken -Method Get | Select-Object -ExpandProperty Value
Microsoft Graph API PowerShell – Users List

If you want to list groups, the process is the same; you just need to change the endpoint from /users to /groups in the URL:

"https://graph.windows.net/$TenantName/users/?api-version=1.6"
"https://graph.windows.net/$TenantName/groups/?api-version=1.6"

So basically, we invoke a REST URL with a GET method. This allows us to retrieve the requested information.
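One practical caveat with the listing calls above: Azure AD Graph returns large collections in pages (100 objects by default), so piping the first response through Select-Object -ExpandProperty Value silently drops everyone after the first page, and a long audit run will also hit token expiry (401) or throttling (429). The wrapper below is an added example, not the author's code or the GitHub function linked above. It assumes $GraphToken is the header hashtable returned by New-GraphToken (carrying the Authorization header), that $TenantName is set as above, and that Azure AD Graph returns a relative odata.nextLink (with the $skiptoken) to which the api-version must be re-appended. It is written for Windows PowerShell 5.x, where Invoke-RestMethod raises a WebException on HTTP errors.

```powershell
# Added example, not part of the original post. Assumes $GraphToken is the header
# hashtable produced by New-GraphToken and $TenantName is the tenant name used above.
function Get-AadGraphCollection {
    param(
        [Parameter(Mandatory)] [string]    $TenantName,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [Parameter(Mandatory)] [string]    $Path,   # 'users', 'groups', "users/$id/memberOf", ...
        [string] $ApiVersion = '1.6',
        [int]    $MaxRetries = 5
    )

    $base  = "https://graph.windows.net/$TenantName/"
    $uri   = "${base}${Path}?api-version=$ApiVersion"
    $items = New-Object System.Collections.Generic.List[object]

    while ($uri) {
        $attempt = 0
        while ($true) {
            try {
                $page = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get
                break
            } catch {
                # Windows PowerShell 5.x: WebException with an HttpWebResponse attached
                $response = $_.Exception.Response
                $status   = if ($response) { [int]$response.StatusCode } else { 0 }
                switch ($status) {
                    401 { throw "Token rejected (401): it has probably expired, call New-GraphToken again." }
                    403 { throw "Forbidden (403): the signed-in account lacks the directory permission for '$Path'." }
                    429 {
                        # Throttled: honour Retry-After when present, otherwise back off exponentially
                        $wait = $response.Headers['Retry-After']
                        if (-not $wait) { $wait = [math]::Pow(2, $attempt) }
                        if (++$attempt -gt $MaxRetries) { throw "Still throttled after $MaxRetries retries." }
                        Start-Sleep -Seconds ([int]$wait)
                    }
                    default { throw }
                }
            }
        }

        if ($page.value) { $items.AddRange([object[]]$page.value) }

        # Assumption: odata.nextLink is relative to the tenant root and carries the $skiptoken,
        # so the api-version query parameter has to be appended again.
        $next = $page.'odata.nextLink'
        $uri  = if ($next) { "${base}${next}&api-version=$ApiVersion" } else { $null }
    }
    return $items
}

# Usage: every user in the tenant, not only the first page of 100
$AllUsers = Get-AadGraphCollection -TenantName $TenantName -Headers $GraphToken -Path 'users'
$AllUsers | Select-Object displayName, userPrincipalName, accountEnabled

# The same helper serves the other read-only endpoints from this post
$AllGroups = Get-AadGraphCollection -TenantName $TenantName -Headers $GraphToken -Path 'groups'
```

Because the page loop and the retry logic live in one place, a review script that enumerates users and their group memberships can rely on complete results instead of a silently truncated first page.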

Microsoft Graph API PowerShell – Reset User’s Password

To make a modification, you need to call a PATCH method on the REST URL:

$DumboObjectID = 'e74ab4e5-d93b-44d0-86f3-0329814d3c7a'
$ResetPwd = @{
    "passwordProfile" = @{
        "password" = "Test123456"
        "forceChangePasswordNextLogin" = $false
    }
} | ConvertTo-Json
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/$DumboObjectID`?api-version=1.6" -Headers $GraphToken -Method Patch -ContentType "application/json" -Body $ResetPwd
Microsoft Graph API PowerShell – Reset Password

Note: You can get the ObjectID from the previous example where we listed the users.

You can use the same PATCH method on any writable property of users, groups, etc.
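The snippet above hard-codes the new password and sets forceChangePasswordNextLogin to $false, which is convenient for a test tenant but leaves a known, reusable password in the script and in the PowerShell history. The following is an added example, not the author's code: it keeps the same PATCH on passwordProfile but draws the temporary password from the cryptographic RNG and forces a change at next sign-in by default, with the weaker behaviour available only as an explicit switch. It assumes $TenantName, $GraphToken (header hashtable from New-GraphToken) and $DumboObjectID are set as above.

```powershell
# Added example, not the author's code. Same PATCH as the post, with a generated
# temporary password and forceChangePasswordNextLogin = $true by default.
# Assumes $TenantName and $GraphToken (header hashtable from New-GraphToken) are set.
function New-TemporaryPassword {
    param([ValidateRange(12, 64)] [int] $Length = 16)
    # Exactly 64 symbols: 256 mod 64 = 0, so mapping a random byte with % introduces no bias.
    # Upper, lower, digits and two symbols cover Azure AD's "3 of 4 character classes" rule.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-AadGraphUserPassword {
    param(
        [Parameter(Mandatory)] [string]    $TenantName,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [Parameter(Mandatory)] [string]    $UserObjectId,
        [switch] $DoNotForceChange   # opt-in to the weaker setting shown in the post's snippet
    )
    $password = New-TemporaryPassword
    $body = @{
        passwordProfile = @{
            password                     = $password
            forceChangePasswordNextLogin = -not $DoNotForceChange   # $true unless the switch is given
        }
    } | ConvertTo-Json

    $uri = "https://graph.windows.net/$TenantName/users/$UserObjectId`?api-version=1.6"
    Invoke-RestMethod -Uri $uri -Headers $Headers -Method Patch -ContentType 'application/json' -Body $body | Out-Null

    # Return the one-time value as a SecureString so it is not echoed to the console by default
    return (ConvertTo-SecureString -String $password -AsPlainText -Force)
}

# Usage: the same reset as above, with a random temporary password and a forced change
$TempPwd = Reset-AadGraphUserPassword -TenantName $TenantName -Headers $GraphToken -UserObjectId $DumboObjectID
```

The caller receives the temporary password as a SecureString and decides how to hand it over; nothing reusable is left in the script file, and the user is forced to replace it at first sign-in.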

Microsoft Graph API PowerShell – Tests

Microsoft built a tool to help us test our URLs:

https://graphexplorer.azurewebsites.net/

Microsoft Graph API PowerShell – Tests

  1. Login with your Azure AD account
  2. Put your test URL
  3. Click on “Go”

This tool will run the URL for you without any prerequisites on your computer; it even works on a mobile phone.

A good example is to display the tenant details:

https://graph.windows.net/itfordummies.net/tenantDetails

Microsoft Graph API PowerShell – Tenant Details

This will even display the performance of your query.

Microsoft Graph API PowerShell – List a User’s Membership

Once you get the ObjectID of a user, you can also get the user’s group membership with one special URL:

Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/$DumboObjectID/memberOf?api-version=1.6" -Headers $GraphToken -Method Get | Select-Object -ExpandProperty Value
Microsoft Graph API PowerShell – Users Membership

Microsoft Graph API PowerShell – Add a Group Member

To add a user to a group, you need to know the ObjectID of both the group and the user, then create a JSON object like this one:

$UserJson = @{
  "url" =  "https://graph.windows.net/$TenantName/directoryObjects/$DumboObjectID"
} | ConvertTo-Json

And then, call this POST method:

$AzureADGroup = '<ObjectID of the target group>'   # take it from the groups listing above
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/groups/$AzureADGroup/`$links/members`?api-version=1.6" -Headers $GraphToken -Method Post -ContentType "application/json" -Body $UserJson
Microsoft Graph API PowerShell – Add Group Member

Note: To remove a group member, you can use this:

Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/groups/$AzureADGroup/`$links/members/$DumboObjectID`?api-version=1.6" -Headers $GraphToken -Method Delete
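Group membership changes are the kind of directory write a reviewer wants to be idempotent and traceable: adding a user who is already a member fails, removing one who is not fails, and neither call above records who did what. The functions below are an added example, not the author's code. They wrap the same $links/members POST and DELETE, check membership first, and write an audit line. Besides $TenantName, $GraphToken (header hashtable) and the two ObjectIDs used above, they assume Azure AD Graph's isMemberOf action (POST /isMemberOf with a groupId/memberId body, returning a boolean value).

```powershell
# Added example, not the author's code. Idempotent add/remove around the $links/members
# calls shown above, with a membership pre-check and an audit line.
# Assumption: Azure AD Graph exposes POST /isMemberOf returning {"value": true|false}.
function Test-AadGraphGroupMember {
    param(
        [Parameter(Mandatory)] [string]    $TenantName,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [Parameter(Mandatory)] [string]    $GroupObjectId,
        [Parameter(Mandatory)] [string]    $MemberObjectId
    )
    $body = @{ groupId = $GroupObjectId; memberId = $MemberObjectId } | ConvertTo-Json
    $uri  = "https://graph.windows.net/$TenantName/isMemberOf?api-version=1.6"
    $r = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Post -ContentType 'application/json' -Body $body
    return [bool]$r.value
}

function Set-AadGraphGroupMembership {
    param(
        [Parameter(Mandatory)] [string]    $TenantName,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [Parameter(Mandatory)] [string]    $GroupObjectId,
        [Parameter(Mandatory)] [string]    $MemberObjectId,
        [Parameter(Mandatory)] [ValidateSet('Add', 'Remove')] [string] $Action
    )
    $isMember = Test-AadGraphGroupMember -TenantName $TenantName -Headers $Headers `
                    -GroupObjectId $GroupObjectId -MemberObjectId $MemberObjectId
    # Backtick keeps the literal $links segment out of string interpolation, as in the post
    $linksUri = "https://graph.windows.net/$TenantName/groups/$GroupObjectId/`$links/members"

    if ($Action -eq 'Add') {
        if ($isMember) { Write-Verbose "$MemberObjectId is already a member of $GroupObjectId"; return $false }
        $body = @{ url = "https://graph.windows.net/$TenantName/directoryObjects/$MemberObjectId" } | ConvertTo-Json
        Invoke-RestMethod -Uri "${linksUri}?api-version=1.6" -Headers $Headers -Method Post `
                          -ContentType 'application/json' -Body $body | Out-Null
    } else {
        if (-not $isMember) { Write-Verbose "$MemberObjectId is not a member of $GroupObjectId"; return $false }
        Invoke-RestMethod -Uri "${linksUri}/${MemberObjectId}?api-version=1.6" -Headers $Headers -Method Delete | Out-Null
    }

    # Audit line: timestamp, local operator, action, member, group (the token's UPN is not known here)
    Write-Information ("{0:o} {1} {2} member {3} in group {4}" -f (Get-Date), $env:USERNAME, $Action, $MemberObjectId, $GroupObjectId)
    return $true   # a change was made
}

# Usage (placeholder group id; take the real one from the groups listing above)
$AzureADGroup = '<ObjectID of the target group>'
Set-AadGraphGroupMembership -TenantName $TenantName -Headers $GraphToken -GroupObjectId $AzureADGroup `
                            -MemberObjectId $DumboObjectID -Action Add -InformationAction Continue
```

The return value tells a calling script whether the directory actually changed, so a reconciliation job can run repeatedly against a desired membership list without generating errors or noisy duplicate writes.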

Conclusion

This is just a very basic usage of the Graph API on Azure AD; this tool can do many more things, but that’s a topic for another post!

You’ll be able to find all other posts related to GraphAPI here.
