Microsoft Graph API PowerShell AzureAD App


Hello,

Today we’ll talk about the Microsoft Graph API, PowerShell and an AzureAD application. The Microsoft Graph API is the single REST endpoint (https://graph.microsoft.com) through which you reach Office 365 data: users, groups, mailboxes, calendars and everything else that interacts with the service.

To be able to use it in an unattended way, you have some prerequisites:

  • AzureAD Application for permissions
  • Certificate for modern authentication

AzureAD Application

First, you need to register the application in AzureAD. In the Azure portal, open Azure Active Directory > App registrations > New registration. The screenshots below walk through the registration and the permission grant:

Create AzureAD App
Add AzureAD App Permissions
Select AzureAD App API Permissions
Select AzureAD App API Detailed Permissions
Grant admin consent for AzureAD App

Now you have an AzureAD application with the requested permissions, granted for the whole tenant. Keep in mind that these are application permissions (not delegated ones): once an admin has consented, the app can act on every mailbox in the tenant without any user signing in. Request only the permissions the script really needs (for example Mail.Read rather than Mail.ReadWrite if you never modify anything), and treat the application’s certificate like a domain admin credential.

Certificate

You need to add a certificate to your AzureAD application to allow unattended modern authentication (the OAuth 2.0 client credentials flow). You can create a self-signed certificate with the following PowerShell lines (the New-SelfSignedCertificate parameters used here, -NotAfter, -Provider and -FriendlyName, are available on Windows 10 / Windows Server 2016 and later):

$DisplayName = "Microsoft Graph PowerShell Client Credentials"
$NotAfter = $(Get-Date).AddYears(2)
# The certificate is created in the current user's personal store; the DnsName becomes its subject (CN=graph.microsoft.com)
$cert = New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my -DnsName graph.microsoft.com -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $NotAfter -FriendlyName $DisplayName
# Export the .cer file (public key only): this is the file you upload to the AzureAD application
Export-Certificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.cer"
# Export the .pfx file (contains the private key): only needed to move the certificate to the machine running the script, use a strong password and delete the file once imported
Export-PfxCertificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.pfx" -Password ("123+aze" | ConvertTo-SecureString -Force -AsPlainText)

You can also use a certificate issued by your local PKI. Whoever holds the private key holds the application’s permissions, so if the script always runs on the same machine, skip the .pfx export altogether and let the key stay in that machine’s certificate store.

Then, go to your AzureAD application (Certificates & secrets) and upload the .cer file:

Upload certificate in AzureAD application

Connect to Microsoft Graph

Now that all the prerequisites are in place, you can use the application from PowerShell.

First, to make it simpler, install Microsoft’s “Microsoft.Graph” PowerShell module from the PSGallery:

Find-Module Microsoft.Graph | Install-Module -Scope CurrentUser

The “Connect-Graph” cmdlet (an alias of “Connect-MgGraph”) requires 3 parameters to be used unattended:

  • Client ID: can be retrieved in the “Overview” pane of your AzureAD application (“Application (client) ID”)
  • Certificate thumbprint of the certificate you uploaded to your AzureAD app (the private key must be present in the local certificate store)
  • Tenant ID: can be retrieved in the “Overview” pane of your AzureAD application (“Directory (tenant) ID”)

AzureAD Client ID & Tenant ID

$ClientID = '<Application (client) ID from the Overview pane>'
$TenantID = '<Directory (tenant) ID from the Overview pane>'
# Self-signed certificates have Issuer = Subject, so filtering on the issuer finds the certificate created above
$CertificateThmbprint = Get-ChildItem -Path cert:\currentuser\my | Where-Object -FilterScript {$_.Issuer -eq 'CN=graph.microsoft.com'} | Select-Object -ExpandProperty Thumbprint

Then, you can connect with:

Connect-Graph -ClientId $ClientID -TenantId $TenantID -CertificateThumbprint $CertificateThmbprint
Welcome to Microsoft Graph
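As an added example that is not part of the original post, here is the unattended connection with the checks a practitioner would want around it: the certificate is looked up by thumbprint (rather than by issuer, which two certificates can share), the script verifies that the private key is present and not about to expire, and after connecting it confirms with Get-MgContext that the session is app-only and lists the permissions actually granted. The IDs and thumbprint are placeholders; Get-MgContext and its AuthType/Scopes properties are part of the Microsoft.Graph module.

```powershell
# Added example (not from the original post): unattended connection with checks.
# $ClientID, $TenantID and $Thumbprint are placeholders to replace with your values.
$ClientID   = '00000000-0000-0000-0000-000000000000'   # Application (client) ID, Overview pane
$TenantID   = '00000000-0000-0000-0000-000000000000'   # Directory (tenant) ID, Overview pane
$Thumbprint = 'PASTE-THE-THUMBPRINT-UPLOADED-TO-THE-APP'

# Look the certificate up by thumbprint: issuer/subject based lookups can return several certificates.
$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop

if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in this store; import the .pfx, not the .cer."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); plan the rotation now."
}

Connect-MgGraph -ClientId $ClientID -TenantId $TenantID -CertificateThumbprint $Thumbprint

# Verify what we actually obtained: an app-only (client credentials) session and its permissions.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected an app-only session, got '$($ctx.AuthType)'."
}
"Connected to tenant $($ctx.TenantId) as application $($ctx.ClientId)"
"Application permissions granted: $($ctx.Scopes -join ', ')"
```

The Scopes list printed at the end is the authoritative view of what the script can do; if it contains more than the script needs, trim the permissions on the app registration rather than relying on the script to behave.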

Use Microsoft Graph

Now that you are connected, you can use the Microsoft Graph. The list of available cmdlets is long (Get-Command -Module Microsoft.Graph* shows them all):

Microsoft Graph Cmdlets

Thanks to “Invoke-MgGraphRequest” you do not have to acquire the access token yourself, nor add the “Authorization: Bearer” header to every call as you would with “Invoke-WebRequest”; the module attaches the token of the current session and refreshes it when needed:

Get an email through Microsoft Graph (output truncated)

Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/users/dumbo@itfordummies.net/messages/AQMkAGUxMGFjMTg0LTU3OWQtNDU5Yi04OWVjLWJhNDUwNzQ5NTA1NgBGAAADG35iX-3jnU_AjwRGvCkingcAZbNWqQU7lk2WqeIfOz7G5gAAAgEMAAAAZbNWqQU7lk2WqeIfOz7G5gAFE5p-DAAAAA==/

As you can see in the previous example, I knew the message ID required by the Graph. If you don’t know it, you can use an OData $filter to search for a specific email, get its ID, and then call a Graph method on it (the backtick in front of $filter stops PowerShell from expanding it as a variable):

$GraphAPIUrl = 'https://graph.microsoft.com/v1.0/'
$UserUPN = 'dumbo@itfordummies.net'
# The filter value must match the internetMessageId exactly as Graph stores it (compare with the value returned by a GET on a known message)
$ID = (Invoke-MgGraphRequest -Method GET -Uri "$($GraphAPIUrl)users/$UserUPN/messages?`$filter=internetMessageId eq '20201127060315.14956.153598004.swift@softcedric.activehosted.com'").value.id
# Only delete when the filter returned exactly one message
if (@($ID).Count -eq 1) { Invoke-MgGraphRequest -Method DELETE -Uri "$($GraphAPIUrl)users/$UserUPN/messages/$ID" }

For the Microsoft Graph, “internetMessageId” is the “Message-ID” header of the email, the value you find in the message headers:

Message Id from headers

The “DELETE” method we just used does not purge the mail: it moves it to Recoverable Items (the “dumpster” behind the “Deleted Items” folder), where a user or an admin can still restore it; it is permanently removed only once the retention period for recoverable items has elapsed. Check the behaviour in your own tenant before relying on it for a clean-up.
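As an added example (not code from the original post), the search-then-delete sequence above wrapped in a function the way it would be used during an incident, for instance to pull a phishing email out of a mailbox: the Message-ID is escaped as an OData string literal and URL-encoded, the result set is paged through @odata.nextLink so nothing is silently truncated, the function refuses to act unless exactly one message matches, and it supports -WhatIf/-Confirm so a dry run is possible. The mailbox and Message-ID are taken from the post; the Mail.ReadWrite application permission it needs is an assumption.

```powershell
# Added example (not from the original post): delete a message identified by its Internet Message-ID.
# Requires an existing Connect-MgGraph session with the Mail.ReadWrite application permission (assumption).
function Remove-MessageByInternetId {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $InternetMessageId
    )

    $base = 'https://graph.microsoft.com/v1.0'
    # OData string literals escape a single quote by doubling it; the whole filter is then URL-encoded.
    $literal       = $InternetMessageId -replace "'", "''"
    $encodedFilter = [uri]::EscapeDataString("internetMessageId eq '$literal'")
    $uri = "$base/users/$([uri]::EscapeDataString($UserPrincipalName))/messages?`$filter=$encodedFilter&`$select=id,subject,receivedDateTime"

    # Follow @odata.nextLink so a multi-page result is not silently truncated.
    $found = @()
    while ($uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $uri
        $found += $page.value
        $uri   = $page.'@odata.nextLink'
    }

    switch ($found.Count) {
        0       { Write-Warning "No message with Message-ID $InternetMessageId in $UserPrincipalName"; return }
        1       { }
        default { throw "$($found.Count) messages match $InternetMessageId in $UserPrincipalName; refusing to delete." }
    }

    $m = $found[0]
    if ($PSCmdlet.ShouldProcess("$UserPrincipalName : '$($m.subject)' ($($m.receivedDateTime))", 'DELETE message')) {
        # Soft delete: the message lands in Recoverable Items, not in a purge.
        Invoke-MgGraphRequest -Method DELETE -Uri "$base/users/$UserPrincipalName/messages/$($m.id)"
        "Deleted message $($m.id) from $UserPrincipalName"
    }
}

# Usage: -WhatIf shows which message would be removed without touching the mailbox.
# Use the internetMessageId value exactly as Graph returns it for a known message.
Remove-MessageByInternetId -UserPrincipalName 'dumbo@itfordummies.net' -InternetMessageId '20201127060315.14956.153598004.swift@softcedric.activehosted.com' -WhatIf
```

Run it once with -WhatIf to confirm the subject and received date match the email you expect, then without it; the ConfirmImpact = 'High' setting makes the function prompt before the DELETE unless you pass -Confirm:$false.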

Microsoft Graph API PowerShell AzureAD App

You saw how to create an AzureAD application, how to assign application permissions and grant admin consent, how to create a certificate and upload it for modern unattended authentication, how to connect with the Microsoft.Graph PowerShell module, and how to use the module to get information out of, and act on, the Microsoft Graph.

Get 30 days email size in Exchange Online Mailbox


Hello,

Today I wanted to share some PowerShell lines to help you calculate the size of 30 days of email inside an Exchange Online mailbox. The first approach also works for Exchange 2010 and later, but the second approach requires Exchange Online compliance features. This kind of information can be handy if you migrate mailboxes between Office 365 tenants under tight network bandwidth constraints.

Enable Remote Mailbox CSUser Office 365


Hello,

When you work with a hybrid deployment of Office 365, creating new objects is a bit tricky, depending on where they will land. Indeed, you can’t create a user directly in Office 365 and hope for the best: this won’t work because your on-premises Active Directory is still the source of authority for your users’ attributes.

Get Mobile Device Policy Change PowerShell


Hello,

Today we’ll see how to measure the impact of a mobile device policy change in your organization. For example, let’s say your organization wants to harden the mobile device requirements for mailbox access, and a few days later you want to see how many mobile devices stopped syncing.

Renew Active Directory User Password Without Knowing It


Hello,

Today we’ll how you can renew an Active Directory user password, without knowing it. It can be very convenient when you have a service account with a password expiration but don’t want to change it for whatever reason. It can also save the day when you have one of your VIP user that is in a kind of emergency and need his mailbox access but you can’t change the password be cause he doesn’t have a secure AD access. You can have plenty of reasons to perform that kind of action. Continue reading