Licensing with Microsoft Graph PowerShell
The Microsoft Graph SDK PowerShell module is replacing two other modules. Learn more about connecting to Graph, finding...
ScriptRunner Blog
Users will encounter one or two hurdles when they start using Graph. Damian Scoles provides help in a three-part series of articles. Before the topics Teams and Exchange are covered, we will start with the Graph SDK (Software Development Kit).
Where to start? As a long-time user of PowerShell (think Monad), this author finds Graph to be an interesting mix of security, mystery and power wrapped into one. From a security perspective, the least-privilege model means that Graph has very granular permissions that can realistically be used to run a tighter ship. On the other hand, those used to the less granular, RBAC-style permission model may find this granularity daunting. Then there is the distinct lack of a completed Help system for all of the cmdlets available for Graph. Sometimes constructing a workable one-liner can be either a treasure hunt or just sheer luck. Once we get past that, we see the power that is available to us in the form of security, cmdlet availability and the tasks that can be performed from one module. In this article, we will explore Graph and the ways we can connect via PowerShell, and guide you on how to use it in your test and production tenants (hopefully you have a test tenant?).
To connect to the Graph API, we use one of these cmdlets:
Connect-MgGraph
Or
Connect-Graph
Realistically, there is no difference between the two; however, Connect-MgGraph is a cmdlet, whereas Connect-Graph is an alias that points to Connect-MgGraph.
Remember that Graph uses a least permission model and thus when we connect with no other parameters, no permissions or roles are assigned. Base permissions will not allow us to do much other than perhaps query some basic resources and objects in Graph. To get more out of Graph, we need the correct permissions. Let's walk through how to do that next.
Here is where connecting to Graph can get complicated. Scoping permissions for your task may require some work and experimentation, as a task may require more or fewer permissions than were initially provided. If connected via an Azure application, using Certificate Based Authentication, predefined permissions may also need to be adjusted. Let's walk through a sample scenario.
For our scenario, we would like to get a list of applications that are registered in Azure for a tenant. The cmdlet that lists them is Get-MgApplication, and Find-MgGraphCommand shows what that cmdlet needs:
Find-MgGraphCommand -Command Get-MgApplication
Output from the Find-MgGraphCommand cmdlet, which provides us a connection URI as well as the permissions required to run the cmdlet.
The output has a column called Permissions, a property that stores the permissions the cmdlet requires. Let's pull the full list of permissions for this cmdlet:
(Find-MgGraphCommand -Command Get-MgApplication).Permissions
Permissions
Note that there are two sets of permissions, based on the different URIs used for connection. If we want to list applications, we only need something like the Application.Read.All permission. How do we use this?
Once we know what permissions are required, we can specify this on a new connection to Graph:
Connect-MgGraph -Scopes Application.Read.All
If this is the first time using this permission, a Permissions requested pop-up will ask to approve this change:
Make sure to read this pop-up to fully understand what permissions you are granting
To verify it was successful, we can run this cmdlet to pull our permissions:
(Get-MgContext).scopes
Our added permissions in the yellow rectangle
If the correct permissions are not assigned, then we would get an error like this:
Notice the permissions missing are listed in the yellow bracket
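One way to turn the lookup, connect and verify steps above into a repeatable least-privilege check, as an added example that is not part of the original article. The helper name Compare-MgScriptScope, its parameters, the read-over-write selection heuristic and the sample scope list are assumptions made for illustration.

```powershell
#Requires -Modules Microsoft.Graph.Authentication

# Hypothetical helper (not part of the Graph SDK): compares the scopes a script
# needs with the scopes a session holds, and reports what is missing or surplus.
function Compare-MgScriptScope {
    param(
        [Parameter(Mandatory)] [string[]] $Command,
        # Defaults to the live session; pass a list to check without connecting.
        [string[]] $GrantedScope = (Get-MgContext).Scopes,
        # Standard OpenID Connect sign-in scopes, ignored when reporting surplus.
        [string[]] $SignInScope = @('openid', 'profile', 'email', 'offline_access')
    )

    $required = foreach ($name in $Command) {
        # Every permission that would satisfy this cmdlet, across all of its URIs.
        $candidates = @((Find-MgGraphCommand -Command $name).Permissions.Name |
            Sort-Object -Unique)
        if (-not $candidates) { Write-Warning "No permissions listed for $name"; continue }

        # Assumed heuristic: read-only before ReadWrite, resource-specific
        # before Directory.*, shorter name as the final tie-breaker.
        $pick = $candidates |
            Sort-Object { $_ -match 'ReadWrite' }, { $_ -like 'Directory.*' }, Length |
            Select-Object -First 1

        [pscustomobject]@{
            Command   = $name
            Requested = $pick
            # True when any acceptable permission is already in the session.
            Satisfied = [bool]($candidates | Where-Object { $_ -in $GrantedScope })
        }
    }

    $requested = @($required.Requested | Sort-Object -Unique)
    [pscustomobject]@{
        PerCommand    = $required
        ConnectScopes = $requested
        # Granted scopes that this script does not need at all.
        Excess        = @($GrantedScope |
            Where-Object { $_ -notin $requested -and $_ -notin $SignInScope })
    }
}

# Constructed sample: scopes a long-used admin session might hold.
$sample = 'openid', 'profile', 'User.Read', 'Application.Read.All', 'Directory.ReadWrite.All'
$audit  = Compare-MgScriptScope -Command 'Get-MgApplication' -GrantedScope $sample
$audit.PerCommand | Format-Table
"Connect with: Connect-MgGraph -Scopes $($audit.ConnectScopes -join ',')"
"Not needed by this script: $($audit.Excess -join ', ')"
```

Run without -GrantedScope after Connect-MgGraph to audit the live session instead of the sample list.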
Now that we are connected to Graph PowerShell, we have additional options for executing cmdlets in the shell:
Examples of this are:
Get-MgReportMailboxUsageDetail
Get-MgReportMailboxUsageMailboxCount
Get-MgReportMailboxUsageQuotaStatusMailboxCount
Get-MgReportMailboxUsageStorage
Running any of these will generate output with the proper parameters or switches:
Get-MgReportMailboxUsageStorage -period 'D7' -OutFile c:\data\test.txt
Output for mailbox usage is placed in a text file for analysis/review.
Like PowerShell cmdlets, these cmdlets are run after connecting to Microsoft Graph.
$Results = (Invoke-MGGraphRequest -Method get -Uri 'https://graph.microsoft.com/v1.0/applications/?$select=id,displayName' -OutputType PSObject -Headers @{'ConsistencyLevel' = 'eventual' }).Value
Notice the URL used for the connection, pointing to the Graph API URI for Applications. We also have a 'select' action and we are pulling the ID and Display Names for apps:
When executed, we have this for output:
List of applications in a tenant with the ID and DisplayName properties as selected
A common question at this point is: how do I find the right URL to use if I am new to using Invoke-RestMethod? We can use Microsoft Graph Explorer to discover and understand what can be retrieved. Make sure to log into your tenant first:
Sign into a tenant to explore Graph URI endpoints
Once logged in, we see the base URL at the top – https://graph.microsoft.com/v1.0/me – which points to the logged-in user's personal account. On the left we have a pane where we can choose various endpoints to query.
On the left, in the red rectangle, we have some sample queries we can run to help learn the basics
If we were to select one of these options under Applications, we can then click on the 'Run query' button to execute this query. The URL provided for this query is:
which is similar to the query we ran before. Now, we could also get a list of groups in the tenant as well by connecting to this URL:
These four actions describe what action we would like to take when we connect to the various connection points (URLs). A quick summary for reference:
When using Graph PowerShell, it is good to know about possible limitations or just generally quirks/features compared to other PowerShell modules. In this section we will briefly explore these.
Now that we've gone through and reviewed the foundation for Graph PowerShell, where should we explore next? Well, in this series of blog articles, we will cover what we can use Graph for in terms of different workloads in Microsoft 365. First, we will start with Exchange and then move on to Teams. The focus for the articles will be on how practical it is to use Graph PowerShell to manage these workloads, what tasks can be performed in Graph and if the original module is still needed for efficient management. The end goal is to provide practical, useful advice for which method to use for either workload. Hopefully this will help administrators who may be struggling with the deprecation of the MSOL and Azure AD modules. Thanks again for reading this article.
Oct 8, 2024 by Damian Scoles
Damian Scoles is a ten-time Microsoft MVP specializing in Exchange, Office 365 and PowerShell who has 25 years of IT industry experience. He is based in the Chicago area and started out managing Exchange 5.5 and Windows NT. Over the years he has worked with Office 365 since BPOS and his experience has grown to include Azure AD, Security and Compliance Admin Centers, and Exchange Online. His community outreach includes contributing to TechNet forums, creating PowerShell scripts that can be found on his blogs, writing in-depth PowerShell / Office365 / Exchange blog articles, tweeting, and creating PowerShell videos on YouTube. He has written five PowerShell books and is also actively working on the book "Microsoft 365 Security for IT Pros".