Use Microsoft Graph with REST and PowerShell 7

Personally, I like REST APIs, especially when they are the direct layer between me and the data source I want to access. As a PowerShell MVP I often use REST and PowerShell, and today I needed to get some data from Microsoft Graph.

The question I needed to answer was: "Which groups is a user a member of in Azure Active Directory?"

I also wanted to use an access method that has only read access to Azure AD.

(It will take you around 30 minutes to read and get results. This was done using PowerShell 7.0.3 on Windows 10)

So the first step was to create an application (aka service account) in Azure AD:

1.) Create an application in Azure AD

Applications are used to authenticate to Azure AD from a script or from another application. As an admin, go to your Azure Portal ==> Azure AD and find "App registrations".

[Screenshot: App registrations menu in Azure AD]

Click on "New registration", which leads you to this screen:

[Screenshot: Azure AD new registration screen]

Give your app a name and enter a valid URL in the "Redirect URI" field (the name doesn't really matter).

After the app is created, copy the "Application ID" and store it somewhere temporarily.

[Screenshot: the Application ID field offers a "copy to clipboard" option]

Now create a client secret (password). In the view for your new app, go to "Certificates and secrets". At the bottom, find "Client secrets" and create a new one.

[Screenshot: creating a secret (password)]
Give your secret a name and a duration (avoid "Never").
Remember (store somewhere) the secret NOW!

The secret value is shown only once and is hidden as soon as you leave the page, so store it somewhere before closing the dialogue.

The last step to prepare our app is to add it to the Global Reader role. To do this, go to "Roles and administrators" in the Azure AD main menu.

[Screenshot: the Roles and administrators menu in Azure AD]

In the search field, enter "reader" and you will get a result similar to this.

Select the Global reader role, click on Assignments ==> Add assignments and select your recently created application. Click on the Add button and verify the change on the assignments page.

[Screenshot: real-world example of an assigned app in the Global reader role]

It might be enough to have the App in the Directory reader role, please test if this makes more sense to you.

2.) Authenticate to Azure and MS-Graph via REST

To read data from the Graph API, we first need to authenticate and request a token.

The token object has several properties, but two of them are needed for accessing the Graph API: the token_type and the access_token itself. To verify that your request worked, try this:

[Screenshot: example of an access token]
The token_type should be "Bearer".

Great, now let's use the token and create a hashtable with our authentication header!

Now the world of the Graph API is open to you, and it is a GREAT idea to read the MS Graph documentation: https://docs.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0

I want to give you three examples, which should be enough to get you up to speed on how to accomplish more.

3.) Example 1 – List users

First, let's get a list of users in the AAD.

[Screenshot: user listing]

4.) Example 2 – Get details of a specific user

You saw that the list-users call also returned the object id of each user (the id property). We need this id to query a specific user.

[Screenshot: single user output]

5.) Example 3 – Get group membership of a user

The last example I want to give you is how to check the group membership of a particular user.

[Screenshot: group membership results]
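The original PowerShell snippets for steps 2 to 5 did not survive on this page, so here is an added example (my reconstruction, not the author's code) that walks through the whole procedure: the token request, the authentication header hashtable, and the three Graph calls. It assumes the app created in step 1 authenticates with the OAuth2 client-credentials grant (app id plus client secret) and that tenant id, app id and secret are supplied through environment variables named GRAPH_TENANT_ID, GRAPH_CLIENT_ID and GRAPH_CLIENT_SECRET (placeholder names I chose, not anything from the post). It goes one step beyond the examples above by following @odata.nextLink, so tenants with more than one page of users or groups are read completely.

```powershell
# Added example (not the original post's code). Tested mentally against PowerShell 7 semantics.
# Assumption: tenant id, application (client) id and secret come from environment variables,
# so the secret never sits in the script file itself.
$TenantId     = $env:GRAPH_TENANT_ID       # tenant GUID or e.g. contoso.onmicrosoft.com
$ClientId     = $env:GRAPH_CLIENT_ID       # the "Application ID" copied in step 1
$ClientSecret = $env:GRAPH_CLIENT_SECRET   # the client secret created in step 1

# Step 2: request a token with the client-credentials grant.
# The .default scope asks for whatever the app has been granted (here: read access via the directory role).
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://graph.microsoft.com/.default'
}
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body $tokenBody

# Sanity check from the post: the token type must be "Bearer".
if ($token.token_type -ne 'Bearer') {
    throw "Unexpected token_type '$($token.token_type)'"
}

# Build the authentication header hashtable once and reuse it for every Graph call.
$headers = @{ Authorization = "$($token.token_type) $($token.access_token)" }
$graph   = 'https://graph.microsoft.com/v1.0'

# Helper: Graph returns collections in pages; follow @odata.nextLink until it is absent.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

# Example 1: list users. $select keeps the response small (the backtick stops PowerShell expanding $select).
$users = Get-GraphCollection -Uri "$graph/users?`$select=id,displayName,userPrincipalName"
$users | Select-Object id, displayName, userPrincipalName | Format-Table

# Example 2: details of one user, addressed by the object id returned by example 1.
$userId = $users[0].id
$user   = Invoke-RestMethod -Method Get -Uri "$graph/users/$userId" -Headers $headers
$user | Select-Object id, displayName, mail, jobTitle

# Example 3: group membership of that user. memberOf returns directory objects of several
# types (groups, directory roles, administrative units), so filter on the OData type.
$memberships = Get-GraphCollection -Uri "$graph/users/$userId/memberOf"
$memberships |
    Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' } |
    Select-Object id, displayName, mailEnabled, securityEnabled |
    Format-Table
```

Two practical notes. The access token expires (typically after about an hour), so rerun the token request instead of caching the token on disk; a leaked token is as useful to an attacker as the secret for as long as it is valid. And memberOf returns only direct memberships; if you need nested group membership as well, query the transitiveMemberOf relationship of the user with the same helper.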

This should hopefully explain the structure of the REST calls and help to bring you up to speed. Read the MS docs in the link above for more, and enjoy the Graph REST API with PowerShell!

Cheers / Roman