**Microsoft Graph** provides a unified programmability model that you can use to access data in [[Microsoft 365]], [[Windows]], Enterprise Mobility + Security, and more.

When working with Graph, it is all about describing scope. It is important to understand what action you are performing and what permission you need to do so. You can ensure your token has enough permission by setting the right scope.

# Graph Explorer

Use [Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) to try the APIs on the default sample tenant, or sign in and connect your tenant.^[https://learn.microsoft.com/en-us/graph/graph-explorer/graph-explorer-overview]

# PowerShell SDK

## Install

The Microsoft Graph PowerShell SDK is published on the [[PowerShell Gallery]].^[[Install the Microsoft Graph PowerShell SDK](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0)]

```powershell
Install-Module Microsoft.Graph
```

Verify the installation:

```PowerShell
Get-InstalledModule Microsoft.Graph
```

## Using the PowerShell SDK

### Authentication module cmdlets in Microsoft Graph PowerShell

Microsoft Graph PowerShell supports two types of authentication: delegated and app-only access.

#### Connect-MgGraph

##### Delegated access

There are three ways to allow delegated access using `Connect-MgGraph`^[[Using Microsoft Graph PowerShell authentication commands | Microsoft Learn](https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands?view=graph-powershell-1.0)]:

- Using interactive authentication, where you provide the scopes that you require during your session:

  ```PowerShell
  Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"
  ```

- Using device code flow:

  ```PowerShell
  Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All" -UseDeviceAuthentication
  ```

- Using your own access token:

  ```PowerShell
  Connect-MgGraph -AccessToken $AccessToken
  ```

### Determine required permission scopes

Each API in the Microsoft Graph is protected by one or more permission scopes. The user logging in must consent to one of the required scopes for the APIs you plan to use.^[[Get started with the Microsoft Graph PowerShell SDK](https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?view=graph-powershell-1.0)]

The `Find-MgGraphCommand` cmdlet can be used to discover the required permissions for another cmdlet. For example, to see all permissions that can be used to call `Get-MgUser`:

```PowerShell
Find-MgGraphCommand -command Get-MgUser | Select -First 1 -ExpandProperty Permissions
```

Find the identifier for a specific permission:

```PowerShell
Find-MgGraphPermission application.Read | Format-List
```

[Using Find-MgGraphPermission cmdlet - Microsoft Learn](https://learn.microsoft.com/en-us/powershell/microsoftgraph/find-mg-graph-permission?view=graph-powershell-1.0)

[Using Find-MgGraphCommand cmdlet - Microsoft Learn](https://learn.microsoft.com/en-us/powershell/microsoftgraph/find-mg-graph-command?view=graph-powershell-1.0)

### Upgrade from Azure AD PowerShell to Microsoft Graph PowerShell

Using the [Cmdlet map](https://learn.microsoft.com/en-us/powershell/microsoftgraph/azuread-msoline-cmdlet-map?view=graph-powershell-1.0), get the Microsoft Graph PowerShell equivalents for Azure AD cmdlets.
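
Returning to the section on determining required permission scopes: the following is an added example, not taken from this page's sources or from Microsoft's documentation, that checks a delegated session's scopes before and after sign-in. The cmdlet list and the chosen scopes are sample values; `Get-MgContext` is part of the SDK but is not otherwise covered on this page.

```powershell
# Added example. The cmdlet list and the scope choice are sample values.
$plannedCmdlets  = 'Get-MgUser', 'Get-MgGroup'
$requestedScopes = 'User.Read.All', 'Group.Read.All'

# 1. Before signing in: every planned cmdlet must accept at least one requested scope.
#    Find-MgGraphCommand can return several entries per cmdlet (one per URI), so
#    the permission names are collected across all of them.
foreach ($cmd in $plannedCmdlets) {
    $accepted = @((Find-MgGraphCommand -Command $cmd).Permissions.Name |
        Where-Object { $_ } | Sort-Object -Unique)
    $covering = @($requestedScopes | Where-Object { $_ -in $accepted })
    if ($covering.Count -eq 0) {
        throw "$cmd accepts none of the requested scopes. Accepted: $($accepted -join ', ')"
    }
    '{0,-12} covered by {1}' -f $cmd, ($covering -join ', ')
}

# 2. Sign in, asking only for the scopes chosen above.
Connect-MgGraph -Scopes $requestedScopes

# 3. After signing in: compare the scopes in the session with the request.
#    The OpenID Connect sign-in scopes are ignored here (assumption: they are
#    acceptable in your environment).
$signInScopes = 'openid', 'profile', 'email', 'offline_access'
$granted = @((Get-MgContext).Scopes)
$missing = @($requestedScopes | Where-Object { $_ -notin $granted })
$extra   = @($granted | Where-Object {
    $_ -notin $requestedScopes -and $_ -notin $signInScopes
})

if ($missing.Count -gt 0) {
    Write-Warning "Not granted: $($missing -join ', ')"
}
if ($extra.Count -gt 0) {
    Write-Warning "Session carries scopes beyond the request: $($extra -join ', ')"
}
if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    'Session scopes match the request.'
}
```

A warning about extra scopes means the session token can do more than the planned cmdlets need, which is worth reviewing before running anything that writes.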