Understanding the Microsoft Graph PowerShell

October 8, 2021

The Microsoft Graph PowerShell commands for Microsoft 365 are what all Administrators should be learning.

https://docs.microsoft.com/en-us/powershell/microsoftgraph/overview?view=graph-powershell-beta

The PowerShell module contains commands for the following categories:

  • Applications – Microsoft.Graph.Applications
  • Bookings – Microsoft.Graph.Bookings
  • Calendar – Microsoft.Graph.Calendar
  • Change Notifications – Microsoft.Graph.ChangeNotifications
  • Cloud Communications – Microsoft.Graph.CloudCommunications
  • Compliance – Microsoft.Graph.Compliance
  • Cross-Device Experiences – Microsoft.Graph.CrossDeviceExperiences
  • Device Management – Microsoft.Graph.DeviceManagement
  • Device Management Actions – Microsoft.Graph.DeviceManagementActions
  • Device Management Administration – Microsoft.Graph.DeviceManagementAdministration
  • Device Management Enrollment – Microsoft.Graph.DeviceManagementEnrollment
  • Device Management Functions – Microsoft.Graph.DeviceManagementFunctions
  • Devices Cloud Print – Microsoft.Graph.Devices.CloudPrint
  • Directory Objects – Microsoft.Graph.DirectoryObjects
  • Education – Microsoft.Graph.Education
  • Identity Directory Management – Microsoft.Graph.Identity.DirectoryManagement
  • Identity Directory Governance – Microsoft.Graph.Identity.Governance
  • Identity Directory Sign-ins – Microsoft.Graph.Identity.SignIns
  • Mail – Microsoft.Graph.Mail
  • Notes – Microsoft.Graph.Notes
  • People – Microsoft.Graph.People
  • Personal Contacts – Microsoft.Graph.PersonalContacts
  • Planner – Microsoft.Graph.Planner
  • Reports – Microsoft.Graph.Reports
  • Schema Extensions – Microsoft.Graph.SchemaExtensions
  • Search – Microsoft.Graph.Search
  • Security – Microsoft.Graph.Security
  • Sites – Microsoft.Graph.Sites
  • Teams – Microsoft.Graph.Teams
  • Users – Microsoft.Graph.Users
  • User Actions – Microsoft.Graph.Users.Actions
  • User Functions – Microsoft.Graph.Users.Functions

To review the category permissions, create an app registration within Azure Active Directory (Azure AD), and add Microsoft Graph API Permissions.

To use the categories within the Microsoft Graph, you must assign permissions as part of the connection command. The connection command takes the required permissions through its “Scopes” parameter. All permissions within the graph are Read or Write. For example, managing users and groups within Azure Active Directory requires the following permission scopes:

  • User.ReadWrite.All
  • Group.ReadWrite.All
  • GroupMember.ReadWrite.All

To connect with these permissions, we pass these values as part of the connect command.

# -Scopes takes a string array, so the values are separated by commas
Connect-MgGraph -Scopes `
		"User.ReadWrite.All", `
		"Group.ReadWrite.All", `
		"GroupMember.ReadWrite.All"

After executing the command, the consent framework prompts you to consent either for yourself as a user or on behalf of the entire tenant.

The most interesting thing is that all the PowerShell commands are available after importing the Microsoft Graph module. The scopes on the connection determine which specific commands you can execute. If the required permissions are missing or incorrect when a command runs, the command fails.

The good news is that you can see which scopes are granted within the current connection.

Get-MgContext | Select -ExpandProperty Scopes

Luckily, you can reconnect at any point with the added permissions to continue executing commands.

# Initial Connection
Connect-MgGraph -Scopes `
	"User.ReadWrite.All"
# Updated Connection
Connect-MgGraph -Scopes `
	"User.ReadWrite.All", `
	"Group.ReadWrite.All", `
	"GroupMember.ReadWrite.All"
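
A pre-flight scope check built on the two commands above, added here as an example and not part of the original post. `Get-MissingMgScope` and `Connect-MgGraphForTask` are hypothetical helper names; the sample scope lists at the end are constructed so the comparison runs without a tenant.

```powershell
# Added example. Get-MissingMgScope and Connect-MgGraphForTask are hypothetical
# helper names; only Get-MgContext and Connect-MgGraph come from the module.

function Get-MissingMgScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Required,
        # Granted scopes; read from the live connection unless supplied (offline use).
        [string[]] $Granted
    )
    if (-not $PSBoundParameters.ContainsKey('Granted')) {
        $context = Get-MgContext            # $null when no connection exists
        $Granted = if ($context) { $context.Scopes } else { @() }
    }
    # -notin compares case-insensitively, so "user.read.all" matches "User.Read.All"
    $Required | Where-Object { $_ -notin $Granted } | Sort-Object -Unique
}

function Connect-MgGraphForTask {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]] $Required)

    $missing = @(Get-MissingMgScope -Required $Required)
    if ($missing.Count -eq 0) {
        Write-Verbose 'Current connection already covers the task; no new consent requested.'
        return
    }
    # Surface write-capable scopes before the consent prompt so the widening is deliberate.
    $write = @($missing | Where-Object { $_ -match '\.ReadWrite(\.|$)' })
    if ($write.Count -gt 0) {
        Write-Warning "Requesting write access: $($write -join ', ')"
    }
    Connect-MgGraph -Scopes $Required
}

# Constructed sample input: a session that holds only User.ReadWrite.All.
Get-MissingMgScope `
    -Required 'User.ReadWrite.All', 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All' `
    -Granted  'User.ReadWrite.All'
```

For a task that only reads directory data, pass a read scope such as `User.Read.All` so the session never asks for write consent.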

The Microsoft Graph PowerShell is full of nearly all the commands you need to manage your Microsoft 365 Tenant. Now is a great time to start migrating away from the current commands to these new ones.


Liam Cleary


Liam began his career as a computer trainer. He quickly realized that programming, breaking and hacking were much more fun. Liam spent the next few years working within core infrastructure and security services. He is now the founder and owner of SharePlicity, a consulting company focusing on Microsoft 365 and Azure technology. His role within SharePlicity is to help organizations implement Microsoft 365 and Azure technology to enhance internal and external collaboration, document and records management, automate business processes, and implement security controls and protection. He is a long-time Microsoft MVP and Microsoft Certified Trainer, focusing on architecture, security and crossing the boundary into software development. Over the past few years, his specialty has been security in Microsoft 365, Azure and its surrounding platforms. Liam also creates online training courses for Pluralsight, LinkedIn Learning and Cloud Academy, and he teaches multiple Microsoft certification courses for Opsgility and Microsoft. You can find him at user groups and conferences, teaching classes, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet, building Lego robots, or coaching soccer. You may also find him running races in the dark, hiking, or mountain biking at breakneck speeds.