Getting started with Graph API and PowerShell

graph

If you haven’t heard about Microsoft Graph API lately, you have probably been living outside of civilization. Graph API is Microsoft’s master communication service that connects and handles data between almost any Azure or Microsoft 365 service in the background. If you are already used to PowerShell and modules, the toolkits you use to work with and automate your cloud environment, the chance that its all Graph API deep inside these modules is big.

If you go here, and scroll down to Developer on the left side. Choose either v1.0 Reference or Beta reference. Here you can see what products and services you can interact with in Graph. These sites contain the URL and request you need for pulling information or update/create new objects like users or groups.

The best way to get started playing around with Graph API before starting with working on the data in PowerShell is to use the Graph Explorer. Graph Explorer is a way to interact with the Graph API in the web browser. You can construct links and requests and test them out. There are a lot of example requests. Even some you can run without being logged in.

The different types of request you can send is GET, POST, PUT, PATCH and DELETE.
You can read more about them here.

So let’s jump right into it and play with the Graph Explorer.
First, we are going to just simply get a list of Groups. Sign in on the left side of the Graph Explorer. To get all groups you simply choose method GET, and enter this URL in the query field: https://graph.microsoft.com/v1.0/Groups

ge.png

Next we are going to create a new Office 365 group. We use the same URL, but set this to be a POST request as we are creating something. Take a look here to see how to construct the request body.

ge2.png

We have now learned how to both gather group info and create new groups through the Graph Explorer.  As a little side note, the request bodies are constructed in JSON format.

Next, we will look at how we can do the same operations with Graph by using PowerShell.

First, you need a way to authenticate against Azure AD and get an access token. For production and maybe more granular security you should also create your own Azure app, but for testing purposes we will use a known PowerShell client ID.

Here you see the part that gets you an access token and lets you authenticate with Graph:

#User Logon AzureAD module

#Parameters
$clientId = "30055d02-25ec-42d3-9525-7072854ba2fd"
$redirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient"
$resourceURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/common"

#pre requisites
try {
$AadModule = Import-Module -Name AzureADPreview -ErrorAction Stop -PassThru
}
catch {
throw 'Prerequisites not installed (AzureAD PowerShell module not installed)'
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

# Get token by prompting login window.
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always"
$authResult = $authContext.AcquireTokenAsync($resourceURI, $ClientID, $RedirectUri, $platformParameters)

$accessToken = $authResult.result.AccessToken

$accessToken
<span id="mce_SELREST_start" style="overflow:hidden;line-height:0;">&#65279;</span>

To query Graph and create a PowerShell variable with groups data, you run the following “code”:

$apiUrl = 'https://graph.microsoft.com/v1.0/Groups/'
$Data = Invoke-RestMethod -Headers @{Authorization = "Bearer $accessToken"} -Uri $apiUrl -Method Get
$Groups = ($Data | select-object Value).Value

We can now take a look at the content of one of the groups in the $Groups variable:

GraphPS1.png

Now we know how to create a request to get information from Graph into PowerShell. The next step is to create a POST query and learn how to construct a JSON body in PowerShell so we can create a new group. The trick is to create a variable where you put @’ at the top of the query and ‘@ at the bottom.  This makes the whole request into one large ‘text’, and will not give you a lot of different errors as JSON uses different formatting than PowerShell. You can also use double quotes @” “@, then you can also put variables inside your request.

$body = @'
{
  "description": "Self help community for library",
  "displayName": "Library Assist",
  "groupTypes": [
    "Unified"
  ],
  "mailEnabled": true,
  "mailNickname": "library",
  "securityEnabled": false
}
'@

$apiUrl = 'https://graph.microsoft.com/v1.0/groups'
$Data = Invoke-RestMethod -Headers @{Authorization = "Bearer $accessToken"} -Uri $apiUrl -Body $body -Method Post -ContentType 'application/json'

Now you have learned whats needed to get a jump start in using Graph API, and leveraging the power in PowerShell at the same time. As Microsoft has a high focus on Graph, I think there will be a lot more products you can work within the future through this API.

11 thoughts on “Getting started with Graph API and PowerShell

  1. Great Post!
    For some reason it was not working like that for me, i had to make 3 minor changes:

    In the credential line I replaced this:
    $AADCredential = New-Object “Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential” -ArgumentList $Office365Username,$SecurePassword
    with this:
    $AADCredential = New-Object “Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential” -ArgumentList $Office365Username,$SecurePassword

    In the $authresult I changed this:

    $authResult = $authContext.AcquireToken($resourceURI, $clientId,$AADCredential)

    with this:
    $authResult = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($authContext, $resourceURI, $clientid, $AADCredential);

    and finally this:
    $accessToken = $authResult.AccessToken

    with:
    $accessToken = $authResult.result.AccessToken

    Like

    • Thanks.

      Strange one, could it be that you have a different module version or version of PowerShell? I only tested with modern auth logon popup, not by stating username/password in the script.

      Like

      • Ok, now it works. I made some cosmetics on the assembly loading too.

        #based on https://github.com/microsoftgraph/powershell-intune-samples/blob/master/Authentication/Auth_From_File.ps1

        #Parameters
        $clientId = “1950a258-227b-4e31-a9cf-717495945fc2”
        $redirectUri = “urn:ietf:wg:oauth:2.0:oob”
        $resourceURI = “https://graph.microsoft.com”
        $authority = “https://login.microsoftonline.com/common”
        $authContext = New-Object “Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext” -ArgumentList $authority
        #$Office365Username=’user@domain’
        #$Office365Password=’VeryStrongPassword’

        #pre requisites
        try {

        $AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru

        }

        catch {

        throw ‘Prerequisites not installed (AzureAD PowerShell module not installed)’

        }
        $adal = Join-Path $AadModule.ModuleBase “Microsoft.IdentityModel.Clients.ActiveDirectory.dll”
        $adalforms = Join-Path $AadModule.ModuleBase “Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll”

        [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

        [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null

        ##option without user interaction

        if (([string]::IsNullOrEmpty($Office365Username) -eq $false) -and ([string]::IsNullOrEmpty($Office365Password) -eq $false))
        {
        $SecurePassword = ConvertTo-SecureString -AsPlainText $Office365Password -Force
        #Build Azure AD credentials object
        $AADCredential = New-Object “Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential” -ArgumentList $Office365Username,$SecurePassword
        # Get token without login prompts.
        $authResult = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($authContext, $resourceURI, $clientid, $AADCredential);

        }
        else
        {
        # Get token by prompting login window.
        $platformParameters = New-Object “Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters” -ArgumentList “Always”

        $authResult = $authContext.AcquireTokenAsync($resourceURI, $ClientID, $RedirectUri, $platformParameters)

        }

        $accessToken = $authResult.result.AccessToken

        Like

  2. That’s the issue then. I only tested it with the user and pass parameters because I needed to automate.
    The Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential is used for integrated authentication while the Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential is used for passing user and password.
    merging the changes should do the trick. I’ll look into it and let you know

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s