Using Microsoft Graph API with Powershell

Microsoft Graph API gives you the ability to interact with the continually evolving Azure services through a single endpoint: https://graph.microsoft.com. We are going to connect to Graph with Powershell, OAuth 2.0 and REST.

Registering your App

To interact with Graph we need to register our app. Go to https://apps.dev.microsoft.com/portal/register-app to get started. Login with your account that is associated with your tenant. Add a new App and enter the following details:

  • Name > just give it a name
  • Application Type > Web-app/-API
  • Sign on Url > Doesn’t matter so we go for: http://localhost:8000

Then select you newly created App and goto Required permissions, here we are going to add the Graph API permission. You will need to select different permission depending on what you want to access. You can change this later, so for now we click Add on the top, select Microsoft Graph and in step 2 we just select Read and write access to user profile. 

The last step is to create a key, go to Keys and enter a Key Description and set the duration to Never Expires. When you click on Save the value (ClientSecret) will only be displayed once, so write it done when it’s displayed.

 

icon
icon

Learn Ethical Hacking From Scratch

At udemy

Become an ethical hacker that can hack computer systems like black hat hackers and secure them like security experts.

Authentication and Authorization

To access the Graph API we need to get an Access Code. If you are new to working with Rest and Graph API then there are a few things to keep in mind:

  1. To get an Access Token you need an Authorization Code. The code is only 1 hour valid, but as long as your refresh token is valid, you only need to renew this every 90 days.
  2. The Access Token, which is used in every request is only valid for 1 hour. You can renew it with the Refresh Token.
  3. The Refresh Token is valid for 14 days.

So the first step is to get the Authentication code. We use the script below for this. Run the scripts with :

It will store the Authentication code in a text file at the script root location. This way we can easily access it later.

Thanks to Darren Robinson: https://gist.github.com/darrenjrobinson/b74211f98c507c4acb3cdd81ce205b4f#file-ps2graphapi-ps1

Get the Access and Refresh Token

With the Authentication code we can get the all important Access token and the much needed refresh token. Because the Access token is only 1 hour valid, we need to check it’s age and request a new one with the refresh token if it’s expired.

The script below  stores the access and refresh token in text files in the script root location. You can always change it to store it just in variables, but keep in mind, when you close the shell it’s all gone and you need to start again with the Authorization code.

The scripts checks the last modified time of the accesstoken.txt, if it’s older than 1 hour, it will request a new access token with the refresh token. If that fails, it will request a new Authorization code and start from their again.

I use a config.json file to store my ClientId, ClientSecret and RedirectUrl, this way you can easily change it.

Config.json

ConnectTo-Graph

Getting actual date with Invoke-RestMethod from Graph

After all is done we can interact with Graph as followed:

You can download the scripts here: https://github.com/ruudmens/SysAdminScripts/tree/master/Graph

Get more stuff like this

IT, Office365, Smart Home, PowerShell and Blogging Tips

I hate spam to, so you can unsubscribe at any time.

Comments

Leave a Comment