AzureAD Graph API PowerShell
Hello,
I recently played with the Azure AD Graph API (graph.windows.net) from PowerShell. Note that this is the older Azure AD Graph, not Microsoft Graph (graph.microsoft.com): the URLs and the api-version parameter used below are specific to it. It is a great tool that Microsoft provides to interact with Azure AD and a wide range of Microsoft SaaS applications:
Many platforms are supported; PowerShell isn't mentioned here, but it works! You just need the Invoke-RestMethod cmdlet.
AzureAD Graph API – The Token
First, we need an authentication token to pass to our future Invoke-RestMethod calls. For this I wrote a simple function; you can find it on GitHub here.
Then, use it:
$TenantName = 'itfordummies.net'
$GraphToken = New-GraphToken -TenantName $TenantName
Note: this function requires the AzureRM module for ADAL authentication, i.e. the Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext class (the latest version of the MSOL module ships it too). To install the module from PowerShell 5:
Install-Module AzureRM
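As an added example (not the post's New-GraphToken function, which signs an admin in interactively through ADAL), here is the non-interactive alternative: an app-only token for graph.windows.net obtained with the OAuth2 client-credentials grant at the v1 token endpoint, returned in the same header-hashtable shape as $GraphToken so the rest of the post works unchanged. It also decodes the token to check its audience and expiry before use, which is the first thing to verify when a call comes back with 401. Assumed and hypothetical: an app registration in the tenant whose $ClientId and $ClientSecret you supply, with an application permission on "Windows Azure Active Directory" (Directory.Read.All for the read examples) granted admin consent.

```powershell
# Added example, not the post's code. Assumes an app registration with
# Directory.Read.All on the Azure AD Graph API; $ClientId / $ClientSecret are hypothetical.

function New-GraphClientCredentialToken {
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret,
        [string]$Resource = 'https://graph.windows.net'   # resource id of Azure AD Graph
    )

    # The v1 endpoint takes 'resource' (not 'scope'); keep the secret in a SecureString
    # until the last moment so it does not end up in transcripts or $Error.
    $plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $plainSecret
        resource      = $Resource
    }
    $response = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantName/oauth2/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body

    # Same shape as the post's $GraphToken: a hashtable passed to -Headers.
    @{ Authorization = "Bearer $($response.access_token)" }
}

function Get-JwtPayload {
    # Decodes the payload segment of a JWT (no signature check: this is for
    # inspecting aud/exp/roles locally, the service still validates the token).
    param([Parameter(Mandatory)][string]$Jwt)
    $segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($segment.Length % 4) {
        2 { $segment += '==' }
        3 { $segment += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) |
        ConvertFrom-Json
}

function Test-GraphTokenHeader {
    # $true only if the bearer token was issued for graph.windows.net and has
    # more than one minute of validity left.
    param(
        [Parameter(Mandatory)][hashtable]$Header,
        [string]$ExpectedAudience = 'https://graph.windows.net'
    )
    $jwt     = $Header.Authorization -replace '^Bearer\s+', ''
    $payload = Get-JwtPayload -Jwt $jwt
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$payload.exp)
    ($payload.aud.TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/')) -and
        ($expires -gt [DateTimeOffset]::UtcNow.AddMinutes(1))
}

# Usage (hypothetical client id; the secret is prompted for, never hard-coded):
$secret     = Read-Host -Prompt 'Client secret' -AsSecureString
$GraphToken = New-GraphClientCredentialToken -TenantName $TenantName `
    -ClientId '11111111-2222-3333-4444-555555555555' -ClientSecret $secret
if (-not (Test-GraphTokenHeader -Header $GraphToken)) {
    throw 'Token is not usable for graph.windows.net (wrong audience or expired)'
}
```

Two things to keep in mind: an app-only token carries the application's permissions in its roles claim, so a token that passes the audience check can still get 403 on endpoints the registration was not consented for; and tokens are valid for about an hour, so long-running scripts should re-run Test-GraphTokenHeader and request a new token rather than caching one for the whole run.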
AzureAD Graph PowerShell – List Azure AD Users
Once you have your token you can start using it. In this example, we list the Azure AD users:
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/?api-version=1.6" -Headers $GraphToken -Method Get | Select-Object -ExpandProperty Value
If you want to list groups, the process is the same; you just change the endpoint from /users to /groups in the URL:
"https://graph.windows.net/$TenantName/users/?api-version=1.6"
"https://graph.windows.net/$TenantName/groups/?api-version=1.6"
So basically, we invoke a REST URL with the GET method, which returns the requested objects in the value property of the response.
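One thing the one-liners above hide: the service only returns one page of objects per call (100 users by default) and puts a continuation link in the odata.nextLink property of the response, so on any real tenant Select-Object -ExpandProperty Value silently gives you the first page only. The following added example (my code, not the post's) wraps the GET in a helper that follows odata.nextLink until the collection is exhausted and lets you pass an OData $filter and $select so you only pull the attributes you need. It works for any collection URL on this page, including users, groups and users/{objectId}/memberOf. It assumes $TenantName and $GraphToken as defined above.

```powershell
# Added example, not the post's code. Assumes $TenantName and $GraphToken from above.

function Get-AadGraphCollection {
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][hashtable]$Headers,   # e.g. $GraphToken
        [Parameter(Mandatory)][string]$Path,         # 'users', 'groups', "users/$id/memberOf"
        [string]$Filter,                              # OData $filter, e.g. "accountEnabled eq false"
        [string[]]$Select,                            # OData $select, e.g. 'objectId','userPrincipalName'
        [string]$ApiVersion = '1.6'
    )

    # Build the first page URL; single quotes keep the literal '$filter' / '$select'.
    $query = @("api-version=$ApiVersion")
    if ($Filter) { $query += '$filter=' + [Uri]::EscapeDataString($Filter) }
    if ($Select) { $query += '$select=' + ($Select -join ',') }
    $uri = "https://graph.windows.net/$TenantName/$($Path)?$($query -join '&')"

    do {
        $page = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get
        $page.value                      # emit this page's objects to the pipeline
        $next = $page.'odata.nextLink'   # $null on the last page
        # nextLink is relative to the tenant root and carries the skiptoken but not
        # api-version, so it has to be re-appended on every continuation call.
        if ($next) {
            $uri = "https://graph.windows.net/$TenantName/$next&api-version=$ApiVersion"
        }
    } while ($next)
}

# Usage: every disabled account, with only the two attributes we care about.
$disabled = Get-AadGraphCollection -TenantName $TenantName -Headers $GraphToken `
    -Path 'users' -Filter 'accountEnabled eq false' -Select objectId, userPrincipalName
$disabled | Format-Table objectId, userPrincipalName

# Same helper for groups; the count now reflects the whole tenant, not one page.
(Get-AadGraphCollection -TenantName $TenantName -Headers $GraphToken -Path 'groups').Count
```

Filtering server-side with $filter rather than piping everything through Where-Object matters on large tenants both for speed and because each page is a separate authenticated request that shows up in the audit trail; pulling the whole directory to find ten objects is the kind of access pattern a defender should be looking for.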
AzureAD Graph PowerShell – Reset User’s Password
To make a modification, you call the PATCH method on the object's REST URL:
# objectId of the user to modify (taken from the user listing above)
$DumboObjectID = 'e74ab4e5-d93b-44d0-86f3-0329814d3c7a'
# Only the properties present in the body are changed; passwordProfile is a nested object
$ResetPwd = @{
"passwordProfile" = @{
"password" = "Test123456"
"forceChangePasswordNextLogin" = $false
}
} | ConvertTo-Json
# A successful PATCH returns HTTP 204 with no body
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/$DumboObjectID`?api-version=1.6" -Headers $GraphToken -Method Patch -ContentType "application/json" -Body $ResetPwd
Note: you can get the objectId from the user listing in the previous example.
The same PATCH call works for any writable property of users, groups and the other directory object types.
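The password reset above uses a fixed, guessable value and leaves forceChangePasswordNextLogin off, which is fine for a demo but not for a script you keep. As an added example (mine, not the post's), here is the same PATCH generalised into a function that takes any hashtable of writable properties, together with a CSPRNG-backed one-time password generator, used first for a reset that forces a change at next sign-in and then to disable an account, the typical incident-response action. It assumes $TenantName, $GraphToken and $DumboObjectID as defined above. One caveat: resetting a password needs an identity that is allowed to do so (the interactive admin token from the post qualifies); an app-only token holding Directory.ReadWrite.All cannot reset user passwords in Azure AD Graph, even though it can PATCH other attributes.

```powershell
# Added example, not the post's code. Assumes $TenantName, $GraphToken, $DumboObjectID.

function New-RandomPassword {
    param([int]$Length = 20)
    # 64-symbol alphabet so that (byte -band 63) is uniform: no modulo bias.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
        # Regenerate until the Azure AD complexity rule (3 of 4 classes) is met.
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '[0-9]')
    $rng.Dispose()
    $pw
}

function Set-AadGraphUser {
    # PATCH any writable user properties; a successful call returns HTTP 204 and no body.
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][hashtable]$Properties
    )
    $uri  = "https://graph.windows.net/$TenantName/users/$($ObjectId)?api-version=1.6"
    $body = $Properties | ConvertTo-Json -Depth 5   # -Depth so nested passwordProfile survives
    Invoke-RestMethod -Uri $uri -Headers $Headers -Method Patch `
        -ContentType 'application/json' -Body $body
}

# 1. Reset to a random one-time password the user must change at next sign-in.
#    Hand $tempPassword over out of band; never echo it into logs or transcripts.
$tempPassword = New-RandomPassword
Set-AadGraphUser -TenantName $TenantName -Headers $GraphToken -ObjectId $DumboObjectID -Properties @{
    passwordProfile = @{
        password                     = $tempPassword
        forceChangePasswordNextLogin = $true
    }
}

# 2. Same call, different property: disable the account (e.g. compromised user).
Set-AadGraphUser -TenantName $TenantName -Headers $GraphToken -ObjectId $DumboObjectID `
    -Properties @{ accountEnabled = $false }
```

Disabling the account does not invalidate tokens that were already issued; if the reason for the reset is a compromise, also revoke the user's refresh tokens so that existing sessions cannot keep going until they expire.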
AzureAD Graph API – Tests
Microsoft built a tool to help us test our URLs:
https://graphexplorer.azurewebsites.net/
- Login with your Azure AD account
- Put your test URL
- Click on “Go”
This tool runs the URL for you without any prerequisites on your computer; it even works on a mobile phone.
A good example is to display the tenant details:
https://graph.windows.net/itfordummies.net/tenantDetails
It even displays the timing of your query.
AzureAD Graph API PowerShell – List a User’s Membership
Once you have a user's objectId, you can also get their group membership with a dedicated URL:
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/$DumboObjectID/memberOf?api-version=1.6" -Headers $GraphToken -Method Get | Select-Object -ExpandProperty Value
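memberOf only lists the groups (and directory roles) the user is a direct member of. When the question is "what can this account reach", for example during an access review, you want nested membership too. As an added example (mine, not the post's), the block below uses two service actions of the same API: users/{objectId}/getMemberGroups, which returns the objectIds of all groups the user belongs to including through nesting, and getObjectsByObjectIds, which resolves that list of ids to group objects in one request. It also shows users/{objectId}/checkMemberGroups for a quick yes/no against a short list of sensitive groups. It assumes $TenantName, $GraphToken and $DumboObjectID as defined above; the group objectId in the last call is a hypothetical placeholder.

```powershell
# Added example, not the post's code. Assumes $TenantName, $GraphToken, $DumboObjectID.

function Invoke-AadGraphAction {
    # POST a JSON body to a service action and return the 'value' of the response.
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$Path,        # e.g. "users/$id/getMemberGroups"
        [Parameter(Mandatory)][hashtable]$Body
    )
    $uri = "https://graph.windows.net/$TenantName/$($Path)?api-version=1.6"
    (Invoke-RestMethod -Uri $uri -Headers $Headers -Method Post `
        -ContentType 'application/json' -Body ($Body | ConvertTo-Json)).value
}

function Get-AadGraphTransitiveGroups {
    # Transitive group membership of a user, resolved to group objects.
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$UserObjectId,
        [switch]$SecurityEnabledOnly   # skip distribution / Office 365 groups
    )
    # Step 1: ids of every group reachable through nested membership.
    $ids = @(Invoke-AadGraphAction -TenantName $TenantName -Headers $Headers `
        -Path "users/$UserObjectId/getMemberGroups" `
        -Body @{ securityEnabledOnly = [bool]$SecurityEnabledOnly })
    if ($ids.Count -eq 0) { return @() }

    # Step 2: resolve the ids to objects in one call instead of one GET per group.
    Invoke-AadGraphAction -TenantName $TenantName -Headers $Headers `
        -Path 'getObjectsByObjectIds' `
        -Body @{ objectIds = $ids; types = @('group') } |
        Select-Object objectId, displayName, securityEnabled
}

# Usage: full (nested) membership of the user...
Get-AadGraphTransitiveGroups -TenantName $TenantName -Headers $GraphToken `
    -UserObjectId $DumboObjectID -SecurityEnabledOnly | Format-Table

# ...and a targeted check: which of these sensitive groups (hypothetical ids)
# does the user belong to? checkMemberGroups returns the matching subset.
$sensitive = @('22222222-2222-2222-2222-222222222222')
Invoke-AadGraphAction -TenantName $TenantName -Headers $GraphToken `
    -Path "users/$DumboObjectID/checkMemberGroups" -Body @{ groupIds = $sensitive }
```

getMemberGroups returns groups only; directory roles such as Global Administrator are not in that list, so keep the plain memberOf call from the post for role membership, or filter its output on odata.type.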
AzureAD Graph API PowerShell – Add a Group Member
To add a user to a group, you need the objectIds of both the group and the user, then build a JSON object like this one:
# The body of a $links POST is a reference to the member, not the member object itself
$UserJson = @{
"url" = "https://graph.windows.net/$TenantName/directoryObjects/$DumboObjectID"
} | ConvertTo-Json
Then call the POST method on the group's $links/members collection (the backtick keeps PowerShell from treating $links as a variable):
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/groups/$AzureADGroup/`$links/members`?api-version=1.6" -Headers $GraphToken -Method Post -ContentType "application/json" -Body $UserJson
Note: to remove a group member, call DELETE on that member's link:
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/groups/$AzureADGroup/`$links/members/$DumboObjectID`?api-version=1.6" -Headers $GraphToken -Method Delete
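Two things bite when the add/remove calls above go into a script: adding a member who is already in the group makes the service answer 400 rather than succeeding silently, and Invoke-RestMethod turns any 4xx into a terminating error whose useful part, the odata.error body, is not in the exception message. As an added example (mine, not the post's), here is the add wrapped so that it is idempotent, supports -WhatIf (group membership changes are exactly the kind of write you want a dry run for), surfaces the service's own error text, and confirms the result with the isMemberOf service action. It assumes $TenantName, $GraphToken and $DumboObjectID from above; $AzureADGroup is the target group's objectId, as in the post.

```powershell
# Added example, not the post's code. Assumes $TenantName, $GraphToken, $DumboObjectID
# and $AzureADGroup (objectId of the target group) from above.

function Get-AadGraphErrorMessage {
    # Pulls the odata.error message out of a failed Invoke-RestMethod call.
    param([Parameter(Mandatory)][System.Management.Automation.ErrorRecord]$ErrorRecord)
    $raw = $ErrorRecord.ErrorDetails.Message              # body, when PowerShell captured it
    if (-not $raw -and $ErrorRecord.Exception.Response) {
        # Windows PowerShell 5.1 fallback: read the body from the HttpWebResponse stream
        $reader = New-Object System.IO.StreamReader($ErrorRecord.Exception.Response.GetResponseStream())
        $raw = $reader.ReadToEnd()
        $reader.Dispose()
    }
    try { ($raw | ConvertFrom-Json -ErrorAction Stop).'odata.error'.message.value }
    catch { $raw }                                        # not JSON: return it as-is
}

function Test-AadGraphIsMemberOf {
    # Service action isMemberOf: does $MemberObjectId belong to $GroupObjectId?
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$GroupObjectId,
        [Parameter(Mandatory)][string]$MemberObjectId
    )
    $uri  = "https://graph.windows.net/$TenantName/isMemberOf?api-version=1.6"
    $body = @{ groupId = $GroupObjectId; memberId = $MemberObjectId } | ConvertTo-Json
    [bool](Invoke-RestMethod -Uri $uri -Headers $Headers -Method Post `
        -ContentType 'application/json' -Body $body).value
}

function Add-AadGraphGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string]$GroupObjectId,
        [Parameter(Mandatory)][string]$MemberObjectId
    )
    $uri  = "https://graph.windows.net/$TenantName/groups/$GroupObjectId/`$links/members?api-version=1.6"
    $body = @{ url = "https://graph.windows.net/$TenantName/directoryObjects/$MemberObjectId" } |
        ConvertTo-Json

    # -WhatIf prints the intended change and returns here without calling the API.
    if (-not $PSCmdlet.ShouldProcess("group $GroupObjectId", "add member $MemberObjectId")) { return }

    try {
        Invoke-RestMethod -Uri $uri -Headers $Headers -Method Post `
            -ContentType 'application/json' -Body $body | Out-Null
        $outcome = 'Added'
    }
    catch {
        $message = Get-AadGraphErrorMessage -ErrorRecord $_
        # The service rejects a duplicate link with 400 "...already exist..."; treat as a no-op.
        if ($message -like '*already exist*') { $outcome = 'AlreadyMember' }
        else { throw "Adding $MemberObjectId to $GroupObjectId failed: $message" }
    }

    # Post-condition: do not trust a 204 alone, ask the directory.
    if (-not (Test-AadGraphIsMemberOf -TenantName $TenantName -Headers $Headers `
            -GroupObjectId $GroupObjectId -MemberObjectId $MemberObjectId)) {
        throw "Membership of $MemberObjectId in $GroupObjectId could not be confirmed"
    }
    $outcome
}

# Usage: dry run first, then the real change.
Add-AadGraphGroupMember -TenantName $TenantName -Headers $GraphToken `
    -GroupObjectId $AzureADGroup -MemberObjectId $DumboObjectID -WhatIf
Add-AadGraphGroupMember -TenantName $TenantName -Headers $GraphToken `
    -GroupObjectId $AzureADGroup -MemberObjectId $DumboObjectID
```

The $links/members endpoint accepts any directoryObject, so the same function adds a service principal or a nested group; the isMemberOf check at the end is what tells you the write landed where you think it did, which matters most when the target is a role-assignable or otherwise privileged group.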
Conclusion
This is just very basic usage of the Graph API on Azure AD; the API can do many more things, but that's a topic for another post!
You'll be able to find all other posts related to the Graph API here.
graph.windows.net is not Microsoft Graph API, it’s the legacy Azure Graph that’s been discontinued. Microsoft Graph API is at graph.microsoft.com