Microsoft Graph API PowerShell AzureAD App
Hello,
Today we’ll talk about the Microsoft Graph API, PowerShell & AzureAD application. As you may know, the Microsoft Graph API is the data source where you can find everything about Office 365 and everything that’s interacting with it.
To be able to use it in an unattended way, you have some prerequisites:
- AzureAD Application for permissions
- Certificate for modern authentication
AzureAD Application
First, you need to create the application in AzureAD. You can follow this link to get to the AzureAD blade where you can register your app.





Now you have an AzureAD application with the requested permissions, valid across the whole tenant.
Certificate
You need to add a certificate to your AzureAD application to allow unattended modern authentication. You can create a certificate with the following PowerShell lines (requires PowerShell 4 or newer):
$DisplayName = "Microsoft Graph PowerShell Client Credentials"
$NotAfter = $(Get-Date).AddYears(2)
$cert = New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my -DnsName graph.microsoft.com -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $NotAfter -FriendlyName $DisplayName
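#Export .cer file (public certificate only, this is the file to upload to the AzureAD application)
Export-Certificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.cer"
#Export .pfx file (contains the private key; "123+aze" is a sample password, replace it with a strong one)
Export-PfxCertificate -Cert "cert:\currentuser\my\$($cert.Thumbprint)" -FilePath "c:\temp\$DisplayName.pfx" -Password ("123+aze" | ConvertTo-SecureString -Force -AsPlainText)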
You can also use a certificate from your local PKI.
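A variant of the commands above for the case where the unattended script runs on the same machine that generates the key, added here as an example and not part of the original post: the private key is created as non-exportable and only the public .cer leaves the machine, so no password-protected .pfx is written to disk. The subject name, the one-year lifetime and the output folder are assumptions.

```powershell
# Added example, not the original author's code.
# Assumptions: subject name, one-year lifetime, and that c:\temp already exists.
$DisplayName = "Microsoft Graph PowerShell Client Credentials"
$OutDir      = "c:\temp"

$params = @{
    Subject           = "CN=graph-unattended-client"   # constructed name, pick your own
    CertStoreLocation = "cert:\currentuser\my"
    KeyAlgorithm      = "RSA"
    KeyLength         = 2048
    HashAlgorithm     = "SHA256"
    KeySpec           = "Signature"                     # the key is only used to sign the token request
    KeyExportPolicy   = "NonExportable"                 # private key cannot be exported from this store
    NotAfter          = (Get-Date).AddYears(1)
    FriendlyName      = $DisplayName
}
$cert = New-SelfSignedCertificate @params

# Only the public part is exported; this is the file uploaded to the AzureAD application.
$cerPath = Join-Path -Path $OutDir -ChildPath "$DisplayName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Keep the exact thumbprint for the connection step instead of searching the store later.
$CertificateThumbprint = $cert.Thumbprint
"Upload $cerPath to the application, then connect with thumbprint $CertificateThumbprint"

# List every certificate in the store with this subject and the days left before it expires,
# so a renewal can be planned before the unattended jobs start failing.
Get-ChildItem -Path cert:\currentuser\my |
    Where-Object -FilterScript { $_.Subject -eq $params.Subject } |
    Select-Object -Property Thumbprint, HasPrivateKey, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
```

The script has to run under the same user account that created the certificate, because the key lives in that user's certificate store.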
Then, go to your AzureAD application and upload the certificate:

Connect to Microsoft Graph
Now that all the prerequisites are in place, you can use it from PowerShell.
First, to make it simpler, you need to install Microsoft’s “Microsoft.Graph” PowerShell module from the PSGallery:
Find-Module Microsoft.Graph | Install-Module -Scope CurrentUser
The “Connect-Graph” cmdlet requires 3 parameters to be used unattended:
- Client ID: can be retrieved in the “Overview” pane of your AzureAD application
- Certificate thumbprint of the certificate you imported into your AzureAD app
- Tenant ID: can be retrieved in the “Overview” pane of your AzureAD application

$CertificateThmbprint = Get-ChildItem -Path cert:\currentuser\my | Where-Object -FilterScript {$_.Issuer -eq 'CN=graph.microsoft.com'} | Select-Object -ExpandProperty Thumbprint
Then, you can connect with:
Connect-Graph -ClientId $ClientID -TenantId $TenantID -CertificateThumbprint $CertificateThmbprint

Use Microsoft Graph
Now that you are connected, you can use the Microsoft Graph. Below is the list of available cmdlets:

Thanks to “Invoke-MgGraphRequest”, you do not have to get the bearer token yourself, nor do you have to add it as a parameter each time, as you would with “Invoke-WebRequest”:

Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/users/dumbo@itfordummies.net/messages/AQMkAGUxMGFjMTg0LTU3OWQtNDU5Yi04OWVjLWJhNDUwNzQ5NTA1NgBGAAADG35iX-3jnU_AjwRGvCkingcAZbNWqQU7lk2WqeIfOz7G5gAAAgEMAAAAZbNWqQU7lk2WqeIfOz7G5gAFE5p-DAAAAA==/'
As you can see in the previous example, I know the message ID required by the Graph. If you don’t know it, you can use $filter to search for a specific email, then get its ID and call a Graph method on it:
$ID = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/dumbo@itfordummies.net/messages/?`$filter=internetMessageId eq '20201127060315.14956.153598004.swift@softcedric.activehosted.com'").value.id
Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/v1.0/users/dumbo@itfordummies.net/messages/$ID"
For the Microsoft Graph, “InternetMessageID” is the “Message Id” from the message headers:

The “DELETE” method we just used will put the mail in the recoverable items in the “Deleted Items” folder. It will be permanently deleted after the recoverable item lifetime.
Microsoft Graph API PowerShell AzureAD App
You saw how to create an AzureAD application, how to assign permissions, how to create a secret, how to upload a certificate for modern unattended authentication, how to connect with the Microsoft.Graph PowerShell module, and how to use the module to get some information out of the Microsoft Graph.