This week I have been focusing on how to get information out of Entra ID, specifically stale devices, as I saw I had around 252 of them the last time I visited the Entra ID portal for work. The current way to access data across Microsoft 365 services is through Microsoft Graph.
The PowerShell SDK for Microsoft Graph is a module that provides cmdlets for working with Microsoft Graph. You can use the cmdlets to perform common operations such as getting users, groups, messages, files and events, and to create, update, delete and otherwise manage resources exposed by Microsoft Graph.
In this post I'll just focus on getting everything set up before connecting using PowerShell.
Before you get started
Developer sandbox
If you want to test your PowerShell Microsoft Graph scripts in a safe environment, you can use the Microsoft 365 Developer Program. This program gives you access to a free sandbox subscription that includes sample data and users. It auto-renews every 90 days. The sandbox doesn't have any devices; I haven't tested registering devices yet, but I imagine you can.
You can sign up here: https://developer.microsoft.com/en-us/microsoft-365/dev-program
Certificate
For testing you can use a self-signed certificate. Entra ID checks the certificate an application presents against the public key you upload to the app registration, not against a CA chain, so a self-signed certificate works as long as the private key stays where only your automation can reach it. To be honest I'm not sure how to go about getting a certificate from a public CA, but this is something I would like to investigate in the future.
Create a self-signed public certificate to authenticate your application | Microsoft Learn
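The steps behind that link, as an added example that is not part of the original post: create the self-signed certificate in the current user's personal store and export only the public half for upload. The subject name, validity period and output path are placeholders chosen here; if the script will run as a service or pipeline agent, create the certificate in Cert:\LocalMachine\My from an elevated session instead.

```powershell
# Added example (not from the original post): self-signed certificate for
# app-only Microsoft Graph authentication.
# Assumptions: subject, store, validity and output path are placeholders.
$subject = "CN=PowerShell-MSGraph"

$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# Only the public certificate (.cer) is uploaded to the app registration.
# The private key stays in the store; do not export it or commit it anywhere.
Export-Certificate -Cert $cert -FilePath ".\PowerShell-MSGraph.cer" | Out-Null

# Keep the thumbprint: Connect-MgGraph can locate the certificate by it later.
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter)"
```

Note the one-year expiry: the app registration shows the same date, and the connection will simply start failing when it passes, so record it somewhere you will see it. If the certificate is generated on the machine that will use it, -KeyExportPolicy NonExportable is the safer choice, because a stolen exportable key lets anyone act as the application without MFA.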
Register an Azure AD application
You'll also need to register an Azure AD application and grant it the necessary permissions to access Microsoft Graph. You would then use
Create application
From the Entra ID home page you can go to the Add menu and then choose App registration
Alternatively, you can also go to App registrations via the side menu on the left:
Finally choose New registration.
I named the app PowerShell-MSGraph
Upload Public certificate
The next step is to upload the certificate by going to Certificates & secrets.
In the Certificates tab you will see the Upload certificate button.
You will need to upload the public certificate (the one with the .cer extension) created in the previous section.
API permissions
Next you need to give the app permission to read or write data in Microsoft Graph. You will need to go to the API permissions page.
In the API permissions page you’ll find a button to add a permission
On the blade that appears next, you will need to choose Microsoft Graph
and then choose Application permissions. Application permissions let the app act without a signed-in user, which is exactly what unattended scripts need, but it also means the app gets the full scope of whatever you grant, so choose carefully.
You can use the search box to filter the permissions available. You'll notice the right-hand column shows that these permissions require admin consent; we'll take care of that in the next step. Pick the narrowest permission that covers the job: if you only need to read user accounts, choose User.Read.All rather than User.ReadWrite.All. In the example below I selected Device.Read.All.
Application permissions do nothing until an administrator consents to them, so click Grant admin consent for <Tenant name> above the list of permissions you selected. This needs an account allowed to grant consent for Microsoft Graph application permissions (for example Global Administrator); a regular user cannot do it.
Connect with PowerShell SDK
Now your application can read and/or write the data covered by the permissions you granted. PowerShell then authenticates as the application, which does the work behind the scenes.
Use these commands to connect with the certificate, replacing the placeholders with your own values.
# Thumbprint of the certificate whose public half you uploaded to the app registration (placeholder).
$CertThumbprint = "YOUR_CERT_THUMBPRINT"
# Load the certificate, including its private key, from the machine store.
$Cert = Get-ChildItem Cert:\LocalMachine\My\$CertThumbprint
Connect-MgGraph -ClientId "YOUR_APP_ID" -TenantId "YOUR_TENANT_ID" -Certificate $Cert
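The same sign-in done by thumbprint, followed by the checks I would want before trusting an unattended session and a first use of Device.Read.All, as an added example rather than code from the original post. The app ID, tenant ID, thumbprint and the 90-day cut-off are placeholders; the Microsoft.Graph module is assumed to be installed and the certificate to sit in the CurrentUser or LocalMachine personal store.

```powershell
# Added example (not from the original post): app-only sign-in by thumbprint,
# sanity checks on the resulting context, and a first Device.Read.All query.
# Assumptions: placeholder IDs and thumbprint; Microsoft.Graph module installed.
$clientId   = "YOUR_APP_ID"
$tenantId   = "YOUR_TENANT_ID"
$thumbprint = "YOUR_CERT_THUMBPRINT"

# -CertificateThumbprint lets the SDK look the certificate up in the personal
# stores itself, so the script never handles the key material directly.
Connect-MgGraph -ClientId $clientId -TenantId $tenantId -CertificateThumbprint $thumbprint -NoWelcome

# Fail fast if this is somehow a delegated (user) session or the wrong app.
$ctx = Get-MgContext
if ($ctx.AuthType -ne "AppOnly" -or $ctx.ClientId -ne $clientId) {
    throw "Expected an app-only session for $clientId, got $($ctx.AuthType) as $($ctx.ClientId)"
}
# Scopes on an app-only context are the application permissions actually consented to.
if ($ctx.Scopes -notcontains "Device.Read.All") {
    throw "Device.Read.All has not been granted; check API permissions and admin consent"
}

# With Device.Read.All the app can list devices. The filter on
# approximateLastSignInDateTime is done client-side, so the cut-off can be anything.
$cutoff  = (Get-Date).AddDays(-90)
$devices = Get-MgDevice -All -Property "id,displayName,approximateLastSignInDateTime"
$stale   = $devices | Where-Object {
    $_.ApproximateLastSignInDateTime -and $_.ApproximateLastSignInDateTime -lt $cutoff
}

"{0} of {1} devices have not signed in since {2:yyyy-MM-dd}" -f $stale.Count, $devices.Count, $cutoff
$stale |
    Select-Object DisplayName, ApproximateLastSignInDateTime |
    Sort-Object ApproximateLastSignInDateTime |
    Format-Table

Disconnect-MgGraph | Out-Null
```

The two checks matter more in a pipeline than they look: Connect-MgGraph will happily fall back to an interactive or cached delegated token in some configurations, and a script that silently runs with someone's user permissions is the kind of thing that shows up later as an audit finding. Devices with no ApproximateLastSignInDateTime at all are excluded here on purpose; they usually deserve a separate look rather than being lumped in with stale ones.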
I will go into how to use the certificate for automating your scripts in a future post.
Resources
I used the following video to get started, it goes through creating the certificate and the app registration mentioned above and finally connecting using PowerShell and the certificate.
This video gives an overview and explanation of the Microsoft Graph
Conclusion
The idea is to be able to authenticate using a certificate, as I wanted to avoid using any user accounts because all users in my organisation are required to provide multi-factor authentication. This will be useful if I want to automate scripts that interact with Entra ID; I have been testing this out in Azure DevOps.
I hope this blog post has given you an overview of how to get started with the SDK. I didn't cover any PowerShell commands, but you can find the documentation here: PowerShell SDK for Microsoft Graph. I'll eventually post some PowerShell examples in this post or a new one and also share the script I have been using to get stale devices. If you have any questions or feedback, please let me know in the comments below.