Microsoft Graph | Powershell Script from Scratch
Summary
TL;DR: This video tutorial guides viewers through writing a script from scratch to query Microsoft Graph using the client credential flow. It covers registering an app in Azure AD, granting the necessary permissions, obtaining an access token, and making API calls to fetch user and device information.
Takeaways
- 😀 The video series focuses on Microsoft Graph and scripting to query it.
- 🔑 To access Microsoft Graph, you need an application registered in Azure Active Directory.
- 📝 The script is being written to query Microsoft Graph using the client credential flow, which requires no user interaction.
- 👤 The video demonstrates registering a new app in Azure AD and obtaining a client ID and client secret.
- 📎 Understanding the OAuth client credential flow is a prerequisite for the script.
- 👀 The script requests permissions from Microsoft Graph, specifically 'User.Read.All' for accessing user information.
- 🔗 The token endpoint for OAuth is accessed using the well-known configuration of the tenant.
- 📚 The script uses PowerShell to interact with Microsoft Graph, prompting the user for their tenant domain name.
- 🔑 The access token is obtained by sending a POST request to the token endpoint with client ID, client secret, and other required parameters.
- 🔎 The script queries Microsoft Graph to retrieve user information, demonstrating how to use the access token in the authorization header.
- ⚙️ Additional permissions may be required for accessing different resources, such as devices, and must be granted in the Azure portal.
Q & A
What is the first step in accessing Microsoft Graph?
-The first step in accessing Microsoft Graph is to create an application in Azure Active Directory. This application will be used to authenticate and gain access to the protected information.
Why is client credential flow important in this context?
-Client credential flow is important because it allows an application to authenticate and access resources without user interaction. This is crucial when writing scripts that need to query Microsoft Graph without user involvement.
What is the purpose of registering a new app in Azure Active Directory?
-Registering a new app in Azure Active Directory is necessary to create an identity for the application that can be used to authenticate and request access to Microsoft Graph API.
What permissions are needed for the app to access user information in Microsoft Graph?
-The app needs to have application permissions, specifically the 'User.Read.All' permission, to access user information in Microsoft Graph.
Why is it necessary to grant admin consent for the app?
-Admin consent is necessary because the app is using application permissions, which require administrative approval to access the resources on behalf of the organization.
How can you find the token endpoint for Microsoft Graph?
-You can find the token endpoint for Microsoft Graph by accessing the well-known configuration of your tenant, which can be found in the 'Endpoints' section of your app registration in Azure Active Directory.
What information is required to request an access token using client credential flow?
-To request an access token using client credential flow, you need to provide the client ID, client secret, redirect URI, grant type (set to 'client_credentials'), and the resource URL (Microsoft Graph).
How does the script interact with the Microsoft Graph API to query user information?
-The script uses a REST method to send a POST request to the token endpoint with the necessary credentials to obtain an access token. It then uses this token to make a GET request to the Microsoft Graph API endpoint to query user information.
What happens if the script tries to access device information without the necessary permissions?
-If the script tries to access device information without the necessary permissions, it will receive an error indicating insufficient privileges.
How can you customize the script to display specific information from the Microsoft Graph API?
-You can customize the script by using PowerShell cmdlets like 'Select' to choose specific properties from the returned data, or by using 'ConvertTo-JSON' to structure the data in a JSON format.
Outlines
📝 Registering a New App in Azure AD
The video begins with the process of registering a new application in Azure Active Directory (AD) to access Microsoft Graph. The presenter demonstrates how to sign in as a global admin, navigate to Azure AD, and register a new app named 'graph script'. This involves selecting the 'Web' option and specifying 'localhost' as the redirect URI. The application is then registered, and the presenter emphasizes the importance of understanding the OAuth client credential flow, which is a prerequisite for accessing the Graph API. The client ID and client secret are generated and noted for use in the script.
🔗 Configuring API Permissions for the App
The presenter continues by explaining how to configure the newly registered app to access the Microsoft Graph API. This involves granting the app the necessary permissions, specifically the 'User.Read.All' permission, which allows the app to query user information without user interaction. The presenter also discusses the importance of granting admin consent for the tenant, which is required since there is no user interaction in this scenario. The video also covers how to find the token endpoint for the OAuth client credential flow by accessing the well-known configuration of the tenant.
💻 Writing the Script to Access Microsoft Graph
The video script then shifts to writing a script from scratch to access Microsoft Graph. The presenter introduces the concept of defining a variable for the tenant domain and prompts the user to enter their domain name. The script is saved and run in PowerShell, demonstrating how the user input is captured. The script then uses REST methods to access the well-known configuration endpoint to determine the token endpoint. The presenter also explains how to display the token endpoint in the console and how to save this information for later use in the script.
🔑 Requesting an Access Token
The presenter proceeds to explain how to request an access token using the client credential flow. This involves constructing a body object with the client ID, client secret, redirect URI, and grant type set to 'client_credentials'. The resource is specified as 'graph.microsoft.com', and the tenant is included as an optional parameter. The script uses a REST method to post this information to the token endpoint, and the access token is displayed in the console. The presenter emphasizes the importance of entering the values correctly as expected by Azure AD.
🔎 Querying Microsoft Graph for User Information
With the access token obtained, the presenter demonstrates how to query Microsoft Graph for user information. This involves creating an API variable that invokes a REST method with the authorization header containing the access token. The script is then used to query the '/users' endpoint of Microsoft Graph. The presenter shows how to display the response in the console and how to customize the output by selecting specific properties such as 'userPrincipalName' and 'accountEnabled'. The video also covers how to handle errors related to insufficient privileges and how to grant the necessary permissions to access device information.
🚀 Finalizing the Script and Accessing Device Information
The final part of the video script focuses on finalizing the script and accessing device information through Microsoft Graph. The presenter explains how to refresh the permissions and re-run the script to access device information. The video concludes with a reminder that the script is a basic introduction to scripting and accessing Microsoft Graph API, and encourages viewers to explore more efficient methods and customize the script according to their needs. The presenter also invites viewers to ask questions in the comment section and promises to add more scripts and features in the community section.
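The steps outlined above (and walked through in the transcript below) as one runnable PowerShell script; this is an added example, not the video's own script, and it keeps the v1.0 token endpoint and the 'resource' form the video uses. It assumes the app registration already holds the User.Read.All application permission with admin consent, and it reads the client secret from an environment variable named GRAPH_CLIENT_SECRET (a placeholder convention chosen here, not something the video uses) instead of hard-coding it.

```powershell
# Added example: client credential flow against Microsoft Graph in PowerShell.
# Assumptions: app registration exists with admin-consented application
# permissions; the secret comes from $env:GRAPH_CLIENT_SECRET (placeholder name).

$tenant   = Read-Host "Enter your tenant domain name (e.g. contoso.onmicrosoft.com)"
$clientId = Read-Host "Enter the application (client) ID"
$clientSecret = $env:GRAPH_CLIENT_SECRET
if ([string]::IsNullOrEmpty($clientSecret)) {
    # Prompt without echoing when the environment variable is not set
    $secure = Read-Host "Enter the client secret" -AsSecureString
    $clientSecret = [System.Net.NetworkCredential]::new('', $secure).Password
}

# Step 1: discover the token endpoint from the tenant's well-known configuration
$openIdUri     = "https://login.microsoftonline.com/$tenant/.well-known/openid-configuration"
$openId        = Invoke-RestMethod -Uri $openIdUri -Method Get
$tokenEndpoint = $openId.token_endpoint
Write-Host "The token endpoint of your directory is $tokenEndpoint"

# Step 2: request an access token with no user interaction
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    grant_type    = 'client_credentials'
    resource      = 'https://graph.microsoft.com'   # v1.0 endpoint form, as in the video
}
Write-Host "Requesting access token"
$tokenResponse = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body
$accessToken   = $tokenResponse.access_token

# Check: decode the JWT payload (base64url) and show which application
# permissions (roles) the token carries; a missing role explains an
# 'insufficient privileges' error before any Graph call is made
function Get-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}
$claims = Get-JwtPayload -Jwt $accessToken
Write-Host "Token roles: $($claims.roles -join ', ')"

# Step 3: query Graph with the Bearer header, following @odata.nextLink so
# every page of a large collection is returned, not only the first one
function Get-GraphCollection {
    param([string]$Uri, [string]$Token)
    $headers = @{ Authorization = "Bearer $Token" }
    $items = @()
    while ($Uri) {
        try {
            $page = Invoke-RestMethod -Uri $Uri -Headers $headers -Method Get
        } catch {
            # 403 here is the 'insufficient privileges' case from the video: the
            # application permission is missing, not consented, or not yet propagated
            Write-Host "Request to $Uri failed: $($_.Exception.Message)"
            return $items
        }
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

$users = Get-GraphCollection -Token $accessToken `
    -Uri 'https://graph.microsoft.com/v1.0/users?$select=userPrincipalName,accountEnabled'
$users | Select-Object userPrincipalName, accountEnabled | Format-Table -AutoSize

# Devices need Device.Read.All; without it the call logs the 403 and returns nothing
$devices = Get-GraphCollection -Token $accessToken `
    -Uri 'https://graph.microsoft.com/v1.0/devices?$select=displayName,operatingSystem'
$devices | Select-Object displayName, operatingSystem | Format-Table -AutoSize
```

The `$select` query parameter is sent in single quotes so PowerShell passes it literally rather than expanding it as a variable.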
Keywords
💡Microsoft Graph
💡Application
💡Client Credential Flow
💡Azure Active Directory
💡Application Permissions
💡Token Endpoint
💡Client ID
💡Client Secret
💡REST Method
💡Authorization Header
💡PowerShell
Highlights
Introduction to a series on Microsoft Graph, focusing on writing a script to query Microsoft Graph.
The necessity of an application to access information protected by Microsoft Graph.
Demonstration of registering a new app in Azure Active Directory for script access.
Explanation of the prerequisites, including understanding the OAuth client credential flow.
Step-by-step guide to creating an application and obtaining a client ID and client secret.
Instructions on granting the application access to Microsoft Graph API using application permissions.
Discussion on the importance of client credential flow for non-interactive scripts.
How to access the token endpoint for OAuth client credential flow.
Using PowerShell to write a script that queries user information from Microsoft Graph.
Creating variables for tenant domain names and prompting users to enter their tenant name.
Initiating a REST method to reach the OpenID Connect well-known configuration endpoint.
Displaying the token endpoint on the console for user clarity.
Building the body object with client ID, client secret, redirect URI, and grant type for token request.
Invoking a REST method to request an access token from the token endpoint.
Displaying the access token received from Microsoft Graph API.
Querying Microsoft Graph API using the access token with proper authorization headers.
Selecting specific user information fields to display, such as user principal name and account enabled.
Handling errors related to insufficient privileges when querying devices in Microsoft Graph.
Granting additional permissions for device access and troubleshooting potential delays in permission propagation.
Final demonstration of querying device information from Microsoft Graph after granting necessary permissions.
Encouragement for viewers to ask questions and engage with the community for further learning.
Transcripts
Hi guys, hope you all doing well, welcome back to our series of Microsoft Graph, and in this video we are going to write a script from scratch that will be used to query Microsoft Graph. Now the very first thing that you need to access any information that's being protected by Microsoft Graph is an application, ok? So what I'm going to do is I'm going to switch to my browser, where I have signed in as global admin, and then I went to Azure Active Directory, and now I have selected App registrations and I'm going to register a brand new app. Let's say I'm going to access Graph through a script, so I'll name it as "graph script", ok. I'm not going to make any change here; here I will select the Web option itself, and here I'm going to type http and then let's say localhost, that's all I need as of now, ok. And I have clicked on Register, so as of now an application is registered in my Azure AD, but still this application doesn't have the required permission to access Graph API. Now there is a prerequisite which is a must, and that is you should know how OAuth client credential flow works, so if you have not seen that video by any chance please go ahead and watch that video, because there are multiple things which I'm going to use as a reference in this video which I have already covered, specifically the attributes or the values that need to be present when your request is reaching a specific endpoint of your Azure AD, ok. So as of now I have just created an application; the next step is to copy this application ID, because this is something which we will be using in our script, ok. So this is my client ID, and then I'll create a client secret as well, because again this is something which is required for client credential flow, where there is no user interaction.

Okay, now welcome back to my console where we have accessed portal.azure.com, and in this application what I'm going to do is I'm going to allow this application to access an API, which will be Microsoft Graph, ok. And let's assume we will use this script to query user information, okay, but since we are using client credential flow and there is no user interaction, delegated permissions are not going to work. So now what you need to do is you have to click on this option which says Microsoft Graph, and then click on Application permissions, and then scroll down and go to the User section, and here give this permission which says User.Read.All. That's all you need to do, ok. Now again, since there will be no user interaction, that means the consent prompt will not be shown, ok, so the fact is that if consent is not shown then the required permission cannot be granted by any user; that means as an admin you have to grant this permission for your tenant, and that's exactly what I have done by clicking on this option which says "Grant admin consent for conceptswork". Now as of now the configuration that is required from the Azure AD perspective is done; that means I need a client ID and I need a client secret, that's it. But the fact is that, if you guys remember when we have discussed about OAuth client credential flow, there is a specific endpoint which is used, and which is called the token endpoint, ok, and that can be accessed, or you can check that information, by going to the well-known configuration of a tenant. Now how to access this particular endpoint: just go to your application, or go to that section from where you create the application, click on Endpoints, and then there will be an option of a well-known configuration for OpenID Connect. As you can see, this is the link which I have opened here, but this is v1.0. Now you can use v1.0 endpoints or v2.0 endpoints as well, but honestly speaking using v2.0 endpoints here is not going to make any difference, because since there is no consent, so there is no fundamental of using an endpoint that uses incremental consent. It's very simple, but there will be no interaction that can be approved by your application and there is no user interaction, so if you will use the v1.0 endpoints as well, everything will be in place, there will be no difference, okay. So now let's come back to our Visual Studio Code, where we will be writing our first script from scratch, okay.

Now let's say you're going to give the script to any of your customers or any of your team members as well, and let's say you want to make the script available to anyone who can use this to just query the user information. In that case you don't know who is going to access or who is going to use this particular script, then what you can do, you can just define a variable, let's say tenant, and you can prompt your user to enter their domain name, okay. So as of now what it will do, it will ask the user to enter the tenant name. That's all I have done: I have declared a variable, but then I'm asking the user to enter their tenant name. Now this script is as of now saved in D script lab on my machine and the script name is graph, so I'll go to my PowerShell and I will run the script to see what's exactly happening. So this is my PowerShell console and I'm at the same location, which is D script lab, and now if I'll try to run this, let's see what happens. Nothing is happening as of now because I hope it's not saved, so I saved it again and now let me run this. So as you can see, as a user now I'm getting the prompt, okay, and the expected behavior is that this value will just get saved in this particular variable, okay. Now, since we need to know which endpoint we have to reach, okay, that means we have to access this particular endpoint from our script to know the token endpoint, because that is something which will be used in client credential flow. But since the naming convention of this particular endpoint ends up with openid, so let's declare a variable and name it as openID, okay, and then what we will do is we'll ask PowerShell to initiate a REST method and reach this particular URI, which is the OpenID Connect well-known configuration. So if I'll copy the URL from here and I'll come back to my script, let me save that value here, and instead of conceptswork.com what you should use, use the value which the user has entered, okay. So this was pretty much simple, that we have just declared a variable and this variable will be used to access a particular link, and the value of tenant is the same value which the user will be entering, okay. Now let's display this variable on the console and let's see what all we get, okay. So if I again re-initiate the script, and if I'll do conceptswork.com, let's see what happens. Perfect, we are getting all the endpoint list, but the fact is that this is the endpoint which we have to reach, so now instead of displaying everything what we'll say is just display the access token, or sorry, the token endpoint, okay. We'll again save this and now we'll again re-initiate our script and let's see. Perfect, this is what we are getting, okay. To make it more interactive what you can do is you can display it like this, let's say Write-Host "the token endpoint of your directory is" and then this endpoint, okay. Let's say conceptswork.com: the token endpoint of your directory is this one. Now see, even if I type microsoft.com here it is going to work; you see the URI value is getting changed. So we have done the first step of just creating the endpoint that we have to reach, that's all we have done as of now, okay. But we are going to use this value multiple times, so let's save this value as well, let's say token endpoint itself, let's name it a new variable where we are requesting the access token and let's save this value here, okay.

Now if you guys remember, when we were talking about OAuth client credential flow, there is a specific set of information that should reach this endpoint, which is the token endpoint, and those are client ID, client secret, redirect URI and then the grant type as client credential, because then only we are letting the Azure AD know that we are using client credential flow today. So now what we are going to do is we are going to declare an object, let's say body, because this is going to include multiple sets of information, and in this I'm going to add my client ID, and client ID is the same value which we have already copied from Azure AD, okay, and I'll paste that value here. Then the next thing that we need is client secret, okay, and that is also something which we have already copied, so what I'll do is I'll name a new value here as client_secret and then I will give my client secret value, okay. Now there is a specific value which is required and that is redirect URI, which we have already saved in our configuration, so we will again declare the same value redirect URI, and what it was: https://localhost. Now the method that we are going to use is client credential, so a new value which will be grant_type and then it will be client_credentials, okay. Now make sure that you enter the values similarly as I am entering them right now, or as I am typing them, because everything is as it is, that means it has to be used like this; this is something which is defined or which Azure AD expects, okay, so don't customize these values, you may end up in a scenario wherein your script might not work, okay. The resource that we will be accessing will be Graph, okay, so what I'll do is graph.microsoft.com. Add this value which I'm going to mention now, which is tenant; it is basically an optional value, if you want you can mention it, if you don't want it you should leave it. So what I'm doing as of now, I'm sending the same value which the user has entered, okay. As of now we know the endpoint, we know the values which we have to send, okay, but the fact is that no token is requested, okay. So let's say to make it more interactive what I'm doing is Write-Host "requesting access token", okay, requesting access token, and the question comes how to request. Let's name it a new variable here and name it as request, and then let's ask this variable to invoke a REST method and reach the URI, which is what, our token endpoint, which is $token, and then in the body use all this information, so use the body object, and then in the method what you have to do is you have to post this information, okay. That means that this request value, sorry this request variable, will get some information, right, so let's write this request variable on the console and let's see what's happening now, okay. So I will do conceptswork.com and as you can see I am getting access token; again, this is the section which is actually consisting of the entire access token.

So now what I'll say is just display the access_token part, save it, clear the screen, again run the script and let's see now what we are getting. Perfect, so the token endpoint of your directory is this one, and this is requesting access token, this is the access token which we have received. Now see, the agenda of this video is not to let you know how to write the most efficient script; the agenda of this video is to let you know how to begin with scripting and how you can use a very small script and the easiest authentication method flow, by using client credential, to access Microsoft Graph API. Many of you would already know ten thousand different ways to make it more efficient, it's absolutely perfect, please let me know in the comment section as well, but this is exceptionally basic, I'm trying to explain each and every line and what exactly I'm doing, okay. So as of now we have just requested the access token, we know the token endpoint; now the final step is to query Graph, okay. Now in this variable I'm going to add the endpoint which is moreover related for Graph, let's say graph.microsoft.com forward slash beta endpoint and then reach users, okay. But the fact is that there should be some authorization that should be present; that means this request that has to reach this particular endpoint should have the authorization of the access token, okay.

So now what I'm going to do is I'm going to make a new variable as API, and in this API variable what I'm going to do is I'm going to invoke a REST method, and in this REST method what should be present is the authorization header that should contain the access token, okay. So now I'm going to use a switch which is named as Headers, and inside this header I'm going to use a specific keyword called Authorization, and with that what I'm saying is: include a keyword named as Bearer and then include the value inside the token which we have received, okay. So what I'll do is I'll include that particular value by keeping it in braces, and what we have to actually send is this particular access token, okay, so I'll copy this value here. Now the next thing is we know the URI where we have to reach, so we'll type URI and then we will say $graph, okay, this is where you have to go, okay. But still there is something missing, and that is the last part, wherein which HTTP method I should use, and that is GET. So what does this actually mean: that get all the users from this particular endpoint by using this access token, okay. Now the question comes that this variable will get something in response, okay, so let's display this particular variable on the console. I have just saved my script, I'll come back to PowerShell and I'll again initiate the same script and let's see what happens, and as you can see I'm getting the value, but again the entire details is in the value section. So what I'll do is I'll say show me the values inside value, okay. I'll again initiate the same script, conceptswork.com, and let's see what happens, and as you can see I'm getting all the information. Now let's say I don't want all this information to be displayed, so what I can do is I can say select, let's say userPrincipalName and let's say accountEnabled, okay. I'll save this and I'll again come back and I'll again re-initiate my script, let's say conceptswork.com, and let's see what happens.

Perfect, I'm getting much more organized information, okay. Now not only this, those who are super awesome with PowerShell scripting, they can use different methods; likewise you can simply do ConvertTo-Json depending upon your requirement, what kind of information you need, how you want it to be structured. Now these are all different methods which are available with PowerShell, so if you already have good knowledge of scripting you can do n number of customizations in terms of the data that your script is getting back from this particular API; these are some very small options which I'm trying to showcase to you guys to query all the set of information. Now let's say we have discussed how to access users, okay, then you can do all the customization, but let's say if now you try to access devices, okay. I have saved this, let's see what happens, and the most expected error is that I will get a prompt which will say insufficient privileges, but let's see what happens. As you can see, this is exactly what I'm getting, okay. So now if I'll go back to my portal, okay, and let's say I am granting this permission as well, so I'll go to the API permissions section and then I'll click on Add permission, and again I'll click on Microsoft Graph and then I'll click on Application permissions and I'll go to the Devices section, and let's see, I'm giving this permission to Device.Read.All, and then again click on this option which is Grant admin consent, click on Yes, wait for 20-30 seconds, and then again re-initiate your script. If it is still giving you an error, you have to just wait for a couple of minutes; provided you have granted the right permission, it should work. So I again got the error; let's wait for 10 seconds, or let's just give it one more try without waiting, let's see what happens. No, it's still there, there is a lag. Let's go back here, let's just refresh this permission and let's come back here on the screen, conceptswork.com, and let's see. Perfect, ok, so you see this data which I'm getting is disorganized; now the reason behind that is the devices object will not have these attributes, right, so I'll remove this, I'll save this and I'll again come back, clear screen, again run the script, conceptswork.com, that's it, now I'm getting the device information, ok. So as we move along with this entire playlist I'll let you know different methods that you can use to access different kinds of information through Microsoft Graph, ok. So this was all about knowing how to begin with writing a script, you know, that you can use to access Microsoft Graph API. If you guys have any questions please feel free to ask me in the comment section, and as we move along with this entire playlist, whatever script I will be creating or I will be using to demonstrate any of the features, that is something that I'm going to add in the community section, ok. So if you guys have learned something new please let me know in the comment section. Thank you so much, thanks for your time.