Microsoft Graph | Powershell Script from Scratch

00:00

hi guys hope you all doing well welcome

00:03

back to our series of Microsoft graph

00:04

and in this video we are going to write

00:07

a script from scratch that will be used

00:10

to query Microsoft graph now the very

00:14

first thing that you need to access any

00:16

information that's being protected by

00:18

Microsoft graph is an application ok so

00:23

what I'm going to do is I'm going to

00:24

switch to my browser where I have signed

00:26

in as global admin and then I went to

00:29

Azure Active Directory and now I have

00:32

selected our precious creation and I'm

00:35

going to register a brand new app let's

00:38

say I'm going to access craft through a

00:40

script so I'll name it as craft script

00:43

ok I'm not going to make any change here

00:46

here I will select web option itself and

00:49

here I'm going to type HTTP and then

00:53

let's say localhost that's all that's

00:57

all I need as of now ok and I have

01:00

clicked on it registered as if now an

01:01

application is registered in my eyes

01:03

your ad but still this application

01:06

doesn't have the required permission to

01:09

access graph API now there is a

01:13

prerequisite which is must and that is

01:16

you should know how Roth client

01:18

credential flow works so if you have not

01:21

seen that video by any chance please go

01:24

ahead and watch that video because there

01:26

are multiple things which I'm going to

01:29

use as a reference in this video which I

01:32

have already covered specifically the

01:35

attributes or the values that needs to

01:37

be present when your request is reaching

01:40

a specific end point of your Asha area

01:43

ok so as of now I have just created an

01:47

application the next step is to copy

01:51

this application ID because this is

01:55

something which will which we will be

01:58

using in our script ok so this is my

01:59

client ID and then I'll create a client

02:04

secret as well because again this is

02:06

something which is required for client

02:08

credential slow ware and there is no

02:11

user interaction

02:12

okay now welcome back to my console

02:16

where we have access portal Roger comm

02:19

and in this application what I'm going

02:22

to do is I'm going to allow this

02:24

application to access an API which will

02:26

be Microsoft graph ok and let's assume

02:30

we will use this script to query user

02:33

information okay but since we are using

02:36

client credential flow and there is no

02:39

user interaction delegated permissions

02:42

are not going to work so now what you

02:44

need to do is you have to click on this

02:46

option which says Microsoft graph and

02:49

then click on application permissions

02:51

and then scroll down and go to the user

02:54

section and here give this permission

02:58

which says user dot read all that's all

03:01

you need to do ok now again since there

03:05

will be no user interaction that means

03:07

the consent prom will not be shown ok so

03:11

the fact is that if consent is not shown

03:13

then the required permission cannot be

03:16

granted by any user that means as an add

03:19

many you have to grant us permission for

03:21

your tenant and that's exactly what I

03:24

have done by clicking on this option

03:26

which says grant Ardoin consent for

03:28

concepts work now as of now the

03:32

configuration that is required from

03:33

Azure ad prospective as done that means

03:36

I need a client ID and I need a client

03:39

secret that's it but the fact is that if

03:41

you guys remember when we have discussed

03:44

about OAuth client credential flow there

03:46

is a specific endpoint which is used and

03:49

which is called

03:50

the token endpoint ok and that can be

03:53

accessed or you can check that

03:55

information by going to well-known

03:58

configuration of a tenant now how to

04:00

access this particular endpoint just go

04:03

to your application or go to that

04:05

section from where you create

04:07

application click on endpoints and then

04:10

there will be an option of a well-known

04:12

configuration for open ID Connect as you

04:15

can see this is the link which I have

04:17

opened here but this is we 1.0 now you

04:21

can use we 1.0 end points or we 2.0

04:25

endpoints as

04:26

but honestly speaking using we 2.0

04:29

endpoints here will not going to make

04:31

any difference because since there is no

04:33

consent so there is no fundamental of

04:36

using an endpoint that uses incremental

04:38

consent it's very simple but there will

04:40

be no interaction that can be approved

04:43

by your application and there is no user

04:45

interaction so if you will use the v 1.0

04:48

endpoints as well everything will be in

04:50

place there will be no difference okay

04:53

so now let's come back to our visual

04:55

studio code where we will be writing our

04:58

first script from scratch okay

05:01

now let's say you're going to give the

05:04

script to any of your customer or any of

05:06

your team members as well and let's say

05:08

you want to make the script available to

05:11

anyone who can use this to just query

05:14

the user information in that case you

05:17

don't know who is going to access or who

05:19

is going to use this particular script

05:20

then what you can do you can just define

05:22

a variable let's say tenant and you can

05:25

prompt your user to enter their domain

05:29

name okay so as of now what it will do

05:32

it will ask the user to enter the tenant

05:36

name that's all I have done I have

05:38

declared a variable button I'm asking

05:41

the user to enter their tenant name now

05:44

this script is as of now saved in B

05:47

script lab on my machine and the script

05:49

name is graph so I'll go to my

05:52

PowerShell and I will run the script to

05:54

see what's exactly happening so this is

05:57

my PowerShell console and I'm at the

06:00

same location which is D script lab and

06:03

now if I'll try to run this let's see

06:06

what happens nothing is happening as of

06:08

now because I hope it's not saved so I

06:10

saved it again and now let's let me run

06:13

this so as you can see as a user now I'm

06:16

getting the prompt okay and the expected

06:18

behavior is that this value will just

06:20

get saved in this particular variable

06:23

okay now since we need to know which

06:27

endpoint we have to reach okay that

06:30

means we have to access this particular

06:33

end point from our script to know the

06:36

token end point because that is

06:38

something which will be

06:39

used inclined credential flow but since

06:42

the naming convention of this particular

06:44

endpoint ends up with open ID so let's

06:47

declare a variable and name it as open

06:49

ID okay and then what we will do is

06:52

we'll ask partial to initiate a rest

06:55

method and reach this particular URI

07:00

which is the open ID connect well-known

07:04

configuration so if I'll copy the

07:06

squally from here and I'll come back to

07:09

my script let me save that value here

07:12

and instead of concepts were calm what

07:16

you should use use the value which the

07:18

user has entered okay so this was pretty

07:22

much simple that we have just declared a

07:24

variable and this variable will be used

07:27

to access a particular link and the

07:31

value of tenant is the same value which

07:34

the user will be entering okay now let's

07:37

display this variable on the console and

07:42

let's see what all we get okay

07:44

so file again pre initiate the script

07:48

and if all do concepts work.com let's

07:52

see what happens perfect we are getting

07:54

all the endpoint list but the fact is

07:57

that this is the endpoint which we have

08:00

to reach so now instead of displaying

08:02

everything what will say just display

08:06

the access token or sorry the token

08:10

endpoint okay will again save this and

08:14

now we're again the initiate our script

08:17

and let's see perfect this is what we

08:21

are getting okay to make it more

08:23

interactive what you can do is you can

08:26

display it like this let's say right -

08:29

host the token endpoint of your

08:38

directory yes and then this endpoint

08:42

okay let's say concepts were calm the

08:49

token point of directory is this one

08:51

does not see even if I type

08:53

Microsoft comm here it is going to work

08:56

you see the squid value is getting

08:58

changed so we have done the first step

09:02

of just creating the endpoint that we

09:05

have to reach that's all we have done as

09:08

of now okay but we are going to use this

09:11

value multiple times so let save this

09:14

let's save this value as well - let's

09:17

say token endpoint itself let's name it

09:20

a new variable where we are requesting

09:22

the access token and let's save this

09:25

value here okay now if you guys remember

09:30

when we were talking about OAuth client

09:32

credential flow there is a specific set

09:36

of information that should reach this

09:38

endpoint which is the token endpoint and

09:41

the artists client ID client secret

09:43

redirect URI and then the grant type ask

09:47

line credential because then only we are

09:49

letting the azure ad know that we are

09:51

using client credential flow today so

09:54

now what we are going to do is we are

09:55

going to declare an object let say body

09:58

because this is going to include

10:01

multiple set of information and in this

10:04

I'm going to add my client ID and client

10:08

ID is the same value which we have

10:11

already copied from our ad okay and I'll

10:15

paste that value here then the next

10:20

thing that we need is client secret okay

10:24

and that is also something which we have

10:26

already copied so what I'll do is I'll

10:29

name a new value here as client on the

10:34

sword

10:34

secret and then I will give my client

10:39

secret value okay

10:42

now there is a specific value which is

10:47

required and that is redirect URI which

10:50

we have already saved in our

10:52

configuration so we will again declare

10:55

the same value redirect URI and what it

10:58

was STD PS localhost now the method that

11:03

we are going to use is client credential

11:05

so a new value which will be grant

11:08

underscore type and then it will be

11:12

client credential okay now make sure

11:17

that you enter the values similarly as I

11:22

am entering them right now or as I am

11:25

typing them because everything is as a

11:28

test that means it has to be used like

11:30

this this is something which is defined

11:33

or which as your IDI expects okay so

11:36

don't customize these values you may end

11:39

up a scenario where in your script might

11:40

not work okay

11:41

the resource that we will be accessing

11:43

will be graphed okay so what I'll do is

11:46

graph dot microsoft.com add this value

11:50

which I'm going to mention now which is

11:52

tenant is basically an optional value if

11:56

you want you can mention it if you don't

11:58

want it you should leave it so what I'm

12:00

doing as of now I'm sending the same

12:02

value which the user has entered okay as

12:05

of now we know the endpoint we know the

12:09

values which we have to send okay but

12:12

the fact is that no token is requested

12:15

okay so let's say to make it more

12:17

interactive what I'm doing is right hos

12:21

requesting access token okay requesting

12:25

access token and the question comes how

12:28

to request let's name it a new variable

12:33

here and name it as a request and then

12:37

let's ask this variable to invoke a rest

12:41

method and reach URI which is what our

12:46

token endpoint

12:49

what's a dollar dot token and then in

12:54

the body use all this information so use

13:00

the body object and then in the method

13:04

what you have to do is you have to post

13:09

this information okay that means what

13:13

this request value sorry this request

13:17

variable will get some

13:19

information right so let's write this

13:22

request variable and the console and

13:25

let's see what's happening now okay

13:29

so I will do concepts were calm and as

13:33

you can see I am getting access token

13:36

again this is the section which is

13:38

actually consisting the entire access

13:41

token

13:41

so now or I'll say just display the

13:44

access token part save it clear the

13:47

screen again run the script and let's

13:51

see now what we are getting perfect so

13:55

the token end point of your directory is

13:57

this one and this is requesting access

13:59

token this is the access token which we

14:01

have received now see the agenda of this

14:05

video is not to let you know how to

14:07

write the most efficient script the

14:10

agenda of this video is to let you know

14:13

how to begin with scripting and how you

14:16

can use a very small script and the

14:19

easiest authentication method flow by

14:22

using client credential to access

14:24

Microsoft graph API many of you would

14:28

already know ten thousand different ways

14:31

to make it more efficient it's

14:32

absolutely perfect please let me know in

14:35

the comment section as well but this is

14:37

exceptionally basic I'm trying to

14:39

explain each and every line and what

14:42

exactly I'm doing okay so as of now we

14:45

have just requested the access token we

14:48

know the token end point now the final

14:50

step is to query graph okay now in this

14:55

variable on going to add the end point

14:58

which is moreover related for graph

15:00

let's say graph dot microsoft.com

15:02

forward slash meter endpoint and then

15:05

reach users okay but the fact is that

15:09

there should be some authorization that

15:11

should be present that means this

15:13

request that has to reach to this

15:16

particular endpoint should have the

15:19

authorization of the access token okay

15:22

so now what I'm going to do is I'm going

15:24

to make a new variable as API are in

15:28

this API variable what I'm going to do

15:30

is I'm going to invoke a rest method

15:33

and in this rest method what should be

15:37

present is the authorization header that

15:41

should contain the access token okay so

15:44

now I'm going to use a switch which is

15:46

named as headers and inside this header

15:49

I'm going to use a specific keyword

15:52

called authorization and that what I'm

15:55

saying that include a keyword named as

15:58

be error and then include the value

16:03

inside the token which we have received

16:06

okay so what I'll do is I'll include

16:10

that particular value by keeping it in

16:13

braces and what we have to actually send

16:16

is this particular access token okay so

16:21

I'll copy this value here now the next

16:24

thing is we know the URI where we have

16:28

to reach so we'll you type URI

16:30

and then we will say dollar graph okay

16:35

this is where you have to go okay but

16:38

still there is something missing and

16:40

that is the last part where in which

16:42

HTTP method I should use and that is get

16:45

so what does this actually mean that get

16:49

all the users from this particular

16:52

endpoint by using this access token okay

16:57

now the question comes that this

16:59

variable will get something in response

17:02

okay so let's display this particular

17:04

variable on the console I have just

17:08

saved my script I'll come back partial

17:11

and I'll again initiate the same script

17:15

and let's see what happens and as you

17:20

can see I'm getting the value but again

17:22

the entire details is in the value

17:25

section so what I'll do is I'll say show

17:28

me the values inside value okay I'll

17:32

again initiate the same script concepts

17:36

were calm and let's see what happens and

17:39

as you can see I'm getting all the

17:42

information now let's say I don't want

17:44

all this information to be displayed

17:46

so what I can do is I can say select

17:49

let's say user principal name and let's

17:55

say account enabled okay

17:59

I'll save this and I'll again come back

18:01

and I'll again be initiate my script

18:04

let's say concepts were calm and let's

18:07

see what happens

18:08

perfect I'm getting much more organized

18:11

information okay now not only this those

18:16

who are super awesome with partial

18:19

scripting they can use different methods

18:21

likewise you can simply do convert - to

18:23

JSON depending upon your requirement

18:25

what kind of information you need how

18:28

you want it to be structured now these

18:31

are all different methods which are

18:32

available with PowerShell so if you

18:34

already have good knowledge of scripting

18:36

you can do n number of customization in

18:39

terms of the data that your script is

18:41

getting back from this particular API

18:43

these are some very small options which

18:46

I'm trying to showcase you guys to query

18:48

all the set of information now let's say

18:51

we have discussed how to access users

18:53

okay then you can do all the

18:55

customization but let's say if now you

18:57

try to access devices okay I have saved

19:00

this let's see what happens and the most

19:04

expected error is that I will get a

19:07

prompt which will say n sufficient

19:09

privileges but let's see what happens as

19:11

you can see this is exactly what I'm

19:13

getting okay so now if I'll go back to

19:16

my portal okay and let's say I am

19:21

granting this permission as well so I'll

19:24

go to API permission section and then

19:28

I'll click on add permission and again

19:30

I'll click on Microsoft graph and then

19:32

I'll click on application permission and

19:35

I'll go to the devices section and let's

19:38

see I'm giving this permission to device

19:40

read all and then again click on this

19:46

option which is grant admin consent

19:48

click on yes wait for 20 30 seconds and

19:51

then again the initiate your script if

19:54

it is still giving you error and you

19:56

have to just wait for a couple of

19:58

minutes provided you have ground

19:59

the right permission it should work so I

20:03

again got the error let's wait for 10

20:05

seconds or let's just give it one more

20:07

try without waiting let's see what

20:10

happens

20:12

no it's still there's there is a lag

20:14

let's go back here let's just refresh

20:18

this permission and let's come back here

20:22

in the screen draw concepts were calm

20:28

and let's see perfect ok so you see this

20:33

data which I'm getting is disorganized

20:35

now the reason behind that is the

20:38

devices object will not have these

20:40

attributes right so I'll remove this

20:43

I'll save this and I'll again come back

20:46

clear screen again run the script

20:49

concepts were calm that's it now I'm

20:54

getting the device information ok so as

20:57

we move along with this entire playlist

20:59

I'll let you know different methods that

21:01

you can use to access different kind of

21:03

information through Microsoft graph ok

21:09

so this was all about knowing how to

21:12

begin what writing a script you know

21:15

that you can use to access Microsoft

21:16

graph API if you guys have any questions

21:18

please feel free to ask me in the

21:21

comment section and as we move along

21:24

with this entire playlist whatever

21:26

script I will be creating or I will be

21:28

using to demonstrate any of the feature

21:30

that is something that I'm going to add

21:31

in the community section ok so if you

21:34

guys have learned something new please

21:36

let me know in the comment section thank

21:39

you so much thanks for your time but

21:40

what