Azure AD Graph APIs using PowerShell

So you want to use the Graph API to interact with Azure AD or Intune? Normally you need to follow these generic steps to execute Graph APIs from your programs or scripts:

  1. Register an Application and get its App Key & ID
  2. Assign the appropriate Permissions
  3. Request an Authorisation Token
  4. Execute Graph APIs by passing the token in the Request Header

Let's find an easier way! Graph APIs are an effective way to interact with Azure Active Directory, and whilst the above steps are highly recommended for proper application development, a System Admin can shave some effort off this with some PowerShell magic.

The following explains how to execute Graph APIs from PowerShell scripts using Global Admin credentials and WITHOUT registering an Application in Azure AD (skipping steps 1 and 2 above).

Note – before you start: ensure the Azure module is installed. To install it, run the PowerShell cmdlet Install-Module Azure.

Step 1: Get the Authorisation Token for Azure AD PowerShell using the well-known Application ID "1950a258-227b-4e31-a9cf-717495945fc2"

You can use the following GetAuthzToken() function in your script by passing parameters for the Tenant Name and Global Admin Credentials.

 

Function GetAuthzToken
{
    param
    (
        [Parameter(Mandatory=$true)]
        $Tenant,
        $user,
        $Passwd
    )

    Import-Module Azure

    # Well-known client ID of the Azure AD PowerShell application (no app registration needed)
    $client_Id = "1950a258-227b-4e31-a9cf-717495945fc2"
    $redirect_Uri = "urn:ietf:wg:oauth:2.0:oob"
    # Resource (audience) the token is requested for
    $AppId_URI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$Tenant"

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    $AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $user,$Passwd
    $authResult = $authContext.AcquireToken($AppId_URI, $client_Id, $AADCredential)

    return $authResult
}

$token = $null

# Enter Tenant Name
$AzureTenant = "<TenantName>.onmicrosoft.com"

# Enter GA Credentials
$username = "<GA Username>"
$userPassword = "<Password>"
$secureStringPwd = $userPassword | ConvertTo-SecureString -AsPlainText -Force

# Get Access token
$token = GetAuthzToken -Tenant $AzureTenant -user $username -Passwd $secureStringPwd

Here’s the sample token output:

Step 2: Create the Authorization Header by adding the access token retrieved in step 1

Use the CreateAuthorizationHeader() method on the token to build the Authorization header:

# Create Authorization Header
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = $token.CreateAuthorizationHeader()
}

Here’s the sample Authorization Header:

Step 3: Execute your Azure AD Graph API by passing the Authorization Header

Use the Invoke-RestMethod cmdlet to execute the Graph API. The basic syntax is as follows:

Invoke-RestMethod -Uri <Graph API URI> -Headers $authHeader -Method Get

Tip: Use Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) to test the Graph APIs before adding into your PowerShell Script.

The following retrieves the Group Members of an Azure AD Group. Replace the group ID in the URI (ed33efc5-70f8-4f87-8276-3ad2513929cc) with the object ID of your own Azure AD Group. Results are paged, so the loop follows @odata.nextLink until no further page is returned.

$uri = "https://graph.microsoft.com/v1.0/groups/ed33efc5-70f8-4f87-8276-3ad2513929cc/members"

do
{
    # Get Group Members (one page per call)
    $Response = Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get

    # nextLink points at the following page; it is absent on the last page
    $uri = $Response.'@odata.nextLink'
    foreach ($user in $Response.value)
    {
        $user.displayName
    }
} while ($Response.'@odata.nextLink')

Here’s the sample Output:
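As an added example (not part of the original post), the paging loop above generalised into a reusable function: it follows @odata.nextLink until the collection is exhausted, backs off when Graph throttles a caller with HTTP 429 (honouring the Retry-After header where present), and returns objects instead of printing display names. It assumes $authHeader from Step 2; Get-GraphCollection and <GroupID> are names and placeholders introduced here.

```powershell
# Added example: paged Graph GET with 429 back-off. Assumes $authHeader from Step 2.
Function Get-GraphCollection
{
    param
    (
        [Parameter(Mandatory=$true)] [string]$Uri,
        [Parameter(Mandatory=$true)] [hashtable]$Headers,
        [int]$MaxRetries = 5
    )

    $results = @()
    while ($Uri)
    {
        $attempt = 0
        do
        {
            $throttled = $false
            try
            {
                $Response = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
            }
            catch
            {
                $status = $_.Exception.Response.StatusCode.value__
                if ($status -ne 429 -or $attempt -ge $MaxRetries) { throw }
                # Honour Retry-After when present; otherwise back off exponentially.
                $wait = $null
                try { $wait = [int]$_.Exception.Response.Headers['Retry-After'] } catch { }
                if (-not $wait) { $wait = [math]::Pow(2, $attempt) }
                Start-Sleep -Seconds $wait
                $attempt++
                $throttled = $true
            }
        } while ($throttled)

        $results += $Response.value
        # @odata.nextLink is absent on the last page, which ends the outer loop.
        $Uri = $Response.'@odata.nextLink'
    }
    return $results
}

# Usage mirroring the group-members call above. <GroupID> is a placeholder for
# your group's object ID; $select trims the response to the properties needed.
$groupId = "<GroupID>"
$membersUri = "https://graph.microsoft.com/v1.0/groups/$groupId/members?`$select=id,displayName,userPrincipalName"
$members = Get-GraphCollection -Uri $membersUri -Headers $authHeader
$members | Select-Object id, displayName, userPrincipalName | Format-Table -AutoSize
```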

Putting it all together: the whole script for you to re-use

To test this script, don't forget to change the placeholder parameters (tenant name, GA credentials and group ID).

Function GetAuthzToken
{
    param
    (
        [Parameter(Mandatory=$true)]
        $Tenant,
        $user,
        $Passwd
    )

    Import-Module Azure

    # Well-known client ID of the Azure AD PowerShell application (no app registration needed)
    $client_Id = "1950a258-227b-4e31-a9cf-717495945fc2"
    $redirect_Uri = "urn:ietf:wg:oauth:2.0:oob"
    # Resource (audience) the token is requested for
    $AppId_URI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$Tenant"

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    $AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $user,$Passwd
    $authResult = $authContext.AcquireToken($AppId_URI, $client_Id, $AADCredential)

    return $authResult
}

$token = $null

# Enter Tenant Name
$AzureTenant = "<TenantName>.onmicrosoft.com"

# Enter GA Credentials
$username = "<Username of GA>"
$userPassword = "<Password>"
$secureStringPwd = $userPassword | ConvertTo-SecureString -AsPlainText -Force

# Get Access token
$token = GetAuthzToken -Tenant $AzureTenant -user $username -Passwd $secureStringPwd

# Create Authorization Header
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = $token.CreateAuthorizationHeader()
}

# Replace the group ID in the URI with your own Group ID
$uri = "https://graph.microsoft.com/v1.0/groups/ed33efc5-70f8-4f87-8276-3ad2513929cc/members"

do
{
    # Get Group Members (one page per call)
    $Response = Invoke-RestMethod -Uri $uri -Headers $authHeader -Method Get

    # nextLink points at the following page; it is absent on the last page
    $uri = $Response.'@odata.nextLink'
    foreach ($user in $Response.value)
    {
        $user.displayName
    }
} while ($Response.'@odata.nextLink')

Want to talk to us about PowerShell and AzureAD and Graph?  Get in touch

Chris Hudson

Chris develops our thinking for Identity Management and Azure AD integration. He's developed lots of cool snippets and tools to help make Identity Sysadmins' lives that little bit easier. You can follow Chris on LinkedIn below.