Microsoft Graph or https://aka.ms/ge or https://ge.cmd.ms/
# Default Query
https://graph.microsoft.com/v1.0/me
# Filtered Attributes
https://graph.microsoft.com/v1.0/me?$select=id,userPrincipalName
# User.Read.All - Permission is needed to run the below query
https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName
# Get Top three users
https://graph.microsoft.com/v1.0/users?$top=3&$select=id,userPrincipalName$url = "https://graph.microsoft.com/v1.0/users"
$token = "*************************************"
$header = @{Authorization = "Bearer $token"}
invoke-RestMethod -uri $url -Headers $header
$result =invoke-RestMethod -uri $url -Headers $header
$result.value
$result.value | Measure-Object
$result.value | Select-Object id,userPrincipalName
- scope uri is needed to query the AAD users & resource uri is needed to query the AZ resources.
- Authorization endpoint is not needed when "grant_type" is "client_credentials". The token endpoint is only needed. Token type: Access_Token
- Token Endpoint (V1) : https://login.microsoftonline.com/<tenant_Id>/oauth2/token - Use that for AZ Resouces
- Token Endpoint (V2) : https://login.microsoftonline.com/<tenant_Id>/oauth2/v2.0/token - Use that for AAD Users
<##
.Description
Retrieve users from the Microsoft Graph API using an Azure Service Principal
Source: https://github.com/goodworkaround/bluescreen_scripts/blob/main/Working%20with%20the%20Microsoft%20Graph%20from%20PowerShell/get-access-token-manual.ps1
https://github.com/goodworkaround/bluescreen_scripts/blob/main/Working%20with%20the%20Microsoft%20Graph%20from%20PowerShell/get-access-token-sdk.ps1
https://github.com/BohrenAn/GitHub_PowerShellScripts/blob/main/AzureAD/CreateAADApp-MgGraph.ps1
##>
# Define variables
$tenantId = "*********************"
$clientId = "*********************"
$clientSecret = "*****************"
# Define API endpoint and parameters
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$tokenParams = @{
grant_type = "client_credentials"
client_id = $clientId
client_secret = $clientSecret
scope = "https://graph.microsoft.com/.default"
}
# Get access token
$accessToken = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $tokenParams
# Output access token
#Write-Output $accessToken.access_token
$result = Invoke-RestMethod "https://graph.microsoft.com/v1.0/users" -Headers @{Authorization = "Bearer $($accessToken.access_token)"}
$result.value | Measure-Object
$result.value | Select-Object id,userPrincipalName# Microsoft Azure REST API's using Client credential flow
Connect-AzAccount -Identity
$tenantid = Get-AzKeyVaultSecret -VaultName "<KeyVault>" -Name "<tenantId_Seceret>" -AsPlainText
$openid = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantid/.well-known/openid-configuration"
$tokenendpoint = $openid.token_endpoint
$body = @{
grant_type = "client_credentials"
client_id = "<Client_Id>"
client_secret = "<Client_Secret>"
redirect_uri = "https://localhost"
resource = "https://management.core.windows.net"
tenant = "<Domainname.com>" # optional
}
$token = Invoke-RestMethod -Uri $tokenendpoint -Body $body -Method Post
$access_token = $token.access_token
$url = "https://management.azure.com/subscriptions/<Subscription_id>/resources?api-version=2021-04-01"
$az_resources = Invoke-RestMethod $url -Headers @{Authorization = "Bearer $($access_token)"} -Method GetRetrieve AAD Users from the Microsoft Graph PowerShell using System Assigned Managed Identity(MSI) & KeyVault
#Script is tested from Azure Automation Account & Azure VM
#Requires -Module @{ ModuleName = 'Az.Accounts'; ModuleVersion = '2.13.2' }
#Requires -Module @{ ModuleName = 'Az.KeyVault'; ModuleVersion = '5.0.1' }
#Requires -Module @{ ModuleName = 'Microsoft.Graph.Authentication'; ModuleVersion = '2.10.0' }
#Requires -Module @{ ModuleName = 'Microsoft.Graph.Users'; ModuleVersion = '2.10.0' }
Connect-AzAccount -Identity
$ApplicationId = Get-AzKeyVaultSecret -VaultName "<Your_KeyVault>" -Name "<ClientId_Secret>" -AsPlainText
$SecuredPassword = Get-AzKeyVaultSecret -VaultName "<Your_KeyVault>" -Name "<Client_Secret>" -AsPlainText
$tenantID = Get-AzKeyVaultSecret -VaultName "<Your_KeyVault>" -Name "<TenantID_Secret>" -AsPlainText
$SecuredPasswordPassword = ConvertTo-SecureString -String $SecuredPassword -AsPlainText -Force
$ClientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList `
$ApplicationId, $SecuredPasswordPassword
Connect-MgGraph -TenantId $tenantID -ClientSecretCredential $ClientSecretCredential -NoWelcome
Get-MgUser | Select-Object DisplayName, Id, UserPrincipalName# Permissions are needed as per the above screenshot.
$client_id = "*****************"
$tenant_id = "********************"
$thumb_print = (Get-ChildItem "Cert:\LocalMachine\my" | Where-Object { $_.Subject -eq "CN=*******" }).Thumbprint
Connect-MgGraph -ClientId $client_id -TenantId $tenant_id -CertificateThumbprint $thumb_print
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users"
$result.value
$result.value | Select-Object id,displayName,userPrincipalName# 'Application.ReadWrite.OwnedBy' - Permission is required
$client_id = "*****************"
$tenant_id = "********************"
$thumb_print = (Get-ChildItem "Cert:\LocalMachine\my" | Where-Object { $_.Subject -eq "CN=*******" }).Thumbprint
Connect-MgGraph -ClientId $client_id -TenantId $tenant_id -CertificateThumbprint $thumb_print
New-MgApplication -DisplayName <My_New_App1># Get the Azure Automation connection object
$connection = Get-AutomationConnection -Name "<Azure_SPI>"
# Connect to Azure using the connection object
Try {
Connect-MgGraph -ClientId $connection.ApplicationID `
-TenantId $connection.TenantID `
-CertificateThumbprint $connection.CertificateThumbprint
}
catch {
Write-Error -Message $_.Exception
throw $_.Exception
}
# Set the subscription context
Set-AzContext -SubscriptionId "<Sub_Id>" | Out-Null
Connect-MgGraph -ClientId $client_id -TenantId $tenant_id -CertificateThumbprint $thumb_print -NoWelcome
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users"
#$result.value
$result.value | Select-Object id,displayName,userPrincipalName- API : https://graph.microsoft.com/v1.0/organization
- Access Token URL
- Client ID
- Client Secret
- Scope : https://graph.microsoft.com/.default
- Client Authentication: Send as Basic Auth Header
- Attribute : createdDateTime
# MSFT Graph API : https://learn.microsoft.com/en-us/graph/api/organization-list?view=graph-rest-1.0&tabs=http
# Define variables
$tenantId = "************************"
$clientId = "************************"
$clientSecret = "************************"
# Define API endpoint and parameters
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$tokenParams = @{
grant_type = "client_credentials"
client_id = $clientId
client_secret = $clientSecret
scope = "https://graph.microsoft.com/.default"
}
# Get access token
$accessToken = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $tokenParams
# Output access token
#Write-Output $accessToken.access_token
$result = Invoke-RestMethod "https://graph.microsoft.com/v1.0/organization" -Headers @{Authorization = "Bearer $($accessToken.access_token)" }
[PSCustomObject]@{
TenantCreationDate = $($result.value.createdDateTime)
CustomDomain = $($result.value.verifiedDomains.Name)
onPremisesSyncEnabled = $($result.value.onPremisesSyncEnabled)
onPremisesLastSyncDateTime = $($result.value.onPremisesLastSyncDateTime)
countryCode = $($result.value.countryLetterCode)
}
function New-JwtToken {
param (
[Parameter(Mandatory = $true)]
[System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
[Parameter(Mandatory = $true)]
[string]$ClientId,
[Parameter(Mandatory = $true)]
[string]$TenantId
)
$header = @{
alg = "RS256"
typ = "JWT"
x5t = [System.Convert]::ToBase64String($Certificate.GetCertHash())
}
$claims = @{
aud = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
iss = $ClientId
sub = $ClientId
jti = [System.Guid]::NewGuid().ToString()
exp = [System.DateTimeOffset]::UtcNow.ToUnixTimeSeconds() + 3600
nbf = [System.DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
}
$encodedHeader = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((ConvertTo-Json $header -Compress)))
$encodedClaims = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((ConvertTo-Json $claims -Compress)))
$unsignedToken = "$encodedHeader.$encodedClaims"
$rsaProvider = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
$signatureBytes = $rsaProvider.SignData([System.Text.Encoding]::UTF8.GetBytes($unsignedToken), [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$signature = [System.Convert]::ToBase64String($signatureBytes)
return "$unsignedToken.$signature"
}
# Enter Your TenantID, ClientID & Thumbprint
$tenantId = ""
$clientId = ""
$certificateThumbprint = ""
# Define API endpoint and parameters
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$tokenParams = @{
grant_type = "client_credentials"
client_id = $clientId
scope = "https://graph.microsoft.com/.default"
}
# Get the certificate
$cert = Get-Item -Path "Cert:\LocalMachine\My\$certificateThumbprint"
# Get access token
$tokenParams["client_assertion"] = New-JwtToken -Certificate $cert -ClientId $clientId -TenantId $tenantId
$tokenParams["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
$accessToken = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $tokenParams
# Output access token
Write-Output $accessToken.access_token
Invoke-RestMethod "https://graph.microsoft.com/v1.0/users" -Headers @{Authorization = "Bearer $($accessToken.access_token)" }