To use PowerShell against the Azure AD Graph API you need the Azure Resource Manager (AzureRM) module, because it ships the ADAL assembly (Microsoft.IdentityModel.Clients.ActiveDirectory) that the token function below uses. Request a Graph token, then call the REST endpoints with Invoke-RestMethod, passing the token as a Bearer Authorization header on every request. Note that graph.windows.net is the older Azure AD Graph endpoint, which Microsoft has since deprecated in favour of Microsoft Graph; the acquire-token-then-call pattern carries over, but the URLs and JSON shapes on this page are specific to Azure AD Graph api-version 1.6.
You will need PowerShell 5 or above:
Windows Management Framework 5.0
Windows Management Framework 5.1
More information about AzureRM:
AzureRM 4.4.0
Install and configure Azure PowerShell
If you don't have the Azure Resource Manager module installed, open up the PowerShell console and run:
Install-Module AzureRM -ErrorAction Stop
After that load the function that requests the Graph Token. It imports AzureRM (for the ADAL types), performs an interactive sign-in against the tenant's authority, and returns the HTTP headers that the rest of the examples pass to Invoke-RestMethod:
Function New-GraphToken {
    ####Requires Module AzureRM
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $true)]
        [string]$TenantName
    )
    try {
        # AzureRM carries Microsoft.IdentityModel.Clients.ActiveDirectory.dll, which AcquireToken below needs
        Import-Module AzureRM -ErrorAction Stop
    }
    catch {
        Write-Host "AzureRM PS Module not Installed. Run 'Install-Module AzureRM'" -ForegroundColor Red
        throw
    }
    $clientId = "1950a258-227b-4e31-a9cf-717495945fc2"   # PowerShell ClientID. Don't change.
    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceAppIdURI = "https://graph.windows.net"       # the resource (audience) the token is issued for
    $authority = "https://login.windows.net/$TenantName"
    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    # "Auto" reuses a cached token for this client if one exists; "Always" forces a fresh credential prompt
    #$authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $redirectUri, "Auto")
    $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $redirectUri, "Always")
    # Header hashtable consumed by every Invoke-RestMethod call on this page
    @{
        'Content-Type'  = 'application/json'
        'Authorization' = $authResult.CreateAuthorizationHeader()
    }
}
Now fill in the tenant name and run the function. You will be prompted to input your credentials:
$TenantName = "tenant.com"
$GraphToken = New-GraphToken -TenantName $TenantName
The token is issued to the account you sign in with, so every call below runs with that account's directory roles: listing users works for an ordinary member, but resetting passwords, creating users and assigning licenses require an administrative role in the tenant.
After you obtain the token, here are some examples.
Output all Users
Only the tenant name that we input above is needed here. The REST method is GET. The response is paged: value holds one page (100 users by default) and, when there are more, an odata.nextLink property points at the next page, so this one-liner shows the first page only.
#####################################################################################
##List All Users
#####################################################################################
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/?api-version=1.6" `
    -Headers $GraphToken -Method Get |
    Select-Object -ExpandProperty Value |
    Out-GridView
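The list-all-users call above only returns the first page. The following is an added example, not code from the original post, that wraps Invoke-RestMethod in a small collection reader which follows odata.nextLink until the directory is exhausted and accepts an optional OData $filter. It assumes the $TenantName and $GraphToken variables set earlier on this page, and that the nextLink comes back tenant-relative without an api-version (as documented for Azure AD Graph), which is why the absolute URL is rebuilt.

```powershell
# Added example (not from the original post): page through an Azure AD Graph collection.
# Assumes $TenantName and $GraphToken from New-GraphToken above are already set.
function Get-GraphCollection {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $true)][string]$TenantName,
        [Parameter(Mandatory = $true)][hashtable]$Headers,   # the hashtable New-GraphToken returns
        [Parameter(Mandatory = $true)][string]$Path,         # e.g. "users" or "groups"
        [string]$Filter,                                     # optional OData $filter expression
        [int]$PageSize = 100
    )
    $base = "https://graph.windows.net/$TenantName"
    # Backticks keep PowerShell from treating `?` as part of the variable name and `$top` as a variable
    $uri = "$base/$Path`?api-version=1.6&`$top=$PageSize"
    if ($Filter) { $uri += "&`$filter=" + [uri]::EscapeDataString($Filter) }

    $results = New-Object System.Collections.Generic.List[object]
    $page = 0
    while ($uri) {
        $page++
        Write-Verbose "Page $page : $uri"
        $resp = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get
        foreach ($item in $resp.value) { $results.Add($item) }

        # Assumption (per the AAD Graph docs): the continuation is a tenant-relative path such as
        # directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=... with no api-version,
        # so it is re-rooted under $base. The property name contains a dot, hence the quoted accessor.
        $next = $resp.'odata.nextLink'
        $uri = if ($next) { "$base/$next&api-version=1.6" } else { $null }
    }
    return $results
}

# Every user, then only the enabled ones, using the page's own $TenantName / $GraphToken
$allUsers = Get-GraphCollection -TenantName $TenantName -Headers $GraphToken -Path 'users' -Verbose
$enabled  = Get-GraphCollection -TenantName $TenantName -Headers $GraphToken -Path 'users' -Filter 'accountEnabled eq true'
"{0} users in total, {1} enabled" -f $allUsers.Count, $enabled.Count
$allUsers | Select-Object displayName, userPrincipalName, accountEnabled | Out-GridView
```

Run it with -Verbose to see each page URL; if a tenant returns more than one page the skiptoken in the second URL is the evidence that the one-liner above was truncating the listing.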
Reset a User Password
The essential inputs here are the tenant name, the user's object ID (the users/{id} path also accepts the userPrincipalName) and the new password. The REST method is PATCH. The hard-coded value below is for illustration only: in practice generate the password, set forceChangePasswordNextLogin to $true so the user has to replace it at first sign-in, and never leave a real password in a saved script or transcript.
#####################################################################################
##Reset Password
#####################################################################################
$DumboObjectID = '00738295-bd35-4182-b2f9-c68691f1180e'
$ResetPwd = @{
    "passwordProfile" = @{
        "password" = "Test123456"
        "forceChangePasswordNextLogin" = $false
    }
} | ConvertTo-Json
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/$DumboObjectID`?api-version=1.6" `
    -Headers $GraphToken -Method Patch -ContentType "application/json" -Body $ResetPwd
Create User
The tenant name and the new user's attributes are required for this one. The REST method is POST. accountEnabled is a boolean in the schema, so pass $true rather than the string "true"; mailNickname and userPrincipalName are mandatory, and the UPN's domain must be a verified domain of the tenant.
#####################################################################################
##Create Account
#####################################################################################
$userProfile = @{
    "accountEnabled" = $true
    "displayName" = "GraphUser"
    "mailNickname" = "GraphUser"
    "passwordProfile" = @{
        "password" = "Test123456"
        "forceChangePasswordNextLogin" = $false
    }
    "userPrincipalName" = "GraphUser@tenant.com"
} | ConvertTo-Json
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/?api-version=1.6" `
    -Headers $GraphToken -Method Post -ContentType "application/json" -Body $userProfile
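Both the password-reset and the create-user calls above embed a fixed password and surface only the bare HTTP status when the API rejects the request. The following is an added example, not code from the original post, that covers both operations with a cryptographically random one-time password, forceChangePasswordNextLogin set, and the JSON error body that Azure AD Graph returns (odata.error) extracted on failure. It assumes the $TenantName and $GraphToken variables from earlier on this page; the user principal name, display name and the New-RandomPassword, Invoke-GraphCall, Reset-GraphUserPassword and New-GraphUser function names are this example's own.

```powershell
# Added example (not from the original post). Assumes $TenantName and $GraphToken are set.
function New-RandomPassword {
    # Draws from the CSPRNG and rejection-samples until every character class is present,
    # so the result passes typical complexity rules without any predictable structure.
    Param([int]$Length = 20)
    $classes  = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $alphabet = $classes -join ''
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] ($Length * 4)
    do {
        $rng.GetBytes($bytes)
        $candidate = -join (0..($Length - 1) | ForEach-Object {
            $n = [System.BitConverter]::ToUInt32($bytes, $_ * 4)
            $alphabet[$n % $alphabet.Length]     # modulo bias is negligible against 2^32
        })
        # IndexOfAny returns -1 when none of the candidate's characters belong to that class
        $ok = @($classes | Where-Object { $_.IndexOfAny($candidate.ToCharArray()) -lt 0 }).Count -eq 0
    } until ($ok)
    return $candidate
}

function Invoke-GraphCall {
    # Builds the 1.6 URL, serialises the body, and on a non-2xx reply throws the API's own
    # error JSON ({"odata.error":{"code":...,"message":...}}) instead of just the status line.
    Param(
        [Parameter(Mandatory = $true)][string]$Method,
        [Parameter(Mandatory = $true)][string]$Path,
        [hashtable]$Body
    )
    $uri  = "https://graph.windows.net/$TenantName/$Path`?api-version=1.6"
    $json = if ($Body) { $Body | ConvertTo-Json -Depth 5 } else { $null }
    try {
        Invoke-RestMethod -Uri $uri -Headers $GraphToken -Method $Method -ContentType 'application/json' -Body $json
    }
    catch {
        $detail = $_.ErrorDetails.Message
        if (-not $detail -and $_.Exception.Response) {
            # Windows PowerShell does not always populate ErrorDetails; read the response stream instead
            $detail = (New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())).ReadToEnd()
        }
        throw "Graph $Method $Path failed: $detail"
    }
}

function Reset-GraphUserPassword {
    # PATCH users/{objectId or UPN} with a generated one-time password that must be changed at first sign-in.
    Param([Parameter(Mandatory = $true)][string]$UserIdOrUpn)
    $oneTime = New-RandomPassword
    Invoke-GraphCall -Method Patch -Path "users/$UserIdOrUpn" -Body @{
        passwordProfile = @{ password = $oneTime; forceChangePasswordNextLogin = $true }
    } | Out-Null
    # Deliver this out of band; it is only valid for the first sign-in because of the flag above
    return $oneTime
}

function New-GraphUser {
    # POST users with accountEnabled as a real boolean and a generated initial password.
    Param(
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [Parameter(Mandatory = $true)][string]$UserPrincipalName   # domain must be verified in the tenant
    )
    $user = Invoke-GraphCall -Method Post -Path 'users' -Body @{
        accountEnabled    = $true
        displayName       = $DisplayName
        mailNickname      = $UserPrincipalName.Split('@')[0]
        userPrincipalName = $UserPrincipalName
        passwordProfile   = @{ password = (New-RandomPassword); forceChangePasswordNextLogin = $true }
    }
    return $user.objectId
}

# Usage with placeholder values: create, then issue a fresh one-time password for the new account
$newId   = New-GraphUser -DisplayName 'Graph User' -UserPrincipalName 'graphuser@tenant.com'
$oneTime = Reset-GraphUserPassword -UserIdOrUpn $newId
"Created $newId; one-time password length $($oneTime.Length)"
```

Passing the failing request's error body up in the exception is what makes the difference between "400 Bad Request" and a message such as an unverified UPN domain or a role that is not allowed to reset that user's password, which is what you actually need to see during scripting.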
Get Tenant Licenses
After you receive the response, the licenses are PSCustomObjects in $licenses.value; each carries the skuId and skuPartNumber you need for assignment, plus consumedUnits, prepaidUnits (enabled/suspended/warning) and the servicePlans the SKU contains. The REST method is GET.
#####################################################################################
##Get tenant Licenses
#####################################################################################
$licenses = Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/subscribedSkus?api-version=1.6" `
    -Headers $GraphToken -Method Get -ContentType "application/json"
Set Office 365 License for a User
The JSON here is nested one level deeper (arrays of objects inside addLicenses), so rather than building it from hashtables it is written out as a here-string. You put the skuId of the subscription (from the previous example) in the body and the user's object ID (or UPN) in the URL. The REST method is POST. Two things the API checks for you: the user must already have a usageLocation, otherwise the assignment is refused, and the SKU must have an unassigned seat.
#####################################################################################
##Assign Licenses
#####################################################################################
$licenseJSON = @"
{
    "addLicenses": [
        {
            "disabledPlans": [],
            "skuId": "dcb1a3ae-b33f-4487-846a-a640262fadf4"
        }
    ],
    "removeLicenses": []
}
"@
Invoke-RestMethod -Uri "https://graph.windows.net/$TenantName/users/$DumboObjectID/assignLicense?api-version=1.6" `
    -Headers $GraphToken -Method Post -ContentType "application/json" -Body $licenseJSON
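The two license calls above leave the SKU lookup, the seat count and the usageLocation prerequisite to the operator. The following is an added example, not code from the original post, that resolves a SKU by its skuPartNumber from subscribedSkus, refuses to proceed when no seat is free, maps service plan names to the servicePlanId values that disabledPlans expects, sets usageLocation on the user if it is missing, and only then posts to assignLicense. It assumes $TenantName and $GraphToken from earlier on this page; the Add-GraphUserLicense name, the example SKU part number ENTERPRISEPACK, the plan name YAMMER_ENTERPRISE and the user are placeholders for this illustration.

```powershell
# Added example (not from the original post). Assumes $TenantName and $GraphToken are set.
function Add-GraphUserLicense {
    Param(
        [Parameter(Mandatory = $true)][string]$UserIdOrUpn,
        [Parameter(Mandatory = $true)][string]$SkuPartNumber,   # e.g. 'ENTERPRISEPACK' (placeholder)
        [string[]]$DisabledPlanNames = @(),                      # servicePlanName values to leave switched off
        [string]$DefaultUsageLocation = 'US'                     # ISO 3166-1 alpha-2; applied only if unset
    )
    $base = "https://graph.windows.net/$TenantName"

    # 1. Resolve the SKU and check there is an unassigned seat
    $skus = (Invoke-RestMethod -Uri "$base/subscribedSkus?api-version=1.6" -Headers $GraphToken -Method Get).value
    $sku  = $skus | Where-Object { $_.skuPartNumber -eq $SkuPartNumber }
    if (-not $sku) { throw "No subscription with skuPartNumber '$SkuPartNumber' in $TenantName" }
    $free = $sku.prepaidUnits.enabled - $sku.consumedUnits
    if ($free -le 0) { throw "No free seats for $SkuPartNumber ($($sku.consumedUnits)/$($sku.prepaidUnits.enabled) used)" }

    # 2. disabledPlans wants servicePlanId GUIDs, not names; reject names the SKU does not contain
    $unknown = $DisabledPlanNames | Where-Object { $sku.servicePlans.servicePlanName -notcontains $_ }
    if ($unknown) { throw "Plan(s) not in ${SkuPartNumber}: $($unknown -join ', ')" }
    $disabled = @($sku.servicePlans | Where-Object { $DisabledPlanNames -contains $_.servicePlanName } |
                  ForEach-Object { $_.servicePlanId })

    # 3. A usageLocation must exist before any license can be assigned to the user
    $userUri = "$base/users/$UserIdOrUpn`?api-version=1.6"
    $user = Invoke-RestMethod -Uri $userUri -Headers $GraphToken -Method Get
    if (-not $user.usageLocation) {
        $patch = @{ usageLocation = $DefaultUsageLocation } | ConvertTo-Json
        Invoke-RestMethod -Uri $userUri -Headers $GraphToken -Method Patch -ContentType 'application/json' -Body $patch | Out-Null
    }
    if ($user.assignedLicenses.skuId -contains $sku.skuId) {
        Write-Warning "$UserIdOrUpn already holds $SkuPartNumber; re-sending only updates the disabled plan set"
    }

    # 4. Assign. @() keeps a single entry serialised as a JSON array; -Depth keeps the nested object intact
    $body = @{
        addLicenses    = @(@{ skuId = $sku.skuId; disabledPlans = $disabled })
        removeLicenses = @()
    } | ConvertTo-Json -Depth 5
    Invoke-RestMethod -Uri "$base/users/$UserIdOrUpn/assignLicense?api-version=1.6" -Headers $GraphToken `
        -Method Post -ContentType 'application/json' -Body $body
}

# Usage with placeholder user, SKU and plan: assign the SKU with one service plan switched off
Add-GraphUserLicense -UserIdOrUpn 'graphuser@tenant.com' -SkuPartNumber 'ENTERPRISEPACK' -DisabledPlanNames 'YAMMER_ENTERPRISE'
```

Doing the seat and usageLocation checks client-side costs two extra GETs but turns the API's generic failure into a specific message before anything is written, and the assignedLicenses check stops a re-run from silently looking like a new assignment.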