Friday, 5 January 2018

Connect to Microsoft Graph API using PowerShell

In this article I will explain how to connect to Microsoft Graph and query the current user's information from Azure AD. To call Microsoft Graph we must first acquire an access token from Azure Active Directory (Azure AD). The token can be obtained either with a registered Azure AD application or with one of the well-known Azure AD client ids (for example, the one reserved for PowerShell).

Pre-requisites

We are going to get the access token by using the AuthenticationContext.AcquireToken method from the Active Directory Authentication Library (ADAL). To use the ADAL library we need to install Azure Resource Manager PowerShell. If your main OS is Windows 10 and you have PowerShellGet installed, you can run the following command to install the Azure Resource Manager PowerShell module.

Install-Module AzureRM -SkipPublisherCheck -AllowClobber -Force

Function - GetAccessToken

Instead of creating a new Client Id and Azure AD application, here we are using a well-known Client Id reserved for PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2. You need to pass your tenant name (ex: domain.onmicrosoft.com) to this function and enter your user credentials to get a token.
Function GetAccessToken
{
    param (
        [Parameter(Position=0, Mandatory=$true)]
        [string] $TenantName,
        [Parameter(Position=1, Mandatory=$false)]
        [string] $Office365Username,
        [Parameter(Position=2, Mandatory=$false)]
        [string] $Office365Password
    )

    # Importing AzureRM loads the ADAL assembly (Microsoft.IdentityModel.Clients.ActiveDirectory) used below.
    Import-Module AzureRM
    # PowerShell Client Id. This is a well-known Azure AD client id of the PowerShell client. You don't need to create an Azure AD app.
    $clientId = "1950a258-227b-4e31-a9cf-717495945fc2"
    # The resource the token is requested for; it becomes the token's audience.
    $resourceAppIdURI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$TenantName"
    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority

    # Build the credential from the parameters when both were supplied; otherwise prompt for them.
    if (([string]::IsNullOrEmpty($Office365Username) -eq $false) -and ([string]::IsNullOrEmpty($Office365Password) -eq $false))
    {
        $SecurePassword = ConvertTo-SecureString -AsPlainText $Office365Password -Force
        # Build Azure AD credentials object
        $AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $Office365Username, $SecurePassword
    }
    else
    {
        # Build credentials object from the interactive prompt
        $Credential = Get-Credential
        $AADCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $Credential.UserName, $Credential.Password
    }

    $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $AADCredential)
    return $authResult.AccessToken
}
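The token GetAccessToken returns is a JWT whose payload states who it is for (aud), which tenant and user it belongs to, which delegated permissions it carries (scp) and when it expires. The following is an added example, not code from the original post: it decodes those claims and checks audience and expiry before the token is used, so a token minted for the wrong resource or an expired one is caught locally rather than as a bare 401 from Graph. The sample token at the bottom is constructed and unsigned so the functions can be run without a tenant; the function names are my own.

```powershell
# Added example (not from the original post): read the claims of the access token
# that GetAccessToken returns and check audience and expiry before sending it to
# Microsoft Graph. Only the payload is decoded; the signature is not verified here,
# because the resource (Graph) is the party that validates it.

function ConvertTo-Base64Url {
    param ([Parameter(Mandatory=$true)] [string] $Text)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    return [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims {
    param ([Parameter(Mandatory=$true)] [string] $Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) {
        throw "Not a JWT: expected header.payload.signature, got $($parts.Count) segment(s)."
    }

    # JWT segments are base64url: restore the standard alphabet and the stripped padding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

function Test-GraphAccessToken {
    param ([Parameter(Mandatory=$true)] [string] $Token)

    $claims = Get-JwtClaims -Token $Token
    $epoch = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $expires = $epoch.AddSeconds($claims.exp)

    # Azure AD identifies Microsoft Graph either by its resource URI or by its
    # application id 00000003-0000-0000-c000-000000000000; anything else means the
    # token was minted for a different resource and Graph will reject it.
    $graphAudiences = @('https://graph.microsoft.com', 'https://graph.microsoft.com/',
                        '00000003-0000-0000-c000-000000000000')
    if ($graphAudiences -notcontains $claims.aud) {
        throw "Token audience is '$($claims.aud)', not Microsoft Graph."
    }
    if ($expires -le [DateTime]::UtcNow) {
        throw "Token expired at $expires UTC; acquire a new one."
    }

    # The delegated permissions (scp) tell you what this token can do on the user's behalf.
    return [PSCustomObject]@{
        Audience  = $claims.aud
        Tenant    = $claims.tid
        User      = $claims.upn
        Scopes    = $claims.scp
        ExpiresOn = $expires
    }
}

# Constructed, unsigned sample token so the checks can be run without a tenant.
# A real token from GetAccessToken carries a signature segment and many more claims.
$epoch = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
$exp = [int64]([DateTime]::UtcNow.AddHours(1) - $epoch).TotalSeconds
$sampleHeader  = ConvertTo-Base64Url -Text '{"typ":"JWT","alg":"none"}'
$samplePayload = ConvertTo-Base64Url -Text ('{"aud":"https://graph.microsoft.com",' +
    '"tid":"00000000-0000-0000-0000-000000000000","upn":"user@tenant.onmicrosoft.com",' +
    '"scp":"User.Read User.ReadBasic.All","exp":' + $exp + '}')
$sampleToken = "$sampleHeader.$samplePayload.unsigned"

Test-GraphAccessToken -Token $sampleToken

# With a real token from the post's function:
# $accessToken = GetAccessToken -TenantName "tenant.onmicrosoft.com"
# Test-GraphAccessToken -Token $accessToken
```

When you run this against a real token, prefer the Get-Credential path of GetAccessToken over the -Office365Password parameter: the password then never appears in the console history or in a saved script, and the SecureString is built by the prompt rather than from plain text.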

Connect and fetch data from Azure AD using the REST API:

Once you have the required access token you can easily query the Graph API with the Invoke-RestMethod cmdlet by passing the access token in the Authorization header.

Get Access Token: The command below gets the required access token.

$accessToken = GetAccessToken -TenantName "tenant.onmicrosoft.com"

Get Access Token by passing credentials:

$accessToken = GetAccessToken -TenantName "tenant.onmicrosoft.com" -Office365Username "admin@tenant.onmicrosoft.com" -Office365Password "admin_pwd"

Example 1: The command below gets the current user's profile details.

$apiUrl = "https://graph.microsoft.com/v1.0/me"
$myProfile = Invoke-RestMethod -Headers @{Authorization = "Bearer $accessToken"} -Uri $apiUrl -Method Get

Example 2: The command below gets the Azure AD user details.

$apiUrl = "https://graph.microsoft.com/v1.0/users"
$users = Invoke-RestMethod -Headers @{Authorization = "Bearer $accessToken"} -Uri $apiUrl -Method Get
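A single Invoke-RestMethod call to /users returns only the first page of results; Graph signals further pages with an @odata.nextLink property, and auth or throttling problems arrive as HTTP 401, 403 or 429 responses. The following is an added example, not code from the original post: a wrapper around Invoke-RestMethod that follows the paging links, asks for only the properties it needs with $select, and reports those status codes with a readable message. The -Requester parameter is a hypothetical hook of my own, not a Graph or PowerShell feature, so that the paging logic can be exercised against the constructed two-page fake at the bottom without a tenant.

```powershell
# Added example (not from the original post): a wrapper around Invoke-RestMethod that
# follows @odata.nextLink until every page is collected, and turns the HTTP status
# codes Graph uses for auth and throttling problems into readable errors.

function Invoke-GraphGet {
    param (
        [Parameter(Mandatory=$true)] [string] $AccessToken,
        [Parameter(Mandatory=$true)] [string] $Uri,
        # Hypothetical hook (not a Graph or PowerShell feature) so the paging logic can be
        # exercised offline; by default it performs the real Invoke-RestMethod call.
        [scriptblock] $Requester = {
            param($Headers, $Url)
            Invoke-RestMethod -Headers $Headers -Uri $Url -Method Get -ErrorAction Stop
        }
    )

    $headers = @{ Authorization = "Bearer $AccessToken" }
    $results = New-Object System.Collections.Generic.List[object]
    $next = $Uri

    while ($next) {
        try {
            $response = & $Requester $headers $next
        }
        catch {
            $status = 0
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            if ($status -eq 401) {
                throw "Graph returned 401 for $next - the token is missing, expired or issued for another audience."
            }
            elseif ($status -eq 403) {
                throw "Graph returned 403 for $next - the signed-in user or client lacks the required permission."
            }
            elseif ($status -eq 429) {
                # Throttled. Graph sends a Retry-After header; this example uses a fixed
                # wait (constructed value) and then retries the same page.
                Start-Sleep -Seconds 10
                continue
            }
            throw
        }

        if ($response.PSObject.Properties.Name -contains 'value') {
            foreach ($item in $response.value) { $results.Add($item) }   # collection, e.g. /users
        }
        else {
            $results.Add($response)                                      # single object, e.g. /me
        }

        # Graph returns @odata.nextLink only when more pages remain.
        $next = $response.'@odata.nextLink'
    }
    return $results.ToArray()
}

# Constructed two-page fake of a /users response so the paging can be seen without a tenant.
$fakePages = @{
    'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName' = [PSCustomObject]@{
        value = @([PSCustomObject]@{ id = '1'; userPrincipalName = 'alice@tenant.onmicrosoft.com' })
        '@odata.nextLink' = 'https://graph.microsoft.com/v1.0/users?$skiptoken=page2'
    }
    'https://graph.microsoft.com/v1.0/users?$skiptoken=page2' = [PSCustomObject]@{
        value = @([PSCustomObject]@{ id = '2'; userPrincipalName = 'bob@tenant.onmicrosoft.com' })
    }
}
$offlineUsers = Invoke-GraphGet -AccessToken 'not-a-real-token' `
    -Uri 'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName' `
    -Requester { param($Headers, $Url) $fakePages[$Url] }
$offlineUsers.Count   # 2, one user from each page

# Against a real tenant, with the token from the post's GetAccessToken function.
# $select limits the response to the properties you need, which is also all that ends up in any logs you keep.
# $accessToken = GetAccessToken -TenantName "tenant.onmicrosoft.com"
# $users = Invoke-GraphGet -AccessToken $accessToken -Uri 'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,accountEnabled'
# $users | Where-Object { -not $_.accountEnabled } | Select-Object userPrincipalName
```

The query strings are in single quotes on purpose: in double quotes PowerShell would expand $select and $skiptoken as variables and send an empty parameter to Graph. The URI for each page comes from the previous response, so the loop stops on its own when @odata.nextLink is absent.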
