The Microsoft Graph PowerShell commands for Microsoft 365 are what all Administrators should be learning.

https://docs.microsoft.com/en-us/powershell/microsoftgraph/overview?view=graph-powershell-beta

The PowerShell module contains commands for the following categories:

  • Applications – Microsoft.Graph.Applications
  • Bookings – Microsoft.Graph.Bookings
  • Calendar – Microsoft.Graph.Calendar
  • Change Notifications – Microsoft.Graph.ChangeNotifications
  • Cloud Communications – Microsoft.Graph.CloudCommunications
  • Compliance – Microsoft.Graph.Compliance
  • Cross-Device Experiences – Microsoft.Graph.CrossDeviceExperiences
  • Device Management – Microsoft.Graph.DeviceManagement
  • Device Management Actions – Microsoft.Graph.DeviceManagementActions
  • Device Management Administration – Microsoft.Graph.DeviceManagementAdministration
  • Device Management Enrollment – Microsoft.Graph.DeviceManagementEnrollment
  • Device Management Functions – Microsoft.Graph.DeviceManagementFunctions
  • Devices Cloud Print – Microsoft.Graph.Devices.CloudPrint
  • Directory Objects – Microsoft.Graph.DirectoryObjects
  • Education – Microsoft.Graph.Education
  • Identity Directory Management – Microsoft.Graph.Identity.DirectoryManagement
  • Identity Directory Governance – Microsoft.Graph.Identity.Governance
  • Identity Directory Sign-ins – Microsoft.Graph.Identity.SignIns
  • Mail – Microsoft.Graph.Mail
  • Notes – Microsoft.Graph.Notes
  • People – Microsoft.Graph.People
  • Personal Contacts – Microsoft.Graph.PersonalContacts
  • Planner – Microsoft.Graph.Planner
  • Reports – Microsoft.Graph.Reports
  • Schema Extensions – Microsoft.Graph.SchemaExtensions
  • Search – Microsoft.Graph.Search
  • Security – Microsoft.Graph.Security
  • Sites – Microsoft.Graph.Sites
  • Teams – Microsoft.Graph.Teams
  • Users – Microsoft.Graph.Users
  • User Actions – Microsoft.Graph.Users.Actions
  • User Functions – Microsoft.Graph.Users.Functions

To review the category permissions, create an app registration within Azure Active Directory (Azure AD), and add Microsoft Graph API Permissions.

To use the categories within the Microsoft Graph, you must request permissions as part of the connection command. The permissions the commands require are passed in the "Scopes" parameter. All permissions within the Graph are Read or Write. For example, managing users and groups within Azure Active Directory requires the following permission scopes.

  • User.ReadWrite.All
  • Group.ReadWrite.All
  • GroupMember.ReadWrite.All

To connect with these permissions, we pass these values as part of the connect command.

# -Scopes takes a comma-separated list of permission names
Connect-MgGraph -Scopes `
	"User.ReadWrite.All", `
	"Group.ReadWrite.All", `
	"GroupMember.ReadWrite.All"

After you execute the command, the consent framework prompts you to consent as a user or to consent for the entire tenant.

The most interesting thing is that all the PowerShell commands are available after importing the Microsoft Graph module. The scopes on the connection determine which specific commands you can execute. If the required permissions are missing or incorrect when a command runs, it will fail.

The good news is that you can see which scopes are on the current connection.

Get-MgContext | Select -ExpandProperty Scopes

Luckily, you can reconnect at any point with the added permissions to continue executing commands.

# Initial Connection
Connect-MgGraph -Scopes `
	"User.ReadWrite.All"
# Updated Connection
Connect-MgGraph -Scopes `
	"User.ReadWrite.All", `
	"Group.ReadWrite.All", `
	"GroupMember.ReadWrite.All"
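
The check and reconnect steps above can be combined into a least-privilege comparison before a script runs. This is an added example, not code from the original post: `Compare-MgScope` is a hypothetical helper name, the sample scope values are constructed, and it assumes that a granted `X.ReadWrite` scope also satisfies a required `X.Read` scope and that `openid`, `profile`, `email` and `offline_access` are sign-in scopes to ignore.

```powershell
# Added example: compare the scopes a script needs with the scopes already granted.
function Compare-MgScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Required,

        # On a live connection pass (Get-MgContext).Scopes here.
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [string[]]$Granted
    )

    $missing = @()   # required and not covered by anything granted
    $broader = @()   # a ReadWrite scope is granted where Read would be enough
    foreach ($scope in $Required) {
        if ($scope -in $Granted) { continue }
        # Assumption: X.ReadWrite[.Y] also covers X.Read[.Y]
        $write = $scope -replace '\.Read(?=\.|$)', '.ReadWrite'
        if ($write -in $Granted) { $broader += $write } else { $missing += $scope }
    }

    # Assumed list of sign-in scopes that are not resource permissions
    $signIn = 'openid', 'profile', 'email', 'offline_access'
    $extra = @($Granted | Where-Object {
        $_ -notin $Required -and $_ -notin $broader -and $_ -notin $signIn
    })

    [pscustomobject]@{
        Missing = $missing   # request these on the next Connect-MgGraph
        Broader = $broader   # more privilege than the script asked for
        Extra   = $extra     # granted but not used by this script
    }
}

# Constructed sample values; on a live session use: $granted = (Get-MgContext).Scopes
$granted  = 'openid', 'profile', 'User.ReadWrite.All', 'Mail.Read'
$required = 'User.Read.All', 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All'

$result = Compare-MgScope -Required $required -Granted $granted
$result | Format-List

if ($result.Missing) {
    # Build the reconnect command for only the scopes that are absent
    'Connect-MgGraph -Scopes ' + (($result.Missing | ForEach-Object { "`"$_`"" }) -join ', ')
}
```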

The Microsoft Graph PowerShell module contains nearly all the commands you need to manage your Microsoft 365 tenant. Now is a great time to start migrating away from the current commands to these new ones.
