APIs are quickly becoming more and more prevalent in the SysAdmin/DevOps space and one of the most powerful resources is the Microsoft Graph API. Why? One thing I’ve had front of mind is the realization that often times these public APIs are available prior to UI integrations within web portals or consoles. What this often means is that if the thing you’re looking for doesn’t exist, create it!
The reason why I decided to make this guide is that most of the time when I’ve been looking up guidance or information on this topic, I end up finding a narrow example that doesn’t help me understand all the options available. A common misconception I also hear is that people are just looking for how to pull an access token for Graph, but this is a bit too broad and has led me down a path of confusion in the past where I was trying methods that ultimately did not work. Understanding what methods are available to meet your needs will help you equip yourself to have an informed conversation with your Cloud/Security teams to evaluate what makes the most sense for your own scenarios.
I recognize that not all of us come from a development background, so this 3 part guide is going to help provide some tangible examples and guidance around what I think the hardest part about using the Graph API is, authentication. Each part will be broken down as follows:
-
Part 1: Intro (Identifying the required permissions for your use case)
-
Part 2: Application Permissions
-
Part 3: Delegated Permissions
Typically, the process begins with the identification of what exactly you are trying to achieve and then finding the necessary permission scopes and type that are available. Understanding this is critical as there are 2 primary types of permissions: Delegated and Application. In either case, scripts can run interactively or non-interactively. I will say though that it’s generally easier, more secure, and less overhead to use application permissions if your script needs to run non-interactively. Here’s how I think of them:
Note: Microsoft Documentation on this topic is available here.
Application Permissions: The access token pulled performs actions without a user account.
Delegated Permissions: The access token pulled performs actions on behalf of the user that is authenticated when requesting the token.
The reason why this is so important to understand is that the methods that are available to authenticate can vary based on what types of permissions are required for the use case. You should never mix Application Permissions with Delegated Permissions.
Example: Let’s say you want to create a script that can silently pull device data out of Intune and export it to a CSV on an automated schedule. Since we know we want our script to run non-interactively on a schedule, therefore if there are application permissions available, that would be the preferred option.
Note: In some cases, Application or Delegated permissions might not be available, which may require some creativity to meet your needs.
Follow these steps to find the necessary permissions for the use case at hand:
-
Head over to the Microsoft Graph REST API reference page (Keep in mind there are 1.0 and beta versions available currently)
-
I often find myself searching Google instead, in this case, I’d search “get device graph api” which will lead you here: https://learn.microsoft.com/en-us/graph/api/device-get?view=graph-rest-1.0&tabs=http
-
Another option would be to use this cmdlet from the Microsoft.Graph module
Find-MgGraphPermission device
-
-
We can see that in our example use case, there are permission sets available for both Application and Delegated to get device data. As mentioned above, our preference in this case would be to use Application.
-
The least privileged Application permission required for our use case is Device.Read.All.
-
Keep this jotted down as it will be required later.
-
Microsoft Graph authentication is built upon the Microsoft Identity Platform for which the best way I’ve found to authenticate is by using 1 of 2 available modules: MSAL.PS or Microsoft Graph PowerShell. However, ultimately the Microsoft Graph PowerShell module is suggested to use once a token has been retrieved as it cleanly handles passing the token in the request headers automatically, and there are many cmdlets available to simplify the process. With that said, it is not absolutely mandatory to use if you find a gap or cannot use it in your environment for whatever reason.
Now that you’ve identified what types of permissions are needed for your use case, click the corresponding link below for more information on next steps. This will help you understand what is required regarding the configuration of an Azure AD App Registration as well as how to actually make the proper authentication call from PowerShell: