Install Microsoft Graph PowerShell SDK
1. Right-click the Windows Start icon, then select PowerShell Admin. In Windows 11, select Terminal Admin instead of PowerShell Admin.
2. Copy the commands below and paste them all into the PowerShell window at once, then hit Enter to add the PSGallery repository and install the Microsoft Graph PowerShell modules.
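##Add repository
# RemoteSigned: local scripts run unsigned; scripts downloaded from the internet must be signed
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
Install-PackageProvider -Name NuGet -Force
# Trusted: Install-Module no longer asks for confirmation before installing from PSGallery
Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
##Install modules
# Installed for the current user only
Install-Module Microsoft.Graph -Scope CurrentUser -Force
# Installed machine-wide for all users (requires the elevated session from step 1)
Install-Module MSAL.PS -Scope AllUsers -Force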
3. Once done, run the Connect-MgGraph command to connect to Microsoft Graph. You must sign in with an administrative account when prompted.
If you see the text Welcome To Microsoft Graph!, you're connected.
PS C:\> Connect-MgGraph
Welcome To Microsoft Graph!
Determine required permission scopes
Each API in the Microsoft Graph is protected by one or more permission scopes. The user logging in must consent to one of the required scopes for the APIs you plan to use.
To retrieve the details of your current session, run the Get-MgContext command.
PS C:\Users\admin> Get-MgContext
ClientId : 14d82eec-204b-4c2f-b7e8-296a70dab67e
TenantId : 7bda07b0-7ff7-4fd9-9f29-d925ed968476
CertificateThumbprint :
Scopes : {AuditLog.Read.All, Directory.Read.All, email, Group.ReadWrite.All...}
AuthType : Delegated
AuthProviderType : InteractiveAuthenticationProvider
CertificateName :
Account : [email protected]
AppName : Microsoft Graph PowerShell
ContextScope : CurrentUser
Certificate :
PSHostVersion : 5.1.22621.963
ClientTimeout : 00:05:00
To retrieve all the scopes that you’ve consented to, expand the Scopes property using the -ExpandProperty parameter.
PS C:\> Get-MgContext | Select -ExpandProperty Scopes
AuditLog.Read.All
Directory.Read.All
email
Group.ReadWrite.All
openid
Organization.Read.All
profile
User.Read
User.Read.All
User.ReadWrite.All
Switching between Microsoft Graph profiles
By default the Microsoft Graph PowerShell commands target the v1.0 API version. Commands for APIs that are only available in beta aren’t available in PowerShell by default.
To check your current profile, run Get-MgProfile:
PS C:\> Get-MgProfile
Name Description
---- -----------
v1.0 A snapshot of the Microsoft Graph v1.0 API for the Global cloud.
Use Select-MgProfile to change your target API version. For example, to change to the beta version, run:
PS C:\> Select-MgProfile -Name Beta
PS C:\> Get-MgProfile
Name Description
---- -----------
beta A snapshot of the Microsoft Graph beta API for the Global cloud.
To switch back to using v1.0 API commands, specify v1.0 for the name parameter.
PS C:\> Select-MgProfile -Name v1.0
PS C:\> Get-MgProfile
Name Description
---- -----------
v1.0 A snapshot of the Microsoft Graph v1.0 API for the Global cloud.
Using Invoke-MgGraphRequest
Invoke-MgGraphRequest issues REST API requests to the Graph API. It works for any Graph API if you know the REST URI, method and optional body parameter. This command is especially useful for accessing APIs for which there isn’t an equivalent cmdlet yet.
To retrieve the details of the signed-in user, run:
Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/v1.0/me
PS C:\> Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/v1.0/me
Name Value
---- -----
userPrincipalName [email protected]
preferredLanguage
mobilePhone
displayName Chris
givenName
mail [email protected]
@odata.context https://graph.microsoft.com/v1.0/$metadata#users/$entity
id 617660b7-8595-42d1-94d7-57de2373b56a
jobTitle
officeLocation
businessPhones {}
surname
Using Find-MgGraphCommand cmdlet
Find-MgGraphCommand aims to make it easier for you to discover which API path a command calls, by providing a URI or a command name.
Find-MgGraphCommand allows you to:
- Pass a Microsoft Graph URL (relative and absolute) and get an equivalent Microsoft Graph PowerShell command.
- Pass a command and get the URL it calls.
- Pass a command or URI wildcard (.*) to find all commands that match it.
Pass a command and get the URI it calls:
Find-MgGraphCommand -Command 'Get-MgUser'
PS C:\> Find-MgGraphCommand -Command 'Get-MgUser'
APIVersion: v1.0
Command Module Method URI OutputType Permissions
------- ------ ------ --- ---------- -----------
Get-MgUser Users GET /users IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceMana...
Get-MgUser Users GET /users/{user-id} IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceMana...
APIVersion: beta
Command Module Method URI OutputType Permissions
------- ------ ------ --- ---------- -----------
Get-MgUser Users GET /users/{user-id} IMicrosoftGraphUser {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManag...
Get-MgUser Users GET /users IMicrosoftGraphUser {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManag...
Pass a command and get the permissions required:
Find-MgGraphCommand -Command 'Get-MgUser' | Select -First 1 -ExpandProperty Permissions
PS C:\> Find-MgGraphCommand -Command 'Get-MgUser' | Select -First 1 -ExpandProperty Permissions
Name IsAdmin Description FullDescription
---- ------- ----------- ---------------
DeviceManagementApps.Read.All True Read Microsoft Intune apps Allows the app to read the properties, group assignments and status of apps, app co...
DeviceManagementApps.ReadWrite.All True Read and write Microsoft Intune apps Allows the app to read and write the properties, group assignments and status of ap...
DeviceManagementManagedDevices.Read.All True Read devices Microsoft Intune devices Allows the app to read the properties of devices managed by Microsoft Intune.
DeviceManagementManagedDevices.ReadWrite.All True Read and write Microsoft Intune devices Allows the app to read and write the properties of devices managed by Microsoft Int...
DeviceManagementServiceConfig.Read.All True Read Microsoft Intune configuration Allows the app to read Microsoft Intune service properties including device enrollm...
DeviceManagementServiceConfig.ReadWrite.All True Read and write Microsoft Intune configuration Allows the app to read and write Microsoft Intune service properties including devi...
Directory.AccessAsUser.All True Access the directory as you Allows the app to have the same access to information in your work or school direct...
Directory.Read.All True Read directory data Allows the app to read data in your organization's directory.
Directory.ReadWrite.All True Read and write directory data Allows the app to read and write data in your organization's directory, such as oth...
User.Read.All True Read all users' full profiles Allows the app to read the full set of profile properties, reports, and managers of...
User.ReadBasic.All False Read all users' basic profiles Allows the app to read a basic set of profile properties of other users in your org...
User.ReadWrite.All True Read and write all users' full profiles Allows the app to read and write the full set of profile properties, reports, and m...
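The session scopes from Get-MgContext and the per-command permissions from Find-MgGraphCommand can be combined into a least-privilege check. The following is an added example, not part of the original page: it assumes an active Connect-MgGraph session, and the command list, the Test-SessionScope helper name and the write-scope name pattern are assumptions of the example.

```powershell
# Added example, not from the original page. Assumes the Microsoft.Graph module
# is installed and Connect-MgGraph has already succeeded in this session.
# $PlannedCommands is a constructed list: replace it with the cmdlets you call.
$PlannedCommands = 'Get-MgUser', 'Get-MgTeamSchedule'

# OpenID Connect sign-in scopes, not Graph API permissions.
$OidcScopes = 'openid', 'profile', 'email', 'offline_access'

function Test-SessionScope {
    param(
        [string[]]  $Consented,      # scopes held by the current session
        [hashtable] $RequiredAnyOf   # command name -> permissions, any one suffices
    )
    $used = @()
    $coverage = foreach ($cmd in $RequiredAnyOf.Keys) {
        $hit = @($RequiredAnyOf[$cmd] | Where-Object { $Consented -contains $_ })
        $used += $hit
        [pscustomobject]@{
            Command     = $cmd
            Covered     = $hit.Count -gt 0
            SatisfiedBy = $hit -join ', '
        }
    }
    # Consented scopes that none of the planned commands can make use of.
    $unused = @($Consented | Where-Object {
        $used -notcontains $_ -and $OidcScopes -notcontains $_ })
    [pscustomobject]@{
        Coverage    = $coverage
        Unused      = $unused
        # Name-based heuristic (an assumption of this example) for write-capable scopes.
        UnusedWrite = @($unused | Where-Object { $_ -match 'ReadWrite|AccessAsUser' })
    }
}

# Build the command -> permissions table the same way the page queries it.
$required = @{}
foreach ($cmd in $PlannedCommands) {
    $required[$cmd] = @(Find-MgGraphCommand -Command $cmd -ApiVersion 'v1.0' |
        Select-Object -First 1 -ExpandProperty Permissions |
        Select-Object -ExpandProperty Name)
}

$report = Test-SessionScope -Consented (Get-MgContext).Scopes -RequiredAnyOf $required
$report.Coverage | Format-Table -AutoSize
'Consented but unused: ' + ($report.Unused -join ', ')
'Unused and write-capable: ' + ($report.UnusedWrite -join ', ')
```

A command whose SatisfiedBy column lists both a read and a read-write scope is already covered by the read scope alone.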
Find Microsoft Graph PowerShell commands using a command wildcard:
Find-MgGraphCommand -Command .*Teams.* -APIVersion 'v1.0'
PS C:\> Find-MgGraphCommand -Command .*Teams.* -APIVersion 'v1.0'
Command Module Method URI
------- ------ ------ ---
Get-MgTeamSchedule Teams GET /teams/{team-id}/schedule
Get-MgTeamScheduleOfferShiftRequest Teams GET /teams/{team-id}/schedule/offerShiftRequests/{offerShiftRequest-id}
Get-MgTeamScheduleOfferShiftRequest Teams GET /teams/{team-id}/schedule/offerShiftRequests
Get-MgTeamScheduleOpenShift Teams GET /teams/{team-id}/schedule/openShifts/{openShift-id}
Get-MgTeamScheduleOpenShift Teams GET /teams/{team-id}/schedule/openShifts
Get-MgTeamScheduleOpenShiftChangeRequest Teams GET /teams/{team-id}/schedule/openShiftChangeRequests/{openShiftChangeRequest-id}
Get-MgTeamScheduleOpenShiftChangeRequest Teams GET /teams/{team-id}/schedule/openShiftChangeRequests
Get-MgTeamScheduleSchedulingGroup Teams GET /teams/{team-id}/schedule/schedulingGroups/{schedulingGroup-id}
Get-MgTeamScheduleSchedulingGroup Teams GET /teams/{team-id}/schedule/schedulingGroups
...
Disconnect-MgGraph
Once you’re signed in, you’ll remain signed in until you invoke Disconnect-MgGraph. Microsoft Graph PowerShell automatically refreshes the access token for you and sign-in persists across PowerShell sessions because Microsoft Graph PowerShell securely caches the token.
Use Disconnect-MgGraph to sign out:
Disconnect-MgGraph
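Because the sign-in persists across PowerShell sessions, a script that fails before reaching Disconnect-MgGraph leaves a usable session behind. The following added example (not from the original page) keeps the sign-in scoped to the current process and always signs out; Invoke-WithGraphSession is a hypothetical helper name, and the scope and request are sample values.

```powershell
# Added example, not from the original page. Invoke-WithGraphSession is a
# hypothetical helper name; the scope and request at the bottom are sample values.
function Invoke-WithGraphSession {
    param(
        [Parameter(Mandatory)] [string[]]    $Scopes,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    # -ContextScope Process keeps the sign-in in this process only, instead of
    # the CurrentUser context that later PowerShell sessions would reuse.
    Connect-MgGraph -Scopes $Scopes -ContextScope Process -ErrorAction Stop | Out-Null
    try {
        # Fail early if the session did not receive every scope the action needs.
        $granted = (Get-MgContext).Scopes
        $missing = @($Scopes | Where-Object { $granted -notcontains $_ })
        if ($missing.Count -gt 0) {
            throw "Scopes not granted: $($missing -join ', ')"
        }
        & $Action
    }
    finally {
        # Runs on success and on error, so no signed-in context is left behind.
        Disconnect-MgGraph | Out-Null
    }
}

Invoke-WithGraphSession -Scopes 'User.Read' -Action {
    Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/v1.0/me
}
```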