With the Microsoft Graph PowerShell SDK, you connect to the Graph API by requesting one or more scopes.
The scopes are the permissions the session's access token will carry, so they must cover every command you intend to run, and ideally nothing more.
But which permissions are you going to need?
The easiest way to find out is the Find-MgGraphCommand cmdlet.
As an example, to identify the permissions needed to run Get-MgUser, run the following command:
Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0
Important parameters are:
- Command (mandatory; the cmdlet name you want to look up)
- ApiVersion (v1.0 or beta; permissions can differ between the two, so check the version you will actually call)
The output will look similar to this:
PS C:\> Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0

   APIVersion: v1.0

Command    Module Method URI              OutputType           Permissions                                                                                                                                                    Variants
-------    ------ ------ ---              ----------           -----------                                                                                                                                                    --------
Get-MgUser Users  GET    /users/{user-id} IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All...} {Get1, GetViaIdentity1}
Get-MgUser Users  GET    /users           IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All...} {List1}

The two rows are the two REST calls the cmdlet can make: GET /users/{user-id} fetches a single user, and GET /users lists users. The Permissions column is truncated in the table view, which is why the next step filters on the URI and expands it.
To see the full permission list for the list request (GET /users), filter on the URI and expand the Permissions property (? and ft are the built-in aliases for Where-Object and Format-Table):
(Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0 | ? { $_.URI -eq '/users'}).Permissions | ft Name,Description
This will generate output similar to the following:
PS C:\> (Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0 | ? { $_.URI -eq '/users'}).Permissions | ft Name,Description

Name                                         Description
----                                         -----------
DeviceManagementApps.Read.All                Read Microsoft Intune apps
DeviceManagementApps.ReadWrite.All           Read and write Microsoft Intune apps
DeviceManagementManagedDevices.Read.All      Read devices Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All Read and write Microsoft Intune devices
DeviceManagementServiceConfig.Read.All       Read Microsoft Intune configuration
DeviceManagementServiceConfig.ReadWrite.All  Read and write Microsoft Intune configuration
Directory.AccessAsUser.All                   Access the directory as you
Directory.Read.All                           Read directory data
Directory.ReadWrite.All                      Read and write directory data
User.Read.All                                Read all users' full profiles
User.ReadBasic.All                           Read all users' basic profiles
User.ReadWrite.All                           Read and write all users' full profiles
As you'll notice, the list includes several Intune permissions alongside the User and Directory permissions. Find-MgGraphCommand lists every permission that is sufficient for the call, not the minimum set: any one of these scopes lets Get-MgUser list users.
That means you should pick the narrowest entry that covers what you actually do, not request the whole list. For a plain user query, User.ReadBasic.All (or User.Read.All if you need non-basic properties) is enough; the DeviceManagement* scopes are only there because Intune scenarios also happen to read user objects.
Several entries are also strict supersets of others (Directory.ReadWrite.All includes everything Directory.Read.All grants, and User.ReadWrite.All includes User.Read.All). Requesting a write or Directory-wide scope for a read-only task gives the session, and any token cached for it, far more reach than the job needs, so skip the supersets unless you genuinely need them.
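The steps above (look up the cmdlet, filter on the URI, expand the permissions, pick the narrowest one) can be scripted so that the session is opened with exactly the scopes it needs. The following is an added example, not code from the original post or from the Graph SDK itself: it uses the real Find-MgGraphCommand, Connect-MgGraph and Get-MgContext cmdlets, but the ranking rule (prefer .ReadBasic over .Read over .ReadWrite, and prefer a resource-specific scope over Directory.* or DeviceManagement*) is this example's own policy, the function names are hypothetical, and it assumes an interactive delegated sign-in with Microsoft.Graph.Authentication 2.x (for the -NoWelcome switch).

```powershell
# Added example (not from the original post): open a Graph session with the narrowest
# delegated scope per cmdlet. Assumes the Microsoft.Graph PowerShell SDK (2.x) is installed
# and that you sign in interactively as a user (delegated permissions).
#Requires -Modules Microsoft.Graph.Authentication

function Get-MinimalGraphScope {
    param(
        [Parameter(Mandatory)] [string[]] $Command,
        [ValidateSet('v1.0', 'beta')] [string] $ApiVersion = 'v1.0',
        # Optional URI filter so a cmdlet with several variants (e.g. /users vs
        # /users/{user-id}) only contributes the variant you will actually call.
        [string] $Uri
    )
    foreach ($c in $Command) {
        $variants = Find-MgGraphCommand -Command $c -ApiVersion $ApiVersion
        if ($Uri) { $variants = $variants | Where-Object URI -eq $Uri }
        if (-not $variants) { throw "No $ApiVersion variant of $c matches URI '$Uri'" }

        # Union of every permission the SDK says is sufficient for these variants.
        $names = $variants.Permissions.Name | Sort-Object -Unique

        # Policy (this example's own): if a resource-specific scope exists, ignore the
        # directory-wide and Intune ones that merely happen to include this call.
        $specific = $names | Where-Object { $_ -notmatch '^(Directory|DeviceManagement)' }
        $pool = if ($specific) { $specific } else { $names }

        # Rank by blast radius: ReadBasic < Read < ReadWrite/other < AccessAsUser.
        $ranked = $pool | Sort-Object {
            switch -Regex ($_) {
                '\.ReadBasic\.' { 0; break }
                '\.Read\.'      { 1; break }
                'AccessAsUser'  { 3; break }
                default         { 2 }
            }
        }
        [pscustomobject]@{ Command = $c; Scope = $ranked[0]; Alternatives = $ranked }
    }
}

function Connect-MgGraphLeastPrivilege {
    param(
        [Parameter(Mandatory)] [string[]] $Command,
        [ValidateSet('v1.0', 'beta')] [string] $ApiVersion = 'v1.0'
    )
    $plan   = Get-MinimalGraphScope -Command $Command -ApiVersion $ApiVersion
    $scopes = $plan.Scope | Sort-Object -Unique
    Write-Verbose "Requesting scopes: $($scopes -join ', ')"

    Connect-MgGraph -Scopes $scopes -NoWelcome

    # Check what the token actually carries. Two things can go wrong: a scope was not
    # granted (consent declined / admin consent required), or the token also carries
    # scopes consented earlier for this client, so the session is broader than planned.
    $granted = (Get-MgContext).Scopes
    $missing = $scopes  | Where-Object { $_ -notin $granted }
    $extra   = $granted | Where-Object { $_ -notin $scopes }
    if ($missing) { Write-Warning "Requested but not granted: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "Token also carries previously consented scopes: $($extra -join ', ')" }
    $plan
}

# Usage: list users with User.ReadBasic.All instead of Directory.ReadWrite.All.
$plan = Connect-MgGraphLeastPrivilege -Command Get-MgUser -Verbose
$plan | Format-Table Command, Scope
Get-MgUser -Top 5 | Select-Object DisplayName, UserPrincipalName
```

Two caveats worth knowing before relying on the picked scope. First, "narrowest" can be too narrow: User.ReadBasic.All only returns the basic profile properties, so a Get-MgUser call that selects, say, accountEnabled will need User.Read.All; rerun the lookup with the cmdlet and URI you really call and check the Alternatives list. Second, the scope check at the end matters because a delegated token reflects everything the user has already consented to for that client, so a session can end up with more permissions than the one scope you asked for; the warning tells you when that happens.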
Easy Office 365 Management
If you would like to manage your Office 365 environment with the Microsoft Graph PowerShell API without writing a single line of code, check out Easy365Manager.
Easy365Manager is a snap-in for AD Users & Computers that gives you user-friendly and fast Office 365 management: