How to Find Permissions Needed to Run Graph PowerShell Command

Command Permissions, Microsoft Graph PowerShell

With the Microsoft Graph PowerShell SDK, you need to connect to the Graph API with a scope.

The scope denotes what permissions you’ll need to execute your commands during the session.

But what permissions are you going to need?

The easiest way to identify this is by using the Find-MgGraphCommand cmdlet.

As an example, to identify the permissions needed to run Get-MgUser, run the following command:

Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0

Important parameters are:

  • Command (which is mandatory)
  • ApiVersion (select between v1.0 and Beta)

The output will look similar to this:

PS C:\> Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0


   APIVersion: v1.0

Command    Module Method URI              OutputType           Permissions                                                                                                                                                   Variants
-------    ------ ------ ---              ----------           -----------                                                                                                                                                   --------
Get-MgUser Users  GET    /users/{user-id} IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All...} {Get1, GetViaIdentity1}
Get-MgUser Users  GET    /users           IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All...} {List1}

The two rows correspond to the two request shapes: a request for a specific user (/users/{user-id}) and a general request for users (/users).

To see the required permissions for the general request in more detail, run the following command:

(Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0 | ? { $_.URI -eq '/users'}).Permissions | ft Name,Description

This will generate output similar to the following:

PS C:\> (Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0 | ? { $_.URI -eq '/users'}).Permissions | ft Name,Description

Name                                         Description
----                                         -----------
DeviceManagementApps.Read.All                Read Microsoft Intune apps
DeviceManagementApps.ReadWrite.All           Read and write Microsoft Intune apps
DeviceManagementManagedDevices.Read.All      Read devices Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All Read and write Microsoft Intune devices
DeviceManagementServiceConfig.Read.All       Read Microsoft Intune configuration
DeviceManagementServiceConfig.ReadWrite.All  Read and write Microsoft Intune configuration
Directory.AccessAsUser.All                   Access the directory as you
Directory.Read.All                           Read directory data
Directory.ReadWrite.All                      Read and write directory data
User.Read.All                                Read all users' full profiles
User.ReadBasic.All                           Read all users' basic profiles
User.ReadWrite.All                           Read and write all users' full profiles

As you’ll notice, the permissions include various Intune permissions on top of the User and Directory permissions.

You may not need those Intune permissions when querying a standard user with the Get-MgUser command.

Also, some of the listed permissions overlap: Directory.ReadWrite.All includes everything Directory.Read.All grants, so you only need to request the narrower of the two.
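The following helper, an added example that is not part of the original post, turns that permission list into a least-privilege choice: it ranks the permissions Find-MgGraphCommand returns (narrow read-only first, unrelated Intune and whole-directory scopes last) and checks via Get-MgContext whether the current session already holds one of them before connecting. The two function names and the ranking weights are this example's own, and it assumes the Microsoft.Graph.Authentication module is installed.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph.Authentication
# is installed; the function names and scoring weights are this example's own.

function Get-LeastPrivilegeScope {
    param(
        [Parameter(Mandatory)] [string] $Command,
        [Parameter(Mandatory)] [string] $Uri,
        [ValidateSet('v1.0', 'beta')] [string] $ApiVersion = 'v1.0'
    )
    $perms = (Find-MgGraphCommand -Command $Command -ApiVersion $ApiVersion |
              Where-Object { $_.URI -eq $Uri }).Permissions
    if (-not $perms) { throw "No permissions found for $Command on $Uri ($ApiVersion)" }

    # Rank each permission: lower score means a narrower grant. The weights are a
    # heuristic for this example; read the Description column before relying on them.
    $perms | ForEach-Object {
        $score = 0
        if ($_.Name -like 'DeviceManagement*') { $score += 100 }  # unrelated Intune scopes
        if ($_.Name -like 'Directory.*')       { $score += 50 }   # whole-directory scopes
        if ($_.Name -like '*AccessAsUser*')    { $score += 40 }   # delegated full access
        if ($_.Name -like '*ReadWrite*')       { $score += 30 }   # write access
        if ($_.Name -like '*.Read.*')          { $score += 10 }   # read-only; ReadBasic stays 0
        [pscustomobject]@{ Name = $_.Name; Score = $score; Description = $_.Description }
    } | Sort-Object Score, Name
}

function Test-MgCommandScope {
    # True when the current Connect-MgGraph session already holds a permission that
    # authorizes the call, so no broader re-connect is needed.
    param([Parameter(Mandatory)] [string] $Command, [Parameter(Mandatory)] [string] $Uri)
    $ctx = Get-MgContext
    if (-not $ctx) { return $false }
    $required = (Get-LeastPrivilegeScope -Command $Command -Uri $Uri).Name
    return [bool]($ctx.Scopes | Where-Object { $required -contains $_ })
}

# Usage: connect with only the narrowest permission that allows listing users.
$ranked = Get-LeastPrivilegeScope -Command Get-MgUser -Uri '/users'
$ranked | Format-Table Name, Score, Description
if (-not (Test-MgCommandScope -Command Get-MgUser -Uri '/users')) {
    Connect-MgGraph -Scopes $ranked[0].Name
}
```

For the /users call the top-ranked entry is User.ReadBasic.All, which returns only basic profile properties; if your query needs more attributes, take the next entry in the ranked list rather than jumping to a Directory.* scope.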

Easy Office 365 Management

If you would like to manage your Office 365 environment with the Microsoft Graph PowerShell API without writing a single line of code, check out Easy365Manager.

Easy365Manager is a snap-in to AD Users & Computers that gives you user-friendly and fast Office 365 management: