Welcome to the home of PowerShell examples for Microsoft Graph. This repository is designed for administrators, developers, and IT professionals seeking to maximize the capabilities of Microsoft Graph within their PowerShell scripts. Whether you're automating Office 365 tasks, managing Entra ID resources, or integrating various Microsoft services, this repository aims to be a community-driven, go-to resource for scripts, modules, and best practices.
PowerShell SDK for Microsoft Graph
Install-Module Microsoft.Graph -AllowClobber -Force
Optionally, also install:
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Using the Microsoft Graph Command Line Tools Enterprise Application
Connect-MgGraph -Scopes @('')
Using an existing Access Token
Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)
Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost)
Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'
Using a ClientId and Secret (Password)
$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
    'SecretCredential' = $secretCredential
    'TenantId' = $tenantId
}
Connect-MgGraph @params
This Entra ID error occurs when the authentication method by which the user authenticated with the service doesn't match the requested authentication method defined by the provider.
Retrieving and storing current Conditional Access Policy sign-in failures.
Find Application Registrations that have been disabled or are missing their Enterprise Application instance (Service Principal).
Find Application Registrations with Password or Certificate Credentials.
Find Application Registration Certificate or Secret expiry status.
Find Application Registrations without assigned Owners.
Adding a Microsoft Graph App Role (e.g. 'User.Read.All') to a Service Principal (Application/Managed Identity).
Find all Enterprise Applications
Find all Managed Identities
Find all Microsoft Applications
Find all Enterprise Applications with the ability to consume services in Microsoft Graph, AAD Graph and O365 API without a signed-in user.
Find SAML SSO expiry status on enabled Enterprise Applications.
Retrieve an Access Token for Microsoft Graph from an Azure AD Automation Account Managed Identity.
Confirm one or more riskyUser objects as compromised. This action sets the targeted user's risk level to high.
Find all cloud only groups (those not synchronised from AD on-premises).
Find all cloud only accounts.
Find all Guest accounts.
Find the last sign-in activity of an account.
Find all Member accounts.
Make a cloud or on-premises user change their password on their next sign-in to Azure. This cannot be used in conjunction with Passthrough Authentication.
Find all accounts assigned licenses.
Find Member account by email address.
Find all Member accounts by on-premises extensionAttribute.
Find accounts by User Principal Name prefix.
Find all Conditional Access Policies.
Zero Trust Persona-based Azure AD Conditional Access Policies
Find accounts with the Global Administrator role using an access token acquired for the Azure Portal (Entra).
Find Application Registrations for Single Page Applications that contain secrets.
Obtaining an Access Token for Microsoft Graph using the Application Client Credentials grant using native PowerShell and the Invoke-RestMethod cmdlet.
Obtaining an Access Token for Microsoft Graph using the Device Code grant and PowerShell with the Invoke-RestMethod cmdlet.