Learning and Sharing

How to Use Find-MgGraphCommand cmdlet in Microsoft Graph PowerShell

August 29, 2023
in Blog, Microsoft Graph, Powershell

Least Permission Model

With the Microsoft Graph PowerShell SDK, you need to connect to the Graph API with a scope. The scope denotes what permissions you’ll need to execute your commands during the session.

Permission handling differs significantly between the Entra ID PowerShell module and the Microsoft Graph PowerShell SDK. When you sign in using the Connect-AzureAD cmdlet, you can use all the administrative permissions owned by the account you sign in with. However, the Graph SDK operates on a least permission model, which means that you must request permissions to perform actions, even when connecting with a highly-permissioned account.

As the example below shows, even when we connect to Microsoft Graph with a global admin account, we still cannot list the accounts in our tenant, because the session only holds the default scopes.

PS C:\> Connect-MgGraph
Welcome to Microsoft Graph!

PS C:\> Get-MgUser
Get-MgUser : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2023-08-28T13:13:28

PS C:\> Get-MgContext

ClientId               : 14d82eec-204b-4c2f-b7e8-296a70dab67e
TenantId               : c032627b-6715-4e39-9990-bcf48ee5e0c5
Scopes                 : {openid, profile, User.Read, email}
AuthType               : Delegated
TokenCredentialType    : InteractiveBrowser
CertificateThumbprint  :
CertificateSubjectName :
Account                : [email protected]
AppName                : Microsoft Graph Command Line Tools
ContextScope           : CurrentUser
Certificate            :
PSHostVersion          : 5.1.22621.169
ManagedIdentityId      :
ClientSecret           :
Environment            : Global

But which permissions do you need? The easiest way to find out is the Find-MgGraphCommand cmdlet.

Using Find-MgGraphCommand cmdlet

Find-MgGraphCommand makes it easier to discover which API path a command calls, given a URI or a command name. It lets you:

  • Pass a Microsoft Graph URL (relative and absolute) and get an equivalent Microsoft Graph PowerShell command.
  • Pass a command and get the URL it calls.
  • Pass a command or URI wildcard (.*) to find all commands that match it.
   APIVersion: v1.0

Command       Module Method URI              OutputType           Permissions
-------       ------ ------ ---              ----------           -----------
Get-MgUser    Users  GET    /users/{user-id} IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementAp...
Remove-MgUser Users  DELETE /users/{user-id}                      {DeviceManagementApps.ReadWrite.All, DeviceManagem...
Update-MgUser Users  PATCH  /users/{user-id}                      {DeviceManagementApps.ReadWrite.All, DeviceManagem...


   APIVersion: beta

Command       Module Method URI              OutputType          Permissions
-------       ------ ------ ---              ----------          -----------
Get-MgUser    Users  GET    /users/{user-id} IMicrosoftGraphUser {DeviceManagementApps.Read.All, DeviceManagementApp...
Remove-MgUser Users  DELETE /users/{user-id}                     {DeviceManagementApps.ReadWrite.All, DeviceManageme...
Update-MgUser Users  PATCH  /users/{user-id}                     {DeviceManagementApps.ReadWrite.All, DeviceManageme...

The output of this cmdlet also includes the permissions required to run the specified cmdlet. For more information on cmdlet permissions, see Using Find-MgGraphPermission. Permission data is not yet available for every cmdlet; this is an ongoing feature and permissions will continue to be added.

Find Microsoft Graph PowerShell commands by URI

#Syntax
Find-MgGraphCommand -Uri <String[]> [-Method <String>] [-ApiVersion <String>]
  • The -ApiVersion parameter accepts two values: v1.0 and Beta.
  • The -Method parameter is only available when searching by URI and accepts HTTP methods such as GET, POST, PUT, PATCH and DELETE.

Example 1: Use a URI to get all related cmdlets:

Find-MgGraphCommand -Uri '/users/{id}'
   APIVersion: v1.0

Command       Module Method URI              OutputType           Permissions
-------       ------ ------ ---              ----------           -----------
Get-MgUser    Users  GET    /users/{user-id} IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementAp...
Remove-MgUser Users  DELETE /users/{user-id}                      {DeviceManagementApps.ReadWrite.All, DeviceManagem...
Update-MgUser Users  PATCH  /users/{user-id}                      {DeviceManagementApps.ReadWrite.All, DeviceManagem...


   APIVersion: beta

Command       Module Method URI              OutputType          Permissions
-------       ------ ------ ---              ----------          -----------
Get-MgUser    Users  GET    /users/{user-id} IMicrosoftGraphUser {DeviceManagementApps.Read.All, DeviceManagementApp...
Remove-MgUser Users  DELETE /users/{user-id}                     {DeviceManagementApps.ReadWrite.All, DeviceManageme...
Update-MgUser Users  PATCH  /users/{user-id}                     {DeviceManagementApps.ReadWrite.All, DeviceManageme...

Find Microsoft Graph PowerShell commands by command name

Example 2: To identify the permissions needed to run Get-MgUser, run the following command:

Find-MgGraphCommand -Command Get-MgUser
   APIVersion: v1.0

Command    Module Method URI              OutputType           Permissions
-------    ------ ------ ---              ----------           -----------
Get-MgUser Users  GET    /users           IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps....
Get-MgUser Users  GET    /users/{user-id} IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps....

   APIVersion: beta

Command    Module Method URI              OutputType          Permissions
-------    ------ ------ ---              ----------          -----------
Get-MgUser Users  GET    /users/{user-id} IMicrosoftGraphUser {DeviceManagementApps.Read.All, DeviceManagementApps.R...
Get-MgUser Users  GET    /users           IMicrosoftGraphUser {DeviceManagementApps.Read.All, DeviceManagementApps.R...

The two lines denote a request for a specific user and a general request for users. To see the required permissions for the general request in more detail run the following command:

Find-MgGraphCommand -command Get-MgUser | Select -First 1 -ExpandProperty Permissions
Name                                         IsAdmin Description
----                                         ------- -----------
DeviceManagementApps.Read.All                True    Read Microsoft Intune apps
DeviceManagementApps.ReadWrite.All           True    Read and write Microsoft Intune apps
DeviceManagementConfiguration.Read.All       True    Read Microsoft Intune Device Configuration
DeviceManagementConfiguration.ReadWrite.All  True    Read and write Microsoft Intune Device
DeviceManagementManagedDevices.Read.All      True    Read devices Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All True    Read and write Microsoft Intune devices
DeviceManagementServiceConfig.Read.All       True    Read Microsoft Intune configuration
DeviceManagementServiceConfig.ReadWrite.All  True    Read and write Microsoft Intune configuration
Directory.Read.All                           True    Read directory data
Directory.ReadWrite.All                      True    Read and write directory data
User.Read.All                                True    Read all users' full profiles
User.ReadBasic.All                           False   Read all users' basic profiles
User.ReadWrite.All                           True    Read and write all users' full profiles

As you’ll notice, the permissions include various Intune permissions on top of the User and Directory permissions. You may not need those permissions when querying a standard user using the Get-MgUser command.

Also, some of the listed permissions are subsets that you can skip (e.g., Directory.ReadWrite.All includes Directory.Read.All).
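
The following is an added example, not part of the original post, that turns the permission list above into a short set of candidate scopes and requests only one of them. Get-ScopeCandidate and its -Prefix parameter are hypothetical names, and the choice of the User and Directory families is an assumption about the task.

```powershell
# Added example, not from the original post.
# Get-ScopeCandidate and -Prefix are hypothetical names used for illustration.
function Get-ScopeCandidate {
    param(
        [Parameter(Mandatory)][string]$Command,
        [string]$ApiVersion = 'v1.0',
        # Assumption: only these permission families are relevant to the task
        [string[]]$Prefix = @('User', 'Directory')
    )

    # One row per URI the cmdlet can call; each row carries a Permissions list
    $rows  = @(Find-MgGraphCommand -Command $Command -ApiVersion $ApiVersion)
    $perms = @($rows.Permissions | Where-Object { $_ } | Sort-Object Name -Unique)
    if (-not $perms) {
        # Not every cmdlet has permission data available yet
        Write-Warning "No permission data available for $Command ($ApiVersion)."
        return
    }

    # A cmdlet that only issues GET requests does not need a ReadWrite scope
    if (-not ($rows.Method | Where-Object { $_ -ne 'GET' })) {
        $perms = @($perms | Where-Object { $_.Name -notmatch 'ReadWrite' })
    }

    # Scopes already present in the current session (empty if not connected)
    $held = @((Get-MgContext).Scopes)

    # Non-admin scopes sort first, then alphabetically
    $perms |
        Where-Object { ($_.Name -split '\.')[0] -in $Prefix } |
        Sort-Object IsAdmin, Name |
        Select-Object Name, IsAdmin, Description,
            @{ Name = 'InSession'; Expression = { $_.Name -in $held } }
}

# Review the candidates before requesting anything
$candidates = Get-ScopeCandidate -Command Get-MgUser
$candidates | Format-Table -AutoSize

if (-not ($candidates | Where-Object InSession)) {
    # User.Read.All comes from the permission list shown above
    Connect-MgGraph -Scopes 'User.Read.All'
}
Get-MgUser -Top 5 | Select-Object DisplayName, UserPrincipalName
```

With the default session shown earlier (openid, profile, User.Read, email), no candidate is in the session, so the script reconnects with the single read scope instead of a ReadWrite or Intune scope.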

Find Microsoft Graph PowerShell commands using a command wildcard

Example 3: Search for commands using a command wildcard

Find-MgGraphCommand -Command .*UserToDo.* -APIVersion 'v1.0'
APIVersion: v1.0

Command                          Module          Method URI
-------                          ------          ------ ---
Get-MgUserTodoList               Users           GET    /users/{user-id}/todo/lists/{todoTaskList-id}
Get-MgUserTodoList               Users           GET    /users/{user-id}/todo/lists
Get-MgUserTodoListDelta          Users.Functions GET    /users/{user-id}/todo/lists/delta
Get-MgUserTodoListExtension      Users           GET    /users/{user-id}/todo/lists/{todoTaskList-id}/extensions/{ex...
Get-MgUserTodoListExtension      Users           GET    /users/{user-id}/todo/lists/{todoTaskList-id}/extensions
Get-MgUserTodoListTask           Users           GET    /users/{user-id}/todo/lists/{todoTaskList-id}/tasks/{todoTas...
Get-MgUserTodoListTask           Users           GET    /users/{user-id}/todo/lists/{todoTaskList-id}/tasks
Get-MgUserTodoListTaskAttachment Users           GET    /users/{user-id}/todo/lists/{todoTaskList-id}/tasks/{todoTas...
...

Find Microsoft Graph PowerShell commands using a URI wildcard

Example 4: Search for commands using URI wildcard

Find-MgGraphCommand -Uri ".*users.*" -Method 'Get' -ApiVersion 'v1.0'
   APIVersion: v1.0

Command                                                   Module                      Method URI
-------                                                   ------                      ------ ---
Export-MgUserDeviceAndAppManagementData                   Users.Functions             GET    /users/{user-id}/export...
Get-MgAllUserChatMessage                                  Users.Functions             GET    /users/{user-id}/chats/...
Get-MgDeviceAppMgtManagedEBookUserStateSummary            Devices.CorporateManagement GET    /deviceAppManagement/ma...
Get-MgDeviceAppMgtManagedEBookUserStateSummary            Devices.CorporateManagement GET    /deviceAppManagement/ma...
Get-MgDeviceAppMgtManagedEBookUserStateSummaryDeviceState Devices.CorporateManagement GET    /deviceAppManagement/ma...
Get-MgDeviceAppMgtManagedEBookUserStateSummaryDeviceState Devices.CorporateManagement GET    /deviceAppManagement/ma...
Get-MgDeviceAppMgtMobileAppConfigurationUserStatuses      Devices.CorporateManagement GET    /deviceAppManagement/mo...
Get-MgDeviceAppMgtMobileAppConfigurationUserStatuses      Devices.CorporateManagement GET    /deviceAppManagement/mo...

Find-MgGraphPermission

Additionally, you can use another Microsoft Graph cmdlet, Find-MgGraphPermission, to work out which permissions you need to perform an action. For example, run the command below to find the permissions related to user actions:

PS C:\> Find-MgGraphPermission user | select Id, Name

Id                                   Name
--                                   ----
0e263e50-5827-48a4-b97c-d940288653c7 Directory.AccessAsUser.All
ff91d191-45a0-43fd-b837-bd682c4a0b0f EAS.AccessAsUser.All
9769c687-087d-48ac-9cb3-c37dde652038 EWS.AccessAsUser.All
d04bb851-cb7c-4146-97c7-ca3e71baf56c IdentityRiskyUser.Read.All
e0a7cdbb-08b0-4697-8264-0069786e9674 IdentityRiskyUser.ReadWrite.All
2903d63d-4611-4d43-99ce-a33f3f52e343 IdentityUserFlow.Read.All
281892cc-4dbf-4e3a-b6cc-b21029bb4e82 IdentityUserFlow.ReadWrite.All
652390e4-393a-48de-9484-05f9b1212954 IMAP.AccessAsUser.All
d7b7f2d9-0f45-4ea1-9d42-e50810c06991 POP.AccessAsUser.All
...

Read more: How to Use Find-MgGraphPermission.
