Least Permission Model
With the Microsoft Graph PowerShell SDK, you need to connect to the Graph API with a scope. The scope denotes what permissions you’ll need to execute your commands during the session.
Permission handling differs significantly between the Entra ID PowerShell module and the Microsoft Graph PowerShell SDK. When you sign in using the Connect-AzureAD cmdlet, you can use all the administrative permissions owned by the account you sign in with. However, the Graph SDK operates on a least permission model, which means that you must request permissions to perform actions, even when connecting with a highly-permissioned account.
As you can see in the example below, even though we're connected to Microsoft Graph with a global admin account, we still cannot list the accounts in our tenant.
PS C:\> Connect-MgGraph
Welcome to Microsoft Graph!
PS C:\> Get-MgUser
Get-MgUser : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2023-08-28T13:13:28
PS C:\> Get-MgContext
ClientId : 14d82eec-204b-4c2f-b7e8-296a70dab67e
TenantId : c032627b-6715-4e39-9990-bcf48ee5e0c5
Scopes : {openid, profile, User.Read, email}
AuthType : Delegated
TokenCredentialType : InteractiveBrowser
CertificateThumbprint :
CertificateSubjectName :
Account : [email protected]
AppName : Microsoft Graph Command Line Tools
ContextScope : CurrentUser
Certificate :
PSHostVersion : 5.1.22621.169
ManagedIdentityId :
ClientSecret :
Environment : Global
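The fix for the session above is to request the scope you need when you connect. The following is an added example, not code from the original page: it wraps Connect-MgGraph in a helper that asks for an explicit scope list and then verifies, via Get-MgContext, that the session really carries every requested scope before any Graph cmdlet runs (consent can be partially denied, in which case the call would fail later with the same 403). The function name, the tenant placeholder and the User.Read.All scope are assumptions of this example; only the Microsoft.Graph.Authentication module is required.

```powershell
# Added example: connect with an explicit, minimal scope set and verify that
# the token actually carries it before running any Graph cmdlet.
function Connect-MgWithRequiredScopes {
    param(
        [Parameter(Mandatory)] [string[]] $Scopes,   # e.g. 'User.Read.All'
        [string] $TenantId                           # optional; placeholder value
    )

    $params = @{ Scopes = $Scopes; NoWelcome = $true }
    if ($TenantId) { $params.TenantId = $TenantId }
    Connect-MgGraph @params

    # Consent may be denied for some scopes; compare what we asked for with
    # what the session really has and refuse to continue on a partial grant.
    $granted = @((Get-MgContext).Scopes)
    $missing = @($Scopes | Where-Object { $granted -notcontains $_ })
    if ($missing.Count -gt 0) {
        Disconnect-MgGraph | Out-Null
        throw "Requested scope(s) not granted: $($missing -join ', ')"
    }
    return $granted
}

# Usage: request only read access to user profiles. With this scope the
# Get-MgUser call that failed above with the default scopes succeeds.
Connect-MgWithRequiredScopes -Scopes 'User.Read.All'
Get-MgUser -Top 5 | Select-Object DisplayName, UserPrincipalName
Disconnect-MgGraph | Out-Null
```

Get-MgContext lists the default scopes (openid, profile, email, User.Read) alongside whatever you requested, so the check compares against the requested list only; disconnecting on a partial grant keeps a half-consented session from lingering in the shell.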
But what permissions are you going to need? The easiest way to identify this is by using the Find-MgGraphCommand cmdlet.
Using Find-MgGraphCommand cmdlet
Find-MgGraphCommand aims to make it easier for you to discover which API path a command calls, by providing a URI or a command name. Find-MgGraphCommand allows you to:
- Pass a Microsoft Graph URL (relative and absolute) and get an equivalent Microsoft Graph PowerShell command.
- Pass a command and get the URL it calls.
- Pass a command or URI wildcard (.*) to find all commands that match it.
The output of this cmdlet also includes the permissions required to run the specified cmdlet. For more information on cmdlet permissions, see Using Find-MgGraphPermission. Not all cmdlets return their permissions yet; this is an ongoing feature and permissions will continue to be added.
Find Microsoft Graph PowerShell commands by URI
#Syntax
Find-MgGraphCommand -Uri <String[]> [-Method <String>] [-ApiVersion <String>]
- For the -ApiVersion parameter, there are two possible values: v1.0 and beta.
- The -Method parameter is only available when using a URI to find commands and accepts the HTTP methods GET, POST, PUT, PATCH and DELETE.
Example 1: Use a URI to get all related cmdlets:
Find-MgGraphCommand -Uri '/users/{id}'
APIVersion: v1.0
Command Module Method URI OutputType Permissions
------- ------ ------ --- ---------- -----------
Get-MgUser Users GET /users/{user-id} IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementAp...
Remove-MgUser Users DELETE /users/{user-id} {DeviceManagementApps.ReadWrite.All, DeviceManagem...
Update-MgUser Users PATCH /users/{user-id} {DeviceManagementApps.ReadWrite.All, DeviceManagem...
APIVersion: beta
Command Module Method URI OutputType Permissions
------- ------ ------ --- ---------- -----------
Get-MgUser Users GET /users/{user-id} IMicrosoftGraphUser {DeviceManagementApps.Read.All, DeviceManagementApp...
Remove-MgUser Users DELETE /users/{user-id} {DeviceManagementApps.ReadWrite.All, DeviceManageme...
Update-MgUser Users PATCH /users/{user-id} {DeviceManagementApps.ReadWrite.All, DeviceManageme...
Find Microsoft Graph PowerShell commands by command name
Example 2: To identify the permissions needed to run Get-MgUser, run the following command:
Find-MgGraphCommand -Command Get-MgUser
APIVersion: v1.0
Command Module Method URI OutputType Permissions
------- ------ ------ --- ---------- -----------
Get-MgUser Users GET /users IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps....
Get-MgUser Users GET /users/{user-id} IMicrosoftGraphUser1 {DeviceManagementApps.Read.All, DeviceManagementApps....
APIVersion: beta
Command Module Method URI OutputType Permissions
------- ------ ------ --- ---------- -----------
Get-MgUser Users GET /users/{user-id} IMicrosoftGraphUser {DeviceManagementApps.Read.All, DeviceManagementApps.R...
Get-MgUser Users GET /users IMicrosoftGraphUser {DeviceManagementApps.Read.All, DeviceManagementApps.R...
The two lines denote a request for a specific user and a general request for users. To see the required permissions for the general request in more detail run the following command:
Find-MgGraphCommand -command Get-MgUser | Select -First 1 -ExpandProperty Permissions
Name IsAdmin Description
---- ------- -----------
DeviceManagementApps.Read.All True Read Microsoft Intune apps
DeviceManagementApps.ReadWrite.All True Read and write Microsoft Intune apps
DeviceManagementConfiguration.Read.All True Read Microsoft Intune Device Configuration
DeviceManagementConfiguration.ReadWrite.All True Read and write Microsoft Intune Device
DeviceManagementManagedDevices.Read.All True Read devices Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All True Read and write Microsoft Intune devices
DeviceManagementServiceConfig.Read.All True Read Microsoft Intune configuration
DeviceManagementServiceConfig.ReadWrite.All True Read and write Microsoft Intune configuration
Directory.Read.All True Read directory data
Directory.ReadWrite.All True Read and write directory data
User.Read.All True Read all users' full profiles
User.ReadBasic.All False Read all users' basic profiles
User.ReadWrite.All True Read and write all users' full profiles
As you’ll notice, the permissions include various Intune permissions on top of the User and Directory permissions. You may not need those permissions when querying a standard user using the Get-MgUser command.
Also, some of the listed permissions overlap, so you can skip the broader ones (e.g., Directory.ReadWrite.All includes Directory.Read.All).
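The two observations above (unrelated Intune permissions in the list, and ReadWrite permissions that include their Read counterparts) can be turned into a selection rule. The following is an added example, not code from the original page or from the SDK: it feeds a list of cmdlet names through Find-MgGraphCommand, keeps only permissions from the families relevant to the cmdlets, drops ReadWrite permissions for cmdlets whose every API path is a GET, and prefers a permission that needs no admin consent (IsAdmin false) over one that does. The function name and the AllowedPrefix list are assumptions of this example; the Name and IsAdmin properties are the ones shown in the Permissions output above.

```powershell
# Added example: derive a least-privilege scope set for a list of cmdlets
# from Find-MgGraphCommand metadata (works offline, no connection needed).
function Get-MgLeastPrivilegeScope {
    param(
        [Parameter(Mandatory)] [string[]] $Command,
        [string] $ApiVersion = 'v1.0',
        # Permission families treated as relevant for the cmdlets passed in.
        # Anything outside them (e.g. the DeviceManagement* Intune permissions
        # listed for Get-MgUser) is ignored. This list is an assumption of the
        # example, not something the SDK provides.
        [string[]] $AllowedPrefix = @('User.', 'Directory.', 'Group.')
    )

    $chosen = foreach ($name in $Command) {
        $info = @(Find-MgGraphCommand -Command $name -ApiVersion $ApiVersion)
        if ($info.Count -eq 0) { Write-Warning "No metadata for $name"; continue }

        # A cmdlet is read-only only if every API path it calls uses GET.
        $readOnly = -not ($info.Method | Where-Object { $_ -ne 'GET' })

        # Not every cmdlet carries permissions yet; an empty list is handled below.
        $candidates = @($info.Permissions |
            Where-Object { $n = $_.Name; @($AllowedPrefix | Where-Object { $n.StartsWith($_) }).Count -gt 0 } |
            Sort-Object Name -Unique)

        # ReadWrite includes Read, so a read-only cmdlet never needs it.
        if ($readOnly) {
            $candidates = @($candidates | Where-Object { $_.Name -notlike '*ReadWrite*' })
        }

        # Least privilege first: no admin consent (IsAdmin $false sorts before
        # $true), then the most specific name, e.g. User.Read.All before
        # Directory.Read.All (shortest name is the tie-break used here).
        $pick = $candidates |
            Sort-Object -Property @{ Expression = 'IsAdmin' }, @{ Expression = { $_.Name.Length } } |
            Select-Object -First 1

        if ($pick) {
            [pscustomobject]@{ Command = $name; Scope = $pick.Name; AdminConsent = $pick.IsAdmin }
        }
        else {
            Write-Warning "No permission in the allowed families for $name"
        }
    }
    return $chosen
}

# Usage: plan the scopes for the cmdlets a script will call, review the plan,
# then connect with exactly those scopes. For Get-MgUser this picks
# User.ReadBasic.All (no admin consent); that returns only basic profile
# properties, so widen the choice if the script needs full profiles.
$plan = Get-MgLeastPrivilegeScope -Command 'Get-MgUser', 'Get-MgGroup'
$plan | Format-Table
Connect-MgGraph -Scopes ($plan.Scope | Sort-Object -Unique) -NoWelcome
```

The warnings matter as much as the result: a cmdlet with no permission metadata, or none in the allowed families, is exactly the case where you should look at the full Find-MgGraphCommand output by hand rather than let a script guess.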
Find Microsoft Graph PowerShell commands using a command wildcard
Example 3: Search for commands using a command wildcard
Find-MgGraphCommand -Command .*UserToDo.* -APIVersion 'v1.0'
APIVersion: v1.0
Command Module Method URI
------- ------ ------ ---
Get-MgUserTodoList Users GET /users/{user-id}/todo/lists/{todoTaskList-id}
Get-MgUserTodoList Users GET /users/{user-id}/todo/lists
Get-MgUserTodoListDelta Users.Functions GET /users/{user-id}/todo/lists/delta
Get-MgUserTodoListExtension Users GET /users/{user-id}/todo/lists/{todoTaskList-id}/extensions/{ex...
Get-MgUserTodoListExtension Users GET /users/{user-id}/todo/lists/{todoTaskList-id}/extensions
Get-MgUserTodoListTask Users GET /users/{user-id}/todo/lists/{todoTaskList-id}/tasks/{todoTas...
Get-MgUserTodoListTask Users GET /users/{user-id}/todo/lists/{todoTaskList-id}/tasks
Get-MgUserTodoListTaskAttachment Users GET /users/{user-id}/todo/lists/{todoTaskList-id}/tasks/{todoTas...
...
Find Microsoft Graph PowerShell commands using a URI wildcard
Example 4: Search for commands using URI wildcard
Find-MgGraphCommand -Uri ".*users.*" -Method 'Get' -ApiVersion 'v1.0'
APIVersion: v1.0
Command Module Method URI
------- ------ ------ ---
Export-MgUserDeviceAndAppManagementData Users.Functions GET /users/{user-id}/export...
Get-MgAllUserChatMessage Users.Functions GET /users/{user-id}/chats/...
Get-MgDeviceAppMgtManagedEBookUserStateSummary Devices.CorporateManagement GET /deviceAppManagement/ma...
Get-MgDeviceAppMgtManagedEBookUserStateSummary Devices.CorporateManagement GET /deviceAppManagement/ma...
Get-MgDeviceAppMgtManagedEBookUserStateSummaryDeviceState Devices.CorporateManagement GET /deviceAppManagement/ma...
Get-MgDeviceAppMgtManagedEBookUserStateSummaryDeviceState Devices.CorporateManagement GET /deviceAppManagement/ma...
Get-MgDeviceAppMgtMobileAppConfigurationUserStatuses Devices.CorporateManagement GET /deviceAppManagement/mo...
Get-MgDeviceAppMgtMobileAppConfigurationUserStatuses Devices.CorporateManagement GET /deviceAppManagement/mo...
Find-MgGraphPermission
Additionally, you can use another Microsoft Graph cmdlet to figure out which permissions you need to perform actions. For example, run the command below to find the permissions related to user actions:
PS C:\> Find-MgGraphPermission user | select Id, Name
Id Name
-- ----
0e263e50-5827-48a4-b97c-d940288653c7 Directory.AccessAsUser.All
ff91d191-45a0-43fd-b837-bd682c4a0b0f EAS.AccessAsUser.All
9769c687-087d-48ac-9cb3-c37dde652038 EWS.AccessAsUser.All
d04bb851-cb7c-4146-97c7-ca3e71baf56c IdentityRiskyUser.Read.All
e0a7cdbb-08b0-4697-8264-0069786e9674 IdentityRiskyUser.ReadWrite.All
2903d63d-4611-4d43-99ce-a33f3f52e343 IdentityUserFlow.Read.All
281892cc-4dbf-4e3a-b6cc-b21029bb4e82 IdentityUserFlow.ReadWrite.All
652390e4-393a-48de-9484-05f9b1212954 IMAP.AccessAsUser.All
d7b7f2d9-0f45-4ea1-9d42-e50810c06991 POP.AccessAsUser.All
...
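Searching with a substring, as above, returns every permission whose name contains "user"; before adding a scope to a connection it is more useful to look up the exact name and learn whether it exists as a delegated permission and whether an ordinary user can consent to it. The following is an added example, not code from the original page: it uses the -ExactMatch switch of Find-MgGraphPermission and the PermissionType and Consent properties of its output (these property names are as the cmdlet returns them in current module versions; confirm with Get-Member if your version differs). The function name and the sample scope names are assumptions of this example.

```powershell
# Added example: classify scopes before requesting them, so a script can tell
# delegated from application-only permissions and flag admin consent needs.
function Get-MgScopeConsentInfo {
    param([Parameter(Mandatory)] [string[]] $Scope)

    foreach ($name in $Scope) {
        # -ExactMatch avoids substring hits such as 'User.Read' matching User.Read.All
        $entries = @(Find-MgGraphPermission -SearchString $name -ExactMatch -ErrorAction SilentlyContinue)
        $delegated   = @($entries | Where-Object PermissionType -eq 'Delegated')
        $application = @($entries | Where-Object PermissionType -eq 'Application')

        # Consent is 'User' when an ordinary user may consent, 'Admin' otherwise.
        $adminConsent = $null
        $id = $null
        if ($delegated.Count -gt 0) {
            $adminConsent = ($delegated[0].Consent -ne 'User')
            $id = $delegated[0].Id
        }

        [pscustomobject]@{
            Scope           = $name
            Known           = ($entries.Count -gt 0)
            Delegated       = ($delegated.Count -gt 0)
            # Application-only permissions cannot be requested in a delegated session.
            ApplicationOnly = ($delegated.Count -eq 0 -and $application.Count -gt 0)
            AdminConsent    = $adminConsent
            DelegatedId     = $id
        }
    }
}

# Usage: the last name is a deliberately unknown placeholder, which shows
# up as Known = False instead of silently becoming a requested scope.
Get-MgScopeConsentInfo -Scope 'User.Read', 'User.ReadBasic.All', 'User.Read.All', 'Not.A.Permission' |
    Format-Table
```

Feeding the output of a helper like this into Connect-MgGraph only for rows where Delegated is true and AdminConsent is false gives a non-admin operator a scope list that will actually be consentable, instead of a sign-in that fails at the consent prompt.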
Read more: How to Use Find-MgGraphPermission.