The Microsoft Graph PowerShell SDK application requires users to have domain knowledge of both the semantics and syntax of Microsoft Graph API permissions used to authorize access to the API.
Currently, PowerShell commands and scripts, including those implemented with Microsoft Graph PowerShell SDK itself, have no way of validating user input that refers to permissions or providing “auto-complete” user experiences to help users accurately supply input to commands.
Least Permission Model
Permission handling differs significantly between the Entra ID PowerShell module and the Microsoft Graph PowerShell SDK. When you sign in using the Connect-AzureAD cmdlet, you can use all the administrative permissions owned by the account you sign in with. However, the Graph SDK operates on a least permission model, which means that you must request permissions to perform actions, even when connecting with a highly-permissioned account.
As you can see in the example below, even when we're connected to Microsoft Graph using a global admin account, we still cannot get the list of accounts in our tenant.
PS C:\> Connect-MgGraph
Welcome to Microsoft Graph!
PS C:\> Get-MgUser
Get-MgUser : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2023-08-28T13:13:28
PS C:\> Get-MgContext
ClientId : 14d82eec-204b-4c2f-b7e8-296a70dab67e
TenantId : c032627b-6715-4e39-9990-bcf48ee5e0c5
Scopes : {openid, profile, User.Read, email}
AuthType : Delegated
TokenCredentialType : InteractiveBrowser
CertificateThumbprint :
CertificateSubjectName :
Account : [email protected]
AppName : Microsoft Graph Command Line Tools
ContextScope : CurrentUser
Certificate :
PSHostVersion : 5.1.22621.169
ManagedIdentityId :
ClientSecret :
Environment : Global
The question then arises how to find the Microsoft Graph API permissions necessary to perform an action. The SDK includes two cmdlets to help developers figure out what permissions they need to perform actions.
- Find-MgGraphPermission: Lists the delegated and application permissions for different actions.
- Find-MgGraphCommand: Lists the cmdlets available to interact with different types of objects, including the required permissions. The cmdlet works by taking the URI for an object to find the available commands.
Find permissions related to a given domain
For instance, let’s assume that we want to interact with organization information stored in Entra ID. We could start by running the Find-MgGraphPermission cmdlet:
Find-MgGraphPermission organization | `
Where-Object {$_.PermissionType -eq "Application"} | Format-List Name, Description
Name : Organization.Read.All
Description : Allows the app to read the organization and related resources, without a signed-in user. Related resources include
things like subscribed skus and tenant branding information.
Name : Organization.ReadWrite.All
Description : Allows the app to read and write the organization and related resources, without a signed-in user. Related resources
include things like subscribed skus and tenant branding information.
From the output, it’s obvious that we should use the Organization.Read.All permission to read organization information (like the tenant name and identifier), and Organization.ReadWrite.All should we need to update a writeable setting.
As another example, here's the truncated output for the Group.ReadWrite.All permission, which is needed to update the properties of Entra ID groups, including Microsoft 365 groups.
Find-MgGraphPermission group | `
Where-Object {$_.PermissionType -eq "Delegated"} | Format-List Name, Description
...
Name : Group.ReadWrite.All
Description : Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user.
Additionally allows group owners to manage their groups and allows group members to update group content.
...
You could try a modified version of the commands to see what permissions are needed to interact with Users, Groups, Entra ID (Directory), Apps (Application), and so on.
Find the permissions related to application.
Find-MgGraphPermission application
PermissionType: Delegated
Id Consent Name
-- ------- ----
c79f8feb-a9db-4090-85f9-90d820caa0eb Admin Application.Read.All
bdfbf15f-ee85-4955-8675-146e8e5296b5 Admin Application.ReadWrite.All
b27add92-efb2-4f16-84f5-8108ba77985c Admin Policy.ReadWrite.ApplicationConfiguration
Find the permissions related to teams (Microsoft Teams).
PS C:\> Find-MgGraphPermission teams
PermissionType: Delegated
Id Consent Name
-- ------- ----
0e755559-83fb-4b44-91d0-4cc721b9323e User TeamsActivity.Read
7ab1d787-bae7-4d5d-8db6-37ea32df9186 User TeamsActivity.Send
daef10fc-047a-48b0-b1a5-da4b5e72fabc User TeamsApp.Read
9127ba42-f79f-43b1-be80-f23ecd42377e Admin TeamsApp.Read.All
2a5addc2-4d9e-4d7d-8527-5215aec410f3 User TeamsApp.ReadWrite
d3f0af02-b22d-4778-a433-14f7e3f2e1e2 Admin TeamsApp.ReadWrite.All
bf3fbf03-f35f-4e93-963e-47e4d874c37a User TeamsAppInstallation.ReadForChat
5248dcb1-f83b-4ec3-9f4d-a4428a961a72 Admin TeamsAppInstallation.ReadForTeam
c395395c-ff9a-4dba-bc1f-8372ba9dca84 User TeamsAppInstallation.ReadForUser
aa85bf13-d771-4d5d-a9e6-bca04ce44edf Admin TeamsAppInstallation.ReadWriteForChat
2e25a044-2580-450d-8859-42eeb6e996c0 Admin TeamsAppInstallation.ReadWriteForTeam
093f8818-d05f-49b8-95bc-9d2a73e9a43c Admin TeamsAppInstallation.ReadWriteForUser
0ce33576-30e8-43b7-99e5-62f8569a4002 Admin TeamsAppInstallation.ReadWriteSelfForChat
0f4595f7-64b1-4e13-81bc-11a249df07a9 Admin TeamsAppInstallation.ReadWriteSelfForTeam
207e0cb1-3ce7-4922-b991-5a760c346ebc User TeamsAppInstallation.ReadWriteSelfForUser
48638b3c-ad68-4383-8ac4-e6880ee6ca57 Admin TeamSettings.Read.All
39d65650-9d3e-4223-80db-a335590d027e Admin TeamSettings.ReadWrite.All
a9ff19c2-f369-4a95-9a25-ba9d460efc8e Admin TeamsTab.Create
59dacb05-e88d-4c13-a684-59f1afc8cc98 Admin TeamsTab.Read.All
b98bfd41-87c6-45cc-b104-e2de4f0dafb9 Admin TeamsTab.ReadWrite.All
ee928332-e9c2-4747-b4a0-f8c164b68de6 Admin TeamsTab.ReadWriteForChat
c975dd04-a06e-4fbb-9704-62daad77bb49 Admin TeamsTab.ReadWriteForTeam
c37c9b61-7762-4bff-a156-afc0005847a0 User TeamsTab.ReadWriteForUser
Find the permissions related to mail (Exchange Online).
PS C:\> Find-MgGraphPermission mail
PermissionType: Delegated
Id Consent Name
-- ------- ----
64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0 User email
570282fd-fa5c-430d-a7fd-fc8dc98a9dca User Mail.Read
7b9103a5-4610-446b-9670-80643382c1fa User Mail.Read.Shared
a4b8392a-d8d1-4954-a029-8e668a39a170 User Mail.ReadBasic
024d486e-b451-40bb-833d-3e66d98c5c73 User Mail.ReadWrite
5df07973-7d5d-46ed-9847-1271055cbd51 User Mail.ReadWrite.Shared
e383f46e-2787-4529-855e-0e479a3ffac0 User Mail.Send
a367ab51-6b49-43bf-a716-a1fb06d2a174 User Mail.Send.Shared
87f447af-9fa4-4c32-9dfa-4a57a73d18ce User MailboxSettings.Read
818c620a-27a9-40bd-a6a5-d96f7d610b4b User MailboxSettings.ReadWrite
Find the permissions related to site (Sharepoint Online and OneDrive for Business).
PS C:\> Find-MgGraphPermission site
PermissionType: Delegated
Id Consent Name
-- ------- ----
5a54b8b3-347c-476d-8f8e-42d5c7424d29 Admin Sites.FullControl.All
65e50fdc-43b7-4915-933e-e8138f11f40a User Sites.Manage.All
205e70e5-aba6-4c52-a976-6d2d46c48043 User Sites.Read.All
89fe6a52-be36-487e-b7d8-d061c450a026 User Sites.ReadWrite.All
Find the permissions related to device.
PS C:\> Find-MgGraphPermission device
PermissionType: Delegated
Id Consent Name
-- ------- ----
bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804 User Device.Command
11d4cd79-5ba5-460f-803f-e22c8ab85ccd User Device.Read
951183d1-1a61-466f-a6d1-1fde911bfd95 Admin Device.Read.All
4edf5f54-4666-44af-9de9-0144fb4b6e8c Admin DeviceManagementApps.Read.All
7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af Admin DeviceManagementApps.ReadWrite.All
f1493658-876a-4c87-8fa7-edb559b3476a Admin DeviceManagementConfiguration.Read.All
0883f392-0a7a-443d-8c76-16a6d39c7b63 Admin DeviceManagementConfiguration.ReadWrite.All
3404d2bf-2b13-457e-a330-c24615765193 Admin DeviceManagementManagedDevices.PrivilegedOperations.All
314874da-47d6-4978-88dc-cf0d37f0bb82 Admin DeviceManagementManagedDevices.Read.All
44642bfe-8385-4adc-8fc6-fe3cb2c375c3 Admin DeviceManagementManagedDevices.ReadWrite.All
49f0cc30-024c-4dfd-ab3e-82e137ee5431 Admin DeviceManagementRBAC.Read.All
0c5e8a55-87a6-4556-93ab-adc52c4d862d Admin DeviceManagementRBAC.ReadWrite.All
8696daa5-bce5-4b2e-83f9-51b6defc4e1e Admin DeviceManagementServiceConfig.Read.All
662ed50a-ac44-4eef-ad86-62eed9be2a29 Admin DeviceManagementServiceConfig.ReadWrite.All
40b534c3-9552-4550-901b-23879c90bcf9 Admin Policy.ReadWrite.DeviceConfiguration
Find the identifier for a specific permission
Find-MgGraphPermission application.Read | Format-List
Id : c79f8feb-a9db-4090-85f9-90d820caa0eb
PermissionType : Delegated
Consent : Admin
Name : Application.Read.All
Description : Allows the app to read applications and service principals on behalf of the signed-in user.
Id : bdfbf15f-ee85-4955-8675-146e8e5296b5
PermissionType : Delegated
Consent : Admin
Name : Application.ReadWrite.All
Description : Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in
user. Does not allow management of consent grants.
Id : 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30
PermissionType : Application
Consent : Admin
Name : Application.Read.All
Description : Allows the app to read all applications and service principals without a signed-in user.
Id : 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9
PermissionType : Application
Consent : Admin
Name : Application.ReadWrite.All
Description : Allows the app to create, read, update and delete applications and service principals without a signed-in user.
Does not allow management of consent grants.
Id : 18a4783c-866b-4cc7-a460-3d5e5662c884
PermissionType : Application
Consent : Admin
Name : Application.ReadWrite.OwnedBy
Description : Allows the app to create other applications, and fully manage those applications (read, update, update application
secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of.
Find-MgGraphCommand
Additionally, you can use another Microsoft Graph cmdlet, Find-MgGraphCommand, to retrieve the permissions related to a given cmdlet. For example, to find the permissions required to run the Get-MgUser cmdlet:
(Find-MgGraphCommand Get-MgUser).Permissions
Name IsAdmin Description
---- ------- -----------
DeviceManagementApps.Read.All True Read Microsoft Intune apps
DeviceManagementApps.ReadWrite.All True Read and write Microsoft Intune apps
DeviceManagementConfiguration.Read.All True Read Microsoft Intune Device
...
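The following is an added example, not code from the original post, that puts Find-MgGraphCommand and Get-MgContext together: for the cmdlets a script calls, it ranks the candidate scopes (user-consent and read-only first) and flags which of them the current session already holds, so a 403 can be predicted before the script runs. It assumes the Microsoft.Graph SDK is installed; the Get-ScopeReport function and the cmdlet list are constructed for illustration.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph SDK is
# installed. Get-MgContext returns $null when there is no session, which the
# report treats as "no scopes held".

function Get-ScopeReport {
    param([string[]] $Cmdlets)   # the cmdlets a script calls

    # Every permission the SDK lists for each cmdlet (v1.0 endpoints only).
    $Candidates = foreach ($Cmdlet in $Cmdlets) {
        Find-MgGraphCommand -Command $Cmdlet -ApiVersion 'v1.0' |
            Select-Object -ExpandProperty Permissions |
            Select-Object @{n='Cmdlet';e={$Cmdlet}}, Name, IsAdmin -Unique
    }

    # Rank per cmdlet: write/full-control scopes last, admin-consent scopes after
    # user-consent ones. The top entry is the starting point for a least-privilege
    # choice; whether it actually covers the call (e.g. User.Read only reads the
    # signed-in user's own object) still has to be checked against the Graph docs.
    $Ranked = $Candidates | Sort-Object Cmdlet,
        @{e={ $_.Name -match '\.ReadWrite' -or $_.Name -match 'FullControl' }},
        IsAdmin, Name

    # Scopes of the current session, if any (see Get-MgContext output above).
    $Held = (Get-MgContext).Scopes
    $Ranked | Select-Object Cmdlet, Name, IsAdmin,
        @{n='HeldBySession'; e={ $Held -contains $_.Name }}
}

# Constructed sample: a reporting script that lists users and group members.
$Report = Get-ScopeReport -Cmdlets @('Get-MgUser', 'Get-MgGroupMember')
$Report | Format-Table -GroupBy Cmdlet -AutoSize

# Any cmdlet for which the session holds none of the listed scopes will fail
# with "Insufficient privileges" (403), exactly as in the Get-MgUser example.
$Report | Group-Object Cmdlet |
    Where-Object { -not ($_.Group.HeldBySession -contains $true) } |
    ForEach-Object { "$($_.Name): no matching scope in the current session" }
```

Reconnect with only the scopes the report shows as needed (Connect-MgGraph -Scopes ...) rather than requesting broad ReadWrite or admin-consent scopes by default.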
Read more: How to Use Find-MgGraphCommand cmdlet.
Manage Microsoft 365 Using Microsoft Graph
You can also take a look at the following Microsoft Graph posts that help to manage Microsoft 365 efficiently.
- Create a new user
- Create bulk users in Microsoft 365
- Get a list of all users in Microsoft 365
- Update user properties
- Add a user to a group
- Add bulk users to a group
- Remove users from a group
- Remove multiple users from a group
- Assign managers for Microsoft 365 users
- Assign licenses to users
- Removing licenses from user accounts
- Delete a user from Microsoft 365
- How to use Get-MgUser cmdlet