GRAPH API Authentication with App Registration

The Graph API has become one of the main tools for managing and reporting on M365 environments. Getting data via the Graph API has many advantages, but the most important one for me is that in many cases there is no other way to get certain data into an automated report.

In my eyes the Graph documentation is a pretty good source of information on what you can query and how, but most admins stop because they do not know how to start.

Here I will explain only one way this can be done. We will use PowerShell to get an authentication token and make queries to the Graph API.

First, we need to register an App Registration in Azure AD.

An App Registration can be used to authenticate, that is, to obtain an authentication token which is later used to fetch data via the Graph API. It is like a user object with a username and password, except that it is an app registration object with a client ID and a client secret 🙂

Step 1. Go to Azure AD -> App registrations -> New registration

Step 2. Enter the required data and click Register at the bottom of the page.

Now you will be able to see your Application (client) ID. Copy it somewhere, as you will need it.

Step 3. Create a new client secret by going to the Certificates & secrets menu -> New client secret

Enter a Description and an Expiration setting here, then click Add.

Copy the secret Value now, as it will not be visible later. If you did not copy the value, no worries, you can always create a new client secret.

Granting Permissions to an App Registration

After we have registered the app, we need to assign it the permissions it needs.

Go to API Permissions -> Add a permission -> Microsoft Graph

On the next screen select Application permissions.

Now you will see a list of permissions, and you will need to find the ones that suit your needs. In this example I will select Directory.ReadWrite.All, which is a really powerful permission. In the end you need to follow the least-privilege principle.

Now you need to grant consent:

Now that we have the Client ID, Client secret and permissions granted, we can obtain an authentication token and make our first query to the Graph API.

Prerequisite!

Install Microsoft.ADAL.PowerShell

https://www.powershellgallery.com/packages/Microsoft.ADAL.PowerShell/1.12

You can install this module by running the following command in PowerShell:

Install-Module -Name Microsoft.ADAL.PowerShell

Then you can run the following PowerShell code to obtain an authentication token that will be used in the queries (you can find the Tenant ID in Azure Active Directory -> Properties -> Tenant ID):


Import-Module Microsoft.ADAL.PowerShell
$tenantID = "ENTER YOUR TENANT ID"
$authString = "https://login.microsoftonline.com/$tenantID"
$appId = "ENTER YOUR APP ID"
$appSecret = "ENTER YOUR APP SECRET"
# This part uses the ADAL classes to obtain the security token for our operations against the Graph API
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential" -ArgumentList $appId, $appSecret
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authString
$context = $authContext.AcquireTokenAsync("https://graph.microsoft.com/", $creds).Result
$token = $context.AccessToken
# Build the headers that every Graph request will carry
Function Get-Headers {
    param( $token )
    Return @{
        "Authorization" = ("Bearer {0}" -f $token);
        "Content-Type"  = "application/json";
    }
}
$headers = Get-Headers -token $token

Once we have the authentication token in the header, we can make our first query.

In this query we will get all users.

Here is the PowerShell code:

$GetAllUsers = "https://graph.microsoft.com/beta/users"
$myReport = Invoke-WebRequest -UseBasicParsing -Headers $headers -Uri $GetAllUsers
$convertedReport = ($myReport.Content | ConvertFrom-Json).value
$convertedReport | Select-Object UserPrincipalName

Explanation:

$GetAllUsers is the endpoint (URL) that we query.

$myReport actually invokes the API query and holds the response, whose Content is JSON.

$convertedReport holds the Content attribute converted from JSON.

$convertedReport | Select-Object UserPrincipalName just selects the UPN attribute.
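The following is an added example, not code from the original post. It performs the same two steps (get a token for the app registration, then list users) but requests the token directly from the OAuth2 client-credentials endpoint with Invoke-RestMethod, so no ADAL module is needed (Microsoft no longer supports ADAL). It also adds two things a practitioner will want that the post's snippet does not show: it decodes the token's payload to confirm the consented application permission is really present before querying (listing users needs only User.Read.All, so the check accepts that as well as the Directory.ReadWrite.All used above), and it follows @odata.nextLink, because /users is returned in pages and reading only the first page silently truncates the report. The tenant and app IDs are placeholders; the secret is assumed to come from the environment variable GRAPH_CLIENT_SECRET rather than being written into the script.

```powershell
# Added example (not the original post's code): OAuth2 client-credentials token
# request plus a paged /users query. Assumptions: the app registration from the
# post exists, GRAPH_CLIENT_SECRET holds its client secret, and the two IDs
# below are placeholders you replace.

$tenantId  = "ENTER YOUR TENANT ID"
$appId     = "ENTER YOUR APP ID"
$appSecret = $env:GRAPH_CLIENT_SECRET   # keep the secret out of the script file

if (-not $appSecret) { throw "Set GRAPH_CLIENT_SECRET before running." }

# 1. Client-credentials token request against the v2.0 token endpoint.
$tokenUri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $appId
    client_secret = $appSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body `
    -ContentType "application/x-www-form-urlencoded"
$token = $tokenResponse.access_token

# 2. Decode the JWT payload (no signature check here; Graph validates the token)
#    to confirm the application permission we rely on was granted and consented.
function Get-JwtPayload {
    param([string] $Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {   # restore base64 padding stripped by base64url
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}
$claims = Get-JwtPayload -Jwt $token
if ($claims.roles -notcontains "User.Read.All" -and
    $claims.roles -notcontains "Directory.ReadWrite.All") {
    throw "Token carries roles [$($claims.roles -join ', ')]; a user-read permission is missing or not consented."
}

# 3. Page through /users following @odata.nextLink; one page is not the directory.
$headers  = @{ Authorization = "Bearer $token" }
$uri      = "https://graph.microsoft.com/v1.0/users?`$select=userPrincipalName,accountEnabled&`$top=999"
$allUsers = @()
while ($uri) {
    $page      = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $allUsers += $page.value
    $uri       = $page.'@odata.nextLink'
}
"Retrieved $($allUsers.Count) users"
$allUsers | Select-Object userPrincipalName, accountEnabled
```

Run it in a PowerShell session where GRAPH_CLIENT_SECRET is set. The roles check is cheap insurance: a token is issued even when admin consent was never granted, and the first sign is otherwise a 403 from Graph.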

Here is how it looks on my end:

That's it. If you have any questions or need help, please do not hesitate to contact me and I will try to help you.

Thanks for reading this article!
