The AAD Graph PowerShell SDK allowed you to use a client secret for the Application only ( Service Principal ) login flow – also known as the client_credentials grant flow. The documentation for the new Microsoft Graph PowerShell SDK does not tell you how to use a client secret but instead, uses the more secure certificate method for the flow: Use app-only authentication with the Microsoft Graph PowerShell SDK |…
Read MoreRetrieve Schema Extension Values for Devices from PowerShell
You can create complex schema extension properties for devices and then retrieve those specific properties from PowerShell. This blog post will walk you through how to do this. I created an app registration in my tenant to be the owner of my device schema extension following these instructions but for devices: Add custom data to groups using schema extensions – Microsoft Graph | Microsoft Docs One thing to point out…
Read MoreHow to get and update Directory Schema Extension Attributes with the Microsoft Graph .Net SDK
Microsoft Graph Directory Schema Extensions are a convenient way to store additional data on certain objects such as users or groups. You can read about them here. This blog post is assuming you have already registered an extension and now you’re looking to be able to retrieve the extension and values for a user ( I will use a user object as an example ) or update the value using…
Read MoreUse the Microsoft.Graph PowerShell SDK to get a list of Devices that do not have BitLocker Recovery Keys
As you may be aware, the AzureAD powershell module is being deprecated at the end of the year along with the AD Graph endpoint. As a result, all customers need to migrate their code to the Microsoft Graph endpoint. This blog post will show you how to use the Microsoft.Graph PowerShell module to get a list of devices that do not have a BitLocker Recovery key in Azure. This would…
Read MorePython Scripts may be detected as web-crawler when making Microsoft Graph requests.
Sometimes, a python script that is making Microsoft Graph requests may be detected by the gateway as a web-crawler if you are using a pool manager and block the request. The error will look similar to this: {‘error’: {‘code’: ‘UnknownError’, ‘message’: ‘\r\n403 Forbidden\r\n\r\n 403 Forbidden \r\n Microsoft-Azure-Application-Gateway/v2 \r\n\r\n\r\n’, ‘innerError’: {‘date’: ‘{UTC Date/Time}’, ‘request-id’: ‘{guid}’, ‘client-request-id’: ‘{guid}’}}} To overcome this issue the easiest way is to use the MS Graph SDK…
Read MoreDownload the user signInActivity from the beta endpoint using Microsoft Graph Powershell module.
You can use the Microsoft Graph Powershell module to download last sign in date / time for users from the Beta endpoint ( the signInActivity is currently not available in v1.0 ) and save the list to a .csv file. You must have the Microsoft Graph powershell module installed. This document will help you get started. My powershell script:
Read MoreUsers unable to lookup other users in the MS Graph Users endpoint
The Microsoft Graph endpoint is how you can interact programmatically with your tenant data. One of the most common scenarios is a MS Graph request to look up a user or users in the tenant. If you’re using delegated permissions in your access token, for a user to look up another user, the access token will need the delegated permission of User.Read.All However, there are ways to prevent users from…
Read MoreUsing the Application.ReadWrite.OwnedBy API permission
You have an application, when authenticated, and you want to be able to update its own properties such as the Client Secret or Certificate. The Application.ReadWrite.OwnedBy allows the application to manage applications in which it is a owner of. Otherwise meaning if you want to update its own properties, it would be have to an owner of itself. You can do this using the Microsoft Graph API: For more information…
Read MoreWhy do I sometimes get a 404 when trying to update an Azure Directory object after I just created it?
Azure AD is a distributed computing system which means, all of the data must be duplicated to the various data centers. You can read about the architecture of Azure here. We occasionally see a case where a customer is using Microsoft Graph to programmatically create a user, group, application, etc. and getting the object id back from that request and then using that id to do some kind of management…
Read MoreMicrosoft Graph: Why you cannot call the “me” endpoint with a token acquired via the client credentials grant flow
Introduction Microsoft Graph has a couple of primary ways you can get information about a user in Azure AD. This not only includes things like the user attributes but also groups the user is a member of, access to mail, and etc. Each endpoint does require specific permissions but generally speaking, a user can get the basic information about him/herself via the “me” endpoint. The “me” endpoint From our docs…
Read More