11 Jul 2021

Hello world for Azure Graph (PowerShell)

When I need a quick PowerShell example to make sure I have configured the hosting/infrastructure/egress-allow correctly, I use this small script.

To set it up in Azure I go to “app registrations” and click through the defaults for a new registration. I grant it Directory.Read.All as an app permission. Then I create a secret. You’ll see each of these configuration options in the UI for app registrations (“Certificates and Secrets” and “App Permissions”).

Then, based on this new configuration, I create the three environment variables you see below, the first three things used in this small script. The hosting platform will have its own approach to configuring environment variables, and this is a good way to test that you’ve figured it out.

# Get env variables
$TenantId = (Get-Item -Path Env:TenantId).Value
$ClientId = (Get-Item -Path Env:ClientId).Value
$ClientSecret = (Get-Item -Path Env:ClientSecret).Value

# Request Body for auth
$Body = @{
    'tenant' = $TenantId
    'client_id' = $ClientId
    'scope' = 'https://graph.microsoft.us/.default'
    'client_secret' = $ClientSecret
    'grant_type' = 'client_credentials'
}

# Auth Params including request body from above.
$Params = @{
    'Uri' = "https://login.microsoftonline.us/$TenantId/oauth2/v2.0/token"
    'Method' = 'Post'
    'Body' = $Body
    'ContentType' = 'application/x-www-form-urlencoded'
}

# Request an app-only access token (client credentials flow)
$Response = Invoke-RestMethod @Params

# Bearer token header for the Graph call
$Headers = @{
    'Authorization' = "Bearer $($Response.access_token)"
}

# List users to confirm the token and permission work
$Result = Invoke-RestMethod -Uri 'https://graph.microsoft.us/v1.0/users' -Headers $Headers

Write-Host $Result.value
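
An added check, not part of the original post: decoding the token's payload shows whether the app registration's permission and audience came through, which helps separate a registration mistake from a hosting or egress problem. The function names, the constructed sample token and the expected `aud` value are assumptions; the signature is not verified, so this is a diagnostic only.

```powershell
# Decode the payload (second segment) of a JWT. Diagnostic only: no signature check.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 dot-separated JWT segments, got $($parts.Count)" }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length in JWT payload' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

# Report whether the token carries the app role and audience the script expects.
# The default audience is an assumption based on the scope used in the post.
function Test-GraphAppToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$RequiredRole = 'Directory.Read.All',
        [string]$ExpectedAudience = 'https://graph.microsoft.us'
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    [pscustomobject]@{
        Audience   = $claims.aud
        Roles      = @($claims.roles)
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
        AudienceOk = ($claims.aud -eq $ExpectedAudience)
        RoleOk     = (@($claims.roles) -contains $RequiredRole)
    }
}

# Constructed sample token (made-up values, dummy signature) so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$samplePayload = '{"aud":"https://graph.microsoft.us","roles":["Directory.Read.All"],"exp":1893456000}'
$sampleHeader = '{"alg":"RS256","typ":"JWT"}'
$sampleToken = (ConvertTo-Base64Url $sampleHeader), (ConvertTo-Base64Url $samplePayload), 'constructed' -join '.'

Test-GraphAppToken -Token $sampleToken
# With the script above, pass the real token: Test-GraphAppToken -Token $Response.access_token
```

If `RoleOk` is false, the permission was not granted or not admin-consented; if the token request itself never returns, look at egress rules first.
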
Chad Duffey

Security Engineer