# LAB 01b: Finding Microsoft Graph Commands and Permissions

This lab will help you become familiar with using the `Find-MgGraphCommand` and `Find-MgGraphPermission` cmdlets to discover Microsoft Graph PowerShell commands and the permissions they require.

## Tasks

Using the `Find-MgGraphCommand` and `Find-MgGraphPermission` cmdlets, find the following information:

1. Find the Microsoft Graph PowerShell command that can be used to modify a group.
2. Find out which permissions are required to run that cmdlet.
3. Find a command that could retrieve the list of appRoleAssignments that have been granted to a service principal.
4. What is the identifier of the `Application.Read.All` permission that is required to run that command in an unattended script?

## Task 1: Find the Microsoft Graph PowerShell command that can be used to modify a group

You can search for commands by URI or by command name pattern.

```powershell
# Search for all commands with the noun -MgGroup using -Uri
Find-MgGraphCommand -Uri '*/groups/*'
```

```powershell
# We need to target the existing group that has an ID
Find-MgGraphCommand -Uri '/groups/{id}'
```

```powershell
# Filter by HTTP method to find PATCH operations
Find-MgGraphCommand -Uri '/groups/{id}' -Method PATCH
```

```powershell
# Alternatively, search by command pattern
Find-MgGraphCommand -Command '*mggroup*'
```

## Task 2: Find out which permissions are required to run that cmdlet

Once we've identified that `Update-MgGroup` is the command we're looking for, we can find the required permissions.

```powershell
# Method 1: Get permissions by URI
Find-MgGraphCommand -Uri '/groups/{id}' -Method PATCH -APIVersion v1.0 | Select-Object -ExpandProperty Permissions
```

```powershell
# Method 2: Get permissions by command name
# Pay attention to the `IsLeastPrivilege` property, which indicates whether the permission is a least privilege permission
Find-MgGraphCommand -Command Update-MgGroup | Select-Object -ExpandProperty Permissions | Format-List
```

## Task 3: Find a command that could retrieve the list of appRoleAssignments that have been granted to a service principal

We can search for commands related to service principals and app role assignments.

```powershell
# Search using wildcards in URI
Find-MgGraphCommand -Uri '/servicePrincipals/{id}/.*'
```

```powershell
# Narrow down the search to app-related endpoints
Find-MgGraphCommand -Uri '/servicePrincipals/{id}/app.*'
```

```powershell
# Get specific command for appRoleAssignments
Find-MgGraphCommand -Uri '/servicePrincipals/{servicePrincipal-id}/appRoleAssignments' -Method GET
```

```powershell
# Alternative approach using command name wildcards
# BUG: This command does not return the expected results. It should return the Beta commands, too.
Find-MgGraphCommand -Command get-mg*serviceprincipal*approleassignment | Format-List
```

```powershell
# Verify the command existence using Get-Command
Get-Command get-mg*servicePrincipal*appRoleAssignment*
```

## Task 4: Find the identifier of the Application.Read.All permission

For unattended scripts, application permissions are required. Let's find the identifier for the `Application.Read.All` permission.

```powershell
# Get the identifier for Application.Read.All application permission
Find-MgGraphPermission -SearchString Application.Read.All -ExactMatch -PermissionType Application
```
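
Tasks 2 and 4 combined, as an added example that is not part of the original lab: for a given cmdlet it lists each permission from the command metadata and resolves those that exist as application permissions to their identifiers, so an unattended script can be granted only the narrowest one. The function name `Get-MgAppPermissionId` and the output property names are assumptions made for this example.

```powershell
# Added example. Get-MgAppPermissionId is a hypothetical helper, not an SDK cmdlet.
function Get-MgAppPermissionId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Command,
        [ValidateSet('v1.0', 'beta')] [string] $ApiVersion = 'v1.0'
    )

    # Permissions listed in the SDK metadata for this cmdlet, grouped by name
    # because the same name can appear more than once.
    $groups = Find-MgGraphCommand -Command $Command -ApiVersion $ApiVersion |
        Select-Object -ExpandProperty Permissions |
        Group-Object -Property Name

    $rows = foreach ($group in $groups) {
        # Resolve the name to its application permission entry.
        # Names that exist only as delegated scopes return nothing and are skipped.
        $lookup = @{
            SearchString   = $group.Name
            ExactMatch     = $true
            PermissionType = 'Application'
            ErrorAction    = 'SilentlyContinue'
        }
        $appPermission = Find-MgGraphPermission @lookup
        if (-not $appPermission) { continue }

        [pscustomobject]@{
            Command          = $Command
            Permission       = $group.Name
            # True if any metadata entry with this name is flagged least privilege.
            IsLeastPrivilege = ($group.Group.IsLeastPrivilege -contains $true)
            Id               = $appPermission.Id
        }
    }

    # Least-privilege candidates first, then alphabetical.
    $rows | Sort-Object -Property @{ Expression = 'IsLeastPrivilege'; Descending = $true }, Permission
}

# Usage with the cmdlet identified in Task 1.
Get-MgAppPermissionId -Command Update-MgGroup | Format-Table -AutoSize
```

The `Id` column is the value to reference when assigning the application permission to an app registration; prefer a row where `IsLeastPrivilege` is true over broader permissions that also satisfy the call.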

## Summary

In this lab, you've learned how to:

1. Find Microsoft Graph PowerShell commands using URI patterns and command name patterns
2. Determine the required permissions for Microsoft Graph operations
3. Search for specific API endpoints and commands for service principal app role assignments
4. Find permission identifiers for use in application authentication scenarios

These skills are essential when working with Microsoft Graph PowerShell to manage Microsoft Entra ID resources.