Microsoft Graph PowerShell

Consume Microsoft Graph resources directly from your PowerShell scripts

API Documentation | SDK Documentation

The Microsoft Graph PowerShell SDK is made up of a set of modules that enable you to interact with the Microsoft Graph API using PowerShell commands. The modules consist of commands that act as wrappers for the API, allowing you to access all the features and functionality of the API through PowerShell.

Modules | Getting Started | API Version | Notes | Troubleshooting | Known Issues | Feedback | License

Modules

The table below contains links to our latest and preview versions of the Microsoft Graph module. The meta modules will install all the service modules as their dependencies.

Module	Latest	Preview
Microsoft.Graph		-
Microsoft.Graph.Beta		-

See Microsoft Graph PowerShell modules for a list of all modules supported by this repository.

Getting Started

1. Installation

Microsoft Graph PowerShell module is published on PowerShell Gallery. Installing is as simple as:

Install-Module Microsoft.Graph

Run Install-Module with -AllowClobber and -Force parameters if you run into command name conflicts when upgrading to older versions of the module. This may be the case when upgrading from v1.x to v2.x:

Install-Module Microsoft.Graph -AllowClobber -Force

See Install the Microsoft Graph PowerShell Module guide for detailed installation instructions.

2. Authentication

The module supports two main types of authentication:

Delegated access

Get access to Microsoft Graph resources on behalf of a user.

# Using interactive authentication.
Connect-MgGraph -Scopes "User.ReadBasic.All", "Application.ReadWrite.All"

App-only access (client credentials grant flow)

Get access to Microsoft Graph resources using the identity on an app and not on behalf of a user.

# Using -CertificateThumbprint
Connect-MgGraph -ClientId "YOUR_APP_ID" -TenantId "YOUR_TENANT_ID" -CertificateThumbprint "YOUR_CERT_THUMBPRINT"

See Authentication for more information on the usage of Connect-MgGraph.

3. List users in your tenant

Get-MgUser -Top 10 -Property Id, DisplayName, BusinessPhones | Format-Table Id, DisplayName, BusinessPhones

4. Filter a user in your tenant

$User = Get-MgUser -Filter "displayName eq 'Megan Bowen'"

5. Create a new app registration

New-MgApplication -DisplayName "ScriptedGraphPSApp" `
                  -SignInAudience "AzureADMyOrg" `
                  -Web @{ RedirectUris = "https://localhost"}

6. Sign out of the current logged-in context i.e. app only or delegated access

Disconnect-MgGraph

API Version

Install Microsoft.Graph.Beta module to commands that call Microsoft Graph Beta API endpoint.

Install-Module Microsoft.Graph.Beta
# Consume Microsoft Graph beta resources.
Connect-MgGraph
$Users = Get-MgBetaUser

Notes

Upgrading to v2

The following breaking changes have been introduced between v1.x and v2.x:

• Dropped profile support.
• Dropped support for -ForceRefresh on Connect-MgGraph.
• Renamed beta command names from <Verb>-Mg<Noun> to <Verb>-MgBeta<Noun>.
• Renamed DeviceManagement.Enrolment module to DeviceManagement.Enrollment.
• Moved directory role and entitlement management commands from DeviceManagement.Enrollment to Identity.Governance module.
• Changed beta namespace from Microsoft.Graph.PowerShell.Models.<Entity> to Microsoft.Graph.Beta.PowerShell.Models.<Entity>.
• Changed -AccessToken type on Connect-MgGraph from String to SecureString.

See the v2 upgrade guide for more details.

Troubleshooting

Permission Related Errors

When working with various operations in the Graph, you may encounter an error such as "Insufficient privileges to complete the operation." For example, this particular error can occur when using the New-MgApplication command if the appropriate permissions are not granted.

If permission-related errors occur and the signed-in user/app has been granted the appropriate permissions to perform the operation, you can explicitly fetch a new access token by running Disconnect-MgGraph, then Connect-MgGraph. This will trigger a refresh of the access token in your cache. Microsoft Authentication Library (MSAL) will only refresh access tokens in your cache if they have expired (usually an hour).

See Microsoft Graph API Permissions Reference for more details.

Common Errors

See our troubleshooting guide for a detailed view of how to troubleshoot common errors when using Microsoft Graph.

Known Issues

• Using the -Property {PropertyName} parameter will not select the property as the output of the command. All commands return CLR objects, and customers should pipe the command outputs to Format-Table or Select-Object to return individual properties.

• Customers upgrading from previous versions of the SDK may encounter auth prompts on every command call. If this happens, one can use the following steps to reset their token cache:

  • Use Disconnect-MgGraph to sign out of the current session.
  • Run Remove-Item "$env:USERPROFILE\.mg" -Recurse -Force to delete your token cache.
  • Run Connect-MgGraph to reconstruct a clean token cache.

Feedback

If you find any bugs when using the Microsoft Graph PowerShell modules, please file an issue on our GitHub issues page.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

License

Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT license.