Objectives

| # | Objective |
|---|---|
| 1 | Install the Microsoft.Graph module from the PowerShell Gallery |
| 2 | Connect to Microsoft Graph using Connect-MgGraph with delegated permissions |
| 3 | Understand permission scopes and what they control |
| 4 | View the active connection context with Get-MgContext |
| 5 | Run your first Graph queries: Get-MgUser and Get-MgOrganization |
| 6 | Use Find-MgGraphCommand to discover the right cmdlets |
| 7 | Disconnect cleanly with Disconnect-MgGraph |
| 8 | Knowledge check: Graph SDK fundamentals |

Key Concepts

| Concept | What it means |
|---|---|
| Microsoft Graph | Microsoft's unified API for all Microsoft 365, Azure AD / Entra ID, and other Microsoft cloud services. One endpoint: graph.microsoft.com. The Graph PowerShell SDK wraps this API in cmdlets. |
| Delegated Auth | You sign in interactively as a user. All actions are performed as that user's identity, limited by that user's own permissions in Entra ID. |
| App-only Auth | An app identity (service principal) signs in using a certificate or secret, with no user involved. Used for automation and scheduled scripts. |
| Permission Scopes | Granular permissions that control what Graph can access. E.g. User.Read.All lets you read all users, User.ReadWrite.All lets you modify them. Always use the least-privileged scope needed. |
| Get-MgContext | Shows the current Graph connection state: tenant, scopes granted, auth type, and the identity in use. The first thing to check when troubleshooting. |
| Find-MgGraphCommand | Searches all Graph SDK cmdlets by API endpoint or URI. The key tool for discovering what cmdlet to use when you know the Graph API path but not the PS cmdlet name. |
| Beta vs v1.0 | Graph has two API versions. v1.0 is stable and production-ready. Beta has preview features that may change. Use Connect-MgGraph -NoWelcome then Set-MgRequestContext for beta. |

Commands Practised in This Lab

| Cmdlet | Purpose |
|---|---|
| Install-Module Microsoft.Graph | Full SDK install from PSGallery (~40 sub-modules) |
| Install-Module Microsoft.Graph.Authentication | Core auth module only; faster install for connect-only scenarios |
| Import-Module Microsoft.Graph.Users | Load the Users sub-module to access Get-MgUser |
| Get-Module Microsoft.Graph* | List all loaded Graph sub-modules and versions |
| Connect-MgGraph -Scopes | Authenticate with specific permission scopes |
| Get-MgContext | View active connection details: tenant, scopes, identity |
| Get-MgUser | List Entra ID users from the tenant |
| Get-MgUser -UserId | Retrieve a specific user by UPN or Object ID |
| Get-MgUser -Filter | OData filter: server-side filtering on Graph API |
| Get-MgUser -Select | Request only specific properties; faster for large tenants |
| Get-MgOrganization | Returns tenant organisation details |
| Find-MgGraphCommand | Discover cmdlets by Graph API URI or command name |
| Disconnect-MgGraph | Close the Graph session and revoke the token |

Simulated Entra ID tenant: contoso.onmicrosoft.com with 20 users.
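
The lab's cmdlets combined into one session, as an added example that is not part of the original lab material; it also compares the scopes reported by Get-MgContext with the ones requested, since a delegated session can hold scopes consented to earlier. It assumes an interactive sign-in with an account that may consent to the two read-only scopes; the variable names and the `$baseline` list are choices made for this example.

```powershell
# Added example, not from the lab itself. Assumes an interactive PowerShell session
# and an account allowed to consent to the two read-only scopes below.
$wanted = @('User.Read.All', 'Organization.Read.All')   # read-only: nothing here can modify the tenant

# Install the auth module and only the sub-modules these queries need.
$modules = 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Users',
           'Microsoft.Graph.Identity.DirectoryManagement'
foreach ($m in $modules) {
    if (-not (Get-Module -ListAvailable -Name $m)) {
        Install-Module $m -Scope CurrentUser
    }
}

Connect-MgGraph -Scopes $wanted -NoWelcome

try {
    $ctx = Get-MgContext
    'Tenant {0}, account {1}, auth type {2}' -f $ctx.TenantId, $ctx.Account, $ctx.AuthType

    # The session can include scopes consented to in earlier sessions, so compare
    # what was granted with what was asked for and flag anything extra.
    $baseline = 'openid', 'profile', 'email', 'offline_access'   # sign-in scopes (assumed list)
    $extra = $ctx.Scopes | Where-Object { $_ -notin $wanted -and $_ -notin $baseline }
    if ($extra) {
        Write-Warning "Session holds scopes beyond the request: $($extra -join ', ')"
    }

    # Server-side filter plus property selection keeps the response small.
    Get-MgUser -Filter 'accountEnabled eq true' -Select Id, DisplayName, UserPrincipalName -Top 5 |
        Format-Table DisplayName, UserPrincipalName

    Get-MgOrganization | Select-Object DisplayName, Id

    # Start from the API path and look up the cmdlet and the permissions it needs.
    Find-MgGraphCommand -Uri '/users/{id}' -Method GET |
        Select-Object Command, Module, Permissions
}
finally {
    Disconnect-MgGraph | Out-Null   # end the session even if a query failed
}
```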