Moving from Azure AD PowerShell to Microsoft Graph PowerShell

Captions
Welcome to this To the Cloud video, where Scott and I dive into Azure AD PowerShell and the transition from Azure AD PowerShell to Microsoft Graph PowerShell. As you may know, Azure AD PowerShell has been deprecated; the move is going to be to write everything in the Microsoft Graph PowerShell. So we dive into the terminal and compare the two, explore the new cmdlets, explore the Microsoft Graph, and hopefully teach you a little bit about moving your PowerShell scripts from Azure AD PowerShell to Microsoft Graph PowerShell. So let's dive in.

So jumping over, you'll notice the first thing is that requirement of 5.1 or later. This does work on a Mac, so if I go launch, I run the PowerShell preview, because what fun is it if you don't run the preview of pretty much everything. So I'm logged in. I do already have that module installed, but if you haven't, it's just that install, like you said: it's Install-Module, we can do a whole tab complete (I excel at my tab completes), Microsoft.Graph, and this will go out to that gallery, grab the Microsoft Graph module, and go ahead and get that installed.

The one thing I will say that is probably the biggest transition that I have found is the scopes that you were talking about, in terms of giving permission to the application, being able to figure all that out. You'll notice the tenant I'm actually going to go against once we start doing this is this Nava tenant that I have. I have some of these enterprise applications listed already: some provisioning stuff, some Power BI stuff. I do have the PnP Office 365 management modules, but I don't have any of the Azure AD stuff out there, so hopefully this will install. And the first thing that I did when I went and started using this was exactly what you showed, right? I'd go out and I'd want to Connect-MgGraph, and it will go ahead and try to connect. It'll pop open a new browser window, let me sign in. I'm going to go ahead and sign in with this account, and it starts asking for permissions: permission requested, that Graph PowerShell, it wants to at least sign in and read my profile information, maintain access to data. I'm just going to go ahead and consent on behalf of your organization and accept. Authentication complete. Great, all well and good, we're connected. Welcome to the Microsoft Graph.

The first thing we're going to do, just a quick note on the consent piece: these are all admin consent requirements, so you are going to need an administrator within that tenancy to go ahead and approve those. And that's no different than if you wanted to maybe get started in the Graph Explorer before you came over and started doing the PowerShell side of things; same thing, you need to authenticate Graph Explorer as an application, or in this case your kind of PowerShell context, over to your tenancy. So you were able to get through that flow pretty quickly because you have rights within that tenancy to grant that admin consent. But if we went over to another tenant, and I was trying to do the same thing and I didn't have permissions in there, it's going to just kind of yell at me and say sorry, no go, go find an admin who can get you what you need.

Yeah, that's a good call-out, because I had this when we were working with a client the other day, where we were used to being able to go and Connect-AzureAD or connect to something, and as long as you had a certain level of admin rights you were able to just go start running the PowerShell. But the admin rights to maybe connect to Azure AD and retrieve users is not as high of a permission as you need to approve an enterprise application and grant access to certain scopes. And if you don't get all the scopes you need right away, there can be some back and forth in order to actually get all those permissions granted that you need, with somebody high enough to go in and approve all of that. It's a little, in some cases it's a lot, more work to go in and grant all of those right permissions.

Because even though I'm a global admin, and I just connected with a global admin and approved those permissions, if I go try to do a Get-MgUser, it actually goes in and fails because I have insufficient privileges to complete the operation. Back to that whole scopes thing: it's like, do you have User.Read.All? And now are you able to do that mapping in your head of what permissions, or effectively what scopes, do I actually need to perform the set of operations that I want to perform within the context of this connection specifically?

Yeah, it starts to get really, really weird really quick. There is one out there, it's in the documentation here, where they talked about it as you start using it: determining those scopes. This Find-MgGraphCommand, and I would get very familiar with this, save this in a clipboard somewhere where you can use it: Find-MgGraphCommand, pass it in the command you want to use, pipe that to Select -First 1 -ExpandProperty Permissions, and this will give you this type of output of all of the scopes that are available that can be used, or the scope permission that can be used, to grant that Get-MgUser permission level. So in this case, if I go through that over there, and I'm actually going to delete off the pipe: what you're looking for with this Find-MgGraphCommand is that pipe is actually going through and getting all of these permissions here underneath this Get-MgUser. If you just do the Find-MgGraphCommand, you'll see a lot of those different methods too that it's using: it's using a GET method, it's going to this users endpoint, or the users/user-id endpoint, so you can get more of that information about the command. If truly all you're looking for is just that permission level, you can go right to that permission level. So as long as I'm granted device management apps, Directory.Read.All, Directory.ReadWrite.All, one of these scopes, I'll be able to use this Get-MgUser command within the scope that that command has been granted.

So this is, I think, where it starts to get maybe a little weird, depending on what you want to do. If you're not doing something that requires, say, management of Intune devices, you don't need to type in and grant yourself the scope for device management. If all you want to do is to get users, you can do User.Read.All and you're good, ready to go; you don't need that other kind of permission on top of it. This is the kind of, you know, the whole kitchen, when maybe all you need is just one or two pots or pans out of the cabinet, kind of thing, right?

And where it starts getting tricky, this I would say is the other aspect to this, is now let's say I want to get an MG user and I want to start working with my users, but I also want to go start working with groups in Azure AD. If I want to work with a group, I can do it with Directory.Read.All, Directory.ReadWrite.All, which are two of those permissions up here, or I can do a Group.Read.All, and I could do a User.Read.All. So at this point in time, based on the cmdlets that end up going into my PowerShell script that I'm writing, do I grant a bunch of different scopes, or do I go find the least common denominator that applies to all of them, in terms of maybe I just grant Directory.Read.All so that I don't have to go in and grant both a User.Read.All and a Group.Read.All? And now I want to go start writing to groups.

Yeah, I don't think I've seen good guidance out there on what that actually looks like. Lots of the examples, they tend to flip-flop between the more constrained permission set versus the wider permission set. Yeah, and I don't see... this is one of them: it used to be set group I think, now it's Update-MgGroup, where if I'm doing an update now I need to have that ReadWrite.All. So going back to now I've started to figure out what is that permission level I need, I can go in and grant it. Before I do that, let's jump back to enterprise integration, or enterprise applications. You'll actually see now that I refresh this, I have this Microsoft Graph PowerShell (oh, and I get the spinning beach ball, it's all starting to melt) application. So this is where, when you showed me that process of going through and registering the application, I was like, I've never had to do that, because that initially, you know, down this path, right, goes and starts doing it already. So I could go start looking at permissions, and this is where that access is denied: where I do have that User.Read, this one in theory should have... I think I can maybe just read my own profile with this one; I can't read everybody else's. It's not a direct... Yeah, so you can go to the me endpoint, but you can't go to, say, the overall users endpoint, right? So it's just granted those initial permissions.

In order to get the rest of those, what I can do is I can actually go back to my connect, and one of the parameters that I can pass in now is this Scopes. So we have started determining that in order to get my users I need this User.Read.All, and I'm going to grab that one, and you can pass in multiple scopes. So I can do a User.Read.All, and let's say I know I don't need a Directory.Read.All, I just want users and groups. If I go grab these, I can pass in multiple scopes, put the comma (I don't even know what word that is, it's comma delimited, comma delineation; it's not delineation), put a comma there and do another connect. This will prompt back that login dialog, prompt another tab, and now when I go log in this time, I actually have a lot more permissions that it will ask me to consent to.

Yeah, so eventually, I guess that's the other thing with the permissioning and kind of the admin consents: it's really a consent per permission. So every time you pass in a new permission that you don't have consent to, and that hasn't been granted, that admin consent, you've got the authentication box up there and hey, I'm going to consent on behalf of my organization, kind of thing. Every single one of those that's new, that hasn't been granted to that application, that Azure AD enterprise application, the registered app, then you've got to go through this flow every time. So you might want to account for that in, say, automation. This probably isn't something you've ever really had to... I certainly think about these things with the Azure AD cmdlets, like hey, I'm going to write this script that manages onboarding new users, doing initial license assignment, all those kinds of things: what are all the permissions that I need to be able to do that on day one, so I can go grant consent to all of those at once? Because if I miss one, or a new one is added or something like that, all of a sudden your whole automation just kind of blows up; it can't run anymore.

Exactly, and that's what I've hit. Or you want to go add something new to your automation; you have to remember that you can't just add it, you have to go make sure that those permissions are there. So that authentication completed. If I go refresh this now, once it actually takes effect, there it goes: you'll see now I can read all users' full profiles, I can read all groups. So if I go back to my PowerShell window, now this time if I do the Get-MgUser, it actually has those permissions to go at that endpoint and go and grab all of those different users out of that tenant. Same thing, I went in and I'm able to get my groups now, so I can see all of those. But as soon as I would go in and try to update an MG group, it's going to ask for GroupId and some other stuff here. Where's the group ID I can use? It's not going to be able to update them, because I only granted those read permissions. So to your point, now I'd have to go back in. It's like playing whack-a-mole. Actually, I didn't try to update anything. What can I update on a group? Probably the name. Is there a Name parameter on there? Mail, Team, OneNote; we'll make it mail enabled, -MailEnabled true. MailEnabled isn't a boolean, it's just a dash. Ooh, maybe it's letting me update it, which would be odd; it shouldn't, because I didn't grant read/write to the groups, I don't think. But that gets to that point of, as you go through and do all these different things, you may have to go in and change those scopes, adjust those. The nice thing is, once you add them, the next time I would go through and connect, because consent has already been granted, I'm not going to have to go in and pass those scopes through every time. Yeah, just don't delete that application registration, right?

So if I would do, for example, Disconnect-MgGraph, I log out, I try to get MG users, now I'm not connected, authentication is needed. So this time I could just go through and I could do a Connect-MgGraph. It's still going to walk me through potentially that prompt; it may pick up that I already logged in, we'll have to see what happens here. Yeah, sign in again, pick my account again, give my password again. I don't get any prompts; I'm not asking for any new scopes. I didn't pass in any new scope, so it's not prompting for any. I already have those scopes that I used in the past, so I could go do that Get-MgUser again. And we go grant them all; like I said, I don't have to go re-request those, I already have them, they've already been granted. So the other option with this is, as you go, find that highest scope level (this is by far probably not security best practice), go to the highest scope level and say I'm done with this, forget about it, I don't have to worry about it anymore, because I've granted every possible write to that Graph PowerShell.

Hopefully you enjoyed diving into Azure AD PowerShell and Microsoft Graph PowerShell. If you do want to see the full hour-long recording, feel free to join our podcast membership site. This video channel, this YouTube channel, is a spin-off from the MS Cloud IT Pro podcast. If you sign up for a membership over there by going to msclouditpro.com membership, link in the description below, you can get access to the full hour-ish recording of these To the Cloud videos. You'll get access to watch them and participate in the live recording of these, as well as the weekly live recording of the podcast, and access to our private Discord server where we have conversations about all things Microsoft cloud related. So again, don't forget to subscribe, be notified about future video clips on this channel or future videos on this channel, as well as check out the membership site again: msclouditpro.com membership.
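The scope-discovery and consent workflow the two hosts walk through above, written up as a script. This is an added example, not code shown in the video: it uses Find-MgGraphCommand to list candidate permissions for each cmdlet a script will call, shows the "one broad scope" versus "narrow per-task scopes" choice they discuss, and then checks the scopes actually granted via Get-MgContext before any work runs, so an automation that is missing consent fails up front instead of partway through. The cmdlet list and the chosen scopes are constructed for the example.

```powershell
# Added example (not from the video). Assumes the Microsoft.Graph module is
# installed (Install-Module Microsoft.Graph) and an admin can consent.
Import-Module Microsoft.Graph.Authentication

# Cmdlets a hypothetical onboarding script will call (constructed list).
$cmdlets = 'Get-MgUser', 'Get-MgGroup', 'Update-MgGroup'

# For each cmdlet, Find-MgGraphCommand lists every permission that satisfies it.
$candidates = @{}
foreach ($c in $cmdlets) {
    $cmd = Find-MgGraphCommand -Command $c | Select-Object -First 1
    $candidates[$c] = @($cmd.Permissions.Name | Sort-Object -Unique)
    '{0,-16} {1}' -f $c, ($candidates[$c] -join ', ')
}

# Option A: scopes accepted by every cmdlet at once (the "least common
# denominator", typically something broad such as Directory.ReadWrite.All).
$common = $candidates.Values | ForEach-Object { $_ } | Group-Object |
    Where-Object { $_.Count -eq $cmdlets.Count } |
    Select-Object -ExpandProperty Name
"Scopes that cover all cmdlets: $($common -join ', ')"

# Option B (least privilege): the narrowest scope per task, chosen by hand
# from the lists printed above. Constructed choice for this example.
$scopes = 'User.Read.All', 'Group.ReadWrite.All'

# Each scope not yet consented for the "Microsoft Graph PowerShell" enterprise
# app triggers the consent prompt; once granted it is remembered on reconnect.
Connect-MgGraph -Scopes $scopes

# Verify before doing any work: a scope can be requested but not granted.
$granted = @((Get-MgContext).Scopes)
$missing = @($scopes | Where-Object { $_ -notin $granted })
if ($missing.Count -gt 0) {
    Disconnect-MgGraph | Out-Null
    throw "Missing scopes: $($missing -join ', '). Get admin consent, then rerun."
}
"Connected with scopes: $($granted -join ', ')"
```

Re-run the first loop whenever a cmdlet is added to the script, since a new cmdlet may need a scope that no existing consent covers.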
Info
Channel: Two The Cloud
Views: 4,789
Keywords: Microsoft Cloud, Ben Stegink, Scott Hoag, Azure Active Directory, Azure AD, AAD, Microsoft 365, Azure, PowerShell, Office 365, Microsoft Graph, Microsoft Graph PowerShell, Azure AD PowerShell, Microsoft Graph PowerShell SDK, Cloud, Two the Cloud, MS Cloud IT Pro
Id: Phxuta2NmlI
Length: 19min 39sec (1179 seconds)
Published: Wed Aug 03 2022