The Microsoft Graph PowerShell SDK V2 attained general availability on July 4, 2023. Microsoft did a horrible job of announcing the news, but now that the SDK V2 is available, it’s time to migrate scripts from earlier versions. Splitting the V1.0 and beta cmdlets into different modules is a big difference, as is renaming the beta cmdlets. But other points exist to consider as you migrate from the Microsoft Graph PowerShell SDK V1 to V2.
Using Connect-MgGraph scopes to request a precise set of permissions at the start of a PowerShell script is the right way to make sure that the script can run and access the data it needs to process. Two schools of thought exist. Is it best to use the Scopes parameter to define the set of permissions when connecting with Connect-MgGraph, or should you go ahead and connect and check afterward? I favor the first approach, but either way works.
I now have a Microsoft Graph Early Adopter badge. I didn’t ask for it. The badge just arrived via email. Which brings me to how to deliver product feedback. Sure, you can make comments via GitHub, but that ignores a perfectly good feedback portal developed to allow people to give direct feedback (including requests for new features) to Microsoft. You won’t get a badge for providing feedback via the portal, but it’s the right thing to do.
Microsoft announced the availability of the SharePoint Admin API for the Microsoft Graph on May 8. The API currently supports a small set of tenant settings., but it’s a start and a pointer to where Microsoft is going. And while they’re looking in that direction, maybe they might accelerate production of a Graph API for Exchange Online management.
The set of permissions consented for the Microsoft Graph Explorer allows the app to run Graph API requests. Over time, the set of Graph Explorer permissions can accumulate to a point where the app is overly permissioned. That can be a bad thing because you might overlook the need for an app to have consent for a permission to run successfully. In this article, we look at how to remove permissions from the Graph Explorer.
In an unannounced move, Microsoft imposed a new limit on Graph requests using the List Users API that include the SignInActivity property. The old limit allowed a request to fetch 999 items; the new reduces it to 120 items. I’m sure that the change is made with the best possible motive, but introducing something like this without warning broke a lot of programs and scripts, and that’s just unacceptable.
Microsoft has released the first public preview of the Microsoft Graph PowerShell SDK V2.0. Although the new version delivers some welcome functionality, it contains some contentious proposals such as dividing the SDK into V1.0 and beta modules and using different names for the beta cmdlets. It would be nice if Microsoft fixed some of the basic group and user cmdlets before they imposed more work on PowerShell developers.
A December 2 post by the Microsoft Graph development team clarifies how it plans to charge for some Microsoft 365 APIs. The three-tier model Microsoft plans to use is logical and the default will remain free access to customer data. However, the way Microsoft has communicated the introduction of a charging model for some high-capacity APIs is a model of how not to manage change.
This article offers some tips about working with the Microsoft Graph Usage Reports API. In particular, we cover how to detect if the concealment of display names setting is active and how to reset it to allow display names appear in reports. We also cover the strangeness of some of the numbers reported for Teams message counts.
No Microsoft 365 admin portal will tell you about the set of email addresses assigned to Teams channels. Fortunately, it’s relatively easy to create a report with PowerShell and just a little Graph magic.
A new version of the Microsoft 365 user activity report PowerShell script is available. This version extends the activity lookback period to 180 days, which is helpful when assessing if user accounts are active when people might be on parental leave or sabbaticals.
In a July 12 announcement, Microsoft says that they will restrict the use of Exchange Web Services to access Teams message data from September 30. Microsoft wants customers to use the Teams Export API instead. All that’s fine, but it means that customers have to change their Teams backup product to one that uses the new API – and they’ll be charged for the privilege of using the Export API.
The new tenant admin Microsoft Graph API allows access to read and update SharePoint Online tenant settings. Although the API offers limited capabilities for now, it marks the start of Graph support for tenant settings that are currently managed through admin portals or PowerShell. It’s a welcome development.
Cmdlets in the Microsoft Graph PowerShell SDK module can interact with many types of Microsoft 365 data using Graph API requests. Adding the Debug parameter gives you an insight into what happens when SDK cmdlets run Graph requests. The knowledge can help you write better code and avoid mistakes, and that’s always a good thing.
The Microsoft Graph continues to grow in importance, as do tools like the Graph Explorer web application. The Explorer has received a couple of new and useful features recently, including the generation of PowerShell code snippets. This doesn’t work for every Graph API, but it’s a start and a great enhancement to what’s already a very useful tool.
The Azure AD PowerShell module allows guest accounts to sign into target tenants and update their account photo there. The Microsoft Graph PowerShell SDK includes a cmdlet to do the job, but it doesn’t work when connected to a target tenant. Permissions are the reason why, which is what we explain in this article.
The new Graph X-Ray extension available for the Chrome and Edge browsers gives developers an insight into how the Azure AD admin center uses Graph API commands to retrieve user and group objects. The insight is invaluable when teasing out some of the syntax needed to get work done with the Graph. It’s much appreciated.
A reader asked if it’s possible to use PowerShell to return the unread count for the Inbox folder in user mailboxes. The standard Exchange Online PowerShell cmdlets tell you a lot about mailbox folder statistics, but they can’t look inside a folder. But the Microsoft Graph APIs can, so a combination of PowerShell and the Graph deliver a solution to the problem.
The Microsoft Graph SDK for PowerShell includes cmdlets for management of Azure AD Groups. The cmdlets work, and in some places they are screamingly fast compared to Exchange Online or Azure AD cmdlets. In other places, the cmdlets are a tad bizarre and expose a little too much of their Graph underpinnings. Oh well, at least after reading this article, you’ll know where the holes lie.
With the demise of the Azure AD and MSOL PowerShell modules on the horizon, it’s time to figure out how to upgrade scripts to use cmdlets from the Microsoft Graph PowerShell SDK. This article books at basic account management and shows how to update, delete, restore, and find Azure AD accounts using SDK cmdlets.
Microsoft has announced that it will be possible to recover a deleted service principal by the end of May. This is good news because it means that an accidental deletion can’t wreak the kind of havoc it can today. Microsoft hasn’t updated the APIs to manage soft-deleted service principals yet, but we can get an insight into what’s likely to happen by investigating how to manage deleted Azure AD accounts using cmdlets from the Microsoft Graph PowerShell SDK.
Lots of news has emerged from Microsoft recently regarding the deprecation of the Azure AD PowerShell module and the older MSOL module. Although dates have slipped from the original June 30, 2022 deadline, the signs are that Microsoft will retire the modules in early 2023. However, the Azure AD and MSOL license management cmdlets will stop working on August 26, 2022, so that’s the immediate priority for script upgrades.
Teams tags appeared in early 2020 as a method to address subsets of a team membership in channel conversations. Microsoft doesn’t provide a method to report what teams use tags and what those tags are, but we can find out using the Graph APIs. In this article, we show how to use the Microsoft Graph PowerShell SDK to create a report of all teams which use tags, the names of the tags, and the team members assigned the tags.
With the upcoming deprecation of the Azure AD and Microsoft Online Services (MSOL) PowerShell modules, it’s time to upgrade scripts which depend on the cmdlets from these modules. In this example, we use the Microsoft Graph SDK for PowerShell to create a report for Azure AD accounts showing the authentication methods each account uses. The idea is to highlight accounts not protected by strong authentication so that administrators can help users to upgrade their protection against attack.
People insights is one of the three types of insights derived by the Microsoft Graph from signals gathered from user activity in Microsoft 365 apps. Some organizations don’t like to show people insights in the user profile card, and now you can update an organization setting to remove people insights from the card for all or just some users.
By now, Microsoft 365 tenant administrators realize the need to understand how apps use consent to access Microsoft 365 data. App certification helps by reassuring tenant administrators that third-party apps meet certain criteria set by Microsoft. Achieving Microsoft 365 certification is the highest bar in the program. It’s just a pity that many of the apps now appearing in the ecosystem don’t achieve this level of app certification.
A new Microsoft Teams feature means that local time zone information appears on user profile cards. While it seem simple, the feature is very useful when arranging meetings because you know up-front about the working hours of your colleagues. It’s a detail that makes sense!
Access tokens are an important part of accessing data using modern authentication through APIs like the Microsoft Graph. But what’s in an access token and how is the information in the access token used by PowerShell when the time comes to run some Graph queries in a script? In this article, we look behind the scenes to find out what’s in the JSON-structured web tokens issued by Entra ID.
The Microsoft 365 group expiration policy can remove inactive groups after a set period. This helps clean up Azure AD, but the removal of a group might come as a surprise. To help remind administrators when groups will expire, we can use PowerShell to create a report of groups within the cope of the expiration policy and their next renewal dates. And to speed things up, we can turbo-charge matters with a Graph query.
Service principal sign-in data from Azure AD is now accessible through a Microsoft Graph API. This means that you can analyze sign-in data to locate problem apps and remove old or unwanted service principals from your Microsoft 365 tenant. It’s time for spring cleaning!
Finding the age of a Microsoft 365 tenant isn’t an important administrative operation. However, understanding how to retrieve this information (if asked) is an interesting question, which is why we spent several hours playing around with PowerShell and the Microsoft Graph to figure out how to answer the question. It’s the kind of in-depth analysis we do all the time to build content for the Office 365 for IT Pros eBook.
A new List Teams API is available in the beta version of the Microsoft Graph. In time, the new API might replace the existing methods used to fetch sets of teams for processing. For now, there’s no need to update any code as we wait for Microsoft to fully bake the new API. Maybe it will be more performant and functional in the future!
A Microsoft October 5 announcement gives a clear signal that Exchange Web Services is on a short runway to oblivion. The first step is the removal of 25 APIs on March 31, 2022. It’s all part of the master plan to get Office 365 tenants and ISVs to move to the Microsoft Graph APIs. This is a perfectly laudable ambition but it’s complicated because of the lack of suitable Graph APIs to handle the volume of Exchange data involved in scenarios like backup/restore and migration. Teams has a new Graph Export API, but it introduces consumption metering and charging. Is a new Exchange API coming and will it use the same charging mechanism? We live in interesting times…
The usage reports available in the Microsoft 365 admin center, Teams admin center, and other places now include anonymized user information by default. The new default became active on September 1, 2021 and the organization setting applies to any usage data generated by the Microsoft Graph usage reports API, which means that some scripts might create reports less interesting and useful than before. It’s a good change for privacy, but will organizations persist with the new default?
Microsoft has replaced the controls which disabled document insights in Delve with new Graph-based settings. However, you might still have a bunch of users with the Delve settings who need to migrate to the Graph settings. In this article, we explore how the settings work and how to query the Graph to find the set of users who disabled the setting in Delve. We can then use PowerShell to add those accounts to the group of disabled insights users for the Graph-based settings.
Many PowerShell scripts which access Office 365 data could do with a speed boost. Replacing cmdlets with Microsoft Graph API calls is one way to get extra speed. In this article, we take a PowerShell script to report the memberships users have of Microsoft 365 groups and replace some important cmdlets with Graph API calls. The result is a big speed increase.
The preview of a new app governance add-on for Microsoft Client App Security gives Office 365 administrators insight into Graph-based apps. The add-on depends on information gathered from Azure AD and MCAS to generate insights about apps and their usage, including highlighting apps which are overprivileged or highly privileged. Although you can do some of the auditing yourself, the add-on makes it easier. It’s a preview, so some glitches are present.
The latest update for the Teams admin center includes the ability to manage the permissions used by third-party apps to access data via the Microsoft Graph. The updates also include the ability to manage resource specific consent (RSC) for Teams apps. While third-party apps ate the obvious target, LOB apps created by tenants are managed in the same way.