How to use The Microsoft Graph Explorer Tool

Microsoft Graph Explorer is one of the most convenient and simplest tools you can use to help you better your understanding of the Graph API and develop scripts using PowerShell by bridging the gap between developers and us admins. This tool is not just limited to PowerShell either, it is still heavily used by software developers using languages such as C#, Go, Java and JavaScript.

In this tutorial, I am going to take you through getting started with the Microsoft Graph Explorer tool to aid your with migrating to Microsoft Graph PowerShell from legacy modules such as AzureAD or MSOL.

How to login to Microsoft Graph Explorer

Start by opening your preferred web browser and navigating to the Microsoft Graph Explorer link below:

https://developer.microsoft.com/en-us/graph/graph-explorer

To login and connect the tool to your tenant, click the profile icon at the top right of the page, this will load a popout window prompting you to sign into your tenant.

Login to Microsoft Graph Explorer
Login to Microsoft Graph Explorer

When prompted, sign in with global admin credentials. The reason for this is that while you use the tool you will need the right to consent to different permissions to the Graph Explorer application in Azure AD and to consent to these permissions, global admin rights are needed.

Once you sign in, an Entperise application is registered in Azure Active Directory named Graph Explorer. You can view the application by logging into https://entra.microsoft.com, expanding Applications then Enterprise applications.

view Graph Explorer application
view Graph Explorer application

You may notice that the Application ID for the Graph Explorer app is identical across all Microsoft tenants: de8bc8b5-d9f9-48b1-a8ad-b748da725064. This poses some security risks, which we will address later in this book.

Navigating the tool

Microsoft has done well with the user experience of this tool, navigation is quick, easy and intuitive once you learn your way around it. Below you will find screenshots of the Microsoft Graph Explorer tool where any points of interest have been highlighted:

Graph Explorer Queries
Graph Explorer Queries
Sample Queries

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

The resource tab provides a list of all available resources you can query in Microsoft Graph. You are also able to switch between v1.0 and the Beta version of Graph. which can impact the availability of resources.

History

The history tab provides you with a list of all queries you have made using the Graph Explorer tool in the last 30 days.

On the remainder of the page (everything to the right of the previous image), you will find all the tools and information for creating and handling requests, and managing responses.

Graph Explorer Main Window
Graph Explorer Main Window
Get

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

v1.0

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

URL

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Run Query

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Share

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Request body

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Request headers

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Modify Permissions

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Access Token

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Response preview

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Response headers

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Code snippets

The sample queries tab provides you a list of pre-set and simple queries from Microsoft to help you get, create a modify resources.

Using sample queries

Sample queries are easy to use and convenient queries provided to you by Microsoft to help get you started with the Graph Explorer tool. Although samples are not provided for every resource, a list of common resources is made available for you to query.

Let’s say you want to get a list of all groups in your organisation, you can do so with a sample query. Start by selecting the Sample queries tab, then search for Groups.

Sample Queries Groups
Sample Queries Groups

Expand the Groups tab and select list all groups in my organisation.

Get all groups
Get all groups

You will notice that the query box is automatically filled out with the information for the selected request. Once that is done, click Run query to see your results.

Same Query URL
Same Query URL

From the response preview tab, you can see the response for your query which will include a list of all groups in your organisation.

Same Query Response
Same Query Response

Consenting to permissions

Occasionally, you may find that when you attempt to run a query, you are met with a red warning banner and an error in the response preview like the following.

{
    "error": {
        "code": "AccessDenied",
        "message": "You cannot perform the requested operation, required scopes are missing in the token.",
        "innerError": {
            "date": "2023-06-13T15:17:39",
            "request-id": "6e3bbe1f-270f-4030-b6e0-ed13e25e4902",
            "client-request-id": "8791dfff-cf8a-60ec-ad16-1202022a920e"
        }
    }
}

In this case, I attempted to list all conditional access policies in my organisation, however, the error states that I do not have the required permission scopes to complete this request. 

The red warning banner provides us with similar information, however, it also advises us on the resolution to the issue.

Red warning
Red warning

In order to complete this request, we need to grant the necessary Graph permissions to the Graph Explorer application in Azure AD using consent from a Global Administrator. To do this, select the Modify permissions tab. You will see the necessary permissions have helpfully already been listed on the page. Click Consent next to the relevant permission, then follow the steps on the screen to grant consent to the requested permissions.

Modify permissions tab
Modify permissions tab

Once complete, re-run your query and the response should return OK.

OK response
OK response

The permissions you consent to here are permanently consented to the Graph Explorer tool and will remain available after signing out and back in. Follow the steps in Chapter 4 to learn how to remove permissions that you have previously consented to.

Retrieving PowerShell Code

One of the best features of the Graph Explorer tool is the simplistic way it can convert your custom queries into PowerShell code, which you can then incorporate into your scripts. It can also convert queries into other languages such as C#, Go, Java and Javascript.

To retrieve the equivalent PowerShell code for your query, first run the query and confirm the output is as expected. Here is my example:

https://graph.microsoft.com/v1.0/users?$count=true&$filter=Department eq 'Finance'&$orderBy=displayName&$select=id,displayName,department

This query will filter for all users in the Finance department, then sort the results by the DisplayName attribute while only returning the user’s ID, DisplayName and Department values.

From the bottom section of the screen, select Code Snippets.

Code snippets
Code snippets

Then select the PowerShell tab to display the PowerShell code:

PowerShell code
PowerShell code

Use the copy button at the top right of the PowerShell window to copy your PowerShell code:

Copy button
Copy button

Here are the results:

Import-Module Microsoft.Graph.Users

Get-MgUser -CountVariable CountVar -Filter "Department eq 'Finance'" -Sort "displayName" -Property "id,displayName,department" -ConsistencyLevel eventual 

Unfortunately, the only information it will not show in the PowerShell code is the Connection-MgGraph method and permission scope. So don’t forget, if you are running this code in PowerShell, the permissions you previously consented to in the Graph Explorer tools will not apply. You must either Consent to the permissions during the Connect-MgGraph command or apply this to the Azure AD Application in advance.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

Leave a Reply