Microsoft Graph Explorer is one of the simplest and most convenient tools for improving your understanding of the Graph API and developing scripts with PowerShell, bridging the gap between developers and us admins. The tool is not limited to PowerShell either; it is still heavily used by software developers working in languages such as C#, Go, Java and JavaScript.
In this tutorial, I am going to take you through getting started with the Microsoft Graph Explorer tool to aid you with migrating to Microsoft Graph PowerShell from legacy modules such as AzureAD or MSOL.
How to log in to Microsoft Graph Explorer
Start by opening your preferred web browser and navigating to the Microsoft Graph Explorer link below:
https://developer.microsoft.com/en-us/graph/graph-explorer
To log in and connect the tool to your tenant, click the profile icon at the top right of the page. This loads a pop-out window prompting you to sign in to your tenant.
When prompted, sign in with global admin credentials. While you use the tool, you will need to consent to different permissions for the Graph Explorer application in Azure AD, and granting that consent requires global admin rights.
Once you sign in, an Enterprise application named Graph Explorer is registered in Azure Active Directory. You can view the application by logging into https://entra.microsoft.com, expanding Applications, then selecting Enterprise applications.
You may notice that the Application ID for the Graph Explorer app is identical across all Microsoft tenants: de8bc8b5-d9f9-48b1-a8ad-b748da725064. This poses some security risks, which we will address later in this book.
Navigating the tool
Microsoft has done well with the user experience of this tool: navigation is quick, easy and intuitive once you learn your way around it. Below you will find screenshots of the Microsoft Graph Explorer tool where any points of interest have been highlighted:
The sample queries tab provides you with a list of pre-set, simple queries from Microsoft to help you get, create and modify resources.
The resource tab provides a list of all available resources you can query in Microsoft Graph. You are also able to switch between v1.0 and the Beta version of Graph, which can impact the availability of resources.
The history tab provides you with a list of all queries you have made using the Graph Explorer tool in the last 30 days.
On the remainder of the page (everything to the right of the previous image), you will find all the tools and information for creating and handling requests, and managing responses.
Using sample queries
Sample queries are easy to use and convenient queries provided to you by Microsoft to help get you started with the Graph Explorer tool. Although samples are not provided for every resource, a list of common resources is made available for you to query.
Let’s say you want to get a list of all groups in your organisation. You can do so with a sample query. Start by selecting the Sample queries tab, then search for Groups.
Expand the Groups tab and select list all groups in my organisation.
You will notice that the query box is automatically filled out with the information for the selected request. Once that is done, click Run query to see your results.
From the response preview tab, you can see the response for your query which will include a list of all groups in your organisation.
Consenting to permissions
Occasionally, you may find that when you attempt to run a query, you are met with a red warning banner and an error in the response preview like the following.
{
    "error": {
        "code": "AccessDenied",
        "message": "You cannot perform the requested operation, required scopes are missing in the token.",
        "innerError": {
            "date": "2023-06-13T15:17:39",
            "request-id": "6e3bbe1f-270f-4030-b6e0-ed13e25e4902",
            "client-request-id": "8791dfff-cf8a-60ec-ad16-1202022a920e"
        }
    }
}
In this case, I attempted to list all conditional access policies in my organisation, however, the error states that I do not have the required permission scopes to complete this request.
The red warning banner provides us with similar information, however, it also advises us on the resolution to the issue.
In order to complete this request, we need to grant the necessary Graph permissions to the Graph Explorer application in Azure AD using consent from a Global Administrator. To do this, select the Modify permissions tab. You will see the necessary permissions have helpfully already been listed on the page. Click Consent next to the relevant permission, then follow the steps on the screen to grant consent to the requested permissions.
Once complete, re-run your query and the response should return OK.
The permissions you consent to here are permanently consented to the Graph Explorer tool and will remain available after signing out and back in. Follow the steps in Chapter 4 to learn how to remove permissions that you have previously consented to.
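Because consent persists, it is worth reviewing what Graph Explorer has been granted in your tenant. The script below is an added example, not part of the original tutorial; it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules are installed and that Directory.Read.All is sufficient to read the service principal and its grants.

```powershell
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

# Assumption: Directory.Read.All covers reading service principals and delegated grants.
Connect-MgGraph -Scopes 'Directory.Read.All'

# Application ID of Graph Explorer as given in the text (identical in every tenant).
$graphExplorerAppId = 'de8bc8b5-d9f9-48b1-a8ad-b748da725064'

$sp = Get-MgServicePrincipal -Filter "appId eq '$graphExplorerAppId'"
if (-not $sp) {
    Write-Warning 'Graph Explorer has no enterprise application in this tenant.'
    return
}

# Each grant is one consent record: tenant-wide (AllPrincipals) or per user (Principal).
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All

$report = foreach ($grant in $grants) {
    # Resolve the API the scopes apply to (normally Microsoft Graph).
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId

    # The Scope property is a single space-separated string; split it into rows.
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{
            Resource    = $resource.DisplayName
            Scope       = $scope
            ConsentType = $grant.ConsentType
            PrincipalId = $grant.PrincipalId
            # Heuristic only: flags scopes whose name suggests write access.
            WriteAccess = $scope -match 'Write'
        }
    }
}

$report | Sort-Object ConsentType, Scope | Format-Table -AutoSize
```

Rows with ConsentType AllPrincipals apply to every user who signs in to Graph Explorer, so those are the first ones to review.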
Retrieving PowerShell Code
One of the best features of the Graph Explorer tool is how simply it converts your custom queries into PowerShell code, which you can then incorporate into your scripts. It can also convert queries into other languages such as C#, Go, Java and JavaScript.
To retrieve the equivalent PowerShell code for your query, first run the query and confirm the output is as expected. Here is my example:
https://graph.microsoft.com/v1.0/users?$count=true&$filter=Department eq 'Finance'&$orderBy=displayName&$select=id,displayName,department
This query will filter for all users in the Finance department, then sort the results by the DisplayName attribute while only returning the user’s ID, DisplayName and Department values.
From the bottom section of the screen, select Code Snippets.
Then select the PowerShell tab to display the PowerShell code:
Use the copy button at the top right of the PowerShell window to copy your PowerShell code:
Here are the results:
Import-Module Microsoft.Graph.Users
Get-MgUser -CountVariable CountVar -Filter "Department eq 'Finance'" -Sort "displayName" -Property "id,displayName,department" -ConsistencyLevel eventual
Unfortunately, the one thing the PowerShell code does not show is the Connect-MgGraph command and the permission scope. So don’t forget: if you are running this code in PowerShell, the permissions you previously consented to in the Graph Explorer tool will not apply. You must either consent to the permissions during the Connect-MgGraph command or apply them to the Azure AD application in advance.
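The snippet above with the missing connection step filled in, as an added example that is not generated by Graph Explorer. It assumes User.Read.All is the delegated scope needed for this query and checks that the token actually carries it before running.

```powershell
Import-Module Microsoft.Graph.Users

# Assumption: User.Read.All is the delegated scope required to read other users' profiles.
$requiredScopes = @('User.Read.All')

# Prompts for sign-in and, if not already granted, for consent to the listed scopes.
Connect-MgGraph -Scopes $requiredScopes

# Fail early with a clear message instead of the "required scopes are missing" error.
$missing = $requiredScopes | Where-Object { $_ -notin (Get-MgContext).Scopes }
if ($missing) {
    throw "Missing scopes in token: $($missing -join ', ')"
}

# Same query as the generated snippet; -All pages through every result.
$users = Get-MgUser -CountVariable CountVar -Filter "Department eq 'Finance'" `
    -Sort 'displayName' -Property 'id,displayName,department' `
    -ConsistencyLevel eventual -All

"Finance users: $CountVar"
$users | Select-Object Id, DisplayName, Department
```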