I’ve spent the past few day wrestling with the using Microsoft Graph with PowerShell, and it hasn’t been fun. Let me explain.
The first issue is that you can’t use the connect-graph command in the PowerShell ISE in Windows 10. if you do, you just get a flashing cursor as shown above that eventually times out.
If you repeat the same process in wither Windows terminal (above) or the PowerShell command you are taken through the standard device login browser process as expected.
After that, if you return to the ISE (above) and repeat the command connect-graph, you receive a message telling you that you are connected by virtue of the token from the previous Windows Terminal session.
If you run the preferred Graph command get-mguser (above) you see that the AssignedLicenses and AssignedPlans attributes are blank.
If you now run my script:
https://github.com/directorcia/Office365/blob/master/Intune-connect.ps1
You also get connected to the Microsoft Graph as I highlighted here, but specifically to the Intune portion of the Graph:
New Intune connection PowerShell script
Typically, this type of connection is also designed for device management with PowerShell and work very well. However, because device management also requires access to users, we can also get access to user data via the Graph.
You achieve this by running the following script after connecting to Intune Graph:
$uri = “https://graph.microsoft.com/beta/users”
$users = (Invoke-MSGraphRequest -Url $uri -HttpMethod GET).Value
$users
which you see above gives you similar to the user options before but with far more detail as demonstrated by the assignedLicenses and assignedPlans highlighted previously highlight above.
Just to prove there is no smoke and mirrors here, above the output of the command get-mguser used after the connect-graph command (i.e. the non-Intune connection method).
Clearly, the data is in the Graph, but the command get-mguser does not yet seem to support pulling all this down from what I see. I hope someone can point out the error of my ways here but to create the reporting and automation I REALLY want looks like I’m to either have to use the PowerShell Intune module or revert to using the full web based invoke-request to get what I’m after.
What kind of worries me a little is that Intune PowerShell project seen above and at:
https://github.com/microsoft/Intune-PowerShell-SDK
that works REALLY well, hasn’t seen any updates in 2 years! There are 57 outstanding issues at the time of writing this blog, including two from me because not all the native wrapper commands work as expected. Are they being attended to at all I wonder?
In summary then, I’m in somewhat of quandary about using PowerShell with the Microsoft Graph. Specific stuff like the Intune SDK works well using the invoke-msgraphrequest command. It is easy to setup and manage the permissions for. On the other hand, the more general Graph commands like get-mguser don’t as yet seem to return as much information as they could. As well as the Intune SDK works I’m kind of afraid that it will not see future development.
So where should I invest my time to continue automating Microsoft 365 administration? Suggestion anyone?
CIAOPS 
One of the downsides of projecting the Microsoft Graph API into PowerShell is that the quirks come for free. The User entity on Microsoft Graph v1.0 only returns a subset of the properties. You can use the -select parameter to explicitly choose the parameter you want to return or you can switch to the beta API and you will get them all.
You can use this,
Set-MgProfile beta
to switch to beta.
LikeLike
Unfortunately, changing to beta seems not to be working. It still fails, respectively returns empty entries for i.e. AssignedPlans.
LikeLike
Graph powershell is a effing mess. The documentation is absolute sh*te, the number of hoops you need to jump through to do a simple task is unbelieveable.
Someone needs to cram this baby back in the oven until it is done
LikeLike
My never ending challenge of using Powershell, is finding the correct modules to successfully run the commands.
EX: Get-IntuneDevicePrimaryUser
The term “Get-IntuneDevicePrimaryUser” is not recognized as a name of a cmdlet, function, script file, or operable program ….
And here I hit the never ending wall of using Powershell
What module is required, and how do I “translate” the command into finding a correct module name?
LikeLike
Typically you need the Microsoft.Graph module but that contains EVERYTHING in the Graph and can a long time to install and update. Get-Intune* commands use Microsoft.Graph.Intune ‘sub’ module. I have created a free Intune connect script at https://github.com/directorcia/Office365/blob/master/Intune-connect.ps1 that may help.
LikeLike
PS C:\WINDOWS\system32> Import-Module Microsoft.Graph.Intune
PS C:\WINDOWS\system32> Get-IntuneDevicePrimaryUser -Device dtp-xxxx Get-IntuneDevicePrimaryUser : The term ‘Get-IntuneDevicePrimaryUser’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1 + Get-IntuneDevicePrimaryUser -Device dtp-xxxx + ~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Get-IntuneDevicePrimaryUser:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException
Thank You,
Christopher (Chris) Markis Help Desk Support Technician/Information Technology Helpdesk: 575-528-3202 [color-60 (4)]
LikeLike
That command doesn’t work here either so MS clearly have changed things. I’m not a fan of the mirosoft.graph.intune module and those commands. See – https://blog.ciaops.com/2022/08/12/inconsistent-intune-powershell-module-results/. I use http requests directly now in everything I do. Anything else has inconsistencies.
LikeLike
Personally, I think it is time to move away from the get-intune* stuff as I get the impression MS hasn’t maintained that for years and is now woefully outta. You need to move to the direct HTTP request and call the MS Graph directly in your own code via a HTTP request unfortunately.
LikeLike
Ah ha, announced today – https://techcommunity.microsoft.com/t5/intune-customer-success/update-to-microsoft-intune-powershell-example-script-repository/ba-p/3842452. That repo you are using is old and replaced with https://github.com/microsoft/mggraph-intune-samples that uses the Connect-MgGraph command to sign in with the required scopes.
LikeLike
Good Monday Morning
And all I’m trying to do is to “Get the Primary User” of a computer. And “Set the Primary User” of a computer.
Without all the cross checks, and verifications.
“KIS” Keep it Simple
I thought I would be able to create a simple, to the point, “half-page script”, instead of these 2 – 6 page scripts I’ve been seeing (??).
Any recommendations of something barebones, and “Simple” that would do what I’m attempting?
Respectfully,
Christopher (Chris) Markis Help Desk Support Technician/Information Technology Helpdesk: 575-528-3202 [color-60 (4)]
LikeLike
I suggest you look in https://github.com/microsoft/mggraph-intune-samples
LikeLike
get-mgdevice – https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdevice?view=graph-powershell-1.0 is also probably a good start
LikeLike