I’ve spent the past few days wrestling with using Microsoft Graph with PowerShell, and it hasn’t been fun. Let me explain.
The first issue is that you can’t use the connect-graph command in the PowerShell ISE in Windows 10. If you do, you just get a flashing cursor as shown above that eventually times out.
If you repeat the same process in either Windows Terminal (above) or the PowerShell command you are taken through the standard device login browser process as expected.
After that, if you return to the ISE (above) and repeat the command connect-graph, you receive a message telling you that you are connected by virtue of the token from the previous Windows Terminal session.
If you run the preferred Graph command get-mguser (above) you see that the AssignedLicenses and AssignedPlans attributes are blank.
If you now run my script:
https://github.com/directorcia/Office365/blob/master/Intune-connect.ps1
You also get connected to the Microsoft Graph as I highlighted here, but specifically to the Intune portion of the Graph:
New Intune connection PowerShell script
Typically, this type of connection is also designed for device management with PowerShell and works very well. However, because device management also requires access to users, we can also get access to user data via the Graph.
You achieve this by running the following script after connecting to Intune Graph:
$uri = "https://graph.microsoft.com/beta/users"
$users = (Invoke-MSGraphRequest -Url $uri -HttpMethod GET).Value
$users
which, as you see above, gives you user output similar to before but with far more detail, as demonstrated by the assignedLicenses and assignedPlans attributes highlighted above.
Just to prove there is no smoke and mirrors here, above is the output of the command get-mguser used after the connect-graph command (i.e. the non-Intune connection method).
Clearly, the data is in the Graph, but the command get-mguser does not yet seem to support pulling all this down from what I see. I hope someone can point out the error of my ways here, but to create the reporting and automation I REALLY want, it looks like I’m going to have to either use the PowerShell Intune module or revert to using the full web based invoke-request to get what I’m after.
What kind of worries me a little is that the Intune PowerShell project seen above and at:
https://github.com/microsoft/Intune-PowerShell-SDK
that works REALLY well, hasn’t seen any updates in 2 years! There are 57 outstanding issues at the time of writing this blog, including two from me because not all the native wrapper commands work as expected. Are they being attended to at all I wonder?
In summary then, I’m in somewhat of a quandary about using PowerShell with the Microsoft Graph. Specific stuff like the Intune SDK works well using the invoke-msgraphrequest command. It is easy to set up and manage the permissions for. On the other hand, the more general Graph commands like get-mguser don’t as yet seem to return as much information as they could. As well as the Intune SDK works, I’m kind of afraid that it will not see future development.
So where should I invest my time to continue automating Microsoft 365 administration? Suggestions, anyone?
One of the downsides of projecting the Microsoft Graph API into PowerShell is that the quirks come for free. The User entity on Microsoft Graph v1.0 only returns a subset of the properties. You can use the -select parameter to explicitly choose the parameter you want to return or you can switch to the beta API and you will get them all.
You can use this,
Set-MgProfile beta
to switch to beta.
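The licence report the post is after, as an added example (not code from the post or from the commenters). It requests only the needed properties with `$select` and follows Graph paging, which a single `.Value` read does not. It assumes the Intune connection from Intune-connect.ps1 is already established and that the response exposes `@odata.nextLink` as a property; `Get-UserLicenceReport` and its parameter are hypothetical names.

```powershell
# Added example. Assumes Invoke-MSGraphRequest (Intune PowerShell SDK) is available
# and that the session is already connected as described in the post.
function Get-UserLicenceReport {
    param(
        # Hypothetical parameter: the user properties to request from Graph.
        [string[]]$Property = @('id', 'displayName', 'userPrincipalName',
                                'assignedLicenses', 'assignedPlans')
    )

    # Single quotes stop PowerShell from expanding $select as a variable.
    $uri = 'https://graph.microsoft.com/beta/users?$select=' + ($Property -join ',')

    $report = while ($uri) {
        $page = Invoke-MSGraphRequest -Url $uri -HttpMethod GET

        foreach ($user in $page.value) {
            [pscustomobject]@{
                UserPrincipalName = $user.userPrincipalName
                DisplayName       = $user.displayName
                # One entry per assigned licence; empty string when unlicensed.
                SkuIds            = @($user.assignedLicenses.skuId) -join ';'
                # Distinct services whose plan is currently enabled.
                EnabledServices   = @($user.assignedPlans |
                    Where-Object capabilityStatus -eq 'Enabled' |
                    Select-Object -ExpandProperty service -Unique) -join ';'
            }
        }

        # Graph returns large collections one page at a time; keep following
        # the next-page link until the response no longer carries one.
        $uri = $page.'@odata.nextLink'
    }

    $report
}

Get-UserLicenceReport | Sort-Object UserPrincipalName | Format-Table -AutoSize
```

Asking for a named set of properties also keeps the report from pulling user attributes it never uses.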
Unfortunately, changing to beta seems not to be working. It still fails, respectively returns empty entries for i.e. AssignedPlans.
Graph PowerShell is an effing mess. The documentation is absolute sh*te, the number of hoops you need to jump through to do a simple task is unbelievable.
Someone needs to cram this baby back in the oven until it is done.