Getting Started with MS Graph, Step-by-Step (Part 2) - Connect to the API

In Part 1 of Getting Started with MS Graph, we covered the basics of completing an app registration in Azure.

In this Part 2, we will cover how to connect to the MS Graph REST API and provide some samples of the cool stuff you can do with it. Let's go!

Obtaining the Authentication Token

In order to connect to the MS Graph REST API using the app registration we created in Part 1, we need an authentication token (an access token). To acquire this token, we will leverage the Microsoft Authentication Library (MSAL).

“The Microsoft Authentication Library (MSAL) enables developers to acquire tokens from the Microsoft identity platform in order to authenticate users and access secured web APIs. It can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. MSAL supports many different application architectures and platforms including .NET, JavaScript, Java, Python, Android, and iOS.”

Learn about MSAL - Microsoft Entra | Microsoft Docs

We won't cover MSAL in detail here, but if you need or want more background, Microsoft provides additional detailed information on MS Graph authentication.

The authentication token will allow us to construct the Authorization header that is required on every request to the MS Graph REST API.

A PowerShell module is available that wraps MSAL.NET functionality into PowerShell-friendly cmdlets. This module is called “MSAL.PS”. For additional detailed information regarding this module, refer to the MSAL.PS GitHub repository and its PowerShell Gallery page.

For the purpose of this demo I will be using PowerShell Core. MSAL.PS will also work on Windows PowerShell.

To start, check to see if you have the “MSAL.PS” module already installed.

Get-InstalledModule | Where-Object{$_.Name -eq "MSAL.PS"}

If not, install it.

Install-Module MSAL.PS

For detailed instructions on how to install the MSAL.PS module, refer to GitHub.

With the MSAL.PS module successfully installed, let’s create the authentication token for an interactive user session with the MS Graph API, using the app registration we created in Part 1.

You will need the following information:

Application ID – You can find this on the Overview page of the App Registration you created in Part 1.

Tenant ID – You can find this on the Overview page of the App Registration you created in Part 1.

Scope – refers to the permissions requested during authentication. For instance, you may only need read access to users in Azure AD.

For this particular blog demo, our scope would be "User.Read.All".

If you needed to write user attributes in Azure AD, our scope would be “User.ReadWrite.All”.

As you might guess, devices follow the same convention (“Device.Read.All”, etc.).

Additionally, broader permissions are available if multiple object types need to be accessed, for instance “Directory.Read.All”. Request the narrowest scope that covers what you actually need, since a token carrying a broad permission can do correspondingly more if it is ever exposed.

For additional detailed information on MS Graph permissions, check out the Microsoft Graph Permission Reference.

Here is an example of the permissions associated with a specific action (Get User): Get a user - Microsoft Graph v1.0 | Microsoft Docs
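Putting the pieces above together, here is an added example (not code from the original post) that acquires a delegated token with MSAL.PS, checks what was actually granted, builds the Authorization header, and queries users. The Application ID and Tenant ID values are placeholders for the ones from your own App Registration, and the Get-GraphCollection helper is something I wrote for this example rather than a cmdlet from MSAL.PS. It also assumes the app registration from Part 1 has a public-client redirect URI configured, which interactive sign-in requires.

```powershell
# Added example, not part of the original post. Requires the MSAL.PS module (Install-Module MSAL.PS).
Import-Module MSAL.PS

$ClientId = '00000000-0000-0000-0000-000000000000'   # placeholder: Application (client) ID from the Overview page
$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: Directory (tenant) ID from the Overview page

# Request only the permission the task needs (least privilege). The scope string is the
# Graph resource URI followed by the permission name from the Permission Reference.
$Scopes = @('https://graph.microsoft.com/User.Read.All')

# -Interactive opens a browser sign-in for a delegated (user) session.
# Assumption: the Part 1 app registration has a public-client redirect URI for this flow.
$Token = Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes $Scopes -Interactive

# Check the token before using it: when it expires, and which scopes were actually granted
# (consent can leave you with fewer than you requested).
"Token expires (UTC): {0}" -f $Token.ExpiresOn.UtcDateTime
"Scopes granted:      {0}" -f ($Token.Scopes -join ', ')

# The bearer token goes in the Authorization header of every Graph request.
# Do not write $Token.AccessToken to logs or transcripts; it is a credential.
$Headers = @{ Authorization = "Bearer $($Token.AccessToken)" }

# Hypothetical helper (mine, not MSAL.PS): Graph returns large collections in pages,
# so follow @odata.nextLink until it is absent and return the combined result.
function Get-GraphCollection {
    param(
        [Parameter(Mandatory)] [string]    $Uri,
        [Parameter(Mandatory)] [hashtable] $Headers
    )
    $results = @()
    while ($Uri) {
        $page     = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers -ErrorAction Stop
        $results += $page.value
        $Uri      = $page.'@odata.nextLink'
    }
    return $results
}

# List users; $select limits the response to the attributes we need. Single quotes keep
# PowerShell from treating $select and $top as variables.
$Users = Get-GraphCollection -Headers $Headers `
    -Uri 'https://graph.microsoft.com/v1.0/users?$select=id,displayName,userPrincipalName&$top=100'
$Users | Select-Object displayName, userPrincipalName | Format-Table -AutoSize

# Get a single user (the "Get a user" action referenced above), here the signed-in user.
# If the call is denied, the error message tells you why (typically insufficient privileges),
# which is the first thing to check when a scope is wrong.
try {
    $Me = Invoke-RestMethod -Method Get -Uri 'https://graph.microsoft.com/v1.0/me' -Headers $Headers -ErrorAction Stop
    "Signed in as: {0}" -f $Me.userPrincipalName
}
catch {
    Write-Warning "Graph request failed: $($_.Exception.Message)"
}
```

If "Scopes granted" does not list User.Read.All, the user or an administrator has not consented to that permission on the app registration, and the users query will fail with a 403; fix the consent rather than widening the scope to Directory.Read.All.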