Accessing Microsoft Graph With PowerShell

Question

I've been having a hell of a time trying to access the Microsoft Graph using PowerShell.

First I tried using the authorization flow and Invoke-WebRequest and Invoke-RestMethod neither of which I could get to work.

Then I found this blog that showed how to do it using PowerShell and a couple of the Azure modules. Below is the code I'm using (ripped right from that blog) but every time I get to the Invoke-RestMethod (in the do-while loop) instead of getting the result of the query I get a 403 Forbidden error:

Invoke-RestMethod : The remote server returned an error: (403) Forbidden.

Function GetAuthToken {
    Param (
        [Parameter()]
        $TenantName
    )
    Import-Module Azure
    $clientId = "1950a258-227b-4e31-a9cf-717495945fc2"
    $resourceAppIdURI = "https://graph.microsoft.com"
    $authority = "https://login.microsoftonline.com/$TenantName"
    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    $Credential = Get-Credential
    $AADCredentialUser = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $credential.UserName, $credential.Password
    $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $AADCredentialUser)
    Write-Output $authResult
}

Function GetAllObjectOfType {
    param
    (
        [Parameter(Mandatory = $true)]
        $Tenant,
        [Parameter(Mandatory = $true)]
        $Type,
        [Parameter(Mandatory = $false)]
        $BatchSize = 100,
        [Parameter(Mandatory = $false)]
        $Version = 'Beta'
    )

    #------Get the authorization token------#
    $token = GetAuthToken -TenantName $tenant

    #------Building Rest Api header with authorization token------#
    $authHeader = @{
        'Content-Type'  = 'application/json'
        'Authorization' = $token.CreateAuthorizationHeader()
    }

    #------Initial URI Construction------#
    #$uritest = "https://graph.microsoft.com/v1.0/users/[email protected]/mailFolders/Inbox/childFolders"
    $uritest = "https://graph.microsoft.com/v1.0/me/mailFolders/Inbox"
    #Join-Path -Path ''
    $ObjCapture = @()
    do {
        $users = Invoke-RestMethod -Uri $uritest -Headers $authHeader -Method Get
        $FoundUsers = ($Users.value).count
        write-host "URI" $uri " | Found:" $FoundUsers
        #------Batched URI Construction------#
        $uri = $users.'@odata.nextlink'
        $ObjCapture = $ObjCapture + $users.value

    }until ($uri -eq $null)
    $ObjCapture
}

I can run this same query (/v1.0/me/mailFolders/Inbox) from the Graph Explorer and it runs perfectly fine with no errors.

The GetAuthToken seems to be working as I do get a token back with an expiry, refresh token, etc and the $token.CreateAuthorizationHeader() also returns the correct Authorization = Bearer token

I've never done anything with the Microsoft Graph before so I'm sure there is something I'm doing wrong but I cannot for the life of me figure out what.

Answer 1

You cannot reuse the clientid from that blog post. You need to obtain your own clientid by registering your application. See Register your app with the Azure AD v2.0 endpoint for details on how to register your app.

Answer 2

This seems like it was answered in a follow-up blog post from the same source.

When an App is created, by default it has rights to access only the data of the user that had signed in with the account though the “Sign in and read user profile” delegated permissions. If you try to execute a script that uses this AppID/ClientID to query Azure AD to get a list of all users in the directory, you would receive an error stating (403) Forbidden because it didn’t have adequate permissions to do that activity.