Introduction
When connecting to Microsoft Graph PowerShell, it is important to determine which permissions the connection needs, because the consented scopes determine which cmdlets we can run and which objects we can manage with Graph PowerShell. Microsoft provides a handy pair of cmdlets for discovering cmdlets and for determining the permissions those cmdlets require. Let's start with the Find-MgGraphPermission cmdlet, which is documented in the Microsoft Learn documentation for Graph PowerShell:
Get-Help Find-MgGraphPermission -Examples
This cmdlet has five examples:
Trying the cmdlet out, its output describes permissions but does not correlate them with the cmdlets that need them:
What other cmdlets can we try to find this? Find-MgGraphCommand appears to be a solution.
Find-MgGraphCommand
Next up, we have the Find-MgGraphCommand cmdlet which we can use to expose the permissions required to run Microsoft Graph PowerShell cmdlets. How do we do this?
Examples
Example 1 for the cmdlet reveals that a Permissions property exists for each of the Graph cmdlets:
We should be able to use the Find-MgGraphCommand cmdlet to query this information for any cmdlet we need to know about. Be aware that some cmdlets do have empty permission sets:
PowerShell
For this example we will look for all commands that are in the Microsoft Graph Groups module which means we need to look at all Graph PowerShell cmdlets and filter for the ‘Microsoft.Graph.Groups’ module:
Get-Command | Where Source -eq Microsoft.Graph.Groups
Truncated list (from 319 cmdlets):
OK, so we have a list of cmdlets, and we know that the Find-MgGraphCommand cmdlet can pull the permissions for a cmdlet. What do the results look like when we query a single cmdlet?
Find-MgGraphCommand -command New-MgGroupSetting | fl
Now that we can pull the complete list of Groups cmdlets and know which properties we need from the Find-MgGraphCommand output, we can put together a quick script to gather the permissions required for each cmdlet. First line:
$MgGroupCommands = Get-Command | Where Source -eq Microsoft.Graph.Groups
All of the cmdlets from this PowerShell module are now stored in the $MgGroupCommands variable. Next, we set up our output file with a destination and column headers:
$Outfile = 'C:\downloads\qa\graph\GraphPermissionsFile.txt'
'Command | URI | Permissions' | Out-File -FilePath $Outfile
Note: The pipe symbol ('|') is used as the delimiter in the file because some of the data that is pulled contains special characters (/, {, }, etc.). With this delimiter, importing into Excel should be easier and should create the correct columns for review. We then need to loop through each cmdlet in the $MgGroupCommands variable:
Foreach ($MgGroupCommand in $MgGroupCommands) {
Add a flag for error handling:
$Caught = $False
In this code section, Try/Catch handles the case where a cmdlet is not found or the query fails for some reason. Otherwise, the $Results variable stores information about the cmdlet (name, APIVersion, URI and Permissions, for example). Note that $MgGroupCommand is a CommandInfo object, so we pass its Name property to the -Command parameter:
Try {
    $Results = Find-MgGraphCommand -Command $MgGroupCommand.Name -ApiVersion v1.0 -ErrorAction Stop
} Catch {
    $Results = $Null
    $Caught = $True
}
If no exception was caught ($Caught is $False), we can process the information about the cmdlet. A cmdlet can map to more than one URI, so we loop over each result:
If (!$Caught) {
    Foreach ($Result in $Results) {
The URI of the current result is stored in a variable:
$Uri = $Result.URI
Then all permission names for the current result are extracted (an empty permission set simply yields an empty list here):
$PermissionGroup = $Result.Permissions.Name
The list is then joined into one line, which will be in one column of the output:
$Permissions = $PermissionGroup -join ','
Finally, each line (command, URI and permissions) is appended to our output file and the loops are closed:
"$($MgGroupCommand.Name) | $URI | $Permissions" | Out-File -FilePath $Outfile -Append
    }
}
}
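The script above, assembled end to end, plus two things the walkthrough calls out but does not implement: recording an empty permission set explicitly (rather than a blank cell) and a least-privilege spot check over the result. This is an added example, not code from the original post. It assumes the Microsoft.Graph.Authentication module and the target module are installed, that Find-MgGraphCommand works offline without Connect-MgGraph, that each result carries Command, Method, URI and Permissions properties (Method is assumed; the post only shows URI and Permissions), and that the output path under $env:TEMP is a hypothetical choice.

```powershell
# Added example: per-cmdlet permission inventory for one Microsoft Graph PowerShell module.
# Not the original post's code. Assumes Microsoft.Graph.Authentication and the target
# module are installed and that Find-MgGraphCommand runs offline (no Connect-MgGraph needed).
param(
    [string]$Module  = 'Microsoft.Graph.Groups',
    [string]$OutFile = (Join-Path $env:TEMP 'GraphPermissionsFile.csv')   # hypothetical path
)

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
Import-Module $Module -ErrorAction Stop

$rows = foreach ($cmd in Get-Command -Module $Module) {
    try {
        # Pass the cmdlet name, not the CommandInfo object. One cmdlet can map to
        # several URIs/variants, so expect an array back.
        $results = Find-MgGraphCommand -Command $cmd.Name -ApiVersion v1.0 -ErrorAction Stop
    } catch {
        Write-Warning "No Graph metadata for $($cmd.Name): $($_.Exception.Message)"
        continue
    }

    foreach ($r in $results) {
        # Some cmdlets carry an empty permission set; record that explicitly so it
        # cannot be mistaken for "no permission required" during review.
        $names = @($r.Permissions | ForEach-Object Name | Sort-Object -Unique)
        [pscustomobject]@{
            Command     = $r.Command
            Method      = $r.Method          # assumed property (GET/POST/PATCH/DELETE)
            URI         = $r.URI
            Permissions = if ($names.Count) { $names -join ',' } else { '<none listed>' }
        }
    }
}

# Export-Csv quotes fields, so URIs containing '/', '{' or '}' import cleanly into Excel
# without needing a custom delimiter.
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) rows to $OutFile"

# Least-privilege spot check: cmdlets whose listed permissions include no *.Read.* scope
# can only be run with a write scope, so keep them out of read-only reporting identities.
$rows |
    Where-Object {
        $_.Permissions -ne '<none listed>' -and
        -not (($_.Permissions -split ',') | Where-Object { $_ -match '\.Read(\.|$)' })
    } |
    Select-Object Command, Method, URI, Permissions |
    Format-Table -AutoSize
```

Run it as `.\Get-GraphModulePermissions.ps1 -Module Microsoft.Graph.Users` (script name hypothetical) to inventory a different module. The '<none listed>' marker is deliberate: the metadata being empty is a gap to investigate in the Graph API reference, not evidence that the cmdlet works unauthenticated.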
Raw Output
A raw output file looks like this [CSV]
Imported into Excel, the same data comes through with the intended columns:
We can then review the Permissions column to see what permissions grant the access for a user needing to run a cmdlet.