Introduction
A couple of weeks ago we reviewed how to go through the Graph cmdlets and also exposed all of the submodules that are present in the Graph PowerShell module – read about that here. Now we are going to explore each of these submodules and break down as many of the cmdlets in each module as possible. One module, the Microsoft.Graph.Authentication module, has already been broken down in this article. Looking over the list of submodules, we have quite a few to choose from. For this post we will review another small module, ‘Microsoft.Graph.Identity.DirectoryManagement’. This submodule contains quite a few cmdlets, which we will not be able to cover in one article; however, we will cover a fair chunk and follow up with more articles in the coming weeks and months.
Available Cmdlets
First, we need to list all cmdlets in the module:
Get-Command | Where Source -eq Microsoft.Graph.Identity.DirectoryManagement
… This results in 352 cmdlets which is way too many for one blog post for sure … so we’ll start with the Get based cmdlets of which there are 73.
Get-Command Get-* | Where Source -eq Microsoft.Graph.Identity.DirectoryManagement
Here we go.
Get-* Cmdlets
In this section we will break down some of the Get cmdlets for this module to give you a flavor of what you can use them for.
Get-MgContact
With this cmdlet we can pull information on Organizational contacts that exist in a tenant and query information about those contact objects. For example, a quick list of contacts would look like this:
Using a single contact ID we can further dig into contact details.
Get-MgContact -OrgContactId 1aa8f9d5-786c-49f3-97d3-9ee3c18c9ca0
There are four properties which list ‘Microsoft.Graph.PowerShell …’ as their value. We can expand upon each, like so [two examples]:
Get-MgContactById
Similar to the previous cmdlet, but we retrieve contacts using their ObjectId in the tenant.
Get-MgContactById -Ids 1aa8f9d5-786c-49f3-97d3-9ee3c18c9ca0
Much different results than the previous cmdlet, but we should be able to see more with a Format List.
Using Format List:
Get-MgContactById -Ids 1aa8f9d5-786c-49f3-97d3-9ee3c18c9ca0 | fl
A little better, but the values for the object seem to be placed in the ‘AdditionalProperties’ property of the object.
We can expand that property like so:
(Get-MgContactById -Ids 1aa8f9d5-786c-49f3-97d3-9ee3c18c9ca0).additionalproperties
Now we see a similar data set to what we received with Get-MgContact. We are missing manager from the list, member of and a few other properties, but nonetheless:
((Get-MgContactById -Ids 1aa8f9d5-786c-49f3-97d3-9ee3c18c9ca0).additionalproperties).phones | fl
We are missing some data, but otherwise the cmdlets are similar to each other.
Get-MgContactDelta
The help for this cmdlet is unhelpful both online and in the Get-Help section of the module. When the cmdlet is run, the list is essentially the same as Get-MgContact. In a test environment it shows some sorting taking place with the GivenName field, but otherwise the output is the same.
Get-MgContactDirectReport
This cmdlet seems a bit odd in that it retrieves direct reports for contacts. Since contacts are not employees, one would wonder why a manager would be recorded for a contact. Well, it is possible, and it can be detected or listed with this cmdlet as well as the Get-Contact cmdlet in Exchange Online, but not, ironically, with the Get-MailContact cmdlet.
Get-Recipient (Get-MgContactDirectReport -OrgContactId <guid of mail contact>).Id
This provides the direct reports for a mail contact in a tenant:
Get-MgContactManager
Similar to the previous cmdlet, this one will pull the manager listed for contacts. Since contacts are not employees, one would wonder why a manager would be recorded for a contact. Well, it is possible, and it can be detected or listed with this cmdlet as well as the Get-Contact cmdlet in Exchange Online, but not, ironically, with the Get-MailContact cmdlet.
Get-MgContactManager -OrgContactId <guid of mail contact>
Identifying a contact's manager:
Get-MgUser -UserId (Get-MgContactManager -OrgContactId <guid of mail contact>).Id
Get-MgContactMemberGroup
With this cmdlet, we can take the Directory Id of an object in a tenant to see what groups that object is a member of. Example of a single contact query:
Get-MgContactMemberGroup -OrgContactId 54336451-2d16-4158-8a9a-d20672157ba9 -SecurityEnabledOnly:$False
We can extend this to a large number of contacts. A small script can query the groups for each contact using Get-MgContactMemberGroup and then pass those IDs to Get-MgGroup to get the name of each group for reference.
# $IDs is assumed to already hold the contact object IDs to check, e.g. $IDs = (Get-MgContact -All).Id
Foreach ($ID in $IDs) {
    # Group IDs this contact is a member of
    $GroupID = Get-MgContactMemberGroup -OrgContactId $ID -SecurityEnabledOnly:$False
    $Contact = (Get-MgContact -OrgContactId $ID).DisplayName
    If ($Null -ne $GroupID) {
        $SplitIds = $GroupID.Split("`n")
        Foreach ($SplitID in $SplitIds) {
            # Resolve each group ID to its display name
            $GroupName = (Get-MgGroup -GroupId $SplitID).DisplayName
            Write-Host "$Contact is in " -NoNewLine
            Write-Host "$GroupName" -ForegroundColor Green
        }
    } Else {
        Write-Host "$Contact is in no groups." -ForegroundColor Yellow
        $GroupID = $Null
    }
}
With a sample tenant, we see results like this, with one contact in 1 group, another in no groups and yet another in four groups:
Get-MgContactMemberObject
Per Microsoft:
“Return all IDs for the groups, administrative units, and directory roles that a user, group, service principal, organizational contact, device, or directory object is a member of.”
$IDs = Get-MgContactMemberObject -OrgContactId 06d54121-c7ff-4398-ad82-20b5f2e35b2d -SecurityEnabledOnly:$False
Foreach ($ID in $IDs) {
    (Get-MgDirectoryObject -DirectoryObjectId $ID).AdditionalProperties | ft
}
Get-MgContactMemberOf
Similar to the Get-MgContactMemberGroup cmdlet, we are able to get a list of groups that a Contact object is in. The notable difference is that we do not need to specify whether Security Groups are the only groups reviewed.
Get-MgContactMemberOf -OrgContactId <contact object ID>
Get-MgContactTransitiveMemberOf
This cmdlet will list all groups a contact is in as well as subgroups if there are any. For example, say a contact is in 5 groups and at least one of these groups is also contained in another group. This cmdlet would then list these groups out. Sample usage:
Get-MgContactTransitiveMemberOf -OrgContactId 4356926e-ce5c-4f9c-98f1-628135978bee
More on this here: https://learn.microsoft.com/en-us/graph/api/group-list-transitivemembers?view=graph-rest-1.0&tabs=http
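An added example (not from the original article): the function below compares the output of Get-MgContactMemberOf and Get-MgContactTransitiveMemberOf to show which memberships a contact holds directly and which it inherits through group nesting, reading displayName and securityEnabled from AdditionalProperties as seen earlier with Get-MgContactById. The function names, GUIDs and group names are constructed for illustration so the block runs without a tenant.

```powershell
# Added example: classify a contact's group memberships as direct or inherited.
function Get-ContactMembershipReport {
    param(
        [object[]]$Direct,      # output of Get-MgContactMemberOf
        [object[]]$Transitive   # output of Get-MgContactTransitiveMemberOf
    )
    $directIds = @($Direct | ForEach-Object { $_.Id })
    foreach ($obj in $Transitive) {
        # Type-specific fields are carried in AdditionalProperties, not as top-level properties.
        $props = $obj.AdditionalProperties
        [pscustomobject]@{
            DisplayName     = $props['displayName']
            Type            = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
            SecurityEnabled = [bool]$props['securityEnabled']
            Path            = if ($directIds -contains $obj.Id) { 'Direct' } else { 'Inherited' }
            Id              = $obj.Id
        }
    }
}

# Constructed sample objects, shaped like the cmdlet output (Id plus AdditionalProperties).
function New-SampleGroup ($Id, $Name, $SecurityEnabled) {
    [pscustomobject]@{
        Id                   = $Id
        AdditionalProperties = @{
            '@odata.type'   = '#microsoft.graph.group'
            displayName     = $Name
            securityEnabled = $SecurityEnabled
        }
    }
}
$vendors = New-SampleGroup '00000000-0000-0000-0000-000000000001' 'Vendor Contacts' $false
$project = New-SampleGroup '00000000-0000-0000-0000-000000000002' 'Project Share Access' $true

# The contact is a direct member of 'Vendor Contacts', which is nested in 'Project Share Access'.
$report = Get-ContactMembershipReport -Direct @($vendors) -Transitive @($vendors, $project)
$report | Format-Table DisplayName, Type, SecurityEnabled, Path

# Inherited, security-enabled memberships are the ones a direct-membership listing does not show.
$report | Where-Object { $_.SecurityEnabled -and $_.Path -eq 'Inherited' }

# Against a tenant (after Connect-MgGraph), feed the live cmdlet output instead:
# $id = '<contact object ID>'
# Get-ContactMembershipReport -Direct (Get-MgContactMemberOf -OrgContactId $id -All) `
#     -Transitive (Get-MgContactTransitiveMemberOf -OrgContactId $id -All)
```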
Get-MgContract
This cmdlet will list any contracts that exist in a tenant. From what I read this has to do with partnerships between tenants. There are three types of possible contracts as well: SyndicationPartner, BreadthPartner and ResellerPartner.
To find existing contracts in a tenant, just run the cmdlet, with no other parameters or switches:
Get-MgContract
More on this can be found here – microsoft-graph-docs/contract.md at main · microsoftgraph/microsoft-graph-docs (github.com)
Get-MgContractById
Similar to the previous cmdlet, we can list any existing Contracts in the tenant, but this time we need the ID to do so. Sample one-liner is below:
Get-MgContractById -Ids 83721da6-2b61-4c88-b8ff-0b939712394a
Get-MgContractMemberGroup
This cmdlet will reveal any groups that the contract is a member of.
Get-MgContractMemberGroup -ContractId 83721da6-2b61-4c88-b8ff-0b939712394a -SecurityEnabledOnly:$False
Get-MgContractMemberObject
Not much to go on for this cmdlet. The Get-Help and Online help are both bad, with bad examples and just overall zero help.
In PowerShell:
Online
Hopefully this gets rectified.
Conclusion
So there you have it. In this blog article we reviewed the first few Get cmdlets of the Microsoft.Graph.Identity.DirectoryManagement PowerShell submodule with some practical examples. Stay tuned for more of these over the coming Wednesdays. While fifteen cmdlets are not a lot in the grand scheme of things, these cmdlets do take some time to figure out and properly present for blog articles. I will try to do more each article depending on the results of testing. If you felt this article was either unhelpful or helpful, please leave comments below and thanks for reading.