Discovering the required Microsoft Graph Permissions using PowerShell or Graph Explorer

When you use Microsoft Graph to work with Microsoft Entra ID (Azure AD), Intune, etc., you have to request the correct permissions and connect with the narrowest (and therefore safest 😉) scopes that still get the job done. This blog post shows a few ways to find out which permissions a given cmdlet needs.

What is Microsoft Graph?

“Microsoft Graph is the gateway to data and intelligence in Microsoft 365. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows, and Enterprise Mobility + Security. Use the wealth of data accessible through Microsoft Graph to build apps for organizations and consumers that interact with millions of users.”

Source: Microsoft Graph overview – Microsoft Graph | Microsoft Learn

Ways to retrieve the needed permissions

There are at least three ways to do this; the three below are the ones I use to find the permissions required by a specific cmdlet. In the examples, I'm looking for the permissions needed by the Get-MgBetaDeviceManagementManagedDeviceOverview cmdlet, which should give me the number of Intune-enrolled devices in the tenant.

Using the PowerShell Microsoft Graph cmdlet itself

When you run an existing script that uses Microsoft Graph cmdlets, it can throw an error saying you don't have the correct permissions to query the data. For example, when I tried to retrieve a list of the Intune devices in my test tenant, the cmdlet failed with an error (printed in red in the console). The error message lists the permissions the call accepts and tells you that you need one of them: “DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All”.

However, if your script wraps the call in a Try/Catch construction with -ErrorAction Stop to suppress errors like this, the message will of course never reach the console 🙂 Make sure the catch block at least logs the exception message, otherwise the permission names it contains are lost.

You can also add the -Debug parameter to the Microsoft Graph cmdlet, which Tony Redmond pointed out (Thanks!).

This prints the HTTP request and response, so you see the URI being called and the permissions needed, with more detail than the default error message gives you.
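The following is an added example, not code from the original post, that makes both points above concrete: a Try/Catch around a Graph cmdlet that reads the permission names out of the exception instead of discarding them, followed by the -Debug call. It assumes Microsoft.Graph.Authentication plus the module that owns the cmdlet (here Microsoft.Graph.Beta.DeviceManagement) are installed and that you are already connected with a session whose scopes do not cover the call; the function name and the regex are mine, and each regex hit is validated against the SDK's local permission catalogue with Find-MgGraphPermission so that other dotted words in the message are not mistaken for scopes.

```powershell
# Added example (not code from the original post). Assumes Microsoft.Graph.Authentication and
# Microsoft.Graph.Beta.DeviceManagement are installed and that the current Connect-MgGraph
# session does NOT hold an Intune scope, so Graph refuses the call.
function Get-ScopeHintFromError {
    param(
        [Parameter(Mandatory)][string]$Command,   # cmdlet to run, e.g. Get-MgBetaDeviceManagementManagedDeviceOverview
        [hashtable]$Parameters = @{}              # parameters the cmdlet needs, splatted through
    )

    try {
        # -ErrorAction Stop turns the SDK's error into an exception we can inspect: the same
        # construction the post warns about, but here the catch block reads it instead of hiding it.
        $result = & $Command @Parameters -ErrorAction Stop
        return [pscustomobject]@{ Command = $Command; Result = $result; ErrorMessage = $null; RequiredScopes = @() }
    }
    catch {
        # The service's text is in the exception message; ErrorDetails (when present) carries the
        # raw JSON body, so search both.
        $text = $_.Exception.Message
        if ($_.ErrorDetails) { $text += "`n" + $_.ErrorDetails.Message }

        # Scope names look like Resource.Action[.Qualifier] with capitalised segments. Every candidate
        # is checked against the SDK's local permission catalogue (no sign-in needed), which drops
        # unrelated dotted words such as type or host names.
        $pattern    = '\b[A-Z][A-Za-z]+\.[A-Z][A-Za-z]+(?:\.[A-Za-z]+)*\b'
        $candidates = [regex]::Matches($text, $pattern) | ForEach-Object Value | Sort-Object -Unique
        $scopes = foreach ($name in $candidates) {
            if (Find-MgGraphPermission $name -ExactMatch -ErrorAction SilentlyContinue -WarningAction SilentlyContinue) { $name }
        }

        return [pscustomobject]@{
            Command        = $Command
            Result         = $null
            ErrorMessage   = $_.Exception.Message
            RequiredScopes = @($scopes)
        }
    }
}

# Usage: with a session that lacks the Intune scopes this returns the two names the post quotes.
$hint = Get-ScopeHintFromError -Command Get-MgBetaDeviceManagementManagedDeviceOverview
$hint.RequiredScopes   # DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All

# The -Debug switch on the same cmdlet prints the HTTP request and response, including the URI that
# was called. Windows PowerShell 5.1 pauses on every debug message unless you set this first:
$DebugPreference = 'Continue'
Get-MgBetaDeviceManagementManagedDeviceOverview -Debug
```

Keep the function's output object rather than a bare string: a scheduled script can write RequiredScopes to its log and an operator then knows exactly what to add to -Scopes without re-running the job interactively.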

Using Find-MgGraphCommand

With the Find-MgGraphCommand cmdlet, you pass the name of the cmdlet you are interested in (-Command) and the output tells you which URI it calls and, in the Permissions property, which permissions it accepts. For example, running it for Get-MgBetaDeviceManagementManagedDeviceOverview lists the same two permissions as the error above.

In the Permissions output, the Name column shows the permission, the IsAdmin column tells you whether the permission requires admin consent (as opposed to consent by the signed-in user), and the Description column gives the short description of the permission.

To retrieve more information about a specific permission, you can use Find-MgGraphPermission followed by the permission name, regardless of the cmdlet it is used for. It returns the permission's Id, whether Admin or User consent applies, and both the Delegated and Application variants; add -ExactMatch to avoid substring hits such as DeviceManagementManagedDevices.Read.All also matching the ReadWrite permission.
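As an added example that is not part of the original post, here is a small helper that combines the two cmdlets: it collects the permissions of every variant Find-MgGraphCommand returns for a cmdlet, enriches each one with Find-MgGraphPermission, and sorts them so the least-privileged candidate comes first. It needs only Microsoft.Graph.Authentication (both Find-* cmdlets read the SDK's local metadata, so no sign-in is required); the function name and the ranking (Read before ReadWrite, anything else last) are my own heuristic, not something the SDK computes.

```powershell
# Added example (not code from the original post). Requires only Microsoft.Graph.Authentication.
function Get-MgCommandScope {
    param(
        [Parameter(Mandatory)][string]$Command,
        [ValidateSet('v1.0', 'beta')][string]$ApiVersion = 'beta'   # beta for the Get-MgBeta* cmdlets
    )

    # One cmdlet can map to several URIs / parameter-set variants; gather the permissions of all of them.
    $found = @(Find-MgGraphCommand -Command $Command -ApiVersion $ApiVersion -ErrorAction Stop)
    if ($found.Count -eq 0) { throw "No Graph command named '$Command' found for API version $ApiVersion" }
    $uris  = ($found.URI | Sort-Object -Unique) -join ', '
    $perms = $found.Permissions | Sort-Object -Property Name -Unique

    $rows = foreach ($p in $perms) {
        # Find-MgGraphPermission adds the permission GUID and the consent type. -ExactMatch avoids
        # substring hits; -PermissionType Delegated is what Connect-MgGraph -Scopes asks for.
        $detail = Find-MgGraphPermission $p.Name -ExactMatch -PermissionType Delegated `
                      -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Select-Object -First 1

        # Heuristic ranking (mine): read-only before read/write, everything else last.
        $rank = if ($p.Name -match '\.ReadWrite') { 2 } elseif ($p.Name -match '\.Read') { 1 } else { 3 }

        [pscustomobject]@{
            Command      = $Command
            Uri          = $uris
            Permission   = $p.Name
            AdminConsent = $p.IsAdmin        # admin consent required for this permission
            Consent      = $detail.Consent   # Admin / User, from the permission catalogue
            Id           = $detail.Id        # permission GUID, handy for app-registration manifests
            Description  = $p.Description
            Rank         = $rank
        }
    }

    $rows | Sort-Object Rank, Permission | Select-Object -Property * -ExcludeProperty Rank
}

# Usage: the first row is the candidate for Connect-MgGraph -Scopes. For the post's cmdlet that is
# DeviceManagementManagedDevices.Read.All, with DeviceManagementManagedDevices.ReadWrite.All second.
Get-MgCommandScope -Command Get-MgBetaDeviceManagementManagedDeviceOverview | Format-Table -AutoSize
```

The ranking is only a starting point: a permission that sorts first here can still be broader than you need (for example a directory-wide Read.All where a narrower resource-specific permission also appears in the list), so read the whole table before you pick one.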

Using Microsoft Graph Explorer

You can browse the Microsoft Graph resources in Microsoft Graph Explorer after clicking the people icon in the top right to sign in. Any account can browse, but to consent to permissions that require admin consent you need to sign in with an Admin account. The first time you sign in, Graph Explorer shows a consent window that you need to accept before you can use it.

Enter the correct URL in the address bar. You can derive the path from the cmdlet name: Get-MgBetaDeviceManagementManagedDeviceOverview –> Mg Beta DeviceManagement ManagedDeviceOverview –> https://graph.microsoft.com/beta/deviceManagement/managedDeviceOverview. Then select the Modify permissions tab to see the permissions the request accepts:

Connecting using the found permissions

We can now use Connect-MgGraph with the -Scopes parameter and the least-privileged permission we discovered with one of the options above. In this case that is DeviceManagementManagedDevices.Read.All, which Graph Explorer helpfully highlights with an information icon:

When you run Connect-MgGraph, it prompts you to consent to the permissions it requested, and as an admin you can grant them:

After selecting “Consent on behalf of your organization” as an Admin and selecting Accept, Get-MgBetaDeviceManagementManagedDeviceOverview now works and shows that there are 4 enrolled devices in my tenant. Keep in mind that consenting on behalf of the organization grants the delegated permission to the Microsoft Graph Command Line Tools enterprise application for every user in the tenant, not just for you. For a one-off discovery session, consenting for your own account only is enough, and for production automation it is better to use your own app registration (Connect-MgGraph -ClientId) that carries exactly the scopes the script needs and nothing more. Either way, check (Get-MgContext).Scopes after connecting to confirm what the token actually holds:
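The following is an added example, not code from the original post, that wraps the connection step: it compares the scopes the current session already holds with the ones a cmdlet requires, reconnects asking only for what is missing, verifies with Get-MgContext that the token really carries the scopes before any call is made, and then runs the post's cmdlet. It assumes Microsoft.Graph.Authentication and Microsoft.Graph.Beta.DeviceManagement are installed; the function name is mine, while -Scopes, -ClientId and -NoWelcome are real Connect-MgGraph parameters and EnrolledDeviceCount is the property of the overview object that holds the number of enrolled devices.

```powershell
# Added example (not code from the original post). Assumes Microsoft.Graph.Authentication and
# Microsoft.Graph.Beta.DeviceManagement are installed.
function Connect-MgGraphLeastPrivilege {
    param(
        [Parameter(Mandatory)][string[]]$RequiredScopes,
        [string]$ClientId   # optional: your own app registration instead of the shared
                            # "Microsoft Graph Command Line Tools" application
    )

    $ctx     = Get-MgContext                                # $null when not connected
    $have    = if ($ctx) { @($ctx.Scopes) } else { @() }
    $missing = @($RequiredScopes | Where-Object { $have -notcontains $_ })

    if ($missing.Count -gt 0) {
        # Ask for what we already hold plus what is missing, and nothing broader. Re-running
        # Connect-MgGraph with additional scopes triggers the consent prompt the post describes.
        $connectParams = @{
            Scopes    = @($have + $missing | Sort-Object -Unique)
            NoWelcome = $true
        }
        if ($ClientId) { $connectParams.ClientId = $ClientId }
        Connect-MgGraph @connectParams -ErrorAction Stop
    }

    # Never trust the prompt alone: check the scopes the token actually carries before calling anything.
    $granted = @((Get-MgContext).Scopes)
    $denied  = @($RequiredScopes | Where-Object { $granted -notcontains $_ })
    if ($denied.Count -gt 0) {
        throw "Scopes not granted (consent declined or still waiting for admin approval): $($denied -join ', ')"
    }
    Get-MgContext | Select-Object Account, TenantId, AuthType, Scopes
}

# Usage for the post's cmdlet with the least-privileged delegated scope found earlier.
Connect-MgGraphLeastPrivilege -RequiredScopes 'DeviceManagementManagedDevices.Read.All'
(Get-MgBetaDeviceManagementManagedDeviceOverview).EnrolledDeviceCount   # the count the post shows (4 in the author's tenant)
Disconnect-MgGraph
```

Because the function only ever adds the scopes that are missing, running it from several scripts in the same session does not silently widen the token beyond the union of what those scripts declared, and the final check catches the case where an admin-consent permission was requested but not (yet) approved.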

Wrapping up

I showed you a few ways to discover the permissions a cmdlet needs so that you can connect to Microsoft Graph with the correct scope. This makes it easier to find the smallest set of permissions required to get the job done 🙂
