
Dear Microsoft Azure and Microsoft 365 Friends,

 

This article continues the Microsoft Graph PowerShell SDK series. Parts 1, 2 and 3 can be found here:

https://gorovian.000webhostapp.com/?exam=t5/windows-powershell/part-1-manage-azure-and-microsoft-365-with...

https://gorovian.000webhostapp.com/?exam=t5/windows-powershell/part-2-manage-azure-and-microsoft-365-with...

https://gorovian.000webhostapp.com/?exam=t5/windows-powershell/part-3-manage-azure-and-microsoft-365-with...

This article is about managing users and groups. How do you connect to Microsoft 365 for user management? Remember: every connection to Microsoft Graph is protected by one or more permission scopes. A cmdlet whose scope is missing from the session fails with a 403 "Authorization_RequestDenied: Insufficient privileges to complete the operation", so request the scopes the task needs, and only those.

[Screenshot: _MSG_01.JPG]

 

Delegated User Permissions:

1. User.ReadBasic.All
Allows reading a basic set of profile properties of other users in the organization on behalf of the signed-in user.

2. User.Read.All
Allows reading the full set of profile properties, reports, and managers of other users in the organization, on behalf of the signed-in user.

3. User.ReadWrite.All
Allows reading and writing the full set of profile properties, reports, and managers of other users in the organization, on behalf of the signed-in user. Also allows creating and deleting users and resetting their passwords.

4. Directory.Read.All
Allows reading data in the organization's directory, such as users, groups and apps.

5. Directory.ReadWrite.All
Allows reading and writing data in the organization's directory, such as users and groups. It does not allow deleting users or resetting user passwords; for those, User.ReadWrite.All is the scope to request.

6. Directory.AccessAsUser.All
Allows the app or code to have the same access to data in the directory as the signed-in user. This is the broadest of the six: a script running under a Global Administrator inherits everything that administrator can do, so prefer the narrower User.* scopes for scripts.

Pick the smallest scope that covers the task. Everything in the "Retrieving User Accounts" section below works with User.Read.All alone; only creating, updating and deleting accounts needs User.ReadWrite.All.

 

Connect for User Management:

#If needed
Import-Module Microsoft.Graph

#Optional: switch the SDK to the 'beta' endpoint. Only SDK v1.x has this cmdlet; in
#SDK v2 it was removed and the beta API lives in the separate Microsoft.Graph.Beta
#module (Get-MgBetaUser and so on). Everything in this article works on v1.0, so the
#line can be skipped.
Select-MgProfile -Name "beta"

#Read Only Connection (enough for everything in the "Retrieving User Accounts" section)
$scopes = @(
"User.ReadBasic.All"
"User.Read.All"
"Directory.Read.All"
)
Connect-MgGraph -Scopes $scopes

#Read and Write Connection (needed for New-MgUser, Update-MgUser and Remove-MgUser)
$scopes = @(
"User.ReadWrite.All"
"Directory.ReadWrite.All"
)
Connect-MgGraph -Scopes $scopes

#Check the permissions. The list can be longer than what was just requested: the token
#contains every delegated scope the signed-in user has already consented to for this
#app, so a session is never narrower than the consent history. Run Disconnect-MgGraph
#when the work is done so the cached token is not reused by the next script.
Get-MgContext | Select-Object -ExpandProperty Scopes
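As an added example (not code from the original article), here is a small helper that connects with exactly the scopes a script needs, fails fast if the resulting session does not carry them, and makes any surplus scopes visible. The function name Connect-MgLeastPrivilege is my own; it assumes the Microsoft.Graph SDK is installed and that an interactive sign-in is possible.

```powershell
# Added example, not from the original article. Connects with only the scopes the
# caller names and refuses to continue if the session lacks any of them.
# Assumes the Microsoft.Graph SDK is installed and interactive sign-in is possible.
function Connect-MgLeastPrivilege {
    param(
        [Parameter(Mandatory)] [string[]] $RequiredScopes
    )

    # OpenID Connect scopes that every interactive session carries; not worth a warning.
    $oidcScopes = 'openid', 'profile', 'email', 'offline_access'

    # Reuse the cached session when it already covers what we need.
    $ctx = Get-MgContext
    $missing = @($RequiredScopes | Where-Object { $_ -notin @($ctx.Scopes) })

    if (-not $ctx -or $missing.Count -gt 0) {
        # Incremental consent: only the listed scopes are requested from the user.
        Connect-MgGraph -Scopes $RequiredScopes | Out-Null
        $ctx = Get-MgContext
        $missing = @($RequiredScopes | Where-Object { $_ -notin @($ctx.Scopes) })
    }

    if ($missing.Count -gt 0) {
        # Typically consent was declined or the tenant blocks user consent.
        throw "Session is missing required scopes: $($missing -join ', ')"
    }

    # The token carries every delegated scope this user has ever consented to for the
    # app, so it is often broader than requested. Say so rather than stay silent.
    $extra = @($ctx.Scopes | Where-Object { $_ -notin $RequiredScopes -and $_ -notin $oidcScopes })
    if ($extra.Count -gt 0) {
        Write-Warning "Session also carries scopes this script does not need: $($extra -join ', ')"
    }

    return $ctx
}

# A read-only inventory needs no write scope at all.
$ctx = Connect-MgLeastPrivilege -RequiredScopes 'User.Read.All'
$ctx | Select-Object Account, TenantId, Scopes

# ... read-only work goes here ...

# Drop the cached token so the next script does not silently inherit this session.
Disconnect-MgGraph | Out-Null
```

The warning is the useful part: if it lists User.ReadWrite.All while you only asked for User.Read.All, that consent was granted to this app earlier and is still live, which is worth knowing before running a script under an administrator account.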

 

Creating, Updating, and Deleting Users - Basic User Management Commands:

- Get-MgUser
- Remove-MgUser
- New-MgUser
- Update-MgUser

 

Retrieving User Accounts:

#Retrieve All Users (-All follows the paging; without it only the first page of 100 users comes back)
Get-MgUser -All | Format-List Id, DisplayName, Mail, UserPrincipalName

#Retrieve Specific User by ID (-UserId also accepts the user principal name)
Get-MgUser -UserId 'f9c720a4-c7f1-4b00-b419-ff2c806e0ddf' | Format-List Id, DisplayName, Mail, UserPrincipalName

#Create a New User Account
#The password profile here is for demonstration only. In a real script do not hard-code
#a password, and set ForceChangePasswordNextSignIn = $true in the profile so the initial
#value is single-use.
$password = @{ Password= 'P@ssw0rd4625???' }
New-MgUser -DisplayName 'Timo Jones' -PasswordProfile $password -AccountEnabled -MailNickName 'timojones' -UserPrincipalName 'timo.jones@tomrocks.ch'
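As an added example that is not part of the original article, the following creates an account with a randomly generated, single-use initial password instead of a literal in the script. The helper names New-RandomPassword and New-MgOnboardedUser are my own, and the display name, the domain tomrocks.ch and the usage location CH are placeholders.

```powershell
# Added example, not from the original article. Creates a user with a randomly
# generated single-use password instead of a literal in the script.
# Names, the domain tomrocks.ch and the usage location are placeholders.
function New-RandomPassword {
    param([int] $Length = 24)
    # Ambiguous glyphs (0/O, 1/l/I) are left out so a password read aloud still types in.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]
    $byte  = New-Object byte[] 1
    # Rejection sampling: discard bytes above the largest multiple of the alphabet size
    # so every character is equally likely (plain modulo would favour the first few).
    $limit = $alphabet.Length * [math]::Floor(256 / $alphabet.Length)
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { $chars.Add($alphabet[$byte[0] % $alphabet.Length]) }
    }
    return -join $chars
}

function New-MgOnboardedUser {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    $initial = New-RandomPassword
    $params = @{
        DisplayName       = $DisplayName
        MailNickname      = $MailNickname
        UserPrincipalName = $UserPrincipalName
        AccountEnabled    = $true
        UsageLocation     = 'CH'                    # placeholder; required before a licence can be assigned
        PasswordProfile   = @{
            Password                      = $initial
            ForceChangePasswordNextSignIn = $true   # the generated value is single-use
        }
    }
    $user = New-MgUser @params

    # Return the password with the object so the caller can hand it over out of band
    # (a secrets manager, a sealed envelope). Never write it to a log or transcript.
    [pscustomobject]@{
        Id                = $user.Id
        UserPrincipalName = $user.UserPrincipalName
        InitialPassword   = $initial
    }
}

$result = New-MgOnboardedUser -DisplayName 'Timo Jones' -MailNickname 'timojones' -UserPrincipalName 'timo.jones@tomrocks.ch'
$result | Select-Object Id, UserPrincipalName     # the password is deliberately not displayed

# Confirm the account exists and is enabled without requesting the whole object.
Get-MgUser -UserId $result.Id -Property Id, DisplayName, AccountEnabled | Select-Object Id, DisplayName, AccountEnabled
```

Splatting the parameters into a hashtable keeps the New-MgUser call readable and makes it easy to add properties such as Department or JobTitle later; the same pattern works for Update-MgUser.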

 

Updating User Accounts:

#Update User Using ID
Update-MgUser -UserId 'e0004b8a-b13f-4355-a291-4a7fef7d96df' -DisplayName 'Timo R Jones'

#Did it work?
Get-MgUser -UserId 'e0004b8a-b13f-4355-a291-4a7fef7d96df'

#Retrieve User Using Filtering, Then Update
#startsWith returns every account whose UPN begins with the string. If more than one
#comes back, $user.Id is an array and Update-MgUser fails. For a full UPN an exact
#match is safer: -Filter "userPrincipalName eq 'timo.jones@tomrocks.ch'"
$user = Get-MgUser -ConsistencyLevel eventual -Filter "startsWith(UserPrincipalName, 'timo.jones@tomrocks.ch')"
Update-MgUser -UserId $user.Id -DisplayName 'Timo Jones'

#Did it work?
Get-MgUser -UserId 'e0004b8a-b13f-4355-a291-4a7fef7d96df'

 

Deleting User Accounts:

#Remove User by ID (no prompt by default; the Remove-Mg* cmdlets support -WhatIf for a dry run)
Remove-MgUser -UserId 'e0004b8a-b13f-4355-a291-4a7fef7d96df'

#Remove User by ID with Confirmation
Remove-MgUser -UserId 'e0004b8a-b13f-4355-a291-4a7fef7d96df' -Confirm

#Retrieve User Using Filtering, Then Delete
#Same caveat as above: an exact "userPrincipalName eq '...'" filter avoids deleting a
#second, similarly named account by accident
$user = Get-MgUser -ConsistencyLevel eventual -Filter "startsWith(UserPrincipalName, 'timo.jones@tomrocks.ch')"
Remove-MgUser -UserId $user.Id -Confirm

#Did it work? Once the account is gone this returns a Request_ResourceNotFound error.
#The user is only soft-deleted: it sits in the recycle bin for 30 days and can be
#brought back with Restore-MgDirectoryDeletedItem -DirectoryObjectId <id>; after
#that it is purged for good.
Get-MgUser -UserId 'e0004b8a-b13f-4355-a291-4a7fef7d96df'
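The following is an added example, not code from the original article: a deletion wrapper that matches the UPN exactly, refuses to act on zero or several matches, supports -WhatIf and -Confirm through ShouldProcess, and then shows the soft-deleted object in the recycle bin. The function name Remove-MgUserByUpn is my own and the UPN is a placeholder.

```powershell
# Added example, not from the original article. Deletes a user by exact UPN, refuses
# to proceed on zero or several matches, supports -WhatIf, and shows the 30-day
# recycle bin afterwards. The UPN below is a placeholder.
function Remove-MgUserByUpn {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # 'eq' is exact; startsWith could silently pick up a second account.
    # A single quote inside an OData string literal is escaped by doubling it.
    $literal = $UserPrincipalName.Replace("'", "''")
    $found = @(Get-MgUser -Filter "userPrincipalName eq '$literal'" -Property Id, UserPrincipalName, DisplayName)

    if ($found.Count -ne 1) {
        throw "Expected exactly one user for '$UserPrincipalName', found $($found.Count)"
    }
    $user = $found[0]

    # ShouldProcess honours -WhatIf (prints, does nothing) and -Confirm (prompts).
    if ($PSCmdlet.ShouldProcess("$($user.DisplayName) <$($user.UserPrincipalName)>", 'Remove user')) {
        Remove-MgUser -UserId $user.Id
    }
    return $user.Id
}

# Dry run first: shows what would happen and changes nothing.
$id = Remove-MgUserByUpn -UserPrincipalName 'timo.jones@tomrocks.ch' -WhatIf

# Real run. ConfirmImpact 'High' means this prompts unless -Confirm:$false is passed.
$id = Remove-MgUserByUpn -UserPrincipalName 'timo.jones@tomrocks.ch'

# The account is soft-deleted and stays in the recycle bin for 30 days.
Get-MgDirectoryDeletedItem -DirectoryObjectId $id | Select-Object Id, DeletedDateTime

# If it was the wrong account, this restores it with its properties:
# Restore-MgDirectoryDeletedItem -DirectoryObjectId $id
```

Reading the recycle bin needs only Directory.Read.All; restoring from it is a write and needs Directory.ReadWrite.All or User.ReadWrite.All in the session.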

 

How to Connect to Microsoft 365 for Group Management?

[Screenshot: _MSG_02.JPG]

 

Delegated Group Permissions:

1. Group.Read.All
Allows listing groups, and reading properties and all group memberships on behalf of the signed-in user.

2. Group.ReadWrite.All
Allows creating, updating and deleting groups, and reading all group properties and memberships, on behalf of the signed-in user.

3. GroupMember.Read.All
Allows listing groups, reading basic group properties and reading memberships of all groups the signed-in user has access to.

4. GroupMember.ReadWrite.All
Allows listing groups, reading basic properties, and reading and updating the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted with this scope.

A membership change on a security group grants or revokes access wherever that group is referenced (SharePoint sites, Conditional Access policies, role assignments), so GroupMember.ReadWrite.All is a write permission in every practical sense and belongs only in scripts that actually change membership.

 

Connect for Group Management:

 

#Read Only Connection
$scopes = @("Group.Read.All")
Connect-MgGraph -Scopes $scopes

 

#Read and Write Connection
$scopes = @("Group.ReadWrite.All")
Connect-MgGraph -Scopes $scopes

 

#Read and Write Connection Including Group Memberships
$scopes = @(
"Group.ReadWrite.All"
"GroupMember.ReadWrite.All")
Connect-MgGraph -Scopes $scopes

 

#Check the permissions
Get-MgContext | Select-Object -ExpandProperty Scopes

 

Creating, Updating, and Deleting Groups - Basic Group Management Commands:

- Get-MgGroup
- Remove-MgGroup
- New-MgGroup
- Update-MgGroup

 

Retrieving Groups:

 

#Retrieve All Groups (-All follows the paging; without it only the first page comes back)
Get-MgGroup -All | Format-List Id, DisplayName, Description, GroupTypes

 

#Retrieve Specific Group by ID
Get-MgGroup -GroupId '12eda8b0-695b-4f57-a7b3-245b2a6552c9' | Format-List ID, DisplayName, Description, GroupTypes

 

#Retrieve Groups by Filtering
Get-MgGroup -ConsistencyLevel eventual -Filter "startsWith(DisplayName, 'Technik')"

 

Creating Groups:

 

#Create a New Group
#-SecurityEnabled without -MailEnabled and without GroupTypes creates a plain security
#group, the kind used for access control, not a Microsoft 365 group
New-MgGroup -DisplayName 'MSGraph' -MailEnabled:$False -MailNickName 'MSGraph' -SecurityEnabled

 

Updating Groups:

 

#Update Group Using ID
$properties = @{
"Description" = "New MS Graph Group"
"DisplayName" = "New MS Graph Group Description"
}
Update-MgGroup -GroupId 'b2af405b-1c46-46c2-be8e-5288bc9c7dc6' -BodyParameter $properties

 

#Did it work?
Get-MgGroup -GroupId 'b2af405b-1c46-46c2-be8e-5288bc9c7dc6'

 

Deleting Groups:

 

#Remove Group by ID (no prompt by default; add -WhatIf for a dry run)
Remove-MgGroup -GroupId 'b2af405b-1c46-46c2-be8e-5288bc9c7dc6'

#Remove Group by ID with Confirmation
Remove-MgGroup -GroupId 'b2af405b-1c46-46c2-be8e-5288bc9c7dc6' -Confirm

#Retrieve Group Using Filtering, Then Delete
#startsWith can match several groups, in which case $group.Id is an array; inspect
#$group before deleting, or filter with "displayName eq '...'" for an exact match
$group = Get-MgGroup -ConsistencyLevel eventual -Filter "startsWith(DisplayName, 'New MS Graph Group Description')"
Remove-MgGroup -GroupId $group.Id -Confirm

#Did it work? After deletion this returns a Request_ResourceNotFound error.
#Only Microsoft 365 groups go to the 30-day recycle bin (Restore-MgDirectoryDeletedItem);
#security groups like the one created above are deleted permanently, so the
#-WhatIf dry run matters more here than it does for users.
Get-MgGroup -GroupId 'b2af405b-1c46-46c2-be8e-5288bc9c7dc6'

 

Modify Group Membership:

#Add a Group Member
#-Search requires -ConsistencyLevel eventual and can return several people with the
#same display name; check $user before using $user.Id
$user = Get-MgUser -ConsistencyLevel eventual -Search '"DisplayName:Timo Meyer"'
$group = Get-MgGroup -GroupId 'be278623-1c0b-4c18-bb97-c617463ca920'

#Adding someone who is already a member fails with "One or more added object references already exist"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

#Did it work? Members come back as generic directoryObject entries, so only Id is
#shown by default; the display name lives in each entry's AdditionalProperties
Get-MgGroupMember -GroupId $group.Id
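As an added example (not code from the original article), here is an idempotent add-member helper together with a membership report that surfaces the display names hidden in AdditionalProperties. The function names Add-MgGroupMemberIfMissing and Get-MgGroupMemberReport are my own; the group name MSGraph and the UPN are placeholders.

```powershell
# Added example, not from the original article. Adds a member only if absent (a second
# New-MgGroupMember for an existing member is an error) and lists members with names.
# The group name and UPN are placeholders.
function Add-MgGroupMemberIfMissing {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )
    # -UserId accepts either the object id or the UPN.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

    $memberIds = @(Get-MgGroupMember -GroupId $GroupId -All | Select-Object -ExpandProperty Id)
    if ($user.Id -in $memberIds) {
        Write-Verbose "$UserPrincipalName is already a member of $GroupId"
        return $false
    }
    New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $user.Id
    return $true
}

function Get-MgGroupMemberReport {
    param([Parameter(Mandatory)] [string] $GroupId)
    # Members are returned as directoryObject; the type-specific fields sit in
    # AdditionalProperties, keyed by their camelCase Graph names.
    Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object {
        [pscustomobject]@{
            Id          = $_.Id
            Type        = ($_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
            DisplayName = $_.AdditionalProperties['displayName']
            UPN         = $_.AdditionalProperties['userPrincipalName']   # empty for nested groups and devices
        }
    }
}

$group = @(Get-MgGroup -Filter "displayName eq 'MSGraph'")
if ($group.Count -ne 1) { throw "Expected exactly one group named MSGraph, found $($group.Count)" }

$added = Add-MgGroupMemberIfMissing -GroupId $group[0].Id -UserPrincipalName 'timo.meyer@tomrocks.ch' -Verbose
"Membership changed: $added"

# Review who is in the group now, including nested groups and service principals.
Get-MgGroupMemberReport -GroupId $group[0].Id | Format-Table -AutoSize
```

The Type column is worth a look in any security group used for access control: a nested group or a service principal inside it widens who actually gets the access, and neither shows up as a user in the plain Get-MgGroupMember output.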

 

So that's it for part 4; we'll see you again in the next part. A little preview: in the next part we'll talk about Exchange Online in Microsoft Graph. See you soon.

 

I hope this article was useful. Thank you for taking the time to read the article.


Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler
