Thursday, March 12, 2015

Query AAD Using Graph API from PowerShell

One of my favourite things about PowerShell is discoverability, and how quickly you can use it to investigate and learn. This post shows some snippets for querying the Azure Active Directory Graph API from PowerShell.

NOTE: I’ve downloaded the Active Directory Authentication Library (ADAL) to C:\ADAL for the samples, so you’ll have to do something similar before the rest of the script will work.

Once authentication is done with ADAL, the PowerShell command ‘Invoke-RestMethod’ is used over and over with the same bearer token; only the URI changes from call to call, because the URI carries the query details (tenant, object type, filter, selected attributes).

<#
    Load the Active Directory Authentication Library
    Microsoft.IdentityModel.Clients.ActiveDirectory.dll

    https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory
#>
Add-Type -Path 'C:\ADAL\Microsoft.IdentityModel.Clients.ActiveDirectory.dll'

<#
    Create the AuthenticationContext object
#>
$authenticationContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext -ArgumentList @(
    'https://login.windows.net/common' #authority
    $false                             #validateAuthority
)

<#
    Create the AuthenticationResult object

    This overload is used: public AuthenticationResult AcquireToken(string resource, string clientId, Uri redirectUri)

    For more overloads, see:
    https://msdn.microsoft.com/en-us/library/microsoft.identitymodel.clients.activedirectory.authenticationcontext.acquiretoken.aspx
#>
$resource    = "https://graph.windows.net"
$clientId    = "1950a258-227b-4e31-a9cf-717495945fc2"   # well-known public client ID used by Azure PowerShell
$redirectUri = [uri]"urn:ietf:wg:oauth:2.0:oob"
$authenticationResult = $authenticationContext.AcquireToken($resource, $clientId, $redirectUri)

<#
   Get all users
#>
Invoke-RestMethod -Method Get -Headers @{
    Authorization   = $authenticationResult.CreateAuthorizationHeader()   # "Bearer <token>"
    'Content-Type'  = "application/json"
} -Uri ('https://graph.windows.net/{0}/users?api-version=2013-04-05' -f $authenticationResult.TenantId) |
Select-Object -ExpandProperty Value

<#
   Get a user by UPN
#>
Invoke-RestMethod -Method Get -Headers @{
    Authorization   = $authenticationResult.CreateAuthorizationHeader()
    'Content-Type'  = "application/json"
} -Uri ('https://graph.windows.net/{0}/users/craig.martin@edgile.com?api-version=2013-04-05' -f $authenticationResult.TenantId)

<#
   Get a user by filter

   The URI is single-quoted so PowerShell does not expand $filter; the doubled
   single quotes ('') are how a literal ' is written inside a single-quoted string.
#>
Invoke-RestMethod -Method Get -Headers @{
    Authorization   = $authenticationResult.CreateAuthorizationHeader()
    'Content-Type'  = "application/json"
} -Uri ('https://graph.windows.net/{0}/users?$filter=givenName eq ''Craig'' and surname eq ''martin''&api-version=2013-04-05' -f $authenticationResult.TenantId)

<#
   Get deltas

   An empty deltaLink asks for the initial full set; the response carries the
   link to use on the next call so that only changes are returned.
#>
Invoke-RestMethod -Method Get -Headers @{
    Authorization   = $authenticationResult.CreateAuthorizationHeader()
    'Content-Type'  = "application/json"
} -Uri ('https://graph.windows.net/{0}/directoryObjects?api-version=2013-04-05&deltaLink=' -f $authenticationResult.TenantId)

<#
   Get deltas with only the specified attributes
#>
Invoke-RestMethod -Method Get -Headers @{
    Authorization   = $authenticationResult.CreateAuthorizationHeader()
    'Content-Type'  = "application/json"
} -Uri ('https://graph.windows.net/{0}/directoryObjects?api-version=2013-04-05&deltaLink=&$select=User/displayName,User/givenName' -f $authenticationResult.TenantId)
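The snippets above repeat the same header block for every call and stop after the first page of results. As an added example (not from the original post), the functions below wrap that pattern: a token helper that reuses ADAL's cache instead of prompting on every call, a GET wrapper that builds the tenant URI, a pager that follows the paging link, and a delta loop that persists the returned delta link so the next run fetches only changes. It assumes the `$authenticationContext`, `$resource`, `$clientId` and `$redirectUri` variables from the script above already exist, and it assumes the Graph API's paging and delta properties are named `odata.nextLink`, `aad.nextLink` and `aad.deltaLink`; the state file path is a constructed example.

```powershell
<# Added example, not part of the original post. Assumes the variables created
   by the script above ($authenticationContext, $resource, $clientId, $redirectUri). #>

function Get-GraphToken {
    # Prefer ADAL's token cache; only fall back to the interactive prompt when
    # no cached or refreshable token exists. The bearer token stays inside the
    # AuthenticationResult and is never written to disk or to the log.
    try {
        $authenticationContext.AcquireTokenSilent($resource, $clientId)
    } catch {
        $authenticationContext.AcquireToken($resource, $clientId, $redirectUri)
    }
}

function Invoke-GraphGet {
    # One GET against the signed-in tenant; $RelativeUri is e.g. 'users?$top=100'
    param(
        [Parameter(Mandatory)][string]$RelativeUri,
        [string]$ApiVersion = '2013-04-05'
    )
    $auth = Get-GraphToken
    $separator = if ($RelativeUri.Contains('?')) { '&' } else { '?' }
    $uri = 'https://graph.windows.net/{0}/{1}{2}api-version={3}' -f `
        $auth.TenantId, $RelativeUri, $separator, $ApiVersion
    Invoke-RestMethod -Method Get -Uri $uri -Headers @{
        Authorization = $auth.CreateAuthorizationHeader()
    }
}

function Get-GraphAllPages {
    # Follows odata.nextLink (assumed to be a tenant-relative path carrying a
    # $skiptoken) until the last page; emits every object on the pipeline.
    param([Parameter(Mandatory)][string]$RelativeUri)
    $next = $RelativeUri
    while ($next) {
        $page = Invoke-GraphGet -RelativeUri $next
        $page.value
        $next = $page.'odata.nextLink'
    }
}

function Sync-GraphDelta {
    # First run: an empty deltaLink (the post's own pattern) returns everything.
    # Later runs: the saved aad.deltaLink returns only objects changed since then,
    # which is what a detection pipeline wants (new accounts, attribute changes).
    param([string]$StatePath = (Join-Path $env:TEMP 'aad-deltalink.txt'))   # constructed path

    $auth = Get-GraphToken
    $uri = if (Test-Path $StatePath) {
        (Get-Content -Path $StatePath -Raw).Trim()
    } else {
        'https://graph.windows.net/{0}/directoryObjects?api-version=2013-04-05&deltaLink=' -f $auth.TenantId
    }

    $changes = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers @{
            Authorization = $auth.CreateAuthorizationHeader()
        }
        $changes += $page.value
        if ($page.'aad.nextLink') {
            $uri = $page.'aad.nextLink'        # more pages in this cycle
        } else {
            # End of the cycle: persist the watermark for the next run. The link
            # is a sync position, not a credential, but it still identifies the
            # tenant, so keep the state file where only this account can read it.
            Set-Content -Path $StatePath -Value $page.'aad.deltaLink'
            $uri = $null
        }
    }
    $changes
}

# Usage
$allUsers = Get-GraphAllPages -RelativeUri 'users?$top=100'
$allUsers | Select-Object userPrincipalName, displayName | Format-Table

$delta = Sync-GraphDelta
"{0} directory objects changed since the last sync" -f $delta.Count
```

Only `Authorization` is sent; the `Content-Type` header from the post is harmless on a GET but carries no information without a body. Because `Get-GraphToken` uses `AcquireTokenSilent`, the interactive prompt appears once per session and the scheduled delta run can reuse the cached token until it expires.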
