Token Protection Extends to Microsoft Graph PowerShell SDK Sessions

Token Protection Extends to Graph PowerShell SDK

The conditional access policy condition for token protection now extends to Microsoft Graph PowerShell SDK interactive sessions. Any account within the scope of a CA policy that requires token protection can use Web Account Manager (WAM) to sign in and check that everything is secure and ready to go. It’s a protection that might be of interest to administrators and developers that access sensitive data in Graph SDK sessions.

Mailbox Import-Export Graph APIs Leave No Audit Trail

Mailbox Import-Export Graph API

A recent post revealed that the Mailbox Import-Export Graph API doesn’t capture audit events for its operations. The API is in beta, but this is disappointing. Auditing any mailbox is important, but it becomes a critical requirement when the possibility exists that attackers could use the API to exfiltrate mailbox data outside of the tenant. This is a hole that Microsoft needs to close.

Microsoft Launches the Copilot Interaction Export API

aiInteractionHistory Graph API

Microsoft will launch the aiInteractionHistory Graph API (aka, the Copilot Interaction Export API) in June. The API enables third-party access to Copilot data for analysis and investigative purposes, but any ISV who wants to use the API needs to do some work to interpret the records returned by the API to determine what Copilot really did in its interactions with users.

How to List Hidden Group Memberships with the Graph

Listing hidden group membership with the Graph

A user reported that a script didn’t list any details of hidden group memberships and asked why. The reason is that a separate Graph permission controls access to hidden group memberships. If an app doesn’t have the permission, the Graph returns null memberships, which is probably not all that helpful. Once the right permission is in place, everything works.

Microsoft Graph PowerShell SDK V2.28 Attempts to Restore Stability

Microsoft Graph PowerShell SDK V2.28

On May 10, 2025, Microsoft released V2.28 of the Microsoft Graph PowerShell SDK in the hope that the new version would fix a bunch of annoying problems that have dogged the SDK for several months. The first few days haven’t revealed any new problems and bug reports are being closed, so the signs are positive. But do test before deploying V2.28 into production.

How to Permanently Remove Mailbox Items with the Graph API

Permanent deletiion of mailbox items

Some new Graph APIs were announced on April 1 to close a feature gap with EWS. The new APIs permanently remove mailbox items and other objects, including folders, calendars, and calendar items. Permanent deletion means that items cannot be recovered through clients because they end up in the Purges folder in Recoverable Items. This article explains how the new APIs work, including a practical example.

Microsoft Attempts to Fix Microsoft Graph PowerShell SDK Problem with Azure Automation

Buggy Microsoft Graph PowerShell SDK

V2.26 and V2.26.1 of the Microsoft Graph PowerShell SDK were low-quality, buggy disasters. Microsoft aims to fix the problem in the next version to make it possible for the SDK to work with Azure Automation runbooks again and address many of the obvious problems that should never have appeared outside Microsoft. It will take time for customer confidence to be restored.

Microsoft Graph PowerShell SDK V2.26.1 Remains Flawed

Microsoft Graph PowerShell SDK V2.26.1 remains flawed

The developers rushed out Version 2.26.1 of the Microsoft Graph PowerShell SDK to fix some obvious issues. Alas, problems persist in PowerShell SDK cmdlets, including licensing failures and an issue that prevents the Connect-MgGraph cmdlet from being able to obtain an access token from Entra ID. My advice is to stay with V2.25 until Microsoft resolves the problems and generates a new stable version of the SDK.

Microsoft Graph PowerShell SDK Runs into Choppy Waters

Graph SDK V2.26 Issues Make the Software Unusable

A bunch of problems with V2.26 of the Microsoft Graph PowerShell SDK V2.26 make the software unusable. Not only did Microsoft do a horrible job of testing the new release before making it available to customers, but they also failed to communicate the level of change in the new SDK and how it could impact Azure Automation runbooks.

Processing Multiple Message Attachments with the Microsoft Graph PowerShell SDK

Add attachments to email with the Graph SDK

Many examples are available online to explain how to add a single attachment to messages using the Microsoft Graph PowerShell SDK. Here we look at the principles behind how to add attachments (one or many) to messages before sending them with the Send-MgUserMail cmdlet. Get the principles right and you’ll never go wrong!

Entra ID Introduces New Graph Permissions for User Accounts

Graph permissions for user accounts. Graph permissions to manage Entra ID accounts.

A set of new granular Graph permissions for User account management is now available to handle common operations like changing account passwords or updating phone numbers. There’s no need to update existing code unless you want to use the principle of lease privilege, in which case you’ll replace the current permissions with the new permissions. My feeling is that relatively few will go update code, but I could be surprised.

Primer: Output Data Generated with an Azure Automation Runbook to a SharePoint List

The second part of the Azure Automation runbook primer brings us to output, specifically how to create items generated by a runbook in a SharePoint Online list. Once in the lists, items can be processed using Power Automate, Power Apps, or Power BI or exported to Excel. It’s a great way of capturing information generated by background jobs.

Using the SharePoint Pages Graph API

Microsoft released the SharePoint Pages API in mid-2024. This article describes how to create and publish a news item using cmdlets from the Microsoft Graph PowerShell SDK based on the API. The net result is that the API appears to work well but some problems are evident in the cmdlets. Or maybe it’s just my lack of knowledge!

Processing Microsoft 365 Retention Labels with the Microsoft Graph PowerShell SDK

Two types of retention labels are in use: Microsoft 365 retention labels and MRM retention tags. Clients hide the difference, but the Microsoft Graph PowerShell SDK cmdlets can only process Microsoft 365 retention labels for files stored in SharePoint Online and OneDrive for Business. EWS can manage MRM retention tags, but it’s on a fast path to retirement in 2026…

Microsoft Recommends the UnifiedRoleDefinition Graph API for Role Assignment Automation

Microsoft recommends that developers move from the older DirectoryRoles Graph API and use the UnifiedRoleDefinition API instead. Changing APIs will impact the code in any PowerShell scripts used to automate role assignments. In this article, we review some examples of the older way to assign roles and show how to do the same tasks with the new API.

How to Use the Graph SDK to Manage Group-Based Licensing

Group-based licensing is a mechanism to make it easier to assign and manage product licenses for large sets of user accounts. In this article, we discuss how to use Microsoft Graph PowerShell SDK cmdlets to manage group-based license assignments in a Microsoft 365 tenant. Assigning licenses to groups is very much like direct assignments, but some differences exist.

Microsoft Releases Beta Version of New Cloud Licensing Graph API

A new Cloud Licensing API has turned up in the Microsoft Graph beta endpoint. Apparently, the new API aims to improve license management in various ways. For now, the new API returns essentially the same licensing data that’s available through other APIs and cmdlets. The full story about what problem Microsoft plans to solve with the Cloud Licensing API and usage rights remains to be seen.

Microsoft Graph Doesn’t Support Custom Attributes for Groups

Container management labels are an effective way to ensure that groups, teams, and sites have the right settings. The Graph doesn’t support custom attributes for groups, so these attributes aren’t available to store details of the “approved” container management label to check if anyone has changed the label after the original assignment. Time to find a new way to store this data.

Installing the Entire Microsoft Graph PowerShell SDK Seems Like the Right Idea

An article described some benefits that could be gained from not installing the complete Microsoft Graph PowerShell SDK. The question is whether the claimed benefits are more theoretical than actual. It’s hard to say because it all depends on how someone uses the SDK for development or to run scripts. Anyway, it’s a topic worth discussing.

How to Report the Information Stored in Recoverable Items

This article explains how to use the Microsoft Graph PowerShell SDK to report Recoverable Items in a form that is usable for eDiscovery investigators and other highly-privileged use. The script fetches details of items found in folders like Deletions, Purges, Versions, and SubstrateHolds. Because accessing mailbox data is a sensitive action, consider restricting access to confidential mailboxes using RBAC for applications.

Copilot Usage Report APIs Available

In MC877369, Microsoft announced the availability of three Copilot usage reports in the Graph usage reports API to track usage of Copilot for Microsoft 365 in the apps enabled for Copilot, like Outlook, Excel, Word, PowerPoint, Loop, etc. The data available in the Copilot usage reports isn’t very informative and you might be better off using audit records to analyze what’s happening.

Transferring Reusable PowerShell Objects Between Microsoft 365 Tenants

People often need to transfer objects or code between Microsoft 365 tenants. When it comes to dealing with objects, the Microsoft Graph PowerShell SDK’s ToJsonString method is very useful. The method outputs a string containing JSON content, but only for object properties that have a value. This makes the much easier to use the output as the basis for a template object or as the payload body to create an object in another tenant.

Switching Microsoft 365 Data Report Privacy On and Off

The Usage Reports Graph API is now generally available, which means that it’s fully supported. In other news, a Graph API is available for Microsoft 365 Backup, The news demonstrates once again how widely the Graph APIs are used with Microsoft 365 and why tenant administrators should acquire some knowledge about how the Graph works.

Handling the Too Many Retries Error and Dealing with Odd Numbers of Audit Events

The AuditLog Query Graph API remains in beta status but cmdlets are now available in the Microsoft Graph PowerShell SDK. This led to some oddities in results when the number of audit events found by a search didn’t match those reported by the Purview compliance portal. It all worked out in the end. In other news, the Set-MgRequestContext helped sort out some retry problems.

The Maddening Side of the Microsoft Graph PowerShell SDK

All software has unique quirks, and the foibles of the Microsoft Graph PowerShell SDK are well known. But it’s much harder when the underlying foundation contributes to the craziness as described in this article. Graph pagination works in a specific way and Microsoft tunes the Graph to deliver great performance by reducing the set of properties returned for objects. Both can cause concern for developers.

Upgrading the Teams and Groups Activity Report to 6.0

The Teams and Groups activity report is a popular script that helps administrators identify inactive teams and groups within a Microsoft 365 tenant. The script code has been developed over the years. The last version converted to Graph API requests to improve performance. This time, the upgrade is to use the Microsoft Graph PowerShell SDK to make the code easier to maintain.

The Curiously Unfinished Outlook Settings API

The Outlook settings API is a unfinished Graph API that can read and update some but not all mailbox settings. It’s a pity that the API is incomplete because it would be nice to have a comprehensive API that supported every mailbox setting, including some of the more recently introduced tweaks seen in OWA. The current state of the Outlook settings API is usable but not for much, but at least it can update auto-reply settings.

Planner User Policy Stops Task and Plan Deletions

The Set-PlannerUserPolicy cmdlet allows Microsoft 365 tenant administrators stop users deleting tasks created by other users. However, an undocumented consequence of setting the policy for user accounts is that it stops those accounts removing plans too. The unexpected block imposed by Set-PlannerUserPolicy caused me problems when attempting to delete a plan with PowerShell. It would be nice if the modules created by Microsoft worked as expected (and as documented).

Working with Calendar Permissions using the Microsoft Graph PowerShell SDK

The Set-MailboxFolderPermission cmdlet is usually used to set calendar permissions, including the permission for the default user to allow everyone in an organization to see each other’s calendars. But you can use cmdlets from the Microsoft Graph PowerShell SDK too. The Graph SDK cmdlets are faster, but not enough to warrant replacing the Exchange cmdlet in scripts. We explain why here.

Per-User MFA State Added to Tenant Passwords and MFA Report

A Microsoft Graph update makes per-user MFA state available for user accounts. Being able to access the data means that we can include it in the User Passwords and Authentication report. You can now see if accounts are disabled, enabled, or enforced for per-user MFA along with all the other information captured about passwqrd changes, MFA authentication methods, and so on.

Choosing Between Graph API Requests or Graph SDK Cmdlets

Deciding whether to use Microsoft Graph PowerShell SDK cmdlets or Graph API requests is sometimes not easy. Some say that it’s best to use Graph API requests everywhere and avoid the complication of possibly buggy Graph PowerShell SDK cmdlets. My approach is different. I start with Graph PowerShell SDK cmdlets and only resort to Graph API requests when absolutely necessary. It works for me!

Sending Urgent Teams Chats with PowerShell

A reader asked if it is possible to script sending chat messages. In this article, we explore how to compose and send Teams urgent messages to a set of recipients using Microsoft Graph PowerShell SDK cmdlets. The conversation with each recipient is a one-to-one chat that Teams either creates from scratch or reuses (if a suitable one-on-one chat exists).

Microsoft Graph Activity Logs Hit General Availability

April 11 saw the general availability of Microsoft Graph activity logs, a new set of data recording details of Graph API HTTP requests made in a tenant. The logs are intended to help security analysts understand actions taken by apps in a tenant such as data access or configuration updates. Before working with Graph activity logs, security analysts will need to understand Graph API requests and the context they’re made.

Report OneDrive for Business Storage Based on Usage Data

If you wanted to write a PowerShell script to create a OneDrive storage report, you’d probably use the cmdlets from the SharePoint Online management module. But accessing OneDrive usage data via the Graph is much faster. And you can include information from other sources, such as user properties, to build out the report. All explained here.

Use the Graph SDK to Access Microsoft 365 Service Health Information

The Microsoft Graph includes the Service Communications API. SDK cmdlets can use the API to retrieve and work with service health data. In this article, we show how to use Graph SDK cmdlets (based on the API) to fetch and work with service health data, including creating an email report to update people about the current state of tenant health.

Graph User.ReadBasic.All Application Permission Available

The Graph User.ReadBasic.All permission is now available for both delegated and application usage. Think before rushing to use the permission. Although the permission does what it sets out to do, the restriction on filtering means that many scenarios need the full User.Read.All permission.

How to Use PowerShell to Retrieve Permissions for Entra ID Apps

Recent attacker activity made me think that access might have been gained through an OAuth app. Keeping an eye on app permissions is important. From a PowerShell perspective, it is reasonably straightforward to retrieve details of app permissions using the Microsoft Graph PowerShell SDK. Several methods are available to do the job.