Creating custom connection scripts, such as to the Microsoft Graph API
Any time you need to connect to a service, such as Azure or the Graph API, the best approach is to put the connection logic in one script, then reference that script from any script that needs the connection. This is described in Referencing reusable code modules across scripts.
Connecting to the Microsoft Graph API takes a number of steps, because the API is heavily fortified against unauthorized use.
Certificate
The first thing we need is a certificate installed on the front end (API and UI) machine, with the same certificate uploaded to the App Registration in the Azure Portal. This authorizes VitalSigns to call the Graph API for your organization.
Create the certificate and install it to the LocalMachine\My store
The commands below create the cert, add it to the store and export it to a file. If you are using a more "company accepted" cert, you would just have to add it to the LocalMachine\My cert store on the UI/API box. I believe the only requirement is that the DnsName has to match your tenant name, which can be found by following the instructions below if needed.
Go to the UI/API box, open a PowerShell ISE window (normal PowerShell works fine, it is just easier via ISE) as administrator and copy/paste the commands below.
Note that on the 1st line, you will have to change TENANTNAMEHERE to your tenant name. The easiest way to confirm it's the correct one is to open the Azure Portal and go to the Azure Active Directory page; it should be listed on the 1st page under the Primary Domain title.
Also, change the file path on line 3 if that path does not work for you.
$newCert = New-SelfSignedCertificate -DnsName TENANTNAMEHERE -CertStoreLocation "Cert:\LocalMachine\My"   # creates the cert (with private key) in LocalMachine\My
$certItem = Get-ChildItem Cert:\LocalMachine\My\$($newCert.Thumbprint)   # look it up by thumbprint
$certItem | Export-Certificate -FilePath C:\Graph_Cert.cer   # exports the public part only; this .cer is what you upload to Azure
Upload certificate to the App via the Azure Portal
Go to the Azure Portal and go to the App Registrations page
Click on All Applications and then search for the VitalSigns app and click it
On the left panel, click “Certificates & Secrets”
Under Certificates, click Upload Certificate, click the Select a file box and select the certificate file, either your self-signed cert or one made via another method.
Install the Graph API Modules (this part we did in the call)
Go to the desired machine (in our case the UI/API machine) and open a PowerShell window as Administrator
Run the following command
Install-Module Microsoft.Graph
Note that this will take upwards of 10-15 minutes to complete.
Below is how I implemented it in PowerScripts. Feel free to tweak this, but this is what worked for me.
Create the Connect to Graph API script
Go to the VitalSigns site and go to the PowerScripts Script Management tab and click “Add” to create a new script
Select the Device Type “Office 365”
Give the script a name, for example “Connect Graph API” (if you change the name, ensure the following script reflects the change)
Give the script a description (if desired)
Select "This script does not need authentication to Office365". Checking this box saves you from consuming an unnecessary session to O365.
Script:
$CertificateThumbprint = 'XXXXXXXXXXXXXXXXXXXXXXX' # Replace this with the thumbprint of the uploaded cert
$ClientId = 'XXXXXXXXXXXXXXXXXXXX' # Replace this with the Client ID of the App Registration. This can be found on the VitalSigns App Registration page in the Azure Portal, on the Overview page under Application (client) ID
$TenantId = 'XXXXXXXXXXXXXXXXXX' # Replace this with your Tenant ID. This can be found in the Azure Portal on the Azure Active Directory page
$certItem = Get-ChildItem Cert:\LocalMachine\My\$CertificateThumbprint   # the cert must hold the private key on this machine
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -Certificate $certItem   # app-only (certificate) authentication
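The connection script above, and the certificate section before it, assume the cert is present, still valid and holds its private key. The following is an added example, not the page's own script, of the same connection with those checks done up front and the resulting session verified; the XXXX placeholders are the same ones the page uses, and the 30-day renewal warning threshold is an assumed value you can change.

```powershell
# Added example (not the original page's script): connection script with pre-flight checks.
$CertificateThumbprint = 'XXXXXXXXXXXXXXXXXXXXXXX'   # thumbprint of the cert uploaded to the App Registration
$ClientId              = 'XXXXXXXXXXXXXXXXXXXX'      # Application (client) ID of the VitalSigns App Registration
$TenantId              = 'XXXXXXXXXXXXXXXXXX'        # Directory (tenant) ID

$certItem = Get-ChildItem -Path "Cert:\LocalMachine\My\$CertificateThumbprint" -ErrorAction SilentlyContinue
if (-not $certItem) {
    throw "Certificate $CertificateThumbprint not found in Cert:\LocalMachine\My on this machine."
}
# The .cer uploaded to Azure carries only the public half; the private key must live in this store.
if (-not $certItem.HasPrivateKey) {
    throw "Certificate $CertificateThumbprint has no private key here; app-only authentication will fail."
}
# Warn well before expiry so monitoring scripts that depend on this connection do not break silently.
$daysLeft = ($certItem.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 0)  { throw "Certificate expired on $($certItem.NotAfter); renew and re-upload it to the App Registration." }
if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days; renew and re-upload it to the App Registration." }

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -Certificate $certItem

# Confirm what we actually got: a session against the expected tenant, app-only auth, and the consented permissions.
$ctx = Get-MgContext
if (-not $ctx -or $ctx.TenantId -ne $TenantId) {
    throw "Connect-MgGraph did not produce a session for tenant $TenantId."
}
Write-Output "Connected to tenant $($ctx.TenantId) as app $($ctx.ClientId) (auth type: $($ctx.AuthType))"
Write-Output "Granted application permissions: $($ctx.Scopes -join ', ')"
```

A cert made with New-SelfSignedCertificate and no -NotAfter is valid for one year, so the expiry check is the one most likely to save you a silent outage; the Scopes line is also a quick way to confirm the App Registration has been granted exactly the Graph application permissions the dependent scripts need and nothing more.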
Create a script which requires the Graph API, for instance to Remove MFA Devices
Go to the VitalSigns site and go to the PowerScripts Script Management tab and click “Add” to create a new script
Select the Device Type “Office 365”
Give the script a name, I called it “Remove All MFA Devices”
Give the script a description (if desired)
Select the Type “Users”, or whatever types you wish
Under Script Dependencies field, click the dropdown, expand Office 365, select “Connect Graph API” (or whatever you called it)
Select the “This script does not need authentication to Office365”
Note that the Connect_Graph_Api line references the connection script made above.
param([string]$UserPrincipalName)
Connect_Graph_Api # If your name of the connect script is different, change this to reflect the change. Replace spaces with underscores
Select-MgProfile -Name beta
Import-Module Microsoft.Graph.Identity.SignIns
Get-MgUserAuthenticationEmailMethod -UserId $UserPrincipalName | ForEach-Object {
    try {
        Write-Output "Removing email $($_.EmailAddress)"
        Remove-MgUserAuthenticationEmailMethod -UserId $UserPrincipalName -EmailAuthenticationMethodId $_.Id
    } catch {
        Write-Error "Error removing email. $_"
    }
}
Get-MgUserAuthenticationPhoneMethod -UserId $UserPrincipalName | ForEach-Object {
    try {
        Write-Output "Removing phone $($_.PhoneNumber)"
        Remove-MgUserAuthenticationPhoneMethod -UserId $UserPrincipalName -PhoneAuthenticationMethodId $_.Id
    } catch {
        Write-Error "Error removing phone. $_"
    }
}
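Removing a user's MFA methods is a high-impact change, so the version below, an added example rather than the page's own script, inventories the user's registered methods before and after, supports -WhatIf for a dry run, and returns a summary object for the PowerScripts output. It assumes the same Connect_Graph_Api dependency name as the page; Get-MgUserAuthenticationMethod is used for the inventory and Select-MgProfile is only called when the installed SDK version provides it.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param([Parameter(Mandatory = $true)][string]$UserPrincipalName)

# Added example, not the page's script. Connect_Graph_Api is the PowerScripts dependency name used on the page.
Connect_Graph_Api
# Select-MgProfile exists only in SDK v1 (v2 ships beta cmdlets as separate Microsoft.Graph.Beta.* modules).
if (Get-Command Select-MgProfile -ErrorAction SilentlyContinue) { Select-MgProfile -Name beta }
Import-Module Microsoft.Graph.Identity.SignIns

function Get-MethodInventory {
    # Every registered authentication method with its @odata.type, so the before/after state is visible.
    param([string]$UserId)
    Get-MgUserAuthenticationMethod -UserId $UserId | ForEach-Object {
        [pscustomobject]@{ Id = $_.Id; Type = $_.AdditionalProperties['@odata.type'] }
    }
}

$before = @(Get-MethodInventory -UserId $UserPrincipalName)
Write-Output "Before: $($before.Count) method(s) registered for $UserPrincipalName"
$before | ForEach-Object { Write-Output "  $($_.Type) $($_.Id)" }

$removed = 0
$failed  = 0

Get-MgUserAuthenticationEmailMethod -UserId $UserPrincipalName | ForEach-Object {
    $method = $_   # keep a reference; inside catch, $_ becomes the error record
    if ($PSCmdlet.ShouldProcess("$UserPrincipalName email $($method.EmailAddress)", 'Remove authentication method')) {
        try {
            Remove-MgUserAuthenticationEmailMethod -UserId $UserPrincipalName -EmailAuthenticationMethodId $method.Id -ErrorAction Stop
            $removed++
        } catch {
            Write-Error "Error removing email $($method.EmailAddress): $($_.Exception.Message)"
            $failed++
        }
    }
}

Get-MgUserAuthenticationPhoneMethod -UserId $UserPrincipalName | ForEach-Object {
    $method = $_
    if ($PSCmdlet.ShouldProcess("$UserPrincipalName phone $($method.PhoneNumber)", 'Remove authentication method')) {
        try {
            Remove-MgUserAuthenticationPhoneMethod -UserId $UserPrincipalName -PhoneAuthenticationMethodId $method.Id -ErrorAction Stop
            $removed++
        } catch {
            Write-Error "Error removing phone $($method.PhoneNumber): $($_.Exception.Message)"
            $failed++
        }
    }
}

$after = @(Get-MethodInventory -UserId $UserPrincipalName)

# Summary for the PowerScripts output / audit trail. The password method is always listed by Graph,
# so MethodsAfter will normally be at least 1 even after a full clean-up.
[pscustomobject]@{
    User           = $UserPrincipalName
    MethodsBefore  = $before.Count
    Removed        = $removed
    Failed         = $failed
    MethodsAfter   = $after.Count
    RemainingTypes = (@($after.Type | Sort-Object -Unique) -join ', ')
}
```

Run it once from a console with -WhatIf to see exactly which methods would be removed for the user before wiring it into PowerScripts; the after-inventory also shows any method types (for example an authenticator app registration) that this script does not touch, so the helpdesk knows whether the user can still satisfy an MFA prompt.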
Video walk-through of the process above: