Microsoft Graph API: Getting Started for IT Admins

Published 9 October 2025 · 8 min read

Microsoft Graph is the unified API for all Microsoft 365 services - Entra ID, Exchange, Teams, SharePoint, Intune, and more. Knowing how to query Graph opens up automation possibilities not available in any admin portal. This guide gets you making real API calls in 15 minutes.

What is Microsoft Graph

Graph is a REST API at https://graph.microsoft.com. Every call follows the same pattern:

GET https://graph.microsoft.com/v1.0/{resource}
Authorization: Bearer {access_token}

Graph Explorer

The fastest way to start - sign in and run queries against your own tenant immediately:

https://developer.microsoft.com/en-us/graph/graph-explorer

Try:
GET https://graph.microsoft.com/v1.0/me
GET https://graph.microsoft.com/v1.0/users
GET https://graph.microsoft.com/v1.0/users?$filter=department eq 'IT'

Create an app registration

Entra ID portal → App registrations → + New registration
  1. Name: My Graph Scripts
  2. Supported account types: This organization only
  3. Note the Application (client) ID and Directory (tenant) ID
  4. Go to API permissions → + Add → Microsoft Graph → Application permissions
  5. Add required permissions (e.g. User.Read.All)
  6. Click Grant admin consent
  7. Go to Certificates & secrets → + New client secret

Get an access token

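# Placeholders below: substitute your own IDs. Load the client secret from a
# secure store at run time rather than hard-coding it in the script.
$body = @{
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
    client_id     = "your-app-id"
    client_secret = "your-client-secret"
}
# Client credentials flow: the app authenticates as itself, with no user sign-in
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/your-tenant-id/oauth2/v2.0/token" `
    -Body $body
$accessToken = $token.access_token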

Make your first API call

$headers = @{ Authorization = "Bearer $accessToken" }

# Get users (first page of results; requires User.Read.All)
$users = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users" -Headers $headers
$users.value | Select-Object displayName, userPrincipalName

# Get Intune managed devices (requires DeviceManagementManagedDevices.Read.All)
$devices = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" -Headers $headers
$devices.value | Select-Object deviceName, complianceState

Frequently Asked Questions

Q: What permissions does my Graph app need?

It depends on what you are querying. Use least privilege - only add the permissions your script needs.

Q: What is the difference between Delegated and Application permissions?

Delegated permissions act as a signed-in user. Application permissions are granted to the app itself and are used for background scripts.

Q: How do I handle paging?

Graph returns up to 100 results by default. Follow the @odata.nextLink URL in a loop. The PowerShell module handles paging automatically with -All.
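
The @odata.nextLink loop described above, written out for the raw Invoke-RestMethod approach this guide uses. This is an added example, not code from the original guide: Get-GraphAll is a hypothetical helper name, and the host check and retry-with-backoff behaviour are assumptions about what a production script should do.

```powershell
# Added example: Get-GraphAll is a hypothetical helper, not part of any Microsoft module.
function Get-GraphAll {
    param(
        [Parameter(Mandatory)] [string]    $Uri,
        [Parameter(Mandatory)] [hashtable] $Headers,
        [int] $MaxRetries = 5
    )
    $expectedHost = ([uri]$Uri).Host
    $next = $Uri
    while ($next) {
        # The bearer token is sent with every request, so never follow a
        # nextLink that points at a different host than the original call.
        if (([uri]$next).Host -ne $expectedHost) {
            throw "Refusing to follow nextLink to unexpected host: $next"
        }
        $attempt = 0
        while ($true) {
            try {
                $page = Invoke-RestMethod -Method Get -Uri $next -Headers $Headers
                break
            }
            catch {
                # Windows PowerShell 5.1 and PowerShell 7 both expose Response.StatusCode
                $resp   = $_.Exception.Response
                $status = if ($resp) { [int]$resp.StatusCode } else { 0 }
                $attempt++
                # Retry only throttling (429) and transient service errors (503, 504)
                if (($status -notin 429, 503, 504) -or ($attempt -gt $MaxRetries)) { throw }
                # Assumption: simple exponential backoff instead of parsing Retry-After
                Start-Sleep -Seconds ([math]::Pow(2, $attempt))
            }
        }
        # Emit this page's items to the pipeline, then move to the next page
        $page.value
        $next = $page.'@odata.nextLink'
    }
}

# $headers comes from the "Make your first API call" section.
# Single quotes stop PowerShell from expanding $select as a variable.
$allUsers = @(Get-GraphAll -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName')
"Retrieved $($allUsers.Count) users"
```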
