How to connect to Microsoft 365 management tools

Introduction

The main option for most end users and administrators to access Microsoft 365 apps and services is the web-based Microsoft 365 portals (Microsoft 365 user portal, Microsoft 365 Admin Center, Exchange Online Admin Center, SharePoint Online Admin Center, Teams Admin Center, Security Center, Compliance Admin Center, etc.).

The following screenshot provides an overview of all available Microsoft 365 admin centers. You can view a detailed description of all Microsoft 365 admin centers at: https://stefanos.cloud/kb/how-to-access-all-microsoft-365-admin-centers/.

Besides the web-based admin centers mentioned above, PowerShell gives administrators access to all available features and functionality of Microsoft 365.

This article provides guidance on how to connect to Microsoft 365 management tools.

The legacy Office 365 APIs

Before the Microsoft Graph API, there were various Application Programming Interfaces available for Office 365. Microsoft no longer actively maintains these legacy APIs. Details about the legacy Office 365 APIs can be found at: https://docs.microsoft.com/en-us/previous-versions/office/office-365-api/.

Office Add-Ins JavaScript APIs

An Office add-in can use the Office JavaScript APIs to interact with objects in Office client applications. There are two types of Office Add-Ins JavaScript APIs:

  • Application-specific APIs provide strongly-typed objects that can be used to interact with objects that are native to a specific Office application.
  • Common APIs can be used to access features such as UI, dialogs, and client settings that are common across multiple types of Office applications.

The Office 365 Management APIs

The Office 365 Management APIs provide REST-based programmatic access to Office 365 services, primarily for auditing, health monitoring and reporting purposes. All of the Office 365 Management APIs are consistent in design and implementation with the current suite of Office 365 REST APIs. All Office 365 Management APIs make use of industry standard protocols for authentication and authorization, including OAuth v2, OData v4, and JSON. In all cases, using the Office 365 Management APIs requires that the developer first registers the application in Azure Active Directory (Azure AD), configures the required certificate and private key, and defines the application permissions to the Office 365 Management API.

There are two major subsets of the Office 365 management API:

  • The service health and communications API in Microsoft Graph. You can use the service communications API in Microsoft Graph to access the health status and message center posts about Microsoft cloud services.
  • The Office 365 Management Activity API. The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365 and Azure Active Directory activity logs.

The Microsoft Graph API

Microsoft 365 online apps and services, such as OneNote, Outlook, Excel, OneDrive, Microsoft Teams, Planner, and SharePoint, are exposed via the Microsoft Graph API. Microsoft Graph is a unified API endpoint for accessing data across Microsoft 365 services, which include Office 365, Enterprise Mobility, and Security and Windows services. It provides a simplified developer experience, with one endpoint and a single authentication token that gives developers access to data across all services. You can use the RESTful API services of Microsoft Graph inside your mobile, web and desktop software applications. The API is available for .NET, PHP, Java, Python, Ruby on Rails, the Universal Windows Platform (UWP), iOS and Android.

There are currently two versions of the Microsoft Graph REST API: v1.0 and beta. Each Microsoft Graph API REST request to the v1.0 endpoint has the following format.

https://graph.microsoft.com/v1.0/{resource}?[query_parameters]

The web-based Microsoft Graph Explorer application can be used to run any Microsoft Graph REST request and review the results. To run Graph API requests via PowerShell, the following module must first be installed and imported.

Install-Module Microsoft.Graph
#The installation process will take a few minutes.
Import-Module Microsoft.Graph
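
An added example (not part of the original article) that runs a request in the v1.0 format shown above through the Microsoft Graph PowerShell SDK, with a single read-only delegated scope and paging over the result. The User.Read.All scope, the users resource and the Get-GraphCollection helper name are assumptions chosen for illustration.

```powershell
# Added example (not from the original article).
# Assumptions: the User.Read.All scope, the 'users' resource and the
# Get-GraphCollection helper are illustrative choices.
Import-Module Microsoft.Graph.Authentication

function Get-GraphCollection {
    param(
        [Parameter(Mandatory)] [string] $Resource,   # {resource}, e.g. 'users'
        [string] $Query                               # [query_parameters]
    )
    $uri = "https://graph.microsoft.com/v1.0/$Resource"
    if ($Query) { $uri = "${uri}?${Query}" }
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $page.value                       # emit the items of this page
        $uri = $page.'@odata.nextLink'    # $null once the last page is reached
    }
}

# Ask only for the delegated scope this task needs.
Connect-MgGraph -Scopes 'User.Read.All'

# The token can also carry scopes consented to in earlier sessions,
# so review what this session actually holds before running anything else.
(Get-MgContext).Scopes

# Single quotes keep PowerShell from expanding $select and $top.
Get-GraphCollection -Resource 'users' -Query '$select=displayName,userPrincipalName&$top=50' |
    Select-Object displayName, userPrincipalName

Disconnect-MgGraph
```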

PowerShell Azure AD modules

The Azure Active Directory Module is being replaced by the Microsoft Graph PowerShell SDK. You can use the Microsoft Graph PowerShell SDK to access all Microsoft Graph APIs. There are two versions of the PowerShell module that you can use to connect to Microsoft 365 and administer user accounts, groups, and licenses:

  • Azure Active Directory PowerShell for Graph, whose cmdlets include AzureAD in their name.
Install-Module -Name AzureAD
Import-Module AzureAD
  • Microsoft Azure Active Directory Module for Windows PowerShell, whose cmdlets include Msol in their name.

If you're not running Windows 10, install the 32-bit version of the Microsoft Online Services Sign-in Assistant: Microsoft Online Services Sign-in Assistant for IT Professionals RTW.

Install-Module MSOnline
Import-Module MSOnline
Connect-MsolService

Currently, the Azure Active Directory PowerShell for Graph module doesn't completely replace the functionality of the Microsoft Azure Active Directory Module for Windows PowerShell module for user, group, and license administration. In some cases, you need to use both versions. You can safely install both versions on the same computer.

Microsoft 365 CLI

For details on how to deploy the Microsoft 365 CLI, refer to the following article:

https://stefanos.cloud/kb/how-to-install-and-manage-cli-for-microsoft-365/

PowerShell to Exchange Online

Requirements

  • The account that you use to connect must be enabled for remote PowerShell. For more information, see Enable or disable access to Exchange Online PowerShell.
  • TCP port 80 traffic needs to be open between your local computer and Microsoft 365. It's probably open, but it's something to consider if your organization has a restrictive internet access policy.
  • If your organization uses federated authentication, and your identity provider (IDP) and/or security token service (STS) isn't publicly available, you can't use a federated account to connect to Exchange Online PowerShell. Instead, create and use a non-federated account in Microsoft 365 to connect to Exchange Online PowerShell.

High level steps

For Exchange Online, use the most recent Exchange Online v2 PowerShell module. The high-level steps for connecting to Exchange Online with the PS v2 module with MFA and modern authentication are the following:

Set-ExecutionPolicy RemoteSigned
Install-Module -Name PowerShellGet -Force -AllowClobber
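#Check whether Basic authentication is enabled on the WinRM client
winrm get winrm/config/client/auth
#If you don't see the value Basic = true, you need to run the following command.
#The module uses the Basic authentication header only to carry the session's OAuth token; the username and password are not sent.
winrm set winrm/config/client/auth '@{Basic="true"}'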
#Install the Exchange Online V2 module for all users
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Get-Module ExchangeOnlineManagement
Connect-ExchangeOnline
#To update the module to latest version for all users run the following cmdlet
Update-Module -Name ExchangeOnlineManagement
#General syntax (parameters in square brackets are optional)
Connect-ExchangeOnline -UserPrincipalName <UPN> [-ExchangeEnvironmentName <Value>] [-DelegatedOrganization <String>] [-PSSessionOption $ProxyOptions]
#To keep two versions installed side by side
#This command will install latest version side-by-side with existing version
Install-Module -Name ExchangeOnlineManagement -Force
#You should also check which M365 users have PowerShell remote access enabled
Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true'
#To enable remote access for a user (replace <UPN> with the user principal name)
Set-User -Identity <UPN> -RemotePowerShellEnabled $true
Disconnect-ExchangeOnline
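
An added example (not from the original article) that extends the remote PowerShell check in the steps above into an allowlist review: it reports every account with RemotePowerShellEnabled set that is not on an approved list and previews disabling it. The allowlist entries and variable names are constructed placeholders.

```powershell
# Added example: review who can open Exchange Online PowerShell sessions.
# Assumption: $approvedAdmins is a constructed allowlist; replace it with your own.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$approvedAdmins = @(
    'exo-admin@contoso.example',     # constructed sample value
    'breakglass@contoso.example'     # constructed sample value
)

# Same filter as in the article: every account allowed to use remote PowerShell.
$enabled = Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true'

# Anything enabled but not approved is a candidate for removal.
$unexpected = $enabled | Where-Object { $_.UserPrincipalName -notin $approvedAdmins }

$unexpected |
    Sort-Object UserPrincipalName |
    Select-Object UserPrincipalName, RecipientTypeDetails, WhenChanged |
    Format-Table -AutoSize

# Preview the change first; remove -WhatIf once the list has been reviewed.
foreach ($user in $unexpected) {
    Set-User -Identity $user.UserPrincipalName -RemotePowerShellEnabled $false -WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```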

The high level steps for connecting to Exchange Online with the PS v2 module with modern authentication without MFA are the following:

Import-Module ExchangeOnlineManagement
$UserCredential = Get-Credential
#General syntax (parameters in square brackets are optional)
Connect-ExchangeOnline [-Credential $UserCredential] [-ShowBanner:$false] [-ExchangeEnvironmentName <Value>] [-DelegatedOrganization <String>] [-PSSessionOption $ProxyOptions]
#Example for non-special environments (no US Gov, China or Germany regions)
Connect-ExchangeOnline -Credential $UserCredential
Disconnect-ExchangeOnline

PowerShell to SharePoint Online

Install the SharePoint Online Management Shell by downloading and running the SharePoint Online Management Shell or installing the module from the PowerShell Gallery. Run the following commands to install and validate the installation of the SharePoint Online PowerShell module.

Install-Module -Name PowerShellGet -Force -AllowClobber
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version
#Optionally you can update the SharePoint Online PowerShell module with the following command.
Update-Module -Name Microsoft.Online.SharePoint.PowerShell
#Connect without multi-factor authentication with the following command (replace the placeholders with your own values).
Connect-SPOService -Url <SharePoint admin center URL> -Credential <UPN>
#Connect with multi-factor authentication with the following command.
Connect-SPOService -Url <SharePoint admin center URL>
Get-SPOSite
Disconnect-SPOService

PowerShell to Teams

The Microsoft Teams module for PowerShell is compatible with Windows PowerShell 5.1. Run the following commands to install and import the Teams module for administering the Microsoft Teams entities.

Install-Module -Name PowerShellGet -Force -AllowClobber
Install-Module -Name MicrosoftTeams -Force -AllowClobber
Connect-MicrosoftTeams
#Optionally update the Microsoft Teams module to the latest version if needed. 
Update-Module MicrosoftTeams
Disconnect-MicrosoftTeams

PowerShell to Azure Security and Compliance

Besides the web-based Microsoft Endpoint Manager (MEM) interface, you can manage the following Defender services using PowerShell.

You can manage some Microsoft Defender Antivirus settings on devices with PowerShell, Windows Management Instrumentation (WMI), and the Microsoft Malware Protection Command Line Utility (MPCmdRun.exe). Defender for Endpoint also offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications.

The service base URI is: https://api.securitycenter.microsoft.com. The following Defender for Endpoint APIs are available:

  • Investigation
  • Response
  • Entities
  • Streaming
  • SIEM
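
An added example (not from the original article) of the Azure AD-based authorization model described above: an app registration obtains an app-only token for the service base URI and reads the alerts of the last 24 hours. The tenant ID, application ID, the Alert.Read.All application permission and the use of a client secret are assumptions for illustration.

```powershell
# Added example: app-only (client credentials) call to the Defender for Endpoint API.
# Assumptions: an app registration exists with the Alert.Read.All application
# permission on the Defender API; the IDs below are placeholders.
$tenantId = '<tenant-id>'          # placeholder
$clientId = '<application-id>'     # placeholder
$resource = 'https://api.securitycenter.microsoft.com'   # base URI from the article

# Prompt for the secret so that it is not stored in the script or in history.
$secret = Read-Host -Prompt 'Client secret' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secret).Password

$tokenRequest = @{
    Method = 'Post'
    Uri    = "https://login.microsoftonline.com/$tenantId/oauth2/token"
    Body   = @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $plain
        resource      = $resource
    }
}
$tokenResponse = Invoke-RestMethod @tokenRequest -ErrorAction Stop

# Drop the plaintext copies of the secret as soon as the token is issued.
Remove-Variable plain, tokenRequest

$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Alerts created in the last 24 hours (OData filter, UTC timestamp).
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString('o')
$uri   = "$resource/api/alerts?`$filter=alertCreationTime ge $since&`$top=50"

$alerts = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value
$alerts |
    Select-Object id, severity, status, title, alertCreationTime |
    Format-Table -AutoSize
```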

To connect to the Microsoft Purview objects via PowerShell instead of using the web-based Compliance portal at https://compliance.microsoft.com, run the following commands. You need to use the Azure Az modules. Avoid the legacy AzureRM PowerShell module, which is being deprecated in favor of the new Az modules.

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
Import-Module Az
Connect-AzAccount
#Login-AzAccount is an alias of Connect-AzAccount, so a single sign-in is enough
Login-AzAccount
Get-AzPurviewAccount

PowerShell to the Power Platform

Run the following commands in an elevated Windows PowerShell 5.1 prompt.

Install-Module -Name Microsoft.PowerApps.Administration.PowerShell
Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber
Import-Module -Name Microsoft.PowerApps.Administration.PowerShell
Import-Module -Name Microsoft.PowerApps.PowerShell
Add-PowerAppsAccount -Endpoint prod
Get-AdminPowerAppEnvironment
Get-AdminPowerAppEnvironment -Default

Sources

https://docs.microsoft.com/en-us/powershell/exchange/disable-access-to-exchange-online-powershell?view=exchange-ps

https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide

https://www.powershellgallery.com/packages/Microsoft.Graph/1.9.6
https://docs.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-beta
https://docs.microsoft.com/en-us/powershell/microsoftgraph/overview?view=graph-powershell-beta

https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-all-microsoft-365-services-in-a-single-windows-powershell-window?view=o365-worldwide
