0.4 Supporting Blog C: Mastering Workload Identity Security in Microsoft Entra ID - An Exploratory Guide

Supporting Blog C: Setting Up Your PowerShell Environment (Microsoft Graph Modules)

PowerShell is an indispensable tool for Microsoft Entra administrators, allowing for automation, bulk operations, and advanced querying capabilities beyond what the admin centre UI offers. The Microsoft Graph PowerShell SDK is the modern standard for interacting with Microsoft Entra ID and its workload identities. This blog will guide you through installing and preparing the necessary modules and teach you how to use cmdlets that interact with the Microsoft Graph beta endpoint.

Rationale:

• Automation: Script routine tasks like inventorying service principals, checking credential expiry, and auditing permissions.

• Advanced Queries: Extract detailed information that is not easily visible in the UI.

• Beta Endpoints: Use specific beta cmdlets to access the latest features and properties available for workload identities. These features are often exposed in the /beta Microsoft Graph endpoint before becoming generally available in the /v1.0 endpoint. The Microsoft Graph PowerShell SDK provides cmdlets specifically for these beta features (e.g., Get-MgBetaServicePrincipal).

Prerequisites:

• PowerShell Version: PowerShell 7.x or later is recommended for the best experience and cross-platform compatibility. Windows PowerShell 5.1 is also supported, but may require .NET Framework 4.7.2 or later.

• To check your PowerShell version, open PowerShell and run: $PSVersionTable.PSVersion

• Execution Policy: Your PowerShell execution policy must be set to RemoteSigned or be less restrictive when running scripts.

• To check:

  Get-ExecutionPolicy

• To set (if needed, run as Administrator):

  Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

• Administrator Rights: You'll need administrator rights on your machine to install PowerShell modules for all users (-Scope AllUsers). Installing for the current user (-Scope CurrentUser) typically doesn't require elevation.

Step-by-Step Guide to Installing Microsoft Graph PowerShell Modules:

1. Open PowerShell as an Administrator (Recommended for first-time full SDK install or for -Scope AllUsers):

• Search for "PowerShell" in your Windows search bar.

• Right-click on "Windows PowerShell" or "PowerShell 7" and select "Run as administrator".

  

• Install the Main Microsoft Graph SDK Module:

• The Microsoft Graph PowerShell SDK is modular. You can install the entire SDK, which includes all submodules (services like Users, Groups, Applications, etc.), or install specific submodules as needed.

• For comprehensive workload identity management, we often interact with applications and service principals. Microsoft Graph.Applications is a key module.

• The core module Microsoft.Graph.Authentication is always required and is installed as a dependency.

• To install the complete SDK (which pulls all sub-modules for both v1.0 and beta cmdlets):
  

  Install-Module Microsoft.Graph -Scope CurrentUser -Force

• Note on -Scope CurrentUser vs. -Scope AllUsers:

• CurrentUser: Installs the module only for your user profile. Does not require admin rights.

• AllUsers: Installs for all users on the machine. Requires admin rights.

• NuGet Provider: If prompted about installing the NuGet provider, type Y and press Enter.

• Untrusted Repository: If prompted about an untrusted repository (PSGallery should generally be trusted), type A (Yes to All) and press Enter if you are comfortable proceeding.

  

3. Alternative: Installing Specific Submodules (Recommended for Minimal Footprint):

• You can specify which modules to install. For workload identities, we'll primarily need Microsoft.Graph.Applications and Microsoft.Graph.DirectoryObjects. The Microsoft.Graph.Authentication module will be installed automatically as a dependency. Other modules like Microsoft.Graph.Reports (for audit logs and sign-in activities) and Microsoft.Graph.Identity.SignIns (for Identity Protection features) will be useful.

  Install-Module Microsoft.Graph.Applications, Microsoft.Graph.DirectoryObjects, Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force

• To discover other available submodules:

  Find-Module Microsoft.Graph*

4. Verify Installation:

• To check that the main module is installed and see its version:

• To discover other available submodules:

  Get-InstalledModule Microsoft.Graph

• To see all installed Microsoft Graph submodules:

  Get-InstalledModule Microsoft.Graph*

  

Connecting to Microsoft Graph and Using Beta Cmdlets:

Once the modules are installed, you must connect to Microsoft Graph before running cmdlets. To use features available in the beta endpoint of Microsoft Graph, you will use cmdlets that are explicitly named for beta, typically following the pattern Verb-MgBetaNoun (e.g., Get-MgBetaServicePrincipal).

1. Define Required Permissions (Scopes):

• Different cmdlets require different permissions (scopes). For managing applications and service principals, common scopes include:

• Application.Read.All: To read all application and service principal information.

• Application.ReadWrite.All: To read and write all application and service principal information.

• Directory.Read.All: To read directory data.

• AuditLog.Read.All: To read audit logs.

• IdentityRiskEvent.Read.All, IdentityRiskyServicePrincipal.Read.All: For Identity Protection features.

• Always use the least privilege required for your tasks.

2. Connect using Connect-MgGraph:

• Connect by specifying the necessary scopes. The connection doesn't lock you into v1.0 or beta; the cmdlets you use determine the endpoint.

  # Define the scopes you need
  $scopes = @(
      "Application.Read.All",
      "Directory.Read.All",
      "Organization.Read.All", # For Get-MgBetaOrganization
      "AuditLog.Read.All",
      "Policy.Read.All", # For Conditional Access policies
      "IdentityRiskEvent.Read.All", # For Identity Protection
      "IdentityRiskyServicePrincipal.Read.All", # For Identity Protection
      "AppRoleAssignment.ReadWrite.All", # For app role assignments
      "ServicePrincipalEndpoint.Read.All", # For listing SP endpoints/permissions
      "User.Read.All" # Added for resolving owner display names if they are users
      # Add "RoleManagement.Read.Directory" for PIM access reviews if needed later
  )
  
  # Connect to Microsoft Graph
  Connect-MgGraph -Scopes $scopes

• If this is your first time using the service, you will be prompted to sign in via a web browser and consent to the requested permissions if new scopes are requested.

  

• Successful Connection: You won't see an error, and the prompt will return. You can confirm your connection context:

  Get-MgContext

Using Beta Cmdlets:

After connecting to use a beta feature, you call the beta-specific cmdlet. For example:

• To get service principals using the beta endpoint:

  Get-MgBetaServicePrincipal

• To get applications using the beta endpoint:

  Get-MgBetaApplication

This series will primarily use these *-MgBeta* cmdlets for their potentially richer feature set regarding workload identities.

Updating the Modules:

• It's good practice to keep your modules updated:

  Update-Module Microsoft.Graph

Disconnecting:

• When you're finished:

  Disconnect-MgGraph

You are now equipped with the Microsoft Graph PowerShell SDK and understand how to connect and use specific beta cmdlets to interact with your Microsoft Entra workload identities. The subsequent blogs will heavily leverage these capabilities.

The next blog in the series is:

Blog 1: The Foundation - Understanding & Discovering Your Workload Identities (Free Tier).