How to request data from Graph API in PowerShell?

Diana 20 Reputation points
2025-03-06T07:54:56.8266667+00:00

Hi,

I am a beginner in this, sorry in advance.

I need to get information from this URI in PowerShell: https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions.

I have created an application in Entra ID with the following permissions:

  • AccessReview.ReadWrite.All
  • Groups.Read.All

I have granted admin consent to the two.

I have this script:

# GET TOKEN
$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $AppId
    scope         = "https://graph.microsoft.com/.default"
    client_secret = $AppSecret
    grant_type    = "client_credentials"
}

# $tenantId, $AppId and $AppSecret must be set before this point
$tokenRequest = Invoke-WebRequest -Method Post -Uri $uri -ContentType "application/x-www-form-urlencoded" -Body $body -UseBasicParsing
# Unpack Access Token
$token = ($tokenRequest.Content | ConvertFrom-Json).access_token
$Headers = @{
    'Content-Type'     = "application/json"
    'Authorization'    = "Bearer $Token"
    'ConsistencyLevel' = "eventual"
}

# GET DATA
$URI= "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"

Invoke-RestMethod -Headers $Headers -Uri $Uri -UseBasicParsing -Method "GET" -ContentType "application/json"

I receive a token that I can parse in jwt.ms.

I can't see the scopes or roles in this token (or at least, I can't find them).

But, for the URI I need info from,

"https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"


I only receive a 403 Forbidden error...

I don't know what's wrong. Could you please help me?

Microsoft Security Microsoft Graph

Accepted answer
  1. Anonymous
    2025-03-06T08:28:06.42+00:00

    Hello Diana,

    Thank you for reaching out to Microsoft Support!

    If you get a token that is parsed in jwt.ms and does not have a "roles" attribute, your token does not have any privileges, so a 403 error is expected.

    Next, check in Azure: the permissions granted to your application need to be application permissions, as shown below:

    User's image

    Reference document:

    https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
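
The check described in the accepted answer can be done in the script itself instead of in jwt.ms. This is an added example, not code from the thread or from Microsoft: the function names (`ConvertFrom-Base64Url`, `Get-JwtClaims`, `Test-AppRole`, `New-SampleToken`) are hypothetical and the sample tokens are constructed so the block runs offline.

```powershell
# Added example (not from the thread). Decodes the token for troubleshooting only;
# it does not validate the signature.
function ConvertFrom-Base64Url([string]$Value) {
    # base64url -> base64: swap URL-safe characters, restore '=' padding
    $b64 = $Value.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtClaims([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 segments)' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-AppRole([string]$Token, [string[]]$AnyOf) {
    $claims = Get-JwtClaims $Token
    # Application permissions appear in 'roles'; drop the $null a missing claim yields
    $roles = @($claims.roles | Where-Object { $_ })
    $hit   = @($roles | Where-Object { $_ -in $AnyOf })
    [pscustomobject]@{
        AppId   = $claims.appid      # client id claim in v1.0-format tokens
        Roles   = $roles
        Granted = $hit.Count -gt 0
    }
}

# Constructed sample tokens (fake header, payload and signature) so this runs offline
function New-SampleToken([hashtable]$Payload) {
    $json = $Payload | ConvertTo-Json -Compress
    $seg  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
    $seg  = $seg.TrimEnd('=').Replace('+', '-').Replace('/', '_')
    "eyJhbGciOiJub25lIn0.$seg.constructed-signature"
}
$noRoles   = New-SampleToken @{ appid = '00000000-0000-0000-0000-000000000000' }
$withRoles = New-SampleToken @{ appid = '00000000-0000-0000-0000-000000000000'
                                roles = @('AccessReview.ReadWrite.All') }

$needed = 'AccessReview.ReadWrite.All'
(Test-AppRole $noRoles   $needed).Granted   # token with no 'roles' claim, as in the question
(Test-AppRole $withRoles $needed).Granted   # token issued once application permissions are consented
```

In the question's script, calling `Test-AppRole $token 'AccessReview.ReadWrite.All'` right after the token request shows whether the 403 comes from a missing `roles` claim before any Graph call is made.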


1 additional answer

  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2025-03-06T08:20:46.6766667+00:00

    If the token you've received does not reflect said permissions, you need to double-check the configuration on your app registration. What kind of permissions did you add to your app registration, and did you ensure that admin consent has been granted for them?

