Introduction

Microsoft Graph API provides a unified REST endpoint for accessing Microsoft 365, Azure AD, and related services. Using PowerShell on Windows Server 2016 with the Microsoft.Graph module, administrators can automate user lifecycle management, generate audit reports, and manage cloud resources programmatically.

Installing the Microsoft Graph PowerShell Module

Install the module and authenticate to Graph:

Install-Module Microsoft.Graph -Force -Scope AllUsers
Import-Module Microsoft.Graph
# Connect with delegated permissions (interactive)
Connect-MgGraph -Scopes 'User.Read.All','Group.ReadWrite.All','AuditLog.Read.All'
# Confirm connection
Get-MgContext

Authenticating with Application Permissions

For automation and scheduled tasks, use certificate-based application authentication:

$tenantId = 'your-tenant-id'
$clientId = 'your-app-id'
$certThumbprint = 'YOUR_CERT_THUMBPRINT'
Connect-MgGraph -TenantId $tenantId -ClientId $clientId -CertificateThumbprint $certThumbprint

Querying Users and Groups

Retrieve and manage Azure AD objects:

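# Get all users (department is not in Graph's default property set, so request it explicitly)
Get-MgUser -All -Property 'displayName,userPrincipalName,jobTitle,department' |
    Select-Object DisplayName,UserPrincipalName,JobTitle,Department
# Get specific user (placeholder UPN)
Get-MgUser -UserId 'user@example.com' -Property 'displayName,mail,jobTitle'
# Get group members (-All pages through the full membership)
$group = Get-MgGroup -Filter "displayName eq 'IT Admins'"
Get-MgGroupMember -GroupId $group.Id -All |
    # Members can also be groups, devices or service principals; keep users only
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object {
        Get-MgUser -UserId $_.Id | Select-Object DisplayName,UserPrincipalName
    }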

Generating Sign-In Audit Reports

Pull security audit data from Azure AD sign-in logs:

Get-MgAuditLogSignIn -Filter "status/errorCode ne 0" -Top 100 |
    Select-Object UserDisplayName,IpAddress,CreatedDateTime,
        @{N='FailureReason';E={$_.Status.FailureReason}} |
    Export-Csv C:\Reports\FailedSignIns.csv -NoTypeInformation

Automating User Lifecycle Management

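Disable stale accounts that have not signed in for 90 days. Update-MgUser needs a write scope such as User.ReadWrite.All, which the interactive Connect-MgGraph call shown earlier does not request, and filtering on signInActivity needs AuditLog.Read.All:

# Graph compares timestamps in UTC, so convert the local time before formatting
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)
Get-MgUser -Filter "signInActivity/lastSignInDateTime le $($cutoff.ToString('yyyy-MM-ddTHH:mm:ssZ'))" -All |
    ForEach-Object {
        # AccountEnabled is a switch parameter, so pass the value with a colon
        Update-MgUser -UserId $_.Id -AccountEnabled:$false
        Write-Host "Disabled: $($_.UserPrincipalName)"
    }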
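
The following is an added example, not code from the original article: a guarded version of the stale-account cleanup that supports a dry run, skips excluded and guest accounts, and writes an audit row for every account it disables. The function name Disable-StaleUser, its parameters, the log path and the excluded UPN are assumptions made for illustration.

```powershell
function Disable-StaleUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$InactiveDays = 90,
        # Assumed exclusions: break-glass and service accounts (hypothetical UPNs)
        [string[]]$ExcludeUpn = @(),
        # Hypothetical audit log location
        [string]$LogPath = 'C:\Reports\DisabledStaleUsers.csv'
    )

    # Graph compares timestamps in UTC, so convert before formatting.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
    $stamp  = $cutoff.ToString('yyyy-MM-ddTHH:mm:ssZ')

    # signInActivity is returned only when requested via -Property, and a
    # signInActivity filter cannot be combined with other filter clauses,
    # so the remaining checks run client-side. Accounts that have never
    # signed in carry no lastSignInDateTime and are not matched here.
    $candidates = Get-MgUser -All `
        -Filter "signInActivity/lastSignInDateTime le $stamp" `
        -Property 'id,userPrincipalName,accountEnabled,userType,signInActivity'

    $candidates |
        Where-Object {
            $_.AccountEnabled -and
            $_.UserType -eq 'Member' -and
            $_.UserPrincipalName -notin $ExcludeUpn
        } |
        ForEach-Object {
            # ShouldProcess honours -WhatIf and -Confirm passed to the function.
            if ($PSCmdlet.ShouldProcess($_.UserPrincipalName, 'Disable account')) {
                Update-MgUser -UserId $_.Id -AccountEnabled:$false
                # Emit one audit row per account actually disabled.
                [pscustomobject]@{
                    UserPrincipalName = $_.UserPrincipalName
                    LastSignIn        = $_.SignInActivity.LastSignInDateTime
                    DisabledAtUtc     = (Get-Date).ToUniversalTime().ToString('o')
                }
            }
        } |
        Export-Csv -Path $LogPath -NoTypeInformation -Append
}

# Dry run first: lists who would be disabled and changes nothing.
Disable-StaleUser -ExcludeUpn 'breakglass@contoso.example' -WhatIf
```

Review the -WhatIf output before running the function without it, and keep the CSV so a wrongly disabled account can be traced and re-enabled.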

Summary

Microsoft Graph API with PowerShell on Windows Server 2016 enables powerful hybrid cloud automation. From managing Azure AD users and groups to pulling sign-in audit logs and automating account lifecycle, Graph API provides a consistent, secure interface for administering the Microsoft cloud platform at scale.