MSGraphRequest

A PowerShell module that simplifies interacting with Microsoft Graph API. Provides consolidated authentication (six flows) and functions to perform GET, POST, PATCH, PUT, and DELETE operations with automatic paging, throttling, and token refresh.

v2.0.1 | 100% native REST - zero SDK or MSAL dependencies.

Functions

Function	Description
`Connect-MSGraphRequest`	Authenticate to Microsoft Graph (six flows)
`Disconnect-MSGraphRequest`	Clear all tokens and connection state
`Invoke-MSGraphOperation`	Execute Graph API requests with automatic paging, throttling, and token refresh
`Test-AccessToken`	Check if the current token is near expiry
`Show-AuthenticationInfo`	Display current connection context and token details
`Add-AuthenticationHeaderItem`	Add custom HTTP headers (e.g. `consistencylevel`)
`Remove-AuthenticationHeaderItem`	Remove custom HTTP headers

Backward compatibility: Get-AccessToken is available as an alias for Connect-MSGraphRequest.

Installing the module

Install-Module -Name "MSGraphRequest" -AcceptLicense

Requirements

PowerShell 5.1 or later
No external module dependencies

Supported authentication flows

Flow	Parameter	Use case
Interactive (Auth Code + PKCE)	`-TenantId`	User sign-in via browser — default flow
Device Code	`-TenantId -DeviceCode`	Environments without a browser
Client Secret	`-TenantId -ClientId -ClientSecret`	App-only with a secret
Client Certificate	`-TenantId -ClientId -ClientCertificate`	App-only with a certificate (JWT assertion)
Managed Identity	`-ManagedIdentity`	Azure VMs, App Service, Functions
Bring Your Own Token	`-AccessToken`	Pre-acquired token from any source

How to use the module

Connect — Interactive (default)

Uses the well-known Microsoft Graph PowerShell app ID (14d82eec-204b-4c2f-b7e8-296a70dab67e) by default. Opens the browser with an account picker.

Connect-MSGraphRequest -TenantId "contoso.onmicrosoft.com"

With a custom app registration:

Connect-MSGraphRequest -TenantId "contoso.onmicrosoft.com" -ClientId "00000000-0000-0000-0000-000000000001"

Connect — Device Code

Connect-MSGraphRequest -TenantId "contoso.onmicrosoft.com" -DeviceCode

Connect — Client Secret

Connect-MSGraphRequest -TenantId "contoso.onmicrosoft.com" -ClientId "<AppId>" -ClientSecret "<Secret>"

Connect — Client Certificate

$cert = Get-Item "Cert:\CurrentUser\My\<Thumbprint>"
Connect-MSGraphRequest -TenantId "contoso.onmicrosoft.com" -ClientId "<AppId>" -ClientCertificate $cert

Connect — Managed Identity

# System-assigned
Connect-MSGraphRequest -ManagedIdentity

# User-assigned
Connect-MSGraphRequest -ManagedIdentity -ManagedIdentityClientId "<ClientId>"

Connect — Bring Your Own Token

Connect-MSGraphRequest -AccessToken $myToken

Graph API requests

Invoke-MSGraphOperation handles paging (@odata.nextLink), throttling (Retry-After), and automatic token refresh.

# GET all Intune managed devices
Invoke-MSGraphOperation -Get -Resource "deviceManagement/managedDevices" -APIVersion "v1.0"

# GET with Beta API
Invoke-MSGraphOperation -Get -Resource "devices" -APIVersion "Beta"

# POST
Invoke-MSGraphOperation -Post -Resource "deviceManagement/deviceCategories" -Body ($body | ConvertTo-Json) -APIVersion "v1.0"

# PATCH
Invoke-MSGraphOperation -Patch -Resource "deviceManagement/managedDevices('$id')" -Body ($body | ConvertTo-Json)

# DELETE
Invoke-MSGraphOperation -Delete -Resource "deviceManagement/managedDevices('$id')"

Custom headers

Some Graph operations require additional headers (e.g. advanced queries with $count):

Add-AuthenticationHeaderItem -Name "consistencylevel" -Value "eventual"

# Later, remove if no longer needed
Remove-AuthenticationHeaderItem -Name "consistencylevel"

Custom headers are preserved across automatic token refreshes.

Check connection status

# Quick expiry check
Test-AccessToken

# Full connection context
Show-AuthenticationInfo

# Decoded JWT payload
Show-AuthenticationInfo -FullDetails

Disconnect

Disconnect-MSGraphRequest

MSEndpointMgr/MSGraphRequest