
PowerShell and the Microsoft Graph Security API

As security operations continue to evolve, so do the tools available to practitioners. With so many new tools, languages, and platforms showing up all the time, it is easy to forget that the tools you already know can still be incredibly effective.

For teams living in the Microsoft ecosystem, PowerShell remains one of those tools.

What is the Microsoft Graph Security API?

The Microsoft Graph Security API provides a unified interface for integrating with Microsoft security products and partner solutions. It helps organizations consolidate and correlate alerts, automate tasks, and retrieve security data through a common API surface.

That makes it useful for teams that want to enrich processes, automate operations, or build custom integrations around security data.

How to access the Microsoft Graph Security API

Connecting to the API requires a few foundational steps:

  1. Register an application in the Microsoft identity platform and obtain an application (client) ID.
  2. Configure permissions in the Azure portal for Microsoft Graph.
  3. Grant admin consent so the application can use the requested permissions.
  4. Obtain an access token using OAuth 2.0.
  5. Make authenticated API calls to retrieve the required data.

Microsoft documents the authorization flow here: Grant permissions to an application for Microsoft Graph security API.

Using PowerShell with the API

PowerShell is a strong fit here because it is already native to many Microsoft-centric environments and can work directly with REST endpoints. You do not need a custom module just to get started.

The following example authenticates with application credentials (the OAuth 2.0 client credentials grant) and retrieves alerts from the Microsoft Graph Security API:

# Authenticate and connect to the Microsoft Graph Security API
# (v1 token endpoint, which takes a "resource" parameter; replace the placeholders,
# but keep real secrets out of the script file itself)
$tenantId = "<Your-Tenant-ID>"
$appId = "<Your-App-ID>"
$appSecret = "<Your-App-Secret>"
$resource = "https://graph.microsoft.com"
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/token"
# A hashtable body is form-encoded by Invoke-RestMethod, so a secret containing
# characters such as '&' or '+' is sent intact, unlike a hand-built query string
$body = @{
  resource      = $resource
  client_id     = $appId
  client_secret = $appSecret
  grant_type    = "client_credentials"
}
$oauth = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body -ContentType "application/x-www-form-urlencoded" -ErrorAction Stop

# Set the header with the access token
$headers = @{
  Authorization = "Bearer $($oauth.access_token)"
}

# Query the Microsoft Graph Security API for alerts (first page of results only)
$alertsUrl = "https://graph.microsoft.com/v1.0/security/alerts"
$alerts = Invoke-RestMethod -Uri $alertsUrl -Headers $headers -Method Get -ErrorAction Stop

# Output the list of alerts
$alerts.value

Customize the placeholders for your tenant, app registration, and secret before running the script.
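The snippet above returns only the first page of alerts and hard-codes its credentials. The following is an added example (not code from the original post) that carries the five setup steps and the same client-credentials flow a little further: it uses the v2.0 token endpoint with the `.default` scope, reads the tenant ID, app ID and secret from environment variables (GRAPH_TENANT_ID, GRAPH_APP_ID and GRAPH_APP_SECRET are names assumed here), follows @odata.nextLink so that every page of results is collected, applies a server-side $filter on severity, and summarizes what comes back for triage. It assumes the app registration has been granted the SecurityEvents.Read.All application permission with admin consent, and the output file name is arbitrary.

```powershell
# Added example: client-credentials auth against the v2.0 endpoint, paged alert
# retrieval from the Microsoft Graph Security API, and a triage summary.
# Assumed environment variables: GRAPH_TENANT_ID, GRAPH_APP_ID, GRAPH_APP_SECRET.

function Get-GraphSecurityToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $AppSecret
    )
    $tokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    # Hashtable body: Invoke-RestMethod form-encodes each value, so a secret with
    # '&' or '%' in it does not break the request the way string concatenation can.
    $body = @{
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = "https://graph.microsoft.com/.default"
        grant_type    = "client_credentials"
    }
    $response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body -ErrorAction Stop
    return $response.access_token
}

function Get-GraphSecurityAlerts {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [string] $Filter = "severity eq 'high'",   # OData filter applied server-side
        [int] $PageSize = 50
    )
    $headers = @{ Authorization = "Bearer $AccessToken" }
    $encodedFilter = [uri]::EscapeDataString($Filter)
    # Backticks keep `$top and `$filter literal inside the double-quoted string.
    $uri = "https://graph.microsoft.com/v1.0/security/alerts?`$top=$PageSize&`$filter=$encodedFilter"
    $alerts = @()
    # Graph returns one page per call; keep following @odata.nextLink until it is absent.
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop
        $alerts += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $alerts
}

$token = Get-GraphSecurityToken -TenantId $env:GRAPH_TENANT_ID `
                                -AppId $env:GRAPH_APP_ID `
                                -AppSecret $env:GRAPH_APP_SECRET
$alerts = Get-GraphSecurityAlerts -AccessToken $token

# Triage view: how many high-severity alerts per status and category.
$alerts |
    Group-Object status, category |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Export the fields an analyst or ticketing pipeline needs (file name is arbitrary).
$alerts |
    Select-Object id, createdDateTime, severity, status, category, title |
    Export-Csv -Path ".\graph-alerts-high.csv" -NoTypeInformation
```

Reading the secret from the environment (or from a vault such as Azure Key Vault) rather than the script keeps it out of source control and shell history, and the paging loop is what turns a quick check into something you can schedule: without it, a tenant with more alerts than one page holds silently under-reports.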

The point

PowerShell may look old compared to newer tooling, but that can be misleading. Between ongoing PowerShell improvements, Microsoft Graph, and tight integration with Azure and Microsoft 365, PowerShell remains a strong option for automation, enrichment, and administration in Microsoft security environments.

If you already know the tool, it can still take you a long way.

Resources