Clearing an attribute for all users through Microsoft Graph

Certain Azure AD attributes, such as businessPhones, are not available through the Azure AD PowerShell module. Here is a super quick way to work with the Graph using PowerShell, without needing separate app registrations etc.

When signing into the Microsoft Graph Explorer, you can change the scopes and so on to generate an access token that can be used against the Graph. Because the access token appears in the URL, it is SUPER easy to just copy and use in PowerShell. The token is valid for one hour only.

Start by navigating to Microsoft Graph Explorer and clicking the sign in button on the left.

Sign in with the user you want to be the actor of your requests, such as a global admin.

Copy the URL in the browser (it will contain #access_token=).

The PowerShell below finds the access token in the URL on the clipboard and clears the businessPhones attribute on every user that has it set.

Function ConvertFrom-Base64 {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True,
                   Position=0,
                   ValueFromPipeline=$true)]
        [ValidateNotNull()]
        [ValidateNotNullOrEmpty()]
        [string]
        $Base64String
    )

    Begin{}
    Process{
        return [System.Text.Encoding]::UTF8.GetString(([System.Convert]::FromBase64String($Base64String)));
    }
    End{}

}

<#
.Synopsis
   Function to simply return the access token from the graph explorer URL
#>
function Get-AccessTokenFromGraphExplorerUrlOnClipboard
{
    [CmdletBinding()]
    [Alias()]
    Param
    ()

    Process
    {
        $first = $true
        do {
            # Poll the clipboard once a second until it holds a Graph Explorer URL
            if (!$first) {
                Start-Sleep -Seconds 1
            }
            $first = $false

            Write-Verbose "Trying to get Graph Explorer URL from clipboard"
            $url = Get-Clipboard
            if ($null -ne $url -and $url.StartsWith("https://developer.microsoft.com/en-us/graph/graph-explorer#access_token=")) {
                # The token is the value between "access_token=" and the next "&"
                $token = $url -split "[=&]" | Select-Object -Index 1
            }
        } while ($null -eq $token -or !$token.StartsWith("ey"))  # encoded JWTs start with "ey"

        $token
    }
}

$token = Get-AccessTokenFromGraphExplorerUrlOnClipboard -Verbose

# Read all users, following @odata.nextLink until the last page
$users = @()
$url = "https://graph.microsoft.com/beta/users?`$top=999"
do {
    $result = Invoke-RestMethod $url -Headers @{Authorization = "Bearer $token"} -Verbose
    $users += $result.value
    $url = $result.'@odata.nextLink'
} while ($url)

# Clear businessPhones on every user that has a value set
$users | Where-Object businessPhones | ForEach-Object {
    $body = '{"businessPhones" : []}'
    Invoke-RestMethod "https://graph.microsoft.com/beta/users/$($_.id)" -Method Patch -Body $body -Headers @{Authorization = "Bearer $token"} -Verbose -ContentType "application/json"
}
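
An added check, not part of the original post: before the bulk PATCH runs, it helps to confirm that the copied token belongs to the intended account, still has time left in its one-hour lifetime, and carries a scope that permits user updates. The function names, the User.ReadWrite.All scope and the sample token are assumptions for illustration; upn, scp and exp are claim names found in Azure AD delegated access tokens.

```powershell
# Added example: read a Graph access token's claims before a bulk write.
# The payload is only decoded for inspection; the signature is not checked.
function Get-JwtPayload {
    param([Parameter(Mandatory = $true)] [string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    # JWT segments are base64url: swap the URL-safe characters, restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw "Invalid base64url payload length" }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)) |
        ConvertFrom-Json
}

function Test-GraphTokenForWrite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Token,
        # Assumption: the delegated scope needed to update users
        [string] $RequiredScope = 'User.ReadWrite.All',
        [int] $MinimumMinutesLeft = 10
    )

    $claims  = Get-JwtPayload -Token $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    $left    = [math]::Floor(($expires - [DateTime]::UtcNow).TotalMinutes)
    $scopes  = @("$($claims.scp)" -split ' ' | Where-Object { $_ })

    Write-Verbose "Token for $($claims.upn), expires $expires UTC, scopes: $($scopes -join ', ')"
    if ($left -lt $MinimumMinutesLeft) {
        Write-Warning "Only $left minute(s) left on the token"
        return $false
    }
    if ($scopes -notcontains $RequiredScope) {
        Write-Warning "Scope $RequiredScope is missing from the token"
        return $false
    }
    return $true
}

# Constructed sample token (unsigned, not a real credential) to exercise the check
$exp     = [DateTimeOffset]::UtcNow.AddMinutes(55).ToUnixTimeSeconds()
$payload = '{"upn":"admin@contoso.example","scp":"User.Read User.ReadWrite.All","exp":' + $exp + '}'
$b64url  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
Test-GraphTokenForWrite -Token "eyJhbGciOiJub25lIn0.$b64url.sig" -Verbose
```

With the script above, the same call can take the $token returned by Get-AccessTokenFromGraphExplorerUrlOnClipboard, and the PATCH loop can be skipped when it returns $false.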
