If you manage Active Directory, Azure infrastructure, or anything else Microsoft-related, PowerShell is an essential tool to use. When it comes to Windows 365, there is no difference. The capability to deploy or get information from environments is handy, especially if you want to automate something.
Before we can get started with Windows 365 and Powershell, we have to take a quick tour around Microsoft Graph, as this is where the magic happens, as there is no direct PowerShell module to Windows 365.
What is Microsoft Graph
Microsoft Graph allows IT administrators to access and interact with Microsoft 365, Windows 10, and Enterprise Mobility + Security data. It gives you insight and knowledge about your current environment and services.
Microsoft Graph contains three components, Microsoft Graph API, Microsoft Graph Connectors, and Microsoft Graph Data Connect.
Each component has its purpose. We’ll be focusing on Microsoft Graph API as this is the main thing we are interested in regarding getting information from Windows 365 service. Check out the official documentation from Microsoft regarding the three components.
Microsoft Graph API
With Microsoft Graph API, you can perform Methods. Some also call it Actions.
You can perform the following Methods:
GET: Read data from a resource.
POST: Create a new resource, or perform an action.
PUT: Replace a resource with a new one.
PATCH: Update a resource with new values.
DELETE: Remove a resource.
Before performing a Method, you have to choose which version of Graph API you want to use. There are currently two versions you can use:
v1.0: This is generally available and is considered production-ready.
Beta: Newly announced APIs or updated APIs would be in the Beta version before releasing to v1.0
You have to choose Beta to interact with Windows 365 API.
Microsoft Graph PowerShell SDK
For those who want to call cmdlets from PowerShell and get the information you wish to right away, I can genuinely say the Microsoft Graph PowerShell SDK is here to save the day. The module act as a wrapper around Graph API. This simplifies the required knowledge of Graph API and the time to spend before getting the result you want. Below are some of the essential commands to know.
Install the Microsoft Graph PowerShell SDK.
Login to Microsoft Graph.
-scopes specify which API you wish to authenticate to. In the example below, you will get access to read all users and groups.
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All"
Switch between v1.0 and Beta API versions.
Select-MgProfile -Name "beta"
Select-MgProfile -Name "v1.0"
How scopes work
To connect to any Graph API, you’ll have to specify the parameter -Scopes. You might have to look up what the scopes for the different services are called.
I usually start by going to the Graph Permissions reference and searching for whatever service I need.
For Cloud PC, the permissions are called CloudPC.ReadWrite.All and CloudPC.Read.All
You will have to use the Connect-MgGraph any time you wish to add an API endpoint in your PowerShell Session.
How permissions work
Like everything else, the user account you authenticate with needs the proper permissions to do whatever you want. When connecting to any API, it will validate your user account. If the user account provided doesn’t have the proper permissions to that Graph API, a dialog box will pop up asking if you would like to get the required permissions. You can only accept the request if you have the proper administrator permissions.
Beware of additional permissions that have to be given. For example, if you want to get audit logs for Windows 365, the user you are using needs either Global Administrator, Intune Service Administrator, or the role Audit data – read besides the Graph API permissions.
Windows 365 and Powershell in action
Now we got the basics. Let’s look at how to view the Provision State of our Cloud PCs.
You can find Graph API cmdlets for Windows 365 here.
First, we connect to Microsoft Graph API, scoping the CloudPC.Read.All as we only need to read the configuration and not change it.
Now, let’s switch to Beta APIs, as this is where the APIs for CloudPC currently are accessible.
Let’s check what cmdlets are available for CloudPC. All CloudPC cmdlets are called something with VirtualEndpoint. To get information on the current CloudPCs you need to use the cmdlet Get-MgDeviceManagementVirtualEndpointCloudPC
As you can see, the user [email protected] has two Cloud PC, and both have been provisioned successfully. Otherwise, the value would not have been Provisioned.
For some people, it’s a bummer that there is no direct PowerShell module for Windows 365 as they are used to. But when you start using Microsoft Graph, you’ll find out it’s not that complicated, and it’s extremely powerful.
Getting, creating, or updating Windows 365 configuration in PowerShell is just really neath. You can now get the information you are used to and maybe wrap it in some automation like Azure Automation Account to run schedules or create Webhooks.