Get List Items with Microsoft Graph Cover

How to get SharePoint List Items with Graph API (PowerShell)

In this article, I want to show you how to get SharePoint List Items with Graph API. Sometimes we are limited to the tools we can use, so we need to think about other approaches, to get our aim delivered. In this article, I want to show you how you can get SharePoint List items with the Microsoft Graph API by using PowerShell.

To get SharePoint List Items with Graph API, you can follow the next three steps:

  1. Configure the Azure Enterprise Application
  2. Grant the Enterprise Application the Permission
  3. Get SharePoint List Items with Graph API in PowerShell

Prerequistes

If you are interested in topics around Microsoft cloud services, you would highly motivate me, if you share this article and subscribe to the newsletter. If you think, that I missed out any point, please let me know.

Subscribe to our newsletter!

Step 1: Configure the Azure Enterprise Application

I am following the least privilege approach and grant only the necessary permission for the app registration.

Hence I have created an App registration with following permissions:

Permission NameType
Sites.Selected Application
User.ReadDelegated
Application Registration in Microsoft Azure for reading SharePoint List Items

If you don’t know how to create it, follow my next steps, otherwise if you are familiar with it, you can also skip to the Step 2 – Grant the Enterprise Application the Permission.

1. Browse to Azure Portal and Search for Application Registrations and click on New registration

Create a new Azure App registration Screenshot

2. Give the App a meaningful name, which follows your organization standards (Differnt admins should recognize what the purpose for this app is) and Register it

Registration of new App registration in Azure Portal

3. Note down the Application ID and go to Certificates & Secrets

Display of Application Registration in Azure Portal

4. Create a new client secret or upload a certificate (I will show the secret approach)

Creation of new client secret in Azure Portal

5. Also here a meaningful name is supportive for other colleauges. For the duration it makes sense to go with a reasonable duration. I would go with the recommendation of Microsoft as you might have lost this application out of sight in 24 months, which is the maximum duration for a client secret.
Creation of client secret for an App registration
6. Now you will have ONE chance to note down the client secret. Treat it like a password. Depending on your App Permission your App might be powerful. Hence you should save for instance in a Password Manager.
Client Secret Exposure for App registration

7. Now Click on API permissions on the left navigation pane and add a permission for Microsoft Graph

Adding Permission for Microsoft Graph
8. Add the Application Permission Sites.Selected if you want the code run in the background without a signed-in user.
API Permission for Application Permissions
Sites.Selected Graph Permissions
9. Once you added that, you will need to consent the permission from a global administrator.
Not granted permissions for sites.selected
Granted permissions look like this:
Granted app registration permissions

That’s it. You created an Azure App registration with Sites.Selected permission, where you need now to grant the permissions for the specific site.

Step 2: Grant the Enterprise Application the Permission

For this step you need to ensure that PNP Module is installed on your client and that you are allowed to use it.

If both conditions are appliying, you can use this code to grant Enterprise App, created in Step 1 the right permission for the site. In this case I am granting a read role.

Import-Module PnP.PowerShell

$AppID = "9ea2120f-288c-47b6-8895-31e0fb4d9211"

$DisplayNameofSitePermission = "Enterprise Application SP_Access_SharePoint_List_SalesAndMarketing"
$SiteURL = "https://m365x323732.sharepoint.com/sites/SalesAndMarketing"


Connect-PnPOnline -Url $SiteURL -Interactive
Grant-PnPAzureADAppSitePermission -AppId $AppID -DisplayName $DisplayNameofSitePermission -Site $SiteURL -Permissions Read 

You will need to log in with an account, which has access to the site.

After that you will see, that the Enterprise Application has now read access to the Site.

Screenshot of PowerShell, which indicates that Site Access is now working

Step 3: Get SharePoint List Items with Graph API in PowerShell

As the enterprise application has now the permission to read contents from the designated SharePoint Site, you are able to read the contents of the SharePoint Site.

For this we need the app credentials and the site id of the site for which you want to read out the content.

<siteurl>/_api/site/id

For my example it is:

https://m365x323732.sharepoint.com/sites/SalesAndMarketing/_api/site/id

Screenshot of the SharePoint site Id

Once you adjusted the parameters, you can run the script

Param (
    $AppID = "9ea2120f-288c-47b6-8895-31e0fb4d9211",
    $Scope = "https://graph.microsoft.com/.default",
    $Tenant = "m365x323732",
    $SiteID = "e35cee33-6d10-4e2c-a83b-496a26062ad3",
    $ListTitle = "Product%20List"
)

Import-Module PnP.PowerShell


$AppCredential = Get-Credential($AppID)

#region authorize

$Body = @{
    client_id = $AppCredential.UserName
    client_secret = $AppCredential.GetNetworkCredential().password
    scope = $Scope
    grant_type = 'client_credentials'
}

$GraphUrl = "https://login.microsoftonline.com/$($Tenant).onmicrosoft.com/oauth2/v2.0/token"
$AuthorizationRequest = Invoke-RestMethod -Uri $GraphUrl -Method "Post" -Body $Body
$Access_token = $AuthorizationRequest.Access_token

$Header = @{

    Authorization = $AuthorizationRequest.access_token
}

#endregion

#region get items

$GraphUrl = "https://graph.microsoft.com/v1.0/sites/$SiteID/lists/$ListTitle/items?expand=fields"

$Items  = Invoke-RestMethod -Uri $GraphUrl -Method 'GET' -Body $Body -Headers $Header
$Items.value.fields
#endregion 
Screenshot of items, which we could read with Microsoft Graph

Further reference

To understand how Microsoft Graph API works, check out this article from Microsoft:
Use the Microsoft Graph API – Microsoft Graph | Microsoft Learn

You might also be interested in getting all SharePoint lists with PowerShell
SharePoint Online: How to get all lists and libraries (sposcripts.com)

Leave a Comment