What is Microsoft Graph?
Microsoft Graph provides access to data within Microsoft 365, Windows, and Enterprise Mobility + Security. You can think of it as a bunch of PowerShell modules like MSOnline, Azure AD, etc. wrapped into one endpoint.
What can I use Graph for?
Microsoft Graph can be used for a number of things. I’ll stick with some Microsoft 365 examples:
- Device and app management
The list goes on and on.
Maybe you’re building an automation in Power Automate and you need a specific user attribute.
Maybe you need to track group changes in an automation and do something with that data.
Maybe you want to assign an Intune device automatically to a newly onboarded user in your company.
All this can be done with Microsoft Graph.
Check out the API Reference here:
Microsoft Graph has two types of permissions that can be exposed: Application and Delegated.
Application permissions allow you to act on behalf of the app registration itself. If you use this type of permission, admin consent must be granted once you’ve added a permission such as User.Read.All.
Delegated permissions allow you to act on behalf of a signed-in user. Once you’ve added a permission, you can grant admin consent. You don’t have to, but if you don’t, then when a user signs in using this particular app registration, they will have to consent to the permissions themselves.
For any type of automation that runs in the background, you’ll want to use Application.
If you want to learn more about permissions, head over to Microsoft’s documentation: Permissions
Creating an App Registration
In order to access Microsoft Graph, we need to create an App Registration in Azure AD. It’s super-easy and takes about 5 minutes. But if you’re really good at clicking buttons, you can do it in 60 seconds.
- Open Azure Active Directory admin center
- Go to the App registrations blade
- Select New registration
- Give your App registration a name
- Leave the Supported account types as the default, unless you want to open up the API to other tenants.
- Select Register
Assign Graph API Permissions
Now that we have our App registration created, we can assign it permissions.
Let’s say I want to use this app registration in an automation that needs to read user profiles, groups, and group memberships. I will need to assign it the following Application permissions:
Now let’s assign those permissions.
- On your app registration, select the API permissions blade
- Under configured permissions, select Add a permission. This will open the Request API Permissions blade from the right.
- Select Microsoft Graph. (You literally cannot miss it.)
- Next, you’ll be asked to select Delegated or Application. Select Application.
- Search for the permissions you need to add. Once you check a permission, you can search for another and do the same. In this case, I’ll be adding the following:
- Once you’ve selected the permissions, select Add permissions at the bottom.
- Next, you’ll need to provide admin consent, since these are Application permissions.
- Select Grant admin consent for <TENANT> (You’ll need to be a Global Admin).
Hurray! You’ve successfully granted some Graph API permissions.
Create Client Secret
I’m assuming you’ll want to actually use the Graph API now, so I’ll go over using a client secret.
- On your app registration, select the Certificates & secrets blade
- It should bring you to the Client secrets tab by default. If not, select the Client secrets tab.
- Select New client secret. This will bring out the Add a client secret blade from the right. Give it a description so you can remember what it’s being used for, then select an expiration.
- Select Add.
- Copy the Secret Value. It is shown only once, right after you create it, and is hidden afterwards, so make sure to store it in a secure place.
Now that you have a client secret, you can use Graph!
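Putting the app registration, the Application permissions and the client secret together, here is an added Python example (not part of the original post) that requests a token with the client-credentials flow and checks the token's roles claim for the permissions before calling Graph. The permission set and the unsigned sample token are constructed for the example; only the token endpoint and Graph base URL are real.

```python
import base64
import json
import urllib.parse
import urllib.request

# Application permissions needed by the automation described above (the set itself is
# an assumption for this example; check your own app registration's API permissions blade).
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All", "GroupMember.Read.All"}
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request to the v2.0 token endpoint: no signed-in user, the
    app registration authenticates as itself, which is what Application permissions mean."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": GRAPH_SCOPE, "grant_type": "client_credentials"})
    return urllib.request.Request(url, data=body.encode(), method="POST")

def decode_claims(access_token):
    """Read the JWT payload without signature verification. That is fine for inspecting a
    token we just received for ourselves; it must never be used to authorise callers."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(access_token, required=REQUIRED_ROLES):
    """Granted Application permissions appear in the token's 'roles' claim (only after
    admin consent). Returns the ones still missing; an empty set means ready to call Graph."""
    granted = set(decode_claims(access_token).get("roles", []))
    return set(required) - granted

def graph_get(access_token, path):
    """GET a Graph v1.0 resource, e.g. "/users?$select=id,displayName"."""
    req = urllib.request.Request("https://graph.microsoft.com/v1.0" + path,
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def unsigned_token(claims):
    """Constructed, UNSIGNED sample token (header.payload.) for offline demonstration only."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64(claims) + "."

# Constructed sample token where admin consent covered only two of the three permissions.
SAMPLE_TOKEN = unsigned_token({"aud": "https://graph.microsoft.com",
                               "roles": ["User.Read.All", "Group.Read.All"]})
```

In a real run, read the tenant ID, client ID and client secret from environment variables or a vault rather than source code, post `token_request(...)` with `urllib.request.urlopen`, and only call `graph_get` once `missing_roles` returns an empty set.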
Ready to use Graph API?
Stay tuned. I’ll be creating a few more articles on using Graph API in Postman and Power Automate.