Microsoft Graph: A unified platform to integrate Microsoft 365, Windows 10 and Enterprise Mobility+Security.
Organizations and Businesses in today’s times rely more than ever on Data and Information for business-critical decision making. Every app or service that is built or used either generates data or consumes data. Microsoft Graph is that service which is specifically designed for the purpose of consuming this data in Microsoft 365, Windows 10, and Enterprise Mobility + Security.
A brief on Microsoft Graph
The term graph has almost become ambiguous with terms like report graphing, GraphQL and social graphs. Microsoft Graph is a gateway to data and intelligence in Microsoft 365. It is a Restful API to expose Data over “HTTPS”. In simple terms, Microsoft Graph is the API for Microsoft 365.
Why use Microsoft graph API?
Let’s say you want to display your unread emails in SharePoint homepage. You must work with three resources – User profile, SharePoint, and Outlook API. And more importantly each API requires authentication before accessing them. Microsoft has been providing APIs to their online products for years. Using Microsoft Graph API, you can easily work across most of Microsoft’s products and services instead of working on each product’s individua API. The Graph API enables cross-application scenarios conveniently and easily. Microsoft 365 developers love this friendly API as it helps to work with multiple products by having multiple token management under a single umbrella.
The Microsoft Graph API offers a single endpoint, https://graph.microsoft.com and the documents, graph explorer, Changelog and code snippets can be accessed from here.
Microsoft Graph explorer
Microsoft has provided this learning tool to help us deep dive and understand the API.
Having navigated to this site, if we click on the first button, “Get my profile” under the “Getting Started” dropdown, the first thing to notice is the URL being populated in the box at the top right. This is the first part of what is meant by unified. All the resources are made available through this domain, graph.microsoft.com.
At the top we see there are different ways of accessing this resource such as /me or /users/id or name. The/me endpoint is an alias for the signed-in user and that it is the same as using the user’s endpoint for their id. Next, we see the modify permission section and a list of permissions. A user will need to be given one of these permissions to be able to access this resource. Some of the permissions can be granted to an app by a user, whereas rest of the permissions can only be granted to an app by the administrator. This gives the developers enough flexibility for developing a secure application. And from the security perspective caution should be practiced while granting the level of access to a particular user.
Microsoft Graph is an interconnected collection of resources. As we see in the site, we can get the user’s profile photo, who their manager is, emails, calendar events, even their OneDrive storage, and the groups that they belong to. Each one of these points to a separate resource type that is available through Microsoft Graph. The graph explorer can be accessed from the below link:
Endpoint versions:
Microsoft Graph provides two endpoint versions.
v1.0 – It is suitable for Production environment. API sets on the v1.0 endpoint (https://graph.microsoft.com/v1.0) are in general availability (GA) status and go through a rigorous review-and-feedback process with customers to meet practical, production needs. Updates to APIs on this endpoint are additive in nature and do not break existing app scenarios.
Beta – The beta endpoint includes APIs that are currently in preview and are not yet generally available.
Admin Consent
For an app to access data in Microsoft Graph, the user or administrator must grant it the correct permissions via a consent process. Admin consent is required for resources that are not common for all the users to access without permission. An Azure AD tenant administrator must explicitly grant these permissions by making a call to the admin consent endpoint. Example permission for User.Read can be granted by individual user but User.Read.All requires admin consent as it will potentially grant the app privileges of reading the profiles of all of the users in a directory. Hence the manual intervention of an admin is required to verify if a requested permission is necessary for the app.
Conclusion
Microsoft Graph is continuously evolving to incorporate more and more resources to the Graph API. In a nutshell, it is a powerful API service that provides insights based on data that can be further used effectively within Microsoft’s wide range of apps, products and services.
