Kalyan Krishna, a Senior PM in the Microsoft identity platform team, introduces Microsoft Graph for developers and walks through the various steps and coding required to access Microsoft Graph from an application registered with the Microsoft identity platform. He introduces the Microsoft Graph API, why it was built, its advantages and the fundamentals a developer should be aware of to successfully develop applications with it. He covers Graph's entity centric modeling, the permissions & consent framework, application types and topologies and the SDKs available to help developers with the authentication, authorization and to consume the API with the least effort on your part. This is the first part of a two-part series. In the next session, he’d cover the advanced features of Microsoft Graph which developers can use to add more power to their applications.

1. An introduction to Microsoft Graph for
Developers
Part I - Getting started
Identity Developer Advisors
October 17th, 2019
Kalyan Krishna
Sr Program Manager-Identity Division
kalyankrishna1

2. NDA community efforts for developers
 New feature descriptions/ Group Sessions
 Great opportunity to learn what’s new and provide feedback to our development
plans.
 Typically Wed, 9AM PT - recorded for feedback collection.
 Next session, Nov 21st :
 An introduction to Microsoft Graph for Developers, Part 2 - Advanced topics

4. Agenda
 What is Microsoft Graph ?
 Why did we build Microsoft Graph ?
 Common Scenarios
 Developing applications for Microsoft Graph
 Permissions & Consent
 Common application topologies
 SDKs
 The app patterns
 Code walkthrough – Manage Users
 The Big Picture
 Q&A
PAGE 3

5. Identity and Security Collaborative Engineering
Some background questions …
PAGE 5

6. Identity and Security Collaborative Engineering
#1 How many of you are aware of Microsoft Graph?
A. I’ve never heard of it before
B. I’ve heard of it, but not sure what it is
C. I’m pretty sure I know what it is … but a refresher wouldn’t hurt …
D. I’ve built apps that use Microsoft Graph
PAGE 6

7. Identity and Security Collaborative Engineering
#2 Which Microsoft APIs does your app call (currently or planning to)?
a) Microsoft Graph
b) Azure AD Graph
c) Individual Office APIs (Outlook, OneNote, OneDrive, Excel, etc)
d) Azure Service/Resource Manager APIs
e) Other (Please Specify)
f) My app doesn’t call any Microsoft APIs
PAGE 7

9. Microsoft Graph: gateway to your data in the Microsoft cloud

11. Discovery
Service
AAD
OneDrive for Business
Outlook
https://api.office.com/discover
https://graph.windows.net/contoso.com/users
https://contoso-
https://outlook.office.com/api/v2.0/Me/Inbox
Too many SDKs, each
with own security,
messaging and data
format requirement.

12. scattered and
https://graph.windows.net/contoso.com/users
https://graph.windows.net/contoso.com/groups
https://apis.live.net/v5.0/me
https://contoso.sharepoint.com/_api/SP.UserProfiles.PeopleManager/GetMyProperties
https://graph.microsoft.com/v1.0/me/photo
https://outlook.office.com/api/v2.0/me/Messages
https://outlook.office.com/api/v2.0/me/Events
https://contoso-my.sharepoint.com/personal
/yina_contoso_com/_api/v2.0/drive
https://contoso.sharepoint.com/sites
/designCouncil/_api/v2./drive
https://api.onedrive.com/v1.0/drive
https://contoso.sharepoint.com/_api/search/query?Querytext='*'&Prop
erties='GraphQuery:actor(ME,action:1020,or(action:1020,action:1003
,action:1001,action:1024,action:1005,action:1037,action:1039,action
:1036)'&SelectProperties='Docid,Title

13. https://graph.microsoft.com
Operation Service endpoint
GET my profile https://graph.microsoft.com/v1.0/me
GET my mail https://graph.microsoft.com/v1.0/me/messages
GET my calendar https://graph.microsoft.com/v1.0/me/calendar
GET my contacts https://graph.microsoft.com/v1.0/me/contacts
GET my photo https://graph.microsoft.com/v1.0/me/photo/$value
GET my files https://graph.microsoft.com/v1.0/me/drive/root/children
GET my manager https://graph.microsoft.com/v1.0/me/manager
GET last user to modify file foo.txt https://graph.microsoft.com/v1.0/me/drive/root/children/foo.txt/lastModifiedByUser
GET users in my organization https://graph.microsoft.com/v1.0/users
GET group conversations https://graph.microsoft.com/v1.0/groups/<id>/conversations
GET people related to me https://graph.microsoft.com/beta/me/people
GET my tasks https://graph.microsoft.com/beta/me/tasks
GET my notes https://graph.microsoft.com/beta/me/notes/notebooks
GET files trending around me https://graph.microsoft.com/beta/me/insights/trending

17. Microsoft NDA Confidential
Identity and Security Collaborative Engineering
DELVE

18. Microsoft NDA Confidential
Identity and Security Collaborative Engineering
OFFICE.COM

20. 5 steps
https://aka.ms/ge

22. Try it now..
Microsoft Graph Explorer – https://aka.ms/ge

27. Verify the
identity of the
End-User
Authentication

28. Authentication
Users
Apps

29. Authentication
APIs (Like Graph)

30. Authentication
APIs

31. APIs
Authorization

32. APIs
Authorization
Scope

33. Scope
extent or range of view,
outlook, application,
operation, effectiveness, etc
Source:
Dictionary.com

34. Applications
specify the range
of operation they
REQUIRE by
requesting a scope
REQUIRED Only – Never ask for more than the app implements

35. Applications
specify the range
of operation they
REQUIRE by
requesting a scope

36. InteractiveAuthenticationProvider authenticationProvider = new InteractiveAuthentica
tionProvider(app,
scopes: new string[] { "user.read", "Directory.Read.All", "user.readwrite.all" });

37. If it is a REQUEST, the request must be granted or denied

38. App requests a scope
User is presented a
Permission dialog
listing the scopes
As result we often
refer to scopes as
permissions

39. App receives, or not,
an Access Token to
use as a Bearer Token
when calling the API
We say the app has
be granted or denied
consent
eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFDRWZleFh4amFtUWIzT2VHUT
RHdWd2STdUZ085c0NEWVc5SlVQMzRaUG1tak5ZRTd5XzJvMTRRbTYtRzBwcXFld
E9JaENadjNFTmtLdGkyZTJTUVJNTjZteWdIbmt2MW1UcFJNQXotbDhRcGlBQSIsIm
FsZyI6IlJTMjU2IiwieDV0IjoiLXN4TUpNTENJRFdNVFB2WnlKNnR4LUNEeHcwIiwia2l
kIjoiLXN4TUpNTENJRFdNVFB2WnlKNnR4LUNEeHcwIn0.eyJhdWQiOiJodHRwczovL2dy
YXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC85NmM5YzY
2Ny1lMGQ2LTQzNzMtYmRlNi1iOTcwOTg5ODQ5NTAvIiwiaWF0IjoxNTUwNzI1NTQyLCJuYmYiOjE
1NTA3MjU1NDIsImV4cCI6MTU1MDcyOTQ0MiwiYWNjdCI6MCwiYWNyIjoiMSIsImFpbyI6IkFTUU
EyLzhLQUFBQWplbUJ5aC9yN29vZzJPZG5LcVc4NGViNU5TSm1adEV6dWcrajBwamhEY2M9IiwiY
W1yIjpbInB3ZCJdLCJhcHBfZGlzcGxheW5hbWUiOiJQZXJtaXNzaW9uRGVtbyIsImFwcGlkIjoiZWUx
ZjcyNGYtMmM3Ni00NjRjLTgyNTgtZDBhZDM1M2YzOGMzIiwiYXBwaWRhY3IiOiIwIiwiZGV2aWNl
aWQiOiI5YjI4ZTY1Zi05Yzc5LTQ4Y2QtYTA1OC01YmY3YWIyZWM1YzkiLCJmYW1pbHlfbmFtZSI6Il
JvYmVydHNvbiIsImdpdmVuX25hbWUiOiJSb2JiaWUiLCJpcGFkZHIiOiI1MC4zNS42NC4xODQiLCJ
uYW1lIjoiUm9iYmllIFJvYmVydHNvbiIsIm9pZCI6ImZkZDBkMGYwLTJiMTQtNDYxNC1hZTc2LWRjO
GZlNzZlYzI3MiIsInBsYXRmIjoiMyIsInB1aWQiOiIxMDAzM0ZGRkFFQThEMzM2Iiwic2NwIjoicHJvZ
mlsZSBvcGVuaWQgZW1haWwgVXNlci5SZWFkIiwic3ViIjoiYXh3c2JWTmVSc2V0bDFMYnp1bmtG
eWxtTlFfaUpPXy1sbTUyd25wcnBqYyIsInRpZCI6Ijk2YzljNjY3LWUwZDYtNDM3My1iZGU2LWI5Nz
A5ODk4NDk1MCIsInVuaXF1ZV9uYW1lIjoicnJAa3lsZXNzdGFnZS5vbm1pY3Jvc29mdC5jb20iLCJ1
cG4iOiJyckBreWxlc3N0YWdlLm9ubWljcm9zb2Z0LmNvbSIsInV0aSI6Imt5Zk11Y18zMjBxZ3FKOEF
scXhBQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfc3QiOnsic3ViIjoiam9rS0xYcG1CVXo5cDh0YWVzYnVuZmdz
RFhHYjFKZ0Q2NTJtMFV0bjNYcyJ9LCJ4bXNfdGNkdCI6MTUzNzMzNDc1NH0.LmNqF8hbd7Ep
vtKhiAJtbMPanCh6q0SAjgTgFUqP23Sn_m4A2hNfJwZYURpb040jun6JXK7zwFyHvI
E9vMU_veWqn-adrDcS7ATT44jAb-
chrCLxeT0kirc81xSSWh1vY3JEL0esR5zmCK_RiA0xZpOkf7fAASGlyxpUeIrGoFj66PNI
YG3GMuTQP7vye74X13m2z9txcKrGAYQHPvbaz_E2tFCJyc7rQtQNXqURoeTATTIVU
c4ZDxQYOhvaZ0ebGhsYewv5V4SwJjPWNboE2_PNiNNWLxAFqzm47oYQe34VS7JL
d8zjYbr375ojjNQfBDfQ2EeuuoA362BD9c1_NQ

40. xmlHttp.setRequestHeader('Authorization', 'Bearer ' + accessToken);

42. Permission Display String Description
User.Read Sign-in and read
user profile
Allows users to sign-in to the app, and allows the app to read the profile of
signed-in users. It also allows the app to read basic company information of
signed-in users.
User.ReadWrite Read and write
access to user
profile
Allows the app to read the signed-in user's full profile. It also allows the app to
update the signed-in user's profile information on their behalf.
User.ReadBasic.All Read all users'
basic profiles
Allows the app to read a basic set of profile properties of other users in your
organization on behalf of the signed-in user. This includes display name, first and
last name, email address, open extensions and photo. Also allows the app to read
the full profile of the signed-in user.

43. Permission Display String Description
User.Read Sign-in and read
user profile
Allows users to sign-in to the app, and allows the app to read the profile of
signed-in users. It also allows the app to read basic company information of
signed-in users.
User.ReadWrite Read and write
access to user
profile
Allows the app to read the signed-in user's full profile. It also allows the app to
update the signed-in user's profile information on their behalf.
User.ReadBasic.All Read all users'
basic profiles
Allows the app to read a basic set of profile properties of other users in your
organization on behalf of the signed-in user. This includes display name, first and
last name, email address, open extensions and photo. Also allows the app to read
the full profile of the signed-in user.
User.Read.All Read all users' full
profiles
Allows the app to read the full set of profile properties, reports, and managers of
other users in your organization, on behalf of the signed-in user.
User.ReadWrite.All Read and write all
users' full profiles
Allows the app to read and write the full set of profile properties, reports, and
managers of other users in your organization, on behalf of the signed-in user.
Also allows the app to create and delete users as well as reset user passwords on
behalf of the signed-in user.

44. Permission Display String Description
Admin
Consent
Required
User.Read Sign-in and read
user profile
Allows users to sign-in to the app, and allows the app to read the profile of
signed-in users. It also allows the app to read basic company information of
signed-in users.
No
User.ReadWrite Read and write
access to user
profile
Allows the app to read the signed-in user's full profile. It also allows the app to
update the signed-in user's profile information on their behalf.
No
User.ReadBasic.All Read all users'
basic profiles
Allows the app to read a basic set of profile properties of other users in your
organization on behalf of the signed-in user. This includes display name, first and
last name, email address, open extensions and photo. Also allows the app to read
the full profile of the signed-in user.
No
User.Read.All Read all users' full
profiles
Allows the app to read the full set of profile properties, reports, and managers of
other users in your organization, on behalf of the signed-in user.
Yes
User.ReadWrite.All Read and write all
users' full profiles
Allows the app to read and write the full set of profile properties, reports, and
managers of other users in your organization, on behalf of the signed-in user.
Also allows the app to create and delete users as well as reset user passwords on
behalf of the signed-in user.
Yes

45. Users can not grant consent
for a permission that requires
Admin consent
Admins can grant this consent
When running the app

46. Users can not grant consent
for a permission that requires
Admin consent

47. Admins can also consent for
all users in the organization
Applies to both consent User
and Admin permissions
When running the app
In the Azure Portal
Great choice for LOB apps
Developers should declare all permissions ahead of time

48. Users can consent for their data or admin can consent for all users Only admin can consent
Delegated
permissions
App
Permissions
App
permissions
Permission type: applicationPermission type: delegated
Get access on behalf of users Get access as a service
Effective permissionEffective permission
https://aka.ms/ConsentAndPermissions

51. Microsoft Graph
https://graph.microsoft.com/
Insights and relationships
Calendar
Personal
Contacts
Files Notes
Org
Contacts
NotesPeopleUsers ExcelTasksMailGroups
Data
XCode
Eclipse or
Android Studio
Visual Studio REST
Development
Environment
YOUR APP
Your choice of technology (.NET, JS, HTML, Ruby, etc.)
Microsoft Azure
Other hosting
(IIS, LAMP, etc.)
Solution
Authentication
and Authorization OpenID Connect and OAuth 2.0

52. https://aka.ms/identityplatform
https://aka.ms/AuthLab

53. access_tokenMSAL
YOUR APP
Microsoft
Graph
id_token
access_token refresh_token
Microsoft
Identity
platform

54. https://docs.microsoft.com/graph/sdks/sdks-overview

56. Fast and simple integration
Authentication libraries
 Secure access to users and data made
simple
 Microsoft’s world (Microsoft Graph, other APIs)
 Your own APIs
 MSAL - best in class auth libs
 Built for v2 endpoint, reach any audience
 Follows Microsoft Security Development Lifecycle

57. Fast and simple integration
Simplifying the developer platform
Your target
audience
Endpoint
MSALClient SDK
App registration
ADAL

58. Graph SDKs, samples and tooling

59. Graph SDKs
• Designed to simplify building high-quality,
efficient, and resilient applications that access
Microsoft Graph
• Available to be included in your projects via
GitHub and popular platform package managers
• The library contains models and request
builders that are generated from Microsoft
Graph metadata

60. Graph SDKs
• Provides support for common tasks such as
• Models and request builders for entities
• Paging through collections.
• Creating batch requests.
• More..
• Embedded support for
• Retry handling
• Secure redirects
• Payload compression
• More..
Improve your application's interactions with Graph,
without adding complexity

61. Microsoft Graph .NET Authentication Provider Library
 Microsoft Graph .NET authentication library provides a set of
OAuth scenario-centric authentication providers that implement
Microsoft.Graph.IAuthenticationProvider and uses Microsoft
Authentication Library (MSAL) under the hood to handle access
token acquisition and storage.
 Its still in prerelease, so , use the –prerelease flag in Nuget fetch
Install-Package Microsoft.Graph.Auth -PreRelease

62. https://docs.microsoft.com/graph/sdks/sdks-overview

63. Scenario: A Web app calling Graph
https://docs.microsoft.com/azure/active-directory/develop/scenario-web-app-call-api-overview
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplic
ationBuilder
.Create(clientId)
.WithRedirectUri(redirectUri)
.WithClientSecret(clientSecret) // or .WithCertificate(certificate)
.Build();
AuthorizationCodeProvider authenticationProvider = new AuthorizationCodeProvider(confid
entialClientApplication, scopes);
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);

64. Scenario: Desktop app calling Graph
https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-overview
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
.Create(clientId)
.WithTenantId(tenantID)
.Build();
InteractiveAuthenticationProvider authenticationProvider = new InteractiveAuthenticatio
nProvider(publicClientApplication, scopes);
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);
IntegratedWindowsAuthenticationProvider authenticationProvider = new IntegratedWindowsA
uthenticationProvider(publicClientApplication, scopes);
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);

65. Scenario: Web API calling Graph
https://docs.microsoft.com/azure/active-directory/develop/scenario-web-api-call-api-overview
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplic
ationBuilder
.Create(clientId)
.WithRedirectUri(redirectUri)
.WithClientSecret(clientSecret)
.Build();
OnBehalfOfProvider authenticationProvider = new OnBehalfOfProvider(confidentialClientAp
plication, scopes);
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);

66. Scenario : Daemon app calling Graph
https://docs.microsoft.com/azure/active-directory/develop/scenario-daemon-call-api?tabs=dotnet
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplic
ationBuilder
.Create(clientId)
.WithTenantId(tenantID)
.WithClientSecret(clientSecret)
.Build();
ClientCredentialProvider authenticationProvider = new ClientCredentialProvider(confiden
tialClientApplication);
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);

67. Scenario: Browserless app calling Graph
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
.Create(clientId)
.Build();
DeviceCodeProvider authenticationProvider = new DeviceCodeProvider(publicClientApplicat
ion, scopes);
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);

68. Scenario: Mobile application calling Graph
https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-overview
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
.Create(clientId)
.Build();
InteractiveAuthenticationProvider authenticationProvider = new InteractiveAuthenticatio
nProvider(publicClientApplication, scopes);
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);

72. Office 365
Windows 10
Enterprise
Mobility + Security
Your tailored
experiences or
customizations
https://graph.microsoft.com

73. Microsoft Graph
Data Connect
Microsoft Graph
Office 365 Windows 10 Enterprise Mobility + Security
Microsoft Graph
REST APIs and Webhooks
Documents Conversations Portals Timeline
Extend Microsoft 365 experiences
Web
apps
Bots &
agents
Device
& native
Daemon
apps
Workflow
automation
Build your experience
Connectors
Microsoft Identity
Azure AI platformYour local data
Search
Insight
apps

74. 1.Accessing data
2.Traversing data
3.Accessing insights
4.Work/School and Personal
Accounts
https://graph.microsoft.com/

75. your
Users, Groups, Organizations
Outlook
SharePoint
OneDrive
Teams
Planner
Excel
OneNote
Activities
Device Relay
Commands
Notifications
Azure AD
Intune
Identity Manager
Advanced Threat Analytics
Advanced Threat Protection
Mail, Calendar,
Contacts and Tasks
Sites and Lists
Drives and Files
Channels, Messages
Tasks and Plans
Spreadsheets
Notes, and more…
Identity Management
Access Control
Synchronization
Domains
Administrative Units
Applications and Devices
Advanced Threat Analytics
Advanced Threat Protection
Alerts
Policies
and more…
Office 365 Windows 10 Enterprise Mobility + Security
https://graph.microsoft.com
Dynamics 365
Business Central

77. Next Session
An introduction to Microsoft Graph for Developers
Part 2 - Advanced topics
Nov 21st 2019

78. Twitter
#MicrosoftGraph
GitHub
/MicrosoftGraph
StackOverflow
[MicrosoftGraph]
Submit new feature and service requests @ https://feedback.azure.com

79. https://aka.ms/o365devprogram

80. Microsoft Confidential
Engage with us!
Topic Feedback type Forum URL Who supports
All identity developer
topics (Auth libraries, MS
Graph, App Registration
portals)
Community-driven
developer Support for
Questions and Answers
Stack Overflow
https://stackoverflow.com/questions/tagged/azu
re-active-directory+or+microsoft-
graph+or+azure-ad-conditional-access
Supported by Microsoft and
community
Authentication Libraries –
ADAL, MSAL, Auth
Middleware
Library issues, bugs, open
source contributions
GitHub
https://docs.microsoft.com/azure/active-
directory/develop/active-directory-
authentication-libraries
Azure AD teams manage issues, bugs
and review/ approve contribution
Azure AD, MS
Graph, Libraries, App
Registration – Developer
Experiences
Feature requests,
suggestions for product
improvements
Azure Feedback
Azure Feedback for Authentication and also
AppRegFeedback@microsoft.com for portal
specific feedback. User Voice for Microsoft
Graph
Azure AD teams triage feature
requests
All identity developer
topics (Auth libraries, MS
Graph, App Registration
portals)
Discussion with other
MVPs and NDA
community
Yammer Identity
Developer Advisors
https://www.yammer.com/azureadvisors/#/threa
ds/inGroup?type=in_group&feedId=5800064
Engagement with Identity Advisors
and Microsoft product groups
Identity developer topics
for Auth
Delve deep into complex
identity related
development topics live Community Office Hours
azuread Twitter handle and the
Microsoft Tech community
Opportunity to make questions and
answers in real time to product teams
via live conference
All developer topics Assisted support for
developers
Customer Service and
Support
More information on support options:
https://aka.ms/devexhelpsupport
Direct 1:1 help from our support
engineering teams

81. References
and
Samples
• Microsoftidentityplatform(v2.0)overview
• MSAL.NETWiki
• MSAL.NETReferencedocumentation
• InstalltheMicrosoftGraphSDKs
• MicrosoftGraph.NETAuthenticationProviderLibrary
• ChooseaMicrosoftGraphauthenticationproviderbasedon
scenario
• MicrosoftGraphUservoice
• BestpracticesforworkingwithMicrosoftGraph
• MicrosoftGraphresources
• MicrosoftGraphTutorials

82. Thank you!
https://aka.ms/graph
PAGE 85
Developing applications for Microsoft Graph

83. What you’ll need to do to develop apps
App registration
Permissions
(Token validation)
Acquire token
(Authorization)
Token cache
serialization
Best practices

84. Scenario: Desktop app that calls web APIs
https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-overview
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
.Create(clientId)
.WithTenantId(tenantID)
.Build();
UsernamePasswordProvider authenticationProvider = new UsernamePasswordProvider(publicCl
ientApplication, scopes);
GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
.Create(clientId)
.WithTenantId(tenantID)
.Build();