Kalyan Krishna, a Senior PM in the Microsoft identity platform team, introduces Microsoft Graph for developers and walks through the various steps and coding required to access Microsoft Graph from an application registered with the Microsoft identity platform. He introduces the Microsoft Graph API, why it was built, its advantages and the fundamentals a developer should be aware of to successfully develop applications with it. He covers Graph's entity centric modeling, the permissions & consent framework, application types and topologies and the SDKs available to help developers with the authentication, authorization and to consume the API with the least effort on your part.
This is the first part of a two-part series. In the next session, he’d cover the advanced features of Microsoft Graph which developers can use to add more power to their applications.
Microsoft identity platform developer community call-October 2019
1. An introduction to Microsoft Graph for
Developers
Part I - Getting started
Identity Developer Advisors
October 17th, 2019
Kalyan Krishna
Sr Program Manager-Identity Division
kalyankrishna1
2. NDA community efforts for developers
New feature descriptions/ Group Sessions
Great opportunity to learn what’s new and provide feedback to our development
plans.
Typically Wed, 9AM PT - recorded for feedback collection.
Next session, Nov 21st :
An introduction to Microsoft Graph for Developers, Part 2 - Advanced topics
4. Agenda
What is Microsoft Graph ?
Why did we build Microsoft Graph ?
Common Scenarios
Developing applications for Microsoft Graph
Permissions & Consent
Common application topologies
SDKs
The app patterns
Code walkthrough – Manage Users
The Big Picture
Q&A
6. Identity and Security Collaborative Engineering
#1 How many of you are aware of Microsoft Graph?
A. I’ve never heard of it before
B. I’ve heard of it, but not sure what it is
C. I’m pretty sure I know what it is … but a refresher wouldn’t hurt …
D. I’ve built apps that use Microsoft Graph
7. Identity and Security Collaborative Engineering
#2 Which Microsoft APIs does your app call (currently or planning to)?
a) Microsoft Graph
b) Azure AD Graph
c) Individual Office APIs (Outlook, OneNote, OneDrive, Excel, etc)
d) Azure Service/Resource Manager APIs
e) Other (Please Specify)
f) My app doesn’t call any Microsoft APIs
13. https://graph.microsoft.com
Operation Service endpoint
GET my profile https://graph.microsoft.com/v1.0/me
GET my mail https://graph.microsoft.com/v1.0/me/messages
GET my calendar https://graph.microsoft.com/v1.0/me/calendar
GET my contacts https://graph.microsoft.com/v1.0/me/contacts
GET my photo https://graph.microsoft.com/v1.0/me/photo/$value
GET my files https://graph.microsoft.com/v1.0/me/drive/root/children
GET my manager https://graph.microsoft.com/v1.0/me/manager
GET last user to modify file foo.txt https://graph.microsoft.com/v1.0/me/drive/root/children/foo.txt/lastModifiedByUser
GET users in my organization https://graph.microsoft.com/v1.0/users
GET group conversations https://graph.microsoft.com/v1.0/groups/<id>/conversations
GET people related to me https://graph.microsoft.com/beta/me/people
GET my tasks https://graph.microsoft.com/beta/me/tasks
GET my notes https://graph.microsoft.com/beta/me/notes/notebooks
GET files trending around me https://graph.microsoft.com/beta/me/insights/trending
37. If it is a REQUEST, the request must be granted or denied
38. The app requests a scope. The user is presented a permission dialog listing the scopes. As a result we often refer to scopes as permissions.
39. The app receives, or not, an Access Token to use as a Bearer Token when calling the API. We say the app has been granted or denied consent.
eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFDRWZleFh4amFtUWIzT2VHUT
RHdWd2STdUZ085c0NEWVc5SlVQMzRaUG1tak5ZRTd5XzJvMTRRbTYtRzBwcXFld
E9JaENadjNFTmtLdGkyZTJTUVJNTjZteWdIbmt2MW1UcFJNQXotbDhRcGlBQSIsIm
FsZyI6IlJTMjU2IiwieDV0IjoiLXN4TUpNTENJRFdNVFB2WnlKNnR4LUNEeHcwIiwia2l
kIjoiLXN4TUpNTENJRFdNVFB2WnlKNnR4LUNEeHcwIn0.eyJhdWQiOiJodHRwczovL2dy
YXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC85NmM5YzY
2Ny1lMGQ2LTQzNzMtYmRlNi1iOTcwOTg5ODQ5NTAvIiwiaWF0IjoxNTUwNzI1NTQyLCJuYmYiOjE
1NTA3MjU1NDIsImV4cCI6MTU1MDcyOTQ0MiwiYWNjdCI6MCwiYWNyIjoiMSIsImFpbyI6IkFTUU
EyLzhLQUFBQWplbUJ5aC9yN29vZzJPZG5LcVc4NGViNU5TSm1adEV6dWcrajBwamhEY2M9IiwiY
W1yIjpbInB3ZCJdLCJhcHBfZGlzcGxheW5hbWUiOiJQZXJtaXNzaW9uRGVtbyIsImFwcGlkIjoiZWUx
ZjcyNGYtMmM3Ni00NjRjLTgyNTgtZDBhZDM1M2YzOGMzIiwiYXBwaWRhY3IiOiIwIiwiZGV2aWNl
aWQiOiI5YjI4ZTY1Zi05Yzc5LTQ4Y2QtYTA1OC01YmY3YWIyZWM1YzkiLCJmYW1pbHlfbmFtZSI6Il
JvYmVydHNvbiIsImdpdmVuX25hbWUiOiJSb2JiaWUiLCJpcGFkZHIiOiI1MC4zNS42NC4xODQiLCJ
uYW1lIjoiUm9iYmllIFJvYmVydHNvbiIsIm9pZCI6ImZkZDBkMGYwLTJiMTQtNDYxNC1hZTc2LWRjO
GZlNzZlYzI3MiIsInBsYXRmIjoiMyIsInB1aWQiOiIxMDAzM0ZGRkFFQThEMzM2Iiwic2NwIjoicHJvZ
mlsZSBvcGVuaWQgZW1haWwgVXNlci5SZWFkIiwic3ViIjoiYXh3c2JWTmVSc2V0bDFMYnp1bmtG
eWxtTlFfaUpPXy1sbTUyd25wcnBqYyIsInRpZCI6Ijk2YzljNjY3LWUwZDYtNDM3My1iZGU2LWI5Nz
A5ODk4NDk1MCIsInVuaXF1ZV9uYW1lIjoicnJAa3lsZXNzdGFnZS5vbm1pY3Jvc29mdC5jb20iLCJ1
cG4iOiJyckBreWxlc3N0YWdlLm9ubWljcm9zb2Z0LmNvbSIsInV0aSI6Imt5Zk11Y18zMjBxZ3FKOEF
scXhBQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfc3QiOnsic3ViIjoiam9rS0xYcG1CVXo5cDh0YWVzYnVuZmdz
RFhHYjFKZ0Q2NTJtMFV0bjNYcyJ9LCJ4bXNfdGNkdCI6MTUzNzMzNDc1NH0.LmNqF8hbd7Ep
vtKhiAJtbMPanCh6q0SAjgTgFUqP23Sn_m4A2hNfJwZYURpb040jun6JXK7zwFyHvI
E9vMU_veWqn-adrDcS7ATT44jAb-
chrCLxeT0kirc81xSSWh1vY3JEL0esR5zmCK_RiA0xZpOkf7fAASGlyxpUeIrGoFj66PNI
YG3GMuTQP7vye74X13m2z9txcKrGAYQHPvbaz_E2tFCJyc7rQtQNXqURoeTATTIVU
c4ZDxQYOhvaZ0ebGhsYewv5V4SwJjPWNboE2_PNiNNWLxAFqzm47oYQe34VS7JL
d8zjYbr375ojjNQfBDfQ2EeuuoA362BD9c1_NQ
42–44. Delegated permissions for the user resource (shown progressively across three slides; slide 44 adds the Admin Consent Required column)
Permission | Display String | Description | Admin Consent Required
User.Read | Sign-in and read user profile | Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No
User.ReadWrite | Read and write access to user profile | Allows the app to read the signed-in user's full profile. It also allows the app to update the signed-in user's profile information on their behalf. | No
User.ReadBasic.All | Read all users' basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user. | No
User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Yes
User.ReadWrite.All | Read and write all users' full profiles | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. | Yes
45–46. Users cannot grant consent for a permission that requires Admin consent. Admins can grant this consent when running the app.
47. Admins can also consent for all users in the organization. This applies to both User consent and Admin permissions, and can be done when running the app or in the Azure Portal. It is a great choice for LOB apps. Developers should declare all permissions ahead of time.
48. Delegated permissions vs App permissions (https://aka.ms/ConsentAndPermissions)
Delegated permissions: permission type: delegated; get access on behalf of users; users can consent for their data or an admin can consent for all users; effective permission.
App permissions: permission type: application; get access as a service; only an admin can consent; effective permission.
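Added example, not code from the deck: a Python check of what an access token actually carries before it is used as a Bearer token, tying slide 39 (the token is the outcome of consent) to slide 48 (delegated versus application permissions). Delegated permissions are issued in the token's "scp" claim and application permissions in its "roles" claim. The names GRAPH_AUDIENCE, OIDC_SCOPES, check_token, make_unsigned_token, the fixed NOW timestamp and the constructed tokens are this example's own; the delegated fixture reuses the audience, scopes, app display name and iat/nbf/exp instants visible in the slide 39 token, with a placeholder tenant id. The signature is not verified here, so this is a least-privilege and diagnostics check, not a replacement for the signature validation a web API must perform on the tokens it receives (slide 56, "your own APIs"); Graph access tokens are validated by Graph itself and should be treated as opaque by the calling client.

```python
import base64
import json
import time

# Added example, not code from the deck. Claim layout follows the token on slide 39:
# "aud" names the API the token is for, delegated permissions arrive as a
# space-separated list in "scp", application permissions as a JSON array in "roles".
GRAPH_AUDIENCE = "https://graph.microsoft.com"
# Sign-in scopes every delegated token tends to carry; they are not resource permissions.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims):
    """Constructed test fixture: a JWT-shaped string with an empty signature.
    Real tokens are RS256-signed by the issuer; never accept alg 'none' in production."""
    header = {"typ": "JWT", "alg": "none"}
    segments = [json.dumps(header, separators=(",", ":")),
                json.dumps(claims, separators=(",", ":"))]
    return ".".join(_b64url_encode(s.encode()) for s in segments) + "."


def decode_claims(token):
    """Return the payload claims. The signature is NOT verified here: a web API must
    verify it against the issuer's published signing keys before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims):
    """Slide 48 in claim form: delegated permissions (on behalf of a user) sit in
    "scp"; application permissions (as a service, no user) sit in "roles"."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "none", set()


def check_token(token, required, expected_audience=GRAPH_AUDIENCE, now=None):
    """Report whether the token is usable for `required` permissions at time `now`,
    and which granted permissions exceed what is needed (least privilege)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    kind, granted = granted_permissions(claims)
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append("audience %r is not %s" % (claims.get("aud"), expected_audience))
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    missing = set(required) - granted
    if missing:
        problems.append("missing permissions: " + ", ".join(sorted(missing)))
    # Anything held but not needed widens the impact if the token leaks.
    excess = granted - set(required) - OIDC_SCOPES
    return {"permission_type": kind, "granted": granted, "missing": missing,
            "excess": excess, "problems": problems, "ok": not problems}


# Constructed fixtures. The delegated one mirrors the slide 39 token: Graph audience,
# "profile openid email User.Read", same iat/nbf/exp instants; tenant id is a placeholder.
NOW = 1550725600  # constructed "current time", about a minute after that token's iat
DELEGATED_TOKEN = make_unsigned_token({
    "aud": GRAPH_AUDIENCE,
    "iss": "https://sts.windows.net/<tenant-id>/",
    "iat": 1550725542, "nbf": 1550725542, "exp": 1550729442,
    "app_displayname": "PermissionDemo",
    "scp": "profile openid email User.Read",
    "ver": "1.0",
})
APP_TOKEN = make_unsigned_token({          # daemon app: admin-consented application permission
    "aud": GRAPH_AUDIENCE, "nbf": NOW - 60, "exp": NOW + 3600,
    "roles": ["User.Read.All"],
})


def demo():
    return (
        check_token(DELEGATED_TOKEN, {"User.Read"}, now=NOW),            # fits
        check_token(DELEGATED_TOKEN, {"User.ReadWrite.All"}, now=NOW),   # under-privileged
        check_token(DELEGATED_TOKEN, {"User.Read"}, now=NOW + 10000),    # expired
        check_token(APP_TOKEN, {"User.Read.All"}, now=NOW),              # "roles" claim
    )


if __name__ == "__main__":
    for result in demo():
        print(result["permission_type"], "ok" if result["ok"] else result["problems"])
```

The second call shows the consent model from the app's side: a token that was granted only User.Read cannot be stretched to User.ReadWrite.All at call time, the app has to request (and an admin has to consent to) that permission up front, which is why the deck says developers should declare all permissions ahead of time.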
51. Microsoft Graph (https://graph.microsoft.com/)
Data: Users, Groups, Mail, Calendar, Tasks, Files, Notes, Excel, People, Insights and relationships, Personal Contacts, Org Contacts
Development environment: Visual Studio, XCode, Eclipse or Android Studio, REST
YOUR APP: your choice of technology (.NET, JS, HTML, Ruby, etc.)
Solution hosting: Microsoft Azure, or other hosting (IIS, LAMP, etc.)
Authentication and Authorization: OpenID Connect and OAuth 2.0
56. Fast and simple integration
Authentication libraries: secure access to users and data made simple, for Microsoft's world (Microsoft Graph, other APIs) and for your own APIs.
MSAL - best in class auth libs: built for the v2 endpoint, reaches any audience, follows the Microsoft Security Development Lifecycle.
57. Fast and simple integration – simplifying the developer platform
Your target audience → Endpoint → App registration → Client SDK (MSAL, ADAL)
59. Graph SDKs
• Designed to simplify building high-quality,
efficient, and resilient applications that access
Microsoft Graph
• Available to be included in your projects via
GitHub and popular platform package managers
• The library contains models and request
builders that are generated from Microsoft
Graph metadata
60. Graph SDKs
• Provides support for common tasks such as
• Models and request builders for entities
• Paging through collections.
• Creating batch requests.
• More..
• Embedded support for
• Retry handling
• Secure redirects
• Payload compression
• More..
Improve your application's interactions with Graph,
without adding complexity
61. Microsoft Graph .NET Authentication Provider Library
The Microsoft Graph .NET authentication library provides a set of OAuth scenario-centric authentication providers that implement Microsoft.Graph.IAuthenticationProvider and use the Microsoft Authentication Library (MSAL) under the hood to handle access token acquisition and storage.
It is still in prerelease, so use the -PreRelease flag when fetching it from NuGet:
Install-Package Microsoft.Graph.Auth -PreRelease
73. Microsoft Graph – the big picture
Data sources: Office 365, Windows 10, Enterprise Mobility + Security; your local data via Connectors.
Microsoft Graph: REST APIs and Webhooks; Microsoft Graph Data Connect.
Extend Microsoft 365 experiences: Documents, Conversations, Portals, Timeline.
Build your experience: Web apps, Bots & agents, Device & native, Daemon apps, Workflow automation, Search, Insight apps.
Underlying platform: Microsoft Identity, Azure AI platform.
75. Resources exposed by Microsoft Graph (https://graph.microsoft.com)
Office 365: Users, Groups, Organizations; Outlook (Mail, Calendar, Contacts and Tasks); SharePoint (Sites and Lists); OneDrive (Drives and Files); Teams (Channels, Messages); Planner (Tasks and Plans); Excel (Spreadsheets); OneNote (Notes), and more…
Windows 10: Activities, Device Relay, Commands, Notifications.
Enterprise Mobility + Security: Azure AD (Identity Management, Access Control, Synchronization, Domains, Administrative Units, Applications and Devices); Intune; Identity Manager; Advanced Threat Analytics; Advanced Threat Protection (Alerts, Policies), and more…
Dynamics 365 Business Central.
80. Microsoft Confidential
Engage with us!
Topic | Feedback type | Forum | URL | Who supports
All identity developer topics (Auth libraries, MS Graph, App Registration portals) | Community-driven developer support for questions and answers | Stack Overflow | https://stackoverflow.com/questions/tagged/azure-active-directory+or+microsoft-graph+or+azure-ad-conditional-access | Supported by Microsoft and community
Authentication Libraries – ADAL, MSAL, Auth Middleware | Library issues, bugs, open source contributions | GitHub | https://docs.microsoft.com/azure/active-directory/develop/active-directory-authentication-libraries | Azure AD teams manage issues, bugs and review/approve contributions
Azure AD, MS Graph, Libraries, App Registration – Developer Experiences | Feature requests, suggestions for product improvements | Azure Feedback | Azure Feedback for Authentication and also AppRegFeedback@microsoft.com for portal specific feedback. User Voice for Microsoft Graph | Azure AD teams triage feature requests
All identity developer topics (Auth libraries, MS Graph, App Registration portals) | Discussion with other MVPs and NDA community | Yammer Identity Developer Advisors | https://www.yammer.com/azureadvisors/#/threads/inGroup?type=in_group&feedId=5800064 | Engagement with Identity Advisors and Microsoft product groups
Identity developer topics for Auth | Delve deep into complex identity related development topics live | Community Office Hours | azuread Twitter handle and the Microsoft Tech community | Opportunity to ask questions and get answers in real time from product teams via live conference
All developer topics | Assisted support for developers | Customer Service and Support | More information on support options: https://aka.ms/devexhelpsupport | Direct 1:1 help from our support engineering teams
83. What you'll need to do to develop apps
App registration
Permissions (Token validation)
Acquire token (Authorization)
Token cache serialization
Best practices
84. Scenario: Desktop app that calls web APIs
https://docs.microsoft.com/azure/active-directory/develop/scenario-desktop-overview
using Microsoft.Graph;           // GraphServiceClient
using Microsoft.Graph.Auth;      // UsernamePasswordProvider (prerelease package Microsoft.Graph.Auth)
using Microsoft.Identity.Client; // MSAL: PublicClientApplicationBuilder

// clientId and tenantID come from the app registration; scopes are the delegated permissions to request.
string[] scopes = { "User.Read" };

// MSAL public client for a desktop app (no client secret).
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantID)
    .Build();

// Authentication provider that acquires the token through MSAL and attaches it as a Bearer token on every Graph call.
UsernamePasswordProvider authenticationProvider = new UsernamePasswordProvider(publicClientApplication, scopes);

GraphServiceClient graphServiceClient = new GraphServiceClient(authenticationProvider);
Editor's notes
With Microsoft Graph, apps and services can leverage this incredibly rich data set from M365 thanks to the Microsoft Graph service, which directs the calls to the right source so developers don't need to know where exactly the data lives. Graph also aggregates calls for efficiency and performance, and allows the developer to easily traverse the graph of data. This way, it's easy to build an app that – for example – based on a security alert in a tenant, can traverse the graph to see which users might be affected, and for each user, which devices and documents might be affected – thus making it easy to connect data from across many services to solve real business scenarios.
And some of these scenarios include :
building apps for identity-centric scenarios - where users, and other AAD-centric and directory data is at the center – for example, like pulling in who is someone's manager or what organization they are in.
Devs can build apps with richer content – Access deep insights generated from usage patterns, such as trending documents, best team meeting times, or who people typically work with.
Devs can also build apps with deep insights based on machine learning algorithms that power some of the Graph APIs.
And finally devs can build apps with real time updates of the data – for businesses that run in real time. Developers can respond to changes in Microsoft Graph data in real time. For example, reschedule a meeting based on responses, notify others when a file is modified, or continue a process after it's been approved.
We’re super excited to make Microsoft Graph the gateway to data and intelligence in Microsoft 365 and give developers a unified programmability model to take advantage of the tremendous amount of data in Office 365, Enterprise Mobility + Security, and Windows 10. And we’ve also recently added Dynamics 365 Business Central data in Microsoft Graph.
Demos with Graph Explorer:
Prep:
Navigate to https://aka.ms/ge
Sign in and consent if prompted
In the text box, type the requests below to showcase the API
Click GO or press Enter to execute the request and see the API call results.
Demo Intro:
This is a web application built for showcasing requests and responses of Microsoft Graph hosted under graph.microsoft.com. I’m logged in to this application using my credentials and I will show you how using this single endpoint I can access data across services in Office 365 and Azure.
Requests:
/ME
Talking point: graph.microsoft.com is an API that aggregates information across services. Starting with the user, I can make a request to get my profile using the shortcut /me. This request goes and gets my basic profile information from Azure AD, my picture from Exchange and my extended profile from SharePoint, like my interests and skills
https://graph.microsoft.com/v1.0/me
https://graph.microsoft.com/v1.0/me/photo/$value
https://graph.microsoft.com/v1.0/me?$select=skills
/USERS
Talking point: in a similar fashion I can get the same information for other users in my organization, including organizational structure
https://graph.microsoft.com/v1.0/me/manager
https://graph.microsoft.com/v1.0/me/directReports
https://graph.microsoft.com/v1.0/me/memberOf
https://graph.microsoft.com/v1.0/users
https://graph.microsoft.com/v1.0/users?$filter=department eq 'Extensibility'
https://graph.microsoft.com/v1.0/users/kkrishna@microsoft.com
https://graph.microsoft.com/v1.0/users/kkrishna@microsoft.com/manager
/MESSAGES and /EVENTS
Talking point: using the same endpoint I can get access to my messages and calendar from Exchange
https://graph.microsoft.com/v1.0/me/messages?$top=5
https://graph.microsoft.com/v1.0/me/messages?$skip=5&$orderby=createdDateTime
https://graph.microsoft.com/v1.0/me/messages?$search="from:dan" --- Use CTRL+F to use browser search to find Dan
https://graph.microsoft.com/v1.0/me/events
https://graph.microsoft.com/v1.0/me/events?$top=5
/FILES
Talking point: and files from OneDrive for Business. Furthermore, I can navigate to a particular file and see the profile of the last person who modified it
https://graph.microsoft.com/v1.0/me/drive/root/children
https://graph.microsoft.com/v1.0/me/drive/root/children/file.txt
https://graph.microsoft.com/v1.0/me/drive/items/<id>
https://graph.microsoft.com/v1.0/me/drive/items/<id>/lastModifiedByUser
https://graph.microsoft.com/v1.0/users/kkrishna@microsoft.com/drive/root
https://graph.microsoft.com/v1.0/users/kkrishna@microsoft.com/drive/items/<id>/lastModifiedByUser/manager
/GROUPS
Talking point: Microsoft Graph is also the API front for Office 365 Groups, where users can collaborate and have conversations, a shared calendar and shared files. Using graph.microsoft.com is the way to go to access all of the group's information, for both management and content. Information about groups comes from multiple services, including AAD, SharePoint and Exchange, and is growing to OneNote and others.
https://graph.microsoft.com/v1.0/groups
https://graph.microsoft.com/v1.0/groups?$filter=groupTypes/any(c:c eq 'Unified')
https://graph.microsoft.com/v1.0/groups/<id> – Select a unified group by ID
https://graph.microsoft.com/v1.0/groups/<id>/members
https://graph.microsoft.com/v1.0/groups/<id>/drive/root/children
https://graph.microsoft.com/v1.0/groups/<id>/conversations
https://graph.microsoft.com/v1.0/groups/<id>/events
/INSIGHTS/TRENDING and /PEOPLE
Talking point: Now, I think you have all heard about our intelligent services and the insights and relationships that we calculate based on user activity in the service. Microsoft Graph exposes those APIs as well. Here is where we take all of the data across Office 365 services and the signals collected based on user activity, combine them and process them through a whole bunch of machine learning, relevance and ranking algorithms that return inferred and calculated insights and relationships between entities. These are relationships between people, content and interactions that occur across Office 365.
https://graph.microsoft.com/beta/me/people
https://graph.microsoft.com/beta/me/insights/trending
/WORKBOOK – EXCEL API
Talking point: Do you need to calculate, analyze, automate, report on or manage data in your app? Well, look no further at building these capabilities yourself – using the new Excel REST API, you have the power and simplicity of Excel at your fingertips (or a few simple HTTP calls) for all of your app’s calculation needs.
GET https://graph.microsoft.com/v1.0/me/drive/root:/bool.xlsx:/workbook/worksheets('Sheet1')
PATCH https://graph.microsoft.com/v1.0/me/drive/root:/bool.xlsx:/workbook/worksheets('Sheet1')/range(address='A1:A6')/format/fill
{ "color": "#FF0000" }
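Added example, not part of the deck or the demo script: the /USERS and /GROUPS demos above paste a department or group type straight into an OData $filter. When that value comes from a user of your app rather than from the presenter's keyboard, it has to be treated as data, or a single quote in it can close the string literal and append clauses of the attacker's choosing. This Python helper builds the same /users request with the value quoted as an OData string literal (embedded quotes doubled), an allow-list of filterable properties and operators, $select limited to the columns needed, and a bounded $top. GRAPH_V1, FILTERABLE_USER_PROPERTIES, ALLOWED_OPERATORS, build_user_filter, users_query_url and naive_filter are this example's own names; the hostile input is constructed.

```python
from urllib.parse import quote, urlencode

# Added example, not from the deck. Builds the kind of request used in the /USERS demo
# while treating the caller-supplied value as data rather than as query text.
GRAPH_V1 = "https://graph.microsoft.com/v1.0"

# Allow-list of properties this helper will filter on (assumption: the app only needs
# these; extend deliberately instead of accepting any property name from a caller).
FILTERABLE_USER_PROPERTIES = {"department", "displayName", "mail", "userPrincipalName", "jobTitle"}
ALLOWED_OPERATORS = {"eq", "ne"}


def odata_string_literal(value):
    """Quote `value` as an OData string literal. Embedded single quotes are doubled,
    so the value can never close the literal and inject further filter clauses."""
    if not isinstance(value, str):
        raise TypeError("OData string literal needs a str")
    return "'" + value.replace("'", "''") + "'"


def build_user_filter(prop, value, op="eq"):
    """Return a $filter expression such as: department eq 'Extensibility'."""
    if prop not in FILTERABLE_USER_PROPERTIES:
        raise ValueError("property not allowed in filter: %r" % prop)
    if op not in ALLOWED_OPERATORS:
        raise ValueError("operator not allowed: %r" % op)
    return "%s %s %s" % (prop, op, odata_string_literal(value))


def users_query_url(prop, value, select=("displayName", "mail"), top=25):
    """Full /users URL with $filter, $select (only the columns needed) and a bounded $top."""
    if not 1 <= int(top) <= 999:
        raise ValueError("$top must be between 1 and 999")
    params = {
        "$filter": build_user_filter(prop, value),
        "$select": ",".join(select),
        "$top": str(int(top)),
    }
    # quote() percent-encodes spaces and quotes in the values; '$' is kept readable.
    return GRAPH_V1 + "/users?" + urlencode(params, safe="$", quote_via=quote)


def naive_filter(prop, value):
    """What plain string concatenation produces: the value is pasted into the query as-is."""
    return "%s eq '%s'" % (prop, value)


if __name__ == "__main__":
    hostile = "x' or displayName ne '"   # constructed input that tries to widen the match
    print("naive :", naive_filter("department", hostile))       # matches every user
    print("safe  :", build_user_filter("department", hostile))  # matches a literal department name
    print(users_query_url("department", "Extensibility"))
```

The same literal-quoting rule applies to the groups filter (groupTypes/any(c:c eq 'Unified')) and to $search values; property allow-listing matters because Graph will happily filter on any filterable property the token's permissions cover, which can turn a "find my department" feature into a directory enumeration helper.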
You protect your business and your customer. When your app asks for all the permissions you make your app a target. If it gets compromised then your own name is at stake.
Microsoft Build 2017
Microsoft Tech Summit FY17
Why libraries? Goal not OAuth2 expert, Goal awesome apps, tax
You have choices – Microsoft open standards – lots open source choices
Advantages – common tasks few lines of code, SSO, take care CA – MDM / MAM
If you are on ADAL, not only supported, invested update
UPDATE ADAL – better SSO
1 – one portal, all apps – converged, backfilled – “app is an app”
2 – ADAL not deprecated – debated color
3 – v2 endpoint – now issues v1 tokens
4 - ADFS
One more way of looking at what Microsoft Graph has to offer is by looking at the resources it exposes.
These services, and the suite of products behind them, have core entities that drive user productivity, and one of the first steps on my journey to serve you as a developer is to expose these core entities in a coherent and consistent form so that you can interact with them and use them in your tailored solutions.
NOTE: Prevent you from using extensions to solve real customer problems