Microsoft Graph API Deep Dive
Donald Hessing
Lead Architect, Capgemini, The Netherlands
Microsoft Certified Master (MCM)
Agenda
• Introduction to Microsoft Graph API
• What is now and what is new in GA and Preview
• Authentication - Single Sign On and Caching
• DEMOs (SharePoint, Planner, Excel, Insights)
• SharePoint Add-ins versus Microsoft Graph
Introduction
Microsoft Graph API
Office 365 by the numbers
Office platformWhat can I build?
Before Microsoft Graph
• Many different APIs to access data
• Separate auth stack for work and personal accounts
Microsoft Graph API
https://graph.microsoft.com/
Unified API Style & Single Endpoint
https://graph.microsoft.com
Operation                      Service Endpoint
GET my profile                 https://graph.microsoft.com/v1.0/me
GET my files                   https://graph.microsoft.com/v1.0/me/drive/root/children
GET my photo                   https://graph.microsoft.com/v1.0/me/photo/$value
GET my mail                    https://graph.microsoft.com/v1.0/me/messages
GET my calendar                https://graph.microsoft.com/v1.0/me/calendar
GET my manager                 https://graph.microsoft.com/v1.0/me/manager
GET group conversations        https://graph.microsoft.com/v1.0/groups/<id>/conversations
GET files trending around me   https://graph.microsoft.com/v1.0/me/insights/trending
What’s been GA over the last year?
• Azure Active Directory
• Outlook mail, calendar and contacts
• Office 365 groups and conversations
• OneDrive drives and files
• WebHooks for Outlook data
• SharePoint & LiveID profiles
What’s new in GA?
• Excel API
• WebHooks for OneDrive
• Extend Graph with your own LOB info for Outlook
• FindMeetingTimes scheduling API
What’s new in Preview?
• SharePoint Sites and Lists
• Hybrid on-premises support for Outlook
• @Mentions social gestures
• Simpler query syntax without $
• OneDrive large file upload
• Azure AD
  • Administrative Units
  • Invitation Manager
  • Privileged Identity Management
  • Identity Protection
  • Application Proxy
Coming Soon
• Delta queries for Outlook and Azure AD
• Intune API
• Office 365 Reports
Graph, Graph, Graph
• Open Graph• Microsoft Graph• Azure AD Graph• ….
Microsoft Graph
Authentication
Azure Active Directory and Office 365
• Single auth flow for O365
  • Sign users in using OpenID Connect
  • Azure AD, Exchange, SharePoint, Yammer, OneNote
  • Device apps, web sites, SPAs, and service apps
  • Admin and end-user consent
• Secure protocol
  • OpenID Connect and OAuth 2.0
  • No capturing of user credentials
  • Fine-grained access scopes
  • Supports MFA and federated user sign-in
  • Long-term access through refresh tokens
Consent
User Consent
• Consent provided by the user
• Any user in the organisation can install the application
• Enabled by default, but can be switched off by the Office 365 Admin
Admin Consent
• Consent provided by an Office 365 Global Administrator
• Only Office 365 global administrators can grant it
• Consent is given on behalf of all users in the organisation
Register your Application
1. Sign in to the Azure Management Portal
2. Create a new application
3. Select the scope (Multi-Tenant)
4. Generate a Client Secret (Web apps only)
5. Get the Client ID
6. Add Redirect URLs
7. Select Permissions
DEMO: App Registration
Azure AD authorization code flow
Participants: Your Application, Azure AD Authorization Endpoint, Azure AD Token Endpoint, Office 365 API
1. Your application requests an authorization code from the Azure AD authorization endpoint
2. The user signs in via a browser pop-up
3. The authorization endpoint returns the authorization code to your application
4. Your application redeems the authorization code at the Azure AD token endpoint and acquires an access token for the Office 365 resource
5. The token endpoint returns id, access, and refresh tokens
6. Your application calls the Office 365 API using the access token
7. The Office 365 API returns the HTTP response
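The flow above as code, written as an added example for this page (it is not code from the deck or from a Microsoft sample). It assumes ADAL.NET 3.x (Microsoft.IdentityModel.Clients.ActiveDirectory), an ASP.NET MVC web app with session state, and an Azure AD registration whose client id, client secret and redirect URI are the placeholder values below. The point a practitioner should not skip is the `state` parameter: it is generated per sign-in, stored server-side and checked on the callback, so an attacker cannot make a victim's browser complete a sign-in with a code the attacker obtained.

```csharp
// Added example: OAuth 2.0 authorization-code flow against Azure AD with ADAL.NET.
// Assumptions: ADAL.NET 3.x, ASP.NET MVC 5, placeholder ClientId/ClientSecret/RedirectUri.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class GraphAuthController : Controller
{
    // Hypothetical configuration values; read them from protected config in a real app.
    const string Authority     = "https://login.microsoftonline.com/common";
    const string GraphResource = "https://graph.microsoft.com";
    const string ClientId      = "<client-id>";
    const string ClientSecret  = "<client-secret>";
    static readonly Uri RedirectUri = new Uri("https://localhost:44300/GraphAuth/Callback");

    // Step 1: redirect the browser to the Azure AD authorization endpoint.
    public async Task<ActionResult> SignIn()
    {
        // Random "state" ties the callback to this session; Azure AD echoes it back unchanged.
        var stateBytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(stateBytes);
        string state = Convert.ToBase64String(stateBytes);
        Session["oauth_state"] = state;

        var ctx = new AuthenticationContext(Authority);
        // To request admin consent instead of user consent, append "&prompt=admin_consent".
        Uri authorizeUrl = await ctx.GetAuthorizationRequestUrlAsync(
            GraphResource, ClientId, RedirectUri, UserIdentifier.AnyUser,
            "state=" + HttpUtility.UrlEncode(state));
        return Redirect(authorizeUrl.ToString());
    }

    // Steps 2-5: Azure AD sends ?code=...&state=... (or ?error=...) to the redirect URI.
    public async Task<ActionResult> Callback(string code, string state, string error)
    {
        if (!string.IsNullOrEmpty(error))
            return new HttpStatusCodeResult(400, "Azure AD returned an error: " + error);

        // Reject callbacks whose state does not match the one we issued (login CSRF / code injection).
        string expected = Session["oauth_state"] as string;
        Session.Remove("oauth_state");
        if (expected == null || !SecureEquals(expected, state))
            return new HttpStatusCodeResult(400, "state mismatch");

        // Step 4/5: redeem the code at the token endpoint. ADAL receives id, access and
        // refresh tokens and stores them in its TokenCache.
        var ctx = new AuthenticationContext(Authority);
        AuthenticationResult result = await ctx.AcquireTokenByAuthorizationCodeAsync(
            code, RedirectUri, new ClientCredential(ClientId, ClientSecret), GraphResource);

        // Steps 6/7: call Microsoft Graph with the access token as a bearer token.
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", result.AccessToken);
            string me = await http.GetStringAsync(GraphResource + "/v1.0/me");
            return Content(me, "application/json");
        }
    }

    // Constant-time comparison so the state check does not leak information via timing.
    static bool SecureEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The redirect URI passed to `AcquireTokenByAuthorizationCodeAsync` must be byte-for-byte the one registered in the portal and used in the authorize request, otherwise the token endpoint rejects the redemption.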
Authentication to Office 365
Caching ADAL Tokens
1. ADAL needs to check the cache to see whether there is already an access token for resource1 obtained by client1, or a refresh token good for obtaining such an access token (plus whatever other private heuristics you don’t need to worry about). Right before it reads the cache, ADAL calls the BeforeAccess notification. Here you have the opportunity to retrieve your persisted cache blob from wherever you chose to save it and pump it into ADAL.
2. This is the first time the application runs, so the cache will (typically) be empty. Hence ADAL pops up the authentication UX and guides the user through the authentication experience. Once it obtains a new token it needs to save it in the cache; right before that, it invokes the BeforeWrite notification.
3. After ADAL has added the new token to its in-memory copy of the cache, it calls the AfterAccess notification. That notification is in fact called every time ADAL accesses the cache, not just when a write took place; however, you can always tell whether the current operation resulted in a cache change, because in that case the property HasStateChanged will be set to true. If that is the
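The three notifications above, wired into a persistent cache, as an added example for this page (not code from the deck; it follows the pattern ADAL documents but is written here). It assumes ADAL.NET 3.x on Windows, because the cache blob, which contains refresh tokens, is encrypted with DPAPI (System.Security.Cryptography.ProtectedData) for the current user before it touches disk; the cache file path is a placeholder.

```csharp
// Added example: ADAL.NET TokenCache persisted to disk via BeforeAccess/AfterAccess,
// with the serialized blob protected by DPAPI so refresh tokens are never stored in clear text.
// Assumptions: ADAL.NET 3.x, Windows (DPAPI), hypothetical cache file path.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class FileTokenCache : TokenCache
{
    static readonly object FileLock = new object();
    readonly string _path;

    public FileTokenCache(string path)
    {
        _path = path;
        BeforeAccess = BeforeAccessNotification;
        AfterAccess  = AfterAccessNotification;
        // BeforeWrite is left unset: nothing needs to happen between the read and the write here.
    }

    // Step 1: ADAL is about to read its in-memory cache; load the persisted blob first.
    void BeforeAccessNotification(TokenCacheNotificationArgs args)
    {
        lock (FileLock)
        {
            if (!File.Exists(_path)) { args.TokenCache.Deserialize(null); return; }
            byte[] protectedBlob = File.ReadAllBytes(_path);
            // Unprotect with the current user's DPAPI key: another user or machine cannot read it.
            byte[] blob = ProtectedData.Unprotect(protectedBlob, null, DataProtectionScope.CurrentUser);
            args.TokenCache.Deserialize(blob);
        }
    }

    // Step 3: ADAL has finished with the cache; persist it only if this access changed it.
    void AfterAccessNotification(TokenCacheNotificationArgs args)
    {
        if (!args.TokenCache.HasStateChanged) return;
        lock (FileLock)
        {
            byte[] blob = args.TokenCache.Serialize();
            File.WriteAllBytes(_path, ProtectedData.Protect(blob, null, DataProtectionScope.CurrentUser));
            args.TokenCache.HasStateChanged = false;
        }
    }

    // Clearing the cache is also how a native app "revokes" consent: delete the on-disk copy too.
    public override void Clear()
    {
        base.Clear();
        lock (FileLock) { if (File.Exists(_path)) File.Delete(_path); }
    }
}

static class CacheDemo
{
    public static void Main()
    {
        string cachePath = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "graphdemo.cache");
        var ctx = new AuthenticationContext("https://login.microsoftonline.com/common",
                                            new FileTokenCache(cachePath));
        // First run: sign-in UX. Later runs: silent, from the cached access or refresh token.
        AuthenticationResult r = ctx.AcquireTokenAsync(
            "https://graph.microsoft.com", "<client-id>",
            new Uri("urn:ietf:wg:oauth:2.0:oob"), new PlatformParameters(PromptBehavior.Auto)).Result;
        Console.WriteLine("Access token expires at " + r.ExpiresOn);
    }
}
```

`HasStateChanged` is reset to false after the write so that the next read-only access does not rewrite the file; the lock matters because ADAL may be used from several threads and a torn write would corrupt the blob.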
Revoke User Consent
Native Application
• Consent is part of the Refresh Token and typically stored on the device
• Revoking consent typically means uninstalling the application or clearing the TokenCache
Web Server Applications
• Consent is stored in Azure Active Directory and is not part of the Refresh Token
• The user can revoke consent at http://myapps.microsoft.com
DEMO: SharePoint Sites
DEMO: Planner
DEMO: Excel
DEMO: Trending Around Me
App Only Operations
Azure AD App Only with Microsoft Graph
• Before, background operations were done via an ACS Client ID / Client Secret
• Azure AD App Only provides:
  • A more secure way of doing background operations, using a certificate trust relationship
  • Consumption of other services than just Microsoft Graph
  • Multi-tenant support
App Only - Certificate
• Requires a certificate for authentication
• Azure AD gets the public key
• The app keeps the private key
• Use trusted certificates for production, issued by a well-known Certificate Authority
• Self-signed certificates can be used for dev/test (MakeCert.exe)
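An app-only token acquisition with a certificate, as an added example for this page (not code from the deck). It assumes ADAL.NET 3.x, that the certificate's public key has been added to the app registration's manifest, that the registration has been granted an application permission such as User.Read.All with admin consent, and that the tenant, client id and thumbprint below are placeholders. The check that matters operationally is that the certificate loaded from the store actually carries its private key; a certificate imported without it looks identical in the store but cannot sign the client assertion.

```csharp
// Added example: Azure AD app-only token for Microsoft Graph using a certificate
// (JWT client assertion) instead of a client secret.
// Assumptions: ADAL.NET 3.x; placeholder tenant/client id/thumbprint; public key uploaded to Azure AD.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

static class AppOnlyGraph
{
    const string TenantId      = "<tenant-id-or-domain>";
    const string ClientId      = "<client-id>";
    const string Thumbprint    = "<certificate-thumbprint>";
    const string GraphResource = "https://graph.microsoft.com";

    // Load the certificate *with its private key* from the machine store.
    // Only the public half lives in Azure AD; the private key never leaves this host.
    static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: true would reject expired or untrusted certs; false is needed for dev self-signed certs.
            var cert = store.Certificates
                .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>().FirstOrDefault();
            if (cert == null) throw new InvalidOperationException("certificate not found: " + thumbprint);
            if (!cert.HasPrivateKey) throw new InvalidOperationException("certificate has no private key");
            return cert;
        }
    }

    public static async Task<string> GetAppOnlyTokenAsync()
    {
        // Tenant-specific authority: app-only tokens are issued per tenant, not via /common.
        var ctx = new AuthenticationContext("https://login.microsoftonline.com/" + TenantId);
        // ADAL signs a JWT assertion with the private key; Azure AD verifies it with the uploaded public key.
        var assertion = new ClientAssertionCertificate(ClientId, LoadCertificate(Thumbprint));
        AuthenticationResult result = await ctx.AcquireTokenAsync(GraphResource, assertion);
        return result.AccessToken;
    }

    // App-only calls run under Application permissions, so "/me" has no meaning: address users directly.
    public static async Task<string> ListUsersAsync()
    {
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", await GetAppOnlyTokenAsync());
            return await http.GetStringAsync(GraphResource + "/v1.0/users?$select=displayName,userPrincipalName");
        }
    }

    public static void Main() => Console.WriteLine(ListUsersAsync().Result);
}
```

For production, restrict who can read the private key in the machine store (the service account only) and rotate the certificate before expiry; an expired certificate fails at token acquisition, not at the Graph call.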
DEMO: App Only calls with Microsoft Graph
Microsoft Graph versus SharePoint App Model
What makes SharePoint Add-ins different?
SharePoint versus Graph
Calling from SharePoint App
DEMO: Calling Microsoft Graph from a SharePoint App
Key takeaways
• Microsoft Graph provides a single API endpoint, including discoverability of Office 365 services
• It is not a replacement for existing APIs like CSOM and Exchange Web Services
• Great for composite device applications that work against a single endpoint
• For more advanced scenarios, service-specific APIs like SharePoint CSOM are still required
• Microsoft Graph is protected by Azure AD, whereas SharePoint CSOM is protected by ACS