Part 3: Graph API and Graph Explorer

This article is part of a series.


If you are new to Graph API, Graph Explorer is a great tool to learn the first steps into the Microsoft Graph. Next to that, it will also help you to shape your custom connector in the next part. Before diving into that, we’ll need to understand how Graph API works, and how Graph Explorer can help you with that.

First, let’s bookmark the Graph Explorer for future use. Graph Explorer comes with the best short URL ever: https://aka.ms/ge. That’s easy, right?

When you access Graph Explorer the first time, you are not signed in. That means that you can run queries against sample data. A nice way to explore the different types of queries and responses, without touching actual company data.

When you sign in, you are prompted for consent.

Permissions

Just like we did with the app registration, your user account needs to have certain permissions to run queries. If you are running a query that needs extra permissions, Graph Explorer will tell you what permissions you have to consent to.

You can also see an overview of all permissions using this menu option:

Before moving into the next section, make sure that you consented to both UserAuthenticationMethod.ReadWrite and UserAuthenticationMethod.ReadWrite.All.

Temporary Access Pass

Now, let’s see if we can focus on our theme and run some queries around the Temporary Access Pass section.

First, let’s make sure that you can use this feature in Azure Active Directory. Make sure that the policy is enabled for your test users or all users. You can find these settings in https://portal.azure.com -> Azure Active Directory -> Security -> Authentication methods.

Next, we need documentation about the different types of queries. You can easily hop to the API references from Graph Explorer or just use this link.

Here we can find all the possible queries like List, Create, Get and Delete. Also, every section holds a sample that we use to make our own queries.

Let’s run our first query and create a Temporary Access Pass for Adele.

Use POST (1) as the method and make sure that you’ve selected beta (2) as the API version. Use the URL below, and replace AdeleV@M365x583104.OnMicrosoft.com with the UserPrincipalName of your test user.

https://graph.microsoft.com/beta/users/AdeleV@M365x583104.OnMicrosoft.com
/authentication/temporaryAccessPassMethods

!! Make sure to enter two brackets {} in the request body. Since we use an empty payload (4), the Temporary Access Pass will be created using the default settings that you can configure in the Azure portal.

If you want, you can also use the request body to create a divergent access pass. An example of that is showing in the API reference. To make things as easy as possible, we’ll stick with an empty payload for now.

{
  "@odata.type": "#microsoft.graph.temporaryAccessPassAuthenticationMethod",
  "startDateTime": "2021-01-26T00:00:00.000Z",
  "lifetimeInMinutes": 60,
  "isUsableOnce": false
}

If your query was successful, you should be able to see the Temporary Access Pass using the Azure portal.

In Graph Explorer, replace the POST for GET and remove the brackets in the body. When you run the query, you should now see the Temporary Access Pass that you’ve created for Adele in the previous step.

Let’s see if we can delete the Temporary Access Pass as well. Now it is getting a little more complex. Here we need the ID of the Temporary Access Pass first. You can grab that from the response in the previous step.

Now, change the method to DELETE, and paste the ID of the Temporary Access Pass after the query. The request body should be empty. Your query should look like this: (replace the UPN and the ID)

https://graph.microsoft.com/beta/users/AdeleV@M365x583104.OnMicrosoft.com
/authentication/temporaryAccessPassMethods/84a6bd43-a41a-4e5e-857d-d5e3989ad651

Check the Azure Portal, or run the GET query to check if the Temporary Access Pass is deleted. You should also see the records showing up in the audit logs in the Azure portal.

We have no tested three types of queries:

  1. Create a Temporary Access Pass
  2. List the Temporary Access Pass
  3. Delete the Temporary Access Pass

Note: you can have only 1 Temporary Access Pass per user.

Wrap things up

So why is this valuable? Using the Graph Explorer, you will get comfortable with queries and reading JSON responses. Using the variety of samples, you can explore all features easily. Also, we need this data in our next step: creating the custom connector. Here, we are going to use these queries and responses from the queries that we just practiced.

If you want to learn more about Graph API, check out this awesome series on Graph Explorer as well.

Feeling comfortable? Move on to the next part! Part 4: Build a custom connector based on the Graph API

This article is part of a series.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.