Overview of Users, Groups and Permissions in Microsoft Graph–Part 1
Last Updated on Jan 25, 2021
The concept of Microsoft Graph revolves around users and groups.
A Microsoft Graph user is one of the consumers of Microsoft 365 cloud services. The user’s identity is protected and their access is managed. User data plays an important role in running a business; through Microsoft Graph services this data is surfaced to businesses with real-time updates, rich context, and deeper insight, and access to it is governed by the appropriate permissions.
An Office 365 group is a core entity that collaborates with users. It connects with SharePoint development services, enabling a wide range of collaboration scenarios, task planning, teamwork, and more.
Feature | Supporting services | Description |
---|---|---|
Users | Azure AD and most collaboration, intelligence, and education services | The user is at the core of Microsoft Graph, around which many Microsoft Graph services build user-centric functionality. |
Groups | Azure AD, OneDrive, OneNote, Outlook, Teams, Planner | An Office 365 group provides an important collaborative unit for users to share news, conversations, files, notes, calendars, plans, and more. |
Identity and Access Management | Azure AD | Creates and manages directory resources such as users, groups, and applications. Manages access to resources and data. Provides customers access to sign-in and account risk data in Azure AD. |
Note: Values shown in bold italic in this article are placeholders and must be replaced with your own values/tokens.
Integrating users’ data, Microsoft 365 services, and your apps
The primary focus of Microsoft Graph is on users and groups. It spans the network of Microsoft 365 services and offers data management, data protection, and data extraction to support a variety of business scenarios. Microsoft Graph exposes user data while protecting it through appropriate authorization.
Working with Users in Microsoft Graph
Microsoft Graph lets you build rich app experiences based on users and their relationships with other users and groups, their mail, calendar, and files.
You can get to users through Microsoft Graph in two different ways:
- By their ID, /users/{id | userPrincipalName}
- By using the /me alias for the signed-in user, which is the same as /users/{signed-in user’s id}
Authorization
One of the following permissions is required to access user operations. The first three can be granted to an app by a user (no admin consent required); the rest can be granted to an app only by an administrator.
- User.ReadBasic.All
- User.Read
- User.ReadWrite
- User.Read.All
- User.ReadWrite.All
- Directory.Read.All
- Directory.ReadWrite.All
- Directory.AccessAsUser.All
Common Properties
The following are the default set of properties returned when getting a user or listing users. They are a subset of all available properties; to retrieve other user properties, use the $select query parameter.
Property | Description |
---|---|
id | The unique identifier for the user. |
businessPhones | The user’s phone numbers. |
displayName | The name displayed in the address book for the user. |
givenName | The first name of the user. |
jobTitle | The user’s job title. |
 | The user’s email address. |
mobilePhone | The user’s cell phone number. |
officeLocation | The user’s physical office location. |
preferredLanguage | The user’s language of preference. |
surname | The last name of the user. |
userPrincipalName | The user’s principal name. |
Common Operations
Note: Some of these operations require additional permissions.
Path | Description |
---|---|
/users | To get all the users of the organization. |
/users/{id} | To get a specific user by id. |
Create New User
Using Microsoft Graph services, creating a new user is a relatively easy task. The user to create is supplied in the request body. At a minimum, the required properties must be supplied; in addition, any writable properties may also be provided.
Permissions
You require one of the following permissions to call this API.
Permission type | Permissions (from least to most privileged) |
---|---|
Delegated (work or school account) | 1. User.ReadWrite.All 2. Directory.ReadWrite.All 3. Directory.AccessAsUser.All |
Delegated (personal Microsoft account) | Not supported. |
Application | 1. User.ReadWrite.All 2. Directory.ReadWrite.All |
Registering an Azure AD V2 App using Azure AD App Registration
We need to register an Azure Active Directory (Azure AD) application that will be used to communicate with the Microsoft Graph.
There are two Azure AD endpoints for registering applications, known as V1 and V2. Here we use the new Azure AD app registration portal experience and the recommended V2 endpoint, as that is the approach going forward.
- Open a browser and select App registrations in Azure AD Portal.
- Click + New registration from the current blade tabs.
- Specify the following values on the Register an application page:
- Name = msgraph-usermgmt-app (or any name that works for you)
- Supported account types = Accounts in the current organizational directory only (e.g., TatvaSoft) <choose the value that applies to your needs>
- Redirect URI = Web: https://localhost:8080
Note: The Redirect URI value can be altered at a later stage and can also point to a URI that isn’t hosted.
- For registering an application, hit the Register button.
- The Application Overview page opens once the app registration completes. From this page, copy the following two IDs, as they will be required later:
- Application (client) ID
- Directory (tenant) ID
- From the current blade navigation pane, select Manage > Authentication. Add a second redirect URI, https://app.getpostman.com/oauth2/callback, and click Save. This URL will be used later when consuming Microsoft Graph via Postman.
- From the current blade navigation pane, select Manage > Certificates & secrets. Click + New client secret. Specify the following values in the Add a client secret dialog that appears:
- Description = UserMgmtSecret
- Expires = Never
- Click Add.
- Once the screen displays the newly created Client Secret, copy its Value to use it as required.
Important: Make sure you copy the client secret now, as it will never be shown again in the Azure portal.
Now, to make Microsoft Graph calls, assign the required permissions to the application. Permissions fall into the two sets described below.
Delegated Permissions | Application Permissions |
---|---|
Used by applications that run in the context of a signed-in user. | Used by applications that use the client-credentials (app-only) flow. |
The user explicitly delegates the application to act on their behalf. | The application runs without any user context. |
To create a user in the organization via a Microsoft Graph query, we use the newly created Azure AD application. Accordingly, we grant it the “User.ReadWrite.All” and “Directory.ReadWrite.All” application permissions.
- From the current blade navigation pane, choose Manage > API permissions.
- Click the + Add a permission button and choose Microsoft Graph under Microsoft APIs.
- Choose the Delegated permissions.
- Check the box for “User.ReadWrite.All” permission after expanding the User category. Similarly, expand the Directory category and check the boxes for “Directory.ReadWrite.All” and “Directory.AccessAsUser.All” permissions. Hit the Add permissions button.
- Now select the Application Permissions.
- Check the box for “User.ReadWrite.All” permission after expanding the User category. Similarly, expand the Directory category and check the box for “Directory.ReadWrite.All” permission. Hit the Add permissions button.
Note: The Admin consent required column shows “Yes” beside the selected permissions. Therefore, before the application can be used to execute Microsoft Graph queries, an Azure AD admin must grant these permissions.
- Click Grant admin consent for <tenantName> from the API Permissions screen, and after that, click Yes.
Note: To grant consent, one must be an Azure AD Domain Administrator or have a similar role.
Create a Flow to create a user using Microsoft Graph
You need to have an Application ID, a Secret Key, and your Tenant ID/Name to use Microsoft Graph in Microsoft Flow.
- Browse to https://flow.microsoft.com, select My flows, and click New > Instant - from blank.
- Add a Flow button as a trigger and select Manually trigger a flow.
- Add a step (action) – Initialize variable. Add Name as “GraphUrl,” change the Type to “String,” and add the Value of the Graph URL https://graph.microsoft.com/v1.0/users.
Authenticating to Microsoft Graph from Flow
- Add a step (action) – HTTP-HTTP. Rename the action to Get bearer token and configure it as follows:
- Method = POST
- URI = https://login.microsoft.com/{TENANTID}/oauth2/v2.0/token
- Headers = “Content-Type” with the value “application/x-www-form-urlencoded”
- Body = client_id={APPLICATIONID/CLIENTID}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret={CLIENTSECRET}&grant_type=client_credentials
The above call to the Azure AD authentication endpoint returns an OAuth 2.0 bearer token, which is used in the HTTP calls to the Microsoft Graph endpoints. Parse the response using the Data operations – Parse JSON action. Parsing JSON requires a schema or a sample payload of the JSON returned, so at this point run the flow once to obtain the sample payload: open the run in Run history, check the return value of the HTTP action Get bearer token as shown below, and copy the content of the Body.
- Paste the copied value as a sample payload for the Parse JSON action and then click Done.
- Your Parse JSON action would look like the one below.
Calling Microsoft Graph API from Flow
Finally, we are ready to make the actual HTTP call to the Graph endpoint for creating a new User.
- Add an action HTTP-HTTP. Rename the action to Create a new Office 365 user. In this case, select “POST” as the Method, and use https://graph.microsoft.com/v1.0/users as the URI of the endpoint, which is the “GraphUrl” variable initialized earlier. In the Header section, add two headers:
- “Authorization”, whose value combines the parsed “token_type” (the bearer token type) and “access_token” values; the access token is different on each run.
- “Content-Type” which is “application/json.”
- Provide a JSON representation of the user object in the request body.
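The two HTTP actions and the Parse JSON step above, as an added Python example that is not from the original article: it builds the client-credentials token request exactly as the Flow body does, derives the Authorization header from token_type and access_token, and checks that the create-user body carries the properties Graph requires before it would be sent. The IDs, secret and sample token response are constructed placeholders, and the login.microsoftonline.com authority host is assumed.

```python
import json
from urllib.parse import urlencode

# Constructed placeholder values standing in for the IDs and secret copied
# from the app registration; none of these are real identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "<client-secret-value-from-portal>"
GRAPH_URL = "https://graph.microsoft.com/v1.0/users"  # the flow's GraphUrl variable

# Properties Microsoft Graph requires in the body of POST /users.
REQUIRED_USER_PROPS = ("accountEnabled", "displayName", "mailNickname",
                       "userPrincipalName", "passwordProfile")

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request (the 'Get bearer token' HTTP action)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({  # yields the same percent-encoded scope the article shows
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",  # app permissions consented on the registration
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return url, headers, body

def authorization_header(token_response_json):
    """The Parse JSON step: Authorization is token_type followed by access_token."""
    tok = json.loads(token_response_json)
    if "access_token" not in tok:  # error responses carry 'error' instead of a token
        raise ValueError(f"token endpoint error: {tok.get('error', 'unknown')}")
    return {"Authorization": f"{tok['token_type']} {tok['access_token']}"}

def build_create_user_request(auth_header, user):
    """The 'Create a new Office 365 user' HTTP action: POST GraphUrl with a JSON body."""
    missing = [p for p in REQUIRED_USER_PROPS if p not in user]
    if missing:  # Graph would answer 400; fail before sending anything
        raise ValueError(f"missing required properties: {missing}")
    headers = {**auth_header, "Content-Type": "application/json"}
    return "POST", GRAPH_URL, headers, json.dumps(user)

if __name__ == "__main__":
    # Constructed sample token response, shaped like the Body copied from Run history.
    sample = '{"token_type":"Bearer","expires_in":3599,"access_token":"eyJ0eXAi.constructed"}'
    auth = authorization_header(sample)
    user = {"accountEnabled": True, "displayName": "Test User", "mailNickname": "testuser",
            "userPrincipalName": "testuser@contoso.example",
            "passwordProfile": {"forceChangePasswordNextSignIn": True, "password": "<initial-password>"}}
    print(*build_create_user_request(auth, user), sep="\n")
```

Nothing is sent over the network; pass the returned method, URL, headers and body to urllib.request or requests to execute the two calls.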
Conclusion
It’s highly favorable to create new Office 365 groups (also adding users as owners as required) and users purely through MS Flow, using the right combination of Microsoft Graph requests and parsing the responses returned, with no custom code such as an Azure function needed. The next blog in this series will walk through the process of assigning permissions using unified groups.