
Feb 22 / 2017

Workstate Codes: Using Microsoft Graph API with Azure Active Directory (Bryan Bernard, Associate Software Consultant)

Microsoft Azure contains a wide variety of cloud services, including its industry-leading platform for identity and access management. With it you can manage all of your users, groups and other identity objects in much the same way you would an on-premises instance of Active Directory.

While the user interface (Azure Management Portal) is constantly improving, there are still a number of management and power tools that aren’t available yet. This is where the power of the Microsoft Graph API comes into play. With some simple RESTful API calls, you can easily manage your directory information, even without a portal UX.

In this blog post, we will go over how to gain access to the Graph API and demonstrate an example request to get the list of users from Azure Active Directory.

Before you get started, make sure you have an Azure Subscription with an Active Directory Tenant and any flavor of Visual Studio with .NET 4+.

Create an Azure AD application with privileges to read and write to the directory
The first step in creating a custom application to manage Azure Active Directory is to create an Azure AD App with privileges to view and modify the directory.

Log into your Azure Management portal and go to the Azure Active Directory tab. Next, go to Applications and add a new application. Once it is created, navigate to the app and open the Configure tab.

Copy down the Client ID field; we will need this later when authorizing the app to make a call to the Graph API.

Next, in the Keys section add a new key. After saving the application, the key value will appear – copy that down, as we will be using it later when we refer to the App Key.

Finally, in the Other Applications section, click Add Application and add the Microsoft Graph application. In the Permissions section, set the Application Permissions to “Read and Write directory data.”

Get a valid access token using the application client ID and secret
Now we are ready to write the code that will use this application to authorize access to the Graph API, so we can view and edit the directory data.

First, we will need a valid access token. In order to retrieve this we will need the Azure AD TenantID and the Application ClientID and AppKey from the earlier steps.

// ADAL: acquire an app-only token for the Graph API with the client credentials grant.
var authority = "{TenantID}/oauth2/token";
// The second argument is validateAuthority; false disables authority validation.
var authenticationContext = new AuthenticationContext(authority, false);
var clientCred = new ClientCredential("{ClientID}", "{AppKey}");
// The first argument is the resource identifier of the Graph API the token is requested for.
var authenticationResult = authenticationContext.AcquireToken("", clientCred);
var accessToken = authenticationResult.AccessToken;

Now that we have the access token, we can add it to the request header to authorize access to the Graph API.

Calling the Graph API
For this example, we will use the Get User endpoint, which will return a list of all users registered in the Active Directory.

// Send the token as a bearer credential in the Authorization header; tenant holds the tenant ID.
var http = new HttpClient();
var url = "" + tenant + "/users";
var request = new HttpRequestMessage(HttpMethod.Get, url);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var response = await http.SendAsync(request);
var content = await response.Content.ReadAsStringAsync();

The content returned will be a JSON object with all of the users in the Active Directory.
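As an added example (not code from the original post), the token step and the call step above in Python: token_request builds the form body that AcquireToken posts to the tenant's token endpoint, and check_token inspects the returned JWT's aud, exp and roles claims before the bearer header is sent, so a token that lacks the Directory.ReadWrite.All role granted in the permissions step is rejected client-side. The login host, the Graph resource URI, the role name and the constructed sample token are assumptions; the decode only reads claims and does not verify the signature.

```python
"""Client-credentials token request for the Graph API plus pre-flight checks on the returned token."""
import base64
import json
import time
from urllib.parse import urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"    # assumed resource identifier for Microsoft Graph
LOGIN_HOST = "https://login.microsoftonline.com"  # assumed Azure AD token endpoint host


def token_request(tenant_id, client_id, app_key, resource=GRAPH_RESOURCE):
    """Return (url, form_body) for the OAuth2 client_credentials grant ADAL performs."""
    url = f"{LOGIN_HOST}/{tenant_id}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": app_key,   # the App Key from the Keys section
        "resource": resource,
    })
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Read the JWT payload without verifying the signature (inspection only; the API validates it)."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_token(jwt, resource=GRAPH_RESOURCE, required_roles=("Directory.ReadWrite.All",), now=None):
    """Return a list of problems; empty means the token fits the call we are about to make."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != resource:           # token minted for some other API
        problems.append(f"aud={claims.get('aud')!r} is not {resource}")
    if claims.get("exp", 0) <= now:             # expired tokens just produce 401s
        problems.append("token expired")
    missing = set(required_roles) - set(claims.get("roles", []))
    if missing:                                 # app permissions appear as the roles claim
        problems.append("missing app roles: " + ", ".join(sorted(missing)))
    return problems


def make_sample_token(claims):
    """Constructed, unsigned sample token for offline demonstration (not a real Azure AD token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```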

For more information on all of the different things you can do with Graph API, check out Microsoft’s Graph API Documentation. If you would like to test out the various API calls without writing code, check out Microsoft’s Graph Explorer, which is a great way to make sure you have the proper formatting and permissions in place while debugging any issues.
