Join the session "Microsoft Graph for Microsoft 365 and Power Platform" at the Microsoft 365 Developer Bootcamp
- Introduction to Microsoft Graph
- Learn how to call the REST API to access data across the various Microsoft 365 services
Presented by Khun Champ, Narisorn Limpaswadpaisarn (Microsoft Certified Trainer)
5. Microsoft Graph: a clean API for developers, providing access to digital work and life data
Gateway to your data in the Microsoft cloud
USERS | FILES | MAIL | CALENDAR | TASKS | GROUPS
graph.microsoft.com
Insights and relationships from Graph
7. APIs scattered and inconsistent (the pre-Graph endpoints)
https://graph.windows.net/contoso.com/users
https://graph.windows.net/contoso.com/groups
https://apis.live.net/v5.0/me
https://contoso.sharepoint.com/_api/SP.UserProfiles.PeopleManager/GetMyProperties
https://graph.microsoft.com/v1.0/me/photo
https://outlook.office.com/api/v2.0/me/Messages
https://outlook.office.com/api/v2.0/me/Events
https://contoso-my.sharepoint.com/personal/yina_contoso_com/_api/v2.0/drive
https://contoso.sharepoint.com/sites/designCouncil/_api/v2./drive
https://api.onedrive.com/v1.0/drive
https://contoso.sharepoint.com/_api/search/query?Querytext='*'&Properties='GraphQuery:actor(ME,action:1020,or(action:1020,action:1003,action:1001,action:1024,action:1005,action:1037,action:1039,action:1036)'&SelectProperties='Docid,Title
8. APIs centralized and consistent
https://graph.microsoft.com
Operation | Service endpoint
GET my profile | https://graph.microsoft.com/v1.0/me
GET my mail | https://graph.microsoft.com/v1.0/me/messages
GET my calendar | https://graph.microsoft.com/v1.0/me/calendar
GET my contacts | https://graph.microsoft.com/v1.0/me/contacts
GET my photo | https://graph.microsoft.com/v1.0/me/photo/$value
GET my files | https://graph.microsoft.com/v1.0/me/drive/root/children
GET my manager | https://graph.microsoft.com/v1.0/me/manager
GET last user to modify file foo.txt | https://graph.microsoft.com/v1.0/me/drive/root/children/foo.txt/lastModifiedByUser
GET users in my organization | https://graph.microsoft.com/v1.0/users
GET group conversations | https://graph.microsoft.com/v1.0/groups/<id>/conversations
GET people related to me | https://graph.microsoft.com/beta/me/people
GET my tasks | https://graph.microsoft.com/beta/me/tasks
GET my notes | https://graph.microsoft.com/beta/me/notes/notebooks
GET files trending around me | https://graph.microsoft.com/beta/me/insights/trending
9. Microsoft 365 Platform (architecture diagram)
Microsoft Graph and Microsoft Graph data connect sit on top of Office 365, Windows 10 and Enterprise Mobility + Security, exposing REST APIs and webhooks.
Extend Microsoft 365 experiences: Documents, Conversations, Portals, Timeline
Build your experience: Web apps, Bots & agents, Device & native apps, Daemon apps, Workflow automation
Connectors: Microsoft Identity, Azure AI platform, Your local data, Search, Analytics apps
10. Microsoft Graph: gateway to your data in the Microsoft cloud (https://graph.microsoft.com)
Office 365:
- Users, Groups, Organizations
- Outlook: Mail, Calendar, Contacts and Tasks
- SharePoint: Sites and Lists
- OneDrive: Drives and Files
- Teams: Channels, Messages
- Planner: Tasks and Plans
- Excel: Spreadsheets
- OneNote: Notes, and more…
Windows 10:
- Activities, Device Relay, Commands, Notifications
Enterprise Mobility + Security (Azure AD, Intune, Identity Manager, Advanced Threat Analytics, Advanced Threat Protection):
- Identity Management, Access Control, Synchronization, Domains, Administrative Units, Applications and Devices, Advanced Threat Analytics, Advanced Threat Protection, Alerts, Policies, and more…
Also reachable through Graph: Dynamics 365, Business Central
11. Supported HTTP methods
GET - Read data from a resource.
POST - Create a new resource, or perform an action. (Request body required)
PUT - Update a resource with new values. (Request body required)
PATCH - Replace a resource with a new one. (Request body required)
DELETE - Remove a resource.
** The body is usually JSON-formatted information that carries additional details such as the values of the resource's properties.
12. API Versions
v1.0 - includes generally available APIs. Use the v1.0 version for all production apps.
beta - includes APIs that are currently in preview. Because we might introduce breaking changes to our beta APIs, we recommend that you use the beta version only to test apps that are in development; do not use beta APIs in your production apps.
https://docs.microsoft.com/en-us/graph/versioning-and-support
13. Common Graph API Scenarios
Reading from Microsoft Graph
• Implement a People or Group Picker – list/search users and groups
• Design workflows that look up Manager/Direct Report relationships
• Authorization checks: determine a user's group memberships, directory role memberships and app roles
• Synchronize directory data with an app – request delta changes instead of re-reading everything
Writing to Microsoft Graph
• Provisioning/de-provisioning users, assigning licenses
• Adding users to groups, directory roles and app roles
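The request shapes from slides 8, 11, 12 and 13 (versioned URLs, which methods carry a body, following @odata.nextLink pages and storing the @odata.deltaLink for the next directory sync) in one runnable form. This is an added example, not code from the deck or from Microsoft; the HTTP client is replaced by a constructed table of sample pages so it runs offline, and the bearer token is a placeholder.

```python
"""Added example (not from the slides): compose Microsoft Graph request URLs for
the v1.0 and beta versions and walk paged / delta responses. The HTTP client is
replaced by a constructed in-memory table of sample pages so it runs offline."""
import json
from urllib.parse import urlencode

GRAPH_ROOT = "https://graph.microsoft.com"
GRAPH_VERSIONS = ("v1.0", "beta")


def graph_url(resource, version="v1.0", query=None):
    """Build https://graph.microsoft.com/<version>/<resource>?<query>.
    Only v1.0 should reach production; beta is for apps still in development."""
    if version not in GRAPH_VERSIONS:
        raise ValueError(f"unknown Graph version {version!r}; use one of {GRAPH_VERSIONS}")
    url = f"{GRAPH_ROOT}/{version}/{resource.strip('/')}"
    if query:
        # OData system query options start with '$'; keep it readable instead of %24.
        url += "?" + urlencode(query, safe="$,")
    return url


def request_spec(method, resource, version="v1.0", query=None, body=None):
    """Describe a Graph call as (method, url, headers, body). POST/PUT/PATCH carry a
    JSON body; GET and DELETE do not. The bearer token is a placeholder."""
    method = method.upper()
    if method in ("POST", "PUT", "PATCH") and body is None:
        raise ValueError(f"{method} requires a request body")
    if method in ("GET", "DELETE") and body is not None:
        raise ValueError(f"{method} takes no request body")
    headers = {"Authorization": "Bearer <ACCESS_TOKEN_PLACEHOLDER>", "Accept": "application/json"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    encoded = json.dumps(body) if body is not None else None
    return method, graph_url(resource, version, query), headers, encoded


def walk_pages(fetch, url):
    """Follow @odata.nextLink until the collection is exhausted. Returns the
    accumulated items and the @odata.deltaLink (present only on delta queries),
    which the caller stores to request just the changes next time."""
    items, delta_link = [], None
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        delta_link = page.get("@odata.deltaLink", delta_link)
        url = page.get("@odata.nextLink")
    return items, delta_link


# Constructed sample responses keyed by URL; stands in for an HTTP client.
SAMPLE_PAGES = {
    f"{GRAPH_ROOT}/v1.0/users/delta?$select=displayName": {
        "value": [{"id": "u1", "displayName": "Alice Example"}],
        "@odata.nextLink": f"{GRAPH_ROOT}/v1.0/users/delta?$skiptoken=PAGE2",
    },
    f"{GRAPH_ROOT}/v1.0/users/delta?$skiptoken=PAGE2": {
        "value": [{"id": "u2", "displayName": "Bob Example"}],
        "@odata.deltaLink": f"{GRAPH_ROOT}/v1.0/users/delta?$deltatoken=TOKEN1",
    },
    f"{GRAPH_ROOT}/v1.0/users/delta?$deltatoken=TOKEN1": {
        # Second sync: only what changed since TOKEN1 (one rename, one deletion).
        "value": [{"id": "u2", "displayName": "Robert Example"},
                  {"id": "u1", "@removed": {"reason": "deleted"}}],
        "@odata.deltaLink": f"{GRAPH_ROOT}/v1.0/users/delta?$deltatoken=TOKEN2",
    },
}


def fake_fetch(url):
    """Offline stand-in for GET <url> with a bearer token."""
    return SAMPLE_PAGES[url]


def sync_users(fetch, state=None):
    """Initial full sync, then incremental syncs from the stored deltaLink."""
    start = state["delta_link"] if state else graph_url("users/delta", query={"$select": "displayName"})
    items, delta_link = walk_pages(fetch, start)
    return items, {"delta_link": delta_link}


if __name__ == "__main__":
    first, state = sync_users(fake_fetch)
    print("initial:", first, state)
    changes, state = sync_users(fake_fetch, state)
    print("changes:", changes, state)
```

Keeping the delta link (and nothing else) between runs is what makes the directory sync cheap; the `@removed` marker is how a deletion shows up, so a consumer must handle entries that have no displayName at all.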
20. Unified gateway to security insights and actions across Microsoft products, services, and partners
Unify and standardize alert management
- Correlate alerts across security solutions more easily with a common alert schema
- Write code once to enable any graph-supported security solution
- Keep alert status and assignments in sync across all solutions
Automate SecOps for greater efficiency
- Build and execute runbooks for investigation and remediation
- Automate security policy checks and enforce rules
- Orchestrate actions across security solutions
Unlock security context to drive investigation
- Traverse alerts and related entities, like users, hosts, apps, …
- Dive deep into related security profiles, aggregated across security solutions
- Add organizational context from other Microsoft Graph providers (Identity, Intune, Office, etc.)
22. Alerts are streamed in near real-time through Azure Monitor and event hubs, enabling integration with existing SIEM solutions
aka.ms/graphsecuritySIEM
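What "a common alert schema" (slide 20) buys a SecOps team, as an added example that is not from the deck or from Microsoft: alerts from different providers are correlated by the user they name, and the status/assignment update is built once for any provider. The alerts are constructed samples; the field names used (id, title, severity, status, assignedTo, vendorInformation.provider, userStates[].userPrincipalName, hostStates[].fqdn) and the /security/alerts/{id} PATCH path are this example's assumptions about the alert resource, not taken from the slides.

```python
"""Added example (not from the slides): correlate constructed security alerts
across providers via the common alert schema and build the PATCH that keeps
status and assignment in sync. Field names and endpoint are assumptions."""
from collections import defaultdict

GRAPH_ROOT = "https://graph.microsoft.com/v1.0"
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample alerts (three providers, two users).
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Impossible travel", "severity": "medium", "status": "newAlert",
     "assignedTo": None,
     "vendorInformation": {"provider": "Azure AD Identity Protection", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "Alice@contoso.example"}], "hostStates": []},
    {"id": "a2", "title": "Suspicious script execution", "severity": "high", "status": "inProgress",
     "assignedTo": "soc-tier2@contoso.example",
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "alice@contoso.example"}],
     "hostStates": [{"fqdn": "ws01.contoso.example"}]},
    {"id": "a3", "title": "Phish delivered", "severity": "low", "status": "newAlert",
     "assignedTo": None,
     "vendorInformation": {"provider": "Office 365 ATP", "vendor": "Microsoft"},
     "userStates": [{"userPrincipalName": "bob@contoso.example"}], "hostStates": []},
]


def _user_principals(alert):
    """UPNs named by an alert, normalised to lower case so providers that differ
    in casing still correlate."""
    return [us["userPrincipalName"].lower()
            for us in alert.get("userStates", []) if us.get("userPrincipalName")]


def correlate_by_user(alerts):
    """Map each user to the alert ids that name them, regardless of provider."""
    by_user = defaultdict(list)
    for alert in alerts:
        for upn in _user_principals(alert):
            by_user[upn].append(alert["id"])
    return dict(by_user)


def multi_provider_users(alerts):
    """Users seen by more than one provider, with the providers involved and the
    highest severity among their alerts: the cross-solution view slide 20 describes."""
    seen = {}
    for alert in alerts:
        provider = alert["vendorInformation"]["provider"]
        for upn in _user_principals(alert):
            entry = seen.setdefault(upn, {"providers": set(), "max_severity": "informational"})
            entry["providers"].add(provider)
            if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[entry["max_severity"]]:
                entry["max_severity"] = alert["severity"]
    return {upn: {"providers": sorted(v["providers"]), "max_severity": v["max_severity"]}
            for upn, v in seen.items() if len(v["providers"]) > 1}


def status_update_patch(alert, status, assigned_to):
    """Build the (url, body) of a PATCH to /security/alerts/{id}. The body echoes
    vendorInformation so the request is routed to the originating provider
    (assumed requirement). The same code serves every provider."""
    body = {"status": status, "assignedTo": assigned_to,
            "vendorInformation": alert["vendorInformation"]}
    return f"{GRAPH_ROOT}/security/alerts/{alert['id']}", body


if __name__ == "__main__":
    print(correlate_by_user(SAMPLE_ALERTS))
    print(multi_provider_users(SAMPLE_ALERTS))
    print(status_update_patch(SAMPLE_ALERTS[0], "inProgress", "soc-tier2@contoso.example"))
```

Case-normalising the principal name is the small but important step: identity-side and endpoint-side providers do not always agree on casing, and an analyst who only sees one provider's alert misses that the same user also tripped a high-severity host alert.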
24. Microsoft Graph (https://graph.microsoft.com/) – architecture diagram
Data, insights and relationships: Users, Groups, Mail, Calendar, Files, Notes, People, Tasks, Excel, Personal Contacts, Org Contacts
Development environment: Visual Studio, XCode, Eclipse or Android Studio, or plain REST
YOUR APP: your choice of technology (.NET, JS, HTML, Ruby, etc.)
Solution hosting: Microsoft Azure or other hosting (IIS, LAMP, etc.)
Authentication and Authorization: OpenID Connect and OAuth 2.0
25. Microsoft Graph Security API – architecture diagram
Alerts | Security Profiles (Host | User | File | App | IP) | Actions | Configurations
Insights and relationships; OAuth 2.0 and OpenID Connect 1.0
Providers: Azure AD Identity Protection, Intune, Windows Defender ATP, Office 365 ATP, Cloud Application Security, Azure ATP, Azure Security Center, Azure Information Protection, Ecosystem Partners
Other Microsoft Graph Services: Office 365 | Intune | Active Directory | More… (Users, Groups, Mail, Files, Calendar)
27. MSAL vs ADAL
MSAL connects to the Microsoft identity platform v2.0 endpoint (more features, standards compliant: OAuth 2.0 and OpenID Connect)
ADAL connects to the Azure Active Directory for developers v1.0 endpoint
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview
(Diagram) Microsoft identity platform endpoint v2.0: work or school accounts (Azure AD), personal accounts (Microsoft account), social or local accounts (Azure AD); https://portal.azure.com; Microsoft Authentication Library (MSAL). Azure AD endpoint v1.0: Azure AD Authentication Library (ADAL); Active Directory Federation Services (AD FS).
31. Building an app..
1. Register your app with Azure AD
2. Configure app permissions
3. Use OpenID Connect for sign-in
4. Get a token using an OAuth 2.0 flow
5. Build code using REST APIs or client SDKs
34. App types and permissions
Delegated permissions (permission type: delegated) – get access on behalf of users. Users can consent for their data, or an admin can consent for all users. Effective permission: what the app is granted acting as that user.
Application permissions (permission type: application) – get access as a service. Only an admin can consent. Effective permission: what the app itself is granted.
https://aka.ms/ConsentAndPermissions
36. Scopes and permissions
• Web-hosted resources that integrate with Azure AD have a resource identifier (Application ID URI)
  • Office 365 Unified Mail API: https://outlook.office.com
  • Microsoft Graph: https://graph.microsoft.com
• Resources define permissions
  • Calendar.Read
  • Profile.ReadWrite
  • Mail.Send
37. Permission examples
Permission | Display String | Description | Admin Consent Required
User.Read | Sign-in and read user profile | Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No
User.ReadWrite | Read and write access to user profile | Allows the app to read the signed-in user's full profile. It also allows the app to update the signed-in user's profile information on their behalf. | No
User.ReadBasic.All | Read all users' basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user. | No
User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Yes
User.ReadWrite.All | Read and write all users' full profiles | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. | Yes
39. Use least privileged permissions
Use least privilege! Only request permissions which are absolutely necessary, and only when you need them
Be thoughtful when configuring your app! This will directly affect end user and admin experiences, along with app adoption and security
When building a multi-tenant app, expect customers to have various application and consent controls in different states
Don't use AppOnly for user-interactive scenarios.
Avoid permissions that are not specific, like Directory.AccessAsUser.All
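After step 4 of slide 31 the app holds an access token; slides 34, 37 and 39 say what it should contain. The added example below (not code from the deck or from Microsoft's SDKs) reads the token's claims to see which permissions it actually carries and flags the three things slide 39 warns about: an app-only token in a user-interactive flow, permissions beyond the stated need, and non-specific permissions. It relies on the `scp` claim holding delegated scopes and the `roles` claim holding application permissions, and on the Graph audience values, all as the author of this example knows them; the tokens are constructed, unsigned samples and no signature is checked, because this is the calling app inspecting its own token, not a resource validating one.

```python
"""Added example (not from the slides): inspect the claims of an access token to
see which Microsoft Graph permissions it carries and check them against need.
Signature verification is out of scope; sample tokens are constructed and unsigned."""
import base64
import json

# Audience values Graph tokens carry (URI form and the well-known Graph app id).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
BROAD_PERMISSIONS = {"Directory.AccessAsUser.All"}  # non-specific; slide 39 says avoid


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def effective_permissions(claims: dict):
    """Delegated tokens carry 'scp' (space-separated scopes: user consented, or
    admin consented for all users); app-only tokens carry 'roles' (application
    permissions, admin consent only). Returns (kind, set of permissions)."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "none", set()


def check_least_privilege(claims: dict, needed, interactive: bool) -> list:
    """Findings a reviewer would raise about the token the app just received."""
    kind, granted = effective_permissions(claims)
    needed = set(needed)
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append("audience is not Microsoft Graph")
    if interactive and kind == "application":
        findings.append("app-only token used in a user-interactive scenario")
    if needed - granted:
        findings.append("missing: " + ", ".join(sorted(needed - granted)))
    if granted - needed:
        findings.append("beyond need: " + ", ".join(sorted(granted - needed)))
    if granted & BROAD_PERMISSIONS:
        findings.append("non-specific: " + ", ".join(sorted(granted & BROAD_PERMISSIONS)))
    return findings


def sample_token(claims: dict) -> str:
    """Constructed, unsigned token for the offline demo. It exists only to
    exercise the parser; a resource must never accept an unsigned token."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


GRAPH_AUD = "https://graph.microsoft.com"
DELEGATED = sample_token({"aud": GRAPH_AUD, "scp": "User.Read Mail.Send"})
BROAD = sample_token({"aud": GRAPH_AUD, "scp": "User.Read Directory.AccessAsUser.All"})
APP_ONLY = sample_token({"aud": GRAPH_AUD, "roles": ["User.Read.All"]})

if __name__ == "__main__":
    for name, tok, need in (("delegated", DELEGATED, ["User.Read"]),
                            ("broad", BROAD, ["User.Read"]),
                            ("app-only", APP_ONLY, ["User.Read.All"])):
        print(name, effective_permissions(token_claims(tok)),
              check_least_privilege(token_claims(tok), need, interactive=True))
```

Comparing the scopes you were granted with the scopes you asked for matters in multi-tenant apps (slide 39): an admin may have consented to fewer or more permissions than the app requested, and the `scp` claim is the only place the app learns what it really has before Graph answers 403.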
40. Microsoft Graph | SDKs
SDKs are all OSS on https://github.com/microsoftgraph
Great source of SDK examples: https://github.com/microsoftgraph/aspnet-snippets-sample
41. MSAL – Samples, Docs and feedback
• Samples
  • Calling an ASP.NET Core Web API from a WPF application using Azure AD v2.0
  • An ASP.NET Core 2.x Web App which signs in users (including in your org, many orgs, orgs + personal accounts, sovereign clouds) and calls Web APIs (including Microsoft Graph)
• Docs
  • MSAL.NET Wiki
  • MSAL.NET Reference documentation
• Feedback
  • Issues with MSAL.NET? Let us know.
43. What is Microsoft Graph?
https://graph.microsoft.com/
Single API for:
1. Accessing data: /me, /users, /groups, /messages, /drive, …
2. Traversing data: /drive/items/<id>/lastmodifiedByUser
3. Accessing insights: /insights/trending
4. Work/School and Personal Accounts
45. Graph in numbers
- 18 trillion Microsoft Graph nodes
- 180 million monthly active users of Office 365 commercial
- 90% of the Fortune 500
- 1 billion users across work, life and edu
- 100 billion Microsoft Graph requests per month
- 1 million monthly active apps using Microsoft Identity
Your tailored experiences or customizations
46. More Graph in numbers
- 70 petabytes of enterprise data
- 8 billion relationships
- 4 trillion nodes
- 60 billion attachments
- 25 percent of relationships are person-to-person
- 850 million meetings per month