พบกับเซสชั่น "Microsoft Graph for Microsoft 365 and Power Platform" ในงาน Microsoft 365 Developer Bootcamp - แนะนำ Microsoft Graph - เรียนรู้การเรียกใช้งาน REST API เพื่อเข้าถึงข้อมูลบนบริการต่าง ๆ ของ Microsoft 365 โดยคุณแชมป์ Narisorn Limpaswadpaisarn (Microsoft Certified Trainer)

1. Microsoft Graph and Power Platform
Global M365 Developer Bootcamp
Narisorn Limpaswadpaisarn
28/11/2020

2. http://aka.ms/msgraph
Narisorn Limpaswadpaisarn
Global M365 Developer Bootcamp

3. Agenda

4. What is Microsoft
Graph

5. Microsoft Graph:
Clean API for
developers,
providing access
to digital work
and life data
Gateway to your data in the Microsoft cloud
USERS FILES MAIL CALENDAR TASKSGROUPS
graph.microsoft.com
Insights and relationships from Graph

6. Discovery
Service
AAD
OneDrive for Business
Outlook
https://api.office.com/discover
https://graph.windows.net/contoso.com/users
https://contoso-my.sharepoint.com/personal/joe_contoso_com/_api/v2.0/drive/root/children
https://outlook.office.com/api/v2.0/Me/Inbox
Previous model for interacting with O365 APIs
Too many SDKs, each
with own security,
messaging and data
format requirement.

7. APIs scattered and inconsistent
https://graph.windows.net/contoso.com/users
https://graph.windows.net/contoso.com/groups
https://apis.live.net/v5.0/me
https://contoso.sharepoint.com/_api/SP.UserProfiles.PeopleManager/GetMyProperties
https://graph.microsoft.com/v1.0/me/photo
https://outlook.office.com/api/v2.0/me/Messages
https://outlook.office.com/api/v2.0/me/Events
https://contoso-my.sharepoint.com/personal
/yina_contoso_com/_api/v2.0/drive
https://contoso.sharepoint.com/sites
/designCouncil/_api/v2./drive
https://api.onedrive.com/v1.0/drive
https://contoso.sharepoint.com/_api/search/query?Querytext='*'&Prop
erties='GraphQuery:actor(ME,action:1020,or(action:1020,action:1003
,action:1001,action:1024,action:1005,action:1037,action:1039,action
:1036)'&SelectProperties='Docid,Title
Click to add text

8. APIs centralized and consistent
https://graph.microsoft.com
Operation Service endpoint
GET my profile https://graph.microsoft.com/v1.0/me
GET my mail https://graph.microsoft.com/v1.0/me/messages
GET my calendar https://graph.microsoft.com/v1.0/me/calendar
GET my contacts https://graph.microsoft.com/v1.0/me/contacts
GET my photo https://graph.microsoft.com/v1.0/me/photo/$value
GET my files https://graph.microsoft.com/v1.0/me/drive/root/children
GET my manager https://graph.microsoft.com/v1.0/me/manager
GET last user to modify file foo.txt https://graph.microsoft.com/v1.0/me/drive/root/children/foo.txt/lastModifiedByUser
GET users in my organization https://graph.microsoft.com/v1.0/users
GET group conversations https://graph.microsoft.com/v1.0/groups/<id>/conversations
GET people related to me https://graph.microsoft.com/beta/me/people
GET my tasks https://graph.microsoft.com/beta/me/tasks
GET my notes https://graph.microsoft.com/beta/me/notes/notebooks
GET files trending around me https://graph.microsoft.com/beta/me/insights/trending

9. Microsoft 365 Platform
Microsoft Graph
data connect
Microsoft Graph
Office 365 Windows 10 Enterprise Mobility + Security
Microsoft Graph
REST APIs and webhooks
Documents Conversations Portals Timeline
Extend Microsoft 365 experiences
Web
apps
Bots &
agents
Device
& native
Daemon
apps
Workflow
automation
Build your experience
Connectors
Microsoft Identity
Azure AI platformYour local data
Search Analytics
apps

10. Microsoft Graph
Gateway to your data in the Microsoft cloud
Users, Groups, Organizations
Outlook
SharePoint
OneDrive
Teams
Planner
Excel
OneNote
Activities
Device Relay
Commands
Notifications
Azure AD
Intune
Identity Manager
Advanced Threat Analytics
Advanced Threat Protection
Mail, Calendar,
Contacts and Tasks
Sites and Lists
Drives and Files
Channels, Messages
Tasks and Plans
Spreadsheets
Notes, and more…
Identity Management
Access Control
Synchronization
Domains
Administrative Units
Applications and Devices
Advanced Threat Analytics
Advanced Threat Protection
Alerts
Policies
and more…
Office 365 Windows 10 Enterprise Mobility + Security
https://graph.microsoft.com
Dynamics 365
Business Central

11. Supported HTTP methods
GET - Read data from a resource.
POST - Create a new resource, or perform an action. (Request Body required)
PUT - Update a resource with new values. (Request Body required)
PATCH - Replace a resource with a new one. (Request Body required)
DELETE - Remove a resource.
** Body is usually JSON format information that
contains additional information such as the value of
properties of the resource

12. API Versions
v1.0 - includes generally available APIs. Use the v1.0 version for all
production apps.
beta - includes APIs that are currently in preview. Because we might
introduce breaking changes to our beta APIs, we recommend that you use
the beta version only to test apps that are in development; do not use beta
APIs in your production apps.
https://docs.microsoft.com/en-us/graph/versioning-and-support

13. Common Graph API Scenarios
Reading from Microsoft Graph
• Implement People or Group Picker – List/Search users/groups
• Design workflows that lookup Manager/Direct Report relationships
• Authz checks: determine Users’ Group, Directory Role Memberships, App roles
• Synchronize directory data with an app – requesting delta changes
Writing to Microsoft Graph
• Provisioning/De-provisioning Users, setting licenses
• Adding Users to Groups/Directory Roles/App Roles

14. Try it now..
Microsoft Graph Explorer – https://aka.ms/ge

15. Try it now..
Try it on API references

16. Testing

17. Entity Centric
Modeling

18. Silos in enterprises
User Files Conversations People & Groups Events

20. Build and execute runbooks for
investigation and remediation
Automate security policy checks and
enforce rules
Orchestrate actions across security
solutions
Traverse alerts and related entities, like
users, hosts, apps, …
Dive deep into related security profiles,
aggregated across security solutions
Add organizational context from other
Microsoft Graph providers (Identity,
Intune, Office, etc.)
Correlate alerts across security
solutions more easily with a common
alert schema
Write code once to enable any graph-
supported security solution
Keep alert status and assignments in
sync across all solutions
Unified gateway to security insights and actions across Microsoft products, services, and partners
Unify and standardize alert
management
Automate SecOps for
greater efficiency
Unlock security context to
drive investigation

21. Microsoft services – no extra cost

22. Alerts are streamed in near real-time through Azure Monitor and event hubs,
enabling integration with existing SIEM solutions
aka.ms/graphsecuritySIEM

23. The App topology
Developing applications for Microsoft Graph

24. Microsoft Graph
https://graph.microsoft.com/
Insights and relationships
Calendar
Personal
Contacts
Files Notes
Org
Contacts
NotesPeopleUsers ExcelTasksMailGroups
Data
XCode
Eclipse or
Android Studio
Visual Studio REST
Development
Environment
YOUR APP
Your choice of technology (.NET, JS, HTML, Ruby, etc.)
Microsoft Azure
Other hosting
(IIS, LAMP, etc.)
Solution
Authentication
and Authorization OpenID Connect and OAuth 2.0

25. Alerts
Security Profiles
Host | User | File | App | IP
Actions Configurations
Insights and relationships
OAuth 2.0 and OpenID Connect 1.0
Azure AD Identity
Protection IntuneWindows
Defender ATP
Office 365 ATP Cloud Application
Security
Azure ATP Azure Security
Center
Azure Information
Protection
Ecosystem
Partners
Other Microsoft Graph Services
Office 365 | Intune | Active Directory | More…
Users Groups Mail Files Calendar

27. MSAL connects to Microsoft Identity Platform v2.0 endpoint (more feature,
standard complaint such as OAuth 2.0 and OpenID Connect)
ADAL connects to Azure Active Directory for developers v1.0 endpoint
MSAL vs ADAL
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview
Microsoft identity p atform
endpoint v
or or schoo
accounts
A ure AD
ersona accounts
Microsoft account
ocia or oca
accounts
A ure AD
https porta a ure com
Microsoft Authentication i rary M A
A ure AD Authentication i rary
ADA
Active Directory
ederation ervices
AD
A ure AD endpoint v

28. Graph SDKs, samples and tooling

29. Samples
https://developer.microsoft.com/en-
us/graph/gallery/?filterBy=Samples

30. Authentication
Developing applications for Microsoft Graph

31. Register your app with Azure AD
Configure app permissions
Use OpenID Connect for sign-in
Get token using OAuth2.0 flow
Build code using REST APIs or client SDKs
Building an app..

32. Auth
access_tokenMSAL
YOUR APP
Microsoft
Graph
id_token
access_token refresh_token
Microsoft
Identity
https://docs.microsoft.com/en-us/azure/active-
directory/develop/active-directory-v2-protocols
•Access tokens - tokens that a resource server receives from a client, containing permissions the client has been granted.
•ID tokens - tokens that a client receives from the authorization server, used to sign in a user and get basic information about them.
•Refresh tokens - used by a client to get new access and ID tokens over time. These are opaque strings, and are only
understandable by the authorization server.
Auth and Get id_token
Token as JWT (JSON Web Token)
https://tools.ietf.org/html/rfc7519
Identity verified
Call APIs
When expireSend back

33. The Permissions
Developing applications for Microsoft Graph

34. App types and permissions
Users can consent for their data or admin can consent for all users Only admin can consent
Delegated
permissions
App
Permissions
App
permissions
Permission type: applicationPermission type: delegated
Get access on behalf of users Get access as a service
Effective permissionEffective permission
https://aka.ms/ConsentAndPermissions

35. User signs-in and consents (first time only)

36. Scopes and permissions
• Web-hosted resources that integrate with Azure AD have a resource
identifier (Application ID URI)
• Office 365 Unified Mail API: https://outlook.office.com
• Microsoft Graph: https://graph.microsoft.com
• Resources define permissions
• Calendar.Read
• Profile.ReadWrite
• Mail.Send

37. Permission examples
Permission Display String Description
Admin
Consent
Required
User.Read Sign-in and read
user profile
Allows users to sign-in to the app, and allows the app to read the profile of signed-in
users. It also allows the app to read basic company information of signed-in users.
No
User.ReadWrite Read and write
access to user
profile
Allows the app to read the signed-in user's full profile. It also allows the app to update
the signed-in user's profile information on their behalf.
No
User.ReadBasic.All Read all users' basic
profiles
Allows the app to read a basic set of profile properties of other users in your
organization on behalf of the signed-in user. This includes display name, first and last
name, email address, open extensions and photo. Also allows the app to read the full
profile of the signed-in user.
No
User.Read.All Read all users' full
profiles
Allows the app to read the full set of profile properties, reports, and managers of other
users in your organization, on behalf of the signed-in user.
Yes
User.ReadWrite.All Read and write all
users' full profiles
Allows the app to read and write the full set of profile properties, reports, and managers
of other users in your organization, on behalf of the signed-in user. Also allows the app
to create and delete users as well as reset user passwords on behalf of the signed-in
user.
Yes

38. Admin Consent

39. Use least privileged permissions
Use least privilege! Only request permissions which are absolutely
necessary, and only when you need them
Be thoughtful when configuring your app! This will directly affect end user
and admin experiences, along with app adoption and security
When building a multi-tenant app, expect customers to have various
application and consent controls in different states
Don’t use AppOnly for user interactive scenarios.
Avoid permission that are not specific, like Directory.AccessAsUser.All

40. Microsoft Graph | SDKs
SDKs are all OSS on
https://github.com/microsoftgraph
Great source of SDK examples- https://github.com/microsoftgraph/aspnet-
snippets-sample

41. MSAL
Samples, Docs
and feedback
• Samples
• Calling a ASP.NET Core Web API from a WPF application using
Azure AD v2.0
• An ASP.NET Core 2.x Web App which sign-in users (including in
your org, many orgs, orgs + personal accounts, sovereign clouds)
and call Web APIs (including Microsoft Graph)
• Docs
• MSAL.NET Wiki
• MSAL.NET Reference documentation
• Feedback
• Issues with MSAL.NET ? Let us know.

42. Summarizing

43. Single API for:
1.Accessing data
/me, /users, /groups, /messages, /drive, ….
2.Traversing data
/drive/items/<id>/lastmodifiedByUser
3.Accessing insights
/insights/trending
4.Work/School and Personal
Accounts
What is Microsoft Graph?
https://graph.microsoft.com/

44. The Opportunity

45. 18 trillion
Microsoft Graph nodes
180 million
monthly active users of
Office 365 commercial
90%
Fortune 500
1 billion
users across work,
life and edu
100 billion
Microsoft Graph
requests per month
1 million
monthly active apps using
Microsoft Identity
Your tailored
experiences or
customizations

46. More Graph in numbers
70 PETABYTES
OF ENTERPRISE
DATA
8 BILLION
RELATIONSHIPS
4 TRILLION
NODES
60 BILLION
ATTACHMENTS
25 PERCENT
RELATIONSHIPS
ARE PERSON-TO-PERSON
850 MILLION
MEETINGS
PER MONTH

47. How clients use
the API
Developing applications for Microsoft Graph

48. Calling Microsoft Graph
Microsoft
Graph

50. Microsoft Graph in Power Platform
Office 365 user Connectors, Outlook Connector and more

51. Custom connector
For more defined actions apart from standard connectors

52. Custom connector
For more defined actions apart from standard connectors

53. Custom connector
For more defined actions apart from standard connectors

54. Custom connector