What the heck is the GraphAPI and why should I care?

So recently I have been spending time learning about the new preview Intune portal, which is moving over to the Ibiza Azure Portal. As part of this migration from the existing Silverlight Intune portal to the new Ibiza portal, Microsoft is working on exposing a vast amount of information (if not all) for your Intune subscription via the GraphAPI. To quote the Microsoft Graph website, the GraphAPI is “One endpoint to rule them all”; I’m sure there is a joke about rings and volcanoes that could be put in here.
But in all seriousness, GraphAPI is well on its way to living up to that tagline. Today, as I write this, there is already a vast number of objects from the Office world available to interrogate. For example, you can do a simple “GET” request on https://graph.microsoft.com/v1.0/me and you will see a JSON response. I’m sure you have just clicked on the link and got a JSON reply looking something like this:
    {
      "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Bearer access token is empty.",
        "innerError": {
          "request-id": "c6a2dcfe-4ee6-489a-9de3-a5573c6e2576",
          "date": "2017-01-27T03:35:07"
        }
      }
    }

So, as you might have guessed by now, it’s not completely straightforward to interrogate the GraphAPI. This is actually a really good thing: you need to provide an access token to be able to query the data from GraphAPI. To test a query you can use the Graph Explorer, which you can find here: https://graph.microsoft.io/en-us/graph-explorer
By default it is signed in to a “Demo Tenant” where you can test out the API calls, but once you sign in you can interrogate your own data. During logon you will be prompted to allow the Graph Explorer access to your data, so you know what types of items the GraphAPI has access to.
If we run the same link that we previously ran against the GraphAPI, you will get a JSON reply which looks something like this:
    {
      "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
      "id": "2f2916e5-953c-4c5d-9f52-bd5db8131d49",
      "businessPhones": [],
      "displayName": "Steven Hosking",
      "givenName": "Steven",
      "jobTitle": null,
      "mail": "steve@AusIgnite2017DEMO.onmicrosoft.com",
      "mobilePhone": null,
      "officeLocation": null,
      "preferredLanguage": "en-AU",
      "surname": "Hosking",
      "userPrincipalName": "steve@AusIgnite2017DEMO.onmicrosoft.com"
    }

As you can see, GraphAPI is quite secure, in that you can’t just randomly query the GraphAPI objects from another company without an access token. In this demo the Graph Explorer handles the process of obtaining access to your subscription, be it Intune, Office 365, or Azure Active Directory.
It’s also worth noting that, as of today, to access the Intune sections of the API you need to change the v1.0 to beta in the URLs. That said, not all Intune subscriptions have currently been migrated to the Ibiza Portal, which enables the GraphAPI, so you might not be able to test this. To find more information regarding the Intune GraphAPI have a look here, as it will be continually updated during the rollout of the Ibiza Portal support.
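
The two replies shown above, handled in code. This is an added example, not code from the original post or from Microsoft: it builds the GET request with and without a bearer token and reduces either JSON reply to the fields worth logging. The function names and the GRAPH_ACCESS_TOKEN environment variable are assumptions, and obtaining the token itself is out of scope here.

```python
import json
import os
import urllib.error
import urllib.request

GRAPH_ME_URL = "https://graph.microsoft.com/v1.0/me"  # endpoint quoted in the post

# Constructed samples: trimmed copies of the two JSON replies shown in the post.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "InvalidAuthenticationToken",
    "message": "Bearer access token is empty.",
    "innerError": {"request-id": "c6a2dcfe-4ee6-489a-9de3-a5573c6e2576",
                   "date": "2017-01-27T03:35:07"}}})
SAMPLE_USER = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "id": "2f2916e5-953c-4c5d-9f52-bd5db8131d49",
    "userPrincipalName": "steve@AusIgnite2017DEMO.onmicrosoft.com"})

def build_request(url, access_token=None):
    """Build the GET request; the token travels in the Authorization header."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("Accept", "application/json")
    if access_token:
        req.add_header("Authorization", "Bearer " + access_token)
    return req

def interpret_reply(body):
    """Reduce a Graph JSON body to either the error code or the signed-in user."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {"ok": False, "code": None, "message": "reply was not JSON"}
    if "error" in doc:
        err = doc["error"]
        return {"ok": False, "code": err.get("code"), "message": err.get("message"),
                "request_id": err.get("innerError", {}).get("request-id")}
    return {"ok": True, "id": doc.get("id"), "upn": doc.get("userPrincipalName")}

def call_graph(url, access_token=None):
    """Send the request; the error body arrives with an HTTP error status."""
    try:
        with urllib.request.urlopen(build_request(url, access_token), timeout=10) as resp:
            return interpret_reply(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return interpret_reply(exc.read().decode("utf-8"))

if __name__ == "__main__":
    # GRAPH_ACCESS_TOKEN is an assumed variable name; keep tokens out of source and logs.
    print(call_graph(GRAPH_ME_URL, os.environ.get("GRAPH_ACCESS_TOKEN")))
```

Recording the request-id from an error reply gives you something to correlate when a call is rejected.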

In future blog posts I will explain the process to query the GraphAPI with PowerShell.

Good Luck

