slides supporting the session at SharePoint Fest Seattle 2019. Talking about the Microsoft Graph API, Azure Active Directory, OAuth, OData and more.

1. Introduction to the Microsoft
Graph : Getting Started Quickly
& Getting the Most Out of It
SharePoint Fest Seattle 2019
Vincent Biret

2. Passionate about technologies, development and community
Vincent Biret
@baywet
bit.ly/vince365
Microsoft Office Dev MVP
Azure and Office 365 developer @ 2toLead

3. Audience?

4. Agenda
•Introduction to the Microsoft Graph
•Authentication & authorization
•Azure Functions
•Tips
•Conclusion

5. Ready?

6. The Microsoft Graph

7. Regardless of your development model, the Microsoft Graph grants access to a wealth of
data
Your gateway to Microsoft 365
Your
app
Gateway
Your data or
your
customer’s
Office 365 Windows 10 Enterprise Mobility and Security
1Microsoft Graph

8. The Microsoft Graph provides a unified auth model and set of API’s for both pro and
personal accounts/data
Personal and professional accounts
(lucy)

9. The Microsoft Graph is the fastest growing API at Microsoft
Some numbers
18TNodes
181Countries
1BMonthly active apps
90%F500 companies have data
available via Microsoft
Graph
180MMonthly active users in
Microsoft 365
100BRequests each month

10. https://graph.microsoft.com
Microsoft Graph started with Office 365 and became THE API for enterprise and personal
data
What data is available?
Users, Groups, Organizations
Outlook
SharePoint
OneDrive
Teams
Planner
Excel
OneNote
Activities
Devices relays
Commands
Notifications
Azure AD
Intune
Identity Manager
Advanced Threat Analytics
Advanced Threat Protection
Email, Calendar,
Contacts and Tasks
Sites and Lists
Disks and Files
Channels, Messages
Tasks and Plans
Worksheets
Notes, and more…
Identity management
Access control
Synchronization
Domains
Organizational units
Applications and Devices
Threats analysis
Threats protection
Alerts
Policies
And more…
Office 365 Windows 10 Enterprise mobility and security
Dynamics 365
Finances

11. One of the key points of the Microsoft Graph is providing a unified data model
Wide and transversal API
SITES
GROUPS
USERSINSIGHTS
CONTACTS
PEOPLE
ORGANIZATION
EMAIL
CONTENT
DOCUMENTS
DEVICES
TEAMS
REPORTS
ME
ADMIN UNITS
ROLES
APPS
SECURITY DATA &
AUTOMATION
ORGANIZATION
USERS
BUSINESS
PARTNER

12. Microsoft provides a consistent approach to the API
Basics
• HTTP verbs represent the intent: GET | POST | PATCH | PUT | DELETE
• Version: /v1.0 or /beta
• Resource: /users, /groups, /sites, /drives, /devices, …
• Collection item: /users/john
• Property: /users/john/department
• Linked data via navigation: /users/john/events
• Query parameters: /users/john/events?$top=5
o Format: $select | $orderby
o Filter/Navigate: $filter | $expand
o Pagination: $top | $skip | $skiptoken
/{version} ?{parameters}/{resource}/{id}/{property}

13. Various supported languages and platforms
SDKs
Generally Available ( /v1.0 ) Preview ( /beta )
And Soon

14. Documentation, samples, quick starts and asking for help
Demo

15. Authentication
and authorization

16. Resources provided by the Graph are always secured. Depending on the authentication
flow, you might need multiple tokens.
Base principles
access_token
MSAL or
ADAL
Your APP
Microsoft
Graph
id_token
access_token refresh_token
Microsoft
Identity

17. It is crucial to think through your auth scenario before starting development as it has a
deep impact.
Contexts types
Users can consent for their data, admins for the whole tenant Only admins can consent
Delegated
permissions
User’s
privileges
App
permissions
Permission Type: applicationPermission Type: Delegated
Access as a user Access as a service
Effective PermissionsEffective Permissions

18. Permissions follow a description model. Tip: always request the least permissions
Permissions/scopes structure
specific: .All,
.Shared, etc
Read,
ReadWrite,
etc.
Target Entity:
files, mail,
groups,
calendars,
etc…
Ex: User.Read Directory.ReadWrite.All
Resource Action Scope

19. Microsoft has been working really hard to improve the situation. This is why it’s important
to think your auth.
Complex situation
Your target
audience
ADALSDK Client
App Reg.
MSAL
Endpoint

20. App registration experience
Demo

21. Azure Functions

22. Improving the « pay for what you use » and the elasticity principles, it also provides a
total abstraction of servers
Serverless definition

23. Enable your team to deliver solutions faster, in a more structured way moving the focus
on the business logic
Benefits

24. Google Cloud Functions and AWS Lambdas are direct competitors of Azure Functions
Offerings

25. 5 languages supported for production in Azure Functions and more to come
Languages (v2)

26. Solution “I’m sick boss”
Demo

27. Tips

28. Microsoft is trying to improve your Graph dev experience
$whatif
• Simply add $whatif at the end of a request to know where the data is coming from
• Useful when debugging
• /me/?$whatif
{
"Description": "Execute HTTP request",
"Uri": "https://graph.windows.net/v2/c03a026e-335e-458c-bad2-
3309fe59663b/users('c9452811-4b6e-4073-b7cf-
3f681f55539b')?$select=businessPhones,displayName,givenName,jobTitle,mail,mobi
lePhone,officeLocation,preferredLanguage,surname,userPrincipalName,id",
"HttpMethod": "GET"
}

29. A good knowledge of OData is key to build applications properly, even when using SDKs
Know your OData!
• Sets
• $count
• $filter
• $expand
• $orderby
• $select
• $skip/$skipToken
• $top
• Search
• $search
• Values
• $ref
• $value

30. Microsoft must define boundaries to keep the service up and running. This sandbox is
defined at multiple levels and revolves around multiple concepts which makes the
problem more complex.
Throttling – the problem
• Microsoft 365 is a set of services, usage always limited
• Relies on limited and costly resources (CPU, mmory, storage…)
• These limits can be dynamic or fixed
• API usage is dynamic
• Site collection storage is fixed
• You can expand the boundaries: type and/or number of licenses
• API usage limitation is defined per user (to start with)
• This limits impact on the service, users and revenue

31. The idea is to limit resource usage, spread out pic activity, allow key features to survive by
stopping minor features using the same resource or even tell users to slow down before
everything stops.
Throttling – what can you do?
• Implement read cache (if possible)
• In proc, in memory, distributed cache (Redis)
• Pay attention to Rate-Limit Limit, Remaining, and Reset headers
• Pay attention to 429’s or 503’s and impl. « exponential back-off retry policies»*
• Or better, retry after the delay provided by retry-after header
• Implement “Circuit Breaker” design pattern
• Limit incoming traffic using telemetry

32. Conclusion

33. All these developer productivity improvements translate to savings in development
investments and better productivity for end users which means better ROI!
Conclusion
•Great potential
•Consistent API
•Auth design is key
•Functions are here to help
•Shorter delivery time
•Better apps integration
•Better user experience

34. Check out these sessions to learn more about the Microsoft Graph
To go further
• 6 demos to impress your boss/customers with Microsoft Graph
• Jeremy Take AZR104 room 604 3PM
• Automating Provisioning for Your digital workplace : With Graph and
Azure Durable Functions
• Vincent Biret AZR303 room 604 Friday 3PM

35. Bit.ly/vince365 @baywet slideshare.net/VincentBIRET
Thanks!/Questions?
Vincent Biret
Office 365 and Azure
Developer, 2toLead
@baywet
Bit.ly/vince365