Introduction
If you work with Azure Active Directory (now called Microsoft Entra ID), Microsoft 365, or any Microsoft cloud services, you’ve likely heard about the Microsoft Graph API.
But what exactly is it? How do you use it to extract data like user details, audit logs, sign-in reports, and application ownership?
This guide will answer all those questions in detail — with real-world API examples, endpoint references, permission requirements, and SEO-optimized content that helps you learn and helps your website rank.
What is Microsoft Graph API?
Microsoft Graph API is the unified API endpoint that connects you to data across Microsoft services. It acts as a single gateway to access data from Microsoft 365, Azure AD, Intune, Teams, OneDrive, Outlook, and more.
Instead of managing multiple APIs for different Microsoft services, you can use one endpoint:
https://graph.microsoft.com/
Everything you need — from user attributes to audit logs, groups, applications, devices, and security insights — can be retrieved or modified through this one URL structure.
Why is Microsoft Graph API Important?
Unified access – Access all Microsoft cloud data from one API.
Automation – Ideal for scripting, reporting, and provisioning.
Security insights – Monitor sign-ins, risky users, and compliance.
Integration – Easily connect Microsoft data with external applications or Power BI.
Scalability – Works for both small organizations and large enterprises.
🧠 In short, if you’re managing users, auditing logs, or automating reports in Microsoft Entra ID — Graph API is your best friend.
How to Use Microsoft Graph API (Step-by-Step)
To use Graph API, you first need to register an application in Azure Entra ID, assign the right permissions, and then authenticate to get a token.
Let’s go step by step.
Step 1: Register an App in Azure Entra
Click New Registration.
Give your app a name (e.g., GraphAPIDemoApp).
Choose supported account types (usually “Accounts in this organizational directory only”).
Add redirect URI if needed (for delegated access).
Click Register.
You’ll now see:
Application (client) ID
Directory (tenant) ID
Option to create a client secret
Keep these safe — they’ll be used for authentication.
Step 2: Authentication Flow
There are two main ways to authenticate:
| Type | Use Case | Description |
|---|---|---|
| Delegated Permissions | For apps acting on behalf of a signed-in user | Needs user login & consent |
| Application Permissions | For background services (no user interaction) | Requires admin consent |
To get a token:
POST https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=<ClientID>&scope=https://graph.microsoft.com/.default&client_secret=<Secret>&grant_type=client_credentials
You’ll receive an access token which is used in the authorization header for each Graph API call.
Step 3: Make Your First Graph API Call
Once you have a token, add it to your headers:
GET https://graph.microsoft.com/v1.0/users
Authorization: Bearer <access_token>
🎯 Pro Tip: Use tools like Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) to test requests before running scripts.
Microsoft Graph API Endpoints
Here’s a table of the most commonly used endpoints:
| Category | Endpoint | Description |
|---|---|---|
| Users | /v1.0/users | List all users |
| Single User | /v1.0/users/{id or userPrincipalName} | Get specific user |
| Groups | /v1.0/groups | Get list of groups |
| Applications | /v1.0/applications | List registered apps |
| Service Principals | /v1.0/servicePrincipals | List enterprise apps |
| Audit Logs | /v1.0/auditLogs/directoryAudits | Directory-level activity logs |
| Sign-In Logs | /v1.0/auditLogs/signIns | User sign-in events |
| App Owners | /v1.0/applications/{id}/owners | List owners of a specific app |
📘 For extended examples, visit Microsoft Graph API Documentation.
Permissions Required for Graph API
Permissions are critical — they define what data your app can access.
Here are the most commonly required permissions:
| Task | Delegated Permission | Application Permission |
|---|---|---|
| Read user data | User.Read | User.Read.All |
| Read directory data | Directory.Read.All | Directory.Read.All |
| Read audit logs | AuditLog.Read.All | AuditLog.Read.All |
| Read sign-in logs | AuditLog.Read.All | AuditLog.Read.All |
| Read applications | Application.Read.All | Application.Read.All |
| Manage applications | Application.ReadWrite.All | Application.ReadWrite.All |
Important:
- Delegated permissions require user consent.
- Application permissions require admin consent (performed by a Global Admin or Privileged Role Administrator).
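To check what a token was actually granted against what a script needs, the sketch below decodes the token payload and compares its permissions with a required set. It is an added example, not code from the original article; the function names and the sample tokens are constructed for illustration, and decoding here is for diagnosis only (the signature is not verified).

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(claims):
    """App-only tokens carry permissions in `roles`, delegated tokens in `scp`."""
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "delegated", set(claims.get("scp", "").split())

def permission_gap(token, needed):
    """Return (token kind, permissions beyond `needed`, permissions still missing)."""
    kind, granted = granted_permissions(jwt_claims(token))
    needed = set(needed)
    return kind, sorted(granted - needed), sorted(needed - granted)

def constructed_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "constructed"])

# Constructed claims: a log-reporting app that was also granted app-management rights.
APP_TOKEN = constructed_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["AuditLog.Read.All", "Application.ReadWrite.All", "User.Read.All"],
})
USER_TOKEN = constructed_token({"aud": "https://graph.microsoft.com", "scp": "User.Read"})

if __name__ == "__main__":
    print(permission_gap(APP_TOKEN, {"AuditLog.Read.All"}))
    print(permission_gap(USER_TOKEN, {"User.Read", "AuditLog.Read.All"}))
```

A non-empty second element means the app registration holds more than the script needs; a non-empty third element is the usual cause of a 403 response.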
How to Get User Details with Microsoft Graph API
To fetch user details, use:
GET https://graph.microsoft.com/v1.0/users/{userPrincipalName}
Authorization: Bearer <access_token>
Example Response:
{
  "id": "7f123456-98ab-45c1-9cdb-abc123456789",
  "displayName": "Shivi Mehra",
  "mail": "shivi@cloudknowledge.in",
  "jobTitle": "Identity Engineer",
  "userPrincipalName": "shivi@cloudknowledge.in"
}
Use the $select query to limit properties:
GET https://graph.microsoft.com/v1.0/users/{id}?$select=id,displayName,mail,jobTitle
How to Get Audit and Sign-In Logs with Graph API
The Audit Logs and Sign-In Logs endpoints are powerful tools for security analysis.
Get Audit Logs
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits
Authorization: Bearer <access_token>
Filter results:
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDisplayName eq 'Add user'
Get Sign-In Logs
GET https://graph.microsoft.com/v1.0/auditLogs/signIns
Filter by date and status:
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2025-09-01T00:00:00Z and conditionalAccessStatus eq 'failure'
Tip: Always use $top or $filter to reduce payload size.
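The sign-in filter above contains spaces and quotes, so it has to be percent-encoded before it is sent. The following added example (not from the original article) builds that URL with validated inputs and then summarises Conditional Access failures per user; the function names and the sample records are constructed, and the records use documentation-range IP addresses.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlencode, quote

GRAPH = "https://graph.microsoft.com/v1.0"
CA_STATUSES = {"success", "failure", "notApplied"}  # conditionalAccessStatus values

def signin_query(since_iso, ca_status="failure", top=100):
    """Build the signIns URL with the OData $filter percent-encoded."""
    datetime.strptime(since_iso, "%Y-%m-%dT%H:%M:%SZ")  # reject malformed timestamps
    if ca_status not in CA_STATUSES:  # allowlist: never splice free text into a filter
        raise ValueError(f"unexpected conditionalAccessStatus: {ca_status!r}")
    flt = f"createdDateTime ge {since_iso} and conditionalAccessStatus eq '{ca_status}'"
    query = urlencode({"$filter": flt, "$top": top}, quote_via=quote, safe="$:'")
    return f"{GRAPH}/auditLogs/signIns?{query}"

def failures_by_user(signins):
    """Group Conditional Access failures by user: count, source IPs, target apps."""
    rows = defaultdict(lambda: {"count": 0, "ips": set(), "apps": set()})
    for s in signins:
        if s.get("conditionalAccessStatus") != "failure":
            continue
        row = rows[s["userPrincipalName"]]
        row["count"] += 1
        row["ips"].add(s.get("ipAddress"))
        row["apps"].add(s.get("appDisplayName"))
    # Most-blocked users first.
    return sorted(rows.items(), key=lambda kv: -kv[1]["count"])

# Constructed sample of the "value" array a signIns call returns (not real tenant data).
SAMPLE = [
    {"userPrincipalName": "user1@example.com", "ipAddress": "203.0.113.10",
     "appDisplayName": "Azure Portal", "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "user2@example.com", "ipAddress": "192.0.2.44",
     "appDisplayName": "Office 365", "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "user1@example.com", "ipAddress": "198.51.100.7",
     "appDisplayName": "Azure Portal", "conditionalAccessStatus": "failure"},
    {"userPrincipalName": "user2@example.com", "ipAddress": "192.0.2.44",
     "appDisplayName": "Office 365", "conditionalAccessStatus": "success"},
]

if __name__ == "__main__":
    print(signin_query("2025-09-01T00:00:00Z"))
    for upn, row in failures_by_user(SAMPLE):
        print(upn, row["count"], sorted(row["ips"]), sorted(row["apps"]))
```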
How to Get Application Details with Owners
The applications endpoint lets you retrieve app registrations and their owners.
Example:
GET https://graph.microsoft.com/v1.0/applications?$filter=appId eq '11111111-2222-3333-4444-555555555555'
To get owners of an application:
GET https://graph.microsoft.com/v1.0/applications/{application-id}/owners
Response:
[
  {
    "id": "9a8b7c6d-1234-4e8a-9cdb-5a6b9e3f1234",
    "displayName": "Admin User",
    "userPrincipalName": "admin@cloudknowledge.in"
  }
]
More Data You Can Access Using Microsoft Graph API
| Category | Example Endpoint | Description |
|---|---|---|
| Groups | /groups | List all groups |
| Devices | /devices | View registered devices |
| OneDrive Files | /me/drive/root/children | Get user’s OneDrive files |
| Teams Channels | /teams/{id}/channels | Fetch Microsoft Teams channels |
| Security Alerts | /security/alerts | Retrieve security alerts |
| Licenses | /subscribedSkus | Check tenant licenses |
| Policies | /policies/conditionalAccessPolicies | Get Conditional Access policies |
Advanced Graph API Features
- Delta Queries – Sync incremental changes only.
- Batch Requests – Send multiple queries in one call.
- Webhooks (Change Notifications) – Get alerts for new sign-ins or user updates.
- Beta Endpoint (/beta) – Access preview features (not for production).
Example Delta Query:
GET https://graph.microsoft.com/v1.0/users/delta?$select=id,displayName,mail
Best Practices for Using Microsoft Graph API
- Use Least Privilege: Request only permissions you need.
- Prefer Application Permissions for automation and scripts.
- Paginate Results: Use @odata.nextLink for large datasets.
- Error Handling: Implement retry and exponential backoff for 429 (rate limit).
- Secure Secrets: Store client secrets safely in Azure Key Vault.
- Monitor API Usage: Check API throttling limits for enterprise-scale apps.
- Use $select & $filter: Always narrow down data to improve performance.
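The pagination and 429 handling practices above combine into one loop, sketched here as an added example that is not part of the original article. The `send` transport, the function names and the two-page response script are constructed so the block runs offline; in a real script `send` would wrap an HTTP GET carrying the Bearer token.

```python
import time

def get_all(url, send, max_retries=5, sleep=time.sleep):
    """Follow @odata.nextLink until exhausted, retrying throttled (429) requests.

    `send(url)` is a hypothetical transport returning (status, headers, body_dict).
    """
    items = []
    while url:
        for attempt in range(max_retries + 1):
            status, headers, body = send(url)
            if status != 429:
                break
            if attempt == max_retries:
                raise RuntimeError(f"still throttled after {max_retries} retries: {url}")
            # Prefer the server's Retry-After hint; otherwise back off 1, 2, 4... seconds.
            sleep(float(headers.get("Retry-After", 2 ** attempt)))
        if status != 200:
            raise RuntimeError(f"Graph returned HTTP {status} for {url}")
        items.extend(body.get("value", []))
        url = body.get("@odata.nextLink")  # absent on the last page
    return items

def make_fake_graph():
    """Constructed two-page /users listing that throttles the first request for page 2."""
    first = "https://graph.microsoft.com/v1.0/users?$top=2"
    page2 = first + "&$skiptoken=CONSTRUCTED"
    script = {
        first: [(200, {}, {"value": [{"id": "a"}, {"id": "b"}], "@odata.nextLink": page2})],
        page2: [(429, {"Retry-After": "3"}, {}), (200, {}, {"value": [{"id": "c"}]})],
    }
    calls = []
    def send(url):
        calls.append(url)
        return script[url].pop(0)
    return first, send, calls

def demo():
    """Run get_all against the fake, recording waits instead of sleeping."""
    first, send, calls = make_fake_graph()
    waits = []
    users = get_all(first, send, sleep=waits.append)
    return [u["id"] for u in users], waits, len(calls)

if __name__ == "__main__":
    print(demo())
```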
Troubleshooting Common Graph API Issues
| Problem | Cause | Fix |
|---|---|---|
| 401 Unauthorized | Invalid token | Regenerate token or verify scope |
| 403 Forbidden | Missing permission | Add required API permission and grant admin consent |
| 404 Not Found | Invalid object ID or endpoint | Double-check endpoint path |
| 429 Too Many Requests | Rate-limited | Add retry logic |
| Slow response | Fetching too many attributes | Use $select to limit properties |
Conclusion
Microsoft Graph API is a game-changer for automating, reporting, and integrating with Microsoft Entra ID and 365 services.
It unifies multiple data sources, simplifies permissions, and provides a standard REST API surface for developers and admins.
With the right permissions and proper authentication, you can:
- Fetch user details
- Retrieve audit and sign-in logs
- Manage applications and owners
- Access security insights, devices, and more