Microsoft Graph API Deep Dive - European SharePoint ...
Microsoft Graph API Deep Dive
Donald Hessing
Lead Architect, Capgemini, The Netherlands
Microsoft Certified Master (MCM)
Agenda
• Introduction to Microsoft Graph API
• What is now and what is new in GA and Preview
• Authentication - Single Sign On and Caching
• Demos (SharePoint, Planner, Excel, Insights)
• SharePoint Add-ins versus Microsoft Graph
Introduction: Microsoft Graph API
Office 365 by the numbers
Office platform: what can I build?
Before Microsoft Graph
• Many different APIs to access data
• Separate auth stacks for work and personal accounts
Microsoft Graph API
https://graph.microsoft.com/
Unified API Style & Single Endpoint: https://graph.microsoft.com
| Operation | Service Endpoint |
|---|---|
| GET my profile | https://graph.microsoft.com/v1.0/me |
| GET my files | https://graph.microsoft.com/v1.0/me/drive/root/children |
| GET my photo | https://graph.microsoft.com/v1.0/me/photo/$value |
| GET my mail | https://graph.microsoft.com/v1.0/me/messages |
| GET my calendar | https://graph.microsoft.com/v1.0/me/calendar |
| GET my manager | https://graph.microsoft.com/v1.0/me/manager |
| GET group conversations | https://graph.microsoft.com/v1.0/groups/<id>/conversations |
| GET files trending around me | https://graph.microsoft.com/v1.0/me/insights/trending |

Every call is an HTTPS request to the same host carrying an Azure AD access token in the Authorization: Bearer header; which of these succeed depends on the permissions the token was issued with.
What’s been GA over the last year?
• Azure Active Directory
• Outlook mail, calendar and contacts
• Office 365 groups and conversations
• OneDrive drives and files
• WebHooks for Outlook data
• SharePoint & LiveID profiles
What’s new in GA?
• Excel API
• WebHooks for OneDrive
• Extend Graph with your own LOB info for Outlook
• FindMeetingTimes scheduling API
What’s new in Preview?
• SharePoint Sites and Lists
• Hybrid on-premises support for Outlook
• @Mentions social gestures
• Simpler query syntax without $
• OneDrive large file upload
• Azure AD
  • Administrative Units
  • Invitation Manager
  • Privileged Identity Management
  • Identity Protection
  • Application Proxy

Coming Soon
• Delta queries for Outlook and Azure AD
• Intune API
• Office 365 Reports
Graph, Graph, Graph
• Open Graph
• Microsoft Graph
• Azure AD Graph
• …
Microsoft Graph Authentication
Azure Active Directory and Office 365
• Single auth flow for O365
  • Sign users in using OpenID Connect
  • Azure AD, Exchange, SharePoint, Yammer, OneNote
  • Device apps, web sites, SPAs, and service apps
  • Admin and end-user consent
• Secure protocol
  • OpenID Connect and OAuth 2.0
  • The application never sees or stores user credentials; sign-in happens at Azure AD
  • Fine-grained access scopes
  • Supports MFA and federated user sign-in
  • Long-term access through refresh tokens
Consent
User Consent
• Consent is provided by the user
• Any user in the organisation can install the application
• Enabled by default, but can be switched off by the Office 365 administrator

Admin Consent
• Consent is provided by an Office 365 Global Administrator; no other role can grant it
• Consent is given on behalf of all users in the organisation

Because a single user's consent is enough to hand a multi-tenant application a refresh token for that user's data, tenants that leave user consent enabled should restrict which permissions users may grant on their own.
Register your Application
1. Sign in to the Azure Management Portal
2. Create a new application
3. Select the scope (Multi-Tenant)
4. Generate a client secret (web apps only)
5. Get the Client ID
6. Add redirect URLs
7. Select permissions
DEMO: App Registration
Authentication to Office 365

Participants: Your Application, Azure AD Authorization Endpoint, Azure AD Token Endpoint, Office 365 API

1. Your application requests an authorization code from the Azure AD authorization endpoint.
2. The user signs in via a browser pop-up.
3. Azure AD returns the authorization code to your application.
4. Your application redeems the authorization code at the Azure AD token endpoint and acquires an access token for the Office 365 resource.
5. The token endpoint returns id, access, and refresh tokens.
6. Your application calls the Office 365 API using the access token.
7. The API returns the HTTP response.
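The flow above, as an added example (not code from the talk): a web application builds the step-1 authorization request against the Azure AD v1 endpoint, checks the callback in step 3, and redeems the code with ADAL .NET in step 4. It also shows the admin-consent variant of the request from the consent slide. The tenant, client id, secret and redirect URI are placeholders, and the `PendingStates` set stands in for whatever session store a real app binds the `state` value to.

```csharp
// Added example, not from the deck. NuGet: Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL 3.x).
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class GraphSignIn
{
    // Placeholders: the real values come from the app registration and a secret store, not source code.
    const string Tenant        = "common";                                  // multi-tenant; use the tenant id to pin one tenant
    const string ClientId      = "00000000-0000-0000-0000-000000000000";
    const string ClientSecret  = "<read from your secret store>";
    const string RedirectUri   = "https://localhost:44300/signin-oidc";     // must match a registered Redirect URL exactly
    const string GraphResource = "https://graph.microsoft.com";             // the v1 endpoint scopes tokens by resource

    static readonly string Authority = "https://login.microsoftonline.com/" + Tenant;

    // 'state' values we issued and have not seen back yet. Bind these to the user's session in a real app.
    static readonly HashSet<string> PendingStates = new HashSet<string>();

    // Step 1: build the authorization request. 'state' is fresh, unguessable, and must be echoed back;
    // that is what stops a forged callback from signing the victim into an attacker-controlled account.
    // prompt=admin_consent asks a Global Administrator to grant the permissions for the whole tenant
    // instead of only for the user who signs in.
    public static string BuildAuthorizeUrl(bool adminConsent)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string state = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        PendingStates.Add(state);

        string url = Authority + "/oauth2/authorize"
            + "?client_id=" + Uri.EscapeDataString(ClientId)
            + "&response_type=code"
            + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri)
            + "&resource=" + Uri.EscapeDataString(GraphResource)
            + "&state=" + state;
        if (adminConsent) url += "&prompt=admin_consent";
        return url;
    }

    // Steps 3 and 4: the browser returns to RedirectUri with ?code=...&state=...
    // Refuse anything whose state we did not issue, then redeem the code server-side with the
    // client secret. The code is single-use and short-lived; the secret never goes to the browser.
    public static async Task<AuthenticationResult> HandleCallbackAsync(string code, string state)
    {
        if (string.IsNullOrEmpty(state) || !PendingStates.Remove(state))
            throw new InvalidOperationException("state mismatch: forged or replayed callback");

        var ctx  = new AuthenticationContext(Authority);   // default shared in-memory TokenCache; web apps want a per-user cache
        var cred = new ClientCredential(ClientId, ClientSecret);
        AuthenticationResult result = await ctx.AcquireTokenByAuthorizationCodeAsync(
            code, new Uri(RedirectUri), cred, GraphResource);

        // result.UserInfo is parsed from the id_token the token endpoint returned over TLS.
        // ADAL does not verify the id_token signature; that is acceptable here only because the
        // token came straight from the token endpoint, not through the browser.
        Console.WriteLine("Signed in {0} (tenant {1}); access token expires {2:u}",
            result.UserInfo.DisplayableId, result.TenantId, result.ExpiresOn);
        return result;   // result.AccessToken goes in "Authorization: Bearer ..." to graph.microsoft.com
    }
}
```

The refresh token returned in step 5 is held inside the ADAL TokenCache; how that cache is persisted is the subject of the next slide.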
Caching ADAL Tokens
• 1. ADAL needs to check the cache to see if there is already an access token for resource1 obtained by client1, or a refresh token good for obtaining such an access token (plus whatever other private heuristics you don’t need to worry about). Right before it reads the cache, ADAL calls the BeforeAccess notification. Here you have the opportunity to retrieve your persisted cache blob from wherever you chose to save it and pump it into ADAL.
• 2. As we said, this is the first time the application runs, hence the cache will (typically) be empty. ADAL therefore pops up the authentication UX and guides the user through the authentication experience. Once it obtains a new token it needs to save it in the cache, but right before that it invokes the BeforeWrite notification.
• 3. After ADAL has added the new token to its in-memory copy of the cache, it calls the AfterAccess notification. That notification is in fact called every time ADAL accesses the cache, not just when a write took place; however, you can always tell whether the current operation resulted in a cache change, as in that case the property HasStateChanged will be set to true. If that is the
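The three notifications wired up in code, as an added example (not from the deck): an ADAL .NET TokenCache subclass that persists the serialized cache per user. The blob contains refresh tokens, i.e. long-lived credentials, so it is encrypted with DPAPI under the current user's profile before it touches disk. The file location is an assumption.

```csharp
// Added example, not from the deck. NuGet: Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL 3.x);
// ProtectedData lives in System.Security.dll on .NET Framework.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class ProtectedFileTokenCache : TokenCache
{
    private readonly string _path;
    private static readonly object FileLock = new object();

    public ProtectedFileTokenCache(string path)
    {
        _path = path;
        BeforeAccess = BeforeAccessNotification;   // 1. fires right before ADAL reads the cache
        BeforeWrite  = BeforeWriteNotification;    // 2. fires right before ADAL adds a new token
        AfterAccess  = AfterAccessNotification;    // 3. fires after every read or write
    }

    // 1. Pump the persisted blob into ADAL so it can find an existing access or refresh token.
    // DPAPI CurrentUser scope means a copy of the file is useless to another user or another machine.
    private void BeforeAccessNotification(TokenCacheNotificationArgs args)
    {
        lock (FileLock)
        {
            byte[] state = null;
            if (File.Exists(_path))
                state = ProtectedData.Unprotect(File.ReadAllBytes(_path), null, DataProtectionScope.CurrentUser);
            Deserialize(state);   // null leaves the in-memory cache empty
        }
    }

    // 2. Nothing to load here (BeforeAccess already did); this is the hook for a cross-process
    // lock if several processes share one cache file.
    private void BeforeWriteNotification(TokenCacheNotificationArgs args) { }

    // 3. Called after every access. Persist only when the in-memory copy actually changed,
    // then reset the flag so the next access starts clean.
    private void AfterAccessNotification(TokenCacheNotificationArgs args)
    {
        if (!HasStateChanged) return;
        lock (FileLock)
        {
            byte[] blob = ProtectedData.Protect(Serialize(), null, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(_path, blob);
            HasStateChanged = false;
        }
    }

    // Usage: hand the cache to the AuthenticationContext; every AcquireToken* call goes through it.
    public static AuthenticationContext CreateContext(string authority)
    {
        string path = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
            "MyGraphApp", "adal.cache");                     // assumed location
        Directory.CreateDirectory(Path.GetDirectoryName(path));
        return new AuthenticationContext(authority, new ProtectedFileTokenCache(path));
    }
}
```

For a web server application the same pattern applies with a per-user key (session or database row) instead of a file, and "clear the TokenCache" on the next slide means deleting exactly this blob.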
Revoke User Consent
Native Applications
• Consent is part of the refresh token and is typically stored on the device
• Revoking consent typically means uninstalling the application or clearing the TokenCache

Web Server Applications
• Consent is stored in Azure Active Directory and is not part of the refresh token
• Users can revoke consent at http://myapps.microsoft.com
DEMO: SharePoint Sites
DEMO: Planner
DEMO: Excel
DEMO: Trending Around Me
App Only Operations
Azure AD App Only with Microsoft Graph
• Previously, background operations were done with an ACS client ID / client secret
• Azure AD App Only provides:
  • A more secure way of doing background operations, using a certificate trust relationship instead of a shared secret
  • Consumption of other services than just Microsoft Graph
  • Multi-tenant scenarios
App Only - Certificate
• Requires a certificate for authentication
• Azure AD gets the public key
• The app keeps the private key
• Use trusted certificates for production, issued by a well-known Certificate Authority
• Self-signed certificates can be used for dev/test (MakeCert.exe)
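The certificate-based app-only call end to end, as an added example (not the demo code from the talk): load the certificate by thumbprint from the user's store so the private key never leaves the machine, print the two values Azure AD needs in the app manifest's keyCredentials entry (this is how the public key reaches Azure AD), then let ADAL .NET build and sign the client assertion and call Microsoft Graph. Tenant, client id and thumbprint are placeholders; the app is assumed to have been granted an application permission such as User.Read.All with admin consent.

```csharp
// Added example, not from the deck. NuGet: Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL 3.x).
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class GraphAppOnly
{
    // Placeholders. App-only tokens are issued per tenant, so "common" is not an option here.
    const string TenantId      = "contoso.onmicrosoft.com";
    const string ClientId      = "00000000-0000-0000-0000-000000000000";
    const string Thumbprint    = "0123456789ABCDEF0123456789ABCDEF01234567";   // cert whose private key this host holds
    const string GraphResource = "https://graph.microsoft.com";

    // Look the certificate up by thumbprint; the key provider signs on our behalf and the
    // private key is never exported or copied into the process.
    static X509Certificate2 LoadCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (hits.Count == 0)
                throw new InvalidOperationException("certificate not found: " + thumbprint);
            var cert = hits[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("certificate has no private key, so the app cannot sign");
            return cert;
        }
        finally { store.Close(); }
    }

    // Values for the keyCredentials entry in the app manifest (type "AsymmetricX509Cert",
    // usage "Verify"). Only the public certificate goes to Azure AD, as the slide says.
    public static void PrintKeyCredentialForManifest(X509Certificate2 cert)
    {
        Console.WriteLine("customKeyIdentifier: " + Convert.ToBase64String(cert.GetCertHash()));    // SHA-1 thumbprint, base64
        Console.WriteLine("value:               " + Convert.ToBase64String(cert.GetRawCertData())); // DER certificate, base64
        Console.WriteLine("keyId:               " + Guid.NewGuid());
    }

    public static async Task<string> ListUsersAsync()
    {
        X509Certificate2 cert = LoadCertificate(Thumbprint);
        var ctx       = new AuthenticationContext("https://login.microsoftonline.com/" + TenantId);
        var assertion = new ClientAssertionCertificate(ClientId, cert);

        // ADAL builds a short-lived JWT (iss = sub = ClientId, aud = the token endpoint, x5t = thumbprint),
        // signs it with the private key and posts it as client_assertion with grant_type=client_credentials.
        AuthenticationResult token = await ctx.AcquireTokenAsync(GraphResource, assertion);

        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
            // No user context: what comes back is governed solely by the app's application permissions.
            return await http.GetStringAsync(GraphResource + "/v1.0/users?$select=displayName,userPrincipalName&$top=5");
        }
    }
}
```

Compared with the ACS client ID / secret approach, compromise of a build log or config file no longer yields a working credential; an attacker needs the private key, which can sit in a non-exportable store or an HSM.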
DEMO: App Only calls with Microsoft Graph
Microsoft Graph versus SharePoint App Model
What makes SharePoint Add-ins different?
SharePoint versus Graph
Calling from SharePoint App
DEMO: Calling Microsoft Graph from a SharePoint App
Key takeaways
• Microsoft Graph provides a single API endpoint, including discoverability of Office 365 services
• It is not a replacement for existing APIs like CSOM and Exchange Web Services
• Great for composed device applications that span services behind a single endpoint
• For more advanced scenarios, service-specific APIs like SharePoint CSOM are still required
• Microsoft Graph is protected by Azure AD, whereas SharePoint CSOM relies on ACS