Microsoft Graph is the gateway to data and intelligence in Microsoft 365. It provides a unified programmability model that you can use to access the tremendous amount of data in Microsoft 365, Windows 10, and Enterprise Mobility + Security. Use the wealth of data in Microsoft Graph to build apps for organizations and consumers that interact with millions of users.
To get used to Graph operations, Microsoft Graph Explorer is a good starting point that helps us analyze the request responses while invoking the Graph API; we explored it in an earlier article. In this article, we will see how we can use Postman to work with Graph API requests against an Office 365 tenant. In case you don’t have one, you can register for a free tenant under the Office 365 Developer Program.
Let’s head over to Postman and sign in. We can also use the desktop app; in case you don’t have one installed, you can get it from here. Sign in to the app and create a new workspace from the top menu. I have given a name for the workspace and set its visibility to Private, but you have the option to make the workspace public as well as shareable with selected team members.
Any changes made to the Web App will get reflected in the desktop app as well if you have signed in to the account.
You can find the Microsoft Graph Collection here. Specify the Label for the Collection that will be added to your workspace and select the recently created workspace from the drop-down.
Once the fork creation is successful, we can see it in the workspace, where we can expand the various nodes to explore the APIs under the Delegated and Application nodes.
To get started with using the Graph API in Postman, we need to generate a bearer token, which will take care of authentication against Azure AD as well as authorization to the respective resources that we are going to work with using the Graph API. To generate the token, let’s register an Azure AD application and perform the below steps in order:
- Fetch the Client ID and Tenant ID
- Generate the Client Secret and Fetch it
- Assign the appropriate permissions for Graph Resources
To register the application, head over to the Azure Portal and search for App registrations in the top search bar. From the App registrations window, click on “New registration” and fill in the registration page as follows:
- Name: <Name of the Application>
- Supported account types: Accounts in this organizational directory only
- Redirect URI: select Web from the dropdown and add the URL https://oauth.pstmn.io/v1/browser-callback
Click on Register to provision the application.
Successful registration will take us to the overview page, from where we will copy the Application (client) ID and Directory (tenant) ID, as we will be using them in Postman.
As the next step, head over to the Certificates & secrets section in the left pane and click on New client secret, which will open up the right pane where we can provide a description and expiry for the secret.
Click on Add and copy the secret from the Value column; we will be using it later in Postman. The value is shown only once, immediately after creation, so copy it before leaving the page.
As the next step, we will assign the permissions required to invoke specific Graph operations from Postman. Select the API permissions tab from the left pane and click on Add a permission.
As we will be working with Graph, select the option Microsoft Graph.
It will provide us the option to select either Delegated or Application permissions. If the application needs to run in the context of a signed-in user, we go with delegated permissions; if it has to run without a user context or sign-in, like an unattended console application, we go with application permissions.
For working with delegated permissions in a signed-in context, we select Delegated permissions and choose the User.Read permission, which lets us read the signed-in user’s own profile.
To test application permissions, we select the Application permissions section and choose the Sites.Read.All permission, which lets us get the SharePoint site details. Click on Add permissions to add them to the application.
We can see that the User.Read delegated permission does not require admin consent, as the user is only accessing their own information. But Sites.Read.All exposes organizational data to the application, and unless the admin is confident that the application uses it for a genuine purpose, the consent should not be granted. The consent is at the admin’s discretion, and without it access to the resource will not succeed.
Clicking on Grant admin consent for <tenant> will provide admin consent to the permissions.
Thus we have completed the Azure App registration. Now let’s head over to Postman.
Head over to Fork Environment to create a copy of the Graph environment in the workspace we created. Specify a label, make sure to select the workspace we created earlier, and click on Fork Environment.
In the forked environment, add the corresponding values for Client ID, Tenant ID and Client Secret, which we retrieved from the Azure application we created. Change the environment value in the dropdown from No Environment to M365 Environment and click on Save.
To call the Graph API to get the user profile details using delegated permissions, head over to the Collections tab in the left pane, click the Delegated folder, and select the Authorization tab. In the Configure New Token section, leave all the values as preconfigured and click on Get New Access Token.
As this is a delegated permission, we have to go through a login process to get the current user context, for which we get the authentication prompt of our Office 365 tenant.
Once you have selected the account and entered the password, the authentication handshake will be completed. Click on the Use Token button, which will automatically copy the token to the Access Token section in the Authorization tab.
Let’s test the delegated permission request by heading over to the User folder in the left pane and selecting Get my profile, which will auto-populate the REST method and URL. Click on Send to issue the request.
We can see that it has returned the Success Status 200 and the response which contains the personal user profile details.
To test the application permission request, head over to the SharePoint folder and select “Get my organization’s default site collection”, which will auto-populate the API URL https://graph.microsoft.com/v1.0/sites/root. Click on Send to issue the request.
We have received the success code 200 as well as the response detailing the root site collection.
The access token has a limited validity period; once it expires, requests return an Unauthorized (401) error. To overcome this, repeat the token generation process by heading over to the Authorization tab of the Delegated or Application folder and clicking on Get New Access Token.
Thus, we saw how to set up the Azure AD application for authenticating Postman to query the Graph API, and we tested delegated and application permission requests against a couple of Graph APIs already available in the collection. In case the API is not present in the collection, you can modify the URL in the address bar to one of your choice and test the request-response in Postman.
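As an added example that is not part of the original post (and not Postman’s or Microsoft’s code), this Python builds the same client-credentials token request that the Application folder sends, and decodes a token payload to show the `roles` versus `scp` claims behind the application/delegated distinction and the `exp` value behind the Unauthorized error. The tenant ID, client ID, secret and sample tokens are constructed placeholders; real tokens are issued and signed by Azure AD.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Tenant-specific v2.0 token endpoint of the identity platform.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
# ".default" requests every application permission consented on the app.
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Build the request Postman's Application folder sends: the client
    credentials grant, no signed-in user, permissions come from app roles."""
    return {
        "url": TOKEN_URL.format(tenant_id=tenant_id),
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,  # keep in an environment variable, never in the collection
            "scope": GRAPH_DEFAULT_SCOPE,
        }),
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token, now=None):
    """Decode (without verifying) a Graph access token payload to see which
    permissions it carries and whether it has expired. Graph, as the resource
    server, verifies the signature; this is only for debugging 401s."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    return {
        # Application tokens carry 'roles'; delegated tokens carry 'scp'.
        "kind": "application" if "roles" in claims else "delegated",
        "permissions": claims.get("roles") or claims.get("scp", "").split(),
        "expired": claims["exp"] <= now,
        "seconds_left": int(claims["exp"] - now),
    }


def make_constructed_token(claims):
    """Build an UNSIGNED sample token (constructed for this example only) so
    inspect_token() can be exercised offline; Graph would reject it."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])
```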