MS Build SK108 Microsoft Graph data and services – a deep dive for developers



Hi everyone, my name is Yina Arenas. I am a program manager on the Microsoft Graph team, and today I'm here with Darrel. Hi, I'm Darrel Miller, I'm a PM, I work for the email and developer experience team. Today we're going to talk about Microsoft Graph, a deep dive for developers, so let's get started.

OK, so here are the key takeaways for today. First, we're going to learn about how to use Microsoft Graph to power your app experiences, what are the types of apps that you can build with Microsoft Graph, and then the tips and best practices that you can use while using Microsoft Graph in your applications. So without further ado, let's get started with what is Microsoft Graph.

I want to post a definition for what is Microsoft Graph. Microsoft Graph is the Microsoft 365 data that describes the patterns of productivity, identity and security in an organization. It is this fabric of interconnected data that has all the patterns and virtuous cycles between the people and the content and the signals of all the activity that they do in our services. So all that interconnected data is what is behind Microsoft Graph. Now, it is for individual users and also for organizational users. So if you think about all of the data that we have on the service, or the different types of experiences that we have in Microsoft 365, whether it is in Exchange or SharePoint or Azure Active Directory or Planner or OneNote or Excel or Intune or Windows, all of these different sets of services and all of this organizational data is exposed in Microsoft Graph.

Now Microsoft Graph of course powers Microsoft 365 experiences, and I'm going to share with you three experiences in Microsoft 365 that are powered by Microsoft Graph. Let's start with Microsoft Teams. Microsoft Teams offers a single pane for collaboration and productivity. You will see the calendar information, the conversations, the files that you have in OneDrive, the profile information; all of these experiences are actually powered by Microsoft Graph. Now the next one is Delve. Delve provides all of the experience and insights for the user organization. It allows users to personalize and access the profile information, and also presents customers with contextual information about the people that they work with and the files that are relevant to them because of their working group. So all of these experiences are powered by Microsoft Graph and calculated based on the activity of the users in our service. Now the third experience is Microsoft Search. The new Microsoft Search experience is actually powered by Microsoft Graph; it is constantly federating search across office.com and SharePoint and Bing and Windows, across all of these Microsoft 365 canvases, and it is using Microsoft Graph to power all of these experiences. So those are the three examples of how we use Microsoft Graph in Microsoft 365 experiences, and we also have many more, because Microsoft Graph powers Microsoft 365, whether it is with Office 365, Windows 10 or the Enterprise Mobility and Security suite; Microsoft Graph is the data that powers all of these experiences.

Now the other thing is that Microsoft Graph can power your application experiences. At Microsoft we actually build products and services that cater to a wide range of customers. We have industry verticals for every walk of life, whether it is consumer or commercial. Actually, the same Outlook that my kids use at school is also used by paralegals in the legal industry, or by healthcare workers and medical professionals in the healthcare industry, or by retail or marketing; all of these different uses for the same tool, yet their needs for productivity are very different. So at Microsoft we actually rely on our partners to help us tailor those experiences, customized to the specific needs that our customers have. So your tailored experiences actually help us achieve that.

Now, the set of data that you can access across Microsoft Graph spans across different centers of gravity, so whether it is productivity or communication or security or education or organization and management or content management, all of these are data sets that are available. So when we talk about communication, for example, we have all of the meetings and chat messages and email conversations that are happening on the different sets of services; all of that is exposed in Microsoft Graph. When it comes to productivity, we talked about all of the different calendar information and files, and the activity of the users in the service. All of these are centers of gravity for the data.

Now, in order to really see what Microsoft Graph makes possible, I'm going to roll the video of what Bill is doing today. So Biddle is an ISV based in Iceland, and they have created an application on top of Microsoft Teams that uses Microsoft Graph extensively. Their application is supporting remote learning for multiple schools across Europe, and it's helping them with remote learning, as I mentioned before. So let's take a look.

"Hi. We've been creating educational solutions within Microsoft Teams. Thanks to Microsoft tools and technologies we were able to develop features that meet the needs of today's classrooms. Microsoft Graph and the Graph Toolkit are part of the set of tools we use, and they have made our product development much easier and faster. The class list is a good example, where we use Microsoft Graph to pull in data from the education roster and build classes with the users, and use data such as emails and photos so teachers and students can interact easily. It also provides the data for some of our class functionalities, and we use the Graph for teachers to create and start online class meetings with the students. The person card is the latest component we've implemented from the Microsoft Graph Toolkit, and we're currently customizing it; the toolkit team has done a great job to make it simple to implement and extend. In our planning module we've used the Files API and SharePoint APIs to enable creation and management of all Microsoft 365 documents in a single place. I hope you're all having a great Microsoft experience."

Now that we've seen a partner use Microsoft Graph in their application, let me show you how you can get started in less than three minutes. I'm going to go to the Graph developer portal at graph.microsoft.com, then we're going to click on Getting Started. After clicking on Getting Started I'm going to select the .NET framework, then I'm going to be presented with a set of experiences that I can use, including this Quick Start, in which we can be up and running in less than three minutes. I'm going to keep the language selection for my platform, pick the platform, I'm going to keep .NET, and then I'm going to go and register an application and get the secret. So this is going to do it for me. I'm going to go back and paste it into my Quick Start, and then the Quick Start is going to create a project with all of this information that I'm going to be able to download. I'm going to provide feedback, because it's always good to give feedback to the tools, and then I can go and look at this downloaded package, and the rest is just running Visual Studio.

Now I've already unzipped the package and run it. This is the same code; you can see that I'm using all of the references, and the only thing that I've added here differently is that I've added a couple of breakpoints. Now, after building the project, let's try to run it, and what we're going to see is that it's going to load; this is an ASP.NET web application. When I click Sign In it is going to prompt me for selecting the account that I want to use. I'm going to pick this one, which is my demo account, and then it's going to hit the breakpoint. This is the breakpoint where I'm creating the graph client with my SDK, and it is making the request to my user profile to get my name that is going to be displayed in the application. Now, if I want to get to my calendar, we're going to hit the second breakpoint, and this actually is using again the .NET SDK to bring all of my calendar information, so these are the meetings that are currently on my demo account calendar. Now, if I want to extend this example and say, for example, add information about the files that I have in my OneDrive, let's stop the project, and then what I'm going to do is select this code and copy it so that I can create a new class. Instead of getting an event, I'm going to get a drive item, so let's select DriveItem here, and then it's going to return actually drive items, so let's change that, and this time around I am going to actually remove this code that is calling for events, and then what I'm going to return is a collection of children, so I'm going to change that.

Now, in order to get to the code that I need to make this request, I'm going to go back to the portal and go to Graph Explorer. So Graph Explorer has this set of sample queries, and I'm going to select the one for my drive. Now I can see that when I run the request I get all the information for my request, and I can pop out the preview of that, including the response headers, the adaptive card rendering and the code snippets. So it's very simple: I'll just copy the code snippet and then bring it back to my project. Now I'm going to paste it here; I already had a graph client, so I'm going to go and remove that, and then voila, I have a class ready that is interacting with my OneDrive files and enumerating them, and I can bring the views to bring that back into my application. So that's how simple you can get started and add an
additional code that calls Microsoft Graph. So with that in mind, let me go back to the definition and complement it. So Microsoft Graph is also the access to a set of tools that enable you to build productivity apps that integrate with Microsoft 365. So let's focus on that: apps, tools and data. The apps are the ones where you can extend our own experiences or you can create your own. Tools we have for developers, for citizen developers and for IT pros, and the data is all the data in Microsoft 365. So if we look at these three concepts, apps, tools and data to access Microsoft 365, let's go over them. I'm going to start first with data.

So we have over 23 million nodes of data across users, groups and organizations in Microsoft Graph. But at Microsoft we actually don't own this data; this is your data, and we actually provide a service to it. So it's important to know that it is actually your data and not Microsoft data. However, it's also important to know that there are four boundaries across the data that Microsoft Graph has for each organization. So the data does not cross organizational boundaries; for example, the data from Contoso does not cross boundaries with the data from Fabrikam unless it is explicitly configured to do so. And third, any access to data requires consent, so callers must be authenticated and must have the right level of authorization granted for that application. For example, if I want an application that accesses my calendar information, it will need to specifically request that permission and the permission scope, which is Calendars.Read, and then the owner of that calendar data can consent and grant the application access to it.

Now, in terms of the data available in Microsoft Graph, there are several popular data sets that we see, and we have large applications that integrate with them, like mail, files, calendars, groups, conversations, tasks, teams and more. And actually there's a lot of data in Microsoft Graph; there are over 5,000 APIs, and I have some of these data sets listed here, but it's actually many, many more, and this is all of the data that, back to what I was saying before, powers the Microsoft 365 experiences.

Now let's look at the tools. Again, we have tools for developers, for citizen developers and for IT pros, and I'm going to start with the tools for developers. In that case we have interfaces, SDKs and components. In interfaces we have the Microsoft Graph API, which basically is an HTTP API that allows you to get transactional data, and Microsoft Graph Data Connect and connectors, which allow you to move data in and out of Microsoft Graph to power different experiences; we'll take a look at that in a second. Then we have libraries in a variety of languages, and we have UX components with the Microsoft Graph Toolkit that you can bring into your application with just a couple of lines of code.

So let's get started with the Graph API. So the Microsoft Graph API, as I mentioned, is an HTTP API; it's basically JSON-formatted requests and responses that give you access to all of the user, group and organizational information across all services that are part of Microsoft 365. So whether that's Azure AD or Exchange or SharePoint or Intune or Windows and all of the different services that we have across the entire suite, you can access all of the different schemas for that data using the API. This is a transactional API; you hit a single endpoint, graph.microsoft.com, and you access it with one authorization token.

Next, connectors. So first I'm going to talk about Microsoft Graph Data Connect. Microsoft Graph Data Connect is a pipeline that allows you to securely move bulk data from Office 365 into Azure. So we have all the data, and then we have all the Azure tooling that you can use to process that data. If you're building a set of insights applications or analytics applications, they actually require a different kind of data. This is not transactional data; this is data that you require as snapshots over a period of time, and this is the type of thing that you can do with Data Connect: move all of that data into Azure Data Lake and then process it with all the Azure tooling to generate insights. So for example, if you want to know who knows what in their organization, or to join that data with other data that you have externally from your line-of-business services, and then create all those connections between people and data, kind of the things that we do internally in Microsoft 365, for that you can use Microsoft Graph Data Connect.

Then the Microsoft Graph connectors. So Microsoft Graph connectors allow you to index your own data into Microsoft Graph. Whereas Microsoft Graph Data Connect allows you to move data out, Microsoft Graph connectors allow you to bring data in, and then it participates in Microsoft 365 experiences; in this case it participates in Microsoft Search. So actually let's see a demo on how we are using the indexing API to bring in data and have it participate in the Microsoft Search experiences.

In this demo I'm going to start in office.com and make a search request. If you notice, there is a column here that is called Products; well, this is an additional vertical that I've added. So let's get rolling, and the first thing that we're going to do is, if I click on Products, well, I don't have any information, and I can go to the admin center and configure a result type. Now after I do the configuration, like selecting the content from the connections that I have, I can select the rules and the layout; so here we're using adaptive cards to see the results displayed in the actual search experience. Now I'm going to go into Postman, and first I'm going to query the set of connections that we have. So remember I have two connections here; when the request comes back I'm going to see the products catalog information and the Contoso HR connection. We're going to be adding data to the products catalog information, so let's first see the schema on that connection. So I'm going to query that, and then I'm going to see all of the different entities that we're going to be adding to that particular schema: product, image, description. Now let's try to see if there are already any items in that particular index; so there are no items, we get an item not found response. And the thing that we're going to do right now is iterate over the indexing API to add all of that information. So we're going to do it with this little run; I'm going to select it and the API that we're going to run, which is going to be the indexing protocol. I'm going to switch my environment variables and then I'm going to bring in a file where I have all the information; in this case I have a lot of information on toys for Microsoft. I'm going to load that file and then I'm going to run it. Yeah, at this point it is adding and indexing all of this information, and then it's going to be able to participate in the search experience. So if I go back to Postman, I can go back to making that query, and now I'm going to see that in the body I'm going to query for all the different items that there are on this products catalog connection. If I run this request, now all of the items that we have indexed are going to appear right here in the search experience. Now let's go and query for one of these items. Going back to office.com, if I query, for example, for that item "zombie", now we're going to see that actually that's going to come back, and this is one of the items that we just uploaded. And I can also query for all the items that we indexed, and they're right there. In SharePoint we can also get the same experience. Now this is how easily you can use our connectors to bring in data from external services, whether it is a line-of-business service or another file share or another cloud service, and bring it into Microsoft Graph so that it can participate in all of these Microsoft Search experiences.

Now the next thing that I want to talk about is our libraries. So we have SDKs across a variety of different languages, and then, as we saw earlier, we have these three-minute quick starts where you can use the SDKs, or we have step-by-step 30-minute tutorials also using the SDKs, whether it is using .NET or Java or Objective-C or JavaScript or even PowerShell. We have all these different experiences and libraries that you can use to power your application.

And then finally we talked about the components. So for components we have our Microsoft Graph Toolkit, which is a collection of framework-agnostic web components that are powered by Microsoft Graph. They work with any framework, and then you can use them in web applications or in Teams tabs or in SharePoint web parts. Let me show you actually our playground for the Microsoft Graph Toolkit and see how you can get started adding Microsoft Graph Toolkit components into your applications. So this is mgt.dev, which is the Microsoft Graph Toolkit playground. The first component that I want to show you is the sign-in component. As you can see, you can add it with one line of code, which is just simple HTML where you reference the component, and then the users will be able to use this control to sign in to your web application using their Microsoft 365 identities. So here we have Megan Bowen signed in, and let's see some other things that you can do. So we can have People as a control, and then you can also have Person Card and Agenda and Login and all of that. Let's take a look at the Person card. So Person is going to give me profile information from Microsoft Graph, and it's going to be rendering that information in a way that it looks and feels like it belongs to the Microsoft 365 experiences. And then I can also go and extend that and template the person card with additional details. So imagine that you want to bring information into the profile card, maybe connecting with your HR system or any other line-of-business system in your company; you can add that additional information right here into the card with just simple HTML. So let's go back to the deck, and this is again the Microsoft Graph Toolkit: simple framework-agnostic web components that you can add with one line of code.

Now, if you're not a developer, well, we also have tools for
you. So we have Power Apps and Power Automate and all of the Power Platform to build automated workflows, to build business processes, and then we have PowerShell as well. Then, whether you're a professional developer, a citizen developer or an IT admin, you can use these to interact with all the data in Microsoft Graph.

Now let's talk about the applications that you can build. There are two things: one, applications that extend Microsoft 365 experiences, whether it is using add-ins for documents or conversations, Teams tabs or bots or message extensions; or applications where you build your own experience separately, like your own web application or your own bot or a device app or a daemon application. Now all of that together creates the Microsoft 365 platform, and we're offering this platform to build people-centric and productivity-, identity- and security-focused experiences that increase the engagement of your application. Now the foundation of this platform is of course Microsoft identity, where we have all of the identities of the users across work and school and life, for all the users that we have in our service, and for developers it offers the standards-based auth libraries that you can use to do sign-up, sign-in, single sign-on and OAuth that enables access to the data in Microsoft 365. Then we have Microsoft Graph, which is the gateway for your customers' data in the Microsoft cloud, primarily in Microsoft 365, and Microsoft Graph provides the core schema for many of the most important productivity data types. Microsoft Graph offers the REST API that enables transactional access for all these applications that we were talking about, whether it is your own experiences or those that extend the Microsoft 365 experiences, and it also offers connectors. Now the first one is Data Connect, which allows you to bring bulk data out of Microsoft 365 into Azure to power all your analytics applications, and the second one is Microsoft Graph connectors, which allow you to bring data into Microsoft 365 to participate in our experiences like Microsoft Search.

So I'm going to wrap up: Microsoft Graph is the data that describes the patterns of productivity, identity and security in your organization. You have a variety of tools to access that data that enable you to build apps that integrate with Microsoft 365. Now there are always new things coming to Microsoft Graph, so in order to keep up to date with what's going on and all of the Build announcements that we have for 2020, I recommend that you go to aka.ms/offweb sleep. Now we're going to switch gears and we're going to see a series of tips and tricks that you can use to become a ninja coder with Microsoft Graph. Go ahead, take it off.

Thank you very much, Yina. We have seven tips and tricks to be able to become a better Graph application developer, and we're going to start with Graph Explorer again. Now I know Yina already showed a little bit of a demo of Graph Explorer, but we're going to dig a little bit further into Graph Explorer to understand the things you can do as an application developer when you are using Graph Explorer. It's not just about learning how to use Graph from the beginning; it's also about, while you're working with the application, you want to call a new API, and you can use the Permissions tab to discover what consent, what scopes are needed in order to be able to call it. And if you're having problems getting your app to call out, you're having some kind of authorization problems, don't worry, go back to Graph Explorer and you can make a call, get it successful in Graph Explorer, grab that token and then copy that token into your app and test for authorization problems. Don't forget to test both consumer and commercial accounts; sometimes the behavior is a little bit different whether you're using an outlook.com account or whether you're using an enterprise account. You can get it working in Graph Explorer and then come back and test it in your application. And there's another very handy little header that you can add in Graph Explorer: by adding the Accept header with this value you get all kinds of additional metadata coming back to you, so that you can see things like navigation properties and all kinds of other things to learn what other things you can do from the data that you have got back from Graph Explorer.

So here we have the set of standard Graph operations. Now, the thing that we try and do in Graph is you'll recognize the set of CRUD operations: going in, getting a list of collections, going and getting a member of the collection. It shouldn't really be anything new there, and that's our intention; we're trying to use the principle of least surprise and allow people to do the things that they're used to doing. So if you want to create a new thing you can POST to a collection; if you want to update it, you can either PATCH to update just a few values or you can do a PUT to change the complete value, and of course deleting is just as easy as you would expect it to be. But there are some other operations that are quite interesting on the Graph. We have the notion of actions and functions, and the difference here is actions could be what we call unsafe operations; they might make changes to
your data so in this case we’re verifying to see what their domain is correctly and we use the post to indicate that it might be unsafe there’s also functions which use get and they allow you to retrieve a set of data in a slightly more customized way you can see here we’re searching and providing a parameter in order to search for messages or data in your drives that have the word keyword graph in there and the one thing to know about functions is the data that actually comes back might not be formatted in your standard entity format yeah we have the freedom to return different shape data coming back from there which brings us the last two operations here navigation and batch these are more performance related navigation is interesting because here we’re trying to get the primary channel from a team well in many HTTP API is what you’d have to go and do is go and retrieve the team entity and then go and look in there and find the primary channel ID and then make a second callback this is one of the criticisms that graph QL folks will make about HTTP is I have to make multiple round trips in order to be able to get a single piece of data while using these navigation properties you can make a single request and be able to get back those related entities and this works for any many to one or one to one type of relationships and batch is another scenario where you might want to get access to the users information and also maybe their profile information and the events on the calendar you can bundle these up into a single request and make one round trip in order to get that data so digging a little bit deeper into put and patch and post so sometimes when you’re making these requests you doing an update you’re doing a crate you want to get back the information that has been updated by your request maybe the server added some additional information in there and so you want to get back that data that you’ve just changed other times maybe you do get an import operation so 
you’re bringing in lots of information that you don’t really care you know that that data is getting saved so what you want to do is use a special header called the prefer header and when you provide the prefer header and set return equals minimum minimal what you’re telling the server to do is yeah you’ve got that data I don’t need to see it updated don’t bother returning back any information and that saves bytes over the wire and this is one of many ways that we could save performance so the next example is using batch example batch to save performance I mentioned it before but this is what you would have to do you create a request you use our batch endpoint and you create a JSON array of requests to say all the different requests that you want to make and then what that returns is a responses array that contain multiple different responses the problem of course is doing this is you have to construct these payloads so we’ve decided to make it easier and we’ve added capabilities into our SDK so if you’ll see in our SDK example here we can use our standard in order to be able to make a request to go get the information about a user go get the information about their calendar and then create this batch request content object in the batch request on content object you can just add those requests in package them up and send them over wire as a single request and this just requires a single roundtrip when you get those responses back we have some helper methods to help you get those responses out individual responses out to be able to handle the results so that makes life a lot easier when it comes to creating batches so in the next tip we’re going to talk about the basic query parameters and so when you’re accessing a collection of data say I said if users are set of messages there may be many users in the system you may not necessarily be interested in all of the users so one of the most powerful parameters we have is dollar filter it allows you to use a standard 
syntax in order to be able to filter the results of your collection down to just the information that you’re interested in and it doesn’t matter where you’re calling on graph you always use the same query parameter for filtering by the rows that you want to get access to if we look at the second parameter dollar select that allows you to reduce the payload in a different way by saying I’m only interested in these columns it’s a product projection operation that allows you say I just want these columns for the set of rows that I’m interested in and if you’re getting many rows back you might want to sort them better to sort them on the server side than having to sort them down on the client side and depending on how you sort them maybe you’re only interested in the top ten results so we have the top operator in order to limit maybe you only have a certain amount of

UI real estate to render them, so there's no point bringing those extra rows back; you can go back and get the extra rows later. Which brings us to a really interesting operator, the $expand operator. This is another performance-enhancing thing: instead of having to go and get a list of groups and then make a second call to get the members, or worse, have to get the members for each group in a separate request, in kind of an n+1 problem, you can use $expand to make a single request and pull all of that data down in a single result. The result will be a hierarchical JSON object with all the data you're requesting.

The last two are just extra obvious ones: getting a count of data, maybe you don't need all the data, you just want to know how many there are; or if you want to search by a particular keyword, there are a number of entities that give you the ability to search by a particular keyword.

Now these are kind of ad hoc examples. The real power is when you start bringing these together, and these are some real-world examples that we pulled out of our logs from customers. In the first example, go get the latest 25 messages since a particular point in time and include the attachment size. So we're using $expand here to bring in attachments, but then further reducing that to only select the size property on attachments. This can be really helpful when you want to know, okay, should I go and try to retrieve those attachments, or maybe not, because it's like 15 MB worth of attachments? So this is a great way of making a very complex request to select exactly the data that you are interested in.

The lower query is interesting. It allows you to go and get a list of unified groups that a user is a member of. You can see we're looking at a particular user and finding the things they are a member of. Well, memberOf brings back both groups and directory roles, but we're interested only in groups, so we use this microsoft.graph.group type as kind of a filter to say only bring back objects of that type. Then we further refine it by saying, in those groups, look at the groupTypes property, which is actually an array, so we have to use the any operator to filter to groupTypes that include the "Unified" keyword as one of the values in that array. So that's a more sophisticated way of filtering down the list of information so that you retrieve just what you need.

The next tip is that we've talked about things you can do to reduce a list, but we as the Graph API also reduce the things that we are necessarily returning. You tell me, oh, I want the messages; do you really want the messages for the last eight years, which is seven thousand or twenty thousand messages? We don't want to necessarily bring back all that data, so what we do is paginate it. We bring back just a first page of data, and depending on the API maybe that's twenty, maybe that's fifty rows that come back. You can change the size of the page by using the $top operator, but if you don't, we'll pick a default size. What you have to realize is that you need to look in that payload to see if there's an @odata.nextLink, and that is a signal to you that we have paginated the data, and if you want to get the next page you're going to need to follow that @odata.nextLink. When you keep following those pages and retrieving the pages, at some point you'll get a page that doesn't have an @odata.nextLink, and that says okay, yes, you're done, you've got all of the information. And don't forget: don't go looking into that URL and trying to extract information out of that next link. Treat it as an opaque string, because there are scenarios where that link might actually change, so don't take a dependency on that.

Now you might say, well, that's a lot of work, I've got to go and pull out that link and make these extra requests. Well, we've made efforts to make that easier for you in our SDKs. We've built what's called a page iterator: you go and make that request for the first collection, the first page, and then you define the operation, using a callback, of what you want to do with each of the messages that come back in those pages. You pass that information into our page iterator, and then we will iterate through all of those items on the page and all of those pages and make sure that we call that callback for you in each case. And you can do clever things: you can return true or false from that callback, so if you're searching through items you can pause partway through and say, ah yes, I found the information. You can pause, and there's a bunch of functionality there that makes dealing with pages easier. So the next step is going to talk about

tracking changes in data. So you've received a set of messages, but maybe what you're interested in is really just the set of messages that have actually changed. You can use a function on that messages collection called the delta function, and that allows you to discover newly created, updated or deleted entities without having to fully pull down the collection and compare with what you've previously received. This is very useful for synchronizing to a local data store. It works in much the same way: we use the @odata.nextLink, because there may be more than one page of changes, and you keep following those next links until you get to the @odata.deltaLink. What the @odata.deltaLink tells you is yes, you have finished getting all of the changes, and you need to hold on to that delta link so that at some later point in time you can call that delta link again and we will tell you all of the things that have changed since you last called us. If no changes occurred, we'll return you the same delta link with no responses.

Now the challenge, of course, with using delta queries is, well, how often do I call? Do I call every minute, every five minutes, or once an hour? It sometimes is not the most efficient way. There are scenarios where there's a better option, which is change notifications. The idea is for cases where there's a lower frequency of changes but you want to know right away; you don't want to wait for that polling period. The way this works is you subscribe to a particular resource, in this case we're subscribing to the mail folders and the messages in that mail folder, and you provide us with a callback URL. When something changes we will call back your service to tell you, yes, there is data that has changed in this particular API. This is another valuable thing. It becomes a little bit of a problem when you have a larger volume of data, and that's where you get to combine the two: you can actually use change notifications as the trigger to go and make your delta calls. So when you use those together they're even better.

Tip number six is about using PowerShell. We've recently introduced the PowerShell Graph library, and while this solves a lot of problems for IT admins, there are also some great nuggets in here for application developers. When you're creating an application you need to create an application registration, and there's a cmdlet to do that: you simply call the cmdlet, tell it the name of your app, tell it whether it's a public or web client, and provide it with your redirect URLs. If you're testing an application you're going to go through the process of consenting regularly, and if you want to retest that scenario you want to be able to undo that consent. To do that you need to be able to remove the service principal, and there's a PowerShell cmdlet that allows you to find that service principal and remove it. Which brings us to tip number seven. I'm going to hand it back to Yina to talk about choosing the right authentication flow and least privilege permissions.

Indeed. But let's first start with some key concepts. I'm going to talk about permissions. It's very important that you select the least privileged permissions in your application. The way the permissions are structured is that there is a resource, for example Mail or Files or Group; there is an operation that you're executing on that data, whether it is Read or ReadWrite; and there is a scope that it applies to, so for example whether it is personal, all the users, or shared data. Some examples here are User.Read, Notes.ReadWrite or Directory.Read.All. Now, as we mentioned before, if you want to select the least privileged permissions for your application you can go to Graph Explorer, and for every single request that you make there is this Modify permissions tab that will show you, in order of least privilege, the permissions that are required to access that particular API. It's very important that you always select the minimum set of permissions that your app requires to be successful.

Now there is a second thing that we need to look into, which is whether your application is accessing data on behalf of a user or accessing data independently. Let's imagine that you're building an application that is accessing data on behalf of a user, whether it is an email client or a calendar scheduling bot or, for example, a people picker. There's always a user that is signed in and that is interacting with the application. In this case you will use either the on-behalf-of flow or the device code grant flow, if your application has limited input, like input-constrained devices such as a watch or a TV. Now the second type of application is an

application where there is no user in the middle. In this application your application actually accesses the data in Microsoft Graph without that user context. This is the typical flow that is used for a service or daemon application, like data loss prevention scenarios or user provisioning workflows. Here it is very important that you consider all of the security, because you're accessing all of that data without being trimmed by the permissions of a user and what that user has access to in the service.

Now let's take a look at those two types of applications in more detail. For the user-interactive applications, users must be signed in, must be present, and consent with their own credentials to grant access to the application. Once the user consents, the application can acquire an access token to be able to make these API calls, and then the effective permissions of the request are the intersection of the permissions that have been granted to the application and the permissions that the user has. Let's imagine that I have an email application to which we have consented access to my mail. Once we get an access token, we can make a GET request using that access token to the /me/messages endpoint; the response is going to be a 200 because this access token has a delegation to get access to that data. If I try to get access to somebody else's mailbox, for example Darrell's, with that same access token, I'm going to get a 403 Forbidden. In this case the access is denied because I don't have access to Darrell's mailbox.

Now let's take a look at patterns when it comes to interactive applications. First, if you have an email client that has a signed-in user and is calling Microsoft Graph directly, this is a good thing to do. If you have a middle-tier application, in this case you will use the on-behalf-of flow, so there's always this concept of the user being present in your request. Now the thing that you don't want to be doing is having a middle-tier application where your middle tier is using an app-only flow, in which you get into this whole class of problems where there's no further security trimming being done to the data that you're receiving. So this is definitely a bad, bad, bad choice and a bad pattern to use.

Now let's look at the non-interactive applications. In this case there is no user present; the application only has its own credentials and can interact with all the data to which it has been granted access. In this case the administrator is the one that consents to these permissions, and the scope is the entire organization. There are ways, which we have for mail, calendar and contacts data, that you can restrict it to a set of users, but again, this is mostly org-wide scoped access to all the data in the organization. Then the application uses its own credentials to authenticate without a user being present, and in this case, as opposed to the last one, the effective permissions of the requests are all of the permissions that have been granted to the application.

Let's go and look at what are some of the good and bad design choices in this case. First of all, imagine that you're doing a daemon application that is using the client credentials flow to get access to Microsoft Graph data. Well, this is a good thing to do, but you have to be very mindful about all of the different data that you're now getting. Then, what you don't want to do is, for example, impersonate an admin to then go and use a delegated flow to get access to that data. This is a very insecure practice, because now, if those credentials are compromised, all of that data in the organization is going to be compromised. Again, you always want to be using the right set of permissions and the right authentication flow for the application that you're building.

Now with that, let's summarize. You can build two types of applications. The first is a user-interactive application, which in this case is going to be a mobile or web application, or a user-interactive application like a SPA; in this case you're going to get access to data on behalf of users. Users or an administrator can consent for them, or on behalf of the whole organization, and the effective permissions are the ones that are granted to the app intersected with the permissions that the calling user has at that point in time. The second model you have is application permissions. In this case you're building either a service or a daemon application; the scenario is that you will be accessing the data as a service, and only the administrator will be able to consent. In this case the effective permissions that the application gets are all of the permissions that have been granted to the application.

With that, congratulations, you're now upskilled and you're a Microsoft Graph developer. Thank you for taking the time to see all of this content with us today. If you want to continue to connect with us, follow us on Twitter with the Microsoft 365 Dev

account, tag all of your posts with the hashtag #MicrosoftGraph and we follow them; we interact with all of our fellow developers on those social forums. There's also a ton of videos that we have on YouTube. Every single month we have community calls telling you all of the different news about Microsoft Graph. We have a Developer Program that you can join; it's free, and you get a Microsoft 365 subscription for development that will continue to be free as long as you're actively developing. Then we have content on Microsoft Learn, aka.ms/m365: there's training, we have learning paths, we have certifications that you can get if you go through all of this different learning content. And then there is a whole bunch of news on the things that we're releasing here at Microsoft Build 2020, and that's all in our blog and in multiple blogs, I think the M365 Dev Build news. Thank you for joining us today, and as always, if there is one thing that you can remember, it's graph.microsoft.com; that's the place where you'll find all of the different information about Microsoft Graph. We're really excited that you're using Microsoft Graph in your applications. Let us know about all the different scenarios that you're building, and see you next time. Thank you, and happy coding. Thank you.
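The paging and change-tracking behaviour Darrell describes in the session (following @odata.nextLink as an opaque string, a page iterator whose callback can stop the walk early, and a delta query that is followed until an @odata.deltaLink that must be saved for the next call) as an added example that is not part of the session or of the Microsoft Graph SDKs. The Graph responses are constructed in memory so the code runs offline; the URLs, message ids and skip/delta tokens are made up, and `fake_get` stands in for an authenticated HTTP GET.

```python
"""Page iteration and delta tracking over Graph-style JSON responses.

Added example, not the session's or the SDK's code. Only the @odata.nextLink /
@odata.deltaLink conventions described in the talk are assumed; URLs, ids and
tokens below are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

BASE = "https://graph.microsoft.com/v1.0"
DELTA = BASE + "/me/mailFolders/inbox/messages/delta"

# Constructed sample responses keyed by the URL a client would GET.
# The links carry opaque tokens: the client must follow them, never parse them.
FAKE_GRAPH: Dict[str, dict] = {
    BASE + "/me/messages?$top=2": {
        "value": [{"id": "m1", "subject": "Build"}, {"id": "m2", "subject": "Graph"}],
        "@odata.nextLink": BASE + "/me/messages?$skiptoken=opaque-A",
    },
    BASE + "/me/messages?$skiptoken=opaque-A": {
        "value": [{"id": "m3", "subject": "Delta"}],  # no nextLink: last page
    },
    # Initial delta round: two pages of changes, the second ends with a deltaLink.
    DELTA: {
        "value": [{"id": "m1", "subject": "Build"}],
        "@odata.nextLink": DELTA + "?$skiptoken=opaque-B",
    },
    DELTA + "?$skiptoken=opaque-B": {
        "value": [{"id": "m2", "@removed": {"reason": "deleted"}}],
        "@odata.deltaLink": DELTA + "?$deltatoken=opaque-C",
    },
    # Calling the saved deltaLink later with nothing changed: empty page, same link.
    DELTA + "?$deltatoken=opaque-C": {
        "value": [],
        "@odata.deltaLink": DELTA + "?$deltatoken=opaque-C",
    },
}


def fake_get(url: str) -> dict:
    """Stand-in for an authenticated GET against Graph (constructed data)."""
    return FAKE_GRAPH[url]


def iterate_pages(get: Callable[[str], dict], first_url: str,
                  callback: Callable[[dict], bool]) -> int:
    """Walk a paged collection the way the SDK page iterator does.

    `callback` is invoked per item; returning False stops the walk early.
    Returns how many items the callback saw.
    """
    url: Optional[str] = first_url
    seen = 0
    while url:
        page = get(url)
        for item in page.get("value", []):
            seen += 1
            if callback(item) is False:
                return seen
        url = page.get("@odata.nextLink")  # opaque: follow as-is or stop when absent
    return seen


def delta_sync(get: Callable[[str], dict], url: str) -> Tuple[List[dict], str]:
    """Collect one round of changes, following nextLinks until a deltaLink appears.

    `url` is the initial .../delta URL or a previously saved deltaLink.
    Returns (changes, delta_link); persist delta_link for the next round.
    """
    changes: List[dict] = []
    while True:
        page = get(url)
        changes.extend(page.get("value", []))
        if "@odata.deltaLink" in page:
            return changes, page["@odata.deltaLink"]
        url = page["@odata.nextLink"]


def collect_subjects(get: Callable[[str], dict] = fake_get) -> List[str]:
    """Subjects across all pages; the callback never asks to stop."""
    subjects: List[str] = []
    iterate_pages(get, BASE + "/me/messages?$top=2",
                  lambda m: subjects.append(m["subject"]) is None)
    return subjects


def find_first(subject: str, get: Callable[[str], dict] = fake_get) -> Optional[str]:
    """Stop paging as soon as a message with `subject` is found."""
    found: List[str] = []

    def stop_when_found(m: dict) -> bool:
        if m["subject"] == subject:
            found.append(m["id"])
            return False  # pause the iterator: no need to fetch further pages
        return True

    iterate_pages(get, BASE + "/me/messages?$top=2", stop_when_found)
    return found[0] if found else None


def two_round_sync(get: Callable[[str], dict] = fake_get) -> Tuple[List[dict], List[dict], bool]:
    """Initial full delta round, then a later call with the saved deltaLink
    (in practice triggered by a change notification or a timer)."""
    first, link = delta_sync(get, DELTA)
    later, link_again = delta_sync(get, link)
    return first, later, link == link_again


if __name__ == "__main__":
    print(collect_subjects())
    print(find_first("Graph"))
    print(two_round_sync())
```

The delta helper treats the saved link exactly like the first URL, which is what makes the "same delta link with no responses" case fall out naturally; the `@removed` annotation on a change is how a deletion shows up, so a local store must handle it as a removal rather than an upsert.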