Microsoft Graph
This is a continuation of a series of articles on Azure services from an operational engineering perspective; the series was introduced in an earlier post. The previous article discussed Microsoft Graph Data Connect, which is used alongside Microsoft Graph. This article discusses known limitations and their workarounds. Microsoft Graph provides integration with Microsoft 365, Windows 10, and Enterprise Mobility + Security services through REST APIs and client libraries.
Microsoft Graph provides a unified programmability model by consolidating multiple APIs into one. As Microsoft's cloud services evolved, the APIs used to reach them changed as well. Originally, when cloud services such as Exchange Online, SharePoint, OneDrive and others appeared, each launched its own API, and the list of SDKs and REST APIs that developers had to learn in order to access content kept growing. Each endpoint also required its own access tokens and returned status codes unique to that service. Microsoft Graph brought a consistent, simplified way to interact with these services through one endpoint and one token.
Some limitations apply to the application and servicePrincipal resources. Some application properties are not available. Only multi-tenant applications can be registered. Azure Active Directory users can register applications and add additional owners. Support for the OpenID Connect and OAuth protocols has limitations. Policy assignments to an application fail, and operations on ownedObjects that require an appId fail. The best resolution for these limitations is to wait for the changes being made to the application and servicePrincipal resources.
Cloud Solution Provider (CSP) applications must acquire tokens from the Azure AD v1 endpoint, because the Azure AD v2 endpoint is not supported for them. This also applies when those applications are used against the partner's managed customer tenants.
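The following is an added example, not code from the original article: a client-credentials token request against the Azure AD v1 endpoint for a CSP application, with the v2 form shown only as a comment for contrast. The tenant name and client ID are placeholders, the secret is read from the console, and the Get-JwtPayload helper is ours; the `ver` and `iss` claims it reads are what distinguish a v1-issued token (`ver` 1.0, issuer `https://sts.windows.net/<tenantId>/`) from a v2-issued one (`ver` 2.0).

```powershell
# Added example (not from the original article). Placeholder values below.
$tenant       = "customer.onmicrosoft.com"               # assumption: partner-managed customer tenant
$clientId     = "00000000-0000-0000-0000-000000000000"   # assumption: the CSP application's client ID
$secureSecret = Read-Host -AsSecureString "Client secret"
$plainSecret  = [System.Net.NetworkCredential]::new("", $secureSecret).Password

# v1 endpoint: path has no "/v2.0" segment and the target API is named with
# "resource", not "scope".
$v1Uri  = "https://login.microsoftonline.com/$tenant/oauth2/token"
$v1Body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $plainSecret
    resource      = "https://graph.microsoft.com"
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri $v1Uri -Body $v1Body `
    -ContentType "application/x-www-form-urlencoded"

# For contrast only: the v2 form uses ".../oauth2/v2.0/token" and "scope".
# The article says v2 is not supported for CSP applications, so it is not called.
# $v2Uri  = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token"
# $v2Body = @{ grant_type = "client_credentials"; client_id = $clientId;
#              client_secret = $plainSecret; scope = "https://graph.microsoft.com/.default" }

# Decode the (base64url) payload of the returned JWT to confirm which endpoint
# issued it. Helper written for this example; it does not validate the signature.
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}
$claims = Get-JwtPayload -Jwt $tokenResponse.access_token
"Token version: $($claims.ver)  issuer: $($claims.iss)  audience: $($claims.aud)"

# Use the token against Microsoft Graph in the customer tenant.
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/organization" -Headers $headers
```

If the printed version is 2.0, the token came from the v2 endpoint and the CSP pre-consent path will not apply to it. The helper only decodes the payload for inspection; never use it as a substitute for signature validation when accepting tokens.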
Pre-consent for CSP applications does not work in some customer tenants. This shows up either as an error issuing tokens when an application uses delegated permissions, or as an access denied error from Microsoft Graph after an application acquires a token with application permissions. The suggested workaround is to download and install the Azure AD PowerShell v2 module, open a PowerShell session, connect to the customer tenant, and create the Microsoft Graph service principal there.
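The workaround described above, as an added example that is not code from the original article, written for an Azure AD PowerShell v2 ("AzureAD" module) session. The tenant name is a placeholder; the application ID 00000003-0000-0000-c000-000000000000 is Microsoft Graph's well-known first-party application ID and is the same in every tenant. The existence check before creation is our addition.

```powershell
# Added example (not from the original article).
$customerTenant = "customer.onmicrosoft.com"             # assumption: partner-managed customer tenant
$graphAppId     = "00000003-0000-0000-c000-000000000000" # Microsoft Graph first-party app ID (well known)

# 1. Install the Azure AD PowerShell v2 module if it is not already present.
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Scope CurrentUser -Force
}
Import-Module AzureAD

# 2. Connect to the customer tenant using the partner's delegated admin credentials.
Connect-AzureAD -TenantId $customerTenant | Out-Null

# 3. Create the Microsoft Graph service principal only if it is missing;
#    re-creating an existing one fails, so look it up by appId first.
$existing = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"
if ($existing) {
    "Microsoft Graph service principal already exists: $($existing.ObjectId)"
} else {
    $sp = New-AzureADServicePrincipal -AppId $graphAppId
    "Created Microsoft Graph service principal: $($sp.ObjectId)"
}
```

Run this with an account that holds delegated admin rights in the customer tenant, then retry the failing token request. The AzureAD module has since been deprecated by Microsoft; the equivalent with the Microsoft Graph PowerShell SDK (our mapping, not something the article covers) is `Connect-MgGraph -TenantId $customerTenant -Scopes "Application.ReadWrite.All"` followed by `New-MgServicePrincipal -AppId $graphAppId`.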
Other identity-related limitations involve the permissions required by the policy APIs. The claimsMappingPolicy API might require consent to both Policy.Read.All and Policy.ReadWrite.ConditionalAccess for the List operation on /policies/claimsMappingPolicies and for retrieving /policies/claimsMappingPolicies/{id}. If there are no such objects to retrieve in a List operation, either permission is sufficient to call the methods. If claimsMappingPolicy objects exist, the app must have consented to both permissions.
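As an added example (not code from the original article), the following lists claims mapping policies with the Microsoft Graph PowerShell SDK, requesting both permissions up front and checking what was actually granted, so that a tenant which later gains its first claimsMappingPolicy object does not turn a working script into a 403. The scope check and error handling are ours.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph module.
$requiredScopes = @("Policy.Read.All", "Policy.ReadWrite.ConditionalAccess")
Connect-MgGraph -Scopes $requiredScopes | Out-Null

# An admin may have consented to only one of the two; report that before calling,
# because the call succeeds on an empty tenant and fails once a policy exists.
$granted = (Get-MgContext).Scopes
$missing = $requiredScopes | Where-Object { $_ -notin $granted }
if ($missing) {
    Write-Warning "Not consented: $($missing -join ', '). The list call will fail once claimsMappingPolicy objects exist."
}

try {
    $uri      = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies"
    $policies = Invoke-MgGraphRequest -Method GET -Uri $uri
    "Found $($policies.value.Count) claims mapping policies"
    foreach ($p in $policies.value) { "$($p.id)  $($p.displayName)" }
} catch {
    # A 403 with only one of the two permissions consented is the limitation
    # described above, not a problem with the policies themselves.
    Write-Error "List failed: $($_.Exception.Message). Confirm consent to both $($requiredScopes -join ' and ')."
}
```

When a tenant has no policies yet, a missing second permission goes unnoticed; the warning above is what surfaces it before the first policy is created.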