Microsoft Graph
This is a continuation of a series of articles on Azure
services from an operational engineering perspective; the most recent
introduction to this topic is at the link here.
This article continues to elaborate on the best practices in working with the
Microsoft Graph.
Microsoft Graph enables integration with the best of
Microsoft 365, Windows 10, and Enterprise mobility and security services in
Microsoft 365, using REST APIs and client libraries. It uses the concepts of
users and groups to expose this functionality.
A user is an individual who uses Microsoft 365 cloud
services. Throughout Microsoft Graph, the user is the focal entity whose identity
is protected and whose access is managed. The data associated with this
entity, and the opportunities to enrich context and provide real-time
information and deep insights, are what make Microsoft Graph so popular. The
services supporting this entity are Azure AD and most productivity,
collaboration intelligence, and education services.
A group is the fundamental entity that lets users
collaborate and integrate with other services, which enables scenarios for task
planning, teamwork, education and more.
The Graph Explorer helps you get to know the API and is the easiest
way to start experimenting with the available data. Proper REST requests can be
made, and the responses are representative of those encountered programmatically,
which eliminates surprises and errors during implementation.
Authentication for Microsoft Graph is made easier by the
Microsoft Authentication Library (MSAL), which acquires an access token.
The best practices for consent and authorization involve the
following:
- Using least privilege, so that the APIs are called with only the permissions that are necessary.
- Using the correct permission type based on the scenario, which is particularly important for delegated permissions. If the code runs without a signed-in user, it can lead to a vulnerability.
- Configuring the application properly for end-user and administrator experiences.
- Using multi-tenant applications, so that customers have various application and consent controls in different states.
Responses to requests made to Microsoft Graph can be large.
Pagination can help browse the results efficiently.
Applications that use Microsoft Graph must handle expected errors,
for robustness and user convenience. Certain errors
are retriable, while others need to be translated for the user.
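
The pagination and error-handling points above can be combined in one client loop. The following is an added example, not code from the original article or from Microsoft: it follows `@odata.nextLink` until it is absent, retries throttling and transient errors while honoring `Retry-After`, and raises everything else for the application to translate. The `send` transport hook, the `GraphError` class and the sample responses are assumptions constructed so that the block runs offline.

```python
import time

RETRIABLE = {429, 503, 504}  # throttling and transient service errors

class GraphError(Exception):
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code = status, code

def get_with_retry(send, url, max_attempts=4, sleep=time.sleep):
    """send(url) -> (status, headers, json_body) is a hypothetical transport hook."""
    for attempt in range(max_attempts):
        status, headers, body = send(url)
        if status == 200:
            return body
        if status in RETRIABLE and attempt < max_attempts - 1:
            # Honor the server's Retry-After; otherwise back off exponentially.
            sleep(float(headers.get("Retry-After", 2 ** attempt)))
            continue
        err = body.get("error", {})  # Graph error envelope: {"error": {code, message}}
        raise GraphError(status, err.get("code", "unknown"), err.get("message", ""))

def iter_collection(send, first_url, sleep=time.sleep):
    """Yield every item of a paged collection by following @odata.nextLink."""
    url = first_url
    while url:
        page = get_with_retry(send, url, sleep=sleep)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # opaque URL; absent on the last page

# Constructed sample responses (not captured from a real tenant).
BASE = "https://graph.microsoft.com/v1.0"
FIRST, NEXT, DENIED = f"{BASE}/users?$top=2", f"{BASE}/users?$skiptoken=SAMPLE", f"{BASE}/groups"

def make_fake_graph():
    throttled = {NEXT}  # the second page is throttled once, then succeeds
    def send(url):
        if url in throttled:
            throttled.discard(url)
            return 429, {"Retry-After": "1"}, {"error": {"code": "TooManyRequests", "message": "throttled"}}
        if url == FIRST:
            return 200, {}, {"value": [{"id": "u1"}, {"id": "u2"}], "@odata.nextLink": NEXT}
        if url == NEXT:
            return 200, {}, {"value": [{"id": "u3"}]}
        return 403, {}, {"error": {"code": "Authorization_RequestDenied", "message": "denied"}}
    return send

if __name__ == "__main__":
    print([u["id"] for u in iter_collection(make_fake_graph(), FIRST, sleep=lambda s: None)])
```

In a real client, `send` would wrap an HTTP call that attaches the access token acquired through MSAL.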
Adding members to existing enumerations can break
applications. Evolvable enumerations provide a better alternative. They have a
common sentinel member called unknownFutureValue that demarcates known
members that have been defined in the enum initially and unknown members that
are added subsequently or will be defined in the future. Members of evolvable
enums can be referenced by their string values.
These are some of the considerations for best
practice in working with Microsoft Graph.