Microsoft Graph:
This is a continuation of a series of articles on
operational engineering aspects of Azure public cloud computing that included
the most recent discussion on cloud protection. This article describes Microsoft Graph.
Microsoft Graph provides a unified programmability model and
is similar in its utility to a Kusto cluster and database. The Microsoft Graph
model allows Microsoft Graph Connectors to access data from different data sources
and provides a common way to query the data. It is the gateway to data and
intelligence in Microsoft 365. It can also act as a source for downstream Azure
data stores that require data to be delivered. The Microsoft Graph Data Connect
provides a set of tools to streamline secure and scalable delivery of Microsoft
Graph Data.
There is a single endpoint, https://graph.microsoft.com, that provides
access to rich, people-centric data and insights in the Microsoft cloud. REST
APIs and SDKs can be used to access the endpoint, and this powers the
applications that support Microsoft 365 scenarios that span productivity,
collaboration, education, people, and workplace intelligence. It includes
services that manage user and device identity, access, compliance, and security, and
help protect organizations from data leakage or loss.
The Microsoft Graph exposes data from Microsoft 365
services, Enterprise Mobility and Security Services, Windows 10 services and
Dynamics 365 Business Central. Microsoft 365 core services include Bookings,
Calendar, Delve, Excel, compliance eDiscovery, Search, OneDrive, OneNote,
Planner, SharePoint, Teams, To Do, and Workplace analytics. The Enterprise Mobility
and Security Services include Advanced Threat Analytics, Advanced Threat
Protection, Azure Active Directory, Identity Manager, and Intune. Windows 10
services include activities, devices, notifications, and Universal Print. The
Dynamics 365 Business Central has its own data ecosystem.
The primary use case for Microsoft Graph is to open the
Microsoft 365 platform for developers. Graph Explorer helps query and view
this data.
Data Connect and Graph APIs provide access to the same
underlying data but in different ways. Data Connect works with bulk data so
that extracting and moving large amounts of data is easy. Microsoft Graph APIs are more suitable for
accessing discrete sets of data in real time. So if we want to get all of last
year’s emails, then we would run Data Connect but rely on Graph APIs to get
specific emails.
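The Graph API path for a discrete set of emails, as an added example that is not part of the original article: it builds a filtered request against the v1.0 messages resource and follows @odata.nextLink pages only while they stay on the Graph endpoint, so a bearer token is never sent elsewhere. The function names, the user, the date and the get_json transport are assumptions, and the sample pages are constructed.

```python
from urllib.parse import quote, urlencode, urlsplit

GRAPH_HOST = "graph.microsoft.com"  # the single endpoint named in the article

def messages_url(user_id, since_iso, fields=("subject", "from", "receivedDateTime"), top=2):
    """Build a v1.0 request for a small, filtered set of one user's messages."""
    params = {"$filter": f"receivedDateTime ge {since_iso}",
              "$select": ",".join(fields),  # return only the fields we need
              "$top": top}                  # page size
    query = urlencode(params, quote_via=quote, safe="$,:")
    return f"https://{GRAPH_HOST}/v1.0/users/{quote(user_id, safe='@')}/messages?{query}"

def is_graph_url(url):
    """True only for https URLs on the Graph host (default port)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == GRAPH_HOST and parts.port in (None, 443)

def fetch_messages(first_url, get_json, max_pages=10):
    """Collect messages across pages by following @odata.nextLink.

    get_json(url) -> dict is the caller's authenticated transport (assumed).
    Each link is checked before use so the bearer token never leaves Graph.
    """
    items, url = [], first_url
    for _ in range(max_pages):
        if not is_graph_url(url):
            raise ValueError(f"refusing to follow non-Graph link: {url!r}")
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        if not url:
            return items
    raise RuntimeError("page limit reached before the result set ended")

# Constructed sample responses standing in for Graph (not real data).
FIRST = messages_url("alex@contoso.example", "2024-01-01T00:00:00Z")
SECOND = FIRST + "&$skip=2"
SAMPLE_PAGES = {
    FIRST: {"value": [{"subject": "Q1 plan"}, {"subject": "Invoice"}], "@odata.nextLink": SECOND},
    SECOND: {"value": [{"subject": "Minutes"}]},
}

if __name__ == "__main__":
    for msg in fetch_messages(FIRST, SAMPLE_PAGES.__getitem__):
        print(msg["subject"])
```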
Data Connect involves some setup and overhead before the
bulk operations on data. This can take about 45 minutes regardless of the data,
and all pipelines will take at least that long. It might be a negligible cost
for large amounts of data, but using it for something lightweight is not
recommended; the Graph APIs are more suitable for that.
The billing for Graph APIs is on a pay-as-you-go basis and
the billing unit is multiples of 1000s of objects, where 1 object maps to 1
individual instance of an entity in Microsoft 365 such as an email, file, or
message. There are no charges to use User, MailboxSettings, Manager, and
DirectReport.
Service principals are required for Microsoft Graph Data
Connect, which uses them as an identity for getting authorized access to Microsoft
365 data. Before Data Connect can copy data, an administrator must approve a
Privileged Access Management Request. Either all the users in the user list
must have a Workplace Analytics license or none of those users may have it.
There is no mixed-mode user list for Data Connect users.