Graph API

Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. In this article, we will go through the requests we have to make in order to access the documents in a SharePoint Document Library.

Prerequisites:

  • Register an Azure AD app and grant it application permissions (full control or, if you only need to read, read access) to SharePoint sites in all site collections without a signed-in user. Refer to the Microsoft Graph permissions reference here.
  • Note down the Application ID (Client ID) and Key (Client Secret).
  • Download and install Postman, which simplifies API testing, or any other API testing tool.

REST Calls involved

Get Access Token

To call Microsoft Graph, your app must acquire an access token from Azure Active Directory (Azure AD), Microsoft’s cloud identity service. Access tokens issued by Azure AD are base64-encoded JSON Web Tokens (JWT). They contain information (claims) that web APIs secured by Azure AD, like Microsoft Graph, use to validate the caller and to ensure that the caller has the proper permissions to perform the operation being requested.

Copy the “access_token” value from the following API call’s response. This value is used in the subsequent REST API calls as the bearer token.

Replace:

{tenant-id} with your Office 365 Tenant ID. You can find it here.

{client-id} with Application ID copied from Azure AD Application.

{client-secret} with Key(Client Secret) copied from Azure AD Application.

Get SharePoint Site ID

We have to get the ID of the SharePoint site where the document library is located, using the following URL:

https://graph.microsoft.com/v1.0/sites/{host-name}:/{server-relative-path}

Replace:

{host-name} with the host name of your SharePoint Online root site (the host only, not the full URL).

{server-relative-path} with site’s relative path.

Get Document Libraries from a SharePoint Site

To get a list of document libraries from a SharePoint site, call the following endpoint:

https://graph.microsoft.com/v1.0/sites/{site-id}/drives

Replace:

{site-id} with the site ID received in the previous step.

Get Files from a Document Library

To get a list of files in a document library, call the following endpoint:

https://graph.microsoft.com/v1.0/sites/{site-id}/drives/{drive-id}/root/children

Replace:

{site-id} with the site ID received in the previous step.

{drive-id} with the ID of one of the document libraries received in the previous step.

Get a Specific File from a Document Library

To get a specific file from a document library, call the following endpoint:

https://graph.microsoft.com/v1.0/sites/{site-id}/drives/{drive-id}/root:/{item-path}

Replace:

{site-id} with the site ID received in the previous step.

{drive-id} with the ID of one of the document libraries received in the previous step.

{item-path} with the file name or the path of the file relative to the library root.
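The chain of calls above (token, site ID, document libraries, a specific file) in one script, as an added Python example that is not code from the original article. The token comes from the client-credentials grant on the v2.0 token endpoint with the https://graph.microsoft.com/.default scope, which yields the application permissions an admin consented to, so grant only what the app needs (read rather than full control if it only reads). The tenant, client and secret are assumed to sit in environment variables, `find_file` takes the HTTP getter as a parameter so it can be exercised without a tenant, and the host name, site path, library and file name in the main block are constructed placeholders.

```python
import json
import os
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials request (app-only, no signed-in user) for a Graph access token."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default"}).encode()
    return url, body

def site_url(host_name, server_relative_path):
    return f"{GRAPH}/sites/{host_name}:/{server_relative_path.strip('/')}"

def drives_url(site_id):
    return f"{GRAPH}/sites/{site_id}/drives"

def children_url(site_id, drive_id):
    return f"{GRAPH}/sites/{site_id}/drives/{drive_id}/root/children"

def item_url(site_id, drive_id, item_path):
    return f"{GRAPH}/sites/{site_id}/drives/{drive_id}/root:/{urllib.parse.quote(item_path)}"

def find_file(get_json, host_name, site_path, library_name, item_path):
    """Site -> document library -> item, in the order the article's steps call them."""
    site_id = get_json(site_url(host_name, site_path))["id"]
    drives = get_json(drives_url(site_id))["value"]
    drive = next(d for d in drives if d["name"] == library_name)
    return get_json(item_url(site_id, drive["id"], item_path))

def graph_getter(access_token):
    """Authenticated GET; the token travels only in the header, never in a URL or a log line."""
    def get_json(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json

if __name__ == "__main__":  # assumed env vars; never hard-code the client secret in source
    url, body = token_request(*(os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")))
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    item = find_file(graph_getter(token), "contoso.sharepoint.com", "/sites/hr", "Documents", "handbook.pdf")
    print(item["name"], item.get("webUrl"))
```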

I hope this article has helped you to understand the REST API calls required to reach a file in a SharePoint Document Library using Graph API.

Sharing is Caring!

Microsoft Graph is the gateway to data and intelligence in Microsoft 365. Microsoft Graph provides a unified programmability model that you can use to take advantage of the tremendous amount of data in Office 365, Enterprise Mobility + Security, and Windows 10.

You can use the Microsoft Graph API to build apps for organizations and consumers that interact with the data of millions of users. With Microsoft Graph, you can connect to a wealth of resources, relationships, and intelligence, all through a single endpoint: https://graph.microsoft.com.

Register Application

In order to call Graph API you need to have a registered application within Azure Active Directory that has delegated permissions for the API application.

  • Sign in to the Application Registration Portal (https://apps.dev.microsoft.com).
  • Click the “Add an app” button.
  • Enter the app name and click the “Create” button to proceed.
  • Copy the Application Id (Client Id) and save it.
  • Now you need to create the Application Secret. To do so, click the “Generate New Password” button as shown below. A pop-up will appear displaying the generated password, which is shown only once. Copy the password and store it securely, then click the “Ok” button as shown below.
  • Add the Microsoft Graph permission as shown below.
  • Click the “Save” button to apply the changes you made.

Grant Admin Consent

Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.

To grant admin consent through a URL request:

  • Construct a request to login.microsoftonline.com with your app configuration and append &prompt=admin_consent.
  • After an administrator signs in and accepts, the app is granted consent for all users.

Execute Console Application

  • Download the code sample from this link.
  • Open the solution in Visual Studio.
  • Update the following values in the App.config file:
    • TenantId – Office 365 Tenant Identity
    • ClientId – Application Id copied in the app registration process
    • ClientSecret – Password / Public Key copied in the app registration process
  • Save and execute the console application.

Output

Note: Output may vary based on the groups created in your tenant.

Special thanks to @Arutvicky for the code cleanup.

What is governance?

Governance is the establishment of policies, and the continuous monitoring of their proper implementation, by the members of the governing body of an organization. It includes the mechanisms required to balance the powers of the members (with the associated accountability) and their primary duty of enhancing the prosperity and viability of the organization. Governance is not about limiting freedom.

Top 4 Office 365 management challenges explained by Marc Anderson and Benjamin Niaulin

  • Lack of visibility on what users are doing in Office 365
  • Group owners need guidance
  • Balancing user freedom with corporate governance requirements
  • Transitioning to a new accountability model

This article explains the different options available to govern Microsoft Teams and Office 365 Groups.

Manage who can create Office 365 Groups

Because it is so easy for users to create Office 365 Groups, we may want to restrict Office 365 Group creation to the members of a security group.

  • To manage who creates Office 365 Groups, we need an Azure AD Premium or Azure AD Basic EDU license.
  • Only one security group in your organization can be used to control who is able to create Office 365 Groups. However, we can nest other security groups as members of this group.

Refer to this article for more details.

Office365 Group Expiration Policy

A group lifecycle policy allows administrators to set an expiration period for groups. For example, after 180 days, a group expires. When a group reaches its expiration, owners of the group are required to renew their group within a time interval defined by the administrator. Once renewed, the group expiration is extended by the number of days defined in the policy. For example, the group’s new expiration is 180 days after renewal. If the group is not renewed, it expires and is deleted. The group can be restored within a period of 30 days from deletion.

Refer to this article for more details.

Orphan Teams and Groups

It is good practice to find teams and groups without owners. We can get this information from the Teams Admin Center as shown below.

Best Practices

  • Assign at least two owners to every team and group.
  • Create a PowerShell script that finds orphan groups on a weekly or monthly basis and sends the report to admins.
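The two best practices above as a scheduled check, written here as an added Python example over Microsoft Graph rather than the PowerShell script the article suggests (this is not code from the article). It lists Office 365 Groups (group type 'Unified', which Teams are built on), follows @odata.nextLink paging so large tenants are not silently truncated, and reports every group with fewer than the required number of owners, orphans being the ones with zero. An app-only token with the Group.Read.All application permission is assumed to be in the GRAPH_TOKEN environment variable; `under_owned_groups` takes the HTTP getter as a parameter so the logic can be exercised without a tenant.

```python
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def m365_groups_url():
    # 'Unified' is the group type behind Office 365 Groups and Teams
    flt = urllib.parse.quote("groupTypes/any(c:c eq 'Unified')")
    return f"{GRAPH}/groups?$filter={flt}&$select=id,displayName"

def owners_url(group_id):
    return f"{GRAPH}/groups/{group_id}/owners?$select=id"

def iter_pages(get_json, url):
    """Follow @odata.nextLink: Graph pages listings, so one GET is not the whole tenant."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def under_owned_groups(get_json, minimum=2):
    """Groups with fewer than `minimum` owners; owner_count == 0 marks an orphan group."""
    report = []
    for group in iter_pages(get_json, m365_groups_url()):
        count = sum(1 for _ in iter_pages(get_json, owners_url(group["id"])))
        if count < minimum:
            report.append({"id": group["id"], "displayName": group["displayName"],
                           "owner_count": count})
    return report

def graph_getter(access_token):
    """Authenticated GET against Graph; the token stays in the header only."""
    def get_json(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json

if __name__ == "__main__":  # GRAPH_TOKEN is an assumed env var holding an app-only token
    for row in under_owned_groups(graph_getter(os.environ["GRAPH_TOKEN"])):
        print(f"{row['owner_count']} owner(s): {row['displayName']} ({row['id']})")
```

Run it from a scheduler and feed the output into the report the article recommends; rows with 0 owners are the orphans to reassign first.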

Potentially Obsolete Teams and Groups

Analytics and reports will help you create different reports to get insights into how users in your organization are using Teams. Your organization can use the information from the reports to better understand usage patterns, help make business decisions, and inform training and communication efforts.

As we noticed in the Teams Admin Center, this is not a rich report. Tony Redmond has written an excellent PowerShell script that can reveal unused teams or groups.

Guest access in Teams

Guest access in Teams lets people outside your organization access teams and channels. You can control the guest permissions for Teams meetings and messaging from the Teams Admin Center.

The following functionalities are not available to a guest in Microsoft Teams as of today:

  • OneDrive for Business
  • People search outside of Teams
  • Calendar, Scheduled Meetings, or Meeting Details
  • PSTN
  • Organization chart
  • Create or revise a team
  • Browse for a team
  • Upload files to a person-to-person chat

Teams Classifications

Adding a classification to a team helps us group teams and apply restrictions to them, such as guest access and meeting policies.

Refer here for more details.

Group Naming Policy

We use a group naming policy to enforce a consistent naming strategy for Office 365 Groups created by users in your organization. A naming policy can help you and your users identify the function of the group, its membership, its geographic region, or who created it.

Refer here for more details.