Graph Explorer is a tool that is mainly aimed at developers, but anyone can use it to learn more about the Graph APIs and how the queries should be constructed. In the previous article, we saw how to install and work with the Graph API from PowerShell. In this article, we will have a look at how to use Graph Explorer, which is more visual.
You can launch Graph Explorer by navigating to aka.ms/ge. Below is how it looks.
The sample queries on the left-hand side help you get started, and the bar at the top of the middle pane shows the specific entity and API modules being queried. The output of each query is shown in the ‘Response Preview’ tab. You do not have to log in to your tenant to get started, as the sample queries are backed by a sample tenant.
For example, running https://graph.microsoft.com/v1.0/me (which is there by default) will show details about Megan Bowen, who is listed as an auditor.
If you now sign in to your tenant with your M365 credentials using the button at the end (above the ‘run query’ button), you will be prompted to accept the permissions required.
You do not have to ‘consent on behalf of the organization’ to run any query which is personal to you (like obtaining your profile info, querying for your photo in Azure AD etc). If you are an administrator, you can check the consent box and accept the permissions on behalf of the organization, so that other users won’t be asked to do the same.
Sure enough, it will return the information about you that is stored in your Azure AD tenant. Any user (without any admin rights) can perform this action, or any other action they are normally allowed to perform (creating a Microsoft Team, for example).
You can run the sample query on the left hand side to display your photo (if you have one in the cloud). Click on the GET button against ‘my photo’ and the query will be updated. Clicking the ‘run query’ button will show your photo in the response pane.
You get the idea: you can try the other queries listed, like getting your manager info, your mail, items in your drive etc. This is where the power of Graph API comes in. You can query Azure AD, Exchange Online, SharePoint etc. by connecting to a single endpoint. Previously, we had to connect to each workload separately to get the response, which made it hard to run a script that pulls data from various workloads into a single output file.
If you try running the query for ‘my mail’, you may be greeted with an error message. This is because we have not yet been granted the scope it needs (mail.read).
But we can sort out the permissions ourselves by clicking on the ‘modify permissions’ tab, selecting the permission we need and consenting. Notice that there is a cross mark in the ‘admin consent’ column, which means that any user can acquire this permission without consent from an admin.
Click on the consent button against mail.read and agree to the new set of permissions.
Run the query again. Sure enough, the email information is displayed in the response tab.
You might be wondering how Graph Explorer brings the information back and where these consents are processed. Let me explain how it works.
The Microsoft Graph Explorer is configured as an enterprise application in your tenant out of the box. If you navigate to ‘Enterprise Applications’ & search for Graph, it will come up.
Click on the Graph Explorer app and navigate to the ‘permissions’ tab -> User Consent. This area will list all the consents that the users in your tenant have made.
As an administrator, you can also consent to permissions on behalf of the organization.
In short, Graph Explorer is an enterprise application which is guarded by Azure AD from an authentication standpoint. Once you are authenticated, you can access any workload & get results if you have the permissions.
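The consents listed under ‘User Consent’ are exposed by Microsoft Graph as `oauth2PermissionGrants` records, so they can be reviewed outside the portal as well. The following is an added example, not part of the original article: it works out which delegated scopes Graph Explorer holds for a given user from such a response. The sample response and all ids in it are constructed placeholders (real `clientId`, `resourceId` and `principalId` values are object-id GUIDs), and the function names are hypothetical.

```python
import json

# Constructed sample shaped like the response of
# GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
# All ids are made-up placeholders, not values from a real tenant.
SAMPLE_RESPONSE = json.loads("""
{
  "value": [
    {"id": "grant-1", "clientId": "sp-graph-explorer", "consentType": "AllPrincipals",
     "principalId": null, "resourceId": "sp-microsoft-graph",
     "scope": "openid profile User.Read"},
    {"id": "grant-2", "clientId": "sp-graph-explorer", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "sp-microsoft-graph",
     "scope": " Mail.Read Files.Read"},
    {"id": "grant-3", "clientId": "sp-other-app", "consentType": "Principal",
     "principalId": "user-bob", "resourceId": "sp-microsoft-graph",
     "scope": "Mail.ReadWrite"}
  ]
}
""")

def effective_scopes(response, client_id, user_id):
    """Scopes the app holds for one user: admin (tenant-wide) grants plus the user's own."""
    scopes = set()
    for grant in response.get("value", []):
        if grant.get("clientId") != client_id:
            continue  # grant belongs to a different enterprise application
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        own = grant.get("consentType") == "Principal" and grant.get("principalId") == user_id
        if tenant_wide or own:
            scopes.update((grant.get("scope") or "").split())  # space-separated string
    return scopes

def user_consent_report(response, client_id):
    """Map each user to the scopes they consented to themselves, without an admin."""
    report = {}
    for grant in response.get("value", []):
        if grant.get("clientId") == client_id and grant.get("consentType") == "Principal":
            report.setdefault(grant["principalId"], set()).update((grant.get("scope") or "").split())
    return report

def has_scope(response, client_id, user_id, scope):
    """Compare ignoring case, so the article's spelling mail.read matches Mail.Read."""
    return scope.lower() in {s.lower() for s in effective_scopes(response, client_id, user_id)}

if __name__ == "__main__":
    for user, scopes in sorted(user_consent_report(SAMPLE_RESPONSE, "sp-graph-explorer").items()):
        print(user, sorted(scopes))
```

In the sample, user-alice has consented to Mail.Read herself, while user-bob only has the tenant-wide scopes, which is the state in which the ‘my mail’ query returns the permission error described earlier.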
To summarize, we have learned:
- What Graph Explorer is.
- How to navigate the tool.
- How to run sample queries.
- How to run queries against your own tenant.
- How to modify permissions and consent.
- A tour of the Graph Explorer app in Azure AD.
Do let me know if you have any questions in the comment section below.