Query Azure Active Directory using Graph API & Logic Apps
Summary
In this post, I want to demonstrate how to get a user's Department details from Azure Active Directory using the Graph API. I'll be using Logic Apps for this demonstration, but this could very well be done using another serverless tool such as Azure Functions.
Logic Apps – OTB Connector
Out-of-the-box, the Logic Apps connector is great for very basic Azure Active Directory tasks.
I’m going to demonstrate what is returned using the built-in Get group members Action.
The idea is simple – set up a simple Scheduled Trigger with the Action: Get group members.
The Group ID is the Object Id in Azure Active Directory.
Once successfully triggered, the output should be as follows:
```json
[
  {
    "@odata.type": "#microsoft.graph.user",
    "id": "3f9632a5-cf42-4d48-9a96-176bffbfb50d",
    "businessPhones": [
      "07710139246"
    ],
    "displayName": "Bruce Wayne",
    "givenName": "Bruce",
    "jobTitle": null,
    "mail": "Bruce.Wayne@eax360.com",
    "mobilePhone": "+44 0771013000",
    "officeLocation": null,
    "preferredLanguage": "en-GB",
    "surname": "Hussain",
    "userPrincipalName": "Bruce.Wayne@eax360.com"
  }
]
```
As you can see from the above, only very basic information is provided; there is no ‘Department’ information listed here.
Luckily, the Microsoft Graph API can be used to query Azure Active Directory directly.
HTTP Graph API Queries
The steps to complete this are a little more involved. Here is the general outline: we're going to use the Microsoft Graph API to make HTTP GET requests and process the responses in Azure Logic Apps. The steps are as follows:
- Create a new Azure AD App registration.
- Grant API permissions.
- Generate a Client Secret.
- Build the new Logic App.
Create a new Azure AD App registration
Simply go to Azure Active Directory and create a new Application Registration.
For this example, I called my App Logic-Apps AAD User Retrieval.
Grant API permissions
To grant API permission go to the API permissions setting in your APP.
Add Permissions and then select Graph API.
You'll then be presented with the Request API permissions screen. Best practice is to grant only the least privileged permissions required. For the list of Graph API permissions, see the Microsoft Graph documentation: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
In this example, I’ll be calling the following API methods:
- List users
- Get user
- Get delta
For these methods my application needs the following permissions:

| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
Add each permission one at a time. The final result should look something like this:
Save changes and Grant Admin Consent.
Generate a Client Secret
Generate a Client secret and keep this value safe. Note that for production scenarios I suggest using the Certificate option.
Once the secret has been created, take note of this. The next step is to create an HTTP Action.
HTTP Request Action
Once the above is complete, create a new HTTP Action in Logic Apps, completing the parameters as necessary.
Note that the URI should be: https://graph.microsoft.com/v1.0/users
Authentication type: Active Directory OAuth
Tenant: {{ your Azure AD Tenant ID }}
Audience: https://graph.microsoft.com/
Client ID: {{ your Application ID }}
Credential Type: Secret
Secret: {{ the secret you created earlier }}
You can find all the details above in the application you created.
Run Logic Apps
If everything went well, you should see a successful run.
The HTTP method we called was:
https://graph.microsoft.com/v1.0/users?
This returned the complete list of users. If we now want to narrow the list down to only users that have a Department, we need to write a query. Luckily, the Graph API supports OData query parameters.
Run Queries
By default, only a limited set of attributes is returned with each GET request. These are: businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, and userPrincipalName.
To return other attributes we need to use the OData $select query parameter. For example, to return displayName, givenName, and department, add $select=displayName,givenName,department to the query:
GET https://graph.microsoft.com/v1.0/users?$select=displayName,givenName,department
Certain properties cannot be returned within a user collection. The following properties are only supported when retrieving a single user: aboutMe, birthday, hireDate, interests, mySite, pastProjects, preferredName, responsibilities, schools, skills, mailboxSettings.
For example, if you wanted to return the Department for a given user, you would have to:
- Return the list of users:
GET https://graph.microsoft.com/v1.0/users
- Then, once you have the id or userPrincipalName, run the second query:
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,givenName,department
For the complete list of Graph API methods, go to the Microsoft Graph API doc site: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
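The same calls the Logic App HTTP Action makes, written as an added example (not from the original post) using only Python's standard library: a client-credentials token request, the /users query with $select, paging through @odata.nextLink, and keeping only users whose department is set. Tenant, client id and secret are placeholders read from the environment, and SAMPLE_PAGES is a constructed stand-in for two pages of a /users response.

```python
# Added example, not from the original post: the Graph calls the Logic App makes, driven from
# Python's standard library. Tenant, client id and secret are placeholders read from the
# environment; SAMPLE_PAGES is a constructed stand-in for two pages of a /users response.
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"
# Constructed sample: what two paged /users?$select=... responses look like.
SAMPLE_PAGES = [
    {"value": [{"displayName": "Bruce Wayne", "department": "Operations"},
               {"displayName": "Clark Kent", "department": None}],
     "@odata.nextLink": GRAPH + "/users?$select=displayName,department&$skiptoken=PLACEHOLDER"},
    {"value": [{"displayName": "Diana Prince", "department": "Legal"}]},
]

def users_url(select):
    """Build /users with an OData $select; '$' and ',' are kept literal as Graph expects."""
    return f"{GRAPH}/users?" + urllib.parse.urlencode({"$select": ",".join(select)}, safe="$,")

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request (the 'Active Directory OAuth' flow of the HTTP Action).
    The .default scope maps to the Application permissions consented on the app registration."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "grant_type": "client_credentials",
                                   "scope": "https://graph.microsoft.com/.default"}).encode()
    return urllib.request.Request(f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", data=body, method="POST")

def fetch_pages(first_url, token):
    """Yield each page of a Graph collection, following @odata.nextLink until it is absent."""
    url = first_url
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        yield page
        url = page.get("@odata.nextLink")

def users_with_department(pages):
    """Keep only users whose department is set; Graph returns null when it is empty."""
    return [u for page in pages for u in page.get("value", []) if u.get("department")]

if __name__ == "__main__":
    tenant, cid, secret = (os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"))
    with urllib.request.urlopen(token_request(tenant, cid, secret)) as resp:
        token = json.load(resp)["access_token"]
    for user in users_with_department(fetch_pages(users_url(["displayName", "department"]), token)):
        print(user["displayName"], "-", user["department"])
```

Run it with TENANT_ID, CLIENT_ID and CLIENT_SECRET set in the environment; the token call only succeeds once admin consent has been granted for an Application permission such as User.Read.All.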
Forbidden 403 – Authorization_RequestDenied
If you get the 403 Authorization_RequestDenied error, here are the things to check:
- Make sure you assigned both Delegated & Application permissions.
- Your client secret is correct.
- You have granted Admin consent on the permissions.
Final thoughts
If you need to access Microsoft Graph outside of Logic Apps, the detailed instructions can be found here: https://docs.microsoft.com/en-us/graph/auth-v2-service