Query Azure Active Directory using Graph API & Logic Apps


In this post, I want to demonstrate how to get a Users Department details from Azure Active Directory using Graph API. I’ll be using Logic Apps for this demonstration, but this could very well be done using another serverless tool such as Azure Functions.

Logic Apps – OTB Connector

Out-of-the-box, the Logic Apps connector is great for very basic Azure Active Directory tasks.

I’m going to demonstrate what is returned using the built-in Get group members Action.

The idea is simple – set up a simple Scheduled Trigger with the Action: Get group members.

The Group ID is the Object Id in Azure Active Directory.

Once successfully triggered, the output should be as follows:

    "@odata.type": "#microsoft.graph.user",
    "id": "3f9632a5-cf42-4d48-9a96-176bffbfb50d",
    "businessPhones": [
    "displayName": "Bruce Wayne",
    "givenName": "Bruce",
    "jobTitle": null,
    "mail": "Bruce.Wayne@eax360.com",
    "mobilePhone": "+44 0771013000",
    "officeLocation": null,
    "preferredLanguage": "en-GB",
    "surname": "Hussain",
    "userPrincipalName": "Bruce.Wayne@eax360.com"

As you can see from the above, only very basic information is provided. There is no ‘Department’ information listed here.

Luckily Microsoft Graph API can be used to query Active Directory.

HTTP Graph API Queries

The steps to complete this are a little more involved. Here is the general outline. We’re going to use Microsoft API Graph to make HTTP GET Requests. We’ll process those requests in Azure Logic Apps. The steps are as follows:

  1. Create a new Azure AD App registration.
  2. Grant API permissions.
  3. Generate a Client Secret.
  4. Build the new Logic App.

Create a new Azure AD App registration

Simply go to Azure Active Directory and create a new Application Registration.

For this example, I called my App Logic-Apps AAD User Retrieval.

Grant API permissions

To grant API permission go to the API permissions setting in your APP.

Add Permissions and then select Graph API.

You’ll then be presented with the Request API permissions screen. It’s best practice to only provide the least permissions. To see the list of Graph API permissions go to the Microsoft Graph documentation site: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0

In this example, I’ll be calling the following API methods:

  1. List users
  2. Get user
  3. Get delta

For these Methods my Application needs the following permissions:

Permission typePermissions (from least to most privileged)
Delegated (work or school account)User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Delegated (personal Microsoft account)Not supported.
ApplicationUser.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

Add each permission one at a time. The final result should look something like:

Save changes and Grant Admin Consent.

Generate a Client Secret

Generate a Client secret and keep this value safe. Note that for production scenarios I suggest using the Certificate option.

Once the secret has been created, take note of this. The next step is to create an HTTP Action.

HTTP Request Action

Once the above has been complete, create a new HTTP Action in Logic Apps, completing the parameters as necessary.

Note that the URI should be: https://graph.microsoft.com/v1.0/users.

Authentication type: Active Directory OAuth

Tenant: {{ your Azure AD Tenant ID }}

Audience: https://graph.microsoft.com/

Client ID: {{ your Application ID}}

Credential Type: Secret

Secret: {{ The secret you created earlier }}

You can find all the details above in the application you created.

Run Logic Apps

If everything turned out well, what you should see is a successful execution.

The HTTP Method we called was:


This returned the complete list of Users. If we now want to narrow down the list to return only Users that have a Department, we need to write a query. Luckily Graph API  supports the OData Query Parameters.

Run Queries

By default, only a limited set of attributes are returned with each GET request. These are: businessPhonesdisplayNamegivenNameidjobTitlemailmobilePhoneofficeLocationpreferredLanguagesurname, and userPrincipalName.

To return other attributes we need to use the OData $select query parameter.

E.g., to return displayNamegivenName, and department, add the following to the query $select=displayName,givenName,department.

GET https://graph.microsoft.com/v1.0/users?$select=displayName,givenName,department

Certain properties cannot be returned within a user collection. The following properties are only supported when retrieving a single useraboutMebirthdayhireDateinterestsmySitepastProjectspreferredNameresponsibilitiesschoolsskillsmailboxSettings.

For example, if you wanted to return the Department for a given User. You would have to:

Return the list of Users.

GET https://graph.microsoft.com/v1.0/users

Then once you have the id or userPrincipalName, run the second query:

https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,givenName,department

For the complete list of Graph API methods, go to the Microsoft Graph API doc site: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0

Forbidden 403 – Authorization_RequestDenied

If you get the error below, here are the things to check:

  1. Make sure you assigned both Delegated & Application Permissions.
  2. Your secret key is correct.
  3. You have granted Admin consent on the permissions.

Final thoughts

If you need to access Microsoft Graph outside of Logic Apps, the detailed instructions can be found here: https://docs.microsoft.com/en-us/graph/auth-v2-service

Leave a comment