Microsoft Graph API Tutorial: Creating Azure AD App, Access Token, and Calling APIs (App Permission)

Video Statistics and Information

Captions
Okay, you might have some idea on the Graph API anyway, so now let's see how we can get the access token and try to get some data from there. So initially we will see the authentication part. There are two types of authentication: one is the delegated, user-based authentication and another one is app-only authentication. The delegated user-based authentication means, if you log into any website like Outlook or Microsoft Azure, you as a user are trying to log into that website, so that is kind of a delegated user authentication: you perform the login, you enter your credentials and try to log in. Another one is app-only authentication. Here user intervention is not required. You, like, based on your, uh, we can say, like, the application is performing an authentication on behalf of a user. For example, I have built a web application and I want to retrieve some user data, and, uh, I can just take the email ID of that user who has logged into my application and I can perform the authentication on behalf of that user and get the user details. Otherwise the user can just perform an action on my website and get his user details; that is again delegated permission.

So now let's see, initially: app-only authentication is the easiest one to implement compared to the user-only authentication, so let's see this part. In order to work with app-only authentication we need to create an application in Azure Active Directory, so let's start that. Maybe somewhere here we might get something. So here you see, initially we will register the application in the portal, so let's do that. We go to Azure Active Directory, we go to app registrations, and here we click on new application, and here we just give any name, let's say Graph Quick Start. And here, supported account types: in this case, if you are developing your application as multi-tenant, that is, multiple organizations can interact with your application, then you select this. Yes, if you are only building your application for us, your own website, for 
your own company, then you go with single tenant. If at all you are building an application for multiple organizations plus personal accounts (personal accounts here, uh, you might have heard of at the rate of hotmail.com, those all come under the personal Microsoft accounts), so if you're building for them as well, then you select the third option. So let's go ahead and click the multi-tenant, that's the easiest to do, and let's see what else is required for our application. And that is all. So currently the redirect URL is not required, because we are authenticating from the application, not as a user. If you are authenticating as a user, then once the user logs in to your application they will be redirected to this URL, whatever you specify here. That we are currently not doing, so let's register it.

So there are two main important things in order to get the access token: one is the client ID and another one is the client secret that you generate here. So let's generate a client secret. This is kind of a password for your application and this is kind of a username for your application, so using this credential you're trying to get the access token. So let's see. Along with the client ID we also need the tenant ID in order to authenticate.

Initially, the basic permission that is assigned to any application is User.Read, so that's the basic permission that is assigned, and currently it is a delegated permission. We require the application permission because we are building this application on behalf of fields. So here you see Microsoft Graph, and here you see two different types, delegated or application. So the signed-in user will be getting the access token and interacting with his or her data; that is called the delegated permission. Else, for the application permission, the application will run in the background and do all the authentication part and all, and interact with the data without the signed-in user; that's the application permissions. So here and here, here they have 
changed that to the application, so let's do that. So I'll go to application permission and let's search for user, and User.Read.All, that means read all users' full profiles. So with this permission I have access to, basically, from this application I have access to all the user data. So let's add that and let's get rid of this one. Okay, and yeah, so in order to work with the application permissions, API permissions, we require, like, the admin needs to grant the admin consent to this particular application so that it can interact with the Azure Active Directory data. See here, "not granted for JD board": that means the admin has not granted permission to this application to work with the data. So if you do not grant, you will not be able to work, basically get any data. So let's grant the permission. And now comes the client secret, that is also done. Let's move to the next part.

So this is done, let's go to the next. So this is all the C# code. So currently we will be only looking at Postman for now. Okay, app-only authentication. Yeah, so this is the endpoint, use it. Okay, this is a different score, let's see where is the endpoint. Okay, it is done using the client libraries. Let's see in the official documentation, let's go back. Yeah, here it is: authentication, and get access on behalf of a user, and get access without a user. So where we are, sorry, my bad, we are working with this one. Yeah, so on behalf of a user, it is the delegated one, I used the wrong term earlier, and this get access without a user, this is the application one.

So now let's call this particular endpoint in order to get our access token. Where is it, get access token. So let's copy this and put it here. It's a POST request, so draw access token, and it requires a tenant ID. We can hard-code it or we can create an environment in order to pass my values. So I'll create an environment and here I'll just add an environment variable as tenant ID, and the initial value, let's get it from here, that is users, oh that's a blank c, yeah this is 
the tenant ID. Okay, and we save this, and when we go back to our POST request, here we can access our environment variable using, uh, double curly bracket, that is starting, that is tenant ID. So this is how you can, like, get the data from the environment variable. So make sure the variable is defined. So it is not able to retrieve the value from my environment. In order to do that you have to go to your collection and, somewhere, environments, on the top right here, here you need to choose your environment. So I'll just choose my Graph API as the environment, and now here there is no error for the tenant ID.

All right, now let's see what all things are required in the header part. The POST we have already given in the endpoint URI. This is my host, that is not required. Okay, the content type, let's add it, and this guy, that's the value. Okay, now these POST properties are required in order to work with the application, and one is the client ID, and those are again part of the items. Let's copy all these variables and then we can initialize them with the values.

There are two types of grant type. One is the client credentials, that means you have created an application in Azure Active Directory and you are passing its credentials, that is client credential. And one more is the user credential, so that is, you are taking the user credentials and then getting their access token. So that's another one that is not secure at all, because you have to hard-code the username and their password; that is not secure. So this is also not secure, but yeah, we still use the client credentials. In order to make it more secure we save this data, you know, like in terms of, let's say, Azure, we save it in the Key Vault; that's more secure as of now.

And let's see, and we want to now store this, put the values: client ID, next is the client secret. So since I did not copy it, now I am not able to view the value, so I have to create a new one. So make sure once you are here you copy its value, because the next time when you come 
back it will not be visible to you. So that's the client secret, and the grant type is client credentials, the scope is this. All right, so now we have all the data required to get the access token, so let's run this one. So here we have invalid request: the request body must contain the following parameter, grant type. Okay, so I think I made a request mistake, so these all are part of my request body, I guess. So let's see what it's saying: the request body must contain the following parameter, grant type. Okay, let's put it here. Oh, got it, got it. So you see here, the content type we have given is x-www-form-urlencoded, so that will come as the body, and here it will come. So let's move them there and let's get rid of these guys. Let's see if it works. The provided value for scope is not valid; client credential flows must have a scope value with /.default suffixed to a resource identifier (application ID URI). Okay, and let's see, let's remove these URL-encoded values and let's try again. And there we have the access token.

Now, using this access token, this particular application, the one which we have registered in Ico, can now interact with the data using the Graph APIs. Okay, so each of the tasks that you perform using the Graph API has its own permission that you need to assign in the Azure Active Directory application here. So if you are working with Outlook then you have to give Outlook permission, if you are working with Teams you have to give Teams permission, so whatever cloud services you want to interact with, you need to get that permission set up here. The best way is, let's say, okay, let's work with users for now, that's the easiest one, and let's see what all permissions are required for the user. Default user permissions, yeah, this is the documentation that I was looking for. So here you can see all the API endpoints along with their permissions required. For example, let's go to user, and here you can see under user what all things you can perform, and yeah, it's everything 
here. Let's say create, let's use the get, and here you can see the permissions that are required to work with this particular endpoint, get user. So here they have mentioned both delegated permission and application permission. So currently we are working with the application permission, so we have already assigned this so that I can delete data. If at all I want to modify some data for a particular user I have to give this permission, and if I want to read everything in the directory then I can give this permission. Okay, and now let's see. So /me will not work because, uh, I'm not working with a delegated permission; I have to use this one, /users.

Then let's see the main endpoint that we need, use API and values of Postman, /users. Okay, that is for the access. So let me now add a new request, get user, and let me go to, maybe here only I'll get the details. Yeah, here it is, I'll copy this and put it here. Since it's a GET request, nothing is required over here, and now I have to replace this with the user ID that I want to get. So I can get the user object ID from the Azure Active Directory, so I'll copy its object ID and put it here. And another thing that is required to authenticate with this one is the access token that we have already received. So let me show you that documentation as well: in the authentication and authorization, get access without a user, get an access token, that is done. Yeah, so this is the one. So these are the two key-value pairs for the headers you need to give in order to work with this one. So you already have an access token, you copy this one and paste it there, and you have to concatenate this Bearer and the token. And next is, yeah, that is all that's required. So let's see, and here we have the user details.

Right, so this access token, I guess it is valid only for one hour, I guess, that is expires in 35.99, I think that's 10 seconds. And now let's see for the endpoints. Okay, let me close this one, and now let's see email, 
that's a good one. List messages, Mail.ReadBasic.All, let's give this permission. You search the permission which is there in the documentation here and give that permission, that's the easiest way to do it, and now let's grant the admin consent. Now let's see how we can call that. So here, in order to get a particular user's mailbox you just have to use this one. So let's see, I think arun's mailbox non-fiction but let's see. Let me duplicate this particular request. It's not duplicated, let me copy this seeds foreign Quest I guess, so let's check. No, it's a GET request, and what's the endpoint: /user/ID/messages. Then you have to just put messages here, and let's see if he has the mailbox, we should get something. I doubt it'd be acid check credentials and try again. Okay, let's see for the other user. Okay, error, access denied. I think we are missing some permissions, let's add, yeah, these two permissions read mail dot print and the three basic Mainland marketing for sales switch. Okay, let's create this delete one, and this is my endpoint, correct, ID mean users slash aren't in optional query parameters, the request body is not required. Okay, now let's see. No, still not working. Let's try to get the user details, if it is working. Okay, we are getting the user details, okay, that's fine.

Let's pick something else that we can research on that creator. What is the easiest one to pick? Most of them require a huge amount of permissions. Group, list groups, this is the one you can pick, and /group. Let's try to give these permissions on regular strength in this guy. So I just want to get the list of groups, let's see if it works. So named Roy Shang Bang regroups. Authorization request denied, insufficient privileges to complete the operation. Theory let's see mortization or dismissing. So, list all groups available in an organization, excluding dynamic distribution groups request man notification tomatoes than most heated bacon that is past consistency level and then it is better than 
counter required and using search, this we are not using. Are we using the correct endpoint, version 1.0, groups? Let's see, it works here. If I am able to get it from here, that means I'm able to get it from there as well. So this works fine, and let's see what is the access token that it has given down there, it should be present. Yeah, go to the permission, yes it is, permissions are done, maybe it takes time. Okay, let's try again, let's get a new access token and then try again. So there it is. Since we changed the permission we have to get a new access token; I think that's the problem that we were having. So here we can have the whole list of groups, and I think even the mailbox should work now, so let's say /messages, and let me change the access token here as well. And there we have some data. So yeah, so here I have all the email content available here in this request.

All right, so we are up on time. Yeah, any questions, anybody? Okay, if nothing else, we can close. Thanks everyone.
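
The token request from the walkthrough, and the reason the calls kept failing until a new token was fetched, as an added Python illustration that is not part of the video or of any Microsoft sample. App-only tokens list the granted application permissions in their `roles` claim at issue time; the helper names and the sample token below are constructed for this example, and the payload is decoded without signature verification, for troubleshooting only.

```python
import base64, json, time
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, headers, body) for the client-credentials POST.
    All four parameters go in the form-encoded body, not in the headers."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # load from a vault, never hard-code
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant=tenant_id), headers, body

def decode_claims(jwt):
    """Decode the JWT payload without verifying it (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(jwt, needed_role, now=None):
    """Explain why a Graph call with this app-only token would be refused."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return "expired: request a new token"
    if needed_role not in claims.get("roles", []):
        return "missing role: grant consent, then request a new token"
    return "ok"

def make_sample_token(roles, exp):
    """Constructed, unsigned stand-in for a real access token."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64({"roles": roles, "exp": exp}), "sig"])

if __name__ == "__main__":
    url, headers, body = build_token_request("TENANT-ID", "CLIENT-ID", "SECRET")
    print("POST", url, headers, body, sep="\n")
    old = make_sample_token(["User.Read.All"], exp=4599)  # issued before consent
    print(check_token(old, "Mail.ReadBasic.All", now=1000))
```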
Info
Channel: Dewiride Technologies
Views: 24,205
Keywords: Microsoft Graph API, Azure AD Application, Access Token, Postman, Users API, Email API, Application Permission, API Development, API Integration, REST APIs, API Programming, Microsoft APIs, Microsoft Developer Tools, Microsoft Azure, Microsoft Office 365, Microsoft Graph Explorer, API Authentication, API Authorization, API Security, API Testing, graph api, graph, azure graph
Id: NlrQ6ReYlb4
Length: 28min 42sec (1722 seconds)
Published: Thu Feb 23 2023