
Azure AD Graph API

Updated: June 5, 2014

The Azure Active Directory Graph API provides programmatic access to Azure AD through REST API endpoints. Applications can use the Graph API to perform create, read, update, and delete (CRUD) operations on directory data and objects. For example, the Graph API supports the following common operations for a user object:

  • Create a new user in a directory

  • Get a user’s detailed properties, such as their groups

  • Update a user’s properties, such as their location and phone number, or change their password

  • Check a user’s group membership for role-based access

  • Disable a user’s account or delete it entirely

In addition to user objects, you can perform similar operations on other objects such as groups and applications. To call the Graph API on a directory, the application must be registered with Azure AD and be configured to allow read or read/write access to the directory. For more information, see Accessing the Graph API in the Adding, Updating, and Removing an Application topic.

The Graph API provides the following features:

  • REST API Endpoints: The Graph API is a RESTful service composed of endpoints that are accessed using standard HTTP requests. The Graph API supports XML or JavaScript Object Notation (JSON) content types for requests and responses. For more information, see Azure AD Graph REST API Reference.

  • Authentication with Azure AD: Every request to the Graph API must be authenticated by appending a JSON Web Token (JWT) in the Authorization header of the request. This token is acquired by making a request to Azure AD’s token endpoint and providing valid credentials. You can use the OAuth 2.0 client credentials flow, authorization code grant flow, or OpenID Connect to acquire a token to call the Graph. For more information, see Authentication Scenarios for Azure AD.

  • Role-Based Authorization (RBAC): Security groups are used to perform RBAC in the Graph API. For example, if you want to determine whether a user has access to a specific resource, the application can call the Check Group Membership (transitive) operation, which returns true or false. For more information about RBAC in Azure AD, see Authorization with Azure Active Directory.

  • Differential Query: If you want to check for changes in a directory between two time periods without having to make frequent queries to the Graph API, you can make a differential query request. This type of request will return only the changes made between the previous differential query request and the current request. For more information, see Azure AD Graph API Differential Query.

  • Directory Extensions: If you are developing an application that needs to read or write unique properties for directory objects, you can register and use extension values by using the Graph API. For example, if your application requires a Skype ID property for each user, you can register the new property in the directory and it will be available on every user object. For more information, see Azure AD Graph API Directory Schema Extensions.
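
The authentication and RBAC features above can be shown together: an application acquires a token with the OAuth 2.0 client credentials flow, sends it as a bearer token in the Authorization header, and asks the directory a transitive group-membership question to make an access decision. The following is an added example and not code from this page or from Microsoft. It assumes the client credentials request shape (POST to the tenant's oauth2/token endpoint with grant_type=client_credentials and resource=https://graph.windows.net, response carrying access_token and expires_on as a Unix timestamp) and the isMemberOf function shape as documented for graph.windows.net (POST /{tenant}/isMemberOf with groupId and memberId, response {"value": true|false}); the service itself is replaced by a constructed in-memory stand-in so the code runs offline.

```python
"""Token acquisition and a transitive group check against the Azure AD Graph API
(added example, not code from the page or from Microsoft).

Assumptions not taken from the page: the client credentials token request
(POST {login}/{tenant}/oauth2/token with grant_type=client_credentials and
resource=https://graph.windows.net, response carrying access_token and expires_on
as a Unix timestamp) and the isMemberOf function shape as documented for
graph.windows.net (POST /{tenant}/isMemberOf with {"groupId","memberId"},
response {"value": true|false}). The transport is injected, and the one used
below is a constructed in-memory stand-in, so the example runs offline.
"""
import json
import time
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qsl, urlencode

LOGIN = "https://login.microsoftonline.com"
GRAPH_RESOURCE = "https://graph.windows.net"
# transport(method, url, headers, body) -> parsed JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[str]], dict]


def build_token_request(tenant: str, client_id: str, client_secret: str):
    """URL and form body for the OAuth 2.0 client credentials grant. The body
    carries the client secret: keep it out of logs and traces."""
    url = f"{LOGIN}/{tenant}/oauth2/token"
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": GRAPH_RESOURCE})
    return url, body


class GraphClient:
    def __init__(self, tenant, client_id, client_secret, transport: Transport,
                 api_version="1.6", now=time.time):
        self._tenant, self._client_id, self._client_secret = tenant, client_id, client_secret
        self._transport, self._api_version, self._now = transport, api_version, now
        self._token: Optional[str] = None
        self._expires_on = 0.0

    def _bearer(self) -> str:
        # Reuse the cached token, but refresh a minute before expiry so a request
        # never leaves with a stale one (the service would answer 401).
        if self._token is None or self._now() >= self._expires_on - 60:
            url, body = build_token_request(self._tenant, self._client_id, self._client_secret)
            resp = self._transport("POST", url,
                                   {"Content-Type": "application/x-www-form-urlencoded"}, body)
            self._token = resp["access_token"]
            self._expires_on = float(resp["expires_on"])
        return self._token

    def is_member_of(self, member_id: str, group_id: str) -> bool:
        """Transitive membership check used as the input to an RBAC decision."""
        url = f"{GRAPH_RESOURCE}/{self._tenant}/isMemberOf?api-version={self._api_version}"
        headers = {"Authorization": "Bearer " + self._bearer(),
                   "Content-Type": "application/json", "Accept": "application/json"}
        resp = self._transport("POST", url, headers,
                               json.dumps({"groupId": group_id, "memberId": member_id}))
        # Fail closed: only an explicit true grants access; a missing or odd value denies.
        return resp.get("value") is True


class FakeAzure:
    """Constructed stand-in for the token endpoint and graph.windows.net (not a real service)."""
    MEMBERS = {"group-admins": {"user-alice"}}   # constructed transitive membership table

    def __init__(self):
        self.issued: List[str] = []
        self.clock = 1_700_000_000.0

    def __call__(self, method, url, headers, body):
        if url.endswith("/oauth2/token"):
            params = dict(parse_qsl(body))
            if params.get("grant_type") != "client_credentials" or params.get("resource") != GRAPH_RESOURCE:
                raise ValueError("400: invalid token request")
            token = f"constructed-token-{len(self.issued)}"
            self.issued.append(token)
            return {"token_type": "Bearer", "access_token": token,
                    "expires_on": str(int(self.clock + 3600))}
        # Every Graph call must carry the currently valid bearer token.
        if not self.issued or headers.get("Authorization") != "Bearer " + self.issued[-1]:
            raise PermissionError("401: missing or stale bearer token")
        if "/isMemberOf?" in url:
            req = json.loads(body)
            return {"value": req["memberId"] in self.MEMBERS.get(req["groupId"], set())}
        raise ValueError("unexpected URL " + url)


def demo() -> dict:
    az = FakeAzure()
    client = GraphClient("contoso.onmicrosoft.com", "APP-ID-PLACEHOLDER", "SECRET-PLACEHOLDER",
                         az, now=lambda: az.clock)
    first = client.is_member_of("user-alice", "group-admins")
    second = client.is_member_of("user-bob", "group-admins")     # cached token reused
    az.clock += 3600                                             # token has now expired
    third = client.is_member_of("user-alice", "group-admins")    # must refresh, not reuse
    return {"alice": first, "bob": second, "alice_after_expiry": third,
            "tokens_issued": len(az.issued)}


if __name__ == "__main__":
    print(demo())
```

Two design points matter for a production client: the token is cached and refreshed before expiry rather than requested per call, and the membership answer is treated as a deny unless it is an explicit true, so a transport error or an unexpected response body never turns into a grant.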

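The differential query feature above is easiest to understand as a sync loop: an initial request with an empty deltaLink enumerates the directory, each page may point to a next page, and the last page returns a delta link that the application stores and presents on its next run to receive only what changed since. The following is an added example, not code from this page or from Microsoft. It assumes the response shape documented for graph.windows.net differential queries (pages carry "aad.nextLink" while more pages remain and "aad.deltaLink" on the last page, and a removed object carries "aad.isDeleted": true); the sample pages are constructed and served from memory so the code runs offline.

```python
"""Differential query loop for the Azure AD Graph API (added example, not from
the page or from Microsoft).

Assumed response shape, as documented for graph.windows.net differential
queries: a page carries "aad.nextLink" while more pages remain and
"aad.deltaLink" on the last page; an object removed since the last sync carries
"aad.isDeleted": true. The transport is a constructed in-memory stand-in.
"""
from typing import Callable, Dict, List, Tuple

GRAPH = "https://graph.windows.net"
TENANT = "contoso.onmicrosoft.com"          # constructed tenant name


def initial_delta_url(tenant: str, api_version: str = "1.6") -> str:
    # An empty deltaLink asks for a full initial enumeration; the aad.deltaLink
    # on its last page is the state token for every later incremental run.
    return f"{GRAPH}/{tenant}/directoryObjects?api-version={api_version}&deltaLink="


def run_differential_query(start_url: str, fetch: Callable[[str], dict]) -> Tuple[List[dict], str]:
    """Follow aad.nextLink pages until a page carrying aad.deltaLink.
    Returns (change records, delta link to persist for the next run)."""
    changes: List[dict] = []
    url = start_url
    while True:
        page = fetch(url)
        changes.extend(page.get("value", []))
        if "aad.nextLink" in page:
            url = page["aad.nextLink"]
            continue
        # Store this link durably alongside the mirror; losing it forces a full
        # re-enumeration on the next run.
        return changes, page["aad.deltaLink"]


def apply_changes(mirror: Dict[str, dict], changes: List[dict]) -> Dict[str, dict]:
    """Apply a change batch to a local mirror keyed by objectId."""
    for obj in changes:
        oid = obj["objectId"]
        if obj.get("aad.isDeleted"):
            # Tombstone: drop the object, and with it any access derived from it.
            mirror.pop(oid, None)
            continue
        current = mirror.setdefault(oid, {})
        current.update({k: v for k, v in obj.items() if not k.startswith("aad.")})
    return mirror


# --- constructed sample pages standing in for graph.windows.net responses ----
_BASE = f"{GRAPH}/{TENANT}/directoryObjects?api-version=1.6&deltaLink="
SAMPLE_PAGES = {
    _BASE: {
        "value": [
            {"odata.type": "Microsoft.DirectoryServices.User", "objectId": "u-alice",
             "displayName": "Alice", "userPrincipalName": "alice@contoso.onmicrosoft.com"},
            {"odata.type": "Microsoft.DirectoryServices.Group", "objectId": "g-admins",
             "displayName": "Admins"},
        ],
        "aad.nextLink": _BASE + "CONSTRUCTED_PAGE2",
    },
    _BASE + "CONSTRUCTED_PAGE2": {
        "value": [
            {"odata.type": "Microsoft.DirectoryServices.User", "objectId": "u-bob",
             "displayName": "Bob", "userPrincipalName": "bob@contoso.onmicrosoft.com"},
        ],
        "aad.deltaLink": _BASE + "CONSTRUCTED_DELTA1",
    },
    # What the directory reports on the next run: Alice renamed, Bob deleted.
    _BASE + "CONSTRUCTED_DELTA1": {
        "value": [
            {"odata.type": "Microsoft.DirectoryServices.User", "objectId": "u-alice",
             "displayName": "Alice Smith"},
            {"odata.type": "Microsoft.DirectoryServices.User", "objectId": "u-bob",
             "aad.isDeleted": True},
        ],
        "aad.deltaLink": _BASE + "CONSTRUCTED_DELTA2",
    },
}


def sample_fetch(url: str) -> dict:
    """Constructed transport: looks the URL up in SAMPLE_PAGES instead of calling the service."""
    return SAMPLE_PAGES[url]


def sync_twice(tenant: str = TENANT, fetch: Callable[[str], dict] = sample_fetch):
    """Full initial sync followed by one incremental run; returns (mirror, delta link to store)."""
    mirror: Dict[str, dict] = {}
    changes, delta = run_differential_query(initial_delta_url(tenant), fetch)
    apply_changes(mirror, changes)
    changes, delta = run_differential_query(delta, fetch)
    apply_changes(mirror, changes)
    return mirror, delta


if __name__ == "__main__":
    state, link = sync_twice()
    for oid, obj in sorted(state.items()):
        print(oid, obj.get("displayName"))
    print("next deltaLink:", link)
```

Deletions deserve the most care in such a loop: an application that mirrors group membership for authorization must process the tombstone for a removed user or group promptly, because until it does the mirror still grants access the directory has withdrawn.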
The Graph API enables many application scenarios. The following scenarios are the most common:

  • Line of Business (Single Tenant) Application: In this scenario, an enterprise developer works for an organization that has an Office 365 subscription. The developer is building a web application that interacts with Azure AD to perform tasks such as assigning a license to a user. This task requires access to the Graph API, so the developer registers the single tenant application in Azure AD and configures read and write permissions for the Graph API. Then the application is configured to use either its own credentials or those of the currently signed-in user to acquire a token to call the Graph API.

  • Software as a Service Application (Multi-Tenant): In this scenario, an independent software vendor (ISV) is developing an application that provides user management features for other organizations that use Azure AD. These features require access to directory objects, and so the application needs to call the Graph API. The developer registers the application in Azure AD, configures read and write permissions for the Graph API, and then enables external access so that another organization can consent to use the application in their directory. When a user in the other organization authenticates to the application for the first time, they are shown a consent dialog that requests their permission so that the application can access the Graph API on their behalf.

See Also

© 2014 Microsoft