Azure Active Directory Graph Overview
Updated: May 20, 2014
Azure AD Graph provides programmatic access to Azure Active Directory (AD) through REST API endpoints. Using Azure AD Graph, developers can execute create, read, update, and delete (CRUD) operations on Azure AD objects such as users and groups. In the on-premises world, you would usually access Windows Server Active Directory programmatically by using the ADSI or ADO.NET libraries. In the cloud, you access Azure AD programmatically by using Azure AD Graph.
Azure AD Graph offers the following set of features that enable several scenarios (the scenarios are discussed in the next section):
REST API endpoints. Azure AD Graph exposes REST endpoints so that developers can consume it in their applications. Azure AD Graph conforms to OData v3 protocol, which makes it possible to consume from any modern development platform and application architecture, ranging from mobile devices to Office 365 extensions. Read more in the Azure AD Graph REST API Reference.
Azure AD Authentication. In order to execute any of the operations available through the Graph, the client needs to be authenticated first. The Graph relies on Azure AD for authentication. The Graph federates with Azure AD, which serves as a Security Token Service (STS) for client requests. Read more in Azure AD Graph Authentication.
Role-Based Authorization. Client access permissions are managed using Role-Based Access Control (RBAC). Client applications can be assigned different administrator roles that enable privileges such as read and write. Roles are managed using the Azure Management Portal, or alternatively using the Azure AD PowerShell Cmdlets and scripts. Read more in Azure AD Graph and Role-Based Access Control.
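The three features above (REST endpoints, token-based authentication against Azure AD, and role-based authorization) come together in a single client call. The following is an added example, not code from this overview or from Microsoft, that shows the two halves a client must get right: obtaining a bearer token from Azure AD with the OAuth2 client-credentials grant, and building an OData query URL whose `$filter` safely embeds caller-supplied input. The token endpoint `https://login.microsoftonline.com/{tenant}/oauth2/token`, the resource identifier `https://graph.windows.net`, and `api-version=1.6` are assumptions not stated on this page; the tenant, application id, and secret values are constructed placeholders.

```python
"""Minimal Azure AD Graph client: token request plus OData query construction.

Assumptions (not from the overview page): the OAuth2 client-credentials
endpoint https://login.microsoftonline.com/{tenant}/oauth2/token, the Graph
resource identifier https://graph.windows.net, and api-version=1.6.
"""
import json
import urllib.parse
import urllib.request
from typing import Optional

GRAPH_RESOURCE = "https://graph.windows.net"       # assumed Graph resource / token audience
LOGIN_BASE = "https://login.microsoftonline.com"   # assumed Azure AD STS base URL
API_VERSION = "1.6"                                # assumed Graph API version


def token_request(tenant: str, client_id: str, client_secret: str):
    """Return (url, form_body) for the OAuth2 client-credentials grant.

    The client secret travels only in the POST body over TLS; it is never
    placed in the URL, where it would end up in proxy and server logs.
    """
    url = f"{LOGIN_BASE}/{urllib.parse.quote(tenant, safe='')}/oauth2/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": GRAPH_RESOURCE,   # the token is scoped to the Graph only
    }
    return url, urllib.parse.urlencode(form)


def odata_literal(value: str) -> str:
    """Quote a string as an OData v3 string literal.

    Single quotes are doubled, so a caller-supplied value such as
    "x' or 1 eq 1" stays inside the literal and cannot rewrite the filter.
    """
    return "'" + value.replace("'", "''") + "'"


def graph_url(tenant: str, collection: str,
              filter_expr: Optional[str] = None, top: Optional[int] = None) -> str:
    """Build a Graph URL such as
    https://graph.windows.net/<tenant>/users?api-version=1.6&$filter=...
    The tenant is percent-encoded so it cannot inject extra path segments.
    """
    params = {"api-version": API_VERSION}
    if filter_expr:
        params["$filter"] = filter_expr
    if top is not None:
        params["$top"] = str(top)
    tenant_seg = urllib.parse.quote(tenant, safe="")
    return f"{GRAPH_RESOURCE}/{tenant_seg}/{collection}?" + urllib.parse.urlencode(params)


def user_lookup_url(tenant: str, upn: str) -> str:
    """URL that looks up one user by userPrincipalName (a people-picker query)."""
    return graph_url(tenant, "users", f"userPrincipalName eq {odata_literal(upn)}")


def get_json(url: str, bearer_token: str) -> dict:
    """Perform an authenticated GET; Graph answers 401/403 when the token is
    missing, expired, or the application's role lacks the required privilege."""
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; a real run needs a registered application.
    tenant = "contoso.onmicrosoft.com"
    url, body = token_request(tenant, "<app-id-placeholder>", "<secret-placeholder>")
    print("POST", url)
    print("users query:", user_lookup_url(tenant, "alice@contoso.com"))
    # Only performed with real credentials: tok = json.load(urlopen(Request(url, body.encode())))['access_token']
    # users = get_json(user_lookup_url(tenant, "alice@contoso.com"), tok)
```

The `odata_literal` helper is the part worth copying: any value that reaches `$filter` from a UI (a people picker, a group name) must be quoted this way, otherwise a user can widen the query beyond what the application intended. Keep the application's directory role to the least privilege the scenario needs; a read-only role is enough for lookups, and Graph will refuse writes from it.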
Azure AD Graph enables two key scenarios:
Line of Business Applications (LOB). In this scenario, you are an enterprise developer and your organization has purchased a subscription that includes Azure AD (for example, Office 365 or Windows Intune). The Office 365 functionality mostly fulfills your organization’s needs, but some needs are not covered by the service. As an enterprise developer, you need to extend the functionality of Office 365, which may require access to Azure AD objects.
Multi-Tenant Applications That Require Azure AD Access. In this scenario, you are building a multi-tenant application that requires access to a tenant’s directory data (very similar to an on-premises application that uses LDAP to query the local directory). Directory access for reading or writing data is done by calling the Graph API. Typical use cases include people pickers, validating a user’s security group membership, updating group membership, provisioning new users and groups, resetting users’ passwords, and validating a tenant’s or user’s licensing information.
Creating Reusable Features That Require Azure AD Access. In this scenario, you are an independent software vendor (ISV) that specializes in creating and selling reusable features that extend the functionality of cloud applications. As an ISV, you want to offer your customers reusable features that require access to Azure AD objects.
Explore the Guidance