Microsoft Graph is a unified REST API, exposed through a single endpoint, for accessing and managing Microsoft 365 services, including users, groups, devices, and security features. Using RESTful requests and OAuth 2.0 authentication, administrators can manage user identities, groups, and devices programmatically.

Introduction to Microsoft Graph API

Microsoft Graph API enables developers and IT administrators to interact with Microsoft 365 services using a single endpoint: https://graph.microsoft.com. It supports a wide range of functionalities, including:

  • User identity management
  • Group administration
  • Device management
  • Security and compliance monitoring
  • Entra ID (Azure AD) Object Management

To use the API, you must register an application in the Azure portal and obtain an access token using OAuth 2.0 authentication.

Setting Up Microsoft Graph API Authentication

Before making API calls, configure authentication:

  1. Register an application in Azure AD
  2. Assign the necessary permissions (e.g., User.ReadWrite.All, Group.ReadWrite.All); with the client-credentials flow used below these are application permissions, so they require admin consent, and the app should be granted only the permissions its automation actually needs
  3. Obtain an access token using OAuth 2.0

Obtaining an Access Token

Use the following request to obtain an access token via OAuth 2.0:

POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id={your_client_id}&
client_secret={your_client_secret}&
scope=https://graph.microsoft.com/.default

A successful response returns an access token:

{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "eyJ0eXA..."
}

Include this token in the Authorization header of subsequent requests. The token is valid for expires_in seconds (3600 above), so cache it and request a new one shortly before it expires rather than calling the token endpoint on every request, and keep the client secret out of source code and logs.
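The token request above, implemented as a small client with a cache that refreshes a few minutes before expiry. This is an added example, not code from the original article or from Microsoft; the transport and clock are injectable so the flow can be exercised against a fake token endpoint without network access, and the refresh margin of 300 seconds is an assumption.

```python
import json
import time
import urllib.parse
import urllib.request

# Endpoint and scope taken from the token request shown above.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body bytes, headers) for the client_credentials grant."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }
    body = urllib.parse.urlencode(form).encode("utf-8")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant_id=tenant_id), body, headers


def default_post(url, body, headers):
    """Real transport: POST the form and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TokenCache:
    """Holds one app-only access token and refreshes it before it expires."""

    def __init__(self, tenant_id, client_id, client_secret, post=default_post,
                 clock=time.time, refresh_margin=300):
        self._tenant_id = tenant_id
        self._client_id = client_id
        self._client_secret = client_secret   # never log this value
        self._post = post                     # injectable transport (fake in tests)
        self._clock = clock                   # injectable clock (deterministic tests)
        self._margin = refresh_margin         # assumed: refresh 5 minutes early
        self._token = None
        self._expires_at = 0.0
        self.requests_made = 0                # how often the token endpoint was hit

    def get_token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            url, body, headers = build_token_request(
                self._tenant_id, self._client_id, self._client_secret)
            reply = self._post(url, body, headers)
            # Entra returns "error"/"error_description" instead of a token on failure.
            if "error" in reply:
                raise RuntimeError("token request failed: %s"
                                   % reply.get("error_description", reply["error"]))
            if reply.get("token_type") != "Bearer" or "access_token" not in reply:
                raise RuntimeError("unexpected token response keys: %s" % sorted(reply))
            self._token = reply["access_token"]
            self._expires_at = now + int(reply["expires_in"])
            self.requests_made += 1
        return self._token

    def auth_header(self):
        """The header to attach to every Graph request."""
        return {"Authorization": "Bearer " + self.get_token()}
```

In production, `TokenCache("<tenant_id>", "<client_id>", secret).auth_header()` is all a caller needs; the secret should come from a vault or environment variable rather than a literal.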

Managing User Identities with Microsoft Graph API

Retrieving User Information

To get details of a specific user, use:

GET https://graph.microsoft.com/v1.0/users/{user_id}
Authorization: Bearer {access_token}

Example Response:

{
  "id": "1234-abcd",
  "displayName": "John Doe",
  "mail": "johndoe@example.com",
  "jobTitle": "Software Engineer"
}

Creating a New User

To create a new user (the password below is a placeholder; generate a unique initial password per account and leave forceChangePasswordNextSignIn set to true):

POST https://graph.microsoft.com/v1.0/users
Content-Type: application/json
Authorization: Bearer {access_token}

{
  "accountEnabled": true,
  "displayName": "Jane Doe",
  "mailNickname": "janedoe",
  "userPrincipalName": "janedoe@example.com",
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "SecureP@ssword123"
  }
}

Updating User Attributes

Modify user properties like job title or department:

PATCH https://graph.microsoft.com/v1.0/users/{user_id}
Content-Type: application/json
Authorization: Bearer {access_token}

{
  "jobTitle": "Senior Developer"
}

Deleting a User

To remove a user from the directory:

DELETE https://graph.microsoft.com/v1.0/users/{user_id}
Authorization: Bearer {access_token}

Managing Groups in Microsoft Graph API

Listing All Groups

Retrieve all groups in the directory:

GET https://graph.microsoft.com/v1.0/groups
Authorization: Bearer {access_token}

Creating a New Group

To create a security group:

POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json
Authorization: Bearer {access_token}

{
  "displayName": "Developers",
  "mailEnabled": false,
  "mailNickname": "devs",
  "securityEnabled": true
}

Adding a User to a Group

Add a user to a group using the members endpoint:

POST https://graph.microsoft.com/v1.0/groups/{group_id}/members/$ref
Content-Type: application/json
Authorization: Bearer {access_token}

{
  "@odata.id": "https://graph.microsoft.com/v1.0/users/{user_id}"
}

Removing a User from a Group

Remove a member by deleting its membership reference:

DELETE https://graph.microsoft.com/v1.0/groups/{group_id}/members/{user_id}/$ref
Authorization: Bearer {access_token}
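The user-creation and group-membership requests above, together with the pagination that listing endpoints such as GET /groups need, as one added Python example. It is not code from the original article or from Microsoft: the transport function is injectable (so the membership calls can be checked against a fake Graph), the 204 No Content status for the $ref operations is what Graph returns for them, and the password generator is an assumed replacement for the hard-coded placeholder in the page's request body.

```python
import json
import secrets
import string
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"   # base URL used by the requests above
SYMBOLS = "!@#$%^&*"


def graph_headers(token, json_body=False):
    """Authorization header for every call, plus Content-Type when a body is sent."""
    headers = {"Authorization": "Bearer " + token}
    if json_body:
        headers["Content-Type"] = "application/json"
    return headers


def default_send(method, url, headers, body):
    """Real transport: send the request and return (status, parsed JSON or None).
    urlopen raises HTTPError on 4xx/5xx, so callers see failures rather than None."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def list_all(path, token, send=default_send):
    """GET a collection and follow @odata.nextLink until the last page.

    Graph pages large collections (users, groups, devices); reading only the
    first page silently truncates an audit or membership review.
    """
    url = GRAPH + path
    items = []
    while url:
        status, payload = send("GET", url, graph_headers(token), None)
        if status != 200:
            raise RuntimeError("GET %s returned HTTP %d" % (url, status))
        items.extend(payload.get("value", []))
        url = payload.get("@odata.nextLink")   # absent on the final page
    return items


def generate_initial_password(length=20):
    """Random one-time password containing lower, upper, digit and symbol classes."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def new_user_payload(display_name, mail_nickname, upn):
    """Body for POST /users with the same shape as the page's example, but a
    freshly generated password that the user must change at first sign-in."""
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": upn,
        "passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": generate_initial_password(),
        },
    }


def add_member(group_id, user_id, token, send=default_send):
    """POST /groups/{id}/members/$ref with an @odata.id link; Graph answers 204."""
    url = "%s/groups/%s/members/$ref" % (GRAPH, group_id)
    body = {"@odata.id": "%s/users/%s" % (GRAPH, user_id)}
    status, _ = send("POST", url, graph_headers(token, json_body=True), body)
    return status == 204


def remove_member(group_id, user_id, token, send=default_send):
    """DELETE /groups/{id}/members/{user_id}/$ref; Graph answers 204."""
    url = "%s/groups/%s/members/%s/$ref" % (GRAPH, group_id, user_id)
    status, _ = send("DELETE", url, graph_headers(token), None)
    return status == 204
```

`list_all("/groups", token)` or `list_all("/devices", token)` returns the complete collection; the same loop applies to `/groups/{group_id}/members` when reviewing who holds a privileged group's membership.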

Managing Devices with Microsoft Graph API

Listing All Devices

Retrieve all devices registered in the directory:

GET https://graph.microsoft.com/v1.0/devices
Authorization: Bearer {access_token}

Registering a New Device

Devices are normally registered by the device itself or by a device-management service; when creating a device object directly, Graph also requires accountEnabled, deviceId and alternativeSecurityIds, so the body below is a minimal illustration rather than a complete request:

POST https://graph.microsoft.com/v1.0/devices
Content-Type: application/json
Authorization: Bearer {access_token}

{
  "displayName": "Laptop-12345",
  "operatingSystem": "Windows 10",
  "operatingSystemVersion": "10.0.19042"
}

Deleting a Device

DELETE https://graph.microsoft.com/v1.0/devices/{device_id}
Authorization: Bearer {access_token}

Managing Entra ID (Azure AD) Objects

Listing Directory Objects

To retrieve directory objects (users, groups, devices):

GET https://graph.microsoft.com/v1.0/directoryObjects
Authorization: Bearer {access_token}

Getting a Specific Directory Object

Retrieve details of a specific object by ID:

GET https://graph.microsoft.com/v1.0/directoryObjects/{object_id}
Authorization: Bearer {access_token}

Deleting a Directory Object

Remove an object from Entra ID:

DELETE https://graph.microsoft.com/v1.0/directoryObjects/{object_id}
Authorization: Bearer {access_token}

Conclusion

Microsoft Graph API provides a unified and efficient approach for managing user identities, groups, devices, and directory objects within Microsoft 365. By leveraging RESTful endpoints, administrators can automate key tasks such as user provisioning, group membership management, and device monitoring.

The API’s flexibility allows organizations to integrate it into their existing workflows, enabling better security and operational efficiency. With proper authentication and permissions, IT teams can scale their identity and access management efforts while maintaining compliance with organizational policies.

Whether you’re working with small-scale automation or enterprise-level identity management, Microsoft Graph API is an indispensable tool for streamlined administration.