Hi Folks. Lakshman Hariharan here with a post on a cool tool from our good friends on the Azure team called Graph Explorer. In a nutshell, the Azure AD Graph API provides programmatic access to Azure AD through REST API endpoints. Applications can use the Graph API to perform create, read, update, and delete (CRUD) operations on directory data and objects. For example, the Graph API supports the following common operations for a user object:
· Create a new user in a directory
· Get a user’s detailed properties, such as their groups
· Update a user’s properties, such as their location and phone number, or change their password
· Check a user’s group membership for role-based access
· Disable a user’s account or delete it entirely
Since I am not a programmer even under the most generous interpretation of the word, a feature called Graph Explorer that I came across recently piqued my interest. Graph Explorer, as the name suggests, allows you to explore or browse your Azure AD with absolutely no programming skills required. Several blogs already discuss what Graph Explorer is, so I intend to use this post to show you how you can, if you have an Azure AD tenant set up, start using Graph Explorer. The post is broken down into four steps.
Step 1: Log in to your Azure AD tenant using Azure Active Directory PowerShell
Step 2: Create the Service Principal (MsolServicePrincipal) and allow access to read and modify data
Step 3: Log in to Graph Explorer
Step 4: Run queries using Graph Explorer
So that being said, let’s get started. Before you can follow along with this step by step, here are a few things you will require:
1. An online Azure AD tenant set up with at least a handful of users populated either via DirSync or AADSync from your on-premises Active Directory environment.
2. An online Service Principal (MsolServicePrincipal) that has permissions to access your online Azure AD tenant.
Step 1: Log in to your Azure AD tenant using Azure Active Directory PowerShell
My online Azure AD tenant is called lhazure.com, so I used the Connect-MsolService cmdlet to connect and authenticate to Azure AD using an account that is a Global Administrator.
Step 2: Create the Service Principal (MsolServicePrincipal) and allow access to read and modify data
a. Once logged in using an account that is a Global Administrator, execute the following PowerShell cmdlet to create the new Service Principal.
This will result in something similar to the following screenshot.
Since I didn’t specify a value for the symmetric key, one was automatically generated for me.
Important: Make a note of this key and the AppPrincipalID because you will need it to log in to Graph Explorer. Also make a note of the ObjectID since you will need it to provide the Service Principal rights to Azure AD.
b. Execute the following cmdlet to give the Service Principal you created in the previous step rights in Azure AD. At the risk of stating the obvious, replace the value for RoleMemberObjectID with the ObjectID returned when you created the Service Principal. This should return a successful result.
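To put Steps 1 and 2 together in one runnable sequence, here is an added example using the MSOnline cmdlets the post names. It is not code from the original post: the display name, the service principal name and the role name are my own assumptions, and you would swap in values that fit your tenant. It also adds the check a practitioner wants after granting a role, namely confirming that the Service Principal actually shows up as a member of that role.

```powershell
# Added example, not the post's own code. Assumes the MSOnline module is installed
# and that the signed-in account is a Global Administrator.

# Step 1: connect and authenticate to Azure AD (prompts for credentials).
Connect-MsolService

# Step 2a: create the Service Principal. With -Type Symmetric and no key supplied,
# Azure AD generates a symmetric key and shows it once in the command output.
# That key is the credential you will type into Graph Explorer, so capture it
# from the output now; it is equivalent to a password and cannot be read back later.
# "GraphExplorerDemo" and the service principal name are assumed example values
# (the hostname part uses the post's tenant domain, lhazure.com).
$sp = New-MsolServicePrincipal -DisplayName "GraphExplorerDemo" `
    -ServicePrincipalNames @("GraphExplorerDemo/lhazure.com") `
    -Type Symmetric

# The two identifiers the post says to note down.
$appPrincipalId = $sp.AppPrincipalId   # entered in Graph Explorer as the app/client id
$objectId       = $sp.ObjectId         # used below as RoleMemberObjectId
$sp | Format-List DisplayName, AppPrincipalId, ObjectId

# Step 2b: grant the Service Principal a directory role. The role name is an
# assumption: "Directory Readers" is enough to browse the directory, while the
# post grants read and modify rights, which needs a role with write access
# (in MSOnline, "Company Administrator" is the Global Administrator role).
# Pick the least-privileged role that covers the queries you intend to run.
$roleName = "Directory Readers"
Add-MsolRoleMember -RoleName $roleName `
    -RoleMemberType ServicePrincipal `
    -RoleMemberObjectId $objectId

# Check: confirm the Service Principal is now listed as a member of the role.
$roleObjectId = (Get-MsolRole -RoleName $roleName).ObjectId
$member = Get-MsolRoleMember -RoleObjectId $roleObjectId |
    Where-Object { $_.ObjectId -eq $objectId }
if ($member) {
    Write-Host "OK: $($sp.DisplayName) is a member of '$roleName'."
} else {
    Write-Warning "Role assignment for $($sp.DisplayName) was not found; re-check the ObjectId."
}

# Cleanup when you are done exploring: removing the Service Principal also
# revokes the symmetric key and its role membership.
# Remove-MsolServicePrincipal -ObjectId $objectId
```

Run it in a Windows PowerShell session where the MSOnline module is available. Treat the symmetric key printed by New-MsolServicePrincipal like any other secret: store it where you keep credentials, not in a script, and remove the Service Principal once you no longer need Graph Explorer access.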