Collection of useful Graph API calls

Table of contents

Accessing the Graph API
Graph Explorer
Postman
Power Automate
Sample requests
List Microsoft 365 groups
Search users that have not signed in since a specified time
Search for old files in Microsoft 365
Search for files with refinables from SPO search schema
Search for old files with specific retention label applied
Getting current license subscriptions

☝

TL;DR - Graph is everywhere in Microsoft 365. Graph is the foundational API that provide information, data and insights within Microsoft 365. While the Graph API is already inside most applications, you can use the Graph API for custom automation as well.

Accessing the Graph API

Quick explanation: To access graph api endpoints you will need permissions. Some endpoints are available to you by default, some only with special permissions that you have to grant access for. Delegated permissions always run in the user context. If you don’t have access administratively to that endpoint you are trying to use, the request will fail. Application permissions grant access to certain endpoint independent of the user context. Even if you don’t have administrative access,to lets say Microsoft Purview, sending request to the service using application permissions will work fine.

🚨

Always work with least privileged access! If it works with delegated permissions, thats amazing. Only give out applications permissions if necessary or when the access is read only.

Graph Explorer

A web based tool (like Postman) but specifically made for the Graph API.

https://developer.microsoft.com/en-us/graph/graph-explorer

You can work with sample data, I recommend signing in with your work account. With that being said, your IT might restrict signing into Graph Explorer, which is fine.

You will start with default delegated permissions. Once you come to a point where default permissions are not enough, the explorer will tell you. You can then request more permissions. Depending on the request permissions, you will need an approval from an IT administrator for Microsoft 365.

Postman

You will need to create an app registration to use this method. You can use delegated or application permissions. For delegated permissions you will need to add a few extra steps in Postman.

More coming some day.

Power Automate

You can use the HTTP action (requires premium subscription) or third-party HTTP actions like the one from Encodian (requires a subscription with Encodian) to send requests to the Graph API. The Third-Party Encodian action will be the cheaper option, with the same functionality.

You will need to create an app registration to use this method. You can use delegated or application permissions. For delegated permissions you will need to add a few extra steps in your Flow.

More coming some day.

Sample requests

List Microsoft 365 groups

Method: GET
//Shows all Microsoft 365 groups up to 999 at a time. If you have more than 99 groups you will have the option to navigate multiple pages
URI: https://graph.microsoft.com/v1.0/groups?$filter=groupTypes/any(c:c+eq+'Unified')&$top=999

//include the sensitivity label information by using the assignedLabels property
URI: https://graph.microsoft.com/v1.0/groups?$select=displayName,assignedLabels,groupTypes&$filter=groupTypes/any(c:c+eq+'Unified')&$top=999

Search users that have not signed in since a specified time

Requires the AuditLog.Read.All permission. This filter cannot be combined with any other filters. Therefore, you will need to filter later in your flow or application.

Within the object of signInActivity are more properties available. All are described here: https://learn.microsoft.com/en-us/graph/api/resources/signinactivity?view=graph-rest-1.0

Method: GET
URI: https://graph.microsoft.com/v1.0/users?$select=signInActivity,userPrincipalName,userType&$filter=signInActivity/lastSuccessfulSignInDateTime le 2025-01-01T00:00:00Z

Search for old files in Microsoft 365

This will look for all documents (OneDrive or SharePoint) that were modified before 1st of January 2025 by the user with the name Alex Wilber. Make sure to change the name (Alex Wilber) in the queryString to your name. Adjust the LastModifiedTime to your needs.

https://learn.microsoft.com/en-us/graph/search-concept-files#example-6-specify-select-properties

Method: POST
Uri: https://graph.microsoft.com/v1.0/search/query
Body:
{
    "requests": [
        {
            "entityTypes": [
                "driveItem"
            ],
            "query": {
                "queryString": "LastModifiedTime<2025-01-01 AND isDocument=true"
            },
      "fields": [
          "title",
          "path",
          "LastModifiedTime",
          "Editor"
      ],
            "sortProperties": [
          {
              "name": "LastModifiedTime",
              "isDescending": false
          }
      ],"size":500
        }
    ]
}

Search for files with refinables from SPO search schema

Yes, Graph search supports tenant - level search schema. Therefore, make sure to map your metadata to tenant level refinables instead of site level refinables. With Managed Metadata from the term store use the ows_taxId property and map it to any refinablestring.

Source 1: https://learn.microsoft.com/en-us/graph/api/resources/searchrequest?view=graph-rest-1.0

Source 2: https://learn.microsoft.com/en-us/graph/search-concept-files

Method: POST
Uri: https://graph.microsoft.com/v1.0/search/query
Body:
{
    "requests": [
        {
            "entityTypes": [
                "listItem"
            ],
            "query": {
                "queryString": "isDocument=true"
            },
      "fields": [
          "title",
          "path",
          "LastModifiedTime",
          "Author",
          "Editor",
          "RefinableString06"
      ],
            "sortProperties": [],
            "size":500
        }
    ]
}

Search for old files with specific retention label applied

{
    "requests": [
        {
            "entityTypes": [
                "driveItem"
            ],
            "query": {
                "queryString": "LastModifiedTime<2015-11-27 AND ComplianceTag:Unclassified"
            },
      "fields": [
          "Id",
          "eTag",
          "cTag",
          "title",
          "path",
          "Created",
          "createdDateTime",
          "LastModifiedTime",
          "lastModifiedDateTime",
          "ComplianceTag",
          "sharepointIds",
          "createdBy",
          "lastModifiedBy",
          "parentReference"
      ],
            "sortProperties": [
          {
              "name": "LastModifiedTime",
              "isDescending": false
          }
      ],
      "size":50,
      "region": "EMEA"
        }
    ]
}

Getting current license subscriptions

Organization.ReadAll

Method: GET
Uri: https://graph.microsoft.com/v1.0/directory/subscriptions

❤️ Thanks for reading.