Handling Microsoft Graph API Auth
Aka: making secure calls to Microsoft Graph API endpoints
Microsoft Graph APIs are at the heart of everything Microsoft does, but they're not entirely straightforward to monitor or even call successfully, something even Microsoft can struggle with. Fortunately, this is a relatively easy problem to solve.
Overview
Microsoft Graph is an OAuth-based service, but it has some additional layers which mean our Wizard doesn't handle it directly "out of the box". Instead we recommend a two-stage workflow, with environment variables set for your organization or project:
Workflow 1 contains a single call which kicks off the sign-in process where you authenticate the service. It uses unique GUIDs, generated per run, that are passed to Microsoft and used in the generation of the tokens.
Workflow 2 contains a single call which obtains the access token and its expires-in timing, and sets the refresh token.
The variables this process sets will be used in our security configuration to handle ongoing authentication.
This will get you an OAuth token from Microsoft Graph, but we'll need to add a final stage to handle the refresh token cleanly and securely so you don't have to set it manually.
Basic Configuration for Microsoft Graph API Auth
In the "Environment Variables" menu set the following variables:
Client_id: the application (client) ID of your Microsoft app registration.
Client_secret: the client secret generated for that app registration. Treat it as a credential; it is what lets the token requests act as your application.
Redirect_uri: the callback that tells Microsoft where to send the user after sign-in. This will be https://client.apimetrics.io/token/callback, and it must be registered on the app registration exactly as written: Microsoft rejects authorize requests whose redirect_uri does not match a registered value.
Scope: the permissions for the service you are authenticating the call to reach. Include offline_access, otherwise Microsoft will not return a refresh token and the refresh workflow below has nothing to work with. More details can be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
Once they are set, you need to create three API calls.
Call 1, OAuth: Authorize. Using the POST method, enter the authorize request for the Microsoft sign-in endpoint; note that you don't need to put a body on this request.
This call uses two system variables we generate for you (the per-run GUIDs mentioned above) as well as the environment variables we set first.
Finally, this call needs to know to open the browser and make the authentication call, so in the META tab you need to add the following:
apimetrics:browser
Now when you run the call it will trigger the web browser to open.
Call 2, OAuth Access Token, is to be triggered AFTER you've authenticated with your login. Once it is set up, click on the CONDITIONS tab.
In the Conditions tab you'll need to set the variables we will be using for the actual calls: the access token, its expiry and the refresh token returned by Microsoft.
Call 3, Refresh Token Auth
This will be called to refresh the authentication once we have everything set up, so you don't have to worry about going in every time a token expires. The refresh response returns a new access token and expiry, and Microsoft also returns a new refresh token that should replace the old one, so this call needs to update the same variables as Call 2.
Once this is done, we recommend creating three workflows, one for each of these API calls, and naming them something like:
- Auth Step 1: (scope reference) Step 1 / 2
- Auth Step 2 (scope reference) Step 2 / 2
- OAuth: Refresh Token
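The three calls above, written out as an added example so that each step can be checked; this is not APImetrics' or Microsoft's code. It assumes the Microsoft identity platform v2.0 endpoints under login.microsoftonline.com with the "common" tenant, takes the two per-run GUIDs to be OAuth's state and nonce, and leaves the actual HTTP POST to whatever client you use (the functions return the URL and form body). The sample values in the __main__ section are constructed, not a real app registration.

```python
"""Added example: the authorize, code-exchange and refresh requests the guide
describes, plus the token bookkeeping the Conditions tab performs.

Assumed (not from the guide): Microsoft identity platform v2.0 endpoints,
'common' tenant, and that the two per-run GUIDs are OAuth state and nonce.
"""
import secrets
import time
import urllib.parse

# Assumed authority; a single-tenant app would use its tenant ID instead of 'common'.
AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"
REDIRECT_URI = "https://client.apimetrics.io/token/callback"  # from the guide


def new_state_and_nonce():
    """The two per-run values: unpredictable so a callback cannot be forged."""
    return secrets.token_urlsafe(16), secrets.token_urlsafe(16)


def authorize_url(client_id, scope, state, nonce):
    """Call 1: the browser request that starts sign-in. No body is needed;
    everything travels in the query string."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": scope,          # must include offline_access to get a refresh token
        "state": state,
        "nonce": nonce,
    }
    return AUTHORITY + "/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Read the authorization code off the redirect back to REDIRECT_URI,
    refusing it if state does not match the value we sent (CSRF on the callback)."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(query.get("error_description", query["error"])[0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not come from our authorize request")
    return query["code"][0]


def token_request(client_id, client_secret, scope, *, code=None, refresh_token=None):
    """Call 2 (code exchange) and Call 3 (refresh) are the same POST to the
    token endpoint; only grant_type and one parameter differ. Returns (url, form body)."""
    body = {"client_id": client_id, "client_secret": client_secret, "scope": scope}
    if code is not None:
        body.update(grant_type="authorization_code", code=code, redirect_uri=REDIRECT_URI)
    elif refresh_token is not None:
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        raise ValueError("need either code or refresh_token")
    return AUTHORITY + "/token", body


def store_tokens(token_response, now=None):
    """The Conditions-tab step: keep the access token, the refresh token and an
    absolute expiry. Microsoft returns 'expires_in' as seconds from now, and
    the refresh response carries a new refresh_token that replaces the old one."""
    now = time.time() if now is None else now
    return {
        "ACCESS_TOKEN": token_response["access_token"],
        "REFRESH_TOKEN": token_response.get("refresh_token"),
        "EXPIRES_AT": now + int(token_response["expires_in"]),
    }


def needs_refresh(tokens, now=None, skew=60):
    """Refresh a little before expiry so a monitored call never runs with a
    token that dies in flight."""
    now = time.time() if now is None else now
    return now + skew >= tokens["EXPIRES_AT"]


def auth_header(tokens):
    """The header every Graph call needs; this is the %%ACCESS_TOKEN%% substitution."""
    return {"Authorization": "Bearer " + tokens["ACCESS_TOKEN"]}


if __name__ == "__main__":
    # Constructed sample values, not a real app registration or real tokens.
    cid, csec, scope = "00000000-0000-0000-0000-000000000000", "example-secret", "offline_access User.Read"
    state, nonce = new_state_and_nonce()
    print(authorize_url(cid, scope, state, nonce))
    code = parse_callback(REDIRECT_URI + "?code=ABC&state=" + state, state)
    url, body = token_request(cid, csec, scope, code=code)
    # A constructed token response of the shape Microsoft returns:
    resp = {"access_token": "tok-1", "refresh_token": "rt-1", "expires_in": 3599, "token_type": "Bearer"}
    tokens = store_tokens(resp, now=1_000_000)
    print(auth_header(tokens), needs_refresh(tokens, now=1_000_000))
```

The state check in parse_callback is the part the guide's "unique GUIDs" are for: without it, anyone who can get a link clicked could hand the workflow an authorization code from a different sign-in. Storing an absolute expiry rather than the raw expires_in is what lets the refresh workflow decide when to fire without re-reading the original response.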
Next we set up the security setting and token we will use.
Configure Security Settings and Tokens
We now need to set up a way to tell the APIs you create which Auth settings to use.
APImetrics handles security separately from the API calls, so you can set up a type of authentication and a token and then apply that to lots of calls without having to create and edit the security for each different API call you monitor.
Go to Auth & Tokens in the side navigation menu. Select "Create New Authentication". Because the Microsoft Graph system is a little non-standard for an OAuth service, we're going to select "Manual Auth".
Things to note:
1) We do recommend adding the endpoint domain that this auth will apply to; this will make it easier to track moving forward.
2) Authentication Type is Manual Setup; don't use the OAuth options.
3) Select the OAuth: Refresh Token workflow.
4) It's worth filling in the metadata fields so you can easily find docs later.
5) Finally, under "Refresh Token Workflow", select the Refresh Token workflow you configured earlier.
Save the configuration.
We can now create our first token to use with this auth. All the API will need is a header set as: Authorization: Bearer <token>
Create the Token and give it a name, then select "enter values manually" and set a header with:
Authorization with the parameter Bearer %%ACCESS_TOKEN%%, which is the variable we set in the workflow we created.
Pulling It All Together
Step 1: Authenticate to the service. Run Workflow 1 / 2 and sign in to the service.
When you arrive back at the Callback screen, select Workflow 2 / 2 from the menu and run it. You should now have valid tokens!
Now go to the API call and select "RUN NOW" from the top left.
This should run and pass.
From now on we'll handle things for you: whenever the token expires, the Refresh Token workflow will be triggered in the background and will automatically update the tokens for you.
Run a Microsoft Graph API call
Create an API call to your endpoint, select your Security Method and add the name of your auth settings and the token name to use.
Click Run Now to test; it should pass.
Start Monitoring your Microsoft Graph APIs
Select Monitor and pick a schedule and off you go!