Microsoft Graph

App

Configuration

  1. Configure Settings (register your application in Azure)

  2. Add MSGRAPH_GROUP_NAME_TO_SYNC to settings/base.py:

    MSGRAPH_GROUP_NAME_TO_SYNC = get_env_variable("MSGRAPH_GROUP_NAME_TO_SYNC")
    

This is the name of the Azure AD group to synchronise, e.g. kbuk in this screenshot:

_images/2022-05-25-azure-ad-group-name.png

Diagnostics

See the Microsoft Graph reference for error responses and resource types.

Here is an example error:

format 500: The operation has timed out. ('generalException')

The Microsoft Graph error responses and resource types reference describes generalException as "An unspecified error has occurred."

Management Commands

To run update_microsoft_graph_users (from msgraph.service):

django-admin update-microsoft-graph-users

The update-microsoft-graph-users management command will:

  1. Retrieve all users from the Graph API

  2. Select the list of users to synchronise by finding the members of the Active Directory group (settings.MSGRAPH_GROUP_NAME_TO_SYNC).

  3. Add the users to the MicrosoftGraphUser model.

  4. If a user has been removed from Active Directory, then the MicrosoftGraphUser record will be soft-deleted.

  5. Retrieve all user managers from the Graph API

  6. Add the managers to the MicrosoftGraphUserSupervisor model.

To download the Microsoft Graph users to a CSV file:

django-admin microsoft-graph-users-as-csv

To download the Microsoft Graph groups to a CSV file:

django-admin microsoft-graph-groups-as-csv

Pagination

Paging Microsoft Graph data in your app https://docs.microsoft.com/en-us/graph/paging

Example diff https://gitlab.com/kb/msgraph/-/commit/b12a03bb1d174b94cd9a3a28d3303dc88de89c25
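As an added example (not the project's own code), this shows how step 2 (finding the group members) and step 4 (soft-deleting users who have left the group) of the management command can be built on the @odata.nextLink paging described above. The URLs, GROUP-ID, sample members and fake_get are constructed stand-ins; a real run would use an authenticated HTTP client.

```python
from typing import Callable, Dict, Iterator, List, Set

# Constructed sample responses keyed by URL: two pages of group members,
# chained by "@odata.nextLink" in the shape Graph returns them.
MEMBERS_URL = "https://graph.microsoft.com/v1.0/groups/GROUP-ID/members?$top=2"
PAGE2_URL = MEMBERS_URL + "&$skiptoken=page2"
SAMPLE_PAGES = {
    MEMBERS_URL: {
        "value": [
            {"userPrincipalName": "alice@example.com", "displayName": "Alice"},
            {"userPrincipalName": "bob@example.com", "displayName": "Bob"},
        ],
        "@odata.nextLink": PAGE2_URL,
    },
    PAGE2_URL: {
        "value": [{"userPrincipalName": "carol@example.com", "displayName": "Carol"}],
    },
}


def fake_get(url: str) -> dict:
    """Stand-in for an authenticated GET; swap in a real HTTP client."""
    return SAMPLE_PAGES[url]


def iter_pages(url: str, get: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every item across all pages, following @odata.nextLink until absent."""
    seen: Set[str] = set()
    while url:
        if url in seen:  # defensive: a malformed or replayed link must not loop forever
            raise RuntimeError(f"nextLink cycle at {url}")
        seen.add(url)
        page = get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # missing on the last page


def plan_sync(members: List[dict], existing: Set[str]) -> Dict[str, Set[str]]:
    """Decide which usernames to create and which to soft-delete.

    `existing` holds the usernames of the active MicrosoftGraphUser rows.
    Anyone no longer in the group is soft-deleted rather than removed, so
    the record (and its history) is kept while access is withdrawn.
    """
    current = {m["userPrincipalName"].lower() for m in members}
    stored = {u.lower() for u in existing}
    return {"create": current - stored, "soft_delete": stored - current}
```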

URLs

from django.conf.urls import include, url

# Mount the msgraph app's URL configuration under /microsoft/graph/
urlpatterns = [
    url(regex=r"^microsoft/graph/", view=include("msgraph.urls")),
]

Template (Settings)

{% block content %}
  <div class="pure-g">
    {% include 'msgraph/_settings.html' %}
  </div>
{% endblock content %}

Settings

  1. Register an application with the Microsoft identity platform

    e.g. for an app called ticket-3597-v1:

_images/msgraph-overview.png _images/msgraph-redirect-uris.png

  2. Under the application's API permissions page, choose Add a permission, select Microsoft Graph, and then choose the permissions your app requires under Application permissions:

_images/2021-08-19-api-permissions-with-group.png

Note

The User.Read permission does not need to be selected; it is added automatically as a delegated permission when you select User.ReadWrite.

Note

If you change permissions, users and/or admins will have to consent even if they have done so previously.

Tip

19/08/2021: the group permissions were added to allow us to sync user permissions from Active Directory.

  3. Under the application's Certificates & secrets page, in the Client secrets section, create a New client secret:

_images/msgraph-client-secret.png

Warning

I think you only get a single chance to copy this secret!

  4. Copy the Application (client) ID and client secret to your environment, e.g.:

    # .private
    set -x MSGRAPH_APPLICATION_ID "6731de76-14a6-4931de76-14a6-49ae"
    set -x MSGRAPH_CLIENT_SECRET "the-client-secret"
    
  5. Browse to Settings, Microsoft Graph, Get Consent

_images/msgraph-settings-get-consent.png

  6. Make a note of the Redirect URI for the next step:

_images/msgraph-get-consent.png

  7. Under the application's Authentication page, in the Redirect URIs section, set the redirect URI for your web site.

_images/msgraph-redirect-uri.png

Tip

The Redirect URI is displayed on your web site under Settings, Microsoft Graph, Get Consent.