Microsoft Graph API & Development — Complete Guide
Graph Fundamentals · Authentication · OData Queries · Webhooks · Delta Query · Batch API · SDKs · Scenarios · Cheat Sheet
Table of Contents
- Core Concepts — Basics
- Authentication & Authorisation
- OData Queries & Key Endpoints
- Advanced Graph Features
- Graph SDKs & Power Platform Integration
- Scenario-Based Questions
- Cheat Sheet — Quick Reference
1. Core Concepts — Basics
What is Microsoft Graph and what problem does it solve?
Microsoft Graph is a unified REST API providing access to data, relationships, and intelligence across all Microsoft 365 services through a single endpoint: https://graph.microsoft.com.
The problem it solved — before Graph:
- Each service had its own API: Exchange → EWS, SharePoint → CSOM/REST, Azure AD → AAD Graph, Teams → Teams API, OneDrive → its own endpoint
- Developers had to learn multiple auth models, endpoint patterns, and SDKs per service
- Cross-service scenarios (create a Teams meeting + add to calendar + notify by email) required calls to multiple separate APIs
With Microsoft Graph:
- Single endpoint: one URL, one SDK, one auth flow for all M365 services
- Rich relationships: traverse entity relationships — user → mailbox → messages → attachments, user → joined Teams → channels → messages
- Intelligence layer: access M365 AI insights — trending documents, people you work with, meeting insights
What Graph covers: Users, Groups, Mail, Calendar, Contacts, Teams, SharePoint, OneDrive, Planner, To-Do, OneNote, Security, Identity, Intune, Compliance, Reports, and more.
What are the two versions of Microsoft Graph API?
| Version | Endpoint | Use |
|---|---|---|
| v1.0 | https://graph.microsoft.com/v1.0/ |
Stable, production-ready, backward compatibility guaranteed. Use for all production apps. |
| beta | https://graph.microsoft.com/beta/ |
Preview APIs under development. May change without notice. Prototyping only — never production. |
Warning: Using beta APIs in production is a common and dangerous mistake. If a beta API changes or is removed, your production application breaks without warning.
What are delegated permissions vs application permissions?
Delegated permissions: app acts on behalf of a signed-in user. App can only do what the user can do — user's permissions are the ceiling.
Application permissions: app acts as itself with no user context. Can access all tenant data for the granted scope. Admin consent required.
Delegated (user context):
→ Requires a signed-in user
→ Token contains user claims
→ Access scoped to what the signed-in user can access
→ Consent: user or admin can consent
→ Use for: apps with interactive user sign-in
→ Example: GET /me/messages ← signed-in user's emails only
Application (service/daemon):
→ No user — app authenticates with its own identity
→ Token contains app claims (no user)
→ Access to ALL tenant data in the granted scope
→ Consent: ADMIN ONLY
→ Use for: background services, automation, scheduled jobs
→ Example: GET /users/{userId}/messages ← any user's emails
Critical: Application permissions are extremely powerful
Mail.Read (application) = read EVERY mailbox in the entire tenant
Always apply least privilege — request minimum permissions needed
Critical: Admin consent is required for ALL application permissions. Never grant broader permissions than the app actually needs.
What is Graph Explorer?
Graph Explorer (developer.microsoft.com/graph/graph-explorer) is a web-based tool for exploring and testing Graph API calls without writing code.
Key features:
- Sign in with your M365 account to run real calls against your tenant
- Library of 200+ sample queries across all workloads
- Request builder with headers and request body
- Full JSON response viewer with syntax highlighting
- Permissions panel — see required permissions, consent for testing
- Code snippets — auto-generate code in C#, JavaScript, Java, Python, PowerShell, Go
2. Authentication & Authorisation
What OAuth 2.0 flows are used for Microsoft Graph?
Auth Code Flow (delegated — web apps with user sign-in):
1. User clicks Sign In → app redirects to Entra ID login
2. User authenticates + consents to permissions
3. Entra ID returns authorisation code to redirect URI
4. App exchanges code for access token + refresh token
5. App calls Graph: Authorization: Bearer {access_token}
6. Token expires → refresh token used silently for new access token
→ Use for: web apps, mobile apps with user context
Client Credentials Flow (application — no user):
1. App authenticates to Entra ID with client ID + client secret/certificate
2. Entra ID returns access token (no user claims)
3. App calls Graph: Authorization: Bearer {access_token}
→ Use for: background services, daemons, scheduled jobs
Device Code Flow (delegated — devices without browser):
1. App requests device code from Entra ID
2. App shows user a code + URL (microsoft.com/devicelogin)
3. User opens URL on another device, enters code, authenticates
4. App polls Entra ID until auth complete
→ Use for: CLIs, IoT devices, scripting tools (PnP PowerShell uses this)
On-Behalf-Of (OBO) Flow (delegated — API calling Graph for a user):
1. User authenticates to API A
2. API A calls Graph on behalf of user using OBO
3. Graph sees original user identity in the token
→ Use for: middle-tier APIs that call Graph with user context
How do you register an app to call Microsoft Graph?
Steps:
1. Azure Portal → Entra ID → App registrations → New registration
→ Set: name, supported account types, redirect URI
2. Note credentials from Overview:
Application (client) ID: unique app identifier in Entra ID
Directory (tenant) ID: your Entra ID tenant identifier
3. Create credentials (Certificates & Secrets):
→ Client secret: simple but requires rotation
→ Certificate: recommended for production — more secure
4. Configure permissions (API permissions):
→ Add permission → Microsoft Graph
→ Select: Delegated permissions OR Application permissions
→ Choose required scopes
5. Grant admin consent:
→ Required for application permissions and high-privilege delegated scopes
→ "Grant admin consent for [tenant]" button
Token endpoint:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
Scope formats:
https://graph.microsoft.com/.default ← all granted permissions
https://graph.microsoft.com/User.Read ← specific delegated scope
https://graph.microsoft.com/Mail.Send ← specific delegated scope
What is MSAL and why should you use it?
MSAL (Microsoft Authentication Library) is Microsoft's official library for authenticating with Entra ID and acquiring tokens. Available for .NET, JavaScript/Node.js, Python, Java, Go, iOS, Android.
Why use MSAL over raw HTTP:
- Token caching: automatically caches and reuses tokens until expiry
- Token refresh: silently refreshes expired tokens — no user re-prompt
- Multiple flow support: handles Auth Code, Client Credentials, Device Code, OBO flows
- Conditional Access handling: detects claims challenges and triggers re-authentication
- Security built-in: implements PKCE, state parameter, nonce automatically
// MSAL Node.js — Client Credentials (app-only):
const msal = require('@azure/msal-node');
const config = {
auth: {
clientId: process.env.CLIENT_ID,
authority: `https://login.microsoftonline.com/${process.env.TENANT_ID}`,
clientSecret: process.env.CLIENT_SECRET
}
};
const cca = new msal.ConfidentialClientApplication(config);
const tokenResponse = await cca.acquireTokenByClientCredential({
scopes: ['https://graph.microsoft.com/.default']
});
const accessToken = tokenResponse.accessToken;
// Use in: Authorization: Bearer {accessToken}
3. OData Queries & Key Endpoints
What are the OData query parameters in Microsoft Graph?
$select — choose which fields to return (always use this!):
GET /me/messages?$select=subject,from,receivedDateTime,isRead
→ Returns only those fields, not the full ~40-property message object
$filter — filter results:
GET /users?$filter=department eq 'Finance'
GET /me/messages?$filter=isRead eq false and importance eq 'high'
GET /groups?$filter=startswith(displayName,'Sales')
GET /me/events?$filter=start/dateTime ge '2025-01-01T00:00:00Z'
$orderby — sort results:
GET /me/messages?$orderby=receivedDateTime desc
GET /users?$orderby=displayName asc
$top — limit results returned:
GET /users?$top=50
GET /me/messages?$top=25
$expand — include related entities inline:
GET /me/messages?$expand=attachments
GET /groups?$expand=members($select=displayName,mail)
GET /users/{id}?$expand=manager($select=displayName,mail)
$count — include total count:
GET /users?$count=true
(Requires header: ConsistencyLevel: eventual)
$search — full-text search:
GET /me/messages?$search="project proposal"
GET /users?$search="displayName:John"
Tip: Always use
$selectin production — the default response returns every property. This dramatically reduces payload size and improves performance at scale.
How does pagination work in Microsoft Graph?
When results exceed the page size, Graph returns an @odata.nextLink property containing the URL for the next page.
// Pagination loop (JavaScript):
let url = 'https://graph.microsoft.com/v1.0/users?$top=100&$select=displayName,mail';
let allUsers = [];
while (url) {
const response = await graphClient.api(url).get();
allUsers = allUsers.concat(response.value);
url = response['@odata.nextLink'] || null;
}
console.log(`Total users: ${allUsers.length}`);
Key pagination rules:
- Never construct pagination URLs manually — always use
@odata.nextLinkas-is $skiptokenvalues are opaque — never parse or modify them$skip + $topis NOT reliable for large datasets — usenextLink- Some endpoints have max
$topvalues (messages: 1000 max, users: 999 max)
What are the most important Graph endpoints?
Identity / Users:
GET /me ← signed-in user profile
GET /users ← all users in tenant
GET /users/{id} ← specific user
GET /users/{id}/manager ← user's manager
GET /users/{id}/directReports ← direct reports
GET /users/{id}/memberOf ← groups/roles user belongs to
GET /me/photo/$value ← profile photo (binary)
Mail:
GET /me/messages ← inbox messages
POST /me/sendMail ← send email
GET /me/mailFolders ← folder list
PATCH /me/messages/{id} ← update (e.g., mark read)
Calendar:
GET /me/events ← calendar events
POST /me/events ← create meeting/event
GET /me/calendarView?startDateTime=&endDateTime= ← events in range
Teams:
GET /me/joinedTeams ← teams I'm member of
GET /teams/{id}/channels ← team channels
POST /teams/{id}/channels/{id}/messages ← send channel message
GET /chats/{id}/messages ← chat messages
SharePoint / OneDrive:
GET /me/drive ← my OneDrive
GET /me/drive/root/children ← root folder contents
GET /sites/{siteId}/drives ← SharePoint document libraries
GET /sites/{siteId}/lists ← SharePoint lists
GET /sites/{siteId}/lists/{listId}/items ← list items
Groups:
GET /groups ← all M365 + security groups
POST /groups ← create group
GET /groups/{id}/members ← group members
POST /groups/{id}/members/$ref ← add member to group
Reports (admin only — Reports.Read.All):
GET /reports/getEmailActivityCounts(period='D30')
GET /reports/getTeamsUserActivityCounts(period='D30')
GET /reports/getSharePointSiteUsageDetail(period='D30')
What is the difference between /me and /users/{id}?
/me — delegated tokens only:
→ Shortcut for the signed-in user
→ Only works when a user is signed in
→ Returns data for the authenticated user
GET /me/messages ← my emails
GET /me/events ← my calendar
GET /me/drive ← my OneDrive
/users/{id} — delegated OR application tokens:
→ Explicitly specifies a user by ID or UPN
→ Required for daemon apps and admin scenarios
GET /users/alice@contoso.com/messages ← Alice's emails
GET /users/{objectId}/events ← specific user's calendar
Application permission scenarios always use /users/{id}:
→ Background compliance scanning of all mailboxes
→ Admin reporting tool reading all user profiles
→ Provisioning service creating calendar events for onboarded users
4. Advanced Graph Features
What are Microsoft Graph change notifications (webhooks)?
Change notifications allow your application to receive real-time notifications when M365 resources change — instead of polling repeatedly.
1. Register a subscription:
POST https://graph.microsoft.com/v1.0/subscriptions
{
"changeType": "created,updated,deleted",
"notificationUrl": "https://yourapp.com/webhook",
"resource": "/me/messages",
"expirationDateTime": "2025-04-01T00:00:00Z",
"clientState": "secretClientState"
}
2. Validate endpoint (Graph sends validation request):
POST https://yourapp.com/webhook?validationToken=abc123
→ Your endpoint MUST echo back validationToken within 10 seconds
3. Receive change notifications:
{
"value": [{
"subscriptionId": "...",
"changeType": "created",
"resource": "users/abc/messages/xyz",
"clientState": "secretClientState",
"resourceData": { "@odata.type": "#microsoft.graph.message", "id": "xyz" }
}]
}
4. Fetch the changed resource:
GET /me/messages/xyz
Key requirements:
→ Subscriptions expire (max 4,230 minutes for most resources)
→ Renew before expiry: PATCH /subscriptions/{id}
→ Always validate clientState on incoming notifications (security)
→ Respond 202 Accepted immediately, then process async
→ Rich notifications: include resource data in the payload
Tip: Always respond 202 Accepted immediately — then process the notification asynchronously. Slow responses cause Graph to mark your endpoint unhealthy and stop sending notifications.
What is Microsoft Graph Delta Query?
Delta Query returns only the changes (new, updated, deleted items) since the last call — without re-fetching the full dataset.
Initial full sync:
GET /users/delta?$select=displayName,mail,department
Response includes:
{
"@odata.deltaLink": "https://graph.microsoft.com/v1.0/users/delta?$deltatoken=abc123",
"value": [ ...all users... ]
}
→ Store the deltaLink token
Incremental sync (call every 15 minutes):
GET https://graph.microsoft.com/v1.0/users/delta?$deltatoken=abc123
→ Returns ONLY users added, updated, or deleted since last call
→ Provides new deltaLink token for next call
Deleted items appear as:
{ "id": "xyz", "@removed": { "reason": "deleted" } }
Resources supporting delta:
users, groups, messages, events, contacts,
directoryObjects, teams, channels, driveItems
Use cases:
→ User provisioning: sync new/changed/deleted users to HR system
→ Calendar sync: get only new/changed meetings
→ Teams membership: track who joined/left teams
→ Mail processing: process only new emails since last run
Tip: Delta Query is the correct answer to any "how do you efficiently sync M365 data to an external system" question. Never poll the full resource list — use delta for incremental changes only.
What is the Microsoft Graph Batch API?
The Batch API combines up to 20 individual Graph requests into a single HTTP request — reducing round trips.
POST https://graph.microsoft.com/v1.0/$batch
{
"requests": [
{
"id": "1",
"method": "GET",
"url": "/me/profile"
},
{
"id": "2",
"method": "GET",
"url": "/me/messages?$top=5&$select=subject,from"
},
{
"id": "3",
"method": "GET",
"url": "/me/joinedTeams"
}
]
}
Response:
{
"responses": [
{ "id": "1", "status": 200, "body": { ...profile... } },
{ "id": "2", "status": 200, "body": { ...messages... } },
{ "id": "3", "status": 200, "body": { ...teams... } }
]
}
Batch API rules:
- Up to 20 requests per batch
- Each request is independent — one failure doesn't affect others
- Responses may be out of order — matched by
idfield - Dependency chaining via
"dependsOn": ["1"]for sequential operations - All requests use the same auth token
How do you handle throttling in Microsoft Graph?
Throttling occurs when too many requests are made in a short period. Graph returns 429 Too Many Requests with a Retry-After header.
// Exponential backoff with Retry-After:
async function callGraphWithRetry(url, headers, maxRetries = 5) {
for (let attempt = 0; attempt < maxRetries; attempt++) {
const response = await fetch(url, { headers });
if (response.status !== 429) {
return await response.json();
}
const retryAfter = parseInt(response.headers.get('Retry-After') || '30');
const backoff = Math.pow(2, attempt) * 1000;
const delay = Math.max(retryAfter * 1000, backoff);
console.log(`Throttled. Retrying after ${delay}ms (attempt ${attempt + 1})`);
await new Promise(resolve => setTimeout(resolve, delay));
}
throw new Error('Max retries exceeded — request consistently throttled');
}
Prevention strategies:
- Always use
$selectto reduce response payload - Use Delta Query instead of full re-fetch
- Use Batch API to consolidate requests
- Implement request queuing with rate limiting
- Distribute large jobs across time periods (avoid bursts)
5. Graph SDKs & Power Platform Integration
What are the Microsoft Graph SDKs?
| SDK | Language | Package |
|---|---|---|
| Graph SDK for .NET | C#, F#, VB.NET | Microsoft.Graph + Azure.Identity |
| Graph JavaScript SDK | Node.js, browser | @microsoft/microsoft-graph-client + @azure/msal-node |
| Graph SDK for Python | Python | msgraph-sdk + azure-identity |
| Graph SDK for Java | Java, Android | microsoft-graph + azure-identity |
| Graph PowerShell SDK | PowerShell | Microsoft.Graph module |
// C# Graph SDK — app-only (client credentials):
using Azure.Identity;
using Microsoft.Graph;
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(credential);
var users = await graphClient.Users.GetAsync(config => {
config.QueryParameters.Select = new[] { "displayName", "mail", "department" };
config.QueryParameters.Filter = "department eq 'Finance'";
config.QueryParameters.Top = 50;
});
foreach (var user in users.Value) {
Console.WriteLine($"{user.DisplayName} - {user.Mail}");
}
// JavaScript SDK — delegated:
const { Client } = require('@microsoft/microsoft-graph-client');
const graphClient = Client.initWithMiddleware({ authProvider });
const messages = await graphClient
.api('/me/messages')
.select('subject,from,receivedDateTime,isRead')
.filter('isRead eq false')
.top(25)
.get();
What is the Microsoft Graph PowerShell SDK?
The Graph PowerShell SDK replaces the deprecated Azure AD PowerShell (AzureAD) and MSOnline (MSOL) modules.
# Install and connect:
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"
# Users:
Get-MgUser -UserId "alice@contoso.com"
Get-MgUser -Filter "department eq 'Finance'" -Select DisplayName,Mail
New-MgUser -DisplayName "Bob Smith" -MailNickname "bsmith" -AccountEnabled $true ...
Update-MgUser -UserId $userId -Department "Engineering"
# Groups:
Get-MgGroup -Filter "startswith(displayName,'Sales')"
Add-MgGroupMember -GroupId $groupId -DirectoryObjectId $userId
Remove-MgGroupMemberByRef -GroupId $groupId -DirectoryObjectId $userId
# Mail:
Get-MgUserMessage -UserId $userId -Filter "isRead eq false" -Top 25
# Migration from deprecated modules:
# AzureAD module → Microsoft.Graph PowerShell SDK
Get-AzureADUser → Get-MgUser
New-AzureADUser → New-MgUser
Get-AzureADGroup → Get-MgGroup
Add-AzureADGroupMember → Add-MgGroupMember
# MSOnline module → Microsoft.Graph PowerShell SDK
Get-MsolUser → Get-MgUser
Warning: Azure AD PowerShell (AzureAD module) and MSOnline (MSOL) are fully deprecated as of March 2025. All scripts must be migrated to Microsoft.Graph PowerShell SDK — a critical migration point for every M365 admin.
How do you use Microsoft Graph in Power Automate?
Option 1: HTTP with Azure AD connector (recommended):
Action: HTTP
Method: GET
URI: https://graph.microsoft.com/v1.0/users?$select=displayName,mail
&$filter=department eq 'Finance'
Authentication: Active Directory OAuth
Tenant: [tenant ID]
Audience: https://graph.microsoft.com
Client ID: [app registration client ID]
Secret: [from Key Vault reference]
→ Follow with Parse JSON to work with response
Option 2: Office 365 Users connector (standard — no premium):
→ Get user profile, manager, direct reports, search users
→ No premium licence required
→ Limited to user-related operations only
Office 365 Users in Power Apps:
Office365Users.UserProfile("alice@contoso.com").DisplayName
Office365Users.ManagerV2({userId: User().Email}).DisplayName
Office365Users.DirectReports(User().Email)
6. Scenario-Based Questions
Scenario: Build a user provisioning system syncing Azure AD users to an external HR database.
-
App registration: application permission
User.Read.All. Certificate authentication (not client secret) for production. Admin consent granted. -
Initial full sync:
GET /users/delta?$select=displayName,mail,department,jobTitle,accountEnabledProcess all users. Store the final
@odata.deltaLinktoken in your database. -
Incremental sync (scheduled every 15 minutes):
GET /users/delta?$deltatoken={stored_token}Process only changed/added/deleted users. Update stored token.
-
Deletion handling: when
@removedappears → mark user inactive in HR system. -
Pagination: follow
@odata.nextLinkuntil all results retrieved before storing the final deltaLink. -
Error handling: exponential backoff for 429 responses. Dead-letter queue for failed sync items with retry logic.
Scenario: Build a Teams bot that notifies a channel when a new SharePoint list item is created.
-
App registration: permissions
Sites.Read.All+ChannelMessage.Send -
Subscribe to SharePoint list changes:
POST /subscriptions { "changeType": "created", "notificationUrl": "https://yourbot.azurewebsites.net/webhook", "resource": "/sites/{siteId}/lists/{listId}/items", "expirationDateTime": "2025-04-30T00:00:00Z", "clientState": "mySecretState" } -
Webhook endpoint: validate
clientState. Respond202 Acceptedimmediately. Process async. -
Fetch the new item:
GET /sites/{siteId}/lists/{listId}/items/{itemId}?$expand=fields -
Post to Teams channel:
POST /teams/{teamId}/channels/{channelId}/messages { "body": { "contentType": "html", "content": "<b>New item:</b> {item.fields.Title}" } } -
Subscription renewal: Azure Function timer — renew subscriptions before expiry using
PATCH /subscriptions/{id}.
Scenario: Send an email with attachments using Microsoft Graph.
Permission: Mail.Send (delegated = user's own email, application = any user's email)
POST /users/{userId}/sendMail
{
"message": {
"subject": "Q1 Project Update",
"body": {
"contentType": "HTML",
"content": "<h1>Q1 Update</h1><p>Please see attached.</p>"
},
"toRecipients": [
{ "emailAddress": { "address": "alice@contoso.com", "name": "Alice" } }
],
"ccRecipients": [
{ "emailAddress": { "address": "manager@contoso.com" } }
],
"attachments": [
{
"@odata.type": "#microsoft.graph.fileAttachment",
"name": "Q1_Report.pdf",
"contentType": "application/pdf",
"contentBytes": "base64EncodedFileContent=="
}
],
"importance": "high"
},
"saveToSentItems": true
}
For large attachments (> 3MB):
POST /me/messages/{id}/attachments/createUploadSession
→ Upload in chunks up to 4MB each
→ Better reliability for large files
Scenario: Build an M365 usage reporting dashboard.
-
Permission:
Reports.Read.Allas application permission (admin consent required) -
Available report endpoints:
GET /reports/getEmailActivityCounts(period='D30') GET /reports/getTeamsUserActivityCounts(period='D30') GET /reports/getSharePointSiteUsageDetail(period='D30') GET /reports/getOneDriveActivityUserDetail(period='D30') GET /reports/getM365AppUserDetail(period='D30') GET /reports/getMailboxUsageDetail(period='D30') -
Response format: CSV by default. Pass
Accept: application/jsonheader for JSON. -
Privacy note: user display names are anonymised by default. Enable "Display concealed user, group, and site names in reports" in M365 Admin → Settings → Reports to show real names.
-
Power BI integration: use Power BI's built-in M365 Usage Analytics template or import JSON reports for custom dashboards.
7. Cheat Sheet — Quick Reference
Permission Quick Reference
Permission type: Delegated Application
User context: Required None (no user)
Token contains: User + app claims App claims only
Consent: User or admin ADMIN ONLY
Use for: Interactive apps Background services
Max scope: What user can do All tenant data
Common delegated scopes:
User.Read → read signed-in user's profile
Mail.Read → read signed-in user's email
Mail.Send → send mail as signed-in user
Calendars.ReadWrite → manage signed-in user's calendar
Sites.Read.All → read all SharePoint sites
Group.Read.All → read all groups
Common application scopes:
User.Read.All → read all users in tenant
Mail.Read → read ALL mailboxes in tenant
Calendars.Read → read ALL calendars in tenant
Sites.Read.All → read all SharePoint content
Reports.Read.All → read M365 usage reports
OData Quick Reference
Filter operators:
eq, ne, gt, ge, lt, le → equals, not-equals, comparison
and, or, not → logical operators
startswith(prop, 'value') → string starts with
endswith(prop, 'value') → string ends with
contains(prop, 'value') → string contains
Common filter patterns:
$filter=department eq 'Finance'
$filter=isRead eq false
$filter=startswith(displayName,'J')
$filter=createdDateTime ge '2025-01-01T00:00:00Z'
$filter=assignedLicenses/any(x:x/skuId eq {skuGuid})
Combine parameters:
/users?$select=displayName,mail&$filter=department eq 'IT'&$orderby=displayName&$top=50
Webhook Subscription Limits
Resource Max expiration
Messages (mail) 4,230 minutes (~3 days)
Calendar events 4,230 minutes
Users / Groups (directory) 41,760 minutes (~29 days)
Teams channels / chats 60 minutes
SharePoint list items 4,230 minutes
driveItem (OneDrive/SPO) 4,230 minutes
Renewal: PATCH /subscriptions/{id}
{ "expirationDateTime": "new-expiry-datetime" }
Best practice: renew at 75% of subscription lifetime
Schedule a timer function to check and renew all active subscriptions
Delta Query Support
Supports delta:
/users/delta → user provisioning sync
/groups/delta → group membership sync
/me/messages/delta → incremental mail processing
/me/events/delta → calendar sync
/me/contacts/delta → contacts sync
/directoryObjects/delta → all directory changes
/teams/delta → Teams changes
/sites/{id}/lists/{id}/items/delta → SharePoint list sync
deltaLink: use to get changes since last call
nextLink: use to page through large initial sync
@removed: indicates deleted item { "reason": "deleted" | "changed" }
Graph SDK Comparison
.NET SDK:
Install-Package Microsoft.Graph Azure.Identity
var client = new GraphServiceClient(credential);
var users = await client.Users.GetAsync(...);
JavaScript SDK:
npm install @microsoft/microsoft-graph-client @azure/msal-node
const client = Client.initWithMiddleware({ authProvider });
const result = await client.api('/users').select('displayName').get();
Python SDK:
pip install msgraph-sdk azure-identity
client = GraphServiceClient(credentials=credential, scopes=scopes)
users = await client.users.get()
PowerShell SDK:
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUser -Filter "department eq 'Finance'"
Top 10 Tips
-
Single endpoint, one auth flow — Graph's key value proposition over pre-Graph era.
https://graph.microsoft.comcovers all M365 services. Demonstrate you understand this unification. -
v1.0 for production, beta never in production — beta APIs can change or be removed without notice. Always a key rule to state in any Graph API design discussion.
-
Application permissions require admin consent — and give access to ALL tenant data in the granted scope. Always request minimum permissions (least privilege). This shows security awareness.
-
Always use $select — the default response returns every property.
$selectdramatically reduces payload size and improves performance at scale. Mention this in every query discussion. -
Delta Query for sync, not full re-fetch — the correct answer to any "how do you sync M365 data to an external system" question. Initial full sync + incremental delta = efficient synchronisation.
-
Change notifications over polling — webhooks push changes to your app in real time. Polling the API every minute is wasteful and gets throttled. Always recommend change notifications for event-driven scenarios.
-
202 Accepted immediately, then process async — webhook endpoints must respond within a few seconds. Never do synchronous processing in the webhook handler — queue the work and process it asynchronously.
-
Retry-After header on 429 — always honour the
Retry-Aftervalue from throttled responses. Implement exponential backoff. Ignoring throttle responses is a common production bug. -
Azure AD PowerShell is deprecated (March 2025) — AzureAD and MSOnline modules are dead. All admin scripts must use Microsoft.Graph PowerShell SDK. Knowing this migration is critical for admin.
-
Graph Explorer is your best friend — being fluent in Graph Explorer demonstrates practical experience immediately. Know how to use the sample queries, permissions panel, and code snippet generation.
