This chapter covers Microsoft 365 Admin APIs and the Microsoft Graph API basics, which are essential for automating administration and integrating applications with Microsoft 365. On the MS-900 exam, approximately 5-10% of questions touch on administration tools and APIs, focusing on understanding the purpose of Graph API, its role in automation, and the available admin portals. You'll learn the key concepts, how Graph API works, and how it differs from other admin interfaces, preparing you to answer scenario-based questions about automation and integration.
Imagine you have a universal remote that can control every device in your smart home: lights, thermostat, security cameras, door locks, and entertainment system. Each device has its own proprietary remote and app, but the universal remote uses a single unified interface and a common language (infrared codes) to send commands. When you press 'Away Mode' on the universal remote, it sends a sequence of commands: turn off all lights, set thermostat to eco mode, arm security cameras, lock doors, and turn off TV. The remote doesn't care about the make or model of each device; it just sends the standardized command and the device interprets it. Similarly, Microsoft Graph API provides a single RESTful endpoint that can interact with a multitude of Microsoft 365 services—Exchange Online, SharePoint Online, Teams, Azure AD, OneDrive, and more. Instead of learning separate APIs for each service, developers use one unified API. When an application sends a request to Graph API (e.g., to create a Teams meeting), Graph translates that request into the appropriate calls to the underlying service (Exchange calendar for the meeting, Teams for the channel, etc.) and returns a consistent JSON response. The universal remote analogy breaks down slightly because Graph also provides a rich query language and can combine data from multiple services in a single request, like a smart remote that can execute macros across different devices simultaneously.
What is Microsoft Graph API?
Microsoft Graph API is the unified RESTful API endpoint (https://graph.microsoft.com/v1.0) that provides programmatic access to Microsoft 365 data and services. It consolidates multiple APIs from Exchange Online (formerly EWS), SharePoint Online (CSOM), Azure AD (Azure AD Graph), and other services into a single endpoint with a consistent authentication and query model. The exam expects you to understand that Graph API is the recommended way to access Microsoft 365 data for automation, reporting, and application development.
Why Microsoft Graph Exists
Before Graph, developers had to learn and authenticate separately for each service: Exchange Web Services (EWS) for mail, SharePoint Client Object Model (CSOM) for files, Azure AD Graph for directory, etc. This was cumbersome, inconsistent, and required managing multiple tokens. Graph was introduced to unify these APIs under a single RESTful interface, using OAuth 2.0 for authentication and providing a common schema (the Microsoft Graph metadata). The key driver was to enable 'write once, integrate everywhere'—an application can query a user's calendar, emails, and files in a single request using expand queries.
How Graph API Works Internally
#### Authentication and Authorization
Every request to Graph API requires an OAuth 2.0 access token. The token is obtained from Azure AD (now Microsoft Entra ID) by registering an application in the Azure portal. The app specifies permissions (delegated or application) and the token includes claims that define what the app can access. For example, an app with delegated Mail.Read permission can read the signed-in user's mail. The token is passed in the Authorization header as Bearer <token>. Graph validates the token and checks permissions before processing the request.
#### RESTful Endpoints
Graph API uses standard HTTP methods (GET, POST, PUT, PATCH, DELETE) and JSON responses. Resources are organized hierarchically: /users/{id}, /users/{id}/messages, /groups/{id}/members, etc. The API supports OData query parameters like $filter, $select, $expand, $top, $skip, and $orderby. For example:
```http
GET https://graph.microsoft.com/v1.0/users?$filter=department eq 'Sales'&$select=displayName,mail
```

This returns only the display name and email of users in the Sales department.
#### Batch Requests
For efficiency, Graph supports batch requests that combine multiple operations into a single HTTP call. A batch request is a POST to $batch with a JSON payload containing individual requests. Each request can depend on previous ones using @odata.id references. This is crucial for applications that need to perform multiple operations, like creating a user and assigning a license in one call.
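The chunking into batches of at most 20 and the per-item triage of a $batch response, as an added Python example (not from the chapter or from Microsoft's SDKs); it also covers the "batches of 20" provisioning scenario described later in the chapter. The 45 sample items, the response payload and the password value are constructed placeholders.

```python
# Per-batch request limit the chapter cites for the v1.0 $batch endpoint.
BATCH_LIMIT_V1 = 20


def user_create_item(upn: str, display_name: str, initial_password: str) -> dict:
    """One POST /users operation in $batch form (relative URL, body inline).
    The password comes from the caller (a generator or vault), never from code."""
    return {
        "method": "POST",
        "url": "/users",
        "headers": {"Content-Type": "application/json"},
        "body": {
            "accountEnabled": True,
            "displayName": display_name,
            "mailNickname": upn.split("@")[0],
            "userPrincipalName": upn,
            "passwordProfile": {"forceChangePasswordNextSignIn": True,
                                "password": initial_password},
        },
    }


def build_batches(items: list[dict], limit: int = BATCH_LIMIT_V1) -> list[dict]:
    """Chunk operations into $batch payloads of at most `limit` entries.
    Ids are unique within a batch so responses can be matched back to requests."""
    batches = []
    for start in range(0, len(items), limit):
        chunk = items[start:start + limit]
        batches.append({"requests": [dict(item, id=str(i + 1))
                                     for i, item in enumerate(chunk)]})
    return batches


def triage_batch_response(sent: dict, received: dict) -> dict:
    """Classify each item by its own status: a 200 on the $batch call itself
    says nothing about the items, and a throttled item (429) carries its own
    Retry-After header that must be honoured before that item is resent."""
    by_id = {req["id"]: req for req in sent["requests"]}
    result = {"created": [], "retry": [], "failed": []}
    for resp in received["responses"]:
        upn = by_id[resp["id"]]["body"]["userPrincipalName"]
        status = resp["status"]
        if status == 201:
            result["created"].append(upn)
        elif status == 429:
            wait = int(resp.get("headers", {}).get("Retry-After", "1"))
            result["retry"].append((upn, wait))
        else:
            code = resp.get("body", {}).get("error", {}).get("code", str(status))
            result["failed"].append((upn, status, code))
    return result


# Constructed sample: 45 new hires (placeholder password) and a made-up
# $batch response for the first chunk: 18 created, one throttled, one conflict.
SAMPLE_ITEMS = [user_create_item(f"user{n}@contoso.example", f"User {n}",
                                 "REPLACE-WITH-GENERATED-PASSWORD") for n in range(1, 46)]
SAMPLE_BATCHES = build_batches(SAMPLE_ITEMS)
SAMPLE_RESPONSE = {"responses": (
    [{"id": str(i), "status": 201, "body": {}} for i in range(1, 19)]
    + [{"id": "19", "status": 429, "headers": {"Retry-After": "7"}, "body": {}}]
    + [{"id": "20", "status": 409, "body": {"error": {"code": "SampleConflict"}}}]
)}
```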
Key Components and Values
Endpoint versions: v1.0 (generally available) and beta (preview). The exam may ask whether beta endpoints are recommended for production; they are not.
Permissions: Delegated (user context) vs. Application (app-only). The exam tests understanding that application permissions require admin consent and are used for daemon apps.
Throttling: Graph has throttling limits to prevent abuse. Limits vary by service; for example, Exchange Online allows 10,000 requests per 10 minutes per app per tenant. The exam might ask what happens when throttled: HTTP 429 response with a Retry-After header.
Delta query: Allows applications to track changes over time without fetching full data. Uses delta function (e.g., /users/delta). The exam may ask about its purpose: efficient synchronization.
Microsoft Graph SDKs: Available for .NET, JavaScript, Java, Python, etc. They simplify authentication and request building.
Admin APIs Beyond Graph
While Graph is the primary API, there are other admin APIs for specific scenarios:
- Microsoft 365 Admin Center API: For admin tasks like user creation performed through the admin center UI. This is not a separate API; the web interface calls Graph behind the scenes.
- Office 365 Management APIs: Used for security and compliance scenarios (e.g., auditing logs, alerts). They have their own endpoint: https://manage.office.com.
- Azure AD PowerShell and CLI: Not APIs per se, but command-line tools that use Graph or Azure AD Graph. The exam may test that Azure AD PowerShell is being replaced by Microsoft Graph PowerShell.
How to Verify and Configure
To test Graph API, you can use the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer), which allows you to sign in and make requests interactively. To register an app:
1. Go to Azure AD > App registrations > New registration.
2. Specify name, supported account types, and redirect URI.
3. Under API permissions, add Graph permissions (e.g., User.Read.All).
4. For application permissions, click 'Grant admin consent'.
5. Use the client ID and secret (or certificate) to get a token.
Example PowerShell script to get a token:

```powershell
# Client credentials grant: the app authenticates as itself (no signed-in user).
# Replace the placeholder values; the secret belongs in a vault, not in the script.
$body = @{
    client_id     = "your-client-id"
    client_secret = "your-secret"
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}
$response = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/your-tenant-id/oauth2/v2.0/token" -Body $body
$accessToken = $response.access_token
```

Then use the token in a request:

```powershell
# Every Graph call carries the token as a Bearer token in the Authorization header.
$headers = @{
    Authorization = "Bearer $accessToken"
}
$users = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users" -Headers $headers
```

Interaction with Related Technologies
Graph API is deeply integrated with Azure AD for authentication and with Power Automate and Logic Apps for low-code automation. For example, a Power Automate flow can trigger on a new email (via Graph) and create a SharePoint list item. The exam may ask about scenarios where Graph is used instead of custom code: using Power Automate with Graph connector. Additionally, Microsoft 365 admin centers (Teams admin center, Exchange admin center) all use Graph behind the scenes. Understanding that Graph is the backbone of Microsoft 365 automation is key.
Common Exam Traps
Confusing Graph API with Azure AD Graph: Azure AD Graph is deprecated; Microsoft Graph is the replacement. The exam may have a question asking which API to use for new development.
Thinking Graph API can only access one service at a time: Actually, a single query can traverse multiple services via $expand (e.g., get user and their direct reports).
Misunderstanding permissions: Delegated permissions require a signed-in user; application permissions run in the background. The exam might ask which type is needed for a daemon app.
Assuming all Microsoft 365 data is accessible via Graph: Not all data is available; some services like Yammer have limited Graph support. The exam may ask about limitations.
Specific Numbers and Defaults
Rate limits: Vary by resource; for example, /users has a limit of 5,000 requests per 10 seconds per app per tenant. The exam may not require memorizing exact numbers but understanding that throttling exists.
Batch request limits: Maximum 20 individual requests per batch (v1.0) and 100 in beta.
Pagination: Default page size for most resources is 100 items. Use $top to adjust (max 999). @odata.nextLink indicates more pages.
Token expiration: Default token lifetime is 60 minutes for client credentials grant, 1 hour for authorization code flow. Refresh tokens last 90 days of inactivity.
Step-by-Step: Using Graph API to Create a User
1. Register an application in Azure AD with User.ReadWrite.All application permission.
2. Get an access token using client credentials flow.
3. Send a POST request to https://graph.microsoft.com/v1.0/users with JSON body:

```json
{
  "accountEnabled": true,
  "displayName": "John Doe",
  "mailNickname": "johndoe",
  "userPrincipalName": "johndoe@contoso.com",
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "xWwvJ]6NMw+bwh-d"
  }
}
```

4. Handle response: HTTP 201 Created with user object. If throttled, receive 429 and retry after suggested delay.
5. Verify: Use GET /users/johndoe@contoso.com.
This process is fundamental for automation scenarios tested on the exam.
Register Application in Azure AD
In the Azure portal, navigate to Azure Active Directory > App registrations > New registration. Provide a name (e.g., 'Automation App'), select supported account types (typically 'Accounts in this organizational directory only' for single-tenant), and optionally set a redirect URI (e.g., 'https://localhost' for testing). Upon creation, note the Application (client) ID and Directory (tenant) ID. Then, go to 'API permissions' and add Microsoft Graph permissions. For automated scenarios, choose 'Application permissions' (e.g., User.ReadWrite.All). Click 'Grant admin consent' to activate. This step is critical because without proper registration and consent, the app cannot authenticate. The exam may test that admin consent is required for application permissions.
Obtain OAuth 2.0 Access Token
Using the client credentials grant flow, the application authenticates with Azure AD to get an access token. Send a POST request to the OAuth 2.0 token endpoint: `https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token` with body containing `client_id`, `client_secret` (or certificate), `scope=https://graph.microsoft.com/.default`, and `grant_type=client_credentials`. The response includes an `access_token` (valid for 60 minutes by default) and a `token_type` of 'Bearer'. This token proves the app's identity and permissions. The exam may test that the token must be sent in the Authorization header of subsequent Graph requests. If the secret expires, the token request fails. The token itself is a JWT containing claims like 'roles' (the permissions).
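An added Python diagnostic (not from the chapter) that decodes the JWT payload to check the claims this section names before a Graph call is made: the audience, the expiry and the `roles` claim that carries application permissions. The sample token is constructed with a placeholder signature and is never verified; Graph's own signature check is what enforces validity, this only explains a coming 401 or 403 in advance.

```python
import base64
import json
import time
from typing import Optional

# Audience values identifying Microsoft Graph in an Entra-issued token:
# the resource URI and Graph's well-known application id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT
    verified here; Graph does that server-side. This is a client-side
    diagnostic for the 401/403 cases the chapter describes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_token(claims: dict, required_role: str,
                    now: Optional[float] = None) -> list[str]:
    """List reasons Graph would reject an app-only token: wrong audience or
    expiry (401), or the needed application permission missing from `roles`
    (403). A delegated flow yields `scp` instead of `roles`, which is the
    'delegated permission on a daemon app' misconfiguration."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not Microsoft Graph (401)")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired (401)")
    roles = set(claims.get("roles", []))
    if not roles and "scp" in claims:
        problems.append("token carries delegated scopes (scp), not application "
                        "roles; switch to application permissions (403)")
    elif required_role not in roles:
        problems.append(f"{required_role} not in roles; add the permission and "
                        "grant admin consent (403)")
    return problems


def make_unsigned_sample(claims: dict) -> str:
    """Constructed JWT with a placeholder signature, for offline testing only.
    Graph would reject it; it exists to exercise the checks above."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


# Constructed sample: audience is Graph, but only User.Read.All was consented.
SAMPLE_NOW = 1_700_000_000
SAMPLE_TOKEN = make_unsigned_sample({"aud": "https://graph.microsoft.com",
                                     "exp": SAMPLE_NOW + 3600,
                                     "roles": ["User.Read.All"]})

if __name__ == "__main__":
    for problem in check_app_token(decode_jwt_claims(SAMPLE_TOKEN),
                                   "User.ReadWrite.All", SAMPLE_NOW):
        print("-", problem)
```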
Construct and Send Graph API Request
With the access token, the app builds an HTTP request to the desired Graph endpoint. For example, to list users: `GET https://graph.microsoft.com/v1.0/users` with header `Authorization: Bearer {token}`. The request can include OData query parameters. The app must use the correct HTTP method: GET for read, POST for create, PATCH for update, DELETE for remove. The Graph API validates the token, checks that the required permission is granted (e.g., User.Read.All for GET /users), and processes the request. If the permission is missing, Graph returns HTTP 403 Forbidden. If the token is expired, Graph returns HTTP 401 Unauthorized. The exam may test that the app must handle these errors gracefully.
Process JSON Response
Graph API returns data in JSON format. For a GET request, the response includes a `value` array containing the requested objects, and possibly `@odata.nextLink` if pagination is needed. The app must parse the JSON and iterate through pages by following `@odata.nextLink` until it is null. For a POST request, the response is HTTP 201 Created with the created object in the body. The app should check the HTTP status code: 200 OK for successful GET, 201 for creation, 204 No Content for successful DELETE or PATCH. The exam may ask about pagination: the default page size is 100 items; use `$top` to change it (max 999).
Handle Throttling and Errors
If the app exceeds rate limits, Graph returns HTTP 429 Too Many Requests with a `Retry-After` header indicating seconds to wait. The app must implement retry logic with exponential backoff. Common errors: 400 Bad Request (malformed request), 403 Forbidden (insufficient permissions), 404 Not Found (resource doesn't exist), 409 Conflict (e.g., duplicate userPrincipalName). The app should log errors and optionally notify an admin. The exam may test that the app should respect `Retry-After` and not simply retry immediately. Additionally, some errors are transient (e.g., 503 Service Unavailable) and should be retried.
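The pagination and throttling handling described in the last two sections, as an added Python example (not the chapter's code): one function that follows `@odata.nextLink`, sleeps for `Retry-After` on 429 and 503 with exponential backoff as the fallback when the header is missing, and does not retry 401 or 403. The `FakeGraph` transport and its two pages are constructed stand-ins for the real endpoint.

```python
import time
from typing import Callable

# A transport performs one GET and returns (status, headers, json_body). It is
# injected so the retry and paging logic can run offline against a fake.
Transport = Callable[[str, dict], tuple[int, dict, dict]]

MAX_ATTEMPTS = 5
TRANSIENT = {429, 503}  # the statuses the chapter says should be retried


def graph_get_all(url: str, token: str, transport: Transport,
                  sleep: Callable[[float], None] = time.sleep) -> list[dict]:
    """Fetch every item behind a Graph collection URL: follow @odata.nextLink
    until it is absent, wait Retry-After seconds on 429/503 (exponential
    backoff if the header is missing), and never retry 401/403, which need a
    new token or consent rather than patience."""
    headers = {"Authorization": f"Bearer {token}"}
    items: list[dict] = []
    next_url = url
    while next_url:
        for attempt in range(MAX_ATTEMPTS):
            status, resp_headers, body = transport(next_url, headers)
            if status == 200:
                items.extend(body.get("value", []))
                next_url = body.get("@odata.nextLink")  # absent on the last page
                break
            if status in TRANSIENT:
                wait = float(resp_headers.get("Retry-After", 2 ** attempt))
                sleep(wait)  # never retry immediately
                continue
            raise RuntimeError(f"Graph returned HTTP {status} for {next_url}")
        else:
            raise RuntimeError(f"gave up after {MAX_ATTEMPTS} attempts on {next_url}")
    return items


class FakeGraph:
    """Constructed stand-in for Graph: two pages of users, the second page
    throttled once before it is served. Records the sleeps it caused."""

    def __init__(self) -> None:
        self.calls = 0
        self.sleeps: list[float] = []
        base = "https://graph.microsoft.com/v1.0/users"
        self.pages = {
            base + "?$top=2": {"value": [{"displayName": "A"}, {"displayName": "B"}],
                               "@odata.nextLink": base + "?$skiptoken=page2"},
            base + "?$skiptoken=page2": {"value": [{"displayName": "C"}]},
        }

    def transport(self, url: str, headers: dict) -> tuple[int, dict, dict]:
        assert headers["Authorization"].startswith("Bearer ")
        self.calls += 1
        if "skiptoken" in url and self.calls == 2:
            return 429, {"Retry-After": "3"}, {"error": {"code": "TooManyRequests"}}
        return 200, {}, self.pages[url]

    def sleep(self, seconds: float) -> None:
        self.sleeps.append(seconds)


def demo() -> tuple[list[str], list[float]]:
    """Run the paging client against the fake; returns (names, sleeps)."""
    fake = FakeGraph()
    users = graph_get_all("https://graph.microsoft.com/v1.0/users?$top=2",
                          "placeholder-token", fake.transport, fake.sleep)
    return [u["displayName"] for u in users], fake.sleeps


if __name__ == "__main__":
    print(demo())  # (['A', 'B', 'C'], [3.0])
```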
In a large enterprise with 50,000 users, the IT team needs to automate user provisioning from an HR system (e.g., Workday) to Microsoft 365. They build a custom .NET application that uses Microsoft Graph API with application permissions (User.ReadWrite.All, Directory.ReadWrite.All). The app runs as a scheduled task every hour, fetching new hires from Workday via an API, then calling Graph to create users in Azure AD and assign licenses (using POST /users and POST /users/{id}/assignLicense). They also use delta queries to sync changes (e.g., department updates) without re-fetching all users. A common issue is throttling: the app sends too many concurrent requests and gets 429 errors. The solution is to implement a batch processing system that sends requests in batches of 20 (the batch limit) and respects Retry-After. They also use the $batch endpoint to combine multiple user creations into a single HTTP call, reducing load.

Another scenario: A SaaS application wants to read Teams messages for compliance monitoring. The vendor registers a multi-tenant app and requests admin consent from each customer. They use the beta endpoint for Teams messages (since v1.0 does not support all Teams features). However, the exam warns that beta endpoints are subject to change; the vendor must be prepared for breaking changes. They also implement delta queries to track new messages efficiently.

Misconfiguration example: An admin grants User.Read.All delegated permission but the app runs as a background service (no user signed in). The token request fails because delegated permissions require a user context. The admin must switch to application permissions and re-consent. Another common mistake: forgetting to grant admin consent for application permissions; the app gets 403 Forbidden even with the correct token. The exam tests that admin consent is a separate step after adding permissions.
The MS-900 exam (Objective 4.2) focuses on understanding the purpose and capabilities of Microsoft Graph API, not on coding details. Key areas:
- What Graph API is: The unified API for accessing Microsoft 365 data. Wrong answers often say it's only for Exchange or SharePoint.
- Authentication: Requires Azure AD OAuth 2.0 tokens. Common wrong answer: using username/password in the request. The exam tests that you cannot call Graph without a valid token.
- Permissions: Delegated vs. Application. The exam will ask which is used for a daemon app (application permissions). Wrong answer: delegated, because daemon apps have no user.
- Throttling: When throttled, Graph returns HTTP 429. Wrong answer: HTTP 503 (service unavailable) or HTTP 403 (forbidden). The exam expects 429.
- Graph Explorer: A web-based tool to test queries. Wrong answer: the only way to use Graph is via code; Graph Explorer is a testing tool.
- Microsoft Graph vs. Azure AD Graph: Azure AD Graph is deprecated. The exam may ask which API to use for new development. Answer: Microsoft Graph.
- Batch requests: Can combine up to 20 individual requests (v1.0). Wrong answer: unlimited or 100 (100 is beta).
- Delta queries: Used for incremental synchronization. Wrong answer: to get all data every time.
- Admin consent: Required for application permissions. Wrong answer: only needed for delegated permissions.
- Common scenarios: Automating user creation, reading mail, managing groups. The exam gives a scenario and asks which tool/API to use. If the scenario requires automation, the answer is Graph API. If it's a one-time admin task, the admin center is appropriate.
- Edge case: Graph API cannot access all Microsoft 365 data; Yammer and some compliance data have limited support. The exam may have a 'choose the correct statement' question about Graph's scope.
- Exam tip: Eliminate answers that mention 'cmdlets' or 'PowerShell' when the question asks about REST API. Graph is RESTful, not PowerShell-native (though PowerShell can call it).
Microsoft Graph API is the unified RESTful endpoint for accessing Microsoft 365 data and services.
Authentication requires an OAuth 2.0 token from Azure AD; no token = no access.
Delegated permissions act on behalf of a user; application permissions act without a user.
Throttling returns HTTP 429 with Retry-After header; implement retry logic.
Batch requests combine up to 20 individual requests (v1.0) into one HTTP call.
Delta queries enable efficient incremental synchronization.
Azure AD Graph is deprecated; use Microsoft Graph for new development.
Graph Explorer is a free web tool to test Graph API queries.
Admin consent must be granted for application permissions to work.
Not all Microsoft 365 data is available via Graph; some services require other APIs.
These come up on the exam all the time. Here's how to tell them apart.
| Microsoft Graph API | Microsoft 365 Admin Center |
|---|---|
| Programmatic access via RESTful API | Graphical web interface for manual administration |
| Requires app registration and OAuth tokens | Uses interactive user sign-in with MFA support |
| Suitable for automation, integration, and custom applications | Suitable for one-time tasks and small-scale changes |
| Can handle bulk operations (e.g., create 1000 users via batch) | Not designed for bulk operations (can be slow) |
| Requires developer skills to implement | No coding required; accessible to IT admins |
Mistake
Microsoft Graph API is the same as Azure AD Graph API.
Correct
They are different. Azure AD Graph API (`https://graph.windows.net`) is deprecated and will be retired. Microsoft Graph (`https://graph.microsoft.com`) is the current unified API that includes Azure AD functionality and more. New development should use Microsoft Graph.
Mistake
You can call Microsoft Graph API without authentication for read-only data.
Correct
Every request to Microsoft Graph requires a valid OAuth 2.0 access token. There is no anonymous access. Even public data (like organization info) requires a token. The token must be obtained from Azure AD.
Mistake
Delegated permissions and application permissions are interchangeable.
Correct
They are not. Delegated permissions require a signed-in user and the app acts on behalf of that user. Application permissions allow the app to run without a user (daemon/service). The exam tests which type is appropriate for a given scenario. Using the wrong type results in authentication or authorization errors.
Mistake
Microsoft Graph API can access all data in Microsoft 365.
Correct
Graph covers many services but not all. For example, Yammer has limited Graph support, and some advanced compliance features may require other APIs (e.g., Office 365 Management APIs). The exam may present a scenario where Graph is not the best fit.
Mistake
You need to install software to use Microsoft Graph API.
Correct
Graph is a RESTful API accessible over HTTPS. You can call it from any programming language or tool (e.g., Postman, cURL). No additional software is needed beyond an HTTP client. However, Microsoft provides SDKs for convenience.
Microsoft Graph API is used to programmatically access data and services across Microsoft 365, including Azure AD, Exchange Online, SharePoint Online, Teams, OneDrive, and more. It enables automation, integration, and custom application development. For the MS-900 exam, know that it is the recommended way to access Microsoft 365 data programmatically.
For the MS-900 exam, you do not need to write code, but you must understand the concepts. In practice, using Graph API requires programming skills (e.g., REST calls, authentication). However, tools like Graph Explorer allow you to experiment without coding. The exam tests your understanding of when to use Graph versus admin centers.
Delegated permissions allow an app to act on behalf of a signed-in user, with that user's permissions. Application permissions allow an app to run without a user (e.g., background service) and require admin consent. For example, a mobile app reading your email uses delegated Mail.Read; a daemon app reading all mail in the organization uses application Mail.Read.All.
Graph returns HTTP 429 Too Many Requests with a Retry-After header indicating how many seconds to wait before retrying. You must implement retry logic with exponential backoff. The limits vary by resource; for example, Exchange Online allows 10,000 requests per 10 minutes per app per tenant. The exam may test that 429 is the correct response.
No, Microsoft Graph API is for cloud services only. For on-premises, you need other tools like Exchange Management Shell or SharePoint Server APIs. The exam may ask about the scope of Graph: it covers Microsoft 365 cloud services, not on-premises.
Yes, Microsoft Graph API is free to use. There is no additional cost beyond the Microsoft 365 subscription. However, usage is subject to throttling and fair use policies. The exam may test that there is no separate charge for Graph API calls.
Graph Explorer is a web-based tool at https://developer.microsoft.com/en-us/graph/graph-explorer that allows you to sign in and make REST calls to Microsoft Graph API interactively. It is useful for testing queries and learning the API. The exam may ask about its purpose: to explore and test Graph API without writing code.