Azure Graph API and OAuth

kool posted this 24 October 2016

I thought I'd share this on the chance it might save someone else a lot of hair pulling.

As most of you know Azure AD uses a RESTful API to perform CRUD operations on AAD objects. This is called the Azure Graph. You can also do a form of "recent-changes" querying using the differential query technique. However this does not allow you to ask a question like "show me the last 10 logons for user foo." MS has a new reporting (sign-in/audit) API in public preview (https://azure.microsoft.com/en-us/documentation/articles/active-directory-reporting-api-getting-started/) that shows events rather than object states.

I've been playing with this API and noticed (after much gnashing of teeth) that it has a stricter requirement on the authorization header. Both APIs use OAuth where you supply an authorization header that specifies the OAuth access token. The header can be expressed one of two ways:
Authorization: <access token>
Authorization: Bearer <access token>

The first form works with the Azure Graph but gives a 400 bad request with the reporting API. The second form works for both APIs. This was a problem for me because I found some C# sample code for making Azure Graph calls that specified the auth header using the first form. This code did not work for the reporting API and I went down a rat hole trying to figure out how to get Fiddler working to capture the wire traffic (that's another story best told elsewhere). I finally realized that other OAuth examples I've seen prefix the token with the "Bearer" string. I don't know if the OAuth spec has this as a SHOULD or a MUST. In any case the two Azure APIs are not consistent in their implementation. Is anyone surprised by this?

BTW, the Office 365 folks have released a Microsoft Graph API that they claim will supersede the Azure Graph. I'm not sure the Azure folks are on board with this because the reporting API uses the same endpoint as the Azure Graph API.

Cheers,

Eric


Forum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx
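As an added example (my code, not Eric's C# sample and not anything shipped by Microsoft), here is a small Python helper that builds the Authorization header in the "Bearer" form that both APIs accept, rejects tokens that do not fit the RFC 6750 b64token syntax, and can check an existing header value so the bare-token form is caught before the request goes on the wire. RFC 6750 section 2.1 defines the header as `Authorization: Bearer <b64token>`, so the scheme word is part of the syntax rather than optional. The token and the URL below are constructed placeholders; the endpoint path is an assumption, not the real reporting API URL.

```python
import re
import urllib.request

# RFC 6750 section 2.1:
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# Azure AD access tokens are JWTs (base64url segments joined by '.'), which fit this.
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def bearer_header(access_token: str) -> str:
    """Return the Authorization header value in the RFC 6750 form.

    Tolerates a caller that already prefixed the scheme, so the result is
    never "Bearer Bearer ...". Raises ValueError if the token contains
    characters outside the b64token alphabet (e.g. embedded whitespace).
    """
    token = access_token.strip()
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):].strip()
    if not _B64TOKEN.match(token):
        raise ValueError("access token is not a valid RFC 6750 b64token")
    return "Bearer " + token


def is_rfc6750_bearer(header_value: str) -> bool:
    """True if header_value is '<scheme> <b64token>' with scheme 'Bearer'.

    The scheme comparison is case-insensitive because HTTP auth-scheme names
    are case-insensitive (RFC 7235). The bare-token form that Azure Graph
    happens to accept fails this check, which is the point of the thread.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return False
    return bool(_B64TOKEN.match(parts[1]))


def build_request(url: str, access_token: str, bare: bool = False) -> urllib.request.Request:
    """Build a GET request for an Azure AD REST endpoint.

    bare=True reproduces the header form from the C# sample that broke
    against the reporting API (token with no scheme); the default uses the
    RFC 6750 form that works for both APIs. Nothing is sent here.
    """
    req = urllib.request.Request(url, method="GET")
    value = access_token if bare else bearer_header(access_token)
    req.add_header("Authorization", value)
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Constructed, non-functional token and a hypothetical URL; both are
    # placeholders, not real Azure AD values.
    sample_token = "eyJ0eXAiOiJKV1QifQ.eyJhdWQiOiJ0ZXN0In0.c2ln"
    url = "https://example.invalid/tenant/activities/signinEvents"

    for bare in (True, False):
        hdr = build_request(url, sample_token, bare=bare).get_header("Authorization")
        print("bare" if bare else "bearer", "->", is_rfc6750_bearer(hdr))
```

In practice the check is cheap enough to keep in the request path: log (without the token value) when `is_rfc6750_bearer` returns False, since a 400 from the reporting API is otherwise easy to misread as a malformed query rather than a malformed credential.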

darren posted this 24 October 2016

Good stuff! Thanks for the tip Eric. I was looking at digging into this again soon. I did some work around an older reporting API a while back and it was reasonably simple via PowerShell.

Funny about the different APIs btw Office and Azure. Can't say I'm surprised, though hopefully they get their *hit together and unify those at some point.

Darren
