
How do I create an auth token with the new Microsoft Graph API?

I've been using this:

https://github.com/Azure-Samples/active-directory-php-graphapi-web.git

to access the Graph API, which works. My Azure AD registered application is able to query the API to get a list of users in the directory.

But now I want to list folders for a user in the directory. This page

http://graph.microsoft.io/docs

says the URL should be:

https://graph.microsoft.com/v1.0/me/drive/root/children

When I use that URL in my REST call, I get

"code": "InvalidAuthenticationToken",
"message": "CompactToken parsing failed with error code: -2147184105"

Makes sense, it's getting a token from

https://graph.windows.net

So, I'm lost. There are so many different versions of the API, from the consumer-grade OneDrive (formerly SkyDrive), the first Graph API (which I access via https://graph.windows.net), the Office 365 API (which I access via https://login.microsoftonline.com) and now the Graph API (formerly the universal API, https://graph.microsoft.com). I just don't know where to begin to look for correct information.

I'm working in PHP at the moment, and I'm sure that's going to be pretty low on Microsoft's list of supported platforms, but any direction about how the access token generation works in the newest API versus the o365 API versus the other Graph API (at graph.windows.net) would be appreciated.

Is anybody else as confused as I am? Is there some central reference that explains all the differences between these APIs and how to access them?

stu asked Nov 18 '15 22:11



2 Answers

The Microsoft Graph should provide you with one endpoint (and token acquisition) to access data offered by Office 365 and Azure AD services. Please visit https://graph.microsoft.com for more details - but please use the v1.0 version as this is the GA version that is appropriate for production services.

As for your question about a service app with no user UI - you can get an app-only access token using the client_credential flow. (This is not currently documented in the Microsoft Graph documentation, but it is supported and described elsewhere - just set the resource to be https://graph.microsoft.com/). In the Azure Management Portal you'll need to select the "Application Permissions" that your app requires too. Currently app-only access to mail resources is supported, but app-only access to OneDrive resources (through Microsoft Graph) is not supported. We'll be looking to open that up shortly.

Hope this helps,

Dan Kershaw - MSFT answered Sep 28 '22 07:09
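
Added example, not part of the answers on this page and not Microsoft sample code: it builds the client_credentials request with the resource set to the API host being called, and checks a token's audience before use, which is the mismatch between graph.windows.net and graph.microsoft.com discussed in the question. Assumptions: the Azure AD v1 token endpoint path `/oauth2/token`, an access token in JWT form whose `aud` claim is the resource URI, hypothetical function names, and placeholder tenant and client values.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit

# Assumed Azure AD v1 token endpoint; the tenant is supplied by the caller.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def resource_for(url):
    """Resource identifier for a URL: scheme and host only, with a trailing slash."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc.lower()}/"


def build_token_request(tenant, client_id, client_secret, api_url):
    """Return (url, form body) for an app-only token aimed at api_url's host."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource_for(api_url),
    })
    return TOKEN_URL.format(tenant=tenant), body


def token_audience(access_token):
    """Return the 'aud' claim without verifying the signature (diagnostic only)."""
    segments = access_token.split(".")
    if len(segments) != 3:
        raise ValueError("access token is not a three-part JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")


def audience_matches(access_token, api_url):
    """True when the token was issued for the host that api_url points at."""
    aud = token_audience(access_token)
    return isinstance(aud, str) and resource_for(aud) == resource_for(api_url)


def constructed_token(aud):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud})}.sig"


if __name__ == "__main__":
    api = "https://graph.microsoft.com/v1.0/me/drive/root/children"
    print(build_token_request("TENANT_PLACEHOLDER", "CLIENT_ID", "CLIENT_SECRET", api))
    print(audience_matches(constructed_token("https://graph.windows.net"), api))  # False
```

The audience check only reads the claim to explain a rejected call; it does not validate the token, which remains the job of the API that receives it.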


The endpoint https://login.microsoftonline.com is the Azure AD authorization endpoint, which provides the SSO page where users log in, authenticate and obtain an authorization code.

The others, like https://graph.microsoft.com, are resource endpoints, which are built on REST APIs and provide resources and services from Microsoft.

Specifically, for the endpoint https://graph.windows.net, the explanation on the official site is:

The Azure Active Directory Graph API provides programmatic access to Azure Active Directory through REST API endpoints. Apps can use the Azure AD Graph API to perform create, read, update, and delete (CRUD) operations on directory data and directory objects, such as users, groups, and organizational contacts. And https://graph.microsoft.com is a unified API that also includes APIs from other Microsoft services like Outlook, OneDrive, OneNote, Planner, and Office Graph, all accessed through a single endpoint with a single access token.

Refer to AD Graph REST for more information.

To integrate Office 365 via Azure AD, you have to check whether you have an Office 365 tenant and whether the administrator user of your Office 365 tenant has access permission on Azure AD. You can refer to Deep Dive into the Office 365 Unified API for a step-by-step guide to integrating the Office 365 Unified API.

Furthermore, you can refer to Get started with Office 365 APIs powered by Microsoft Graph to create a PHP example.

Gary Liu answered Sep 28 '22 08:09