Tuesday, November 16, 2021

What's the difference between Azure AD Graph, Azure Resource Graph and Microsoft Graph?

It started with a tweet.


Microsoft MVP Joe Stocker shared Alex Simon's article "Automate and manage Azure AD tasks at scale with the Microsoft Graph PowerShell SDK", where Derrick Kimani (Microsoft Identity Division Program Manager) lays out the plan for managing Azure AD with the Microsoft Graph PowerShell SDK.


Joe pointed out that IT Pros should learn the new Microsoft Graph PowerShell SDK because Microsoft has stopped writing new Azure AD PowerShell commands and the existing ones won't work with PowerShell 7.


Cue discussion about various Microsoft things with the word "graph" in them! So let's break down this announcement and explore a few of our common terms.


TL;DR:

Azure AD Graph is the service used to query Azure Active Directory, which the Azure AD PowerShell and MSOnline PowerShell modules use. It's being retired, but you have plenty of time before that happens and Microsoft is working on migration tooling and documentation.
Azure Resource Graph is the service you can use to query some resources in Azure and their basic properties.
Microsoft Graph allows you to query many different Microsoft services, including Microsoft 365 and Windows 10. It will be the query plane for Azure Active Directory.


APwhats?

Microsoft provides access to query and change things in its online services through something called an API (application programming interface). Think of an API as being like the Microsoft Translator app: it converts the language you use to request something into the language the system understands to fulfil that request, like ordering fast food in a country whose language you don't speak. API is a standard industry term, and most software companies provide an API for querying their systems.

Software developers may be more familiar with APIs, using them to fetch data when their application interacts with other applications. IT Pros are used to issuing PowerShell commands and they just do their thing, regardless of the coding underneath that makes them work. However, we have already seen changes in those commands, from the old MSOnline commands (like "New-MsolUser") to the Azure AD PowerShell module commands (like "New-AzureADUser"). That Azure AD PowerShell module is known as "Azure Active Directory PowerShell for Graph".


Wait, Graph?

Yes! Azure Active Directory was accessed via an API known as the Azure Active Directory Graph API, which was specific to Azure AD and only provided access to the Azure AD service. That's sometimes referred to as the Azure AD Graph.


Now introducing the Microsoft Graph!

Microsoft Graph is your gateway to data in a bunch of different Microsoft services, including Microsoft 365, Windows 10 and Enterprise Mobility + Security. It includes connectors to other services (both Microsoft and non-Microsoft), Microsoft Graph Data Connect for moving that data into Azure data stores, and the Microsoft Graph API itself. Developers would find this useful for building applications that extend across different services and data sources, including the status of users, devices, compliance and security.


[Image: The Microsoft Graph]


But IT Pros managing Azure Active Directory haven't really needed to do anything at all with the Microsoft Graph. It does expose some calls to access user information in Azure AD, like showing who a user reports to in the organization chart, but it was pretty limited. See Overview of users in Microsoft Graph.


Goodbye, Azure AD Graph

As Derrick mentioned in the article, Microsoft announced in June 2020 that the Azure AD Graph was being retired and would no longer have any new features added. From 30 June 2022, the Azure AD Graph would no longer be supported or receive security updates.


The June 2020 announcement at Microsoft Build likely didn't make the radar of most IT Pros, who were happily executing PowerShell commands. The more recent June 2021 article caught our eye though, as it mentions our beloved Azure AD PowerShell module. In essence, Microsoft is reaffirming that any investment it makes in the experience of interacting with Azure AD programmatically will be made via the Microsoft Graph. It makes sense to consolidate API requests to our systems through the one Graph, instead of having to develop and maintain a separate Graph API for Azure AD.


So, no more PowerShell :( ?

Not exactly. You can access the Microsoft Graph API by using the Microsoft Graph PowerShell SDK. That's another developer-friendly term: an SDK (software development kit) is a collection of tools bundled together, and in this case it means the entire API set is exposed to PowerShell, for us to build even better commands and functionality. It's open source and cross-platform with PowerShell 7 and above.


OK, just show me the new commands!

Patience, my friends. The Identity team are working hard on this, including an extension period to allow the Azure AD PowerShell module to continue working for a while, plus migration documentation and tools for your existing PowerShell scripts. We'll continue to explore this topic and will bring you scenarios and examples in the future.


For now, you can find the Microsoft Graph PowerShell SDK here on GitHub.

And the Identity team would love your feedback and questions - add your comment to the article Automate and manage Azure AD tasks at scale with the Microsoft Graph PowerShell SDK
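To make the shift concrete, here is an added example (not code from the article or from the Microsoft Graph PowerShell SDK project itself) that does with the SDK the kind of task IT Pros currently do with Get-AzureADUser: connect with only the read scope the task needs, check what was actually granted, look up one user and the manager relationship mentioned above, and count disabled accounts. It assumes the Microsoft.Graph.Users module is installed and that you can consent to the User.Read.All delegated permission; the UPN is a constructed placeholder.

```powershell
# Added example, not from the original article or the SDK project.
# Assumes: Microsoft.Graph.Users module installed; an account able to consent to
# the User.Read.All delegated permission. The UPN below is a placeholder.
$Upn = 'alex@contoso.example'   # placeholder, replace with a real UPN

# Request only the delegated permission this task needs (read-only).
# Connect-MgGraph signs in interactively and caches a token for the session.
Connect-MgGraph -Scopes 'User.Read.All'

# Check what was actually granted before doing anything else; an admin may have
# consented to a narrower (or wider) set of scopes than you asked for.
$ctx = Get-MgContext
"Signed in as $($ctx.Account) with scopes: $($ctx.Scopes -join ', ')"

# Equivalent of Get-AzureADUser / Get-MsolUser for one person.
# -Property limits the $select to the attributes we need instead of the defaults.
$user = Get-MgUser -UserId $Upn -Property 'id,displayName,userPrincipalName,accountEnabled'
$user | Select-Object DisplayName, UserPrincipalName, AccountEnabled

# The org-chart relationship from the article: who does this user report to?
# Get-MgUserManager returns a directoryObject; its attributes sit in AdditionalProperties.
$manager = Get-MgUserManager -UserId $user.Id -ErrorAction SilentlyContinue
if ($manager) {
    "Reports to: $($manager.AdditionalProperties['displayName'])"
} else {
    "No manager assigned"
}

# A count of disabled accounts. Getting $count back from Graph requires the
# ConsistencyLevel: eventual header, which the SDK exposes as a parameter.
Get-MgUser -Filter 'accountEnabled eq false' -ConsistencyLevel eventual `
    -CountVariable disabledCount -All | Out-Null
"Disabled accounts: $disabledCount"

# Drop the cached token when finished.
Disconnect-MgGraph | Out-Null
```

The pattern to take from this is the first two steps: asking for the smallest scope that does the job and reading Get-MgContext back, which is the Graph equivalent of checking which admin role a script is running under before it touches anything.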


But what about the other Graphs?

Ah yes, let's talk about other places you'll find the term "graph" ...


Azure Resource Graph - This is used for querying resources that exist in Microsoft Azure, and their basic properties. It's similar to an API, except that technically it uses the APIs of each of the different Azure resource providers (like Microsoft.Compute) to gather information about each Azure resource and stores that information, and you then query the information held by Azure Resource Graph. It's great if I want to find how many of my Azure Virtual Machines are running Windows or Linux, but that's just scratching the surface! You can use a bunch of different query methods, including Azure Resource Graph Explorer in the Azure portal and the Azure Resource Graph query language, Azure PowerShell, or even languages like Java or Python.

For a list of supported resource types, visit Azure Resource Graph table and resource type reference.
For more information, check out Billy York's Azure Resource Graph: Zero to Hero.
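The Windows-versus-Linux question above, worked through as an added example (not code from the article or from Billy York's guide) using Azure PowerShell against Azure Resource Graph. It assumes the Az.Accounts and Az.ResourceGraph modules are installed and that you have already run Connect-AzAccount with at least Reader on the subscriptions of interest. It goes a little beyond the article's one-line question by also listing each VM with its power state, paging through results so that a large estate isn't silently truncated.

```powershell
# Added example, not from the original article.
# Assumes: Az.Accounts and Az.ResourceGraph installed; already signed in with
# Connect-AzAccount using an identity that holds Reader on the target subscriptions.

# 1) The summary question from the article: how many VMs run Windows vs Linux?
# Resource Graph queries use the Kusto-style Resource Graph query language.
# 'Resources' holds the cached ARM properties; =~ is a case-insensitive compare,
# which matters because resource type strings are not consistently cased.
$summaryQuery = @'
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| summarize vmCount = count() by osType = tostring(properties.storageProfile.osDisk.osType)
| order by vmCount desc
'@

Search-AzGraph -Query $summaryQuery | Format-Table osType, vmCount

# 2) Per-VM detail: name, OS and current power state.
# 'order by' is required for stable paging; without it pages can overlap or skip rows.
$detailQuery = @'
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| project name, resourceGroup, subscriptionId,
          osType = tostring(properties.storageProfile.osDisk.osType),
          powerState = tostring(properties.extended.instanceView.powerState.code)
| order by name asc
'@

# Search-AzGraph returns at most -First rows per call (1000 is the ceiling), so
# follow the SkipToken until it is empty instead of assuming one call saw everything.
$vms = @()
$skipToken = $null
do {
    $page = if ($skipToken) {
        Search-AzGraph -Query $detailQuery -First 1000 -SkipToken $skipToken
    } else {
        Search-AzGraph -Query $detailQuery -First 1000
    }
    $vms += $page
    $skipToken = $page.SkipToken
} while ($skipToken)

"Total VMs returned: $($vms.Count)"
$vms | Format-Table name, resourceGroup, osType, powerState
```

Note that Resource Graph answers from its own cached copy of resource properties, so a VM created seconds ago may not appear until the next sync; for anything where freshness matters, confirm against the resource provider directly (Get-AzVM) before acting on the result.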

GraphQL - On purpose, I've avoided using the term REST APIs, as explaining REST is outside the scope of this article. However, if you start searching for the Graph query language when you mean the Azure Resource Graph query language, you might stumble across GraphQL. GraphQL is an open source query language for APIs, used in applications for communication between the client and the server. If you still want to learn more, go check out https://graphql.org/


Microsoft Graph Security API - This is just one of the underlying APIs that targets a particular service via the Microsoft Graph, in this case security solutions from Microsoft and ecosystem partners. For more information visit Use the Microsoft Graph Security API and for a complete list of Microsoft Graph APIs visit the Microsoft Graph REST API v1.0 reference.

Conclusion

There's a significant amount of integration already between Microsoft's products and services - Microsoft 365 users are Azure Active Directory users, for example. Consolidating management tools is a logical step, and with the Microsoft Graph already surfacing APIs for a bunch of different services, this is a great platform to invest in for the future of identity management at scale.


The product group are working on this shift and are open to hearing your questions and feedback. Yes, it may mean that IT Pros have to review and update PowerShell scripts they are using to automate tasks, but more guidance is coming and there's plenty of time to prepare before the existing Azure AD PowerShell module will stop functioning. I hope this article has given you a great frame of reference of how Microsoft sees the concept of a "graph" across Azure resources and Microsoft services.


Learn more:

Major services and features in Microsoft Graph

Azure AD identity and access management API overview

Microsoft Learn - What is Microsoft Graph?

Posted at https://sl.advdat.com/3qFuSd0