Accessing Azure Active Directory Graph API

In this blog post I’m building an application that requires Azure Graph access.


I’m starting off with a new .NET Core console application to keep the example simple.

dotnet new console -o testGraphClient

I’m adding two NuGet packages to the project file, to help with authenticating against Active Directory.

<Project Sdk="Microsoft.NET.Sdk">

    <PackageReference Include="Microsoft.Graph" Version="1.12.0" />
    <PackageReference Include="Microsoft.IdentityModel.Clients.ActiveDirectory" Version="4.4.2" />

Azure Active Directory

Now before I get into the code, I’m going to skip ahead to registering your application. I’m using the Application Registrations Preview on Azure.

Application Registration

Let’s go ahead and register the new application. I’m leaving the Redirect empty.

New Application Registration

Make a note of the ApplicationID.

Create a new Client Secret and take a note of it, because once created you’ll never be able to see it again.

New Secret

Take a note of the Azure Tenant ID which can be found under the properties as the Directory ID.

Directory ID

Granting Application Permissions

Make sure that you are logged in as an Admin. Under the created application registration from above, there is an option to Add API Permissions.

App Permissions Overview

Select Azure Graph, and then Application Permissions.

App Permissions Type

All the application needs is readonly access to users, so grab that.

Readonly Users

Azure will immediately comment that the application needs approval from an admin.

Admin Approval

Go ahead and grant permissions using the button at the bottom of the screen.


The code is using the credentials from the application registered above to request a Bearer Token and call the Azure GraphServiceClient.

using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.Net.Http.Headers;

namespace testGraphClient
    class Program
        static void Main(string[] args)
            string clientID = ""; // Put the Application ID from above here.
            string clientSecret = ""; // Put the Client Secret from above here.

            string graphApiResource = "";
            Uri microsoftLogin = new Uri("");
            string tenantID = ""; // Put the Azure AD Tenant ID from above here.

            // The authority to ask for a token: your azure active directory.
            string authority = new Uri(microsoftLogin, tenantID).AbsoluteUri;
            AuthenticationContext authenticationContext = new AuthenticationContext(authority);
            ClientCredential clientCredential = new ClientCredential(clientID, clientSecret);

            // Picks up the bearer token.
            AuthenticationResult authenticationResult = authenticationContext.AcquireTokenAsync(graphApiResource, clientCredential).Result;

            GraphServiceClient graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(
                async (requestMessage) =>
                    // This is adding a bearer token to the httpclient used in the requests.
                    requestMessage.Headers.Authorization = new AuthenticationHeaderValue("bearer", authenticationResult.AccessToken);

            IGraphServiceUsersCollectionPage users = graphClient.Users.Request().GetAsync().Result;

            // I don't have many users, else I'd have to request the next page of results.
            foreach (var user in users.CurrentPage)
                Console.WriteLine("DisplayName: {0}", user.DisplayName);

The results printed out to console will be the DisplayNames for each of your users. A sample given below of my results.

DisplayName: Daniel Test
DisplayName: Daniel O


Actually calling the graph service is easy. Most of the difficulties come from not knowing where to register for and assign permissions. The quickstart references are here.