Azure Active Directory Graph API

Demonstrates use of the AAD Grpah API to perform common read and write operations on Users, Groups, Group Membership, Roles, Tenant information, Service Principals, and Applications.


To  make connection to your own azure active directory using the Graph API,You need to make the application and get client id and recreate key from the azure portal

Register the sample app for your own tenant

1. Sign in to the Azure management portal.
2. Click on Active Directory in the left hand nav.
3. Click the directory tenant where you wish to register the sample application
4. Click the APP Registrations tab
5. In the drawer, click New Application Registration
6. Enter friendly name to the application name
7. Select application type Web Api Or native from the given dropdown.
8.For the Sign-on URL, enter a value (NOTE: this is not used for the console app, so is only needed for     this initial configuration): “http://localhost
9.Click on Create button
10.Copy the application id from the portal and paste it in a side. we will need it in later stage as client    ID.
11.Click on settings
12.Click on Keys
13.Under the Keys section, select either a 1-year or 2-year key – the keyValue will be displayed after you save the configuration at the end – it will be displayed, and you should save this to a secure location. NOTE: The key value is only displayed once, and you will not be able to retrieve it later
14.Click on Requires Permission
15.Configure Permissions – under the “Permissions to other applications” section, you will configure permissions to access the Graph (Windows Azure Active Directory). For “Windows Azure Active Directory” under the first permission column (Application Permission:1″), select “Read directory data”. Notes: this configures the App to use OAuth Client Credentials, and have Read access permissions for the application.Select the Save button at the bottom of the screen – upon successful configuration, your Key value should now be displayed – please copy and store this value in a secure location.
16.Click on Save
17.Click on grant permission from the Global administrator or Company administrator role.
18.Once permission is granted, click on manifest
19.Find  “oauthAllowImplicitFlow” set to true and save
Open Visual Studio -> File->Project->Select Console App->Give name and location->Ok
– Add Microsoft.identityModel.Clients.ActivityDirectory to console application
Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 3.19.8.

Add following constant values in to the constants.cs file

public const string TenantName = “samplesolution.onmicrosoft.com”;
public const string TenantId = “8f4455df-8ae6-454d-bd00-e53e5f87f050”;
public const string ClientId = “3db07cc2-3c44-4f13-ca43-8edcbe130a29”;
public const string ClientSecret = “ItcmltZpNj4UiRItqJUsT8P2G3Fx6HY9RCU/l9vizpQ=”;
public const string ResourceUrl = “https://graph.windows.net”;
public const string authority=”https://login.windows.net/”CommonConstants.TenantName;

ClientID = Application ID which we have store in separate file.
Secret key = key value which we have get from azure portal while generate the key.Code to create a ActiveDirectoryClient

using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Net.Http.Headers;
using System.Threading.Tasks;static void Main(string[] args)
ActiveDirectoryClient activeDirectoryClient = GetActiveDirectoryClientAsApplication();

// Get user based on email address.
// We can get the user from Azure AD using below method.We can get user based on UPN(User Principal Name,UserType) ;
Microsoft.Azure.ActiveDirectory.GraphClient.User user = (Microsoft.Azure.ActiveDirectory.GraphClient.User)activeDirectoryClient.Users.Where(u => u.Mail.Equals(mailAddress)).ExecuteAsync().Result.CurrentPage.FirstOrDefault();

// Get application from the Azure AD which we have configured earlier.
Application application = (Application)activeDirectoryClient.Applications.Where(app => app.AppId.Equals(Constants.CommonConstants.ClientId)).ExecuteAsync().Result.CurrentPage.FirstOrDefault();

// Get approle from selected application
// App role is define in to the manifest file.
AppRole appRole = application.AppRoles.Where(role => role.Id.Equals(Guid.Parse(Constants.ApplicationConstants.AppRoleID))).FirstOrDefault();

// We can create new app role from below code.
//Create App Role
AppRole appRole = new AppRole();
appRole.Id = Guid.NewGuid();
appRole.IsEnabled = true;
appRole.DisplayName = “Something”;
appRole.Description = “Anything”;
appRole.Value = “policy.write”;

// Get Service principal from active directory

ServicePrincipal servicePrincipal = (ServicePrincipal)activeDirectoryClient.ServicePrincipals.Where(service => service.AppId.Equals(Constants.CommonConstants.ClientId)).ExecuteAsync().Result.CurrentPage.FirstOrDefault();

// Assign user to application in azure active directory
AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
appRoleAssignment.Id = appRole.Id;
appRoleAssignment.ResourceId = Guid.Parse(servicePrincipal.ObjectId);
appRoleAssignment.PrincipalType = “User”;
appRoleAssignment.PrincipalId = Guid.Parse(user.ObjectId);

public static ActiveDirectoryClient GetActiveDirectoryClientAsApplication()
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(new Uri(new Uri(Constants.AzureConstants.ResourceUrl), Constants.CommonConstants.TenantId),
async () => await AcquireTokenAsyncForApplication());
return activeDirectoryClient;


public static async Task<string> AcquireTokenAsyncForApplication()
return GetAccessTokenAzure();

public static string GetAccessTokenAzure()
AuthenticationContext authContext = new AuthenticationContext(Constants.AzureConstants.authority, null);
ClientCredential creds = new ClientCredential(Constants.CommonConstants.ClientId, Constants.CommonConstants.ClientSecret);

AuthenticationResult authenticationResult = authContext.AcquireTokenAsync(Constants.AzureConstants.ResourceUrl, creds).Result;
string accessToken = authenticationResult.AccessToken;
return accessToken;

Happy Coding 🙂