Microsoft Graph API Connector
Overview

The Microsoft Graph API connector facilitates seamless integration with various Microsoft services, enabling comprehensive access and control over data and functions within the Microsoft ecosystem.

Microsoft Graph API is a unified gateway to data and intelligence in Microsoft 365, providing secure access to a wealth of resources including users, mail, files, and more. This connector enables seamless integration with third-party tools, allowing users to automate tasks within Swimlane Turbine. By leveraging this connector, users can enhance their security automation workflows, streamline data retrieval, and perform actions across various Microsoft services without manual intervention.

Configuration

Prerequisites

To utilize the Microsoft Graph API connector with Swimlane Turbine, ensure you have the following prerequisites:

Delegated flow authentication with these parameters:
- URL: endpoint for Microsoft Graph API
- Tenant ID: unique identifier of your Azure AD tenant
- Username: user's account username in Azure AD
- Password: corresponding password for the Azure AD account
- Client ID: application ID registered in Azure AD
- Client Secret: secret generated for the application in Azure AD

Asset authentication with these parameters:
- URL: endpoint for Microsoft Graph API
- Client ID: application ID registered in Azure AD
- Client Secret: secret generated for the application in Azure AD
- Tenant ID: unique identifier of your Azure AD tenant
- Scope: permissions the app requires

OAuth2 client credentials with these parameters:
- URL: endpoint for Microsoft Graph API
- Client ID: application ID registered in Azure AD
- Client Secret: secret generated for the application in Azure AD
- Token URL: URL to retrieve the OAuth2 token
- Scope: permissions the app requires

Authentication Methods

OAuth 2.0 client credentials authentication with these parameters:
- URL: endpoint for Microsoft Graph API
- Client ID: application (client) ID registered in Azure AD
- Client Secret: client secret (key) generated for the application in Azure AD
- Token URL: URL to retrieve the OAuth token
- Scope: permissions the app requires

Password grant (delegated authentication), for acting on behalf of a user:
- URL: endpoint for Microsoft Graph API
- Tenant ID: directory ID of the Azure AD tenant
- oauth un: user's username to authenticate
- oauth pwd: user's password to authenticate
- oauth cl id: application (client) ID registered in Azure AD
- oauth cl secret: client secret (key) generated for the application in Azure AD
- Login URL: login URL; default value is https://login.microsoftonline.com (optional)
- Scope: permissions the app requires; optional field (optional)

Asset credentials specific to your organization (Microsoft Graph API asset tenant ID):
- URL: endpoint for Microsoft Graph API
- Client ID: application (client) ID registered in Azure AD
- Client Secret: client secret (key) generated for the application in Azure AD
- Tenant ID: directory ID of the Azure AD tenant
- Scope: permissions the app requires

Capabilities

The Microsoft Graph API connector gives the ability to get and update security alerts, and modify user licenses and sessions.

add group member add group owner add identity directory device registered user add identity directory role member add incident comment add member to directory administrative unit add members assign and remove license audit logs get signin audit logs list signins cancel security action create contact create event create rejectedsender create group create identity directory device create identity directory domain create identity directory role management create security action create threat intelligence indicator for azure sentinel create threat intelligence indicator for microsoft defender create user mail rule delete directory administrative unit member delete email delete email authentication method delete fido2 authentication method delete identity directory device delete identity directory device registered user delete identity directory domain delete identity directory role
management delete identity directory role member delete microsoft authenticator auth method delete phone authentication method delete profile email delete software oath authentication method delete temporary access pass auth method delete threat intelligence indicator delete user mail rule delete windows hello for business auth method expand and get item properties attached to message forward email get alert get control profile get directory administrative unit get directory administrative unit list get directory administrative unit member get directory administrative unit member list get documents shared get documents used or viewed get email attachments get emails export email as eml get file metadata get folders get group get group member list get group owners list get group rejected senders list get groups list get identity directory device get identity directory device group list get identity directory device list get identity directory domain get identity directory domain list get identity directory object get identity directory objects by ids list get identity directory registered users list get identity directory role get identity directory role assignment get identity directory role management get identity directory role management list get identity directory role members list get identity directory roles assignment list get identity directory roles assignment list get license details get list of child folders get manager root level get profile email get profile email list get risk detections get secure control profiles list get secure score get secure scores list get security action get security action list get security get incident get security get repeat offenders get security get simulation get security get simulation automations get security get simulation coverage for users get security get simulation overview get security get training coverage users get security list incident get security list simulation get security list simulation automations get 
security list simulation users get security ediscovery get case get security ediscovery list case custodians get security ediscovery list case operations get security ediscovery list case review sets get security ediscovery list case searches get security ediscovery list case tags get security ediscovery list cases get site drives get threat assessment get threat assessment list get threat intelligence indicator get threat intelligence indicators list get trending documents get user collaborators list get user mail rule get user mail rules list get user by id list a users direct membership list alerts list analyzed emails list riskyusers list password authentication methods move email post group rejected sender post threat assessment email post threat assessment file post threat assessment uri post threat assessment url remove directory role member remove group rejected sender reply to email reset user password revoke user signin session send email sharepoint add or update file sharepoint checkin file sharepoint checkout file sharepoint create list sharepoint create list item sharepoint create list column sharepoint delete list sharepoint delete list column sharepoint delete list item sharepoint get file sharepoint get list sharepoint get list columns sharepoint get list columns sharepoint get site sharepoint update list item update alert update incident update user retrieve authentication methods

Asset Setup

Client Credential Flow Authentication

Authentication uses Azure application OAuth2. You will need an admin account in Azure to create the application.

Recommended application permissions (feel free to use custom permissions if you only use certain actions):
- User.ReadWrite.All
- Calendars.ReadWrite
- Directory.ReadWrite.All
- Directory.AccessAsUser.All
- SecurityEvents.Read.All
- SecurityEvents.ReadWrite.All
- Mail.ReadWrite
- Mail.Send
- Sites.ReadWrite.All
- Files.ReadWrite.All
- AuditLog.Read.All
- Mail.ReadBasic.All
- SecurityAnalyzedMessage.ReadWrite.All
- SecurityAlert.ReadWrite.All
- User.ManageIdentities.All, User.EnableDisableAccount.All, User.ReadWrite.All
- SecurityIncident.ReadWrite.All
- UserAuthenticationMethod.Read.All
- UserAuthenticationMethod.ReadWrite.All
- Group.ReadWrite.All
- IdentityRiskyUser.Read.All

Sites.ReadWrite.All is needed by SharePoint actions only.

In order to set up the asset, you need the following:
- Azure application client ID
- Azure application client secret
- Azure tenant ID

Steps to create the Azure app:
1. Go to the App registration page (https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal.
2. Click New registration.
3. Enter a name for your new application and choose Accounts in this organizational directory only, then click Register at the bottom.
4. Navigate to the API permissions tab on the left navigation menu.
5. Select Add a permission.
6. Select Microsoft Graph.
7. Select Application permissions, then mark all the permissions you need for the actions you are using (see suggested permissions at the top of the Asset Setup section).
8. Click the Add permissions button at the bottom of the page.
9. Select Grant admin consent for your organization.
10. Navigate to the Certificates & secrets tab and select New client secret.
11. Fill out the description and expiration, then click the Add button at the bottom. The value of the secret you just created is the client secret needed for the Swimlane asset.
12. Navigate to the Overview tab on the left menu. The client ID and tenant ID needed in the asset are shown on this page.

The client ID, tenant ID, and client secret described in the steps above are the credentials you need for the asset.

Password Flow (Delegated Auth)

Use delegated permissions instead of application permissions, and generate the client ID, tenant ID, and client secret as described in the client credential flow authentication steps above. This authentication also needs a username and a password.

Limit Access to Specific Mailboxes

Administrators who want to limit app access to specific mailboxes can create an application access policy by using the New-ApplicationAccessPolicy PowerShell cmdlet. For more information, see the article Limiting application permissions to specific Exchange Online mailboxes: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access

Action Setup

OData Filters

Information on the filter input formatting can be found here: https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter

Keep in mind that not specifying a folder as an input will result in the query affecting all possible folders. Example: if we want to ingest only unread emails and we don't set the input "folder", we will ingest all unread emails from all folders, including "Deleted Items", "Junk", etc.

Well-Known Folders

Well-known folders can be used instead of folder IDs for email actions. All well-known folder names can be found here: https://docs.microsoft.com/en-us/graph/api/resources/mailfolder?view=graph-rest-1.0

Sites Get Site

All the sites actions require the site ID to be executed. The site ID can be obtained using the action Sites Get Site. In order to run the action, the site hostname and site name are needed. These two values can be found in a site URL:

https://{site hostname}.sharepoint.com/sites/{site name}

For example, if our site URL is https://swimlaneintegrations.sharepoint.com/sites/integrationssite, we should use:
- site hostname: swimlaneintegrations
- site name: integrationssite

After the action execution you can find the site ID in the id output field.

Sites Create List

In order to create a list with its columns, use the input columns. You can find all the possible values with their configuration in the following table.

| Property name | Type | Description |
| --- | --- | --- |
| boolean | booleanColumn (https://docs.microsoft.com/en-us/graph/api/resources/booleancolumn?view=graph-rest-1.0) | This column stores boolean values. |
| calculated | calculatedColumn (https://docs.microsoft.com/en-us/graph/api/resources/calculatedcolumn?view=graph-rest-1.0) | This column's data is calculated based on other columns. |
| choice | choiceColumn (https://docs.microsoft.com/en-us/graph/api/resources/choicecolumn?view=graph-rest-1.0) | This column stores data from a list of choices. |
| currency | currencyColumn (https://docs.microsoft.com/en-us/graph/api/resources/currencycolumn?view=graph-rest-1.0) | This column stores currency values. |
| dateTime | dateTimeColumn (https://docs.microsoft.com/en-us/graph/api/resources/datetimecolumn?view=graph-rest-1.0) | This column stores DateTime values. |
| geolocation | geolocationColumn (https://docs.microsoft.com/en-us/graph/api/resources/geolocationcolumn?view=graph-rest-1.0) | This column stores a geolocation. |
| lookup | lookupColumn (https://docs.microsoft.com/en-us/graph/api/resources/lookupcolumn?view=graph-rest-1.0) | This column's data is looked up from another source in the site. |
| number | numberColumn (https://docs.microsoft.com/en-us/graph/api/resources/numbercolumn?view=graph-rest-1.0) | This column stores number values. |
| personOrGroup | personOrGroupColumn (https://docs.microsoft.com/en-us/graph/api/resources/personorgroupcolumn?view=graph-rest-1.0) | This column stores person or group values. |
| text | textColumn (https://docs.microsoft.com/en-us/graph/api/resources/textcolumn?view=graph-rest-1.0) | This column stores text values. |
| validation | columnValidation (https://docs.microsoft.com/en-us/graph/api/resources/columnvalidation?view=graph-rest-1.0) | This column stores validation formula and message for the column. |
| hyperlinkOrPicture | hyperlinkOrPictureColumn (https://docs.microsoft.com/en-us/graph/api/resources/hyperlinkorpicturecolumn?view=graph-rest-1.0) | This column stores hyperlink or picture values. |
| term | termColumn (https://docs.microsoft.com/en-us/graph/api/resources/termcolumn?view=graph-rest-1.0) | This column stores taxonomy terms. |
| thumbnail | thumbnailColumn (https://docs.microsoft.com/en-us/graph/api/resources/thumbnailcolumn?view=graph-rest-1.0) | This column stores thumbnail values. |
| contentApprovalStatus | contentApprovalStatusColumn (https://docs.microsoft.com/en-us/graph/api/resources/contentapprovalstatuscolumn?view=graph-rest-1.0) | This column stores content approval status. |

For a complete version of this table, see the official column definition table: https://docs.microsoft.com/en-us/graph/api/resources/columndefinition?view=graph-rest-1.0#properties

Create List Column

Refer to the above table to get the type properties and column type input. The type properties are documented within the links in the Type column.

Get List Items

In order to use the filter input, refer to the OData Filters section. The column used to filter the output must be indexed; see the Microsoft documentation (https://support.microsoft.com/en-us/office/add-an-index-to-a-list-or-library-column-f3f00554-b7dc-44d1-a2ed-d477eac463b0?ui=en-us&rs=en-us&ad=us) to add an index to a list.

Limitations

When using $filter and $orderby in the same query to get messages, make sure to specify properties in the following ways:
- Properties that appear in $orderby must also appear in $filter.
- Properties that appear in $orderby are in the same order as in $filter.
- Properties that are present in $orderby appear in $filter before any properties that aren't.

Failing to do this results in the following error:
- Error code: InefficientFilter
- Error message: The restriction or sort order is too complex for this operation.

The Assign/Remove User License action requires either the disabled plans and accompanying SKU IDs to assign licenses, or the SKU ID of the license you want to remove.

The Get Security Alert action has additional information it can return. There are a large number of fields that don't relate to many alerts, so they are not mapped; you can add them if desired.

Notes

- An Introduction to Microsoft Graph API: https://social.technet.microsoft.com/wiki/contents/articles/33525.an-introduction-to-microsoft-graph-api.aspx
- Microsoft Graph Security API homepage: https://www.microsoft.com/en-us/security/intelligence-security-api
- Microsoft Graph REST API v1.0 reference: https://docs.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
- Query parameters documentation (OData v4): https://docs.microsoft.com/en-us/graph/query-parameters
- Microsoft Graph Security API v1.0 reference: https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-beta
- Azure AD OAuth2 flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
- oauthlib legacy application client: https://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html#legacy-application-flow (this is sort of a hack to bypass manual login, which is typically required)
- Limiting application permissions to specific Exchange Online mailboxes: https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access
- Microsoft Graph reports audit logs API reference: https://learn.microsoft.com/en-us/graph/api/resources/azure-ad-auditlog-overview?view=graph-rest-1.0
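
The three $filter/$orderby rules listed under Limitations can be checked before a message query is sent, so a playbook fails early instead of receiving InefficientFilter. This Python check is an added example, not part of the connector; the function names and sample queries are constructed, and it assumes filters built from comparison operators, functions and quoted string literals rather than the full OData grammar.

```python
import re

# OData operators and literals that are not property names.
KEYWORDS = {"and", "or", "not", "eq", "ne", "gt", "ge", "lt", "le", "in", "has",
            "true", "false", "null"}

def filter_properties(filter_expr):
    """Return the property names used in $filter, in order of first appearance."""
    # Blank out quoted string literals ('' is an escaped quote) so their words are ignored.
    text = re.sub(r"'(?:[^']|'')*'", "''", filter_expr)
    props = []
    # Identifiers, including paths such as from/emailAddress/address.
    # The lookbehind skips the "T" and "Z" inside date-time literals.
    for m in re.finditer(r"(?<![\w/])[A-Za-z_][\w/]*", text):
        name = m.group()
        is_function = text[m.end():].lstrip().startswith("(")  # e.g. contains(...)
        if name.lower() not in KEYWORDS and not is_function and name not in props:
            props.append(name)
    return props

def check_filter_orderby(filter_expr, orderby):
    """Return [(rule_number, message)] for each of the three rules the query breaks."""
    props = filter_properties(filter_expr)
    order = [part.split()[0] for part in orderby.split(",") if part.strip()]
    missing = [p for p in order if p not in props]
    if missing:
        return [(1, "in $orderby but not in $filter: " + ", ".join(missing))]
    problems = []
    if [p for p in props if p in order] != order:
        problems.append((2, "$orderby properties are not in the same order as in $filter"))
    if set(props[:len(order)]) != set(order):
        problems.append((3, "$filter names other properties before the $orderby ones"))
    return problems

# Constructed sample queries (not taken from the connector).
SAMPLES = [
    ("receivedDateTime ge 2024-01-01T00:00:00Z and isRead eq false", "receivedDateTime desc"),
    ("isRead eq false and receivedDateTime ge 2024-01-01T00:00:00Z", "receivedDateTime desc"),
    ("isRead eq false", "receivedDateTime desc"),
    ("contains(subject,'paid and overdue') and receivedDateTime ge 2024-01-01T00:00:00Z",
     "receivedDateTime desc, subject"),
]

if __name__ == "__main__":
    for flt, order in SAMPLES:
        print(check_filter_orderby(flt, order) or "ok", "|", flt, "|", order)
```
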
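
The recommended permission list under Asset Setup is broad, and the page notes that custom permissions are enough when only some actions are used. The following added example (not connector code) decodes an app-only access token and compares its roles claim with the permissions a deployment needs; the NEEDED set, the sample token and the function names are constructed, and it assumes application permissions appear in the token's roles claim, as they do for Microsoft identity platform app-only tokens.

```python
import base64
import json

def decode_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_app_roles(access_token, needed):
    """Compare the token's application permissions with the ones the playbooks need."""
    claims = decode_claims(access_token)
    granted = set(claims.get("roles", []))        # app-only tokens list permissions here
    unneeded = granted - needed
    return {
        "tenant": claims.get("tid"),
        "unneeded": sorted(unneeded),
        "missing": sorted(needed - granted),
        # Write grants that nothing in `needed` justifies: remove these first.
        "unneeded_write": sorted(r for r in unneeded if "ReadWrite" in r),
    }

def sample_token(roles):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"tid": "00000000-0000-0000-0000-000000000000", "roles": roles}
    return ".".join([enc({"alg": "none"}), enc(claims), ""])

# Hypothetical deployment: only mail and alert actions are used, no SharePoint actions.
NEEDED = {"Mail.ReadWrite", "Mail.Send", "SecurityAlert.ReadWrite.All"}
# Constructed grant, a subset of the recommended list on this page.
GRANTED = ["Mail.ReadWrite", "Mail.Send", "SecurityAlert.ReadWrite.All",
           "Sites.ReadWrite.All", "Directory.ReadWrite.All", "AuditLog.Read.All"]

if __name__ == "__main__":
    print(json.dumps(audit_app_roles(sample_token(GRANTED), NEEDED), indent=2))
```

In a real check the token would be the one returned by the client credential flow for the asset's client ID; Sites.ReadWrite.All showing up as unneeded matches the page's note that only SharePoint actions require it.
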