Microsoft Graph API Groups and Collaboration

this connector facilitates the management of groups and collaboration settings within microsoft 365 through the microsoft graph api, enabling automated workflows for group administration and user collaboration microsoft graph api is a unified gateway to data and intelligence in microsoft 365, providing access to rich, people centric data and insights exposed as resources in microsoft graph the groups and collaboration connector allows swimlane turbine users to automate group management and collaboration workflows it enables the addition of members to groups, management of rejected senders, and streamlines collaboration across microsoft services this integration empowers security teams to maintain group integrity and manage collaboration settings efficiently, enhancing organizational security posture with minimal manual intervention configuration prerequisites to utilize the microsoft graph api groups and collaboration connector, ensure you have the following prerequisites client credentials and tenant id authentication with these parameters url endpoint for microsoft graph api client id application identifier registered with azure ad client secret confidential string used to establish app identity tenant id directory identifier in azure ad scope permissions the app requires oauth 2 0 client credentials with these parameters url endpoint for microsoft graph api client id application identifier registered with azure ad client secret confidential string used to establish app identity token url url to obtain the access token scope permissions the app requires delegated flow authentication with these parameters url endpoint for microsoft graph api tenant id directory identifier in azure ad and so on authentication methods oauth 2 0 client credentials authentication with these parameters url endpoint for microsoft graph api client id application (client) id registered in azure ad client secret client secret (key) generated for the application in azure ad token url url to retrieve the oauth token scope permissions the app requires password grant (delegated authentication) for acting on behalf of a user url endpoint for microsoft graph api tenant id directory id of the azure ad tenant oauth un user's username to authenticate oauth pwd user's password to authenticate oauth cl id application (client) id registered in azure ad oauth cl secret client secret (key) generated for the application in azure ad login url login url default value is https //login microsoftonline com (optional) scope permissions the app requires optional field (optional) asset credentials specific to your organization (microsoft graph api asset tenant id) url endpoint for microsoft graph api client id application (client) id registered in azure ad client secret client secret (key) generated for the application in azure ad tenant id directory id of the azure ad tenant scope permissions the app requires authentication for oauth2 refresh token grant credentials for microsoft graph api authentication url endpoint for microsoft graph api client id application (client) id registered in azure ad client secret client secret (key) generated for the application in azure ad refresh token refresh token scope permissions the app requires capabilities the microsoft graph api connector gives the ability to get and update security alerts, and modify user licenses and sessions add members create rejectedsender asset setup client credential flow authentication authentication uses azure application oauth2 you will need an admin account in azure to create the application recommended application permissions (feel free use custom permissions if you only use certain actions) user readwrite all directory readwrite all directory accessasuser all group readwrite all identityriskyuser read all in order to set up the asset, you need the following azure application client id azure application client secret azure tenant id steps to create the azure app go to the https //portal azure com/#blade/microsoft aad registeredapps/applicationslistblade in the azure portal click new registration enter a name for your new application and choose accounts in this organizational directory only , then click register at the bottom navigate to the api permissions tab on the left navigation menu select add a permission select microsoft graph select application permissions , then mark all the permissions you need for the actions you are using (see suggested permissions at the top of the asset setup section) click the add permissions button at the bottom of the page select grant admin consent for your organization, then your permissions should look as below navigate to the certificates & secrets tab and select new client secret fill out the description and expiration, then click the add button at the bottom the value of the secret you just created is the client secret needed for the swimlane asset navigate to the overview tab on the left menu the client id and tenant id needed in the asset are shown on this page the client id , tenant id , and client secret described in the steps above are the credentials you need for the asset password flow (delegated auth) use delegated permissions, instead of application permissions, and generate client id , tenant id , and client secret as described in the above client credential flow authentication we also need an username and a password for this authentication authentication flow for oauth2 refresh token oauth 2 0 refresh token grant, which requires a refresh token , tenant id , client id and client secret use this auth with accounts which have mfa enabled to generate a refresh token please follow the instructions below in step 3 of the above mentioned setup instructions, please provide a redirect uri and select the platform as 'web', before clicking on register at the the bottom proceed with the remaining steps to generate 'client id', tenant id and client secret add the permissions in delegated permissions the swimlane team will provide a python script and instructions on how to use the script to generate the refresh token limit access to specific mailboxes administrators who want to limit app access to specific mailboxes can create an application access policy by using the new applicationaccesspolicy powershell cmdlet for more information please see the article https //docs microsoft com/en us/graph/auth limit mailbox access action setup odata filters information on the filter input formatting can be found https //docs microsoft com/en us/graph/query parameters#filter parameter keep in mind that not specifying a folder as an input will result in the query affecting all possible folders example if we want to ingest only unread emails, and we don't set the input "folder", we will ingest all unread emails from all folders, including "deleted items", "junk", etc well known folders well known folders can be used instead of folder ids for email actions all well known folder names can be found https //docs microsoft com/en us/graph/api/resources/mailfolder?view=graph rest 1 0 sites get site all the sites actions require the site id to be executed the site id can be obtained using the action sites get site, in order to run the action the site hostname and site name are needed this two values can be found in a site url https //{site hostname} sharepoint com/sites/{site name} for example if our site url is https //swimlaneintegrations sharepoint com/sites/integrationssite we should use site hostname swimlaneintegrations site name integrationssite after the action execution you can find the site id on the id output field sites create list in order to create a list with its columns, use the input columns you can find all the possible values with its configuration on the following table property name type description boolean https //docs microsoft com/en us/graph/api/resources/booleancolumn?view=graph rest 1 0 this column stores boolean values calculated https //docs microsoft com/en us/graph/api/resources/calculatedcolumn?view=graph rest 1 0 this column's data is calculated based on other columns choice https //docs microsoft com/en us/graph/api/resources/choicecolumn?view=graph rest 1 0 this column stores data from a list of choices currency https //docs microsoft com/en us/graph/api/resources/currencycolumn?view=graph rest 1 0 this column stores currency values datetime https //docs microsoft com/en us/graph/api/resources/datetimecolumn?view=graph rest 1 0 this column stores datetime values geolocation https //docs microsoft com/en us/graph/api/resources/geolocationcolumn?view=graph rest 1 0 this column stores a geolocation lookup https //docs microsoft com/en us/graph/api/resources/lookupcolumn?view=graph rest 1 0 this column's data is looked up from another source in the site number https //docs microsoft com/en us/graph/api/resources/numbercolumn?view=graph rest 1 0 this column stores number values personorgroup https //docs microsoft com/en us/graph/api/resources/personorgroupcolumn?view=graph rest 1 0 this column stores person or group values text https //docs microsoft com/en us/graph/api/resources/textcolumn?view=graph rest 1 0 this column stores text values validation https //docs microsoft com/en us/graph/api/resources/columnvalidation?view=graph rest 1 0 this column stores validation formula and message for the column hyperlinkorpicture https //docs microsoft com/en us/graph/api/resources/hyperlinkorpicturecolumn?view=graph rest 1 0 this column stores hyperlink or picture values term https //docs microsoft com/en us/graph/api/resources/termcolumn?view=graph rest 1 0 this column stores taxonomy terms thumbnail https //docs microsoft com/en us/graph/api/resources/thumbnailcolumn?view=graph rest 1 0 this column stores thumbnail values contentapprovalstatus https //docs microsoft com/en us/graph/api/resources/contentapprovalstatuscolumn?view=graph rest 1 0 this column stores content approval status for a complete version of this table please see https //docs microsoft com/en us/graph/api/resources/columndefinition?view=graph rest 1 0#properties create list column refer to the above table to get the type properties and column type input the type properties are documented within the links in the type column get list items in order to use the filter input please refer to the docid\ x3cccivybg4bj5d05 say section the column used to filter the output must be indexed, see the https //support microsoft com/en us/office/add an index to a list or library column f3f00554 b7dc 44d1 a2ed d477eac463b0?ui=en us\&rs=en us\&ad=us to add an index to a list limitations when using $filter and $orderby in the same query to get messages, make sure to specify properties in the following ways properties that appear in $orderby must also appear in $filter properties that appear in $orderby are in the same order as in $filter properties that are present in $orderby appear in $filter before any properties that aren't failing to do this results in the following error error code inefficientfilter error message the restriction or sort order is too complex for this operation the assign/remove user license requires either the disabled plans and accompanying sku ids to assign licenses or the sku id of the license you want to remove the get security alert has additional information it can return there are a large number of fields that don't relate to many alerts, so they are not mapped; you can add them if desired notes https //social technet microsoft com/wiki/contents/articles/33525 an introduction to microsoft graph api aspx https //docs microsoft com/en us/graph/api/overview?view=graph rest 1 0 https //docs microsoft com/en us/azure/active directory/develop/v1 protocols oauth code https //requests oauthlib readthedocs io/en/latest/oauth2 workflow\ html#legacy application flow , this is sort of a hack to bypass manual login (typically required) configurations microsoft graph api asset tenant id authenticates using client credentials and tenant id configuration parameters parameter description type required url a url to the target host string required tenant id the tenant id string required client id the client id string required client secret the client secret string required scope list of permission scopes for this action array required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional password grant (delegated authentication) authenticates on behalf of a user using oauth 2 0 credentials configuration parameters parameter description type required url a url to the target host string required login url string optional tenant id string required oauth un the username for authentication string required oauth pwd the password for authentication string required oauth cl id the client id string required oauth cl secret the client secret string required scope permission scopes for this action array optional verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional oauth 2 0 client credentials authenticates using oauth 2 0 client credentials configuration parameters parameter description type required url a url to the target host string required token url must start with https //login microsoftonline com/ and then continue with the tenant id, and then be prepended with /oauth2/v2 0/token string required client id the client id string required client secret the client secret string required scope list of permission scopes for this action array required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional ms graph openid connect refresh token grant authenticates using refresh token configuration parameters parameter description type required url a url to the target host string required cl id the client id string required cl secret the client secret string required refresh token refresh token string optional verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions add members adds a new member to a group using the 'group id' and member's '@odata id' in microsoft graph api endpoint url /v1 0/groups/{{group id}}/members/$ref method post input argument name type required description path parameters group id string required the id of the group to which the member will be added @odata id string optional the id of the directory object to add as a member input example {"json body" {"@odata id" "https //graph microsoft com/v1 0/directoryobjects/{id}"},"path parameters" {"group id" "f0b2d6f5 097d 4177 91af a24e530b53cc"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {} create rejectedsender add a user or group to the rejected sender list in microsoft graph api using their unique id endpoint url /v1 0/groups/{{id}}/rejectedsenders/$ref method post input argument name type required description path parameters id string required the unique identifier for the group @odata id string optional the id of a user or group object input example {"json body" {"@odata id" "https //graph microsoft com/v1 0/users/alexd\@contoso com"},"path parameters" {"id" "732227b1 1927 49d4 bba9 cc30e6baf602"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} response headers header description example cache control directives for caching mechanisms private client request id http response header client request id b15e85c5 d517 4e9e a99e d32ec5057dd7 content encoding http response header content encoding gzip content type the media type of the resource application/json;odata metadata=minimal;odata streaming=true;ieee754compatible=false;charset=utf 8 date the date and time at which the message was originated thu, 05 jun 2025 05 18 27 gmt odata version http response header odata version 4 0 request id http response header request id f2584bdf 0295 424e bdb1 2df08413c0c3 strict transport security http response header strict transport security max age=31536000 transfer encoding http response header transfer encoding chunked vary http response header vary accept encoding x ms ags diagnostic http response header x ms ags diagnostic {"serverinfo" {"datacenter" "central india","slice" "e","ring" "3","scaleunit" "001","roleinstance" "pn3pepf000002a8"}} x ms resource unit http response header x ms resource unit 2