Streamlining your business processes using Microsoft Graph - BRK2266
All right. Thank you all for joining us. I'm Jeff Sakowitz, I'm Elizabeth Olsen, and I'm Mark Wahl, and we're going to talk about how to streamline your business processes using Microsoft Graph.

All right, so before we dive in I want to give you an overview of Microsoft Graph. In a nutshell, Microsoft Graph is a REST API that helps you integrate with data, relationships, insights and intelligence across Microsoft 365. In other words, it's the gateway to your data in the Microsoft cloud. Whether you're building a web app, a native app, a bot, a background process, or running a PowerShell script if that's your thing, you can use Microsoft Graph as your single point of integration across all of Microsoft 365, including Office 365, Windows 10 and EMS. Now, you will notice Azure is not up here; this API is currently focused on Microsoft 365, but you can absolutely build your apps in Azure, and there's a bunch of great better-together functionality that you can leverage in Azure, like Logic Apps, PowerApps, Flow, Azure Functions. So Azure and Microsoft Graph do generally play well together, even though there's a separate set of APIs for integrating with Azure.

So you can use Microsoft Graph to build net new apps or add functionality to your existing apps that you're already using today. Microsoft Graph can help you get access to your data if you're a line of business app developer or an IT admin, or your customers' data if you're an ISV building apps for other companies. Now, we take security and privacy very, very seriously with Microsoft Graph, so we're not just exposing all this data for anybody to go query from the API. It's only accessible once a user, or an administrator that's in charge of that data, consents for the application that's requesting data to have access to it, and we use the Microsoft identity platform for all of our authentication and authorization flows. And Microsoft Graph supports organizational identities in Azure AD, including some we'll talk more about later, as well as consumer identities.

So let's take a look at what this looks like in visual form. It all starts with /me, which is an alias for the signed-in user that you can see here at the center of the graph. Because it's a graph, you can then traverse using navigation properties and see who the direct reports are of that user, what groups they're a member of, what teams they're collaborating in, details about their organization, and the people they work with most frequently. You can also see what roles they're a member of, what other users are in the organization around them, and build out the whole work hierarchy. And then you can also start bringing in content from Office 365 services: you can access SharePoint sites, you can see what emails the user has been sending or receiving most recently, and you can see what devices they're using. Now, you'll notice that at the beginning we were talking about mostly things that live in Azure Active Directory, maybe a little bit of Intune, and now you're seeing things like sites and emails. Previously, to build an app that leveraged all of these different pieces of data and all of these relationships, you would have had to integrate with two, three, four, maybe even five different REST APIs that had different schemas, accepted different tokens, spoke a slightly different query language, and it was really painful, and we heard this feedback from a lot of developers. So Microsoft Graph really makes it a lot easier to build integrations that take advantage of the full power of Microsoft 365. Regardless of what service in the background actually is hosting that data or powering that service action, you integrate with Microsoft Graph as your unified gateway to Microsoft 365, and you have one endpoint, one token, one set of docs, one set of SDKs, and it's a lot simpler than developing against our cloud stack was before.

Also, your time to value when there's new data available in Microsoft 365 is significantly decreased when you integrate with Microsoft Graph. For example, we just announced that we added some Dynamics financials APIs to Microsoft Graph recently. Previously, if you wanted to extend your app to go work with those, and your app is already using some of these other entities, you would have to go figure out where that API lives, how to integrate with it, how to request permissions and get access. Now you can simply request a new permission to Microsoft Graph for the Dynamics information, but you don't have to change a ton about how your app works, and all of a sudden you have a net new type of data in your app with very little extra work to take advantage of it, and this is really, really useful.

We also have APIs for facilitating collaboration between business partners, which we're going to do a deep dive on later. And we have insights APIs. A lot of what I covered previously on this slide was an example of static entity data or relationships between entities, which are very powerful, but we also have our machine-learning-backed insights, where we are calculating all this intelligence across Microsoft 365 and we package it up in an easy-to-use API, so your app can take advantage of all that hard work Microsoft 365 is doing to figure out what documents are trending in an organization, who someone works with most frequently, what security risks are relevant to an organization, and you can consume that without doing all the hard work that's happening behind the scenes in Microsoft 365 to get that rich piece of intelligence. And last but not least, we have a ton of really exciting security data and automation APIs
in the Graph, a lot of which are pretty new, some of which recently went GA, which we're really excited about, and we'll talk more about this a little bit later as well.

So, it was probably obvious from the last slide, Microsoft Graph has an extremely large surface area. Now, in this session we're going to specifically focus on the EMS portion of Microsoft Graph. If you're not familiar with EMS, it's a comprehensive suite of services and products that help customers do things like identity and access management, mobile device and application management, information protection, threat detection and so on, and this is the space we're going to focus on today. Even within this space, EMS is a large space in and of itself. From a scenario perspective, we're going to focus on secure and compliant productivity, and we're going to show you how you can facilitate collaboration across organizational boundaries, automate compliance and address IT governance goals, protect data and stay secure. And we're going to show you how you can do this using Microsoft Graph to take tasks that were previously very complex, error-prone and time-consuming, and automate them into easy workflows that are embedded directly into your apps, or are scriptable using PowerShell, or automated in the background, and you'll be able to do this for many users that are using tons of apps, accessing and generating lots of data across many different devices.

So before we dig deep into that, I do want to show you how you can use Microsoft Graph, to make this all a little more real. Calling the API is really simple. You start with the base URL, which is graph.microsoft.com. You use standard HTTP verbs to indicate the intent of your request. You add on the version: v1.0 is where all of our GA APIs live, these are APIs that are ready for use in production today, and beta is basically our staging area where we're baking new APIs and we're constantly innovating, and you can go there to see what's new, what's coming next, you can test it out, provide feedback. We love the feedback, so definitely keep an eye on beta and test out the new and exciting stuff that's there.

Then you add on the resource collection you're interested in, like groups, users, sites, and then you can hone in on a specific member of that resource collection if you want. So you can reference a member of the users collection by GUID, or you can reference them by friendly name as well, whatever works for you. And then you can dig into the property level, or you can traverse a navigation property. This last query that I put up here is an example of a query that simply was not possible before Microsoft Graph. In order to go from a user's profile to the events on their calendar, you would have had to integrate with the Azure AD Graph API and the Outlook REST API, so you had two points of integration for one request, and then you would have to correlate between the two responses to make sure you got the right data back and it was stitched together correctly. It was really painful, and so the Graph makes this a whole lot easier for you. We also support a whole host of OData query parameters to make sure that you're getting back exactly the data you want, exactly in the format you want it. And by the way, graph.microsoft.com is also where all of our documentation lives, so everything I put on here, the query parameters, all the different entities you can query, navigation properties and everything, is all documented in detail; we have a ton of detailed documentation on the site.

So to give you an example of some of these queries in action, let's imagine that you're building a basic company portal application where everyone in your organization is going to sign in every morning, and you want to greet them by name, show their profile photo in the top right-hand corner to make it feel more personal and modern, and then you want to give them some personalized news and actionable information to help them start their day and be productive. So what you want to do first, you want to get the user's profile and grab their display name and their job title, and you can use the display name to greet them by name. Then you get their photo, and now your application feels a lot more personal and modern; instead of seeing a placeholder of an empty face, they actually see their own face on the screen. Then you can see who their manager is, and you might want to use this to then run a query, also in Graph, against Outlook and see if they have any high-priority mail that they've gotten from their manager since the last time they signed in to the portal, and they might want to know that so they can prioritize answering those mails or taking action in order to start their day effectively. You can do the same thing with their direct reports, which can be used in the same way. And then you can see what groups they're a member of. Now, you might want to use these groups to show them some personalized content based on the project groups they're in, or the groups they're collaborating in in Teams, or you might want to restrict access to certain parts of the portal and certain pieces of data based on membership of a security group, and you can use the memberOf query for all of that. You can also get insights based on activities both being done by the user and other users in the organization, so you can see what documents are trending around the user, what they've worked on recently, who the people they work with most frequently are, what the best time to schedule a meeting between them and a few people on their team is, and there's a whole bunch of interesting insights APIs.
You can also get notifications and track changes. These are a couple of platform capabilities we have that help you be a lot more efficient when you're talking to Microsoft Graph. So we have what we call webhooks and delta query. Webhooks allow you to subscribe to push notifications that tell your app when there's new data, changed data, or deleted data in the Graph that your app cares about. And then delta query is basically a "get changes" API, so when you get a poke from our webhooks subscription engine, you can call back using delta query and say, hey, what's changed since the last time I talked to you, and we'll give you back just the data that's changed for the entity that you care about. So you can see all the new users that were created since the last time you made a query, all the new emails that came into a user's mailbox, any new files that were uploaded, things along those lines. And this helps you be a lot more efficient and not need to do a full read with every request and handle complicated diff evaluations. It's a lot simpler if you just use these capabilities.

We also have a bunch more platform capabilities like this, including the ability to add extensions, so you can add your own custom schema extensions to Microsoft Graph. So again, going back to our company portal example, you might want to let the user choose their favorite color and their theme for the portal, but that might be the only customization you offer, so you might not want to have a database that sits behind your portal just to store those two values. Instead, you can store them directly in Microsoft Graph. So what you can do is extend the user profile to have a favorite color and a preferred theme; you could also store language if you wanted. That extends the user profile directly in the Graph, so then when the user signs in, you take their token, you come to Graph and you get their profile, and now you see, directly in line with the response on the get user, their favorite color and their preferred theme. So you can render the portal in blue and use the light theme if that's what they prefer, and you don't need to store that data locally, which is really nice.

All right, so now let's do some deep dives on some particularly interesting parts of the Graph. For this portion, let's imagine that you work for a large multinational company that recently acquired a smaller subsidiary, and you're in the middle of the acquisition process, and your team specifically is in charge of making sure that the acquisition goes smoothly from an EMS perspective.
So Microsoft Graph can help here by turning a bunch of things that were going to be manual, laborious tasks into automated workflows, and really save you a lot of time and effort and save you a lot of error risk. So you can do things like help streamline collaboration across corporate entities, manage employee lifecycle, protect sensitive data across devices, and detect and respond to security threats, and we're going to show you how the Graph can help with all of this. So with that I'm going to pass off to Elizabeth, who's going to dig into the collaboration aspect.

All right, thanks Jeff. So you're in this merger scenario or acquisition scenario. Let's imagine that you need to facilitate that collaboration, and in order to do that you want to enable all the users on one side of the entity, or, we'll say the parent entity to keep things clear, you want to enable everyone in the parent entity to work on the resources in the child entity and vice versa. And one of the things that we have to enable that, let me advance the slides, is this concept of Azure Active Directory B2B guests. And so if you're not familiar with B2B, that's a way that you can invite people into a tenant in order to collaborate on the resources there without giving them a new account and new credentials that they have to manage; they can use their existing credentials. If you want to learn more about B2B, I'm doing a talk about that on Friday, so I encourage you to drop in and see that, but today I'm going to talk to you about the invitations API that we have in MS Graph that you can use to invite people and manage your guest users. And where that applies to this day one scenario is that you can use this API to bulk invite everyone from the child to the parent, or vice versa, and enable that collaboration to start happening on day one without having to worry about giving people new accounts or migrating from one tenant to the other, or collapsing, or anything like that. So you can get that collaboration started and start getting the value of that acquisition, and then plan for a consolidation later down the road on a timeline that you are more comfortable with. You can also use the API to build ongoing automation that syncs users as they get added or removed from one system or the other, so that you always have everybody in sync across both of the tenants.

So I'm going to switch over to my machine. And so I'm going to show you how this works using Graph Explorer, and if you're not familiar with Graph Explorer, this is a really awesome tool that we host online that enables you to play around with the Graph API and see how it works without having to write a whole app and a whole place to host your code. Without logging in, so right now I haven't logged in, I'm not using my own data, but we have some demo data that you can use to kind of see how the APIs work, at least the read APIs; we don't let you update or delete things in our test data. But you can see that we have a test user logged in whose name is Megan Bowen. She has some properties associated with her account; you can see the other APIs that we have available, like how to get her photo, and see what the query is for that, and different items that you can dig into, and that can kind of give you inspiration for how you would build APIs to satisfy your scenarios.

So once you log in to Graph Explorer, then you're running against your own data and you can do whatever you want against that data. So just keep in mind this is real, and if you delete something it's really deleted in real life, so be very careful with what you do. The whole "with great power comes great responsibility" thing comes into play here. But so now that I'm logged in, if I run the same /me query that I did before, you can see that I'm a different user now, and let me zoom in so you can actually read that. But I'm a different user now, I'm the MOD Administrator, and I have different properties here because this is my real live data. And because I'm an administrator I can do things here like I can actually invite people. So what I'm going to do is I'm going to actually take this one and show you the invitation API. So here I just replaced the "me" with "invitations", so that's the way of targeting the invitations API, and everything else is the same. So that's the power of Graph, is that now that I've figured out how to target one API, it's really simple for me to bring in more functionality over time without having to figure out new tokens or anything like that.

And so for this invitation API, it's a POST, and, let me move this out of the way, the only required properties to invite a guest user are the invitedUserEmailAddress, so that's who this user actually is, it's how we identify them, via their email address, and also the inviteRedirectUrl, and so that's where we send the user after they've successfully come in and authenticated. We send them to this place in your system, and so this is a great way, if you want to build this into an app where maybe you want to build sharing into a custom app, you can say, I want to invite people and when they come in, drop them on this page inside my app, so that can be a really powerful experience. That's kind of how the Office clients or SharePoint or Teams or whatnot, if you've experienced sharing in there, that's how they take advantage of it; they're using the B2B API as well.

So I'm going to just run this. And it was successful, because the demo gods are happy today. And you can see now that I've got a guest in my system, I now have a user ID for that user, so I can use that to do other operations on this user. I also have properties that are based on the information I already put in, like the display name is set to the first part of the email address, and those properties that I set before, in terms of the invitedUserEmailAddress and the redirect URL, are both set here as well. So you can use this API to do that bulk invite that I was talking about in this mergers and acquisitions scenario. You could imagine you have all of those users in, like, a CSV file or something and just run a PowerShell script or some other way of bulk processing those users, and then hook into alerts when your users are created to call this API again for those new users and invite them into your system.

So with that I'm going to move back over to the presentation. And so the API for B2B has a few more capabilities. You obviously can invite people through the API, and that's very powerful in and of itself, but you can also use the API to list the guests you have in the tenant if you want to do some kind of management, lifecycle management, or auditing of those guests, and we recently added the capability to filter those guests based on the invitation status. So if they've never come in, you might want to know who you sent invitations to who have never come back; you can get that with the API. That's technically rolling out, it's going to be live next week we think; we just didn't quite meet the train for Ignite, unfortunately, but that's imminently available, so by the time you get back to your office and you start recovering from Ignite, that should be there for you. So with that, I'm going to pass it off to Mark.

Great, thanks very much. So what I'm going to talk about next is some of the work that we're doing in order to provide additional controls over identity and access for users, employees, as well as those guests and partners in the directory platform. So what kinds of capabilities are we working on here? One slide too far. So first of all, we want to talk about the motivation for doing this. Now, those of you who went to my talk yesterday, you probably saw this slide already; if not, go look at the session code at the bottom and the recording afterwards. But briefly, what organizations are often concerned about is the proliferation of access. All these users coming in, employees, business guests, partners: what do they have access to? How do I get my hands around the access that they have, and then start asking some fundamental questions: why do they have that access? Why do they have so much access? What are they doing with that access? Do they still need it? Maybe people got access accidentally, maybe they're put into a group and they didn't even realize that. What can we do about this to have more control? Because
organizations that are concerned about security, or in regulated industries, sometimes someone, a security investigator, an auditor, a regulator, will come and look and take a view of what's going on in the directory and say, hmm, how is it that that person has so much power in the organization? And they'll say, great question, I guess we should do something about that. Well, what can we do to avoid having those unpleasant auditor conversations? How can we put more control over identities and access using Graph, and how can we then provide the right visibility, so that you, as well as all the people who are working with your organization, looking at understanding the big picture, can answer: are people getting access at the right time so they can be productive, and are they losing access when they no longer need it, so you can stay secure? How do we make sure those goals are being met?

So I'm going to show some ideas for how to do that using Graph. So I'm going to show a couple of things: I'm going to show how to use queries, how to pull back audit logs, how to do some reviews, how to use PIM for privileged access. But one thing I'm going to do a little bit differently: you probably saw "Graph" and heard people saying "API", so you go, you're going to do development and stuff. I'm not; I'm not a developer, they haven't let me check in any code since, like, '99. But what they do let me do is they let me run my own PowerShell, so I'm going to show you how to do all this without writing any code, so I'm going to use PowerShell for this.

So how do you use PowerShell for interacting with Microsoft Graph and using some of these exciting capabilities? It's really a three-step process. The first step is tell Azure Active Directory about your application, what it is you're going to be doing. So I went to the portal here, and under App registrations I create this app, and the important thing here are the required permissions: what permissions do I want my application to have? So you can see I've gone in and given a whole bunch of permissions that Microsoft Graph has to my application, so I can go and do this demo. But of course this whole "great power, great responsibility" meme is pretty important, so you probably want to narrow that down; just because you have all those permissions doesn't necessarily mean you want everyone in your organization to do that. So the second part of it, as Jeff mentioned before, is to understand who in your organization can have those permissions, who can use this, and that you do here again through the Azure portal when you look at Enterprise applications. So here's my same Graph application; I just told Azure AD about it, and I've told it that I'm pretty much allowing everyone to go use this, because I want to live dangerously.

Now, in case you're wondering, well Mark, how did you know that you needed those permissions, how did you know that export users' data and terms of use agreements were relevant to your app? That's here in the documentation. So if you go to the developer site Jeff mentioned before and look under the Graph section, you'll see that every time we're talking about one of these APIs, we have this little section at the front about authorization. It tells you what permissions make sense, and some of the APIs will even have a table so that you can know how to have least privilege: if your app doesn't need to change any users, don't ask for the ability to write users, just ask for the read ability. So that's the first step: going through and getting your application the right permissions so it can then interact with Graph. The second step is authentication: how do you get users to then interact with your application, be able to sign in using your PowerShell-based application and use Graph? Well, the easiest way to do that is to steal something that already does it. So I found this blog post about how to access an Intune API from Microsoft Graph, which, if we scroll down, basically said everything I just said, and then after a whole bunch of really exciting stuff about Intune, it started to have some examples. I thought, wow, that's so great, maybe my feature, Azure Active Directory access reviews, should have this as well. So I basically stole their content and republished it under my name, sorry, which has of course all the same thing. And the reason I was able to do that was because it's exactly the same: the whole part about authentication, how I authenticate to use Graph, doesn't matter if I'm going to be calling the Intune APIs or the access reviews or Office, it's all the same process, so all this code is exactly boilerplate. You don't have to make any changes, so go find one of these blog posts, usually an Intune post or my post about access reviews, just copy this whole top part off, put it into a file, and you're pretty much done.

So let's take a look then. Here's my favorite development environment, Visual Studio Code, with a little PowerShell window here at the bottom, and you'll see that I took the access review example off that blog post, and that has all the standard boilerplate stuff. Now, all this is doing here is simply loading in the DLLs to do the authentication, the ADAL DLL, so you don't need to go get the code. The good news is if you use the Azure AD PowerShell module, does anyone use the Azure AD PowerShell module? Yeah, pretty much always, you already have the DLLs; when you install Azure AD PowerShell it loads the DLL on there. So if you're doing PowerShell and you've used Azure AD, good news, this thing just looks and sees where you've got the PowerShell module already loaded, pulls in those DLLs, and you're good to go.

Okay, so now we've got our application called Graph Sample, we have the ability to authenticate users with this code I got off the internet. Now what can I do with it? How hard is it going to be to actually call Graph? Well, it's actually pretty easy. So first question: how do I understand
what access someone has in my organization? Well, let's start with some basic questions: what groups are they in, what roles are they in? So here we have a target user, so here's an object ID I got from the directory; similarly, you saw that come back from the invite API, it could be anyone. And here I'm pasting that in with the Graph path for memberOf, and I'm calling Invoke-WebRequest and converting the JSON. Let's see if this works. It works, great. So it told me that this user, who just happens to be me, is a Company Administrator, a Privileged Role Administrator, and interestingly enough, in Finance, which I guess is a group. Now, this would probably, if this were a real company, raise all kinds of interesting questions: how is this guy both an administrator and in a finance group? How did they get there? So let's start looking at the question, how did they get there, and figure out how we answer that with Graph.

So we have another example here of using Graph, using the audit log API. So here I'm querying the directory again through Graph, here's my user, I'm going to go query the audit log and look then for records that have that same user. So that's "get Graph audit". Okay, so what's going on now is it is done. It's gone and retrieved what the user has been doing or what has been done to the user. I can then see some update operations, I can see roles, things like that, and I can go back and look over time and see what happened to this user in the past, and if I go back far enough I'll see an "add member to group", and if I go look up that group again using the ability of Graph to traverse links, I can find out who put that user into the group, when did they do it; all that data is available there through Graph. Now, that's interesting; I've gone and gotten into some finance group. Let's see if that's given me any particular powers: have I been able to sign in to any additional applications based on that? Guess what, it's another API in Graph, and you'll see it's all the same code over and over: I get the URL, I call the web request, I convert the JSON response back, do some traversal of the API. Pretty boilerplate stuff; I spent a lot of time with copy and paste and built a pretty extensive app over here. So let's take a look at that.

So again, I'm going in to query Graph, and that was pretty fast. It went to see what I've been doing, and pretty much I've been using Office, I've been using this Graph Sample app using PowerShell. Okay, looks pretty safe; I haven't done anything too financial-looking here, so probably I'm not a bad guy, maybe I'm just seeing what I can get access to. I'm an administrator, I can put myself in any group; hey, what's the worst that could happen, right? Well, probably that shouldn't be going on in your organization. You probably shouldn't have administrators going in and adding themselves and getting access to finance, and you really want some oversight over this process. So we have features in Azure Active Directory that go and provide that oversight. So we have the ability, and we're looking here at all our groups, to go and put some controls over group membership. You have self-service group management with approvals as people get in, but once an administrator has just added themselves to the group directly, how do you go and regularly look at your groups and make sure that the right people have access? So here we have in the Azure portal a feature called access reviews. I can, on a recurring basis, ask someone, let's say the head of Finance or the owner of this Finance group, to go and review who really should have access going forward. So again, we have a lot of powerful features in Azure AD to go and do all these review experiences and look at the results, but you probably know what's coming next: I'm going to say, yeah, that portal was fun, but really what I'd rather do is see what's going on with this access review through PowerShell. Has anyone done any reviews, has anyone taken any action yet? So we see here we can query again using the same Graph API; if we look at the code, it's going to look exactly the same as everything else. We're going in, querying the access reviews, we're looking at the review decisions, so has anyone taken any action yet? Looks like not yet, so the group owner hasn't had a chance to make any changes, but hopefully they'll come in here and take me, and probably some other admin accounts, out of this group. So again, all this information is written to the audit log. I can go in and I can provide controls over how access to different resources is being monitored, and I can get at that through PowerShell. Now, it's not just groups and apps; I can also do this for administrative resources as well. So some of you may be familiar with Azure AD Privileged Identity Management. So I can use Privileged Identity Management to assign people to roles with limited time; I can also use Privileged Identity Management to control access to Azure resources as well. Looks like I don't have any in my demo right now, but the principle is the same. So we mentioned at the beginning that Graph is intended for managing information in 365, but in the case of privileged identities, privileged access, these
Kinds Of things are so important, to build a big picture view of what, your administrators, have access to we can go and query from. From. Graph and find out information about, administrators. What they're doing and be able to then join that data up with. With. Data over on the azure side of the house as well so I can go and see what's going on with my administrators, I can see I scroll, down here that. There's, various administrators, being added to roles again I can traverse all these relationships, using, the graph to find out what those roles are I can see roles on the azure side, as well as on the eight Azure, Active Directory side I can then see privileged operation, events people being added and removed to, different roles so there's. A lot again of really powerful, capabilities, that, are going. On here in the system so, I don't. Have time really to go into all the detail but I will give you some hints for where to go take a look at next so we talked about how, to go query what groups people are in, get. To activity, logs each, of the services like teams SharePoint. Yammer again have additional, interfaces as well you, can go and find. Out more about what the users been doing you. Can then once you've determined what are the interesting resources go and ask someone to go and review that access, so you don't have to rely solely upon IT you can say hey, application, owners group, owners go and make sure that these people are the right people to have access and finally. You have the ability to time limits, time. Limit privilege access now if you have a smartphone you want to get your smartphone out just, for one minute now don't make any calls to just have it handy because going on at the same time as this session is, another session down there about Azure Active Directory PIM, which, unfortunately, you're all missing, by, being, here listening to me but that's okay if you are interested. In using p.m. 
and you say well I don't have that today you, can go and get PIM trial. For one year and that gives you access to all the things that I've just been talking about during. This part of the session so you can go and use the access reviews and use the PIM and use all these features, okay. Now, I need you to put your phones back on mute and we'll transition on to the final part of the presentation. Thank. You Marc. Alright, now, I want to talk about protecting sensitive data across devices using, Microsoft, Intune and graph if, you're not familiar Intune.
Is A really powerful service, that's part of EMS that helps you do mobile, app management mobile, device management and a whole lot more it's. A it's a massive service there's a lot of really interesting things you can do with it and there's a ton of api's, and graph to interact with in tune there's also a ton of powershell scripts that are out there in that blog, that Mark mentioned but. For this portion, we're gonna focus on one particular scenario. That, applies to our company, acquisition, example so. Let's imagine that the. Acquiring. Enterprise, has. Only previously, used iOS, and Windows devices, but. The new subsidiary, that they're acquiring has. A bunch of users who brought. The who brought, their own Android devices to work and use and use them to work. You know do work and access. Sensitive information. Now, as the, team responsible, for making sure things stay secure, after you acquire this new company you want to make sure that when, people are accessing sensitive, company, documents sensitive. Sites that, you, know that's being done securely, in a compliant manner so. Intune can help in Microsoft graph can help make that easier so, what you might want to do here is create, and deploy an, Android, device compliance. See so. You can use Graf to create a new policy by, posting, to the device management endpoint. And then. You need and then you need to figure out who you're going to apply that policy to so. What you might do here is use. Azure Active Directory, through. Graph, to. Get a list of the users who were newly added to the tenon through. The invitation, process that, Elizabeth highlighted, so, you can use Delta query to see all of the new guests, that, have appeared in the tenant and, you know since the migration, happened and you. Could get this list of users and you, can add them all to a new group in Azure ad and then, using into an api's but again this is all obfuscated. 
To you because just through graphs you'll need to care whether it's a journey or in tune you can assign, that policy. That you created in step one to this group and that policy might say something like, in. Order for, users. To register, they're, in tuned devices, with the company they, must be on a certain OS level and they must not be jailbroken for example and then, you could further, combine, that with another grey DMS feature called, Ezzor ad conditional, access to, say users. Must satisfy. All, of these Intune policies, and have their device, registered.
And Compliant, managed, in order to access sensitive, applications, or even just access their email and now, you made sure that even though people are bringing in these devices, that you know come from the wild you're making sure that these devices are safe. And compliant and up-to-date and don't have you know glaring security, holes and. Any, old device can't just show up and get access to data. So. Like I said in to is a really wide space that's just one example the. Rule of thumb with into an API is and graph is if you can do it in the azure portal, form in tune you can do it in graph and that's, very. True because a hundred percent of what the Intune portal, does it. Does it talks, to its own back-end through, graph one hundred percent of the time you, can see this if you open developer mode on your browser while, you're in the Intune portal you'll see the calls going to grep Microsoft, graph and. Like. I mentioned before there's. A really, really good repo, of PowerShell scripts out there in github and. There's, a session tomorrow that, theater said that's at the bottom of this slide. Where they're gonna be going through and walking, through some of these scripts and showing you how you can automate into new operations, using, PowerShell, and Microsoft, graph. There's. Also a bunch of new API capabilities. And in tune, that. Are highlighted here get, your photo this if you want but if you don't want to bother right now you can, always look at our change log on the Microsoft graph documentation. Site we, have a log, where we put any new API or any updated API that, we that's in its organized, month-by-month service. By service so, if you want to keep up with the latest and greatest you, can check there or you can also look at our blogs but the change log is a really nice way to just see you know a punch, list of all the new and updated API is what's moved from beta to be one so, on and so forth so definitely check that out. Alright. Now, let's talk about graph. 
Security, api's this. Is a really exciting new capability. That. We're adding to, graph and you're gonna see a lot more coming in this area going forward, so. We've. Got all these really, useful, security, providers, across. Microsoft, and our third-party partners these, are things like Windows, Defender ATP. As your. Ad Identity Protection cloud. App security and. Things, developed, by our ecosystem, partners and they're super useful they're, generating, trillions. Of signals every, day but. There's, a couple problems it's. Really difficult, to, correlate. All of the disparate, signals, that are coming from all these different providers it's. Really hard to get context, on those and figure, out what. Does this alert pertain to is it actually, a problem do it do I need to take action how do I take action and which, service, should I use to take action and it's, like sometimes, correlation. For, security, teams when, you have all these different providers speaking, different languages, and talking to different products, is like, finding a needle in a stack of haystacks. The. Another big problem here is that. It's, really painful to. Get value, the, time to value when you bring one of these new security providers, online is, a really long timeline sometimes, it can take months to get all of your to get your seen system, and all of your other front-end, apps that, actually consumed. Created, by these security providers it can take months to get that up and running after you do some clunky integration, right some new code figure. Out what config you know elements, you need to put in place and. I'm sure some of you can relate to this so, just, like we solved this problem for app. Developers, in Microsoft, graph the, security, API helps solve this for. All these the, front-end security, products, in Microsoft. That in, Microsoft, graph so, what we've done is we've basically aggregated. And built a gateway for all this security, alerts. Intelligence. And actions, in. 
The Microsoft, graph so it's a it's a graph inside, of the graph and insert, your inception, joke here.
So. Basically. The surfaced alerts security. Scores actions, you can take and other security, valuable, security, data and threat intelligence all through, the graph security, API is in a normalized, way and it's all powered by the same security. Providers. That, everybody knows and loves but, it's done in a way that makes it much more easy to integrate all of your apps whether, those are apps that you're building in-house, or. Whether they're apps you're building for customers, of your and ISV or, apps that you're consuming from an ISV it's. Getting, significantly. Easier for, those apps to, filter. Through the noise correlate. Activity, and incidents, and. Consume. Threat intelligence data to give you actionable, insights, and let, you take action, on security, threats by. Using the security graph API. If. You want to learn more about this there's a deep dive happening, tomorrow morning that's gonna go in much more depth than, this than I am today and there's, also been a few sessions already this week so go check out the recordings there's a ton of really good content this week about. A bunch of these api's that we recently announced this GA and a bunch more that are in preview and up and coming. All. Right so what's next well. Like I said earlier graphed Microsoft, comm is where all of our Doc's live we, have tutorials we, have quick starts we have SDKs, and a ton of languages. We. Have a bunch of resources, we have deep API references, we have conceptual, documentation. We, have a big deep dive on permissions, and consent, if you want to learn more about that I know that's a common question we've, been getting at the booth all week, so. Go Grafton Microsoft comm check. Out our organization. On github slash Microsoft, graph ton. Of samples there we. Also have all, of our docs on github if you prefer to consume them that way. Tell. 
Us what you're building on Twitter with the Microsoft graph hashtag and if you have questions you can use Stack Overflow, and again the Microsoft, craft tag there. There's. A bunch of sessions this week on Microsoft, graph in addition to the sessions that we plugged at the bottom of those slides these are some other ones if. You don't see a date and a time it means the session already happened so watch, the video or. Maybe you were there which is awesome a lot, of these will go into depth on certain areas of the graph or. Certain. Ways to use the graph so those are the 75 these, are the 45s. These. Are the theatres. And. That's it I'll take questions. Thanks. Everybody.
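Two parts of the session describe procedures in words only: Mark's "get the URL, call the web request, convert the JSON, traverse" pattern for answering "what groups and roles is this user in?" and "how did they get there?", and Jeff's three-step Intune procedure (create an Android compliance policy, find the newly invited guests with delta query and put them in a group, assign the policy to that group). The following PowerShell is an added example written for this page; it is not code from the speakers, from Microsoft, or from the PowerShell samples repo they mention. It assumes an access token already obtained from the Microsoft identity platform in the environment variable GRAPH_TOKEN, with the permissions the endpoints need (directory, audit log, group and device-management configuration read/write). The user object ID, group name and policy name are placeholders, and the exact audit-log $filter form and the Android compliance property names are taken from the v1.0 reference as I remember it, so treat them as assumptions to check against the current docs.

```powershell
# Added example: Graph investigation and Intune policy rollout through one REST helper.
# Assumes $env:GRAPH_TOKEN holds a valid bearer token (placeholder; obtain it via the
# Microsoft identity platform). All IDs and names below are placeholders.
$Graph = 'https://graph.microsoft.com/v1.0'

function Invoke-Graph {
    # One helper for every call: bearer header, JSON body, and @odata.nextLink paging.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('GET', 'POST')] [string] $Method = 'GET',
        $Body = $null
    )
    $headers = @{ Authorization = "Bearer $env:GRAPH_TOKEN"; 'Content-Type' = 'application/json' }
    $uri = if ($Path -like 'https://*') { $Path } else { "$Graph/$Path" }
    if ($Method -eq 'POST') {
        return Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -Body ($Body | ConvertTo-Json -Depth 10)
    }
    $results = @()
    while ($uri) {                                   # follow paging until no nextLink
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        if ($null -eq $page.value) { return $page }  # single object, not a collection
        $results += $page.value
        $uri = $page.'@odata.nextLink'
    }
    return $results
}

function Get-UserAccessSummary {
    # "What groups and roles are they in?" memberOf returns directoryObjects; the
    # @odata.type distinguishes a group from a directory role.
    param([Parameter(Mandatory)] [string] $UserId)
    Invoke-Graph "users/$UserId/memberOf" | ForEach-Object {
        [pscustomobject]@{
            Kind        = $_.'@odata.type' -replace '^#microsoft\.graph\.', ''
            DisplayName = $_.displayName
            Id          = $_.id
        }
    }
}

function Get-UserDirectoryAuditTrail {
    # "How did they get there?" Audit records whose target is this user (e.g. "Add member
    # to group") with who initiated them and when. Assumption: this targetResources/any
    # lambda is the supported $filter form for directoryAudits.
    param([Parameter(Mandatory)] [string] $UserId)
    $filter = [uri]::EscapeDataString("targetResources/any(t:t/id eq '$UserId')")
    Invoke-Graph "auditLogs/directoryAudits?`$filter=$filter&`$orderby=activityDateTime%20desc" |
        ForEach-Object {
            [pscustomobject]@{
                When        = $_.activityDateTime
                Activity    = $_.activityDisplayName
                InitiatedBy = $_.initiatedBy.user.userPrincipalName
                Result      = $_.result
            }
        }
}

function Get-NewGuestUsers {
    # Delta query over users. A first call with no delta token enumerates everyone, so the
    # guest filter is applied client-side; persist the @odata.deltaLink from the last page
    # and call it on the next run to receive only the users added since.
    Invoke-Graph "users/delta?`$select=id,displayName,userType" |
        Where-Object { $_.userType -eq 'Guest' }
}

function New-AndroidCompliancePolicyForGuests {
    # Step 1 create the policy, step 2 group the new guests, step 3 assign policy to group.
    param([string] $GroupName = 'Acquired-Subsidiary-Android-BYOD')   # placeholder name
    $policy = Invoke-Graph 'deviceManagement/deviceCompliancePolicies' -Method POST -Body @{
        '@odata.type'                  = '#microsoft.graph.androidCompliancePolicy'
        displayName                    = 'Android BYOD baseline (example)'
        osMinimumVersion               = '8.0'        # "must be on a certain OS level"
        securityBlockJailbrokenDevices = $true        # "must not be jailbroken" (rooted)
        passwordRequired               = $true
        scheduledActionsForRule        = @(@{         # what happens on non-compliance
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
        })
    }
    $group = Invoke-Graph 'groups' -Method POST -Body @{
        displayName = $GroupName; mailEnabled = $false; securityEnabled = $true
        mailNickname = ($GroupName -replace '[^A-Za-z0-9]', '')
    }
    foreach ($guest in Get-NewGuestUsers) {           # add each new guest to the group
        Invoke-Graph "groups/$($group.id)/members/`$ref" -Method POST -Body @{
            '@odata.id' = "$Graph/directoryObjects/$($guest.id)"
        }
    }
    Invoke-Graph "deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" -Method POST -Body @{
        assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.id } })
    }
    return $policy.id
}

# Usage (placeholder object ID):
# Get-UserAccessSummary -UserId '00000000-0000-0000-0000-000000000000' | Format-Table
# Get-UserDirectoryAuditTrail -UserId '00000000-0000-0000-0000-000000000000' | Format-Table
# New-AndroidCompliancePolicyForGuests
```

The point Mark makes in the session is visible in the structure: every question ("which groups?", "who added them and when?", "which guests are new?") is the same helper with a different path, and the @odata.type on memberOf results is what lets you separate a directory role from a plain group when you review an administrator's access. The policy alone does nothing until it is assigned to a group, and it only blocks access once conditional access requires a compliant device, which is the last step Jeff describes and is configured separately.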
2018-10-05 03:44