Exercise - Authorize access to Microsoft Graph API with MSAL
In this exercise, you will configure the application with permissions and use MSAL to access user profile information from the Microsoft Graph (MS Graph) API.
Add Microsoft Graph permissions to App registration
Web services secured by Azure Active Directory define a set of permissions that provide access to the API functionality and data exposed by that service. Before an application can can access data or act on a user's behalf, it must request these permissions to be approved by the users. These API permissions can be assigned to your app registration from the Azure portal. Here are the steps to assign Microsoft Graph API permissions to your application.
In the app's registration screen, click on the API permissions blade in the left to add access to the APIs that your application needs.
Click the Add permissions button and then,
Ensure that the Microsoft APIs tab is selected.
In the Commonly used Microsoft APIs section, click on Microsoft Graph.
In the Delegated permissions section, select the User.Read in the list. This particular permission is for accessing the information of the signed-in user from the
Click on the Add permissions button in the bottom.
Run the application
You can try the Graph API call on the application that you have running from the previous exercise.
Open your browser and navigate to
http://localhost:8080/msal4j-servlet-graph/. If you are not already signed in, you will be redirected to login with Azure Active Directory. On successful login, you should see a page as shown in the below image.
Click the Call Graph button to make a call to Microsoft Graph's
/meendpoint and see the user details displayed.
Overview of code for Microsoft Graph access
The code for accessing Microsoft Graph API can be found in the servlet class
CallGraphServlet.java under the
msal4j/callgraphwebapp/ directory of the sample project. It defines the
/call_graph endpoint in the application which makes authorized calls to the Microsoft Graph API's
https://graph.microsoft.com/v1.0/me endpoint to retrieve the profile information of the signed in user. Here are more details of the Graph access code.
./src/main/resources/authentication.propertiesfile, the value of
aad.scopesis set to the User.Read scope.
Scopes tell Azure Active Directory the level of access that the application is requesting and map to the permissions in the app registration. Based on the requested scopes, Azure Active Directory presents a consent dialogue to the user upon signing in. If the user consents to one or more scopes , the scopes consented to are encoded into the resulting
access_tokenreturned in the authentication response.
When the user navigates to
/call_graph, the application creates an instance of the IGraphServiceClient (Microsoft Graph SDK Java), passing along the signed-in user's access token. The Graph client from hereon places the access token in the Authorization headers of its requests. The app then asks the Graph Client to call the Microsoft Graph's
/meendpoint to yield details for the currently signed-in user.
The following code is all that is required for an application developer to write for accessing the
/meendpoint, provided that they already have a valid access token for Graph Service with the
//CallGraphServlet.java User user = GraphHelper.getGraphClient(contextAdapter).me().buildRequest().get();