Table of Contents
And How to Block this Access
I recently noted that the Graph Explorer utility has some useful new features. Well, here’s another feature to consider that might be useful some day: you can sign into the Graph Explorer as a guest user in a tenant.
When you start Graph Explorer, you can run sample commands that operate against dummy data or sign into a tenant to use real data. Up to now, you sign in with a tenant account to access the data in that tenant, just like you’d sign into OWA or the Microsoft 365 admin center.
Signing into Graph Explorer as a Guest
However, if you add the name of a tenant where you have a guest account to the Graph Explorer URI, the tool will sign into that tenant. For example, the “normal” URI for the Graph Explorer is:
https://developer.microsoft.com/en-us/graph/graph-explorer
To sign into another tenant with a guest account, add the service domain or the tenant identifier. For example:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=o365maestro.onmicrosoft.com
or
If you know a tenant’s domain, but not its service domain or tenant identifier, you can use this website to look up the tenant identifier.
When you sign in using the Graph Explorer, you can use your regular account. Azure AD will go through the normal sign-in process for the target tenant, including enforcement of multi-factor authentication as dictated by that tenant, and if your account is recognized as a guest, you’ll connect. To validate that you’re using a guest account, run the sample “my profile” query and you’ll see that the user principal name shown for the account belongs to a guest. For instance, Figure 1 shows that Chris.Bishop@office365itpros.com is connected to the O365Maestro tenant using the guest account Chris.Bishop_office365itpros.com#EXT#@o365maestro.onmicrosoft.com.
Guest accounts are limited in what they can do when connected to a tenant. In many cases, attempts to run queries such as listing all users or all groups in the tenant result in:
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
Which is a nice way of saying that although your account is a valued guest in the organization, that’s not an invitation to poke around and look for information. Other requests, such as anything to do with a mailbox, see errors like:
"error": {
"code": "MailboxNotEnabledForRESTAPI",
"message": "The mailbox is either inactive, soft-deleted, or is hosted on-premise.",
Guest accounts do have mailboxes, but they are special cloud-only mailboxes created and managed by the Microsoft 365 substrate to store compliance records like those captured for Teams chats and channel conversations.
Blocking Access
Although the Graph Explorer enables limited access to tenant data for guest accounts, you might not like the idea of guests connecting like this. Three solutions exist. First, you can block user access to the Graph Explorer Azure AD app. Open the Azure AD admin center, go to enterprise applications, and search for Graph Explorer. Open the app’s properties and update the Enabled for users to sign in setting to Off (Figure 2) and save the new app settings.
This is a crude but effective mechanism that blocks all access to the Graph Explorer, including to administrators. Anyone attempting to access the app encounters the error:
AADSTS7000112: Application 'de8bc8b5-d9f9-48b1-a8ad-b748da725064'(Graph Explorer) is disabled.
Second, you can assign specific users and groups to the app. The Assignment required slider is visible in Figure 2. When set to Yes, administrators must explicitly allow users and groups access to the app (through the Users and groups menu option on the left-hand side). If a user who doesn’t have an assignment attempts to use the app, they get the following error when they try to sign in:
AADSTS50105: Your administrator has configured the application Graph Explorer ('de8bc8b5-d9f9-48b1-a8ad-b748da725064') to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'Chris.Bishop@office365itpros.com' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application.
Conditional Access Block
Conditional access (CA) policies offer the most precise way to control access. A simple CA policy to block access to the Graph Explorer app for guest users (Figure 3) does the trick.
Tenant users can continue to sign in and use the Graph Explorer, but guests run into the CA block (Figure 4).
We can also confirm the effectiveness of the CA policy by searching the Azure AD audit logs to look for sign ins to the Graph Explorer app. Here’s how to do it with the Microsoft Graph PowerShell SDK:
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" Select-MgProfile Beta [array]$Records = Get-MgAuditLogSignIn -Filter "(appdisplayname eq 'Graph Explorer' and signInEventTypes/any(t: t eq 'interactiveUser'))" -Sort "createdDateTime DESC" $Records | Format-Table createddatetime, userprincipalname, ConditionalAccessStatus CreatedDateTime UserPrincipalName ConditionalAccessStatus --------------- ----------------- ----------------------- 28/08/2022 15:25:24 chris.bishop@office365itpros.com success 28/08/2022 15:15:52 tony.redmond@office365itpros.com success 28/08/2022 15:01:56 warren.gatland@o365maestro.onmicrosoft.com failure
Unknown User Case for Guest Access
After noodling on this subject for a few days, I still haven’t come up with a good use case why the Graph Explorer supports guest access. I suppose it’s a good thing and I’m sure that an Azure AD development engineer put forward an excellent case to justify the feature, but I know many will disagree. Now if I could use this access to update the photo for my guest account (possible with Azure AD PowerShell but not with the Graph), I’d have a good use case!
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.
Hi thanks for the article. I added an external guest user (user1) as a site member, my sharepoint site is called “project site”, user1 received the invite, accept and can have access to the sharepoint “project site” and browse all the documents libraries within the site. I opened MS Graph Explorer with my tenant Id and I see user1 signed it with my tenant. I tried to access the site with MS Graph Explorer using a endpoint like https://graph.microsoft.com/v1.0/sites?search=* to get the site Id, but I got item not found. I know this endpoint works fine with a standard user of the organization. any clue ?
No clue. I haven’t tried to do what you report and quite frankly, it’s impossible to replicate unless I see exactly what you do… The joys of cloud software.