Microsoft Graph API is a powerful tool for interacting with Microsoft 365 services, including Entra ID (Azure Active Directory). With Postman, you can easily test and execute Microsoft Graph API requests. This blog post will guide you through the process of using Postman to read a list of Entra ID users by invoking the Microsoft Graph API. By the end, you’ll be able to retrieve user data from your Entra ID instance, and you will have a much deeper understanding of each element in the process.

Prerequisites

Before you get started, ensure you have the following prerequisites:

  • Microsoft 365 account: A valid Microsoft 365 tenant with administrative access.
  • Entra ID Application: You must have registered an app in Azure AD to get the necessary client ID and client secret to authenticate the request.
    Make sure to grant the User.Read.All permission to the application.
  • Postman: Download and install Postman on your machine to send HTTP requests.

Understanding the Components

In this section, we’ll introduce several key terms and concepts you need to understand to interact with the Microsoft Graph API effectively. These terms will be central to constructing and sending requests, and they’ll help you understand the flow of how authentication and authorization work with Microsoft Graph.

What is a URL

The URL is the full link to which you send a request. It’s the complete address used to access a resource on the internet, including the protocol (https://), domain (graph.microsoft.com), and sometimes a specific path to the resource.

In the case of Microsoft Graph API, the base URL is:

https://graph.microsoft.com/v1.0

The endpoint is the specific part of the URL that tells the API what data or action you’re requesting. For example, to retrieve a list of users in Entra ID, the endpoint is /users. Combined with the base URL, the full request URL becomes:

https://graph.microsoft.com/v1.0/users

In this case:

  • https://graph.microsoft.com/v1.0 is the base URL
  • /users is the endpoint

Together, they form the complete address needed to call the API and fetch user data.

Think of the URL as the full address to a house (123 Main Street, City, Country). The endpoint is the specific room or person you’re trying to reach inside the house (like “Room 5” or “John”).

What is the Header

The Header provides additional metadata to the server about the request. Each header is a key-value pair, separated by a colon (“:”).

Each key is unique and is not duplicated among the header keys.

Key          Value
Header One   The Value

One of the most important elements in the header when working with the Microsoft Graph API is the Authorization header, which contains the Access Token.

What is the Access Token

The Access Token functions as a key that unlocks access to specific resources in Microsoft Graph, such as Entra ID users. It’s a short-lived token that grants access to API endpoints, and it must be included in the header to verify the request’s legitimacy.

To get an access token, you first need to create an identity that will be used to authenticate with Microsoft Graph and get the Access Token. This can be done through creating an Application Registration in Entra ID.

In short, you need the Client Secret, the Client ID, and the Tenant ID.

Including the Access Token in the header tells Microsoft Graph that your request is authenticated and authorized to access the resources. The access token proves that the application (or user) has the necessary permissions to interact with the Microsoft Graph API. Without this token, the API will reject the request, as it needs to ensure the requestor has the appropriate rights to access the data.

Using Postman to Get Entra ID Users

We now understand the basic elements well enough to put the moving parts together and read the users’ information.

Obtain Access Token

To authenticate and obtain the access token, follow these steps:

  1. Open Postman and create a new POST request.
  2. In the URL field, enter the token endpoint:
     https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
     Replace {tenantId} with your Azure AD tenant ID.
  3. In the Body section, select x-www-form-urlencoded and include the following parameters:
     • grant_type: client_credentials
     • client_id: Your registered app’s client ID.
     • client_secret: Your registered app’s client secret.
     • scope: https://graph.microsoft.com/.default
  4. Click Send to get the access token.

In the response, you’ll receive an access_token. Copy this token as you’ll need it for the next step.

The access token is a long encoded string in JSON Web Token (JWT) format.

You can use https://jwt.io/ to decode the value of the token and read the application ID used in the authentication context, along with some information about the roles assigned to the application.
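An access token is a usable credential until it expires, so the same claims can also be read locally. The following Python sketch is an added example, not part of the original post: it decodes the header and payload of a token and reports the application ID, tenant, audience, roles and expiry. The sample token is constructed here with made-up IDs and a placeholder signature, and the function only decodes; it does not verify the signature.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Base64URL-decode a JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    """Base64URL-encode bytes without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_token(token, now=None):
    """Decode header and payload locally. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        # 'appid' is used in v1.0-format tokens, 'azp' in v2.0-format tokens.
        "app_id": claims.get("appid") or claims.get("azp"),
        "tenant_id": claims.get("tid"),
        "audience": claims.get("aud"),
        "roles": claims.get("roles", []),
        "expired": claims.get("exp", 0) <= now,
    }


# Constructed sample token: made-up IDs, placeholder signature.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "11111111-1111-1111-1111-111111111111",
    "tid": "22222222-2222-2222-2222-222222222222",
    "roles": ["User.Read.All"],
    "exp": 1700003600,
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    print(json.dumps(inspect_token(SAMPLE_TOKEN, now=1700000000), indent=2))
```

If the roles list does not contain User.Read.All, the permission was not granted to the application and the /users request will be rejected.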

Fetching Users from Entra ID using Postman

The first part is completed, and now we have the access token. We will use this token with each request sent to the Microsoft Graph.

  1. Create a new GET request in Postman.
  2. In the URL field, enter the following endpoint to retrieve the list of Entra ID users:
     https://graph.microsoft.com/v1.0/users
  3. In the Headers section, add the following:

     Key            Value
     Authorization  Bearer AccessToken
     Content-Type   application/json

     Replace AccessToken with the token you copied in the previous step, and keep the word Bearer. There is no need to put double quotes around the token; the value is just the word Bearer followed by the token.
  4. Click Send to execute the request.

You should now receive a list of users from your Entra ID instance.
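The two Postman requests above, written out as a Python script using only the standard library. This is an added example, not part of the original post; the environment variable names TENANT_ID, CLIENT_ID and CLIENT_SECRET are hypothetical and are used so the secret stays out of the source file.

```python
import json
import os
import urllib.parse
import urllib.request

GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"


def build_token_request(tenant_id, client_id, client_secret):
    """POST to the tenant's token endpoint with an x-www-form-urlencoded body."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode("ascii")
    # Supplying data= makes urllib send the body with
    # Content-Type: application/x-www-form-urlencoded.
    return urllib.request.Request(url, data=body, method="POST")


def build_users_request(access_token):
    """GET /users with the token in the Authorization header (no quotes)."""
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(GRAPH_USERS_URL, headers=headers, method="GET")


def send_json(request):
    """Send a request and parse the JSON response body."""
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


if __name__ == "__main__":
    # Hypothetical variable names; keep the secret out of source and history.
    names = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")
    if all(n in os.environ for n in names):
        token = send_json(build_token_request(*(os.environ[n] for n in names)))
        users = send_json(build_users_request(token["access_token"]))
        for user in users.get("value", []):
            print(user.get("userPrincipalName"))
    else:
        print("Set", ", ".join(names), "to call the live endpoints.")
```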
