Checking Microsoft 365 Group resources via the Graph API

Ever since the release of Office 365 Groups (now Microsoft 365 Groups), the marketing and product folks at Microsoft have been nagging customers to switch to them, while blissfully ignoring most feedback about potential issues and concerns customers had. In effect, many organizations are now facing challenges dealing with the Group sprawl, and the lack of governance and reporting tools definitely plays a great role in that.

One common question/request is along the lines of “give me a report of which groups are being used, and for what purposes”. A fairly reasonable request, yet there is no easy way to answer it, as Microsoft hasn’t provided any tools for the task. In fact, the most meaningful way to report on this remains custom scripts, such as this one Tony Redmond has put together, combining different bits and pieces from across the service. While the script does help in reporting group activity and figuring out how the users within your organization are actually leveraging the group(s) functionality, a simpler way to answer the latter question is very much needed. And now, it seems Microsoft is finally doing something meaningful about it, or at least I hope so.

Enter the recently introduced endpoint resource type for the Graph API. Here’s how Microsoft describes it:

Endpoints represent URLs for resources associated with an entity. For example, when a new Microsoft 365 group is created, additional resources are also created as part of the Microsoft 365 group. These include things like a group mailbox for conversations and a group OneDrive folder for documents and files. Further information about these Microsoft 365 group resources, including their associated resource URLs can now be read using the endpoints navigation on the group resource-type. This allows applications to understand these resources, and even embed the resource URL experiences in their own experiences.

Sounds useful, and hopefully it will actually be supported this time around, unlike previous iterations of similar functionality (the resourceProvisioningOptions or creationOptions properties). For the time being, it’s fairly useless though, as we will see in a second. But here’s hoping!

So, how do we get this new goodness? In a nutshell, one needs to query the /groups/{id}/endpoints endpoint… not a pun. This new endpoint is only available under /beta currently, so it goes without saying that things might change before release. In any case, here’s an example of fetching a group’s endpoints via the Graph explorer:

Three useful pieces of information are presented:

  • capability – with values such as Messages (Exchange), Team Collaboration (Teams), Conversations (Yammer)
  • providerName – the associated service (Exchange, Microsoft Teams, Yammer)
  • uri – link to the corresponding group resource

So it all sounds good in theory, but in practice the current implementation only seems to return the Team Collaboration and Conversation capabilities, with no trace whatsoever of anything Exchange, SharePoint, Planner, Intune or any other workloads supported by Groups. Effectively, the data obtained from this endpoint is pretty much the same as what’s currently exposed via resourceProvisioningOptions/creationOptions. Of course, this might simply represent the earliest stages of the implementation, so we’ll definitely keep an eye on this functionality.

The other bad news is that we cannot use the $expand operator currently, so if we want to gather this value for all Groups in the tenant, we will have to make a separate call against each group’s endpoints endpoint (yeah!). Here’s a quick and dirty PowerShell snippet that does just that (authentication not included, handle that on your own):

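# $AuthHeader1 must already contain the Authorization header (authentication is not covered here)
# List all Microsoft 365 (Unified) groups; only the first page of results is processed
$uri = "https://graph.microsoft.com/v1.0/groups?`$filter=groupTypes/any(c:c+eq+'Unified')"
$result = Invoke-WebRequest -Headers $AuthHeader1 -Uri $uri
$result = ($result.Content | ConvertFrom-Json).Value

foreach ($group in $result) {
    # One extra call per group, as $expand is not supported for endpoints
    $prop = Invoke-WebRequest -Headers $AuthHeader1 -Uri "https://graph.microsoft.com/beta/groups/$($group.id)/endpoints"
    $prop = ($prop.Content | ConvertFrom-Json).Value
    # Attach the endpoint data to the group object as comma-separated strings
    $group | Add-Member -MemberType NoteProperty -Name "Capabilities" -Value ($prop.capability -join ",")
    $group | Add-Member -MemberType NoteProperty -Name "Providers" -Value ($prop.providerName -join ",")
}
# Show the new values next to the older properties for comparison
$result | Format-Table displayName,resourceProvisioningOptions,creationOptions,Capabilities,Providers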

Obviously, this is just sample code, with no error handling or anything, so use at your own risk, or modify it to best fit your needs. Here’s what the expected output should look like:

Not too exciting, as only the Team-ified Groups and the single Yammer one I have in my tenant return values for the capability and providerName properties, but hopefully this will change in the future and we will be able to obtain a full list of resources enabled for a given Group, with the corresponding URIs. And who knows, maybe even a way to toggle a specific resource on/off?
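
A more defensive take on the per-group loop above, as an added example rather than the author's code: it follows @odata.nextLink so groups beyond the first page are not silently left out of the report, backs off on throttling responses, and records per-group failures so that an empty row can be told apart from a failed read. It assumes $AuthHeader1 already holds a valid Authorization header; Invoke-Graph and Get-GraphPaged are hypothetical helper names.

```powershell
# Added example, not the author's code. Assumes $AuthHeader1 holds a valid
# Authorization header. Invoke-Graph / Get-GraphPaged are hypothetical helpers.
function Invoke-Graph {
    param([string]$Uri, [hashtable]$Headers, [int]$MaxRetries = 5)
    for ($attempt = 1; ; $attempt++) {
        try {
            return Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers -ErrorAction Stop
        }
        catch {
            $response = $_.Exception.Response
            $status = if ($response) { [int]$response.StatusCode } else { 0 }
            # Retry only throttling (429) and transient gateway errors; rethrow the rest
            if (($status -notin 429, 503, 504) -or ($attempt -ge $MaxRetries)) { throw }
            # Simple exponential backoff: 2, 4, 8, 16 seconds
            Start-Sleep -Seconds ([math]::Pow(2, $attempt))
        }
    }
}

function Get-GraphPaged {
    param([string]$Uri, [hashtable]$Headers)
    while ($Uri) {
        $page = Invoke-Graph -Uri $Uri -Headers $Headers
        $page.value                          # emit the items of this page
        $Uri = $page.'@odata.nextLink'       # absent on the last page, which ends the loop
    }
}

$groupsUri = "https://graph.microsoft.com/v1.0/groups?`$filter=groupTypes/any(c:c+eq+'Unified')&`$select=id,displayName"
$report = foreach ($group in (Get-GraphPaged -Uri $groupsUri -Headers $AuthHeader1)) {
    $endpoints = @(); $failure = $null
    try {
        $endpoints = @(Get-GraphPaged -Uri "https://graph.microsoft.com/beta/groups/$($group.id)/endpoints" -Headers $AuthHeader1)
    }
    catch { $failure = $_.Exception.Message }   # e.g. access denied or group deleted mid-run
    [pscustomobject]@{
        DisplayName  = $group.displayName
        Capabilities = ($endpoints.capability | Sort-Object -Unique) -join ','
        Providers    = ($endpoints.providerName | Sort-Object -Unique) -join ','
        Uris         = $endpoints.uri -join ' '
        Error        = $failure
    }
}
$report | Format-Table DisplayName, Capabilities, Providers, Error
```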
