All product names, logos, and brands used in this post are property of their respective owners.
The Microsoft Graph API is a powerful tool. I rely on it heavily for querying data in Azure AD and related services. In my experience, writing complicated queries is daunting; that is especially true if they contain complex filters.
I recently stumbled across a method (NOT Graph Explorer) to generate complicated Graph API queries (filters) with a graphical user interface (GUI). It is akin to Query Designer in SQL Server Management Studio (which I am also a big fan of).
In brief, several Azure blades use the Graph API themselves!
Take the Sign-in logs blade as an example. When you add filters, the results are retrieved using the Microsoft Graph API.
Because of that, you can use Developer Tools in your browser (Network tab) to view the Graph query filters generated by the Azure AD portal:
To validate, copy and paste the resulting Graph API request from Developer Tools into Graph Explorer and run it. You should see the same results you see in the Azure Portal.
https://graph.microsoft.com/beta/auditLogs/signIns?api-version=beta&$filter=(createdDateTime%20ge%202021-10-16T19:42:42.028Z%20and%20createdDateTime%20lt%202021-10-23T19:42:42.028Z%20and%20status/errorCode%20eq%200%20and%20(appId%20eq%20%27Azure%20Portal%27%20or%20contains(tolower(appDisplayName),%20%27azure%20portal%27)))&$top=50&$orderby=createdDateTime%20desc&source=adfs
It is worth noting this does not work 100% of the time or on all Azure Portal blades. In my brief testing, this approach works on the following blades:
- Devices
- Groups
- Risky sign-ins
- Sign-in logs
- Users - legacy only
Additionally (and similarly to Query Designer in SSMS), this approach does not produce clean queries. At a minimum, you will likely need to tweak dates, remove redundant parameters (like $top), etc.
If you are lucky enough to need a complicated Graph API query or filter from one of the blades that support it, I hope this helps!