Microsoft Graph API Provider

Connecting to the Security Graph API follows the same format as MS Defender connections with connection variables passed to the function in the same way. The configuration format is also identical to that specified in the previous section.

Microsoft Graph Configuration

Creating a Client App for Microsoft Graph

Details for registering an application for the Microsoft Graph API can be found here.

Microsoft Graph Configuration in MSTICPy

You can store your connection details in msticpyconfig.yaml.

For more information on using and configuring msticpyconfig.yaml see msticpy Package Configuration and MSTICPy Settings Editor

The settings in the file should look like the following:

        ClientId: "CLIENT ID"
        ClientSecret: "CLIENT SECRET"
        TenantId: "TENANT ID"
        UserName: "USER NAME"

We strongly recommend storing the client secret value in Azure Key Vault. You can replace the text value with a referenced to a Key Vault secret using the MSTICPy configuration editor.

Your configuration when using Key Vault should look like the following:

      ClientId: "CLIENT ID"
      TenantId: "TENANT ID"

You can create multiple instances of Microsoft Graph settings by adding an instance string to the “MicrosoftGraph” section name.

      ClientId: "CLIENT ID"
      TenantId: "TENANT ID"
      ClientId: "CLIENT ID"
      UserName: "USER NAME"
      TenantId: "TENANT ID"

Loading a QueryProvider for Microsoft Graph

msg_prov = QueryProvider("SecurityGraph")

Connecting to Microsoft Graph

The parameters required for connection to MS Graph can be passed in a number of ways. The simplest is to configure your settings in msticpyconfig. You can then just call connect with no parameters.


If you have configured multiple instances you must specify an instance name when you call connect.


If you want to use delegated authentication for your application you can specify this when you call connect. By default, this will attempt to use browser-based authentication, however you can also use device code authentication (needed if using Azure ML) by setting auth_type to “device”.

mdatp_prov.connect(delegated_auth=True, auth_type="device")

You can also pass connection parameters as keyword arguments or a connection string.

To specify connection parameters as keyword arguments in the function call, the required parameters are:

  • tenant_id – The tenant ID of the Defender workspace to connect to.

  • client_id – The ID of the application registered for MS Defender.

  • client_secret – The secret used for by the application.

ten_id = input('Tenant ID')
client_id = input('Client ID')
client_secret = input('Client Secret')
msg_prov = QueryProvider('SecurityGraph')
msg_prov.connect(tenant_id=ten_id, client_id=client_id, client_secret=client_secret)

You can also specify these parameters as a connection string of the form:

“tenant_id=’my_tenant’; client_id=’my_appid’; client_secret=’my_secret’”

# The use of parentheses here is just to concatenate the strings
# inside the parentheses, to create a single string.
conn_str = (
    "tenant_id='243bb6be-4136-4b64-9055-fb661594199a'; "
    "client_id='a5b24e23-a96a-4472-b729-9e5310c83e20'; "

Other Microsoft Graph Documentation

Built-in Queries for Microsoft Graph.

Microsoft Graph driver API documentation