Get notified of changes in your tenant with Microsoft Graph, Azure Event Hubs and Logic Apps

Context

Microsoft Graph is the gateway to your data and intelligence in your Microsoft 365 tenant. You can use Microsoft Graph to build powerful applications and automations for your company and consumers. Microsoft Graph is a pillar (core service) in the Microsoft 365 ecosystem as it exposes REST APIs to access data on the major Microsoft cloud services like Teams, Viva and SharePoint but also Azure Active Directory and ATA/ATP.

Microsoft Graph overview in the Microsoft 365 platform.

In this new article, I’ll show you how to take advantage of Microsoft Graph to track changes, like the creation of a new Teams team, in your Microsoft 365 tenant with the help of Azure Event Hubs and Logic Apps working together, so let’s see how it works!

Prerequisites

The following prerequisites are mandatory to be able to reproduce all the steps included in this article:

Components

The following components will be deployed in this article:

  • An Azure Event Hubs Namespace to ingest the notifications that are being sent from Microsoft Graph
  • An Azure Key Vault to store and manage the secrets
  • Two Azure Logic Apps to manage the Microsoft Graph subscriptions and to trigger a workflow when a new event is available in the Event Hub like a new Teams team creation
  • An Azure AD App Registration (service principal) to manage the Microsoft Graph permissions

Create an Azure Event Hub to ingest the notifications from Microsoft Graph

  1. Go to the Azure Portal and search for Event Hubs then click on the result to access the service page
  2. Click on the (+) Create button
  3. Fill the following fields: Resource group, Namespace name, Location, Pricing tier (Basic is used for this article), leave the other fields at their default values and create it
  4. Go to the new Event Hubs Namespace page and click on Event Hubs in the Entities section
  5. Click on the (+) Event Hub button
  6. Give a name to your new Event Hub and create it
  7. Go to the new Event Hub page and select Shared access policies (SAS)
  8. Click on the (+) Add button
  9. Give it a name, select Send and Listen and create it
  10. Click on the new policy name and copy the value of the Connection string–primary key field

Create an Azure Key Vault to manage the secrets

  1. Go to the Azure Portal and search for Key vaults then click on the result to access the service page
  2. Click on the (+) Create button
  3. Fill the following fields: Resource group, Key vault name, Region, Pricing tier (Standard is used for this article), leave the other fields at their default values and create it
  4. Go to the new Key Vault page and click on Secrets in the Objects section
  5. Click on the Generate/Import button
  6. Fill the following fields: Name, Secret value (put the previously copied value from the Event Hub SAS) then create it
  7. Copy the name of the secret
  8. Click on Access policies and click on the (+) Create button
  9. For the Secret permissions, select Get
  10. For the Principal, select Microsoft Graph Change Tracking then create it
  11. Click on Overview and copy the Vault URI

Create an Azure AD App Registration to manage the Microsoft Graph permissions

  1. Go to the Azure Portal and search for Azure Active Directory then click on the result to access the service page
  2. Click on the App registrations in the Manage section
  3. Click on the (+) New registration button
  4. Give it a name, select the Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) value in the Supported account type section then register it
  5. Go to the new App registration page and select API Permissions in the Manage section
  6. Click on the (+) Add a permission button then select Microsoft Graph
  7. In this article, I’ll track the new Teams team creation event in the tenant, so I need to add the following Application permission to my App Registration: Team.ReadBasic.All
  8. Grant admin consent for this newly added permission
  9. Select Certificates and secrets in the Manage section
  10. Click on the (+) New client secret button
  11. Give it a name and then create it
  12. Copy the value of the secret
  13. In Overview, copy the values of the Application (client) ID and Directory (tenant) ID fields

Create an Azure Logic App to manage the Microsoft Graph subscriptions

  1. Go to the Azure Portal and search for Logic apps then click on the result to access the service page
  2. Fill the following fields: Resource group, Logic App name, Region and Plan type (Consumption is used in this article) then create it
  3. Go to the new Logic App page then click on Logic app designer
  4. Select the Recurrence trigger, set the Interval to 60 and Frequency to Minute
  5. Set your own timezone and the start time (optional)
  6. Click on the (+) New step button then select the HTTP action
  7. Fill the following values in the HTTP action:
{
  "changeType": "created,updated",
  "clientState": "secretClientValue",
  "expirationDateTime": "@{addHours(utcNow(), 1)}",
  "notificationUrl": "EventHub:https://<VAULT_URI>/secrets/<SECRET_NAME>?tenantId=<TENANT_ID>",
  "resource": "teams"
}

Don’t forget to replace the following tokens in the request Body with your own values:

  • <VAULT_URI>
  • <SECRET_NAME>
  • <TENANT_ID>

For the authentication section, use the previously copied values from the steps:

  • Authentication type: Azure AD OAuth
  • Tenant: tenant ID copied previously
  • Audience: https://graph.microsoft.com
  • Client ID: client ID copied previously
  • Credential Type: Secret
  • Secret: secret copied previously

To finish this step, save your workflow and then execute it with the Run Trigger button. After execution, you should get an HTTP 201 status code with the JSON structure of your created subscription in the response Body as below:

Microsoft Graph response to confirm that the subscription has been created.

If you want to verify that your subscription has been successfully created, you can query the following Microsoft Graph endpoint:

GET https://graph.microsoft.com/v1.0/subscriptions

Microsoft Graph response when requesting the active subscriptions.

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#subscriptions",
  "value": [
    {
      "id": "dbbe8e58-2196-4e56-b5e8-39d5a995f3a2",
      "resource": "teams",
      "applicationId": "a0cc5186-d3e9-494c-a6a2-e821927da12d",
      "changeType": "created,updated",
      "clientState": null,
      "notificationUrl": "EventHub:https://<VAULT_URI>/secrets/<SECRET_NAME>?tenantId=<TENANT_ID>",
      "notificationQueryOptions": null,
      "lifecycleNotificationUrl": null,
      "expirationDateTime": "2022-11-20T12:24:13.4233408Z",
      "creatorId": "469bc764-9cda-44d0-84ac-f3380eeb4047",
      "includeResourceData": null,
      "latestSupportedTlsVersion": null,
      "encryptionCertificate": null,
      "encryptionCertificateId": null,
      "notificationUrlAppId": null
    }
  ]
}

Create an Azure Logic App to trigger a workflow when a new event is available in the Event Hub

  1. Go to the Azure Portal and search for Logic apps then click on the result to access the service page
  2. Fill the following fields: Resource group, Logic App name, Region and Plan type (Consumption is used in this article) then create it
  3. Go to the new Logic App page then click on Logic app designer
  4. Select the When events are available in Event Hub trigger and connect to your Event Hubs Namespace with the authentication method of your choice (Access key is used in this article)
  5. Now you are able to add new steps to complete your workflow based on event availability in the Event Hub created previously for this purpose

When you create a new Teams team in your tenant, Microsoft Graph will send a notification to the Event Hub and this will trigger the Logic App. You can retrieve the content of the event in your Logic App as below:

Event Hub trigger that has been fired with the availability of a new event.
{
  "value": [
    {
      "subscriptionId": "dbbe8e58-2196-4e56-b5e8-39d5a995f3a2",
      "changeType": "updated",
      "clientState": "secretClientValue",
      "subscriptionExpirationDateTime": "2022-11-20T12:24:13.4233408+00:00",
      "resource": "teams('09c15610-38d0-4efa-b197-78d6736f4361')",
      "resourceData": {
        "id": "09c15610-38d0-4efa-b197-78d6736f4361",
        "@odata.type": "#Microsoft.Graph.team",
        "@odata.id": "teams('09c15610-38d0-4efa-b197-78d6736f4361')"
      },
      "encryptedContent": null,
      "tenantId": "a301e02b-6ea7-464f-94bb-809b72d30b7a"
    }
  ]
}

As you can see, you get a JSON object that contains the Teams team ID (in resource and resourceData), which is also the Microsoft 365 Group ID. Now you can manipulate this newly created Teams team with other Microsoft Graph endpoints, using this ID as a parameter.
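As an added example (not code from the article), here is the logic the two Logic Apps carry in Python form: building the subscription body with a randomly generated clientState instead of a fixed literal, and checking a notification batch from the Event Hub trigger (clientState, subscription ID, tenant ID, changeType and resource shape) before acting on the team ID. The sample batch is constructed from the article's JSON; vault, secret and tenant values are placeholders.

```python
import json
import re
import secrets
from datetime import datetime, timedelta, timezone

RESOURCE = "teams"                      # resource subscribed to in the article
CHANGE_TYPES = {"created", "updated"}   # changeType used in the article
TEAM_ID_RE = re.compile(r"^teams\('([0-9a-f-]{36})'\)$")

def new_client_state():
    # Random opaque value; Graph echoes it back in every notification.
    return secrets.token_urlsafe(32)    # 43 chars, under Graph's 128-char limit

def build_subscription_body(vault_uri, secret_name, tenant_id, client_state, hours=1):
    # Body for POST https://graph.microsoft.com/v1.0/subscriptions, mirroring the
    # article's Logic App body; expiration is now + 1h like addHours(utcNow(), 1).
    expires = datetime.now(timezone.utc) + timedelta(hours=hours)
    return {
        "changeType": ",".join(sorted(CHANGE_TYPES)),
        "clientState": client_state,
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "notificationUrl": f"EventHub:https://{vault_uri}/secrets/{secret_name}?tenantId={tenant_id}",
        "resource": RESOURCE,
    }

def validate_notifications(event_body, client_state, subscription_id, tenant_id):
    # Returns the team IDs of notifications that pass every check; others are dropped.
    team_ids = []
    for n in json.loads(event_body).get("value", []):
        if not secrets.compare_digest(str(n.get("clientState") or ""), client_state):
            continue  # clientState mismatch: not produced by our subscription
        if n.get("subscriptionId") != subscription_id or n.get("tenantId") != tenant_id:
            continue
        if n.get("changeType") not in CHANGE_TYPES:
            continue
        m = TEAM_ID_RE.match(n.get("resource", ""))
        if m is None or n.get("resourceData", {}).get("id") != m.group(1):
            continue  # resource and resourceData.id must agree
        team_ids.append(m.group(1))
    return team_ids

# Constructed sample: the article's notification plus one with a wrong clientState.
SAMPLE_EVENT = json.dumps({"value": [
    {"subscriptionId": "dbbe8e58-2196-4e56-b5e8-39d5a995f3a2", "changeType": "updated",
     "clientState": "secretClientValue", "resource": "teams('09c15610-38d0-4efa-b197-78d6736f4361')",
     "resourceData": {"id": "09c15610-38d0-4efa-b197-78d6736f4361"},
     "tenantId": "a301e02b-6ea7-464f-94bb-809b72d30b7a"},
    {"subscriptionId": "dbbe8e58-2196-4e56-b5e8-39d5a995f3a2", "changeType": "created",
     "clientState": "wrong", "resource": "teams('00000000-0000-0000-0000-000000000000')",
     "resourceData": {"id": "00000000-0000-0000-0000-000000000000"},
     "tenantId": "a301e02b-6ea7-464f-94bb-809b72d30b7a"}]})
```

Note that Graph returns clientState as null when you list subscriptions (see the GET response above), so the value must be kept on your side to compare against.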

In my opinion, this is a perfect example of the power of Microsoft Graph supported by an Azure architecture with Event Hubs and Logic Apps. I hope it will help you better understand Microsoft Graph subscriptions and notifications and how to track them with Azure services.

Happy coding everyone!

Resources

https://learn.microsoft.com/en-us/graph/overview

https://learn.microsoft.com/en-us/graph/api/resources/subscription

https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-about

https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview
