Microsoft Graph
Microsoft Graph is the unified REST API gateway to data and intelligence in Microsoft 365, Windows, and Enterprise Mobility + Security. It provides access to users, groups, mail, calendars, contacts, files, Teams, audit logs, directory roles, conditional access policies, applications, and service principals across a Microsoft Entra ID tenant.
It replicates data using the Microsoft Graph REST API.
See the Schema section for a list of objects available for replication.Preparing for authentication
To access your data, you need to authenticate the connection with your account credentials.
To connect to Microsoft Graph, you need:
- A Microsoft 365 tenant containing the data you want to replicate.
- An Azure subscription with access to the Azure portal or Entra Admin Center.
- Permission to register applications and grant admin consent in your Microsoft Entra ID tenant (Global Administrator or Application Administrator role).
- A Microsoft 365 license that covers the resources you intend to replicate:
- Mail, calendar, and contacts data requires a Microsoft 365 Business Basic license or higher on the underlying mailbox.
- Sign-in and directory audit logs require Microsoft Entra ID P1 or P2.
- Teams chat messages and channel messages are protected APIs and require Microsoft approval and a Microsoft 365 E5 license or an appropriate add-on.
To register a Microsoft Entra ID application and grant API permissions:
- Log into your Microsoft Entra admin center.
- Navigate to Entra ID > App registrations.
- Click New registration.
- Enter a name for the application (for example, QlikDataIntegration), select Accounts in this organizational directory only, and click Register.
- On the application's Overview page, copy the Application (client) ID and the Directory (tenant) ID and paste them into a secured file.
- Navigate to Certificates & secrets > Client secrets > New client secret.
- Enter a description and expiration date, and click Add.
Copy and paste the secret Value into a secured file.
- Navigate to API permissions > Add a permission > Microsoft Graph > Application permissions.
- Add the following permissions:
Permission Streams enabled User.Read.Allusers,calendar_events,contacts,drive_items,mail_messagesGroup.Read.Allgroups,group_member,group_owner,teams,channels,team_memberChannelMessage.Read.AllOptional. Required for Teams channel message reading (protected API). Chat.Read.Allchats,chat_messages(protected APIs)Files.Read.Alldrives,drive_itemsMail.Readmail_messagesCalendars.Readcalendar_eventsContacts.ReadcontactsApplication.Read.Allapplications,service_principalsAuditLog.Read.Allaudit_logs_directory,audit_logs_signinsPolicy.Read.Allconditional_access_policiesRoleManagement.Read.Directorydirectory_roles,directory_role_templates,directory_role_member - Click Grant admin consent for [your organization] and confirm.
All permissions must show a Granted status before the connector can access those resources.
Creating the connection
For more information, see Connecting to SaaS applications.
- Fill in the required connection properties.
Provide a name for the connection in Connection name.
Select Open connection metadata to define metadata for the connection when it has been created.
Click Create.
| Setting | Description |
|---|---|
| Data gateway | Select a Data Movement gateway if required by your use case. Information note This field is not available with the Qlik Talend Cloud Starter subscription, as it does not support Data Movement gateway. If you have another subscription tier and do not want to use Data Movement gateway, select None. For information on the benefits of Data Movement gateway and use cases that require it, see Qlik Data Gateway - Data Movement. |
| Start Date | Enter the date, in the format |
| Tenant ID | Directory (tenant) ID. |
| Client ID | Application (client) ID. |
| Client Secret | Client secret. |
| Scope | The OAuth scope sent to the Microsoft identity platform when requesting an access token. Use https://graph.microsoft.com/.default to grant access to all consented application permissions. |
| Page Size | Optional. The number of records returned per Microsoft Graph API request. Default: 999. Allowed range: 100–999. Lower values reduce the per-request payload size; higher values reduce the total number of API requests. |
Limitations and considerations
- All streams use Full Table replication — the complete set of records is retrieved on every sync. The Start Date field is captured as part of the connection configuration but does not limit the records returned.
- Admin consent is required for every Microsoft Graph permission listed in the API permissions table. Permissions without admin consent result in
403 Forbiddenerrors when the connector attempts to read those resources. - The
teamsstream queries the/groupsendpoint filtered byresourceProvisioningOptions/Any(x:x eq 'Team'). Thegroupsstream returns all groups including non-Teams groups. Teams-scoped child streams (channels,team_member) iterate only over the filtered teams parent. - Reading Teams chat messages (
chats,chat_messages) requires the application to be approved through Microsoft's protected-API request process and a Microsoft 365 E5 license or equivalent add-on. For more information, see Protected APIs in Microsoft Teams. - Audit log data (
audit_logs_directory,audit_logs_signins) is retained for 7 days on the free Entra ID tier and 30 days on P1 or P2. Records outside the retention window are not available for replication. - Field names are normalized from camelCase to snake_case during extraction. For example,
userPrincipalNamebecomesuser_principal_name. - Rate limiting is handled automatically. On
HTTP 429 Too Many Requestsresponses, the connector waits for the duration specified in theRetry-Afterheader. Transient5xxresponses are retried with exponential backoff for up to 6 attempts.
Schema
Schemas and naming conventions can change between versions. Verify your schema version before continuing.
The schema and info displayed below is for version 2.
Depending on your destination, table and column names may not appear as they are outlined below.
users
The users table contains information about users in your Microsoft Entra ID tenant.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
applications
The applications table contains information about application registrations in your Microsoft Entra ID tenant.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
service_principals
The service_principals table contains information about service principals in your Microsoft Entra ID tenant.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
groups
The groups table contains information about all groups (including Microsoft Teams groups) in your Microsoft Entra ID tenant.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
group_member
The group_member table contains information about the members of each group. This is a child stream of groups.
Replication Method | Full Table |
Primary Key | id, group_id |
| Useful links |
group_owner
The group_owner table contains information about the owners of each group. This is a child stream of groups.
Replication Method | Full Table |
Primary Key | id, group_id |
| Useful links |
teams
The teams table contains information about Microsoft Teams in your organization. Teams are retrieved as a filtered subset of groups ($filter=resourceProvisioningOptions/Any(x:x eq 'Team')).
Replication Method | Full Table |
Primary Key | id |
| Useful links |
channels
The channels table contains information about channels in each team. This is a child stream of teams.
Replication Method | Full Table |
Primary Key | id, team_id |
| Useful links |
team_member
The team_member table contains information about the members of each team. This is a child stream of teams.
Replication Method | Full Table |
Primary Key | id, team_id |
| Useful links |
chats
The chats table contains information about chats in Microsoft Teams. This is a protected API — see the Limitations section for access requirements.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
chat_messages
The chat_messages table contains messages from each chat. This is a child stream of chats. This is a protected API — see the Limitations section for access requirements.
Replication Method | Full Table |
Primary Key | id, chat_id |
| Useful links |
mail_messages
The mail_messages table contains email messages for each user. This is a child stream of users. Requires a Microsoft 365 Business Basic license or higher on the underlying mailbox.
Replication Method | Full Table |
Primary Key | id, user_id |
| Useful links |
calendar_events
The calendar_events table contains calendar events for each user. This is a child stream of users. Requires a Microsoft 365 Business Basic license or higher on the underlying mailbox.
Replication Method | Full Table |
Primary Key | id, user_id |
| Useful links |
contacts
The contacts table contains contacts for each user. This is a child stream of users. Requires a Microsoft 365 Business Basic license or higher on the underlying mailbox.
Replication Method | Full Table |
Primary Key | id, user_id |
| Useful links |
drives
The drives table contains information about drives available in your organization.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
drive_items
The drive_items table contains files and folders from each user's drive. This is a child stream of users.
Replication Method | Full Table |
Primary Key | id, user_id |
| Useful links |
audit_logs_directory
The audit_logs_directory table contains directory audit log records. Requires Microsoft Entra ID P1 or P2 — see the Limitations section for retention details.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
audit_logs_signins
The audit_logs_signins table contains sign-in activity records. Requires Microsoft Entra ID P1 or P2 — see the Limitations section for retention details.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
conditional_access_policies
The conditional_access_policies table contains information about conditional access policies in your Microsoft Entra ID tenant.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
directory_roles
The directory_roles table contains information about directory roles that are activated in the Microsoft Entra ID tenant.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
directory_role_templates
The directory_role_templates table contains information about directory role templates available in Microsoft Entra ID.
Replication Method | Full Table |
Primary Key | id |
| Useful links |
directory_role_member
The directory_role_member table contains information about the members of each directory role. This is a child stream of directory_roles.
Replication Method | Full Table |
Primary Key | id, role_id |
| Useful links |