Microsoft Graph 

Microsoft Graph is the unified REST API gateway to data and intelligence in Microsoft 365, Windows, and Enterprise Mobility + Security. It provides access to users, groups, mail, calendars, contacts, files, Teams, audit logs, directory roles, conditional access policies, applications, and service principals across a Microsoft Entra ID tenant.

It replicates data using the Microsoft Graph REST API.

Preparing for authentication

To access your data, you need to authenticate the connection with your account credentials.

To connect to Microsoft Graph, you need:

• A Microsoft 365 tenant containing the data you want to replicate.
• An Azure subscription with access to the Azure portal or Entra Admin Center.
• Permission to register applications and grant admin consent in your Microsoft Entra ID tenant (Global Administrator or Application Administrator role).
• A Microsoft 365 license that covers the resources you intend to replicate:
  • Mail, calendar, and contacts data requires a Microsoft 365 Business Basic license or higher on the underlying mailbox.
  • Sign-in and directory audit logs require Microsoft Entra ID P1 or P2.
  • Teams chat messages and channel messages are protected APIs and require Microsoft approval and a Microsoft 365 E5 license or an appropriate add-on.

To register a Microsoft Entra ID application and grant API permissions:

1. Log into your Microsoft Entra admin center.
2. Navigate to Entra ID > App registrations.
3. Click New registration.
4. Enter a name for the application (for example, QlikDataIntegration), select Accounts in this organizational directory only, and click Register.
5. On the application's Overview page, copy the Application (client) ID and the Directory (tenant) ID and paste them into a secured file.
6. Navigate to Certificates & secrets > Client secrets > New client secret.
7. Enter a description and expiration date, and click Add.

   Copy and paste the secret Value into a secured file.

8. Navigate to API permissions > Add a permission > Microsoft Graph > Application permissions.
9. Add the following permissions:

   Permission	Streams enabled
   User.Read.All	users, calendar_events, contacts, drive_items, mail_messages
   Group.Read.All	groups, group_member, group_owner, teams, channels, team_member
   ChannelMessage.Read.All	Optional. Required for Teams channel message reading (protected API).
   Chat.Read.All	chats, chat_messages (protected APIs)
   Files.Read.All	drives, drive_items
   Mail.Read	mail_messages
   Calendars.Read	calendar_events
   Contacts.Read	contacts
   Application.Read.All	applications, service_principals
   AuditLog.Read.All	audit_logs_directory, audit_logs_signins
   Policy.Read.All	conditional_access_policies
   RoleManagement.Read.Directory	directory_roles, directory_role_templates, directory_role_member

10. Click Grant admin consent for [your organization] and confirm.

    All permissions must show a Granted status before the connector can access those resources.

Creating the connection

Para más información, vea Conectar con aplicaciones SaaS.

1. Rellene las propiedades de conexión necesarias.

2. Proporcione un nombre para la conexión en Nombre de la conexión.

3. Seleccione Abrir metadatos de conexión para definir metadatos para la conexión cuando se haya creado.

4. Haga clic en Crear.

Limitations and considerations

• All streams use Full Table replication — the complete set of records is retrieved on every sync. The Start Date field is captured as part of the connection configuration but does not limit the records returned.
• Admin consent is required for every Microsoft Graph permission listed in the API permissions table. Permissions without admin consent result in 403 Forbidden errors when the connector attempts to read those resources.
• The teams stream queries the /groups endpoint filtered by resourceProvisioningOptions/Any(x:x eq 'Team'). The groups stream returns all groups including non-Teams groups. Teams-scoped child streams (channels, team_member) iterate only over the filtered teams parent.
• Reading Teams chat messages (chats, chat_messages) requires the application to be approved through Microsoft's protected-API request process and a Microsoft 365 E5 license or equivalent add-on. For more information, see Protected APIs in Microsoft Teams.
• Audit log data (audit_logs_directory, audit_logs_signins) is retained for 7 days on the free Entra ID tier and 30 days on P1 or P2. Records outside the retention window are not available for replication.
• Field names are normalized from camelCase to snake_case during extraction. For example, userPrincipalName becomes user_principal_name.
• Rate limiting is handled automatically. On HTTP 429 Too Many Requests responses, the connector waits for the duration specified in the Retry-After header. Transient 5xx responses are retried with exponential backoff for up to 6 attempts.

Schema

Depending on your destination, table and column names may not appear as they are outlined below.