3. /delta approach
Create & Update
Search
Graph vs SP Rest API
Security
considerations
Resources
Agenda
About me
Why something
new?
• Site, List, Item
Getting started
• Expand, select
OData 1
• Filter and deal with different
column types
OData 2
Items vs files
4. • Markus Moeller
• Microsoft 365 Developer Expert
• Microsoft MVP
• PnP community contributor
• Avanade Germany
• @moeller2_0
• https://mmsharepoint.wordpress.com
• Proud dad of 1 (2yrs)
About me
5. Why something new?
No matter if low-code or pro-code:
You need an Api to access data ...
• SharePoint → Microsoft 365 development
• SharePoint, Exchange, Teams, Planner, Azure AD …
• V1.0 vs beta endpoint
• Use $whatif to detect underlying product Api
7. The site as starting point
• Know ID or Url from your runtime context
• Iterate list of /me/followedSites
• Search for sites
• List groups and grab site by relationship ( {groupID} /sites/root )
• Organizations Default Site: /sites/root
11. Odata operations
• Projection recommended
• LookupListviewThreshold still a topic …
• $orderby and $expand also reduces # of calls and improves performance
• $filter server-side better than client-side …:
13. ListItem vs DriveItem
ListItem
• $filter on list &$expand=drivItem
DriveItem
• $filter on drive &$expand=listItem
• Projection on custom fields possible
and recommended
17. Create and Update
• POST vs PATCH
• Text, Choice, : „text“
• Number: number
• Date: ISOFormat
• Yes/No: true/false
• <Field>LookupID: „LookupId“
➢Use /lists/User Information List/items?$expand=fields to get
UserLookupIDs
19. Graph Search Api
• Runs in user context (delegated permissions)
• Prefer general endpoint https://graph.microsoft.com/v1.0/search/query with entityTypes
• Use KQL, Managed Properties (Refinable!) as you know from SP Rest Api
• Further checkout:
• trimDuplicates
• Search sites, lists, drives only
21. Graph vs SP Rest API
Microsoft Graph
• One API fits all
• Modern approach
• One token across M365 app
• Delta approach
• Taxonomy operations
• Expect new things „here“
SP Rest Api
• Very rich operations set
• „Known“ to many SP Devs
• „No auth handling“ in SPFx
• Necessary for Special
operations
22. Security considerations
• Pefer delegated permissions
• Use SSO wherever possible
• Consider „resource specific consent“ (RSC) when dealing with app
permissions
• Secretless / Managed Identity
23. Security considerations for SPFx
MSGraphClient
• Uses (shares!) Graph
permissions tenant-wide
• Every app can read/write
sites/user/mail ... !!!
AadHttpClient
• Uses (shares!) access_as_user
permission tenant-wide
• Every app can „call“ your
backend Api (Azure Function ...)
• Your code can secure this
further...
Microsoft Graph = 3rd party access
• Prefer AadHttpClient over MSGraphClient
• Both use „SharePoint Online Client Extensibility“ enterprise application
which grants permission tenant-wide
24. Resources
• Use Microsoft Graph to query SharePoint items (Presenter's blogpost)
• Query SharePoint items with Microsoft Graph and Search (Presenter's blogpost)
• Use Microsoft Graph to create SharePoint items (Presenter's blogpost)
• Use Microsoft Graph delta approach to increase performance getting SharePoint list
items (Presenter's blogpost)
• Graph Explorer
• API documentation (v1.0)
27. Site, List, LisItem
• Having https://<YourTeanant>.sharepoint.com/teams/GraphDemo
• We can
https://graph.microsoft.com/v1.0/sites/<YourTeanant>.sharepoint.com:/teams/G
raphDemo
• Now pick the Id and use it in https://graph.microsoft.com/v1.0/sites/{site-id}
• Having the site attach /lists to detect a list we want
• Pick one by https://graph.microsoft.com/v1.0/sites/{site-id}/lists/{list-id} or {list-
title}
• Get the items by attaching /items
• Get specific item by attaching /{item-id}
• https://graph.microsoft.com/v1.0/sites/{site-id}/lists/{list-id}/items/{item-id}
28. Handling custom fields
• https://graph.microsoft.com/v1.0/sites/{site-id}/lists/{list-
id}/items/{item-id} has /fields by default
• https://graph.microsoft.com/v1.0/sites/{site-id}/lists/{list-id}/items/
?$expand=fields
• $expand=fields($select=Title,Lastname,Salary) [Projection instead]
• ?$expand=fields&$orderby=fields/Lastname:
• "Field 'Lastname' cannot be referenced in filter or orderby as it is not indexed.
• Add to Header: Prefer HonorNonIndexedQueriesWarningMayFailRandomly
OR
• Index column!!!
29. $filter items
• Filter text based /items?$expand=fields&$filter=startswith(fields/Title, 'H')
• Filter DateTime /items?$expand=fields&$filter=fields/HireDate lt '2019-01-02’
• Filter Boolean
• $filter=fields/KeyEmployee eq 1
• $filter=fields/KeyEmployee eq 0
• Better: $filter=fields/KeyEmployee ne 1 (Will also show “empty” fields)
• Filter Lookup, Person
/items?$expand=fields&$filter=fields/ManagerLookupId eq 11
30. ListItem vs DriveItem
• Library as list: /lists/Documents/items
• ?$expand=fields,driveItem
• Switch to Drive:
• Pick parentReference | path from driveItem
• Attach /drives/{drive-ID}/root/children
• ?$expand=listItem($select=id,webUrl;$expand=fields($select=FileLeaf
Ref,Reviewer))