Summit 7 Team Blogs

Microsoft Graph Endpoints Are Live in Azure Government and Directly Impact Security and NIST 800-171 Compliance

Microsoft recently announced the availability of new Microsoft Graph endpoints for Azure Government, which is the infrastructure of Office 365 GCC High. Many of the Microsoft 365 Enterprise Mobility + Security (EM+S) products, such as Advanced Threat Protection (ATP), and Office 365’s Power Stack (Flow, PowerApps, Power BI) tap into the Microsoft Graph to make best use of your operational data. 

31DaysMSGraph_Day2_SourceGraphic from Microsoft

The Microsoft Graph endpoints have been available for the commercial Azure environment; however, the framework was delayed for Azure Government to meet requirements of the United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information at Impact Levels 4 and 5 (L4/L5). These requirements apply to Controlled Unclassified Information (CUI) and other unclassified National Security Systems.

Now contractors can develop products that need to pull from multiple CUI data sources across their Azure Government environments with the Microsoft Graph APIs, while also maintaining a compliant posture.

Microsoft Graph vs Office Graph

Microsoft Graph and the Office Graph are two different technologies (proxy vs. search) so it’s important to clarify this distinction here before we go further. The Office Graph essentially captures the activities, or signals, from users interacting with data in Office 365: SharePoint, OneDrive, Teams, etc. The Office Graph also associates data and activities with Groups and Teams for a richer context. This data was the backbone for Delve at its inception because it could uncover relationships between users and their behavior with people and documents. Much of the insights you might historically derive from the Office Graph have since been folded into the Microsoft Graph and its respective API's, but this service does still exist behind the scenes.

Unfortunately, the Office Graph is not yet supported in GCC High tenants at the present time. This results in some limited signals across services as can be seen on the SharePoint home-page:

The Microsoft Graph uses Office Graph data along with signals from Azure AD, Exchange, and more sources throughout your Microsoft estate. This “full picture” is what makes the Microsoft Graph so powerful.

Some Security Implications for the Microsoft Graph and NIST Compliance

Security professionals and teams have historically struggled with having multiple tools giving a multitude of alerts, but with a limited ability to correlate them or investigate them in a quick and efficient way. With Microsoft Graph Security APIs, these folks can take advantage of a unified interface when tackling incidents.

Microsoft Cloud App Security (MCAS), for example, is a Cloud Access Security Broker (CASB) that can take the integrated data from the Microsoft Graph and automatically enact security measures without an analyst lifting a finger to investigate. Alerts flowing from multiple sources (Windows Defender ATP, Office 365 ATP, Intune, AIP, etc.) are funneled through the Microsoft Graph and powers threat protection MCAS.

MCAS Cloud Discovery screen - NIST

Here are some additional scenarios provided by Microsoft using the Graph:


  • Multiple analysts are working on a critical alert from a security product integrated with Graph Security API. One of these analysts is waiting for her turn to analyze the alert pertaining to her area. She has to go for a meeting, however would like to be notified about the status of this alert. To do so, she subscribes to receive notifications on this alert via Microsoft Graph webhooks. The alert gets assigned to her while she is in the meeting. She gets promptly notified about the change and excuses herself from the meeting to complete the investigation.
  • An alert is issued after Azure Identity Protection detects an “Impossible travel to atypical location” and sent to the analyst. Even before conducting the investigation, the analyst can enforce a multi-factor authentication. This action can be automated by a runbook.
  • An alert is raised after the discovery that a computer is establishing a communication to a malicious IP address. The analyst launches a runbook that will block the connection from the workstation to this IP address on the company's firewall and then launch (through Windows Defender) the disinfection of the workstation.

These scenarios and others tie directly into a Government Contractor's System Security Plan (SSP). Below are just a couple NIST 800-171 controls positively impacted by the use of the Microsoft Graph.

3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions. 

3.1.12 Monitor and control remote access sessions. 

3.5.1 Identify system users, processes acting on behalf of users, or devices. 

3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational systems. 

3.13.4 Prevent unauthorized and unintended information transfer via shared system resources. 

3.14.3 Monitor system security alerts and advisories and take appropriate actions in response. 

3.14.6 Monitor organizational systems including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. 

3.14.7 Identify unauthorized use of organizational systems.

Key Notes

There currently is no Graph Explorer for Azure Government’s MS Graph endpoints. This does not directly impact some of the native security features discussed previously; however the Graph Explorer allows you to test certain queries and parameters against your data to see if there is a proper return. This is a nice tool to explore a specific user's activities across all endpoints or look into all user behavior within a certain time period, and more..

Last, but not least - we've tested the new Microsoft Graph APIs with Power BI and it is functioning. So no fake news here.