← Back to Blog

Microsoft Graph API Explorer: The Complete Developer Guide (2026)

Microsoft Graph API Explorer is the free browser tool for testing Graph API calls. Auth, permissions, running queries, reading responses, and the gotchas.

Microsoft Graph API Explorer: The Complete Developer Guide (2026)


The Microsoft Graph API Explorer (developer.microsoft.com/graph/graph-explorer) is a free, browser-based HTTP client for Microsoft Graph. Open it, pick a method and endpoint, hit Run query, and read the JSON response — no app registration, no code, no token management. It's the fastest way to confirm what a Graph call returns and which permission scope it requires before you wire anything into an SPFx web part, a Power Automate flow, or a daemon app.

Key Takeaways

- Graph Explorer runs in the browser at developer.microsoft.com/graph/graph-explorer — no install, no app registration.

- A built-in sample tenant lets you run GET /me instantly without a Microsoft 365 account.

- The Modify permissions tab shows exactly which Entra scope a call needs; click Consent and Explorer requests it immediately.

- The Code snippets panel generates C#, JavaScript, Java, Go, and PowerShell for every query you build visually.

- Use v1.0 for production; use beta only in Explorer to preview unreleased API shapes (Microsoft Learn: Graph versioning).

- Export any tested call collection to Postman for team sharing or CI integration.

---

What Is the Microsoft Graph API Explorer?

Graph Explorer is Microsoft's official interactive testing console for the Microsoft Graph REST API, hosted at developer.microsoft.com/graph/graph-explorer. It lets you build and run any Graph REST call in the browser — selecting the HTTP method, API version, URL, headers, and request body through a UI — and shows you the full JSON response plus the exact permission scopes the call consumed (Microsoft Learn: Graph Explorer overview).

What makes it the right first stop before writing code:

  • No app registration. Explorer ships with its own first-party Entra app. You don't touch the Azure portal to start testing.

  • Built-in sample tenant. A demo tenant with pre-populated users, messages, files, and calendar entries lets you run GET /me before you've signed in with real credentials.

  • Scope discovery. The Modify permissions tab tells you which delegated scope an endpoint needs and lets you consent to it in one click. Stop guessing scopes from docs — let the tool tell you.

  • Code generation. Every query you run exports as C#, JavaScript, Java, Go, or PowerShell SDK code with a single click.

If you just want a query surface embedded alongside code examples without switching browser tabs, the Graph API Explorer tool on this site gives you the same request/response loop with a library of saved snippets for the endpoints M365 developers hit most often.

---

Prerequisites

  • A modern browser (Chromium, Edge, or Firefox). Graph Explorer is fully browser-based — no install, no CLI.

  • For sample data: nothing — the default sample tenant is always available and read-only.

  • For your own tenant: a Microsoft 365 work or school account. Write operations or .All scopes additionally require a Global Administrator to grant admin consent.

You do not need your own Entra app registration. Graph Explorer uses a first-party Microsoft application registration to request delegated permissions on your behalf. You only register your own app when you move from Explorer to production code that runs without a signed-in user (Microsoft Learn: Register an app).

---

Graph Explorer UI: Every Region Explained

Five regions matter. Knowing them means you stop hunting the UI every time you switch tasks.

1. Request Bar

HTTP method dropdown (GET / POST / PATCH / PUT / DELETE) + API version dropdown (v1.0 or beta) + URL field. The URL field auto-suggests Graph endpoints as you type — type /me/m and it offers /me/messages, /me/memberOf, and more. Enter the full path after https://graph.microsoft.com/v1.0.

2. Request Tabs

Four tabs sit below the request bar:

TabWhat it does
Request bodyJSON payload for POST / PATCH / PUT
Request headersCustom headers — ConsistencyLevel: eventual, Prefer: return=minimal, etc.
Modify permissionsWhich scopes the current endpoint needs; one-click Consent
Access tokenThe raw bearer token Explorer is using — paste it into jwt.ms to inspect claims

3. Sample Queries Panel (Left Sidebar)

Pre-built, categorized, runnable examples for Users, Mail, Files, Calendar, Teams, Sites, and more. Each entry is a one-click "load and run" — click, read the response, then edit the URL for your real parameters. Faster than reading docs when you want to see what an endpoint looks like.

4. Response Pane

Full JSON response, with response headers on a separate tab. The @odata.context field at the top of every successful response tells you exactly what resource type was returned and whether any $select projection was applied. If a field you expected is missing, check this line first.

5. Code Snippets (Below Response)

Auto-generated SDK calls in C#, JavaScript, Java, Go, and PowerShell for the current request. Build your call visually, tune the OData parameters, confirm the response shape — then copy the snippet into your project. This is the most underused feature in Graph Explorer.

---

Your First Query in Under Two Minutes

No sign-in needed. The default sample tenant is always available.

Step 1: Open Graph Explorer.

Step 2: The URL field already shows https://graph.microsoft.com/v1.0/me. Hit Run query.

Step 3: You get the sample user's profile:

{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"displayName": "Megan Bowen",
"givenName": "Megan",
"jobTitle": "Auditor",
"mail": "MeganB@M365x214355.onmicrosoft.com",
"userPrincipalName": "MeganB@M365x214355.onmicrosoft.com",
"id": "48d31887-5fad-4d73-a9f5-3c356e68a038"
}

Now add $select to trim the response to only the fields you need:

GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,jobTitle

$select is the cheapest Graph performance win: it shrinks the payload and reduces the amount of work Graph does server-side to serialize the response (Microsoft Learn: query parameters). Always include it in production calls. Try a few more sample-tenant queries before signing in to your own account:

GET https://graph.microsoft.com/v1.0/me/messages?$select=subject,from,receivedDateTime&$top=5
GET https://graph.microsoft.com/v1.0/me/drive/root/children?$select=name,size,lastModifiedDateTime
GET https://graph.microsoft.com/v1.0/users?$select=displayName,mail&$top=10

For the full OData parameter reference — $filter, $expand, $orderby, $count, $search and the syntax traps that produce 400 in production — see the Microsoft Graph OData cheat sheet.

---

Sign In and Query Your Own Tenant

Click your avatar (top right) → Sign in → use a work or school account. Once signed in, GET /me returns your profile, not the sample user's, and you can query real tenant data your account can see.

The first time you run an endpoint that needs a scope you haven't consented to, Graph returns:

403 Forbidden — Authorization_RequestDenied
"Insufficient privileges to complete the operation."

That's the cue to grant the permission, not a bug in the call. In practice, Graph Explorer's 403 flow is its best teaching tool: it forces you to discover the minimum required scope before you write any code. When you've gone through this loop in Explorer — hit 403, open Modify permissions, read the required scope, consent, re-run — you've already done the scope-design work that prevents over-permissioning in the production app you ship.

---

Permissions: What Every Developer Gets Wrong

Graph Explorer uses delegated permissions — it acts as the signed-in user. Every call is bounded by both the consented scope and what that user is allowed to do in the tenant. This differs from application permissions used in daemon apps or background jobs, which act as the app itself with no user context.

According to the Microsoft Graph permissions reference (Microsoft Learn, 2026), delegated permissions require both the scope to be consented by an admin and the signed-in user to have the underlying resource access. Granting User.Read.All doesn't let a non-admin user read all users if their Entra role blocks it — the scope grants the right to try, not blanket access.

To grant a scope in Explorer:

  • Open the Modify permissions tab.

  • Find the scope the endpoint needs.

  • Click Consent. An Entra consent dialog appears.

  • Scopes ending in .All require a Global Administrator (or an equivalent Entra role) to consent.

Here's the scope each common endpoint needs, and whether admin consent is required:

EndpointMinimum delegated scopeAdmin consent?
GET /meUser.ReadNo
GET /me/messagesMail.ReadNo
GET /me/calendarViewCalendars.ReadNo
GET /me/drive/root/childrenFiles.ReadNo
GET /me/joinedTeamsTeam.ReadBasic.AllNo
POST /me/sendMailMail.SendNo
GET /usersUser.Read.AllYes
GET /groupsGroup.Read.AllYes
GET /sites/{id}/driveSites.Read.AllYes
GET /auditLogs/signInsAuditLog.Read.AllYes
PATCH /users/{id}User.ReadWrite.AllYes
DELETE /me/messages/{id}Mail.ReadWriteNo

Source: Microsoft Learn — Microsoft Graph permissions reference (all scopes and admin-consent requirements listed there).

Pick the narrowest scope that works. User.Read over User.ReadWrite.All when you only read your own profile. For the full endpoint → scope mapping without hunting through individual Microsoft Learn pages, use the permission matrix tool.

Advanced directory queries — $filter on displayName, $count=true on /users, $search on directory objects — require an extra header. Add it under the Request headers tab:

ConsistencyLevel: eventual

And include $count=true in the URL. Without it, those queries return 400 with Request_UnsupportedQuery (Microsoft Learn: Advanced query capabilities).

---

v1.0 vs Beta: Which to Use

The API version dropdown offers two endpoints:

  • v1.0 — production: stable, supported, safe to ship. Microsoft commits to backward compatibility here.

The practical workflow: use beta in Explorer to preview what's coming or to access a property that hasn't shipped to v1.0 yet. Before you commit a call to code, switch the version to v1.0 and confirm the same endpoint works there. A property available on beta today may arrive on v1.0 under a different name — or never arrive.

---

Writing Data: POST, PATCH, DELETE

Explorer isn't read-only. Switch the method, open the Request body tab, and fire write operations.

Create a draft message:

POST https://graph.microsoft.com/v1.0/me/messages
{
"subject": "Test from Graph Explorer",
"body": {
"contentType": "Text",
"content": "Created via Graph Explorer."
},
"toRecipients": [
{ "emailAddress": { "address": "youraddress@contoso.onmicrosoft.com" } }
]
}

Scope needed: Mail.ReadWrite. Be deliberate with write operations against a real tenant — DELETE /me/messages/{id} is permanent. Test writes against the sample tenant first; switch to your real tenant only once the shape of the call is confirmed.

A PATCH example — update a user's job title (requires User.ReadWrite.All, admin consent):

PATCH https://graph.microsoft.com/v1.0/users/{id}
{
"jobTitle": "Senior Developer"
}

Graph returns 204 No Content on a successful PATCH — no body. An empty 204 is success, not an error.

---

History, Sharing, and Postman Export

Two features that speed up repeat testing:

Query History

Graph Explorer records every request you've run under the History tab (clock icon in the left sidebar). History is saved for 30 days and persists across browser sessions, so you can come back the next day and pick up where you left off (Microsoft Learn: Work with Graph Explorer). Click any entry to reload the method, URL, headers, and body — then modify and re-run.

Share a Query

Once you've built a working query, click the Share button next to Run query to copy a shareable link. Anyone who opens the link sees the same endpoint, method, headers, and body pre-loaded in their own Explorer session — useful for sharing a reproducible example with a colleague or posting to a Stack Overflow answer.

Postman Collection Export

Graph Explorer can export your requests to Postman. Open the Resources tab in the left sidebar, select the resources you want to export, then choose Download Postman collection (Microsoft Learn: Use Postman with Microsoft Graph). This is the fastest way to share a confirmed set of Graph calls with a team or run them in a CI pipeline without rebuilding the collection from scratch.

Before starting SPFx development, export your Explorer session to Postman first. The exported collection gives you a confirmed baseline of working API calls before you introduce the SPFx authentication layer — when a 403 appears in the web part, you already know the call works in isolation, which makes it straightforward to isolate whether the problem is auth configuration, permission scope, or SPFx-specific context.

---

From Explorer to Real Code

You don't have to translate a tested call by hand. Build the request visually, confirm the response, then scroll to the Code snippets panel and pick your language.

For a JavaScript app using the Microsoft Graph SDK:

const messages = await client
.api('/me/messages')
.select('subject,from,receivedDateTime')
.top(10)
.get();

For raw REST inside an SPFx web part using AadHttpClient:

const response = await this.context.aadHttpClientFactory
.getClient('https://graph.microsoft.com')
.then(client => client.get(
'https://graph.microsoft.com/v1.0/me/messages?$select=subject,from,receivedDateTime&$top=10',
AadHttpClient.configurations.v1
));
const data = await response.json();

If you're starting from scratch with Graph in SPFx — app registration, token acquisition, first authenticated call — the Getting Started with Microsoft Graph API guide covers it end to end. For the full authentication patterns (delegated vs application, MSAL, client credentials), see the Microsoft Graph API Authentication Guide.

Once your calls work in isolation, look at batching. A single POST /v1.0/$batch payload can combine up to 20 independent Graph requests into one HTTP round trip — critical for SPFx web parts that would otherwise serialize multiple GET calls on page load. See the Microsoft Graph batch requests guide.

---

Common Errors and Fixes

403 Forbidden — Authorization_RequestDenied
"Insufficient privileges to complete the operation."

Cause: the scope is not consented, or the call needs admin consent and you're not an admin.
Fix: Modify permissions → Consent. If it's a .All scope, a Global Administrator must consent. Look up the exact scope in the permission matrix.

400 Bad Request — "Request_UnsupportedQuery"

Cause: an advanced $filter or $count on directory objects without the eventual-consistency header.
Fix: add ConsistencyLevel: eventual in the Request headers tab and include $count=true in the URL (Microsoft Learn: Advanced query capabilities).

401 Unauthorized — InvalidAuthenticationToken
"Access token has expired or is not yet valid."

Cause: your Explorer session token expired (default token lifetime is ~1 hour).
Fix: sign out and back in; the token refreshes.

  • Empty response but 200 OK — you likely projected away the field with $select. Check @odata.context; it shows what you asked for.

  • Sample-tenant writes look like they fail — the sample tenant is read-only for most write operations by design. Sign in to your own tenant for write tests.

  • Single quotes in $filter — string literals use single quotes: $filter=startsWith(displayName,'Adele'). Double quotes return 400.

  • beta property missing on v1.0 — some properties are beta-only. Check if the property is documented as beta-only in Microsoft Learn before assuming a bug.

---

Frequently Asked Questions

Is Microsoft Graph Explorer free to use?

Yes — Graph Explorer is free and available at developer.microsoft.com/graph/graph-explorer with no account required for sample-tenant read queries. Sign in with a Microsoft 365 work or school account to query your own tenant's live data. There are no usage limits documented for Explorer itself; Graph API throttling limits still apply to your tenant's API quota.

Does Graph Explorer require an Azure app registration?

No. Graph Explorer ships with its own first-party Microsoft Entra application registration — you never touch the Azure portal to start testing. You only need your own app registration when you build code that calls Graph outside of Explorer, such as an SPFx web part or a Power Automate custom connector. See the Getting Started with Microsoft Graph API guide for the full registration walkthrough.

What's the difference between Graph Explorer and Postman for testing Graph APIs?

Graph Explorer is purpose-built for Microsoft Graph: it knows all Graph endpoints, auto-suggests scopes, handles Entra authentication natively, and generates SDK code snippets. Postman is a general-purpose REST client with more team collaboration and automation features. Start in Graph Explorer to validate calls and discover scopes, then export to Postman for team sharing or pipeline integration.

Why does Graph Explorer return 403 even after I grant the permission?

Three common causes: (1) you consented a user-level scope but the endpoint needs admin consent — check the Modify permissions tab for an "admin consent required" label; (2) the signed-in user lacks the in-tenant resource permission even though the Entra scope is granted — a scope grants the right to try, not blanket data access; (3) token caching — sign out and back in to force a fresh token that includes the newly consented claim.

Can I use Graph Explorer to test application permissions?

No — Graph Explorer only supports delegated permissions (signed-in user context). To test application permissions used in daemon flows or background services, you need your own Entra app with a client secret or certificate and acquire a token via the client credentials flow. See the Microsoft Graph API Authentication Guide for a walkthrough of both flows.

Does Graph Explorer support batch requests?

The standard Graph Explorer UI runs one request at a time. To test the $batch endpoint you can write the batch JSON body manually in the Request body tab and POST it to https://graph.microsoft.com/v1.0/$batch. For deep coverage of batch payloads, the 20-request limit, retry headers, and response ordering, see the Microsoft Graph batch requests guide.

---

What's Next






  • Permission matrix tool — look up the exact scope any endpoint requires without scanning the full permissions reference

Free Developer Tool

M365 Architecture Canvas

Design SharePoint, Teams, and Power Platform architectures visually. Export a structured Markdown document ready for proposals or GitHub.

Try It Free →

We use cookies for analytics (and ads if/when AdSense is enabled). By accepting, you allow these uses. See our Privacy Policy and Cookie Policy.