
I fail to understand much of the literature that comes from Microsoft these days. Could someone please answer this basic question for me?

Does Azure ADSI also provide a back-end/directory/data-source against which authentication can be made? Or does it just provide an interface, much like ADSI itself, that queries the active directory using LDAP?

And if it does provide a storage mechanism for user authentication, what sort of a storage is it? Does the storage contain the ability to represent organizational hierarchies? Also, does the back-end contain the ability to create an object graph of relationships among users and retrieve that graph?

Water Cooler v2

1 Answer

I am looking at some Azure AD Graph API code and it appears as though the graph API is merely an IQueryable<T>/IQueryProvider<T>, i.e. a LINQ to Someone Else's Active Directory service, and this service is hosted in the cloud and is available for our applications to use.

We have to provide a tenant's active directory domain name and the credentials and the Azure AD Graph API will simply authenticate against it.

So, in a nutshell, the answer to my original question is: no. No, the Azure AD Graph API does not provide a back-end storage for storing custom identity information. It merely provides object-oriented access, like LINQ, to query an existing data source.

It also provides an underlying REST API, which we may use if we like, but we may also not explicitly call the REST URLs and instead use the standard LINQ query operators and the object-oriented LINQ API.

My question was born out of a suggestion I received from a colleague of mine who said that Azure AD Graph API could even manage all profile data and create some kind of a graph and authenticate against it. I doubted it very much, but after looking at some code, I am able to understand that such is not the case.

Please confirm if this is true.

Water Cooler v2