Microsoft Graph Explorer: The Complete Developer Guide (2026)
Microsoft Graph Explorer is the free browser tool for testing Graph API calls. Auth, permissions, running queries, reading responses, and the gotchas — 2026.
What Is Microsoft Graph Explorer?
Microsoft Graph Explorer is a free, browser-based tool — hosted at developer.microsoft.com/graph/graph-explorer — that lets you build and run Microsoft Graph API requests without writing a line of application code. You pick a method (GET, POST, PATCH, DELETE), type an endpoint like /me/messages, hit Run query, and read the raw JSON response. It is the fastest way to learn what a Graph endpoint returns and prototype an OData query. It also confirms exactly which scope a call needs before you wire it into an SPFx web part or a Power Automate flow.
Out of the box, Graph Explorer is signed in to a Microsoft-hosted sample tenant preloaded with demo users, messages, and files, so you can run read queries immediately without your own credentials. Sign in with your own work or school account when you need to query real tenant data (Microsoft Learn: Graph Explorer overview).
If you just want a no-setup query surface embedded in this site, the Graph API Explorer tool gives you the same request/response loop alongside saved query snippets. This guide explains the official Microsoft tool end to end.
---
Prerequisites
What you need:
- A modern browser (Chromium, Edge, or Firefox). No install.
- For sample data: nothing — the default sample tenant is read-only and always available.
- For your own tenant: a Microsoft 365 work or school account, and an admin willing to consent to permission scopes the first time you request them.
You do not need to register your own Entra app to use Graph Explorer — it ships with a first-party Microsoft application registration that requests delegated permissions on your behalf. You only register your own app when you move from Explorer to real code (Microsoft Learn: Register an app).
---
Anatomy of the Graph Explorer Screen
Five regions matter:
- Request bar — HTTP method dropdown, API version dropdown (
v1.0orbeta), and the URL field. Type the endpoint afterhttps://graph.microsoft.com/v1.0.
- Request body / headers / permissions / modify-permissions tabs — below the bar. The Modify permissions tab is where you consent to scopes.
- Response preview — the JSON Graph returns, with
@odata.contextat the top telling you exactly what you queried.
- Sample queries panel (left) — categorized, runnable examples for Users, Mail, Files, Teams, and more.
- Code snippets (below the response) — auto-generated C#, JavaScript, Java, Go, and PowerShell for the current request. This is the single most underused feature: build the call visually, then copy the SDK code.
---
Run Your First Query
With the default sample tenant, run a GET against the signed-in user:
GET https://graph.microsoft.com/v1.0/meClick Run query. You get the sample user's profile:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"displayName": "Megan Bowen",
"givenName": "Megan",
"jobTitle": "Auditor",
"mail": "MeganB@M365x214355.onmicrosoft.com",
"userPrincipalName": "MeganB@M365x214355.onmicrosoft.com",
"id": "48d31887-5fad-4d73-a9f5-3c356e68a038"
}Now trim the response with $select so you only pull the fields you need:
GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,jobTitle$select is the cheapest performance win in Graph — it shrinks the payload and speeds parsing. For the full set of OData parameters ($filter, $expand, $orderby, $count, $search) and the gotchas that trip people in production, see the Microsoft Graph OData cheat sheet.
---
Switching to Your Own Tenant
Click your avatar (top right) → Sign in. Use a work or school account. Once signed in, GET /me returns your profile and you can query real data your account can see.
The first time you run a query that needs a scope you have not consented to, Graph returns 403 Forbidden with an Authorization_RequestDenied error. That is the cue to grant the permission — covered next.
---
Permissions: The Part Everyone Gets Wrong
Graph Explorer uses delegated permissions — it acts as the signed-in user, so every call is bounded by both the granted scope and what that user is allowed to do. This is different from the application permissions you will often use in daemon code, which act as the app itself with no user context.
To grant a scope:
- Open the Modify permissions tab under the request bar.
- Find the scope the endpoint needs — for example,
Mail.Readfor/me/messages, orUser.Read.Allto list other users.
- Click Consent. A standard Entra consent dialog appears. Some scopes (anything
.All) require an admin to consent.
Here is the scope each common endpoint needs, and whether a tenant admin must consent:
| Endpoint | Minimum delegated scope | Admin consent? |
|---|---|---|
GET /me | User.Read | No |
GET /me/messages | Mail.Read | No |
GET /me/calendarView | Calendars.Read | No |
GET /users | User.Read.All | Yes |
GET /groups | Group.Read.All | Yes |
GET /sites/{id}/drive | Sites.Read.All | Yes |
Pick the narrowest scope that works —
User.Read over User.ReadWrite.All when you only read your own profile, because Explorer over-requests if you let it. Any .All scope needs a Global Administrator (or an equivalent Entra role) to consent; if you are not an admin, the Consent button will not complete. And a 403 is almost always a missing scope rather than a bug — read the message field in the error body, which names the blocked resource.For the full mapping of Graph endpoints to the scopes they require, use the permission matrix tool. For advanced filtering and counting on directory objects, you must also send the ConsistencyLevel: eventual header together with $count=true (Microsoft Learn: Advanced query capabilities).
---
v1.0 vs beta: Choose Deliberately
The API version dropdown offers two endpoints. v1.0 is production: stable, supported, and safe to ship against. beta is preview — new and changing surfaces land here first, and Microsoft explicitly does not support beta APIs in production because their shapes can change or be removed without notice (Microsoft Learn: Graph versioning and support).
The practical workflow: use beta in Explorer to see what is coming, then confirm the same call exists on v1.0 before you commit it to a codebase. A property that exists only on beta today may ship to v1.0 under a different name — or never ship at all.
---
Writing Data: POST, PATCH, DELETE
Explorer is not read-only. To send a request body, switch the method to POST and open the Request body tab. Example — create a draft email in your mailbox:
POST https://graph.microsoft.com/v1.0/me/messages{
"subject": "Test from Graph Explorer",
"body": {
"contentType": "Text",
"content": "Created via Graph Explorer."
},
"toRecipients": [
{ "emailAddress": { "address": "MeganB@contoso.onmicrosoft.com" } }
]
}This needs the Mail.ReadWrite scope. Be deliberate with write operations against a real tenant — DELETE /me/messages/{id} does exactly what it says, with no undo. Test writes against the sample tenant first.
---
From Explorer to Real Code
You do not have to translate your tested call by hand. Build the request visually, then scroll to the Code snippets panel and pick your language. For a JavaScript app using the Microsoft Graph SDK, Explorer generates:
const messages = await client
.api('/me/messages')
.select('subject,from,receivedDateTime')
.top(10)
.get();For raw REST — say inside an SPFx web part using AadHttpClient — copy the URL and headers directly. If you are calling Graph from SPFx, the next step is wiring auth and the client; start with Getting Started with Microsoft Graph API, which walks through Entra app registration and your first authenticated call.
---
Common Gotchas
403 Forbidden — Authorization_RequestDenied
"Insufficient privileges to complete the operation."Cause: the scope is not consented, or the call needs admin consent and you are not an admin. Fix: Modify permissions → Consent; if it is a
.All scope, ask a Global Administrator. Look up the exact scope an endpoint needs in the permission matrix.400 Bad Request — "Request_UnsupportedQuery"Cause: an advanced
$filter/$count on directory objects without the eventual-consistency header. Fix: add the header ConsistencyLevel: eventual and include $count=true (Microsoft Learn: Advanced query capabilities).401 Unauthorized — InvalidAuthenticationToken
"Access token has expired or is not yet valid."Cause: your Explorer session token expired. Fix: sign out and back in; the token refreshes.
- Empty response but 200 OK — you likely projected away the field with
$select. Check@odata.context; it shows exactly what you asked for.
- Sample-tenant writes look like they fail — the sample tenant is read-only for many operations by design. Sign in to your own tenant for write tests.
- Single quotes in
$filter— string literals use single quotes:$filter=startswith(displayName,'Meg'). Double quotes return 400.
---
What's Next
- Run queries with saved snippets in the Graph API Explorer tool, and check scopes in the permission matrix.