Introduction
Managing groups in Entra ID may require precise tracking of changes such as additions, deletions, or updates. Graph Delta Queries offer an efficient method to monitor these changes. In this article, we will explore the use of Graph Delta Queries, their limitations, and practical PowerShell script examples.
Understanding Graph Delta Queries
What is a Delta Query?
A Delta Query in Microsoft Graph allows you to detect additions, modifications, or deletions of objects without requiring a complete read of the resource. This optimizes synchronization operations between a local database and storage within Entra ID.
Good to know
Resources like users, groups, calendar items, and SharePoint objects supported by Microsoft Graph can use Delta Queries.
How Delta Queries Work
To use a Delta Query, key steps include:
- Establish an initial baseline: Collect data from the desired resource with appropriate parameters.
- Use the deltaLink URL: The last page of results contains a special URL (deltaLink) that will be used to track subsequent changes.
- Check for modifications: Use the deltaLink to retrieve modified objects.
Create a Delta Query
To retrieve the initial baseline of groups in Entra ID, use the following script:
```powershell
Connect-MgGraph -Scopes Group.Read.All
# Single quotes keep $select literal instead of expanding it as a variable
$Uri = 'https://graph.microsoft.com/v1.0/groups/delta?$select=id,DisplayName,MailNickName'
[array]$Baseline = $null

do {
    $Data = Invoke-MgGraphRequest -Method Get -Uri $Uri
    If ($Data.value) {
        $Baseline += $Data.value
    }
    If ($Data.'@odata.deltaLink') {
        # Last page: keep the deltaLink and stop paging
        $deltaLink = $Data.'@odata.deltaLink'
        $Uri = $null
    } Else {
        # More pages to read: follow the nextLink
        $Uri = $Data.'@odata.nextLink'
    }
} while ($Uri)

# Save the deltaLink for later change checks
$DeltaLink | Out-File .\groupsdeltaLink.txt
```
Check for Changes
Once the baseline is set, use the deltaLink to identify changes:
```powershell
[array]$Data = Invoke-MgGraphRequest -Uri $DeltaLink -Method Get -OutputType PsObject
$Data.Value
```
This will return the values of modified objects, including their updated properties.
Using "From Now On" Delta Queries
Microsoft Graph also allows you to create an immediate Delta Query to monitor future changes. Here is an example of the syntax:
```powershell
$Uri = "https://graph.microsoft.com/v1.0/groups/delta?`$deltatoken=latest"
$Data = Invoke-MgGraphRequest -Uri $Uri -Method Get -OutputType PsObject
$DeltaLink = $Data.'@odata.deltaLink'
```
This method is useful if you want to start monitoring changes without retrieving current states.
Limitations and Recommendations
Although Delta Queries are efficient for synchronization, they have limitations for long-term reporting:
- Delta tokens expire after seven days, making it impossible to track changes over an extended period (for example, 30 days).
- Delta Queries do not provide information about the users responsible for changes, unlike audit logs.
- Some features like expansion (expand), sorting (orderby), and selection (top) are not supported by Delta Queries.
Caution
Delta Queries are not suitable for historical reports or audits. Instead, use the audit logs available in Entra ID.
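A polling run that ties the steps above together, as an added example (not code from the original article): it reads the saved deltaLink, pages through the changes, marks objects that carry the `@removed` annotation, and restarts with a "from now on" query when the saved link is missing or rejected, for example after the seven-day expiry. The function name Get-GroupDeltaPage and the report layout are assumptions; it expects Connect-MgGraph to have been run already.

```powershell
# Added example: poll a saved deltaLink and classify the changes.
# Assumes Connect-MgGraph -Scopes Group.Read.All has already run and that
# .\groupsdeltaLink.txt holds the deltaLink saved by the baseline script.
$LinkFile = '.\groupsdeltaLink.txt'
$FromNow  = 'https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=latest'

function Get-GroupDeltaPage {
    # Hypothetical helper: follows @odata.nextLink pages until the
    # response carries an @odata.deltaLink, then returns both.
    param([string]$Uri)
    $Items = @()
    do {
        $Data = Invoke-MgGraphRequest -Uri $Uri -Method Get -OutputType PsObject
        if ($Data.value) { $Items += $Data.value }
        $Next = $Data.'@odata.nextLink'
        if ($Next) { $Uri = $Next }
    } while ($Next)
    [pscustomobject]@{ Items = $Items; DeltaLink = $Data.'@odata.deltaLink' }
}

$Saved = Get-Content $LinkFile -ErrorAction SilentlyContinue | Select-Object -First 1
try {
    if (-not $Saved) { throw 'No saved deltaLink' }
    $Result = Get-GroupDeltaPage -Uri $Saved
} catch {
    # A missing or rejected link means changes since the last run were not seen.
    # Record the gap so it can be covered from the audit logs, then restart.
    Write-Warning "Delta tracking gap: $($_.Exception.Message). Restarting from now."
    $Result = Get-GroupDeltaPage -Uri $FromNow
}

$Report = foreach ($Item in $Result.Items) {
    # Deleted or out-of-scope objects carry an '@removed' annotation with a reason
    $Removed = $Item.PSObject.Properties['@removed']
    [pscustomobject]@{
        Id          = $Item.id
        DisplayName = $Item.displayName
        Change      = if ($Removed) { "Removed ($($Removed.Value.reason))" } else { 'Added or updated' }
    }
}
$Report | Format-Table -AutoSize

# Persist the new deltaLink only after the whole change set has been read
if ($Result.DeltaLink) { $Result.DeltaLink | Out-File $LinkFile }
```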
Monitoring Specific Groups
It is possible to limit a Delta Query to a subset of specific groups by using filters on their identifiers. Here is an example:
```powershell
$Group1 = Get-MgGroup -Filter "displayName eq 'Finance Team'"
$Group2 = Get-MgGroup -Filter "displayName eq 'HR Department'"
# The backtick stops PowerShell from expanding $filter inside the double-quoted string
$Uri = ("https://graph.microsoft.com/beta/groups/delta?`$filter=id eq '{0}' or id eq '{1}'" -f $Group1.Id, $Group2.Id)

[array]$Baseline = Invoke-MgGraphRequest -Uri $Uri -Method Get -OutputType PsObject
```
This will allow you to monitor changes made only to these specific groups.
Alternatives and Known Issues
Issues with Graph SDK Module
The Graph SDK PowerShell module does not support delta links, which limits its capabilities for Delta Queries. This remains a known issue at Microsoft.
Alternatives
For precise tracking and complete change management, it is recommended to use Entra ID audit logs or backup solutions like Entra ID Backup and Recovery, which allow you to restore unwanted changes.
Tip
For efficient management of PowerShell scripts, consider using Azure Automation runbooks.
Conclusion
Graph Delta Queries are a useful solution for synchronizing and monitoring real-time data changes, but they are not suitable for long-term reporting purposes on modified objects. Explore tools like Entra ID audit logs or backup options for complete group management.

To learn more, you can explore other Microsoft Graph topics, such as API integration, or consult resources on PowerShell automation.




