Why your product should support GraphWarden
Enterprise customers adopt GraphWarden to govern Microsoft Graph API access. If your product calls Graph, those customers will ask whether you support routing through the proxy. This page explains the business case for declaring compatibility and what "support" means technically and operationally.
Applies to any product that calls Microsoft GraphPrerequisites
Why enterprise customers ask
GraphWarden customers run regulated workloads: healthcare, financial services, government, and critical infrastructure. The security, compliance, and audit teams at those organizations demand three properties from every application that touches Microsoft Graph on their tenant.
- Zero-knowledge credentials. The real Graph client secret is written to the customer's own Azure Key Vault. GraphWarden reads the secret at runtime through a Managed Identity; no third party ever holds a copy. A product that hardcodes its own Graph credentials, or ships them in an embedded configuration file, cannot satisfy this requirement.
- Ruleset enforcement. Every Graph call is evaluated against a ruleset the customer authors. Allow, filter, block, and log-only verdicts happen inside the proxy before the call reaches Microsoft. Customers need to confirm that your product continues to function when a rule removes response properties or denies a specific endpoint.
- Audit trail and retention. Each Graph call produces an audit event — method, path, caller, status, matched rule, verdict. Events ship to Elasticsearch under a retention policy the customer chooses (30 days, 90 days, 1 year, or 7 years). Compliance frameworks including HIPAA, SOC 2, ISO 27001, PCI DSS, and regional residency rules require this level of evidence.
When a prospect's security review asks "does this product support routing through a Graph governance proxy?", the answer that unblocks the deal is a published compatibility statement. A vague "yes, probably" lengthens the sales cycle; a documented statement shortens it.
What "compatible" means
GraphWarden compatibility is a configuration property, not a runtime dependency.
A compatible product reads two values from customer configuration instead of hardcoding them:
- Microsoft Graph base URL — the customer supplies a proxy URL (for example
https://proxy.customer.internal) in place of the Microsoft defaulthttps://graph.microsoft.com. - Credentials for the token endpoint — the customer supplies a Proxy Client ID and a Proxy Client Secret issued by their GraphWarden App Admin. These replace the Azure AD application credentials your product would otherwise use against
https://login.microsoftonline.com.
Your product builds Graph request URIs against the customer-supplied base URL and acquires tokens from the customer-supplied token endpoint. The SDK calls, the scopes, the response JSON shapes, and the error codes all remain the Microsoft Graph contract. The proxy is transparent to the SDK.
What it does NOT require
Compatibility does not obligate you to adopt anything GraphWarden-specific at the code level.
- No proxy SDK. The customer's proxy URL and credentials are plain strings your existing configuration surface already handles. There is no "GraphWarden SDK" to link, package, or update.
- No API key exchange or registration with GraphWarden. Your product does not authenticate to GraphWarden; the customer does, inside their own deployment of the proxy. The credentials your product uses are issued by the customer's App Admin, not by GraphWarden as a vendor.
- No ongoing subscription, licence fee, or commercial relationship with GraphWarden. Compatibility is a one-time documentation and configuration change on your side.
- No GraphWarden-specific code paths in your product. Your product does not need to reference GraphWarden by name internally. The base URL and credentials are generic configuration values; the customer owns the setup. You may choose to name the capability "GraphWarden compatibility" in your own documentation, but the source code does not need a branded flag.
- No proxy-specific endpoints. Your product continues to call the Microsoft Graph paths it already calls:
/v1.0/users,/beta/groups,/v1.0/me/messages, and so on. The proxy forwards each path unchanged.
What you get in return
Declaring compatibility is a sales and retention investment. The concrete artifacts:
- A published compatibility statement on your own documentation site. A copy-paste template lives at the compatibility statement template page; you replace the fill-in markers with your product specifics and publish the result under a title like "{Your product} compatibility with GraphWarden".
- A one-page technical integration guide your support team can reference when a customer asks how to wire your product to their proxy. The compatibility guide in this section walks through the two configuration values, the common edge cases (token caching, rate limits, ruleset denial errors), and a test checklist.
- Positioning with compliance-oriented prospects. Security reviews that ask about Graph governance treat a published compatibility statement as a hard yes and move on. The absence of one extends the review.
Troubleshooting
The questions below come up frequently during initial compatibility discussions.
Will my Microsoft Graph SDK work through the proxy?
Yes, as long as the SDK exposes a way to override the Graph base URL. Every major Microsoft-published SDK does so. For Microsoft.Graph on .NET, construct GraphServiceClient with an HttpClient whose BaseAddress points at the proxy. For @microsoft/microsoft-graph-client on Node, pass a baseUrl option. For PowerShell's Microsoft.Graph module, pass -Environment or supply a custom authentication provider that targets the proxy. The compatibility guide covers the override points per SDK.
Does compatibility require ongoing maintenance on my side?
No. Once your product reads the Graph base URL and credentials from configuration, the surface is stable. GraphWarden does not introduce breaking changes to its configuration contract; the two values your product reads are the same values every customer supplies. If Microsoft Graph changes a path or adds a new endpoint, your product handles it the same way it would against direct Graph — no proxy-specific update required.
What happens if a customer's ruleset blocks a feature my product needs?
The proxy returns HTTP 403 with a JSON body naming the matched rule. Your product surfaces the error gracefully, ideally with a message that points the end user to their GraphWarden administrator rather than to your support team. The compatibility guide covers error-surface patterns. The practical outcome: the customer's security policy is the final authority, and your product treats a 403 as "the administrator has not granted permission for this endpoint" — the same way it would treat a 403 from direct Graph.
Will this affect performance?
The proxy adds one network hop between your product and Microsoft Graph. In most enterprise network topologies the proxy sits close to the customer's clients, so the added latency is single-digit milliseconds. Token acquisition goes to the proxy rather than Azure AD directly, and the proxy-issued JWT has the same one-hour lifetime as a Graph token — your existing token-caching logic works without change.
Can I test against GraphWarden without deploying it?
GraphWarden runs as a Windows Service or container; a test deployment on a developer workstation takes well under an hour with the pre-staged prerequisites. Many ISVs negotiate a shared lab instance with a prospect during compatibility testing. The compatibility guide includes a test checklist that walks through a baseline run against direct Graph followed by a run through the proxy with an open ruleset and a denying ruleset.
Last reviewed: