Product

Introducing GraphWarden: Securing Graph API Without Changing Your Code

GraphWarden Team·March 25, 2025·7 min read

The Problem Every Enterprise Shares

If your organization runs Microsoft 365, you almost certainly have applications that access Microsoft Graph API. PowerShell scripts that sync user directories. HR platforms that read employee profiles. CRM systems that pull contact data. Third-party SaaS tools that need directory information to function.

These applications share a common pattern: they authenticate with Entra ID (Azure AD), obtain a token with broad permissions like User.Read.All, and query Graph directly. The credentials are often hardcoded in scripts, stored in configuration files, or passed through CI/CD pipelines with minimal protection.

The result is a governance gap that exists in virtually every Microsoft 365 tenant:

  • Applications have far more access than they need
  • Graph API secrets are scattered across scripts, config files, and pipelines
  • Nobody knows exactly which app reads which data, how often, or why
  • Rotating a compromised credential means hunting through every script that uses it
  • Compliance audits produce uncomfortable conversations about data minimization

Today, we are introducing GraphWarden to close this gap.

What GraphWarden Does

GraphWarden is a zero-trust HTTP proxy for Microsoft Graph API. It sits between your applications and Microsoft Graph, enforcing granular access policies, managing credentials securely, and logging every interaction.

The architecture is simple. Your applications authenticate with GraphWarden using revocable proxy credentials - unique per application. GraphWarden holds the real Graph credentials in Azure Key Vault, acquires tokens on behalf of your apps, and forwards the request to Microsoft Graph. Before the response reaches your application, GraphWarden applies your filtering rules: stripping unauthorized properties, removing objects outside the allowed scope, and transforming sensitive data.

Your applications never see the real Graph credentials. Your applications never receive data they are not authorized to access. And every call is logged with complete context for compliance and audit.

Key Features

11 Condition Types

The rule engine evaluates requests against 11 different condition types: application ID, HTTP method, endpoint pattern, AAD group membership, IP range, time window, query parameters, custom headers, request body content, response size thresholds, and composite conditions that combine multiple checks with AND/OR logic. Rules are defined in a single YAML file - readable, version-controllable, and auditable.

9 Data Transforms

Not every use case requires blocking or stripping data entirely. Sometimes you need to return a modified version. GraphWarden offers nine transform types that protect sensitive data while preserving utility: mask, redact, hash, initials, truncate, noise, regex_replace, domain_only, and constant replacement. A CRM that needs to know a user's email domain but not their full address? Apply the domain_only transform and the response returns ***@contoso.com instead of the full email.

What-If Simulator

Before deploying a new rule to production, test it against live Graph data in the What-If Simulator. See exactly which objects would be returned, which would be filtered out, and which properties would be stripped or transformed - all without affecting production traffic.

Real-Time Dashboards

The SaaS management dashboard at app.graphwarden.com provides a centralized view of all Graph API activity across your tenants. Monitor request volumes, rule triggers, blocked calls, cache hit rates, and response times in real time. Six built-in alert types cover brute force detection, orphaned identities, expiring secrets, sync timeouts, block spikes, and anomalous access patterns.

Graph Explorer

An interactive API browser built into the dashboard lets you explore Graph endpoints, visualize rule impact, and understand exactly what each application can access through the proxy. This is invaluable for onboarding new applications and debugging access issues.

How It Works

GraphWarden deploys as a self-contained Windows executable (.NET 8). No runtime dependencies to install. The setup has four steps:

  1. Download the single executable (~90 MB) to your server.
  2. Configure Entra ID. Create an App Registration with the Graph permissions your applications need. Store the client ID and secret in Azure Key Vault.
  3. Define your rules. Write a YAML file that specifies, per application, which endpoints, methods, objects, and properties are allowed.
  4. Install as a service. One PowerShell command installs GraphWarden as a Windows service, ready for production.

Migrating an application is minimal. For PowerShell scripts, change the token endpoint URL and the Graph base URL - two lines. For .NET applications using MSAL, swap the token acquisition for a simple HTTP POST to the proxy endpoint. The rest of your code stays exactly the same.

The management dashboard runs as a SaaS service, while the proxy agent runs entirely in your environment. Your Microsoft 365 data never leaves your infrastructure. This hybrid model gives you central management with complete data sovereignty.

Deploy in Under 60 Minutes

We designed GraphWarden to be deployed by a single IT administrator in under an hour. There are no complex integrations, no agent deployments to dozens of machines, and no SDK changes in your applications. The proxy sits on one server, your applications point at it, and you start seeing results immediately.

Once deployed, you gain instant visibility into every Graph API call in your environment. You see which apps call which endpoints, how often, and how much data they receive. For many organizations, this visibility alone is worth the deployment - it answers questions that no existing tool can.

From there, you incrementally tighten policies. Start with log_only mode to observe traffic without blocking anything. Then add property filters to strip sensitive data. Then scope object access by group membership. Each step reduces your attack surface without breaking any application.

Join the Beta

GraphWarden is entering beta and we are working with a select group of design partners. If your organization relies on Microsoft Graph API and you want to close the governance gap between what your apps need and what they can access, we want to hear from you.

Design partners get early access to the platform, direct support from the engineering team, and influence over the roadmap. Whether you have 5 Graph-integrated applications or 500, GraphWarden scales to fit your environment.

Request a Demo

Or read the technical documentation to see exactly how GraphWarden works under the hood.