Manage Microsoft Entra identity and network access by using Microsoft Graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

With Microsoft Graph, you can manage identity and network access capabilities, most of which are available through Microsoft Entra. The APIs in Microsoft Graph help you to automate identity and network access management tasks and integrate with any application, and are the programmatic alternative to the administrator portals such as the Microsoft Entra admin center.

Microsoft Entra is a family of identity and network access capabilities that are available in the following products. All these capabilities are available through Microsoft Graph APIs:

  • Microsoft Entra ID that groups identity and access management (IAM) capabilities.
  • Microsoft Entra ID Governance
  • Microsoft Entra External ID
  • Microsoft Entra Verified ID
  • Microsoft Entra Permissions Management
  • Microsoft Entra Internet Access and Network Access

Manage user identities

Users are the main identities in any identity and access solution. You can manage the entire lifecycle of users in your organization, and their entitlements like licenses or group memberships, using Microsoft Graph APIs. For more information, see Working with users in Microsoft Graph.

Manage groups

Groups are the containers that allow you to efficiently manage the entitlements for identities as a unit. For example, through a group, you can grant users access to a resource, such as a SharePoint site. Or you can grant them licenses to use a service. For more information, see Working with groups in Microsoft Graph.

Manage applications

You can use Microsoft Graph APIs to register and manage your applications programmatically, enabling you to use Microsoft's IAM capabilities. For more information, see Manage Microsoft Entra applications and service principals by using Microsoft Graph.


Tenant administration or directory management

A core functionality of identity and access management is managing your tenant configuration, administrative roles, and settings. Microsoft Graph provides APIs to manage your Microsoft Entra tenant for the following scenarios:

Use cases API operations
Manage administrative units including the following operations:
  • Create administrative units
  • Create and manage members and membership rules of administrative units
  • Assign administrator roles that are scoped to administrative units
  • administrativeUnit resource type and its associated APIs
    Retrieve BitLocker recovery keys bitlockerRecoveryKey resource type and its associated APIs
    Monitor licenses and subscriptions for the tenant
  • companySubscription resource type and its associated APIs
  • subscribedSku resource type and its associated APIs
  • Manage custom security attributes See Overview of custom security attributes using the Microsoft Graph API
    Manage deleted directory objects. The functionality to store deleted objects in a "recycle bin" is supported for the following objects:
  • Administrative units
  • Applications
  • External user profiles
  • Groups
  • Pending external user profiles
  • Service principals
  • Users
  • Get or List deleted objects
  • Permanently delete a deleted object
  • Restore a deleted item
  • List deleted items owned by user
  • Manage devices in the cloud device resource type and its associated APIs
    View local administrator credential information for all device objects in Microsoft Entra ID that are enabled with Local Admin Password Solution (LAPS). This feature is the cloud-based LAPS solution deviceLocalCredentialInfo resource type and its associated APIs
    Directory objects are the core objects in Microsoft Entra ID, such as users, groups, and applications. You can use the directoryObject resource type and its associated APIs to check memberships of directory objects, track changes for multiple directory objects, or validate that a Microsoft 365 group's display name or mail nickname complies with naming policies directoryObject resource type and its associated APIs
    Administrator roles, including Microsoft Entra administrator roles, are one of the most sensitive resources in a tenant. You can manage the lifecycle of their assignment in the tenant, including creating custom roles, assigning roles, tracking changes to role assignments, and removing assignees from roles directoryRole resource type and directoryRoleTemplate resource typeand their associated APIs

    roleManagement resource type and its associated APIs

    These APIs allow you to make direct role assignments. Alternatively, you can use Privileged Identity Management APIs for Microsoft Entra roles and groups to make just-in-time and time-bound role assignments, instead of direct forever active assignments.
    Define the following configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior.
  • Settings for Microsoft 365 groups such as guest user access, classifications, and naming policies
  • Password rule settings such as banned password lists and lockout duration
  • Prohibited names for applications, reserved words, and blocking trademark violations
  • Custom conditional access policy URL
  • Consent policies such as user consent requests, group-specific consent, and consent for risky apps
  • directorySetting resource type and directorySettingTemplate resource type and their associated APIs

    For more information, see Overview of group settings.
    Domain management operations such as:
  • associating a domain with your tenant
  • retrieving DNS records
  • verifying domain ownership
  • associating specific services with specific domains
  • deleting domains
  • domain resource type and its associated APIs
    Manage the profile objects for external users that you're invited to collaborate via Teams. These APIs aren't similar to the invitation APIs for Microsoft Entra External ID B2B collaboration externalUserProfile resource type and pendingExternalUserProfile resource type and their associated APIs
    Configure and manage staged rollout of specific Microsoft Entra ID features featureRolloutPolicy resource type and its associated APIs
    Manage the policies for Mobile Device Management (MDM) and Mobile Application Management (MAM) autoenrollment for Microsoft Entra joined and registered devices mobilityManagementPolicy resource type and its associated APIs
    Configure options that are available in Microsoft Entra Cloud Sync such as preventing accidental deletions and managing group writebacks. onPremisesDirectorySynchronization resource type and its associated APIs
    Manage the base settings for your Microsoft Entra tenant organization resource type and its associated APIs
    Manage the tenant-wide settings for your Microsoft Entra tenant, such as whether people and item insights are enabled for the organization organizationSettings resource type and its associated APIs
    Retrieve the organizational contacts that might be synchronized from on-premises directories or from Exchange Online orgContact resource type and its associated APIs
    Discover the basic details of other Microsoft Entra tenants by querying using the tenant ID or the domain name tenantInformation resource type and its associated APIs
    Configure trusted certificate authorities for certificates that can be assigned to apps and service principals in the tenant. certificateBasedApplicationConfiguration resource type and its associated APIs
    Manage the delegated permissions and their assignments to service principals in the tenant oAuth2PermissionGrant resource type and its associated APIs

    Identity and sign-in

    Use cases API operations
    Configure listeners that monitor events that should trigger or invoke custom logic, typically defined outside Microsoft Entra ID authenticationEventListener resource type and its associated APIs
    Manage authentication methods that are supported in Microsoft Entra ID See Microsoft Entra authentication methods API overview and Microsoft Entra authentication methods policies API overview
    Manage the authentication methods or combinations of authentication methods that you can apply as grant control in Microsoft Entra Conditional Access See Microsoft Entra authentication strengths API overview
    Manage tenant-wide authorization policies such as:
  • enable SSPR for administrator accounts
  • enable self-service join for guests
  • limit who can invite guests
  • whether users can consent to risky apps
  • block the use of MSOL
  • customize the default user permissions
  • identity private preview features enabled
  • Customize the guest user permissions between User, Guest User, and Restricted Guest User
  • authorizationPolicy resource type and its associated APIs
    Configure Continuous Access Evaluation (CAE), which allows access tokens to be revoked based on critical events and policy evaluation rather than relying on token expiry based on lifetime continuousAccessEvaluationPolicy resource type and its associated APIs
    Manage the policies for certificate-based authentication in the tenant certificateBasedAuthConfiguration resource type and its associated APIs
    Manage Microsoft Entra conditional access policies conditionalAccessRoot resource type and its associated APIs
    Manage cross-tenant access settings and manage outbound restrictions, inbound restrictions, tenant restrictions, and cross-tenant synchronization of users in multitenant organizations See Cross-tenant access settings API overview
    Manage the user profiles that are shared with you or external tenants using B2B direct connect, including removing and exporting personal data inboundSharedUserProfile resource type and outboundSharedUserProfile resource type and their associated APIs
    Configure how and which external systems interact with Microsoft Entra ID during a user authentication session customAuthenticationExtension resource type and its associated APIs
    Manage requests against user data in the organization, such as exporting personal data dataPolicyOperation resource type and its associated APIs
    Configure the policies for managing Microsoft Entra join and Microsoft Entra register devices deviceRegistrationPolicy resource type and its associated APIs
    Manage the tenant-wide policy that controls whether external users can leave a Microsoft Entra tenant via self-service controls, for example, through the organizations menu of the My Account portal externalIdentitiesPolicy resource type and its associated APIs
    Force autoacceleration sign-in to skip the username entry screen and automatically forward users to federated sign-in endpoints homeRealmDiscoveryPolicy resource type resource type and its associated APIs
    Detect, investigate, and remediate identity-based risks using Microsoft Entra ID Protection and feed the data into security information and event management (SIEM) tools for further investigation and correlation See Use the Microsoft Graph identity protection APIs
    Manage identity providers for Microsoft Entra ID, Microsoft Entra External ID, and Azure AD B2C tenants. You can perform the following operations:
  • Manage identity providers for external identities, including social identity providers, OIDC, Apple, SAML/WS-Fed, and built-in providers
  • Manage configuration for federated domains and token validation
  • identityProviderBase resource type and its associated APIs
    Invite external users to collaborate with your tenant by using Microsoft Entra External ID invitation resource type and its associated APIs
    Define a group of tenants belonging to your organization and streamline intra-organization cross-tenant collaboration See Multitenant organization API overview
    Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language organizationalBranding resource type and its associated APIs
    Customize the UI/UX in Azure AD B2C using the Identity Experience Framework (IEF) trustFrameworkKeySet resource type and trustFrameworkPolicy resource type and their associated APIs
    User flows for Microsoft Entra External ID in workforce tenants The following resource types and their associated APIs:
  • b2xIdentityUserFlow to configure the base user flow and its properties such as identity providers
  • identityUserFlowAttribute to manage built-in and custom user flow attributes
  • identityUserFlowAttributeAssignment to manage user flow attribute assignments
  • userFlowLanguageConfiguration resource type to configure custom languages for user flows
  • User flows for Azure AD B2C The following resource types and their associated APIs:
  • b2cIdentityUserFlow to configure the base user flow and its properties such as identity providers
  • identityUserFlowAttribute to manage built-in and custom user flow attributes
  • identityUserFlowAttributeAssignment to manage user flow attribute assignments
  • userFlowLanguageConfiguration resource type to configure custom languages for user flows
  • User flows for Microsoft Entra External ID in external tenants The following resource types and their associated APIs:
  • authenticationEventsFlow resource type and its associated APIs
  • identityUserFlowAttribute to manage built-in and custom user flow attributes
  • Manage app consent policies and condition sets permissionGrantPolicy resource type
    Manage app consent preapproval policies permissionGrantPreApprovalPolicy resource type
    Enable or disable security defaults in Microsoft Entra ID identitySecurityDefaultsEnforcementPolicy resource type

    Identity governance

    For more information, see Overview of Microsoft Entra ID Governance using Microsoft Graph.

    Microsoft Entra External ID in external tenants

    The following API use cases ar supported to customize how users interact with your customer-facing applications. For administrators, most of the features available in Microsoft Entra ID and also supported for Microsoft Entra External ID in external tenants. For example, domain management, application management, and conditional access.

    Use cases API operations
    User flows for Microsoft Entra External ID in external tenants and self-service sign-up experiences authenticationEventsFlow resource type and its associated APIs
    Manage identity providers for Microsoft Entra External ID. You can identify the identity providers that are supported or configured in the tenant See identityProviderBase resource type and its associated APIs
    Configuring custom URL domains in Microsoft Entra External ID in external tenants The CustomUrlDomain value for the supportedServices property of domain resource type and its associated APIs
    Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language organizationalBranding resource type and its associated APIs
    Manage identity providers for Microsoft Entra External ID, such as social identities identityProviderBase resoruce type and its associated APIs
    Manage user profiles in Microsoft Entra External ID for customers For more information, see Default user permissions in customer tenants
    Add your own business logic to the authentication experiences by integrating with systems that are external to Microsoft Entra ID authenticationEventListener resource type and customAuthenticationExtension resource type and their associated APIs

    Multicloud permissions management

    For more information, see Discover, remediate, and monitor permissions in multicloud infrastructures using permissions management APIs.

    Network access management

    For more information, see Secure access to cloud, public, and private apps using Microsoft Graph network access APIs.

    Partner tenant management

    Microsoft Graph also provides the following identity and access capabilities for Microsoft partners in the Cloud Solution Provider (CSP), Value Added Reseller (VAR), or Advisor programs to help manage their customer tenants.

    Use cases API operations
    Manage contracts for the partner with its customers contract resource type and its associated APIs
    Microsoft partners can empower their customers to ensure the partners have least privileged access to their customers' tenants. This feature gives extra control to customers over their security posture while allowing them to receive support from the Microsoft resellers See Granular delegated admin privileges (GDAP) API overview
    Get detections and security alerts for unauthorized party abuse, account takeovers, and anomalous usage of Azure subscriptions in the customer tenants that you're responsible for. See Use the partner security alert API in Microsoft Graph

    Licensing

    Microsoft Entra licenses include Microsoft Entra ID Free, P1, P2, and Governance; Microsoft Entra Permissions Management; and Microsoft Entra Workload ID.

    For detailed information about licensing for different features, see Microsoft Entra ID licensing.