Property differences between Azure AD Graph and Microsoft Graph
This article is part of "Step 1: Review API differences" in the process to migrate apps.
In general, the best way to compare the Azure Active Directory (Azure AD) Graph API to Microsoft Graph is to compare the underlying metadata for each service, especially the resource descriptions, which are available through the following endpoints:
This article highlights property differences between resources. If a property isn't shown in this list, it's already available in the v1.0 version of Microsoft Graph, with exactly the same name as in Azure AD Graph.
Because the user and group resources are so frequently used, they're listed first. Other resources are listed alphabetically.
User property differences
The Azure AD Graph User resource inherits from DirectoryObject; in Microsoft Graph, it's user and inherits from directoryObject.
The Microsoft Graph v1.0 endpoint returns a limited set of user properties by default, while Azure AD Graph returns all properties. To read properties that aren't returned by default, specify them in a $select query. For more information, see the user resource type.
The following table lists the other property differences.
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
deletedTimestamp | beta - deletedDateTime v1.0 - deletedDateTime | |
dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled | |
facsimileTelephoneNumber | beta - faxNumber v1.0 - faxNumber | |
immutableId | beta - onPremisesImmutableId v1.0 - onPremisesImmutableId | |
isCompromised | beta - Not available v1.0 - Not available | The Microsoft Graph identity protection APIs provide more risk detection functionality. |
lastDirSyncDateTime | beta - onPremisesLastSyncDateTime v1.0 - onPremisesLastSyncDateTime | |
mobile | beta - mobilePhone v1.0 - mobilePhone | |
passwordProfile/enforceChangePasswordPolicy | beta - passwordProfile/forceChangePasswordNextSignIn v1.0 - passwordProfile/forceChangePasswordNextSignIn | |
passwordProfile/forceChangePasswordNextLogin | beta - passwordProfile/forceChangePasswordNextSignInWithMfa v1.0 - passwordProfile/forceChangePasswordNextSignInWithMfa | |
provisioningErrors | beta - Not available v1.0 - Not available | This property and its information are deprecated. However, a new property describing any AD Connect-related provisioning errors can be found in the onPremisesProvisioningErrors property. |
refreshTokensValidFromDateTime | beta - signinSessionsValidFromDateTime v1.0 - signinSessionsValidFromDateTime | |
signinNames | beta - identities/signInType v1.0 - identities/signInType | This property is now part of the objectIdentity resource. |
telephoneNumber | beta - businessPhones v1.0 - businessPhones | |
thumbnailPhoto | beta - photo, photos v1.0 - photo, photos | The Microsoft Entra thumbnail photo isn't available through Microsoft Graph. Use the photo API instead. |
userIdentities | beta - identities v1.0 - identities | For more information, see objectIdentity resource type. |
userState | beta - externalUserState v1.0 - externalUserState | |
userStateChangedOn | beta - externalUserStateChangeDateTime v1.0 - externalUserStateChangeDateTime | |
Group property differences
The Azure AD Graph Group resource inherits from DirectoryObject; in Microsoft Graph, it's group and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled | |
lastDirSyncDateTime | beta - onPremisesLastSyncDateTime v1.0 - onPremisesLastSyncDateTime | |
provisioningErrors | beta - Not available v1.0 - Not available | This property and its information are deprecated. However, a new property describing any AD Connect-related provisioning errors can be found in the onPremisesProvisioningErrors property. |
Application property differences
The Azure AD Graph Application resource inherits from DirectoryObject; in Microsoft Graph, it's application and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
acceptMappedClaims | beta - api/acceptMappedClaims v1.0 - api/acceptMappedClaims | acceptMappedClaims is now part of the new apiApplication resource. |
availableToOtherTenants | beta - signInAudience v1.0 - signInAudience | The default value in Azure AD Graph is false (meaning AzureADMyOrg), while the default in Microsoft Graph is AzureADandPersonalMicrosoftAccount. |
errorUrl | beta - not available v1.0 - not available | This property is deprecated. |
homepage | beta - web/homePageUrl v1.0 - web/homePageUrl | The property is now part of the new webApplication resource. |
informationalUrls | beta - info v1.0 - info | |
knownClientApplications | beta - api/knownClientApplications v1.0 - api/knownClientApplications | The collection is now part of the new apiApplication resource. |
logoutUrl | beta - web/logoutUrl v1.0 - web/logoutUrl | The property is now part of the webApplication resource. |
logoUrl | beta - info/logoUrl v1.0 - info/logoUrl | The property is now part of the new informationalUrl resource. |
mainLogo | beta - logo v1.0 - logo | |
oauth2AllowIdTokenImplicitFlow | beta - web/implicitGrantSettings/enableIdTokenIssuance v1.0 - web/implicitGrantSettings/enableIdTokenIssuance | Renamed, and now part of the new implicitGrantSettings resource. |
oauth2AllowImplicitFlow | beta - web/implicitGrantSettings/enableAccessTokenIssuance v1.0 - web/implicitGrantSettings/enableAccessTokenIssuance | Renamed, and now part of the new implicitGrantSettings resource. |
oauth2AllowUrlPathMatching | beta - not available v1.0 - not available | This property is deprecated. |
oauth2Permissions | beta - api/oauth2PermissionScopes v1.0 - api/oauth2PermissionScopes | Renamed and now part of the new apiApplication resource. |
publicClient | beta - isFallbackPublicClient v1.0 - isFallbackPublicClient | This property now has a new meaning: it contains the public client settings, such as redirectUris. Microsoft Entra ID determines whether the app is a public or confidential client, with the isFallbackPublicClient property handling the one special case that Microsoft Entra ID can't determine automatically. |
recordConsentConditions | beta - not available v1.0 - not available | This property is deprecated. |
replyUrls | beta - web/redirectUris, publicClient/redirectUris v1.0 - web/redirectUris, publicClient/redirectUris | In addition to being renamed, redirectUris is now part of the new webApplication and publicClient complex types. This grouping allows developers to use specific URIs for their web and public clients (such as an installed application on a desktop device). |
samlMetadataUrl | beta - samlMetadataUrl v1.0 - Not yet available | |
serviceEndpoints | beta - Not available v1.0 - Not available | This property is deprecated, but is available in the servicePrincipal entity. |
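
The following Python is an added example (not Microsoft's code) that re-shapes an exported Azure AD Graph application object into the Microsoft Graph v1.0 layout from the table above and always writes signInAudience explicitly, because the two APIs default differently. Assumptions: the names to_graph_layout, set_path, and SAMPLE are hypothetical; AzureADMultipleOrgs as the value for availableToOtherTenants = true, and placing a public client's replyUrls under publicClient/redirectUris, are not stated on this page.

```python
# Renames from the Application table above (Microsoft Graph v1.0 paths).
RENAMES = {
    "acceptMappedClaims": "api/acceptMappedClaims",
    "homepage": "web/homePageUrl",
    "knownClientApplications": "api/knownClientApplications",
    "logoutUrl": "web/logoutUrl",
    "logoUrl": "info/logoUrl",
    "mainLogo": "logo",
    "oauth2AllowIdTokenImplicitFlow": "web/implicitGrantSettings/enableIdTokenIssuance",
    "oauth2AllowImplicitFlow": "web/implicitGrantSettings/enableAccessTokenIssuance",
    "oauth2Permissions": "api/oauth2PermissionScopes",
    "publicClient": "isFallbackPublicClient",
}
# Left out: deprecated or not in v1.0 per the table; informationalUrls needs manual review.
LEFT_OUT = {"errorUrl", "oauth2AllowUrlPathMatching", "recordConsentConditions",
            "samlMetadataUrl", "serviceEndpoints", "informationalUrls"}

def set_path(body, path, value):
    """Set a slash-separated path such as web/redirectUris in a nested dict."""
    *parents, leaf = path.split("/")
    for key in parents:
        body = body.setdefault(key, {})
    body[leaf] = value

def to_graph_layout(aad_app):
    """Return (application in v1.0 layout, sorted names that were left out)."""
    body, left_out = {}, []
    for name, value in aad_app.items():
        if name in LEFT_OUT:
            left_out.append(name)
        elif name == "replyUrls":
            # Assumption: public clients keep their URIs under publicClient.
            parent = "publicClient" if aad_app.get("publicClient") else "web"
            set_path(body, parent + "/redirectUris", value)
        elif name != "availableToOtherTenants":
            set_path(body, RENAMES.get(name, name), value)
    # Always explicit: the two APIs default differently. AzureADMultipleOrgs is
    # an assumed value for true; it is not listed on this page.
    multi_tenant = aad_app.get("availableToOtherTenants", False)
    body["signInAudience"] = "AzureADMultipleOrgs" if multi_tenant else "AzureADMyOrg"
    return body, sorted(left_out)

# Constructed sample of an Azure AD Graph application object.
SAMPLE = {
    "displayName": "Contoso HR portal", "availableToOtherTenants": False,
    "homepage": "https://hr.contoso.example",
    "replyUrls": ["https://hr.contoso.example/auth"],
    "oauth2AllowImplicitFlow": True, "oauth2AllowUrlPathMatching": False,
}
```

Calling to_graph_layout(SAMPLE) returns the re-shaped object together with the list of properties that need a decision before migration, which makes implicit-flow and audience settings easy to review in one place.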
AppRoleAssignment differences
The Azure AD Graph AppRoleAssignment resource inherits from DirectoryObject; in Microsoft Graph, it's appRoleAssignment and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
creationTimestamp | beta - creationTimestamp v1.0 - createdDateTime | |
id | beta - appRoleId v1.0 - appRoleId | |
Contact property differences
The Azure AD Graph Contact resource inherits from DirectoryObject; in Microsoft Graph, it's orgContact and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
city | beta - postalAddresses/city v1.0 - postalAddresses/city | The city property is part of the physicalAddress resource. |
country | beta - postalAddresses/countryOrRegion v1.0 - postalAddresses/countryOrRegion | The countryOrRegion property is part of the physicalAddress resource. |
dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled | |
facsimileTelephoneNumber | beta - phones/businessFax v1.0 - phones/businessFax | Now part of the phone resource that supports various phone types. |
physicalDeliveryOfficeName | beta - officeLocation v1.0 - officeLocation | |
postalCode | beta - postalAddresses/postalCode v1.0 - postalAddresses/postalCode | The postalCode property is part of the physicalAddress resource. |
provisioningErrors | beta - not available v1.0 - not available | This property and its information are deprecated. However, a new property describing any AD Connect-related provisioning errors can be found in the onPremisesProvisioningErrors property. |
sipProxyAddress | beta - imAddresses v1.0 - imAddresses | |
state | beta - postalAddresses/state v1.0 - postalAddresses/state | The state property is part of the physicalAddress resource. |
streetAddress | beta - postalAddresses/street v1.0 - postalAddresses/street | The street property is part of the physicalAddress resource. |
telephoneNumber | beta - phones/business v1.0 - phones/business | Now part of the phone resource that supports various phone types. |
thumbnailPhoto | beta - Not yet available v1.0 - Not yet available | |
Contract property differences
The Azure AD Graph Contract resource inherits from DirectoryObject; in Microsoft Graph, it's contract and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
customerContextId | beta - customerId v1.0 - customerId | |
Device property differences
The Azure AD Graph Device resource inherits from DirectoryObject; in Microsoft Graph, it's device and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
approximateLastLogonTimestamp | beta - approximateLastSignInDateTime v1.0 - approximateLastSignInDateTime | |
complianceExpiryTime | beta - complianceExpirationDateTime v1.0 - complianceExpirationDateTime | |
deviceObjectVersion | beta - deviceVersion v1.0 - deviceVersion | |
deviceOSType | beta - operatingSystem v1.0 - operatingSystem | |
deviceOSVersion | beta - operatingSystemVersion v1.0 - operatingSystemVersion | |
devicePhysicalIds | beta - physicalIds v1.0 - physicalIds | |
deviceTrustType | beta - trustType v1.0 - trustType | |
dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled | |
lastDirSyncTime | beta - onPremisesLastSyncDateTime v1.0 - onPremisesLastSyncDateTime | |
DirectoryObject property differences
The Azure AD Graph DirectoryObject resource is directoryObject in Microsoft Graph. The changes to its properties are seen in other resources that inherit from DirectoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
deletionTimestamp | beta - deletedDateTime v1.0 - deletedDateTime | While deletionTimestamp was a DateTime type, deletedDateTime is a DateTimeOffset type. |
objectId | beta - id v1.0 - id | The id property in Microsoft Graph is inherited from the entity resource. |
objectType | beta - Not available v1.0 - Not available | This property isn't used in Microsoft Graph. Instead, Microsoft Graph returns the @odata.type property but only for APIs that might return objects of different types or derived types. For example, the List group members API might return members who are users, groups, service principals, organizational contacts, or devices. For users, the @odata.type is #microsoft.graph.user. |
DirectoryObjectReference property differences
The Azure AD Graph DirectoryObjectReference resource inherits from DirectoryObject; in Microsoft Graph, it's directoryObjectPartnerReference and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
externalContextId | beta - externalPartnerTenantId v1.0 - externalPartnerTenantId | |
Domain property differences
The Azure AD Graph Domain resource is domain in Microsoft Graph. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
name | beta - id v1.0 - id | In Microsoft Graph, the id property contains the domain name; the name property doesn't exist. |
forceDeleteState | beta - state v1.0 - state | In Azure AD Graph, there are separate forceDelete and domain state properties. In Microsoft Graph, the state property handles all domain states. |
isDefaultForCloudRedirections | beta - Not yet available v1.0 - Not yet available | |
OAuth2PermissionsGrant property differences
The Azure AD Graph OAuth2PermissionsGrant resource is oAuth2PermissionsGrant in Microsoft Graph. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
expiryTime | beta - expiryTime v1.0 - Removed | This property isn't used and is removed in Microsoft Graph v1.0. |
startTime | beta - startTime v1.0 - Removed | This property isn't used and is removed in Microsoft Graph v1.0. |
Policy property differences
In Microsoft Graph, there are named policy types (such as tokenIssuancePolicy or tokenLifetimePolicy) rather than a generic policy resource type. More details are available in the policy overview.
ServiceEndpoint property differences
The Azure AD Graph ServiceEndpoint resource inherits from DirectoryObject; in Microsoft Graph, it's endpoint and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
serviceId | beta - providerId v1.0 - providerId | |
serviceName | beta - providerName v1.0 - providerName | |
resourceId | beta - providerResourceId v1.0 - providerResourceId | |
ServicePrincipal property differences
The Azure AD Graph ServicePrincipal resource inherits from DirectoryObject; in Microsoft Graph, it's servicePrincipal and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
appOwnerTenantId | beta - appOwnerOrganizationId v1.0 - appOwnerOrganizationId | Renamed. |
informationalUrls | beta - info v1.0 - info | |
oauth2Permissions | beta - publishedPermissionScopes v1.0 - oauth2PermissionScopes | Renamed. |
preferredTokenSigningKeyEndDateTime | beta - Not yet available v1.0 - Not yet available | |
signInAudience | beta - Not yet available v1.0 - Not yet available | |
serviceEndpoints | beta - endpoint v1.0 - endpoint | Renamed. |
TenantDetails property differences
The Azure AD Graph TenantDetail resource inherits from DirectoryObject; in Microsoft Graph, it's organization and inherits from directoryObject. The properties differ as follows:
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
companyLastDirSyncTime | beta - onPremisesLastSyncDateTime v1.0 - onPremisesLastSyncDateTime | |
dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled | |
provisioningErrors | beta - Not available v1.0 - Not available | This property and its information are deprecated. |
telephoneNumber | beta - businessPhones v1.0 - businessPhones | |
TrustedCasForPasswordlessAuth property differences
The Azure AD Graph TrustedCasForPasswordlessAuth resource is certificateBasedAuthConfiguration. There are no property differences; however, there are differences in the certificateAuthority resource type used by the certificateAuthorities property.
CertificateAuthorityInformation property differences
The Azure AD Graph CertificateAuthorityInformation is certificateAuthority in Microsoft Graph. The following are the property differences.
Azure AD Graph (v1.6) property | Microsoft Graph property | Comments |
---|---|---|
authorityType | beta - isRootAuthority v1.0 - isRootAuthority | This property is now a Boolean. In Azure AD Graph, this property had to be set to either RootAuthority or IntermediateAuthority. In Microsoft Graph, setting the new property to true is equivalent to RootAuthority. |
crlDistributionPoint | beta - certificateRevocationListUrl v1.0 - certificateRevocationListUrl | |
deltaCrlDistributionPoint | beta - deltaCertificateRevocationListUrl v1.0 - deltaCertificateRevocationListUrl | |
trustedCertificate | beta - certificate v1.0 - deltaCertificateRevocationListUrl | |
trustedIssuer | beta - issuer v1.0 - issuer | |
trustedIssuerSki | beta - issuerSki v1.0 - issuerSki | |