Entity and complex type reference | Graph API reference
Applies to: Graph API | Azure Active Directory
This topic discusses the entities and complex types that are exposed by the Graph API.
The Graph API is an OData 3.0 compliant REST API that provides programmatic access to directory objects in Azure Active Directory, such as users, groups, organizational contacts, and applications.
This article applies to Azure AD Graph API. For similar info related to Microsoft Graph API, see Microsoft Graph REST API v1.0 overview.
Důležité
We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
Entity reference
Application Entity
Represents an application. Any application that outsources authentication to Azure AD must be registered in a directory. This involves telling Azure AD about your application, including the URL where it's located, the URL to send replies after authentication, the URI to identify your application, and more. For more information, see Basics of Registering an Application in Azure AD. Inherits from DirectoryObject.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
addIns | Collection(AddIn) | POST, GET, PATCH | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on. Notes: Requires version 1.6. |
appId | Edm.String in version 1.5 Edm.Guid in previous versions |
GET ($filter) | The unique identifier for the application. |
appRoles | Collection(AppRole) | POST, GET, PATCH | The collection of application roles that an application may declare. These roles can be assigned to users, groups or service principals. Notes: Requires version 1.5, not nullable. |
availableToOtherTenants | Edm.Boolean | POST, GET ($filter), PATCH | true if the application is shared with other tenants; otherwise, false. |
deletionTimestamp | Edm.DateTime | GET | The time at which the application was deleted from the tenant. If the application has not been deleted, returns null. Deleted applications can be read from the /deletedApplications resource collection. Inherited from DirectoryObject.Notes: Requires version 1.5 or newer. |
displayName | Edm.String | POST (Required), GET, PATCH | The display name for the application. |
errorUrl | Edm.String | POST, GET, PATCH | |
groupMembershipClaims | Edm.String | POST, GET, PATCH | A bitmask that configures the "groups" claim issued in a user or OAuth 2.0 access token that the application expects. The bitmask values are: 0: None, 1: Security groups and Azure AD roles, 2: Reserved, and 4: Reserved. Setting the bitmask to 7 will get all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of. Notes: Requires version 1.5. |
homepage | Edm.String | POST, GET, PATCH | The URL to the application's homepage. |
identifierUris | Collection(Edm.String) | POST, GET ($filter), PATCH | User-defined URI(s) that uniquely identify a Web application within its Azure AD tenant, or within a verified custom domain (see "Domains" tab in the Azure classic portal) if the application is multi-tenant. The first element is populated from the Web application's "APP ID URI” field if updated via the Azure classic portal (or respective Azure AD PowerShell cmdlet parameter). Additional URIs can be added via the application manifest; see Understanding the Azure AD Application Manifest for details. This collection is also used to populate the Web application's servicePrincipalNames collection. Notes: not nullable, the any operator is required for filter expressions on multi-valued properties; for more information, see Supported Queries, Filters, and Paging Options. |
keyCredentials | Collection(KeyCredential) | POST, GET, PATCH | The collection of key credentials associated with the application Notes: not nullable |
knownClientApplications | Collection(Edm.Guid) | POST, GET, PATCH | Client applications that are tied to this resource application. Consent to any of the known client applications will result in implicit consent to the resource application through a combined consent dialog (showing the OAuth permission scopes required by the client and the resource). Notes: Requires version 1.5, not nullable. |
logoutUrl | Edm.String | POST, GET, PATCH | |
mainLogo | Edm.Stream | POST, GET, PATCH | The main logo for the application. Notes: not nullable |
oauth2AllowImplicitFlow | Edm.Boolean | POST, GET, PATCH | Specifies whether this web application can request OAuth2.0 implicit flow tokens. The default is false. Notes: Requires version 1.5, not nullable. |
oauth2AllowUrlPathMatching | Edm.Boolean | POST, GET, PATCH | Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow path matching of the redirect URI against the application's replyUrls. The default is false. Notes: Requires version 1.5, not nullable. |
oauth2Permissions | Collection(OAuth2Permission) | POST, GET, PATCH | The collection of OAuth 2.0 permission scopes that the web API (resource) application exposes to client applications. These permission scopes may be granted to client applications during consent. Notes: Requires version 1.5, not nullable. |
oauth2RequiredPostResponse | Edm.Guid | POST, GET, PATCH | Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests will be allowed. Notes: Requires version 1.5, not nullable. |
objectId | Edm.Guid | GET | The unique identifier for the application. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique |
objectType | Edm.String | GET | A string that identifies the object type. For applications the value is always "Application". Inherited from DirectoryObject. |
optionalClaims | OptionalClaims | POST, GET, PATCH | The optional claims returned in the token by the security token service for this specific app. |
passwordCredentials | Collection(PasswordCredential) | POST, GET, PATCH | The collection of password credentials associated with the application. Notes: not nullable |
publicClient | Edm.Boolean | POST, GET | Specifies whether this application is a public client (such as an installed application running on a mobile device). Default is false. |
recordConsentConditions | Edm.String | GET | Do not use. May be removed in future versions Notes: Requires version 1.6. |
replyUrls | Collection(Edm.String) | POST, GET, PATCH | Specifies the URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to. Notes: not nullable |
requiredResourceAccess | Collection(RequiredResourceAccess) | POST, GET, PATCH | Specifies resources that this application requires access to and the set of OAuth permission scopes and application roles that it needs under each of those resources. This pre-configuration of required resource access drives the consent experience. Notes: Requires version 1.5, not nullable. |
samlMetadataUrl | Edm.String | POST, GET, PATCH | The URL to the SAML metadata for the application. |
Navigation Properties
Name | To | Multiplicity (From/To) |
Description |
---|---|---|---|
extensionProperties | ExtensionProperty | */* | The extension properties associated with the application. Requires 1.5 or newer. |
owners | DirectoryObject | */* | Directory objects that are owners of the application. The owners are a set of non-admin users who are allowed to modify this object. Requires version 2013-11-08 or newer. Inherited from DirectoryObject. |
policies | Policy | */* | Policies assigned to the application. |
serviceEndpoints | ServiceEndpoint | 1/* | Service endpoints available for discovery. For more information, see the ServiceEndpoint topic. HTTP Methods: POST, GET, and DELETE. Requires version 1.6 or newer. |
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on applications (HTTP methods are listed in parentheses):
- Create (POST)
- Read (GET)
- Update (PATCH)
- Delete (DELETE)
The following operations are supported on application navigation properties. Not all operations may be supported on every navigation property.
- Read (GET)
- Update (POST)
- Delete (DELETE)
The following action may be called on applications.
- restore to restore a deleted application. Requires version 1.5 or newer.
AppRoleAssignment Entity
Used to record when a user or group is assigned to an application. In this case, the role assignment will result in an application tile showing up on the user's app access panel. This entity may also be used to grant another application (modeled as a service principal) access to a resource application in a particular role. You can create, read, update, and delete role assignments. Inherits from DirectoryObject.
Important: Introduced in version 1.5.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
creationTimestamp | Edm.DateTime | GET | The time when the grant was created. |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for app role assignment and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
id | Edm.Guid | POST (Required), GET, PATCH | The role id that was assigned to the principal. This role must be declared by the target resource application resourceId in its appRoles property. Where the resource does not declare any permissions, a default id (zero GUID) must be specified. Notes: not nullable. |
principalDisplayName | Edm.String | GET | The display name of the principal that was granted the access. |
objectId | Edm.String | GET | The unique identifier for the application role assignment. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For application role assignments the value is always "AppRoleAssignment". Inherited from DirectoryObject. |
principalId | Edm.Guid | POST (Required), GET, PATCH | The unique identifier (objectId) for the principal being granted the access. Notes: required. |
principalType | Edm.String | GET | The type of principal. This can either be "User", "Group" or "ServicePrincipal". |
resourceDisplayName | Edm.String | GET | The display name of the resource to which the assignment was made. |
resourceId | Edm.Guid | POST (Required), GET, PATCH | The unique identifier (objectId) for the target resource (service principal) for which the assignment was made. |
Navigation Properties
None.
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Contact Entity
Represents an organizational contact. Inherits from DirectoryObject.
Organizational contacts represent users that are not in your company directory. They are mail-enabled entities and typically represent individuals who are external to your company or organization. Organizational contacts cannot be authenticated using Azure AD, nor can they be assigned licenses.
Organizational contacts can be created in your tenant through syncing with an on-premises directory using Azure AD Connect, or they can be created through one of the Exchange Online management portals or the Exchange Online PowerShell cmdlets. For more information about Azure AD Connect, see Integrating your on-premises identities with Azure Active Directory. For more information about Exchange Online management tools, see Exchange Online Setup and Administration.
You cannot create organizational contacts with the Graph API. You can, however, update and delete contacts that are not currently synced from an on-premises directory; that is, contacts for which the dirSyncEnabled property is null or false. You cannot update or delete contacts for which the dirSyncEnabled property is true.
Note: Organizational contacts are directory entities, which represent external users. They should not be confused with O365 Outlook Personal contacts.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
city | Edm.String | GET ($filter), PATCH | The city in which the contact is located. |
country | Edm.String | GET ($filter), PATCH | The country/region in which the contact is located. |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for contacts and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
department | Edm.String | GET ($filter), PATCH | The name for the department in which the contact works. |
dirSyncEnabled | Edm.Boolean | GET ($filter) | true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). |
displayName | Edm.String | GET ($filter), PATCH | The display name for the contact. |
facsimileTelephoneNumber | Edm.String | GET, PATCH | The telephone number of the contact's business fax machine. |
givenName | Edm.String | GET ($filter), PATCH | The given name (first name) of the contact. |
jobTitle | Edm.String | GET ($filter), PATCH | The contact's job title. |
lastDirSyncTime | Edm.DateTime | GET ($filter) | Indicates the last time at which the object was synced with the on-premises directory. |
Edm.String | GET ($filter) | The SMTP address for the contact, for example, "jeff@contoso.onmicrosoft.com". | |
mailNickname | Edm.String | GET ($filter), PATCH | The mail alias for the contact. |
mobile | Edm.String | GET, PATCH | The primary cellular telephone number for the contact. |
objectId | Edm.String | GET | The unique identifier for the contact. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For contacts the value is always "Contact". Inherited from DirectoryObject. |
physicalDeliveryOfficeName | Edm.String | GET, PATCH | The office location in the contact's place of business. |
postalCode | Edm.String | GET, PATCH | The postal code for the contact's postal address. The postal code is specific to the contact's country/region. In the United States of America, this attribute contains the ZIP code. |
provisioningErrors | Collection(ProvisioningError) | GET, PATCH | A collection of error details that are preventing this contact from being provisioned successfully. Note: not nullable |
proxyAddresses | Collection(Edm.String) | GET ($filter) | Note: unique, not nullable, the any operator is required for filter expressions on multi-valued properties; for more information, see Supported Queries, Filters, and Paging Options. |
sipProxyAddress | Edm.String | GET | Specifies the voice over IP (VOIP) session initiation protocol (SIP) address for the contact. Notes: Requires version 1.5 or newer. |
state | Edm.String | GET ($filter), PATCH | The state or province in the contact's address. |
streetAddress | Edm.String | GET, PATCH | The street address of the contact's place of business. |
surname | Edm.String | GET ($filter), PATCH | The contact's surname (family name or last name). |
telephoneNumber | Edm.String | GET, PATCH | The primary telephone number of the contact's place of business. |
thumbnailPhoto | Edm.Stream | GET, PATCH | A thumbnail photo to be displayed for the contact. Note: not nullable |
Navigation Properties
Name | To | Multiplicity (From/To) |
Description |
---|---|---|---|
manager | DirectoryObject (Only User and Contact objects are supported.) |
*/0..1 | The user or contact that is this contact's manager. Inherited from DirectoryObject. HTTP Methods: GET, PUT, DELETE |
directReports | DirectoryObject (Only User and Contact objects are supported.) |
*/* | The contact's direct reports. (The users and contacts that have their manager property set to this contact.) Inherited from DirectoryObject. HTTP Methods: GET |
memberOf | DirectoryObject (Only Group objects are supported.) |
*/* | Groups that this contact is a member of. Inherited from DirectoryObject. HTTP Methods: GET |
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on contacts (the HTTP method used for each is in parentheses):
- Read (GET)
- Update (PATCH): only contacts that are not synced from an on-premises directory (dirSyncEnabled is null or false).
- Delete (DELETE)
The following operations are supported on contact navigation properties; not all operations may be supported on every navigation property.
- Read (GET)
- Update (PUT): manager property, only on contacts that are not synced from an on-premises directory (dirSyncEnabled is null or false).
- Delete (DELETE): manager property, only on contacts that are not synced from an on-premises directory (dirSyncEnabled is null or false).
The following actions and functions may be called on contacts:
- checkMemberGroups to check a contact’s membership in a list of groups. The check is transitive.
- getMemberGroups to return a list of the groups that a contact is a member of. The check is transitive.
- isMemberOf to check whether a contact is a member of a specified group. The check is transitive.
Remarks
Contacts are mail-enabled entities and cannot be created by using the Graph API. They can be updated; however, update is only supported for contacts with the dirSyncEnabled property set null or false. Contacts can be deleted.
Contract Entity
Exists in Partner Tenants only. Partner Tenants are Azure AD tenants that belong to Microsoft Partners who are either part of Office 365 Syndication, Microsoft Cloud Solution Provider, or Microsoft Advisor partner programs. Represents an existing partnership that the Partner Tenant has with a Customer Tenant. Read-only. Inherits from DirectoryObject.
Important: Introduced in version 1.5.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
contractType | Edm.String | GET | Type of the contract. Possible values are:
|
customerContextId | Edm.Guid | GET ($filter) | The unique identifier for the customer tenant referenced by this partnership. Corresponds to the objectId property of the customer tenant's TenantDetail object. |
defaultDomainName | Edm.String | GET ($filter) | A copy of the customer tenant's default domain name. The copy is made when the partnership with the customer is established. It is not automatically updated if the customer tenant's default domain name changes. |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for contracts and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
displayName | Edm.String | GET ($filter) | A copy of the customer tenant's display name. The copy is made when the partnership with the customer is established. It is not automatically updated if the customer tenant's display name changes. |
objectType | Edm.String | GET | A string that identifies the object type. The value is always “Contract”. Inherited from DirectoryObject. |
objectId | Edm.String | GET | The unique identifier for the partnership. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
Navigation Properties
None.
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on contracts (the HTTP method used for each is in parentheses):
- Read (GET)
Device Entity
Represents a device registered in the directory. Inherits from DirectoryObject.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
accountEnabled | Edm.Boolean | POST (required), GET ($filter), PATCH | true if the account is enabled; otherwise, false. Default is true. |
alternativeSecurityIds | Collection(AlternativeSecurityId) | POST (required), GET ($filter), PATCH | Notes: For internal use only. Not nullable, the any operator is required for filter expressions on multi-valued properties; for more information, see Supported Queries, Filters, and Paging Options. |
approximateLastLogonTimeStamp | Edm.DateTime | POST, GET, PATCH | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Read-only. |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for devices and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
deviceId | Edm.Guid | POST (Required), GET ($filter), PATCH | Unique identifier set by Azure Device Registration Service at the time of registration. |
deviceObjectVersion | Edm.Int32 | POST, GET, PATCH | For internal use only. |
deviceOSType | Edm.String | POST (Required), GET, PATCH | The type of operating system on the device. Required. |
deviceOSVersion | Edm.String | POST (Required), GET, PATCH | The version of the operating system on the device. Required. |
devicePhysicalIds | Collection(Edm.String) | POST, GET ($filter), PATCH | Notes: For internal use. Not nullable. |
dirSyncEnabled | Edm.Boolean | GET ($filter) | true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). |
displayName | Edm.String | POST (Required), GET ($filter), PATCH | The display name for the device. Required. |
isCompliant | Edm.Boolean | POST, GET, PATCH | true if the device complies with Mobile Device Management (MDM) policies; otherwise, false. This can only be updated by Intune for any device OS type or by an approved MDM app for Windows OS devices. |
IsManaged | Edm.Boolean | POST, GET, PATCH | true if the device is managed by a Mobile Device Management (MDM) app such as Intune; otherwise, false. This can only be updated by Intune for any device OS type or by an approved MDM app for Windows OS devices. |
lastDirSyncTime | Edm.DateTime | GET ($filter) | The last time at which the object was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Read-only. |
objectId | Edm.String | GET | The unique identifier for the device. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique, read-only |
objectType | Edm.String | GET | A string that identifies the object type. For devices the value is always "Device". Inherited from DirectoryObject |
Navigation Properties
Name | To | Multiplicity (From/To) |
Description |
---|---|---|---|
registeredOwners | User | */* | Users that are registered owners of the device. |
registeredUsers | User | */* | Users that are registered users of the device. |
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on devices (HTTP methods are listed in parentheses):
- Create (CREATE)
- Read (GET)
- Update (PATCH)
- Delete (DELETE)
The following operations are supported on device navigation properties. Not all operations may be supported on every navigation property.
- Read (GET)
- Update (PUT)
- Delete (DELETE)
No functions or actions are supported on devices.
DirectoryLinkChange Entity
A DirectoryLinkChange object is returned in the result set of a differential query to indicate that a property of a contact, a user, or a group that is represented by a link has changed since the last differential query. The DirectoryLinkChange object will represent a change to a user’s or contact’s manager property or a change to a group’s members property. For more information about differential queries, see Differential Query. Inherits from DirectoryObject.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
associationType | Edm.String | GET | A string that identifies the association type to which the change applies. The value is either "Member" or "Manager". |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for directory link change objects and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
objectId | Edm.String | GET | The unique identifier for the directory link change object. For DirectoryLinkChange objects, the value is always 00000000-0000-0000-0000-000000000000. Inherited from DirectoryObject. Note: key immutable, not nullable, unique |
objectType | Edm.String | GET | A string that identifies the object type. For DirectoryLinkChange objects, the value is always "DirectoryLinkChange". DirectoryObject |
sourceObjectId | Edm.String | GET | The object ID for the source object; for example, "7373b0af-d462-406e-ad26-f2bc96d823d8". |
sourceObjectType | Edm.String | GET | A string that identifies the source object type; this will be one of the following: "Group", "User", or "Contact". |
sourceObjectUri | Edm.String | GET | The URI for the source object; for example, "https://graph.windows.net/contoso.com/groups/7373b0af-d462-406e-ad26-f2bc96d823d8" . |
targetObjectId | Edm.String | GET | The object ID for the target object; for example, "dca803ab-bf26-4753-bf20-e1c56a9c34e2". |
targetObjectType | Edm.String | GET | A string that identifies the source object type; this will be one of the following: "Group", "User", or "Contact". |
targetObjectUri | Edm.String | GET | The URI for the target object; for example, "https://graph.windows.net/contoso.com/users/dca803ab-bf26-4753-bf20-e1c56a9c34e2" . |
Navigation Properties
None.
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
DirectoryObject Entity
Represents an Azure Active Directory object. The DirectoryObject type is the base type for most of the other directory entity types.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
deletionTimestamp | Edm.DateTime | GET | The time at which the directory object was deleted. It only applies to those directory objects which can be restored. Currently it is only supported for deleted Application objects; all other entities return null for this property. Notes: Requires version 1.5 or newer. |
objectId | Edm.String | GET | A Guid that is the unique identifier for the object; for example, 12345678-9abc-def0-1234-56789abcde. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For example, for groups the value is always "Group". |
Navigation Properties
Name | To | Multiplicity (From/To) |
Description |
---|---|---|---|
createdObjects | DirectoryObject | */* | The directory objects that were created by the current object. Read only. Requires version 2013-11-08 or newer. |
createdOnBehalfOf | DirectoryObject | */0..1 | The directory object that that this object was created on behalf of. Read only. Requires version 2013-11-08 or newer. |
manager | DirectoryObject | */0..1 | This object's manager. Valid on users and contacts. Returns a user or a contact. |
directReports | DirectoryObject | */* | Users and contacts that report to this object. Valid on users and contacts. Returns users and contacts. Read only. |
members | DirectoryObject | */* | Objects that are members of this object. Valid on groups and roles. On groups, returns contacts, users, and groups. On roles, returns users and service principals. |
memberOf | DirectoryObject | */* | Objects that this object is a member of. Valid on contacts, groups, service principals, and users. On contacts, returns groups. On groups, returns groups. On users, returns groups and roles. On service principals, returns roles. Read only. The property is not transitive. For example, if User A is a member of Group B and Group B is a member of Group C, the memberOf property on User A will not return Group C. |
ownedObjects | DirectoryObject | */* | The directory objects that are owned by the current object. Read only. Requires version 2013-11-08 or newer. |
owners | DirectoryObject | */* | The directory objects that are owners of the current object. The owners are a set of non-admin users who are allowed to modify this object. Requires version 2013-11-08 or newer. |
Note: Not all navigation properties are necessarily valid on the entity types that inherit from DirectoryObject. If a request for a property that is not valid for a specific entity is sent, a 400 Bad Request response is returned. For more information about which navigation properties are valid on specific entities, consult the documentation for that entity type.
Supported Operations
The full set of operations that are supported on directory objects are the following (the HTTP method used for each is in parentheses): Create (POST), Read (GET), Update (PATCH), and Delete (DELETE). However, not all of these operations are supported on every entity type. The declared properties of directory object are read-only; they cannot be specified in create or update operations.
The potential set of operations supported on each of the navigation properties are:
- createdObjects: Read (GET).
- createdOnBehalfOf: Read (GET).
- manager: Read (GET), Update (PUT), and Delete (DELETE).
- directReports: Read (GET).
- members: Read (GET), Update (POST), and Delete (DELETE).
- memberOf: Read (GET).
- ownedObjects: Read (GET).
- owners: Read (GET), Update (POST), and Delete (DELETE).
Not all navigation properties are necessarily supported on every entity type, nor are the set of potential operations for a navigation property necessarily supported on every entity type.
Whether a particular directory object supports a particular action or function, depends on the type of the directory object (the objectType property). For information about which object types support which functions or actions, see the documentation of the particular object, for example, user, group, etc., or of a particular function.
Consult the documentation for the specific entity type for information about operations supported for an entity.
DirectoryRole Entity
Represents an Azure AD directory role. Azure AD directory roles are also known as administrator roles. For more information about directory (administrator) roles, see Assigning administrator roles in Azure AD.
With the Graph API, you can assign users and service principals to directory roles to grant them the permissions of the target role. You can read directory role objects and update the members navigation property of directory roles, but you cannot delete directory roles or update their declared properties. Inherits from DirectoryObject.
To read a directory role or update its members, it must first be activated in the tenant. In versions prior to 1.5, all directory roles are activated by default. Beginning with version 1.5, only the Company Administrators directory role is activated by default. To activate other available directory roles you send a POST request with the objectId of the DirectoryRoleTemplate on which the directory role is based. See Supported Operations and Remarks for more information.
Important: Beginning with version 1.5, the Role entity type is renamed to DirectoryRole.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
deletionTimestamp | Edm.DateTime | GET | This property is not valid for directory roles and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
description | Edm.String | GET | The description for the directory role. |
displayName | Edm.String | GET | The display name for the directory role. |
isSystem | Edm.Boolean | GET | true if the role is a system role; otherwise, false. |
objectId | Edm.String | GET | The unique identifier for the directory role. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For directory roles the value is always "DirectoryRole". Inherited from DirectoryObject. Note: In versions prior to 1.5, the value will be "Role". |
roleDisabled | Edm.Boolean | GET | true if the directory role is disabled; otherwise, false. |
roleTemplateId | String | POST (Required), GET | The objectId of the DirectoryRoleTemplate that this role is based on. Notes: In versions prior to version 1.5, the property is read only. In version 1.5 and later, the property must be specified when activating a directory role in a tenant with a POST operation. After the directory role has been activated, the property is read only. |
Navigation Properties
Name | To | Multiplicity (From/To) |
Description |
---|---|---|---|
members | DirectoryObject (User and ServicePrincipal are supported.) |
*/* | Users and service principals that are members of this directory role. Inherited from DirectoryObject. HTTP Methods: GET, POST, DELETE |
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on directory roles (the HTTP method used for each is in parentheses):
- Create (POST): Supported in version 1.5 and later. Activates a directory role in the tenant using the DirectoryRoleTemplate specified by the roleTemplateId property in the request. After the directory role is activated, you can add and delete users and service principals from the role.
- Read (GET)
The following operations are supported on directory role navigation properties:
- Read (GET)
- Update (POST)
- Delete (DELETE)
No functions or actions may be called on directory roles; however, you can call getMemberObjects on a User or ServicePrincipal to determine its directory role memberships. Note that for users, this function also returns its direct and transitive group memberships.
Remarks
- In version 1.5 and later, only the Company Adminstrators role is activated (and visible) in a tenant by default. Use the Create (POST) operation to activate additional directory roles. The operation specifies the roleTemplateId property in the request. This property contains the objectId of the DirectoryRoleTemplate instance that corresponds to the role you want to activate. After the directory role is activated you can add and delete users and service principals from it with the Graph API. In versions prior to 1.5, all directory roles (represented by the Role entity) are activated by default and the Create (POST) operation is not supported.
- Directory roles cannot be deleted using the Graph API. Updates are supported on the members navigation property only. Both add and remove are supported on this property.
- Query filter expressions are not supported on directory roles.
DirectoryRoleTemplate Entity
Represents a directory role template. A directory role template specifies the property values of a directory role (DirectoryRole). There is an associated directory role template object for each of the directory roles that may be activated in a tenant. Inherits from DirectoryObject.
To read a directory role or update its members, it must first be activated in the tenant. In versions prior to 1.5, all directory roles are activated by default. Beginning with version 1.5, only the Company Administrators directory role is activated by default. To activate other available directory roles you send a POST request to the /directoryRoles endpoint with the objectId of the directory role template on which the directory role is based specified in the roleTemplateId parameter of the request. For more information, see DirectoryRole.
Note: A directory role template is exposed for the Users directory role. The Users directory role is implicit and is not visible to directory clients. Every User in the tenant is assigned to this role by the infrastructure. The role is already activated. Do not use this template.
Important: Introduced in version 1.5.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
description | Edm.String | GET | The description to set for the directory role. |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for directory role templates and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
displayName | Edm.String | GET | The display name to set for the directory role. |
objectId | Edm.String | GET | The unique identifier for the template. Inherited from DirectoryObject. In version 1.5 and later, you specify the objectId of the directory role template for the roleTemplateId property in the POST request activate a DirectoryRole in a tenant. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For role templates the value is always "RoleTemplate". Inherited from DirectoryObject. |
Navigation Properties
None.
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on directory role templates (HTTP methods are listed in parentheses):
- read (GET)
Domain Entity
Represents a domain associated with the tenant.
Important: Only available in version beta.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
authenticationType | Edm.String | GET | Indicates what authentication type the domain is configured for. The value is either "Managed" or "Federated". |
availabilityStatus | Edm.String | GET | This property is always null except when the verify action is used. When the verify action is used, a Domain entity is returned in the response. The availabilityStatus property of the Domain entity in the response is either "AvailableImmediately" or "EmailVerifiedDomainTakeoverScheduled". |
isAdminManaged | Edm.Boolean | GET | false, if the DNS record management of the domain has been delegated to Office 365. Otherwise, true. Notes: not nullable |
isDefault | Edm.Boolean | GET, PATCH | Indicates whether or not this is the default domain that is used for user creation. There is only one default domain per company. Notes: not nullable |
isInitial | Edm.Boolean | GET | Indicates whether or not this is the initial domain created by Microsoft Online Services (companyname.onmicrosoft.com). There is only one initial domain per company. Notes: not nullable |
isRoot | Edm.Boolean | GET | For subdomains, this represents the root domain. Only root domains need to be verified, and all subdomains will be automatically verified. Notes: not nullable |
isVerified | Edm.Boolean | GET | Indicates whether this domain has completed domain ownership verification or not. Notes: not nullable |
name | Edm.String | POST (Required), GET ($filter) | The fully qualified name of the domain. Notes: key, immutable, not nullable, unique |
supportedServices | Collection(Edm.String) | GET, PATCH | The capabilities assigned to the domain. Can include 0, 1 or more of following values:
Most of these values are read-only. The values which you can add/remove using Graph API includes:
Notes: not nullable |
Navigation Properties
Name | To | Multiplicity (From/To) |
Description |
---|---|---|---|
serviceConfigurationRecords | DomainDnsRecord | */* | DNS records that the customer has to add to the DNS zone file of the domain before the domain can be used by Microsoft Online services. |
verificationDnsRecords | DomainDnsRecord | */* | DNS records that the customer has to add to the DNS zone file of the domain before the customer can complete domain ownership verification with Azure AD. |
DomainDnsRecord Entity
For each domain in the tenant, you may be required to add DNS record(s) to the DNS zone file of the domain before the domain can be used by Microsoft Online Services. The DomainDnsRecord entity is used to present such DNS records. Base entity for DomainDnsCnameRecord, DomainDnsMxRecord, DomainDnsSrvRecord and DomainDnsSrvRecord entities.
Important: Only available in version beta.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
dnsRecordId | Edm.Guid | GET | Unique identifier assigned to this entity. Notes: not nullable |
isOptional | Edm.Boolean | GET | Indicates whether this record must be configured by the customer at the DNS host for Microsoft Online Services to operate correctly with the domain. Notes: not nullable |
label | Edm.String | GET | Indicates the value to use when configuring the name of the DNS record at the DNS host. |
recordType | Edm.String | GET | Indicates what type of DNS record this entity represents. The value can be one of the following:
Notes: key |
supportedService | Edm.String | GET | Indicates which Microsoft Online Service or feature has a dependency on this DNS record. Can be one of the following values:
|
ttl | Edm.Int32 | GET | Indicates the value to use when configuring the time-to-live (ttl) property of the DNS record at the DNS host. Notes: not nullable |
DomainDnsCnameRecord Entity
Represents a CNAME record which needs to be added to the DNS zone file of a particular domain in the tenant. Inherited from DomainDnsRecord entity.
Important: Only available in version beta.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
canonicalName | Edm.String | GET | Indicates the value to use when configuring the canonical name of the CNAME record at the DNS host. |
dnsRecordId | Edm.Guid | GET | Unique identifier assigned to this entity. Notes: not nullable |
isOptional | Edm.Boolean | GET | Indicates whether this CNAME record must be configured by the customer at the DNS host for Microsoft Online Services to operate correctly with the domain. Notes: not nullable |
label | Edm.String | GET | Indicates the value to use when configuring the name of the CNAME record at the DNS host. |
recordType | Edm.String | GET | Indicates what type of DNS record this entity represents. The value is always "CName". Notes: key |
supportedService | Edm.String | GET | Indicates which Microsoft Online Service or feature has a dependency on this CNAME record. Can be one of the following values:
|
ttl | Edm.Int32 | GET | Indicates the value to use when configuring the time-to-live (ttl) property of the CNAME record at the DNS host. Notes: not nullable |
DomainDnsMxRecord Entity
Represents an MX record which needs to be added to the DNS zone file of a particular domain in the tenant. Inherited from DomainDnsRecord entity.
Important: Only available in version beta.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
dnsRecordId | Edm.Guid | GET | Unique identifier assigned to this entity. Notes: not nullable |
isOptional | Edm.Boolean | GET | Indicates whether this MX record must be configured by the customer at the DNS host for Microsoft Online Services to operate correctly with the domain. Notes: not nullable |
label | Edm.String | GET | Value to use when configuring the Alias/Host/Name property of the MX record at the DNS host. |
mailExchange | Edm.String | GET | Value to use when configuring the Answer/Destination/Value of the MX record at the DNS host. |
recordType | Edm.String | GET | Indicates what type of DNS record this entity represents. The value is always "Mx". Notes: key |
preference | Edm.Int32 | GET | Value to use when configuring the Preference/Priority property of the MX record at the DNS host. |
supportedService | Edm.String | GET | Indicates which Microsoft Online Service or feature has a dependency on this CNAME record. Can be one of the following values:
|
ttl | Edm.Int32 | GET | Value to use when configuring the time-to-live (ttl) property of the MX record at the DNS host. Notes: not nullable |
DomainDnsSrvRecord Entity
Represents an SRV record which needs to be added to the DNS zone file of a particular domain in the tenant. Inherited from DomainDnsRecord entity.
Important: Only available in version beta.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
dnsRecordId | Edm.Guid | GET | Unique identifier assigned to this entity. Notes: not nullable |
isOptional | Edm.Boolean | GET | Indicates whether this SRV record must be configured by the customer at the DNS host for Microsoft Online Services to operate correctly with the domain. Notes: not nullable |
label | Edm.String | GET | Value to use when configuring the Name property of the SRV record at the DNS host. |
nameTarget | Edm.String | GET | Value to use when configuring the Target property of the SRV record at the DNS host. |
port | Edm.Int32 | GET | Value to use when configuring the Port property of the SRV record at the DNS host. |
priority | Edm.Int32 | GET | Value to use when configuring the Priority property of the SRV record at the DNS host. |
protocol | Edm.String | GET | Value to use when configuring the Protocol property of the SRV record at the DNS host. |
recordType | Edm.String | GET | Indicates what type of DNS record this entity represents. The value is always "Srv". Notes: key |
Service | Edm.String | GET | Value to use when configuring the Service property of the SRV record at the DNS host. |
supportedService | Edm.String | GET | Indicates which Microsoft Online Service or feature has a dependency on this SRV record. Can be one of the following values:
|
ttl | Edm.Int32 | GET | Value to use when configuring the Time-To-Live property of the SRV record at the DNS host. Notes: not nullable |
weight | Edm.Int32 | GET | Value to use when configuring the Weight property of the SRV record at the DNS host. |
DomainDnsTxtRecord Entity
Represents a TXT record which needs to be added to the DNS zone file of a particular domain in the tenant. Inherited from DomainDnsRecord entity.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
dnsRecordId | Edm.Guid | GET | Unique identifier assigned to this entity. Notes: not nullable |
isOptional | Edm.Boolean | GET | Indicates whether this MX record must be configured by the customer at the DNS host for Microsoft Online Services to operate correctly with the domain. Notes: not nullable |
label | Edm.String | GET | Value to use when configuring the Alias/Host/Name property of the MX record at the DNS host. |
recordType | Edm.String | GET | Indicates what type of DNS record this entity represents. The value is always "Mx". Notes: key |
supportedService | Edm.String | GET | Indicates which Microsoft Online Service or feature has a dependency on this CNAME record. Can be one of the following values:
|
text | Edm.String | GET | |
ttl | Edm.Int32 | GET | Value (in seconds) to use when configuring the Time-To-Live property of the TXT record at the DNS host. Notes: not nullable |
DomainDnsUnavailableRecord Entity
Inherited from DomainDnsRecord entity. When you query for the navigation property serviceConfigurationRecords for a Domain entity, you may get back one or more DomainDnsCnameRecord, DomainDnsMxRecord, DomainDnsSrvRecord and/or DomainDnsTxtRecord entities. These entities indicate what DNS records you must add to the zone file of the domain, before the domain can be used by Microsoft Online Services. When it is not possible to generate such entities, a DomainDnsUnavailableRecord Entity is returned instead.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
description | Edm.String | GET | Provides the reason why the DomainDnsUnavailableRecord entity is returned. |
ExtensionProperty Entity
Allows an application to define and use a set of additional properties that can be added to directory objects (users, groups, tenant details, devices, applications, and service principals) without the application requiring an external data store. For more information about extension properties, see Directory Schema Extensions. Inherits from DirectoryObject.
Important: ExtensionProperty is introduced in version 1.5.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
appDisplayName | Edm.String | GET | |
dataType | Edm.String | POST, GET, PATCH | Specifies the type of the directory extension property being added. Supported types are: Integer, LargeInteger, DateTime (must be specified in ISO 8601 - DateTime is stored in UTC), Binary, Boolean, and String. |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for extension properties and always returns null. Inherited from DirectoryObject. |
objectId | Edm.String | GET | The unique identifier for the extension property. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For extension properties the value is always "ExtensionProperty". Inherited from DirectoryObject. |
name | Edm.String | POST, GET, PATCH | Specifies the display name for the directory extension property. Notes: not nullable. |
isSyncedFromOnPremises | Edm.Boolean | GET | Indicates whether the extension property is synced from the on premises directory. Notes: not nullable. |
targetObjects | Collection(Edm.String) | POST, GET, PATCH | The directory objects to which the directory extension property is being added. Supported directory entities that can be extended are: "User", "Group", "TenantDetail", "Device", "Application" and "ServicePrincipal" Notes: not nullable. |
Navigation Properties
None.
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Group Entity
Represents an Azure Active Directory Group. Inherits from DirectoryObject.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
deletionTimestamp | Edm.DateTime | GET | This property is not valid for groups and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
description | Edm.String | POST, GET, PATCH | An optional description for the group. |
dirSyncEnabled | Edm.Boolean | GET ($filter) | true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). |
displayName | Edm.String | POST (Required), GET ($filter), PATCH | The display name for the group. This property is required when a group is created and it cannot be cleared during updates. |
lastDirSyncTime | Edm.DateTime | GET ($filter) | Indicates the last time at which the object was synced with the on-premises directory. |
Edm.String | GET ($filter) | The SMTP address for the group, for example, "serviceadmins@contoso.onmicrosoft.com". | |
mailEnabled | Edm.Boolean | POST (Required), GET, PATCH | Specifies whether the group is mail-enabled. If the securityEnabled property is also true, the group is a mail-enabled security group; otherwise, the group is a Microsoft Exchange distribution group. Only (pure) security groups can be created using Azure AD Graph. For this reason, the property must be set false when creating a group and it cannot be updated using Azure AD Graph. |
mailNickname | Edm.String | POST (Required), GET ($filter), PATCH | The mail alias for the group. This property must be specified when a group is created. |
objectId | Edm.String | GET | The unique identifier for the group. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For groups the value is always "Group". Inherited from DirectoryObject. |
onPremisesSecurityIdentifier | String | GET | Contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud. Notes: Requires version 1.5 or newer. |
provisioningErrors | Collection(ProvisioningError) | GET | A collection of error details that are preventing this group from being provisioned successfully. Notes: not nullable. |
preferredLanguage | String | POST, GET, PATCH | The preferred language for an Office 365 group. Should follow ISO 639-1 Code; for example "en-US". |
proxyAddresses | Collection(Edm.String) | GET ($filter) | Notes: not nullable, the any operator is required for filter expressions on multi-valued properties; for more information, see Supported Queries, Filters, and Paging Options. |
securityEnabled | Edm.Boolean | POST (Required), GET ($filter), PATCH | Specifies whether the group is a security group. If the mailEnabled property is also true, the group is a mail-enabled security group; otherwise it is a security group. Only (pure) security groups can be created using Azure AD Graph. For this reason, the property must be set true when creating a group. |
theme | String | POST, GET, PATCH | Specifies an Office 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red. |
Navigation Properties
Name | To | To Multiplicity | Description |
---|---|---|---|
members | DirectoryObject (Only Contact, Group, ServicePrincipal, and User objects are supported) |
*/* | Users, contacts, groups, and service principals that are members of this group. Inherited from DirectoryObject. HTTP Methods: GET (supported for all groups), POST (supported for security groups and mail-enabled security groups), DELETE (supported only for security groups) |
memberOf | DirectoryObject (Only Group objects are supported) |
*/* | Groups that this group is a member of. Inherited from DirectoryObject. HTTP Methods: GET (supported for all groups) |
owners | DirectoryObject | */* | The owners of the group. The owners are a set of non-admin users who are allowed to modify this object. Requires version 2013-11-08 or newer. Inherited from DirectoryObject. HTTP Methods: GET (supported for all groups), POST (supported for security groups and mail-enabled security groups), DELETE (supported only for security groups) |
appRoleAssignments | DirectoryObject | */* | Contains the set of applications that a group is assigned to. Notes: Requires version 1.5 or newer. |
extensionProperties | DirectoryObject | */* | Contains the extension properties associated with the application. Notes: Requires version 1.5 or newer. |
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on users (the HTTP method used for each is in parentheses):
- Create (POST): Supported only for security groups.
- Read (GET): Supported for all groups.
- Update (PATCH): Supported only for security groups and mail-enabled security groups. Not all properties can be updated.
- Delete (DELETE): Supported only for security groups.
The following operations are supported on group navigation properties:
- Read (GET): Supported for all groups.
- Update (POST): Supported only for security groups and mail-enabled security groups. (members and owners only.)
- Delete (DELETE): Supported only for security groups. (members and owners only.)
The following actions and functions may be called on groups:
- checkMemberGroups to check a group’s membership in a list of groups. The check is transitive.
- getAvailableExtensionProperties to return a list of the extension properties that have been registered for a group. Requires version 1.5 or newer.
- getMemberGroups to return a list of the groups that a group is a member of. The check is transitive.
- isMemberOf to check whether a group is a member of a specified group. The check is transitive.
Remarks
- There are three kinds of groups: mail distribution groups (mailEnabled property true and securityEnabled property false); mail-enabled security groups (mailEnabled property true and securityEnabled property true); and, (pure) security groups (mailEnabled property false and securityEnabled property true).
- You can only create security groups using the Graph API (you cannot create mail-enabled security groups or mail distribution groups). For this reason the mailEnabled property must be set false and the securityEnabled property must be set true when creating a group.
- All properties marked required must be specified when creating a security group using the Graph API. These properties are: displayName, mailNickname, mailEnabled (false), securityEnabled (true).
- You cannot update a group from a security group to a mail-enabled security group or to a mail distribution group using the Graph API.
LicenseDetail Entity
Contains information about a license assigned to a user.
The licenseDetails property of the User entity is of type LicenseDetail.
Important: Introduced in version 1.6.
Properties
Declared Properties
Property | Type | Supports | Description |
---|---|---|---|
objectId | Edm.String | GET | The unique identifier for the license detail object. Notes: key, not nullable. |
servicePlans | Collection(ServicePlanInfo) | GET | Information about the service plans assigned with the license. Notes: not nullable. |
skuId | Edm.Guid | GET | Unique identifier (GUID) for the service SKU. Equal to the skuId property on the related SubscribedSku object. |
skuPartNumber | Edm.String | GET | Unique SKU display name. Equal to the skuPartNumber on the related SubscribedSku object; for example: "AAD_Premium". |
Navigation Properties
None.
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on license detail (the HTTP method used for each is in parentheses):
- Create (POST)
- Read (GET)
- Update (PATCH)
- Delete (DELETE)
No functions or actions may be called on license detail.
OAuth2PermissionGrant Entity
Represents the OAuth 2.0 delegated permission scopes that have been granted to an application (represented by a service principal) as part of the user or admin consent process.
Important: Beginning with version 1.5, the Permission entity type is renamed to OAuth2PermissionGrant. In versions prior to 1.5, permissions created during consent were added to the permissions property of a user or service principal.
Properties
Declared Properties
Property | Type | Supports | Description |
---|---|---|---|
clientId | Edm.String | POST, GET | Specifies the objectId of the service principal granted consent to impersonate the user when accessing the resource (represented by the resourceId). |
consentType | Edm.String | POST, GET | Specifies whether consent was provided by the administrator on behalf of the organization or whether consent was provided by an individual. The possible values are "AllPrincipals" or "Principal". |
expiryTime | Edm.DateTime | POST, GET, PATCH | Reserved. Returns null. Do not use. |
objectId | Edm.String | GET | The unique identifier for the permission scope. Notes: key, not nullable. |
principalId | Edm.String | POST, GET | If consentType is "AllPrincipals" this value is null, and the consent applies to all users in the organization. If consentType is "Principal" then this property specifies the objectId of the user that granted consent, and applies only for that user. |
resourceId | Edm.String | POST, GET | Specifies the objectId of the resource service principal to which access has been granted. |
scope | Edm.String | POST, GET, PATCH | Specifies the value of the scope claim that the resource application should expect in the OAuth 2.0 access token. |
startTime | Edm.DateTime | POST, GET | Reserved. Returns null. Do not use. |
Navigation Properties
None.
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on permission scopes (the HTTP method used for each is in parentheses):
- Create (POST)
- Read (GET)
- Update (PATCH): scope property only.
- Delete (DELETE)
No functions or actions may be called on permission scopes.
Remarks
- In version 1.5 and newer, the oauth2PermissionGrants navigation property of the User entity and of the ServicePrincipal entity returns the OAuth2PermissionGrant objects associated with the user or service principal.
- Prior to version 1.5, the permissions navigation property of the User entity and of the ServicePrincipal entity returns the Permission objects associated with the user or service principal.
Policy Entity
Represents an Azure AD policy. Policies are custom rules that can be enforced on applications, service principals, groups, or the entire organization they are assigned to. Currently only two types of policy are available:
- Token Lifetime Policy - Specifies the lifetime duration of tokens issued for applications and service principals. This policy is described in further detail below.
- Token Issuance Policy - Specifies characteristics of SAML tokens issued by Azure AD. This policy is described in further detail below.
Property | Type | Supports | Description |
---|---|---|---|
definition | Edm.String | POST, GET | The string version of the specific policy. See the information regarding the format of this string in the sections below. |
displayName | Edm.String | POST, GET, PATCH | A custom name for the policy. |
IsOrganizationDefault | Edm.Boolean | POST, GET, PATCH | If set to true, activates this policy for the tenant. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. |
type | Edm.String | POST, GET | Specifies the type of policy. Currently must be TokenLifetimePolicy or TokenIssuancePolicy . |
Navigation Properties
Name | To | Multiplicity (From/To) |
Description |
---|---|---|---|
appliesTo | DirectoryObject | */* | The applications, service principals, groups, or organization the policy applies to. |
Supported Operations
The following operations are supported on permission scopes (the HTTP method used for each is in parentheses):
- Create (POST)
- Read (GET)
- Update (PATCH)
- Delete (DELETE)
Token Lifetime Policy
Specifies the lifetimes of tokens issued for various purposes. This kind of policy can be assigned to applications and service principals. There are four kinds of tokens whose lifetimes can be configured. Access/Refresh token pairs are obtained during authentication through a client, whereas ID/Session token pairs are obtained during authentication through a browser.
- Access Token contains information about the identity and privileges associated with a user account that is used by clients to access protected resources like applications.
- Refresh Token is obtained together with the access token when a user authenticates against Azure AD through a client to access a protected resource. While it is not revoked or left unused for more than the MaxInactiveTime (below), it can be used to obtain a new access/refresh token pair when the current access token expires.
- ID Token behaves like an access token, but obtained through the browser.
- Session Token behaves like a refresh token, but obtained through the browser.
Token Lifetime Policy Properties
The properties below form the JSON object that represents a token lifetime policy. This JSON object must be converted to a string with quotations escaped to be inserted into the "definition" common policy property. Examples are provided on this page.
Note: All time durations in these properties are specified in the format "dd.hh:mm:ss".
Note: Max values for properties denoted in "days" are 1 second short of the denoted number of days. For example, the max value of 1 days is specified as "23:59:59".
Property | Type | Description | Min Value | Max Value | Default Value |
---|---|---|---|---|---|
AccessTokenLifetime | String | Controls how long both access and ID tokens are considered valid. | 10 minutes | 1 day | 1 hour |
MaxInactiveTime | String | Controls how old a refresh token can be before a client can no longer use it to retrieve a new access/refresh token pair to access a resource. | 10 minutes | 90 days | 14 days |
MaxAgeSingleFactor | String | Controls how long a user can continue to use refresh tokens to get new access/refresh token pairs after the last time they authenticated successfully with only a single factor. Because single-factor is considered less secure than multi-factor authentication, it is recommended that this policy is set to an equal or lesser value than the MultiFactorRefreshTokenMaxAge. | 10 minutes | until-revoked | 365 days or until-revoked |
MaxAgeMultiFactor | String | Controls how long a user can continue to use refresh tokens to get new access/refresh token pairs after the last time they authenticated successfully with multi factors. | 10 minutes | until-revoked | 365 days or until-revoked |
MaxAgeSessionSingleFactor | String | Controls how long a user can continue to use session tokens to get new ID/session tokens after the last time they authenticated successfully with only a single factor. Because single-factor is considered less secure than multi-factor authentication, it is recommended that this policy is set to an equal or lesser value than the MultiFactorSessionTokenMaxAge | 10 minutes | until-revoked | 365 or until-revoked |
MaxAgeSessionMultiFactor | String | Controls how long a user can continue to use session tokens to get new ID/session tokens after the last time they authenticated successfully with multi factors. | 10 minutes | until-revoked | 365 or until-revoked |
Version | Integer | Set value of 1. Required. | None | None | None |
Token Issuance Policy
Token issuance policies can be used to specify certain properties of SAML tokens issued by Azure AD during the Ws-Federation authentication protocol. This kind of policy can be assigned to applications and service principals. Currently, token issuance policies can modify three properties of SAML tokens:
- The algorithm used to sign the SAML token. SHA-256 is used by default, but can be changed to use SHA-1.
- Whether the SAML token is signed, the entire SAML response is signed, or both. By default, only the SAML token is signed.
- The version of the SAML token issued. SAML 2.0 tokens are issued by default, but can be changd to use SAML 1.1.
Token Issuance Policy Properties
The properties below form the JSON object that represents a token issuance policy. This JSON object must be converted to a string with quotations escaped to be inserted into the "definition" common policy property. Examples are provided on this page.
Property | Type | Description | Values | Default Value |
---|---|---|---|---|
SamlTokenVersion | String | Controls the version of the SAML token issued. | 1.1 2.0 |
2.0 |
SigningAlgorithm | String | Controls the algorithm used for signing the SAML token and/or response. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 http://www.w3.org/2000/09/xmldsig#rsa-sha1 |
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |
TokenResponseSigningPolicy | String | Controls whether the SAML token is signed, the SAML response is signed, or both. If the SAML token version is set to 1.1 , then TokenOnly is the only allowed value. |
TokenOnly ResponseOnly ResponseAndToken |
TokenOnly |
Version | Integer | The version of the token issuance policy. Required. | 1 |
None |
ServiceEndpoint Entity
The service endpoint entity contains service discovery information. Inherits from DirectoryObject.
The serviceEndpoints property of the Application and ServicePrincipal entities is of type ServiceEndpoint. Other services can use the information stored in the ServiceEndpoint entity to find this service and its addressable endpoints.
Important: Introduced in version 1.6.
Properties
Declared Properties
Property | Type | Supports | Description |
---|---|---|---|
capability | Edm.String | POST (Required), GET | A text identifier for the service's capability. Examples are "Documents" and "Mail". |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for service endpoints and always returns null. Inherited from DirectoryObject. |
objectId | Edm.String | GET | The unique identifier for the service endpoint. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For service endpoints the value is always "ServiceEndpoint". Inherited from DirectoryObject. |
serviceId | Edm.String | POST, GET | The identifier of the service |
serviceName | Edm.String | POST, GET | The display name of the service. |
Uri | Edm.String | POST (Required), GET | Uri of the service’s endpoint. |
resourceId | Edm.String | POST, GET | An identifier for a specific resource within the service. |
Navigation Properties
None.
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
No direct operations may be performed on service endpoints. They are only addressable through the serviceEndpoints property on an Application or a ServicePrincipal. The following operations are supported (the HTTP method used for each is in parentheses):
- Create (POST) -- only on the serviceEndpoints navigation property of an Application.
- Read (GET) -- on the serviceEndpoints navigation property of an Application or ServicePrincipal.
- Delete (DELETE) -- only on the serviceEndpoints property of an Application.
No functions or actions may be called on service endpoints.
Remarks
- The capability and uri properties are required when you add a service endpoint to an Application.
ServicePrincipal Entity
Represents an instance of an application in a directory. Inherits from DirectoryObject.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
accountEnabled | Edm.Boolean | POST, GET ($filter), PATCH | true if the service principal account is enabled; otherwise, false. |
addIns | Collection(AddIn) | GET | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications which can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on. Notes: Requires version 1.6. |
appDisplayName | Edm.String | GET | The display name exposed by the associated application. |
appId | Edm.Guid | POST (Required), GET ($filter), PATCH | The unique identifier for the associated application (its appId property). |
appOwnerTenantId | Edm.Guid | GET | |
appRoleAssignmentRequired | Edm.Boolean | POST, GET, PATCH | Specifies whether an AppRoleAssignment to a user or group is required before Azure AD will issue a user or access token to the application. Notes: Requires version 1.5 or newer, not nullable. |
appRoles | Collection(AppRole) | GET | The application roles exposed by the associated application. For more information see the appRoles property definition on the Application entity Notes: Requires version 1.5 or newer, not nullable. |
authenticationPolicy | ServicePrincipalAuthenticationPolicy | GET | Reserved for internal use only. Do not use. Removed in version 1.5. Notes: Available in version 2013-11-08 only. |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for service principals and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
displayName | Edm.String | POST, GET ($filter), PATCH | The display name for the service principal. |
errorUrl | Edm.String | POST, GET, PATCH | |
homepage | Edm.String | POST, GET, PATCH | The URL to the homepage of the associated application. |
keyCredentials | Collection(KeyCredential) | POST, GET, PATCH | The collection of key credentials associated with the service principal. Notes: not nullable. |
logoutUrl | Edm.String | POST, GET, PATCH | |
oauth2Permissions | Collection(OAuth2Permission) | GET | The OAuth 2.0 permissions exposed by the associated application. For more information see the oauth2Permissions property definition on the Application entity. Notes: Requires version 1.5 or newer, not nullable. |
objectId | Edm.String | GET | The unique identifier for the service principal. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For service principals the value is always "ServicePrincipal". Inherited from DirectoryObject. |
passwordCredentials | Collection(PasswordCredential) | POST, GET, PATCH | The collection of password credentials associated with the service principal. Notes: not nullable. |
preferredTokenSigningKeyThumbprint | Edm.String | GET | Reserved for internal use only. Do not write or otherwise rely on this property. May be removed in future versions. Notes: Requires version 1.5 or newer. |
publisherName | Edm.String | POST, GET ($filter), PATCH | The display name of the tenant in which the associated application is specified. |
replyUrls | Collection(Edm.String) | POST, GET, PATCH | The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. Notes: not nullable. |
samlMetadataUrl | Edm.String | POST, GET, PATCH | |
servicePrincipalNames | Collection(Edm.String) | POST, GET ($filter), PATCH | Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal. A client will use these to: • populate requiredResourceAccess, via "Permissions to other applications” in the Azure classic portal. • specify a resource URI to acquire an access token, which is the URI returned in the “aud” claim. See identifierURIs in the Application entity for details on how to update. Notes: not nullable, the any operator is required for filter expressions on multi-valued properties; for more information, see Supported Queries, Filters, and Paging Options. |
tags | Collection(Edm.String) | POST, GET ($filter), PATCH | Notes: not nullable. |
Navigation Properties
Name | To | Multiplicity (From/To) |
Description |
---|---|---|---|
appRoleAssignedTo | AppRoleAssignment | */* | Principals (users, groups, and service principals) that are assigned to this service principal. Requires version 1.5 or newer. |
appRoleAssignments | AppRoleAssignment | */* | Applications that the service principal is assigned to. Requires version 1.5 or newer. |
createdObjects | DirectoryObject | */* | Directory objects created by this service principal. Inherited from DirectoryObject. Requires version 2013-11-08 or newer. |
memberOf | DirectoryObject (Only DirectoryRole and Group objects are supported) |
*/* | Roles and groups that this service principal is a direct member of. Inherited from DirectoryObject. HTTP Methods: GET |
oauth2PermissionGrants | OAuth2PermissionGrant | */* | User impersonation grants associated with this service principal. Requires version 1.5 or newer. |
ownedObjects | DirectoryObject | */* | Directory objects that are owned by this service principal. Inherited from DirectoryObject. Requires version 2013-11-08 or newer. |
owners | DirectoryObject | */* | Directory objects that are owners of this service principal. The owners are a set of non-admin users who are allowed to modify this object. Inherited from DirectoryObject. Requires version 2013-11-08 or newer. |
permissions | Permission | */* | Renamed to oauth2PermissionGrants in version 1.5 and newer. In previous versions pointed to the permissions associated with the service principal. For information about the Permission entity type, see OAuth2PermissionGrant. |
policies | Policy | */* | Policies assigned to the service principal. |
serviceEndpoints | ServiceEndpoint | 1/* | Service endpoints available for discovery. For more information, see the ServiceEndpoint topic. HTTP Methods: GET. Requires version 1.6 or newer. |
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on service principals (the HTTP method used for each is in parentheses):
- Create (POST)
- Read (GET)
- Update (PATCH)
- Delete (DELETE)
The following operation is supported on navigation properties:
- Read (GET)
The following actions and functions may be called on groups:
- checkMemberGroups to check a service principal’s membership in a list of groups. The check is transitive.
- getMemberGroups to return a list of the groups that a service principal is a member of. The check is transitive.
- getMemberObjects to return a list of the groups and directory roles that a service principal is a member of. The check is transitive.
A principal must be in the Company Administrator role to perform operations on service principals.
Remarks
You must set the appId property to the ID of an application in the directory when you create a service principal.
SubscribedSku Entity
Contains information about a service SKU that a company is subscribed to.
Only the read operation is supported on subscribed SKUs; create, update, and delete are not supported. Query filter expressions are not supported.
Properties
Declared Properties
Property | Type | Supports | Description |
---|---|---|---|
appliesTo | Edm.String | GET | For example, "User" or "Company". Notes: Requires version 1.6. |
capabilityStatus | Edm.String | GET | For example, "Enabled". |
consumedUnits | Edm.Int32 | GET | The number of licenses that have been assigned. |
objectId | Edm.String | GET | The unique identifier for the subscribed sku object. Notes: key, not nullable. |
prepaidUnits | LicenseUnitsDetail | GET | Information about the number and status of prepaid licenses. |
servicePlans | Collection(ServicePlanInfo) | GET | Information about the service plans that are available with the SKU. Notes: not nullable. |
skuId | Edm.Guid | GET | The unique identifier (GUID) for the service SKU. |
skuPartNumber | Edm.String | GET | The SKU part number; for example: "AAD_PREMIUM" or "RMSBASIC". |
Navigation Properties
None.
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on subscribed SKUs (the HTTP method used for each is in parentheses):
- Read (GET)
Subscribed SKUs do not expose any navigation properties.
No functions or actions may be called on subscribed SKUs.
TenantDetail Entity
Represents an Azure Active Directory tenant. Only the read and update operations are supported on tenants; create and delete are not supported. Inherits from DirectoryObject.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
assignedPlans | Collection(AssignedPlan) | GET | The collection of service plans associated with the tenant. Notes: not nullable. |
city | Edm.String | GET | |
companyLastDirSyncTime | Edm.DateTime | GET | The time and date at which the tenant was last synced with the on-premise directory. |
country | Edm.String | GET | |
countryLetterCode | Edm.String | GET | |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for tenants and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
dirSyncEnabled | Edm.Boolean | GET | true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). |
displayName | Edm.String | GET | The display name for the tenant. |
marketingNotificationEmails | Collection(Edm.String) | GET, PATCH | Notes: not nullable. |
objectId | Edm.String | GET | The unique identifier for the tenant. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For tenants the value is always "Company". Inherited from DirectoryObject. |
postalCode | Edm.String | GET | |
preferredLanguage | Edm.String | GET | |
provisionedPlans | Collection(ProvisionedPlan) | GET | Notes: not nullable. |
provisioningErrors | Collection(ProvisioningError) | GET | Notes: not nullable. |
state | Edm.String | GET | |
street | Edm.String | GET | |
technicalNotificationMails | Collection(Edm.String) | GET, PATCH | Notes: not nullable. |
telephoneNumber | Edm.String | GET | |
tenantType | Edm.String | GET | Notes: removed in version 1.5 and newer. |
verifiedDomains | Collection(VerifiedDomain) | GET | The collection of domains associated with this tenant. Notes: not nullable. |
Navigation Properties
Name | To | To Multiplicity | Description |
---|---|---|---|
trustedCAsForPasswordlessAuth | TrustedCAsForPasswordlessAuth | 1/1 | The set of certificate authorities used to validate the trust chain while performing password-less authentication. For more information, see Remarks. Notes: Requires version 1.6 or newer. |
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on tenants (the HTTP method used for each is in parentheses):
- Read (GET)
- Update (PATCH); only the marketingNotificationMails and technicalNotificationMails properties can be updated using the Graph API.
The following operations are supported on tenant navigation properties:
- Read (GET)
- Update (POST)
- Delete (DELETE)
No functions or actions may be called on tenants.
Remarks
- You cannot create or delete tenants using the Graph API.
- Only the marketingNotificationMails and technicalNotificationMails properties can be updated using the Graph API.
- Trusted certificate authorities enable users in a federated tenant to sign in using certificate-based authentication. To enable this scenario, configure the public certificates of the certificate authorities trusted for sign-in by setting the trustedCAsForPasswordlessAuth navigation property.
- Query filter expressions are not supported on tenants.
TrustedCAsForPasswordlessAuth Entity
Represents a set of certificate authorities to validate the trust chain while performing password-less authentication.
The trustedCAsForPasswordlessAuth navigation property of the TenantDetail entity is a collection of trustedCAsForPasswordlessAuth. Clients can use this property to configure the public certificates of the authorities trusted for sign-in in order to enable users in a federated tenant to sign in using certificate-based authentication.
Important: Introduced in version 1.6.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
id | Edm.String | GET | Unique identifier. Notes: key, not nullable. |
certificateAuthorities | Collection(CertificateAuthorityInformation) | POST (Required), GET, PATCH | Collection of certificate authority information. |
Navigation Properties
None.
Supported Operations
The following operations are supported on trusted certificate authorities (the HTTP method used for each is in parentheses):
- Create (POST); only the certificateAuthorities property can be specified.
- Read (GET)
- Update (PATCH); only the certificateAuthorities property
Trusted certificates do not expose any navigation properties.
No functions or actions may be called on trusted certificate authorities.
User Entity
Represents an Azure AD user account. Inherits from DirectoryObject.
Properties
Declared Properties
Name | Type | Supports | Description |
---|---|---|---|
accountEnabled | Edm.Boolean | POST (Required), GET ($filter), PATCH | true if the account is enabled; otherwise, false. This property is required when a user is created. |
assignedLicenses | Collection(AssignedLicense) | POST, GET, PATCH | The licenses that are assigned to the user. Notes: not nullable. |
assignedPlans | Collection(AssignedPlan) | GET | The plans that are assigned to the user. Notes: not nullable. |
city | Edm.String | POST, GET ($filter), PATCH | The city in which the user is located. |
country | Edm.String | POST, GET ($filter), PATCH | The country/region in which the user is located; for example, "US" or "UK". |
creationType | Edm.String | POST (Required for local accounts), GET ($filter) | Indicates whether the user account is a local account for an Azure Active Directory B2C tenant. Possible values are "LocalAccount" and null. When creating a local account, the property is required and you must set it to "LocalAccount". When creating a work or school account, do not specify the property or set it to null. For more information about Azure Active Directory B2C, see the Azure Active Directory B2C documentation. Notes: Requires version 1.6 or newer. |
deletionTimestamp | Edm.DateTime | GET | This property is not valid for users and always returns null. Inherited from DirectoryObject. Notes: Requires version 1.5 or newer. |
department | Edm.String | POST, GET ($filter), PATCH | The name for the department in which the user works. |
dirSyncEnabled | Edm.Boolean | GET ($filter) | true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). |
displayName | Edm.String | POST (Required), GET ($filter), PATCH (but cannot be cleared) | The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates. |
employeeId | Edm.String | POST, GET ($filter), PATCH | The employee identifier assigned to the user by the organization. |
facsimileTelephoneNumber | Edm.String | POST, GET, PATCH | The telephone number of the user's business fax machine. |
givenName | Edm.String | POST, GET ($filter), PATCH | The given name (first name) of the user. |
immutableId | Edm.String | POST (Required if using a federated domain for the UPN), GET ($filter), PATCH | This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property. Important: The $ and _ characters cannot be used when specifying this property. Notes: Requires version 2013-11-08 or newer. |
jobTitle | Edm.String | POST, GET ($filter), PATCH | The user's job title. |
lastDirSyncTime | Edm.DateTime | GET ($filter) | Indicates the last time at which the object was synced with the on-premises directory; for example: "2013-02-16T03:04:54Z" |
Edm.String | POST, GET ($filter) | The SMTP address for the user, for example, "jeff@contoso.onmicrosoft.com". | |
mailNickname | Edm.String | POST (Required for work or school accounts), GET ($filter), PATCH | The mail alias for the user. This property is required when you create a work or school account; it is optional for a local account. |
mobile | Edm.String | POST, GET, PATCH | The primary cellular telephone number for the user. |
objectId | Edm.Guid | GET | The unique identifier for the user. Inherited from DirectoryObject. Notes: key, immutable, not nullable, unique. |
objectType | Edm.String | GET | A string that identifies the object type. For users the value is always "User". Inherited from DirectoryObject. |
onPremisesSecurityIdentifier | Edm.String | GET | Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. Notes: Requires version 1.5 or newer. |
otherMails | Collection(Edm.String) | POST, GET ($filter), PATCH | A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"]. Notes: not nullable, the any operator is required for filter expressions on multi-valued properties; for more information, see Supported Queries, Filters, and Paging Options. |
passwordPolicies | Edm.String | POST, GET, PATCH | Specifies password policies for the user. This value is an enumeration with one possible value being "DisableStrongPassword", which allows weaker passwords than the default policy to be specified. "DisablePasswordExpiration" can also be specified. The two may be specified together; for example: "DisablePasswordExpiration, DisableStrongPassword". |
passwordProfile | PasswordProfile | POST (Required), PATCH | Specifies the password profile for the user. The profile contains the user's password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required. For information about the constraints that must be satisfied for a strong password, see Password policy under Change your password in the Microsoft Office 365 help pages. The passwordProfile is a write only property. |
physicalDeliveryOfficeName | Edm.String | POST, GET, PATCH | The office location in the user's place of business. |
postalCode | Edm.String | POST, GET, PATCH | The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code. |
preferredLanguage | Edm.String | POST, GET, PATCH | The preferred language for the user. Should follow ISO 639-1 Code; for example "en-US". |
provisionedPlans | Collection(ProvisionedPlan) | GET | The plans that are provisioned for the user. Notes: not nullable. |
provisioningErrors | Collection(ProvisioningError) | GET | A collection of error details that are preventing this user from being provisioned successfully. |
proxyAddresses | Collection(Edm.String) | GET ($filter) | Fpr example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"] Notes: unique, not nullable, the any operator is required for filter expressions on multi-valued properties; for more information, see Supported Queries, Filters, and Paging Options. |
refreshTokensValidFromDateTime | Edm.DateTime | POST, GET, PATCH | Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as AD Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint. Use Invalidate all refresh tokens to reset. |
showInAddressList | Edm.Boolean | POST, GET, PATCH | true if the Outlook global address list should contain this user, otherwise false. If not set, this will be treated as true. For users invited through the invitation manager, this property will be set to false. |
signInNames | Collection(SignInName) | POST (Required for local accounts), GET ($filter) | Specifies the collection of sign-in names for a local account in an Azure Active Directory B2C tenant. Each sign-in name must be unique in the tenant. The property must be specified when you create a local account user; do not specify it when you create a work or school account. For more information about Azure Active Directory B2C, see the Azure Active Directory B2C documentation. Notes: Requires version 1.6 or newer. |
sipProxyAddress | Edm.String | GET | Specifies the voice over IP (VOIP) session initiation protocol (SIP) address for the user. Notes: Requires version 1.5 or newer. |
state | Edm.String | POST, GET ($filter), PATCH | The state or province in the user's address. |
streetAddress | Edm.String | POST, GET, PATCH | The street address of the user's place of business. |
surname | Edm.String | POST, GET ($filter), PATCH | The user's surname (family name or last name). Notes: filterable, must be between 1 and 64 characters. |
telephoneNumber | Edm.String | POST, GET, PATCH | The primary telephone number of the user's place of business. |
thumbnailPhoto | Edm.Stream | POST, GET, PATCH | A thumbnail photo to be displayed for the user. Notes: not nullable. |
usageLocation | Edm.String | POST, GET ($filter), PATCH | A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: "US", "JP", and "GB". Notes: not nullable. |
userIdentities | Collection(UserIdentity) | POST (Required for social accounts), GET ($filter) | Specifies the collection of userIdentities for a social user account in an Azure Active Directory B2C tenant. Each userIdentity (issuer and issuerIdentity as a pair) must be unique in the tenant. For more information about Azure Active Directory B2C, see the Azure Active Directory B2C documentation. Notes: Requires version 1.6 or newer. |
userPrincipalName | Edm.String | POST (Required for work or school accounts), GET ($filter), PATCH | The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is "alias@domain". For work or school accounts, the domain must be present in the tenant's collection of verified domains. This property is required when a work or school account is created; it is optional for local accounts. The verified domains for the tenant can be accessed from the VerifiedDomains property of TenantDetail. Notes: key, unique. |
userType | Edm.String | POST, GET ($filter), PATCH | A string value that can be used to classify user types in your directory, such as "Member" and "Guest". Notes: Requires version 2013-11-08 or newer. |
Navigation Properties
Name | To | Multiplicity (From/To) |
Description |
---|---|---|---|
manager | DirectoryObject (Only User and Contact objects are supported.) |
*/0..1 | The user or contact that is this user's manager. Inherited from DirectoryObject. HTTP Methods: GET, PUT, DELETE |
directReports | DirectoryObject (Only User and Contact objects are supported.) |
*/* | The users and contacts that report to the user. (The users and contacts that have their manager property set to this user.) Inherited from DirectoryObject. HTTP Methods: GET |
licenseDetails | LicenseDetail | */* | Notes: Requires version 1.6 or later. |
memberOf | DirectoryObject (Only Group and DirectoryRole objects are supported.) |
*/* | The groups and directory roles that the user is a member of. Inherited from DirectoryObject. HTTP Methods: GET |
ownedDevices | Device | */* | Devices that are owned by the user. |
permissions | Permission | */* | The permissions associated with the user. The property is renamed to oauth2PermissionGrants and the Permission entity is renamed to OAuth2PermissionGrant in version 1.5 and newer. See the documentation for OAuth2PermssionGrant for documentation of the Permission entity type. |
registeredDevices | Device | */* | Devices that are registered for the user. |
createdObjects | DirectoryObject | */* | Directory objects that were created by the user. Requires version 2013-11-08 or newer. |
ownedObjects | DirectoryObject | */* | Directory objects that are owned by the user. Requires version 2013-11-08 or newer. |
appRoleAssignments | AppRoleAssignment | */* | The set of applications that this user is assigned to. Requires version 1.5 or newer. HTTP Methods: GET, POST, DELETE |
oauth2PermissionGrants | OAuth2PermissionGrant | */* | The set of applications that are granted consent to impersonate this user. Requires version 1.5 or newer. HTTP Methods: GET, POST, DELETE |
Note: Inherited navigation properties that are not listed are not supported. Requests addressed to unsupported navigation properties return 400 Bad Request.
Supported Operations
The following operations are supported on users (the HTTP method used for each is in parentheses):
- Create (POST)
- Read (GET)
- Update (PATCH)
- Delete (DELETE)
The following operations are supported on user navigation properties; not all operations are supported on every navigation property.
- Read (GET)
- Update (PUT)
- Delete (DELETE)
The following actions and functions may be called on users:
- assignLicense to assign and/or remove a specified list of licenses from a user. Requires version 2013-11-08 or newer.
- checkMemberGroups to check the user’s membership in a list of groups. The check is transitive.
- getAvailableExtensionProperties to return a list of the extension properties that have been registered for a user. Requires version 1.5 or newer.
- getMemberGroups to return a list of the groups that a user is a member of. The check is transitive.
- getMemberObjects to return a list of the groups and directory roles that a user is a member of. The check is transitive.
- isMemberOf to check whether a user is a member of a specified group. The check is transitive.
Remarks
- To create a work or school account, the required properties are: accountEnabled, displayName, mailNickname, passwordProfile, and userPrincipalName. The password specified in the passwordProfile property must meet the tenant’s password complexity requirements. For more information, see the passwordPolicies property.
- To create a local account, the required properties are: accountEnabled, creationType (must be set to “LocalAccount”), displayName, passwordProfile, and signInNames. The password specified in the passwordProfile property must meet the tenant’s password complexity requirements. For more information, see the passwordPolicies property.
- In version 2013-11-08 and newer, the immutableId property must be specified when creating a new user account in the Graph if you are using a federated domain for the user’s userPrincipalName (UPN) property.
- The displayName property cannot be cleared on updates.
- The passwordProfile property always returns null. This is to prevent the user’s password from being displayed. You can reset the user’s password by updating the passwordProfile property.
- In addition to the standard addressing available for all directory entities, users may be addressed by using the userPrincipalName property; for example,
https://graph.windows.net/contoso.onmicrosoft.com/users/john@contoso.onmicrosoft.com?api-version=1.5
.
Complex type reference
AddIn Type
Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications which can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in context of the document the user is working on. The addins property of the Application and ServicePrincipal entities is a collection of AddIn.
Important: Introduced in version 1.6.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
id | Edm.Guid | R | A unique identifier within the addins collection on a specific Application. |
type | Edm.String | RW | The unique name for the functionality exposed by the app. |
properties | Collection(KeyValue) | RW (Required on writes) | The collection of key-value pairs that define parameters the consuming service can use or call. You must specify this property when performing a POST or a PATCH operation on the addIns collection. |
AlternativeSecurityId Type
Contains an alternative security ID associated with a device. The alternativeSecurityIds property of the Device entity is a collection of AlternativeSecurityId.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
identityProvider | Edm.String | ||
key | Edm.Binary | ||
type | Edm.Int32 |
AppRole Type
Represents an application role that may be requested by a client application calling another application or that may be used to assign an application to users or groups in a specified application role. The appRoles property of the ServicePrincipal entity and of the Application entity is a collection of AppRole.
Important: Requires version 1.5 or newer.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
allowedMemberTypes | Collection(Edm.String) | RW | Specifies whether this app role definition can be assigned to users and groups by setting to "User", or to other applications (that are accessing this application in daemon service scenarios) by setting to "Application", or to both. Notes: not nullable. |
description | Edm.String | RW | Permission help text that appears in the admin app assignment and consent experiences. |
displayName | Edm.String | RW | Display name for the permission that appears in the admin consent and app assignment experiences. |
id | Edm.Guid | RW | Unique role identifier inside the appRoles collection. |
isEnabled | Edm.Boolean | RW | When creating or updating a role definition, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed. |
value | Edm.String | RW | Specifies the value of the roles claim that the application should expect in the authentication and access tokens. |
AssignedLicense Type
Represents a license assigned to a user. The assignedLicenses property of the User entity is a collection of AssignedLicense.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
disabledPlans | Collection(Edm.Guid) | R | A collection of the unique identifiers for plans that have been disabled. Notes: not nullable. |
skuId | Edm.Guid | R | The unique identifier for the service SKU. Same value as the skuId property of the related SubscribedSku object. |
AssignedPlan Type
The assignedPlans property of both the User entity and the TenantDetail entity is a collection of AssignedPlan.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
assignedTimestamp | Edm.DateTime | R | The date and time at which the plan was assigned; for example: 2013-01-02T19:32:30Z. |
capabilityStatus | Edm.String | R | For example, "Enabled". |
service | Edm.String | R | The name of the service; for example, "SharePoint", "MicrosoftOffice", or "Exchange". |
servicePlanId | Edm.Guid | R | A GUID that identifies the service plan. |
CertificateAuthorityInformation Type
Represents a certificate authority used when validating the trust chain while performing password-less authentication. The certificateAuthorities property of the TrustedCAsForPasswordlessAuth entity is a collection of CertificateAuthorityInformation.
Important: Introduced in version 1.6.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
authorityType | Edm.String | RW (Required on POST) | Required. Must be set to one of two possible values: “RootAuthority” or “IntermediateAuthority”. It is used while validating certificates during authentication. |
crlDistributionPoint | Edm.String | RW | Certificate Revocation List (CRL) distribution points hold files which store the serial numbers of all certificates that have been revoked. This is typically a URI. |
deltaCrlDistributionPoint | Edm.String | RW | A URI that contains the list of all revoked certificates since the last time a full CRL was created. |
trustedCertificate | Edm.Binary | RW (Required on POST) | Required. The public certificate in binary form. |
trustedIssuer | Edm.String | R | Read only. Calculated from the trustedCertificate value. |
trustedIssuerSki | Edm.String | R | Read only. The subject key identifier is calculated from the trustedCertificate value. |
KeyCredential Type
Contains a key credential associated with an application or a service principal. The keyCredentials property of the Application and ServicePrincipal entities is a collection of KeyCredential.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
customKeyIdentifier | Edm.Binary | ||
endDate | Edm.DateTime | The date and time at which the credential expires. | |
keyId | Edm.Guid | The unique identifier (GUID) for the key. | |
startDate | Edm.DateTime | The date and time at which the credential becomes valid. | |
type | Edm.String | The type of key credential; for example, "Symmetric". | |
usage | Edm.String | A string that describes the purpose for which the key can be used; for example, "Verify". | |
value | Edm.String |
KeyValue Type
Contains a key-value pair that defines a parameter that a consuming service can use or call on an application specified in an AddIn. The properties property of the AddIn type is a collection of KeyValue.
Important: Introduced in version 1.6.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
key | Edm.String | RW | The key in the key value pair. |
value | Edm.String | RW | The value of the key value pair. |
LicenseUnitsDetail Type
Contains information and status about the prepaid units of a service SKU that a company is subscribed to.
The prepaidUnits property of the SubscribedSku entity is of type LicenseUnitsDetail.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
enabled | Edm.Int32 | R | The number of units that are enabled. |
suspended | Edm.Int32 | R | The number of units that are suspended. |
warning | Edm.Int32 | R | The number of units that are in warning status. |
OAuth2Permission Type
Represents an OAuth 2.0 delegated permission scope. The specified OAuth 2.0 delegated permission scopes may be requested by client applications (through the requiredResourceAccess collection on the Application object) when calling a resource application. The oauth2Permissions property of the ServicePrincipal entity and of the Application entity is a collection of OAuth2Permission.
Important: Requires version 1.5 or newer.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
adminConsentDescription | Edm.String | RW | Permission help text that appears in the admin consent and app assignment experiences. |
adminConsentDisplayName | Edm.String | RW | Display name for the permission that appears in the admin consent and app assignment experiences. |
id | Edm. Guid | RW | Unique scope permission identifier inside the oauth2Permissions collection. |
isEnabled | Edm.Boolean | RW | When creating or updating a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed. Notes: not nullable. |
type | Edm.String | RW | Specifies whether this scope permission can be consented to by an end user, or whether it is a tenant-wide permission that must be consented to by a Company Administrator. Possible values are "User" or "Admin". |
userConsentDescription | Edm.String | RW | Permission help text that appears in the end user consent experience. |
userConsentDisplayName | Edm.String | RW | Display name for the permission that appears in the end user consent experience. |
value | Edm.String | RW | The value of the scope claim that the resource application should expect in the OAuth 2.0 access token. |
OptionalClaims Type
Contains optional claims associated with an application. An application can configure optional claims to be returned in each of three types of tokens (ID token, access token, SAML 2 token) it receives from the security token service. The application can configure a different set of optional claims to be returned in each token type. The OptionalClaims property of the Application entity is an OptionalClaims object.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
idToken | Collection (OptionalClaim) | RW | The optional claims returned in the JWT ID token. |
accessToken | Collection (OptionalClaim) | RW | The optional claims returned in the JWT access token. |
saml2Token | Collection (OptionalClaim) | RW | The optional claims returned in the SAML2 token. |
OptionalClaim Type
Contains an optional claim associated with an application or a service principal. The idToken, accessToken, and saml2Token properties of the of the OptionalClaims type is a collection of OptionalClaim.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
name | Edm.String | RW | The name of the optional claim. |
source | Edm.String | RW | The source (directory object) of the claim. There are predefined claims and user defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object. |
essential | Edm.Boolean | RW | If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false. |
additionalProperties | Collection (Edm.String) | RW | Additional boolean properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. |
PasswordCredential Type
Contains a password credential associated with an application or a service principal. The passwordCredentials property of the ServicePrincipal entity and of the Application entity is a collection of PasswordCredential.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
customKeyIdentifier | Edm.Binary | ||
endDate | Edm.DateTime | The date and time at which the password expires. | |
keyId | Edm.Guid | ||
startDate | Edm.DateTime | The date and time at which the password becomes valid. | |
value | Edm.String |
PasswordProfile Type
Contains the password profile associated with a user. The passwordProfile property of the User entity is a PasswordProfile object.
Properties
Name | Type | Notes | Description |
---|---|---|---|
password | Edm.String | W | The password for the user. This property is required when a user is created. It can be updated, but the user will be required to change the password on the next login. The password must satisfy minimum requirements as specified by the user's PasswordPolicies property. By default, a strong password is required. The password property is write only. |
forceChangePasswordNextLogin | Edm.Boolean | RW | true if the user must change her password on the next login; otherwise false. |
ProvisionedPlan Type
The provisionedPlans property of the User entity and the TenantDetail entity is a collection of ProvisionedPlan.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
capabilityStatus | Edm.String | R | For example, "Enabled" or "Deleted". |
provisioningStatus | Edm.String | R | For example, "Success". |
service | Edm.String | R | The name of the service; for example, "SharePoint", "MicrosoftOffice", or "Exchange". |
ProvisioningError Type
The provisioningErrors property of the Contact, User, and Group entities is a collection of ProvisioningError.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
errorDetail | Edm.String | R | A description of the error. |
resolved | Edm.Boolean | R | true if the error was resolved; otherwise, false. |
serviceInstance | Edm.String | R | The service instance for which the error occurred. |
timestamp | Edm.DateTime | R | The date and time at which the error occurred. |
RequiredResourceAccess Type
Specifies the set of OAuth 2.0 permission scopes and app roles under the specified resource that an application requires access to. The specified OAuth 2.0 permission scopes may be requested by client applications (through the requiredResourceAccess collection) when calling a resource application. The requiredResourceAccess property of the Application entity is a collection of ReqiredResourceAccess.
Important: Requires version 1.5 or newer.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
resourceAppId | Edm.String | RW | The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application. |
resourceAccess | Collection(ResourceAccess) | RW | The list of OAuth2.0 permission scopes and app roles that the application requires from the specified resource. Notes: not nullable. |
ResourceAccess Type
Specifies an OAuth 2.0 permission scope or an app role that an application requires. The resourceAccess property of the RequiredResourceAccess type is a collection of ResourceAccess.
Important: Requires version 1.5 or newer.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
id | Edm.Guid | RW | The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes. Notes: not nullable. |
type | Edm.String | RW | Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are "scope" or "role". |
ServicePlanInfo Type
Contains information about a service plan associated with a subscribed SKU or a license assigned to a user. The servicePlans property of the SubscribedSku and LicenseDetail entity is a collection of ServicePlanInfo.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
appliesTo | Edm.String | R | The object the service plan can be assigned to. Possible values: "User" - service plan can be assigned to individual users. "Company" - service plan can be assigned to the entire tenant. Notes: Requires version 1.6. |
provisioningStatus | Edm.String | R | Possible values: "Success" - Service is fully provisioned. "Disabled" - Service has been disabled. "PendingInput" - Service is not yet provisioned; awaiting service confirmation. "PendingActivation" - Service is provisioned but requires explicit activation by administrator (e.g. Intune_O365 service plan) "PendingProvisioning" - Microsoft has added a new service to the product SKU and it has not been activated in the tenant, yet. Notes: Requires version 1.6. |
servicePlanId | Edm.Guid | R | The unique identifier (GUID) of the service plan. |
servicePlanName | Edm.String | R | The name of the service plan. For example, "MFA_PREMIUM", "AAD_PREMIUM", or "RMS_S_BASIC". |
ServicePrincipalAuthenticationPolicy Type
Contains the authentication policy of a service principal.
Important: Available only in version 2013-11-08; however it is reserved for internal use only and is removed in version 1.5 and newer.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
defaultPolicy | Edm.String | RW | Reserved for internal use only. Do not use. Removed in version 1.5. |
allowedPolicies | Collection(Edm.String) | RW | Reserved for internal use only. Do not use. Removed in version 1.5. Notes: not nullable. |
SignInName Type
Contains information about a sign-in name of a local account user in an Azure Active Directory B2C tenant. The signInNames property of the User entity is a collection of SignInName. For more information about Azure Active Directory B2C, see the Azure Active Directory B2C documentation.
Important: Introduced in version 1.6.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
type | Edm.String | RW | A string value that can be used to classify user sign-in types in your directory, such as "emailAddress" or "userName". |
value | Edm.String | RW | The sign-in used by the local account. Must be unique across the company/tenant. For example, "johnc@example.com". |
UserIdentity Type
Contains information about a identity of a social account user in an Azure Active Directory B2C tenant. The userIdentities property of the User entity is a collection of userIdentity. For more information about Azure Active Directory B2C, see the Azure Active Directory B2C documentation.
Important: Introduced in version 1.6.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
issuer | Edm.String | RW | The string representation of the identity provider that issued the user identifier, such as facebook.com . |
issuerUserId | Edm.Binary | RW | The unique user identifier used by the social identity provider. |
VerifiedDomain Type
Specifies a domain for a tenant. The verifiedDomains property of the TenantDetail entity is a collection of VerifiedDomain.
Properties
Name | Type | Read/Write | Description |
---|---|---|---|
capabilities | Edm.String | R | For example, "Email", "OfficeCommunicationsOnline". |
default | Edm.Boolean | R | true if this is the default domain associated with the tenant; otherwise, false. |
id | Edm.String | R | For example, "00057FFE80187238". |
initial | Edm.Boolean | R | |
name | Edm.String | R | The domain name; for example, "contoso.onmicrosoft.com" |
type | Edm.String | R | For example, "Managed". |
Additional Resources
- Learn more about Graph API supported features, capabilities, and preview features in Graph API concepts