This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 10%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
In the Active Directory GUI within Azure I can search an ID and this will return the user in the organization with that id (including managed identities, service principles and app registrations) - does anyone know the endpoint to retrieve this using a Rest API?
Are their any permissions associated with this I will need to seek?
Thanks in advance!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 0%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Hi Aidan,
you can use the graph REST API to retrieve that data.
https://graph.microsoft.com/v1.0/users
Permissions needed would be Directory.Read.All
A good place to test the out the REST APIs is the graph explorer.
https://developer.microsoft.com/en-us/graph/graph-explorer
Let me know if this what you were looking for or if theres anything further i can help with.
Thanks for the response, and I did look here, I'm wondering is there an alternative to giving a permission that broad? (could maybe assign to a function app) I don't have this permission yet can do this search on the GUI, is there another API that could be being called here?
The attached image is where I'm talking about.
My guess is this endpoint is redirecting from within Azure which has this directory read all permission?
Added this reply by accident sorry (edited)!
Hi Aidan, If you open your dev tools in your browser (F12). you'll see the same graph api is being run. it also checks the permission.
You can create a service principle ( Enterprise Application) and give it the delegated application permission Directory.read.all so it can run the query using powershell.
Hi @Aidan Dowling
This is a global search box that can search users/groups/applications within a tenant by a given value. As far as I know, there is currently no Graph API endpoint available for global search, you must call the corresponding API endpoint based on the given value.
Each API endpoint has its corresponding API permissions. Based on the principle of least privilege, we recommend that you grant the lowest privilege to the call principal to perform fine-grained access.
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Hello @Aidan Dowling , extending answers provided by my colleagues, there's actually an endpoint that will allow you to get any Azure AD object that inherits from directory object (application, servicePrincipal, user, administrativeUnit, appRoleAssignment, directoryRole, device, group, and orgContact) using its object id. Please take a look to Get directoryObject. Both user and application permissions are supported.
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
Hi @Alfredo Revilla (MSFT) ,
You are right, thanks @Alfredo for confirming this :)