objectIdentity resource type

Namespace: microsoft.graph

Represents an identity used to sign in to a user account. An identity can be provided by Microsoft, by organizations, or by social identity providers such as Facebook, Google, or Microsoft, that are tied to a user account. This enables the user to sign in to the user account with any of those associated identities.

The identities property of the user resource is an objectIdentity object.


Property Type Description
issuer string Specifies the issuer of the identity, for example facebook.com.
For local accounts (where signInType isn't federated), this property is the local B2C tenant default domain name, for example contoso.onmicrosoft.com.
For guests from other Microsoft Entra organization, this is the domain of the federated organization, for example contoso.com.

Supports $filter. 512 character limit.
issuerAssignedId string Specifies the unique identifier assigned to the user by the issuer. The combination of issuer and issuerAssignedId must be unique within the organization. Represents the sign-in name for the user, when signInType is set to emailAddress or userName (also known as local accounts).
When signInType is set to:
  • emailAddress, (or a custom string that starts with emailAddress like emailAddress1) issuerAssignedId must be a valid email address
  • userName, issuerAssignedId must begin with alphabetical character or number, and can only contain alphanumeric characters and the following symbols: - or _
Supports $filter. 64 character limit.
signInType String Specifies the user sign-in types in your directory, such as emailAddress, userName, federated, or userPrincipalName. federated represents a unique identifier for a user from an issuer, that can be in any format chosen by the issuer. Setting or updating a userPrincipalName identity will update the value of the userPrincipalName property on the user object. The validations performed on the userPrincipalName property on the user object, for example, verified domains and acceptable characters, will be performed when setting or updating a userPrincipalName identity. Other validation is enforced on issuerAssignedId when the sign-in type is set to emailAddress or userName. This property can also be set to any custom string.


When filtering on the identities property for an issuerAssignedId, you must supply both issuer and issuerAssignedId. In addition:

  • Filtering for entries with a signInType of federated requires a valid issuer and issuerAssignedId.
  • Filtering for entries with a signInType of userName or emailAddress ignores the issuer value. This is by design.
  • Filtering for entries with a signInType of userPrincipalName isn't supported. This can instead be accomplished by filtering on the userPrincipalName property on the user object.

Filtering on issuer alone is supported for the following values: google.com, facebook.com, mail, and phone.

JSON representation

Here's a JSON representation of the resource.

  "signInType": "string",
  "issuer": "string",
  "issuerAssignedId": "string"