Property differences between Azure AD Graph and Microsoft Graph
This article is part of step 1: review API differences of the process to migrate apps.
In general, the best way to compare the Azure Active Directory (Azure AD) Graph API to Microsoft Graph is to compare the underlying metadata for each service, especially the resource descriptions:
This article highlights property differences between resources. If a property is not shown in this list, it is already available in the v1.0 version of Microsoft Graph, with exactly the same name as in Azure AD Graph.
Because the user and group resources are so frequently used, they're listed first. Other resources are listed alphabetically.
User property differences
The Azure AD Graph User resource inherits from DirectoryObject; it has been renamed to user in Microsoft Graph and inherits from directoryObject.
The Microsoft Graph v1.0 endpoint returns a limited set of user properties by default, while Azure AD Graph returns all properties. To read other properties that aren't returned by default, specify them in a $select query. For more information, see the user resource type.
The following table lists the additional property differences.
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| deletedTimestamp | beta - deletedDateTime v1.0 - deletedDateTime |
|
| dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled |
|
| facsimileTelephoneNumber | beta - faxNumber v1.0 - faxNumber |
|
| immutableId | beta - onPremisesImmutableId v1.0 - onPremisesImmutableId |
|
| isCompromised | beta - Not available v1.0 - Not available |
The Microsoft Graph identity protection API provides more sophisticated functionality. |
| lastDirSyncDateTime | beta - onPremisesLastSyncDateTime v1.0 - onPremisesLastSyncDateTime |
|
| mobile | beta - mobilePhone v1.0 - mobilePhone |
|
| passwordProfile/enforceChangePasswordPolicy | beta - passwordProfile/forceChangePasswordNextSignIn v1.0 - passwordProfile/forceChangePasswordNextSignIn |
|
| passwordProfile/forceChangePasswordNextLogin | beta - passwordProfile/forceChangePasswordNextSignInWithMfa v1.0 - passwordProfile/forceChangePasswordNextSignInWithMfa |
|
| provisioningErrors | beta - Not available v1.0 - Not available |
This property and its information is deprecated. However, a new property describing any AD Connect related provisioning errors can be found in onPremisesProvisioningErrors |
| refreshTokensValidFromDateTime | beta - signinSessionsValidFromDateTime v1.0 - signinSessionsValidFromDateTime |
|
| signinNames | beta - identities/signInType v1.0 - identities/signInType |
This property is now part of the objectIdentity resource. |
| telephoneNumber | beta - businessPhones v1.0 - businessPhones |
|
| thumbnailPhoto | beta - photo, photos v1.0 - photo, photos |
The Azure AD thumbnail photo is not available through Microsoft Graph. Use the photo API instead. |
| userIdentities | beta - identities v1.0 - identities |
See objectIdentity resource type for more details. |
| userState | beta - externalUserState v1.0 - externalUserState |
|
| userStateChangedOn | beta - externalUserStateChangeDateTime v1.0 - externalUserStateChangeDateTime |
Group property differences
The Azure AD Graph Group resource inherits from DirectoryObject; it has been renamed to group in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled |
|
| lastDirSyncDateTime | beta - onPremisesLastSyncDateTime v1.0 - onPremisesLastSyncDateTime |
|
| provisioningErrors | beta - Not available v1.0 - Not available |
This property and its information is deprecated. However, a new property describing any AD Connect related provisioning errors can be found in onPremisesProvisioningErrors |
Application property differences
The Azure AD Graph Application resource inherits from DirectoryObject; it has been renamed to application in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| acceptMappedClaims | beta - api/acceptMappedClaims v1.0 - api/acceptMappedClaims |
acceptMappedClaims is now part of the new api resource. |
| availableToOtherTenants | beta - signInAudience v1.0 - signInAudience |
The default value for availableToOtherTenants is false (meaning AzureADMyOrg) while for signInAudience is AzureADandPersonalMicrosoftAccount. |
| errorUrl | beta - not available v1.0 - not available |
This property is deprecated. |
| homepage | beta - web/homePageUrl v1.0 - web/homePageUrl |
homepage is now part of the new web resource. |
| informationalUrls | beta - info v1.0 - info |
|
| knownClientApplications | beta - api/knownClientApplications v1.0 - api/knownClientApplications |
knownClientApplications is now part of the new api resource. |
| logoutUrl | beta - web/logoutUrl v1.0 - web/logoutUrl |
logoutUrl is now part of the web resource. |
| logoUrl | beta - info/logoUrl v1.0 - info/logoUrl |
logoUrl is now part of the new info resource. |
| mainLogo | beta - logo v1.0 - logo |
|
| oauth2AllowIdTokenImplicitFlow | beta - web/implicitGrantSettings/enableIdTokenIssuance v1.0 - web/implicitGrantSettings/enableIdTokenIssuance |
Renamed, and now part of the new implicitGrantSettings resource. |
| oauth2AllowImplicitFlow | beta - web/implicitGrantSettings/enableAccessTokenIssuance v1.0 - web/implicitGrantSettings/enableAccessTokenIssuance |
Renamed, and now part of the new implicitGrantSettings resource. |
| oauth2AllowUrlPathMatching | beta - not available v1.0 - not available |
This property is deprecated. |
| oauth2Permissions | beta - api/oauth2PermissionScopes v1.0 - api/oauth2PermissionScopes |
Renamed and now part of the new api resource. |
| publicClient | beta - isFallbackPublicClient v1.0 - isFallbackPublicClient |
This property now has a new meaning - it contains the public client settings like redirectUris. Determining whether the app is a public or confidential client or not is now done automatically, with the isFallbackPublicClient property handling the one special case that cannot be determined automatically. |
| recordConsentConditions | beta - not available v1.0 - not available |
This property is deprecated. |
| replyUrls | beta - web/redirectUris, publicClient/redirectUris v1.0 - web/redirectUris, publicClient/redirectUris |
As well as being renamed, redirectUris is now part of the new web and publicClient resources. This allows developers to use specific URIs for their web and public clients (such as an installed application on a desktop device). |
| samlMetadataUrl | beta - samlMetadataUrl v1.0 - Not yet available |
|
| serviceEndpoints | beta - Not available v1.0 - Not available |
This property is deprecated, but is planned for servicePrincipal. |
AppRoleAssignment differences
The Azure AD Graph AppRoleAssignment resource inherits from DirectoryObject; it has been renamed to appRoleAssignment in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| creationTimestamp | beta - creationTimestamp v1.0 - createdDateTime |
|
| id | beta - appRoleId v1.0 - appRoleId |
Contact property differences
The Azure AD Graph Contact resource inherits from DirectoryObject; it has been renamed to orgContact in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| city | beta - addresse/city v1.0 - addresses/city |
The city property is part of the addresses resource collection. |
| country | beta - addresses/countryOrRegion v1.0 - addresses/countryOrRegion |
The countryOrRegion property is part of the addresses resource collection. |
| dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled |
|
| facsimileTelephoneNumber | beta - phones/businessFax v1.0 - phones/businessFax |
Now part of the phones collection which supports various phone types. |
| physicalDeliveryOfficeName | beta - officeLocation v1.0 - officeLocation |
|
| postalCode | beta - addresses/postalCode v1.0 - addresses/postalCode |
The postalCode property is part of the addresses resource collection. |
| provisioningErrors | beta - not available v1.0 - not available |
This property and its information is deprecated. However, a new property describing any AD Connect related provisioning errors can be found in onPremisesProvisioningErrors. Currently this is only available in beta. |
| sipProxyAddress | beta - imAddresses v1.0 - imAddresses |
|
| state | beta - addresses/state v1.0 - addresses/state |
The state property is part of the addresses resource collection. |
| streetAddress | beta - addresses/street v1.0 - addresses/street |
The street property is part of the addresses resource collection. |
| telephoneNumber | beta - phones/business v1.0 - phones/business |
Now part of the phones collection which supports various phone types. |
| thumbnailPhoto | beta - Not yet available v1.0 - Not yet available |
Contract property differences
The Azure AD Graph Contract resource inherits from DirectoryObject; it has been renamed to contract in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| customerContextId | beta - customerId v1.0 - customerId |
Device property differences
The Azure AD Graph Device resource inherits from DirectoryObject; it has been renamed to device in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| approximateLastLogonTimestamp | beta - approximateLastSignInDateTime v1.0 - approximateLastSignInDateTime |
|
| complianceExpiryTime | beta - complianceExpirationDateTime v1.0 - complianceExpirationDateTime |
|
| deviceObjectVersion | beta - deviceVersion v1.0 - deviceVersion |
|
| deviceOSType | beta - operatingSystem v1.0 - operatingSystem |
|
| deviceOSVersion | beta - operatingSystemVersion v1.0 - operatingSystemVersion |
|
| devicePhysicalIds | beta - physicalIds v1.0 - physicalIds |
|
| deviceTrustType | beta - trustType v1.0 - trustType |
|
| dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled |
|
| lastDirSyncTime | beta - onPremisesLastSyncDateTime v1.0 - onPremisesLastSyncDateTime |
DirectoryObject property differences
The Azure AD Graph DirectoryObject resource has been renamed to directoryObject in Microsoft Graph. The changes to its properties will also be seen in other resources that inherit from DirectoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| deletionTimestamp | beta - deletedDateTime v1.0 - deletedDateTime |
While deletionTimestamp was a DateTime type, deletedDateTime is a DateTimeOffset type. |
| objectId | beta - id v1.0 - id |
The id property in Microsoft Graph is inherited from the entity resource. |
| objectType | beta - Not available v1.0 - Not available |
This property is not used in Microsoft Graph. Instead, Microsoft Graph returns the @odata.type property but only for APIs that might return objects of different types or derived types. For example, the List group members API might return members who are users, groups, service principals, organizational contacts, or devices. For users, the @odata.type is #microsoft.graph.user. |
DirectoryObjectReference property differences
The Azure AD Graph DirectoryObjectReference resource inherits from DirectoryObject; it has been renamed to directoryObjectPartnerReference in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| externalContextId | beta - externalPartnerTenantId v1.0 - externalPartnerTenantId |
Domain property differences
The Azure AD Graph Domain resource has been renamed to domain in Microsoft Graph. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| name | beta - id v1.0 - id |
In Microsoft Graph, the unique identifier (id) contains the domain name; the name property doesn't exist. |
| forceDeleteState | beta - state v1.0 - state |
In Azure AD Graph, there are separate forceDelete and domain state properties. In Microsoft Graph, all domain states are handled by the state property. |
| isDefaultForCloudRedirections | beta - Not yet available v1.0 - Not yet available |
OAuth2PermissionsGrant property differences
The Azure AD Graph OAuth2PermissionsGrant resource has been renamed to oAuth2PermissionsGrant in Microsoft Graph. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| expiryTime | beta - expiryTime v1.0 - Removed |
This property is not used and is removed in Microsoft Graph v1.0. |
| startTime | beta - startTime v1.0 - Removed |
This property is not used and is removed in Microsoft Graph v1.0. |
Policy property differences
In Microsoft Graph, there are named policy types (such as tokenIssuancePolicy or tokenLifetimePolicy) rather than a generic policy resource type. More details are available in the policy overview.
ServiceEndpoint property differences
The Azure AD Graph ServiceEndpoint resource inherits from DirectoryObject; it has been renamed to endpoint in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| serviceId | beta - providerId v1.0 - providerId |
|
| serviceName | beta - providerName v1.0 - providerName |
|
| resourceId | beta - providerResourceId v1.0 - providerResourceId |
ServicePrincipal property differences
The Azure AD Graph ServicePrincipal resource inherits from DirectoryObject; it has been renamed to servicePrincipal in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| appOwnerTenantId | beta - appOwnerOrganizationId v1.0 - appOwnerOrganizationId |
Renamed. |
| informationalUrls | beta - info v1.0 - info |
|
| oauth2Permissions | beta - publishedPermissionScopes v1.0 - oauth2PermissionScopes |
Renamed. |
| preferredTokenSigningKeyEndDateTime | beta - Not yet available v1.0 - Not yet available |
|
| signInAudience | beta - Not yet available v1.0 - Not yet available |
|
| serviceEndpoints | beta - endpoint v1.0 - endpoint |
Renamed. |
TenantDetails property differences
The Azure AD Graph TenantDetail resource inherits from DirectoryObject; it has been renamed to organization in Microsoft Graph and inherits from directoryObject. Here are the property differences:
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| companyLastDirSyncTime | beta - onPremisesLastSyncDateTime v1.0 - onPremisesLastSyncDateTime |
|
| dirSyncEnabled | beta - onPremisesSyncEnabled v1.0 - onPremisesSyncEnabled |
|
| provisioningErrors | beta - Not available v1.0 - Not available |
This property and its information is deprecated. |
| telephoneNumber | beta - businessPhones v1.0 - businessPhones |
TrustedCasForPasswordlessAuth property differences
The Azure AD Graph TrustedCasForPasswordlessAuth resource has been renamed to certificateBasedAuthConfiguration. There are no property differences; however, there are differences in the certificateAuthority resource type used by the certificateAuthorities property.
CertificateAuthorityInformation property differences
The Azure AD Graph CertificateAuthorityInformation has been renamed to certificateAuthority in Microsoft Graph. The following are the property differences.
| Azure AD Graph (v1.6) property |
Microsoft Graph property |
Comments |
|---|---|---|
| authorityType | beta - isRootAuthority v1.0 - isRootAuthority |
This property's type has also changed into a Boolean. Previously this property had to be set to either "RootAuthority" or "IntermediateAuthority". Setting the new property to true is equivalent to "RootAuthority". |
| crlDistributionPoint | beta - certificateRevocationListUrl v1.0 - certificateRevocationListUrl |
|
| deltaCrlDistributionPoint | beta - deltaCertificateRevocationListUrl v1.0 - deltaCertificateRevocationListUrl |
|
| trustedCertificate | beta - certificate v1.0 - deltaCertificateRevocationListUrl |
|
| trustedIssuer | beta - issuer v1.0 - issuer |
|
| trustedIssuerSki | beta - issuerSki v1.0 - issuerSki |
Next Steps
- Learn about method differences between Azure AD Graph and Microsoft Graph.
- Review the checklist again.
Feedback
Submit and view feedback for