What's new in Microsoft Graph

Microsoft Graph provides a unified programmability model that you can use to access data in Microsoft 365, Windows, and Enterprise Mobility + Security. This article provides information about what's new in Microsoft Graph APIs, documentation, SDKs, and more.

For more detailed API-level updates, see the Microsoft Graph API changelog.

For details about previous updates to Microsoft Graph, see Microsoft Graph what's new history.

Important

Features in preview status are subject to change without notice, and might not be promoted to generally available (GA) status. Don't use preview features in production apps.

May 2026: New and generally available

Agents

• Added the agentUser resource type and related methods for managing the lifecycle of agent user identities.
• Added verifiedIdProfile resources and related profile configuration for configuring Microsoft Entra Verified ID.

Identity and access | Directory management

Use the deviceRegistrationPolicy resource type and its related methods to manage the policy that controls device registration quota restrictions, additional authentication, and authorization policies for your Microsoft Entra tenant.

Identity and access | Identity and sign-in

• Added the onVerifiedIdClaimValidationCustomExtension and onVerifiedIdClaimValidationListener resource types and associated methods to support custom logic for claim validation from Verified ID credential presentations during authentication flows through Microsoft Entra custom authentication extensions in External ID.
• Added claim validation and match-confidence capabilities to Verified ID profiles, enabling stronger claim verification and more flexible matching.

May 2026: New in preview only

Identity and access | Identity and sign-in

Added the onVerifiedIdClaimValidationCustomExtension and onVerifiedIdClaimValidationListener resource types and associated methods to support custom logic for claim validation from Verified ID credential presentations during authentication flows through Microsoft Entra custom authentication extensions in External ID.

April 2026: New and generally available

Applications

• Added the approvedClientApp resource type for managing approved client applications for remote desktop access.
• Added the managerApplications property to the application and agentIdentityBlueprint resources to enable Microsoft first-party applications to be designated as managers of agent blueprints.

Backup storage

• When a protection policy is deactivated, backup activity stops immediately, no new backups are taken, and the protected resources are no longer covered by the policy. Any backups taken before deactivation are retained according to the retention policy, after which they're offboarded. You can restore data using previous restore points even after deactivation.
• A protection policy can be deleted only after it was deactivated. When you delete a policy, all associated protection units are removed, and backup protection stops for the resources previously covered by the policy. Existing backup data is retained according to the retention policy before it's offboarded. You can restore data using previous restore points even after deletion.

Files

• Use the height and width parameters to download a file in another format when format=jpg.
• Use the List activities API to retrieve recent activities that took place on a drive, list, item, or within an item hierarchy.
• Added support for sharePointGroup and its members in a SharePoint Embedded container, enabling apps to work with SharePoint permission groups and manage their members.

Identity and access | Governance

Use approverRemove as a new supported value for the requestType property of the accessPackageAssignmentRequest resource. For more information, see accessPackageAssignmentRequest.

Identity and access | Identity and sign-in

• Use riskRemediation as part of conditional access grant controls to enforce a User Risk conditional access policy. When you select "Require risk remediation" in your policy's grant controls, Microsoft Entra ID Protection manages the appropriate remediation flow based on the threat observed and the user's authentication method. In passwordless Risky User sessions, it updates risk details with microsoftRevokedSessions.

Teamwork and communications | Apps

Manage Teams apps at the channel level within a team using the following APIs:

• List apps in a channel.
• Get an app in a channel.
• Enable a new Teams app in a channel.
• Disable an app in a channel.

Teamwork and communications | Messaging

• Removed the model parameters and payment-model guidance from Microsoft Teams export APIs and related change-notification documentation. The model query parameter is no longer required and is ignored if supplied. For more information, see Payment models and licensing requirements for Microsoft Teams APIs.
• The following Microsoft Teams APIs support @odata.nextLink pagination to handle increased channel limits. When the result set spans multiple pages, the response includes the @odata.nextLink property with a URL for retrieving the next page of results:
  • List channels
  • List incomingChannels
  • List allChannels

April 2026: New in preview only

Agents

Added deprecation notices to the agentRegistry, agentCardManifest, agentCollection, and agentInstance resources and their related operations. These Agent Registry APIs will be replaced by Agent 365-based APIs starting May 1, 2026.

Applications

Added the deprecationDate property to the applicationTemplate resource to indicate when an application will be removed from the Microsoft Entra application gallery.

Backup storage

• When a protection policy is deactivated, backup activity stops immediately, no new backups are taken, and the protected resources are no longer covered by the policy. Any backups taken before deactivation are retained according to the retention policy, after which they're offboarded. You can restore data using previous restore points even after deactivation.
• A protection policy can be deleted only after it was deactivated. When you delete a policy, all associated protection units are removed, and backup protection stops for the resources previously covered by the policy. Existing backup data is retained according to the retention policy before it's offboarded. You can restore data using previous restore points even after deletion.
• Use the billingPolicyId property on protectionUnitBase, driveProtectionUnit, mailboxProtectionUnit, and siteProtectionUnit to get or set the unique identifier of the billing policy assigned to the protection unit for cost allocation.
• Update the billingPolicyId property on a driveProtectionUnit object.
• Update the billingPolicyId property on a mailboxProtectionUnit object.
• Update the billingPolicyId property on a siteProtectionUnit object.

Device and app management | Cloud PC

• The /me/cloudPCs/{cloudPCId}/getCloudPcLaunchInfo and /users/{userId}/cloudPCs/{cloudPCId}/getCloudPcLaunchInfo endpoints are deprecated and will stop returning data on October 30, 2026. Going forward, use the retrieveCloudPcLaunchDetail API.
• Added the cloudPcOnPremisesConnectionSubnetIpDetail resource type to represent the subnet IP details of a Cloud PC on-premises connection.
• Use the subnetPrivateIpDetail property on cloudPcOnPremisesConnection to get detailed information about the subnet's private IP addresses associated with the subnet.

Files

• Use the height and width query parameters on the driveItem content conversion API to download a file in another format when format=jpg.
• Use the itemCount property on the list resource to quickly access the total number of items in a SharePoint list without retrieving all items or making additional queries.

Identity and access | Directory management

Added the inheritedAppRoleAssignments and inheritedOauth2PermissionGrants relationships to the agentIdentity resource to retrieve inherited permissions from the parent Agent Identity Blueprint Service Principal.

Identity and access | Governance

• Use default, notVisible, and visible as supported values for the approverInformationVisibility property of the accessPackageApprovalStage and approvalStage resources to indicate whether approver information is visible to the requestor.
• Added the cancelProcessing method to the workflow resource to cancel workflow runs that are currently in progress or queued.
• Added the referenceId property and the files relationship to customDataProvidedResourceUploadSession resource to identify the context for which data is being uploaded, such as an access review instance ID, and identify files uploaded during an upload session, respectively. Also added enhanced support for query capabilities for the List customDataProvidedResourceUploadSession objects API operation.

Identity and access | Identity and sign-in

Added the blueprintId and source agent-descriptive properties to agentRiskDetection and riskyAgent resources.

Mail

Introduced the new notes API that enables users to create and manage simple notes in their Notes folder. Notes support text content with optional inline image attachments, and are suitable for quick capture scenarios. Use the note resource and the following APIs:

• List notes in the user's Notes folder.
• Create a note in the user's Notes folder.
• Get a note.
• Update a note.
• Delete a note.
• Get delta to track changes to notes.
• List attachments for a note.
• Create an attachment on a note.
• Delete an attachment from a note.

Mailbox import and export

Learn how to handle HTTP redirects when accessing folders and items in archive mailboxes with autoexpanded folders using the mailbox import and export APIs. For more information, see Handle archive mailbox redirects.

People and workplace intelligence | Profile

Use the activities, awards, and fieldsOfStudy properties on educationalActivityDetail to get or set collections of activities, awards, or fields of study.

Reports | Identity and access reports

Added the azureADPremiumLicenseInsight resource and its associated APIs for getting insights into the Microsoft Entra ID P1 and P2 premium license utilization for the tenant, including feature utilization breakdowns for P1, P2, Internet Access, and Private Access features.

Security | Compliance

Updated the capabilities of the auditLogQuery resource type and its associated methods as follows:

• Updated the auditLogRecordType enumeration to represent over 400 types of audit log operations across Microsoft cloud services.
• Added 135 new derived types of the auditData resource to represent audit log data for specific services and features, including AI and Copilot interactions, agent management, compliance and data lifecycle management (Microsoft Purview, eDiscovery, DLP), cloud services (Azure Firewall, Microsoft Defender, Sentinel), and collaboration services (Teams, Planner, SharePoint, Viva). For a complete list of audit data types, see auditData derived types.

Security | Microsoft Defender for Identity

Use the sensorTypes property on sensorCandidate to get the list of device types for the sensor.

Teamwork and communications | Messaging

• Use the targeted messages APIs to manage messages in Microsoft Teams that are visible only to specified recipients within group chats or channels:
  • Use the targetedChatMessage resource type to represent a targeted message in a chat or channel.
  • Get all targeted messages sent to a user in group chats and channels for compliance and archiving purposes.
  • Get all retained targeted messages for a user, including messages deleted by the sender but preserved due to organizational retention policies.
  • Delete a targeted message from a channel by providing the team ID, channel ID, and message ID.
  • Delete a targeted message from a chat by providing the chat ID and message ID.
• Organize chats, channels, and meetings into custom sections in a user's Microsoft Teams chat list using the new teamworkSection and teamworkSectionItem resources. Use the section management APIs to list, create, get, update, and delete sections, and add, remove, and move items within sections.

Contribute to Microsoft Graph

Are there scenarios you'd like Microsoft Graph to support?

• Suggest and vote for new features by using the Microsoft Graph Feedback Portal. Some new features originate as popular requests from the developer community. The Microsoft Graph team regularly evaluates customer needs and releases new features to the beta (https://graph.microsoft.com/beta) and v1.0 (https://graph.microsoft.com/v1.0) endpoints.

• Join the weekly Microsoft 365 platform community call and become an active member of the Microsoft Graph community. To discover the full calendar of developer calls, visit the Microsoft 365 and Power Platform community page.

• Join our research panel to provide your input on our developer experiences.

Related content

• Microsoft Graph developer blog.
• Microsoft Graph API changelog.
• Microsoft Graph what's new history.