Namespace: microsoft.graph
Create or update the ownerlessGroupPolicy for the tenant. If the policy doesn't exist, it creates a new one; if the policy exists, it updates the existing policy.
To disable the policy, set isEnabled to false. Setting isEnabled to false clears the values of all other policy parameters.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ❌ | ❌ | ❌ |
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Group.ReadWrite.All | Not available. |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Not supported. | Not supported. |
Important
In delegated scenarios, the calling user must be assigned the Groups Administrator or Exchange Administrator Microsoft Entra roles.
HTTP request
PATCH /policies/ownerlessGroupPolicy
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Request body
In the request body, supply a JSON representation of the ownerlessGroupPolicy object. For create operations and for update operations that enable the policy or change its configuration, all required properties must be provided because the API performs a full replacement of the policy configuration. To disable the policy, you can send only isEnabled set to false; when you do so, the service clears the values of all other policy parameters. Unlike the admin portal, the API doesn't apply default values for most properties, except for targetOwners, which defaults to allowing all members to become owners.
| Property | Type | Description |
|---|---|---|
| emailInfo | emailDetails | The email notification details for the ownerless group policy. Required when creating the policy or when enabling or updating the policy configuration. |
| enabledGroupIds | String collection | The collection of IDs for Microsoft 365 groups for which the policy is enabled. If empty, the policy is enabled for all groups in the tenant. Required when creating the policy or when enabling or updating the policy configuration. |
| isEnabled | Boolean | Indicates whether the ownerless group policy is enabled. Required. Setting this property to false clears the values of all other policy parameters; to disable the policy, you can send only this property with the value false. |
| maxMembersToNotify | Int64 | The maximum number of members to notify. Value range is 0-90. Required when creating the policy or when enabling or updating the policy configuration. |
| notificationDurationInWeeks | Int64 | The number of weeks for the notification duration. Value range is 1-7. Required when creating the policy or when enabling or updating the policy configuration. |
| policyWebUrl | String | The URL to the policy documentation. Optional. |
| targetOwners | targetOwners | Specifies which members are eligible to become owners. If not specified, all members are eligible. Optional. |
Response
If successful, this method returns a 200 OK response code and an updated ownerlessGroupPolicy object in the response body when the policy already exists, or a 201 Created response code and a new ownerlessGroupPolicy object in the response body when the policy is created.
Errors
| Condition | Status code | Error code |
|---|---|---|
| notificationDurationInWeeks is not in range 1-7 | 400 Bad Request | badRequest |
| maxMembersToNotify is not in range 0-90 | 400 Bad Request | badRequest |
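A pre-flight check for the request-body rules and ranges above, as an added example that is not part of the Microsoft Graph documentation. Because the PATCH replaces the whole configuration, `build_update` re-sends the last known policy with the changes applied, and `validate_patch_body` enforces the required properties and value ranges before any request is made. Both function names are hypothetical, and `CURRENT` is a constructed sample based on the response in Example 1.

```python
REQUIRED_WHEN_ENABLED = ("emailInfo", "enabledGroupIds",
                         "maxMembersToNotify", "notificationDurationInWeeks")
RANGES = {"maxMembersToNotify": (0, 90), "notificationDurationInWeeks": (1, 7)}
# Properties from the request-body table; anything else (e.g. @odata.type) is dropped.
WRITABLE = REQUIRED_WHEN_ENABLED + ("isEnabled", "policyWebUrl", "targetOwners")


def validate_patch_body(body):
    """Return a list of problems with a PATCH body; an empty list means OK."""
    if not isinstance(body.get("isEnabled"), bool):
        return ["isEnabled is required and must be a Boolean"]
    if not body["isEnabled"]:
        return []  # disabling needs nothing else; the service clears the rest
    problems = [f"missing required property: {name}"
                for name in REQUIRED_WHEN_ENABLED if name not in body]
    for name, (low, high) in RANGES.items():
        value = body.get(name)
        in_range = type(value) is int and low <= value <= high
        if name in body and not in_range:
            problems.append(f"{name} must be an integer in {low}-{high}")
    return problems


def build_update(current, changes):
    """Merge changes into the last known policy and return a complete body.

    Raises ValueError when the merged body breaks a documented rule.
    """
    body = {k: current[k] for k in WRITABLE if k in current}
    body.update(changes)
    if body.get("isEnabled") is False:
        body = {"isEnabled": False}  # the only property needed to disable
    problems = validate_patch_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    return body


# Constructed sample: the policy from the Example 1 response, email body shortened.
CURRENT = {
    "@odata.type": "#microsoft.graph.ownerlessGroupPolicy",
    "isEnabled": True,
    "notificationDurationInWeeks": 3,
    "maxMembersToNotify": 40,
    "enabledGroupIds": ["b14e5eb2-a0a1-4c8f-b83e-940526219200"],
    "emailInfo": {"senderEmailAddress": "admin@contoso.com",
                  "subject": "Need your help with $Group.Name group",
                  "body": "This group currently does not have an owner."},
    "policyWebUrl": "https://contoso.com/policies/ownerless-groups",
}
```

Calling `build_update(CURRENT, {"maxMembersToNotify": 50})` returns a full body that still carries `emailInfo` and `enabledGroupIds`, so changing one setting does not drop the others.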
Examples
Example 1: Create or update the ownerless group policy
Request
The following example shows a request.
```http
PATCH https://graph.microsoft.com/v1.0/policies/ownerlessGroupPolicy
Content-Type: application/json

{
  "isEnabled": true,
  "notificationDurationInWeeks": 3,
  "maxMembersToNotify": 40,
  "policyWebUrl": "https://contoso.com/policies/ownerless-groups",
  "targetOwners": {
    "notifyMembers": "allowSelected",
    "securityGroups": [
      "security-group1@contoso.com",
      "security-group2@contoso.com"
    ]
  },
  "enabledGroupIds": [
    "b14e5eb2-a0a1-4c8f-b83e-940526219200",
    "454dde77-ac2b-421b-a6ab-165be910e0fc"
  ],
  "emailInfo": {
    "senderEmailAddress": "admin@contoso.com",
    "subject": "Need your help with $Group.Name group",
    "body": "Hi $User.DisplayName, \n\nYou're receiving this email because you've been an active member of the $Group.Name group. This group currently does not have an owner. \n\nPer your organization's policy, the group requires an owner.\n\nThank you"
  }
}
```
Response
The following example shows the response.
Note: The response object shown here might be shortened for readability.
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.ownerlessGroupPolicy",
  "isEnabled": true,
  "notificationDurationInWeeks": 3,
  "maxMembersToNotify": 40,
  "enabledGroupIds": [
    "b14e5eb2-a0a1-4c8f-b83e-940526219200",
    "454dde77-ac2b-421b-a6ab-165be910e0fc"
  ],
  "emailInfo": {
    "@odata.type": "microsoft.graph.emailDetails",
    "senderEmailAddress": "admin@contoso.com",
    "subject": "Need your help with $Group.Name group",
    "body": "Hi $User.DisplayName, \n\nYou're receiving this email because you've been an active member of the $Group.Name group. This group currently does not have an owner. \n\nPer your organization's policy, the group requires an owner.\n\nThank you"
  },
  "policyWebUrl": "https://contoso.com/policies/ownerless-groups",
  "targetOwners": {
    "@odata.type": "microsoft.graph.targetOwners",
    "notifyMembers": "allowSelected",
    "securityGroups": [
      "security-group1@contoso.com",
      "security-group2@contoso.com"
    ]
  }
}
```
Example 2: Disable the ownerless group policy
Request
The following example shows a request.
```http
PATCH https://graph.microsoft.com/v1.0/policies/ownerlessGroupPolicy
Content-Type: application/json

{
  "isEnabled": false
}
```
Response
The following example shows the response.
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.ownerlessGroupPolicy",
  "isEnabled": false,
  "notificationDurationInWeeks": 0,
  "maxMembersToNotify": 0,
  "enabledGroupIds": [],
  "emailInfo": {
    "@odata.type": "microsoft.graph.emailDetails",
    "senderEmailAddress": "",
    "subject": "",
    "body": ""
  },
  "policyWebUrl": "",
  "targetOwners": {
    "@odata.type": "microsoft.graph.targetOwners",
    "notifyMembers": "all",
    "securityGroups": []
  }
}
```