Functions and actions | Graph API reference
Applies to: Graph API | Azure Active Directory
This topic discusses the functions and actions that are exposed by Azure AD Graph API and how you can call them.
The Azure AD Graph API is an OData 3.0 compliant REST API that provides programmatic access to directory objects in Azure Active Directory, such as users, groups, organizational contacts, and applications.
This article applies to Azure AD Graph API. For similar info related to Microsoft Graph API, see directoryObject resource type.
Importante
We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
Using the Graph API to call actions and functions
To call an action or a function with the Graph API, you send POST requests to the appropriate endpoint.
Graph API requests use the following basic URL:
https://graph.windows.net/{tenant_id}/{resource_path}?{api_version}[odata_query_parameters]
Importante
Requests sent to the Graph API must be well-formed, target a valid endpoint and version of the Graph API, and carry a valid access token obtained from Azure AD in their Authorization
header. For more detailed information about creating requests and receiving responses with the Graph API, see Operations Overview.
Functions or actions that are called on the directory service itself do not require a resource path. For functions or operations that are called on a specific resource, you will specify the {resource_path}
differently depending on the resource that you are targeting. The resource path will have the following parts:
(resource_collection}
specifies the resource collection, such as users, contacts, or groups.{resource_id}
identifies the specific resource to target in the resource collection. Typically an object ID (GUID), but, in the case of a user, you can also use the user principal name (UPN).
You can use the me
alias to target the signed-in user. This alias replaces the following URL path segments: {tenant_id}/users/{user_id}
. When you use this alias, the Graph API gets the user and tenant from the bearer token attached to the request.
For example, the following POST request can be used to assign a license to the signed-in user (you must also include an appropriate request body) :
POST https://graph.windows.net/me/assignLicense?api-version=1.6
For more information about performing operations using the me
alias, see REST operations on the signed-in user.
Functions
Functions have no side effects in the directory. That is, when you call a function, it only returns data, it does not modify any data in the directory. The following topics show you how to call functions with the Graph API.
applications: Get application properties by object ID
Call the applications function specifying the objectID to return the details of an application.
Important: Requires version 1.6 or newer.
GET https://graph.windows.net/myorganization/applications/{application_oid}?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_oid | string | 00009987-f6d8-4957-a6ca-7848d986ffff | The object id of the application. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
GET https://graph.windows.net/myorganization/applications/00009987-f6d8-4957-a6ca-7848d986ffff?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.directoryObjects/@Element)",
"odata.type": "Microsoft.DirectoryServices.Application",
"objectType": "Application",
"objectId": "35418b3b-476c-4271-81a8-6db65d397ff4",
"deletionTimestamp": null,
"addIns": [],
"allowActAsForAllClients": null,
"appBranding": null,
"appCategory": null,
"appData": null,
"appId": "1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1",
"appMetadata": {
"version": 0,
"data": [
{
"key": "ApplicationMetadata",
"value": "eyJBcHBsaWNhd..."
}
]
},
"appRoles": [],
"availableToOtherTenants": true,
"displayName": "Test App",
"encryptedMsiApplicationSecret": null,
"errorUrl": null,
"groupMembershipClaims": "None",
"homepage": null,
"identifierUris": [],
"keyCredentials": [
{
"customKeyIdentifier": "pZMUkCG+igju29A1o/BYhnWffff=",
"endDate": "2017-10-11T07:00:00Z",
"keyId": "dceb697c-477a-4a25-be87-38282995ffff",
"startDate": "2012-09-11T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
},
{
"customKeyIdentifier": "pEFcLQgJrxgCgQwBbtV/G5Cffff=",
"endDate": "2017-06-19T07:00:00Z",
"keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
"startDate": "2012-05-19T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
}
],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"passwordCredentials": [],
"publicClient": false,
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"supportsConvergence": false,
"tokenEncryptionKeyId": null
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the application's new key credential and password credential directory object. |
Request Body None.
Response Body
Type | Description |
---|---|
Application | Application properties for the specified object ID. |
applicationsByAppId: Get application properties by application ID
Call the applicationsByAppId function specifying the appID to return details of an application.
Important: Requires version 1.6 or newer.
GET https://graph.windows.net/myorganization/applicationsByAppId/{application_id}?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_id | string | 1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1 | The application ID (GUID) of the application. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Required. |
GET https://graph.windows.net/myorganization/applicationsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Application/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"objectType": "Application",
"objectId": "35418b3b-476c-4271-81a8-6db65d397ff4",
"deletionTimestamp": null,
"addIns": [],
"allowActAsForAllClients": null,
"appBranding": null,
"appCategory": null,
"appData": null,
"appId": "1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1",
"appMetadata": {
"version": 0,
"data": [
{
"key": "ApplicationMetadata",
"value": "eyJBcHBsaWNhd..."
}
]
},
"appRoles": [],
"availableToOtherTenants": true,
"displayName": "Test App",
"encryptedMsiApplicationSecret": null,
"errorUrl": null,
"groupMembershipClaims": "None",
"homepage": null,
"identifierUris": [],
"keyCredentials": [
{
"customKeyIdentifier": "pZMUkCG+igju29A1o/BYhnWffff=",
"endDate": "2017-10-11T07:00:00Z",
"keyId": "dceb697c-477a-4a25-be87-38282995ffff",
"startDate": "2012-09-11T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
},
{
"customKeyIdentifier": "pEFcLQgJrxgCgQwBbtV/G5Cffff=",
"endDate": "2017-06-19T07:00:00Z",
"keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
"startDate": "2012-05-19T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
}
],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"passwordCredentials": [],
"publicClient": false,
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"supportsConvergence": false,
"tokenEncryptionKeyId": null
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the application object ID. |
Request Body None.
Response Body
Type | Description |
---|---|
Application | Application properties for the specified object ID. |
checkMemberGroups: Check for membership in a list of groups
Call checkMemberGroups to check the membership of a user, contact, group, or service principal in a list of groups. The operation is transitive.
You can check up to a maximum of 20 groups per request.
POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/checkMemberGroups?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
resource_collection | string | users | Specifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals. |
resource_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | Specifies the user, contact, group, or service principal for which membership is to be checked. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN).. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/checkMemberGroups?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
"value": [
"8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
"be78b7e2-a94a-4ab0-9bb4-403977cc7ec6"
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. The object IDs of the groups in the request that the target user, contact, group, or service principal has either direct or transitive membership in are returned. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
groupIds | Collection(Edm.String) | Yes | A collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified. |
Response Body
Property Name | Type | Description |
---|---|---|
value | Collection(Edm.String) | A collection that contains the object IDs of the groups specified in the request that the contact, user, group, or service principal is a member of. |
getAvailableExtensionProperties: Get the registered extension properties in a directory
Call the getAvailableExtensionProperties function to return all or a filtered list of the extension properties that have been registered in a directory. The following entities support extension properties: User, Group, TenantDetail, Device, Application, and ServicePrincipal. To learn more about how extension properties are registered and unregistered in a directory and how you can modify their values, see Directory Schema Extensions.
Important: Requires version 1.5 or newer.
POST https://graph.windows.net/myorganization/getAvailableExtensionProperties?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "d6a8bfec-893d-46e4-88fd-7db5fcc0fa62",
"deletionTimestamp": null,
"appDisplayName": "SampleApp",
"name": "extension_4d405aa8baa04fb494d3e0571fd9fd71_skypeId",
"dataType": "String",
"isSyncedFromOnPremises": false,
"targetObjects": [
"User"
]
}
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. A collection that contains the extension properties is returned. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
isSyncedFromOnPremises | Edm.Boolean | No | true to specify that only extension properties that are synced from the on-premises directory should be returned; false to specify that only extension properties that are not synced from the on-premises directory should be returned. If the parameter is omitted then all extension properties (both synced and non-synced) are returned. |
Response Body
Property Name | Type | Description |
---|---|---|
value | Collection(ExtensionProperty) | A collection that contains the extension properties registered with the directory filtered according to the request. |
getMemberGroups: Get group memberships (transitive)
Call the getMemberGroups function on a user, contact, group, or service principal to get the groups that it is a member of. The function is transitive.
Note: The maximum number of groups that can be returned is 2046. If the target object has direct or transitive membership in more than 2046 groups, the function returns an HTTP error response with an error code of Directory_ResultSizeLimitExceeded.
POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberGroups?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
resource_collection | string | users | Specifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals. |
resource_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | Specifies the user, contact, group, or service principal for which group memberships are to be returned. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN).. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/getMemberGroups?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
"value": [
"8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
"be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
"5e624f44-d38d-4943-b07c-2bad078f52ff"
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. The object IDs of the groups that the target user, contact, group, or service principal has either direct or transitive membership in are returned. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
securityEnabledOnly | Edm.Boolean | Yes | true to specify that only security groups that the entity is a member of should be returned; false to specify that all groups that the entity is a member of should be returned. Note: The function can only be called on a user if the parameter is true. |
Response Body
Property Name | Type | Description |
---|---|---|
value | Collection(Edm.String) | A collection that contains the object IDs of the groups that the contact, user, group, or service principal is a member of. |
getMemberObjects: Get group and directory role memberships (transitive)
Call the getMemberObjects function on a user, contact, group, or service principal to get the groups and directory roles that it is a member of. The function is transitive.
Note: The maximum number of groups and directory roles that can be returned is 2046. If the target object has direct or transitive membership in more than 2046 groups and directory roles, the function returns an HTTP error response with an error code of Directory_ResultSizeLimitExceeded.
Important: Requires version 1.5 or newer.
POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberObjects?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
resource_collection | string | users | Specifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals. |
resource_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | Specifies the user, contact, group, or service principal for which group and directory role memberships are to be returned. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN).. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/getMemberObjects?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myortanization/$metadata#Collection(Edm.String)",
"value": [
"8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
"be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
"5e624f44-d38d-4943-b07c-2bad078f52ff"
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. The object IDs of the groups and directory roles that the target user, contact, group, or service principal has either direct or transitive membership in are returned. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
securityEnabledOnly | Edm.Boolean | Yes | true to specify that only security groups that the entity is a member of should be returned; false to specify that all groups and directory roles that the entity is a member of should be returned. Note: The function can only be called on a user if the parameter is true. |
Response Body
Property Name | Type | Description |
---|---|---|
value | Collection(Edm.String) | A collection that contains the object IDs of the groups and directory roles that the contact, user, group, or service principal is a member of. |
getObjectsByObjectIds: Get objects from a list of object IDs
Call the getObjectsByObjectIds function on the directory service to return the directory objects specified in a list of object IDs. You can also specify which resource collections (users, groups, etc.) should be searched by specifying the optional types parameter.
Some common uses for this function are to:
- Resolve the object IDs returned by functions that return collections of object IDs such as getMemberObjects or getMemberGroups to their backing directory objects.
- Resolve object IDs persisted in an external store by the application to their backing directory objects.
Important: Requires version 1.5 or newer.
POST https://graph.windows.net/myorganization/getObjectsByObjectIds?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"objectId": "c57cdc98-0dcd-4f90-a82f-c911b288bab9",
"deletionTimestamp": null,
"description": "Marketing Group",
"dirSyncEnabled": null,
"displayName": "Marketing",
"lastDirSyncTime": null,
"mail": null,
"mailNickname": "cdf76b17-0734-41bc-9c24-9a7af93f3502",
"mailEnabled": false,
"onPremisesSecurityIdentifier": null,
"provisioningErrors": [],
"proxyAddresses": [],
"securityEnabled": true
},
{
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"objectId": "cc9869f0-6ac0-4d00-bc24-621a2d949d35",
"deletionTimestamp": null,
"description": "Engineering Group",
"dirSyncEnabled": null,
"displayName": "Engineering",
"lastDirSyncTime": null,
"mail": null,
"mailNickname": "ef3b8cc1-721b-4452-9e30-9867d1de80ea",
"mailEnabled": false,
"onPremisesSecurityIdentifier": null,
"provisioningErrors": [],
"proxyAddresses": [],
"securityEnabled": true
}
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. A collection that contains the directory objects that match the search criterea is returned. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
objectIds | Collection(Edm.String) | Yes | The collection of object IDs for which to return objects. You can specify up to 1000 object IDs. |
types | Collection(Edm.String) | No | A collection of object types that specifies the set of resource collections (entity sets) to search. If not specified, the default is DirectoryObject, which contains all of the objects in the directory. Any object that derives from DirectoryObject may be specified in the collection; for example: User, Group, ServicePrincipal, and so on. The values are not case sensitive. |
Response Body
Property Name | Type | Description |
---|---|---|
value | Collection(DirectoryObject) | A collection of objects found for the specified Object IDs and resource collections. |
isMemberOf: Check membership in a specific group (transitive)
Call the isMemberOf function on the directory service to check whether a specified user, group, contact, or service principal is a member of a specified group. The operation is transitive,
POST https://graph.windows.net/myorganization/isMemberOf?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.Boolean",
"value": true
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns true if the user, contact, group, or service principal is a member of the specified group; otherwsie, false. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
groupId | Edm.String | Yes | The object ID of the group to check. |
memberId | Edm.String | Yes | The object ID of the contact, group, user, or service principal to check for membership in the specified group. |
Response Body
Property Name | Type | Description |
---|---|---|
value | Edm.Boolean | true if the specified user, group, contact, or service principal has either direct or transitive membership in the specified group; otherwise, false. |
servicePrincipalsByAppId: Get service principal object ID by application ID
Call the servicePrincipalsByAppId function on the directory service to return the the object ID of the specified application ID.
Important: Requires version 1.6 or newer.
GET https://graph.windows.net/myorganization/servicePrincipalsByAppId/{application_id}/objectId?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_id | string | 1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1 | The application ID (GUID) of the service principal. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Required. |
GET https://graph.windows.net/myorganization/servicePrincipalsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1/objectId?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.String",
"value": [
"00b4e797-7017-4720-b187-b01981c820d6"
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the service principal object ID of the specified application ID. |
Request Body
None.
Response Body
Property Name | Type | Description |
---|---|---|
value | Edm.String | The Object ID of the service principal with the specified application ID. |
verify: Verify ownership of a domain
Call the verify action on a domain to validate the ownership of the domain.
Important: Only applies to an unverified domain (the isVerified property of the [Domain] is false). Only supported in version beta.
POST https://graph.windows.net/myorganization/domains({domain_name})/verify?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
domain_name | string | contoso.com | The fully qualified domain name of the target domain. Must be enclosed in single quotes. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Required. |
POST https://graph.windows.net/myorganization/domains(contoso.com)/verify?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#domains/@Element",
"authenticationType": "Managed",
"availabilityStatus": "AvailableImmediately",
"isAdminManaged": true,
"isDefault": false,
"isInitial": false,
"isRoot": true,
"isVerified": true,
"name": "contoso.com",
"supportedServices": []
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the Domain object. The isVerified property indicates whether the ownership of the domain has been verified successfully. |
Request Body
None.
Response Body
Type | Description |
---|---|
[Domain] | The domain being verified. The isVerified property indicates whether the ownership of the domain has been verified successfully. |
Actions
Actions have side effects in the directory. That is, when you call an action, it may alter data in the directory. For example, it may assign a license to a user or restore an application that has previously been deleted.
addKey: Add a KeyCredential for an application
Call the addKey action to add a KeyCredential for an application.
Important: Requires version v1.6 or newer
Nota
Tenant administrators can also add application keys in the Azure portal.
POST https://graph.windows.net/myorganization/applications/{application_oid}/addKey?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_oid | string | 00009987-f6d8-4957-a6ca-7848d986ffff | The object id of the application. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST
https://graph.windows.net/myorganization/applications/00009987-f6d8-4957-a6ca-7848d986ffff/addKey?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
"value": [
{
"keyCredential": {
"customKeyIdentifier": "6uv7gh",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": "MIZB9jVCACfEw="
},
"passwordCredential": null,
"proof": "eyJ0eXAiOiJKv1"
}
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the application's new key credential and password credential directory object. |
POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/addKey?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_id | string | 1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1 | The application ID (GUID) of the application. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/applicationsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1/addKey?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
"value": [
{
"keyCredential": {
"customKeyIdentifier": "JXyLFwBmN=",
"endDate": "2017-10-11T07:00:00Z",
"keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
"startDate": "2012-09-11T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Sign",
"value": null
}
},
{
"keyCredential": {
"customKeyIdentifier": "JXyLFwBmN=",
"endDate": "2017-10-11T07:00:00Z",
"keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
"startDate": "2012-09-11T07:00:00Z",
"type": "Password",
"usage": "Sign",
"value": null
}
}
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the application's new key credential and password credential directory object. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
keyCredential | KeyCredential | Yes | The application key credential to add. Note: keyId value should be null. |
passwordCredential | PasswordCredential | Yes | The application password credential to add. Note: keyId value should be null. |
proof | Edm.String | Yes | A signed JWT token used as a proof of possession of the existing keys. |
This request adds a new key credential and password credential to an application. In this example, only a key credential was added to the application.
POST https://graph.windows.net/myorganization/application/8bea0f8d-83eb-4e89-bfca-1f41c8a22ffff/addKey?api-version=1.6 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 406
{
"keyCredential":
{
"customKeyIdentifier": "6vu7hglDaiwXLbvVeRBIRgSTKXc=",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": "MIIB9jCCAVANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwlEdW..."
}
"passwordCredential": null ,
"proof":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFHZGdvdW5aWlc1bU50Mmg2dmJTM1ZBTHJBVSJ9...."
}
As part of the request validation for this service action, a proof of possession of an existing key is verified before the action can be performed. The proof is represented by a self-signed JWT token. The requesting application needs to generate a self-signed JWT token with the following requirements.
Required claims:
- aud - Audience needs to be AAD Graph SPN
- iss - Issuer needs to be one of the application identifier URIs of the application that is making the call or the App ID GUID
- nbf - not before
- exp - expiration time
The X5T, base64 url encoded signing certificate thumbprint header parameter is required
The token signing key is the private key of one of the application existing certificates. The certificate needs to meet the following criteria to be valid:
- Its public key is part of application keys with Asymmetric/Verify type/usage.
- Its public key has not yet expired.
Applications that don’t have any existing valid certificates (i.e.: no certificates have been added yet, or all certificates have expired), won’t be able to use this service action and separate process will be needed to perform an update instead.
The token lifespan should not exceed 10 minutes. Where token lifespan is the difference between EXP and NBF claims.
assignLicense: Add or remove licenses from a user
Call the assignLicense action on a user to add or remove subscriptions for the user. You can also enable and disable specific plans associated with a subscription.
Important: Requires version 2013-11-08 or newer.
POST https://graph.windows.net/myorganization/users/{user_id}/assignLicense?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
user_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | The user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.6
Response
Status Code:200
Content-Type: application/json
none
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. No response body is returned. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
addLicenses | Collection(AssignedPlan) | Yes | A collection of AssignedLicense objects that specify the licenses to add. You can disable plans associated with a license by setting the disabledPlans property on an AssignedLicense object. |
removeLicenses | Collection(Edm.Guid) | Yes | A collection of GUIDs that identify the licenses to remove. |
Note: Subscription SKU IDs and plan IDs can be read from the tenant object. For example, performing a GET request to https://graph.windows.net/myorganization/subscribedSkus
returns the subscriptions available for the tenant of the signed-in user. These are returned as SubscribedSku entities and the SKU ID can be read from the skuId property. You can get the plan IDs associated with the subscription from the servicePlans collection. Availability of subscriptions can be calculated from the consumedUnits property and values from the prepaidUnits property, which includes counts of units that are “enabled”, “suspended” and in “warning” states.
Addtitional Examples
This request shows an initial license assignment of the Enterprise Office SKU, which contains SharePoint Online, Lync Online and the Exchange Online service plans.
POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35
{
"addLicenses":[{"disabledPlans":[ ],"skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"}],
"removeLicenses":[ ]
}
This request updates the user’s license by disabling specific plans. In this example, there are two disabledPlans (SharePointOnline and LyncOnline"), leaving only the Exchange Service Plan enabled.
POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35
{
"addLicenses":[ { "disabledPlans": [”5dbe027f-2339-4123-9542-606e4d348a72”,
“0feaeb32-d00e-4d66-bd5a-43b5b83db82c” ],
"skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"
}
],
"removeLicenses":[ ]
}
This final request shows how to remove the license from the user.
POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35
{
"addLicenses":[ ],
"removeLicenses":["6fd2c87f-b296-42f0-b197-1e91e994b900"]
}
changePassword: Change password of the signed-in user
Call the changePassword action for the signed-in user to change their own password.
Note: This action can only be called on the signed-in user. In addition to addressing the operation by using the me
alias as shown below, you can use /users/<objectId>/changePassword
or /users/userPrincipalName/changePassword
, but if you use these addressing modes, the target user must be the signed-in user.
Important: Requires version 1.6 or newer.
POST https://graph.windows.net/me/changePassword?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
Query | |||
api-version | string | 1.6 | Specifies the version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
Response
Status Code:204
Content-Type: application/json
none
Response List
Status Code | Description |
---|---|
204 | No Content. Indicates success. No response body is returned. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
currentPassword | Edm.String | Yes | The current password of the signed-in user. |
newPassword | Edm.String | Yes | The new password. |
Response Body
None.
removeKey: Remove a KeyCredential for an application
Call the removeKey action on an application to remove a KeyCredential.
Important: Requires version v1.6 or newer.
Nota
Tenant administrators can also remove application keys in the Azure portal.
POST https://graph.windows.net/myorganization/applications/{application_oid}/removeKey?api-version
POST https://graph.windows.net/myorganization/applications/{application_oid}/removeKey?api-version=1.6
Response
Status Code:204
Content-Type: none
none
Response List
Status Code | Description |
---|---|
204 | No Content. Indicates success. No response body is returned. |
POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/removeKey?api-version
POST https://graph.windows.net/myorganization/applicationsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1/removeKey?api-version=1.6
Response
Status Code:204
Content-Type: none
none
Response List
Status Code | Description |
---|---|
204 | No Content. Indicates success. No response body is returned. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
keyId | Edm.Guid | Yes | The keyId that identifies the application key credentials to remove. |
proof | Edm.String | Yes | A signed JWT token used as a proof of possession of the existing keys. |
This request adds a new key credential and password credential to an application. In this example, only a key credential was added to the application.
POST https://graph.windows.net/myorganization/application/8bea0f8d-83eb-4e89-bfca-1f41c8a22ffff/removeKey?api-version=1.6 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 166
{
"keyId": "739c5e5b-ebcc-43b5-b44a-459e1b4dffff",
"proof":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFHZGdvdW5aWlc1bU50Mmg2dmJTM1ZBTHJBVSJ9...."
}
As part of the request validation for this service action, a proof of possession of an existing key is verified before the action can be performed. The proof is represented by a self-signed JWT token. The requesting application needs to generate a self-signed JWT token with the following requirements.
Required claims:
- aud - Audience needs to be AAD Graph SPN
- iss - Issuer needs to be one of the application identifier URIs of the application that is making the call or the App ID GUID
- nbf - not before
- exp - expiration time
The X5T, base64 url encoded signing certificate thumbprint header parameter is required
The token signing key is the private key of one of the application existing certificates. The certificate needs to meet the following criteria to be valid:
- Its public key is part of application keys with Asymmetric/Verify type/usage.
- Its public key has not yet expired.
Applications that don’t have any existing valid certificates (i.e.: no certificates have been added yet, or all certificates have expired), won’t be able to use this service action and separate process will be needed to perform an update instead.
The token lifespan should not exceed 10 minutes. Where token lifespan is the difference between EXP and NBF claims.
restore: Restore a deleted application
Call the restore action on a deleted application to restore it to the directory.
Note: You can find deleted applications by reading the deletedApplications resource collection. For example, performing a GET to the following URL returns the deleted applications associated with the organization: https://graph.windows.net/myorganization/deletedApplications?api-version=1.5
.
Important: Requires version 1.5 or newer.
POST https://graph.windows.net/myorganization/deletedApplications/{application_id}/restore?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_id | string | 1e22de0f-0ed1-4c01-b725-a822632467e3 | The object ID (GUID) of the application to restore. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/deletedApplications/1e22de0f-0ed1-4c01-b725-a822632467e3/restore?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Application/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"objectType": "Application",
"objectId": "1e22de0f-0ed1-4c01-b725-a822632467e3",
"deletionTimestamp": null,
"appId": "f4ecf40c-e94f-4d79-af83-f920f81bcb66",
"appRoles": [],
"availableToOtherTenants": false,
"displayName": "Sample App 1",
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": "https://localhost",
"identifierUris": [
"https://restoredApp/"
],
"keyCredentials": [],
"knownClientApplications": [],
"logoutUrl": null,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"passwordCredentials": [],
"publicClient": null,
"replyUrls": [
"https://localhost"
],
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the restored Application object. The identifierUris property in the restored application is set or restored according to the identifierUris collection specified in the request. |
Request Body
Property Name | Type | Required | Description |
---|---|---|---|
identifierUris | Collection(Edm.String) | No | The collection of identifier URIs for the application. These will be set in the identifierUris property in the restored Application. If the parameter is omitted, the identifierUris property will retain its original value. |
Response Body
Type | Description |
---|---|
Application | The restored application. |
Additional Resources
- Learn more about Graph API supported features, capabilities, and preview features in Graph API concepts