Working with Microsoft Entra resources in Microsoft Graph

With Microsoft Graph, you can access Microsoft Entra resources to enable scenarios like managing administrator (directory) roles, inviting external users to an organization, and, if you are a Cloud Solution Provider (CSP), managing your customer's data. Microsoft Graph also provides methods that apps can use to, for example, discover information about users' transitive group and role memberships.

Note: Some Microsoft Entra resources are documented in other sections of the API reference. For more information, see Users and Groups.

Authorization

To call the Microsoft Graph APIs on Microsoft Entra resources, your app will need the appropriate permissions. Many of the APIs exposed on Microsoft Entra resources require one of the Directory permissions. Directory permissions are highly privileged and always require administrator consent.

If your app is acting on behalf of a user (delegated permissions), that user will likely need to be a member of an appropriate administrator role for your app to successfully call many of the Microsoft Entra APIs.

For more information about permissions, including delegated and application permissions, see Permissions.
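The sketch below is an added example, not part of the original documentation or of any Microsoft SDK. During a permissions review, it decodes a Microsoft identity platform access token and separates the Directory permissions it carries into delegated ones (the space-separated scp claim) and application ones (the roles claim). The function names and the sample tokens are constructed for illustration, and the payload is decoded without signature verification, so this is for triage only and never for making an access decision.

```python
import base64
import json

# Permission family this page calls out as highly privileged.
DIRECTORY_PREFIX = "Directory."


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying its signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def directory_permissions(claims: dict) -> dict:
    """Split Directory.* permissions into delegated (scp) and application (roles)."""
    delegated = [s for s in claims.get("scp", "").split()
                 if s.startswith(DIRECTORY_PREFIX)]
    application = [r for r in claims.get("roles", [])
                   if r.startswith(DIRECTORY_PREFIX)]
    # Write-capable or act-as-user grants are the ones to look at first.
    review_first = [p for p in delegated + application
                    if "ReadWrite" in p or "AccessAsUser" in p]
    return {"delegated": sorted(delegated),
            "application": sorted(application),
            "review_first": sorted(review_first)}


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed data, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: one delegated (user) token and one app-only token.
USER_TOKEN = _constructed_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read Directory.Read.All"})
APP_TOKEN = _constructed_token(
    {"aud": "https://graph.microsoft.com",
     "roles": ["Directory.ReadWrite.All", "Mail.Read"]})

if __name__ == "__main__":
    for name, token in (("user", USER_TOKEN), ("app", APP_TOKEN)):
        print(name, directory_permissions(decode_claims(token)))
```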

Common use cases

The following table lists some common use cases for Microsoft Entra resources.

| Use cases | REST resources | See also |
| --- | --- | --- |
| Directory object and methods | | |
| directoryObject is the base class that many directory resources, like users and groups, inherit from. Microsoft Graph exposes several methods that you can use to discover information about users, groups, and other directory objects. For example, you can check for transitive membership in a list of groups, return all the groups and directory roles that a directory object is a transitive member of, or get all the resources of a specified type (like user or group) from a list of generic resource IDs. | directoryObject | N/A |
| Manage directory (administrator) roles | | |
| Activate directory roles in a Microsoft Entra tenant and manage user memberships in directory roles. Directory roles are also known as administrator roles. | directoryRole, directoryRoleTemplate | Assigning Microsoft Entra administrator roles |
| Apply predefined group settings across a tenant or to individual resource instances. Group settings control behaviors like blocked word lists for group display names, whether guest users are allowed to be group owners, and much more. | groupSetting, groupSettingTemplate | Microsoft Entra cmdlets for configuring group settings |
| Manage devices | | |
| Manage devices registered in the organization. Devices are registered to users and include items like laptops, desktops, tablets, and mobile phones. Devices are typically created in the cloud using the Device Registration Service or by Microsoft Intune. They're used by conditional access policies for multifactor authentication. | device | Getting started with Microsoft Entra device registration; What is Intune?; Enroll devices for management in Intune |
| Partner tenant management | | |
| Get information about partnerships with customer tenants. Note: This applies to partner tenants only. Partner tenants are Microsoft Entra tenants that belong to Microsoft partners who are either part of the Microsoft Cloud Solution Provider, Office 365 Syndication, or Microsoft Advisor partner programs. | contract | Call Microsoft Graph from a Cloud Solution Provider application |
| Manage domains associated with a tenant. Domain operations enable registrars to automate domain association for services such as Microsoft 365. | domain | Add a custom domain name to Microsoft Entra ID |
| Tenant management | | |
| Get information about an organization, such as its business address, technical and notification contacts, the service plans that it's subscribed to, and the domains associated with it. | organization | N/A |
| Get information about the service SKUs that a company is subscribed to. | subscribedSku | N/A |
| Invite external (guest) users to an organization. | invitation | What is Microsoft Entra B2B collaboration? |
| Manage branding for the sign-in experience of an organization. | organizationalbranding | Add branding to your organization's Microsoft Entra sign-in page |
| Consent requests | | |
| Manage the consent request workflow for users attempting to access apps that require admin authorization. | Consent requests API | Configure the admin consent workflow |

Next steps

Directory resources and APIs can open up new ways for you to engage with users and manage their experiences with Microsoft Graph. To learn more:

  • Drill down on the methods and properties of the resources most helpful to your scenario.
  • Try the API in the Graph Explorer.