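Functions and actions | Graph API reference
**Applies to:** Graph API | Azure Active Directory
This topic discusses the functions and actions exposed by the Azure AD Graph API and how to call them.
The Graph API is an OData 3.0 compliant REST API that provides programmatic access to directory objects in Azure Active Directory, such as users, groups, organizational contacts, and applications.
Important
Azure AD Graph API functionality is also available through Microsoft Graph, a unified API that also includes APIs from other Microsoft services such as Outlook, OneDrive, OneNote, Planner, and Office Graph, all accessible through a single endpoint with a single access token.
Calling actions and functions with the Graph API
To call an action or function with the Graph API, you send a POST request to the appropriate endpoint.
Graph API requests use the following base URL: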
https://graph.windows.net/{tenant_id}/{resource_path}?{api_version}[odata_query_parameters]
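Important
Requests sent to the Graph API must be well-formed, target a valid endpoint and version of the Graph API, and carry a valid access token obtained from Azure AD in their Authorization header. For more detailed information about creating requests and receiving responses with the Graph API, see [Operations Overview].
Functions or actions that are called on the directory service itself do not require a resource path. For functions or actions that are called on a specific resource, you specify the {resource_path} in different ways depending on the resource you are targeting. The resource path has the following parts:
- {resource_collection} specifies the resource collection, for example users, contacts, or groups.
- {resource_id} identifies the specific resource to target within the resource collection. Typically this is an object ID (GUID), but for users you can also use the user principal name (UPN).
You can use the me alias to target the signed-in user. This alias replaces the following URL path segments: {tenant_id}/users/{user_id}. When you use this alias, the Graph API gets the user and the tenant from the bearer token attached to the request.
For example, you can use the following POST request to assign a license to the signed-in user (you must also include an appropriate request body):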
POST https://graph.windows.net/me/assignLicense?api-version=1.6
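For more information about performing operations with the me alias, see REST operations on the signed-in user.
Functions
Functions have no side effects in the directory. That is, when you call a function, it only returns data and does not modify any data in the directory. The following topics show how to call functions with the Graph API.
checkMemberGroups: Check for membership in a list of groups
Call checkMemberGroups to check for membership of a user, contact, group, or service principal in a list of groups. This operation is transitive.
You can check up to 20 groups per request.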
{
"api": "Functions",
"operation": "checkMemberGroups"
}
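Request body
Property name | Type | Required | Description |
---|---|---|---|
isSyncedFromOnPremises | Collection(Edm.String) | Yes | A collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified. |
Response body
Property name | Type | Description |
---|---|---|
value | Collection(Edm.String) | A collection that contains the object IDs of the groups (specified in the request) that the contact, user, group, or service principal is a member of. |
getAvailableExtensionProperties: Get the registered extension properties in a directory
Call the getAvailableExtensionProperties function to return the full list or a filtered list of the extension properties that are registered in a directory. Extension properties are supported on the following entities: [User], [Group], [TenantDetail], [Device], [Application], and [ServicePrincipal]. To learn more about how to register and unregister extension properties in a directory and how to modify their values, see [Directory Schema Extensions].
Important: Requires version 1.5 or later.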
{
"api": "Functions",
"operation": "getAvailableExtensionProperties"
}
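Request body
Property name | Type | Required | Description |
---|---|---|---|
isSyncedFromOnPremises | Edm.Boolean | No | true to return only extension properties that are synced from the on-premises directory; false to return only extension properties that are not synced from the on-premises directory. If the parameter is omitted, all extension properties (both synced and non-synced) are returned. |
Response body
Property name | Type | Description |
---|---|---|
value | Collection([ExtensionProperty]) | A collection that contains the extension properties registered in the directory, filtered according to the request. |
getMemberGroups: Get group memberships (transitive)
Call the getMemberGroups function on a user, contact, group, or service principal to get the groups that it is a member of. This function is transitive.
Note: The maximum number of groups that can be returned is 2046. If the target object has direct or transitive membership in more than 2046 groups, the function returns an HTTP error response with an error code of Directory_ResultSizeLimitExceeded.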
{
"api": "Functions",
"operation": "getMemberGroups"
}
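Request body
Property name | Type | Required | Description |
---|---|---|---|
securityEnabledOnly | Edm.Boolean | Yes | true to return only the security groups that the entity is a member of; false to return all groups that the entity is a member of. Note: If the parameter is true, the function can only be called on a user. |
Response body
Property name | Type | Description |
---|---|---|
value | Collection(Edm.String) | A collection that contains the object IDs of the groups that the contact, user, group, or service principal is a member of. |
getMemberObjects: Get group and directory role memberships (transitive)
Call the getMemberObjects function on a user, contact, group, or service principal to get the groups and directory roles that it is a member of. This function is transitive.
Note: The maximum number of groups and directory roles that can be returned is 2046. If the target object has direct or transitive membership in more than 2046 groups and directory roles, the function returns an HTTP error response with an error code of Directory_ResultSizeLimitExceeded.
Important: Requires version 1.5 or later.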
{
"api": "Functions",
"operation": "getMemberObjects"
}
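Request body
Property name | Type | Required | Description |
---|---|---|---|
securityEnabledOnly | Edm.Boolean | Yes | true to return only the security groups that the entity is a member of; false to return all groups and directory roles that the entity is a member of. Note: If the parameter is true, the function can only be called on a user. |
Response body
Property name | Type | Description |
---|---|---|
value | Collection(Edm.String) | A collection that contains the object IDs of the groups and directory roles that the contact, user, group, or service principal is a member of. |
getObjectsByObjectIds: Get objects from a list of object IDs
Call the getObjectsByObjectIds function on the directory service to return the directory objects specified in a list of object IDs. You can also specify which resource collections (users, groups, and so on) should be searched by specifying the optional types parameter.
Some common uses for this function are to:
- Resolve the object IDs returned by functions that return collections of object IDs (such as [getMemberObjects] or [getMemberGroups]) to their backing directory objects.
- Resolve object IDs that the application has persisted in an external store to their backing directory objects.
Important: Requires version 1.5 or later.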
{
"api": "Functions",
"operation": "getObjectsByObjectIds"
}
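Request body
Property name | Type | Required | Description |
---|---|---|---|
objectIds | Collection(Edm.String) | Yes | A collection of object IDs for which to return objects. You can specify up to 1000 object IDs. |
types | Collection(Edm.String) | No | A collection of object types that specifies the set of resource collections (entity sets) to search. If not specified, the default is [DirectoryObject], which includes all of the objects in the directory. Any object that derives from [DirectoryObject] may be specified in the collection, for example: [User], [Group], [ServicePrincipal], and so on. The values are not case sensitive. |
Response body
Property name | Type | Description |
---|---|---|
value | Collection([DirectoryObject]) | A collection of the objects found for the specified object IDs and resource collections. |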
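The first common use listed above, as an added example that is not part of the original reference: it calls getMemberGroups, treats Directory_ResultSizeLimitExceeded as "membership unknown" rather than "no groups", and resolves the returned IDs through getObjectsByObjectIds in batches of at most 1000. The transport callable, the helper names, the error body shape `{"odata.error": {"code": ...}}` and the sample IDs are assumptions made for this sketch.

```python
import json
from urllib.parse import quote

BASE = "https://graph.windows.net"
API_VERSION = "1.6"
MAX_OBJECT_IDS = 1000  # getObjectsByObjectIds per-request limit from this page
SIZE_LIMIT = "Directory_ResultSizeLimitExceeded"


class GraphError(Exception):
    def __init__(self, status, code):
        super().__init__(f"HTTP {status}: {code}")
        self.status, self.code = status, code


class MembershipUnknown(Exception):
    """The membership list could not be read, so no decision may rely on it."""


def function_url(tenant, operation, collection=None, resource_id=None):
    """Build the POST URL; directory-level functions take no resource path."""
    parts = [BASE, tenant]
    if collection:
        # A UPN contains '@'; the page's sample requests send it as %40.
        parts += [collection, quote(resource_id, safe="")]
    parts.append(operation)
    return "/".join(parts) + "?api-version=" + API_VERSION


def call(transport, url, body):
    """POST a JSON body and return the 'value' member; raise on any non-200."""
    status, text = transport("POST", url, json.dumps(body))
    data = json.loads(text) if text else {}
    if status != 200:
        # Assumed error body shape: {"odata.error": {"code": "..."}}
        raise GraphError(status, data.get("odata.error", {}).get("code", "unknown"))
    return data["value"]


def resolve_group_memberships(transport, tenant, user, security_only=False):
    """Return {objectId: displayName} for the user's groups (transitive)."""
    url = function_url(tenant, "getMemberGroups", "users", user)
    try:
        ids = call(transport, url, {"securityEnabledOnly": security_only})
    except GraphError as err:
        if err.code == SIZE_LIMIT:
            # Over 2046 memberships: the result is unknown, not empty.
            raise MembershipUnknown(f"{user}: more than 2046 groups") from err
        raise
    resolved = {}
    lookup = function_url(tenant, "getObjectsByObjectIds")
    for start in range(0, len(ids), MAX_OBJECT_IDS):
        batch = ids[start:start + MAX_OBJECT_IDS]
        body = {"objectIds": batch, "types": ["Group"]}
        for obj in call(transport, lookup, body):
            resolved[obj["objectId"]] = obj["displayName"]
    return resolved


def make_fake_transport(member_ids=None, error_code=None):
    """Constructed offline stand-in for an HTTP client; records each call."""
    calls = []

    def transport(method, url, body):
        request = json.loads(body)
        calls.append((url, request))
        if "/getMemberGroups?" in url:
            if error_code:
                # Constructed error response; the status code is a placeholder.
                return 400, json.dumps({"odata.error": {"code": error_code}})
            return 200, json.dumps({"value": member_ids})
        objects = [{"objectType": "Group", "objectId": oid,
                    "displayName": "group-" + oid[:8]}
                   for oid in request["objectIds"]]
        return 200, json.dumps({"value": objects})

    return transport, calls


if __name__ == "__main__":
    # Constructed GUID-like IDs: 1500 memberships need two lookups (1000 + 500).
    ids = [f"{n:08d}-0000-0000-0000-000000000000" for n in range(1500)]
    transport, calls = make_fake_transport(member_ids=ids)
    groups = resolve_group_memberships(transport, "myorganization",
                                       "alexd@a830edad9050849NDA1.onmicrosoft.com")
    print(len(groups), "groups resolved in", len(calls) - 1, "lookups")
```

In real use the transport would wrap an HTTP client that adds the Authorization header; an access decision built on this result should fail closed when MembershipUnknown is raised.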
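isMemberOf: Check membership in a specific group (transitive)
Call the isMemberOf function on the directory service to check whether a specified user, group, contact, or service principal is a member of a specified group. This operation is transitive.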
{
"api": "Functions",
"operation": "isMemberOf"
}
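Request body
Property name | Type | Required | Description |
---|---|---|---|
groupId | Edm.String | Yes | The object ID of the group to check. |
memberId | Edm.String | Yes | The object ID of the contact, group, user, or service principal whose membership in the specified group is to be checked. |
Response body
Property name | Type | Description |
---|---|---|
value | Edm.Boolean | true if the specified user, group, contact, or service principal has either direct or transitive membership in the specified group; otherwise, false. |
Actions
Actions have side effects in the directory. That is, when you call an action, it can modify data in the directory. For example, it can assign a license to a user or restore a previously deleted application.
assignLicense: Add or remove licenses from a user
Call the assignLicense action on a user to add or remove subscriptions for the user. You can also enable and disable specific plans associated with a subscription.
Important: Requires version 2013-11-08 or later.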
{
"api": "Functions",
"operation": "assignLicense"
}
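Request body
Property name | Type | Required | Description |
---|---|---|---|
addLicenses | Collection([AssinedPlan]) | Yes | A collection of [AssignedLicense] objects that specify the licenses to add. You can disable plans associated with a license by setting the disabledPlans property on an [AssignedLicense] object. |
removeLicenses | Collection(Edm.Guid) | Yes | A collection of GUIDs that identify the licenses to remove. |
Note: Subscription SKU IDs and plan IDs can be read from the tenant object. For example, a GET request to https://graph.windows.net/myorganization/subscribedSkus returns the subscriptions available to the signed-in user's tenant. These are returned as [SubscribedSku] entities, and the SKU ID can be read from the skuId property. You can get the IDs of the plans associated with a subscription from the servicePlans collection. The availability of a subscription can be calculated from the values of the consumedUnits property and the prepaidUnits property, which includes the count of units in the "enabled", "suspended", and "warning" states.
Additional examples
This request shows an initial license assignment for the Enterprise Office SKU, which contains the SharePoint Online, Lync Online, and Exchange Online service plans.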
POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35
{
"addLicenses":[{"disabledPlans":[ ],"skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"}],
"removeLicenses":[ ]
}
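This request updates the user's license by disabling specific plans. In this example there are two disabledPlans (SharePointOnline and LyncOnline), which leaves only the Exchange service plan enabled.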
POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35
{
"addLicenses":[ { "disabledPlans": ["5dbe027f-2339-4123-9542-606e4d348a72",
"0feaeb32-d00e-4d66-bd5a-43b5b83db82c" ],
"skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"
}
],
"removeLicenses":[ ]
}
This last request shows how to remove a license from a user.
POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35
{
"addLicenses":[ ],
"removeLicenses":["6fd2c87f-b296-42f0-b197-1e91e994b900"]
}
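The note on subscribedSkus and the second request above, as an added example that is not part of the original reference: it derives disabledPlans from a [SubscribedSku] entity so that only the named plans stay enabled, refuses to build a request when no units are free, and computes Content-Length from the serialized body. The servicePlanId and servicePlanName member names come from the SubscribedSku entity rather than this page; the availability rule (enabled prepaid units minus consumed units), the unit counts, the plan names and the third plan ID are assumptions.

```python
import json


def build_assign_license(sku, keep_enabled):
    """Build the assignLicense body and headers for one SubscribedSku entity.

    keep_enabled lists the service plan IDs that stay enabled; every other
    plan in the SKU goes into disabledPlans.
    """
    plan_ids = [p["servicePlanId"] for p in sku["servicePlans"]]
    unknown = sorted(set(keep_enabled) - set(plan_ids))
    if unknown:
        raise ValueError(f"plans not part of SKU {sku['skuId']}: {unknown}")
    # Assumed availability rule: enabled prepaid units minus consumed units.
    remaining = sku["prepaidUnits"]["enabled"] - sku["consumedUnits"]
    if remaining < 1:
        raise RuntimeError(f"no free units for SKU {sku['skuId']}")
    body = {
        "addLicenses": [{
            "disabledPlans": [p for p in plan_ids if p not in keep_enabled],
            "skuId": sku["skuId"],
        }],
        "removeLicenses": [],
    }
    payload = json.dumps(body).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Content-Length": str(len(payload)),  # length of the bytes actually sent
    }
    return payload, headers


# Constructed SubscribedSku: the skuId and first two plan IDs are the ones used
# in the requests above; names, counts and the third ID are placeholders.
KEPT_PLAN = "00000000-0000-0000-0000-00000000e0e0"
SAMPLE_SKU = {
    "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900",
    "consumedUnits": 24,
    "prepaidUnits": {"enabled": 25, "suspended": 0, "warning": 0},
    "servicePlans": [
        {"servicePlanId": "5dbe027f-2339-4123-9542-606e4d348a72", "servicePlanName": "PLAN_A"},
        {"servicePlanId": "0feaeb32-d00e-4d66-bd5a-43b5b83db82c", "servicePlanName": "PLAN_B"},
        {"servicePlanId": KEPT_PLAN, "servicePlanName": "PLAN_KEPT"},
    ],
}

if __name__ == "__main__":
    payload, headers = build_assign_license(SAMPLE_SKU, [KEPT_PLAN])
    print(headers)
    print(payload.decode("utf-8"))
```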
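changePassword: Change the password of the signed-in user
Call the changePassword action to let the signed-in user change their password.
Note: You can only call this action on the signed-in user. In addition to addressing the operation with the me alias as shown below, you can also use /users/<objectId>/changePassword or /users/userPrincipalName/changePassword, but if you use these addressing patterns, the target user must be the signed-in user.
Important: Requires version 1.6 or later.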
{
"api": "MeOps",
"operation": "changePassword"
}
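Request body
Property name | Type | Required | Description |
---|---|---|---|
currentPassword | Edm.String | Yes | The current password of the signed-in user. |
newPassword | Edm.String | Yes | The new password. |
Response body
None.
restore: Restore a deleted application
Call the restore action on a deleted application to restore it to the directory.
Note: You can find deleted applications by reading the deletedApplications resource collection. For example, a GET on the following URL returns the deleted applications associated with the organization: https://graph.windows.net/myorganization/deletedApplications?api-version=1.5.
Important: Requires version 1.5 or later.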
{
"api": "Functions",
"operation": "restore"
}
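Request body
Property name | Type | Required | Description |
---|---|---|---|
identifierUris | Collection(Edm.String) | No | A collection of identifier URIs for the application. These are set on the identifierUris property of the restored [Application]. If this parameter is omitted, the identifierUris property retains its original value. |
Response body
Type | Description |
---|---|
[Application] | The restored application. |
verify: Verify ownership of a domain (preview)
Call the verify action on a domain to verify ownership of that domain.
Important: Applies only to unverified domains (the isVerified property of the [Domain] is false). Supported only in the beta version.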
{
"api": "Functions",
"operation": "verify"
}
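Request body
None.
Response body
Type | Description |
---|---|
[Domain] | The domain being verified. The IsVerified property indicates whether ownership of the domain was verified successfully. |
Additional resources
- Learn more about the features, capabilities, and preview features supported by the Graph API in Graph API concepts.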
applications: Get application properties by object ID
GET https://graph.windows.net/myorganization/applications/{application_oid}?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_oid | string | 00009987-f6d8-4957-a6ca-7848d986ffff | The object id of the application. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
GET https://graph.windows.net/myorganization/applications/00009987-f6d8-4957-a6ca-7848d986ffff?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.directoryObjects/@Element)",
"odata.type": "Microsoft.DirectoryServices.Application",
"objectType": "Application",
"objectId": "35418b3b-476c-4271-81a8-6db65d397ff4",
"deletionTimestamp": null,
"addIns": [],
"allowActAsForAllClients": null,
"appBranding": null,
"appCategory": null,
"appData": null,
"appId": "1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1",
"appMetadata": {
"version": 0,
"data": [
{
"key": "ApplicationMetadata",
"value": "eyJBcHBsaWNhd..."
}
]
},
"appRoles": [],
"availableToOtherTenants": true,
"displayName": "Test App",
"encryptedMsiApplicationSecret": null,
"errorUrl": null,
"groupMembershipClaims": "None",
"homepage": null,
"identifierUris": [],
"keyCredentials": [
{
"customKeyIdentifier": "pZMUkCG+igju29A1o/BYhnWffff=",
"endDate": "2017-10-11T07:00:00Z",
"keyId": "dceb697c-477a-4a25-be87-38282995ffff",
"startDate": "2012-09-11T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
},
{
"customKeyIdentifier": "pEFcLQgJrxgCgQwBbtV/G5Cffff=",
"endDate": "2017-06-19T07:00:00Z",
"keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
"startDate": "2012-05-19T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
}
],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"passwordCredentials": [],
"publicClient": false,
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"supportsConvergence": false,
"tokenEncryptionKeyId": null
}
applicationsByAppId: Get application properties by application ID
GET https://graph.windows.net/myorganization/applicationsByAppId/{application_id}?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_id | string | 1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1 | The application ID (GUID) of the application. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Required. |
GET https://graph.windows.net/myorganization/applicationsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Application/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"objectType": "Application",
"objectId": "35418b3b-476c-4271-81a8-6db65d397ff4",
"deletionTimestamp": null,
"addIns": [],
"allowActAsForAllClients": null,
"appBranding": null,
"appCategory": null,
"appData": null,
"appId": "1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1",
"appMetadata": {
"version": 0,
"data": [
{
"key": "ApplicationMetadata",
"value": "eyJBcHBsaWNhd..."
}
]
},
"appRoles": [],
"availableToOtherTenants": true,
"displayName": "Test App",
"encryptedMsiApplicationSecret": null,
"errorUrl": null,
"groupMembershipClaims": "None",
"homepage": null,
"identifierUris": [],
"keyCredentials": [
{
"customKeyIdentifier": "pZMUkCG+igju29A1o/BYhnWffff=",
"endDate": "2017-10-11T07:00:00Z",
"keyId": "dceb697c-477a-4a25-be87-38282995ffff",
"startDate": "2012-09-11T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
},
{
"customKeyIdentifier": "pEFcLQgJrxgCgQwBbtV/G5Cffff=",
"endDate": "2017-06-19T07:00:00Z",
"keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
"startDate": "2012-05-19T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
}
],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"passwordCredentials": [],
"publicClient": false,
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"supportsConvergence": false,
"tokenEncryptionKeyId": null
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the application object ID. |
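The Application objects returned above list each credential with a startDate and an endDate. As an added example that is not part of the original reference, this check reads those fields and reports credentials that are expired, close to expiry, or valid for longer than a policy allows; the two thresholds, the function names and the audit date are assumptions, and the sample input is trimmed from the response shown above.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=730)   # assumed policy: valid for at most 2 years
EXPIRY_WARNING = timedelta(days=90)  # assumed policy: warn this long before endDate


def parse_ts(value):
    """Parse the UTC timestamps used in the responses, e.g. 2017-10-11T07:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_credentials(app, now):
    """Return (keyId, finding) pairs for one Application object."""
    findings = []
    creds = (app.get("keyCredentials") or []) + (app.get("passwordCredentials") or [])
    for cred in creds:
        key_id = cred.get("keyId", "<no keyId>")
        if not cred.get("startDate") or not cred.get("endDate"):
            findings.append((key_id, "missing validity dates"))
            continue
        start, end = parse_ts(cred["startDate"]), parse_ts(cred["endDate"])
        if end <= now:
            findings.append((key_id, "expired"))
        elif end - now <= EXPIRY_WARNING:
            findings.append((key_id, f"expires in {(end - now).days} days"))
        if end - start > MAX_LIFETIME:
            findings.append((key_id, f"lifetime {(end - start).days} days exceeds policy"))
    return findings


# Constructed input: the credential fields of the sample response above.
SAMPLE_APP = {
    "displayName": "Test App",
    "keyCredentials": [
        {
            "keyId": "dceb697c-477a-4a25-be87-38282995ffff",
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "startDate": "2012-09-11T07:00:00Z",
            "endDate": "2017-10-11T07:00:00Z",
        },
        {
            "keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "startDate": "2012-05-19T07:00:00Z",
            "endDate": "2017-06-19T07:00:00Z",
        },
    ],
    "passwordCredentials": [],
}

if __name__ == "__main__":
    audit_date = datetime(2017, 8, 1, tzinfo=timezone.utc)  # assumed audit date
    for key_id, finding in audit_credentials(SAMPLE_APP, audit_date):
        print(SAMPLE_APP["displayName"], key_id, finding)
```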
checkMemberGroups: Check for membership in a list of groups
POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/checkMemberGroups?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
resource_collection | string | users | Specifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals. |
resource_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | Specifies the user, contact, group, or service principal for which membership is to be checked. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN). |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/checkMemberGroups?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
"value": [
"8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
"be78b7e2-a94a-4ab0-9bb4-403977cc7ec6"
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. The object IDs of the groups in the request that the target user, contact, group, or service principal has either direct or transitive membership in are returned. |
getAvailableExtensionProperties: Get the registered extension properties in a directory
POST https://graph.windows.net/myorganization/getAvailableExtensionProperties?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "d6a8bfec-893d-46e4-88fd-7db5fcc0fa62",
"deletionTimestamp": null,
"appDisplayName": "SampleApp",
"name": "extension_4d405aa8baa04fb494d3e0571fd9fd71_skypeId",
"dataType": "String",
"isSyncedFromOnPremises": false,
"targetObjects": [
"User"
]
}
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. A collection that contains the extension properties is returned. |
getMemberGroups: Get group memberships (transitive)
POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberGroups?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
resource_collection | string | users | Specifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals. |
resource_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | Specifies the user, contact, group, or service principal for which group memberships are to be returned. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN). |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/getMemberGroups?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
"value": [
"8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
"be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
"5e624f44-d38d-4943-b07c-2bad078f52ff"
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. The object IDs of the groups that the target user, contact, group, or service principal has either direct or transitive membership in are returned. |
getMemberObjects: Get group and directory role memberships (transitive)
POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberObjects?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
resource_collection | string | users | Specifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals. |
resource_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | Specifies the user, contact, group, or service principal for which group and directory role memberships are to be returned. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN). |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/getMemberObjects?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
"value": [
"8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
"be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
"5e624f44-d38d-4943-b07c-2bad078f52ff"
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. The object IDs of the groups and directory roles that the target user, contact, group, or service principal has either direct or transitive membership in are returned. |
getObjectsByObjectIds: Get objects from a list of object IDs
POST https://graph.windows.net/myorganization/getObjectsByObjectIds?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"objectId": "c57cdc98-0dcd-4f90-a82f-c911b288bab9",
"deletionTimestamp": null,
"description": "Marketing Group",
"dirSyncEnabled": null,
"displayName": "Marketing",
"lastDirSyncTime": null,
"mail": null,
"mailNickname": "cdf76b17-0734-41bc-9c24-9a7af93f3502",
"mailEnabled": false,
"onPremisesSecurityIdentifier": null,
"provisioningErrors": [],
"proxyAddresses": [],
"securityEnabled": true
},
{
"odata.type": "Microsoft.DirectoryServices.Group",
"objectType": "Group",
"objectId": "cc9869f0-6ac0-4d00-bc24-621a2d949d35",
"deletionTimestamp": null,
"description": "Engineering Group",
"dirSyncEnabled": null,
"displayName": "Engineering",
"lastDirSyncTime": null,
"mail": null,
"mailNickname": "ef3b8cc1-721b-4452-9e30-9867d1de80ea",
"mailEnabled": false,
"onPremisesSecurityIdentifier": null,
"provisioningErrors": [],
"proxyAddresses": [],
"securityEnabled": true
}
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. A collection that contains the directory objects that match the search criteria is returned. |
isMemberOf: Check membership in a specific group (transitive)
POST https://graph.windows.net/myorganization/isMemberOf?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.Boolean",
"value": true
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns true if the user, contact, group, or service principal is a member of the specified group; otherwise, false. |
servicePrincipalsByAppId: Get service principal object ID by application ID
GET https://graph.windows.net/myorganization/servicePrincipalsByAppId/{application_id}/objectId?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_id | string | 1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1 | The application ID (GUID) of the service principal. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Required. |
GET https://graph.windows.net/myorganization/servicePrincipalsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1/objectId?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.String",
"value": [
"00b4e797-7017-4720-b187-b01981c820d6"
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the service principal object ID of the specified application ID. |
verify: Verify ownership of a domain
POST https://graph.windows.net/myorganization/domains({domain_name})/verify?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
domain_name | string | contoso.com | The fully qualified domain name of the target domain. Must be enclosed in single quotes. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Required. |
POST https://graph.windows.net/myorganization/domains('contoso.com')/verify?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#domains/@Element",
"authenticationType": "Managed",
"availabilityStatus": "AvailableImmediately",
"isAdminManaged": true,
"isDefault": false,
"isInitial": false,
"isRoot": true,
"isVerified": true,
"name": "contoso.com",
"supportedServices": []
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the Domain object. The isVerified property indicates whether the ownership of the domain has been verified successfully. |
addKey: Add a KeyCredential for an application
POST https://graph.windows.net/myorganization/applications/{application_oid}/addKey?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_oid | string | 00009987-f6d8-4957-a6ca-7848d986ffff | The object id of the application. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/applications/00009987-f6d8-4957-a6ca-7848d986ffff/addKey?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
"value": [
{
"keyCredential": {
"customKeyIdentifier": "6uv7gh",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": "MIZB9jVCACfEw="
},
"passwordCredential": null,
"proof": "eyJ0eXAiOiJKv1"
}
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the application's new key credential and password credential directory object. |
POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/addKey?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_id | string | 1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1 | The application ID (GUID) of the application. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/applicationsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1/addKey?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
"value": [
{
"keyCredential": {
"customKeyIdentifier": "JXyLFwBmN=",
"endDate": "2017-10-11T07:00:00Z",
"keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
"startDate": "2012-09-11T07:00:00Z",
"type": "AsymmetricX509Cert",
"usage": "Sign",
"value": null
}
},
{
"keyCredential": {
"customKeyIdentifier": "JXyLFwBmN=",
"endDate": "2017-10-11T07:00:00Z",
"keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
"startDate": "2012-09-11T07:00:00Z",
"type": "Password",
"usage": "Sign",
"value": null
}
}
]
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the application's new key credential and password credential directory object. |
assignLicense: Add or remove licenses from a user
POST https://graph.windows.net/myorganization/users/{user_id}/assignLicense?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
user_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | The user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.6
Response
Status Code:200
Content-Type: application/json
none
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. No response body is returned. |
changePassword: Change password of the signed-in user
POST https://graph.windows.net/me/changePassword?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
Query | |||
api-version | string | 1.6 | Specifies the version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
Response
Status Code:204
Content-Type: application/json
none
Response List
Status Code | Description |
---|---|
204 | No Content. Indicates success. No response body is returned. |
removeKey: Remove a KeyCredential for an application
POST https://graph.windows.net/myorganization/applications/{application_oid}/removeKey?api-version
POST https://graph.windows.net/myorganization/applications/{application_oid}/removeKey?api-version=1.6
Response
Status Code:204
Content-Type: none
none
Response List
Status Code | Description |
---|---|
204 | No Content. Indicates success. No response body is returned. |
POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/removeKey?api-version
POST https://graph.windows.net/myorganization/applicationsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1/removeKey?api-version=1.6
Response
Status Code:204
Content-Type: none
none
Response List
Status Code | Description |
---|---|
204 | No Content. Indicates success. No response body is returned. |
restore: Restore a deleted application
POST https://graph.windows.net/myorganization/deletedApplications/{application_id}/restore?api-version
Parameters
Parameter | Type | Value | Notes |
---|---|---|---|
URL | |||
application_id | string | 1e22de0f-0ed1-4c01-b725-a822632467e3 | The object ID (GUID) of the application to restore. |
Query | |||
api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |
Body | |||
Content-Type: application/json
|
POST https://graph.windows.net/myorganization/deletedApplications/1e22de0f-0ed1-4c01-b725-a822632467e3/restore?api-version=1.6
Response
Status Code:200
Content-Type: application/json
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Application/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"objectType": "Application",
"objectId": "1e22de0f-0ed1-4c01-b725-a822632467e3",
"deletionTimestamp": null,
"appId": "f4ecf40c-e94f-4d79-af83-f920f81bcb66",
"appRoles": [],
"availableToOtherTenants": false,
"displayName": "Sample App 1",
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": "https://localhost",
"identifierUris": [
"https://restoredApp/"
],
"keyCredentials": [],
"knownClientApplications": [],
"logoutUrl": null,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"passwordCredentials": [],
"publicClient": null,
"replyUrls": [
"https://localhost"
],
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null
}
Response List
Status Code | Description |
---|---|
200 | OK. Indicates success. Returns the restored Application object. The identifierUris property in the restored application is set or restored according to the identifierUris collection specified in the request. |