Application.Read.All
Allows the app to read applications and service principals on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
Application.Read.Allpermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 | c79f8feb-a9db-4090-85f9-90d820caa0eb |
| DisplayText | Read all applications | Read applications |
| Description | Allows the app to read all applications and service principals without a signed-in user. | Allows the app to read applications and service principals on behalf of the signed-in user. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.Read.All ▪️ Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.Read.All ▪️ Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Application.Read.All and Policy.Read.PermissionGrant ▪️ Application.Read.All and Policy.ReadWrite.PermissionGrant |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
Application.Read.All and Policy.Read.All ▪️ Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
Application.Read.All and Policy.Read.All ▪️ Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Policy.Read.All and Application.Read.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.Read.All |
|
Application.Read.All and Policy.Read.PermissionGrant ▪️ Application.Read.All and Policy.ReadWrite.PermissionGrant |
|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
AppRoleAssignment.ReadWrite.All and Application.Read.All |
|
Application.Read.All and Policy.ReadWrite.ApplicationConfiguration |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
|
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- administrativeUnit
- application
- appManagementPolicy
- appRoleAssignment
- certificateAuthorityDetail
- certificateBasedAuthPki
- claimsMappingPolicy
- conditionalAccessApplications
- conditionalAccessGrantControls
- conditionalAccessPolicy
- conditionalAccessSessionControls
- conditionalAccessUsers
- continuousAccessEvaluationPolicy
- delegatedPermissionClassification
- device
- directory
- directoryObject
- directoryRole
- extensionproperty
- externalUserProfile
- federatedIdentityCredential
- group
- homeRealmDiscoveryPolicy
- conditionalAccessPolicyCoverage
- orgContact
- pendingExternalUserProfile
- permissionGrantPreApprovalPolicy
- remoteDesktopSecurityConfiguration
- schemaextension
- servicePrincipal
- targetDeviceGroup
- tenantAppManagementPolicy
- tokenIssuancePolicy
- tokenLifetimePolicy
- user
Graph reference: administrativeUnit
| Property | Type | Description |
|---|---|---|
| description | String | An optional description for the administrative unit. Supports $filter (eq, ne, in, startsWith), $search. |
| displayName | String | Display name for the administrative unit. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
| id | String | Unique identifier for the administrative unit. Read-only. Supports $filter (eq). |
| membershipRule | String | The dynamic membership rule for the administrative unit. For more information about the rules you can use for dynamic administrative units and dynamic groups, see Manage rules for dynamic membership groups in Microsoft Entra ID. |
| membershipRuleProcessingState | String | Controls whether the dynamic membership rule is actively processed. Set to On to activate the dynamic membership rule, or Paused to stop updating membership dynamically. |
| membershipType | String | Indicates the membership type for the administrative unit. The possible values are: dynamic, assigned. If not set, the default value is null and the default behavior is assigned. |
| visibility | String | Controls whether the administrative unit and its members are hidden or public. Can be set to HiddenMembership. If not set, the default value is null and the default behavior is public. When set to HiddenMembership, only members of the administrative unit can list other members of the administrative unit. |
Graph reference: application
| Property | Type | Description |
|---|---|---|
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams can set the addIns property for its "FileHandler" functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| api | apiApplication | Specifies settings for an application that implements a web API. |
| appId | String | The unique identifier for the application that is assigned to an application by Microsoft Entra ID. Not nullable. Read-only. Alternate key. Supports $filter (eq). |
| applicationTemplateId | String | Unique identifier of the applicationTemplate. Supports $filter (eq, not, ne). Read-only. null if the app wasn't created from an application template. |
| appRoles | appRole collection | The collection of roles defined for the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Not nullable. |
| certification | certification | Specifies the certification status of the application. |
| createdDateTime | DateTimeOffset | The date and time the application was registered. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Supports $filter (eq, ne, not, ge, le, in, and eq on null values) and $orderby. |
| deletedDateTime | DateTimeOffset | The date and time the application was deleted. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| description | String | Free text field to provide a description of the application object to end users. The maximum allowed size is 1,024 characters. Supports $filter (eq, ne, not, ge, le, startsWith) and $search. |
| disabledByMicrosoftStatus | String | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Supports $filter (eq, ne, not). |
| displayName | String | The display name for the application. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
| groupMembershipClaims | String | Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. To set this attribute, use one of the following valid string values: None, SecurityGroup (for security groups and Microsoft Entra roles), All (this gets all of the security groups, distribution groups, and Microsoft Entra directory roles that the signed-in user is a member of). |
| id | String | Unique identifier for the application object. This property is referred to as Object ID in the Microsoft Entra admin center. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq, ne, not, in). |
| identifierUris | String collection | Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<appId>, or specify a more readable URI like https://contoso.com/api. For more information on valid identifierUris patterns and best practices, see Microsoft Entra application registration security best practices. Not nullable. Supports $filter (eq, ne, ge, le, startsWith). |
| info | informationalUrl | Basic profile information of the application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. For more info, see How to: Add Terms of service and privacy statement for registered Microsoft Entra apps. Supports $filter (eq, ne, not, ge, le, and eq on null values). |
| isDeviceOnlyAuthSupported | Boolean | Specifies whether this application supports device authentication without a user. The default is false. |
| isFallbackPublicClient | Boolean | Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false, which means the fallback application type is confidential client such as a web app. There are certain scenarios where Microsoft Entra ID can't determine the client application type. For example, the ROPC flow where it's configured without specifying a redirect URI. In those cases, Microsoft Entra ID interprets the application type based on the value of this property. |
| keyCredentials | keyCredential collection | The collection of key credentials associated with the application. Not nullable. Supports $filter (eq, not, ge, le). |
| logo | Stream | The main logo for the application. Not nullable. |
| nativeAuthenticationApisEnabled | nativeAuthenticationApisEnabled | Specifies whether the Native Authentication APIs are enabled for the application. The possible values are: none and all. Default is none. For more information, see Native Authentication. |
| notes | String | Notes relevant for the management of the application. |
| oauth2RequiredPostResponse | Boolean | Specifies whether, as part of OAuth 2.0 token requests, Microsoft Entra ID allows POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests are allowed. |
| optionalClaims | optionalClaims | Application developers can configure optional claims in their Microsoft Entra applications to specify the claims that are sent to their application by the Microsoft security token service. For more information, see How to: Provide optional claims to your app. |
| parentalControlSettings | parentalControlSettings | Specifies parental control settings for an application. |
| passwordCredentials | passwordCredential collection | The collection of password credentials associated with the application. Not nullable. |
| publicClient | publicClientApplication | Specifies settings for installed clients such as desktop or mobile devices. |
| publisherDomain | String | The verified publisher domain for the application. Read-only. For more information, see How to: Configure an application's publisher domain. Supports $filter (eq, ne, ge, le, startsWith). |
| requestSignatureVerification | requestSignatureVerification | Specifies whether this application requires Microsoft Entra ID to verify the signed authentication requests. |
| requiredResourceAccess | requiredResourceAccess collection | Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. No more than 50 resource services (APIs) can be configured. Beginning mid-October 2021, the total number of required permissions must not exceed 400. For more information, see Limits on requested permissions per app. Not nullable. Supports $filter (eq, not, ge, le). |
| samlMetadataUrl | String | The URL where the service exposes SAML metadata for federation. This property is valid only for single-tenant applications. Nullable. |
| serviceManagementReference | String | References application or service contact information from a Service or Asset Management database. Nullable. |
| servicePrincipalLockConfiguration | servicePrincipalLockConfiguration | Specifies whether sensitive properties of a multitenant application should be locked for editing after the application is provisioned in a tenant. Nullable. null by default. |
| signInAudience | String | Specifies the Microsoft accounts that are supported for the current application. The possible values are: AzureADMyOrg (default), AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, and PersonalMicrosoftAccount. See more in the table. The value of this object also limits the number of permissions an app can request. For more information, see Limits on requested permissions per app. The value for this property has implications on other app object properties. As a result, if you change this property, you might need to change other properties first. For more information, see Validation differences for signInAudience. Supports $filter (eq, ne, not). |
| spa | spaApplication | Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens. |
| tags | String collection | Custom strings that can be used to categorize and identify the application. Not nullable. Strings added here will also appear in the tags property of any associated service principals. Supports $filter (eq, not, ge, le, startsWith) and $search. |
| tokenEncryptionKeyId | String | Specifies the keyId of a public key from the keyCredentials collection. When configured, Microsoft Entra ID encrypts all the tokens it emits by using the key this property points to. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. |
| uniqueName | String | The unique identifier that can be assigned to an application and used as an alternate key. Immutable. Read-only. |
| verifiedPublisher | verifiedPublisher | Specifies the verified publisher of the application. For more information about how publisher verification helps support application security, trustworthiness, and compliance, see Publisher verification. |
| web | webApplication | Specifies settings for a web application. |
Graph reference: appManagementPolicy
| Property | Type | Description |
|---|---|---|
| displayName | String | The display name of the policy. Inherited from policyBase. |
| description | String | The description of the policy. Inherited from policyBase. |
| id | String | The unique identifier for the policy. |
| isEnabled | Boolean | Denotes whether the policy is enabled. |
| restrictions | appManagementConfiguration | Restrictions that apply to an application or service principal object. |
Graph reference: appRoleAssignment
| Property | Type | Description |
|---|---|---|
| appRoleId | Guid | The identifier (id) for the app role that's assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application hasn't declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create. |
| createdDateTime | DateTimeOffset | The time when the app role assignment was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| deletedDateTime | DateTimeOffset | The date and time when the app role assignment was deleted. Always null for an appRoleAssignment object that hasn't been deleted. Inherited from directoryObject. |
| id | String | A unique identifier for the appRoleAssignment key. Not nullable. Read-only. |
| principalDisplayName | String | The display name of the user, group, or service principal that was granted the app role assignment. Read-only. Supports $filter (eq and startswith). |
| principalId | Guid | The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create. |
| principalType | String | The type of the assigned principal. This can either be User, Group, or ServicePrincipal. Read-only. |
| resourceDisplayName | String | The display name of the resource app's service principal to which the assignment is made. |
| resourceId | Guid | The unique identifier (**i |
Graph reference: certificateAuthorityDetail
| Property | Type | Description |
|---|---|---|
| certificate | Binary | The public key of the certificate authority. |
| certificateAuthorityType | certificateAuthorityType | The type of certificate authority. The possible values are: root, intermediate, unknownFutureValue. Supports $filter (eq). |
| certificateRevocationListUrl | String | The URL to check if the certificate is revoked. |
| createdDateTime | DateTimeOffset | The date and time when the certificate authority was created. |
| deletedDateTime | DateTimeOffset | The date and time when the certificate authority was soft deleted. Inherited from base class and null for objects that are not deleted. Inherited from directoryObject. |
| deltacertificateRevocationListUrl | String | The URL to check to find out whether the certificate is revoked. |
| displayName | String | The display name of the certificate authority. |
| expirationDateTime | DateTimeOffset | The date and time when the certificate authority expires. Supports $filter (eq) and $orderby. |
| id | String | The ID of the certificate authority. Inherited from entity. |
| isIssuerHintEnabled | Boolean | Indicates whether the certificate picker presents the certificate authority to the user to use for authentication. Default value is false. Optional. |
| issuer | String | The issuer of the certificate authority. |
| issuerSubjectKeyIdentifier | String | The subject key identifier of certificate authority. |
| thumbprint | String | The thumbprint of certificate authority certificate. Supports $filter (eq, startswith). |
Graph reference: certificateBasedAuthPki
| Property | Type | Description |
|---|---|---|
| deletedDateTime | DateTimeOffset | The date and time when the object was soft deleted. Inherited from base class and null for objects that are not deleted. Inherited from directoryObject. |
| displayName | String | The name of the object. |
| id | String | The ID of the object. Inherited from entity. |
| lastModifiedDateTime | DateTimeOffset | The date and time when the object was created or last modified. |
| status | String | The status of any asynchronous jobs runs on the object which can be upload or delete. |
| statusDetails | String | The status details of the upload/deleted operation of PKI (Public Key Infrastructure). |
Graph reference: claimsMappingPolicy
| Property | Type | Description |
|---|---|---|
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. For more information about the JSON schema for this property, see Properties of a claims-mapping policy definition. Required. |
| displayName | String | Display name for this policy. Required. |
| id | String | Unique identifier for this policy. Read-only. |
| isOrganizationDefault | Boolean | Ignore this property. The claims-mapping policy can only be applied to service principals and can't be set globally for the organization. |
Graph reference: conditionalAccessApplications
| Property | Type | Description |
|---|---|---|
| excludeApplications | String collection | Can be one of the following: Office365 - For the list of apps included in Office365, see Apps included in Conditional Access Office 365 app suite MicrosoftAdminPortals - For more information, see Conditional Access Target resources: Microsoft Admin Portals |
| includeApplications | String collection | Can be one of the following: All Office365 - For the list of apps included in Office365, see Apps included in Conditional Access Office 365 app suite MicrosoftAdminPortals - For more information, see Conditional Access Target resources: Microsoft Admin Portals |
| includeUserActions | String collection | User actions to include. Supported values are urn:user:registersecurityinfo and urn:user:registerdevice |
Graph reference: conditionalAccessGrantControls
| Property | Type | Description |
|---|---|---|
| builtInControls | conditionalAccessGrantControl collection | List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue. |
| customAuthenticationFactors | String collection | List of custom controls IDs required by the policy. For more information, see Custom controls. |
| operator | String | Defines the relationship of the grant controls. Possible values: AND, OR. |
| termsOfUse | String collection | List of terms of use IDs required by the policy. |
Graph reference: conditionalAccessPolicy
| Property | Type | Description |
|---|---|---|
| conditions | conditionalAccessConditionSet | Specifies the rules that must be met for the policy to apply. Required. |
| createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Readonly. |
| displayName | String | Specifies a display name for the conditionalAccessPolicy object. |
| grantControls | conditionalAccessGrantControls | Specifies the grant controls that must be fulfilled to pass the policy. |
| id | String | Specifies the identifier of a conditionalAccessPolicy object. Read-only. |
| modifiedDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Readonly. |
| sessionControls | conditionalAccessSessionControls | Specifies the session controls that are enforced after sign-in. |
| state | conditionalAccessPolicyState | Specifies the state of the conditionalAccessPolicy object. Possible values are: enabled, disabled, enabledForReportingButNotEnforced. Required. |
Graph reference: conditionalAccessSessionControls
| Property | Type | Description |
|---|---|---|
| applicationEnforcedRestrictions | applicationEnforcedRestrictionsSessionControl | Session control to enforce application restrictions. Only Exchange Online and Sharepoint Online support this session control. |
| cloudAppSecurity | cloudAppSecuritySessionControl | Session control to apply cloud app security. |
| disableResilienceDefaults | Boolean | Session control that determines whether it is acceptable for Microsoft Entra ID to extend existing sessions based on information collected prior to an outage or not. |
| persistentBrowser | persistentBrowserSessionControl | Session control to define whether to persist cookies or not. All apps should be selected for this session control to work correctly. |
| signInFrequency | signInFrequencySessionControl | Session control to enforce signin frequency. |
Graph reference: conditionalAccessUsers
| Property | Type | Description |
|---|---|---|
| excludeGroups | String collection | Group IDs excluded from scope of policy. |
| excludeGuestsOrExternalUsers | conditionalAccessGuestsOrExternalUsers | Internal guests or external users excluded from the policy scope. Optionally populated. |
| excludeRoles | String collection | Role IDs excluded from scope of policy. |
| excludeUsers | String collection | User IDs excluded from scope of policy and/or GuestsOrExternalUsers. |
| includeGroups | String collection | Group IDs in scope of policy unless explicitly excluded. |
| includeGuestsOrExternalUsers | conditionalAccessGuestsOrExternalUsers | Internal guests or external users included in the policy scope. Optionally populated. |
| includeRoles | String collection | Role IDs in scope of policy unless explicitly excluded. |
| includeUsers | String collection | User IDs in scope of policy unless explicitly excluded, None, All, or GuestsOrExternalUsers. |
Graph reference: continuousAccessEvaluationPolicy
| Property | Type | Description |
|---|---|---|
| description | String | Continuous access evaluation automatically blocks access to resources and applications in near real time when a user's access is removed or a client IP address changes. Read-only. |
| displayName | String | The value is always Continuous Access Evaluation. Read-only. |
| groups | String collection | The collection of group identifiers in scope for evaluation. All groups are in scope when the collection is empty. Read-only. |
| id | String | Specifies the identifier of a continuousAccessEvaluationPolicy object. Read-only. |
| isEnabled | Boolean | true to indicate whether continuous access evaluation should be performed; otherwise false. Read-only. |
| users | String collection | The collection of user identifiers in scope for evaluation. All users are in scope when the collection is empty. Read-only. |
| migrate | Boolean | true to indicate that the continuous access evaluation policy settings should be or has been migrated to the conditional access policy. |
Graph reference: delegatedPermissionClassification
| Property | Type | Description |
|---|---|---|
| classification | permissionClassificationType | The classification value. Possible values: low, medium (preview), high (preview). Doesn't support $filter. |
| id | String | A unique identifier for the delegatedPermissionClassification Key. Not nullable. Read-only. |
| permissionId | String | The unique identifier (id) for the delegated permission listed in the oauth2PermissionScopes collection of the servicePrincipal. Required on create. Doesn't support $filter. |
| permissionName | String | The claim value (**v |
Graph reference: device
| Property | Type | Description |
|---|---|---|
| accountEnabled | Boolean | true if the account is enabled; otherwise, false. Required. Default is true. Supports $filter (eq, ne, not, in). Only callers with at least the Cloud Device Administrator role can set this property. |
| alternativeSecurityIds | alternativeSecurityId collection | For internal use only. Not nullable. Supports $filter (eq, not, ge, le). |
| approximateLastSignInDateTime | DateTimeOffset | The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Supports $filter (eq, ne, not, ge, le, and eq on null values) and $orderby. |
| complianceExpirationDateTime | DateTimeOffset | The timestamp when the device is no longer deemed compliant. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| deviceCategory | String | User-defined property set by Intune to automatically add devices to groups and simplify managing devices. |
| deviceId | String | Unique identifier set by Azure Device Registration Service at the time of registration. This alternate key can be used to reference the device object. Supports $filter (eq, ne, not, startsWith). |
| deviceMetadata | String | For internal use only. Set to null. |
| deviceOwnership | String | Ownership of the device. Intune sets this property. Possible values are: unknown, company, personal. |
| deviceVersion | Int32 | For internal use only. |
| displayName | String | The display name for the device. Required. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
| enrollmentProfileName | String | Enrollment profile applied to the device. For example, Apple Device Enrollment Profile, Device enrollment - Corporate device identifiers, or Windows Autopilot profile name. This property is set by Intune. |
| enrollmentType | String | Enrollment type of the device. Intune sets this property. Possible values are: unknown, userEnrollment, deviceEnrollmentManager, appleBulkWithUser, appleBulkWithoutUser, windowsAzureADJoin, windowsBulkUserless, windowsAutoEnrollment, windowsBulkAzureDomainJoin, windowsCoManagement, windowsAzureADJoinUsingDeviceAuth,appleUserEnrollment, appleUserEnrollmentWithServiceAccount. NOTE: This property might return other values apart from those listed. |
| extensionAttributes | onPremisesExtensionAttributes | Contains extension attributes 1-15 for the device. The individual extension attributes aren't selectable. These properties are mastered in the cloud and can be set during creation or update of a device object in Microsoft Entra ID. Supports $filter (eq, not, startsWith, and eq on null values). |
| id | String | The unique identifier for the device. Inherited from directoryObject. Key, Not nullable. Read-only. Supports $filter (eq, ne, not, in). |
| isCompliant | Boolean | true if the device complies with Mobile Device Management (MDM) policies; otherwise, false. Read-only. This can only be updated by Intune for any device OS type or by an approved MDM app for Windows OS devices. Supports $filter (eq, ne, not). |
| isManaged | Boolean | true if the device is managed by a Mobile Device Management (MDM) app; otherwise, false. This can only be updated by Intune for any device OS type or by an approved MDM app for Windows OS devices. Supports $filter (eq, ne, not). |
| manufacturer | String | Manufacturer of the device. Read-only. |
| isRooted | Boolean | true if the device is rooted or jail-broken. This property can only be updated by Intune. |
| managementType | String | The management channel of the device. This property is set by Intune. Possible values are: eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController. |
| mdmAppId | String | Application identifier used to register device into MDM. Read-only. Supports $filter (eq, ne, not, startsWith). |
| model | String | Model of the device. Read-only. |
| onPremisesLastSyncDateTime | DateTimeOffset | The last time at which the object was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z Read-only. Supports $filter (eq, ne, not, ge, le, in). |
| onPremisesSecurityIdentifier | String | The on-premises security identifier (SID) for the user who was synchronized from on-premises to the cloud. Read-only. Returned only on $select. Supports $filter (eq). |
| onPremisesSyncEnabled | Boolean | true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). Read-only. Supports $filter (eq, ne, not, in, and eq on null values). |
| operatingSystem | String | The type of operating system on the device. Required. Supports $filter (eq, ne, not, ge, le, startsWith, and eq on null values). |
| operatingSystemVersion | String | The version of the operating system on the device. Required. Supports $filter (eq, ne, not, ge, le, startsWith, and eq on null values). |
| physicalIds | String collection | For internal use only. Not nullable. Supports $filter (eq, not, ge, le, startsWith,/$count eq 0, /$count ne 0). |
| profileType | deviceProfileType | The profile type of the device. Possible values: RegisteredDevice (default), SecureVM, Printer, Shared, IoT. |
| registrationDateTime | DateTimeOffset | Date and time of when the device was registered. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| systemLabels | String collection | List of labels applied to the device by the system. Supports $filter (/$count eq 0, /$count ne 0). |
| trustType | String | Type of trust for the joined device. Read-only. Possible values: Workplace (indicates *b |
Graph reference: directory
| Property | Type | Description |
|---|---|---|
| id | String | A unique identifier for the object; for example, 12345678-9abc-def0-1234-56789abcde. Key. Not nullable. Read-only. Inherited from entity. |
Graph reference: directoryObject
| Property | Type | Description |
|---|---|---|
| deletedDateTime | DateTimeOffset | Date and time when this object was deleted. Always null when the object hasn't been deleted. |
| id | String | The unique identifier for the object. For example, 12345678-9abc-def0-1234-56789abcde. The value of the **i |
Graph reference: directoryRole
| Property | Type | Description |
|---|---|---|
| description | String | The description for the directory role. Read-only. Supports $filter (eq), $search, $select. |
| displayName | String | The display name for the directory role. Read-only. Supports $filter (eq), $search, $select. |
| id | String | The unique identifier for the directory role. Inherited from directoryObject. Key, Not nullable, Read-only. Supports $filter (eq), $select. |
| roleTemplateId | String | The **i |
Graph reference: extensionproperty
| Property | Type | Description |
|---|---|---|
| appDisplayName | String | Display name of the application object on which this extension property is defined. Read-only. |
| dataType | String | Specifies the data type of the value the extension property can hold. Following values are supported.
|
| deletedDateTime | DateTimeOffset | Date and time when this object was deleted. Always null when the object hasn't been deleted. Inherited from directoryObject. |
| isSyncedFromOnPremises | Boolean | Indicates if this extension property was synced from on-premises active directory using Microsoft Entra Connect. Read-only. |
| name | String | Name of the extension property. Not nullable. Supports $filter (eq). |
| isMultiValued | Boolean | Defines the directory extension as a multi-valued property. When true, the directory extension property can store a collection of objects of the dataType; for example, a collection of string types such as "extension_b7b1c57b532f40b8b5ed4b7a7ba67401_jobGroupTracker": ["String 1", "String 2"]. The default value is false. Supports $filter (eq). |
| targetObjects | String collection | Following values are supported. Not nullable.
|
Graph reference: externalUserProfile
| Property | Type | Description |
|---|---|---|
| address | physicalOfficeAddress | The office address of the external user profile. Inherited from externalProfile. |
| createdBy | String | The object ID of the user who created the external user profile. Inherited from externalProfile. Read-only. Not nullable. |
| createdDateTime | DateTimeOffset | Date and time when this external user was created. Inherited from externalProfile. Not nullable. Read-only. |
| companyName | String | The company name of the external user profile. Inherited from externalProfile. Supports $filter (eq, startswith). |
| deletedDateTime | DateTimeOffset | Date and time when this external user profile was deleted. Always null when the object isn't deleted. Inherited from externalProfile. |
| department | String | The department of the external user profile. Inherited from externalProfile. |
| displayName | String | The display name of the external user profile. Inherited from externalProfile. |
| id | String | The unique identifier for the external user profile. For example, 12345678-9abc-def0-1234-56789abcde. The value of the id property is often but not exclusively in the form of a GUID; treat it as an opaque identifier and don't rely on it being a GUID. Key. Not nullable. Read-only. |
| isDiscoverable | Boolean | Represents whether the external user profile is discoverable in the directory. When true, this external profile shows up in Teams search. When false, this external profile doesn't show up in Teams search. Inherited from externalProfile. |
| isEnabled | Boolean | Represents whether the external user profile is enabled in the directory. This property is peer to the accountEnabled property on the User object. |
| jobTitle | String | The job title of the external user profile. Inherited from externalProfile. |
| phoneNumber | String | The phone number of the external user profile. Must be in E164 format. Inherited from externalProfile. |
| supervisorId | String | The object ID of the supervisor of the external user profile. Inherited from externalProfile. Supports $filter (eq, startswith). |
Graph reference: federatedIdentityCredential
| Property | Type | Description |
|---|---|---|
| audiences | String collection | The audience that can appear in the external token. This field is mandatory and should be set to api://AzureADTokenExchange for Microsoft Entra ID. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Microsoft Entra ID in your external identity provider and has no fixed value across identity providers - you might need to create a new application registration in your identity provider to serve as the audience of this token. This field can only accept a single value and has a limit of 600 characters. Required. |
| description | String | The unvalidated description of the federated identity credential, provided by the user. It has a limit of 600 characters. Optional. |
| id | String | The unique identifier for the federated identity. Required. Read-only. |
| issuer | String | The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique within the app. It has a limit of 600 characters. Required. |
| name | String | The unique identifier for the federated identity credential, which has a limit of 120 characters and must be URL friendly. The string is immutable after it's created. Alternate key. Required. Not nullable. Supports $filter (eq). |
| subject | String | Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format; each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Microsoft Entra ID. The combination of **i |
Graph reference: group
| Property | Type | Description |
|---|---|---|
| allowExternalSenders | Boolean | Indicates if people external to the organization can send messages to the group. The default value is false. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
| assignedLabels | assignedLabel collection | The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. Returned only on $select. This property can be updated only in delegated scenarios where the caller requires both the Microsoft Graph permission and a supported administrator role. |
| assignedLicenses | assignedLicense collection | The licenses that are assigned to the group. Returned only on $select. Supports $filter (eq).Read-only. |
| autoSubscribeNewMembers | Boolean | Indicates if new members added to the group are autosubscribed to receive email notifications. You can set this property in a PATCH request for the group; don't set it in the initial POST request that creates the group. Default value is false. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
| classification | String | Describes a classification for the group (such as low, medium, or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition. Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith). |
| createdDateTime | DateTimeOffset | Timestamp of when the group was created. The value can't be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. Returned by default. Read-only. |
| deletedDateTime | DateTimeOffset | For some Microsoft Entra objects (user, group, application), if the object is deleted, it's first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null. Inherited from directoryObject. |
| description | String | An optional description for the group. Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith) and $search. |
| displayName | String | The display name for the group. This property is required when a group is created and can't be cleared during updates. Maximum length is 256 characters. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
| expirationDateTime | DateTimeOffset | Timestamp of when the group is set to expire. It's null for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. Returned by default. Supports $filter (eq, ne, not, ge, le, in). Read-only. |
| groupTypes | String collection | Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview.If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static. Returned by default. Supports $filter (eq, not). |
| hasMembersWithLicenseErrors | Boolean | Indicates whether there are members in this group that have license errors from its group-based license assignment. This property is never returned on a GET operation. You can use it as a $filter argument to get groups that have members with license errors (that is, filter for this property being true). See an example. Supports $filter (eq). |
| hideFromAddressLists | Boolean | True if the group isn't displayed in certain parts of the Outlook UI: the Address Book, address lists for selecting message recipients, and the Browse Groups dialog for searching groups; otherwise, false. The default value is false. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
| hideFromOutlookClients | Boolean | True if the group isn't displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. The default value is false. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
| id | String | The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq, ne, not, in). |
| isArchived | Boolean | When a group is associated with a team, this property determines whether the team is in read-only mode. To read this property, use the /group/{groupId}/team endpoint or the Get team API. To update this property, use the archiveTeam and unarchiveTeam APIs. |
| isAssignableToRole | Boolean | Indicates whether this group can be assigned to a Microsoft Entra role. Optional. This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true, visibility must be Hidden, and the group can't be a dynamic group (that is, groupTypes can't contain DynamicMembership). Only callers with at least the Privileged Role Administrator role can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. For more, see Using a group to manage Microsoft Entra role assignments Using this feature requires a Microsoft Entra ID P1 license. Returned by default. Supports $filter (eq, ne, not). |
| isSubscribedByMail | Boolean | Indicates whether the signed-in user is subscribed to receive email conversations. The default value is true. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
| licenseProcessingState | String | Indicates the status of the group license assignment to all group members. The default value is false. Read-only. Possible values: QueuedForProcessing, ProcessingInProgress, and ProcessingComplete.Returned only on $select. Read-only. |
| String | The SMTP address for the group, for example, "[email protected]". Returned by default. Read-only. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
|
| mailEnabled | Boolean | Specifies whether the group is mail-enabled. Required. Returned by default. Supports $filter (eq, ne, not). |
| mailNickname | String | The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following characters: @ () \ [] " ; : <> , SPACE. Required. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| membershipRule | String | The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). For more information about the syntax of the membership rule, see Membership Rules syntax. Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith). |
| membershipRuleProcessingState | String | Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused. Returned by default. Supports $filter (eq, ne, not, in). |
| onPremisesDomainName | String | Contains the on-premises domain FQDN, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Read-only. |
| onPremisesLastSyncDateTime | DateTimeOffset | Indicates the last time at which the group was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. Returned by default. Read-only. Supports $filter (eq, ne, not, ge, le, in). |
| onPremisesNetBiosName | String | Contains the on-premises netBios name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Read-only. |
| onPremisesProvisioningErrors | onPremisesProvisioningError collection | Errors when using Microsoft synchronization product during provisioning. Returned by default. Supports $filter (eq, not). |
| onPremisesSamAccountName | String | Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith). Read-only. |
| onPremisesSecurityIdentifier | String | Contains the on-premises security identifier (SID) for the group synchronized from on-premises to the cloud. Read-only. Returned by default. Supports $filter (eq including on null values). |
| onPremisesSyncEnabled | Boolean | true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never synced from an on-premises directory (default). Returned by default. Read-only. Supports $filter (eq, ne, not, in, and eq on null values). |
| preferredDataLocation | String | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. To set this property, the calling app must be granted the Directory.ReadWrite.All permission and the user be assigned at least one of the following Microsoft Entra roles:
For more information about this property, see OneDrive Online Multi-Geo. Nullable. Returned by default. |
| preferredLanguage | String | The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example, en-US. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| proxyAddresses | String collection | Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: [email protected]", "smtp: [email protected]"]. The any operator is required to filter expressions on multi-valued properties. Returned by default. Read-only. Not nullable. Supports $filter (eq, not, ge, le, startsWith, endsWith, /$count eq 0, /$count ne 0). |
| renewedDateTime | DateTimeOffset | Timestamp of when the group was last renewed. This value can't be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. Returned by default. Supports $filter (eq, ne, not, ge, le, in). Read-only. |
| securityEnabled | Boolean | Specifies whether the group is a security group. Required. Returned by default. Supports $filter (eq, ne, not, in). |
| securityIdentifier | String | Security identifier of the group, used in Windows scenarios. Read-only. Returned by default. |
| serviceProvisioningErrors | serviceProvisioningError collection | Errors published by a federated service describing a nontransient, service-specific error regarding the properties or link from a group object. Supports $filter (eq, not, for isResolved and serviceInstance). |
| theme | string | Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange, or Red. Returned by default. |
| uniqueName | String | The unique identifier that can be assigned to a group and used as an alternate key. Immutable. Read-only. |
| unseenCount | Int32 | Count of conversations that received new posts since the signed-in user last visited the group. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
| visibility | String | Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or HiddenMembership. HiddenMembership can be set only for Microsoft 365 groups when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation.If visibility value isn't specified during group creation on Microsoft Graph, a security group is created as Private by default, and the Microsoft 365 group is Public. Groups assignable to roles are always Private. To learn more, see group visibility options. Returned by default. Nullable. |
Graph reference: homeRealmDiscoveryPolicy
| Property | Type | Description |
|---|---|---|
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. For more information about the JSON schema for this property, see Properties of a home realm discovery policy definition. Required. |
| description | String | Description for this policy. |
| displayName | String | Display name for this policy. Required. |
| id | String | Unique identifier for this policy. Read-only. |
| isOrganizationDefault | Boolean | If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. |
Graph reference: conditionalAccessPolicyCoverage
| Property | Type | Description |
|---|---|---|
| conditionalAccessPolicyState | String | The state for the conditional access policy. Possible values are: enabled, disabled, enabledForReportingButNotEnforced. Required. Read-only. |
| id | String | The unique identifier for this entity. Required. Read-only. |
| latestPolicyModifiedDateTime | DateTimeOffset | The date and time the conditional access policy was last modified. Required. Read-only. |
| requiresDeviceCompliance | Boolean | A flag indicating whether the conditional access policy requires device compliance. Required. Read-only. |
| tenantDisplayName | String | The display name for the managed tenant. Required. Read-only. |
Graph reference: orgContact
| Property | Type | Description |
|---|---|---|
| addresses | physicalOfficeAddress collection | Postal addresses for this organizational contact. For now a contact can only have one physical address. |
| companyName | String | Name of the company that this organizational contact belongs to. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq for null values). |
| department | String | The name for the department in which the contact works. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq for null values). |
| displayName | String | Display name for this organizational contact. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq for null values), $search, and $orderby. |
| givenName | String | First name for this organizational contact. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq for null values). |
| id | String | Unique identifier for this organizational contact. Supports $filter (eq, ne, not, in). |
| jobTitle | String | Job title for this organizational contact. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq for null values). |
| String | The SMTP address for the contact, for example, "[email protected]". Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq for null values). |
|
| mailNickname | String | Email alias (portion of email address pre-pending the @ symbol) for this organizational contact. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq for null values). |
| serviceProvisioningErrors | serviceProvisioningError collection | Errors published by a federated service describing a non-transient, service-specific error regarding the properties or link from an organizational contact object . Supports $filter (eq, not, for isResolved and serviceInstance). |
| onPremisesLastSyncDateTime | DateTimeOffset | Date and time when this organizational contact was last synchronized from on-premises AD. This date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Supports $filter (eq, ne, not, ge, le, in). |
| onPremisesProvisioningErrors | onPremisesProvisioningError collection | List of any synchronization provisioning errors for this organizational contact. Supports $filter (eq, not for category and propertyCausingError), /$count eq 0, /$count ne 0. |
| onPremisesSyncEnabled | Boolean | true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced and now mastered in Exchange; null if this object has never been synced from an on-premises directory (default). Supports $filter (eq, ne, not, in, and eq for null values). |
| phones | phone collection | List of phones for this organizational contact. Phone types can be mobile, business, and businessFax. Only one of each type can ever be present in the collection. |
| proxyAddresses | String collection | For example: "SMTP: [email protected]", "smtp: [email protected]". The any operator is required for filter expressions on multi-valued properties. Supports $filter (eq, not, ge, le, startsWith, /$count eq 0, /$count ne 0). |
| surname | String | Last name for this organizational contact. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq for null values). |
Graph reference: pendingExternalUserProfile
| Property | Type | Description |
|---|---|---|
| address | physicalOfficeAddress | The office address of the pending external user profile. Inherited from externalProfile. |
| createdBy | String | The object ID of the user or principal who created the pending external user profile or invited the external user. Inherited from externalProfile. Read-only. Not nullable. |
| createdDateTime | DateTimeOffset | Date and time when this pending external user profile was created. Inherited from externalProfile. Not nullable. Read-only. |
| companyName | String | The company name of the pending external user profile. Inherited from externalProfile. Supports the $filter (eq, startswith) query parameter. |
| deletedDateTime | DateTimeOffset | Date and time when the pending external user profile was deleted. Always null when the object isn't deleted. Inherited from externalProfile. |
| department | String | The department of the pending external user profile. Inherited from externalProfile. |
| displayName | String | The display name of the pending external user profile. Inherited from externalProfile. |
| id | String | The unique identifier for the pending external user profile. Not nullable. Read-only. |
| isDiscoverable | Boolean | Represents whether the pending external user profile is discoverable in the directory. When true, this external profile shows up in Teams search. Inherited from externalProfile. |
| isEnabled | Boolean | Represents whether the pending external user profile is enabled in the directory. Inherited from externalProfile. |
| jobTitle | String | The job title of the external user profile. Inherited from externalProfile. |
| phoneNumber | String | The phone number of the pending external user profile. Must be in E.164 format. Inherited from externalProfile. |
| supervisorId | String | The object ID of the supervisor of the pending external user profile. Inherited from externalProfile. Supports the $filter (eq, startswith) query parameter. |
Graph reference: permissionGrantPreApprovalPolicy
| Property | Type | Description |
|---|---|---|
| conditions | preApprovalDetail collection | A list of condition sets describing the conditions under which the permission to grant consent for the app has been preapproved. |
| deletedDateTime | DateTimeOffset | Null. Inherited from directoryObject. |
| id | String | The unique identifier for the permission grant preapproval policy. Inherited from entity. |
Graph reference: remoteDesktopSecurityConfiguration
| Property | Type | Description |
|---|---|---|
| id | String | Unique identifier for the RDS security configuration. Inherited from entity. |
| isRemoteDesktopProtocolEnabled | Boolean | Determines if Microsoft Entra ID RDS authentication protocol for RDP is enabled. |
Graph reference: schemaextension
| Property | Type | Description |
|---|---|---|
| description | String | Description for the schema extension. Supports $filter (eq). |
| id | String | The unique identifier for the schema extension definition. You can assign a value in one of two ways:
$filter (eq). Note: We recommend that your id starts with an alphabetic letter between A-Z because query capabilities might be limited for IDs that begin with integers. Supports $filter (eq). |
| owner | String | The appId of the application that is the owner of the schema extension. The owner of the schema definition must be explicitly specified during the Create and Update operations, or it will be implied and auto-assigned by Microsoft Entra ID as follows:
So, for example, if creating a new schema extension definition using Graph Explorer, you must supply the owner property. Once set, this property is read-only and cannot be changed. Supports $filter (eq). |
| properties | extensionSchemaProperty collection | The collection of property names and types that make up the schema extension definition. |
| status | String | The lifecycle state of the schema extension. Possible states are InDevelopment, Available, and Deprecated. Automatically set to InDevelopment on creation. For more information about the possible state transitions and behaviors, see Schema extensions lifecycle. Supports $filter (eq). |
| targetTypes | String collection | Set of Microsoft Graph types (that can support extensions) that the schema extension can be applied to. Select from **a |
Graph reference: servicePrincipal
| Property | Type | Description |
|---|---|---|
| accountEnabled | Boolean | true if the service principal account is enabled; otherwise, false. If set to false, then no users are able to sign in to this app, even if they're assigned to it. Supports $filter (eq, ne, not, in). |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | String collection | Used to retrieve service principals by subscription, identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appDescription | String | The description exposed by the associated application. |
| appDisplayName | String | The display name exposed by the associated application. |
| appId | String | The unique identifier for the associated application (its appId property). Alternate key. Supports $filter (eq, ne, not, in, startsWith). |
| applicationTemplateId | String | Unique identifier of the applicationTemplate. Supports $filter (eq, not, ne). Read-only. null if the service principal wasn't created from an application template. |
| appOwnerOrganizationId | Guid | Contains the tenant ID where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le). |
| appRoleAssignmentRequired | Boolean | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false. Not nullable. Supports $filter (eq, ne, NOT). |
| appRoles | appRole collection | The roles exposed by the application that's linked to this service principal. For more information, see the appRoles property definition on the application entity. Not nullable. |
| customSecurityAttributes | customSecurityAttributeValue | An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. Returned only on $select. Supports $filter (eq, ne, not, startsWith). Filter value is case sensitive. |
| deletedDateTime | DateTimeOffset | The date and time the service principal was deleted. Read-only. |
| description | String | Free text field to provide an internal end-user facing description of the service principal. End-user portals such MyApps displays the application description in this field. The maximum allowed size is 1,024 characters. Supports $filter (eq, ne, not, ge, le, startsWith) and $search. |
| disabledByMicrosoftStatus | String | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Supports $filter (eq, ne, not). |
| displayName | String | The display name for the service principal. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
| homepage | String | Home page or landing page of the application. |
| id | String | The unique identifier for the service principal. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq, ne, not, in). |
| info | informationalUrl | Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. For more info, see How to: Add Terms of service and privacy statement for registered Microsoft Entra apps. Supports $filter (eq, ne, not, ge, le, and eq on null values). |
| keyCredentials | keyCredential collection | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, not, ge, le). |
| loginUrl | String | Specifies the URL where the service provider redirects the user to Microsoft Entra ID to authenticate. Microsoft Entra ID uses the URL to launch the application from Microsoft 365 or the Microsoft Entra My Apps. When blank, Microsoft Entra ID performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. The user launches the application from Microsoft 365, the Microsoft Entra My Apps, or the Microsoft Entra SSO URL. |
| logoutUrl | String | Specifies the URL that the Microsoft's authorization service uses to sign out a user using OpenID Connect front-channel, back-channel, or SAML sign out protocols. |
| notes | String | Free text field to capture information about the service principal, typically used for operational purposes. Maximum allowed size is 1,024 characters. |
| notificationEmailAddresses | String collection | Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Microsoft Entra Gallery applications. |
| oauth2PermissionScopes | permissionScope collection | The delegated permissions exposed by the application. For more information, see the oauth2PermissionScopes property on the application entity's api property. Not nullable. |
| passwordCredentials | passwordCredential collection | The collection of password credentials associated with the application. Not nullable. |
| preferredSingleSignOnMode | string | Specifies the single sign-on mode configured for this application. Microsoft Entra ID uses the preferred single sign-on mode to launch the application from Microsoft 365 or the My Apps portal. The supported values are password, saml, notSupported, and oidc. Note: This field might be null for older SAML apps and for OIDC applications where it isn't set automatically. |
| preferredTokenSigningKeyThumbprint | String | This property can be used on SAML applications (apps that have preferredSingleSignOnMode set to saml) to control which certificate is used to sign the SAML responses. For applications that aren't SAML, don't write or otherwise rely on this property. |
| replyUrls | String collection | The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. Not nullable. |
| resourceSpecificApplicationPermissions | resourceSpecificPermission collection | The resource-specific application permissions exposed by this application. Currently, resource-specific permissions are only supported for Teams apps accessing to specific chats and teams using Microsoft Graph. Read-only. |
| samlSingleSignOnSettings | samlSingleSignOnSettings | The collection for settings related to saml single sign-on. |
| servicePrincipalNames | String collection | Contains the list of identifiersUris, copied over from the associated application. Additional values can be added to hybrid applications. These values can be used to identify the permissions exposed by this app within Microsoft Entra ID. For example,
The any operator is required for filter expressions on multi-valued properties. Not nullable. Supports $filter (eq, not, ge, le, startsWith). |
| servicePrincipalType | String | Identifies whether the service principal represents an application, a managed identity, or a legacy application. This is set by Microsoft Entra ID internally. The servicePrincipalType property can be set to three different values:
|
| signInAudience | String | Specifies the Microsoft accounts that are supported for the current application. Read-only. Supported values are:
|
| tags | String collection | Custom strings that can be used to categorize and identify the service principal. Not nullable. The value is the union of strings set here and on the associated application entity's tags property. Supports $filter (eq, not, ge, le, startsWith). |
| tokenEncryptionKeyId | String | Specifies the keyId of a public key from the keyCredentials collection. When configured, Microsoft Entra ID issues tokens for this application encrypted using the key specified by this property. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. |
| verifiedPublisher | verifiedPublisher | Specifies the verified publisher of the application that's linked to this service principal. |
Graph reference: targetDeviceGroup
| Property | Type | Description |
|---|---|---|
| displayName | String | Display name for the target device group. |
| id | String | Object identifier of the group. Inherited from entity. |
Graph reference: tenantAppManagementPolicy
| Property | Type | Description |
|---|---|---|
| applicationRestrictions | appManagementConfiguration | Restrictions that apply as default to all application objects in the tenant. |
| description | String | The description of the default policy. Inherited from policyBase. |
| displayName | String | The display name of the default policy. Inherited from policyBase. |
| id | String | The default policy identifier. |
| isEnabled | Boolean | Denotes whether the policy is enabled. Default value is false. |
| servicePrincipalRestrictions | appManagementConfiguration | Restrictions that apply as default to all service principal objects in the tenant. |
Graph reference: tokenIssuancePolicy
| Property | Type | Description |
|---|---|---|
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required. |
| description | String | Description for this policy. |
| displayName | String | Display name for this policy. Required. |
| id | String | Unique identifier for this policy. Read-only. |
| isOrganizationDefault | Boolean | Ignore this property. The token-issuance policy can only be applied to service principals and can't be set globally for the organization. |
Graph reference: tokenLifetimePolicy
| Property | Type | Description |
|---|---|---|
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. For more information about the JSON schema for this property, see Properties of a token lifetime policy definition . Required. |
| displayName | String | Display name for this policy. Required. |
| id | String | Unique identifier for this policy. Read-only. |
| isOrganizationDefault | Boolean | If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. |
Graph reference: user
| Property | Type | Description |
|---|---|---|
| aboutMe | String | A freeform text entry field for the user to describe themselves. Returned only on $select. |
| accountEnabled | Boolean | true if the account is enabled; otherwise, false. This property is required when a user is created. Returned only on $select. Supports $filter (eq, ne, not, and in). |
| ageGroup | ageGroup | Sets the age group of the user. Allowed values: null, Minor, NotAdult, and Adult. For more information, see legal age group property definitions. Returned only on $select. Supports $filter (eq, ne, not, and in). |
| assignedLicenses | assignedLicense collection | The licenses that are assigned to the user, including inherited (group-based) licenses. This property doesn't differentiate between directly assigned and inherited licenses. Use the licenseAssignmentStates property to identify the directly assigned and inherited licenses. Not nullable. Returned only on $select. Supports $filter (eq, not, /$count eq 0, /$count ne 0). |
| assignedPlans | assignedPlan collection | The plans that are assigned to the user. Read-only. Not nullable. Returned only on $select. Supports $filter (eq and not). |
| birthday | DateTimeOffset | The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. Returned only on $select. |
| businessPhones | String collection | The telephone numbers for the user. NOTE: Although it's a string collection, only one number can be set for this property. Read-only for users synced from the on-premises directory. Returned by default. Supports $filter (eq, not, ge, le, startsWith). |
| city | String | The city where the user is located. Maximum length is 128 characters. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| companyName | String | The name of the company that the user is associated with. This property can be useful for describing the company that a guest comes from. The maximum length is 64 characters. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| consentProvidedForMinor | consentProvidedForMinor | Sets whether consent was obtained for minors. Allowed values: null, Granted, Denied, and NotRequired. For more information, see legal age group property definitions. Returned only on $select. Supports $filter (eq, ne, not, and in). |
| country | String | The country/region where the user is located; for example, US or UK. Maximum length is 128 characters. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| createdDateTime | DateTimeOffset | The date and time the user was created, in ISO 8601 format and UTC. The value can't be modified and is automatically populated when the entity is created. Nullable. For on-premises users, the value represents when they were first created in Microsoft Entra ID. Property is null for some users created before June 2018 and on-premises users that were synced to Microsoft Entra ID before June 2018. Read-only. Returned only on $select. Supports $filter (eq, ne, not , ge, le, in). |
| creationType | String | Indicates whether the user account was created through one of the following methods:
Read-only. Returned only on $select. Supports $filter (eq, ne, not, in). |
| customSecurityAttributes | customSecurityAttributeValue | An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. Returned only on $select. Supports $filter (eq, ne, not, startsWith). The filter value is case-sensitive. |
| deletedDateTime | DateTimeOffset | The date and time the user was deleted. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in). |
| department | String | The name of the department in which the user works. Maximum length is 64 characters. Returned only on $select. Supports $filter (eq, ne, not , ge, le, in, and eq on null values). |
| displayName | String | The name displayed in the address book for the user. This value is usually the combination of the user's first name, middle initial, and family name. This property is required when a user is created and it can't be cleared during updates. Maximum length is 256 characters. Returned by default. Supports $filter (eq, ne, not , ge, le, in, startsWith, and eq on null values), $orderby, and $search. |
| employeeHireDate | DateTimeOffset | The date and time when the user was hired or will start work in a future hire. Returned only on $select. Supports $filter (eq, ne, not , ge, le, in). |
| employeeLeaveDateTime | DateTimeOffset | The date and time when the user left or will leave the organization. Supports $filter (eq, ne, not , ge, le, in). For more information, see Configure the employeeLeaveDateTime property for a user. |
| employeeId | String | The employee identifier assigned to the user by the organization. The maximum length is 16 characters. Returned only on $select. Supports $filter (eq, ne, not , ge, le, in, startsWith, and eq on null values). |
| employeeOrgData | employeeOrgData | Represents organization data (for example, division and costCenter) associated with a user. Returned only on $select. Supports $filter (eq, ne, not , ge, le, in). |
| employeeType | String | Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor. Returned only on $select. Supports $filter (eq, ne, not , ge, le, in, startsWith). |
| externalUserState | String | For a guest invited to the tenant using the invitation API, this property represents the invited user's invitation status. For invited users, the state can be PendingAcceptance or Accepted, or null for all other users. Returned only on $select. Supports $filter (eq, ne, not , in). |
| externalUserStateChangeDateTime | DateTimeOffset | Shows the timestamp for the latest change to the externalUserState property. Returned only on $select. Supports $filter (eq, ne, not , in). |
| faxNumber | String | The fax number of the user. Returned only on $select. Supports $filter (eq, ne, not , ge, le, in, startsWith, and eq on null values). |
| givenName | String | The given name (first name) of the user. Maximum length is 64 characters. Returned by default. Supports $filter (eq, ne, not , ge, le, in, startsWith, and eq on null values). |
| hireDate | DateTimeOffset | The hire date of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. Returned only on $select. Note: This property is specific to SharePoint in Microsoft 365. We recommend using the native employeeHireDate property to set and update hire date values using Microsoft Graph APIs. |
| id | String | The unique identifier for the user. Should be treated as an opaque identifier. Inherited from directoryObject. Key. Not nullable. Read-only. Returned by default. Supports $filter (eq, ne, not, in). |
| identities | objectIdentity collection | Represents the identities that can be used to sign in to this user account. Microsoft (also known as a local account), organizations, or social identity providers such as Facebook, Google, and Microsoft can provide identity and tie it to a user account. It might contain multiple items with the same signInType value. Returned only on $select. Supports $filter (eq) with limitations. |
| imAddresses | String collection | The instant message voice-over IP (VOIP) session initiation protocol (SIP) addresses for the user. Read-only. Returned only on $select. Supports $filter (eq, not, ge, le, startsWith). |
| interests | String collection | A list for the user to describe their interests. Returned only on $select. |
| isResourceAccount | Boolean | Don't use – reserved for future use. |
| jobTitle | String | The user's job title. Maximum length is 128 characters. Returned by default. Supports $filter (eq, ne, not , ge, le, in, startsWith, and eq on null values). |
| lastPasswordChangeDateTime | DateTimeOffset | The time when this Microsoft Entra user last changed their password or when their password was created, whichever date the latest action was performed. The date and time information uses ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Returned only on $select. |
| legalAgeGroupClassification | legalAgeGroupClassification | Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated based on ageGroup and consentProvidedForMinor properties. Allowed values: null, MinorWithOutParentalConsent, MinorWithParentalConsent, MinorNoParentalConsentRequired, NotAdult, and Adult. For more information, see legal age group property definitions. Returned only on $select. |
| licenseAssignmentStates | licenseAssignmentState collection | State of license assignments for this user. Also indicates licenses that are directly assigned or the user inherited through group memberships. Read-only. Returned only on $select. |
| String | The SMTP address for the user, for example, [email protected]. Changes to this property update the user's proxyAddresses collection to include the value as an SMTP address. This property can't contain accent characters. NOTE: We don't recommend updating this property for Azure AD B2C user profiles. Use the otherMails property instead. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, endsWith, and eq on null values). |
|
| mailboxSettings | mailboxSettings | Settings for the primary mailbox of the signed-in user. You can get or update settings for sending automatic replies to incoming messages, locale, and time zone. Returned only on $select. |
| mailNickname | String | The mail alias for the user. This property must be specified when a user is created. Maximum length is 64 characters. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| mobilePhone | String | The primary cellular telephone number for the user. Read-only for users synced from the on-premises directory. Maximum length is 64 characters. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values) and $search. |
| mySite | String | The URL for the user's site. Returned only on $select. |
| officeLocation | String | The office location in the user's place of business. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| onPremisesDistinguishedName | String | Contains the on-premises Active Directory distinguished name or DN. The property is only populated for customers who are synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Read-only. Returned only on $select. |
| onPremisesDomainName | String | Contains the on-premises domainFQDN, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Read-only. Returned only on $select. |
| onPremisesExtensionAttributes | onPremisesExtensionAttributes | Contains extensionAttributes1-15 for the user. These extension attributes are also known as Exchange custom attributes 1-15. Each attribute can store up to 1024 characters. false), these properties can be set during the creation or update of a user object. Returned only on $select. Supports $filter (eq, ne, not, in). |
| onPremisesImmutableId | String | This property is used to associate an on-premises Active Directory user account to their Microsoft Entra user object. This property must be specified when creating a new user account in the Graph if you're using a federated domain for the user's userPrincipalName (UPN) property. NOTE: The $ and _ characters can't be used when specifying this property. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in). |
| onPremisesLastSyncDateTime | DateTimeOffset | Indicates the last time at which the object was synced with the on-premises directory; for example: 2013-02-16T03:04:54Z. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in). |
| onPremisesProvisioningErrors | onPremisesProvisioningError collection | Errors when using Microsoft synchronization product during provisioning. Returned only on $select. Supports $filter (eq, not, ge, le). |
| onPremisesSamAccountName | String | Contains the on-premises samAccountName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Read-only. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith). |
| onPremisesSecurityIdentifier | String | Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. Read-only. Returned only on $select. Supports $filter (eq including on null values). |
| onPremisesSyncEnabled | Boolean | true if this user object is currently being synced from an on-premises Active Directory (AD); otherwise the user isn't being synced and can be managed in Microsoft Entra ID. Read-only. Returned only on $select. Supports $filter (eq, ne, not, in, and eq on null values). |
| onPremisesUserPrincipalName | String | Contains the on-premises userPrincipalName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Read-only. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith). |
| otherMails | String collection | A list of other email addresses for the user; for example: ["[email protected]", "[email protected]"]. NOTE: This property can't contain accent characters. Returned only on $select. Supports $filter (eq, not, ge, le, in, startsWith, endsWith, /$count eq 0, /$count ne 0). |
| passwordPolicies | String | Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two might be specified together; for example: DisablePasswordExpiration, DisableStrongPassword. Returned only on $select. For more information on the default password policies, see Microsoft Entra password policies. Supports $filter (ne, not, and eq on null values). |
| passwordProfile | passwordProfile | Specifies the password profile for the user. The profile contains the user's password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required. Returned only on $select. Supports $filter (eq, ne, not, in, and eq on null values). To update this property: |
| pastProjects | String collection | A list for the user to enumerate their past projects. Returned only on $select. |
| postalCode | String | The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code. Maximum length is 40 characters. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| preferredDataLocation | String | The preferred data location for the user. For more information, see OneDrive Online Multi-Geo. |
| preferredLanguage | String | The preferred language for the user. The preferred language format is based on RFC 4646. The name is a combination of an ISO 639 two-letter lowercase culture code associated with the language, and an ISO 3166 two-letter uppercase subculture code associated with the country or region. Example: "en-US", or "es-ES". Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values) |
| preferredName | String | The preferred name for the user. Not Supported. This attribute returns an empty string. Returned only on $select. |
| provisionedPlans | provisionedPlan collection | The plans that are provisioned for the user. Read-only. Not nullable. Returned only on $select. Supports $filter (eq, not, ge, le). |
| proxyAddresses | String collection | For example: "SMTP: [email protected]", "smtp: [email protected]"]. Changes to the mail property update this collection to include the value as an SMTP address. For more information, see [mail and proxyAddresses properties. The proxy address prefixed with SMTP (capitalized) is the primary proxy address, while those addresses prefixed with smtp are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of 10 unique addresses. Read-only in Microsoft Graph; you can update this property only through the Microsoft 365 admin center. Not nullable. Returned only on $select. Supports $filter (eq, not, ge, le, startsWith, endsWith, /$count eq 0, /$count ne 0). |
| refreshTokensValidFromDateTime | DateTimeOffset | Any refresh tokens or session tokens (session cookies) issued before this time are invalid. Applications get an error when using an invalid refresh or session token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application needs to acquire a new refresh token by requesting the authorized endpoint. Returned only on $select. Read-only. |
| responsibilities | String collection | A list for the user to enumerate their responsibilities. Returned only on $select. |
| serviceProvisioningErrors | serviceProvisioningError collection | Errors published by a federated service describing a nontransient, service-specific error regarding the properties or link from a user object. Supports $filter (eq, not, for isResolved and serviceInstance). |
| schools | String collection | A list for the user to enumerate the schools they attended. Returned only on $select. |
| securityIdentifier | String | Security identifier (SID) of the user, used in Windows scenarios. Read-only. Returned by default. Supports $select and $filter (eq, not, ge, le, startsWith). |
| showInAddressList | Boolean | Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. Represents whether the user should be included in the Outlook global address list. See Known issue. |
| signInActivity | signInActivity | Get the last signed-in date and request ID of the sign-in for a given user. Read-only. Returned only on $select. Supports $filter (eq, ne, not, ge, le) but not with any other filterable properties. Note: |
| signInSessionsValidFromDateTime | DateTimeOffset | Any refresh tokens or session tokens (session cookies) issued before this time are invalid. Applications get an error when using an invalid refresh or session token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application needs to acquire a new refresh token by requesting the authorized endpoint. Read-only. Use revokeSignInSessions to reset. Returned only on $select. |
| skills | String collection | A list for the user to enumerate their skills. Returned only on $select. |
| state | String | The state or province in the user's address. Maximum length is 128 characters. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| streetAddress | String | The street address of the user's place of business. Maximum length is 1,024 characters. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| surname | String | The user's surname (family name or last name). Maximum length is 64 characters. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| usageLocation | String | A two-letter country code (ISO standard 3166). Required for users that are assigned licenses due to legal requirements to check for availability of services in countries. Examples include: US, JP, and GB. Not nullable. Returned only on $select. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
| userPrincipalName | String | The user principal name (UPN) of the user. The UPN is an Internet-style sign-in name for the user based on the Internet standard RFC 822. By convention, this value should map to the user's email name. The general format is alias@domain, where the domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the verifiedDomains property of organization. NOTE: This property can't contain accent characters. Only the following characters are allowed A - Z, a - z, 0 - 9, ' . - _ ! # ^ ~. For the complete list of allowed characters, see username policies. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, endsWith) and $orderby. |
| userType | String | A string value that can be used to classify user types in your directory. The possible values are Member and Guest. Returned only on $select. Supports $filter (eq, ne, not, in, and eq on null values). **N |