
Domain.Read.All

Allows the app to read all domain properties on behalf of the signed-in user.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

Ver Type Method
V1 A,D GET /directory/federationConfigurations/graph.samlOrWsFedExternalDomainFederation?$filter=domains/any(x: x/id eq 'domainName-value')
V1 A,D GET /domains
V1 A,D GET /domains/{domainsId}/federationConfiguration/{internalDomainFederationId}
V1 A,D GET /domains/{id}
V1 A,D GET /domains/{id}/domainNameReferences
V1 A,D GET /domains/{id}/serviceConfigurationRecords
V1 A,D GET /domains/{id}/verificationDnsRecords

Delegate Permission

Id 2f9ee017-59c1-4f1d-9472-bd5529a7b311
Consent Type Admin
Display String Read domains.
Description Allows the app to read all domain properties on behalf of the signed-in user.

Application Permission

Id dbb9058a-0e50-45d7-ae91-66909b5d4664
Display String Read domains
Description Allows the app to read all domain properties without a signed-in user.

Resources

directoryObject

Property Type Description
deletedDateTime DateTimeOffset Date and time when this object was deleted. Always null when the object hasn't been deleted.
id String The unique identifier for the object. For example, 12345678-9abc-def0-1234-56789abcde. The value of the **i

domain

Property Type Description
authenticationType String Indicates the configured authentication type for the domain. The value is either Managed or Federated. Managed indicates a cloud managed domain where Azure AD performs user authentication. Federated indicates authentication is federated with an identity provider such as the tenant's on-premises Active Directory via Active Directory Federation Services. This property is read-only and is not nullable.
availabilityStatus String This property is always null except when the verify action is used. When the verify action is used, a domain entity is returned in the response. The availabilityStatus property of the domain entity in the response is either AvailableImmediately or EmailVerifiedDomainTakeoverScheduled.
id String The fully qualified name of the domain. Key, immutable, not nullable, unique.
isAdminManaged Boolean The value of the property is false if the DNS record management of the domain has been delegated to Microsoft 365. Otherwise, the value is true. Not nullable.
isDefault Boolean true if this is the default domain that is used for user creation. There is only one default domain per company. Not nullable.
isInitial Boolean true if this is the initial domain created by Microsoft Online Services (companyname.onmicrosoft.com). There is only one initial domain per company. Not nullable.
isRoot Boolean true if the domain is a verified root domain. Otherwise, false if the domain is a subdomain or unverified. Not nullable.
isVerified Boolean true if the domain has completed domain ownership verification. Not nullable.
passwordNotificationWindowInDays Int32 Specifies the number of days before a user receives notification that their password will expire. If the property is not set, a default value of 14 days will be used.
passwordValidityPeriodInDays Int32 Specifies the length of time that a password is valid before it must be changed. If the property is not set, a default value of 90 days will be used.
state domainState Status of asynchronous operations scheduled for the domain.
supportedServices String collection The capabilities assigned to the domain. Can include 0, 1 or more of the following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values which you can add/remove using Graph API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable.

domainDnsRecord

Property Type Description
id String Unique identifier assigned to this entity. Not nullable, Read-only.
isOptional Boolean If false, this record must be configured by the customer at the DNS host for Microsoft Online Services to operate correctly with the domain.
label String Value used when configuring the name of the DNS record at the DNS host.
recordType String Indicates what type of DNS record this entity represents. The value can be one of the following: CName, Mx, Srv, Txt.
supportedService String Microsoft Online Service or feature that has a dependency on this DNS record. Can be one of the following values: null, Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune.
ttl Int32 Value to use when configuring the time-to-live (ttl) property of the DNS record at the DNS host. Not nullable.

externalDomainName

Property Type Description
id String Domain name of the external organization that the Azure AD tenant is federating with. Inherited from entity.

internalDomainFederation

Property Type Description
activeSignInUri String URL of the endpoint used by active clients when authenticating with federated domains set up for single sign-on in Azure Active Directory (Azure AD). Corresponds to the ActiveLogOnUri property of the Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet.
displayName String The display name of the federated identity provider (IdP). Inherited from identityProviderBase.
federatedIdpMfaBehavior federatedIdpMfaBehavior Determines whether Azure AD accepts the MFA performed by the federated IdP when a federated user accesses an application that is governed by a conditional access policy that requires MFA. The possible values are: acceptIfMfaDoneByFederatedIdp, enforceMfaByFederatedIdp, rejectMfaByFederatedIdp, unknownFutureValue. For more information, see federatedIdpMfaBehavior values.
id String The identifier of the federated identity provider. Inherited from entity.
isSignedAuthenticationRequestRequired Boolean If true, when SAML authentication requests are sent to the federated SAML IdP, Azure AD will sign those requests using the OrgID signing key. If false (default), the SAML authentication requests sent to the federated IdP are not signed.
issuerUri String Issuer URI of the federation server. Inherited from samlOrWsFedProvider.
metadataExchangeUri String URI of the metadata exchange endpoint used for authentication from rich client applications. Inherited from samlOrWsFedProvider.
nextSigningCertificate String Fallback token signing certificate that is used to sign tokens when the primary signing certificate expires. Formatted as Base64 encoded strings of the public portion of the federated IdP's token signing certificate. Needs to be compatible with the X509Certificate2 class. Much like the signingCertificate, the nextSigningCertificate property is used if a rollover is required outside of the auto-rollover update, a new federation service is being set up, or if the new token signing certificate is not present in the federation properties after the federation service certificate has been updated.
passiveSignInUri String URI that web-based clients are directed to when signing into Azure AD services. Inherited from samlOrWsFedProvider.
preferredAuthenticationProtocol authenticationProtocol Preferred authentication protocol. The possible values are: wsFed, saml, unknownFutureValue. Inherited from samlOrWsFedProvider.
promptLoginBehavior promptLoginBehavior Sets the preferred behavior for the sign-in prompt. The possible values are: translateToFreshPasswordAuthentication, nativeSupport, disabled, unknownFutureValue.
signingCertificate String Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios:
  • If a rollover is required outside of the autorollover update
  • A new federation service is being set up
  • If the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.
Azure AD updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Azure AD monitors the metadata daily and will update the federation settings for the domain when a new certificate is available. Inherited from samlOrWsFedProvider.
signingCertificateUpdateStatus signingCertificateUpdateStatus Provides status and timestamp of the last update of the signing certificate.
signOutUri String URI that clients are redirected to when they sign out of Azure AD services. Corresponds to the **L
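
An added example (not code from the page or from Microsoft's Graph documentation) of how a defender holding Domain.Read.All would review the domain and internalDomainFederation properties listed above. The JSON is a constructed sample shaped like the responses to GET /domains and GET /domains/{id}/federationConfiguration; the contoso/partner names, the IdP URIs and the certificate value are placeholders.

```python
import json

# Constructed sample (not real tenant data), shaped like the GET /domains response.
DOMAINS_RESPONSE = json.loads("""
{"value": [
  {"id": "contoso.onmicrosoft.com", "authenticationType": "Managed",
   "isInitial": true, "isDefault": false, "isVerified": true},
  {"id": "contoso.example", "authenticationType": "Managed",
   "isInitial": false, "isDefault": true, "isVerified": true},
  {"id": "partner.example", "authenticationType": "Federated",
   "isInitial": false, "isDefault": false, "isVerified": true}
]}""")

# Constructed sample keyed by domain id, shaped like the response to
# GET /domains/{id}/federationConfiguration; all IdP values are placeholders.
FEDERATION_BY_DOMAIN = {"partner.example": json.loads("""
{"value": [{
  "id": "00000000-0000-0000-0000-000000000000",
  "displayName": "Partner IdP (placeholder)",
  "issuerUri": "http://sts.partner.example/adfs/services/trust",
  "passiveSignInUri": "https://sts.partner.example/adfs/ls/",
  "preferredAuthenticationProtocol": "saml",
  "federatedIdpMfaBehavior": "acceptIfMfaDoneByFederatedIdp",
  "isSignedAuthenticationRequestRequired": false,
  "signingCertificate": "BASE64-PLACEHOLDER"
}]}""")}


def audit_domains(domains, federation_by_domain):
    """Return {domain id: [review items]} derived from the documented properties."""
    findings = {}
    for d in domains["value"]:
        items = []
        if not d.get("isVerified"):
            items.append("domain ownership not verified")
        if d.get("authenticationType") == "Federated":
            for fed in federation_by_domain.get(d["id"], {}).get("value", []):
                # Conditional Access MFA is satisfied by the federated IdP's own claim.
                if fed.get("federatedIdpMfaBehavior") == "acceptIfMfaDoneByFederatedIdp":
                    items.append("MFA claims from federated IdP are accepted")
                # Only meaningful for SAML: unsigned requests are the documented default.
                if (fed.get("preferredAuthenticationProtocol") == "saml"
                        and not fed.get("isSignedAuthenticationRequestRequired", False)):
                    items.append("SAML authentication requests are not signed")
        findings[d["id"]] = items
    return findings


def default_and_initial(domains):
    """There is one default and one initial domain per tenant; return both id lists."""
    default = [d["id"] for d in domains["value"] if d.get("isDefault")]
    initial = [d["id"] for d in domains["value"] if d.get("isInitial")]
    return default, initial
```

Run it against the real responses by replacing the two constructed samples with the parsed Graph output; managed domains yield an empty review list, federated ones list the settings worth a second look.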

samlOrWsFedExternalDomainFederation

Property Type Description
displayName String The display name of the SAML or WS-Fed based IdP. Inherited from identityProviderBase.
id String The identifier of the identity provider. Inherited from entity.
issuerUri String Issuer URI of the federation server. Inherited from samlOrWsFedProvider.
metadataExchangeUri String URI of the metadata exchange endpoint used for authentication from rich client applications. Inherited from samlOrWsFedProvider.
passiveSignInUri String URI that web-based clients are directed to when signing in to Azure AD services. Inherited from samlOrWsFedProvider.
preferredAuthenticationProtocol authenticationProtocol Preferred authentication protocol. The possible values are: wsFed, saml, unknownFutureValue. Inherited from samlOrWsFedProvider.
signingCertificate String Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios:
  • If a rollover is required outside of the autorollover update
  • A new federation service is being set up
  • If the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.
Azure AD updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Azure AD monitors the metadata daily and will update the federation settings for the domain when a new certificate is available. Inherited from samlOrWsFedProvider.

Created by merill