EntitlementManagement.Read.All
Allows the app to read access packages and related entitlement management resources on behalf of the signed-in user.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Delegate Permission
Id | 5449aa12-1393-4ea2-a7c7-d0e06c1a56b2 |
Consent Type | Admin |
Display String | Read all entitlement management resources |
Description | Allows the app to read access packages and related entitlement management resources on behalf of the signed-in user. |
Application Permission
Id | c74fd47d-ed3c-45c3-9a9e-b8676de685d2 |
Display String | Read all entitlement management resources |
Description | Allows the app to read access packages and related entitlement management resources without a signed-in user. |
Resources
accessPackage
Property | Type | Description |
---|---|---|
createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
description | String | The description of the access package. |
displayName | String | The display name of the access package. Supports $filter (eq , contains ). |
id | String | Read-only. |
isHidden | Boolean | Whether the access package is hidden from the requestor. |
modifiedDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
accessPackageAssignment
Property | Type | Description |
---|---|---|
expiredDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
id | String | Read-only. |
schedule | entitlementManagementSchedule | When the access assignment is to be in place. Read-only. |
state | accessPackageAssignmentState | The state of the access package assignment. The possible values are: delivering , partiallyDelivered , delivered , expired , deliveryFailed , unknownFutureValue . Read-only. Supports $filter (eq ). |
status | String | More information about the assignment lifecycle. Possible values include Delivering , Delivered , NearExpiry1DayNotificationTriggered , or ExpiredNotificationTriggered . Read-only. |
accesspackageassignment-accesspackageassignmentfilterbycurrentuseroptions
accessPackageAssignmentPolicy
Property | Type | Description |
---|---|---|
allowedTargetScope | allowedTargetScope | Principals that can be assigned the access package through this policy. The possible values are: notSpecified , specificDirectoryUsers , specificConnectedOrganizationUsers , specificDirectoryServicePrincipals , allMemberUsers , allDirectoryUsers , allDirectoryServicePrincipals , allConfiguredConnectedOrganizationUsers , allExternalUsers , unknownFutureValue . |
automaticRequestSettings | accessPackageAutomaticRequestSettings | This property is only present for an auto assignment policy; if absent, this is a request-based policy. |
createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . |
description | String | The description of the policy. |
displayName | String | The display name of the policy. |
expiration | expirationPattern | The expiration date for assignments created in this policy. |
id | String | Read only. |
modifiedDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . |
requestApprovalSettings | accessPackageAssignmentApprovalSettings | Specifies the settings for approval of requests for an access package assignment through this policy. For example, if approval is required for new requests. |
requestorSettings | accessPackageAssignmentRequestorSettings | Provides additional settings to select who can create a request for an access package assignment through this policy, and what they can include in their request. |
reviewSettings | accessPackageAssignmentReviewSettings | Settings for access reviews of assignments through this policy. |
specificAllowedTargets | subjectSet collection | The principals that can be assigned access from an access package through this policy. |
accessPackageAssignmentRequest
Property | Type | Description |
---|---|---|
completedDateTime | DateTimeOffset | The date of the end of processing, either successful or failure, of a request. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. Supports $filter . |
id | String | Read-only. |
requestType | accessPackageRequestType | The type of the request. The possible values are: notSpecified , userAdd , UserExtend , userUpdate , userRemove , adminAdd , adminUpdate , adminRemove , systemAdd , systemUpdate , systemRemove , onBehalfAdd (not supported), unknownFutureValue . A request from the user themselves would have requestType of userAdd , userUpdate or userRemove . This property cannot be changed once set. |
schedule | entitlementManagementSchedule | The range of dates that access is to be assigned to the requestor. This property cannot be changed once set. |
state | accessPackageRequestState | The state of the request. The possible values are: submitted , pendingApproval , delivering , delivered , deliveryFailed , denied , scheduled , canceled , partiallyDelivered , unknownFutureValue . Read-only. Supports $filter (eq ). |
status | String | More information on the request processing status. Read-only. |
accesspackageassignmentrequest-accesspackageassignmentrequestfilterbycurrentuseroptions
accessPackageAssignmentRequestRequirements
Property | Type | Description |
---|---|---|
allowCustomAssignmentSchedule | Boolean | Indicates whether the requestor is allowed to set a custom schedule. |
isApprovalRequiredForAdd | Boolean | Indicates whether a request to add must be approved by an approver. |
isApprovalRequiredForUpdate | Boolean | Indicates whether a request to update must be approved by an approver. |
policyDescription | String | The description of the policy that the user is trying to request access using. |
policyDisplayName | String | The display name of the policy that the user is trying to request access using. |
policyId | String | The identifier of the policy that these requirements are associated with. This identifier can be used when creating a new assignment request. |
schedule | entitlementManagementSchedule | Schedule restrictions enforced, if any. |
accessPackageAssignmentResourceRole
Property | Type | Description |
---|---|---|
id | String | Read-only. |
originId | String | A unique identifier relative to the origin system, corresponding to the originId property of the accessPackageResourceRole. |
originSystem | String | The system where the role assignment is to be created or has been created for an access package assignment, such as SharePointOnline , AadGroup or AadApplication , corresponding to the originSystem property of the accessPackageResourceRole. |
status | String | The value is PendingFulfillment when the access package assignment has not yet been delivered to the origin system, and Fulfilled when the access package assignment has been delivered to the origin system. |
accessPackageCatalog
Property | Type | Description |
---|---|---|
catalogType | accessPackageCatalogType | Whether the catalog is created by a user or entitlement management. The possible values are: userManaged , serviceDefault , serviceManaged , unknownFutureValue . |
createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
description | String | The description of the access package catalog. |
displayName | String | The display name of the access package catalog. |
id | String | Read-only. |
isExternallyVisible | Boolean | Whether the access packages in this catalog can be requested by users outside of the tenant. |
modifiedDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
state | accessPackageCatalogState | Has the value published if the access packages are available for management. The possible values are: unpublished , published , unknownFutureValue . |
accessPackageResource
Property | Type | Description |
---|---|---|
attributes | accessPackageResourceAttribute collection | Contains information about the attributes to be collected from the requestor and sent to the resource application. |
addedBy | String | The name of the user or application that first added this resource. Read-only. |
addedOn | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
description | String | A description for the resource. |
displayName | String | The display name of the resource, such as the application name, group name or site name. |
id | String | Read-only. |
isPendingOnboarding | Boolean | True if the resource is not yet available for assignment. Read-only. |
originId | String | The unique identifier of the resource in the origin system. In the case of an Azure AD group, this is the identifier of the group. |
originSystem | String | The type of the resource in the origin system, such as SharePointOnline , AadApplication or AadGroup . |
resourceType | String | The type of the resource, such as Application if it is an Azure AD connected application, or SharePoint Online Site for a SharePoint Online site. |
url | String | A unique resource locator for the resource, such as the URL for signing a user into an application. |
accessPackageResourceEnvironment
Property | Type | Description |
---|---|---|
connectionInfo | connectionInfo | Connection information of an environment used to connect to a resource. |
createdBy | String | The display name of the user that created this object. |
createdDateTime | DateTimeOffset | The date and time that this object was created. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . |
description | String | The description of this object. |
displayName | String | The display name of this object. |
id | String | The system-assigned unique identifier of the object. |
isDefaultEnvironment | Boolean | Determines whether this is default environment or not. It is set to true for all static origin systems, such as Azure AD groups and Azure AD Applications. |
modifiedBy | String | The display name of the entity that last modified this object. |
modifiedDateTime | DateTimeOffset | The date and time that this object was last modified. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . |
originId | String | The unique identifier of this environment in the origin system. |
originSystem | String | The type of the resource in the origin system, that is, SharePointOnline . Requires $filter (eq ). |
accessPackageResourceRequest
Property | Type | Description |
---|---|---|
catalogId | String | The unique ID of the access package catalog. |
expirationDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
id | String | Read-only. |
isValidationOnly | Boolean | If set, does not add the resource. |
justification | String | The requestor's justification for adding or removing the resource. |
requestState | String | The outcome of whether the service was able to add the resource to the catalog. The value is Delivered if the resource was added or removed. Read-Only. |
requestStatus | String | Read-only. |
requestType | String | Use AdminAdd to add a resource, if the caller is an administrator or resource owner, AdminUpdate to update a resource, or AdminRemove to remove a resource. |
accessPackageResourceRole
Property | Type | Description |
---|---|---|
description | String | A description for the resource role. |
displayName | String | The display name of the resource role such as the role defined by the application. |
id | String | Read-only. |
originId | String | The unique identifier of the resource role in the origin system. For a SharePoint Online site, the originId will be the sequence number of the role in the site. |
originSystem | String | The type of the resource in the origin system, such as SharePointOnline , AadApplication or AadGroup . |
accessPackageResourceRoleScope
Property | Type | Description |
---|---|---|
createdBy | String | Read-only. |
createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
id | String | Read-only. |
modifiedBy | String | Read-only. |
modifiedDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
accessPackageResourceScope
Property | Type | Description |
---|---|---|
description | String | The description of the scope. |
displayName | String | The display name of the scope. |
id | String | Read-only. |
isRootScope | Boolean | True if the scopes are arranged in a hierarchy and this is the top or root scope of the resource. |
originId | String | The unique identifier for the scope in the resource as defined in the origin system. |
originSystem | String | The origin system for the scope. |
roleOriginId | String | The origin system for the role, if different. |
url | String | A resource locator for the scope. |
approval
Property | Type | Description |
---|---|---|
id | String | Identifier of the approval decision. |
approvalStage
Property | Type | Description |
---|---|---|
assignedToMe | Boolean | Indicates whether the stage is assigned to the calling user to review. Read-only. |
displayName | String | The label provided by the policy creator to identify an approval stage. Read-only. |
id | String | The identifier of the stage associated with an approval object. Read-only. |
justification | String | The justification associated with the approval stage decision. |
reviewResult | String | The result of this approval record. Possible values include: NotReviewed , Approved , Denied . |
reviewedBy | identity | The identifier of the reviewer. 00000000-0000-0000-0000-000000000000 if the assigned reviewer hasn't reviewed. Read-only. |
reviewedDateTime | DateTimeOffset | The date and time when a decision was recorded. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
status | String | The stage status. Possible values: InProgress , Initializing , Completed , Expired . Read-only. |
approvalStep
Property | Type | Description |
---|---|---|
assignedToMe | Boolean | Indicates whether the step is assigned to the calling user to review. Read-only. |
displayName | String | The label provided by the policy creator to identify an approval step. Read-only. |
id | String | The identifier of the step associated with an approval object. Read-only. |
justification | String | The justification associated with the approval step decision. |
reviewResult | String | The result of this approval record. Possible values include: NotReviewed , Approved , Denied . |
reviewedBy | userIdentity collection | The identifier of the reviewer. 00000000-0000-0000-0000-000000000000 if the assigned reviewer hasn't reviewed. Read-only. |
reviewedDateTime | DateTimeOffset | The date and time when a decision was recorded. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
status | String | The step status. Possible values: InProgress , Initializing , Completed , Expired . Read-only. |
connectedOrganization
Property | Type | Description |
---|---|---|
createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
description | String | The description of the connected organization. |
displayName | String | The display name of the connected organization. Supports $filter (eq ). |
id | String | Read-only. |
identitySources | identitySource collection | The identity sources in this connected organization, one of azureActiveDirectoryTenant, domainIdentitySource, externalDomainFederation or crossCloudAzureActiveDirectoryTenant. Nullable. |
modifiedDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
state | connectedOrganizationState | The state of a connected organization defines whether assignment policies with requestor scope type AllConfiguredConnectedOrganizationSubjects are applicable or not. The possible values are: configured , proposed , unknownFutureValue . |
customAccessPackageWorkflowExtension
Property | Type | Description |
---|---|---|
authenticationConfiguration | customExtensionAuthenticationConfiguration | Configuration for securing the API call to the logic app. For example, using OAuth client credentials flow. Inherited from customCalloutExtension. |
clientConfiguration | customExtensionClientConfiguration | HTTP connection settings that define how long Azure AD can wait for a connection to a logic app, how many times you can retry a timed-out connection and the exception scenarios when retries are allowed. Inherited from customCalloutExtension. |
createdDateTime | DateTimeOffset | Represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
description | String | Description for the customAccessPackageWorkflowExtension object. Inherited from customCalloutExtension. Read only. |
displayName | String | Display name for the customAccessPackageWorkflowExtension object. Inherited from customCalloutExtension. Read only. Supports $filter (contains ). |
endpointConfiguration | customExtensionEndpointConfiguration | The type and details for configuring the endpoint to call the logic app's workflow. Inherited from customCalloutExtension. |
id | String | Identifier for the customAccessPackageWorkflowExtension object. Inherited from entity. |
lastModifiedDateTime | DateTimeOffset | Represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
directoryObject
Property | Type | Description |
---|---|---|
deletedDateTime | DateTimeOffset | Date and time when this object was deleted. Always null when the object hasn't been deleted. |
id | String | The unique identifier for the object. For example, 12345678-9abc-def0-1234-56789abcde . The value of the **i |
entitlementmanagement-overview
entitlementManagementSettings
Property | Type | Description |
---|---|---|
durationUntilExternalUserDeletedAfterBlocked | Duration | If externalUserLifecycleAction is blockSignInAndDelete , the duration, typically a number of days, after an external user is blocked from sign in before their account is deleted. |
externalUserLifecycleAction | accessPackageExternalUserLifecycleAction | Automatic action that the service should take when an external user's last access package assignment is removed. The possible values are: none , blockSignIn , blockSignInAndDelete , unknownFutureValue . |
id | String | A constant. Read-only. |
externalsponsors
group
Property | Type | Description |
---|---|---|
allowExternalSenders | Boolean | Indicates if people external to the organization can send messages to the group. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
assignedLabels | assignedLabel collection | The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. Returned only on $select . |
assignedLicenses | assignedLicense collection | The licenses that are assigned to the group. Returned only on $select . Supports $filter (eq ). Read-only. |
autoSubscribeNewMembers | Boolean | Indicates if new members added to the group will be auto-subscribed to receive email notifications. You can set this property in a PATCH request for the group; do not set it in the initial POST request that creates the group. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
classification | String | Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition. Returned by default. Supports $filter (eq , ne , not , ge , le , startsWith ). |
createdDateTime | DateTimeOffset | Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Supports $filter (eq , ne , not , ge , le , in ). Read-only. |
deletedDateTime | DateTimeOffset | For some Azure Active Directory objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null . If the object is restored, this property is updated to null . |
description | String | An optional description for the group. Returned by default. Supports $filter (eq , ne , not , ge , le , startsWith ) and $search . |
displayName | String | The display name for the group. This property is required when a group is created and cannot be cleared during updates. Maximum length is 256 characters. Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values), $search , and $orderBy . |
expirationDateTime | DateTimeOffset | Timestamp of when the group is set to expire. The value cannot be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Supports $filter (eq , ne , not , ge , le , in ). Read-only. |
groupTypes | String collection | Specifies the group type and its membership. If the collection contains Unified , the group is a Microsoft 365 group; otherwise, it's either a security group or distribution group. For details, see groups overview. If the collection includes DynamicMembership , the group has dynamic membership; otherwise, membership is static. Returned by default. Supports $filter (eq , not ). |
hasMembersWithLicenseErrors | Boolean | Indicates whether there are members in this group that have license errors from its group-based license assignment. This property is never returned on a GET operation. You can use it as a $filter argument to get groups that have members with license errors (that is, filter for this property being true). See an example. Supports $filter (eq ). |
hideFromAddressLists | Boolean | True if the group is not displayed in certain parts of the Outlook UI: the Address Book, address lists for selecting message recipients, and the Browse Groups dialog for searching groups; otherwise, false. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
hideFromOutlookClients | Boolean | True if the group is not displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
id | String | The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq , ne , not , in ). |
isArchived | Boolean | When a group is associated with a team this property determines whether the team is in read-only mode. To read this property, use the /group/{groupId}/team endpoint or the Get team API. To update this property, use the archiveTeam and unarchiveTeam APIs. |
isAssignableToRole | Boolean | Indicates whether this group can be assigned to an Azure Active Directory role or not. Optional. This property can only be set while creating the group and is immutable. If set to true , the securityEnabled property must also be set to true , visibility must be Hidden , and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership ). Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. For more, see Using a group to manage Azure AD role assignments. Using this feature requires an Azure AD Premium P1 license. Returned by default. Supports $filter (eq , ne , not ). |
isSubscribedByMail | Boolean | Indicates whether the signed-in user is subscribed to receive email conversations. Default value is true . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
licenseProcessingState | String | Indicates status of the group license assignment to all members of the group. Default value is false . Read-only. Possible values: QueuedForProcessing , ProcessingInProgress , and ProcessingComplete . Returned only on $select . Read-only. |
mail | String | The SMTP address for the group, for example, "[email protected]". Returned by default. Read-only. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values). |
mailEnabled | Boolean | Specifies whether the group is mail-enabled. Required. Returned by default. Supports $filter (eq , ne , not ). |
mailNickname | String | The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE . Required. Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values). |
membershipRule | String | The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership ). For more information about the syntax of the membership rule, see Membership Rules syntax. Returned by default. Supports $filter (eq , ne , not , ge , le , startsWith ). |
membershipRuleProcessingState | String | Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused . Returned by default. Supports $filter (eq , ne , not , in ). |
onPremisesLastSyncDateTime | DateTimeOffset | Indicates the last time at which the group was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Read-only. Supports $filter (eq , ne , not , ge , le , in ). |
onPremisesProvisioningErrors | onPremisesProvisioningError collection | Errors when using Microsoft synchronization product during provisioning. Returned by default. Supports $filter (eq , not ). |
onPremisesSamAccountName | String | Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith ). Read-only. |
onPremisesSecurityIdentifier | String | Contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud. Returned by default. Supports $filter (eq including on null values). Read-only. |
onPremisesSyncEnabled | Boolean | true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). Returned by default. Read-only. Supports $filter (eq , ne , not , in , and eq on null values). |
preferredDataLocation | String | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. To set this property, the calling user must be assigned one of the following Azure AD roles: For more information about this property, see OneDrive Online Multi-Geo. Nullable. Returned by default. |
preferredLanguage | String | The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example en-US . Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values). |
proxyAddresses | String collection | Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: [email protected]", "smtp: [email protected]"] . The any operator is required to filter expressions on multi-valued properties. Returned by default. Read-only. Not nullable. Supports $filter (eq , not , ge , le , startsWith , endsWith , /$count eq 0 , /$count ne 0 ). |
renewedDateTime | DateTimeOffset | Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Supports $filter (eq , ne , not , ge , le , in ). Read-only. |
resourceBehaviorOptions | String collection | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost , HideGroupInOutlook , SubscribeNewGroupMembers , WelcomeEmailDisabled . For more information, see Set Microsoft 365 group behaviors and provisioning options. |
resourceProvisioningOptions | String collection | Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. Possible value is Team . For more information, see Set Microsoft 365 group behaviors and provisioning options. |
securityEnabled | Boolean | Specifies whether the group is a security group. Required. Returned by default. Supports $filter (eq , ne , not , in ). |
securityIdentifier | String | Security identifier of the group, used in Windows scenarios. Returned by default. |
theme | string | Specifies a Microsoft 365 group's color theme. Possible values are Teal , Purple , Green , Blue , Pink , Orange or Red . Returned by default. |
unseenCount | Int32 | Count of conversations that have received new posts since the signed-in user last visited the group. Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
visibility | String | Specifies the group join policy and group content visibility for groups. Possible values are: Private , Public , or HiddenMembership . HiddenMembership can be set only for Microsoft 365 groups, when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation. If visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default and Microsoft 365 group is Public . Groups assignable to roles are always Private . See group visibility options to learn more. Returned by default. Nullable. |
internalsponsors
unifiedRoleAssignment
Property | Type | Description |
---|---|---|
appScopeId | String | Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or directoryScopeId is required. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq , in ). |
directoryScopeId | String | Identifier of the directory object representing the scope of the assignment. Either this property or appScopeId is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq , in ). |
id | String | The unique identifier for the role assignment. Key, not nullable, Read-only. Inherited from entity. |
roleDefinitionId | String | Identifier of the role definition the assignment is for. Read only. Supports $filter (eq , in ). |
principalId | String | Identifier of the principal to which the assignment is granted. Supports $filter (eq , in ). |
unifiedRoleDefinition
Property | Type | Description |
---|---|---|
description | String | The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true . |
displayName | String | The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true . Required. Supports $filter (eq , in ). |
id | String | The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (eq , in ). |
isBuiltIn | Boolean | Flag indicating whether the role definition is part of the default set included in Azure Active Directory (Azure AD) or a custom definition. Read-only. Supports $filter (eq , in ). |
isEnabled | Boolean | Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true. |
resourceScopes | String collection | List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment. |
rolePermissions | unifiedRolePermission collection | List of permissions included in the role. Read-only when isBuiltIn is true . Required. |
templateId | String | Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true . This identifier is typically used if one needs an identifier to be the same across different directories. |
version | String | Indicates version of the role definition. Read-only when **i |