Azure AD Graph API reference

  • Article

The Azure Active Directory (AD) Graph API is an OData 3.0 compliant service that you can use to read and modify objects such as users, groups, and contacts in a tenant. Azure AD Graph API exposes REST endpoints that you send HTTP requests to in order to perform operations using the service. The reference topics in this guide show you how to perform specific operations against the resources exposed by the Graph API. Many of the topics are interactive. They expose a Try It feature that you can use to change the parameters of selected operations and observe the responses that are returned from a demo tenant.

This article applies to Azure AD Graph API. For similar info related to Microsoft Graph API, see Major services and features in Microsoft Graph.

Important

Azure Active Directory (Azure AD) Graph is deprecated. Going forward, we will make no further investment in Azure AD Graph, and Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.

June 30, 2023 will mark the end of the three-year deprecation period for Azure AD Graph. Before June 30, 2023, existing applications using Azure AD Graph will not be impacted. After June 30, 2023, Azure AD Graph will enter its retirement phase where we will retire it in incremental steps to allow you sufficient time to migrate your applications to Microsoft Graph APIs. The first step in this plan, and at a later date that we will announce, we will block the creation of any new applications using Azure AD Graph.

For more details on the latest announcement, see Important: Azure AD Graph Retirement and Powershell Module Deprecation.

Click the appropriate link below to see the documentation and example for a specific operation. For more general information about the Graph API and its supported features, as well as advanced topics such as differential query, batch processing, directory schema extensions, and others, see Graph API concepts.

Signed-in user (me) operations

Signed-in user operations overview | Get user | Update user | Get manager | Assign manager

User operations

User operations overview | Get users | Get a user | Create users (work or school account) | Create user (local account) | Update user | Reset a user's password | Delete user | Get manager | Assign manager | Get direct reports | Get memberships | Invalidate all refresh tokens | User functions and actions

Group operations

Group operations overview | Get groups | Get a group | Create group | Update group | Delete group | Get members | Add members | Delete member | Group functions and actions

Contact operations

Contact operations overview | Get contacts | Get a contact | Update contact | Delete contact | Get manager | Assign manager | Get direct reports | Get memberships | Contact functions and actions

Directory Role operations

Directory roles operations overview | Get directory roles | Get a directory role | Get directory role templates | Activate a directory role | Get members | Add members | Delete member | Directory role functions and actions

Domain operations

Domains operations overview | Get domains | Get a domain | Create a domain | Update a domain | Delete a domain | Get domain verification records | Get domain service configuration records | Domain functions and actions

Policy operations

Policy overview | Get policy | Create policy | List policies | Update policy | Delete policy | Assign policy | List applications and service principals with specific policy assigned | List policies assigned to application or service principal

Functions and actions

assignLicense | changePassword | checkMemberGroups | getAvailableExtensionProperties | getMemberGroups | getMemberObjects | getObjectsByObjectIds | isMemberOf | servicePrincipalsByAppId | restore | verify

Entities and complex types

Entities

Application | AppRoleAssignment | Contact | Contract | Device | DirectoryLinkChange | DirectoryObject | DirectoryRole | DirectoryRoleTemplate | Domain | DomainDnsRecord | DomainDnsCnameRecord | DomainDnsMxRecord | DomainDnsSrvRecord | DomainDnsTxtRecord | DomainDnsUnavailableRecord | ExtensionProperty | Group | LicenseDetail | OAuth2PermissionGrant | Policy | ServiceEndpoint | ServicePrincipal | SubscribedSku | TenantDetail | TrustedCAsForPasswordlessAuth | User

Complex types

AddIn | AlternativeSecurityId | AppRole | AssignedLicense | AssignedPlan | CertificateAuthorityInformation | KeyCredential | KeyValue | LicenseUnitsDetail | OAuth2Permission | PasswordCredential | PasswordProfile | ProvisionedPlan | ProvisioningError | RequiredResourceAccess | ResourceAccess | ServicePlanInfo | ServicePrincipalAuthenticationPolicy | SignInName | UserIdentity | VerifiedDomain

Additional resources

  • Learn more about Graph API supported features, capabilities, and preview features in Graph API concepts
  • See Permission scopes to learn how the Graph API exposes permission scopes to secure access to Azure AD data, and how to configure your client to use them.