Table of contents

Operations on users | Graph API reference

Bryan Lamos|Last Updated: 11/12/2018
|
6 Contributors

Applies to: Graph API | Azure Active Directory

This topic discusses how to perform operations on users using the Azure Active Directory (AD) Graph API. With the Azure AD Graph API, you can create, read, update, and delete users. You can also query and modify a user's relationships to other directory entities. For example, you can assign the user's manager, query the user's direct reports, manage group memberships, app roles, and devices assigned to the user, and much more.

The Graph API is an OData 3.0 compliant REST API that provides programmatic access to directory objects in Azure Active Directory, such as users, groups, organizational contacts, and applications.

This article applies to Azure AD Graph API. For similar info related to Microsoft Graph API, see Working with users in Microsoft Graph.

Important

We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.

Performing REST operations on users

To perform operations on users with the Graph API, you send HTTP requests with a supported method (GET, POST, PATCH, PUT, or DELETE) to an endpoint that targets the users resource collection, a specific user, a navigation property of a user, or a function or action that can be called on a user.

Graph API requests use the following basic URL:

https://graph.windows.net/{tenant_id}/{resource_path}?{api_version}[odata_query_parameters]
Important

Requests sent to the Graph API must be well-formed, target a valid endpoint and version of the Graph API, and carry a valid access token obtained from Azure AD in their Authorization header. For more detailed information about creating requests and receiving responses with the Graph API, see Operations Overview.

You specify the resource path differently depending on whether you are targeting the collection of all users in your tenant, an individual user, or a navigation property of a specific user.

  • /users targets the user resource collection. You can use this resource path to read all users or a filtered list of users in your tenant or to create one or more new users in your tenant.
  • /users/{user_id} targets an individual user in your tenant. You specify the user_id either as the object ID (GUID) or the user principal name (UPN) of the target user. You can use this resource path to get the declared properties of a user, to modify the declared properties of a user, or to delete a user. Note: For an external user, you must specify the user’s object ID (GUID).
  • /users/{user_id}/{property} targets the specified navigation property of a user. You can use it to return the object or objects referenced by the target navigation property of the specified user. Note: This form of addressing is only available for reads.
  • /users/{user_id}/$links/{property} targets the specified navigation property of a user. You can use this form of addressing to both read and modify a navigation property. On reads, the objects referenced by the property are returned as one or more links in the response body. On writes, the objects are specified as one or more links in the request body.

For example, the following request returns a link to the specified user's manager:

GET https://graph.windows.net/myorganization/users/john@contoso.onmicrosoft.com/$links/manager?api-version=1.6

Note: You can use the me alias to target the signed-in user. For more information about performing operations using the me alias, see Operations on the Signed-in User.

Basic operations on users

You can perform basic create, read, update, and delete (CRUD) operations on users and their declared properties by targeting either the user resource collection or a specific user. The following topics show you how.


Get users

Gets a collection of users. You can add OData query parameters to the request to filter, sort, and page the response. For more information, see Supported Queries, Filters, and Paging Options.

On success, returns a collection of User objects; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Note: Password property will be null.

Request

GET https://graph.windows.net/myorganization/users?api-version[&$filter]

Parameters

ParameterTypeValueNotes
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
$filterstringA filter to apply to the request. Optional. (Leave blank to omit the $filter parameter.)

Requested URL

GET https://graph.windows.net/myorganization/users?api-version[&$filter]

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.User",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.User",
      "objectType": "User",
      "objectId": "e61ff361-5baf-41f0-b2fd-380a6a5e406a",
      "deletionTimestamp": null,
      "accountEnabled": true,
      "signInNames": [],
      "assignedLicenses": [
        {
          "disabledPlans": [],
          "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
        }
      ],
      "assignedPlans": [
        {
          "assignedTimestamp": "2014-10-14T02:54:57Z",
          "capabilityStatus": "Enabled",
          "service": "exchange",
          "servicePlanId": "efb87545-963c-4e0d-99df-69c6916d9eb0"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:57Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "5dbe027f-2339-4123-9542-606e4d348a72"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:57Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "e95bec33-7c88-4a70-8e19-b10bd9d0c014"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:57Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftCommunicationsOnline",
          "servicePlanId": "0feaeb32-d00e-4d66-bd5a-43b5b83db82c"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:57Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftOffice",
          "servicePlanId": "43de0ff5-c92c-492b-9116-175376d08c38"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:57Z",
          "capabilityStatus": "Enabled",
          "service": "RMSOnline",
          "servicePlanId": "bea4c11e-220a-4e6d-8eb8-8ea15d019f90"
        }
      ],
      "city": null,
      "country": null,
      "creationType": null,
      "department": null,
      "dirSyncEnabled": null,
      "displayName": "Rob Young",
      "facsimileTelephoneNumber": null,
      "givenName": "Rob",
      "immutableId": null,
      "jobTitle": null,
      "lastDirSyncTime": null,
      "mail": "roby@a830edad9050849NDA1.onmicrosoft.com",
      "mailNickname": "roby",
      "mobile": null,
      "onPremisesSecurityIdentifier": null,
      "otherMails": [],
      "passwordPolicies": "None",
      "passwordProfile": null,
      "physicalDeliveryOfficeName": null,
      "postalCode": null,
      "preferredLanguage": null,
      "provisionedPlans": [
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "exchange"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftCommunicationsOnline"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftOffice"
        }
      ],
      "provisioningErrors": [],
      "proxyAddresses": [
        "SMTP:roby@a830edad9050849NDA1.onmicrosoft.com"
      ],
      "sipProxyAddress": "roby@a830edad9050849NDA1.onmicrosoft.com",
      "state": null,
      "streetAddress": null,
      "surname": "Young",
      "telephoneNumber": null,
      "usageLocation": "US",
      "userPrincipalName": "roby@a830edad9050849NDA1.onmicrosoft.com",
      "userType": "Member"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.User",
      "objectType": "User",
      "objectId": "fec3faba-6a15-4e3e-8a9e-5c63f7510377",
      "deletionTimestamp": null,
      "accountEnabled": true,
      "signInNames": [],
      "assignedLicenses": [
        {
          "disabledPlans": [],
          "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
        }
      ],
      "assignedPlans": [
        {
          "assignedTimestamp": "2014-10-14T02:54:32Z",
          "capabilityStatus": "Enabled",
          "service": "exchange",
          "servicePlanId": "efb87545-963c-4e0d-99df-69c6916d9eb0"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:32Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "5dbe027f-2339-4123-9542-606e4d348a72"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:32Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "e95bec33-7c88-4a70-8e19-b10bd9d0c014"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:32Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftCommunicationsOnline",
          "servicePlanId": "0feaeb32-d00e-4d66-bd5a-43b5b83db82c"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:32Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftOffice",
          "servicePlanId": "43de0ff5-c92c-492b-9116-175376d08c38"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:32Z",
          "capabilityStatus": "Enabled",
          "service": "RMSOnline",
          "servicePlanId": "bea4c11e-220a-4e6d-8eb8-8ea15d019f90"
        }
      ],
      "city": "Pittsburgh",
      "country": "United States",
      "creationType": null,
      "department": "Finance",
      "dirSyncEnabled": null,
      "displayName": "Katie Jordan",
      "facsimileTelephoneNumber": null,
      "givenName": "Katie",
      "immutableId": null,
      "jobTitle": "Auditor",
      "lastDirSyncTime": null,
      "mail": "katiej@a830edad9050849NDA1.onmicrosoft.com",
      "mailNickname": "katiej",
      "mobile": null,
      "onPremisesSecurityIdentifier": null,
      "otherMails": [],
      "passwordPolicies": "None",
      "passwordProfile": null,
      "physicalDeliveryOfficeName": "12/1110",
      "postalCode": "15212",
      "preferredLanguage": "en-US",
      "provisionedPlans": [
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "exchange"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftCommunicationsOnline"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftOffice"
        }
      ],
      "provisioningErrors": [],
      "proxyAddresses": [
        "SMTP:katiej@a830edad9050849NDA1.onmicrosoft.com"
      ],
      "sipProxyAddress": "katiej@a830edad9050849NDA1.onmicrosoft.com",
      "state": "PA",
      "streetAddress": "30 Isabella St., Second Floor",
      "surname": "Jordan",
      "telephoneNumber": "+1 412 555 0109",
      "usageLocation": "US",
      "userPrincipalName": "katiej@a830edad9050849NDA1.onmicrosoft.com",
      "userType": "Member"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.User",
      "objectType": "User",
      "objectId": "6816d6c4-5c13-44a5-baaa-2dae2cc07461",
      "deletionTimestamp": null,
      "accountEnabled": true,
      "signInNames": [],
      "assignedLicenses": [
        {
          "disabledPlans": [],
          "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
        }
      ],
      "assignedPlans": [
        {
          "assignedTimestamp": "2014-10-14T02:55:27Z",
          "capabilityStatus": "Enabled",
          "service": "exchange",
          "servicePlanId": "efb87545-963c-4e0d-99df-69c6916d9eb0"
        },
        {
          "assignedTimestamp": "2014-10-14T02:55:27Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "5dbe027f-2339-4123-9542-606e4d348a72"
        },
        {
          "assignedTimestamp": "2014-10-14T02:55:27Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "e95bec33-7c88-4a70-8e19-b10bd9d0c014"
        },
        {
          "assignedTimestamp": "2014-10-14T02:55:27Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftCommunicationsOnline",
          "servicePlanId": "0feaeb32-d00e-4d66-bd5a-43b5b83db82c"
        },
        {
          "assignedTimestamp": "2014-10-14T02:55:27Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftOffice",
          "servicePlanId": "43de0ff5-c92c-492b-9116-175376d08c38"
        },
        {
          "assignedTimestamp": "2014-10-14T02:55:27Z",
          "capabilityStatus": "Enabled",
          "service": "RMSOnline",
          "servicePlanId": "bea4c11e-220a-4e6d-8eb8-8ea15d019f90"
        }
      ],
      "city": "Iselin",
      "country": "United States",
      "creationType": null,
      "department": "Sales & Marketing",
      "dirSyncEnabled": null,
      "displayName": "Pavel Bansky",
      "facsimileTelephoneNumber": null,
      "givenName": "Pavel",
      "immutableId": null,
      "jobTitle": "VP Sales",
      "lastDirSyncTime": null,
      "mail": "pavelb@a830edad9050849NDA1.onmicrosoft.com",
      "mailNickname": "pavelb",
      "mobile": null,
      "onPremisesSecurityIdentifier": null,
      "otherMails": [],
      "passwordPolicies": "None",
      "passwordProfile": null,
      "physicalDeliveryOfficeName": "19/3123",
      "postalCode": "8830",
      "preferredLanguage": null,
      "provisionedPlans": [
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "exchange"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftCommunicationsOnline"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftOffice"
        }
      ],
      "provisioningErrors": [],
      "proxyAddresses": [
        "SMTP:pavelb@a830edad9050849NDA1.onmicrosoft.com"
      ],
      "sipProxyAddress": "pavelb@a830edad9050849NDA1.onmicrosoft.com",
      "state": "NJ",
      "streetAddress": "101 Wood Avenue South, Suite 900",
      "surname": "Bansky",
      "telephoneNumber": "+1 732 555 0102",
      "usageLocation": "US",
      "userPrincipalName": "pavelb@a830edad9050849NDA1.onmicrosoft.com",
      "userType": "Member"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.User",
      "objectType": "User",
      "objectId": "13addec1-c5ae-47f5-a1fe-202be14b1570",
      "deletionTimestamp": null,
      "accountEnabled": true,
      "signInNames": [],
      "assignedLicenses": [
        {
          "disabledPlans": [],
          "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
        }
      ],
      "assignedPlans": [
        {
          "assignedTimestamp": "2014-10-14T02:54:04Z",
          "capabilityStatus": "Enabled",
          "service": "exchange",
          "servicePlanId": "efb87545-963c-4e0d-99df-69c6916d9eb0"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:04Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "5dbe027f-2339-4123-9542-606e4d348a72"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:04Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "e95bec33-7c88-4a70-8e19-b10bd9d0c014"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:04Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftCommunicationsOnline",
          "servicePlanId": "0feaeb32-d00e-4d66-bd5a-43b5b83db82c"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:04Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftOffice",
          "servicePlanId": "43de0ff5-c92c-492b-9116-175376d08c38"
        },
        {
          "assignedTimestamp": "2014-10-14T02:54:04Z",
          "capabilityStatus": "Enabled",
          "service": "RMSOnline",
          "servicePlanId": "bea4c11e-220a-4e6d-8eb8-8ea15d019f90"
        }
      ],
      "city": "Tulsa",
      "country": "United States",
      "creationType": null,
      "department": "Sales & Marketing",
      "dirSyncEnabled": null,
      "displayName": "Garth Fort",
      "facsimileTelephoneNumber": null,
      "givenName": "Garth",
      "immutableId": null,
      "jobTitle": "Web Marketing Manager",
      "lastDirSyncTime": null,
      "mail": "garthf@a830edad9050849NDA1.onmicrosoft.com",
      "mailNickname": "garthf",
      "mobile": null,
      "onPremisesSecurityIdentifier": null,
      "otherMails": [],
      "passwordPolicies": "None",
      "passwordProfile": null,
      "physicalDeliveryOfficeName": "20/1101",
      "postalCode": "74133",
      "preferredLanguage": "en-US",
      "provisionedPlans": [
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "exchange"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftCommunicationsOnline"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftOffice"
        }
      ],
      "provisioningErrors": [],
      "proxyAddresses": [
        "SMTP:garthf@a830edad9050849NDA1.onmicrosoft.com"
      ],
      "sipProxyAddress": "garthf@a830edad9050849NDA1.onmicrosoft.com",
      "state": "OK",
      "streetAddress": "7633 E. 63rd Place, Suite 300",
      "surname": "Fort",
      "telephoneNumber": "+1 918 555 0101",
      "usageLocation": "US",
      "userPrincipalName": "garthf@a830edad9050849NDA1.onmicrosoft.com",
      "userType": "Member"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.User",
      "objectType": "User",
      "objectId": "89efe8ed-d141-4151-a3e4-570a70022dff",
      "deletionTimestamp": null,
      "accountEnabled": true,
      "signInNames": [],
      "assignedLicenses": [
        {
          "disabledPlans": [],
          "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
        }
      ],
      "assignedPlans": [
        {
          "assignedTimestamp": "2014-10-14T02:53:29Z",
          "capabilityStatus": "Enabled",
          "service": "exchange",
          "servicePlanId": "efb87545-963c-4e0d-99df-69c6916d9eb0"
        },
        {
          "assignedTimestamp": "2014-10-14T02:53:29Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "5dbe027f-2339-4123-9542-606e4d348a72"
        },
        {
          "assignedTimestamp": "2014-10-14T02:53:29Z",
          "capabilityStatus": "Enabled",
          "service": "SharePoint",
          "servicePlanId": "e95bec33-7c88-4a70-8e19-b10bd9d0c014"
        },
        {
          "assignedTimestamp": "2014-10-14T02:53:29Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftCommunicationsOnline",
          "servicePlanId": "0feaeb32-d00e-4d66-bd5a-43b5b83db82c"
        },
        {
          "assignedTimestamp": "2014-10-14T02:53:29Z",
          "capabilityStatus": "Enabled",
          "service": "MicrosoftOffice",
          "servicePlanId": "43de0ff5-c92c-492b-9116-175376d08c38"
        },
        {
          "assignedTimestamp": "2014-10-14T02:53:29Z",
          "capabilityStatus": "Enabled",
          "service": "RMSOnline",
          "servicePlanId": "bea4c11e-220a-4e6d-8eb8-8ea15d019f90"
        }
      ],
      "city": "Bellevue",
      "country": "United States",
      "creationType": null,
      "department": "Sales & Marketing",
      "dirSyncEnabled": null,
      "displayName": "Janet Schorr",
      "facsimileTelephoneNumber": null,
      "givenName": "Janet",
      "immutableId": null,
      "jobTitle": "Product Marketing Manager",
      "lastDirSyncTime": null,
      "mail": "janets@a830edad9050849NDA1.onmicrosoft.com",
      "mailNickname": "janets",
      "mobile": null,
      "onPremisesSecurityIdentifier": null,
      "otherMails": [],
      "passwordPolicies": "None",
      "passwordProfile": null,
      "physicalDeliveryOfficeName": "18/2111",
      "postalCode": "98004",
      "preferredLanguage": null,
      "provisionedPlans": [
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "exchange"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftCommunicationsOnline"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "SharePoint"
        },
        {
          "capabilityStatus": "Enabled",
          "provisioningStatus": "Success",
          "service": "MicrosoftOffice"
        }
      ],
      "provisioningErrors": [],
      "proxyAddresses": [
        "SMTP:janets@a830edad9050849NDA1.onmicrosoft.com"
      ],
      "sipProxyAddress": "janets@a830edad9050849NDA1.onmicrosoft.com",
      "state": "WA",
      "streetAddress": "205 108th Ave. NE, Suite 400",
      "surname": "Schorr",
      "telephoneNumber": "+1 425 555 0109",
      "usageLocation": "US",
      "userPrincipalName": "janets@a830edad9050849NDA1.onmicrosoft.com",
      "userType": "Member"
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. The results are returned in the response body.

Code Samples


using System;
using System.Net.Http.Headers;
using System.Text;
using System.Net.Http;
using System.Web;

namespace CSHttpClientSample
{
    static class Program
    {
	    static void Main()
        {
            MakeRequest();

            Console.WriteLine("Hit ENTER to exit...");
            Console.ReadLine();
        }

        static async void MakeRequest()
        {
            var client = new HttpClient();
            var queryString = HttpUtility.ParseQueryString(string.Empty);

            /* OAuth2 is required to access this API. For more information visit:
               https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks */



		   // Specify values for the following required parameters
			queryString["api-version"] = "1.6";

			// Specify values for optional parameters, as needed
			// queryString["$filter"] = "startswith(displayName,'A')";
            // Specify values for path parameters (shown as {...})
            var uri = "https://graph.windows.net/myorganization/users?" + queryString;


            var response = await client.GetAsync(uri);

            if (response.Content != null)
            {
                var responseString = await response.Content.ReadAsStringAsync();
                Console.WriteLine(responseString);
            }
        }
    }
}
@ECHO OFF

REM OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks
REM Specify values for path parameters (shown as {...}), values for query parameters
curl -v -X GET "https://graph.windows.net/myorganization/users?api-version=1.6&$filter=startswith(displayName%2c%27A%27)&"^

// This sample uses the Apache HTTP client from HTTP Components (http://hc.apache.org/httpcomponents-client-ga/)
import java.net.URI;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class JavaSample {

  public static void main(String[] args) {
	HttpClient httpclient = HttpClients.createDefault();

	try
	{
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		// Specify values for path parameters (shown as {...})
		URIBuilder builder = new URIBuilder("https://graph.windows.net/myorganization/users");
		// Specify values for the following required parameters
		builder.setParameter("api-version", "1.6");
		// Specify values for optional parameters, as needed
		// builder.setParameter("$filter", "startswith(displayName,'A')");
		URI uri = builder.build();
		HttpGet request = new HttpGet(uri);
		HttpResponse response = httpclient.execute(request);
		HttpEntity entity = response.getEntity();
		if (entity != null) {
			System.out.println(EntityUtils.toString(entity));
		}
	}
	catch (Exception e)
	{
		System.out.println(e.getMessage());
	}
  }
}

<!DOCTYPE html>
<html>
<head>
<title>JSSample</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js"></script>
</head>
<body>
<script type="text/javascript">
	$(function() {
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		var params = {
			// Specify values for the following required parameters
			'api-version': "1.6",
			// Specify values for optional parameters, as needed
			// $filter: "startswith(displayName,'A')",
		};
		
		$.ajax({
			// Specify values for path parameters (shown as {...})
			url: 'https://graph.windows.net/myorganization/users?' + $.param(params),
			type: 'GET',
		})
		.done(function(data) {
			alert("success");
		})
		.fail(function() {
			alert("error");
		});
	});
</script>
</body>
</html>

#import <Foundation/Foundation.h>

int main(int argc, const char * argv[])
{
    NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
    
	// OAuth2 is required to access this API. For more information visit:
	// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

	// Specify values for path parameters (shown as {...})
    NSString* path = @"https://graph.windows.net/myorganization/users";
    NSArray* array = @[
                         @"entities=true",
                      ];
    
    NSString* string = [array componentsJoinedByString:@"&"];
    path = [path stringByAppendingFormat:@"?%@", string];
    NSLog(@"%@", path);

    NSMutableURLRequest* _request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:path]];
    [_request setHTTPMethod:@"GET"];
    
    NSURLResponse *response = nil;
    NSError *error = nil;
    NSData* _connectionData = [NSURLConnection sendSynchronousRequest:_request returningResponse:&response error:&error];
    if(nil != error)
    {
        NSLog(@"Error: %@", error);
    }
    else
    {
        NSError* error = nil;
        NSMutableDictionary* json = nil;
        
        NSString* dataString = [[NSString alloc] initWithData:_connectionData encoding:NSUTF8StringEncoding];
        NSLog(@"%@", dataString);
        
        if(nil != _connectionData)
        {
            json = [NSJSONSerialization JSONObjectWithData:_connectionData options:NSJSONReadingMutableContainers error:&error];
        }
        
        if (error || !json)
        {
            NSLog(@"Could not parse loaded json with error:%@", error);
        }
        
        NSLog(@"%@", json);
        _connectionData = nil;
    }
    
    [pool drain];
    return 0;
}
<?php

// This sample uses the pecl_http package. (for more information: http://pecl.php.net/package/pecl_http)
require_once 'HTTP/Request2.php';
$headers = array(
);

$query_params = array(
	// Specify values for the following required parameters
	'api-version' => '1.6',
	// Specify values for optional parameters, as needed
	//'$filter' => 'startswith(displayName,'A')',
);

$request = new Http_Request2('https://graph.windows.net/myorganization/users');
$request->setMethod(HTTP_Request2::METHOD_GET);
$request->setHeader($headers);

// OAuth2 is required to access this API. For more information visit:
// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

$url = $request->getUrl();
$url->setQueryVariables($query_params);

try
{
	$response = $request->send();
	
	echo $response->getBody();
}
catch (HttpException $ex)
{
	echo $ex;
}

?>

########### Python 2.7 #############
import httplib, urllib, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
	# Specify values for optional parameters, as needed
	#'$filter': 'startswith(displayName,'A')',
})

try:
	conn = httplib.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/users?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################

########### Python 3.2 #############
import http.client, urllib.request, urllib.parse, urllib.error, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.parse.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
	# Specify values for optional parameters, as needed
	#'$filter': 'startswith(displayName,'A')',
})

try:
	conn = http.client.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/users?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################
require 'net/http'

uri = URI('https://graph.windows.net/myorganization/users')

uri.query = URI.encode_www_form({
	# Specify values for the following required parameters
	'api-version' => '1.6',
	# Specify values for optional parameters, as needed
	# '$filter' => 'startswith(displayName,'A')',
})

request = Net::HTTP::Get.new(uri.request_uri)

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks



response = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
    http.request(request)
end

puts response.body

Get a user

Gets a specified user. You can use either the object ID (GUID) or the user principal name (UPN) to identify the target user.

Note: For an external user, you must specify the user’s object ID (GUID). Password property will be null.

On success, returns the User object for the specified user; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

GET https://graph.windows.net/myorganization/users/{user_id}?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringSpecifies the version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/users/{user_id}?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.User/@Element",
  "odata.type": "Microsoft.DirectoryServices.User",
  "objectType": "User",
  "objectId": "13addec1-c5ae-47f5-a1fe-202be14b1570",
  "deletionTimestamp": null,
  "accountEnabled": true,
  "signInNames": [],
  "assignedLicenses": [
    {
      "disabledPlans": [],
      "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
    }
  ],
  "assignedPlans": [
    {
      "assignedTimestamp": "2014-10-14T02:54:04Z",
      "capabilityStatus": "Enabled",
      "service": "exchange",
      "servicePlanId": "efb87545-963c-4e0d-99df-69c6916d9eb0"
    },
    {
      "assignedTimestamp": "2014-10-14T02:54:04Z",
      "capabilityStatus": "Enabled",
      "service": "SharePoint",
      "servicePlanId": "5dbe027f-2339-4123-9542-606e4d348a72"
    },
    {
      "assignedTimestamp": "2014-10-14T02:54:04Z",
      "capabilityStatus": "Enabled",
      "service": "SharePoint",
      "servicePlanId": "e95bec33-7c88-4a70-8e19-b10bd9d0c014"
    },
    {
      "assignedTimestamp": "2014-10-14T02:54:04Z",
      "capabilityStatus": "Enabled",
      "service": "MicrosoftCommunicationsOnline",
      "servicePlanId": "0feaeb32-d00e-4d66-bd5a-43b5b83db82c"
    },
    {
      "assignedTimestamp": "2014-10-14T02:54:04Z",
      "capabilityStatus": "Enabled",
      "service": "MicrosoftOffice",
      "servicePlanId": "43de0ff5-c92c-492b-9116-175376d08c38"
    },
    {
      "assignedTimestamp": "2014-10-14T02:54:04Z",
      "capabilityStatus": "Enabled",
      "service": "RMSOnline",
      "servicePlanId": "bea4c11e-220a-4e6d-8eb8-8ea15d019f90"
    }
  ],
  "city": "Tulsa",
  "country": "United States",
  "creationType": null,
  "department": "Sales & Marketing",
  "dirSyncEnabled": null,
  "displayName": "Garth Fort",
  "facsimileTelephoneNumber": null,
  "givenName": "Garth",
  "immutableId": null,
  "jobTitle": "Web Marketing Manager",
  "lastDirSyncTime": null,
  "mail": "garthf@a830edad9050849NDA1.onmicrosoft.com",
  "mailNickname": "garthf",
  "mobile": null,
  "onPremisesSecurityIdentifier": null,
  "otherMails": [],
  "passwordPolicies": "None",
  "passwordProfile": null,
  "physicalDeliveryOfficeName": "20/1101",
  "postalCode": "74133",
  "preferredLanguage": "en-US",
  "provisionedPlans": [
    {
      "capabilityStatus": "Enabled",
      "provisioningStatus": "Success",
      "service": "exchange"
    },
    {
      "capabilityStatus": "Enabled",
      "provisioningStatus": "Success",
      "service": "MicrosoftCommunicationsOnline"
    },
    {
      "capabilityStatus": "Enabled",
      "provisioningStatus": "Success",
      "service": "SharePoint"
    },
    {
      "capabilityStatus": "Enabled",
      "provisioningStatus": "Success",
      "service": "SharePoint"
    },
    {
      "capabilityStatus": "Enabled",
      "provisioningStatus": "Success",
      "service": "MicrosoftOffice"
    }
  ],
  "provisioningErrors": [],
  "proxyAddresses": [
    "SMTP:garthf@a830edad9050849NDA1.onmicrosoft.com"
  ],
  "sipProxyAddress": "garthf@a830edad9050849NDA1.onmicrosoft.com",
  "state": "OK",
  "streetAddress": "7633 E. 63rd Place, Suite 300",
  "surname": "Fort",
  "telephoneNumber": "+1 918 555 0101",
  "usageLocation": "US",
  "userPrincipalName": "garthf@a830edad9050849NDA1.onmicrosoft.com",
  "userType": "Member"
}

Response List

Status CodeDescription
200OK. Indicates success. The user is returned in the response body.

Code Samples


using System;
using System.Net.Http.Headers;
using System.Text;
using System.Net.Http;
using System.Web;

namespace CSHttpClientSample
{
    static class Program
    {
	    static void Main()
        {
            MakeRequest();

            Console.WriteLine("Hit ENTER to exit...");
            Console.ReadLine();
        }

        static async void MakeRequest()
        {
            var client = new HttpClient();
            var queryString = HttpUtility.ParseQueryString(string.Empty);

            /* OAuth2 is required to access this API. For more information visit:
               https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks */



		   // Specify values for the following required parameters
			queryString["api-version"] = "1.6";
            // Specify values for path parameters (shown as {...})
            var uri = "https://graph.windows.net/myorganization/users/{user_id}?" + queryString;


            var response = await client.GetAsync(uri);

            if (response.Content != null)
            {
                var responseString = await response.Content.ReadAsStringAsync();
                Console.WriteLine(responseString);
            }
        }
    }
}
@ECHO OFF

REM OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks
REM Specify values for path parameters (shown as {...}), values for query parameters
curl -v -X GET "https://graph.windows.net/myorganization/users/{user_id}?api-version=1.6&amp;"^

// This sample uses the Apache HTTP client from HTTP Components (http://hc.apache.org/httpcomponents-client-ga/)
import java.net.URI;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class JavaSample {

  public static void main(String[] args) {
	HttpClient httpclient = HttpClients.createDefault();

	try
	{
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		// Specify values for path parameters (shown as {...})
		URIBuilder builder = new URIBuilder("https://graph.windows.net/myorganization/users/{user_id}");
		// Specify values for the following required parameters
		builder.setParameter("api-version", "1.6");
		URI uri = builder.build();
		HttpGet request = new HttpGet(uri);
		HttpResponse response = httpclient.execute(request);
		HttpEntity entity = response.getEntity();
		if (entity != null) {
			System.out.println(EntityUtils.toString(entity));
		}
	}
	catch (Exception e)
	{
		System.out.println(e.getMessage());
	}
  }
}

<!DOCTYPE html>
<html>
<head>
<title>JSSample</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js"></script>
</head>
<body>
<script type="text/javascript">
	$(function() {
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		var params = {
			// Specify values for the following required parameters
			'api-version': "1.6",
		};
		
		$.ajax({
			// Specify values for path parameters (shown as {...})
			url: 'https://graph.windows.net/myorganization/users/{user_id}?' + $.param(params),
			type: 'GET',
		})
		.done(function(data) {
			alert("success");
		})
		.fail(function() {
			alert("error");
		});
	});
</script>
</body>
</html>

#import <Foundation/Foundation.h>

int main(int argc, const char * argv[])
{
    NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
    
	// OAuth2 is required to access this API. For more information visit:
	// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

	// Specify values for path parameters (shown as {...})
    NSString* path = @"https://graph.windows.net/myorganization/users/{user_id}";
    NSArray* array = @[
                         @"entities=true",
                      ];
    
    NSString* string = [array componentsJoinedByString:@"&"];
    path = [path stringByAppendingFormat:@"?%@", string];
    NSLog(@"%@", path);

    NSMutableURLRequest* _request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:path]];
    [_request setHTTPMethod:@"GET"];
    
    NSURLResponse *response = nil;
    NSError *error = nil;
    NSData* _connectionData = [NSURLConnection sendSynchronousRequest:_request returningResponse:&response error:&error];
    if(nil != error)
    {
        NSLog(@"Error: %@", error);
    }
    else
    {
        NSError* error = nil;
        NSMutableDictionary* json = nil;
        
        NSString* dataString = [[NSString alloc] initWithData:_connectionData encoding:NSUTF8StringEncoding];
        NSLog(@"%@", dataString);
        
        if(nil != _connectionData)
        {
            json = [NSJSONSerialization JSONObjectWithData:_connectionData options:NSJSONReadingMutableContainers error:&error];
        }
        
        if (error || !json)
        {
            NSLog(@"Could not parse loaded json with error:%@", error);
        }
        
        NSLog(@"%@", json);
        _connectionData = nil;
    }
    
    [pool drain];
    return 0;
}
<?php

// This sample uses the pecl_http package. (for more information: http://pecl.php.net/package/pecl_http)
require_once 'HTTP/Request2.php';
$headers = array(
);

$query_params = array(
	// Specify values for the following required parameters
	'api-version' => '1.6',
);

$request = new Http_Request2('https://graph.windows.net/myorganization/users/{user_id}');
$request->setMethod(HTTP_Request2::METHOD_GET);
$request->setHeader($headers);

// OAuth2 is required to access this API. For more information visit:
// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

$url = $request->getUrl();
$url->setQueryVariables($query_params);

try
{
	$response = $request->send();
	
	echo $response->getBody();
}
catch (HttpException $ex)
{
	echo $ex;
}

?>

########### Python 2.7 #############
import httplib, urllib, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
})

try:
	conn = httplib.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/users/{user_id}?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################

########### Python 3.2 #############
import http.client, urllib.request, urllib.parse, urllib.error, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.parse.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
})

try:
	conn = http.client.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/users/{user_id}?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################
require 'net/http'

uri = URI('https://graph.windows.net/myorganization/users/{user_id}')

uri.query = URI.encode_www_form({
	# Specify values for the following required parameters
	'api-version' => '1.6',
})

request = Net::HTTP::Get.new(uri.request_uri)

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks



response = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
    http.request(request)
end

puts response.body

Get a user's thumbnail photo

Gets the thumbnail photo for a specified user from the thumbnailPhoto property. You can use either the object ID (GUID) or the user principal name (UPN) to identify the target user. Note: For an external user, you must specify the user’s object ID (GUID).

On success, returns the thumbnail photo for the specified user; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Important: The media type depends on the image type stored in Azure AD and is returned in the Content-Type header; for example, image/jpeg. If the media type cannot be determined, the Graph API returns a Content-Type of */*. The Graph API does not convert between media (image) types.

Request

GET https://graph.windows.net/myorganization/users/{user_id}/thumbnailPhoto?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringSpecifies the version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/users/{user_id}/thumbnailPhoto?api-version

Response

Status Code:200
Content-Type:
  • image/jpeg
image data

Response List

Status CodeDescription
200OK. Indicates success. The thumbnail photo is returned in the response body. Check the Content-Type header for the media type.
404Not Found. The requested resource was not found. This can occur if the thumbnailPhoto property is not currently set for the specified user. It can also have other causes, for example, a bad domain. A code and associated message is returned with the error.

Create a user (work or school account)

Adds a user to the tenant by creating a work or school account. Such users are also known as organizational accounts or organizational users. The request body contains the properties of the user to create. At a minimum, you must specify the required properties for the user. You can optionally specify any other writable properties except for creationType, signInNames, or userIdentities, which are only valid for local and social accounts. To add a local account user to an Azure Active Directory B2C tenant, see Create a user (local account).

Important

Using scopes User.ReadWrite.All, Directory.ReadWrite.All (both of these for delegated and app only) and Directory.ActAsUser.All, the password can be set as part of user creation (POST)." Note that for the delegated permissions the signed-in user will need permissions to create users in the directory.

The following table shows the properties that are required when you create a user.

Required parameterTypeDescription
accountEnabledbooleantrue if the account is enabled; otherwise, false.
displayNamestringThe name to display in the address book for the user.
immutableIdstringOnly needs to be specified when creating a new user account if you are using a federated domain for the user's userPrincipalName (UPN) property.
mailNicknamestringThe mail alias for the user.
passwordProfilePasswordProfileThe password profile for the user. Note: The password can be set when creating a user.
userPrincipalNamestringThe user principal name (someuser@contoso.com). The user principal name must contain one of the verified domains for the tenant.

On success, returns the newly created User; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

POST https://graph.windows.net/myorganization/users?api-version

Parameters

ParameterTypeValueNotes
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "accountEnabled": true,
  "displayName": "Alex Wu",
  "mailNickname": "AlexW",
  "passwordProfile": {
    "password": "Test1234",
    "forceChangePasswordNextLogin": false
  },
  "userPrincipalName": "Alex@a830edad9050849NDA1.onmicrosoft.com"
}

Requested URL

POST https://graph.windows.net/myorganization/users?api-version

Response

Status Code:201
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.User/@Element",
  "odata.type": "Microsoft.DirectoryServices.User",
  "objectType": "User",
  "objectId": "84fba1e8-b942-47c9-a10e-a4bee353ce60",
  "deletionTimestamp": null,
  "accountEnabled": true,
  "signInNames": [],
  "assignedLicenses": [],
  "assignedPlans": [],
  "city": null,
  "country": null,
  "creationType": null,
  "department": null,
  "dirSyncEnabled": null,
  "displayName": "Alex Wu",
  "facsimileTelephoneNumber": null,
  "givenName": null,
  "immutableId": null,
  "jobTitle": null,
  "lastDirSyncTime": null,
  "mail": null,
  "mailNickname": "AlexW",
  "mobile": null,
  "onPremisesSecurityIdentifier": null,
  "otherMails": [],
  "passwordPolicies": null,
  "passwordProfile": null,
  "physicalDeliveryOfficeName": null,
  "postalCode": null,
  "preferredLanguage": null,
  "provisionedPlans": [],
  "provisioningErrors": [],
  "proxyAddresses": [],
  "sipProxyAddress": null,
  "state": null,
  "streetAddress": null,
  "surname": null,
  "telephoneNumber": null,
  "usageLocation": null,
  "userPrincipalName": "alex@a830edad9050849NDA1.com",
  "userType": "Member"
}

Response List

Status CodeDescription
201Created. Indicates success. The new user is returned in the response body.

Create a user (local or social account)

Beginning with version 1.6, Graph API supports creating local and social account users for Azure Active Directory B2C tenants. Unlike users associated with a work or school account, which require sign-in with an email address that contains one of the tenant's verified domains, local account users support signing in with app-specific credentials; for example, with a 3rd-party email address or an app-specific user name. Social account users sign-in using popular social identity providers such as Facebook, Google, LinkedIn or Microsoft Account. For more information about Azure Active Directory B2C, see the Azure Active Directory B2C documentation.

The request body contains the properties of the local account user or social account user to create. At a minimum, you must specify the required properties. These are somewhat different than those specified for work or school accounts as you can see in the table below. For local account users, the creationType property must be specified to indicate that the user is a local account and the signInNames property must be specified to pass the sign-in names for the user. For social account users, the userIdentities collection must contain one userIdentity specifying the issuer such as facebook.com and the issuerUserId which is a unique user identifier for the issuer. For social account users, the creationType can be left null and the signInNames collection can be left empty. For a user to sign in either a local account or social account, the user creationType should be set to LocalAccount, signInNames should specify the local sign-in name for the user, and userIdentities should specify the social accounts for the user.

In addition to the required properties, you can optionally specify any other writable properties on the User entity; however, this is generally limited to app-defined extension properties and a subset of the available properties on the User entity. You cannot assign licenses or subscriptions to local account users.

The following table shows the properties that are required when you create a local account user:

Required parameterTypeDescription
accountEnabledbooleantrue if the account is enabled; otherwise, false.
creationTypestringMust be set to LocalAccount to create a local account user.
displayNamestringThe name to display in the address book for the user.
passwordProfilePasswordProfileThe password profile for the user.
signInNamescollection(SignInName)One or more SignInName records that specify the sign-in names for the user. Each sign-in name must be unique across the company/tenant.

The following table shows the properties that are required when you create a social account user:

Required parameterTypeDescription
accountEnabledbooleantrue if the account is enabled; otherwise, false.
userIdentitiescollection(UserIdentity)One or more UserIdentity records that specify the social account type and the unique user identifier from the social identity provider.

On success, returns the newly created User; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

POST https://graph.windows.net/myorganization/users?api-version

Parameters

ParameterTypeValueNotes
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "accountEnabled": true,
  "creationType": "LocalAccount",
  "displayName": "Alex Wu",
  "passwordProfile": {
    "password": "Test1234",
    "forceChangePasswordNextLogin": false
  },
  "signInNames": [
    {
      "type": "userName",
      "value": "AlexW"
    },
    {
      "type": "emailAddress",
      "value": "AlexW@example.com"
    }
  ],
  "userIdentities": [
    {
      "issuer": "facebook.com",
      "issuerUserId": "MATxTNg5MzYyMzMyMNY1Njc="
    }
  ]
}

Requested URL

POST https://graph.windows.net/myorganization/users?api-version

Response

Status Code:201
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.User/@Element",
  "odata.type": "Microsoft.DirectoryServices.User",
  "objectType": "User",
  "objectId": "84fba1e8-b942-47c9-a10e-a4bee353ce60",
  "deletionTimestamp": null,
  "accountEnabled": true,
  "signInNames": [
    {
      "type": "userName",
      "value": "AlexW"
    },
    {
      "type": "emailAddress",
      "value": "AlexW@example.com"
    }
  ],
  "userIdentities": [
    {
      "issuer": "facebook.com",
      "issuerUserId": "MATxTNg5MzYyMzMyMNY1Njc="
    }
  ],
  "assignedLicenses": [],
  "assignedPlans": [],
  "city": null,
  "country": null,
  "creationType": "LocalAccount",
  "department": null,
  "dirSyncEnabled": null,
  "displayName": "Alex Wu",
  "facsimileTelephoneNumber": null,
  "givenName": null,
  "immutableId": null,
  "jobTitle": null,
  "lastDirSyncTime": null,
  "mail": null,
  "mailNickname": "AlexW_example.com#EXT#",
  "mobile": null,
  "onPremisesSecurityIdentifier": null,
  "otherMails": [],
  "passwordPolicies": null,
  "passwordProfile": null,
  "physicalDeliveryOfficeName": null,
  "postalCode": null,
  "preferredLanguage": null,
  "provisionedPlans": [],
  "provisioningErrors": [],
  "proxyAddresses": [],
  "sipProxyAddress": null,
  "state": null,
  "streetAddress": null,
  "surname": null,
  "telephoneNumber": null,
  "usageLocation": null,
  "userPrincipalName": "AlexW_example.com#EXT#@a830edad9050849NDA1.com",
  "userType": "Member"
}

Response List

Status CodeDescription
201Created. Indicates success. The new user is returned in the response body.

Update a user

Update a user's properties. Specify any writable User property in the request body. Only the properties that you specify are changed.

On success, no response body is returned; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "department": "Sales",
  "usageLocation": "US"
}

Requested URL

PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version

Response

Status Code:204
Content-Type:
  • application/json

Response List

Status CodeDescription
204No Content. Indicates success. No response body is returned.

Reset a user's password

Reset a user's password. Resetting a user's password is a special case of the update user operation. Specify the passwordProfile property for the User. The request contains a valid PasswordProfile object that specifies a password that satisfies the tenant’s password complexity policy. The password policy typically imposes constraints on the complexity, length, and re-use of a password. For more information, see the PasswordProfile topic.

Important

Either delegated scope User.ReadWrite.All or Directory.AccessAsUser.All is required to reset a user's password. In addition to the correct scope, the signed-in user would need sufficient privileges to reset another user's password.

On success, no response body is returned; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "passwordProfile": {
    "password": "Test123456",
    "forceChangePasswordNextLogin": false
  }
}

Requested URL

PATCH https://graph.windows.net/myorganization/users/{user_id}?api-version

Response

Status Code:204
Content-Type:
  • application/json

Response List

Status CodeDescription
204No Content. Indicates success. No response body is returned.

Delete a user

Deletes a user. Deleted users might not be recoverable.

On success, no response body is returned; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

DELETE https://graph.windows.net/myorganization/users/{user_id}[?api-version]

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringSpecifies the version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

DELETE https://graph.windows.net/myorganization/users/{user_id}[?api-version]

Response

Status Code:204
Content-Type:
  • application/json

Response List

Status CodeDescription
204No Content. Indicates success.

Invalidate all refresh tokens for a user

Invalidates all of the user's refresh tokens issued to applications (as well as session cookies in a user's browser), by resetting the refreshTokensValidFromDateTime user property to the current date-time. Typically, this operation is performed (by the user or an administrator) if the user has a lost or stolen device. This operation would prevent access to any of the organization's data accessed through applications on the device without the user first being required to sign in again. In fact, this operation would force the user to sign in again for all applications that they have previously consented to, independent of device.

For developers, if the application attempts to redeem a delegated access token for this user by using an invalidated refresh token, the application will get an error. If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint, which will force the user to sign in.

On success, no response body is returned; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringSpecifies the version of the Graph API to target. Required.

Requested URL

POST https://graph.windows.net/myorganization/users/{user_id}/invalidateAllRefreshTokens?api-version

Response

Status Code:204
Content-Type:
  • application/json

Response List

Status CodeDescription
204No Content. Indicates success. No response body is returned.

Operations on user navigation properties

Relationships between a user and other objects in the directory such as the user's manager, direct group memberships, and direct reports are exposed through navigation properties. You can read and, in some cases, modify these relationships by targeting these navigation properties in your requests.

Get a user's manager

Gets the user's manager from the manager navigation property.

On success, returns a link to the User or Contact assigned as the user's manager; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Note: You can remove the "$links" segment from the URL to return the User or Contact object instead of a link.

Request

GET https://graph.windows.net/myorganization/users/{user_id}/$links/manager?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/users/{user_id}/$links/manager?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/$links/manager",
  "url": "https://graph.windows.net/myorganization/directoryObjects/fabeb27a-0481-4a80-b43e-a5c02c125874/Microsoft.WindowsAzure.ActiveDirectory.User"
}

Response List

Status CodeDescription
200OK. Indicates success. A link to the user's manager is returned.
404Not Found. The requested resource was not found. This can occur if the manager property is not currently set for the specified user. It can also have other causes, for example, a bad domain. A code and associated message is returned with the error.

Code Samples


Assign a user's manager

Assigns a user's manager through the manager property. Either a user or a contact may be assigned. The request body contains a link to the User or Contact to assign.

On success, no response body is returned; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

PUT https://graph.windows.net/myorganization/users/{user_id}/$links/manager?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "url": "https://graph.windows.net/contoso.onmicrosoft.com/directoryObjects/fabeb27a-0481-4a80-b43e-a5c02c125874"
}

Requested URL

PUT https://graph.windows.net/myorganization/users/{user_id}/$links/manager?api-version

Response

Status Code:204
Content-Type:
  • application/json

Response List

Status CodeDescription
204No Content. Indicates success. No response body is returned.

Get a user's direct reports

Gets the user's direct reports from the directReports navigation property.

On success, returns a collection of links to the User's and Contact's for whom this user is assigned as manager; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Note: You can remove the "$links" segment from the URL to return DirectoryObjects for the users and contacts instead of links.

Request

GET https://graph.windows.net/myorganization/users/{user_id}/$links/directReports?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/users/{user_id}/$links/directReports?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/$links/directReports",
  "value": [
    {
      "url": "https://graph.windows.net/myorganization/directoryObjects/84fba1e8-b942-47c9-a10e-a4bee353ce60/Microsoft.DirectoryServices.User"
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. One or more direct reports are returned.

Code Samples


Get a user's group and directory role memberships

Gets the user's group and directory role memberships from the memberOf navigation property.

This property returns only groups or directory roles that the user is a direct member of. To get all of the groups that the user has direct or transitive membership in, call the getMemberGroups function. To get all of the groups or directory roles that the user has direct or transitive membership in, call the getMemberObjects function.

On success, returns a collection of links to the Group's and DirectoryRole's that this user is a member of; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Note: You can remove the "$links" segment from the URL to return the DirectoryObjects for the groups and directory roles instead of links.

Request

GET https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/$links/memberOf",
  "value": [
    {
      "url": "https://graph.windows.net/myorganization/directoryObjects/12345678-b942-47c9-a10e-a4bee353ce60/Microsoft.DirectoryServices.Group"
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. One or more groups and/or directory roles are returned.

Code Samples


Other navigation properties

By using the same patterns shown above, you can target other navigation properties exposed by users. Some properties are read-only and others may be modified. For more information about user navigation properties, see the documentation for User.


Functions and actions on users

You can call any of the following functions or actions on a user.

Assign a license to a user

You can call the assignLicense action to assign or remove licenses for a user and to enable or disable specific plans for the user.

Change password of the signed-in user

You can call the changePassword action on the signed-in user to enable them to change their password.

Check membership in a specific group (transitive)

You can call the isMemberOf function to check for membership in a specific group. The check is transitive.

Check membership in a list of groups (transitive)

You can call the checkMemberGroups function to check for membership in a list of groups. The check is transitive.

Get all group memberships (transitive)

You can call the getMemberGroups function to return all the groups that the user is a member of. The check is transitive, unlike reading the memberOf navigation property, which returns only the groups that the user is a direct member of.

Get all group and directory role memberships (transitive)

You can call the getMemberObjects function to return all of the groups and directory roles that the user is a member of. The check is transitive, unlike reading the memberOf navigation property, which returns only the groups that the user is a direct member of.


Additional Resources

  • Learn more about Graph API supported features, capabilities, and preview features in Graph API concepts
© 2018 Microsoft