
DirectoryObject

Updated: May 12, 2015

Try the new interactive Graph API documentation for the most up-to-date reference documentation for Azure AD Graph API. With the interactive documentation, you can try REST operations against a sample tenant from inside the documentation itself.

  • Applies To: Azure AD Graph

Represents an Azure Active Directory object. This topic provides descriptions of the properties and navigation properties of the DirectoryObject entity type. The DirectoryObject type is the base type for most of the other directory entity types.

Namespace: Microsoft.DirectoryServices for version 1.5 and newer, Microsoft.WindowsAzure.ActiveDirectory for versions prior to 1.5.

The DirectoryObject entity type is defined as follows:

Namespace: Microsoft.WindowsAzure.ActiveDirectory

Declared Properties

| Name | Type | Create (POST) | Read (GET) | Update (PATCH) | Description |
|---|---|---|---|---|---|
| deletionTimestamp | Edm.DateTime | No | Yes | No | The time at which the directory object was deleted. It only applies to those directory objects which can be restored. Currently it is only supported for deleted Application objects; all other entities return null for this property. Notes: Requires version 1.5 or newer. |
| objectId | Edm.String | No | Yes | No | A Guid that is the unique identifier for the object; for example, 12345678-9abc-def0-1234-56789abcde. Notes: key, immutable, not nullable, unique. |
| objectType | Edm.String | No | Yes | No | A string that identifies the object type. For example, for groups the value is always “Group”. |

Navigation Properties

| Name | From Multiplicity | To | To Multiplicity | Description |
|---|---|---|---|---|
| createdObjects | * | DirectoryObject | * | The directory objects that were created by the current object. Read only. Requires version 2013-11-08 or newer. |
| createdOnBehalfOf | * | DirectoryObject | 0..1 | The directory object that this object was created on behalf of. Read only. Requires version 2013-11-08 or newer. |
| manager | * | DirectoryObject | 0..1 | This object’s manager. Valid on users and contacts. Returns a user or a contact. |
| directReports | * | DirectoryObject | * | Users and contacts that report to this object. Valid on users and contacts. Returns users and contacts. Read only. |
| members | * | DirectoryObject | * | Objects that are members of this object. Valid on groups and roles. On groups, returns contacts, users, and groups. On roles, returns users and service principals. |
| memberOf | * | DirectoryObject | * | Objects that this object is a member of. Valid on contacts, groups, service principals, and users. On contacts, returns groups. On groups, returns groups. On users, returns groups and roles. On service principals, returns roles. Read only. The property is not transitive. For example, if User A is a member of Group B and Group B is a member of Group C, the memberOf property on User A will not return Group C. |
| ownedObjects | * | DirectoryObject | * | The directory objects that are owned by the current object. Read only. Requires version 2013-11-08 or newer. |
| owners | * | DirectoryObject | * | The directory objects that are owners of the current object. The owners are a set of non-admin users who are allowed to modify this object. Requires version 2013-11-08 or newer. |
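Because memberOf is not transitive, an access review that needs an object's effective memberships has to follow the links itself. The following is an added example, not part of the original documentation: `DIRECT_MEMBER_OF` is constructed sample data standing in for the result of reading each object's memberOf property, and the function names and object identifiers are hypothetical.

```python
from collections import deque

# Constructed sample data: object -> what a (non-transitive) memberOf read
# on that object returns. Identifiers are placeholders, not real objectIds.
DIRECT_MEMBER_OF = {
    "user-a": ["group-b", "role-x"],
    "group-b": ["group-c"],
    "group-c": ["group-d"],
    "group-d": ["group-b"],  # nesting cycle, which the walk must survive
}


def fetch_direct_sample(object_id):
    """Stand-in for one memberOf read; returns direct parents only."""
    return DIRECT_MEMBER_OF.get(object_id, [])


def effective_member_of(object_id, fetch_direct):
    """Return {parent_id: path} for every object reachable via memberOf.

    The path records how the membership is inherited, which is what a
    reviewer needs in order to decide where to break the chain.
    """
    paths = {}
    queue = deque([(object_id, [object_id])])
    while queue:
        current, path = queue.popleft()
        for parent in fetch_direct(current):
            if parent == object_id or parent in paths:
                continue  # already visited: stops on nesting cycles
            paths[parent] = path + [parent]
            queue.append((parent, paths[parent]))
    return paths


def inherited_only(object_id, fetch_direct):
    """Memberships that a single memberOf read on the object would not show."""
    direct = set(fetch_direct(object_id))
    return sorted(set(effective_member_of(object_id, fetch_direct)) - direct)


if __name__ == "__main__":
    for parent, path in effective_member_of("user-a", fetch_direct_sample).items():
        print(parent, "via", " -> ".join(path))
```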

Note
Not all navigation properties are necessarily valid on the entity types that inherit from DirectoryObject. If a request for a property that is not valid for a specific entity is sent, a 400 Bad Request response is returned. For more information about which navigation properties are valid on specific entities, consult the documentation for that entity type.

For information about the primitive types exposed by the EDM, see Entity Data Model: Primitive Data Types.

The following table shows how to address the directory object resource set, which spans all the directory objects in the directory; an individual directory object; and the navigation properties of a directory object. The examples in the table use the tenant domain to address the tenant. For other ways of addressing the tenant, see Addressing Entities and Operations in the Graph API.

| Artifact | URL fragment | Example |
|---|---|---|
| Resource Set (all directory objects) | /directoryObjects | https://graph.windows.net/contoso.onmicrosoft.com/directoryObjects?api-version=1.5 |
| Individual directory object | /directoryObjects/{objectId} | https://graph.windows.net/contoso.onmicrosoft.com/directoryObjects/12345678-9abc-def0-1234-56789abcde?api-version=1.5 |
| Navigation property | /directoryObjects/{objectId}/$(links)/{property-name} | https://graph.windows.net/contoso.onmicrosoft.com/directoryObjects/12345678-9abc-def0-1234-56789abcde/$links/owners?api-version=1.5 |

Note
Remove the “$links” segment of the navigation property URL to return the objects referenced by a navigation property rather than links to them. This mode of addressing can be used for read operations only. Entities that inherit from DirectoryObject can also typically be addressed using their resource set by replacing “directoryObjects” with a string that identifies the resource set -- for example, “users” -- in the URL. Not all addressing modes are available for all entity types.

For more comprehensive information about querying directory objects, see Azure AD Graph API Common Queries and Azure AD Graph API Differential Query.

The full set of operations supported on directory objects is the following (the HTTP method used for each is in parentheses): Create (POST), Read (GET), Update (PATCH), and Delete (DELETE). However, not all of these operations are supported on every entity type. The declared properties of a directory object are read-only; they cannot be specified in create or update operations.

The potential set of operations supported on each of the navigation properties is:

  • createdObjects: Read (GET).

  • createdOnBehalfOf: Read (GET).

  • manager: Read (GET), Update (PUT), and Delete (DELETE).

  • directReports: Read (GET).

  • members: Read (GET), Update (POST), and Delete (DELETE).

  • memberOf: Read (GET).

  • ownedObjects: Read (GET).

  • owners: Read (GET), Update (POST), and Delete (DELETE).

Not all navigation properties are necessarily supported on every entity type, nor is the set of potential operations for a navigation property necessarily supported on every entity type.
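The operation list above can be applied as a filter over request logs to separate reads from changes to membership, ownership and manager links. The following is an added example, not part of the original documentation: the log line format, the object identifiers and the function names are constructed for illustration, and the table encodes only the potential operations listed on this page.

```python
from urllib.parse import urlsplit

# Potential operations per navigation property, as listed on this page.
NAV_OPS = {
    "createdObjects": {"GET"}, "createdOnBehalfOf": {"GET"},
    "manager": {"GET", "PUT", "DELETE"}, "directReports": {"GET"},
    "members": {"GET", "POST", "DELETE"}, "memberOf": {"GET"},
    "ownedObjects": {"GET"}, "owners": {"GET", "POST", "DELETE"},
}


def classify(method, url):
    """Classify one request against the navigation-property table."""
    # Path layout: /{tenant}/{resource set}/{objectId}[/$links]/{property}
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) < 4:
        return "not-navigation"
    via_links = parts[3] == "$links"
    prop_index = 4 if via_links else 3
    if len(parts) <= prop_index or parts[prop_index] not in NAV_OPS:
        return "not-navigation"
    method = method.upper()
    if method not in NAV_OPS[parts[prop_index]]:
        return "unsupported"   # not in the page's list for this property
    if method == "GET":
        return "read"
    # Addressing without the $links segment is for read operations only.
    return "link-write" if via_links else "unsupported"


def audit(lines):
    """Return (verdict, line) for every request that is not a plain read."""
    findings = []
    for line in lines:
        method, url = line.split(None, 1)
        verdict = classify(method, url.strip())
        if verdict in ("link-write", "unsupported"):
            findings.append((verdict, line))
    return findings


# Constructed sample log: "<METHOD> <URL>", with placeholder objectIds.
BASE = "https://graph.windows.net/contoso.onmicrosoft.com"
OID = "00000000-0000-0000-0000-000000000001"
SAMPLE_LOG = [
    f"GET {BASE}/users/{OID}/memberOf?api-version=1.5",
    f"POST {BASE}/groups/{OID}/$links/owners?api-version=1.5",
    f"DELETE {BASE}/directoryObjects/{OID}/$links/memberOf?api-version=1.5",
    f"POST {BASE}/groups/{OID}/members?api-version=1.5",
    f"GET {BASE}/directoryObjects?api-version=1.5",
]
```

A `link-write` verdict on owners or members marks a change to who can modify an object or who belongs to it, which is the event worth alerting on.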

Whether a particular directory object supports a particular action or function depends on the type of the directory object (the objectType property). For information about which object types support which functions or actions, see the documentation of the particular object (for example, user or group) or of the particular function.

In general, the principal that represents an application must be in an administrator role that has directory WRITE privileges to send PATCH, POST, PUT or DELETE requests. It must be in a role that has directory READ privileges to send GET requests. However, the permissions required for operations on a specific entity type can be different.

It is best to consult the documentation for the specific entity type for information about operations supported for and permissions required for an entity.

DirectoryObject is the base type for the following entity types: Application, Device, DirectoryLinkChange, Contact, Group, DirectoryRole, ServicePrincipal, TenantDetail, and User.

© 2015 Microsoft