Table of contents

Functions and actions | Graph API reference

Jimaco Brannian|Last Updated: 3/28/2018
|
2 Contributors

Applies to: Graph API | Azure Active Directory

This topic discusses the functions and actions that are exposed by Azure AD Graph API and how you can call them.

The Graph API is an OData 3.0 compliant REST API that provides programmatic access to directory objects in Azure Active Directory, such as users, groups, organizational contacts, and applications.

Important

We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.

Using the Graph API to call actions and functions

To call an action or a function with the Graph API, you send POST requests to the appropriate endpoint.

Graph API requests use the following basic URL:

https://graph.windows.net/{tenant_id}/{resource_path}?{api_version}[odata_query_parameters]
Important

Requests sent to the Graph API must be well-formed, target a valid endpoint and version of the Graph API, and carry a valid access token obtained from Azure AD in their Authorization header. For more detailed information about creating requests and receiving responses with the Graph API, see Operations Overview.

Functions or actions that are called on the directory service itself do not require a resource path. For functions or operations that are called on a specific resource, you will specify the {resource_path} differently depending on the resource that you are targeting. The resource path will have the following parts:

  • (resource_collection} specifies the resource collection, such as users, contacts, or groups.
  • {resource_id} identifies the specific resource to target in the resource collection. Typically an object ID (GUID), but, in the case of a user, you can also use the user principal name (UPN).

You can use the me alias to target the signed-in user. This alias replaces the following URL path segments: {tenant_id}/users/{user_id}. When you use this alias, the Graph API gets the user and tenant from the bearer token attached to the request.

For example, the following POST request can be used to assign a license to the signed-in user (you must also include an appropriate request body) :

POST https://graph.windows.net/me/assignLicense?api-version=1.6

For more information about performing operations using the me alias, see REST operations on the signed-in user.

Functions

Functions have no side effects in the directory. That is, when you call a function, it only returns data, it does not modify any data in the directory. The following topics show you how to call functions with the Graph API.


applications: Get application properties by object ID

Call the applications function specifying the objectID to return the details of an application.

Important: Requires version 1.6 or newer.

Request

GET https://graph.windows.net/myorganization/applications/{application_oid}?api-version

Parameters

ParameterTypeValueNotes
URL
application_oidstringThe object id of the application.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/applications/{application_oid}?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.directoryObjects/@Element)",
  "odata.type": "Microsoft.DirectoryServices.Application",
  "objectType": "Application",
  "objectId": "35418b3b-476c-4271-81a8-6db65d397ff4",
  "deletionTimestamp": null,
  "addIns": [],
  "allowActAsForAllClients": null,
  "appBranding": null,
  "appCategory": null,
  "appData": null,
  "appId": "1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1",
  "appMetadata": {
    "version": 0,
    "data": [
      {
        "key": "ApplicationMetadata",
        "value": "eyJBcHBsaWNhd..."
      }
    ]
  },
  "appRoles": [],
  "availableToOtherTenants": true,
  "displayName": "Test App",
  "encryptedMsiApplicationSecret": null,
  "errorUrl": null,
  "groupMembershipClaims": "None",
  "homepage": null,
  "identifierUris": [],
  "keyCredentials": [
    {
      "customKeyIdentifier": "pZMUkCG+igju29A1o/BYhnWffff=",
      "endDate": "2017-10-11T07:00:00Z",
      "keyId": "dceb697c-477a-4a25-be87-38282995ffff",
      "startDate": "2012-09-11T07:00:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    },
    {
      "customKeyIdentifier": "pEFcLQgJrxgCgQwBbtV/G5Cffff=",
      "endDate": "2017-06-19T07:00:00Z",
      "keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
      "startDate": "2012-05-19T07:00:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    }
  ],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "passwordCredentials": [],
  "publicClient": false,
  "recordConsentConditions": null,
  "replyUrls": [],
  "requiredResourceAccess": [],
  "samlMetadataUrl": null,
  "supportsConvergence": false,
  "tokenEncryptionKeyId": null
}

Response List

Status CodeDescription
200OK. Indicates success. Returns the application's new key credential and password credential directory object.

Request Body

None.

Response Body

TypeDescription
ApplicationApplication properties for the specified object ID.

applicationsByAppId: Get application properties by application ID

Call the applicationsByAppId function specifying the appID to return details of an application.

Important: Requires version 1.6 or newer.

Request

GET https://graph.windows.net/myorganization/applicationsByAppId/{application_id}?api-version

Parameters

ParameterTypeValueNotes
URL
application_idstringThe application ID (GUID) of the application.
Query
api-versionstringThe version of the Graph API to target. Required.

Requested URL

GET https://graph.windows.net/myorganization/applicationsByAppId/{application_id}?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Application/@Element",
  "odata.type": "Microsoft.DirectoryServices.Application",
  "objectType": "Application",
  "objectId": "35418b3b-476c-4271-81a8-6db65d397ff4",
  "deletionTimestamp": null,
  "addIns": [],
  "allowActAsForAllClients": null,
  "appBranding": null,
  "appCategory": null,
  "appData": null,
  "appId": "1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1",
  "appMetadata": {
    "version": 0,
    "data": [
      {
        "key": "ApplicationMetadata",
        "value": "eyJBcHBsaWNhd..."
      }
    ]
  },
  "appRoles": [],
  "availableToOtherTenants": true,
  "displayName": "Test App",
  "encryptedMsiApplicationSecret": null,
  "errorUrl": null,
  "groupMembershipClaims": "None",
  "homepage": null,
  "identifierUris": [],
  "keyCredentials": [
    {
      "customKeyIdentifier": "pZMUkCG+igju29A1o/BYhnWffff=",
      "endDate": "2017-10-11T07:00:00Z",
      "keyId": "dceb697c-477a-4a25-be87-38282995ffff",
      "startDate": "2012-09-11T07:00:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    },
    {
      "customKeyIdentifier": "pEFcLQgJrxgCgQwBbtV/G5Cffff=",
      "endDate": "2017-06-19T07:00:00Z",
      "keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
      "startDate": "2012-05-19T07:00:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    }
  ],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "passwordCredentials": [],
  "publicClient": false,
  "recordConsentConditions": null,
  "replyUrls": [],
  "requiredResourceAccess": [],
  "samlMetadataUrl": null,
  "supportsConvergence": false,
  "tokenEncryptionKeyId": null
}

Response List

Status CodeDescription
200OK. Indicates success. Returns the application object ID.

Request Body

None.

Response Body

TypeDescription
ApplicationApplication properties for the specified object ID.

checkMemberGroups: Check for membership in a list of groups

Call checkMemberGroups to check the membership of a user, contact, group, or service principal in a list of groups. The operation is transitive.

You can check up to a maximum of 20 groups per request.

Request

POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/checkMemberGroups?api-version

Parameters

ParameterTypeValueNotes
URL
resource_collectionstringSpecifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals.
resource_idstringSpecifies the user, contact, group, or service principal for which membership is to be checked. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN)..
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "groupIds": [
    "8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
    "be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
    "cf61b8c9-3626-4fe4-b2f7-ac31fa905605"
  ]
}

Requested URL

POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/checkMemberGroups?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
  "value": [
    "8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
    "be78b7e2-a94a-4ab0-9bb4-403977cc7ec6"
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. The object IDs of the groups in the request that the target user, contact, group, or service principal has either direct or transitive membership in are returned.

Request Body

Property NameTypeRequiredDescription
groupIdsCollection(Edm.String)YesA collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.

Response Body

Property NameTypeDescription
valueCollection(Edm.String)A collection that contains the object IDs of the groups specified in the request that the contact, user, group, or service principal is a member of.

getAvailableExtensionProperties: Get the registered extension properties in a directory

Call the getAvailableExtensionProperties function to return all or a filtered list of the extension properties that have been registered in a directory. The following entities support extension properties: User, Group, TenantDetail, Device, Application, and ServicePrincipal. To learn more about how extension properties are registered and unregistered in a directory and how you can modify their values, see Directory Schema Extensions.

Important: Requires version 1.5 or newer.

Request

POST https://graph.windows.net/myorganization/getAvailableExtensionProperties?api-version

Parameters

ParameterTypeValueNotes
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "isSyncedFromOnPremises": false
}

Requested URL

POST https://graph.windows.net/myorganization/getAvailableExtensionProperties?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
      "objectType": "ExtensionProperty",
      "objectId": "d6a8bfec-893d-46e4-88fd-7db5fcc0fa62",
      "deletionTimestamp": null,
      "appDisplayName": "SampleApp",
      "name": "extension_4d405aa8baa04fb494d3e0571fd9fd71_skypeId",
      "dataType": "String",
      "isSyncedFromOnPremises": false,
      "targetObjects": [
        "User"
      ]
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. A collection that contains the extension properties is returned.

Request Body

Property NameTypeRequiredDescription
isSyncedFromOnPremisesEdm.BooleanNotrue to specify that only extension properties that are synced from the on-premises directory should be returned; false to specify that only extension properties that are not synced from the on-premises directory should be returned. If the parameter is omitted then all extension properties (both synced and non-synced) are returned.

Response Body

Property NameTypeDescription
valueCollection(ExtensionProperty)A collection that contains the extension properties registered with the directory filtered according to the request.

getMemberGroups: Get group memberships (transitive)

Call the getMemberGroups function on a user, contact, group, or service principal to get the groups that it is a member of. The function is transitive.

Note: The maximum number of groups that can be returned is 2046. If the target object has direct or transitive membership in more than 2046 groups, the function returns an HTTP error response with an error code of Directory_ResultSizeLimitExceeded.

Request

POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberGroups?api-version

Parameters

ParameterTypeValueNotes
URL
resource_collectionstringSpecifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals.
resource_idstringSpecifies the user, contact, group, or service principal for which group memberships are to be returned. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN)..
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "securityEnabledOnly": false
}

Requested URL

POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberGroups?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
  "value": [
    "8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
    "be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
    "5e624f44-d38d-4943-b07c-2bad078f52ff"
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. The object IDs of the groups that the target user, contact, group, or service principal has either direct or transitive membership in are returned.

Request Body

Property NameTypeRequiredDescription
securityEnabledOnlyEdm.BooleanYestrue to specify that only security groups that the entity is a member of should be returned; false to specify that all groups that the entity is a member of should be returned. Note: The function can only be called on a user if the parameter is true.

Response Body

Property NameTypeDescription
valueCollection(Edm.String)A collection that contains the object IDs of the groups that the contact, user, group, or service principal is a member of.

getMemberObjects: Get group and directory role memberships (transitive)

Call the getMemberObjects function on a user, contact, group, or service principal to get the groups and directory roles that it is a member of. The function is transitive.

Note: The maximum number of groups and directory roles that can be returned is 2046. If the target object has direct or transitive membership in more than 2046 groups and directory roles, the function returns an HTTP error response with an error code of Directory_ResultSizeLimitExceeded.

Important: Requires version 1.5 or newer.

Request

POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberObjects?api-version

Parameters

ParameterTypeValueNotes
URL
resource_collectionstringSpecifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals.
resource_idstringSpecifies the user, contact, group, or service principal for which group and directory role memberships are to be returned. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN)..
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "securityEnabledOnly": false
}

Requested URL

POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberObjects?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myortanization/$metadata#Collection(Edm.String)",
  "value": [
    "8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
    "be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
    "5e624f44-d38d-4943-b07c-2bad078f52ff"
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. The object IDs of the groups and directory roles that the target user, contact, group, or service principal has either direct or transitive membership in are returned.

Request Body

Property NameTypeRequiredDescription
securityEnabledOnlyEdm.BooleanYestrue to specify that only security groups that the entity is a member of should be returned; false to specify that all groups and directory roles that the entity is a member of should be returned. Note: The function can only be called on a user if the parameter is true.

Response Body

Property NameTypeDescription
valueCollection(Edm.String)A collection that contains the object IDs of the groups and directory roles that the contact, user, group, or service principal is a member of.

getObjectsByObjectIds: Get objects from a list of object IDs

Call the getObjectsByObjectIds function on the directory service to return the directory objects specified in a list of object IDs. You can also specify which resource collections (users, groups, etc.) should be searched by specifying the optional types parameter.

Some common uses for this function are to:

  • Resolve the object IDs returned by functions that return collections of object IDs such as getMemberObjects or getMemberGroups to their backing directory objects.
  • Resolve object IDs persisted in an external store by the application to their backing directory objects.

Important: Requires version 1.5 or newer.

Request

POST https://graph.windows.net/myorganization/getObjectsByObjectIds?api-version

Parameters

ParameterTypeValueNotes
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "objectIds": [
    "c57cdc98-0dcd-4f90-a82f-c911b288bab9",
    "cc9869f0-6ac0-4d00-bc24-621a2d949d35",
    "477c2fe9-b0e7-4661-8564-ba170666f058",
    "beb9a3bb-2fff-4d5f-99d8-0ce169e8bed7"
  ],
  "types": [
    "group"
  ]
}

Requested URL

POST https://graph.windows.net/myorganization/getObjectsByObjectIds?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.Group",
      "objectType": "Group",
      "objectId": "c57cdc98-0dcd-4f90-a82f-c911b288bab9",
      "deletionTimestamp": null,
      "description": "Marketing Group",
      "dirSyncEnabled": null,
      "displayName": "Marketing",
      "lastDirSyncTime": null,
      "mail": null,
      "mailNickname": "cdf76b17-0734-41bc-9c24-9a7af93f3502",
      "mailEnabled": false,
      "onPremisesSecurityIdentifier": null,
      "provisioningErrors": [],
      "proxyAddresses": [],
      "securityEnabled": true
    },
    {
      "odata.type": "Microsoft.DirectoryServices.Group",
      "objectType": "Group",
      "objectId": "cc9869f0-6ac0-4d00-bc24-621a2d949d35",
      "deletionTimestamp": null,
      "description": "Engineering Group",
      "dirSyncEnabled": null,
      "displayName": "Engineering",
      "lastDirSyncTime": null,
      "mail": null,
      "mailNickname": "ef3b8cc1-721b-4452-9e30-9867d1de80ea",
      "mailEnabled": false,
      "onPremisesSecurityIdentifier": null,
      "provisioningErrors": [],
      "proxyAddresses": [],
      "securityEnabled": true
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. A collection that contains the directory objects that match the search criterea is returned.

Request Body

Property NameTypeRequiredDescription
objectIdsCollection(Edm.String)YesThe collection of object IDs for which to return objects. You can specify up to 1000 object IDs.
typesCollection(Edm.String)NoA collection of object types that specifies the set of resource collections (entity sets) to search. If not specified, the default is DirectoryObject, which contains all of the objects in the directory. Any object that derives from DirectoryObject may be specified in the collection; for example: User, Group, ServicePrincipal, and so on. The values are not case sensitive.

Response Body

Property NameTypeDescription
valueCollection(DirectoryObject)A collection of objects found for the specified Object IDs and resource collections.

isMemberOf: Check membership in a specific group (transitive)

Call the isMemberOf function on the directory service to check whether a specified user, group, contact, or service principal is a member of a specified group. The operation is transitive,

Request

POST https://graph.windows.net/myorganization/isMemberOf?api-version

Parameters

ParameterTypeValueNotes
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "groupId": "5e624f44-d38d-4943-b07c-2bad078f52ff",
  "memberId": "ea59e4d3-a7a1-4b5b-b65f-a25fcc0c0f99"
}

Requested URL

POST https://graph.windows.net/myorganization/isMemberOf?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.Boolean",
  "value": true
}

Response List

Status CodeDescription
200OK. Indicates success. Returns true if the user, contact, group, or service principal is a member of the specified group; otherwsie, false.

Request Body

Property NameTypeRequiredDescription
groupIdEdm.StringYesThe object ID of the group to check.
memberIdEdm.StringYesThe object ID of the contact, group, user, or service principal to check for membership in the specified group.

Response Body

Property NameTypeDescription
valueEdm.Booleantrue if the specified user, group, contact, or service principal has either direct or transitive membership in the specified group; otherwise, false.

servicePrincipalsByAppId: Get service principal object ID by application ID

Call the servicePrincipalsByAppId function on the directory service to return the the object ID of the specified application ID.

Important: Requires version 1.6 or newer.

Request

GET https://graph.windows.net/myorganization/servicePrincipalsByAppId/{application_id}/objectId?api-version

Parameters

ParameterTypeValueNotes
URL
application_idstringThe application ID (GUID) of the service principal.
Query
api-versionstringThe version of the Graph API to target. Required.

Requested URL

GET https://graph.windows.net/myorganization/servicePrincipalsByAppId/{application_id}/objectId?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.String",
  "value": [
    "00b4e797-7017-4720-b187-b01981c820d6"
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. Returns the service principal object ID of the specified application ID.

Request Body

None.

Response Body

Property NameTypeDescription
valueEdm.StringThe Object ID of the service principal with the specified application ID.

verify: Verify ownership of a domain

Call the verify action on a domain to validate the ownership of the domain.

Important: Only applies to an unverified domain (the isVerified property of the [Domain] is false). Only supported in version beta.

Request

POST https://graph.windows.net/myorganization/domains({domain_name})/verify?api-version

Parameters

ParameterTypeValueNotes
URL
domain_namestringThe fully qualified domain name of the target domain. Must be enclosed in single quotes.
Query
api-versionstringThe version of the Graph API to target. Required.

Requested URL

POST https://graph.windows.net/myorganization/domains({domain_name})/verify?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#domains/@Element",
  "authenticationType": "Managed",
  "availabilityStatus": "AvailableImmediately",
  "isAdminManaged": true,
  "isDefault": false,
  "isInitial": false,
  "isRoot": true,
  "isVerified": true,
  "name": "contoso.com",
  "supportedServices": []
}

Response List

Status CodeDescription
200OK. Indicates success. Returns the Domain object. The isVerified property indicates whether the ownership of the domain has been verified successfully.

Request Body

None.

Response Body

TypeDescription
[Domain]The domain being verified. The isVerified property indicates whether the ownership of the domain has been verified successfully.

Actions

Actions have side effects in the directory. That is, when you call an action, it may alter data in the directory. For example, it may assign a license to a user or restore an application that has previously been deleted.

addKey: Add a KeyCredential for an application

Call the addKey action to add a KeyCredential for an application.

Important: Requires version v1.6 or newer

Note

Tenant administrators can also add application keys in the Azure portal.

Request

POST https://graph.windows.net/myorganization/applications/{application_oid}/addKey?api-version

Parameters

ParameterTypeValueNotes
URL
application_oidstringThe object id of the application.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "keyCredential": {
    "customKeyIdentifier": "6uv7gh",
    "endDate": "endDate=2017-10-11T07:00:00Z",
    "keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": null
  },
  "passwordCredential": null,
  "proof": "Bearer eyJ0eXAiOiJKv1..."
}

Requested URL

POST https://graph.windows.net/myorganization/applications/{application_oid}/addKey?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
  "value": [
    {
      "keyCredential": {
        "customKeyIdentifier": "6uv7gh",
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": "MIZB9jVCACfEw="
      },
      "passwordCredential": null,
      "proof": "eyJ0eXAiOiJKv1"
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. Returns the application's new key credential and password credential directory object.

Request

POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/addKey?api-version

Parameters

ParameterTypeValueNotes
URL
application_idstringThe application ID (GUID) of the application.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "keyCredential": {
    "customKeyIdentifier": "6uv7gh",
    "type": "X509CertAndPassword",
    "usage": "Sign",
    "value": "MIIJgIBAzCCCbYGCSqGSIb3gX1MIIF..."
  },
  "passwordCredential": {
    "value": "MKTr0w1ytHhemMDY"
  },
  "proof": "Bearer eyJ0eXAiOiJKv1..."
}

Requested URL

POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/addKey?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
  "value": [
    {
      "keyCredential": {
        "customKeyIdentifier": "JXyLFwBmN=",
        "endDate": "2017-10-11T07:00:00Z",
        "keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
        "startDate": "2012-09-11T07:00:00Z",
        "type": "AsymmetricX509Cert",
        "usage": "Sign",
        "value": null
      }
    },
    {
      "keyCredential": {
        "customKeyIdentifier": "JXyLFwBmN=",
        "endDate": "2017-10-11T07:00:00Z",
        "keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
        "startDate": "2012-09-11T07:00:00Z",
        "type": "Password",
        "usage": "Sign",
        "value": null
      }
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. Returns the application's new key credential and password credential directory object.

Request Body

Property NameTypeRequiredDescription
keyCredentialKeyCredentialYesThe application key credential to add. Note: keyId value should be null.
passwordCredentialPasswordCredentialYesThe application password credential to add. Note: keyId value should be null.
proofEdm.StringYesA signed JWT token used as a proof of possession of the existing keys.

This request adds a new key credential and password credential to an application. In this example, only a key credential was added to the application.

POST https://graph.windows.net/myorganization/application/8bea0f8d-83eb-4e89-bfca-1f41c8a22ffff/addKey?api-version=1.6 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 406

{ 
  "keyCredential": 
       { 
           "customKeyIdentifier": "6vu7hglDaiwXLbvVeRBIRgSTKXc=", 
            "type": "AsymmetricX509Cert", 
            "usage": "Verify", 
            "value": "MIIB9jCCAVANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwlEdW..." 
        } 
"passwordCredential": null , 
"proof":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFHZGdvdW5aWlc1bU50Mmg2dmJTM1ZBTHJBVSJ9...." 
} 

As part of the request validation for this service action, a proof of possession of an existing key is verified before the action can be performed. The proof is represented by a self-signed JWT token. The requesting application needs to generate a self-signed JWT token with the following requirements.

Required claims:

  • aud - Audience needs to be AAD Graph SPN
  • iss - Issuer needs to be one of the application identifier URIs of the application that is making the call or the App ID GUID
  • nbf - not before
  • exp - expiration time

The X5T, base64 url encoded signing certificate thumbprint header parameter is required

The token signing key is the private key of one of the application existing certificates. The certificate needs to meet the following criteria to be valid:

  • Its public key is part of application keys with Asymmetric/Verify type/usage.
  • Its public key has not yet expired.

Applications that don’t have any existing valid certificates (i.e.: no certificates have been added yet, or all certificates have expired), won’t be able to use this service action and separate process will be needed to perform an update instead.

The token lifespan should not exceed 10 minutes. Where token lifespan is the difference between EXP and NBF claims.


assignLicense: Add or remove licenses from a user

Call the assignLicense action on a user to add or remove subscriptions for the user. You can also enable and disable specific plans associated with a subscription.

Important: Requires version 2013-11-08 or newer.

Request

POST https://graph.windows.net/myorganization/users/{user_id}/assignLicense?api-version

Parameters

ParameterTypeValueNotes
URL
user_idstringThe user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "addLicenses": [
    {
      "disabledPlans": [],
      "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
    }
  ],
  "removeLicenses": []
}

Requested URL

POST https://graph.windows.net/myorganization/users/{user_id}/assignLicense?api-version

Response

Status Code:200
Content-Type:
  • application/json

Response List

Status CodeDescription
200OK. Indicates success. No response body is returned.

Request Body

Property NameTypeRequiredDescription
addLicensesCollection(AssignedPlan)YesA collection of AssignedLicense objects that specify the licenses to add. You can disable plans associated with a license by setting the disabledPlans property on an AssignedLicense object.
removeLicensesCollection(Edm.Guid)YesA collection of GUIDs that identify the licenses to remove.

Note: Subscription SKU IDs and plan IDs can be read from the tenant object. For example, performing a GET request to https://graph.windows.net/myorganization/subscribedSkus returns the subscriptions available for the tenant of the signed-in user. These are returned as SubscribedSku entities and the SKU ID can be read from the skuId property. You can get the plan IDs associated with the subscription from the servicePlans collection. Availability of subscriptions can be calculated from the consumedUnits property and values from the prepaidUnits property, which includes counts of units that are “enabled”, “suspended” and in “warning” states.

Addtitional Examples

This request shows an initial license assignment of the Enterprise Office SKU, which contains SharePoint Online, Lync Online and the Exchange Online service plans.

POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35

{
  "addLicenses":[{"disabledPlans":[ ],"skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"}],
  "removeLicenses":[ ]
}

This request updates the user’s license by disabling specific plans. In this example, there are two disabledPlans (SharePointOnline and LyncOnline"), leaving only the Exchange Service Plan enabled.

POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35

{ 
  "addLicenses":[  { "disabledPlans":  [”5dbe027f-2339-4123-9542-606e4d348a72”,
                                        “0feaeb32-d00e-4d66-bd5a-43b5b83db82c” ], 

                      "skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"
                   }  

                 ],
   "removeLicenses":[ ]

 }

This final request shows how to remove the license from the user.

POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35

{
  "addLicenses":[ ],

  "removeLicenses":["6fd2c87f-b296-42f0-b197-1e91e994b900"]
}

changePassword: Change password of the signed-in user

Call the changePassword action for the signed-in user to change their own password.

Note: This action can only be called on the signed-in user. In addition to addressing the operation by using the me alias as shown below, you can use /users/<objectId>/changePassword or /users/userPrincipalName/changePassword, but if you use these addressing modes, the target user must be the signed-in user.

Important: Requires version 1.6 or newer.

Request

POST https://graph.windows.net/me/changePassword?api-version

Parameters

ParameterTypeValueNotes
Query
api-versionstringSpecifies the version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "currentPassword": "Test1234!",
  "newPassword": "Test5678!"
}

Requested URL

POST https://graph.windows.net/me/changePassword?api-version

Response

Status Code:204
Content-Type:
  • application/json

Response List

Status CodeDescription
204No Content. Indicates success. No response body is returned.

Request Body

Property NameTypeRequiredDescription
currentPasswordEdm.StringYesThe current password of the signed-in user.
newPasswordEdm.StringYesThe new password.

Response Body

None.


removeKey: Remove a KeyCredential for an application

Call the removeKey action on an application to remove a KeyCredential.

Important: Requires version v1.6 or newer.

Note

Tenant administrators can also remove application keys in the Azure portal.

Request

POST https://graph.windows.net/myorganization/applications/{application_oid}/removeKey?api-version

Parameters

ParameterTypeValueNotes
URL
application_idstringThe the object id of the application.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "keyId": "739c5e5b-ebcc-43b5-b44a-459e1b4dffff",
  "proof": "eyJ0eXAiOiJKV1QiLCJhbG"
}

Requested URL

POST https://graph.windows.net/myorganization/applications/{application_oid}/removeKey?api-version

Response

Status Code:204
Content-Type:
  • none

Response List

Status CodeDescription
204No Content. Indicates success. No response body is returned.

Request

POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/removeKey?api-version

Parameters

ParameterTypeValueNotes
URL
application_idstringThe application ID (GUID) of the application.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
  "proof": "Bearer eyJ0eXAiOiJKv1..."
}

Requested URL

POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/removeKey?api-version

Response

Status Code:204
Content-Type:
  • none

Response List

Status CodeDescription
204No Content. Indicates success. No response body is returned.

Request Body

Property NameTypeRequiredDescription
keyIdEdm.GuidYesThe keyId that identifies the application key credentials to remove.
proofEdm.StringYesA signed JWT token used as a proof of possession of the existing keys.

This request adds a new key credential and password credential to an application. In this example, only a key credential was added to the application.

POST https://graph.windows.net/myorganization/application/8bea0f8d-83eb-4e89-bfca-1f41c8a22ffff/removeKey?api-version=1.6 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 166

{ 
    "keyId": "739c5e5b-ebcc-43b5-b44a-459e1b4dffff", 
    "proof":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImFHZGdvdW5aWlc1bU50Mmg2dmJTM1ZBTHJBVSJ9...." 
} 

As part of the request validation for this service action, a proof of possession of an existing key is verified before the action can be performed. The proof is represented by a self-signed JWT token. The requesting application needs to generate a self-signed JWT token with the following requirements.

Required claims:

  • aud - Audience needs to be AAD Graph SPN
  • iss - Issuer needs to be one of the application identifier URIs of the application that is making the call or the App ID GUID
  • nbf - not before
  • exp - expiration time

The X5T, base64 url encoded signing certificate thumbprint header parameter is required

The token signing key is the private key of one of the application existing certificates. The certificate needs to meet the following criteria to be valid:

  • Its public key is part of application keys with Asymmetric/Verify type/usage.
  • Its public key has not yet expired.

Applications that don’t have any existing valid certificates (i.e.: no certificates have been added yet, or all certificates have expired), won’t be able to use this service action and separate process will be needed to perform an update instead.

The token lifespan should not exceed 10 minutes. Where token lifespan is the difference between EXP and NBF claims.


restore: Restore a deleted application

Call the restore action on a deleted application to restore it to the directory.

Note: You can find deleted applications by reading the deletedApplications resource collection. For example, performing a GET to the following URL returns the deleted applications associated with the organization: https://graph.windows.net/myorganization/deletedApplications?api-version=1.5.

Important: Requires version 1.5 or newer.

Request

POST https://graph.windows.net/myorganization/deletedApplications/{application_id}/restore?api-version

Parameters

ParameterTypeValueNotes
URL
application_idstringThe object ID (GUID) of the application to restore.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "identifierUris": [
    "https://restoredApp/"
  ]
}

Requested URL

POST https://graph.windows.net/myorganization/deletedApplications/{application_id}/restore?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Application/@Element",
  "odata.type": "Microsoft.DirectoryServices.Application",
  "objectType": "Application",
  "objectId": "1e22de0f-0ed1-4c01-b725-a822632467e3",
  "deletionTimestamp": null,
  "appId": "f4ecf40c-e94f-4d79-af83-f920f81bcb66",
  "appRoles": [],
  "availableToOtherTenants": false,
  "displayName": "Sample App 1",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": "https://localhost",
  "identifierUris": [
    "https://restoredApp/"
  ],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "passwordCredentials": [],
  "publicClient": null,
  "replyUrls": [
    "https://localhost"
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null
}

Response List

Status CodeDescription
200OK. Indicates success. Returns the restored Application object. The identifierUris property in the restored application is set or restored according to the identifierUris collection specified in the request.

Request Body

Property NameTypeRequiredDescription
identifierUrisCollection(Edm.String)NoThe collection of identifier URIs for the application. These will be set in the identifierUris property in the restored Application. If the parameter is omitted, the identifierUris property will retain its original value.

Response Body

TypeDescription
ApplicationThe restored application.

Additional Resources

  • Learn more about Graph API supported features, capabilities, and preview features in Graph API concepts
© 2018 Microsoft