Table of contents

Operations on directory roles | Graph API reference

Jimaco Brannian|Last Updated: 3/28/2018
|
2 Contributors

Applies to: Graph API | Azure Active Directory

This topic discusses how to perform operations on Azure AD directory roles using the Azure Active Directory (AD) Graph API. Directory roles (DirectoryRole) carry specific sets of rights within the directory. Azure AD grants the users and service principals that are members of a directory role the rights associated with that role. Azure AD directory roles are also known as administrator roles. For more information about directory (administrator) roles, see Assigning administrator roles in Azure AD.

Important

We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.

With the Graph API, you can read the properties of directory roles, query members of a directory role, and add and delete members to and from a directory role. Directory Roles may have users and service principals as members. Adding groups to directory roles is not currently supported.

In versions prior to 1.5 all directory roles are present in the tenant by default. In versions 1.5 and newer, only the Company Administrators directory role is present by default. To access and assign members to another directory role, you must first activate it by using its corresponding directory role template (DirectoryRoleTemplate). For more information, see Activate a directory role.

The Graph API is an OData 3.0 compliant REST API that provides programmatic access to directory objects in Azure Active Directory, such as users, groups, organizational contacts, and applications.

Performing REST operations on directory roles

To perform operations on directory roles with the Graph API, you send HTTP requests with a supported method (GET, POST, PATCH, PUT, or DELETE) to an endpoint that targets the directoryRoles resource collection, a specific directory role, a navigation property of a directory role, or a function or action that can be called on a directory role.

Graph API requests use the following basic URL:

https://graph.windows.net/{tenant_id}/{resource_path}?{api_version}[odata_query_parameters]
Important

Requests sent to the Graph API must be well-formed, target a valid endpoint and version of the Graph API, and carry a valid access token obtained from Azure AD in their Authorization header. For more detailed information about creating requests and receiving responses with the Graph API, see Operations Overview.

You specify the {resource_path} differently depending on whether you are targeting the collection of all directory roles in your tenant, an individual directory role, or a navigation property of a specific directory role.

  • /directoryRoles targets the directoryRoles resource collection. You can use this resource path to read all directory roles in your tenant and, in version 1.5 and newer, to activate a directory role in your tenant.
  • /directoryRoleTemplates targets the directoryRoleTemplates resource collection. You can use this resource path to read all directory role templates available in your tenant. In version 1.5 and newer, you use directory role templates to activate a directory roles in your tenant.
  • /directoryRoles/{object_id} targets an individual directory role in your tenant. You specify the target role with its object ID (GUID). You can use this resource path to get the declared properties of a specified directory role.
  • /directoryRoles/{object_id}/members targets the members navigation property of a directory role. You can use it to return the users and service principals that are members of the specified directory role. Note: This form of addressing is only available for reads.
  • /directoryRoles/{object_id}/$links/members targets the members navigation property of a directory role. You can use this form of addressing to both read and modify the members of the role. On reads, the users and service principals referenced by the property are returned as one or more links in the response body. On writes, the users and service principals are specified as one or more links in the request body.

For example, the following request returns a a collection of links to the members of the specified directory role:

GET https://graph.windows.net/myorganization/directoryRoles/ffffffff-ffff-ffff-ffff-ffffffffffff/$links/members?api-version=1.6

Basic operations on directory roles

You can perform the following basic operations on directory roles and directory role templates.

  • Read the properties of all directory roles or an individual role.
  • Read the properties of all directory role templates or an individual template (version 1.5 and newer).
  • Activate a directory role using a POST request (version 1.5 and newer).

The following topics show you how.


Get directory roles

Gets the collection directory roles that are activated in the tenant. (For versions prior to 1.5, all directory roles were activated by default.)

On success, returns the collection of DirectoryRole objects that are activated; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

GET https://graph.windows.net/myorganization/directoryRoles?api-version

Parameters

ParameterTypeValueNotes
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/directoryRoles?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.DirectoryRole",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRole",
      "objectType": "Role",
      "objectId": "02618ff0-e643-450d-b9b2-2f812364eb2c",
      "deletionTimestamp": null,
      "description": "Helpdesk Administrator has access to perform common helpdesk related tasks.",
      "displayName": "Helpdesk Administrator",
      "isSystem": true,
      "roleDisabled": false,
      "roleTemplateId": "729827e3-9c14-49f7-bb1b-9608f156bbb8"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRole",
      "objectType": "Role",
      "objectId": "044ca859-dc72-47cb-b466-7f6e78398979",
      "deletionTimestamp": null,
      "description": "Allows access read tasks and a subset of write tasks in the directory.",
      "displayName": "Directory Writers",
      "isSystem": true,
      "roleDisabled": false,
      "roleTemplateId": "9360feb5-f418-4baa-8175-e2a00bac4301"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRole",
      "objectType": "Role",
      "objectId": "44261f4c-b686-44c1-8997-310171ed4ca8",
      "deletionTimestamp": null,
      "description": "Allows access to various read only tasks in the directory. ",
      "displayName": "Directory Readers",
      "isSystem": true,
      "roleDisabled": false,
      "roleTemplateId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRole",
      "objectType": "Role",
      "objectId": "cb5d9ae9-6e2c-41a0-9194-0d4aef426ba8",
      "deletionTimestamp": null,
      "description": "Company Administrator role has full access to perform any operation in the company scope.",
      "displayName": "Company Administrator",
      "isSystem": true,
      "roleDisabled": false,
      "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10"
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. The results are returned in the response body.

Code Samples


using System;
using System.Net.Http.Headers;
using System.Text;
using System.Net.Http;
using System.Web;

namespace CSHttpClientSample
{
    static class Program
    {
	    static void Main()
        {
            MakeRequest();

            Console.WriteLine("Hit ENTER to exit...");
            Console.ReadLine();
        }

        static async void MakeRequest()
        {
            var client = new HttpClient();
            var queryString = HttpUtility.ParseQueryString(string.Empty);

            /* OAuth2 is required to access this API. For more information visit:
               https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks */



		   // Specify values for the following required parameters
			queryString["api-version"] = "1.6";
            // Specify values for path parameters (shown as {...})
            var uri = "https://graph.windows.net/myorganization/directoryRoles?" + queryString;


            var response = await client.GetAsync(uri);

            if (response.Content != null)
            {
                var responseString = await response.Content.ReadAsStringAsync();
                Console.WriteLine(responseString);
            }
        }
    }
}
@ECHO OFF

REM OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks
REM Specify values for path parameters (shown as {...}), values for query parameters
curl -v -X GET "https://graph.windows.net/myorganization/directoryRoles?api-version=1.6&"^

// This sample uses the Apache HTTP client from HTTP Components (http://hc.apache.org/httpcomponents-client-ga/)
import java.net.URI;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class JavaSample {

  public static void main(String[] args) {
	HttpClient httpclient = HttpClients.createDefault();

	try
	{
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		// Specify values for path parameters (shown as {...})
		URIBuilder builder = new URIBuilder("https://graph.windows.net/myorganization/directoryRoles");
		// Specify values for the following required parameters
		builder.setParameter("api-version", "1.6");
		URI uri = builder.build();
		HttpGet request = new HttpGet(uri);
		HttpResponse response = httpclient.execute(request);
		HttpEntity entity = response.getEntity();
		if (entity != null) {
			System.out.println(EntityUtils.toString(entity));
		}
	}
	catch (Exception e)
	{
		System.out.println(e.getMessage());
	}
  }
}

<!DOCTYPE html>
<html>
<head>
<title>JSSample</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js"></script>
</head>
<body>
<script type="text/javascript">
	$(function() {
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		var params = {
			// Specify values for the following required parameters
			'api-version': "1.6",
		};
		
		$.ajax({
			// Specify values for path parameters (shown as {...})
			url: 'https://graph.windows.net/myorganization/directoryRoles?' + $.param(params),
			type: 'GET',
		})
		.done(function(data) {
			alert("success");
		})
		.fail(function() {
			alert("error");
		});
	});
</script>
</body>
</html>

#import <Foundation/Foundation.h>

int main(int argc, const char * argv[])
{
    NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
    
	// OAuth2 is required to access this API. For more information visit:
	// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

	// Specify values for path parameters (shown as {...})
    NSString* path = @"https://graph.windows.net/myorganization/directoryRoles";
    NSArray* array = @[
                         @"entities=true",
                      ];
    
    NSString* string = [array componentsJoinedByString:@"&"];
    path = [path stringByAppendingFormat:@"?%@", string];
    NSLog(@"%@", path);

    NSMutableURLRequest* _request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:path]];
    [_request setHTTPMethod:@"GET"];
    
    NSURLResponse *response = nil;
    NSError *error = nil;
    NSData* _connectionData = [NSURLConnection sendSynchronousRequest:_request returningResponse:&response error:&error];
    if(nil != error)
    {
        NSLog(@"Error: %@", error);
    }
    else
    {
        NSError* error = nil;
        NSMutableDictionary* json = nil;
        
        NSString* dataString = [[NSString alloc] initWithData:_connectionData encoding:NSUTF8StringEncoding];
        NSLog(@"%@", dataString);
        
        if(nil != _connectionData)
        {
            json = [NSJSONSerialization JSONObjectWithData:_connectionData options:NSJSONReadingMutableContainers error:&error];
        }
        
        if (error || !json)
        {
            NSLog(@"Could not parse loaded json with error:%@", error);
        }
        
        NSLog(@"%@", json);
        _connectionData = nil;
    }
    
    [pool drain];
    return 0;
}
<?php

// This sample uses the pecl_http package. (for more information: http://pecl.php.net/package/pecl_http)
require_once 'HTTP/Request2.php';
$headers = array(
);

$query_params = array(
	// Specify values for the following required parameters
	'api-version' => '1.6',
);

$request = new Http_Request2('https://graph.windows.net/myorganization/directoryRoles');
$request->setMethod(HTTP_Request2::METHOD_GET);
$request->setHeader($headers);

// OAuth2 is required to access this API. For more information visit:
// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

$url = $request->getUrl();
$url->setQueryVariables($query_params);

try
{
	$response = $request->send();
	
	echo $response->getBody();
}
catch (HttpException $ex)
{
	echo $ex;
}

?>

########### Python 2.7 #############
import httplib, urllib, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
})

try:
	conn = httplib.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/directoryRoles?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################

########### Python 3.2 #############
import http.client, urllib.request, urllib.parse, urllib.error, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.parse.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
})

try:
	conn = http.client.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/directoryRoles?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################
require 'net/http'

uri = URI('https://graph.windows.net/myorganization/directoryRoles')

uri.query = URI.encode_www_form({
	# Specify values for the following required parameters
	'api-version' => '1.6',
})

request = Net::HTTP::Get.new(uri.request_uri)

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks



response = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
    http.request(request)
end

puts response.body

Get a directory role

Gets a specified directory role. Specify the directory role by its object ID (GUID).

On success, returns the DirectoryRole object for the specified role; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

GET https://graph.windows.net/myorganization/directoryRoles/{object_id}?api-version

Parameters

ParameterTypeValueNotes
URL
object_idstringThe object ID (GUID) of the target directory role.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/directoryRoles/{object_id}?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.DirectoryRole/@Element",
  "odata.type": "Microsoft.DirectoryServices.DirectoryRole",
  "objectType": "Role",
  "objectId": "cb5d9ae9-6e2c-41a0-9194-0d4aef426ba8",
  "deletionTimestamp": null,
  "description": "Company Administrator role has full access to perform any operation in the company scope.",
  "displayName": "Company Administrator",
  "isSystem": true,
  "roleDisabled": false,
  "roleTemplateId": "62e90394-69f5-4237-9190-012177145e10"
}

Response List

Status CodeDescription
200OK. Indicates success. The directory role is returned in the response body.

Code Samples


using System;
using System.Net.Http.Headers;
using System.Text;
using System.Net.Http;
using System.Web;

namespace CSHttpClientSample
{
    static class Program
    {
	    static void Main()
        {
            MakeRequest();

            Console.WriteLine("Hit ENTER to exit...");
            Console.ReadLine();
        }

        static async void MakeRequest()
        {
            var client = new HttpClient();
            var queryString = HttpUtility.ParseQueryString(string.Empty);

            /* OAuth2 is required to access this API. For more information visit:
               https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks */



		   // Specify values for the following required parameters
			queryString["api-version"] = "1.6";
            // Specify values for path parameters (shown as {...})
            var uri = "https://graph.windows.net/myorganization/directoryRoles/{object_id}?" + queryString;


            var response = await client.GetAsync(uri);

            if (response.Content != null)
            {
                var responseString = await response.Content.ReadAsStringAsync();
                Console.WriteLine(responseString);
            }
        }
    }
}
@ECHO OFF

REM OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks
REM Specify values for path parameters (shown as {...}), values for query parameters
curl -v -X GET "https://graph.windows.net/myorganization/directoryRoles/{object_id}?api-version=1.6&amp;"^

// This sample uses the Apache HTTP client from HTTP Components (http://hc.apache.org/httpcomponents-client-ga/)
import java.net.URI;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class JavaSample {

  public static void main(String[] args) {
	HttpClient httpclient = HttpClients.createDefault();

	try
	{
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		// Specify values for path parameters (shown as {...})
		URIBuilder builder = new URIBuilder("https://graph.windows.net/myorganization/directoryRoles/{object_id}");
		// Specify values for the following required parameters
		builder.setParameter("api-version", "1.6");
		URI uri = builder.build();
		HttpGet request = new HttpGet(uri);
		HttpResponse response = httpclient.execute(request);
		HttpEntity entity = response.getEntity();
		if (entity != null) {
			System.out.println(EntityUtils.toString(entity));
		}
	}
	catch (Exception e)
	{
		System.out.println(e.getMessage());
	}
  }
}

<!DOCTYPE html>
<html>
<head>
<title>JSSample</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js"></script>
</head>
<body>
<script type="text/javascript">
	$(function() {
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		var params = {
			// Specify values for the following required parameters
			'api-version': "1.6",
		};
		
		$.ajax({
			// Specify values for path parameters (shown as {...})
			url: 'https://graph.windows.net/myorganization/directoryRoles/{object_id}?' + $.param(params),
			type: 'GET',
		})
		.done(function(data) {
			alert("success");
		})
		.fail(function() {
			alert("error");
		});
	});
</script>
</body>
</html>

#import <Foundation/Foundation.h>

int main(int argc, const char * argv[])
{
    NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
    
	// OAuth2 is required to access this API. For more information visit:
	// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

	// Specify values for path parameters (shown as {...})
    NSString* path = @"https://graph.windows.net/myorganization/directoryRoles/{object_id}";
    NSArray* array = @[
                         @"entities=true",
                      ];
    
    NSString* string = [array componentsJoinedByString:@"&"];
    path = [path stringByAppendingFormat:@"?%@", string];
    NSLog(@"%@", path);

    NSMutableURLRequest* _request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:path]];
    [_request setHTTPMethod:@"GET"];
    
    NSURLResponse *response = nil;
    NSError *error = nil;
    NSData* _connectionData = [NSURLConnection sendSynchronousRequest:_request returningResponse:&response error:&error];
    if(nil != error)
    {
        NSLog(@"Error: %@", error);
    }
    else
    {
        NSError* error = nil;
        NSMutableDictionary* json = nil;
        
        NSString* dataString = [[NSString alloc] initWithData:_connectionData encoding:NSUTF8StringEncoding];
        NSLog(@"%@", dataString);
        
        if(nil != _connectionData)
        {
            json = [NSJSONSerialization JSONObjectWithData:_connectionData options:NSJSONReadingMutableContainers error:&error];
        }
        
        if (error || !json)
        {
            NSLog(@"Could not parse loaded json with error:%@", error);
        }
        
        NSLog(@"%@", json);
        _connectionData = nil;
    }
    
    [pool drain];
    return 0;
}
<?php

// This sample uses the pecl_http package. (for more information: http://pecl.php.net/package/pecl_http)
require_once 'HTTP/Request2.php';
$headers = array(
);

$query_params = array(
	// Specify values for the following required parameters
	'api-version' => '1.6',
);

$request = new Http_Request2('https://graph.windows.net/myorganization/directoryRoles/{object_id}');
$request->setMethod(HTTP_Request2::METHOD_GET);
$request->setHeader($headers);

// OAuth2 is required to access this API. For more information visit:
// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

$url = $request->getUrl();
$url->setQueryVariables($query_params);

try
{
	$response = $request->send();
	
	echo $response->getBody();
}
catch (HttpException $ex)
{
	echo $ex;
}

?>

########### Python 2.7 #############
import httplib, urllib, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
})

try:
	conn = httplib.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/directoryRoles/{object_id}?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################

########### Python 3.2 #############
import http.client, urllib.request, urllib.parse, urllib.error, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.parse.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
})

try:
	conn = http.client.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/directoryRoles/{object_id}?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################
require 'net/http'

uri = URI('https://graph.windows.net/myorganization/directoryRoles/{object_id}')

uri.query = URI.encode_www_form({
	# Specify values for the following required parameters
	'api-version' => '1.6',
})

request = Net::HTTP::Get.new(uri.request_uri)

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks



response = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
    http.request(request)
end

puts response.body

Get directory role templates

Gets the collection of directory role templates that are available in the tenant. In version 1.5 and newer, directory role templates are used to activate directory roles. Not available in versions prior to 1.5.

On success, returns the collection of DirectoryRoleTemplate objects for the tenant; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

GET https://graph.windows.net/myorganization/directoryRoleTemplates?api-version

Parameters

ParameterTypeValueNotes
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/directoryRoleTemplates?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.DirectoryRoleTemplate",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "729827e3-9c14-49f7-bb1b-9608f156bbb8",
      "deletionTimestamp": null,
      "description": "Helpdesk Administrator has access to perform common helpdesk related tasks.",
      "displayName": "Helpdesk Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "f023fd81-a637-4b56-95fd-791ac0226033",
      "deletionTimestamp": null,
      "description": "Service Support Administrator has access to perform common support tasks.",
      "displayName": "Service Support Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
      "deletionTimestamp": null,
      "description": "Billing Administrator has access to perform common billing related tasks.",
      "displayName": "Billing Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "b5468a13-3945-4a40-b0b1-5d78c2676bbf",
      "deletionTimestamp": null,
      "description": "Allows access and management of users mailboxes.",
      "displayName": "Mailbox Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "4ba39ca4-527c-499a-b93d-d9b492c50246",
      "deletionTimestamp": null,
      "description": "Allows ability to perform tier1 support tasks.",
      "displayName": "Partner Tier1 Support"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8",
      "deletionTimestamp": null,
      "description": "Allows ability to perform tier2 support tasks.",
      "displayName": "Partner Tier2 Support"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
      "deletionTimestamp": null,
      "description": "Allows access to various read only tasks in the directory. ",
      "displayName": "Directory Readers"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "29232cdf-9323-42fd-ade2-1d097af3e4de",
      "deletionTimestamp": null,
      "description": "Exchange Service Administrator.",
      "displayName": "Exchange Service Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "75941009-915a-4869-abe7-691bff18279e",
      "deletionTimestamp": null,
      "description": "Lync Service Administrator.",
      "displayName": "Lync Service Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
      "deletionTimestamp": null,
      "description": "User Account Administrator has access to perform common user management related tasks.",
      "displayName": "User Account Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "9360feb5-f418-4baa-8175-e2a00bac4301",
      "deletionTimestamp": null,
      "description": "Allows access read tasks and a subset of write tasks in the directory.",
      "displayName": "Directory Writers"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "62e90394-69f5-4237-9190-012177145e10",
      "deletionTimestamp": null,
      "description": "Company Administrator role has full access to perform any operation in the company scope.",
      "displayName": "Company Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "a0b1b346-4d3e-4e8b-98f8-753987be4970",
      "deletionTimestamp": null,
      "description": "Every user is implicitly considered to be a member of the User Role.",
      "displayName": "User"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "d65e02d2-0214-4674-8e5d-766fb330e2c0",
      "deletionTimestamp": null,
      "description": "Allows creation of new email verified users.",
      "displayName": "Email Verified User Creator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "eb1d8c34-acf5-460d-8424-c1f1a6fbdb85",
      "deletionTimestamp": null,
      "description": "Allows access manage AdHoc license.",
      "displayName": "AdHoc License Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
      "deletionTimestamp": null,
      "description": "SharePoint Service Administrator.",
      "displayName": "SharePoint Service Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "d405c6df-0af8-4e3b-95e4-4d06e542189e",
      "deletionTimestamp": null,
      "description": "Device Users",
      "displayName": "Device Users"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "9f06204d-73c1-4d4c-880a-6edb90606fd8",
      "deletionTimestamp": null,
      "description": "Device Administrators",
      "displayName": "Device Administrators"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "9c094953-4995-41c8-84c8-3ebb9b32c93f",
      "deletionTimestamp": null,
      "description": "Device Join",
      "displayName": "Device Join"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "c34f683f-4d5a-4403-affd-6615e00e3a7f",
      "deletionTimestamp": null,
      "description": "Workplace Device Join",
      "displayName": "Workplace Device Join"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "17315797-102d-40b4-93e0-432062caca18",
      "deletionTimestamp": null,
      "description": "Compliance administrator.",
      "displayName": "Compliance Administrator"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "d29b2b05-8046-44ba-8758-1e26182fcf32",
      "deletionTimestamp": null,
      "description": "Directory Synchronization Accounts",
      "displayName": "Directory Synchronization Accounts"
    },
    {
      "odata.type": "Microsoft.DirectoryServices.DirectoryRoleTemplate",
      "objectType": "RoleTemplate",
      "objectId": "2b499bcd-da44-4968-8aec-78e1674fa64d",
      "deletionTimestamp": null,
      "description": "Allows access to read and edit device properties. ",
      "displayName": "Device Managers"
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. The results are returned in the response body.

Code Samples


using System;
using System.Net.Http.Headers;
using System.Text;
using System.Net.Http;
using System.Web;

namespace CSHttpClientSample
{
    static class Program
    {
	    static void Main()
        {
            MakeRequest();

            Console.WriteLine("Hit ENTER to exit...");
            Console.ReadLine();
        }

        static async void MakeRequest()
        {
            var client = new HttpClient();
            var queryString = HttpUtility.ParseQueryString(string.Empty);

            /* OAuth2 is required to access this API. For more information visit:
               https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks */



		   // Specify values for the following required parameters
			queryString["api-version"] = "1.6";
            // Specify values for path parameters (shown as {...})
            var uri = "https://graph.windows.net/myorganization/directoryRoleTemplates?" + queryString;


            var response = await client.GetAsync(uri);

            if (response.Content != null)
            {
                var responseString = await response.Content.ReadAsStringAsync();
                Console.WriteLine(responseString);
            }
        }
    }
}
@ECHO OFF

REM OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks
REM Specify values for path parameters (shown as {...}), values for query parameters
curl -v -X GET "https://graph.windows.net/myorganization/directoryRoleTemplates?api-version=1.6&amp;"^

// This sample uses the Apache HTTP client from HTTP Components (http://hc.apache.org/httpcomponents-client-ga/)
import java.net.URI;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class JavaSample {

  public static void main(String[] args) {
	HttpClient httpclient = HttpClients.createDefault();

	try
	{
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		// Specify values for path parameters (shown as {...})
		URIBuilder builder = new URIBuilder("https://graph.windows.net/myorganization/directoryRoleTemplates");
		// Specify values for the following required parameters
		builder.setParameter("api-version", "1.6");
		URI uri = builder.build();
		HttpGet request = new HttpGet(uri);
		HttpResponse response = httpclient.execute(request);
		HttpEntity entity = response.getEntity();
		if (entity != null) {
			System.out.println(EntityUtils.toString(entity));
		}
	}
	catch (Exception e)
	{
		System.out.println(e.getMessage());
	}
  }
}

<!DOCTYPE html>
<html>
<head>
<title>JSSample</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js"></script>
</head>
<body>
<script type="text/javascript">
	$(function() {
		// OAuth2 is required to access this API. For more information visit:
		// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

		var params = {
			// Specify values for the following required parameters
			'api-version': "1.6",
		};
		
		$.ajax({
			// Specify values for path parameters (shown as {...})
			url: 'https://graph.windows.net/myorganization/directoryRoleTemplates?' + $.param(params),
			type: 'GET',
		})
		.done(function(data) {
			alert("success");
		})
		.fail(function() {
			alert("error");
		});
	});
</script>
</body>
</html>

#import <Foundation/Foundation.h>

int main(int argc, const char * argv[])
{
    NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
    
	// OAuth2 is required to access this API. For more information visit:
	// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

	// Specify values for path parameters (shown as {...})
    NSString* path = @"https://graph.windows.net/myorganization/directoryRoleTemplates";
    NSArray* array = @[
                         @"entities=true",
                      ];
    
    NSString* string = [array componentsJoinedByString:@"&"];
    path = [path stringByAppendingFormat:@"?%@", string];
    NSLog(@"%@", path);

    NSMutableURLRequest* _request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:path]];
    [_request setHTTPMethod:@"GET"];
    
    NSURLResponse *response = nil;
    NSError *error = nil;
    NSData* _connectionData = [NSURLConnection sendSynchronousRequest:_request returningResponse:&response error:&error];
    if(nil != error)
    {
        NSLog(@"Error: %@", error);
    }
    else
    {
        NSError* error = nil;
        NSMutableDictionary* json = nil;
        
        NSString* dataString = [[NSString alloc] initWithData:_connectionData encoding:NSUTF8StringEncoding];
        NSLog(@"%@", dataString);
        
        if(nil != _connectionData)
        {
            json = [NSJSONSerialization JSONObjectWithData:_connectionData options:NSJSONReadingMutableContainers error:&error];
        }
        
        if (error || !json)
        {
            NSLog(@"Could not parse loaded json with error:%@", error);
        }
        
        NSLog(@"%@", json);
        _connectionData = nil;
    }
    
    [pool drain];
    return 0;
}
<?php

// This sample uses the pecl_http package. (for more information: http://pecl.php.net/package/pecl_http)
require_once 'HTTP/Request2.php';
$headers = array(
);

$query_params = array(
	// Specify values for the following required parameters
	'api-version' => '1.6',
);

$request = new Http_Request2('https://graph.windows.net/myorganization/directoryRoleTemplates');
$request->setMethod(HTTP_Request2::METHOD_GET);
$request->setHeader($headers);

// OAuth2 is required to access this API. For more information visit:
// https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

$url = $request->getUrl();
$url->setQueryVariables($query_params);

try
{
	$response = $request->send();
	
	echo $response->getBody();
}
catch (HttpException $ex)
{
	echo $ex;
}

?>

########### Python 2.7 #############
import httplib, urllib, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
})

try:
	conn = httplib.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/directoryRoleTemplates?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################

########### Python 3.2 #############
import http.client, urllib.request, urllib.parse, urllib.error, base64

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks

headers = {
}

params = urllib.parse.urlencode({
	# Specify values for the following required parameters
	'api-version': '1.6',
})

try:
	conn = http.client.HTTPSConnection('graph.windows.net')
	# Specify values for path parameters (shown as {...}) and request body if needed
	conn.request("GET", "/myorganization/directoryRoleTemplates?%s" % params, "", headers)
	response = conn.getresponse()
	data = response.read()
	print(data)
	conn.close()
except Exception as e:
	print("[Errno {0}] {1}".format(e.errno, e.strerror))

####################################
require 'net/http'

uri = URI('https://graph.windows.net/myorganization/directoryRoleTemplates')

uri.query = URI.encode_www_form({
	# Specify values for the following required parameters
	'api-version' => '1.6',
})

request = Net::HTTP::Get.new(uri.request_uri)

# OAuth2 is required to access this API. For more information visit: https://msdn.microsoft.com/en-us/office/office365/howto/common-app-authentication-tasks



response = Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https') do |http|
    http.request(request)
end

puts response.body

Activate a directory role

Activates a directory role in the tenant. Available in version 1.5 and newer only. The request body contains the object ID of the directory role template for the directory role you want to activate.

Note: In versions prior to 1.5 all directory roles are present in the tenant by default. In versions 1.5 and newer, only the Company Administrators directory role is present by default. To access and assign members to another directory role, you must first activate it with its corresponding directory role template (DirectoryRoleTemplate).

The following table shows the properties that are required when you activate a directory role.

Required parameterTypeDescription
roleTemplateIdstringThe objectId of the DirectoryRoleTemplate that the role is based on.

On success, returns the newly created DirectoryRole; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

POST https://graph.windows.net/myorganization/directoryRoles?api-version

Parameters

ParameterTypeValueNotes
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "roleTemplateId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}

Requested URL

POST https://graph.windows.net/myorganization/directoryRoles?api-version

Response

Status Code:201
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.DirectoryRole/@Element",
  "odata.type": "Microsoft.DirectoryServices.DirectoryRole",
  "objectType": "Role",
  "objectId": "ebabdd59-04ba-46f0-bd7f-bef08fe8fa9b",
  "deletionTimestamp": null,
  "description": "Allows access to various read only tasks in the directory. ",
  "displayName": "Directory Readers",
  "isSystem": true,
  "roleDisabled": false,
  "roleTemplateId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
}

Response List

Status CodeDescription
201Created. Indicates success. The newly activated directory role is returned in the response body.

Operations on directory role navigation properties

Navigation properties represent relationships between an instance of an entity and other objects in the directory. Directory roles expose only a single navigation property, the members property. This property contains users and service principals that have been added to the directory role. You can read (GET), add (POST), and delete (DELETE) members from the directory role by targeting the members property.

Get a directory role's members

Gets the directory role's members from the members navigation property.

On success, returns a collection of links to the Users, and ServicePrincipals that are members of the directory role; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Note: You can remove the "$links" segment from the URL to return DirectoryObjects for the users and service principals instead of links.

Request

GET https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version

Parameters

ParameterTypeValueNotes
URL
object_idstringThe object ID (GUID) of the target directory role.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

GET https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version

Response

Status Code:200
Content-Type:
  • application/json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/$links/members",
  "value": [
    {
      "url": "https://graph.windows.net/myorganization/directoryObjects/f19096bf-a58c-46ba-9ffd-0344f1daecf8/Microsoft.DirectoryServices.User"
    }
  ]
}

Response List

Status CodeDescription
200OK. Indicates success. A collection of links to the directory role members is returned.

Code Samples


Add directory role members

Adds one or more members to a directory role through the members navigation property. You can add users or service principals. The request body contains one or more links to the Users and ServicePrincipals to add.

On success, no response body is returned; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

POST https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version

Parameters

ParameterTypeValueNotes
URL
object_idstringThe object ID (GUID) of the target directory role.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.
Body
Content-Type: application/json
{
  "url": "https://graph.windows.net/myorganization/directoryObjects/3eb6055a-baeb-44d4-a1ea-2fee86d8891b"
}

Requested URL

POST https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version

Response

Status Code:204
Content-Type:
  • application/json

Response List

Status CodeDescription
204No Content. Indicates success. No response body is returned.

Delete a directory role member

Deletes a specified member from a directory role through the members navigation property. Specify the object ID of the User or ServicePrincipal to delete in the terminal URL segment.

On success, no response body is returned; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

Request

DELETE https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members/{member_id}?api-version

Parameters

ParameterTypeValueNotes
URL
object_idstringThe object ID (GUID) of the target directory role.
member_idstringThe object ID (GUID) of the member to be removed. Can be a user or a service principal.
Query
api-versionstringThe version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required.

Requested URL

DELETE https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members/{member_id}?api-version

Response

Status Code:204
Content-Type:
  • application/json

Response List

Status CodeDescription
204No Content. Indicates success. No response body is returned.

Functions and actions on directory roles

You can call any of the following functions for directory roles.

Get all group and directory role memberships (transitive)

You can call the getMemberObjects function to return all of the groups and directory roles that a user, contact, group, or service principal is a member of. The check is transitive for groups (directory roles cannot have groups or other directory roles as members).

Get objects from a list of object IDs

Call the getObjectsByObjectIds function on the directory service to return the directory objects specified in a list of object IDs. You can also specify which resource collections (users, groups, etc.) should be searched by specifying the optional types parameter. For example, you could use this function to find the directory roles in the list of object IDs returned by the getMemberObjects function above.


Additional Resources

  • Learn more about Graph API supported features, capabilities, and preview features in Graph API concepts
© 2018 Microsoft