| Attribute | Type | Refers to | Description |
|---|---|---|---|
| appRoleId | `string` | | The identifier (id) for the app role which is assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application has not declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. |
| principalId | `string` | | The unique identifier (id) for the user, group, or service principal being granted the app role. |
| resourceDisplayName | `string` | | The display name of the resource app's service principal to which the assignment is made. |
| resourceId | `string` | ServicePrincipal | The unique identifier (id) for the resource service principal for which the assignment is made. |
| userId | `string` | User | The unique identifier (id) for the user being granted the app role. |
| createdDateTime | `number` | | The time when the app role assignment was created. |
| id | `string` | | A unique identifier for the appRoleAssignment key. Not nullable. |
| principalDisplayName | `string` | | The display name of the user, group, or service principal that was granted the app role assignment. |
| principalType | `string` | | The type of the assigned principal. This can be User, Group, or ServicePrincipal. |
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| appRoles | `list<object>` | | The collection of roles assigned to the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Not nullable. |
| createdDateTime | `number` | | The date and time the application was registered. |
| description | `string` | | Free text field to provide a description of the application object to end users. |
| disabledByMicrosoftStatus | `string` | | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). |
| notes | `string` | | Notes relevant for the management of the application. |
| addIns | `list<object>` | | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on. |
| appId | `string` | | The unique identifier for the application that is assigned to an application by Azure AD. Not nullable. |
| displayName | `string` | | The display name for the application. |
| groupMembershipClaims | `string` | | Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. To set this attribute, use one of the following valid string values: None, SecurityGroup (for security groups and Azure AD roles), All (this gets all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of). |
| info | `object` | | Basic profile information of the application such as the app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. |
| ↳ supportUrl | `string` | | Link to the application's support page. |
| ↳ termsOfServiceUrl | `string` | | Link to the application's terms of service statement. |
| ↳ logoUrl | `string` | | CDN URL to the application's logo. Read-only. |
| ↳ marketingUrl | `string` | | Link to the application's marketing page. |
| ↳ privacyStatementUrl | `string` | | Link to the application's privacy statement. |
| passwordCredentials | `list<object>` | | The collection of password credentials associated with the application. Not nullable. |
| signInAudience | `string` | | Specifies the Microsoft accounts that are supported for the current application. The possible values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount (default), and PersonalMicrosoftAccount. |
| spa | `object` | | Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens. |
| ↳ redirectUris | `list<string>` | | Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. |
| id | `string` | | Unique identifier for the application object. This property is referred to as Object ID in the Azure portal. Inherited from directoryObject. Key. Not nullable. |
| identifierUris | `list<string>` | | Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form `api://<application-client-id>`, or specify a more readable URI like https://contoso.com/api. |
| oauth2RequiredPostResponse | `boolean` | | Specifies whether, as part of OAuth 2.0 token requests, Azure AD allows POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests are allowed. |
| optionalClaims | `object` | | Application developers can configure optional claims in their Azure AD applications to specify the claims that are sent to their application by the Microsoft security token service. |
| ↳ idToken | `list<object>` | | The optional claims returned in the JWT ID token. |
| ↳ additionalProperties | `list<string>` | | Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. |
| ↳ essential | `boolean` | | If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false. |
| ↳ name | `string` | | The name of the optional claim. |
| ↳ source | `string` | | The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object. |
| ↳ accessToken | `list<object>` | | The optional claims returned in the JWT access token. |
| ↳ additionalProperties | `list<string>` | | Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. |
| ↳ essential | `boolean` | | If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false. |
| ↳ name | `string` | | The name of the optional claim. |
| ↳ source | `string` | | The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object. |
| ↳ saml2Token | `list<object>` | | The optional claims returned in the SAML token. |
| ↳ additionalProperties | `list<string>` | | Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. |
| ↳ essential | `boolean` | | If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false. |
| ↳ name | `string` | | The name of the optional claim. |
| ↳ source | `string` | | The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object. |
| keyCredentials | `list<object>` | | The collection of key credentials associated with the application. Not nullable. |
| logo | `string` | | The main logo for the application. |
| publicClient | `object` | | Specifies settings for installed clients such as desktop or mobile devices. |
| ↳ redirectUris | `list<string>` | | Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. |
| web | `object` | | Specifies settings for a web application. |
| ↳ redirectUris | `list<string>` | | Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. |
| ↳ homePageUrl | `string` | | Home page or landing page of the application. |
| ↳ implicitGrantSettings | `object` | | Specifies whether this web application can request tokens using the OAuth 2.0 implicit flow. |
| ↳ enableIdTokenIssuance | `boolean` | | Specifies whether this web application can request an ID token using the OAuth 2.0 implicit flow. |
| ↳ enableAccessTokenIssuance | `boolean` | | Specifies whether this web application can request an access token using the OAuth 2.0 implicit flow. |
| ↳ logoutUrl | `string` | | Specifies the URL that will be used by Microsoft's authorization service to log out a user using front-channel, back-channel or SAML logout protocols. |
| applicationTemplateId | `string` | | Unique identifier of the applicationTemplate. |
| certification | `object` | | Specifies the certification status of the application. |
| ↳ certificationDetailsUrl | `string` | | URL that shows certification details for the application. |
| ↳ certificationExpirationDateTime | `number` | | The timestamp when the current certification for the application will expire. |
| ↳ isCertifiedByMicrosoft | `boolean` | | Indicates whether the application is certified by Microsoft. |
| ↳ isPublisherAttested | `boolean` | | Indicates whether the application has been self-attested by the application developer or the publisher. |
| ↳ lastCertificationDateTime | `number` | | The timestamp when the certification for the application was most recently added or updated. |
| publisherDomain | `string` | | The verified publisher domain for the application. |
| parentalControlSettings | `object` | | Specifies parental control settings for an application. |
| ↳ legalAgeGroupRule | `string` | | Specifies the legal age group rule that applies to users of the app. Can be set to one of the following values: Allow (default; enforces the legal minimum, meaning parental consent is required for minors in the European Union and Korea), RequireConsentForPrivacyServices (requires the user to specify a date of birth to comply with COPPA rules), RequireConsentForMinors (requires parental consent for ages below 18, regardless of country minor rules), RequireConsentForKids (requires parental consent for ages below 14, regardless of country minor rules), BlockMinors (blocks minors from using the app). |
| ↳ countriesBlockedForMinors | `list<string>` | | Specifies the two-letter ISO country codes. Access to the application will be blocked for minors from the countries specified in this list. |
| requiredResourceAccess | `list<object>` | | Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. No more than 50 resource services (APIs) can be configured. Beginning mid-October 2021, the total number of required permissions must not exceed 400. Not nullable. |
| tags | `list<string>` | | Custom strings that can be used to categorize and identify the application. Not nullable. |
| tokenEncryptionKeyId | `string` | | Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key this property points to. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. |
| deletedDateTime | `number` | | The date and time the application was deleted. |
| serviceManagementReference | `string` | | References application or service contact information from a Service or Asset Management database. Nullable. |
| api | `object` | | Specifies settings for an application that implements a web API. |
| ↳ oauth2PermissionScopes | `list<object>` | | The definition of the delegated permissions exposed by the web API represented by this application registration. These delegated permissions may be requested by a client application, and may be granted by users or administrators during consent. Delegated permissions are sometimes referred to as OAuth 2.0 scopes. |
| ↳ id | `string` | | Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application. |
| ↳ isEnabled | `boolean` | | When creating or updating a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed. |
| ↳ type | `string` | | The possible values are: User and Admin. Specifies whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator consent should always be required. While Microsoft Graph defines the default consent requirement for each permission, the tenant administrator may override the behavior in their organization (by allowing, restricting, or limiting user consent to this delegated permission). |
| ↳ userConsentDescription | `string` | | A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves. |
| ↳ userConsentDisplayName | `string` | | A title for the permission, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves. |
| ↳ value | `string` | | Specifies the value to include in the scp (scope) claim in access tokens. |
| ↳ adminConsentDescription | `string` | | A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. This text appears in tenant-wide admin consent experiences. |
| ↳ adminConsentDisplayName | `string` | | The permission's title, intended to be read by an administrator granting the permission on behalf of all users. |
| ↳ preAuthorizedApplications | `list<object>` | | Lists the client applications that are pre-authorized with the specified delegated permissions to access this application's APIs. Users are not required to consent to any pre-authorized application (for the permissions specified). However, any additional permissions not listed in preAuthorizedApplications (requested through incremental consent for example) will require user consent. |
| ↳ appId | `string` | | The unique identifier for the application. |
| ↳ delegatedPermissionIds | `list<string>` | | The unique identifiers of the oauth2PermissionScopes the application requires. |
| ↳ requestedAccessTokenVersion | `number` | | Specifies the access token version expected by this resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token. |
| ↳ acceptMappedClaims | `boolean` | | When true, allows an application to use claims mapping without specifying a custom signing key. |
| ↳ knownClientApplications | `list<string>` | | Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. If you set the appId of the client app to this value, the user only consents once to the client app. Azure AD knows that consenting to the client means implicitly consenting to the web API and automatically provisions service principals for both APIs at the same time. Both the client and the web API app must be registered in the same tenant. |
| isDeviceOnlyAuthSupported | `boolean` | | Specifies whether this application supports device authentication without a user. The default is false. |
| isFallbackPublicClient | `boolean` | | Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false, which means the fallback application type is confidential client, such as a web app. There are certain scenarios where Azure AD cannot determine the client application type, for example the ROPC flow when it is configured without specifying a redirect URI. In those cases Azure AD interprets the application type based on the value of this property. |
| verifiedPublisher | `object` | | Specifies the verified publisher of the application. For more information about how publisher verification helps support application security, trustworthiness, and compliance, see Publisher verification. |
| ↳ addedDateTime | `number` | | The timestamp when the verified publisher was first added or most recently updated. |
| ↳ displayName | `string` | | The verified publisher name from the app publisher's Partner Center account. |
| ↳ verifiedPublisherId | `string` | | The ID of the verified publisher from the app publisher's Partner Center account. |
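The application attributes above are the raw material for an app-registration review. The following is an added example (not part of the original reference and not Microsoft code): it takes a dict shaped like the table and returns findings for the settings a reviewer normally checks first (implicit-flow toggles under web.implicitGrantSettings, plain-http redirect URIs, a multi-tenant signInAudience without a verified publisher, password credentials, the 50-resource limit on requiredResourceAccess, and disabledByMicrosoftStatus). Which of these counts as a finding, the loopback exception for http://localhost, and every id in the sample record are this example's own choices.

```python
"""Posture checks over application objects shaped like the table above.

Added example, not part of the original reference and not Microsoft code.
It reads only attributes listed in the table; what counts as a finding
is this example's own review policy.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: a multi-tenant web app with the implicit flow enabled,
# one client secret and no verified publisher. The appId is a placeholder.
SAMPLE_APP: dict[str, Any] = {
    "appId": "00000000-0000-0000-0000-00000000abcd",
    "displayName": "Example Portal",
    "signInAudience": "AzureADMultipleOrgs",
    "passwordCredentials": [{"keyId": "placeholder-secret-1"}],
    "keyCredentials": [],
    "web": {
        "redirectUris": [
            "http://localhost:3000/callback",
            "https://portal.example.com/auth",
        ],
        "implicitGrantSettings": {
            "enableIdTokenIssuance": True,
            "enableAccessTokenIssuance": True,
        },
    },
    "requiredResourceAccess": [{"resourceAppId": "placeholder-api"}],
    "verifiedPublisher": {"verifiedPublisherId": None},
    "disabledByMicrosoftStatus": None,
}


def assess_application(app: dict[str, Any]) -> list[str]:
    """Return one finding string per review rule the application trips."""
    findings: list[str] = []
    name = app.get("displayName") or "<unnamed>"

    # Both implicit-flow toggles live under web.implicitGrantSettings.
    implicit = (app.get("web") or {}).get("implicitGrantSettings") or {}
    for toggle, token in (
        ("enableAccessTokenIssuance", "access token"),
        ("enableIdTokenIssuance", "ID token"),
    ):
        if implicit.get(toggle):
            findings.append(f"{name}: implicit-flow {token} issuance is enabled")

    # redirectUris appear under web, spa and publicClient. Flag plain http,
    # except loopback (an exception this example chooses to allow).
    for section in ("web", "spa", "publicClient"):
        for uri in (app.get(section) or {}).get("redirectUris") or []:
            if uri.startswith("http://") and not uri.startswith("http://localhost"):
                findings.append(f"{name}: non-HTTPS redirect URI {uri} ({section})")

    # The table gives AzureADandPersonalMicrosoftAccount as the default
    # audience, so a missing value is treated as multi-tenant.
    audience = app.get("signInAudience") or "AzureADandPersonalMicrosoftAccount"
    publisher = (app.get("verifiedPublisher") or {}).get("verifiedPublisherId")
    if audience != "AzureADMyOrg" and not publisher:
        findings.append(f"{name}: audience {audience} without a verified publisher")

    secrets = app.get("passwordCredentials") or []
    if secrets:
        findings.append(f"{name}: {len(secrets)} password credential(s) present")

    # The table states a limit of 50 resource services in requiredResourceAccess.
    if len(app.get("requiredResourceAccess") or []) > 50:
        findings.append(f"{name}: more than 50 resources in requiredResourceAccess")

    if app.get("disabledByMicrosoftStatus") == "DisabledDueToViolationOfServicesAgreement":
        findings.append(f"{name}: disabled by Microsoft for a services-agreement violation")
    return findings


if __name__ == "__main__":
    for line in assess_application(SAMPLE_APP):
        print(line)
```

Run against the sample record it reports four findings (two implicit-flow toggles, the unverified multi-tenant audience, and the client secret); the localhost redirect is deliberately not reported. Feeding it the list returned by a directory export is a loop over `assess_application`.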
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| allowInvitesFrom | `string` | | Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government. |
| guestUserRoleId | `string` | | The role templateId of the role that should be granted to guest users. Currently the following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b). |
| defaultUserRolePermissions | `object` | | Default user role permissions for the AAD tenant. |
| ↳ allowedToCreateApps | `boolean` | | Indicates whether the default user role can create applications. |
| ↳ allowedToCreateSecurityGroups | `boolean` | | Indicates whether the default user role can create security groups. |
| ↳ allowedToReadOtherUsers | `boolean` | | Indicates whether the default user role can read other users. |
| allowUserConsentForRiskyApps | `boolean` | | Description pending. |
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| invitationsAllowedAndBlockedDomainsPolicy | `object` | | This policy specifies domain restrictions with regards to inviting external users to collaborate. Only one of the blockedDomains and allowedDomains lists can be populated at once. If blockedDomains is populated, any domain outside of blockedDomains can be invited to collaborate. If allowedDomains is populated, any domain outside of allowedDomains will be blocked. If both lists are empty, then there are no domain restrictions on invitations to collaborate. |
| ↳ blockedDomains | `list<string>` | | Domains in this list are not allowed to be sent invitations to collaborate. |
| ↳ allowedDomains | `list<string>` | | Domains in this list are allowed to be sent invitations to collaborate. |
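The three cases in the policy description (allow-list, block-list, neither) plus the "only one list at a time" rule are easy to get wrong when the check is written ad hoc. As an added example, not Microsoft code and not part of the original reference, the function below applies those rules to an invitee address; it assumes case-insensitive, exact-domain comparison (the table says nothing about subdomains, so none is implied) and treats a record with both lists populated as malformed rather than guessing.

```python
"""Apply an invitationsAllowedAndBlockedDomainsPolicy (shaped like the
table above) to an invitee e-mail address.

Added example, not Microsoft code. Assumes exact, case-insensitive domain
matching; a policy with both lists populated is rejected as malformed.
"""
from __future__ import annotations

# Constructed sample: an allow-list policy with blockedDomains left empty.
SAMPLE_POLICY = {
    "allowedDomains": ["partner.example", "Vendor.example"],
    "blockedDomains": [],
}


def invitee_domain(email: str) -> str:
    """Return the lower-cased domain part of an address, or raise."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return domain.lower()


def invitation_permitted(policy: dict, invitee_email: str) -> bool:
    """True if the policy lets this address be invited."""
    allowed = {d.lower() for d in policy.get("allowedDomains") or []}
    blocked = {d.lower() for d in policy.get("blockedDomains") or []}
    if allowed and blocked:
        # The table says only one list may be populated at once.
        raise ValueError("allowedDomains and blockedDomains are both populated")
    domain = invitee_domain(invitee_email)
    if allowed:
        return domain in allowed          # allow-list: everything else blocked
    if blocked:
        return domain not in blocked      # block-list: everything else allowed
    return True                           # both empty: no domain restriction


if __name__ == "__main__":
    for addr in ("a@partner.example", "b@other.example"):
        print(addr, invitation_permitted(SAMPLE_POLICY, addr))
```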
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| id | `string` | | Specifies the identifier of a conditionalAccessPolicy object. |
| state | `string` | | Specifies the state of the conditionalAccessPolicy object. Possible values are "enabled", "disabled", "enabledForReportingButNotEnforced". |
| conditions | `object` | | Specifies the rules that must be met for the policy to apply. |
| ↳ clientAppTypes | `list<string>` | | Client application types included in the policy. Possible values are "all", "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "easSupported", "other". |
| ↳ users | `object` | | Users, groups, and roles included in and excluded from the policy. |
| ↳ includeGroups | `list<string>` | | A list of group IDs in the scope of the policy (unless the group ID is explicitly excluded, i.e. the group ID is in the "excludeGroups" list), or "All". |
| ↳ excludeGroups | `list<string>` | | Group IDs excluded from the scope of the policy. |
| ↳ includeRoles | `list<string>` | | A list of role IDs in the scope of the policy (unless explicitly excluded, i.e. the role ID is in the "excludeRoles" list), or "All". |
| ↳ excludeRoles | `list<string>` | | Role IDs excluded from the scope of the policy. |
| ↳ includeUsers | `list<string>` | | A list of user IDs in the scope of the policy (unless the user ID is explicitly excluded, i.e. the user ID is in the "excludeUsers" list), or one of "None", "All", or "GuestsOrExternalUsers". |
| ↳ excludeUsers | `list<string>` | | A list of user IDs excluded from the scope of the policy and/or "GuestsOrExternalUsers". |
| grantControls | `object` | | Specifies the grant controls that must be fulfilled to pass the policy. |
| ↳ builtInControls | `list<string>` | | List of values of built-in controls required by the policy. Possible values are "block", "mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange". |
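The include/exclude semantics above (exclusions win; "All", "None" and "GuestsOrExternalUsers" as special include values; clientAppTypes "all") are what an evaluator has to encode when answering "which controls would this sign-in hit?". The block below is an added example, not Microsoft code and not the directory's own evaluation logic: it handles only the users and clientAppTypes conditions and the builtInControls listed in the table (platform, location and application conditions are outside what the table describes), separates enforced from report-only policies, and treats a "block" control in any enforced policy as a denial. The SignIn record, policy ids and group ids are constructed for the example.

```python
"""Evaluate conditionalAccessPolicy objects shaped like the table above
against a single sign-in.

Added example, not Microsoft code. Covers the users and clientAppTypes
conditions and builtInControls from the table only; ids are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SignIn:
    user_id: str
    group_ids: set[str] = field(default_factory=set)
    role_ids: set[str] = field(default_factory=set)
    is_guest: bool = False             # matched by "GuestsOrExternalUsers"
    client_app_type: str = "browser"   # one of the clientAppTypes values


# Constructed sample policies: an all-users MFA policy with a break-glass
# exclusion, a block on guests over legacy clients, a report-only device
# policy, and a disabled policy that must be ignored.
SAMPLE_POLICIES = [
    {"id": "p-mfa", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "users": {"includeUsers": ["All"],
                              "excludeGroups": ["grp-breakglass"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"id": "p-guest-legacy", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "users": {"includeUsers": ["GuestsOrExternalUsers"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"id": "p-device-report", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["all"],
                    "users": {"includeGroups": ["All"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"id": "p-off", "state": "disabled",
     "conditions": {"clientAppTypes": ["all"],
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
]


def policy_applies(policy: dict, s: SignIn) -> bool:
    """True when the sign-in is in scope; any exclusion wins over inclusion."""
    conds = policy.get("conditions") or {}
    users = conds.get("users") or {}
    ex_users = set(users.get("excludeUsers") or [])
    if s.user_id in ex_users or (s.is_guest and "GuestsOrExternalUsers" in ex_users):
        return False
    if s.group_ids & set(users.get("excludeGroups") or []):
        return False
    if s.role_ids & set(users.get("excludeRoles") or []):
        return False

    in_users = set(users.get("includeUsers") or [])    # ids, All, None, GuestsOrExternalUsers
    in_groups = set(users.get("includeGroups") or [])  # ids or All
    in_roles = set(users.get("includeRoles") or [])    # ids or All
    included = (
        "All" in in_users or s.user_id in in_users
        or (s.is_guest and "GuestsOrExternalUsers" in in_users)
        or "All" in in_groups or bool(s.group_ids & in_groups)
        or "All" in in_roles or bool(s.role_ids & in_roles)
    )
    if not included:          # "None" in includeUsers falls through to here
        return False
    client_types = set(conds.get("clientAppTypes") or ["all"])
    return "all" in client_types or s.client_app_type in client_types


def evaluate(policies: list[dict], s: SignIn) -> dict:
    """Collect builtInControls from applicable policies, split by state."""
    enforced: set[str] = set()
    report_only: set[str] = set()
    for p in policies:
        state = p.get("state")
        if state == "disabled" or not policy_applies(p, s):
            continue
        controls = set((p.get("grantControls") or {}).get("builtInControls") or [])
        if state == "enabled":
            enforced |= controls
        elif state == "enabledForReportingButNotEnforced":
            report_only |= controls
    return {"enforced": enforced, "reportOnly": report_only,
            "blocked": "block" in enforced}


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES, SignIn("u-guest", is_guest=True, client_app_type="other")))
```

A member in a normal group gets `mfa` enforced and `compliantDevice` reported only; a member of the break-glass group escapes the MFA policy entirely, which is exactly the kind of gap a policy review wants to surface; a guest on a legacy client is blocked.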
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| id | `string` | | The ID of the compliance policy. |
| odatatype | `string` | | The OData type of the entity, e.g. "#microsoft.graph.iosCompliancePolicy". |
| securityBlockJailbrokenDevices | `boolean` | | If true, block jailbroken or rooted devices. |
| managedEmailProfileRequired | `boolean` | | If true, the owner of the device will only be able to use a managed email account. |
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| passcodeBlockSimple | `boolean` | | Block simple passwords. (iOS) |
| passwordRequired | `boolean` | | Require the use of a password. |
| storageRequireDeviceEncryption | `boolean` | | Indicates whether or not to require device encryption. |
| passcodeSignInFailureCountBeforeWipe | `number` | | Number of failed authentication attempts before a device is wiped. (iOS) |
| passcodeMinutesOfInactivityBeforeScreenTimeout | `number` | | Minutes of inactivity before the screen times out. |
| passwordRequireWhenResumeFromIdleState | `boolean` | | Require the user to provide a password when the device is resumed from idle state. |
| passwordExpirationDays | `number` | | Password expiration in days. "null" if no expiration. |
| passcodeRequiredType | `string` | | The password type (e.g. alphanumeric). (iOS) |
| passcodeMinutesOfInactivityBeforeLock | `number` | | Minutes of inactivity before the screen locks. (iOS) |
| passcodePreviousPasscodeBlockCount | `number` | | For iOS, to prevent reuse of previous passwords. |
| passwordRequiredType | `string` | | The password type (e.g. alphanumeric). |
| passcodeMinimumLength | `number` | | Minimum length of the password. (iOS) |
| passwordBlockSimple | `boolean` | | Block simple passwords. |
| passcodeRequired | `boolean` | | Require the use of a password. (iOS) |
| passwordSignInFailureCountBeforeFactoryReset | `number` | | Number of failed authentication attempts before a device is wiped. (Windows 8) |
| passwordMinutesOfInactivityBeforeScreenTimeout | `number` | | Minutes of inactivity before the screen times out. |
| odatatype | `string` | | To distinguish between different platforms (Android, iOS). |
| passcodeExpirationDays | `number` | | Passcode expiration in days. "null" if no expiration. (iOS) |
| passwordPreviousPasswordCountToBlock | `number` | | Prevent reuse of previous passwords. |
| passwordMinimumLength | `number` | | Minimum length of the password. |
| passwordMinutesOfInactivityBeforeLock | `number` | | Minutes of inactivity before the screen locks. (macOS) |
| id | `string` | | The ID of the compliance policy. |
| passwordPreviousPasswordBlockCount | `number` | | Prevent reuse of previous passwords. |
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| state | `string` | | The current state of the email authentication method configuration. Valid values are "enabled" or "disabled". |
| allowExternalIdToUseEmailOtp | `string` | | Determines whether email OTP is usable by external users for authentication. Possible values are: default, enabled, disabled, unknownFutureValue. Tenants in the default state who did not use public preview will automatically have email OTP enabled beginning in October 2021. |
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| assignedLicenses | `list<object>` | | The licenses that are assigned to the group. |
| licenseProcessingState | `string` | | Indicates the status of the group license assignment to all members of the group. Default value is false. Read-only. Possible values: QueuedForProcessing, ProcessingInProgress, and ProcessingComplete. |
| onPremisesProvisioningErrors | `list<object>` | | Errors when using the Microsoft synchronization product during provisioning. |
| preferredDataLocation | `string` | | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. |
| assignedLabels | `list<object>` | | The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. |
| membershipRuleProcessingState | `string` | | Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused. |
| mail | `string` | | The SMTP address for the group, for example, "serviceadmins@contoso.onmicrosoft.com". |
| onPremisesSamAccountName | `string` | | Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. |
| onPremisesSecurityIdentifier | `string` | | Contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud. |
| preferredLanguage | `string` | | The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example en-US. |
| classification | `string` | | Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition. |
| description | `string` | | An optional description for the group. |
| id | `string` | | The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable. |
| isAssignableToRole | `boolean` | | Indicates whether this group can be assigned to an Azure Active Directory role or not. Optional. This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership). Only callers in Global administrator and Privileged role administrator roles can set this property. The caller must be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. |
| visibility | `string` | | Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or Hiddenmembership. Hiddenmembership can be set only for Microsoft 365 groups, when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation. If the visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default and a Microsoft 365 group is Public. Groups assignable to roles are always Private. |
| resourceProvisioningOptions | `list<string>` | | Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. Possible value is Team. |
| expirationDateTime | `number` | | Timestamp of when the group is set to expire. The value cannot be modified and is automatically populated when the group is created. |
| mailEnabled | `boolean` | | Specifies whether the group is mail-enabled. Required. |
| onPremisesSyncEnabled | `boolean` | | true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). |
| renewedDateTime | `number` | | Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. |
| resourceBehaviorOptions | `list<string>` | | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeNewGroupMembers, WelcomeEmailDisabled. |
| deletedDateTime | `number` | | For some Azure Active Directory objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null. |
| onPremisesLastSyncDateTime | `number` | | Indicates the last time at which the group was synced with the on-premises directory. |
| proxyAddresses | `list<string>` | | Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. The any operator is required to filter expressions on multi-valued properties. |
| theme | `string` | | Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red. |
| createdDateTime | `number` | | Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created. |
| securityEnabled | `boolean` | | Specifies whether the group is a security group. Required. |
| securityIdentifier | `string` | | Security identifier of the group, used in Windows scenarios. |
| displayName | `string` | | The display name for the group. This property is required when a group is created and cannot be cleared during updates. |
| groupTypes | `list<string>` | | Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or distribution group. For details, see groups overview. If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static. |
| mailNickname | `string` | | The mail alias for the group, unique for Microsoft 365 groups in the organization. |
| membershipRule | `string` | | The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). |
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| isTrusted | `boolean` | | true if this location is explicitly trusted. |
| ipRanges | `list<object>` | | List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596. |
| id | `string` | | The id of the named location. |
| odatatype | `string` | | To distinguish between different types of named locations. Value can be #microsoft.graph.countryNamedLocation or #microsoft.graph.ipNamedLocation. |
| displayName | `string` | | The display name of the named location. |
| countriesAndRegions | `list<string>` | | List of countries and/or regions in two-letter format specified by ISO 3166-2. |
| includeUnknownCountriesAndRegions | `boolean` | | true if IP addresses that don't map to a country or region should be included in the named location. |
| countryLookupMethod | `string` | | Determines what method is used to decide which country the user is located in. Possible values are clientIpAddress (default) and authenticatorAppGps. |
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| id | `string` | | The unique identifier for this domain (e.g. "dev-o365.yourcompany.com" or "yourcompany.onmicrosoft.com"). |
| supportedServices | `list<string>` | | List of supported services for this domain (e.g. "Intune"). |
| Attribute | Type | Refers to | Description |
|---|---|---|---|
| id | `string` | | The ID of the OAuth2PermissionGrant. |
| clientId | `string` | | The ID of the client service principal for the application which is authorized to act on behalf of a signed-in user when accessing an API. Corresponds to the 'objectId' field inside the Azure 'Enterprise applications' page. |
| consentType | `string` | | Indicates if authorization is granted for the client application to impersonate all users or only a specific user. 'AllPrincipals' indicates authorization to impersonate all users. 'Principal' indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions. |
| principalId | `string` | | The ID of the user on behalf of whom the client is authorized to access the resource, when consentType is 'Principal'. If consentType is 'AllPrincipals' this value is null. Required when consentType is 'Principal'. |
| resourceId | `string` | | The ID of the resource service principal to which access is authorized. This identifies the API which the client is authorized to attempt to call on behalf of a signed-in user. |
| scope | `string` | | A space-separated list of the claim values for delegated permissions which should be included in access tokens for the resource application (the API). For example, 'openid User.Read GroupMember.Read.All'. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the publishedPermissionScopes property of the resource service principal. |
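Two facts in this table drive a consent review: a grant with consentType 'AllPrincipals' applies to every user in the tenant, and each value in `scope` should correspond to a delegated permission the resource service principal publishes. The block below is an added example (not Microsoft code and not part of the original reference) that parses the space-separated `scope` field, flags tenant-wide grants carrying scopes this example treats as high impact, flags scope values the resource does not publish or grants whose principalId contradicts their consentType, and answers "what can client X do on behalf of user U against resource R" by combining AllPrincipals and Principal grants. The list of high-impact scopes is this example's own (the names are real Microsoft Graph delegated permissions); every service principal and user id is a placeholder.

```python
"""Review oAuth2PermissionGrant records shaped like the table above.

Added example, not Microsoft code. The high-impact scope list is this
example's own choice; all ids are constructed placeholders.
"""
from __future__ import annotations

# Example's own list of delegated permissions worth review when granted
# for all principals (real Microsoft Graph scope names).
HIGH_IMPACT_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
}

# Constructed: the delegated permissions one resource service principal
# publishes (the publishedPermissionScopes values, keyed by resourceId).
PUBLISHED = {
    "sp-res-graph": {"openid", "User.Read", "GroupMember.Read.All",
                     "Mail.ReadWrite", "Files.ReadWrite.All"},
}

# Constructed sample grants; g3 has both an unpublished scope and a
# tenant-wide high-impact scope, with untidy whitespace in the claim.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-client-a", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-res-graph",
     "scope": "openid User.Read"},
    {"id": "g2", "clientId": "sp-client-a", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "sp-res-graph",
     "scope": "Mail.ReadWrite"},
    {"id": "g3", "clientId": "sp-client-b", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-res-graph",
     "scope": " Files.ReadWrite.All  Contacts.Read "},
]


def parse_scope(scope: str | None) -> set[str]:
    """Split the space-separated scope claim, tolerating extra whitespace."""
    return set((scope or "").split())


def review_grants(grants: list[dict], published: dict[str, set[str]]) -> list[dict]:
    """Return one finding dict per problem found in the grant list."""
    findings: list[dict] = []
    for g in grants:
        gid = g.get("id")
        scopes = parse_scope(g.get("scope"))
        known = published.get(g.get("resourceId"), set())
        ctype = g.get("consentType")
        # principalId must be present for Principal and null for AllPrincipals.
        if ctype == "Principal" and not g.get("principalId"):
            findings.append({"grant": gid, "issue": "Principal consent without principalId"})
        if ctype == "AllPrincipals" and g.get("principalId"):
            findings.append({"grant": gid, "issue": "AllPrincipals consent carries a principalId"})
        unknown = sorted(scopes - known)
        if unknown:
            findings.append({"grant": gid, "issue": f"scopes not published by resource: {unknown}"})
        risky = sorted(scopes & HIGH_IMPACT_SCOPES)
        if ctype == "AllPrincipals" and risky:
            findings.append({"grant": gid, "issue": f"tenant-wide high-impact scopes: {risky}"})
    return findings


def effective_scopes(grants: list[dict], client_id: str, user_id: str, resource_id: str) -> set[str]:
    """Scopes client_id may use on behalf of user_id when calling resource_id."""
    out: set[str] = set()
    for g in grants:
        if g.get("clientId") != client_id or g.get("resourceId") != resource_id:
            continue
        if g.get("consentType") == "AllPrincipals" or g.get("principalId") == user_id:
            out |= parse_scope(g.get("scope"))
    return out


if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, PUBLISHED):
        print(f)
    print(effective_scopes(SAMPLE_GRANTS, "sp-client-a", "user-1", "sp-res-graph"))
```

On the sample data both findings point at g3; g2's Mail.ReadWrite is not reported because a Principal grant covers one user who consented for themselves, which is the distinction the consentType column draws.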
ATTRIBUTE TYPE REFERS TO DESCRIPTION
applicationTemplateId string Unique identifier of the applicationTemplate that the servicePrincipal was created from.
keyCredentials list<object> The collection of key credentials associated with the service principal.
accountEnabled boolean true if the service principal account is enabled; otherwise, false.
signInAudience string Specifies the Microsoft accounts that are supported for the current application. Supported values are: AzureADMyOrg (users with a Microsoft work or school account in my organization's Azure AD tenant; single-tenant), AzureADMultipleOrgs (users with a Microsoft work or school account in any organization's Azure AD tenant; multi-tenant), AzureADandPersonalMicrosoftAccount (users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant), and PersonalMicrosoftAccount (users with a personal Microsoft account only).
appDisplayName string The display name exposed by the associated application.
appOwnerOrganizationId string Contains the tenant id where the application is registered. This is applicable only to service principals backed by applications.
notes string Free text field to capture information about the service principal, typically used for operational purposes.
oauth2PermissionScopes list<object> The delegated permissions exposed by the application. For more information see the oauth2PermissionScopes property on the application entity's api property.
appDescription string The description exposed by the associated application.
appRoleAssignmentRequired boolean Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false.
description string Free text field to provide an internal end-user facing description of the service principal. End-user portals such as My Apps display the application description from this field.
samlSingleSignOnSettings object The collection for settings related to saml single sign-on.
 relayState string The relative URI the service provider would redirect to after completion of the single sign-on flow.
disabledByMicrosoftStatus string Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement).
notificationEmailAddresses list<string> Specifies the list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
replyUrls list<string> The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application.
servicePrincipalType string Identifies whether the service principal represents an application, a managed identity, or a legacy application. This is set by Azure AD internally and takes one of three values. Application: a service principal that represents an application or service; the appId property identifies the associated app registration and matches the appId of an application, possibly from a different tenant, and if the associated app registration is missing, tokens are not issued for the service principal. ManagedIdentity: a service principal that represents a managed identity; such service principals can be granted access and permissions, but cannot be updated or modified directly. Legacy: a service principal that represents an app created before app registrations existed, or through legacy experiences; a legacy service principal can have credentials, service principal names, reply URLs, and other properties editable by an authorized user, but has no associated app registration, its appId value does not associate it with an app registration, and it can only be used in the tenant where it was created.
resourceSpecificApplicationPermissions list<object> The resource-specific application permissions exposed by this application. Currently, resource-specific permissions are only supported for Teams apps accessing specific chats and teams using Microsoft Graph.
alternativeNames list<string> Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoles list<object> The roles exposed by the application which this service principal represents. For more information see the appRoles property definition on the application entity. Not nullable.
deletedDateTime number The date and time the service principal was deleted.
logoutUrl string Specifies the URL that will be used by Microsoft's authorization service to log out a user using OpenID Connect front-channel, back-channel or SAML logout protocols.
passwordCredentials list<object> The collection of password credentials associated with the application.
preferredSingleSignOnMode string Specifies the single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. The supported values are password, saml, notSupported, and oidc.
tags list<string> Custom strings that can be used to categorize and identify the service principal.
tokenEncryptionKeyId string Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD issues tokens for this application encrypted using the key specified by this property. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user.
addIns list<object> Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on.
displayName string The display name for the service principal.
homepage string Home page or landing page of the application.
id string The unique identifier for the service principal. Inherited from directoryObject Key
loginUrl string Specifies the URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. The user launches the application from Microsoft 365, the Azure AD My Apps, or the Azure AD SSO URL.
appId string Application The unique identifier for the associated application (its appId property).
info object Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience.
 supportUrl string Link to the application's support page.
 termsOfServiceUrl string Link to the application's terms of service statement.
 logoUrl string CDN URL to the application's logo.
 marketingUrl string Link to the application's marketing page.
 privacyStatementUrl string Link to the application's privacy statement.
servicePrincipalNames list<string> Contains the list of identifiersUris, copied over from the associated application. Additional values can be added to hybrid applications. These values can be used to identify the permissions exposed by this app within Azure AD.
verifiedPublisher object Specifies the verified publisher of the application which this service principal represents.
 addedDateTime number The timestamp when the verified publisher was first added or most recently updated.
 displayName string The verified publisher name from the app publisher's Partner Center account.
 verifiedPublisherId string The ID of the verified publisher from the app publisher's Partner Center account.
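Several of the attributes above are the raw material of a service-principal hygiene review: keyCredentials and passwordCredentials (expired or very long-lived secrets), appRoleAssignmentRequired (whether any user in the tenant can sign in or obtain a token), replyUrls (redirect targets for codes and tokens, which should be https), disabledByMicrosoftStatus, servicePrincipalType and verifiedPublisher together with appOwnerOrganizationId. The script below is an added example, not code from this page or from Microsoft. It runs offline over constructed records; it assumes the nested credential objects carry keyId, startDateTime and endDateTime (the Microsoft Graph keyCredential/passwordCredential shape, which the table above does not list), accepts timestamps either as epoch numbers or ISO 8601 strings, and the two-year credential lifetime and the "home tenant" id are assumed policy inputs.

```python
"""Offline audit of servicePrincipal records (constructed sample data, not live tenant objects)."""
from datetime import datetime
from urllib.parse import urlsplit

MAX_CREDENTIAL_LIFETIME_DAYS = 730  # assumed policy: rotate app secrets/certificates at least every two years
HOME_TENANT_ID = "tenant-contoso"    # assumed: our own tenant id, to tell first-party apps from third-party ones


def epoch(value):
    """Accept an epoch number or an ISO 8601 string; return seconds since the epoch (None passes through)."""
    if value is None:
        return None
    if isinstance(value, (int, float)):
        return float(value)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00")).timestamp()


NOW = epoch("2024-06-01T00:00:00Z")  # fixed "now" so the audit is reproducible

# Constructed samples. Credential objects assume the Graph keyCredential/passwordCredential fields.
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-A", "servicePrincipalType": "Application", "appOwnerOrganizationId": "tenant-contoso",
     "accountEnabled": True, "appRoleAssignmentRequired": False, "disabledByMicrosoftStatus": None,
     "verifiedPublisher": {"verifiedPublisherId": None, "displayName": None, "addedDateTime": None},
     "passwordCredentials": [{"keyId": "pw-1", "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2023-01-01T00:00:00Z"}],
     "keyCredentials": [{"keyId": "key-1", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2030-01-01T00:00:00Z"}],
     "replyUrls": ["http://localhost:3000/callback", "https://billing.example.com/callback"]},
    {"id": "sp-B", "servicePrincipalType": "ManagedIdentity", "appOwnerOrganizationId": "tenant-contoso",
     "accountEnabled": True, "appRoleAssignmentRequired": False, "disabledByMicrosoftStatus": None,
     "verifiedPublisher": None, "passwordCredentials": [], "keyCredentials": [], "replyUrls": []},
    {"id": "sp-C", "servicePrincipalType": "Legacy", "appOwnerOrganizationId": "tenant-contoso",
     "accountEnabled": True, "appRoleAssignmentRequired": True,
     "disabledByMicrosoftStatus": "DisabledDueToViolationOfServicesAgreement", "verifiedPublisher": None,
     "passwordCredentials": [{"keyId": "pw-2", "startDateTime": 1700000000, "endDateTime": 1730000000}],
     "keyCredentials": [], "replyUrls": ["https://sync.example.com/cb"]},
    {"id": "sp-D", "servicePrincipalType": "Application", "appOwnerOrganizationId": "tenant-other",
     "accountEnabled": True, "appRoleAssignmentRequired": True, "disabledByMicrosoftStatus": "NotDisabled",
     "verifiedPublisher": {"verifiedPublisherId": None}, "passwordCredentials": [], "keyCredentials": [],
     "replyUrls": ["https://thirdparty.example.net/auth"]},
]


def audit_credentials(sp_id, kind, credentials, now):
    """Flag expired credentials and credentials whose validity window exceeds the assumed maximum."""
    findings = []
    for cred in credentials or []:
        start, end, key_id = epoch(cred.get("startDateTime")), epoch(cred.get("endDateTime")), cred.get("keyId")
        if end is not None and end < now:
            findings.append((sp_id, f"expired-{kind}", key_id))
        if start is not None and end is not None and end - start > MAX_CREDENTIAL_LIFETIME_DAYS * 86400:
            findings.append((sp_id, f"long-lived-{kind}", key_id))
    return findings


def audit_service_principals(sps, now=NOW, home_tenant=HOME_TENANT_ID):
    """Return (service principal id, finding code, detail) tuples."""
    findings = []
    for sp in sps:
        sp_id, sp_type = sp.get("id"), sp.get("servicePrincipalType")
        findings += audit_credentials(sp_id, "password", sp.get("passwordCredentials"), now)
        findings += audit_credentials(sp_id, "key", sp.get("keyCredentials"), now)
        if sp.get("disabledByMicrosoftStatus") == "DisabledDueToViolationOfServicesAgreement":
            findings.append((sp_id, "disabled-by-microsoft", None))
        if sp_type == "Legacy" and (sp.get("passwordCredentials") or sp.get("keyCredentials")):
            findings.append((sp_id, "legacy-sp-with-credentials", None))
        # Managed identities cannot be edited directly, so the assignment check is skipped for them.
        if sp_type != "ManagedIdentity" and sp.get("accountEnabled") and not sp.get("appRoleAssignmentRequired"):
            findings.append((sp_id, "assignment-not-required", None))
        for url in sp.get("replyUrls") or []:
            if urlsplit(url).scheme != "https":
                findings.append((sp_id, "non-https-reply-url", url))
        # A third-party (other-tenant) application without a verified publisher is worth a closer look.
        publisher = sp.get("verifiedPublisher") or {}
        if sp_type == "Application" and sp.get("appOwnerOrganizationId") != home_tenant and not publisher.get("verifiedPublisherId"):
            findings.append((sp_id, "unverified-third-party-publisher", sp.get("appOwnerOrganizationId")))
    return findings


if __name__ == "__main__":
    for finding in audit_service_principals(SAMPLE_SERVICE_PRINCIPALS):
        print(finding)
```

The epoch helper exists because this table types createdDateTime as a number while Graph itself returns ISO 8601 strings; accepting both keeps the checks usable whichever form the export uses. Pass a fixed now, as the sample does, when the audit output needs to be reproducible.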
ATTRIBUTE TYPE REFERS TO DESCRIPTION
faxNumber string The fax number of the user.
jobTitle string The user's job title.
proxyAddresses list<string> For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. Changes to the mail property will also update this collection to include the value as an SMTP address. For more information, see mail and proxyAddresses properties. The proxy address prefixed with SMTP (capitalized) is the primary proxy address while those prefixed with smtp are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of ten unique addresses.
streetAddress string The street address of the user's place of business.
assignedLicenses list<object> The licenses that are assigned to the user, including inherited (group-based) licenses.
givenName string The given name (first name) of the user.
id string The unique identifier for the user.
department string The name for the department in which the user works.
externalUserState string For an external user invited to the tenant using the invitation API, this property represents the invited user's invitation status. For invited users, the state can be PendingAcceptance or Accepted, or null for all other users.
hireDate number The hire date of the user. Note: This property is specific to SharePoint Online. We recommend using the native employeeHireDate property to set and update hire date values using Microsoft Graph APIs.
onPremisesSecurityIdentifier string Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud.
surname string The user's surname (family name or last name).
userPrincipalName string The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the verifiedDomains property of organization.
companyName string The company name which the user is associated. This property can be useful for describing the company that an external user comes from.
country string The country/region in which the user is located; for example, US or UK.
onPremisesLastSyncDateTime number Indicates the last time at which the object was synced with the on-premises directory
preferredLanguage string The preferred language for the user. Should follow ISO 639-1 Code; for example en-US.
refreshTokensValidFromDateTime number Any refresh tokens or session tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or session token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint.
signInSessionsValidFromDateTime number Any refresh tokens or session tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or session token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint.
businessPhones list<string> The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property. Read-only for users synced from on-premises directory.
city string The city in which the user is located.
legalAgeGroupClassification string Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated based on ageGroup and consentProvidedForMinor properties. Allowed values: null, MinorWithOutParentalConsent, MinorWithParentalConsent, MinorNoParentalConsentRequired, NotAdult and Adult.
otherMails list<string> A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"].
employeeId string The employee identifier assigned to the user by the organization.
externalUserStateChangeDateTime number Shows the timestamp for the latest change to the externalUserState property.
usageLocation string A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: US, JP, and GB.
onPremisesSyncEnabled boolean true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default).
postalCode string The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code.
deletedDateTime number The date and time the user was deleted.
licenseAssignmentStates list<object> State of license assignments for this user.
mailNickname string The mail alias for the user. This property must be specified when a user is created.
mobilePhone string The primary cellular telephone number for the user. Read-only for users synced from on-premises directory.
identities list<object> Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft (also known as a local account), by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account. May contain multiple items with the same signInType value.
imAddresses list<string> The instant message voice over IP (VOIP) session initiation protocol (SIP) addresses for the user.
employeeHireDate number The date and time when the user was hired or will start work in case of a future hire.
isResourceAccount boolean Do not use – reserved for future use.
mail string The SMTP address for the user, for example, jeff@contoso.onmicrosoft.com.
onPremisesSamAccountName string Contains the on-premises samAccountName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
createdDateTime number The created date of the user object.
employeeOrgData object Represents organization data (e.g. division and costCenter) associated with a user.
 division string The name of the division in which the user works.
 costCenter string The cost center associated with the user.
lastPasswordChangeDateTime number The time when this Azure AD user last changed their password, or when their password was created, whichever is more recent.
onPremisesDomainName string Contains the on-premises domainFQDN, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
onPremisesProvisioningErrors list<object> Errors when using Microsoft synchronization product during provisioning.
state string The state or province in the user's address.
consentProvidedForMinor string Sets whether consent has been obtained for minors. Allowed values: null, Granted, Denied and NotRequired.
employeeType string Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor.
onPremisesImmutableId string This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property.
passwordProfile object Specifies the password profile for the user. The profile contains the user’s password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required.
 forceChangePasswordNextSignIn boolean true if the user must change their password on the next login; otherwise false. If not set, default is false.
 forceChangePasswordNextSignInWithMfa boolean If true, at next sign-in, the user must perform a multi-factor authentication (MFA) before being forced to change their password. The behavior is identical to forceChangePasswordNextSignIn except that the user is required to first perform a multi-factor authentication before password change. After a password change, this property will be automatically reset to false. If not set, default is false.
 password string The password for the user. This property is required when a user is created. It can be updated, but the user will be required to change the password on the next login. The password must satisfy minimum requirements as specified by the user’s passwordPolicies property. By default, a strong password is required.
ageGroup string Sets the age group of the user. Allowed values: null, Minor, NotAdult and Adult.
displayName string The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates.
onPremisesUserPrincipalName string Contains the on-premises userPrincipalName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
passwordPolicies string Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two may be specified together; for example: DisablePasswordExpiration, DisableStrongPassword.
userType string A string value that can be used to classify user types in your directory, such as Member and Guest.
onPremisesExtensionAttributes object Contains extensionAttributes1-15 for the user. These extension attributes are also known as Exchange custom attributes 1-15. For an onPremisesSyncEnabled user, the source of authority for this set of properties is on-premises Active Directory, and the properties are read-only in the cloud. For a cloud-only user (where onPremisesSyncEnabled is false), these properties can be set during creation or update of a user object. For a cloud-only user previously synced from on-premises Active Directory, these properties are read-only in Microsoft Graph but can be fully managed through the Exchange Admin Center or the Exchange Online V2 module in PowerShell.
 extensionAttribute1 string First customizable extension attribute.
 extensionAttribute2 string Second customizable extension attribute.
 extensionAttribute3 string Third customizable extension attribute.
 extensionAttribute4 string Fourth customizable extension attribute.
 extensionAttribute5 string Fifth customizable extension attribute.
 extensionAttribute6 string Sixth customizable extension attribute.
 extensionAttribute7 string Seventh customizable extension attribute.
 extensionAttribute8 string Eighth customizable extension attribute.
 extensionAttribute9 string Ninth customizable extension attribute.
 extensionAttribute10 string Tenth customizable extension attribute.
 extensionAttribute11 string Eleventh customizable extension attribute.
 extensionAttribute12 string Twelfth customizable extension attribute.
 extensionAttribute13 string Thirteenth customizable extension attribute.
 extensionAttribute14 string Fourteenth customizable extension attribute.
 extensionAttribute15 string Fifteenth customizable extension attribute.
accountEnabled boolean true if the account is enabled; otherwise, false. This property is required when a user is created.
creationType string Indicates whether the user account was created through one of the following methods: As a regular school or work account (null), As an external account (Invitation), As a local account for an Azure Active Directory B2C tenant (LocalAccount), Through self-service sign-up by an internal user using email verification (EmailVerified), Through self-service sign-up by an external user signing up through a link that is part of a user flow (SelfServiceSignUp).
officeLocation string The office location in the user's place of business.
onPremisesDistinguishedName string Contains the on-premises Active Directory distinguished name or DN. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
schools list<string> A list for the user to enumerate the schools they have attended.
showInAddressList boolean Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. Represents whether the user should be included in the Outlook global address list.
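A few of the user attributes above encode security state in string or timestamp form that has to be parsed before it can be checked: passwordPolicies is a comma-separated list in which DisableStrongPassword and DisablePasswordExpiration may appear together, proxyAddresses marks the primary address with an upper-case SMTP prefix, and refreshTokensValidFromDateTime / signInSessionsValidFromDateTime are the cut-offs that decide whether a previously issued refresh or session token is still honoured. The script below is an added example, not code from this page or from Microsoft; it runs offline over constructed user records (placeholder ids), accepts timestamps as epoch numbers or ISO 8601 strings, and the 365-day stale-password and 30-day stale-invitation thresholds are assumed policy values, not Azure AD defaults.

```python
"""Offline checks on user records (constructed sample data, not live tenant objects)."""
from datetime import datetime

STALE_PASSWORD_DAYS = 365  # assumed policy thresholds, not Azure AD defaults
STALE_INVITE_DAYS = 30


def epoch(value):
    """Accept an epoch number or an ISO 8601 string; return seconds since the epoch (None passes through)."""
    if value is None:
        return None
    if isinstance(value, (int, float)):
        return float(value)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00")).timestamp()


NOW = epoch("2024-06-01T00:00:00Z")  # fixed "now" so results are reproducible

# Constructed sample users shaped like the user attributes documented above.
SAMPLE_USERS = [
    {"id": "user-alice", "userPrincipalName": "alice@contoso.com", "userType": "Member", "accountEnabled": True,
     "passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword",
     "lastPasswordChangeDateTime": "2021-03-15T09:00:00Z",
     "refreshTokensValidFromDateTime": "2024-03-01T00:00:00Z",
     "signInSessionsValidFromDateTime": "2024-05-01T00:00:00Z",
     "proxyAddresses": ["SMTP: alice@contoso.com", "smtp: a.smith@contoso.com"], "mail": "alice@contoso.com"},
    {"id": "user-bob", "userPrincipalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest",
     "accountEnabled": True, "passwordPolicies": None, "externalUserState": "PendingAcceptance",
     "externalUserStateChangeDateTime": "2023-11-01T00:00:00Z", "lastPasswordChangeDateTime": None,
     "refreshTokensValidFromDateTime": None, "signInSessionsValidFromDateTime": None,
     "proxyAddresses": [], "mail": "bob@fabrikam.com"},
]


def parse_password_policies(value):
    """passwordPolicies is a comma-separated string, e.g. 'DisablePasswordExpiration, DisableStrongPassword'."""
    return {p.strip() for p in (value or "").split(",") if p.strip()}


def primary_smtp(proxy_addresses):
    """Return the address with the upper-case 'SMTP' prefix (the primary); lower-case 'smtp' entries are secondary."""
    for entry in proxy_addresses or []:
        prefix, _, address = entry.partition(":")
        if prefix == "SMTP":
            return address.strip()
    return None


def token_revoked(user, issued_at):
    """True if a refresh or session token issued at `issued_at` predates either validity cut-off."""
    cutoffs = [epoch(user.get("refreshTokensValidFromDateTime")), epoch(user.get("signInSessionsValidFromDateTime"))]
    cutoffs = [c for c in cutoffs if c is not None]
    return bool(cutoffs) and epoch(issued_at) < max(cutoffs)


def audit_users(users, now=NOW):
    """Return (user id, finding code, detail) tuples."""
    findings = []
    for user in users:
        uid = user.get("id")
        policies = parse_password_policies(user.get("passwordPolicies"))
        if "DisableStrongPassword" in policies:
            findings.append((uid, "weak-password-policy", None))
        changed = epoch(user.get("lastPasswordChangeDateTime"))
        if "DisablePasswordExpiration" in policies and changed is not None and now - changed > STALE_PASSWORD_DAYS * 86400:
            findings.append((uid, "stale-non-expiring-password", user.get("lastPasswordChangeDateTime")))
        if user.get("userType") == "Guest" and user.get("externalUserState") == "PendingAcceptance":
            since = epoch(user.get("externalUserStateChangeDateTime"))
            if since is not None and now - since > STALE_INVITE_DAYS * 86400:
                findings.append((uid, "stale-pending-invitation", user.get("externalUserStateChangeDateTime")))
        primary = primary_smtp(user.get("proxyAddresses"))
        if primary and user.get("mail") and primary.lower() != user["mail"].lower():
            findings.append((uid, "mail-primary-smtp-mismatch", (user["mail"], primary)))
    return findings


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print(finding)
    print("token issued 2024-04-01 revoked for alice:", token_revoked(SAMPLE_USERS[0], "2024-04-01T00:00:00Z"))
```

token_revoked takes the later of the two cut-offs because both attributes describe the same invalidation, and a token that predates either of them will be rejected when it is used to obtain a delegated access token. During an incident, comparing a suspect token's issue time against these values is the quickest way to confirm that a revocation actually covered it.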
ATTRIBUTE TYPE REFERS TO DESCRIPTION