ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string Key of the entity.
displayName string Admin provided name of the device configuration.
passwordRequired boolean Require a password to unlock device.
requiredPasswordComplexity string Indicates the required password complexity on Android. One of: NONE, LOW, MEDIUM, HIGH. This is a new API targeted to Android 11+. Possible values are: none, low, medium, high.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
storageRequireEncryption boolean Require encryption on Android devices.
securityRequireGooglePlayServices boolean Require Google Play Services to be installed and enabled on the device.
createdDateTime number DateTime the object was created.
version number Version of the device configuration.
odatatype string Microsoft Graph data type.
passwordMinimumLength number Minimum password length. Valid values 4 to 16.
passwordPreviousPasswordBlockCount number Number of previous passwords to block. Valid values 1 to 24.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
passwordRequiredType string Type of characters in password. Possible values are: deviceDefault, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, numeric, numericComplex, any.
securityPreventInstallAppsFromUnknownSources boolean Require that devices disallow installation of apps from unknown sources.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
securityRequireCompanyPortalAppIntegrity boolean Require the device to pass the Company Portal client app runtime integrity check.
conditionStatementId string Condition statement id.
lastModifiedDateTime number DateTime the object was last modified.
passwordSignInFailureCountBeforeFactoryReset number Number of sign-in failures allowed before factory reset. Valid values 1 to 16.
osMaximumVersion string Maximum Android version.
restrictedApps list<object> Require the device to not have the specified apps installed. This collection can contain a maximum of 100 elements.
 name string The application name.
 publisher string The publisher of the application.
 appStoreUrl string The Store URL of the application.
 appId string The application or bundle identifier of the application.
 odatatype string The application data type.
description string Admin provided description of the Device Configuration.
securityDisableUsbDebugging boolean Disable USB debugging on Android devices.
securityRequireVerifyApps boolean Require the Android Verify apps feature is turned on.
osMinimumVersion string Minimum Android version.
securityRequireSafetyNetAttestationBasicIntegrity boolean Require the device to pass the SafetyNet basic integrity check.
securityRequireSafetyNetAttestationCertifiedDevice boolean Require the device to pass the SafetyNet certified device check.
passwordExpirationDays number Number of days before the password expires. Valid values 1 to 365.
securityBlockJailbrokenDevices boolean Devices must not be jailbroken or rooted.
securityBlockDeviceAdministratorManagedDevices boolean Block device administrator managed devices.
minAndroidSecurityPatchLevel string Minimum Android security patch level.
securityRequireUpToDateSecurityProviders boolean Require the device to have up to date security providers. The device will require Google Play Services to be enabled and up to date.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
osMaximumVersion string Maximum Android version.
passwordMinimumLowerCaseCharacters number Indicates the minimum number of lower case characters required for device password. Valid values 1 to 16.
passwordMinimumSymbolCharacters number Indicates the minimum number of symbol characters required for device password. Valid values 1 to 16.
passwordPreviousPasswordCountToBlock number Number of previous passwords to block. Valid values 1 to 24.
version number Version of the device configuration.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
passwordMinimumLetterCharacters number Indicates the minimum number of letter characters required for device password. Valid values 1 to 16.
storageRequireEncryption boolean Require encryption on Android devices.
passwordMinimumLength number Minimum password length. Valid values 4 to 16.
passwordRequiredType string Type of characters in password. Possible values are: deviceDefault, required, numeric, numericComplex, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, customPassword.
odatatype string Microsoft graph android device owner compliance policy type.
createdDateTime number DateTime the object was created.
minAndroidSecurityPatchLevel string Minimum Android security patch level.
passwordMinimumUpperCaseCharacters number Indicates the minimum number of upper case letter characters required for device password. Valid values 1 to 16.
id string Key of the entity.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
lastModifiedDateTime number DateTime the object was last modified.
securityRequireSafetyNetAttestationBasicIntegrity boolean Require the device to pass the SafetyNet basic integrity check.
passwordMinimumNumericCharacters number Indicates the minimum number of numeric characters required for device password. Valid values 1 to 16.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
description string Admin provided description of the Device Configuration.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
securityRequireSafetyNetAttestationCertifiedDevice boolean Require the device to pass the SafetyNet certified device check.
osMinimumVersion string Minimum Android version.
passwordExpirationDays number Number of days before the password expires. Valid values 1 to 365.
securityRequireIntuneAppIntegrity boolean If setting is set to true, checks that the Intune app installed on fully managed, dedicated, or corporate-owned work profile Android Enterprise enrolled devices, is the one provided by Microsoft from the Managed Google Playstore. If the check fails, the device will be reported as non-compliant.
displayName string Admin provided name of the device configuration.
passwordRequired boolean Require a password to unlock device.
passwordMinimumNonLetterCharacters number Indicates the minimum number of non-letter characters required for device password. Valid values 1 to 16.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
osMinimumVersion string Minimum Android version.
lastModifiedDateTime number DateTime the object was last modified.
securityPreventInstallAppsFromUnknownSources boolean Require that devices disallow installation of apps from unknown sources.
osMaximumVersion string Maximum Android version.
securityDisableUsbDebugging boolean Disable USB debugging on Android devices.
minAndroidSecurityPatchLevel string Minimum Android security patch level.
securityRequireSafetyNetAttestationCertifiedDevice boolean Require the device to pass the SafetyNet certified device check.
version number Version of the device configuration.
passwordMinimumLength number Minimum password length. Valid values 4 to 16.
passwordExpirationDays number Number of days before the password expires. Valid values 1 to 365.
passwordPreviousPasswordBlockCount number Number of previous passwords to block. Valid values 1 to 24.
securityBlockJailbrokenDevices boolean Devices must not be jailbroken or rooted.
securityRequireSafetyNetAttestationBasicIntegrity boolean Require the device to pass the SafetyNet basic integrity check.
securityRequireGooglePlayServices boolean Require Google Play Services to be installed and enabled on the device.
description string Admin provided description of the Device Configuration.
securityRequireVerifyApps boolean Require the Android Verify apps feature is turned on.
storageRequireEncryption boolean Require encryption on Android devices.
securityRequireUpToDateSecurityProviders boolean Require the device to have up to date security providers. The device will require Google Play Services to be enabled and up to date.
odatatype string Microsoft graph device compliance policy type.
id string Key of the entity.
createdDateTime number DateTime the object was created.
passwordRequired boolean Require a password to unlock device.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
passwordSignInFailureCountBeforeFactoryReset number Number of sign-in failures allowed before factory reset. Valid values 1 to 16.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
securityRequiredAndroidSafetyNetEvaluationType string Require a specific SafetyNet evaluation type for compliance. Possible values are: basic, hardwareBacked.
displayName string Admin provided name of the device configuration.
passwordRequiredType string Type of characters in password. Possible values are: deviceDefault, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, numeric, numericComplex, any.
requiredPasswordComplexity string Indicates the required device password complexity on Android. One of: NONE, LOW, MEDIUM, HIGH. This is a new API targeted to Android API 12+. Possible values are: none, low, medium, high.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
securityRequireCompanyPortalAppIntegrity boolean Require the device to pass the Company Portal client app runtime integrity check.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
version number Version of the device configuration.
minAndroidSecurityPatchLevel string Minimum Android security patch level.
odatatype string Microsoft graph aosp device compliance policy type.
displayName string Admin provided name of the device configuration.
storageRequireEncryption boolean Require encryption on Android devices.
description string Admin provided description of the Device Configuration.
lastModifiedDateTime number DateTime the object was last modified.
osMaximumVersion string Maximum Android version.
passwordMinimumLength number Minimum password length. Valid values 4 to 16.
createdDateTime number DateTime the object was created.
osMinimumVersion string Minimum Android version.
securityBlockJailbrokenDevices boolean Devices must not be jailbroken or rooted.
passwordRequired boolean Require a password to unlock device.
passwordRequiredType string Type of characters in password. Possible values are: deviceDefault, required, numeric, numericComplex, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, customPassword.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required. Valid values 1 to 8640.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
id string Key of the entity.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string A unique identifier for the appRoleAssignment key. Not nullable.
principalDisplayName string The display name of the user, group, or service principal that was granted the app role assignment.
principalId string User Group ServicePrincipal The unique identifier (id) for the user, group, or service principal being granted the app role.
principalType string The type of the assigned principal. This can either be User, Group, or ServicePrincipal.
resourceDisplayName string The display name of the resource app's service principal to which the assignment is made.
resourceId string ServicePrincipal The unique identifier (id) for the resource service principal for which the assignment is made.
appRoleId string The identifier (id) for the app role which is assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application has not declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles.
createdDateTime number The time when the app role assignment was created.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
publicClient object Specifies settings for installed clients such as desktop or mobile devices.
 redirectUris list<string> Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
certification object Specifies the certification status of the application.
 certificationDetailsUrl string URL that shows certification details for the application.
 certificationExpirationDateTime number The timestamp when the current certification for the application will expire.
 isCertifiedByMicrosoft boolean Indicates whether the application is certified by Microsoft.
 isPublisherAttested boolean Indicates whether the application has been self-attested by the application developer or the publisher.
 lastCertificationDateTime number The timestamp when the certification for the application was most recently added or updated.
id string Unique identifier for the application object. This property is referred to as Object ID in the Azure portal. Inherited from directoryObject Key. Not nullable.
info object Basic profile information of the application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience.
 logoUrl string CDN URL to the application's logo, Read-only.
 marketingUrl string Link to the application's marketing page.
 privacyStatementUrl string Link to the application's privacy statement.
 supportUrl string Link to the application's support page.
 termsOfServiceUrl string Link to the application's terms of service statement.
identifierUris list<string> Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api.
serviceManagementReference string References application or service contact information from a Service or Asset Management database. Nullable.
tags list<string> Custom strings that can be used to categorize and identify the application. Not nullable.
notes string Notes relevant for the management of the application.
appRoles list<object> The collection of roles assigned to the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Not nullable.
 value string Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal.
 allowedMemberTypes list<string> Specifies whether this app role can be assigned to users and groups (by setting to ["User"]), to other application's (by setting to ["Application"], or both (by setting to ["User", "Application"]). App roles supporting assignment to other applications' service principals are also known as application permissions. The "Application" value is only supported for app roles defined on application entities.
 description string The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences.
 displayName string Display name for the permission that appears in the app role assignment and consent experiences.
 id string Unique role identifier inside the appRoles collection. When creating a new app role, a new GUID identifier must be provided.
 isEnabled boolean When creating or updating an app role, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed.
 origin string Specifies if the app role is defined on the application object or on the servicePrincipal entity. Must not be included in any POST or PATCH requests.
description string Free text field to provide a description of the application object to end users.
keyCredentials list<object> The collection of key credentials associated with the application. Not nullable.
 startDateTime number The date and time at which the credential becomes valid.
 type string The type of key credential; for example, Symmetric, AsymmetricX509Cert.
 usage string A string that describes the purpose for which the key can be used; for example, Verify.
 customKeyIdentifier string Custom key identifier
 displayName string Friendly name for the key.
 endDateTime number The date and time at which the credential expires.
 key string The certificate's raw data in byte array converted to Base64 string.
 keyId string The unique identifier (GUID) for the key.
deletedDateTime number The date and time the application was deleted.
disabledByMicrosoftStatus string Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement).
isFallbackPublicClient boolean Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false which means the fallback application type is confidential client such as a web app. There are certain scenarios where Azure AD cannot determine the client application type. For example, the ROPC flow where it is configured without specifying a redirect URI. In those cases Azure AD interprets the application type based on the value of this property
spa object Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens.
 redirectUris list<string> Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
addIns list<object> Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on.
 id string id of an addIn.
 properties list<object> property of an addIn.
 key string Key for the key-value pair.
 value string Value for the key-value pair.
 type string type of an addIn.
api object Specifies settings for an application that implements a web API.
 acceptMappedClaims boolean When true, allows an application to use claims mapping without specifying a custom signing key.
 knownClientApplications list<string> Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. If you set the appID of the client app to this value, the user only consents once to the client app. Azure AD knows that consenting to the client means implicitly consenting to the web API and automatically provisions service principals for both APIs at the same time. Both the client and the web API app must be registered in the same tenant.
 oauth2PermissionScopes list<object> The definition of the delegated permissions exposed by the web API represented by this application registration. These delegated permissions may be requested by a client application, and may be granted by users or administrators during consent. Delegated permissions are sometimes referred to as OAuth 2.0 scopes.
 adminConsentDisplayName string The permission's title, intended to be read by an administrator granting the permission on behalf of all users.
 id string Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application.
 isEnabled boolean When creating or updating a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed.
 type string The possible values are: User and Admin. Specifies whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator consent should always be required. While Microsoft Graph defines the default consent requirement for each permission, the tenant administrator may override the behavior in their organization (by allowing, restricting, or limiting user consent to this delegated permission).
 userConsentDescription string A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.
 userConsentDisplayName string A title for the permission, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.
 value string Specifies the value to include in the scp (scope) claim in access tokens.
 adminConsentDescription string A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. This text appears in tenant-wide admin consent experiences.
 preAuthorizedApplications list<object> Lists the client applications that are pre-authorized with the specified delegated permissions to access this application's APIs. Users are not required to consent to any pre-authorized application (for the permissions specified). However, any additional permissions not listed in preAuthorizedApplications (requested through incremental consent for example) will require user consent.
 appId string The unique identifier for the application.
 delegatedPermissionIds list<string> The unique identifier for the oauth2PermissionScopes the application requires.
 requestedAccessTokenVersion number Specifies the access token version expected by this resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token.
applicationTemplateId string Unique identifier of the applicationTemplate.
oauth2RequiredPostResponse boolean Specifies whether, as part of OAuth 2.0 token requests, Azure AD allows POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests are allowed.
optionalClaims object Application developers can configure optional claims in their Azure AD applications to specify the claims that are sent to their application by the Microsoft security token service.
 accessToken list<object> The optional claims returned in the JWT access token.
 name string The name of the optional claim.
 source string The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
 additionalProperties list<string> Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.
 essential boolean If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
 saml2Token list<object> The optional claims returned in the SAML token.
 additionalProperties list<string> Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.
 essential boolean If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
 name string The name of the optional claim.
 source string The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
 idToken list<object> The optional claims returned in the JWT ID token.
 additionalProperties list<string> Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.
 essential boolean If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
 name string The name of the optional claim.
 source string The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
passwordCredentials list<object> The collection of password credentials associated with the application. Not nullable.
 endDateTime number The date and time at which the password expires represented using ISO 8601 format and is always in UTC time.
 hint string Contains the first three characters of the password.
 keyId string The unique identifier for the password.
 secretText string Contains the strong passwords generated by Azure AD that are 16-64 characters in length. The generated password value is only returned during the initial POST request to addPassword. There is no way to retrieve this password in the future.
 startDateTime number The date and time at which the password becomes valid.
 customKeyIdentifier string Do not use.
 displayName string Friendly name for the password.
publisherDomain string The verified publisher domain for the application.
tokenEncryptionKeyId string Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key this property points to. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user.
groupMembershipClaims string Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. To set this attribute, use one of the following valid string values: None, SecurityGroup (for security groups and Azure AD roles), All (this gets all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of).
isDeviceOnlyAuthSupported boolean Specifies whether this application supports device authentication without a user. The default is false.
logo string The main logo for the application.
verifiedPublisher object Specifies the verified publisher of the application. For more information about how publisher verification helps support application security, trustworthiness, and compliance, see Publisher verification.
 addedDateTime number The timestamp when the verified publisher was first added or most recently updated.
 displayName string The verified publisher name from the app publisher's Partner Center account.
 verifiedPublisherId string The ID of the verified publisher from the app publisher's Partner Center account.
createdDateTime number The date and time the application was registered.
displayName string The display name for the application.
signInAudience string Specifies the Microsoft accounts that are supported for the current application. The possible values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount (default), and PersonalMicrosoftAccount
web object Specifies settings for a web application.
 homePageUrl string Home page or landing page of the application.
 implicitGrantSettings object Specifies whether this web application can request tokens using the OAuth 2.0 implicit flow.
 enableIdTokenIssuance boolean Specifies whether this web application can request an ID token using the OAuth 2.0 implicit flow.
 enableAccessTokenIssuance boolean Specifies whether this web application can request an access token using the OAuth 2.0 implicit flow.
 logoutUrl string Specifies the URL that will be used by Microsoft's authorization service to logout an user using front-channel, back-channel or SAML logout protocols.
 redirectUris list<string> Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
appId string The unique identifier for the application that is assigned to an application by Azure AD. Not nullable.
parentalControlSettings object Specifies parental control settings for an application.
 countriesBlockedForMinors list<string> Specifies the two-letter ISO country codes. Access to the application will be blocked for minors from the countries specified in this list.
 legalAgeGroupRule string Specifies the legal age group rule that applies to users of the app. Can be set to one of the following values: Allow(Default. Enforces the legal minimum. This means parental consent is required for minors in the European Union and Korea), RequireConsentForPrivacyServices(Enforces the user to specify date of birth to comply with COPPA rules), RequireConsentForMinors(Requires parental consent for ages below 18, regardless of country minor rules), RequireConsentForKids(Requires parental consent for ages below 14, regardless of country minor rules), BlockMinors(Blocks minors from using the app)
requiredResourceAccess list<object> Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. No more than 50 resource services (APIs) can be configured. Beginning mid-October 2021, the total number of required permissions must not exceed 400. Not nullable.
 resourceAccess list<object> The list of OAuth2.0 permission scopes and app roles that the application requires from the specified resource.
 id string The unique identifier of an app role or delegated permission exposed by the resource application. For delegated permissions, this should match the id property of one of the delegated permissions in the oauth2PermissionScopes collection of the resource application's service principal. For app roles (application permissions), this should match the id property of an app role in the appRoles collection of the resource application's service principal.
 type string Specifies whether the id property references a delegated permission or an app role (application permission). The possible values are: Scope (for delegated permissions) or Role (for app roles).
 resourceAppId string The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
blockMsolPowerShell boolean To disable the use of MSOL PowerShell set this property to true. This will also disable user-based access to the legacy service endpoint used by MSOL PowerShell. This does not affect Azure AD Connect or Microsoft Graph.
description string Description of this policy.
allowUserConsentForRiskyApps boolean Description pending.
id string ID of the authorization policy.
allowedToSignUpEmailBasedSubscriptions boolean Indicates whether users can sign up for email based subscriptions.
allowedToUseSSPR boolean Indicates whether the Self-Serve Password Reset feature can be used by users on the tenant.
displayName string Display name for this policy.
allowInvitesFrom string Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government.
guestUserRoleId string Represents role templateId for the role that should be granted to guest user. Currently following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b).
defaultUserRolePermissions object Default user role permissions for the AAD tenant.
 allowedToCreateApps boolean Indicates whether the default user role can create applications.
 allowedToCreateSecurityGroups boolean Indicates whether the default user role can create security groups.
 allowedToCreateTenants boolean Indicates whether the default user role can create tenants.
 allowedToReadOtherUsers boolean Indicates whether the default user role can read other users.
 permissionGrantPoliciesAssigned list<string> Indicates if user consent to apps is allowed, and if it is, which permission to grant consent and which app consent policy (permissionGrantPolicy) govern the permission for users to grant consent. Value should be in the format managePermissionGrantsForSelf.{id}, where {id} is the id of a built-in or custom app consent policy. An empty list indicates user consent to apps is disabled.
 allowedToReadBitlockerKeysForOwnedDevice boolean Indicates whether a user is allowed to read bitlocker keys for owned device.
allowEmailVerifiedUsersToJoinOrganization boolean Indicates whether a user can join the tenant by email validation.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
invitationsAllowedAndBlockedDomainsPolicy object This policy specifies domain restrictions with regards to inviting external users to collaborate. Only one of the blockedDomains and allowedDomains list can be populated at once. If blockedDomains is populated, any domain outside of blockedDomains can be invited to collaborate. If allowedDomains is populated, any domain outside of allowedDomains will be blocked. If both lists are empty, then there are no domain restrictions on invitations to collaborate.
 blockedDomains list<string> Domains in this list are not allowed to be sent invitations to collaborate.
 allowedDomains list<string> Domains in this list are allowed to be sent invitations to collaborate.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string Specifies the identifier of a conditionalAccessPolicy object.
state string Specifies the state of the conditionalAccessPolicy object. Possible values are "enabled", "disabled", "enabledForReportingButNotEnforced".
conditions object Specifies the rules that must be met for the policy to apply.
 clientAppTypes list<string> Client application types included in the policy. Possible values are "all", "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "easSupported", "other".
 users object Users, groups, and roles included in and excluded from the policy.
 excludeUsers list<string> A list of user IDs excluded from the scope of the policy and/or "GuestsOrExternalUsers".
 includeGroups list<string> A list of group IDs in the scope of the policy (unless the group ID is explicitly excluded, i.e. the group ID is in the "excludeGroups" list), or "All".
 excludeGroups list<string> Group IDs excluded from scope of policy.
 includeRoles list<string> A list of role IDs in scope of policy (unless explicitly excluded, i.e. the role ID is in the "excludeRoles" list), or "All".
 excludeRoles list<string> Role IDs excluded from scope of policy.
 includeUsers list<string> A list of user IDs in the scope of the policy (unless the user ID explicitly excluded, i.e. the user ID is in the "excludeUsers" list), or one of "None", "All", or "GuestsOrExternalUsers", .
grantControls object Specifies the grant controls that must be fulfilled to pass the policy.
 builtInControls list<string> List of values of built-in controls required by the policy. Possible values are "block", "mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange".
ATTRIBUTE TYPE REFERS TO DESCRIPTION
appID string The unique identifier of Connected Application
riskLevel string The risk level associated with the Connected Application.
permissions list<string> The permissions associated with the Connected Application.
connectedAppName string Name of the Connected Application.
riskScore number The risk score associated with the Connected Application.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string The ID of the compliance policy.
odatatype string The OData type of the entity, e.g. "#microsoft.graph.iosCompliancePolicy".
securityBlockJailbrokenDevices boolean If true, block jailbroken or rooted devices.
managedEmailProfileRequired boolean If true, the owner of the device will only be able to use a managed email account.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
passwordRequired boolean Require the use of a password.
storageRequireDeviceEncryption boolean Indicates whether or not to require device encryption.
odatatype string To distinguish between different platforms (Android, iOS).
passcodePreviousPasscodeBlockCount number For iOS to prevent reuse of previous passwords.
passwordPreviousPasswordCountToBlock number Prevent reuse of previous passwords.
passwordMinimumLength number Minimum length of the password.
passcodeRequiredType string The password type (e.g. alphanumeric). (iOS)
passwordBlockSimple boolean Block simple passwords.
passwordSignInFailureCountBeforeFactoryReset number Number of failed authentication attempts before a device is wiped. (Windows 8)
passwordMinutesOfInactivityBeforeScreenTimeout number Minutes of inactivity before the screen times out.
id string The ID of the compliance policy.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before the screen locks. (macOS)
passcodeMinutesOfInactivityBeforeScreenTimeout number Minutes of inactivity before the screen times out.
passwordRequireWhenResumeFromIdleState boolean Require the user to provide a password when the device is resumed from idle status.
passcodeSignInFailureCountBeforeWipe number Number of failed authentication attempts before a device is wiped. (iOS)
passwordExpirationDays number Password expiration in days. "null" if no expiration.
passcodeExpirationDays number Passcode expiration in days. "null" if no expiration. (iOS)
passcodeMinimumLength number Minimum length of the password. (iOS)
passwordRequiredType string The password type (e.g. alphanumeric).
passcodeBlockSimple boolean Block simple passwords. (iOS)
passcodeRequired boolean Require the use of a password. (iOS)
passcodeMinutesOfInactivityBeforeLock number Minutes of inactivity before the screen locks. (iOS)
passwordPreviousPasswordBlockCount number Prevent reuse of previous passwords.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
lastModifiedDateTime number Policy last modification date and time.
settingCount number Number of settings.
priorityMetaData object Indicates the priority of each policies that are selected by the admin during enrollment process.
 odatatype string PriorityMetaData data type.
 priority number Priority of the policy. Valid values 1 to 500.
id string Key of the policy document. Automatically generated.
platforms string Platforms for this policy. Possible values are: none, android, iOS, macOS, windows10X, windows10, linux, unknownFutureValue.
createdDateTime number Policy creation date and time.
isAssigned boolean Policy assignment status.
name string Policy name.
technologies string Technologies for this policy. Possible values are: none, mdm, windows10XManagement, configManager, appleRemoteManagement, microsoftSense, exchangeOnline, mobileApplicationManagement, linuxMdm, enrollment, endpointPrivilegeManagement, unknownFutureValue.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
templateReference object Template reference information.
 odatatype string Template reference data type.
 templateId string Template id.
 templateFamily string Template Family of the referenced Template. This property is read-only. Possible values are: none, endpointSecurityAntivirus, endpointSecurityDiskEncryption, endpointSecurityFirewall, endpointSecurityEndpointDetectionAndResponse, endpointSecurityAttackSurfaceReduction, endpointSecurityAccountProtection, endpointSecurityApplicationControl, endpointSecurityEndpointPrivilegeManagement, enrollmentConfiguration, appQuietTime, baseline, unknownFutureValue, deviceConfigurationScripts, deviceConfigurationPolicies.
 templateDisplayName string Template Display Name of the referenced template.
 templateDisplayVersion string Template Display Version of the referenced Template.
creationSource string Policy creation source.
odatatype string Device configuration policy type.
description string Policy description.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
odatatype string Device configuration policy setting data type.
id string Device configuration policy setting id.
policyId string DeviceConfigurationPolicy Device configuration policy id.
settingInstance object settingInstance
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 children list<object> children
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 settingInstanceTemplateId string settingInstanceTemplateId
 odatatype string odatatype
 choiceSettingValue object choiceSettingValue
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 settingInstanceTemplateId string settingInstanceTemplateId
 odatatype string odatatype
 choiceSettingValue object choiceSettingValue
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 children list<object> children
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 settingValueTemplateReference object settingValueTemplateReference
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 odatatype string odatatype
 value string value
 odatatype string odatatype
 odatatype string odatatype
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 odatatype string odatatype
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 odatatype string odatatype
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 odatatype string odatatype
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 odatatype string odatatype
 value string value
 odatatype string odatatype
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
state string The current state of the email authentication method configuration. Valid values are "enabled" or "disabled".
allowExternalIdToUseEmailOtp string Determines whether email OTP is usable by external users for authentication. Possible values are: default, enabled, disabled, unknownFutureValue. Tenants in the default state who did not use public preview will automatically have email OTP enabled beginning in October 2021.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
visibility string Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or Hiddenmembership. Hiddenmembership can be set only for Microsoft 365 groups, when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation. If visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default and Microsoft 365 group is Public. Groups assignable to roles are always Private.
assignedLabels list<object> The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group.
 labelId string The unique identifier of the label.
 displayName string The display name of the label.
assignedLicenses list<object> The licenses that are assigned to the group.
 disabledPlans list<string> A collection of the unique identifiers for plans that have been disabled.
 skuId string The unique identifier for the SKU.
classification string Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition.
displayName string The display name for the group. This property is required when a group is created and cannot be cleared during updates.
mail string The SMTP address for the group, for example, "serviceadmins@contoso.onmicrosoft.com".
renewedDateTime number Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action.
theme string Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red.
id string The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable.
membershipRule string The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership).
membershipRuleProcessingState string Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused.
preferredLanguage string The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example en-US.
proxyAddresses list<string> Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. The any operator is required to filter expressions on multi-valued properties.
groupTypes list<string> Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or distribution group. For details, see groups overview. If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static.
isAssignableToRole boolean Indicates whether this group can be assigned to an Azure Active Directory role or not. Optional. This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership). Only callers in Global administrator and Privileged role administrator roles can set this property. The caller must be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups.
mailEnabled boolean Specifies whether the group is mail-enabled. Required.
mailNickname string The mail alias for the group, unique for Microsoft 365 groups in the organization.
onPremisesSamAccountName string Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
deletedDateTime number For some Azure Active Directory objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null.
description string An optional description for the group.
securityIdentifier string Security identifier of the group, used in Windows scenarios.
onPremisesProvisioningErrors list<object> Errors when using Microsoft synchronization product during provisioning.
 value string Value of the property causing the error.
 category string Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property.
 occurredDateTime number The date and time at which the error occurred.
 propertyCausingError string Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress
onPremisesSyncEnabled boolean true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default).
resourceBehaviorOptions list<string> Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeNewGroupMembers, WelcomeEmailDisabled.
securityEnabled boolean Specifies whether the group is a security group. Required.
expirationDateTime number Timestamp of when the group is set to expire. The value cannot be modified and is automatically populated when the group is created.
licenseProcessingState string Indicates status of the group license assignment to all members of the group. Default value is false. Read-only. Possible values: QueuedForProcessing, ProcessingInProgress, and ProcessingComplete.
onPremisesSecurityIdentifier string Contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud.
createdDateTime number Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created.
preferredDataLocation string The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location.
resourceProvisioningOptions list<string> Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. Possible value is Team.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
mailNickname string The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE.
onPremisesSecurityIdentifier string Contains the on-premises security identifier (SID) for the group synchronized from on-premises to the cloud.
jobTitle string The user's job title. Maximum length is 128 characters.
mail string The SMTP address for the user, for example, jeff@contoso.onmicrosoft.com. Changes to this property will also update the user's proxyAddresses collection to include the value as an SMTP address. This property can't contain accent characters.
preferredDataLocation string The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location.
parent_group_id string Group The parent group id for which the member(user/group) belongs.
preferredLanguage string The preferred language for the user. The preferred language format is based on RFC 4646. The name is a combination of an ISO 639 two-letter lowercase culture code associated with the language, and an ISO 3166 two-letter uppercase subculture code associated with the country or region. Example: "en-US", or "es-ES".
description string An optional description for the group.
resourceBehaviorOptions list<string> Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeNewGroupMembers, WelcomeEmailDisabled.
onPremisesProvisioningErrors list<object> Errors when using Microsoft synchronization product during provisioning.
 category string Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property.
 occurredDateTime number The date and time at which the error occurred.
 propertyCausingError string Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress
 value string Value of the property causing the error.
serviceProvisioningErrors list<string> The list of Service Provisioning Errors.
createdDateTime number Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
proxyAddresses list<string> Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. The any operator is required to filter expressions on multi-valued properties.
isAssignableToRole boolean Indicates whether this group can be assigned to a Microsoft Entra role. Optional.This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true, visibility must be Hidden, and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership).Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups.
givenName string The given name (first name) of the user. Maximum length is 64 characters.
deletedDateTime number For some Microsoft Entra objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null.
onPremisesSyncEnabled string true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default).
renewedDateTime number Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
resource_id string User Group The actual resource id for which the member refers to.
surname string The user's surname (family name or last name). Maximum length is 64 characters.
id string The member id. It is groupid_userid
userPrincipalName string The user principal name (UPN) of the user. The UPN is an Internet-style sign-in name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the verifiedDomains property of organization.
officeLocation string The office location in the user's place of business.
classification string Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition.
creationOptions list<string> Creation options.
expirationDateTime number Timestamp of when the group is set to expire. It is null for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
groupTypes list<string> Specifies the group type and its membership.If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview.If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static.
membershipRule string The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership).
odatatype string The grpah data type, either User or Graph
displayName string The name displayed in the address book for the user/group. This property is required when a user/group is created and it cannot be cleared during updates. Maximum length is 256 characters.
securityIdentifier string Security identifier of the group, used in Windows scenarios.
onPremisesDomainName string The on-premise domain name.
onPremisesNetBiosName string The on-premise net bios name.
onPremisesSamAccountName string Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect.
resourceProvisioningOptions list<string> Specifies the group resources provisioned as part of Microsoft 365 group creation that are not normally part of default group creation. The possible value is Team.
securityEnabled boolean Specifies whether the group is a security group. Required.
theme string Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red.
mailEnabled boolean Specifies whether the group is mail-enabled. Required.
membershipRuleProcessingState string Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused.
visibility string Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or HiddenMembership. HiddenMembership can be set only for Microsoft 365 groups when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation.If visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default, and the Microsoft 365 group is Public. Groups assignable to roles are always Private.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
displayName string Admin provided name of the device configuration.
passcodeBlockSimple boolean Indicates whether or not to block simple passcodes.
osMaximumBuildVersion string Maximum IOS build version.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection .
lastModifiedDateTime number DateTime the object was last modified.
passcodeMinutesOfInactivityBeforeScreenTimeout number Minutes of inactivity before the screen times out.
osMaximumVersion string Maximum IOS version.
securityBlockJailbrokenDevices boolean Devices must not be jailbroken or rooted.
createdDateTime number DateTime the object was created.
osMinimumVersion string Minimum IOS version.
restrictedApps list<object> Require the device to not have the specified apps installed. This collection can contain a maximum of 100 elements.
 appStoreUrl string The Store URL of the application.
 appId string The application or bundle identifier of the application.
 odatatype string The application data type.
 name string The application name.
 publisher string The publisher of the application.
osMinimumBuildVersion string Minimum IOS build version.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
passcodeExpirationDays number Number of days before the passcode expires. Valid values 1 to 65535.
passcodeMinimumLength number Minimum length of passcode. Valid values 4 to 14.
passcodeMinimumCharacterSetCount number The number of character sets required in the password.
id string Key of the entity.
description string Admin provided description of the Device Configuration.
passcodeRequiredType string The required passcode type. Possible values are: deviceDefault, alphanumeric, numeric.
odatatype string Microsoft graph ios compliance policy type.
passcodeRequired boolean Indicates whether or not to require a passcode.
version number Version of the device configuration.
passcodeMinutesOfInactivityBeforeLock number Minutes of inactivity before a passcode is required.
passcodePreviousPasscodeBlockCount number Number of previous passcodes to block. Valid values 1 to 24.
managedEmailProfileRequired boolean Indicates whether or not to require a managed email profile.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
passwordPreviousPasswordBlockCount number Number of previous passwords to block. Valid values 1 to 24.
osMinimumVersion string Minimum MacOS version.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
firewallEnabled boolean Whether the firewall should be enabled or not.
passwordBlockSimple boolean Indicates whether or not to block simple passwords.
firewallEnableStealthMode boolean Corresponds to 'Enable stealth mode'.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
description string Admin provided description of the Device Configuration.
version number Version of the device configuration.
passwordRequired boolean Whether or not to require a password.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
passwordRequiredType string The required password type. Possible values are: deviceDefault, alphanumeric, numeric.
passwordMinimumLength number Minimum length of password. Valid values 4 to 14.
lastModifiedDateTime number DateTime the object was last modified.
displayName string Admin provided name of the device configuration.
osMaximumBuildVersion string Maximum MacOS build version.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
storageRequireEncryption boolean Require encryption on Mac OS devices.
firewallBlockAllIncoming boolean Corresponds to the "Block all incoming connections" option.
createdDateTime number DateTime the object was created.
systemIntegrityProtectionEnabled boolean Require that devices have enabled system integrity protection.
gatekeeperAllowedAppSource string System and Privacy setting that determines which download locations apps can be run from on a macOS device. Possible values are: notConfigured, macAppStore, macAppStoreAndIdentifiedDevelopers, anywhere.
odatatype string Microsoft graph mac os compliance type.
passwordMinimumCharacterSetCount number The number of character sets required in the password.
osMaximumVersion string Maximum MacOS version.
id string Key of the entity.
osMinimumBuildVersion string Minimum MacOS build version.
passwordExpirationDays number Number of days before the password expires. Valid values 1 to 65535.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
userId string Unique Identifier for the user associated with the device.
osVersion string Operating system version of the device.
activationLockBypassCode string The code that allows the Activation Lock on managed device to be bypassed. Default, is Null (Non-Default property) for this property when returned as part of managedDevice entity in LIST call. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported.
emailAddress string Email(s) for the user associated with the device.
operatingSystem string Operating system of the device. Windows, iOS, etc.
wiFiMacAddress string Wi-Fi MAC address.
totalStorageSpaceInBytes number Total Storage in Bytes.
phoneNumber string Phone number of the device.
freeStorageSpaceInBytes number Free Storage in Bytes. Default value is 0.
iccid string Integrated Circuit Card Identifier, it is A SIM card's unique identification number. Default is an empty string. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported.
model string Model of the device.
id string Unique Identifier for the device.
easDeviceId string Exchange ActiveSync Id of the device.
meid string MEID.
managementAgent string Management channel of the device. Examples: Intune, EAS, etc. Default is unknown. Supports $filter operator 'eq' and 'or'. Possible values are: eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController.
isSupervised boolean Device supervised status.
exchangeAccessState string The Access State of the device in Exchange. Possible values are: none, unknown, allowed, blocked, quarantined.
remoteAssistanceSessionUrl string Url that allows a Remote Assistance session to be established with the device. Default is an empty string. To retrieve actual values GET call needs to be made, with device id and included in select parameter.
complianceGracePeriodExpirationDateTime number The DateTime when device compliance grace period expires.
managedDeviceName string Automatically generated name to identify a device.
easActivationDateTime number Exchange ActivationSync activation time of the device.
userDisplayName string User display name.
notes string Notes on the device created by IT Admin. Default is null. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported.
deviceRegistrationState string Device registration state. Possible values are: notRegistered, registered, revoked, keyConflict, approvalPending, certificateReset, notRegisteredPendingEnrollment, unknown.
exchangeAccessStateReason string The reason for the device's access state in Exchange. Possible values are: none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp.
udid string Unique Device Identifier for iOS and macOS devices. Default is an empty string. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported.
ethernetMacAddress string Indicates Ethernet MAC Address of the device. Default, is Null (Non-Default property) for this property when returned as part of managedDevice entity. Individual get call with select query options is needed to retrieve actual values. Example: deviceManagement/managedDevices({managedDeviceId})?$select=ethernetMacAddress Supports: $select. $Search is not supported.
physicalMemoryInBytes number Total Memory in Bytes. Default is 0. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select.
jailBroken string Whether the device is jail broken or rooted. Default is an empty string. Supports $filter operator 'eq' and 'or'.
easActivated boolean Whether the device is Exchange ActiveSync activated.
deviceEnrollmentType string Enrollment type of the device. Possible values are: unknown, userEnrollment, deviceEnrollmentManager, appleBulkWithUser, appleBulkWithoutUser, windowsAzureADJoin, windowsBulkUserless, windowsAutoEnrollment, windowsBulkAzureDomainJoin, windowsCoManagement, windowsAzureADJoinUsingDeviceAuth, appleUserEnrollment, appleUserEnrollmentWithServiceAccount.
isEncrypted boolean Device encryption status.
azureADDeviceId string The unique identifier for the Azure Active Directory device. Read only.
manufacturer string Manufacturer of the device.
androidSecurityPatchLevel string Android security patch level.
managementCertificateExpirationDate number Reports device management certificate expiration date.
odatatype string To distinguish between different platforms (Android, iOS).
deviceActionResults list<object> List of ComplexType deviceActionResult objects.
 actionState string State of the action. Possible values are: none, pending, canceled, active, done, failed, notSupported.
 startDateTime number Time the action was initiated.
 lastUpdatedDateTime number Time the action state was last updated.
 odatatype string deviceActionResult type
 actionName string Action name
enrolledDateTime number Enrollment time of the device. Supports $filter operator 'lt' and 'gt'.
deviceCategoryDisplayName string Device category display name. Default is an empty string. Supports $filter operator 'eq' and 'or'.
partnerReportedThreatState string Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are: unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured.
exchangeLastSuccessfulSyncDateTime number Last time the device contacted Exchange.
subscriberCarrier string Subscriber Carrier.
deviceName string Name of the device.
azureADRegistered boolean Whether the device is Azure Active Directory registered.
userPrincipalName string Device user principal name.
serialNumber string SerialNumber.
configurationManagerClientEnabledFeatures object ConfigrMgr client enabled features.
 deviceConfiguration boolean Whether device configuration is managed by Intune.
 compliancePolicy boolean Whether compliance policy is managed by Intune.
 windowsUpdateForBusiness boolean Whether Windows Update for Business is managed by Intune.
 odatatype string Configuration manage client enabled feature types
 inventory boolean Whether inventory is managed by Intune.
 modernApps boolean Whether modern application is managed by Intune.
 resourceAccess boolean Whether resource access is managed by Intune.
requireUserEnrollmentApproval boolean Reports if the managed iOS device is user approval enrollment.
complianceState string Compliance state of the device. Examples: Compliant, Conflict, Error, etc. Default is unknown. Supports $filter operator 'eq' and 'or'. Possible values are: unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager.
remoteAssistanceSessionErrorDetails string An error string that identifies issues when creating Remote Assistance session objects.
managedDeviceOwnerType string Ownership of the device. Can be 'company' or 'personal'.Possible values are: unknown, company, personal.
lastSyncDateTime number The date and time that the device last completed a successful sync with Intune. Supports $filter operator 'lt' and 'gt'.
imei string IMEI string.
deviceHealthAttestationState object The device health attestation state.
 bootManagerVersion string The version of the Boot Manager.
 restartCount number The number of times a PC device has rebooted.
 resetCount number The number of times a PC device has hibernated or resumed.
 operatingSystemKernelDebugging string When operatingSystemKernelDebugging is enabled, the device is used in development and testing.
 virtualSecureMode string VSM is a container that protects high value assets from a compromised kernel.
 bootAppSecurityVersion string The security version number of the Boot Application.
 lastUpdateDateTime number The Timestamp of the last update.
 operatingSystemRevListInfo string The Operating System Revision List that was loaded during initial boot on the attested device.
 bootDebugging string When bootDebugging is enabled, the device is used in development and testing.
 attestationIdentityKey string TWhen an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate.
 dataExcutionPolicy string DEP Policy defines a set of hardware and software technologies that perform additional checks on memory.
 safeMode string Safe mode is a troubleshooting option for Windows that starts your computer in a limited state.
 windowsPE string Operating system running with limited services that is used to prepare a computer for Windows.
 earlyLaunchAntiMalwareDriverProtection string ELAM provides protection for the computers in your network when they start up.
 deviceHealthAttestationStatus string The DHA report version. (Namespace version).
 contentVersion string The HealthAttestation state schema version.
 bitLockerStatus string On or Off of BitLocker Drive Encryption.
 secureBoot string When Secure Boot is enabled, the core components must have the correct cryptographic signatures.
 bootManagerSecurityVersion string The security version number of the Boot Application.
 tpmVersion string The security version number of the Boot Application.
 secureBootConfigurationPolicyFingerPrint string Fingerprint of the Custom Secure Boot Configuration Policy.
 healthStatusMismatchInfo string This attribute appears if DHA-Service detects an integrity issue.
 odatatype string Device health attestation state type.
 pcrHashAlgorithm string Informational attribute that identifies the HASH algorithm that was used by TPM.
 codeIntegrityCheckVersion string The version of the Boot Manager
 pcr0 string The measurement that is captured in PCR[0].
 codeIntegrityPolicy string The Code Integrity policy that is controlling the security of the boot environment.
 bootRevisionListInfo string The Boot Revision List that was loaded during initial boot on the attested device.
 issuedDateTime number The DateTime when device was evaluated or issued to MDM.
 codeIntegrity string When code integrity is enabled, code execution is restricted to integrity verified code.
 testSigning string When test signing is allowed, the device does not enforce signature validation during boot.
 healthAttestationSupportedStatus string This attribute indicates if DHA is supported for the device.
 contentNamespaceUrl string The DHA report version. (Namespace version).
ATTRIBUTE TYPE REFERS TO DESCRIPTION
countriesAndRegions list<string> List of countries and/or regions in two-letter format specified by ISO 3166-2.
includeUnknownCountriesAndRegions boolean true if IP addresses that don't map to a country or region should be included in the named location.
countryLookupMethod string Determines what method is used to decide which country the user is located in. Possible values are clientIpAddress(default) and authenticatorAppGps.
isTrusted boolean true if this location is explicitly trusted.
ipRanges list<object> List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596.
 odatatype string Used to distinguish between different types of ip ranges. Possible values are #microsoft.graph.iPv4CidrRange and #microsoft.graph.iPv6CidrRange.
 cidrAddress string IPv4 or IPv6 address in CIDR notation.
id string The id of the named location.
odatatype string To distinguish between different types of named locations. Value can be #microsoft.graph.countryNamedLocation or #microsoft.graph.ipNamedLocation.
displayName string The display name of the named location.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
scope string A space-separated list of the claim values for delegated permissions which should be included in access tokens for the resource application (the API). For example, 'openid User.Read GroupMember.Read.All'. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the publishedPermissionScopes property of the resource service principal.
id string The ID of the OAuth2PermissionGrant.
clientId string ServicePrincipal The ID of the client service principal for the application which is authorized to act on behalf of a signed-in user when accessing an API. Corresponds to the 'objectId' field inside the Azure 'Enterprise applications' page.
consentType string Indicates if authorization is granted for the client application to impersonate all users or only a specific user. 'AllPrincipals' indicates authorization to impersonate all users. 'Principal' indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions.
principalId string User The ID of the user on behalf of whom the client is authorized to access the resource, when consentType is Principal. If consentType is 'AllPrincipals' this value is null. Required when consentType is 'Principal'.
resourceId string ServicePrincipal The ID of the resource service principal to which access is authorized. This identifies the API which the client is authorized to attempt to call on behalf of a signed-in user.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string The unique identifier for the service principal. Inherited from directoryObject Key
info object Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience.
 logoUrl string CDN URL to the application's logo.
 marketingUrl string Link to the application's marketing page.
 privacyStatementUrl string Link to the application's privacy statement.
 supportUrl string Link to the application's support page.
 termsOfServiceUrl string Link to the application's terms of service statement.
servicePrincipalNames list<string> Contains the list of identifiersUris, copied over from the associated application. Additional values can be added to hybrid applications. These values can be used to identify the permissions exposed by this app within Azure AD.
displayName string The display name for the service principal.
homepage string Home page or landing page of the application.
appRoles list<object> The roles exposed by the application which this service principal represents. For more information see the appRoles property definition on the application entity. Not nullable.
 displayName string Display name for the permission that appears in the app role assignment and consent experiences.
 id string Unique role identifier inside the appRoles collection. When creating a new app role, a new GUID identifier must be provided.
 isEnabled boolean When creating or updating an app role, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed.
 origin string Specifies if the app role is defined on the application object or on the servicePrincipal entity. Must not be included in any POST or PATCH requests.
 value string Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal.
 allowedMemberTypes list<string> Specifies whether this app role can be assigned to users and groups (by setting to ["User"]), to other application's (by setting to ["Application"], or both (by setting to ["User", "Application"]). App roles supporting assignment to other applications' service principals are also known as application permissions. The "Application" value is only supported for app roles defined on application entities.
 description string The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences.
notes string Free text field to capture information about the service principal, typically used for operational purposes.
servicePrincipalType string Identifies whether the service principal represents an application, a managed identity, or a legacy application. This is set by Azure AD internally. The servicePrincipalType property can be set to three different values: Application - A service principal that represents an application or service. The appId property identifies the associated app registration, and matches the appId of an application, possibly from a different tenant. If the associated app registration is missing, tokens are not issued for the service principal. ManagedIdentity - A service principal that represents a managed identity. Service principals representing managed identities can be granted access and permissions, but cannot be updated or modified directly. Legacy - A service principal that represents an app created before app registrations, or through legacy experiences. Legacy service principal can have credentials, service principal names, reply URLs, and other properties which are editable by an authorized user, but does not have an associated app registration. The appId value does not associate the service principal with an app registration. The service principal can only be used in the tenant where it was created.
tags list<string> Custom strings that can be used to categorize and identify the service principal.
addIns list<object> Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on.
 id string id of an addIn.
 properties list<object> property of an addIn.
 key string Key for the key-value pair.
 value string Value for the key-value pair.
 type string type of an addIn.
appOwnerOrganizationId string Contains the tenant id where the application is registered. This is applicable only to service principals backed by applications.
verifiedPublisher object Specifies the verified publisher of the application which this service principal represents.
 addedDateTime number The timestamp when the verified publisher was first added or most recently updated.
 displayName string The verified publisher name from the app publisher's Partner Center account.
 verifiedPublisherId string The ID of the verified publisher from the app publisher's Partner Center account.
resourceSpecificApplicationPermissions list<object> The resource-specific application permissions exposed by this application. Currently, resource-specific permissions are only supported for Teams apps accessing to specific chats and teams using Microsoft Graph.
 description string Describes the level of access that the resource-specific permission represents.
 displayName string The display name for the resource-specific permission.
 id string The unique identifier for the resource-specific application permission.
 isEnabled boolean Indicates whether the permission is enabled.
 value string The value of the permission.
tokenEncryptionKeyId string Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD issues tokens for this application encrypted using the key specified by this property. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user.
passwordCredentials list<object> The collection of password credentials associated with the application.
 hint string Contains the first three characters of the password.
 keyId string The unique identifier for the password.
 secretText string Contains the strong passwords generated by Azure AD that are 16-64 characters in length. The generated password value is only returned during the initial POST request to addPassword. There is no way to retrieve this password in the future.
 startDateTime number The date and time at which the password becomes valid.
 customKeyIdentifier string Do not use.
 displayName string Friendly name for the password.
 endDateTime number The date and time at which the password expires represented using ISO 8601 format and is always in UTC time.
replyUrls list<string> The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application.
disabledByMicrosoftStatus string Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement).
oauth2PermissionScopes list<object> The delegated permissions exposed by the application. For more information see the oauth2PermissionScopes property on the application entity's api property.
 userConsentDisplayName string A title for the permission, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.
 value string Specifies the value to include in the scp (scope) claim in access tokens.
 adminConsentDescription string A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. This text appears in tenant-wide admin consent experiences.
 adminConsentDisplayName string The permission's title, intended to be read by an administrator granting the permission on behalf of all users.
 id string Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application.
 isEnabled boolean When creating or updating a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed.
 type string The possible values are: User and Admin. Specifies whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator consent should always be required. While Microsoft Graph defines the default consent requirement for each permission, the tenant administrator may override the behavior in their organization (by allowing, restricting, or limiting user consent to this delegated permission).
 userConsentDescription string A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.
notificationEmailAddresses list<string> Specifies the list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
alternativeNames list<string> Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appDescription string The description exposed by the associated application.
applicationTemplateId string Unique identifier of the applicationTemplate that the servicePrincipal was created from.
keyCredentials list<object> The collection of key credentials associated with the service principal.
 displayName string Friendly name for the key.
 endDateTime number The date and time at which the credential expires.
 key string The certificate's raw data in byte array converted to Base64 string.
 keyId string The unique identifier (GUID) for the key.
 startDateTime number The date and time at which the credential becomes valid.
 type string The type of key credential; for example, Symmetric, AsymmetricX509Cert.
 usage string A string that describes the purpose for which the key can be used; for example, Verify.
 customKeyIdentifier string Custom key identifier
loginUrl string Specifies the URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. The user launches the application from Microsoft 365, the Azure AD My Apps, or the Azure AD SSO URL.
preferredSingleSignOnMode string Specifies the single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. The supported values are password, saml, notSupported, and oidc.
samlSingleSignOnSettings object The collection for settings related to saml single sign-on.
 relayState string The relative URI the service provider would redirect to after completion of the single sign-on flow.
signInAudience string Specifies the Microsoft accounts that are supported for the current application. Supported values are: AzureADMyOrg-Users with a Microsoft work or school account in my organization's Azure AD tenant (single-tenant). AzureADMultipleOrgs-Users with a Microsoft work or school account in any organization's Azure AD tenant (multi-tenant). AzureADandPersonalMicrosoftAccount-Users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant. PersonalMicrosoftAccount-Users with a personal Microsoft account only.
accountEnabled boolean true if the service principal account is enabled; otherwise, false.
appDisplayName string The display name exposed by the associated application.
description string Free text field to provide an internal end-user facing description of the service principal. End-user portals such MyApps will display the application description in this field.
logoutUrl string Specifies the URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols.
deletedDateTime number The date and time the service principal was deleted.
appId string Application The unique identifier for the associated application (its appId property).
appRoleAssignmentRequired boolean Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
roleDefinitionId string UnifiedRoleDefinition Identifier of the role definition the assignment is for. Read only.
principalId string User Group Identifier of the principal to which the assignment is granted.
principal object Details of the principal the assignment is for. Read only.
 mail string email id of the principal user.
 displayName string display of the principal user.
 odatatype string Type of principal, can be a user or group.
 id string Identifier of the principal to which the assignment is granted.
id string The unique identifier for the role assignment. Key, not nullable, Read-only.
appScopeId string Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or directoryScopeId is required. App scopes are scopes that are defined and understood by this application only
directoryScopeId string Identifier of the directory object representing the scope of the assignment. Either this property or appScopeId is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
description string The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.
isEnabled boolean Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.
resourceScopes string List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true.
templateId string Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories.
version string Indicates version of the role definition. Read-only when isBuiltIn is true.
displayName string The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true.
id string The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity.
isBuiltIn boolean Flag indicating whether the role definition is part of the default set included in Azure Active Directory (Azure AD) or a custom definition.
rolePermissions list<object> List of permissions included in the role. Read-only when isBuiltIn is true.
 condition string Optional constraints that must be met for the permission to be effective. Not supported for custom roles.
 excludedResourceActions list<string> Set of tasks that may not be performed on a resource. Not yet supported.
 allowedResourceActions list<string> Set of tasks that can be performed on a resource.
inheritsPermissionsFrom list<object> Read-only collection of role definitions that the given role definition inherits from. Only Azure AD built-in roles (isBuiltIn is true) support this attribute.
 id string The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
accountEnabled boolean true if the account is enabled; otherwise, false. This property is required when a user is created.
creationType string Indicates whether the user account was created through one of the following methods: As a regular school or work account (null), As an external account (Invitation), As a local account for an Azure Active Directory B2C tenant (LocalAccount), Through self-service sign-up by an internal user using email verification (EmailVerified), Through self-service sign-up by an external user signing up through a link that is part of a user flow (SelfServiceSignUp).
department string The name for the department in which the user works.
displayName string The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates.
employeeHireDate number The date and time when the user was hired or will start work in case of a future hire.
identities list<object> Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft (also known as a local account), by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account. May contain multiple items with the same signInType value.
 signInType string Specifies the user sign-in types in your directory, such as emailAddress, userName, federated, or userPrincipalName. federated represents a unique identifier for a user from an issuer, that can be in any format chosen by the issuer. Setting or updating a userPrincipalName identity will update the value of the userPrincipalName property on the user object. The validations performed on the userPrincipalName property on the user object, for example, verified domains and acceptable characters, will be performed when setting or updating a userPrincipalName identity. Additional validation is enforced on issuerAssignedId when the sign-in type is set to emailAddress or userName. This property can also be set to any custom string.
 issuer string Specifies the issuer of the identity, for example facebook.com. For local accounts (where signInType is not federated), this property is the local B2C tenant default domain name, for example contoso.onmicrosoft.com. For external users from other Azure AD organization, this will be the domain of the federated organization, for example contoso.com.
 issuerAssignedId string Specifies the unique identifier assigned to the user by the issuer. The combination of issuer and issuerAssignedId must be unique within the organization. Represents the sign-in name for the user, when signInType is set to emailAddress or userName (also known as local accounts). When signInType is set to: emailAddress, (or a custom string that starts with emailAddress like emailAddress1) issuerAssignedId must be a valid email address userName, issuerAssignedId must be a valid local part of an email address
onPremisesImmutableId string This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property.
country string The country/region in which the user is located; for example, US or UK.
licenseAssignmentStates list<object> State of license assignments for this user.
 state string Indicate the current state of this assignment. Read-Only. The possible values are Active, ActiveWithError, Disabled, and Error.
 assignedByGroup string The id of the group that assigns this license. If the assignment is a direct-assigned license, this field will be Null.
 disabledPlans list<string> The service plans that are disabled in this assignment.
 error string License assignment failure error. If the license is assigned successfully, this field will be Null. Read-Only. The possible values are CountViolation, MutuallyExclusiveViolation, DependencyViolation, ProhibitedInUsageLocationViolation, UniquenessViolation, and Other.
 lastUpdatedDateTime number The timestamp when the state of the license assignment was last updated.
 skuId string The unique identifier for the SKU.
proxyAddresses list<string> For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. Changes to the mail property will also update this collection to include the value as an SMTP address. For more information, see mail and proxyAddresses properties. The proxy address prefixed with SMTP (capitalized) is the primary proxy address while those prefixed with smtp are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of ten unique addresses.
refreshTokensValidFromDateTime number Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint.
streetAddress string The street address of the user's place of business.
ageGroup string Sets the age group of the user. Allowed values: null, Minor, NotAdult and Adult.
companyName string The company name which the user is associated. This property can be useful for describing the company that an external user comes from.
legalAgeGroupClassification string Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated based on ageGroup and consentProvidedForMinor properties. Allowed values: null, MinorWithOutParentalConsent, MinorWithParentalConsent, MinorNoParentalConsentRequired, NotAdult and Adult.
usageLocation string A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: US, JP, and GB.
mobilePhone string The primary cellular telephone number for the user. Read-only for users synced from on-premises directory.
consentProvidedForMinor string Sets whether consent has been obtained for minors. Allowed values: null, Granted, Denied and NotRequired.
onPremisesDistinguishedName string Contains the on-premises Active Directory distinguished name or DN. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
showInAddressList boolean Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. Represents whether the user should be included in the Outlook global address list.
businessPhones list<string> The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property. Read-only for users synced from on-premises directory.
externalUserState string For an external user invited to the tenant using the invitation API, this property represents the invited user's invitation status. For invited users, the state can be PendingAcceptance or Accepted, or null for all other users.
employeeId string The employee identifier assigned to the user by the organization.
imAddresses list<string> The instant message voice over IP (VOIP) session initiation protocol (SIP) addresses for the user.
mailNickname string The mail alias for the user. This property must be specified when a user is created.
passwordPolicies string Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two may be specified together; for example: DisablePasswordExpiration, DisableStrongPassword.
preferredLanguage string The preferred language for the user. Should follow ISO 639-1 Code; for example en-US.
schools list<string> A list for the user to enumerate the schools they have attended.
onPremisesSecurityIdentifier string Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud.
onPremisesUserPrincipalName string Contains the on-premises userPrincipalName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
jobTitle string The user's job title.
city string The city in which the user is located.
deletedDateTime number The date and time the user was deleted.
externalUserStateChangeDateTime number Shows the timestamp for the latest change to the externalUserState property.
mail string The SMTP address for the user, for example, jeff@contoso.onmicrosoft.com.
officeLocation string The office location in the user's place of business.
userType string A string value that can be used to classify user types in your directory, such as Member and Guest.
createdDateTime number The created date of the user object.
employeeOrgData object Represents organization data (e.g. division and costCenter) associated with a user.
 division string The name of the division in which the user works.
 costCenter string The cost center associated with the user.
userRegistrationDetails object Represents the state of a user's authentication methods, including which methods are registered and which features the user is registered and capable of.
 isMfaCapable boolean Indicates whether the user has registered a strong authentication method for multifactor authentication.
 isMfaRegistered boolean Indicates whether the user has registered a strong authentication method for multifactor authentication.
 isPasswordlessCapable boolean Indicates whether the user has registered a passwordless strong authentication method.
 isSsprCapable boolean Indicates whether the user has registered the required number of authentication methods for self-service password reset and the user is allowed to perform self-service password reset by policy.
 isSsprEnabled boolean Indicates whether the user is allowed to perform self-service password reset by policy. The user may not necessarily have registered the required number of authentication methods for self-service password reset.
 isSystemPreferredAuthenticationMethodEnabled boolean Indicates whether system preferred authentication method is enabled. If enabled, the system dynamically determines the most secure authentication method among the methods registered by the user.
 methodsRegistered list<string> Collection of authentication methods registered.
 isAdmin boolean Indicates whether the user has an admin role in the tenant.
 userPreferredMethodForSecondaryAuthentication string The method the user selected as the default second-factor for performing multifactor authentication.
 systemPreferredAuthenticationMethods list<string> Collection of authentication methods that the system determined to be the most secure authentication methods among the registered methods for second factor authentication.
 lastUpdatedDateTime number The date and time (UTC) when the record was last updated.
 isSsprRegistered boolean Indicates whether the user has registered the required number of authentication methods for self-service password reset. The user may not necessarily be allowed to perform self-service password reset by policy.
onPremisesDomainName string Contains the on-premises domainFQDN, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
postalCode string The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code.
surname string The user's surname (family name or last name).
hireDate number The hire date of the user. Note: This property is specific to SharePoint Online. We recommend using the native employeeHireDate property to set and update hire date values using Microsoft Graph APIs.
id string The unique identifier for the user.
isResourceAccount boolean Do not use - reserved for future use.
onPremisesProvisioningErrors list<object> Errors when using Microsoft synchronization product during provisioning.
 propertyCausingError string Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress
 value string Value of the property causing the error.
 category string Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property.
 occurredDateTime number The date and time at which the error occurred.
onPremisesSamAccountName string Contains the on-premises samAccountName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
otherMails list<string> A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"].
signInSessionsValidFromDateTime number Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint.
userPrincipalName string The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the verifiedDomains property of organization.
assignedLicenses list<object> The licenses that are assigned to the user, including inherited (group-based) licenses.
 disabledPlans list<string> A collection of the unique identifiers for plans that have been disabled.
 skuId string The unique identifier for the SKU.
givenName string The given name (first name) of the user.
onPremisesExtensionAttributes object Contains extensionAttributes1-15 for the user. These extension attributes are also known as Exchange custom attributes 1-15. For an onPremisesSyncEnabled user, the source of authority for this set of properties is the on-premises and is read-only. For a cloud-only user (where onPremisesSyncEnabled is false), these properties can be set during creation or update of a user object. For a cloud-only user previously synced from on-premises Active Directory, these properties are read-only in Microsoft Graph but can be fully managed through the Exchange Admin Center or the Exchange Online V2 module in PowerShell.
 extensionAttribute5 string Fifth customizable extension attribute.
 extensionAttribute10 string Tenth customizable extension attribute.
 extensionAttribute11 string Eleventh customizable extension attribute.
 extensionAttribute7 string Seventh customizable extension attribute.
 extensionAttribute9 string Ninth customizable extension attribute.
 extensionAttribute14 string Fourteenth customizable extension attribute.
 extensionAttribute2 string Second customizable extension attribute.
 extensionAttribute3 string Third customizable extension attribute.
 extensionAttribute4 string Fourth customizable extension attribute.
 extensionAttribute6 string Sixth customizable extension attribute.
 extensionAttribute12 string Twelfth customizable extension attribute.
 extensionAttribute13 string Thirteenth customizable extension attribute.
 extensionAttribute1 string First customizable extension attribute.
 extensionAttribute8 string Eighth customizable extension attribute.
 extensionAttribute15 string Fifteenth customizable extension attribute.
employeeType string Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor.
faxNumber string The fax number of the user.
lastPasswordChangeDateTime number The time when this Azure AD user last changed their password or when their password was created, whichever date the latest action was performed.
onPremisesSyncEnabled boolean true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default).
passwordProfile object Specifies the password profile for the user. The profile contains the user's password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required.
 forceChangePasswordNextSignIn boolean true if the user must change her password on the next login; otherwise false. If not set, default is false.
 forceChangePasswordNextSignInWithMfa boolean If true, at next sign-in, the user must perform a multi-factor authentication (MFA) before being forced to change their password. The behavior is identical to forceChangePasswordNextSignIn except that the user is required to first perform a multi-factor authentication before password change. After a password change, this property will be automatically reset to false. If not set, default is false.
 password string The password for the user. This property is required when a user is created. It can be updated, but the user will be required to change the password on the next login. The password must satisfy minimum requirements as specified by the user's passwordPolicies property. By default, a strong password is required.
state string The state or province in the user's address.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
passwordRequired boolean Require a password to unlock Windows device.
passwordMinimumLength number The minimum password length.
passwordPreviousPasswordBlockCount number The number of previous passwords to prevent re-use of.
codeIntegrityEnabled boolean Require devices to be reported as healthy by Windows Device Health Attestation.
odatatype string Microsoft graph windows10 compliance policy type.
passwordBlockSimple boolean Indicates whether or not to block simple password.
deviceThreatProtectionRequiredSecurityLevel string Require Device Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
osMaximumVersion string Maximum Windows 10 version.
mobileOsMinimumVersion string Minimum Windows Phone version.
defenderEnabled boolean Require Windows Defender Antimalware on Windows devices.
signatureOutOfDate boolean Require Windows Defender Antimalware Signature to be up to date on Windows devices.
rtpEnabled boolean Require Windows Defender Antimalware Real-Time Protection on Windows devices.
activeFirewallRequired boolean Require active firewall on Windows devices.
defenderVersion string Require Windows Defender Antimalware minimum version on Windows devices.
version number Version of the device configuration.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
passwordRequiredType string The required password type. Possible values are: deviceDefault, alphanumeric, numeric.
bitLockerEnabled boolean Require devices to be reported healthy by Windows Device Health Attestation - bit locker is enabled.
secureBootEnabled boolean Require devices to be reported as healthy by Windows Device Health Attestation - secure boot is enabled.
antiSpywareRequired boolean Require any AntiSpyware solution registered with Windows Decurity Center to be on and monitoring (e.g. Symantec, Windows Defender).
validOperatingSystemBuildRanges list<object> The valid operating system build ranges on Windows devices. This collection can contain a maximum of 10000 elements.
 odatatype string Operating system build range data type.
 description string The description of this range (e.g. Valid 1702 builds)
 lowestVersion string The lowest inclusive version that this range contains.
 highestVersion string The highest inclusive version that this range contains.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
createdDateTime number DateTime the object was created.
passwordRequiredToUnlockFromIdle boolean Require a password to unlock an idle device.
mobileOsMaximumVersion string Maximum Windows Phone version.
earlyLaunchAntiMalwareDriverEnabled boolean Require devices to be reported as healthy by Windows Device Health Attestation - early launch antimalware driver is enabled.
antivirusRequired boolean Require any Antivirus solution registered with Windows Decurity Center to be on and monitoring (e.g. Symantec, Windows Defender).
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
configurationManagerComplianceRequired boolean Require to consider SCCM Compliance state into consideration for Intune Compliance State.
description string Admin provided description of the Device Configuration.
displayName string Admin provided name of the device configuration.
passwordMinimumCharacterSetCount number The number of character sets required in the password.
requireHealthyDeviceReport boolean Require devices to be reported as healthy by Windows Device Health Attestation.
storageRequireEncryption boolean Require encryption on windows devices.
deviceCompliancePolicyScript object Device compliance policy script object.
 odatatype string Device compliance policy script data type.
 deviceComplianceScriptId string Device compliance script Id.
 rulesContent string Json of the rules.
id string Key of the entity.
lastModifiedDateTime number DateTime the object was last modified.
passwordExpirationDays number The password expiration in days.
osMinimumVersion string Minimum Windows 10 version.
tpmRequired boolean Require Trusted Platform Module(TPM) to be present.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
createdDateTime number DateTime the object was created.
passwordMinimumCharacterSetCount number The number of character sets required in the password.
odatatype string Microsoft graph windows 8.1 compliance policy type.
passwordRequired boolean Require a password to unlock Windows device.
passwordBlockSimple boolean Indicates whether or not to block simple password.
passwordExpirationDays number Password expiration in days.
osMinimumVersion string Minimum Windows 8.1 version.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
id string Key of the entity.
lastModifiedDateTime number DateTime the object was last modified.
version number Version of the device configuration.
passwordMinimumLength number The minimum password length.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
passwordPreviousPasswordBlockCount number The number of previous passwords to prevent re-use of. Valid values 0 to 24.
osMaximumVersion string Maximum Windows 8.1 version.
storageRequireEncryption boolean Indicates whether or not to require encryption on a windows 8.1 device.
description string Admin provided description of the Device Configuration.
displayName string Admin provided name of the device configuration.
passwordRequiredType string The required password type. Possible values are: deviceDefault, alphanumeric, numeric.