ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
unreviewedRiskEventsExist | boolean | If true, then there are new risk events that need to be reviewed at https://portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/RiskDetections. | |
globalAdminUserCount | number | The total number of global admin users. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
id | string | Key of the entity. | |
displayName | string | Admin provided name of the device configuration. | |
passwordRequired | boolean | Require a password to unlock device. | |
requiredPasswordComplexity | string | Indicates the required password complexity on Android. One of: NONE, LOW, MEDIUM, HIGH. This is a new API targeted to Android 11+. Possible values are: none, low, medium, high. | |
deviceThreatProtectionEnabled | boolean | Require that devices have enabled device threat protection. | |
storageRequireEncryption | boolean | Require encryption on Android devices. | |
securityRequireGooglePlayServices | boolean | Require Google Play Services to be installed and enabled on the device. | |
createdDateTime | number | DateTime the object was created. | |
version | number | Version of the device configuration. | |
odatatype | string | Microsoft Graph data type. | |
passwordMinimumLength | number | Minimum password length. Valid values 4 to 16. | |
passwordPreviousPasswordBlockCount | number | Number of previous passwords to block. Valid values 1 to 24. | |
advancedThreatProtectionRequiredSecurityLevel | string | MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
passwordRequiredType | string | Type of characters in password. Possible values are: deviceDefault, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, numeric, numericComplex, any. | |
securityPreventInstallAppsFromUnknownSources | boolean | Require that devices disallow installation of apps from unknown sources. | |
roleScopeTagIds | list<string> | List of Scope Tags for this Entity instance. | |
passwordMinutesOfInactivityBeforeLock | number | Minutes of inactivity before a password is required. | |
deviceThreatProtectionRequiredSecurityLevel | string | Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
securityRequireCompanyPortalAppIntegrity | boolean | Require the device to pass the Company Portal client app runtime integrity check. | |
conditionStatementId | string | Condition statement id. | |
lastModifiedDateTime | number | DateTime the object was last modified. | |
passwordSignInFailureCountBeforeFactoryReset | number | Number of sign-in failures allowed before factory reset. Valid values 1 to 16. | |
osMaximumVersion | string | Maximum Android version. | |
restrictedApps | list<object> | Require the device to not have the specified apps installed. This collection can contain a maximum of 100 elements. | |
name | string | The application name. | |
publisher | string | The publisher of the application. | |
appStoreUrl | string | The Store URL of the application. | |
appId | string | The application or bundle identifier of the application. | |
odatatype | string | The application data type. | |
description | string | Admin provided description of the Device Configuration. | |
securityDisableUsbDebugging | boolean | Disable USB debugging on Android devices. | |
securityRequireVerifyApps | boolean | Require the Android Verify apps feature is turned on. | |
osMinimumVersion | string | Minimum Android version. | |
securityRequireSafetyNetAttestationBasicIntegrity | boolean | Require the device to pass the SafetyNet basic integrity check. | |
securityRequireSafetyNetAttestationCertifiedDevice | boolean | Require the device to pass the SafetyNet certified device check. | |
passwordExpirationDays | number | Number of days before the password expires. Valid values 1 to 365. | |
securityBlockJailbrokenDevices | boolean | Devices must not be jailbroken or rooted. | |
securityBlockDeviceAdministratorManagedDevices | boolean | Block device administrator managed devices. | |
minAndroidSecurityPatchLevel | string | Minimum Android security patch level. | |
securityRequireUpToDateSecurityProviders | boolean | Require the device to have up to date security providers. The device will require Google Play Services to be enabled and up to date. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
osMaximumVersion | string | Maximum Android version. | |
passwordMinimumLowerCaseCharacters | number | Indicates the minimum number of lower case characters required for device password. Valid values 1 to 16. | |
passwordMinimumSymbolCharacters | number | Indicates the minimum number of symbol characters required for device password. Valid values 1 to 16. | |
passwordPreviousPasswordCountToBlock | number | Number of previous passwords to block. Valid values 1 to 24. | |
version | number | Version of the device configuration. | |
advancedThreatProtectionRequiredSecurityLevel | string | MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
passwordMinimumLetterCharacters | number | Indicates the minimum number of letter characters required for device password. Valid values 1 to 16. | |
storageRequireEncryption | boolean | Require encryption on Android devices. | |
passwordMinimumLength | number | Minimum password length. Valid values 4 to 16. | |
passwordRequiredType | string | Type of characters in password. Possible values are: deviceDefault, required, numeric, numericComplex, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, customPassword. | |
odatatype | string | Microsoft graph android device owner compliance policy type. | |
createdDateTime | number | DateTime the object was created. | |
minAndroidSecurityPatchLevel | string | Minimum Android security patch level. | |
passwordMinimumUpperCaseCharacters | number | Indicates the minimum number of upper case letter characters required for device password. Valid values 1 to 16. | |
id | string | Key of the entity. | |
deviceThreatProtectionRequiredSecurityLevel | string | Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
roleScopeTagIds | list<string> | List of Scope Tags for this Entity instance. | |
lastModifiedDateTime | number | DateTime the object was last modified. | |
securityRequireSafetyNetAttestationBasicIntegrity | boolean | Require the device to pass the SafetyNet basic integrity check. | |
passwordMinimumNumericCharacters | number | Indicates the minimum number of numeric characters required for device password. Valid values 1 to 16. | |
passwordMinutesOfInactivityBeforeLock | number | Minutes of inactivity before a password is required. | |
description | string | Admin provided description of the Device Configuration. | |
deviceThreatProtectionEnabled | boolean | Require that devices have enabled device threat protection. | |
securityRequireSafetyNetAttestationCertifiedDevice | boolean | Require the device to pass the SafetyNet certified device check. | |
osMinimumVersion | string | Minimum Android version. | |
passwordExpirationDays | number | Number of days before the password expires. Valid values 1 to 365. | |
securityRequireIntuneAppIntegrity | boolean | If setting is set to true, checks that the Intune app installed on fully managed, dedicated, or corporate-owned work profile Android Enterprise enrolled devices, is the one provided by Microsoft from the Managed Google Playstore. If the check fails, the device will be reported as non-compliant. | |
displayName | string | Admin provided name of the device configuration. | |
passwordRequired | boolean | Require a password to unlock device. | |
passwordMinimumNonLetterCharacters | number | Indicates the minimum number of non-letter characters required for device password. Valid values 1 to 16. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
roleScopeTagIds | list<string> | List of Scope Tags for this Entity instance. | |
deviceThreatProtectionRequiredSecurityLevel | string | Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
osMinimumVersion | string | Minimum Android version. | |
lastModifiedDateTime | number | DateTime the object was last modified. | |
securityPreventInstallAppsFromUnknownSources | boolean | Require that devices disallow installation of apps from unknown sources. | |
osMaximumVersion | string | Maximum Android version. | |
securityDisableUsbDebugging | boolean | Disable USB debugging on Android devices. | |
minAndroidSecurityPatchLevel | string | Minimum Android security patch level. | |
securityRequireSafetyNetAttestationCertifiedDevice | boolean | Require the device to pass the SafetyNet certified device check. | |
version | number | Version of the device configuration. | |
passwordMinimumLength | number | Minimum password length. Valid values 4 to 16. | |
passwordExpirationDays | number | Number of days before the password expires. Valid values 1 to 365. | |
passwordPreviousPasswordBlockCount | number | Number of previous passwords to block. Valid values 1 to 24. | |
securityBlockJailbrokenDevices | boolean | Devices must not be jailbroken or rooted. | |
securityRequireSafetyNetAttestationBasicIntegrity | boolean | Require the device to pass the SafetyNet basic integrity check. | |
securityRequireGooglePlayServices | boolean | Require Google Play Services to be installed and enabled on the device. | |
description | string | Admin provided description of the Device Configuration. | |
securityRequireVerifyApps | boolean | Require the Android Verify apps feature is turned on. | |
storageRequireEncryption | boolean | Require encryption on Android devices. | |
securityRequireUpToDateSecurityProviders | boolean | Require the device to have up to date security providers. The device will require Google Play Services to be enabled and up to date. | |
odatatype | string | Microsoft graph device compliance policy type. | |
id | string | Key of the entity. | |
createdDateTime | number | DateTime the object was created. | |
passwordRequired | boolean | Require a password to unlock device. | |
passwordMinutesOfInactivityBeforeLock | number | Minutes of inactivity before a password is required. | |
passwordSignInFailureCountBeforeFactoryReset | number | Number of sign-in failures allowed before factory reset. Valid values 1 to 16. | |
advancedThreatProtectionRequiredSecurityLevel | string | MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
securityRequiredAndroidSafetyNetEvaluationType | string | Require a specific SafetyNet evaluation type for compliance. Possible values are: basic, hardwareBacked. | |
displayName | string | Admin provided name of the device configuration. | |
passwordRequiredType | string | Type of characters in password. Possible values are: deviceDefault, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, numeric, numericComplex, any. | |
requiredPasswordComplexity | string | Indicates the required device password complexity on Android. One of: NONE, LOW, MEDIUM, HIGH. This is a new API targeted to Android API 12+. Possible values are: none, low, medium, high. | |
deviceThreatProtectionEnabled | boolean | Require that devices have enabled device threat protection. | |
securityRequireCompanyPortalAppIntegrity | boolean | Require the device to pass the Company Portal client app runtime integrity check. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
version | number | Version of the device configuration. | |
minAndroidSecurityPatchLevel | string | Minimum Android security patch level. | |
odatatype | string | Microsoft graph aosp device compliance policy type. | |
displayName | string | Admin provided name of the device configuration. | |
storageRequireEncryption | boolean | Require encryption on Android devices. | |
description | string | Admin provided description of the Device Configuration. | |
lastModifiedDateTime | number | DateTime the object was last modified. | |
osMaximumVersion | string | Maximum Android version. | |
passwordMinimumLength | number | Minimum password length. Valid values 4 to 16. | |
createdDateTime | number | DateTime the object was created. | |
osMinimumVersion | string | Minimum Android version. | |
securityBlockJailbrokenDevices | boolean | Devices must not be jailbroken or rooted. | |
passwordRequired | boolean | Require a password to unlock device. | |
passwordRequiredType | string | Type of characters in password. Possible values are: deviceDefault, required, numeric, numericComplex, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, customPassword. | |
passwordMinutesOfInactivityBeforeLock | number | Minutes of inactivity before a password is required. Valid values 1 to 8640. | |
roleScopeTagIds | list<string> | List of Scope Tags for this Entity instance. | |
id | string | Key of the entity. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
id | string | A unique identifier for the appRoleAssignment key. Not nullable. | |
principalDisplayName | string | The display name of the user, group, or service principal that was granted the app role assignment. | |
principalId | string | User Group ServicePrincipal | The unique identifier (id) for the user, group, or service principal being granted the app role. |
principalType | string | The type of the assigned principal. This can either be User, Group, or ServicePrincipal. | |
resourceDisplayName | string | The display name of the resource app's service principal to which the assignment is made. | |
resourceId | string | ServicePrincipal | The unique identifier (id) for the resource service principal for which the assignment is made. |
appRoleId | string | The identifier (id) for the app role which is assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application has not declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. | |
createdDateTime | number | The time when the app role assignment was created. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
publicClient | object | Specifies settings for installed clients such as desktop or mobile devices. | |
redirectUris | list<string> | Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. | |
certification | object | Specifies the certification status of the application. | |
certificationDetailsUrl | string | URL that shows certification details for the application. | |
certificationExpirationDateTime | number | The timestamp when the current certification for the application will expire. | |
isCertifiedByMicrosoft | boolean | Indicates whether the application is certified by Microsoft. | |
isPublisherAttested | boolean | Indicates whether the application has been self-attested by the application developer or the publisher. | |
lastCertificationDateTime | number | The timestamp when the certification for the application was most recently added or updated. | |
id | string | Unique identifier for the application object. This property is referred to as Object ID in the Azure portal. Inherited from directoryObject Key. Not nullable. | |
info | object | Basic profile information of the application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. | |
logoUrl | string | CDN URL to the application's logo, Read-only. | |
marketingUrl | string | Link to the application's marketing page. | |
privacyStatementUrl | string | Link to the application's privacy statement. | |
supportUrl | string | Link to the application's support page. | |
termsOfServiceUrl | string | Link to the application's terms of service statement. | |
identifierUris | list<string> | Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api. | |
serviceManagementReference | string | References application or service contact information from a Service or Asset Management database. Nullable. | |
tags | list<string> | Custom strings that can be used to categorize and identify the application. Not nullable. | |
notes | string | Notes relevant for the management of the application. | |
appRoles | list<object> | The collection of roles assigned to the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Not nullable. | |
value | string | Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal. | |
allowedMemberTypes | list<string> | Specifies whether this app role can be assigned to users and groups (by setting to ["User"]), to other application's (by setting to ["Application"], or both (by setting to ["User", "Application"]). App roles supporting assignment to other applications' service principals are also known as application permissions. The "Application" value is only supported for app roles defined on application entities. | |
description | string | The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences. | |
displayName | string | Display name for the permission that appears in the app role assignment and consent experiences. | |
id | string | Unique role identifier inside the appRoles collection. When creating a new app role, a new GUID identifier must be provided. | |
isEnabled | boolean | When creating or updating an app role, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed. | |
origin | string | Specifies if the app role is defined on the application object or on the servicePrincipal entity. Must not be included in any POST or PATCH requests. | |
description | string | Free text field to provide a description of the application object to end users. | |
keyCredentials | list<object> | The collection of key credentials associated with the application. Not nullable. | |
startDateTime | number | The date and time at which the credential becomes valid. | |
type | string | The type of key credential; for example, Symmetric, AsymmetricX509Cert. | |
usage | string | A string that describes the purpose for which the key can be used; for example, Verify. | |
customKeyIdentifier | string | Custom key identifier | |
displayName | string | Friendly name for the key. | |
endDateTime | number | The date and time at which the credential expires. | |
key | string | The certificate's raw data in byte array converted to Base64 string. | |
keyId | string | The unique identifier (GUID) for the key. | |
deletedDateTime | number | The date and time the application was deleted. | |
disabledByMicrosoftStatus | string | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). | |
isFallbackPublicClient | boolean | Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false which means the fallback application type is confidential client such as a web app. There are certain scenarios where Azure AD cannot determine the client application type. For example, the ROPC flow where it is configured without specifying a redirect URI. In those cases Azure AD interprets the application type based on the value of this property | |
spa | object | Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens. | |
redirectUris | list<string> | Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. | |
addIns | list<object> | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on. | |
id | string | id of an addIn. | |
properties | list<object> | property of an addIn. | |
key | string | Key for the key-value pair. | |
value | string | Value for the key-value pair. | |
type | string | type of an addIn. | |
api | object | Specifies settings for an application that implements a web API. | |
acceptMappedClaims | boolean | When true, allows an application to use claims mapping without specifying a custom signing key. | |
knownClientApplications | list<string> | Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. If you set the appID of the client app to this value, the user only consents once to the client app. Azure AD knows that consenting to the client means implicitly consenting to the web API and automatically provisions service principals for both APIs at the same time. Both the client and the web API app must be registered in the same tenant. | |
oauth2PermissionScopes | list<object> | The definition of the delegated permissions exposed by the web API represented by this application registration. These delegated permissions may be requested by a client application, and may be granted by users or administrators during consent. Delegated permissions are sometimes referred to as OAuth 2.0 scopes. | |
adminConsentDisplayName | string | The permission's title, intended to be read by an administrator granting the permission on behalf of all users. | |
id | string | Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application. | |
isEnabled | boolean | When creating or updating a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed. | |
type | string | The possible values are: User and Admin. Specifies whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator consent should always be required. While Microsoft Graph defines the default consent requirement for each permission, the tenant administrator may override the behavior in their organization (by allowing, restricting, or limiting user consent to this delegated permission). | |
userConsentDescription | string | A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves. | |
userConsentDisplayName | string | A title for the permission, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves. | |
value | string | Specifies the value to include in the scp (scope) claim in access tokens. | |
adminConsentDescription | string | A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. This text appears in tenant-wide admin consent experiences. | |
preAuthorizedApplications | list<object> | Lists the client applications that are pre-authorized with the specified delegated permissions to access this application's APIs. Users are not required to consent to any pre-authorized application (for the permissions specified). However, any additional permissions not listed in preAuthorizedApplications (requested through incremental consent for example) will require user consent. | |
appId | string | The unique identifier for the application. | |
delegatedPermissionIds | list<string> | The unique identifier for the oauth2PermissionScopes the application requires. | |
requestedAccessTokenVersion | number | Specifies the access token version expected by this resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token. | |
applicationTemplateId | string | Unique identifier of the applicationTemplate. | |
oauth2RequiredPostResponse | boolean | Specifies whether, as part of OAuth 2.0 token requests, Azure AD allows POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests are allowed. | |
optionalClaims | object | Application developers can configure optional claims in their Azure AD applications to specify the claims that are sent to their application by the Microsoft security token service. | |
accessToken | list<object> | The optional claims returned in the JWT access token. | |
name | string | The name of the optional claim. | |
source | string | The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object. | |
additionalProperties | list<string> | Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. | |
essential | boolean | If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false. | |
saml2Token | list<object> | The optional claims returned in the SAML token. | |
additionalProperties | list<string> | Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. | |
essential | boolean | If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false. | |
name | string | The name of the optional claim. | |
source | string | The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object. | |
idToken | list<object> | The optional claims returned in the JWT ID token. | |
additionalProperties | list<string> | Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property. | |
essential | boolean | If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false. | |
name | string | The name of the optional claim. | |
source | string | The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object. | |
passwordCredentials | list<object> | The collection of password credentials associated with the application. Not nullable. | |
endDateTime | number | The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. | |
hint | string | Contains the first three characters of the password. | |
keyId | string | The unique identifier for the password. | |
secretText | string | Contains the strong passwords generated by Azure AD that are 16-64 characters in length. The generated password value is only returned during the initial POST request to addPassword. There is no way to retrieve this password in the future. | |
startDateTime | number | The date and time at which the password becomes valid. | |
customKeyIdentifier | string | Do not use. | |
displayName | string | Friendly name for the password. | |
publisherDomain | string | The verified publisher domain for the application. | |
tokenEncryptionKeyId | string | Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key this property points to. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. | |
groupMembershipClaims | string | Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. To set this attribute, use one of the following valid string values: None, SecurityGroup (for security groups and Azure AD roles), All (this gets all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of). | |
isDeviceOnlyAuthSupported | boolean | Specifies whether this application supports device authentication without a user. The default is false. | |
logo | string | The main logo for the application. | |
verifiedPublisher | object | Specifies the verified publisher of the application. For more information about how publisher verification helps support application security, trustworthiness, and compliance, see Publisher verification. | |
addedDateTime | number | The timestamp when the verified publisher was first added or most recently updated. | |
displayName | string | The verified publisher name from the app publisher's Partner Center account. | |
verifiedPublisherId | string | The ID of the verified publisher from the app publisher's Partner Center account. | |
createdDateTime | number | The date and time the application was registered. | |
displayName | string | The display name for the application. | |
signInAudience | string | Specifies the Microsoft accounts that are supported for the current application. The possible values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount (default), and PersonalMicrosoftAccount | |
web | object | Specifies settings for a web application. | |
homePageUrl | string | Home page or landing page of the application. | |
implicitGrantSettings | object | Specifies whether this web application can request tokens using the OAuth 2.0 implicit flow. | |
enableIdTokenIssuance | boolean | Specifies whether this web application can request an ID token using the OAuth 2.0 implicit flow. | |
enableAccessTokenIssuance | boolean | Specifies whether this web application can request an access token using the OAuth 2.0 implicit flow. | |
logoutUrl | string | Specifies the URL that will be used by Microsoft's authorization service to logout an user using front-channel, back-channel or SAML logout protocols. | |
redirectUris | list<string> | Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. | |
appId | string | The unique identifier for the application that is assigned to an application by Azure AD. Not nullable. | |
parentalControlSettings | object | Specifies parental control settings for an application. | |
countriesBlockedForMinors | list<string> | Specifies the two-letter ISO country codes. Access to the application will be blocked for minors from the countries specified in this list. | |
legalAgeGroupRule | string | Specifies the legal age group rule that applies to users of the app. Can be set to one of the following values: Allow(Default. Enforces the legal minimum. This means parental consent is required for minors in the European Union and Korea), RequireConsentForPrivacyServices(Enforces the user to specify date of birth to comply with COPPA rules), RequireConsentForMinors(Requires parental consent for ages below 18, regardless of country minor rules), RequireConsentForKids(Requires parental consent for ages below 14, regardless of country minor rules), BlockMinors(Blocks minors from using the app) | |
requiredResourceAccess | list<object> | Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. No more than 50 resource services (APIs) can be configured. Beginning mid-October 2021, the total number of required permissions must not exceed 400. Not nullable. | |
resourceAccess | list<object> | The list of OAuth2.0 permission scopes and app roles that the application requires from the specified resource. | |
id | string | The unique identifier of an app role or delegated permission exposed by the resource application. For delegated permissions, this should match the id property of one of the delegated permissions in the oauth2PermissionScopes collection of the resource application's service principal. For app roles (application permissions), this should match the id property of an app role in the appRoles collection of the resource application's service principal. | |
type | string | Specifies whether the id property references a delegated permission or an app role (application permission). The possible values are: Scope (for delegated permissions) or Role (for app roles). | |
resourceAppId | string | The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
blockMsolPowerShell | boolean | To disable the use of MSOL PowerShell set this property to true. This will also disable user-based access to the legacy service endpoint used by MSOL PowerShell. This does not affect Azure AD Connect or Microsoft Graph. | |
description | string | Description of this policy. | |
allowUserConsentForRiskyApps | boolean | Description pending. | |
id | string | ID of the authorization policy. | |
allowedToSignUpEmailBasedSubscriptions | boolean | Indicates whether users can sign up for email based subscriptions. | |
allowedToUseSSPR | boolean | Indicates whether the Self-Serve Password Reset feature can be used by users on the tenant. | |
displayName | string | Display name for this policy. | |
allowInvitesFrom | string | Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government. | |
guestUserRoleId | string | Represents role templateId for the role that should be granted to guest user. Currently following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b). | |
defaultUserRolePermissions | object | Default user role permissions for the AAD tenant. | |
allowedToCreateApps | boolean | Indicates whether the default user role can create applications. | |
allowedToCreateSecurityGroups | boolean | Indicates whether the default user role can create security groups. | |
allowedToCreateTenants | boolean | Indicates whether the default user role can create tenants. | |
allowedToReadOtherUsers | boolean | Indicates whether the default user role can read other users. | |
permissionGrantPoliciesAssigned | list<string> | Indicates if user consent to apps is allowed, and if it is, which permission to grant consent and which app consent policy (permissionGrantPolicy) govern the permission for users to grant consent. Value should be in the format managePermissionGrantsForSelf.{id}, where {id} is the id of a built-in or custom app consent policy. An empty list indicates user consent to apps is disabled. | |
allowedToReadBitlockerKeysForOwnedDevice | boolean | Indicates whether a user is allowed to read bitlocker keys for owned device. | |
allowEmailVerifiedUsersToJoinOrganization | boolean | Indicates whether a user can join the tenant by email validation. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
invitationsAllowedAndBlockedDomainsPolicy | object | This policy specifies domain restrictions with regards to inviting external users to collaborate. Only one of the blockedDomains and allowedDomains list can be populated at once. If blockedDomains is populated, any domain outside of blockedDomains can be invited to collaborate. If allowedDomains is populated, any domain outside of allowedDomains will be blocked. If both lists are empty, then there are no domain restrictions on invitations to collaborate. | |
blockedDomains | list<string> | Domains in this list are not allowed to be sent invitations to collaborate. | |
allowedDomains | list<string> | Domains in this list are allowed to be sent invitations to collaborate. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
id | string | Specifies the identifier of a conditionalAccessPolicy object. | |
state | string | Specifies the state of the conditionalAccessPolicy object. Possible values are "enabled", "disabled", "enabledForReportingButNotEnforced". | |
conditions | object | Specifies the rules that must be met for the policy to apply. | |
clientAppTypes | list<string> | Client application types included in the policy. Possible values are "all", "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "easSupported", "other". | |
users | object | Users, groups, and roles included in and excluded from the policy. | |
excludeUsers | list<string> | A list of user IDs excluded from the scope of the policy and/or "GuestsOrExternalUsers". | |
includeGroups | list<string> | A list of group IDs in the scope of the policy (unless the group ID is explicitly excluded, i.e. the group ID is in the "excludeGroups" list), or "All". | |
excludeGroups | list<string> | Group IDs excluded from scope of policy. | |
includeRoles | list<string> | A list of role IDs in scope of policy (unless explicitly excluded, i.e. the role ID is in the "excludeRoles" list), or "All". | |
excludeRoles | list<string> | Role IDs excluded from scope of policy. | |
includeUsers | list<string> | A list of user IDs in the scope of the policy (unless the user ID explicitly excluded, i.e. the user ID is in the "excludeUsers" list), or one of "None", "All", or "GuestsOrExternalUsers", . | |
grantControls | object | Specifies the grant controls that must be fulfilled to pass the policy. | |
builtInControls | list<string> | List of values of built-in controls required by the policy. Possible values are "block", "mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange". |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
appID | string | The unique identifier of Connected Application | |
riskLevel | string | The risk level associated with the Connected Application. | |
permissions | list<string> | The permissions associated with the Connected Application. | |
connectedAppName | string | Name of the Connected Application. | |
riskScore | number | The risk score associated with the Connected Application. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
id | string | The ID of the compliance policy. | |
odatatype | string | The OData type of the entity, e.g. "#microsoft.graph.iosCompliancePolicy". | |
securityBlockJailbrokenDevices | boolean | If true, block jailbroken or rooted devices. | |
managedEmailProfileRequired | boolean | If true, the owner of the device will only be able to use a managed email account. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
passwordRequired | boolean | Require the use of a password. | |
storageRequireDeviceEncryption | boolean | Indicates whether or not to require device encryption. | |
odatatype | string | To distinguish between different platforms (Android, iOS). | |
passcodePreviousPasscodeBlockCount | number | For iOS to prevent reuse of previous passwords. | |
passwordPreviousPasswordCountToBlock | number | Prevent reuse of previous passwords. | |
passwordMinimumLength | number | Minimum length of the password. | |
passcodeRequiredType | string | The password type (e.g. alphanumeric). (iOS) | |
passwordBlockSimple | boolean | Block simple passwords. | |
passwordSignInFailureCountBeforeFactoryReset | number | Number of failed authentication attempts before a device is wiped. (Windows 8) | |
passwordMinutesOfInactivityBeforeScreenTimeout | number | Minutes of inactivity before the screen times out. | |
id | string | The ID of the compliance policy. | |
passwordMinutesOfInactivityBeforeLock | number | Minutes of inactivity before the screen locks. (macOS) | |
passcodeMinutesOfInactivityBeforeScreenTimeout | number | Minutes of inactivity before the screen times out. | |
passwordRequireWhenResumeFromIdleState | boolean | Require the user to provide a password when the device is resumed from idle status. | |
passcodeSignInFailureCountBeforeWipe | number | Number of failed authentication attempts before a device is wiped. (iOS) | |
passwordExpirationDays | number | Password expiration in days. "null" if no expiration. | |
passcodeExpirationDays | number | Passcode expiration in days. "null" if no expiration. (iOS) | |
passcodeMinimumLength | number | Minimum length of the password. (iOS) | |
passwordRequiredType | string | The password type (e.g. alphanumeric). | |
passcodeBlockSimple | boolean | Block simple passwords. (iOS) | |
passcodeRequired | boolean | Require the use of a password. (iOS) | |
passcodeMinutesOfInactivityBeforeLock | number | Minutes of inactivity before the screen locks. (iOS) | |
passwordPreviousPasswordBlockCount | number | Prevent reuse of previous passwords. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
lastModifiedDateTime | number | Policy last modification date and time. | |
settingCount | number | Number of settings. | |
priorityMetaData | object | Indicates the priority of each policies that are selected by the admin during enrollment process. | |
odatatype | string | PriorityMetaData data type. | |
priority | number | Priority of the policy. Valid values 1 to 500. | |
id | string | Key of the policy document. Automatically generated. | |
platforms | string | Platforms for this policy. Possible values are: none, android, iOS, macOS, windows10X, windows10, linux, unknownFutureValue. | |
createdDateTime | number | Policy creation date and time. | |
isAssigned | boolean | Policy assignment status. | |
name | string | Policy name. | |
technologies | string | Technologies for this policy. Possible values are: none, mdm, windows10XManagement, configManager, appleRemoteManagement, microsoftSense, exchangeOnline, mobileApplicationManagement, linuxMdm, enrollment, endpointPrivilegeManagement, unknownFutureValue. | |
roleScopeTagIds | list<string> | List of Scope Tags for this Entity instance. | |
templateReference | object | Template reference information. | |
odatatype | string | Template reference data type. | |
templateId | string | Template id. | |
templateFamily | string | Template Family of the referenced Template. This property is read-only. Possible values are: none, endpointSecurityAntivirus, endpointSecurityDiskEncryption, endpointSecurityFirewall, endpointSecurityEndpointDetectionAndResponse, endpointSecurityAttackSurfaceReduction, endpointSecurityAccountProtection, endpointSecurityApplicationControl, endpointSecurityEndpointPrivilegeManagement, enrollmentConfiguration, appQuietTime, baseline, unknownFutureValue, deviceConfigurationScripts, deviceConfigurationPolicies. | |
templateDisplayName | string | Template Display Name of the referenced template. | |
templateDisplayVersion | string | Template Display Version of the referenced Template. | |
creationSource | string | Policy creation source. | |
odatatype | string | Device configuration policy type. | |
description | string | Policy description. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
odatatype | string | Device configuration policy setting data type. | |
id | string | Device configuration policy setting id. | |
policyId | string | DeviceConfigurationPolicy | Device configuration policy id. |
settingInstance | object | settingInstance | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
odatatype | string | odatatype | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
choiceSettingValue | object | choiceSettingValue | |
children | list<object> | children | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
odatatype | string | odatatype | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
choiceSettingValue | object | choiceSettingValue | |
odatatype | string | odatatype | |
settingValueTemplateReference | object | settingValueTemplateReference | |
odatatype | string | odatatype | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
value | string | value | |
children | list<object> | children | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
odatatype | string | odatatype | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
choiceSettingValue | object | choiceSettingValue | |
settingValueTemplateReference | object | settingValueTemplateReference | |
odatatype | string | odatatype | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
value | string | value | |
children | list<object> | children | |
odatatype | string | odatatype | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
odatatype | string | odatatype | |
choiceSettingValue | object | choiceSettingValue | |
children | list<object> | children | |
odatatype | string | odatatype | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
odatatype | string | odatatype | |
choiceSettingValue | object | choiceSettingValue | |
value | string | value | |
children | list<object> | children | |
odatatype | string | odatatype | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
odatatype | string | odatatype | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
choiceSettingValue | object | choiceSettingValue | |
odatatype | string | odatatype | |
settingValueTemplateReference | object | settingValueTemplateReference | |
odatatype | string | odatatype | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
value | string | value | |
children | list<object> | children | |
odatatype | string | odatatype | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
odatatype | string | odatatype | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
choiceSettingValue | object | choiceSettingValue | |
settingValueTemplateReference | object | settingValueTemplateReference | |
odatatype | string | odatatype | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
value | string | value | |
children | list<object> | children | |
odatatype | string | odatatype | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
odatatype | string | odatatype | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
choiceSettingValue | object | choiceSettingValue | |
odatatype | string | odatatype | |
settingValueTemplateReference | object | settingValueTemplateReference | |
odatatype | string | odatatype | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
value | string | value | |
children | list<object> | children | |
choiceSettingValue | object | choiceSettingValue | |
odatatype | string | odatatype | |
settingValueTemplateReference | object | settingValueTemplateReference | |
odatatype | string | odatatype | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
value | string | value | |
children | list<object> | children | |
odatatype | string | odatatype | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
odatatype | string | odatatype | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
choiceSettingValue | object | choiceSettingValue | |
children | list<object> | children | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
odatatype | string | odatatype | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
choiceSettingValue | object | choiceSettingValue | |
settingValueTemplateReference | object | settingValueTemplateReference | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
odatatype | string | odatatype | |
value | string | value | |
odatatype | string | odatatype | |
odatatype | string | odatatype | |
odatatype | string | odatatype | |
settingValueTemplateReference | object | settingValueTemplateReference | |
odatatype | string | odatatype | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
value | string | value | |
odatatype | string | odatatype | |
settingDefinitionId | string | settingDefinitionId | |
settingInstanceTemplateReference | object | settingInstanceTemplateReference | |
odatatype | string | odatatype | |
settingInstanceTemplateId | string | settingInstanceTemplateId | |
odatatype | string | odatatype | |
odatatype | string | odatatype | |
settingValueTemplateReference | object | settingValueTemplateReference | |
odatatype | string | odatatype | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
odatatype | string | odatatype | |
settingValueTemplateReference | object | settingValueTemplateReference | |
odatatype | string | odatatype | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
value | string | value | |
odatatype | string | odatatype | |
odatatype | string | odatatype | |
settingDefinitionId | string | settingDefinitionId | |
odatatype | string | odatatype | |
odatatype | string | odatatype | |
settingValueTemplateReference | object | settingValueTemplateReference | |
settingValueTemplateId | string | settingValueTemplateId | |
useTemplateDefault | boolean | useTemplateDefault | |
odatatype | string | odatatype | |
value | string | value | |
odatatype | string | odatatype |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
state | string | The current state of the email authentication method configuration. Valid values are "enabled" or "disabled". | |
allowExternalIdToUseEmailOtp | string | Determines whether email OTP is usable by external users for authentication. Possible values are: default, enabled, disabled, unknownFutureValue. Tenants in the default state who did not use public preview will automatically have email OTP enabled beginning in October 2021. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
visibility | string | Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or Hiddenmembership. Hiddenmembership can be set only for Microsoft 365 groups, when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation. If visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default and Microsoft 365 group is Public. Groups assignable to roles are always Private. | |
assignedLabels | list<object> | The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. | |
labelId | string | The unique identifier of the label. | |
displayName | string | The display name of the label. | |
assignedLicenses | list<object> | The licenses that are assigned to the group. | |
disabledPlans | list<string> | A collection of the unique identifiers for plans that have been disabled. | |
skuId | string | The unique identifier for the SKU. | |
classification | string | Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition. | |
displayName | string | The display name for the group. This property is required when a group is created and cannot be cleared during updates. | |
string | The SMTP address for the group, for example, "serviceadmins@contoso.onmicrosoft.com". | ||
renewedDateTime | number | Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. | |
theme | string | Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red. | |
id | string | The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable. | |
membershipRule | string | The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). | |
membershipRuleProcessingState | string | Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused. | |
preferredLanguage | string | The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example en-US. | |
proxyAddresses | list<string> | Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. The any operator is required to filter expressions on multi-valued properties. | |
groupTypes | list<string> | Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or distribution group. For details, see groups overview. If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static. | |
isAssignableToRole | boolean | Indicates whether this group can be assigned to an Azure Active Directory role or not. Optional. This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership). Only callers in Global administrator and Privileged role administrator roles can set this property. The caller must be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. | |
mailEnabled | boolean | Specifies whether the group is mail-enabled. Required. | |
mailNickname | string | The mail alias for the group, unique for Microsoft 365 groups in the organization. | |
onPremisesSamAccountName | string | Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. | |
deletedDateTime | number | For some Azure Active Directory objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null. | |
description | string | An optional description for the group. | |
securityIdentifier | string | Security identifier of the group, used in Windows scenarios. | |
onPremisesProvisioningErrors | list<object> | Errors when using Microsoft synchronization product during provisioning. | |
value | string | Value of the property causing the error. | |
category | string | Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property. | |
occurredDateTime | number | The date and time at which the error occurred. | |
propertyCausingError | string | Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress | |
onPremisesSyncEnabled | boolean | true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). | |
resourceBehaviorOptions | list<string> | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeNewGroupMembers, WelcomeEmailDisabled. | |
securityEnabled | boolean | Specifies whether the group is a security group. Required. | |
expirationDateTime | number | Timestamp of when the group is set to expire. The value cannot be modified and is automatically populated when the group is created. | |
licenseProcessingState | string | Indicates status of the group license assignment to all members of the group. Default value is false. Read-only. Possible values: QueuedForProcessing, ProcessingInProgress, and ProcessingComplete. | |
onPremisesSecurityIdentifier | string | Contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud. | |
createdDateTime | number | Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created. | |
preferredDataLocation | string | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. | |
resourceProvisioningOptions | list<string> | Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. Possible value is Team. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
mailNickname | string | The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE. | |
onPremisesSecurityIdentifier | string | Contains the on-premises security identifier (SID) for the group synchronized from on-premises to the cloud. | |
jobTitle | string | The user's job title. Maximum length is 128 characters. | |
string | The SMTP address for the user, for example, jeff@contoso.onmicrosoft.com. Changes to this property will also update the user's proxyAddresses collection to include the value as an SMTP address. This property can't contain accent characters. | ||
preferredDataLocation | string | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. | |
parent_group_id | string | Group | The parent group id for which the member(user/group) belongs. |
preferredLanguage | string | The preferred language for the user. The preferred language format is based on RFC 4646. The name is a combination of an ISO 639 two-letter lowercase culture code associated with the language, and an ISO 3166 two-letter uppercase subculture code associated with the country or region. Example: "en-US", or "es-ES". | |
description | string | An optional description for the group. | |
resourceBehaviorOptions | list<string> | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeNewGroupMembers, WelcomeEmailDisabled. | |
onPremisesProvisioningErrors | list<object> | Errors when using Microsoft synchronization product during provisioning. | |
category | string | Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property. | |
occurredDateTime | number | The date and time at which the error occurred. | |
propertyCausingError | string | Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress | |
value | string | Value of the property causing the error. | |
serviceProvisioningErrors | list<string> | The list of Service Provisioning Errors. | |
createdDateTime | number | Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | |
proxyAddresses | list<string> | Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. The any operator is required to filter expressions on multi-valued properties. | |
isAssignableToRole | boolean | Indicates whether this group can be assigned to a Microsoft Entra role. Optional.This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true, visibility must be Hidden, and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership).Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. | |
givenName | string | The given name (first name) of the user. Maximum length is 64 characters. | |
deletedDateTime | number | For some Microsoft Entra objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null. | |
onPremisesSyncEnabled | string | true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). | |
renewedDateTime | number | Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | |
resource_id | string | User Group | The actual resource id for which the member refers to. |
surname | string | The user's surname (family name or last name). Maximum length is 64 characters. | |
id | string | The member id. It is groupid_userid | |
userPrincipalName | string | The user principal name (UPN) of the user. The UPN is an Internet-style sign-in name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the verifiedDomains property of organization. | |
officeLocation | string | The office location in the user's place of business. | |
classification | string | Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition. | |
creationOptions | list<string> | Creation options. | |
expirationDateTime | number | Timestamp of when the group is set to expire. It is null for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | |
groupTypes | list<string> | Specifies the group type and its membership.If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview.If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static. | |
membershipRule | string | The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). | |
odatatype | string | The grpah data type, either User or Graph | |
displayName | string | The name displayed in the address book for the user/group. This property is required when a user/group is created and it cannot be cleared during updates. Maximum length is 256 characters. | |
securityIdentifier | string | Security identifier of the group, used in Windows scenarios. | |
onPremisesDomainName | string | The on-premise domain name. | |
onPremisesNetBiosName | string | The on-premise net bios name. | |
onPremisesSamAccountName | string | Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. | |
resourceProvisioningOptions | list<string> | Specifies the group resources provisioned as part of Microsoft 365 group creation that are not normally part of default group creation. The possible value is Team. | |
securityEnabled | boolean | Specifies whether the group is a security group. Required. | |
theme | string | Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red. | |
mailEnabled | boolean | Specifies whether the group is mail-enabled. Required. | |
membershipRuleProcessingState | string | Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused. | |
visibility | string | Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or HiddenMembership. HiddenMembership can be set only for Microsoft 365 groups when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation.If visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default, and the Microsoft 365 group is Public. Groups assignable to roles are always Private. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
roleScopeTagIds | list<string> | List of Scope Tags for this Entity instance. | |
displayName | string | Admin provided name of the device configuration. | |
passcodeBlockSimple | boolean | Indicates whether or not to block simple passcodes. | |
osMaximumBuildVersion | string | Maximum IOS build version. | |
advancedThreatProtectionRequiredSecurityLevel | string | MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
deviceThreatProtectionEnabled | boolean | Require that devices have enabled device threat protection . | |
lastModifiedDateTime | number | DateTime the object was last modified. | |
passcodeMinutesOfInactivityBeforeScreenTimeout | number | Minutes of inactivity before the screen times out. | |
osMaximumVersion | string | Maximum IOS version. | |
securityBlockJailbrokenDevices | boolean | Devices must not be jailbroken or rooted. | |
createdDateTime | number | DateTime the object was created. | |
osMinimumVersion | string | Minimum IOS version. | |
restrictedApps | list<object> | Require the device to not have the specified apps installed. This collection can contain a maximum of 100 elements. | |
appStoreUrl | string | The Store URL of the application. | |
appId | string | The application or bundle identifier of the application. | |
odatatype | string | The application data type. | |
name | string | The application name. | |
publisher | string | The publisher of the application. | |
osMinimumBuildVersion | string | Minimum IOS build version. | |
deviceThreatProtectionRequiredSecurityLevel | string | Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
passcodeExpirationDays | number | Number of days before the passcode expires. Valid values 1 to 65535. | |
passcodeMinimumLength | number | Minimum length of passcode. Valid values 4 to 14. | |
passcodeMinimumCharacterSetCount | number | The number of character sets required in the password. | |
id | string | Key of the entity. | |
description | string | Admin provided description of the Device Configuration. | |
passcodeRequiredType | string | The required passcode type. Possible values are: deviceDefault, alphanumeric, numeric. | |
odatatype | string | Microsoft graph ios compliance policy type. | |
passcodeRequired | boolean | Indicates whether or not to require a passcode. | |
version | number | Version of the device configuration. | |
passcodeMinutesOfInactivityBeforeLock | number | Minutes of inactivity before a passcode is required. | |
passcodePreviousPasscodeBlockCount | number | Number of previous passcodes to block. Valid values 1 to 24. | |
managedEmailProfileRequired | boolean | Indicates whether or not to require a managed email profile. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
passwordMinutesOfInactivityBeforeLock | number | Minutes of inactivity before a password is required. | |
passwordPreviousPasswordBlockCount | number | Number of previous passwords to block. Valid values 1 to 24. | |
osMinimumVersion | string | Minimum MacOS version. | |
advancedThreatProtectionRequiredSecurityLevel | string | MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
firewallEnabled | boolean | Whether the firewall should be enabled or not. | |
passwordBlockSimple | boolean | Indicates whether or not to block simple passwords. | |
firewallEnableStealthMode | boolean | Corresponds to 'Enable stealth mode'. | |
deviceThreatProtectionRequiredSecurityLevel | string | Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
description | string | Admin provided description of the Device Configuration. | |
version | number | Version of the device configuration. | |
passwordRequired | boolean | Whether or not to require a password. | |
roleScopeTagIds | list<string> | List of Scope Tags for this Entity instance. | |
passwordRequiredType | string | The required password type. Possible values are: deviceDefault, alphanumeric, numeric. | |
passwordMinimumLength | number | Minimum length of password. Valid values 4 to 14. | |
lastModifiedDateTime | number | DateTime the object was last modified. | |
displayName | string | Admin provided name of the device configuration. | |
osMaximumBuildVersion | string | Maximum MacOS build version. | |
deviceThreatProtectionEnabled | boolean | Require that devices have enabled device threat protection. | |
storageRequireEncryption | boolean | Require encryption on Mac OS devices. | |
firewallBlockAllIncoming | boolean | Corresponds to the "Block all incoming connections" option. | |
createdDateTime | number | DateTime the object was created. | |
systemIntegrityProtectionEnabled | boolean | Require that devices have enabled system integrity protection. | |
gatekeeperAllowedAppSource | string | System and Privacy setting that determines which download locations apps can be run from on a macOS device. Possible values are: notConfigured, macAppStore, macAppStoreAndIdentifiedDevelopers, anywhere. | |
odatatype | string | Microsoft graph mac os compliance type. | |
passwordMinimumCharacterSetCount | number | The number of character sets required in the password. | |
osMaximumVersion | string | Maximum MacOS version. | |
id | string | Key of the entity. | |
osMinimumBuildVersion | string | Minimum MacOS build version. | |
passwordExpirationDays | number | Number of days before the password expires. Valid values 1 to 65535. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
userId | string | Unique Identifier for the user associated with the device. | |
osVersion | string | Operating system version of the device. | |
activationLockBypassCode | string | The code that allows the Activation Lock on managed device to be bypassed. Default, is Null (Non-Default property) for this property when returned as part of managedDevice entity in LIST call. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported. | |
emailAddress | string | Email(s) for the user associated with the device. | |
operatingSystem | string | Operating system of the device. Windows, iOS, etc. | |
wiFiMacAddress | string | Wi-Fi MAC address. | |
totalStorageSpaceInBytes | number | Total Storage in Bytes. | |
phoneNumber | string | Phone number of the device. | |
freeStorageSpaceInBytes | number | Free Storage in Bytes. Default value is 0. | |
iccid | string | Integrated Circuit Card Identifier, it is A SIM card's unique identification number. Default is an empty string. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported. | |
model | string | Model of the device. | |
id | string | Unique Identifier for the device. | |
easDeviceId | string | Exchange ActiveSync Id of the device. | |
meid | string | MEID. | |
managementAgent | string | Management channel of the device. Examples: Intune, EAS, etc. Default is unknown. Supports $filter operator 'eq' and 'or'. Possible values are: eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController. | |
isSupervised | boolean | Device supervised status. | |
exchangeAccessState | string | The Access State of the device in Exchange. Possible values are: none, unknown, allowed, blocked, quarantined. | |
remoteAssistanceSessionUrl | string | Url that allows a Remote Assistance session to be established with the device. Default is an empty string. To retrieve actual values GET call needs to be made, with device id and included in select parameter. | |
complianceGracePeriodExpirationDateTime | number | The DateTime when device compliance grace period expires. | |
managedDeviceName | string | Automatically generated name to identify a device. | |
easActivationDateTime | number | Exchange ActivationSync activation time of the device. | |
userDisplayName | string | User display name. | |
notes | string | Notes on the device created by IT Admin. Default is null. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported. | |
deviceRegistrationState | string | Device registration state. Possible values are: notRegistered, registered, revoked, keyConflict, approvalPending, certificateReset, notRegisteredPendingEnrollment, unknown. | |
exchangeAccessStateReason | string | The reason for the device's access state in Exchange. Possible values are: none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp. | |
udid | string | Unique Device Identifier for iOS and macOS devices. Default is an empty string. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported. | |
ethernetMacAddress | string | Indicates Ethernet MAC Address of the device. Default, is Null (Non-Default property) for this property when returned as part of managedDevice entity. Individual get call with select query options is needed to retrieve actual values. Example: deviceManagement/managedDevices({managedDeviceId})?$select=ethernetMacAddress Supports: $select. $Search is not supported. | |
physicalMemoryInBytes | number | Total Memory in Bytes. Default is 0. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. | |
jailBroken | string | Whether the device is jail broken or rooted. Default is an empty string. Supports $filter operator 'eq' and 'or'. | |
easActivated | boolean | Whether the device is Exchange ActiveSync activated. | |
deviceEnrollmentType | string | Enrollment type of the device. Possible values are: unknown, userEnrollment, deviceEnrollmentManager, appleBulkWithUser, appleBulkWithoutUser, windowsAzureADJoin, windowsBulkUserless, windowsAutoEnrollment, windowsBulkAzureDomainJoin, windowsCoManagement, windowsAzureADJoinUsingDeviceAuth, appleUserEnrollment, appleUserEnrollmentWithServiceAccount. | |
isEncrypted | boolean | Device encryption status. | |
azureADDeviceId | string | The unique identifier for the Azure Active Directory device. Read only. | |
manufacturer | string | Manufacturer of the device. | |
androidSecurityPatchLevel | string | Android security patch level. | |
managementCertificateExpirationDate | number | Reports device management certificate expiration date. | |
odatatype | string | To distinguish between different platforms (Android, iOS). | |
deviceActionResults | list<object> | List of ComplexType deviceActionResult objects. | |
actionState | string | State of the action. Possible values are: none, pending, canceled, active, done, failed, notSupported. | |
startDateTime | number | Time the action was initiated. | |
lastUpdatedDateTime | number | Time the action state was last updated. | |
odatatype | string | deviceActionResult type | |
actionName | string | Action name | |
enrolledDateTime | number | Enrollment time of the device. Supports $filter operator 'lt' and 'gt'. | |
deviceCategoryDisplayName | string | Device category display name. Default is an empty string. Supports $filter operator 'eq' and 'or'. | |
partnerReportedThreatState | string | Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are: unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured. | |
exchangeLastSuccessfulSyncDateTime | number | Last time the device contacted Exchange. | |
subscriberCarrier | string | Subscriber Carrier. | |
deviceName | string | Name of the device. | |
azureADRegistered | boolean | Whether the device is Azure Active Directory registered. | |
userPrincipalName | string | Device user principal name. | |
serialNumber | string | SerialNumber. | |
configurationManagerClientEnabledFeatures | object | ConfigrMgr client enabled features. | |
deviceConfiguration | boolean | Whether device configuration is managed by Intune. | |
compliancePolicy | boolean | Whether compliance policy is managed by Intune. | |
windowsUpdateForBusiness | boolean | Whether Windows Update for Business is managed by Intune. | |
odatatype | string | Configuration manage client enabled feature types | |
inventory | boolean | Whether inventory is managed by Intune. | |
modernApps | boolean | Whether modern application is managed by Intune. | |
resourceAccess | boolean | Whether resource access is managed by Intune. | |
requireUserEnrollmentApproval | boolean | Reports if the managed iOS device is user approval enrollment. | |
complianceState | string | Compliance state of the device. Examples: Compliant, Conflict, Error, etc. Default is unknown. Supports $filter operator 'eq' and 'or'. Possible values are: unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager. | |
remoteAssistanceSessionErrorDetails | string | An error string that identifies issues when creating Remote Assistance session objects. | |
managedDeviceOwnerType | string | Ownership of the device. Can be 'company' or 'personal'.Possible values are: unknown, company, personal. | |
lastSyncDateTime | number | The date and time that the device last completed a successful sync with Intune. Supports $filter operator 'lt' and 'gt'. | |
imei | string | IMEI string. | |
deviceHealthAttestationState | object | The device health attestation state. | |
bootManagerVersion | string | The version of the Boot Manager. | |
restartCount | number | The number of times a PC device has rebooted. | |
resetCount | number | The number of times a PC device has hibernated or resumed. | |
operatingSystemKernelDebugging | string | When operatingSystemKernelDebugging is enabled, the device is used in development and testing. | |
virtualSecureMode | string | VSM is a container that protects high value assets from a compromised kernel. | |
bootAppSecurityVersion | string | The security version number of the Boot Application. | |
lastUpdateDateTime | number | The Timestamp of the last update. | |
operatingSystemRevListInfo | string | The Operating System Revision List that was loaded during initial boot on the attested device. | |
bootDebugging | string | When bootDebugging is enabled, the device is used in development and testing. | |
attestationIdentityKey | string | TWhen an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. | |
dataExcutionPolicy | string | DEP Policy defines a set of hardware and software technologies that perform additional checks on memory. | |
safeMode | string | Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. | |
windowsPE | string | Operating system running with limited services that is used to prepare a computer for Windows. | |
earlyLaunchAntiMalwareDriverProtection | string | ELAM provides protection for the computers in your network when they start up. | |
deviceHealthAttestationStatus | string | The DHA report version. (Namespace version). | |
contentVersion | string | The HealthAttestation state schema version. | |
bitLockerStatus | string | On or Off of BitLocker Drive Encryption. | |
secureBoot | string | When Secure Boot is enabled, the core components must have the correct cryptographic signatures. | |
bootManagerSecurityVersion | string | The security version number of the Boot Application. | |
tpmVersion | string | The security version number of the Boot Application. | |
secureBootConfigurationPolicyFingerPrint | string | Fingerprint of the Custom Secure Boot Configuration Policy. | |
healthStatusMismatchInfo | string | This attribute appears if DHA-Service detects an integrity issue. | |
odatatype | string | Device health attestation state type. | |
pcrHashAlgorithm | string | Informational attribute that identifies the HASH algorithm that was used by TPM. | |
codeIntegrityCheckVersion | string | The version of the Boot Manager | |
pcr0 | string | The measurement that is captured in PCR[0]. | |
codeIntegrityPolicy | string | The Code Integrity policy that is controlling the security of the boot environment. | |
bootRevisionListInfo | string | The Boot Revision List that was loaded during initial boot on the attested device. | |
issuedDateTime | number | The DateTime when device was evaluated or issued to MDM. | |
codeIntegrity | string | When code integrity is enabled, code execution is restricted to integrity verified code. | |
testSigning | string | When test signing is allowed, the device does not enforce signature validation during boot. | |
healthAttestationSupportedStatus | string | This attribute indicates if DHA is supported for the device. | |
contentNamespaceUrl | string | The DHA report version. (Namespace version). |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
countriesAndRegions | list<string> | List of countries and/or regions in two-letter format specified by ISO 3166-2. | |
includeUnknownCountriesAndRegions | boolean | true if IP addresses that don't map to a country or region should be included in the named location. | |
countryLookupMethod | string | Determines what method is used to decide which country the user is located in. Possible values are clientIpAddress(default) and authenticatorAppGps. | |
isTrusted | boolean | true if this location is explicitly trusted. | |
ipRanges | list<object> | List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596. | |
odatatype | string | Used to distinguish between different types of ip ranges. Possible values are #microsoft.graph.iPv4CidrRange and #microsoft.graph.iPv6CidrRange. | |
cidrAddress | string | IPv4 or IPv6 address in CIDR notation. | |
id | string | The id of the named location. | |
odatatype | string | To distinguish between different types of named locations. Value can be #microsoft.graph.countryNamedLocation or #microsoft.graph.ipNamedLocation. | |
displayName | string | The display name of the named location. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
scope | string | A space-separated list of the claim values for delegated permissions which should be included in access tokens for the resource application (the API). For example, 'openid User.Read GroupMember.Read.All'. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the publishedPermissionScopes property of the resource service principal. | |
id | string | The ID of the OAuth2PermissionGrant. | |
clientId | string | ServicePrincipal | The ID of the client service principal for the application which is authorized to act on behalf of a signed-in user when accessing an API. Corresponds to the 'objectId' field inside the Azure 'Enterprise applications' page. |
consentType | string | Indicates if authorization is granted for the client application to impersonate all users or only a specific user. 'AllPrincipals' indicates authorization to impersonate all users. 'Principal' indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions. | |
principalId | string | User | The ID of the user on behalf of whom the client is authorized to access the resource, when consentType is Principal. If consentType is 'AllPrincipals' this value is null. Required when consentType is 'Principal'. |
resourceId | string | ServicePrincipal | The ID of the resource service principal to which access is authorized. This identifies the API which the client is authorized to attempt to call on behalf of a signed-in user. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
id | string | The unique identifier for the service principal. Inherited from directoryObject Key | |
info | object | Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. | |
logoUrl | string | CDN URL to the application's logo. | |
marketingUrl | string | Link to the application's marketing page. | |
privacyStatementUrl | string | Link to the application's privacy statement. | |
supportUrl | string | Link to the application's support page. | |
termsOfServiceUrl | string | Link to the application's terms of service statement. | |
servicePrincipalNames | list<string> | Contains the list of identifiersUris, copied over from the associated application. Additional values can be added to hybrid applications. These values can be used to identify the permissions exposed by this app within Azure AD. | |
displayName | string | The display name for the service principal. | |
homepage | string | Home page or landing page of the application. | |
appRoles | list<object> | The roles exposed by the application which this service principal represents. For more information see the appRoles property definition on the application entity. Not nullable. | |
displayName | string | Display name for the permission that appears in the app role assignment and consent experiences. | |
id | string | Unique role identifier inside the appRoles collection. When creating a new app role, a new GUID identifier must be provided. | |
isEnabled | boolean | When creating or updating an app role, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed. | |
origin | string | Specifies if the app role is defined on the application object or on the servicePrincipal entity. Must not be included in any POST or PATCH requests. | |
value | string | Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal. | |
allowedMemberTypes | list<string> | Specifies whether this app role can be assigned to users and groups (by setting to ["User"]), to other application's (by setting to ["Application"], or both (by setting to ["User", "Application"]). App roles supporting assignment to other applications' service principals are also known as application permissions. The "Application" value is only supported for app roles defined on application entities. | |
description | string | The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences. | |
notes | string | Free text field to capture information about the service principal, typically used for operational purposes. | |
servicePrincipalType | string | Identifies whether the service principal represents an application, a managed identity, or a legacy application. This is set by Azure AD internally. The servicePrincipalType property can be set to three different values: Application - A service principal that represents an application or service. The appId property identifies the associated app registration, and matches the appId of an application, possibly from a different tenant. If the associated app registration is missing, tokens are not issued for the service principal. ManagedIdentity - A service principal that represents a managed identity. Service principals representing managed identities can be granted access and permissions, but cannot be updated or modified directly. Legacy - A service principal that represents an app created before app registrations, or through legacy experiences. Legacy service principal can have credentials, service principal names, reply URLs, and other properties which are editable by an authorized user, but does not have an associated app registration. The appId value does not associate the service principal with an app registration. The service principal can only be used in the tenant where it was created. | |
tags | list<string> | Custom strings that can be used to categorize and identify the service principal. | |
addIns | list<object> | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on. | |
id | string | id of an addIn. | |
properties | list<object> | property of an addIn. | |
key | string | Key for the key-value pair. | |
value | string | Value for the key-value pair. | |
type | string | type of an addIn. | |
appOwnerOrganizationId | string | Contains the tenant id where the application is registered. This is applicable only to service principals backed by applications. | |
verifiedPublisher | object | Specifies the verified publisher of the application which this service principal represents. | |
addedDateTime | number | The timestamp when the verified publisher was first added or most recently updated. | |
displayName | string | The verified publisher name from the app publisher's Partner Center account. | |
verifiedPublisherId | string | The ID of the verified publisher from the app publisher's Partner Center account. | |
resourceSpecificApplicationPermissions | list<object> | The resource-specific application permissions exposed by this application. Currently, resource-specific permissions are only supported for Teams apps accessing to specific chats and teams using Microsoft Graph. | |
description | string | Describes the level of access that the resource-specific permission represents. | |
displayName | string | The display name for the resource-specific permission. | |
id | string | The unique identifier for the resource-specific application permission. | |
isEnabled | boolean | Indicates whether the permission is enabled. | |
value | string | The value of the permission. | |
tokenEncryptionKeyId | string | Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD issues tokens for this application encrypted using the key specified by this property. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. | |
passwordCredentials | list<object> | The collection of password credentials associated with the application. | |
hint | string | Contains the first three characters of the password. | |
keyId | string | The unique identifier for the password. | |
secretText | string | Contains the strong passwords generated by Azure AD that are 16-64 characters in length. The generated password value is only returned during the initial POST request to addPassword. There is no way to retrieve this password in the future. | |
startDateTime | number | The date and time at which the password becomes valid. | |
customKeyIdentifier | string | Do not use. | |
displayName | string | Friendly name for the password. | |
endDateTime | number | The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. | |
replyUrls | list<string> | The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. | |
disabledByMicrosoftStatus | string | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). | |
oauth2PermissionScopes | list<object> | The delegated permissions exposed by the application. For more information see the oauth2PermissionScopes property on the application entity's api property. | |
userConsentDisplayName | string | A title for the permission, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves. | |
value | string | Specifies the value to include in the scp (scope) claim in access tokens. | |
adminConsentDescription | string | A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. This text appears in tenant-wide admin consent experiences. | |
adminConsentDisplayName | string | The permission's title, intended to be read by an administrator granting the permission on behalf of all users. | |
id | string | Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application. | |
isEnabled | boolean | When creating or updating a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed. | |
type | string | The possible values are: User and Admin. Specifies whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator consent should always be required. While Microsoft Graph defines the default consent requirement for each permission, the tenant administrator may override the behavior in their organization (by allowing, restricting, or limiting user consent to this delegated permission). | |
userConsentDescription | string | A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves. | |
notificationEmailAddresses | list<string> | Specifies the list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications. | |
alternativeNames | list<string> | Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities. | |
appDescription | string | The description exposed by the associated application. | |
applicationTemplateId | string | Unique identifier of the applicationTemplate that the servicePrincipal was created from. | |
keyCredentials | list<object> | The collection of key credentials associated with the service principal. | |
displayName | string | Friendly name for the key. | |
endDateTime | number | The date and time at which the credential expires. | |
key | string | The certificate's raw data in byte array converted to Base64 string. | |
keyId | string | The unique identifier (GUID) for the key. | |
startDateTime | number | The date and time at which the credential becomes valid. | |
type | string | The type of key credential; for example, Symmetric, AsymmetricX509Cert. | |
usage | string | A string that describes the purpose for which the key can be used; for example, Verify. | |
customKeyIdentifier | string | Custom key identifier | |
loginUrl | string | Specifies the URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. The user launches the application from Microsoft 365, the Azure AD My Apps, or the Azure AD SSO URL. | |
preferredSingleSignOnMode | string | Specifies the single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. The supported values are password, saml, notSupported, and oidc. | |
samlSingleSignOnSettings | object | The collection for settings related to saml single sign-on. | |
relayState | string | The relative URI the service provider would redirect to after completion of the single sign-on flow. | |
signInAudience | string | Specifies the Microsoft accounts that are supported for the current application. Supported values are: AzureADMyOrg-Users with a Microsoft work or school account in my organization's Azure AD tenant (single-tenant). AzureADMultipleOrgs-Users with a Microsoft work or school account in any organization's Azure AD tenant (multi-tenant). AzureADandPersonalMicrosoftAccount-Users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant. PersonalMicrosoftAccount-Users with a personal Microsoft account only. | |
accountEnabled | boolean | true if the service principal account is enabled; otherwise, false. | |
appDisplayName | string | The display name exposed by the associated application. | |
description | string | Free text field to provide an internal end-user facing description of the service principal. End-user portals such MyApps will display the application description in this field. | |
logoutUrl | string | Specifies the URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols. | |
deletedDateTime | number | The date and time the service principal was deleted. | |
appId | string | Application | The unique identifier for the associated application (its appId property). |
appRoleAssignmentRequired | boolean | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
roleDefinitionId | string | UnifiedRoleDefinition | Identifier of the role definition the assignment is for. Read only. |
principalId | string | User Group | Identifier of the principal to which the assignment is granted. |
principal | object | Details of the principal the assignment is for. Read only. | |
string | email id of the principal user. | ||
displayName | string | display of the principal user. | |
odatatype | string | Type of principal, can be a user or group. | |
id | string | Identifier of the principal to which the assignment is granted. | |
id | string | The unique identifier for the role assignment. Key, not nullable, Read-only. | |
appScopeId | string | Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or directoryScopeId is required. App scopes are scopes that are defined and understood by this application only | |
directoryScopeId | string | Identifier of the directory object representing the scope of the assignment. Either this property or appScopeId is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
description | string | The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true. | |
isEnabled | boolean | Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true. | |
resourceScopes | string | List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. | |
templateId | string | Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories. | |
version | string | Indicates version of the role definition. Read-only when isBuiltIn is true. | |
displayName | string | The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. | |
id | string | The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. | |
isBuiltIn | boolean | Flag indicating whether the role definition is part of the default set included in Azure Active Directory (Azure AD) or a custom definition. | |
rolePermissions | list<object> | List of permissions included in the role. Read-only when isBuiltIn is true. | |
condition | string | Optional constraints that must be met for the permission to be effective. Not supported for custom roles. | |
excludedResourceActions | list<string> | Set of tasks that may not be performed on a resource. Not yet supported. | |
allowedResourceActions | list<string> | Set of tasks that can be performed on a resource. | |
inheritsPermissionsFrom | list<object> | Read-only collection of role definitions that the given role definition inherits from. Only Azure AD built-in roles (isBuiltIn is true) support this attribute. | |
id | string | The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
accountEnabled | boolean | true if the account is enabled; otherwise, false. This property is required when a user is created. | |
creationType | string | Indicates whether the user account was created through one of the following methods: As a regular school or work account (null), As an external account (Invitation), As a local account for an Azure Active Directory B2C tenant (LocalAccount), Through self-service sign-up by an internal user using email verification (EmailVerified), Through self-service sign-up by an external user signing up through a link that is part of a user flow (SelfServiceSignUp). | |
department | string | The name for the department in which the user works. | |
displayName | string | The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates. | |
employeeHireDate | number | The date and time when the user was hired or will start work in case of a future hire. | |
identities | list<object> | Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft (also known as a local account), by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account. May contain multiple items with the same signInType value. | |
signInType | string | Specifies the user sign-in types in your directory, such as emailAddress, userName, federated, or userPrincipalName. federated represents a unique identifier for a user from an issuer, that can be in any format chosen by the issuer. Setting or updating a userPrincipalName identity will update the value of the userPrincipalName property on the user object. The validations performed on the userPrincipalName property on the user object, for example, verified domains and acceptable characters, will be performed when setting or updating a userPrincipalName identity. Additional validation is enforced on issuerAssignedId when the sign-in type is set to emailAddress or userName. This property can also be set to any custom string. | |
issuer | string | Specifies the issuer of the identity, for example facebook.com. For local accounts (where signInType is not federated), this property is the local B2C tenant default domain name, for example contoso.onmicrosoft.com. For external users from other Azure AD organization, this will be the domain of the federated organization, for example contoso.com. | |
issuerAssignedId | string | Specifies the unique identifier assigned to the user by the issuer. The combination of issuer and issuerAssignedId must be unique within the organization. Represents the sign-in name for the user, when signInType is set to emailAddress or userName (also known as local accounts). When signInType is set to: emailAddress, (or a custom string that starts with emailAddress like emailAddress1) issuerAssignedId must be a valid email address userName, issuerAssignedId must be a valid local part of an email address | |
onPremisesImmutableId | string | This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property. | |
country | string | The country/region in which the user is located; for example, US or UK. | |
licenseAssignmentStates | list<object> | State of license assignments for this user. | |
state | string | Indicate the current state of this assignment. Read-Only. The possible values are Active, ActiveWithError, Disabled, and Error. | |
assignedByGroup | string | The id of the group that assigns this license. If the assignment is a direct-assigned license, this field will be Null. | |
disabledPlans | list<string> | The service plans that are disabled in this assignment. | |
error | string | License assignment failure error. If the license is assigned successfully, this field will be Null. Read-Only. The possible values are CountViolation, MutuallyExclusiveViolation, DependencyViolation, ProhibitedInUsageLocationViolation, UniquenessViolation, and Other. | |
lastUpdatedDateTime | number | The timestamp when the state of the license assignment was last updated. | |
skuId | string | The unique identifier for the SKU. | |
proxyAddresses | list<string> | For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. Changes to the mail property will also update this collection to include the value as an SMTP address. For more information, see mail and proxyAddresses properties. The proxy address prefixed with SMTP (capitalized) is the primary proxy address while those prefixed with smtp are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of ten unique addresses. | |
refreshTokensValidFromDateTime | number | Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint. | |
streetAddress | string | The street address of the user's place of business. | |
ageGroup | string | Sets the age group of the user. Allowed values: null, Minor, NotAdult and Adult. | |
companyName | string | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. | |
legalAgeGroupClassification | string | Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated based on ageGroup and consentProvidedForMinor properties. Allowed values: null, MinorWithOutParentalConsent, MinorWithParentalConsent, MinorNoParentalConsentRequired, NotAdult and Adult. | |
usageLocation | string | A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: US, JP, and GB. | |
mobilePhone | string | The primary cellular telephone number for the user. Read-only for users synced from on-premises directory. | |
consentProvidedForMinor | string | Sets whether consent has been obtained for minors. Allowed values: null, Granted, Denied and NotRequired. | |
onPremisesDistinguishedName | string | Contains the on-premises Active Directory distinguished name or DN. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. | |
showInAddressList | boolean | Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. Represents whether the user should be included in the Outlook global address list. | |
businessPhones | list<string> | The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property. Read-only for users synced from on-premises directory. | |
externalUserState | string | For an external user invited to the tenant using the invitation API, this property represents the invited user's invitation status. For invited users, the state can be PendingAcceptance or Accepted, or null for all other users. | |
employeeId | string | The employee identifier assigned to the user by the organization. | |
imAddresses | list<string> | The instant message voice over IP (VOIP) session initiation protocol (SIP) addresses for the user. | |
mailNickname | string | The mail alias for the user. This property must be specified when a user is created. | |
passwordPolicies | string | Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two may be specified together; for example: DisablePasswordExpiration, DisableStrongPassword. | |
preferredLanguage | string | The preferred language for the user. Should follow ISO 639-1 Code; for example en-US. | |
schools | list<string> | A list for the user to enumerate the schools they have attended. | |
onPremisesSecurityIdentifier | string | Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. | |
onPremisesUserPrincipalName | string | Contains the on-premises userPrincipalName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. | |
jobTitle | string | The user's job title. | |
city | string | The city in which the user is located. | |
deletedDateTime | number | The date and time the user was deleted. | |
externalUserStateChangeDateTime | number | Shows the timestamp for the latest change to the externalUserState property. | |
string | The SMTP address for the user, for example, jeff@contoso.onmicrosoft.com. | ||
officeLocation | string | The office location in the user's place of business. | |
userType | string | A string value that can be used to classify user types in your directory, such as Member and Guest. | |
createdDateTime | number | The created date of the user object. | |
employeeOrgData | object | Represents organization data (e.g. division and costCenter) associated with a user. | |
division | string | The name of the division in which the user works. | |
costCenter | string | The cost center associated with the user. | |
userRegistrationDetails | object | Represents the state of a user's authentication methods, including which methods are registered and which features the user is registered and capable of. | |
isMfaCapable | boolean | Indicates whether the user has registered a strong authentication method for multifactor authentication. | |
isMfaRegistered | boolean | Indicates whether the user has registered a strong authentication method for multifactor authentication. | |
isPasswordlessCapable | boolean | Indicates whether the user has registered a passwordless strong authentication method. | |
isSsprCapable | boolean | Indicates whether the user has registered the required number of authentication methods for self-service password reset and the user is allowed to perform self-service password reset by policy. | |
isSsprEnabled | boolean | Indicates whether the user is allowed to perform self-service password reset by policy. The user may not necessarily have registered the required number of authentication methods for self-service password reset. | |
isSystemPreferredAuthenticationMethodEnabled | boolean | Indicates whether system preferred authentication method is enabled. If enabled, the system dynamically determines the most secure authentication method among the methods registered by the user. | |
methodsRegistered | list<string> | Collection of authentication methods registered. | |
isAdmin | boolean | Indicates whether the user has an admin role in the tenant. | |
userPreferredMethodForSecondaryAuthentication | string | The method the user selected as the default second-factor for performing multifactor authentication. | |
systemPreferredAuthenticationMethods | list<string> | Collection of authentication methods that the system determined to be the most secure authentication methods among the registered methods for second factor authentication. | |
lastUpdatedDateTime | number | The date and time (UTC) when the record was last updated. | |
isSsprRegistered | boolean | Indicates whether the user has registered the required number of authentication methods for self-service password reset. The user may not necessarily be allowed to perform self-service password reset by policy. | |
onPremisesDomainName | string | Contains the on-premises domainFQDN, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. | |
postalCode | string | The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code. | |
surname | string | The user's surname (family name or last name). | |
hireDate | number | The hire date of the user. Note: This property is specific to SharePoint Online. We recommend using the native employeeHireDate property to set and update hire date values using Microsoft Graph APIs. | |
id | string | The unique identifier for the user. | |
isResourceAccount | boolean | Do not use - reserved for future use. | |
onPremisesProvisioningErrors | list<object> | Errors when using Microsoft synchronization product during provisioning. | |
propertyCausingError | string | Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress | |
value | string | Value of the property causing the error. | |
category | string | Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property. | |
occurredDateTime | number | The date and time at which the error occurred. | |
onPremisesSamAccountName | string | Contains the on-premises samAccountName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. | |
otherMails | list<string> | A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"]. | |
signInSessionsValidFromDateTime | number | Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint. | |
userPrincipalName | string | The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the verifiedDomains property of organization. | |
assignedLicenses | list<object> | The licenses that are assigned to the user, including inherited (group-based) licenses. | |
disabledPlans | list<string> | A collection of the unique identifiers for plans that have been disabled. | |
skuId | string | The unique identifier for the SKU. | |
givenName | string | The given name (first name) of the user. | |
onPremisesExtensionAttributes | object | Contains extensionAttributes1-15 for the user. These extension attributes are also known as Exchange custom attributes 1-15. For an onPremisesSyncEnabled user, the source of authority for this set of properties is the on-premises and is read-only. For a cloud-only user (where onPremisesSyncEnabled is false), these properties can be set during creation or update of a user object. For a cloud-only user previously synced from on-premises Active Directory, these properties are read-only in Microsoft Graph but can be fully managed through the Exchange Admin Center or the Exchange Online V2 module in PowerShell. | |
extensionAttribute5 | string | Fifth customizable extension attribute. | |
extensionAttribute10 | string | Tenth customizable extension attribute. | |
extensionAttribute11 | string | Eleventh customizable extension attribute. | |
extensionAttribute7 | string | Seventh customizable extension attribute. | |
extensionAttribute9 | string | Ninth customizable extension attribute. | |
extensionAttribute14 | string | Fourteenth customizable extension attribute. | |
extensionAttribute2 | string | Second customizable extension attribute. | |
extensionAttribute3 | string | Third customizable extension attribute. | |
extensionAttribute4 | string | Fourth customizable extension attribute. | |
extensionAttribute6 | string | Sixth customizable extension attribute. | |
extensionAttribute12 | string | Twelfth customizable extension attribute. | |
extensionAttribute13 | string | Thirteenth customizable extension attribute. | |
extensionAttribute1 | string | First customizable extension attribute. | |
extensionAttribute8 | string | Eighth customizable extension attribute. | |
extensionAttribute15 | string | Fifteenth customizable extension attribute. | |
employeeType | string | Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor. | |
faxNumber | string | The fax number of the user. | |
lastPasswordChangeDateTime | number | The time when this Azure AD user last changed their password or when their password was created, whichever date the latest action was performed. | |
onPremisesSyncEnabled | boolean | true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). | |
passwordProfile | object | Specifies the password profile for the user. The profile contains the user's password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required. | |
forceChangePasswordNextSignIn | boolean | true if the user must change her password on the next login; otherwise false. If not set, default is false. | |
forceChangePasswordNextSignInWithMfa | boolean | If true, at next sign-in, the user must perform a multi-factor authentication (MFA) before being forced to change their password. The behavior is identical to forceChangePasswordNextSignIn except that the user is required to first perform a multi-factor authentication before password change. After a password change, this property will be automatically reset to false. If not set, default is false. | |
password | string | The password for the user. This property is required when a user is created. It can be updated, but the user will be required to change the password on the next login. The password must satisfy minimum requirements as specified by the user's passwordPolicies property. By default, a strong password is required. | |
state | string | The state or province in the user's address. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
passwordRequired | boolean | Require a password to unlock Windows device. | |
passwordMinimumLength | number | The minimum password length. | |
passwordPreviousPasswordBlockCount | number | The number of previous passwords to prevent re-use of. | |
codeIntegrityEnabled | boolean | Require devices to be reported as healthy by Windows Device Health Attestation. | |
odatatype | string | Microsoft graph windows10 compliance policy type. | |
passwordBlockSimple | boolean | Indicates whether or not to block simple password. | |
deviceThreatProtectionRequiredSecurityLevel | string | Require Device Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet. | |
osMaximumVersion | string | Maximum Windows 10 version. | |
mobileOsMinimumVersion | string | Minimum Windows Phone version. | |
defenderEnabled | boolean | Require Windows Defender Antimalware on Windows devices. | |
signatureOutOfDate | boolean | Require Windows Defender Antimalware Signature to be up to date on Windows devices. | |
rtpEnabled | boolean | Require Windows Defender Antimalware Real-Time Protection on Windows devices. | |
activeFirewallRequired | boolean | Require active firewall on Windows devices. | |
defenderVersion | string | Require Windows Defender Antimalware minimum version on Windows devices. | |
version | number | Version of the device configuration. | |
passwordMinutesOfInactivityBeforeLock | number | Minutes of inactivity before a password is required. | |
passwordRequiredType | string | The required password type. Possible values are: deviceDefault, alphanumeric, numeric. | |
bitLockerEnabled | boolean | Require devices to be reported healthy by Windows Device Health Attestation - bit locker is enabled. | |
secureBootEnabled | boolean | Require devices to be reported as healthy by Windows Device Health Attestation - secure boot is enabled. | |
antiSpywareRequired | boolean | Require any AntiSpyware solution registered with Windows Decurity Center to be on and monitoring (e.g. Symantec, Windows Defender). | |
validOperatingSystemBuildRanges | list<object> | The valid operating system build ranges on Windows devices. This collection can contain a maximum of 10000 elements. | |
odatatype | string | Operating system build range data type. | |
description | string | The description of this range (e.g. Valid 1702 builds) | |
lowestVersion | string | The lowest inclusive version that this range contains. | |
highestVersion | string | The highest inclusive version that this range contains. | |
roleScopeTagIds | list<string> | List of Scope Tags for this Entity instance. | |
createdDateTime | number | DateTime the object was created. | |
passwordRequiredToUnlockFromIdle | boolean | Require a password to unlock an idle device. | |
mobileOsMaximumVersion | string | Maximum Windows Phone version. | |
earlyLaunchAntiMalwareDriverEnabled | boolean | Require devices to be reported as healthy by Windows Device Health Attestation - early launch antimalware driver is enabled. | |
antivirusRequired | boolean | Require any Antivirus solution registered with Windows Decurity Center to be on and monitoring (e.g. Symantec, Windows Defender). | |
deviceThreatProtectionEnabled | boolean | Require that devices have enabled device threat protection. | |
configurationManagerComplianceRequired | boolean | Require to consider SCCM Compliance state into consideration for Intune Compliance State. | |
description | string | Admin provided description of the Device Configuration. | |
displayName | string | Admin provided name of the device configuration. | |
passwordMinimumCharacterSetCount | number | The number of character sets required in the password. | |
requireHealthyDeviceReport | boolean | Require devices to be reported as healthy by Windows Device Health Attestation. | |
storageRequireEncryption | boolean | Require encryption on windows devices. | |
deviceCompliancePolicyScript | object | Device compliance policy script object. | |
odatatype | string | Device compliance policy script data type. | |
deviceComplianceScriptId | string | Device compliance script Id. | |
rulesContent | string | Json of the rules. | |
id | string | Key of the entity. | |
lastModifiedDateTime | number | DateTime the object was last modified. | |
passwordExpirationDays | number | The password expiration in days. | |
osMinimumVersion | string | Minimum Windows 10 version. | |
tpmRequired | boolean | Require Trusted Platform Module(TPM) to be present. |
ATTRIBUTE | TYPE | REFERS TO | DESCRIPTION |
---|---|---|---|
createdDateTime | number | DateTime the object was created. | |
passwordMinimumCharacterSetCount | number | The number of character sets required in the password. | |
odatatype | string | Microsoft graph windows 8.1 compliance policy type. | |
passwordRequired | boolean | Require a password to unlock Windows device. | |
passwordBlockSimple | boolean | Indicates whether or not to block simple password. | |
passwordExpirationDays | number | Password expiration in days. | |
osMinimumVersion | string | Minimum Windows 8.1 version. | |
roleScopeTagIds | list<string> | List of Scope Tags for this Entity instance. | |
id | string | Key of the entity. | |
lastModifiedDateTime | number | DateTime the object was last modified. | |
version | number | Version of the device configuration. | |
passwordMinimumLength | number | The minimum password length. | |
passwordMinutesOfInactivityBeforeLock | number | Minutes of inactivity before a password is required. | |
passwordPreviousPasswordBlockCount | number | The number of previous passwords to prevent re-use of. Valid values 0 to 24. | |
osMaximumVersion | string | Maximum Windows 8.1 version. | |
storageRequireEncryption | boolean | Indicates whether or not to require encryption on a windows 8.1 device. | |
description | string | Admin provided description of the Device Configuration. | |
displayName | string | Admin provided name of the device configuration. | |
passwordRequiredType | string | The required password type. Possible values are: deviceDefault, alphanumeric, numeric. |