Resource Type
Account
IdentityAndSignIn
ConditionalAccess
NamedLocation ConditionalAccessPolicy
Policies
AuthenticationMethodsPolicy
EmailAuthenticationMethodConfiguration
AuthorizationPolicy B2BManagementPolicy
OAuth2PermissionGrant UserSignInActivity
RoleManagement
RBACApplication
UnifiedRoleDefinitions
UnifiedRoleDefinition
UnifiedRoleAssignments
UnifiedRoleAssignment
Applications
ServicePrincipals
ServicePrincipal
ConnectedAppRisk
AppRoleAssignment Application
DeviceManagement
DeviceConfigurationPolicy
DeviceConfigurationPolicySetting
MacOsCompliancePolicy Windows81CompliancePolicy AndroidDeviceOwnerCompliancePolicy DeviceConfiguration Windows10CompliancePolicy ManagedDevice AospDeviceOwnerCompliancePolicy IosCompliancePolicy AndroidCompliancePolicy AndroidWorkProfileCompliancePolicy DeviceCompliancePolicy
Groups
Group
GroupMembers
GroupMember
Users
User
DirectoryManagement

ATTRIBUTE TYPE REFERS TO DESCRIPTION
lastModifiedDateTime number DateTime the object was last modified.
displayName string Admin provided name of the device configuration.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
securityBlockJailbrokenDevices boolean Devices must not be jailbroken or rooted.
osMaximumVersion string Maximum Android version.
securityRequireCompanyPortalAppIntegrity boolean Require the device to pass the Company Portal client app runtime integrity check.
createdDateTime number DateTime the object was created.
securityRequireVerifyApps boolean Require the Android Verify apps feature is turned on.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
restrictedApps list<object> Require the device to not have the specified apps installed. This collection can contain a maximum of 100 elements.
 appStoreUrl string The Store URL of the application.
 appId string The application or bundle identifier of the application.
 odatatype string The application data type.
 name string The application name.
 publisher string The publisher of the application.
requiredPasswordComplexity string Indicates the required password complexity on Android. One of: NONE, LOW, MEDIUM, HIGH. This is a new API targeted to Android 11+. Possible values are: none, low, medium, high.
securityBlockDeviceAdministratorManagedDevices boolean Block device administrator managed devices.
osMinimumVersion string Minimum Android version.
id string Key of the entity.
passwordSignInFailureCountBeforeFactoryReset number Number of sign-in failures allowed before factory reset. Valid values 1 to 16.
securityRequireGooglePlayServices boolean Require Google Play Services to be installed and enabled on the device.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
securityDisableUsbDebugging boolean Disable USB debugging on Android devices.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
passwordPreviousPasswordBlockCount number Number of previous passwords to block. Valid values 1 to 24.
securityPreventInstallAppsFromUnknownSources boolean Require that devices disallow installation of apps from unknown sources.
securityRequireUpToDateSecurityProviders boolean Require the device to have up to date security providers. The device will require Google Play Services to be enabled and up to date.
conditionStatementId string Condition statement id.
version number Version of the device configuration.
passwordRequired boolean Require a password to unlock device.
passwordMinimumLength number Minimum password length. Valid values 4 to 16.
passwordExpirationDays number Number of days before the password expires. Valid values 1 to 365.
minAndroidSecurityPatchLevel string Minimum Android security patch level.
storageRequireEncryption boolean Require encryption on Android devices.
securityRequireSafetyNetAttestationCertifiedDevice boolean Require the device to pass the SafetyNet certified device check.
odatatype string Microsoft Graph data type.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
description string Admin provided description of the Device Configuration.
passwordRequiredType string Type of characters in password. Possible values are: deviceDefault, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, numeric, numericComplex, any.
securityRequireSafetyNetAttestationBasicIntegrity boolean Require the device to pass the SafetyNet basic integrity check.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
description string Admin provided description of the Device Configuration.
lastModifiedDateTime number DateTime the object was last modified.
passwordExpirationDays number Number of days before the password expires. Valid values 1 to 365.
displayName string Admin provided name of the device configuration.
minAndroidSecurityPatchLevel string Minimum Android security patch level.
passwordMinimumLowerCaseCharacters number Indicates the minimum number of lower case characters required for device password. Valid values 1 to 16.
passwordMinimumUpperCaseCharacters number Indicates the minimum number of upper case letter characters required for device password. Valid values 1 to 16.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
storageRequireEncryption boolean Require encryption on Android devices.
odatatype string Microsoft graph android device owner compliance policy type.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
passwordRequired boolean Require a password to unlock device.
version number Version of the device configuration.
securityRequireSafetyNetAttestationCertifiedDevice boolean Require the device to pass the SafetyNet certified device check.
passwordMinimumNonLetterCharacters number Indicates the minimum number of non-letter characters required for device password. Valid values 1 to 16.
passwordRequiredType string Type of characters in password. Possible values are: deviceDefault, required, numeric, numericComplex, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, customPassword.
securityRequireIntuneAppIntegrity boolean If setting is set to true, checks that the Intune app installed on fully managed, dedicated, or corporate-owned work profile Android Enterprise enrolled devices, is the one provided by Microsoft from the Managed Google Playstore. If the check fails, the device will be reported as non-compliant.
securityRequireSafetyNetAttestationBasicIntegrity boolean Require the device to pass the SafetyNet basic integrity check.
osMinimumVersion string Minimum Android version.
passwordMinimumNumericCharacters number Indicates the minimum number of numeric characters required for device password. Valid values 1 to 16.
passwordMinimumSymbolCharacters number Indicates the minimum number of symbol characters required for device password. Valid values 1 to 16.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
createdDateTime number DateTime the object was created.
osMaximumVersion string Maximum Android version.
passwordMinimumLength number Minimum password length. Valid values 4 to 16.
passwordMinimumLetterCharacters number Indicates the minimum number of letter characters required for device password. Valid values 1 to 16.
passwordPreviousPasswordCountToBlock number Number of previous passwords to block. Valid values 1 to 24.
id string Key of the entity.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
securityRequireGooglePlayServices boolean Require Google Play Services to be installed and enabled on the device.
securityPreventInstallAppsFromUnknownSources boolean Require that devices disallow installation of apps from unknown sources.
securityRequireVerifyApps boolean Require the Android Verify apps feature is turned on.
osMaximumVersion string Maximum Android version.
securityRequireSafetyNetAttestationBasicIntegrity boolean Require the device to pass the SafetyNet basic integrity check.
securityRequireUpToDateSecurityProviders boolean Require the device to have up to date security providers. The device will require Google Play Services to be enabled and up to date.
id string Key of the entity.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
version number Version of the device configuration.
requiredPasswordComplexity string Indicates the required device password complexity on Android. One of: NONE, LOW, MEDIUM, HIGH. This is a new API targeted to Android API 12+. Possible values are: none, low, medium, high.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
securityRequiredAndroidSafetyNetEvaluationType string Require a specific SafetyNet evaluation type for compliance. Possible values are: basic, hardwareBacked.
description string Admin provided description of the Device Configuration.
displayName string Admin provided name of the device configuration.
passwordRequiredType string Type of characters in password. Possible values are: deviceDefault, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, numeric, numericComplex, any.
passwordExpirationDays number Number of days before the password expires. Valid values 1 to 365.
securityBlockJailbrokenDevices boolean Devices must not be jailbroken or rooted.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
createdDateTime number DateTime the object was created.
passwordSignInFailureCountBeforeFactoryReset number Number of sign-in failures allowed before factory reset. Valid values 1 to 16.
osMinimumVersion string Minimum Android version.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
securityRequireCompanyPortalAppIntegrity boolean Require the device to pass the Company Portal client app runtime integrity check.
lastModifiedDateTime number DateTime the object was last modified.
securityDisableUsbDebugging boolean Disable USB debugging on Android devices.
passwordPreviousPasswordBlockCount number Number of previous passwords to block. Valid values 1 to 24.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
minAndroidSecurityPatchLevel string Minimum Android security patch level.
storageRequireEncryption boolean Require encryption on Android devices.
securityRequireSafetyNetAttestationCertifiedDevice boolean Require the device to pass the SafetyNet certified device check.
odatatype string Microsoft graph device compliance policy type.
passwordMinimumLength number Minimum password length. Valid values 4 to 16.
passwordRequired boolean Require a password to unlock device.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
createdDateTime number DateTime the object was created.
version number Version of the device configuration.
passwordRequired boolean Require a password to unlock device.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required. Valid values 1 to 8640.
id string Key of the entity.
minAndroidSecurityPatchLevel string Minimum Android security patch level.
passwordMinimumLength number Minimum password length. Valid values 4 to 16.
displayName string Admin provided name of the device configuration.
securityBlockJailbrokenDevices boolean Devices must not be jailbroken or rooted.
passwordRequiredType string Type of characters in password. Possible values are: deviceDefault, required, numeric, numericComplex, alphabetic, alphanumeric, alphanumericWithSymbols, lowSecurityBiometric, customPassword.
storageRequireEncryption boolean Require encryption on Android devices.
osMaximumVersion string Maximum Android version.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
description string Admin provided description of the Device Configuration.
lastModifiedDateTime number DateTime the object was last modified.
osMinimumVersion string Minimum Android version.
odatatype string Microsoft graph aosp device compliance policy type.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
resourceId string ServicePrincipal The unique identifier (id) for the resource service principal for which the assignment is made.
appRoleId string The identifier (id) for the app role which is assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application has not declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles.
createdDateTime number The time when the app role assignment was created.
id string A unique identifier for the appRoleAssignment key. Not nullable.
principalDisplayName string The display name of the user, group, or service principal that was granted the app role assignment.
principalId string Group ServicePrincipal User The unique identifier (id) for the user, group, or service principal being granted the app role.
principalType string The type of the assigned principal. This can either be User, Group, or ServicePrincipal.
resourceDisplayName string The display name of the resource app's service principal to which the assignment is made.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
isFallbackPublicClient boolean Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false which means the fallback application type is confidential client such as a web app. There are certain scenarios where Azure AD cannot determine the client application type. For example, the ROPC flow where it is configured without specifying a redirect URI. In those cases Azure AD interprets the application type based on the value of this property
optionalClaims object Application developers can configure optional claims in their Azure AD applications to specify the claims that are sent to their application by the Microsoft security token service.
 idToken list<object> The optional claims returned in the JWT ID token.
 additionalProperties list<string> Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.
 essential boolean If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
 name string The name of the optional claim.
 source string The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
 accessToken list<object> The optional claims returned in the JWT access token.
 source string The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
 additionalProperties list<string> Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.
 essential boolean If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
 name string The name of the optional claim.
 saml2Token list<object> The optional claims returned in the SAML token.
 essential boolean If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
 name string The name of the optional claim.
 source string The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
 additionalProperties list<string> Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.
publisherDomain string The verified publisher domain for the application.
appRoles list<object> The collection of roles assigned to the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Not nullable.
 description string The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences.
 displayName string Display name for the permission that appears in the app role assignment and consent experiences.
 id string Unique role identifier inside the appRoles collection. When creating a new app role, a new GUID identifier must be provided.
 isEnabled boolean When creating or updating an app role, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed.
 origin string Specifies if the app role is defined on the application object or on the servicePrincipal entity. Must not be included in any POST or PATCH requests.
 value string Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal.
 allowedMemberTypes list<string> Specifies whether this app role can be assigned to users and groups (by setting to ["User"]), to other application's (by setting to ["Application"], or both (by setting to ["User", "Application"]). App roles supporting assignment to other applications' service principals are also known as application permissions. The "Application" value is only supported for app roles defined on application entities.
info object Basic profile information of the application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience.
 marketingUrl string Link to the application's marketing page.
 privacyStatementUrl string Link to the application's privacy statement.
 supportUrl string Link to the application's support page.
 termsOfServiceUrl string Link to the application's terms of service statement.
 logoUrl string CDN URL to the application's logo, Read-only.
tokenEncryptionKeyId string Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key this property points to. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user.
web object Specifies settings for a web application.
 logoutUrl string Specifies the URL that will be used by Microsoft's authorization service to logout an user using front-channel, back-channel or SAML logout protocols.
 redirectUris list<string> Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
 homePageUrl string Home page or landing page of the application.
 implicitGrantSettings object Specifies whether this web application can request tokens using the OAuth 2.0 implicit flow.
 enableAccessTokenIssuance boolean Specifies whether this web application can request an access token using the OAuth 2.0 implicit flow.
 enableIdTokenIssuance boolean Specifies whether this web application can request an ID token using the OAuth 2.0 implicit flow.
createdDateTime number The date and time the application was registered.
parentalControlSettings object Specifies parental control settings for an application.
 countriesBlockedForMinors list<string> Specifies the two-letter ISO country codes. Access to the application will be blocked for minors from the countries specified in this list.
 legalAgeGroupRule string Specifies the legal age group rule that applies to users of the app. Can be set to one of the following values: Allow(Default. Enforces the legal minimum. This means parental consent is required for minors in the European Union and Korea), RequireConsentForPrivacyServices(Enforces the user to specify date of birth to comply with COPPA rules), RequireConsentForMinors(Requires parental consent for ages below 18, regardless of country minor rules), RequireConsentForKids(Requires parental consent for ages below 14, regardless of country minor rules), BlockMinors(Blocks minors from using the app)
isDeviceOnlyAuthSupported boolean Specifies whether this application supports device authentication without a user. The default is false.
spa object Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens.
 redirectUris list<string> Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
deletedDateTime number The date and time the application was deleted.
displayName string The display name for the application.
oauth2RequiredPostResponse boolean Specifies whether, as part of OAuth 2.0 token requests, Azure AD allows POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests are allowed.
publicClient object Specifies settings for installed clients such as desktop or mobile devices.
 redirectUris list<string> Specifies the URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent.
description string Free text field to provide a description of the application object to end users.
id string Unique identifier for the application object. This property is referred to as Object ID in the Azure portal. Inherited from directoryObject Key. Not nullable.
identifierUris list<string> Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api.
requiredResourceAccess list<object> Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. No more than 50 resource services (APIs) can be configured. Beginning mid-October 2021, the total number of required permissions must not exceed 400. Not nullable.
 resourceAccess list<object> The list of OAuth2.0 permission scopes and app roles that the application requires from the specified resource.
 id string The unique identifier of an app role or delegated permission exposed by the resource application. For delegated permissions, this should match the id property of one of the delegated permissions in the oauth2PermissionScopes collection of the resource application's service principal. For app roles (application permissions), this should match the id property of an app role in the appRoles collection of the resource application's service principal.
 type string Specifies whether the id property references a delegated permission or an app role (application permission). The possible values are: Scope (for delegated permissions) or Role (for app roles).
 resourceAppId string The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
tags list<string> Custom strings that can be used to categorize and identify the application. Not nullable.
addIns list<object> Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on.
 id string id of an addIn.
 properties list<object> property of an addIn.
 key string Key for the key-value pair.
 value string Value for the key-value pair.
 type string type of an addIn.
applicationTemplateId string Unique identifier of the applicationTemplate.
certification object Specifies the certification status of the application.
 certificationDetailsUrl string URL that shows certification details for the application.
 certificationExpirationDateTime number The timestamp when the current certification for the application will expire.
 isCertifiedByMicrosoft boolean Indicates whether the application is certified by Microsoft.
 isPublisherAttested boolean Indicates whether the application has been self-attested by the application developer or the publisher.
 lastCertificationDateTime number The timestamp when the certification for the application was most recently added or updated.
verifiedPublisher object Specifies the verified publisher of the application. For more information about how publisher verification helps support application security, trustworthiness, and compliance, see Publisher verification.
 addedDateTime number The timestamp when the verified publisher was first added or most recently updated.
 displayName string The verified publisher name from the app publisher's Partner Center account.
 verifiedPublisherId string The ID of the verified publisher from the app publisher's Partner Center account.
notes string Notes relevant for the management of the application.
passwordCredentials list<object> The collection of password credentials associated with the application. Not nullable.
 customKeyIdentifier string Do not use.
 displayName string Friendly name for the password.
 endDateTime number The date and time at which the password expires represented using ISO 8601 format and is always in UTC time.
 hint string Contains the first three characters of the password.
 keyId string The unique identifier for the password.
 secretText string Contains the strong passwords generated by Azure AD that are 16-64 characters in length. The generated password value is only returned during the initial POST request to addPassword. There is no way to retrieve this password in the future.
 startDateTime number The date and time at which the password becomes valid.
signInAudience string Specifies the Microsoft accounts that are supported for the current application. The possible values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount (default), and PersonalMicrosoftAccount
api object Specifies settings for an application that implements a web API.
 knownClientApplications list<string> Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. If you set the appID of the client app to this value, the user only consents once to the client app. Azure AD knows that consenting to the client means implicitly consenting to the web API and automatically provisions service principals for both APIs at the same time. Both the client and the web API app must be registered in the same tenant.
 oauth2PermissionScopes list<object> The definition of the delegated permissions exposed by the web API represented by this application registration. These delegated permissions may be requested by a client application, and may be granted by users or administrators during consent. Delegated permissions are sometimes referred to as OAuth 2.0 scopes.
 id string Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application.
 isEnabled boolean When creating or updating a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed.
 type string The possible values are: User and Admin. Specifies whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator consent should always be required. While Microsoft Graph defines the default consent requirement for each permission, the tenant administrator may override the behavior in their organization (by allowing, restricting, or limiting user consent to this delegated permission).
 userConsentDescription string A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.
 userConsentDisplayName string A title for the permission, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.
 value string Specifies the value to include in the scp (scope) claim in access tokens.
 adminConsentDescription string A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. This text appears in tenant-wide admin consent experiences.
 adminConsentDisplayName string The permission's title, intended to be read by an administrator granting the permission on behalf of all users.
 preAuthorizedApplications list<object> Lists the client applications that are pre-authorized with the specified delegated permissions to access this application's APIs. Users are not required to consent to any pre-authorized application (for the permissions specified). However, any additional permissions not listed in preAuthorizedApplications (requested through incremental consent for example) will require user consent.
 appId string The unique identifier for the application.
 delegatedPermissionIds list<string> The unique identifier for the oauth2PermissionScopes the application requires.
 requestedAccessTokenVersion number Specifies the access token version expected by this resource. This changes the version and format of the JWT produced independent of the endpoint or client used to request the access token.
 acceptMappedClaims boolean When true, allows an application to use claims mapping without specifying a custom signing key.
disabledByMicrosoftStatus string Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement).
keyCredentials list<object> The collection of key credentials associated with the application. Not nullable.
 type string The type of key credential; for example, Symmetric, AsymmetricX509Cert.
 usage string A string that describes the purpose for which the key can be used; for example, Verify.
 customKeyIdentifier string Custom key identifier
 displayName string Friendly name for the key.
 endDateTime number The date and time at which the credential expires.
 key string The certificate's raw data in byte array converted to Base64 string.
 keyId string The unique identifier (GUID) for the key.
 startDateTime number The date and time at which the credential becomes valid.
logo string The main logo for the application.
serviceManagementReference string References application or service contact information from a Service or Asset Management database. Nullable.
appId string Application The unique identifier for the application that is assigned to an application by Azure AD. Not nullable.
groupMembershipClaims string Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. To set this attribute, use one of the following valid string values: None, SecurityGroup (for security groups and Azure AD roles), All (this gets all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of).
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
defaultUserRolePermissions object Default user role permissions for the AAD tenant.
 allowedToCreateApps boolean Indicates whether the default user role can create applications.
 allowedToCreateSecurityGroups boolean Indicates whether the default user role can create security groups.
 allowedToCreateTenants boolean Indicates whether the default user role can create tenants.
 allowedToReadOtherUsers boolean Indicates whether the default user role can read other users.
 permissionGrantPoliciesAssigned list<string> Indicates if user consent to apps is allowed, and if it is, which permission to grant consent and which app consent policy (permissionGrantPolicy) govern the permission for users to grant consent. Value should be in the format managePermissionGrantsForSelf.{id}, where {id} is the id of a built-in or custom app consent policy. An empty list indicates user consent to apps is disabled.
 allowedToReadBitlockerKeysForOwnedDevice boolean Indicates whether a user is allowed to read bitlocker keys for owned device.
allowUserConsentForRiskyApps boolean Description pending.
id string ID of the authorization policy.
allowedToSignUpEmailBasedSubscriptions boolean Indicates whether users can sign up for email based subscriptions.
allowedToUseSSPR boolean Indicates whether the Self-Serve Password Reset feature can be used by users on the tenant.
allowEmailVerifiedUsersToJoinOrganization boolean Indicates whether a user can join the tenant by email validation.
allowInvitesFrom string Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government.
guestUserRoleId string UnifiedRoleDefinition Represents role templateId for the role that should be granted to guest user. Currently following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b).
description string Description of this policy.
blockMsolPowerShell boolean To disable the use of MSOL PowerShell set this property to true. This will also disable user-based access to the legacy service endpoint used by MSOL PowerShell. This does not affect Azure AD Connect or Microsoft Graph.
displayName string Display name for this policy.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
invitationsAllowedAndBlockedDomainsPolicy object This policy specifies domain restrictions with regards to inviting external users to collaborate. Only one of the blockedDomains and allowedDomains list can be populated at once. If blockedDomains is populated, any domain outside of blockedDomains can be invited to collaborate. If allowedDomains is populated, any domain outside of allowedDomains will be blocked. If both lists are empty, then there are no domain restrictions on invitations to collaborate.
 blockedDomains list<string> Domains in this list are not allowed to be sent invitations to collaborate.
 allowedDomains list<string> Domains in this list are allowed to be sent invitations to collaborate.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
sessionControls object Specifies the session controls that are enforced after sign-in.
 applicationEnforcedRestrictions object Session control to enforce application restrictions. Only Exchange Online and Sharepoint Online support this session control
 isEnabled boolean Specifies whether the session control is enabled or not
 cloudAppSecurity object Session control to apply cloud app security
 isEnabled boolean Specifies whether the session control is enabled
 cloudAppSecurityType string Possible values are: mcasConfigured, monitorOnly, blockDownloads, unknownFutureValue
 persistentBrowser object Session control to define whether to persist cookies or not. All apps should be selected for this session control to work correctly
 isEnabled boolean Specifies whether the session control is enabled
 mode string Possible values are: always, never
 signInFrequency object Session control to enforce signin frequency
 isEnabled boolean Specifies whether the session control is enabled
 value number The number of days or hours
 type string Possible values are: days, hours
 frequencyInterval string The possible values are timeBased, everyTime, unknownFutureValue. Sign-in frequency of everyTime is available for risky users, risky sign-ins, and Intune device enrollment
 authenticationType string The possible values are primaryAndSecondaryAuthentication, secondaryAuthentication, unknownFutureValue. This property isn't required when using frequencyInterval with the value of timeBased
 disableResilienceDefaults boolean Session control that determines whether it is acceptable for Microsoft Entra ID to extend existing sessions based on information collected prior to an outage or not
id string Specifies the identifier of a conditionalAccessPolicy object.
state string Specifies the state of the conditionalAccessPolicy object. Possible values are "enabled", "disabled", "enabledForReportingButNotEnforced".
conditions object Specifies the rules that must be met for the policy to apply.
 applications object Applications and user actions included in and excluded from the policy
 excludeApplications list<string> Can be one of the following - The list of client IDs (appId) explicitly excluded from the policy, Office365, MicrosoftAdminPortals.
 includeApplications list<string> Can be one of the following - The list of client IDs (appId) the policy applies to, unless explicitly excluded (in excludeApplications), All, Office365, MicrosoftAdminPortals
 includeUserActions list<string> User actions to include. Supported values are urn:user:registersecurityinfo and urn:user:registerdevice
 users object Users, groups, and roles included in and excluded from the policy.
 excludeUsers list<string> A list of user IDs excluded from the scope of the policy and/or "GuestsOrExternalUsers".
 includeGroups list<string> A list of group IDs in the scope of the policy (unless the group ID is explicitly excluded, i.e. the group ID is in the "excludeGroups" list), or "All".
 excludeGroups list<string> Group IDs excluded from scope of policy.
 includeRoles list<string> A list of role IDs in scope of policy (unless explicitly excluded, i.e. the role ID is in the "excludeRoles" list), or "All".
 excludeRoles list<string> Role IDs excluded from scope of policy.
 includeUsers list<string> A list of user IDs in the scope of the policy (unless the user ID explicitly excluded, i.e. the user ID is in the "excludeUsers" list), or one of "None", "All", or "GuestsOrExternalUsers", .
 userRiskLevels list<string> User risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue
 servicePrincipalRiskLevels list<string> Service principal risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue
 locations object Locations included in and excluded from the policy
 excludeLocations list<string> Location IDs excluded from scope of policy
 includeLocations list<string> Location IDs in scope of policy unless explicitly excluded, All, or AllTrusted
 clientApplications object Client applications (service principals and workload identities) included in and excluded from the policy
 excludeServicePrincipals list<string> Service principal IDs excluded from the policy scope
 includeServicePrincipals list<string> Service principal IDs included in the policy scope, or ServicePrincipalsInMyTenant
 clientAppTypes list<string> Client application types included in the policy. Possible values are "all", "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "easSupported", "other".
 signInRiskLevels list<string> Sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue
 platforms object Platforms included in and excluded from the policy
 includePlatforms list<string> Platforms included in the policy. Possible values are: android, iOS, windows, windowsPhone, macOS, linux, all, unknownFutureValue
 excludePlatforms list<string> Platforms excluded from the policy. Possible values are: android, iOS, windows, windowsPhone, macOS, linux, all, unknownFutureValue
 devices object Devices in the policy
 deviceFilter object Filter that defines the dynamic-device-syntax rule to include/exclude devices. A filter can use device properties (such as extension attributes) to include/exclude them.
 mode string Mode to use for the filter. Possible values are include or exclude
 rule string Rule syntax is similar to that used for membership rules for groups in Microsoft Entra ID.
grantControls object Specifies the grant controls that must be fulfilled to pass the policy.
 builtInControls list<string> List of values of built-in controls required by the policy. Possible values are "block", "mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange".
 customAuthenticationFactors list<string> List of custom controls IDs required by the policy
 operator string Defines the relationship of the grant controls. Possible values: AND, OR
 termsOfUse list<string> List of terms of use IDs required by the policy
createdDateTime number conditionalAccessPolicy created time
modifiedDateTime number conditionalAccessPolicy modified time
displayName string Specifies a display name for the conditionalAccessPolicy object.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
connectedAppName string Name of the Connected Application.
riskScore number The risk score associated with the Connected Application.
appID string The unique identifier of Connected Application
riskLevel string The risk level associated with the Connected Application.
permissions list<string> The permissions associated with the Connected Application.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string The ID of the compliance policy.
odatatype string The OData type of the entity, e.g. "#microsoft.graph.iosCompliancePolicy".
securityBlockJailbrokenDevices boolean If true, block jailbroken or rooted devices.
managedEmailProfileRequired boolean If true, the owner of the device will only be able to use a managed email account.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
passwordMinutesOfInactivityBeforeScreenTimeout number Minutes of inactivity before the screen times out.
passwordPreviousPasswordBlockCount number Prevent reuse of previous passwords.
passwordPreviousPasswordCountToBlock number Prevent reuse of previous passwords.
passcodeRequiredType string The password type (e.g. alphanumeric). (iOS)
passwordBlockSimple boolean Block simple passwords.
passcodeBlockSimple boolean Block simple passwords. (iOS)
passwordSignInFailureCountBeforeFactoryReset number Number of failed authentication attempts before a device is wiped. (Windows 8)
passcodeMinimumLength number Minimum length of the password. (iOS)
passwordRequiredType string The password type (e.g. alphanumeric).
passcodeSignInFailureCountBeforeWipe number Number of failed authentication attempts before a device is wiped. (iOS)
passwordRequireWhenResumeFromIdleState boolean Require the user to provide a password when the device is resumed from idle status.
passcodeRequired boolean Require the use of a password. (iOS)
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before the screen locks. (macOS)
id string The ID of the compliance policy.
odatatype string To distinguish between different platforms (Android, iOS).
passcodePreviousPasscodeBlockCount number For iOS to prevent reuse of previous passwords.
passcodeExpirationDays number Passcode expiration in days. "null" if no expiration. (iOS)
passwordMinimumLength number Minimum length of the password.
passwordRequired boolean Require the use of a password.
passcodeMinutesOfInactivityBeforeLock number Minutes of inactivity before the screen locks. (iOS)
passwordExpirationDays number Password expiration in days. "null" if no expiration.
storageRequireDeviceEncryption boolean Indicates whether or not to require device encryption.
passcodeMinutesOfInactivityBeforeScreenTimeout number Minutes of inactivity before the screen times out.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string Key of the policy document. Automatically generated.
lastModifiedDateTime number Policy last modification date and time.
creationSource string Policy creation source.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
isAssigned boolean Policy assignment status.
templateReference object Template reference information.
 odatatype string Template reference data type.
 templateId string Template id.
 templateFamily string Template Family of the referenced Template. This property is read-only. Possible values are: none, endpointSecurityAntivirus, endpointSecurityDiskEncryption, endpointSecurityFirewall, endpointSecurityEndpointDetectionAndResponse, endpointSecurityAttackSurfaceReduction, endpointSecurityAccountProtection, endpointSecurityApplicationControl, endpointSecurityEndpointPrivilegeManagement, enrollmentConfiguration, appQuietTime, baseline, unknownFutureValue, deviceConfigurationScripts, deviceConfigurationPolicies.
 templateDisplayName string Template Display Name of the referenced template.
 templateDisplayVersion string Template Display Version of the referenced Template.
odatatype string Device configuration policy type.
name string Policy name.
description string Policy description.
technologies string Technologies for this policy. Possible values are: none, mdm, windows10XManagement, configManager, appleRemoteManagement, microsoftSense, exchangeOnline, mobileApplicationManagement, linuxMdm, enrollment, endpointPrivilegeManagement, unknownFutureValue.
platforms string Platforms for this policy. Possible values are: none, android, iOS, macOS, windows10X, windows10, linux, unknownFutureValue.
createdDateTime number Policy creation date and time.
settingCount number Number of settings.
priorityMetaData object Indicates the priority of each policies that are selected by the admin during enrollment process.
 odatatype string PriorityMetaData data type.
 priority number Priority of the policy. Valid values 1 to 500.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
policyId string Device configuration policy id.
settingInstance object settingInstance
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 settingInstanceTemplateId string settingInstanceTemplateId
 odatatype string odatatype
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 odatatype string odatatype
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 children list<object> children
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 odatatype string odatatype
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 children list<object> children
 settingInstanceTemplateReference object settingInstanceTemplateReference
 settingInstanceTemplateId string settingInstanceTemplateId
 odatatype string odatatype
 choiceSettingValue object choiceSettingValue
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 useTemplateDefault boolean useTemplateDefault
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 value string value
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 odatatype string odatatype
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 value string value
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 settingValueTemplateId string settingValueTemplateId
 useTemplateDefault boolean useTemplateDefault
 odatatype string odatatype
 odatatype string odatatype
 settingDefinitionId string settingDefinitionId
 settingInstanceTemplateReference object settingInstanceTemplateReference
 odatatype string odatatype
 settingInstanceTemplateId string settingInstanceTemplateId
 odatatype string odatatype
 settingValueTemplateReference object settingValueTemplateReference
 useTemplateDefault boolean useTemplateDefault
 odatatype string odatatype
 settingValueTemplateId string settingValueTemplateId
 value string value
odatatype string Device configuration policy setting data type.
id string Device configuration policy setting id.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
state string The current state of the email authentication method configuration. Valid values are "enabled" or "disabled".
allowExternalIdToUseEmailOtp string Determines whether email OTP is usable by external users for authentication. Possible values are: default, enabled, disabled, unknownFutureValue. Tenants in the default state who did not use public preview will automatically have email OTP enabled beginning in October 2021.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
assignedLabels list<object> The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group.
 labelId string The unique identifier of the label.
 displayName string The display name of the label.
classification string Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition.
mail string The SMTP address for the group, for example, "serviceadmins@contoso.onmicrosoft.com".
onPremisesProvisioningErrors list<object> Errors when using Microsoft synchronization product during provisioning.
 category string Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property.
 occurredDateTime number The date and time at which the error occurred.
 propertyCausingError string Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress
 value string Value of the property causing the error.
onPremisesSyncEnabled boolean true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default).
visibility string Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or Hiddenmembership. Hiddenmembership can be set only for Microsoft 365 groups, when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation. If visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default and Microsoft 365 group is Public. Groups assignable to roles are always Private.
expirationDateTime number Timestamp of when the group is set to expire. The value cannot be modified and is automatically populated when the group is created.
licenseProcessingState string Indicates status of the group license assignment to all members of the group. Default value is false. Read-only. Possible values: QueuedForProcessing, ProcessingInProgress, and ProcessingComplete.
membershipRuleProcessingState string Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused.
renewedDateTime number Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action.
theme string Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red.
assignedLicenses list<object> The licenses that are assigned to the group.
 disabledPlans list<string> A collection of the unique identifiers for plans that have been disabled.
 skuId string The unique identifier for the SKU.
displayName string The display name for the group. This property is required when a group is created and cannot be cleared during updates.
membershipRule string The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership).
preferredDataLocation string The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location.
resourceBehaviorOptions list<string> Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeNewGroupMembers, WelcomeEmailDisabled.
createdDateTime number Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created.
deletedDateTime number For some Azure Active Directory objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null.
description string An optional description for the group.
groupTypes list<string> Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or distribution group. For details, see groups overview. If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static.
isAssignableToRole boolean Indicates whether this group can be assigned to an Azure Active Directory role or not. Optional. This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership). Only callers in Global administrator and Privileged role administrator roles can set this property. The caller must be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups.
onPremisesSamAccountName string Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
securityIdentifier string Security identifier of the group, used in Windows scenarios.
id string The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable.
onPremisesSecurityIdentifier string Contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud.
preferredLanguage string The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example en-US.
proxyAddresses list<string> Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. The any operator is required to filter expressions on multi-valued properties.
mailEnabled boolean Specifies whether the group is mail-enabled. Required.
mailNickname string The mail alias for the group, unique for Microsoft 365 groups in the organization.
resourceProvisioningOptions list<string> Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. Possible value is Team.
securityEnabled boolean Specifies whether the group is a security group. Required.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
classification string Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition.
creationOptions list<string> Creation options.
description string An optional description for the group.
membershipRule string The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership).
securityEnabled boolean Specifies whether the group is a security group. Required.
id string The member id. It is groupid_userid
jobTitle string The user's job title. Maximum length is 128 characters.
officeLocation string The office location in the user's place of business.
mailEnabled boolean Specifies whether the group is mail-enabled. Required.
onPremisesDomainName string The on-premise domain name.
resourceProvisioningOptions list<string> Specifies the group resources provisioned as part of Microsoft 365 group creation that are not normally part of default group creation. The possible value is Team.
groupTypes list<string> Specifies the group type and its membership.If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview.If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static.
mailNickname string The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE.
onPremisesNetBiosName string The on-premise net bios name.
onPremisesSecurityIdentifier string Contains the on-premises security identifier (SID) for the group synchronized from on-premises to the cloud.
theme string Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red.
onPremisesProvisioningErrors list<object> Errors when using Microsoft synchronization product during provisioning.
 occurredDateTime number The date and time at which the error occurred.
 propertyCausingError string Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress
 value string Value of the property causing the error.
 category string Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property.
serviceProvisioningErrors list<string> The list of Service Provisioning Errors.
resource_id string User Group The actual resource id for which the member refers to.
surname string The user's surname (family name or last name). Maximum length is 64 characters.
deletedDateTime number For some Microsoft Entra objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null.
securityIdentifier string Security identifier of the group, used in Windows scenarios.
odatatype string The graph data type, either User or Graph
givenName string The given name (first name) of the user. Maximum length is 64 characters.
preferredLanguage string The preferred language for the user. The preferred language format is based on RFC 4646. The name is a combination of an ISO 639 two-letter lowercase culture code associated with the language, and an ISO 3166 two-letter uppercase subculture code associated with the country or region. Example: "en-US", or "es-ES".
userPrincipalName string The user principal name (UPN) of the user. The UPN is an Internet-style sign-in name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the verifiedDomains property of organization.
onPremisesSamAccountName string Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect.
resourceBehaviorOptions list<string> Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeNewGroupMembers, WelcomeEmailDisabled.
createdDateTime number Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
isAssignableToRole boolean Indicates whether this group can be assigned to a Microsoft Entra role. Optional.This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true, visibility must be Hidden, and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership).Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups.
membershipRuleProcessingState string Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused.
proxyAddresses list<string> Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. The any operator is required to filter expressions on multi-valued properties.
displayName string The name displayed in the address book for the user/group. This property is required when a user/group is created and it cannot be cleared during updates. Maximum length is 256 characters.
preferredDataLocation string The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location.
renewedDateTime number Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
visibility string Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or HiddenMembership. HiddenMembership can be set only for Microsoft 365 groups when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation.If visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default, and the Microsoft 365 group is Public. Groups assignable to roles are always Private.
mail string The SMTP address for the user, for example, jeff@contoso.onmicrosoft.com. Changes to this property will also update the user's proxyAddresses collection to include the value as an SMTP address. This property can't contain accent characters.
expirationDateTime number Timestamp of when the group is set to expire. It is null for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
onPremisesSyncEnabled string true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default).
parent_group_id string Group The parent group id for which the member(user/group) belongs.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string Key of the entity.
osMaximumVersion string Maximum IOS version.
restrictedApps list<object> Require the device to not have the specified apps installed. This collection can contain a maximum of 100 elements.
 odatatype string The application data type.
 name string The application name.
 publisher string The publisher of the application.
 appStoreUrl string The Store URL of the application.
 appId string The application or bundle identifier of the application.
createdDateTime number DateTime the object was created.
passcodeExpirationDays number Number of days before the passcode expires. Valid values 1 to 65535.
securityBlockJailbrokenDevices boolean Devices must not be jailbroken or rooted.
managedEmailProfileRequired boolean Indicates whether or not to require a managed email profile.
passcodeRequiredType string The required passcode type. Possible values are: deviceDefault, alphanumeric, numeric.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
displayName string Admin provided name of the device configuration.
odatatype string Microsoft graph ios compliance policy type.
passcodeMinutesOfInactivityBeforeLock number Minutes of inactivity before a passcode is required.
passcodeMinutesOfInactivityBeforeScreenTimeout number Minutes of inactivity before the screen times out.
osMaximumBuildVersion string Maximum IOS build version.
lastModifiedDateTime number DateTime the object was last modified.
version number Version of the device configuration.
passcodeBlockSimple boolean Indicates whether or not to block simple passcodes.
passcodeMinimumLength number Minimum length of passcode. Valid values 4 to 14.
osMinimumBuildVersion string Minimum IOS build version.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection .
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
description string Admin provided description of the Device Configuration.
osMinimumVersion string Minimum IOS version.
passcodePreviousPasscodeBlockCount number Number of previous passcodes to block. Valid values 1 to 24.
passcodeMinimumCharacterSetCount number The number of character sets required in the password.
passcodeRequired boolean Indicates whether or not to require a passcode.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
osMaximumVersion string Maximum MacOS version.
firewallBlockAllIncoming boolean Corresponds to the "Block all incoming connections" option.
passwordExpirationDays number Number of days before the password expires. Valid values 1 to 65535.
passwordPreviousPasswordBlockCount number Number of previous passwords to block. Valid values 1 to 24.
systemIntegrityProtectionEnabled boolean Require that devices have enabled system integrity protection.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
deviceThreatProtectionRequiredSecurityLevel string Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
firewallEnableStealthMode boolean Corresponds to 'Enable stealth mode'.
version number Version of the device configuration.
osMaximumBuildVersion string Maximum MacOS build version.
displayName string Admin provided name of the device configuration.
passwordRequired boolean Whether or not to require a password.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
odatatype string Microsoft graph mac os compliance type.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
advancedThreatProtectionRequiredSecurityLevel string MDATP Require Mobile Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
gatekeeperAllowedAppSource string System and Privacy setting that determines which download locations apps can be run from on a macOS device. Possible values are: notConfigured, macAppStore, macAppStoreAndIdentifiedDevelopers, anywhere.
passwordMinimumLength number Minimum length of password. Valid values 4 to 14.
osMinimumBuildVersion string Minimum MacOS build version.
passwordBlockSimple boolean Indicates whether or not to block simple passwords.
storageRequireEncryption boolean Require encryption on Mac OS devices.
passwordRequiredType string The required password type. Possible values are: deviceDefault, alphanumeric, numeric.
id string Key of the entity.
description string Admin provided description of the Device Configuration.
passwordMinimumCharacterSetCount number The number of character sets required in the password.
osMinimumVersion string Minimum MacOS version.
firewallEnabled boolean Whether the firewall should be enabled or not.
createdDateTime number DateTime the object was created.
lastModifiedDateTime number DateTime the object was last modified.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
enrolledDateTime number Enrollment time of the device. Supports $filter operator 'lt' and 'gt'.
azureADRegistered boolean Whether the device is Azure Active Directory registered.
complianceGracePeriodExpirationDateTime number The DateTime when device compliance grace period expires.
partnerReportedThreatState string Indicates the threat state of a device when a Mobile Threat Defense partner is in use by the account and device. Read Only. Possible values are: unknown, activated, deactivated, secured, lowSeverity, mediumSeverity, highSeverity, unresponsive, compromised, misconfigured.
userId string Unique Identifier for the user associated with the device.
operatingSystem string Operating system of the device. Windows, iOS, etc.
isSupervised boolean Device supervised status.
userDisplayName string User display name.
manufacturer string Manufacturer of the device.
imei string IMEI string.
easDeviceId string Exchange ActiveSync Id of the device.
requireUserEnrollmentApproval boolean Reports if the managed iOS device is user approval enrollment.
physicalMemoryInBytes number Total Memory in Bytes. Default is 0. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select.
freeStorageSpaceInBytes number Free Storage in Bytes. Default value is 0.
remoteAssistanceSessionUrl string Url that allows a Remote Assistance session to be established with the device. Default is an empty string. To retrieve actual values GET call needs to be made, with device id and included in select parameter.
configurationManagerClientEnabledFeatures object ConfigrMgr client enabled features.
 inventory boolean Whether inventory is managed by Intune.
 modernApps boolean Whether modern application is managed by Intune.
 resourceAccess boolean Whether resource access is managed by Intune.
 deviceConfiguration boolean Whether device configuration is managed by Intune.
 compliancePolicy boolean Whether compliance policy is managed by Intune.
 windowsUpdateForBusiness boolean Whether Windows Update for Business is managed by Intune.
 odatatype string Configuration manage client enabled feature types
subscriberCarrier string Subscriber Carrier.
managedDeviceOwnerType string Ownership of the device. Can be 'company' or 'personal'.Possible values are: unknown, company, personal.
remoteAssistanceSessionErrorDetails string An error string that identifies issues when creating Remote Assistance session objects.
totalStorageSpaceInBytes number Total Storage in Bytes.
osVersion string Operating system version of the device.
emailAddress string Email(s) for the user associated with the device.
easActivationDateTime number Exchange ActivationSync activation time of the device.
azureADDeviceId string The unique identifier for the Azure Active Directory device. Read only.
odatatype string To distinguish between different platforms (Android, iOS).
iccid string Integrated Circuit Card Identifier, it is A SIM card's unique identification number. Default is an empty string. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported.
ethernetMacAddress string Indicates Ethernet MAC Address of the device. Default, is Null (Non-Default property) for this property when returned as part of managedDevice entity. Individual get call with select query options is needed to retrieve actual values. Example: deviceManagement/managedDevices({managedDeviceId})?$select=ethernetMacAddress Supports: $select. $Search is not supported.
managementAgent string Management channel of the device. Examples: Intune, EAS, etc. Default is unknown. Supports $filter operator 'eq' and 'or'. Possible values are: eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController.
managedDeviceName string Automatically generated name to identify a device.
id string Unique Identifier for the device.
exchangeAccessStateReason string The reason for the device's access state in Exchange. Possible values are: none, unknown, exchangeGlobalRule, exchangeIndividualRule, exchangeDeviceRule, exchangeUpgrade, exchangeMailboxPolicy, other, compliant, notCompliant, notEnrolled, unknownLocation, mfaRequired, azureADBlockDueToAccessPolicy, compromisedPassword, deviceNotKnownWithManagedApp.
udid string Unique Device Identifier for iOS and macOS devices. Default is an empty string. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported.
jailBroken string Whether the device is jail broken or rooted. Default is an empty string. Supports $filter operator 'eq' and 'or'.
deviceEnrollmentType string Enrollment type of the device. Possible values are: unknown, userEnrollment, deviceEnrollmentManager, appleBulkWithUser, appleBulkWithoutUser, windowsAzureADJoin, windowsBulkUserless, windowsAutoEnrollment, windowsBulkAzureDomainJoin, windowsCoManagement, windowsAzureADJoinUsingDeviceAuth, appleUserEnrollment, appleUserEnrollmentWithServiceAccount.
exchangeAccessState string The Access State of the device in Exchange. Possible values are: none, unknown, allowed, blocked, quarantined.
complianceState string Compliance state of the device. Examples: Compliant, Conflict, Error, etc. Default is unknown. Supports $filter operator 'eq' and 'or'. Possible values are: unknown, compliant, noncompliant, conflict, error, inGracePeriod, configManager.
exchangeLastSuccessfulSyncDateTime number Last time the device contacted Exchange.
model string Model of the device.
serialNumber string SerialNumber.
deviceCategoryDisplayName string Device category display name. Default is an empty string. Supports $filter operator 'eq' and 'or'.
meid string MEID.
managementCertificateExpirationDate number Reports device management certificate expiration date.
wiFiMacAddress string Wi-Fi MAC address.
deviceRegistrationState string Device registration state. Possible values are: notRegistered, registered, revoked, keyConflict, approvalPending, certificateReset, notRegisteredPendingEnrollment, unknown.
isEncrypted boolean Device encryption status.
userPrincipalName string Device user principal name.
phoneNumber string Phone number of the device.
deviceHealthAttestationState object The device health attestation state.
 restartCount number The number of times a PC device has rebooted.
 safeMode string Safe mode is a troubleshooting option for Windows that starts your computer in a limited state.
 bootRevisionListInfo string The Boot Revision List that was loaded during initial boot on the attested device.
 deviceHealthAttestationStatus string The DHA report version. (Namespace version).
 operatingSystemKernelDebugging string When operatingSystemKernelDebugging is enabled, the device is used in development and testing.
 bootManagerSecurityVersion string The security version number of the Boot Application.
 operatingSystemRevListInfo string The Operating System Revision List that was loaded during initial boot on the attested device.
 healthStatusMismatchInfo string This attribute appears if DHA-Service detects an integrity issue.
 lastUpdateDateTime number The Timestamp of the last update.
 contentNamespaceUrl string The DHA report version. (Namespace version).
 secureBoot string When Secure Boot is enabled, the core components must have the correct cryptographic signatures.
 bootAppSecurityVersion string The security version number of the Boot Application.
 tpmVersion string The security version number of the Boot Application.
 healthAttestationSupportedStatus string This attribute indicates if DHA is supported for the device.
 odatatype string Device health attestation state type.
 codeIntegrityCheckVersion string The version of the Boot Manager
 virtualSecureMode string VSM is a container that protects high value assets from a compromised kernel.
 pcrHashAlgorithm string Informational attribute that identifies the HASH algorithm that was used by TPM.
 issuedDateTime number The DateTime when device was evaluated or issued to MDM.
 testSigning string When test signing is allowed, the device does not enforce signature validation during boot.
 windowsPE string Operating system running with limited services that is used to prepare a computer for Windows.
 codeIntegrityPolicy string The Code Integrity policy that is controlling the security of the boot environment.
 earlyLaunchAntiMalwareDriverProtection string ELAM provides protection for the computers in your network when they start up.
 secureBootConfigurationPolicyFingerPrint string Fingerprint of the Custom Secure Boot Configuration Policy.
 resetCount number The number of times a PC device has hibernated or resumed.
 bitLockerStatus string On or Off of BitLocker Drive Encryption.
 bootDebugging string When bootDebugging is enabled, the device is used in development and testing.
 codeIntegrity string When code integrity is enabled, code execution is restricted to integrity verified code.
 pcr0 string The measurement that is captured in PCR[0].
 contentVersion string The HealthAttestation state schema version.
 attestationIdentityKey string TWhen an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate.
 dataExcutionPolicy string DEP Policy defines a set of hardware and software technologies that perform additional checks on memory.
 bootManagerVersion string The version of the Boot Manager.
notes string Notes on the device created by IT Admin. Default is null. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported.
easActivated boolean Whether the device is Exchange ActiveSync activated.
deviceActionResults list<object> List of ComplexType deviceActionResult objects.
 startDateTime number Time the action was initiated.
 lastUpdatedDateTime number Time the action state was last updated.
 odatatype string deviceActionResult type
 actionName string Action name
 actionState string State of the action. Possible values are: none, pending, canceled, active, done, failed, notSupported.
lastSyncDateTime number The date and time that the device last completed a successful sync with Intune. Supports $filter operator 'lt' and 'gt'.
activationLockBypassCode string The code that allows the Activation Lock on managed device to be bypassed. Default, is Null (Non-Default property) for this property when returned as part of managedDevice entity in LIST call. To retrieve actual values GET call needs to be made, with device id and included in select parameter. Supports: $select. $Search is not supported.
androidSecurityPatchLevel string Android security patch level.
deviceName string Name of the device.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
displayName string The display name of the named location.
countriesAndRegions list<string> List of countries and/or regions in two-letter format specified by ISO 3166-2.
includeUnknownCountriesAndRegions boolean true if IP addresses that don't map to a country or region should be included in the named location.
countryLookupMethod string Determines what method is used to decide which country the user is located in. Possible values are clientIpAddress(default) and authenticatorAppGps.
isTrusted boolean true if this location is explicitly trusted.
ipRanges list<object> List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596.
 odatatype string Used to distinguish between different types of ip ranges. Possible values are #microsoft.graph.iPv4CidrRange and #microsoft.graph.iPv6CidrRange.
 cidrAddress string IPv4 or IPv6 address in CIDR notation.
id string The id of the named location.
odatatype string To distinguish between different types of named locations. Value can be #microsoft.graph.countryNamedLocation or #microsoft.graph.ipNamedLocation.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string The ID of the OAuth2PermissionGrant.
clientId string ServicePrincipal The ID of the client service principal for the application which is authorized to act on behalf of a signed-in user when accessing an API. Corresponds to the 'objectId' field inside the Azure 'Enterprise applications' page.
consentType string Indicates if authorization is granted for the client application to impersonate all users or only a specific user. 'AllPrincipals' indicates authorization to impersonate all users. 'Principal' indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions.
principalId string User The ID of the user on behalf of whom the client is authorized to access the resource, when consentType is Principal. If consentType is 'AllPrincipals' this value is null. Required when consentType is 'Principal'.
resourceId string ServicePrincipal The ID of the resource service principal to which access is authorized. This identifies the API which the client is authorized to attempt to call on behalf of a signed-in user.
scope string A space-separated list of the claim values for delegated permissions which should be included in access tokens for the resource application (the API). For example, 'openid User.Read GroupMember.Read.All'. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the publishedPermissionScopes property of the resource service principal.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
preferredSingleSignOnMode string Specifies the single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. The supported values are password, saml, notSupported, and oidc.
servicePrincipalType string Identifies whether the service principal represents an application, a managed identity, or a legacy application. This is set by Azure AD internally. The servicePrincipalType property can be set to three different values: Application - A service principal that represents an application or service. The appId property identifies the associated app registration, and matches the appId of an application, possibly from a different tenant. If the associated app registration is missing, tokens are not issued for the service principal. ManagedIdentity - A service principal that represents a managed identity. Service principals representing managed identities can be granted access and permissions, but cannot be updated or modified directly. Legacy - A service principal that represents an app created before app registrations, or through legacy experiences. Legacy service principal can have credentials, service principal names, reply URLs, and other properties which are editable by an authorized user, but does not have an associated app registration. The appId value does not associate the service principal with an app registration. The service principal can only be used in the tenant where it was created.
appRoleAssignmentRequired boolean Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false.
description string Free text field to provide an internal end-user facing description of the service principal. End-user portals such MyApps will display the application description in this field.
keyCredentials list<object> The collection of key credentials associated with the service principal.
 customKeyIdentifier string Custom key identifier
 displayName string Friendly name for the key.
 endDateTime number The date and time at which the credential expires.
 key string The certificate's raw data in byte array converted to Base64 string.
 keyId string The unique identifier (GUID) for the key.
 startDateTime number The date and time at which the credential becomes valid.
 type string The type of key credential; for example, Symmetric, AsymmetricX509Cert.
 usage string A string that describes the purpose for which the key can be used; for example, Verify.
replyUrls list<string> The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application.
samlSingleSignOnSettings object The collection for settings related to saml single sign-on.
 relayState string The relative URI the service provider would redirect to after completion of the single sign-on flow.
tags list<string> Custom strings that can be used to categorize and identify the service principal.
accountEnabled boolean true if the service principal account is enabled; otherwise, false.
applicationTemplateId string Unique identifier of the applicationTemplate that the servicePrincipal was created from.
homepage string Home page or landing page of the application.
id string The unique identifier for the service principal. Inherited from directoryObject Key
loginUrl string Specifies the URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. The user launches the application from Microsoft 365, the Azure AD My Apps, or the Azure AD SSO URL.
resourceSpecificApplicationPermissions list<object> The resource-specific application permissions exposed by this application. Currently, resource-specific permissions are only supported for Teams apps accessing to specific chats and teams using Microsoft Graph.
 isEnabled boolean Indicates whether the permission is enabled.
 value string The value of the permission.
 description string Describes the level of access that the resource-specific permission represents.
 displayName string The display name for the resource-specific permission.
 id string The unique identifier for the resource-specific application permission.
signInAudience string Specifies the Microsoft accounts that are supported for the current application. Supported values are: AzureADMyOrg-Users with a Microsoft work or school account in my organization's Azure AD tenant (single-tenant). AzureADMultipleOrgs-Users with a Microsoft work or school account in any organization's Azure AD tenant (multi-tenant). AzureADandPersonalMicrosoftAccount-Users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant. PersonalMicrosoftAccount-Users with a personal Microsoft account only.
appRoles list<object> The roles exposed by the application which this service principal represents. For more information see the appRoles property definition on the application entity. Not nullable.
 allowedMemberTypes list<string> Specifies whether this app role can be assigned to users and groups (by setting to ["User"]), to other application's (by setting to ["Application"], or both (by setting to ["User", "Application"]). App roles supporting assignment to other applications' service principals are also known as application permissions. The "Application" value is only supported for app roles defined on application entities.
 description string The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences.
 displayName string Display name for the permission that appears in the app role assignment and consent experiences.
 id string Unique role identifier inside the appRoles collection. When creating a new app role, a new GUID identifier must be provided.
 isEnabled boolean When creating or updating an app role, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed.
 origin string Specifies if the app role is defined on the application object or on the servicePrincipal entity. Must not be included in any POST or PATCH requests.
 value string Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal.
displayName string The display name for the service principal.
logoutUrl string Specifies the URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols.
notes string Free text field to capture information about the service principal, typically used for operational purposes.
appOwnerOrganizationId string Account Contains the tenant id where the application is registered. This is applicable only to service principals backed by applications.
notificationEmailAddresses list<string> Specifies the list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
verifiedPublisher object Specifies the verified publisher of the application which this service principal represents.
 verifiedPublisherId string The ID of the verified publisher from the app publisher's Partner Center account.
 addedDateTime number The timestamp when the verified publisher was first added or most recently updated.
 displayName string The verified publisher name from the app publisher's Partner Center account.
alternativeNames list<string> Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appDescription string The description exposed by the associated application.
appId string Application The unique identifier for the associated application (its appId property).
deletedDateTime number The date and time the service principal was deleted.
info object Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience.
 logoUrl string CDN URL to the application's logo.
 marketingUrl string Link to the application's marketing page.
 privacyStatementUrl string Link to the application's privacy statement.
 supportUrl string Link to the application's support page.
 termsOfServiceUrl string Link to the application's terms of service statement.
oauth2PermissionScopes list<object> The delegated permissions exposed by the application. For more information see the oauth2PermissionScopes property on the application entity's api property.
 id string Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application.
 isEnabled boolean When creating or updating a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed.
 type string The possible values are: User and Admin. Specifies whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator consent should always be required. While Microsoft Graph defines the default consent requirement for each permission, the tenant administrator may override the behavior in their organization (by allowing, restricting, or limiting user consent to this delegated permission).
 userConsentDescription string A description of the delegated permissions, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.
 userConsentDisplayName string A title for the permission, intended to be read by a user granting the permission on their own behalf. This text appears in consent experiences where the user is consenting only on behalf of themselves.
 value string Specifies the value to include in the scp (scope) claim in access tokens.
 adminConsentDescription string A description of the delegated permissions, intended to be read by an administrator granting the permission on behalf of all users. This text appears in tenant-wide admin consent experiences.
 adminConsentDisplayName string The permission's title, intended to be read by an administrator granting the permission on behalf of all users.
appDisplayName string The display name exposed by the associated application.
disabledByMicrosoftStatus string Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement).
passwordCredentials list<object> The collection of password credentials associated with the application.
 customKeyIdentifier string Do not use.
 displayName string Friendly name for the password.
 endDateTime number The date and time at which the password expires represented using ISO 8601 format and is always in UTC time.
 hint string Contains the first three characters of the password.
 keyId string The unique identifier for the password.
 secretText string Contains the strong passwords generated by Azure AD that are 16-64 characters in length. The generated password value is only returned during the initial POST request to addPassword. There is no way to retrieve this password in the future.
 startDateTime number The date and time at which the password becomes valid.
tokenEncryptionKeyId string Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD issues tokens for this application encrypted using the key specified by this property. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user.
addIns list<object> Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on.
 id string id of an addIn.
 properties list<object> property of an addIn.
 key string Key for the key-value pair.
 value string Value for the key-value pair.
 type string type of an addIn.
servicePrincipalNames list<string> Contains the list of identifiersUris, copied over from the associated application. Additional values can be added to hybrid applications. These values can be used to identify the permissions exposed by this app within Azure AD.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string The unique identifier for the role assignment. Key, not nullable, Read-only.
appScopeId string Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or directoryScopeId is required. App scopes are scopes that are defined and understood by this application only
directoryScopeId string Identifier of the directory object representing the scope of the assignment. Either this property or appScopeId is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications.
roleDefinitionId string UnifiedRoleDefinition Identifier of the role definition the assignment is for. Read only.
principalId string Group ServicePrincipal User Identifier of the principal to which the assignment is granted.
principal object Details of the principal the assignment is for. Read only.
 id string Identifier of the principal to which the assignment is granted.
 mail string email id of the principal user.
 displayName string display of the principal user.
 odatatype string Type of principal, can be a user or group.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
version string Indicates version of the role definition. Read-only when isBuiltIn is true.
inheritsPermissionsFrom list<object> Read-only collection of role definitions that the given role definition inherits from. Only Azure AD built-in roles (isBuiltIn is true) support this attribute.
 id string The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity.
id string The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity.
rolePermissions list<object> List of permissions included in the role. Read-only when isBuiltIn is true.
 excludedResourceActions list<string> Set of tasks that may not be performed on a resource. Not yet supported.
 allowedResourceActions list<string> Set of tasks that can be performed on a resource.
 condition string Optional constraints that must be met for the permission to be effective. Not supported for custom roles.
templateId string Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories.
isEnabled boolean Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.
resourceScopes string List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true.
description string The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.
displayName string The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true.
isBuiltIn boolean Flag indicating whether the role definition is part of the default set included in Azure Active Directory (Azure AD) or a custom definition.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
userRegistrationDetails object Represents the state of a user's authentication methods, including which methods are registered and which features the user is registered and capable of.
 lastUpdatedDateTime number The date and time (UTC) when the record was last updated.
 isAdmin boolean Indicates whether the user has an admin role in the tenant.
 isSsprEnabled boolean Indicates whether the user is allowed to perform self-service password reset by policy. The user may not necessarily have registered the required number of authentication methods for self-service password reset.
 isSsprRegistered boolean Indicates whether the user has registered the required number of authentication methods for self-service password reset. The user may not necessarily be allowed to perform self-service password reset by policy.
 isSystemPreferredAuthenticationMethodEnabled boolean Indicates whether system preferred authentication method is enabled. If enabled, the system dynamically determines the most secure authentication method among the methods registered by the user.
 methodsRegistered list<string> Collection of authentication methods registered.
 systemPreferredAuthenticationMethods list<string> Collection of authentication methods that the system determined to be the most secure authentication methods among the registered methods for second factor authentication.
 isMfaCapable boolean Indicates whether the user has registered a strong authentication method for multifactor authentication.
 isMfaRegistered boolean Indicates whether the user has registered a strong authentication method for multifactor authentication.
 isPasswordlessCapable boolean Indicates whether the user has registered a passwordless strong authentication method.
 isSsprCapable boolean Indicates whether the user has registered the required number of authentication methods for self-service password reset and the user is allowed to perform self-service password reset by policy.
 userPreferredMethodForSecondaryAuthentication string The method the user selected as the default second-factor for performing multifactor authentication.
mobilePhone string The primary cellular telephone number for the user. Read-only for users synced from on-premises directory.
onPremisesUserPrincipalName string Contains the on-premises userPrincipalName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
schools list<string> A list for the user to enumerate the schools they have attended.
onPremisesProvisioningErrors list<object> Errors when using Microsoft synchronization product during provisioning.
 category string Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property.
 occurredDateTime number The date and time at which the error occurred.
 propertyCausingError string Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress
 value string Value of the property causing the error.
refreshTokensValidFromDateTime number Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint.
showInAddressList boolean Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. Represents whether the user should be included in the Outlook global address list.
companyName string The company name which the user is associated. This property can be useful for describing the company that an external user comes from.
isResourceAccount boolean Do not use - reserved for future use.
usageLocation string A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: US, JP, and GB.
creationType string Indicates whether the user account was created through one of the following methods: As a regular school or work account (null), As an external account (Invitation), As a local account for an Azure Active Directory B2C tenant (LocalAccount), Through self-service sign-up by an internal user using email verification (EmailVerified), Through self-service sign-up by an external user signing up through a link that is part of a user flow (SelfServiceSignUp).
passwordPolicies string Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two may be specified together; for example: DisablePasswordExpiration, DisableStrongPassword.
userType string A string value that can be used to classify user types in your directory, such as Member and Guest.
ageGroup string Sets the age group of the user. Allowed values: null, Minor, NotAdult and Adult.
businessPhones list<string> The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property. Read-only for users synced from on-premises directory.
licenseAssignmentStates list<object> State of license assignments for this user.
 assignedByGroup string The id of the group that assigns this license. If the assignment is a direct-assigned license, this field will be Null.
 disabledPlans list<string> The service plans that are disabled in this assignment.
 error string License assignment failure error. If the license is assigned successfully, this field will be Null. Read-Only. The possible values are CountViolation, MutuallyExclusiveViolation, DependencyViolation, ProhibitedInUsageLocationViolation, UniquenessViolation, and Other.
 lastUpdatedDateTime number The timestamp when the state of the license assignment was last updated.
 skuId string The unique identifier for the SKU.
 state string Indicate the current state of this assignment. Read-Only. The possible values are Active, ActiveWithError, Disabled, and Error.
onPremisesSamAccountName string Contains the on-premises samAccountName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
signInSessionsValidFromDateTime number Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint.
employeeOrgData object Represents organization data (e.g. division and costCenter) associated with a user.
 division string The name of the division in which the user works.
 costCenter string The cost center associated with the user.
externalUserStateChangeDateTime number Shows the timestamp for the latest change to the externalUserState property.
jobTitle string The user's job title.
onPremisesSyncEnabled boolean true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default).
country string The country/region in which the user is located; for example, US or UK.
department string The name for the department in which the user works.
employeeType string Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor.
givenName string The given name (first name) of the user.
identities list<object> Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft (also known as a local account), by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account. May contain multiple items with the same signInType value.
 signInType string Specifies the user sign-in types in your directory, such as emailAddress, userName, federated, or userPrincipalName. federated represents a unique identifier for a user from an issuer, that can be in any format chosen by the issuer. Setting or updating a userPrincipalName identity will update the value of the userPrincipalName property on the user object. The validations performed on the userPrincipalName property on the user object, for example, verified domains and acceptable characters, will be performed when setting or updating a userPrincipalName identity. Additional validation is enforced on issuerAssignedId when the sign-in type is set to emailAddress or userName. This property can also be set to any custom string.
 issuer string Specifies the issuer of the identity, for example facebook.com. For local accounts (where signInType is not federated), this property is the local B2C tenant default domain name, for example contoso.onmicrosoft.com. For external users from other Azure AD organization, this will be the domain of the federated organization, for example contoso.com.
 issuerAssignedId string Specifies the unique identifier assigned to the user by the issuer. The combination of issuer and issuerAssignedId must be unique within the organization. Represents the sign-in name for the user, when signInType is set to emailAddress or userName (also known as local accounts). When signInType is set to: emailAddress, (or a custom string that starts with emailAddress like emailAddress1) issuerAssignedId must be a valid email address userName, issuerAssignedId must be a valid local part of an email address
surname string The user's surname (family name or last name).
hireDate number The hire date of the user. Note: This property is specific to SharePoint Online. We recommend using the native employeeHireDate property to set and update hire date values using Microsoft Graph APIs.
lastPasswordChangeDateTime number The time when this Azure AD user last changed their password or when their password was created, whichever date the latest action was performed.
preferredLanguage string The preferred language for the user. Should follow ISO 639-1 Code; for example en-US.
createdDateTime number The created date of the user object.
employeeId string The employee identifier assigned to the user by the organization.
faxNumber string The fax number of the user.
mailNickname string The mail alias for the user. This property must be specified when a user is created.
proxyAddresses list<string> For example: ["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]. Changes to the mail property will also update this collection to include the value as an SMTP address. For more information, see mail and proxyAddresses properties. The proxy address prefixed with SMTP (capitalized) is the primary proxy address while those prefixed with smtp are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of ten unique addresses.
displayName string The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates.
externalUserState string For an external user invited to the tenant using the invitation API, this property represents the invited user's invitation status. For invited users, the state can be PendingAcceptance or Accepted, or null for all other users.
imAddresses list<string> The instant message voice over IP (VOIP) session initiation protocol (SIP) addresses for the user.
mail string The SMTP address for the user, for example, jeff@contoso.onmicrosoft.com.
onPremisesExtensionAttributes object Contains extensionAttributes1-15 for the user. These extension attributes are also known as Exchange custom attributes 1-15. For an onPremisesSyncEnabled user, the source of authority for this set of properties is the on-premises and is read-only. For a cloud-only user (where onPremisesSyncEnabled is false), these properties can be set during creation or update of a user object. For a cloud-only user previously synced from on-premises Active Directory, these properties are read-only in Microsoft Graph but can be fully managed through the Exchange Admin Center or the Exchange Online V2 module in PowerShell.
 extensionAttribute3 string Third customizable extension attribute.
 extensionAttribute5 string Fifth customizable extension attribute.
 extensionAttribute7 string Seventh customizable extension attribute.
 extensionAttribute9 string Ninth customizable extension attribute.
 extensionAttribute14 string Fourteenth customizable extension attribute.
 extensionAttribute2 string Second customizable extension attribute.
 extensionAttribute4 string Fourth customizable extension attribute.
 extensionAttribute8 string Eighth customizable extension attribute.
 extensionAttribute13 string Thirteenth customizable extension attribute.
 extensionAttribute6 string Sixth customizable extension attribute.
 extensionAttribute10 string Tenth customizable extension attribute.
 extensionAttribute11 string Eleventh customizable extension attribute.
 extensionAttribute12 string Twelfth customizable extension attribute.
 extensionAttribute1 string First customizable extension attribute.
 extensionAttribute15 string Fifteenth customizable extension attribute.
onPremisesImmutableId string This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user's userPrincipalName (UPN) property.
assignedLicenses list<object> The licenses that are assigned to the user, including inherited (group-based) licenses.
 disabledPlans list<string> A collection of the unique identifiers for plans that have been disabled.
 skuId string The unique identifier for the SKU.
city string The city in which the user is located.
accountEnabled boolean true if the account is enabled; otherwise, false. This property is required when a user is created.
postalCode string The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code.
userPrincipalName string The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. This property is required when a user is created. The verified domains for the tenant can be accessed from the verifiedDomains property of organization.
employeeHireDate number The date and time when the user was hired or will start work in case of a future hire.
legalAgeGroupClassification string Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated based on ageGroup and consentProvidedForMinor properties. Allowed values: null, MinorWithOutParentalConsent, MinorWithParentalConsent, MinorNoParentalConsentRequired, NotAdult and Adult.
onPremisesSecurityIdentifier string Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud.
state string The state or province in the user's address.
consentProvidedForMinor string Sets whether consent has been obtained for minors. Allowed values: null, Granted, Denied and NotRequired.
deletedDateTime number The date and time the user was deleted.
officeLocation string The office location in the user's place of business.
onPremisesDistinguishedName string Contains the on-premises Active Directory distinguished name or DN. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
otherMails list<string> A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"].
passwordProfile object Specifies the password profile for the user. The profile contains the user's password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required.
 forceChangePasswordNextSignIn boolean true if the user must change her password on the next login; otherwise false. If not set, default is false.
 forceChangePasswordNextSignInWithMfa boolean If true, at next sign-in, the user must perform a multi-factor authentication (MFA) before being forced to change their password. The behavior is identical to forceChangePasswordNextSignIn except that the user is required to first perform a multi-factor authentication before password change. After a password change, this property will be automatically reset to false. If not set, default is false.
 password string The password for the user. This property is required when a user is created. It can be updated, but the user will be required to change the password on the next login. The password must satisfy minimum requirements as specified by the user's passwordPolicies property. By default, a strong password is required.
streetAddress string The street address of the user's place of business.
id string The unique identifier for the user.
onPremisesDomainName string Contains the on-premises domainFQDN, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string User The ID of the User for which sign activity is fetched.
signInActivity object signInActivity
 lastSuccessfulSignInRequestId string The request ID of the last successful sign-in.
 lastSignInDateTime number The last interactive sign-in date and time for a specific user.
 lastSignInRequestId string Request identifier of the last interactive sign-in performed by this user.
 lastNonInteractiveSignInDateTime number The last non-interactive sign-in date for a specific user.
 lastNonInteractiveSignInRequestId string Request identifier of the last non-interactive sign-in performed by this user.
 lastSuccessfulSignInDateTime number The date and time of the user's most recent successful sign-in activity.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
ATTRIBUTE TYPE REFERS TO DESCRIPTION
id string Key of the entity.
passwordMinimumCharacterSetCount number The number of character sets required in the password.
deviceThreatProtectionRequiredSecurityLevel string Require Device Threat Protection minimum risk level to report noncompliance. Possible values are: unavailable, secured, low, medium, high, notSet.
osMinimumVersion string Minimum Windows 10 version.
bitLockerEnabled boolean Require devices to be reported healthy by Windows Device Health Attestation - bit locker is enabled.
secureBootEnabled boolean Require devices to be reported as healthy by Windows Device Health Attestation - secure boot is enabled.
signatureOutOfDate boolean Require Windows Defender Antimalware Signature to be up to date on Windows devices.
description string Admin provided description of the Device Configuration.
passwordBlockSimple boolean Indicates whether or not to block simple password.
mobileOsMaximumVersion string Maximum Windows Phone version.
rtpEnabled boolean Require Windows Defender Antimalware Real-Time Protection on Windows devices.
storageRequireEncryption boolean Require encryption on windows devices.
deviceCompliancePolicyScript object Device compliance policy script object.
 odatatype string Device compliance policy script data type.
 deviceComplianceScriptId string Device compliance script Id.
 rulesContent string Json of the rules.
lastModifiedDateTime number DateTime the object was last modified.
version number Version of the device configuration.
passwordRequiredToUnlockFromIdle boolean Require a password to unlock an idle device.
requireHealthyDeviceReport boolean Require devices to be reported as healthy by Windows Device Health Attestation.
earlyLaunchAntiMalwareDriverEnabled boolean Require devices to be reported as healthy by Windows Device Health Attestation - early launch antimalware driver is enabled.
activeFirewallRequired boolean Require active firewall on Windows devices.
defenderEnabled boolean Require Windows Defender Antimalware on Windows devices.
deviceThreatProtectionEnabled boolean Require that devices have enabled device threat protection.
odatatype string Microsoft graph windows10 compliance policy type.
displayName string Admin provided name of the device configuration.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
antiSpywareRequired boolean Require any AntiSpyware solution registered with Windows Decurity Center to be on and monitoring (e.g. Symantec, Windows Defender).
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
passwordRequiredType string The required password type. Possible values are: deviceDefault, alphanumeric, numeric.
passwordPreviousPasswordBlockCount number The number of previous passwords to prevent re-use of.
osMaximumVersion string Maximum Windows 10 version.
mobileOsMinimumVersion string Minimum Windows Phone version.
createdDateTime number DateTime the object was created.
passwordRequired boolean Require a password to unlock Windows device.
passwordExpirationDays number The password expiration in days.
passwordMinimumLength number The minimum password length.
configurationManagerComplianceRequired boolean Require to consider SCCM Compliance state into consideration for Intune Compliance State.
tpmRequired boolean Require Trusted Platform Module(TPM) to be present.
codeIntegrityEnabled boolean Require devices to be reported as healthy by Windows Device Health Attestation.
defenderVersion string Require Windows Defender Antimalware minimum version on Windows devices.
antivirusRequired boolean Require any Antivirus solution registered with Windows Decurity Center to be on and monitoring (e.g. Symantec, Windows Defender).
validOperatingSystemBuildRanges list<object> The valid operating system build ranges on Windows devices. This collection can contain a maximum of 10000 elements.
 odatatype string Operating system build range data type.
 description string The description of this range (e.g. Valid 1702 builds)
 lowestVersion string The lowest inclusive version that this range contains.
 highestVersion string The highest inclusive version that this range contains.
ATTRIBUTE TYPE REFERS TO DESCRIPTION
odatatype string Microsoft graph windows 8.1 compliance policy type.
displayName string Admin provided name of the device configuration.
passwordBlockSimple boolean Indicates whether or not to block simple password.
passwordExpirationDays number Password expiration in days.
storageRequireEncryption boolean Indicates whether or not to require encryption on a windows 8.1 device.
roleScopeTagIds list<string> List of Scope Tags for this Entity instance.
id string Key of the entity.
createdDateTime number DateTime the object was created.
version number Version of the device configuration.
passwordMinutesOfInactivityBeforeLock number Minutes of inactivity before a password is required.
description string Admin provided description of the Device Configuration.
lastModifiedDateTime number DateTime the object was last modified.
passwordMinimumCharacterSetCount number The number of character sets required in the password.
passwordRequiredType string The required password type. Possible values are: deviceDefault, alphanumeric, numeric.
passwordPreviousPasswordBlockCount number The number of previous passwords to prevent re-use of. Valid values 0 to 24.
osMinimumVersion string Minimum Windows 8.1 version.
osMaximumVersion string Maximum Windows 8.1 version.
passwordRequired boolean Require a password to unlock Windows device.
passwordMinimumLength number The minimum password length.