Update user
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Update the properties of a user object. Not all properties can be updated by Member or Guest users with their default permissions without Administrator roles. Compare member and guest default permissions to see properties they can manage.
Permissions
One of the following pefrmissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | User.ReadWrite |
| Application | User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All |
Note
- Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader, and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD built-in roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions. Only a Global Administrator assigned the Directory.AccessAsUser.All permission can update these properties for more privileged administrators.
- Your personal Microsoft account must be tied to an AAD tenant to update your profile with the User.ReadWrite delegated permission on a personal Microsoft account.
- Updating the identities property requires the User.ManageIdentities.All permission. Also, adding a B2C local account to an existing user object is not allowed, unless the user object already contains a local account identity.
HTTP request
PATCH /users/{id | userPrincipalName}
Request headers
| Header | Value |
|---|---|
| Authorization | Bearer {token}. Required. |
| Content-Type | application/json |
Request body
In the request body, supply the values for relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't changed.
| Property | Type | Description |
|---|---|---|
| aboutMe | String | A freeform text entry field for the user to describe themselves. |
| accountEnabled | Boolean | true if the account is enabled; otherwise, false. This property is required when a user is created. A global administrator assigned the Directory.AccessAsUser.All delegated permission can update the accountEnabled status of all administrators in the tenant. |
| ageGroup | ageGroup | Sets the age group of the user. Allowed values: null, Minor, NotAdult and Adult. Refer to the legal age group property definitions for further information. |
| assignedLicenses | assignedLicense collection | The licenses that are assigned to the user. Not nullable. |
| birthday | DateTimeOffset | The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| businessPhones | String collection | The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property. |
| city | String | The city in which the user is located. |
| companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters. |
| consentProvidedForMinor | consentProvidedForMinor | Sets whether consent has been obtained for minors. Allowed values: null, Granted, Denied and NotRequired. Refer to the legal age group property definitions for further information. |
| country | String | The country/region in which the user is located; for example, US or UK. |
| customSecurityAttributes | customSecurityAttributeValue | An open complex type that holds the value of a custom security attribute that is assigned to a directory object. To update this property, the calling principal must be assigned the Attribute Assignment Administrator role and must be granted the CustomSecAttributeAssignment.ReadWrite.All permission. |
| department | String | The name for the department in which the user works. |
| displayName | String | The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates. |
| employeeId | String | The employee identifier assigned to the user by the organization. The maximum length is 16 characters. |
| employeeType | String | Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor. |
| givenName | String | The given name (first name) of the user. |
| employeeHireDate | DateTimeOffset | The hire date of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| identities | objectIdentity collection | Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft, by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account. Any update to identities will replace the entire collection and you must supply the userPrincipalName signInType identity in the collection. |
| interests | String collection | A list for the user to describe their interests. |
| jobTitle | String | The user’s job title. |
| String | The SMTP address for the user, for example, jeff@contoso.onmicrosoft.com. For Azure AD B2C accounts, this property can be updated up to only ten times with unique SMTP addresses. Changes to this property will also update the user's proxyAddresses collection to include the value as a SMTP address. |
|
| mailNickname | String | The mail alias for the user. This property must be specified when a user is created. |
| mobilePhone | String | The primary cellular telephone number for the user. |
| mySite | String | The URL for the user's personal site. |
| officeLocation | String | The office location in the user's place of business. |
| onPremisesExtensionAttributes | onPremisesExtensionAttributes | Contains extensionAttributes 1-15 for the user. Note that the individual extension attributes are neither selectable nor filterable. For an onPremisesSyncEnabled user, the source of authority for this set of properties is the on-premises and is read-only and is read-only. These extension attributes are also known as Exchange custom attributes 1-15. |
| onPremisesImmutableId | String | This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user’s userPrincipalName (UPN) property. Important: The $ and _ characters cannot be used when specifying this property. |
| otherMails | String collection | A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"]. |
| passwordPolicies | String | Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two may be specified together; for example: DisablePasswordExpiration, DisableStrongPassword. |
| passwordProfile | PasswordProfile | Specifies the password profile for the user. The profile contains the user’s password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required. In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user. In application-only access, the calling app must be assigned the User.ReadWrite.All application permission and at least the User Administrator Azure AD role. |
| pastProjects | String collection | A list for the user to enumerate their past projects. |
| postalCode | String | The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code. |
| preferredLanguage | String | The preferred language for the user. Should follow ISO 639-1 Code; for example en-US. |
| responsibilities | String collection | A list for the user to enumerate their responsibilities. |
| schools | String collection | A list for the user to enumerate the schools they have attended. |
| skills | String collection | A list for the user to enumerate their skills. |
| state | String | The state or province in the user's address. |
| streetAddress | String | The street address of the user's place of business. |
| surname | String | The user's surname (family name or last name). |
| usageLocation | String | A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: US, JP, and GB. Not nullable. |
| userPrincipalName | String | The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. The verified domains for the tenant can be accessed from the verifiedDomains property of organization. NOTE: This property cannot contain accent characters. Only the following characters are allowed A - Z, a - z, 0 - 9, ' . - _ ! # ^ ~. For the complete list of allowed characters, see username policies. |
| userType | String | A string value that can be used to classify user types in your directory, such as Member and Guest. |
Because the user resource supports extensions, you can use the PATCH operation to
add, update, or delete your own app-specific data in custom properties of an extension in an existing user instance.
Note
- The following properties cannot be updated by an app with only application permissions: aboutMe, birthday, employeeHireDate, interests, mySite, pastProjects, responsibilities, schools, and skills.
- To update the following properties, you must specify them in their own PATCH request, without including the other properties listed in the table above: aboutMe, birthday, interests, mySite, pastProjects, responsibilities, schools, and skills.
Manage extensions and associated data
Use this API to manage the directory, schema, and open extensions and their data for users, as follows:
- Add, update and store data in the extensions for an existing user
- For directory and schema extensions, remove any stored data by setting the value of the custom extension property to
null. For open extensions, use the Delete open extension API.
Response
If successful, this method returns a 204 No Content response code.
Example
Example 1: Update properties of the signed-in user
Request
The following example shows a request.
PATCH https://graph.microsoft.com/beta/me
Content-type: application/json
{
"businessPhones": [
"+1 425 555 0109"
],
"officeLocation": "18/2111"
}
Response
The following example shows the response.
HTTP/1.1 204 No Content
Example 2: Update properties of the specified user
Request
The following example shows a request.
PATCH https://graph.microsoft.com/beta/users/{id}
Content-type: application/json
{
"businessPhones": [
"+1 425 555 0109"
],
"officeLocation": "18/2111"
}
Response
The following example shows the response.
HTTP/1.1 204 No Content
Example 3: Update the passwordProfile of a user to reset their password
The following example shows a request that resets the password of another user.
Request
PATCH https://graph.microsoft.com/beta/users/{id}
Content-type: application/json
{
"passwordProfile": {
"forceChangePasswordNextSignIn": false,
"password": "xWwvJ]6NMw+bWH-d"
}
}
Response
HTTP/1.1 204 No Content
Example 4: Assign a custom security attribute with a string value to a user
The following example shows how to assign a custom security attribute with a string value to a user.
- Attribute set:
Engineering - Attribute:
ProjectDate - Attribute data type: String
- Attribute value:
"2022-10-01"
To assign custom security attributes, the calling principal must be assigned the Attribute Assignment Administrator role and must be granted the CustomSecAttributeAssignment.ReadWrite.All permission.
For more examples for users, see Assign, update, or remove custom security attributes using the Microsoft Graph API.
Request
PATCH https://graph.microsoft.com/beta/users/{id}
Content-type: application/json
{
"customSecurityAttributes":
{
"Engineering":
{
"@odata.type":"#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
"ProjectDate":"2022-10-01"
}
}
}
Response
HTTP/1.1 204 No Content
Example 5: Add or update the values of a schema extension for a user
You can update or assign a value to a single property or all properties in the extension.
Request
PATCH https://graph.microsoft.com/beta/users/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e
Content-type: application/json
{
"ext55gb1l09_msLearnCourses": {
"courseType": "Admin"
}
}
Response
HTTP/1.1 204 No Content
Note: To remove the value of the schema extension from the user object, set the property to
null. For example:PATCH https://graph.microsoft.com/v1.0/users/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e Content-type: application/json { "ext55gb1l09_msLearnCourses": null }
See also
Feedback
Submit and view feedback for