Versioning | Graph API concepts
Applies to: Graph API | Azure Active Directory (AD)
This topic summarizes the version differences for Azure Active Directory (AD) Graph API entities and operations. You must specify the version of an operation that you want to use by including the api-version query string parameter in your request. Requests without an api-version parameter will be rejected and return a (400) Bad Request response. If your service calls an older version of an operation, you can choose to continue calling the older version, or modify your code to call a newer version. Any differences in functionality between versions are outlined in the documentation for the entity upon which you are performing the call.
This article applies to Azure AD Graph API. For similar info related to Microsoft Graph API, see Versioning, support, and breaking change policies for Microsoft Graph.
Important
Azure Active Directory (Azure AD) Graph is deprecated. Going forward, we will make no further investment in Azure AD Graph, and Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.
June 30, 2023 will mark the end of the three-year deprecation period for Azure AD Graph. Before June 30, 2023, existing applications using Azure AD Graph will not be impacted. After June 30, 2023, Azure AD Graph will enter its retirement phase where we will retire it in incremental steps to allow you sufficient time to migrate your applications to Microsoft Graph APIs. The first step in this plan, and at a later date that we will announce, we will block the creation of any new applications using Azure AD Graph.
For more details on the latest announcement, see Important: Azure AD Graph Retirement and Powershell Module Deprecation.
Beginning with Azure AD Graph API version 1.5, the api-version parameter value for General Availability (GA) versions is specified as a numeric value. The following URL shows how to query the top-level resources for tenant domain contoso.com using Graph API version 1.5: https://graph.windows.net/contoso.com?api-version=1.5. For previous versions of Graph API, the api-version parameter value is specified as a date string in the following format: YYYY-MM-DD. The following URL shows how to query the top-level resources of the same tenant using the 2013-11-08 version of the Graph API: https://graph.windows.net/contoso.com?api-version=2013-11-08. For preview features, the api-version parameter value is specified using the string “beta” as follows: https://graph.windows.net/contoso.com?api-version=beta.
API contract, versioning and breaking changes
We will increment the API version number for any breaking changes to the API, in order to protect client applications. We may choose to increment the API version for non-breaking changes too (for example, if we add some significantly large new capabilities).
So, what constitutes a breaking change?
- Removing or renaming APIs or API parameters
- Changes in behavior for an existing API
- Changes in Error Codes & Fault Contracts
- Anything that would violate the Principle of Least Astonishment
Note:The addition of new JSON fields to responses does not constitute a breaking change. For developers who generate their own client proxies (like WCF clients) our guidance is your client applications should be prepared to receive properties and derived types not previously defined by the Graph API service. Although Graph API is not yet OData V4 compliant at the time of this writing, it still follows the guidance described in the Model Versioning section in the OData V4 spec.
When we increment the major version of the API (for example from 1.5 to 2.0), we are signaling that all support for existing clients using previous 1.x or earlier versions will be deprecated and no longer supported after 12 months. Please see the Microsoft Online Services Support Lifecycle Policy for more details.
Supported versions
The following versions have been released for the Graph API.
Version beta
The Graph API features currently in preview can be found in either the Preview Features section in Graph API concepts, or on the Graph Team Blog. Beta features require the “api-version=beta” query string parameter. When the Graph API team believes that a preview feature is ready for GA, we will add that feature to the latest GA version (or if it constitutes a breaking change this would result in an incremented new version number). We make no guarantees that a preview feature will be promoted to GA.
For the beta version, we will try to avoid any breaking changes as much as possible, but we will not guarantee it. Client applications using the beta version should expect breaking changes from time to time. Please see Supplemental Terms of Use for Microsoft Azure Previews.
Version 1.6
This section lists the changes for Graph API version 1.6.
Graph API version 1.6 introduces the following feature changes:
Added support for Azure Active Directory B2C local account users. This involves new properties on the User entity and a new complex type SignInName to support local account sign-in to Azure Active Directory B2C tenants. For more information about Azure Active Directory B2C, see the Azure Active Directory B2C documentation.
Added support for service discovery with the ServiceEndpoint entity and the serviceEndpoints navigation property on the Application and ServicePrincipal entities.
Added support for customized app behavior that can be invoked by consuming services with the AddIn and KeyValue types and the addIns property on the Application and ServicePrincipal entities.
Added support for password-less authentication with the TrustedCAsForPasswordlessAuth entity, the CertificateAuthorityInformation type, and the trustedCAsForPasswordlessAuth property on the TenantDetail entity.
Added the changePassword action, which can be called to enable the signed-in user to change their password.
Graph Client versions 2.1.x require Graph API version 1.6; Graph Client versions 2.0.x require Graph API 1.5.
Entity changes
| Entity | Change Description |
|---|---|
| Application | Added the addIns property, which defines custom behavior that a consuming service can use to call an app in specific contexts. Added the serviceEndpoints navigation property, which contains the collection of service endpoints that are available for discovery. |
| LicenseDetail | New entity that contains license details for a user. |
| ServiceEndpoint | New entity that contains service discovery information. |
| ServicePrincipal | Added the addIns property, which defines custom behavior that a consuming service can use to call an app in specific contexts. Added the serviceEndpoints navigation property, which contains the collection of service endpoints that are available for discovery. |
| SubscribedSku | Added the appliesTo property. |
| TenantDetail | Added the trustedCAsForPasswordlessAuth property, which contains the set of certificate authorities used to validate the trust chain while performing password-less authentication. |
| TrustedCAsForPasswordlessAuth | New entity that represents a set of certificate authorities to validate the trust chain while performing password-less authentication. |
| User | Added the creationType property, which is used to indicate that the user is a local account. Added the signInNames property, which contains the collection of sign-in names used by a local account user to sign in to an Azure Active Directory B2C tenant. This property is renamed from alternativeSignInNamesInfo in beta. Added the licenseDetails navigation property. |
Complex type changes
| Type | Change Description |
|---|---|
| AddIn | New type used to define custom behavior that a consuming service can use to call an app in specific contexts. |
| CertificateAuthorityInformation | New type that represents a certificate authority used when validating the trust chain while performing password-less authentication. |
| KeyValue | New type that contains a key-value pair that defines a parameter that a consuming service can use or call on an application specified in an AddIn. |
| ServicePlanInfo | Added the appliesTo property. Added the provisioningStatus property. |
| SignInName | New type to hold information about a sign-in name that can be used by a local account user to sign in to an Azure Active Directory B2C tenant. This type is renamed from LogonIdentifier in beta. |
Action and function changes
| Function | Change Description |
|---|---|
| changePassword | New action that that can be called to enable the signed-in user to change their password. |
Version 1.5
This section lists the changes for Graph API version 1.5.
Graph API version 1.5 introduces the following feature changes:
The schema namespace of Graph API has changed from Microsoft.WindowsAzure.ActiveDirectory to Microsoft.DirectoryServices. This affects all entities and complex types exposed by Graph API.
Support for directory schema extensions has been added. This allows you to add properties that are required by your application to directory objects. The following entities support schema extensions: User, Group, TenantDetail, Device, Application, and ServicePrincipal. To support directory schema extensions: the ExtensionProperty entity has been added, the extensionProperties navigation property has been added to the Application entity, and a new function, getAvailableExtensionProperties, has been added to return the registered extension properties of supported directory objects. For more information about extending the directory schema, see Directory schema extensions.
The way in which permissions are represented has changed and is more tightly aligned with OAuth 2.0 concepts as well as with the way permissions are represented in other Azure components. The Permission entity has been removed and has been replaced with the OAuth2PermissionGrant entity. This entity represents delegated OAuth 2.0 permissions scopes that arrive in an OAuth 2.0 access token scope claim. Additionally, the new AppRoleAssignment entity represents application roles that can be assigned to users, groups and service principals. Two related complex types have also been added: AppRole and OAuth2Permission. This change has precipitated renaming some properties and adding others in the following entities: Application, Group, ServicePrincipal, and User.
The Role entity is renamed to DirectoryRole.
The RoleTemplate entity is renamed to DirectoryRoleTemplate.
The following tables list the entities, complex types, and functions that have been added, changed, or removed for this release.
Entity changes
| Entity | Change Description |
|---|---|
| Application | Updated the appId property from Edm.Guid to Edm.String. Added the appRoles property, which contains the collection of application roles that an application may declare. These roles can be assigned to users, groups or service principals. Added the groupMembershipClaims property, which is a bitmask that configures the "groups" claim issued in a user or OAuth 2.0 access token that your application expects. The bitmask values are: 0: None, 1: Security groups and Azure AD roles, 2: Reserved, and 4: Reserved. Setting the bitmask to 7 will get all of the security groups, distribution groups, and Azure AD roles that the signed-in user is a member of. Added the knownClientApplications property, which contains a list of client applications that are tied to this resource application. Consent to any of the known client applications will result in implicit consent to the resource application through a combined consent dialog (showing the OAuth permission scopes required by the client and the resource). Added the oauth2AllowImplicitFlow property, which specifies whether this web application can request OAuth2.0 implicit flow tokens. The default is false. Added the oauth2AllowUrlPathMatching property, which specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow path matching of the redirect URI against the application's replyUrls. The default is false. Added the oauth2Permissions property, which contains the collection of OAuth 2.0 permission scopes that the web API (resource) application exposes to client applications. These permission scopes may be granted to client applications during consent. Added the oauth2RequiredPostResponse property, which specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow POST requests, as opposed to GET requests. Default is false, which specifies that only GET requests will be allowed. Added the requiredResourceAccess property, which specifies resources that this application requires access to and the set of OAuth permission scopes and application roles that it needs under each of those resources. This pre-configuration of required resource access drives the end-user consent experience. Added the extensionProperties navigation property, which contains the extension properties associated with the application. |
| AppRoleAssignment | New entity that is used to record when a user or group is assigned to an application. In this case it will result in an application tile showing up on the user's app access panel. This entity may also be used to grant another application (modeled as a service principal) access to a resource application in a particular role. |
| Contact | Added the sipProxyAddress property, which specifies the voice over IP (VOIP) session initiation protocol (SIP) address for the contact. |
| DirectoryObject | Added the deletionTimestamp property, which indicates the time at which a directory object was deleted. It only applies to those directory objects which can be restored. Currently this is only supported for Application. |
| DirectoryRole | Renamed from Role. Added the roleTemplateId property |
| DirectoryRoleTemplate | Renamed from RoleTemplate. |
| ExtensionProperty | New entity that allows an application to define and use a set of additional properties that can be added to directory objects (users, groups, tenant details, devices, applications, and service principals) without the application requiring an external data store. |
| Group | Added the onPremisesSecurityIdentifier property, which contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud. Added the appRoleAssignments navigation property, which points to the set of applications (service principals) that this group is assigned to. |
| OAuth2PermissionGrant | New entity that specifies an OAuth2.0 delegated permission scope. The specified OAuth delegated permission scope may be requested by client applications (through the requiredResourceAccess collection) calling this resource application. Replaces the Permission entity which is removed from this version. |
| Permission | Renamed to OAuth2PermissionGrant. |
| Role | Renamed to DirectoryRole. |
| RoleTemplate | Renamed to DirectoryRoleTemplate. |
| ServicePrincipal | Added the appDisplayName property, which specifies the display name exposed by the associated application. Added the appRoleAssignmentRequired property, which specifies whether an AppRoleAssignment to a user or group is required before Azure AD will issue a user or access token to the application. Added the appRoles property, which contains the application roles exposed by the associated application. For more information see the appRoles property definition on the Application entity. Added the oauth2Permissions property, which contains the OAuth 2.0 permissions exposed by the associated application. For more information see the oauth2Permisions property definition on the Application entity. Added the preferredTokenSigningKeyThumbprint property. Reserved for internal use only. Do not write or otherwise rely on this property. May be removed in future versions. Added the appRoleAssignedTo navigation property, which points to the set of applications that the service principal is assigned to. Added the appRoleAssignments navigation property, which points to the set of principals (users, groups, and service principals) that are assigned to this service principal. Added the oauth2PermissionGrants navigation property, which points to the set of user impersonation grants associated with this service principal. Removed the permissions navigation property |
| TenantDetail | Removed the tenantType property. |
| User | Added the onPremisesSecurityIdentifier property, which contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. Added the sipProxyAddress property, which specifies the voice over IP (VOIP) session initiation protocol (SIP) address for the user. Added the appRoleAssignments navigation property, which points to the set of applications (service principals) that this user is assigned to. Added the oauth2PermissionGrants navigation property, which points to the set of OAuth 2.0 user impersonation grants associated with this user. Removed the permissions navigation property. |
Complex type changes
| Type | Change Description |
|---|---|
| AppRole | New type that specifies application roles that may be requested by client applications calling this application, or that may be used to assign the application to users or groups in one of the specified application roles. |
| OAuth2Permission | New type that represents an OAuth 2.0 permission scope. The specified OAuth 2.0 permission scope may be requested by client applications (through the requiredResourceAccess collection) calling this resource application. |
| RequiredResourceAccess | New type that specifies the set of OAuth 2.0 permission scopes and app roles under the specified resource that this application requires access to. |
| ResourceAccess | New type that represents a permission that this application requires. |
Action and function changes
| Function | Change Description |
|---|---|
| getAvailableExtensionProperties | New function that returns the full list of extension properties that have been registered in a directory. Extension properties can be registered for the following entities: User, Group, Device, TenantDetail, Application, and ServicePrincipal. |
| getMemberObjects | New function that returns all of the Group and DirectoryRole objects that a user, contact, group, or service principal is transitively a member of. |
| getObjectsByObjectIds | New function that returns the directory objects specified in a list of object IDs. You can also specify which resource collections (users, groups, etc.) should be searched by specifying the optional types parameter. |
| restore | New service action that allows a deleted application to be restored. |
Version 2013-11-08
This section lists the changes for Graph API version 2013-11-08.
The following tables list the entities, complex types, and functions that have been added, changed, or removed for this release.
Entity changes
| Entity | Change Description |
|---|---|
| Application | Added the owners navigation property, which points to the set of directory objects that are owners of the application. The owners are a set of non-admin users who are allowed to modify this object. Inherited from DirectoryObject. |
| DeviceConfiguration | New entity that represents the configuration for a device. |
| DirectoryObject | Added the createdOnBehalfOf navigation property, which points to directory object that that this object was created on behalf of. Added the createdObjects navigation property, which points to the set of directory objects that were created by the current object. Added the owners navigation property, which points to the set of directory objects that are owners of the current object. The owners are a set of non-admin users who are allowed to modify this object. Added the ownedObjects navigation property, which points to the set of directory objects that are owned by the current object. Important: Entities that derive from DirectoryObject inherit its properties and may inherit its navigation properties. |
| Group | Added the owners navigation property, which points to the set of directory objects that are owners of the group. The owners are a set of non-admin users who are allowed to modify this object. Inherited from DirectoryObject. |
| Role | Added the ownedObjects navigation property, which points to the set of directory objects that are owned by the role. Inherited from DirectoryObject.The Role entity was renamed to DirectoryRole beginning with version 1.5. For information about Role, see DirectoryRole. |
| ServicePrincipal | Added the appOwnerTenantID property. Added the autheniticationPolicy property. Reserved for internal use only. Do not use. Removed in version 1.5. Added the createdObjects navigation property, which points to the set of directory objects that were created by the service principal. Inherited from DirectoryObject. Added the owners navigation property, which points to the set of directory objects that are owners of the service principal. The owners are a set of non-admin users who are allowed to modify this object. Inherited from DirectoryObject. Added the ownedObjects navigation property, which points to the set of directory objects that are owned by the service principal. Inherited from DirectoryObject. |
| User | Added the immutableId property, which associates an on-premises Active Directory user account to its Azure AD user object. This property must be specified when creating a new user account in the Graph if you are using a federated domain for the user’s userPrincipalName (UPN) property. Added the userType property, which is a string value that can be used to classify user types in your directory, such as “Member” and “Guest”. Added the createdObjects navigation property, which points to the set of directory objects that were created by the user. Inherited from DirectoryObject. Added the ownedObjects navigation property, which points to the set of directory objects that are owned by the user. Inherited from DirectoryObject. |
Complex type changes
| Type | Change Description |
|---|---|
| ServicePrincipalAuthenticationPolicy | Reserved for internal use only. Do not use. Removed in version 1.5. |
Action and function changes
| Function | Change Description |
|---|---|
| assignLicense | New service action that updates a user with a list of licenses to add and/or remove. |
Version 2013-04-05
This is the base version of the Graph API.