This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
With Microsoft Graph, you can manage identity and network access capabilities, most of which are available through Microsoft Entra. The APIs in Microsoft Graph help you to automate identity and network access management tasks and integrate with any application, and are the programmatic alternative to the administrator portals such as the Microsoft Entra admin center.
Microsoft Entra is a family of identity and network access capabilities that are available in the following products. All these capabilities are available through Microsoft Graph APIs:
Users are the main identities in any identity and access solution. You can manage the entire lifecycle of users in your organization, including guests, and their entitlements like licenses or group memberships, using Microsoft Graph APIs. For more information, see Working with users in Microsoft Graph.
Groups are the containers that allow you to efficiently manage the entitlements for identities as a unit. For example, through a group, you can grant users access to a resource, such as a SharePoint site. Or you can grant them licenses to use a service. For more information, see Working with groups in Microsoft Graph.
You can use Microsoft Graph APIs to register and manage your applications programmatically, enabling you to use Microsoft's IAM capabilities. For more information, see Manage Microsoft Entra applications and service principals by using Microsoft Graph.
A core functionality of identity and access management is managing your tenant configuration, administrative roles, and settings. Microsoft Graph provides APIs to manage your Microsoft Entra tenant for the following scenarios:
| Use cases | API operations |
|---|---|
| Manage administrative units including the following operations: |
administrativeUnit resource type and its associated APIs |
| Grant, revoke, and retrieve app roles on a resource application for users, groups, or service principals | appRoleAssignment resource type and its associated APIs |
| Retrieve BitLocker recovery keys | bitlockerRecoveryKey resource type and its associated APIs |
| Manage custom security attributes | See Overview of custom security attributes using the Microsoft Graph API |
| Manage deleted directory objects. The functionality to store deleted objects in a "recycle bin" is supported for the following objects: |
|
| Manage devices in the cloud | device resource type and its associated APIs |
| View local administrator credential information for all device objects in Microsoft Entra ID that are enabled with Local Admin Password Solution (LAPS). This feature is the cloud-based LAPS solution | deviceLocalCredentialInfo resource type and its associated APIs |
| Directory objects are the core objects in Microsoft Entra ID, such as users, groups, and applications. You can use the directoryObject resource type and its associated APIs to check memberships of directory objects, track changes for multiple directory objects, or validate that a Microsoft 365 group's display name or mail nickname complies with naming policies | directoryObject resource type and its associated APIs |
| Administrator roles, including Microsoft Entra administrator roles, are one of the most sensitive resources in a tenant. You can manage the lifecycle of their assignment in the tenant, including creating custom roles, assigning roles, tracking changes to role assignments, and removing assignees from roles | directoryRole resource type and directoryRoleTemplate resource type and their associated APIs roleManagement resource type and its associated APIs (recommended) These APIs allow you to make direct role assignments. Alternatively, you can use Privileged Identity Management APIs for Microsoft Entra roles and groups to make just-in-time and time-bound role assignments, instead of direct forever active assignments. |
| Define the following configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior. |
groupSetting resource type and groupSettingTemplate resource type and their associated APIs For more information, see Overview of group settings. |
| Domain management operations such as: |
domain resource type and its associated APIs |
| Configure and manage staged rollout of specific Microsoft Entra ID features | featureRolloutPolicy resource type and its associated APIs |
| Monitor licenses and subscriptions for the tenant | |
| Configure options that are available in Microsoft Entra Cloud Sync such as preventing accidental deletions and managing group writebacks | onPremisesDirectorySynchronization resource type and its associated APIs |
| Manage the base settings for your Microsoft Entra tenant | organization resource type and its associated APIs |
| Retrieve the organizational contacts that might be synchronized from on-premises directories or from Exchange Online | orgContact resource type and its associated APIs |
| Discover the basic details of other Microsoft Entra tenants by querying using the tenant ID or the domain name | tenantInformation resource type and its associated APIs |
| Manage the delegated permissions and their assignments to service principals in the tenant | oAuth2PermissionGrant resource type and its associated APIs |
| Use cases | API operations |
|---|---|
| Configure listeners that monitor events that should trigger or invoke custom logic, typically defined outside Microsoft Entra ID | authenticationEventListener resource type and its associated APIs |
| Manage authentication methods that are supported in Microsoft Entra ID | See Microsoft Entra authentication methods API overview and Microsoft Entra authentication methods policies API overview |
| Manage the authentication methods or combinations of authentication methods that you can apply as grant control in Microsoft Entra Conditional Access | See Microsoft Entra authentication strengths API overview |
| Manage tenant-wide authorization policies such as: |
authorizationPolicy resource type and its associated APIs |
| Manage the policies for certificate-based authentication in the tenant | certificateBasedAuthConfiguration resource type and its associated APIs |
| Manage Microsoft Entra conditional access policies | conditionalAccessRoot resource type and its associated APIs |
| Manage cross-tenant access settings and manage outbound restrictions, inbound restrictions, tenant restrictions, and cross-tenant synchronization of users in multitenant organizations | See Cross-tenant access settings API overview |
| Configure how and which external systems interact with Microsoft Entra ID during a user authentication session | customAuthenticationExtension resource type and its associated APIs |
| Manage requests against user data in the organization, such as exporting personal data | dataPolicyOperation resource type and its associated APIs |
| Force autoacceleration sign-in to skip the username entry screen and automatically forward users to federated sign-in endpoints | homeRealmDiscoveryPolicy resource type resource type and its associated APIs |
| Detect, investigate, and remediate identity-based risks using Microsoft Entra ID Protection and feed the data into security information and event management (SIEM) tools for further investigation and correlation | See Use the Microsoft Graph identity protection APIs |
| Manage identity providers for Microsoft Entra ID, Microsoft Entra External ID, and Azure AD B2C tenants. You can perform the following operations: |
identityProviderBase resource type and its associated APIs |
| Define a group of tenants belonging to your organization and streamline intra-organization cross-tenant collaboration | See Multitenant organization API overview |
| Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language | organizationalBranding resource type and its associated APIs |
| User flows for Microsoft Entra External ID in workforce tenants | The following resource types and their associated APIs: |
| User flows for Microsoft Entra External ID in external tenants | The following resource types and their associated APIs: |
| Manage app consent policies and condition sets | permissionGrantPolicy resource type |
| Enable or disable security defaults in Microsoft Entra ID | identitySecurityDefaultsEnforcementPolicy resource type |
For more information, see Overview of Microsoft Entra ID Governance using Microsoft Graph.
The following API use cases ar supported to customize how users interact with your customer-facing applications. For administrators, most of the features available in Microsoft Entra ID and also supported for Microsoft Entra External ID in external tenants. For example, domain management, application management, and conditional access.
| Use cases | API operations |
|---|---|
| User flows for Microsoft Entra External ID in external tenants and self-service sign-up experiences | authenticationEventsFlow resource type and its associated APIs |
| Manage identity providers for Microsoft Entra External ID. You can identify the identity providers that are supported or configured in the tenant | See identityProviderBase resource type and its associated APIs |
| Configuring custom URL domains in Microsoft Entra External ID in external tenants | The CustomUrlDomain value for the supportedServices property of domain resource type and its associated APIs |
| Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language | organizationalBranding resource type and its associated APIs |
| Manage identity providers for Microsoft Entra External ID, such as social identities | identityProviderBase resoruce type and its associated APIs |
| Manage user profiles in Microsoft Entra External ID for customers | For more information, see Default user permissions in customer tenants |
| Add your own business logic to the authentication experiences by integrating with systems that are external to Microsoft Entra ID | authenticationEventListener resource type and customAuthenticationExtension resource type and their associated APIs |
Microsoft Graph also provides the following identity and access capabilities for Microsoft partners in the Cloud Solution Provider (CSP), Value Added Reseller (VAR), or Advisor programs to help manage their customer tenants.
| Use cases | API operations |
|---|---|
| Manage contracts for the partner with its customers | contract resource type and its associated APIs |
| Microsoft partners can empower their customers to ensure the partners have least privileged access to their customers' tenants. This feature gives extra control to customers over their security posture while allowing them to receive support from the Microsoft resellers | See Granular delegated admin privileges (GDAP) API overview |
Microsoft Entra records every activity in your tenant and produces reports and audit logs that you can analyze for monitoring, compliance, and troubleshooting. Records of these activities are also available through Microsoft Graph reporting and audit logs APIs, which allow you to analyze the activities with Azure Monitor logs and Log Analytics, or stream to third-party SIEM tools for further investigations. For more information, see Identity and access reports API overview.
This feature helps organizations to align their tenants with the three guiding principles of a Zero Trust architecture:
To find out more about Zero Trust and other ways to align your organization to the guiding principles, see the Zero Trust Guidance Center.
Microsoft Entra licenses include Microsoft Entra ID Free, P1, P2, and Governance; Microsoft Entra Permissions Management; and Microsoft Entra Workload ID.
For detailed information about licensing for different features, see Microsoft Entra ID licensing.
Training
Learning path
Configure and govern entitlement with Microsoft Entra ID SC-5008 - Training
Use Microsoft Entra to manage access by using entitlements, access reviews, privileged access tools, and monitor access events. (SC-5008)
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.