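Functions and actions | Graph API reference

**Applies to:** Graph API | Azure Active Directory

This topic discusses the functions and actions exposed by the Azure AD Graph API and how to call them.

The Graph API is an OData 3.0 compliant REST API that provides programmatic access to directory objects in Azure Active Directory, such as users, groups, organizational contacts, and applications.

Important

Azure AD Graph API functionality is also available through Microsoft Graph. Microsoft Graph is a unified API that also includes APIs from other Microsoft services such as Outlook, OneDrive, OneNote, Planner, and Office Graph, all of which are accessed through a single endpoint with a single access token.

Calling actions and functions using the Graph API

To call an action or function with the Graph API, send a POST request to the corresponding endpoint.

Graph API requests use the following base URL: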

https://graph.windows.net/{tenant_id}/{resource_path}?{api_version}[odata_query_parameters]

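Important

Requests sent to the Graph API must be well-formed, must target a valid endpoint and Graph API version, and must carry a valid access token obtained from Azure AD in the Authorization header. For more details about creating requests and receiving responses with the Graph API, see [Operations Overview].

Functions or actions that are called on the directory service itself do not need a resource path. For functions or actions that are called on a specific resource, {resource_path} is specified differently depending on the targeted resource. The resource path consists of the following parts:

  • {resource_collection} specifies the resource collection, such as users, contacts, or groups.
  • {resource_id} identifies the specific resource to target within the resource collection. This is typically the object ID (GUID), but for users the user principal name (UPN) can also be used.

You can use the me alias to target the signed-in user. This alias replaces the following URL path segment: {tenant_id}/users/{user_id}. When this alias is used, the Graph API derives the user and the tenant from the bearer token attached to the request.

For example, the following POST request can be used to assign a license to the signed-in user (the appropriate request body must also be included):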

POST https://graph.windows.net/me/assignLicense?api-version=1.6

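For more information about performing operations with the me alias, see REST operations on the signed-in user.

Functions

Functions have no side effects in the directory. That is, when a function is called, it only returns data and does not modify any data in the directory. The following topics show how to call functions using the Graph API.


checkMemberGroups: Check for membership in a list of groups

Call the checkMemberGroups function to check the membership of a user, contact, group, or service principal in a list of groups. This operation is transitive.

A maximum of 20 groups can be checked per request.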


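Request body

| Property name | Type | Required | Description |
|---|---|---|---|
| groupIds | Collection(Edm.String) | | A collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified. |

Response body

| Property name | Type | Description |
|---|---|---|
| value | Collection(Edm.String) | A collection that contains the object IDs of the groups and directory roles specified in the request that the contact, user, group, or service principal is a member of. |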

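getAvailableExtensionProperties: Get the registered extension properties in a directory

Call the getAvailableExtensionProperties function to return the full list, or a filtered list, of the extension properties registered in a directory. Extension properties are supported on the following entities: [User], [Group], [TenantDetail], [Device], [Application], and [ServicePrincipal]. To learn how to register and unregister extension properties in a directory, and how to modify their values, see [Directory Schema Extensions].

Important: Requires version 1.5 or later.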


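Request body

| Property name | Type | Required | Description |
|---|---|---|---|
| isSyncedFromOnPremises | Edm.Boolean | | True to specify that only extension properties that are synced from the on-premises directory should be returned; False to specify that only extension properties that are not synced from the on-premises directory should be returned. If the parameter is omitted, all extension properties (both synced and non-synced) are returned. |

Response body

| Property name | Type | Description |
|---|---|---|
| value | Collection([ExtensionProperty]) | A collection that contains the extension properties registered in the directory, filtered according to the request. |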

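getMemberGroups: Get group memberships (transitive)

Call the getMemberGroups function on a user, contact, group, or service principal to get the groups that the object is a member of. This function is transitive.

Note: The maximum number of groups that can be returned is 2046. If the target object has direct or transitive membership in more than 2046 groups, the function returns an HTTP error response with the error code Directory_ResultSizeLimitExceeded.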


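Request body

| Property name | Type | Required | Description |
|---|---|---|---|
| securityEnabledOnly | Edm.Boolean | | True to specify that only security groups that the entity is a member of should be returned; False to specify that all groups that the entity is a member of should be returned. Note: If the parameter is True, the function can only be called on a user. |

Response body

| Property name | Type | Description |
|---|---|---|
| value | Collection(Edm.String) | A collection that contains the object IDs of the groups that the contact, user, group, or service principal is a member of. |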

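getMemberObjects: Get group and directory role memberships (transitive)

Call the getMemberObjects function on a user, contact, group, or service principal to get the groups and directory roles that the object is a member of. This function is transitive.

Note: The maximum number of groups and directory roles that can be returned is 2046. If the target object has direct or transitive membership in more than 2046 groups and directory roles, the function returns an HTTP error response with the error code Directory_ResultSizeLimitExceeded.

Important: Requires version 1.5 or later.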


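Request body

| Property name | Type | Required | Description |
|---|---|---|---|
| securityEnabledOnly | Edm.Boolean | | True to specify that only security groups that the entity is a member of should be returned; False to specify that all groups and directory roles that the entity is a member of should be returned. Note: If the parameter is True, the function can only be called on a user. |

Response body

| Property name | Type | Description |
|---|---|---|
| value | Collection(Edm.String) | A collection that contains the object IDs of the groups and directory roles that the contact, user, group, or service principal is a member of. |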

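getObjectsByObjectIds: Get objects from a list of object IDs

Call the getObjectsByObjectIds function on the directory service to return the directory objects specified in a list of object IDs. You can also specify which resource collections (users, groups, and so on) should be searched by specifying the optional types parameter.

Some common uses for this function are to:

  • Resolve the object IDs returned by functions that return collections of object IDs, such as [getMemberObjects] or [getMemberGroups], to their backing directory objects.
  • Resolve object IDs that the application has saved in an external store to their backing directory objects.

Important: Requires version 1.5 or later.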


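Request body

| Property name | Type | Required | Description |
|---|---|---|---|
| objectIds | Collection(Edm.String) | | A collection of object IDs for which to return objects. You can specify up to 1000 object IDs. |
| types | Collection(Edm.String) | | A collection of object types that specifies the set of resource collections (entity sets) to search. If not specified, the default is [DirectoryObject], which contains all of the objects in the directory. Any object that derives from [DirectoryObject] may be specified in the collection; for example: [User], [Group], and [ServicePrincipal]. The values are not case sensitive. |

Response body

| Property name | Type | Description |
|---|---|---|
| value | Collection([DirectoryObject]) | A collection of the objects found for the specified object IDs and resource collections. |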

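isMemberOf: Check membership in a specific group (transitive)

Call the isMemberOf function on the directory service to check whether a specified user, group, contact, or service principal is a member of a specified group. This operation is transitive.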


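Request body

| Property name | Type | Required | Description |
|---|---|---|---|
| groupId | Edm.String | | The object ID of the group to check. |
| memberId | Edm.String | | The object ID of the contact, group, user, or service principal whose membership in the specified group is to be checked. |

Response body

| Property name | Type | Description |
|---|---|---|
| value | Edm.Boolean | True if the specified user, group, contact, or service principal has direct or transitive membership in the specified group; otherwise, False. |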

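Actions

Actions have side effects in the directory. That is, when an action is called, it may change data in the directory. For example, it may assign a license to a user or restore a previously deleted application.

assignLicense: Add or remove licenses from a user

Call the assignLicense action on a user to add or remove subscriptions for the user. You can also enable and disable specific plans associated with a subscription.

Important: Requires version 2013-11-08 or later.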


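Request body

| Property name | Type | Required | Description |
|---|---|---|---|
| addLicenses | Collection([AssignedLicense]) | | A collection of [AssignedLicense] objects that specify the licenses to add. You can disable plans associated with a license by setting the disabledPlans property on an [AssignedLicense] object. |
| removeLicenses | Collection(Edm.Guid) | | A collection of GUIDs that identify the licenses to remove. |

Note: Subscription SKU IDs and plan IDs can be read from the tenant object. For example, a GET request to https://graph.windows.net/myorganization/subscribedSkus returns the subscriptions available to the signed-in user's tenant. These are returned as [SubscribedSku] entities, and the SKU ID can be read from the skuId property. The plan IDs associated with a subscription can be obtained from the servicePlans collection. The availability of a subscription can be calculated from the values in the consumedUnits and prepaidUnits properties, which include unit counts for the "enabled", "suspended", and "warning" states.

Additional examples

This request shows an initial license assignment for the Enterprise Office SKU, which contains the SharePoint Online, Lync Online, and Exchange Online service plans.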

POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35

{
  "addLicenses":[{"disabledPlans":[ ],"skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"}],
  "removeLicenses":[ ]
}

This request updates the user's license by disabling specific plans. In this example there are two disabledPlans (SharePointOnline and LyncOnline), and only the Exchange service plan remains enabled.

POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35

{
  "addLicenses":[{"disabledPlans":["5dbe027f-2339-4123-9542-606e4d348a72",
                                   "0feaeb32-d00e-4d66-bd5a-43b5b83db82c"],
                  "skuId":"6fd2c87f-b296-42f0-b197-1e91e994b900"}],
  "removeLicenses":[ ]
}

This final request shows how to remove a license from the user.

POST https://graph.windows.net/myorganization/users/alexd@a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.5 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net
Content-Length: 35

{
  "addLicenses":[ ],

  "removeLicenses":["6fd2c87f-b296-42f0-b197-1e91e994b900"]
}

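changePassword: Change password of the signed-in user

Call the changePassword action on the signed-in user to change their password.

Note: This action can only be called on the signed-in user. In addition to addressing the operation with the me alias as shown below, you can also use /users/<objectId>/changePassword or /users/userPrincipalName/changePassword, but if you use these addressing modes, the target user must be the signed-in user.

Important: Requires version 1.6 or later.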


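Request body

| Property name | Type | Required | Description |
|---|---|---|---|
| currentPassword | Edm.String | | The current password of the signed-in user. |
| newPassword | Edm.String | | The new password. |

Response body

None.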


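restore: Restore a deleted application

Call the restore function on a deleted application to restore it to the directory.

Note: Deleted applications can be found by reading the deletedApplications resource collection. For example, a GET on the following URL returns the deleted applications associated with the organization: https://graph.windows.net/myorganization/deletedApplications?api-version=1.5

Important: Requires version 1.5 or later.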


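Request body

| Property name | Type | Required | Description |
|---|---|---|---|
| identifierUris | Collection(Edm.String) | | A collection of application identifier URIs. These URIs are set on the identifierUris property of the restored [Application]. If this parameter is omitted, the identifierUris property retains its original value. |

Response body

| Type | Description |
|---|---|
| [Application] | The restored application. |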

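verify: Verify ownership of a domain (preview)

Call the verify action on a domain to verify ownership of the domain.

Important: Applies only to unverified domains (the isVerified property of the [Domain] is False). Supported only in the beta version.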


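Request body

None.

Response body

| Type | Description |
|---|---|
| [Domain] | The domain being verified. The isVerified property indicates whether ownership of the domain was verified successfully. |

Additional resources

  • Learn more about the features, capabilities, and preview features supported by the Graph API in Graph API concepts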

applications: Get application properties by object ID

GET https://graph.windows.net/myorganization/applications/{application_oid}?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| application_oid | string | 00009987-f6d8-4957-a6ca-7848d986ffff | The object id of the application. |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

GET https://graph.windows.net/myorganization/applications/00009987-f6d8-4957-a6ca-7848d986ffff?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.directoryObjects/@Element)",
  "odata.type": "Microsoft.DirectoryServices.Application",
  "objectType": "Application",
  "objectId": "35418b3b-476c-4271-81a8-6db65d397ff4",
  "deletionTimestamp": null,
  "addIns": [],
  "allowActAsForAllClients": null,
  "appBranding": null,
  "appCategory": null,
  "appData": null,
  "appId": "1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1",
  "appMetadata": {
    "version": 0,
    "data": [
      {
        "key": "ApplicationMetadata",
        "value": "eyJBcHBsaWNhd..."
      }
    ]
  },
  "appRoles": [],
  "availableToOtherTenants": true,
  "displayName": "Test App",
  "encryptedMsiApplicationSecret": null,
  "errorUrl": null,
  "groupMembershipClaims": "None",
  "homepage": null,
  "identifierUris": [],
  "keyCredentials": [
    {
      "customKeyIdentifier": "pZMUkCG+igju29A1o/BYhnWffff=",
      "endDate": "2017-10-11T07:00:00Z",
      "keyId": "dceb697c-477a-4a25-be87-38282995ffff",
      "startDate": "2012-09-11T07:00:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    },
    {
      "customKeyIdentifier": "pEFcLQgJrxgCgQwBbtV/G5Cffff=",
      "endDate": "2017-06-19T07:00:00Z",
      "keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
      "startDate": "2012-05-19T07:00:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    }
  ],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "passwordCredentials": [],
  "publicClient": false,
  "recordConsentConditions": null,
  "replyUrls": [],
  "requiredResourceAccess": [],
  "samlMetadataUrl": null,
  "supportsConvergence": false,
  "tokenEncryptionKeyId": null
}

applicationsByAppId: Get application properties by application ID

GET https://graph.windows.net/myorganization/applicationsByAppId/{application_id}?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| application_id | string | 1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1 | The application ID (GUID) of the application. |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Required. |

GET https://graph.windows.net/myorganization/applicationsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Application/@Element",
  "odata.type": "Microsoft.DirectoryServices.Application",
  "objectType": "Application",
  "objectId": "35418b3b-476c-4271-81a8-6db65d397ff4",
  "deletionTimestamp": null,
  "addIns": [],
  "allowActAsForAllClients": null,
  "appBranding": null,
  "appCategory": null,
  "appData": null,
  "appId": "1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1",
  "appMetadata": {
    "version": 0,
    "data": [
      {
        "key": "ApplicationMetadata",
        "value": "eyJBcHBsaWNhd..."
      }
    ]
  },
  "appRoles": [],
  "availableToOtherTenants": true,
  "displayName": "Test App",
  "encryptedMsiApplicationSecret": null,
  "errorUrl": null,
  "groupMembershipClaims": "None",
  "homepage": null,
  "identifierUris": [],
  "keyCredentials": [
    {
      "customKeyIdentifier": "pZMUkCG+igju29A1o/BYhnWffff=",
      "endDate": "2017-10-11T07:00:00Z",
      "keyId": "dceb697c-477a-4a25-be87-38282995ffff",
      "startDate": "2012-09-11T07:00:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    },
    {
      "customKeyIdentifier": "pEFcLQgJrxgCgQwBbtV/G5Cffff=",
      "endDate": "2017-06-19T07:00:00Z",
      "keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
      "startDate": "2012-05-19T07:00:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    }
  ],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "passwordCredentials": [],
  "publicClient": false,
  "recordConsentConditions": null,
  "replyUrls": [],
  "requiredResourceAccess": [],
  "samlMetadataUrl": null,
  "supportsConvergence": false,
  "tokenEncryptionKeyId": null
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. Returns the application object ID. |
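
The keyCredentials collection in the response above carries a startDate and an endDate for every credential, which is enough to review credential hygiene on an application. The following is an added example, not code from the original page: it flags expired, soon-to-expire and long-lived credentials. The policy thresholds and the review date are assumptions, and passwordCredentials entries are assumed to carry the same keyId, startDate and endDate fields.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds (not taken from the Graph API documentation).
MAX_LIFETIME = timedelta(days=730)
EXPIRY_WARNING = timedelta(days=30)

# Trimmed copy of the sample Application response shown above.
SAMPLE_APPLICATION = json.loads("""
{
  "objectType": "Application",
  "objectId": "35418b3b-476c-4271-81a8-6db65d397ff4",
  "displayName": "Test App",
  "keyCredentials": [
    {"keyId": "dceb697c-477a-4a25-be87-38282995ffff",
     "startDate": "2012-09-11T07:00:00Z", "endDate": "2017-10-11T07:00:00Z",
     "type": "AsymmetricX509Cert", "usage": "Verify", "value": null},
    {"keyId": "fed7d654-4ae7-4a53-bd60-71dc7eb0ffff",
     "startDate": "2012-05-19T07:00:00Z", "endDate": "2017-06-19T07:00:00Z",
     "type": "AsymmetricX509Cert", "usage": "Verify", "value": null}
  ],
  "passwordCredentials": []
}
""")


def parse_timestamp(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form used in the sample response."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_credentials(app, now):
    """Return (keyId, finding) tuples for every credential on an Application."""
    findings = []
    # Assumption: passwordCredentials use the same validity fields as keyCredentials.
    credentials = list(app.get("keyCredentials") or [])
    credentials += list(app.get("passwordCredentials") or [])
    for cred in credentials:
        key_id = cred.get("keyId") or "<no keyId>"
        try:
            start = parse_timestamp(cred["startDate"])
            end = parse_timestamp(cred["endDate"])
        except (KeyError, TypeError, ValueError):
            # A credential without a readable validity window cannot be reasoned about.
            findings.append((key_id, "missing or unparseable validity window"))
            continue
        if end <= now:
            findings.append((key_id, "expired"))
        elif end - now <= EXPIRY_WARNING:
            findings.append((key_id, "expires soon"))
        if end - start > MAX_LIFETIME:
            findings.append((key_id, "lifetime exceeds policy"))
    return findings


if __name__ == "__main__":
    review_date = datetime(2017, 7, 1, tzinfo=timezone.utc)  # constructed review date
    for key_id, finding in audit_credentials(SAMPLE_APPLICATION, review_date):
        print(key_id, finding)
```
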

checkMemberGroups: Check for membership in a list of groups

POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/checkMemberGroups?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| resource_collection | string | users | Specifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals. |
| resource_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | Specifies the user, contact, group, or service principal for which membership is to be checked. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN). |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "groupIds": [
    "8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
    "be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
    "cf61b8c9-3626-4fe4-b2f7-ac31fa905605"
  ]
}
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/checkMemberGroups?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
  "value": [
    "8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
    "be78b7e2-a94a-4ab0-9bb4-403977cc7ec6"
  ]
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. The object IDs of the groups in the request that the target user, contact, group, or service principal has either direct or transitive membership in are returned. |
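
Because checkMemberGroups accepts at most 20 group IDs per request, code that makes an authorization decision against a longer list has to batch its calls. The following is an added example, not code from the original page: it builds the request shown above, splits a longer list into chunks of 20, and fails closed on any non-200 or malformed reply. The `post` callable is a caller-supplied transport, and the fake transport and group IDs are constructed for the demonstration.

```python
import json
from urllib.parse import quote

GRAPH_BASE = "https://graph.windows.net"
MAX_GROUPS_PER_REQUEST = 20  # per-request limit documented for checkMemberGroups
COLLECTIONS = ("users", "groups", "contacts", "servicePrincipals")


def build_check_request(tenant, collection, resource_id, group_ids, api_version="1.6"):
    """Return (url, json_body) for a single checkMemberGroups POST."""
    if collection not in COLLECTIONS:
        raise ValueError("unsupported resource collection: %r" % (collection,))
    if not 1 <= len(group_ids) <= MAX_GROUPS_PER_REQUEST:
        raise ValueError("checkMemberGroups accepts 1 to 20 group IDs per request")
    # Percent-encode path segments so a UPN (user@domain) or a stray '/'
    # in the identifier cannot change which resource the request targets.
    url = "%s/%s/%s/%s/checkMemberGroups?api-version=%s" % (
        GRAPH_BASE, quote(tenant, safe=""), collection,
        quote(resource_id, safe=""), quote(api_version, safe=""))
    return url, json.dumps({"groupIds": list(group_ids)})


def check_membership(post, tenant, collection, resource_id, group_ids):
    """Return the subset of group_ids the principal is a member of.

    `post(url, body)` is a caller-supplied transport returning (status, text);
    it is expected to attach the Authorization header. Any non-200 status or
    malformed body raises, so callers fail closed instead of assuming access.
    """
    # GUIDs compare case-insensitively; normalise and drop duplicates, keeping order.
    wanted = list(dict.fromkeys(g.lower() for g in group_ids))
    member_of = []
    for i in range(0, len(wanted), MAX_GROUPS_PER_REQUEST):
        chunk = wanted[i:i + MAX_GROUPS_PER_REQUEST]
        url, body = build_check_request(tenant, collection, resource_id, chunk)
        status, text = post(url, body)
        if status != 200:
            raise PermissionError("membership check failed with HTTP %d" % status)
        value = json.loads(text).get("value")
        if not isinstance(value, list):
            raise PermissionError("unexpected checkMemberGroups response")
        returned = {str(v).lower() for v in value}
        # Only accept IDs that were actually asked about in this request.
        member_of.extend(g for g in chunk if g in returned)
    return member_of


def make_fake_transport(memberships):
    """Constructed stand-in for the HTTP layer; records (url, group count) per call."""
    calls = []

    def post(url, body):
        asked = json.loads(body)["groupIds"]
        calls.append((url, len(asked)))
        return 200, json.dumps({"value": [g for g in asked if g in memberships]})

    return post, calls


if __name__ == "__main__":
    # Constructed sample data: 45 group IDs, the user belongs to two of them.
    ids = ["00000000-0000-0000-0000-%012d" % n for n in range(45)]
    post, calls = make_fake_transport({ids[3], ids[41]})
    result = check_membership(post, "myorganization", "users",
                              "alexd@a830edad9050849NDA1.onmicrosoft.com", ids)
    print("member of:", result)
    print("requests sent:", [count for _, count in calls])
```
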

getAvailableExtensionProperties: Get the registered extension properties in a directory

POST https://graph.windows.net/myorganization/getAvailableExtensionProperties?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "isSyncedFromOnPremises": false
}

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
      "objectType": "ExtensionProperty",
      "objectId": "d6a8bfec-893d-46e4-88fd-7db5fcc0fa62",
      "deletionTimestamp": null,
      "appDisplayName": "SampleApp",
      "name": "extension_4d405aa8baa04fb494d3e0571fd9fd71_skypeId",
      "dataType": "String",
      "isSyncedFromOnPremises": false,
      "targetObjects": [
        "User"
      ]
    }
  ]
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. A collection that contains the extension properties is returned. |

getMemberGroups: Get group memberships (transitive)

POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberGroups?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| resource_collection | string | users | Specifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals. |
| resource_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | Specifies the user, contact, group, or service principal for which group memberships are to be returned. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN). |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "securityEnabledOnly": false
}
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/getMemberGroups?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
  "value": [
    "8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
    "be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
    "5e624f44-d38d-4943-b07c-2bad078f52ff"
  ]
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. The object IDs of the groups that the target user, contact, group, or service principal has either direct or transitive membership in are returned. |

getMemberObjects: Get group and directory role memberships (transitive)

POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberObjects?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| resource_collection | string | users | Specifies the resource collection to target. Acceptable values are users, groups, contacts, and servicePrincipals. |
| resource_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | Specifies the user, contact, group, or service principal for which group and directory role memberships are to be returned. For contacts, groups, and service principals the entity-identifier should be an object ID (GUID); for users, it can be either the object ID or the user principal name (UPN). |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "securityEnabledOnly": false
}
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/getMemberObjects?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Edm.String)",
  "value": [
    "8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
    "be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
    "5e624f44-d38d-4943-b07c-2bad078f52ff"
  ]
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. The object IDs of the groups and directory roles that the target user, contact, group, or service principal has either direct or transitive membership in are returned. |

getObjectsByObjectIds: Get objects from a list of object IDs

POST https://graph.windows.net/myorganization/getObjectsByObjectIds?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "objectIds": [
    "c57cdc98-0dcd-4f90-a82f-c911b288bab9",
    "cc9869f0-6ac0-4d00-bc24-621a2d949d35",
    "477c2fe9-b0e7-4661-8564-ba170666f058",
    "beb9a3bb-2fff-4d5f-99d8-0ce169e8bed7"
  ],
  "types": [
    "group"
  ]
}

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.Group",
      "objectType": "Group",
      "objectId": "c57cdc98-0dcd-4f90-a82f-c911b288bab9",
      "deletionTimestamp": null,
      "description": "Marketing Group",
      "dirSyncEnabled": null,
      "displayName": "Marketing",
      "lastDirSyncTime": null,
      "mail": null,
      "mailNickname": "cdf76b17-0734-41bc-9c24-9a7af93f3502",
      "mailEnabled": false,
      "onPremisesSecurityIdentifier": null,
      "provisioningErrors": [],
      "proxyAddresses": [],
      "securityEnabled": true
    },
    {
      "odata.type": "Microsoft.DirectoryServices.Group",
      "objectType": "Group",
      "objectId": "cc9869f0-6ac0-4d00-bc24-621a2d949d35",
      "deletionTimestamp": null,
      "description": "Engineering Group",
      "dirSyncEnabled": null,
      "displayName": "Engineering",
      "lastDirSyncTime": null,
      "mail": null,
      "mailNickname": "ef3b8cc1-721b-4452-9e30-9867d1de80ea",
      "mailEnabled": false,
      "onPremisesSecurityIdentifier": null,
      "provisioningErrors": [],
      "proxyAddresses": [],
      "securityEnabled": true
    }
  ]
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. A collection that contains the directory objects that match the search criteria is returned. |

isMemberOf: Check membership in a specific group (transitive)

POST https://graph.windows.net/myorganization/isMemberOf?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "groupId": "5e624f44-d38d-4943-b07c-2bad078f52ff",
  "memberId": "ea59e4d3-a7a1-4b5b-b65f-a25fcc0c0f99"
}

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.Boolean",
  "value": true
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. Returns true if the user, contact, group, or service principal is a member of the specified group; otherwise, false. |

servicePrincipalsByAppId: Get service principal object ID by application ID

GET https://graph.windows.net/myorganization/servicePrincipalsByAppId/{application_id}/objectId?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| application_id | string | 1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1 | The application ID (GUID) of the service principal. |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Required. |

GET https://graph.windows.net/myorganization/servicePrincipalsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1/objectId?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.String",
  "value": [
    "00b4e797-7017-4720-b187-b01981c820d6"
  ]
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. Returns the service principal object ID of the specified application ID. |

verify: Verify ownership of a domain

POST https://graph.windows.net/myorganization/domains({domain_name})/verify?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| domain_name | string | contoso.com | The fully qualified domain name of the target domain. Must be enclosed in single quotes. |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Required. |

POST https://graph.windows.net/myorganization/domains('contoso.com')/verify?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#domains/@Element",
  "authenticationType": "Managed",
  "availabilityStatus": "AvailableImmediately",
  "isAdminManaged": true,
  "isDefault": false,
  "isInitial": false,
  "isRoot": true,
  "isVerified": true,
  "name": "contoso.com",
  "supportedServices": []
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. Returns the Domain object. The isVerified property indicates whether the ownership of the domain has been verified successfully. |

addKey: Add a KeyCredential for an application

POST https://graph.windows.net/myorganization/applications/{application_oid}/addKey?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| application_oid | string | 00009987-f6d8-4957-a6ca-7848d986ffff | The object id of the application. |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "keyCredential": {
    "customKeyIdentifier": "6uv7gh",
    "endDate": "2017-10-11T07:00:00Z",
    "keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "value": null
  },
  "passwordCredential": null,
  "proof": "Bearer eyJ0eXAiOiJKv1..."
}
POST https://graph.windows.net/myorganization/applications/00009987-f6d8-4957-a6ca-7848d986ffff/addKey?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
  "value": [
    {
      "keyCredential": {
        "customKeyIdentifier": "6uv7gh",
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": "MIZB9jVCACfEw="
      },
      "passwordCredential": null,
      "proof": "eyJ0eXAiOiJKv1"
    }
  ]
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. Returns the application's new key credential and password credential directory object. |

POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/addKey?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| application_id | string | 1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1 | The application ID (GUID) of the application. |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "keyCredential": {
    "customKeyIdentifier": "6uv7gh",
    "type": "X509CertAndPassword",
    "usage": "Sign",
    "value": "MIIJgIBAzCCCbYGCSqGSIb3gX1MIIF..."
  },
  "passwordCredential": {
    "value": "MKTr0w1ytHhemMDY"
  },
  "proof": "Bearer eyJ0eXAiOiJKv1..."
}
POST https://graph.windows.net/myorganization/applicationsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1/addKey?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
  "value": [
    {
      "keyCredential": {
        "customKeyIdentifier": "JXyLFwBmN=",
        "endDate": "2017-10-11T07:00:00Z",
        "keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
        "startDate": "2012-09-11T07:00:00Z",
        "type": "AsymmetricX509Cert",
        "usage": "Sign",
        "value": null
      }
    },
    {
      "keyCredential": {
        "customKeyIdentifier": "JXyLFwBmN=",
        "endDate": "2017-10-11T07:00:00Z",
        "keyId": "633b1614-b669-47c5-961e-f4a45978ffff",
        "startDate": "2012-09-11T07:00:00Z",
        "type": "Password",
        "usage": "Sign",
        "value": null
      }
    }
  ]
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. Returns the application's new key credential and password credential directory object. |

assignLicense: Add or remove licenses from a user

POST https://graph.windows.net/myorganization/users/{user_id}/assignLicense?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| user_id | string | alexd@a830edad9050849NDA1.onmicrosoft.com | The user ID. Can be the object ID (GUID) or the user principal name (someuser@a830edad9050849NDA1.onmicrosoft.com) of the target user. |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "addLicenses": [
    {
      "disabledPlans": [],
      "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900"
    }
  ],
  "removeLicenses": []
}
POST https://graph.windows.net/myorganization/users/alexd%40a830edad9050849NDA1.onmicrosoft.com/assignLicense?api-version=1.6

Response

Status Code:200

Content-Type: application/json

none

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. No response body is returned. |

changePassword: Change password of the signed-in user

POST https://graph.windows.net/me/changePassword?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| Query | | | |
| api-version | string | 1.6 | Specifies the version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "currentPassword": "Test1234!",
  "newPassword": "Test5678!"
}

Response

Status Code:204

Content-Type: application/json

none

Response List

| Status Code | Description |
|---|---|
| 204 | No Content. Indicates success. No response body is returned. |

removeKey: Remove a KeyCredential for an application

POST https://graph.windows.net/myorganization/applications/{application_oid}/removeKey?api-version
POST https://graph.windows.net/myorganization/applications/{application_oid}/removeKey?api-version=1.6

Response

Status Code:204

Content-Type: none

none

Response List

| Status Code | Description |
|---|---|
| 204 | No Content. Indicates success. No response body is returned. |

POST https://graph.windows.net/myorganization/applicationsByAppId/{application_id}/removeKey?api-version
POST https://graph.windows.net/myorganization/applicationsByAppId/1062a13d-f7e5-4ea7-8d24-427f6ff1e5e1/removeKey?api-version=1.6

Response

Status Code:204

Content-Type: none

none

Response List

| Status Code | Description |
|---|---|
| 204 | No Content. Indicates success. No response body is returned. |

restore: Restore a deleted application

POST https://graph.windows.net/myorganization/deletedApplications/{application_id}/restore?api-version

Parameters

| Parameter | Type | Value | Notes |
|---|---|---|---|
| URL | | | |
| application_id | string | 1e22de0f-0ed1-4c01-b725-a822632467e3 | The object ID (GUID) of the application to restore. |
| Query | | | |
| api-version | string | 1.6 | The version of the Graph API to target. Beginning with version 1.5, the api-version string is represented in major.minor format. Prior releases were represented as date strings: '2013-11-08' and '2013-04-05'. Required. |

Body

Content-Type: application/json

{
  "identifierUris": [
    "https://restoredApp/"
  ]
}
POST https://graph.windows.net/myorganization/deletedApplications/1e22de0f-0ed1-4c01-b725-a822632467e3/restore?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Application/@Element",
  "odata.type": "Microsoft.DirectoryServices.Application",
  "objectType": "Application",
  "objectId": "1e22de0f-0ed1-4c01-b725-a822632467e3",
  "deletionTimestamp": null,
  "appId": "f4ecf40c-e94f-4d79-af83-f920f81bcb66",
  "appRoles": [],
  "availableToOtherTenants": false,
  "displayName": "Sample App 1",
  "errorUrl": null,
  "groupMembershipClaims": null,
  "homepage": "https://localhost",
  "identifierUris": [
    "https://restoredApp/"
  ],
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoutUrl": null,
  "oauth2AllowImplicitFlow": false,
  "oauth2AllowUrlPathMatching": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "passwordCredentials": [],
  "publicClient": null,
  "replyUrls": [
    "https://localhost"
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        }
      ]
    }
  ],
  "samlMetadataUrl": null
}

Response List

| Status Code | Description |
|---|---|
| 200 | OK. Indicates success. Returns the restored Application object. The identifierUris property in the restored application is set or restored according to the identifierUris collection specified in the request. |