Update user
Namespace: microsoft.graph
Update the properties of a user object.
- Not all properties can be updated by Member or Guest users with their default permissions without administrator roles. Compare member and guest default permissions to see properties they can manage.
- Customers through Microsoft Entra ID for customers can also use this API operation to update their details. See Default user permissions in external tenants for the list of properties they can update.
- For synced users, the ability to update certain properties is additionally determined by the source of authority and whether synchronization is enabled.
This API is available in the following national cloud deployments.
Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
---|---|---|---|
✅ | ✅ | ✅ | ✅ |
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
Permission type | Least privileged permissions | Higher privileged permissions |
---|---|---|
Delegated (work or school account) | User.ReadWrite | User.ManageIdentities.All, User.EnableDisableAccount.All, User.ReadWrite.All, Directory.ReadWrite.All |
Delegated (personal Microsoft account) | User.ReadWrite | Not available. |
Application | User.ManageIdentities.All | User.EnableDisableAccount.All, User.ReadWrite.All, Directory.ReadWrite.All |
Permissions for specific scenarios
- Your personal Microsoft account must be tied to a Microsoft Entra tenant to update your profile with the User.ReadWrite delegated permission on a personal Microsoft account.
- To update sensitive user properties, such as accountEnabled, mobilePhone, and otherMails for users with privileged administrator roles:
- In delegated scenarios, the app must be assigned the Directory.AccessAsUser.All delegated permission and the signed-in user must have a higher privileged administrator role as indicated in Who can perform sensitive actions.
- In app-only scenarios in addition to Microsoft Graph permissions, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions.
- To update the employeeLeaveDateTime property:
- In delegated scenarios, the admin needs the Global Administrator role; the app must be granted the User.Read.All and User-LifeCycleInfo.ReadWrite.All delegated permissions.
- In app-only scenarios with Microsoft Graph permissions, the app must be granted the User.Read.All and User-LifeCycleInfo.ReadWrite.All permissions.
- To update the customSecurityAttributes property:
- In delegated scenarios, the admin must be assigned the Attribute Assignment Administrator role and the app granted the CustomSecAttributeAssignment.ReadWrite.All permission.
- In app-only scenarios with Microsoft Graph permissions, the app must be granted the CustomSecAttributeAssignment.ReadWrite.All permission.
- User-Mail.ReadWrite.All is the least privileged permission to update the otherMails property.
- User-PasswordProfile.ReadWrite.All is the least privileged permission to update the passwordProfile property.
- User-Phone.ReadWrite.All is the least privileged permission to update the businessPhones and mobilePhone properties.
- User.EnableDisableAccount.All + User.Read.All is the least privileged combination of permissions to update the accountEnabled property.
- User.ManageIdentities.All is required to update the identities property.
HTTP request
PATCH /users/{id | userPrincipalName}
Request headers
Header | Value |
---|---|
Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
Content-Type | application/json |
Request body
In the request body, supply only the values for properties to update. Existing properties that aren't included in the request body maintain their previous values or are recalculated based on changes to other property values.
The following table specifies the properties that can be updated.
Property | Type | Description |
---|---|---|
aboutMe | String | A freeform text entry field for the user to describe themselves. |
accountEnabled | Boolean | true if the account is enabled; otherwise, false . This property is required when a user is created. |
ageGroup | ageGroup | Sets the age group of the user. Allowed values: null , Minor , NotAdult , and Adult . Refer to the legal age group property definitions for further information. |
birthday | DateTimeOffset | The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
businessPhones | String collection | The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property. User-Phone.ReadWrite.All is the least privileged permission to update this property. |
city | String | The city in which the user is located. |
companyName | String | The name of the company that the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters. |
consentProvidedForMinor | consentProvidedForMinor | Sets whether consent has been obtained for minors. Allowed values: null , Granted , Denied and NotRequired . Refer to the legal age group property definitions for further information. |
country | String | The country/region in which the user is located; for example, US or UK . |
customSecurityAttributes | customSecurityAttributeValue | An open complex type that holds the value of a custom security attribute that is assigned to a directory object. |
department | String | The name for the department in which the user works. |
displayName | String | The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial, and last name. This property is required when a user is created and it can't be cleared during updates. |
employeeId | String | The employee identifier assigned to the user by the organization. The maximum length is 16 characters. |
employeeType | String | Captures enterprise worker type. For example, Employee , Contractor , Consultant , or Vendor . Returned only on $select . |
givenName | String | The given name (first name) of the user. |
employeeHireDate | DateTimeOffset | The hire date of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
employeeLeaveDateTime | DateTimeOffset | The date and time when the user left or will leave the organization. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . |
employeeOrgData | employeeOrgData | Represents organization data (for example, division and costCenter) associated with a user. |
identities | objectIdentity collection | Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft, by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account. Any update to identities replaces the entire collection and you must supply the userPrincipalName signInType identity in the collection. NOTE: Adding a B2C local account to an existing user object isn't allowed, unless the user object already contains a local account identity. |
interests | String collection | A list for the user to describe their interests. |
jobTitle | String | The user's job title. |
String | The SMTP address for the user, for example, jeff@contoso.com . Changes to this property also update the user's proxyAddresses collection to include the value as an SMTP address. For Azure AD B2C accounts, this property can be updated up to only 10 times with unique SMTP addresses. Can't be updated to null . |
|
mailNickname | String | The mail alias for the user. This property must be specified when a user is created. |
mobilePhone | String | The primary cellular telephone number for the user. User-Phone.ReadWrite.All is the least privileged permission to update this property. |
mySite | String | The URL for the user's personal site. |
officeLocation | String | The office location in the user's place of business. |
onPremisesExtensionAttributes | onPremisesExtensionAttributes | Contains extensionAttributes 1-15 for the user. The individual extension attributes aren't selectable or filterable. For an onPremisesSyncEnabled user, the source of authority for this set of properties is the on-premises and is read-only. These extension attributes are also known as Exchange custom attributes 1-15. |
onPremisesImmutableId | String | This property is used to associate an on-premises Active Directory user account to their Microsoft Entra user object. This property must be specified when creating a new user account in the Graph if you're using a federated domain for the user's userPrincipalName (UPN) property. Important: The $ and _ characters can't be used when specifying this property. |
otherMails | String collection | A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"] . To update this property, pass in all the email addresses that you want the user to have; otherwise, existing values get overwritten by the values you specify. User-Mail.ReadWrite.All is the least privileged permission to update this property. |
passwordPolicies | String | Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword , which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two can be specified together; for example: DisablePasswordExpiration, DisableStrongPassword . |
passwordProfile | PasswordProfile | Specifies the password profile for the user. The profile contains the user's password. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required. As a best practice, always set the forceChangePasswordNextSignIn to true . This can't be used for federated users. |
pastProjects | String collection | A list for the user to enumerate their past projects. |
postalCode | String | The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code. |
preferredLanguage | String | The preferred language for the user. Should follow ISO 639-1 Code; for example, en-US . |
responsibilities | String collection | A list for the user to enumerate their responsibilities. |
schools | String collection | A list for the user to enumerate the schools they attended. |
skills | String collection | A list for the user to enumerate their skills. |
state | String | The state or province in the user's address. |
streetAddress | String | The street address of the user's place of business. |
surname | String | The user's surname (family name or last name). |
usageLocation | String | A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: US , JP , and GB . Not nullable. |
userPrincipalName | String | The user principal name (UPN) of the user. The UPN is an Internet-style sign-in name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. The verified domains for the tenant can be accessed from the verifiedDomains property of organization. NOTE: This property can't contain accent characters. Only the following characters are allowed A - Z , a - z , 0 - 9 , ' . - _ ! # ^ ~ . For the complete list of allowed characters, see username policies. |
userType | String | A string value that can be used to classify user types in your directory, such as Member and Guest . |
Note
- The following properties cannot be updated by an app with only application permissions: aboutMe, birthday, employeeHireDate, interests, mySite, pastProjects, responsibilities, schools, and skills.
- To update the following properties, you must specify them in their own PATCH request, without including the other properties: aboutMe, birthday, interests, mySite, pastProjects, responsibilities, schools, and skills.
Manage extensions and associated data
Use this API to manage the directory, schema, and open extensions and their data for users, as follows:
- Add, update, and store data in the extensions for an existing user
- For directory and schema extensions, remove any stored data by setting the value of the custom extension property to
null
. For open extensions, use the Delete open extension API.
Response
If successful, this method returns a 204 No Content
response code.
Example
Example 1: Update properties of the signed-in user
Request
The following example shows a request.
PATCH https://graph.microsoft.com/v1.0/me
Content-type: application/json
{
"businessPhones": [
"+1 425 555 0109"
],
"officeLocation": "18/2111"
}
Response
The following example shows the response.
HTTP/1.1 204 No Content
Example 2: Update properties of the specified user
Request
The following example shows a request.
PATCH https://graph.microsoft.com/v1.0/users/{id}
Content-type: application/json
{
"businessPhones": [
"+1 425 555 0109"
],
"officeLocation": "18/2111"
}
Response
The following example shows the response.
HTTP/1.1 204 No Content
Example 3: Update the passwordProfile of a user and reset their password
The following example shows a request to reset the password of another user. As a best practice, always set the forceChangePasswordNextSignIn to true
.
- In delegated access, the calling app must be assigned the Directory.AccessAsUser.All delegated permission on behalf of the signed-in user.
- In application-only access, the calling app must be assigned the User.ReadWrite.All (least privilege) or Directory.ReadWrite.All (higher privilege) application permission and at least the User Administrator Microsoft Entra role.
Request
PATCH https://graph.microsoft.com/v1.0/users/{id}
Content-type: application/json
{
"passwordProfile": {
"forceChangePasswordNextSignIn": false,
"password": "xWwvJ]6NMw+bWH-d"
}
}
Response
HTTP/1.1 204 No Content
Example 4: Add or update the values of a schema extension for a user
You can update or assign a value to a single property or all properties in the extension.
Request
PATCH https://graph.microsoft.com/v1.0/users/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e
Content-type: application/json
{
"ext55gb1l09_msLearnCourses": {
"courseType": "Admin"
}
}
To remove the value of the schema extension from the user object, set the ext55gb1l09_msLearnCourses property to null
.
Response
HTTP/1.1 204 No Content
Example 5: Assign a custom security attribute with a string value to a user
The following example shows how to assign a custom security attribute with a string value to a user.
- Attribute set:
Engineering
- Attribute:
ProjectDate
- Attribute data type: String
- Attribute value:
"2022-10-01"
To assign custom security attributes, the calling principal must be assigned the Attribute Assignment Administrator role and must be granted the CustomSecAttributeAssignment.ReadWrite.All permission.
For examples of custom security attribute assignments, see Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API.
Request
PATCH https://graph.microsoft.com/v1.0/users/{id}
Content-type: application/json
{
"customSecurityAttributes":
{
"Engineering":
{
"@odata.type":"#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
"ProjectDate":"2022-10-01"
}
}
}
Response
HTTP/1.1 204 No Content