Manage Microsoft Entra identity and network access by using Microsoft Graph
Important: APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
With Microsoft Graph, you can manage identity and network access capabilities, most of which are available through Microsoft Entra. The APIs in Microsoft Graph help you to automate identity and network access management tasks and integrate with any application, and are the programmatic alternative to the administrator portals such as the Microsoft Entra admin center.
Microsoft Entra is a family of identity and network access capabilities that are available in the following products. All these capabilities are available through Microsoft Graph APIs:
- Microsoft Entra ID, which groups the identity and access management (IAM) capabilities.
- Microsoft Entra ID Governance
- Microsoft Entra External ID
- Microsoft Entra Verified ID
- Microsoft Entra Permissions Management
- Microsoft Entra Internet Access and Network Access
Manage user identities
Users are the main identities in any identity and access solution. You can manage the entire lifecycle of users in your organization, and their entitlements like licenses or group memberships, using Microsoft Graph APIs. For more information, see Working with users in Microsoft Graph.
Manage groups
Groups are the containers that allow you to efficiently manage the entitlements for identities as a unit. For example, through a group, you can grant users access to a resource, such as a SharePoint site. Or you can grant them licenses to use a service. For more information, see Working with groups in Microsoft Graph.
Manage applications
You can use Microsoft Graph APIs to register and manage your applications programmatically, enabling you to use Microsoft's IAM capabilities. For more information, see Manage Microsoft Entra applications and service principals by using Microsoft Graph.
Tenant administration or directory management
A core functionality of identity and access management is managing your tenant configuration, administrative roles, and settings. Microsoft Graph provides APIs to manage your Microsoft Entra tenant for the following scenarios:
Use cases | API operations |
---|---|
Manage administrative units, including the following operations: | administrativeUnit resource type and its associated APIs |
Retrieve BitLocker recovery keys | bitlockerRecoveryKey resource type and its associated APIs |
Monitor licenses and subscriptions for the tenant | |
Manage custom security attributes | See Overview of custom security attributes using the Microsoft Graph API |
Manage deleted directory objects. The functionality to store deleted objects in a "recycle bin" is supported for the following objects: | |
Manage devices in the cloud | device resource type and its associated APIs |
View local administrator credential information for all device objects in Microsoft Entra ID that are enabled with Local Admin Password Solution (LAPS). This feature is the cloud-based LAPS solution. | deviceLocalCredentialInfo resource type and its associated APIs |
Directory objects are the core objects in Microsoft Entra ID, such as users, groups, and applications. You can use the directoryObject resource type and its associated APIs to check memberships of directory objects, track changes for multiple directory objects, or validate that a Microsoft 365 group's display name or mail nickname complies with naming policies. | directoryObject resource type and its associated APIs |
Administrator roles, including Microsoft Entra administrator roles, are among the most sensitive resources in a tenant. You can manage the lifecycle of their assignment in the tenant, including creating custom roles, assigning roles, tracking changes to role assignments, and removing assignees from roles. | directoryRole resource type and directoryRoleTemplate resource type and their associated APIs; roleManagement resource type and its associated APIs. These APIs make direct role assignments. Alternatively, you can use the Privileged Identity Management APIs for Microsoft Entra roles and groups to make just-in-time and time-bound role assignments instead of direct, permanently active assignments. |
Define the following configurations that customize the tenant-wide and object-specific restrictions and allowed behavior: | directorySetting resource type and directorySettingTemplate resource type and their associated APIs. For more information, see Overview of group settings. |
Domain management operations such as: | domain resource type and its associated APIs |
Manage the profile objects for external users that you invite to collaborate via Teams. These APIs differ from the invitation APIs for Microsoft Entra External ID B2B collaboration. | externalUserProfile resource type and pendingExternalUserProfile resource type and their associated APIs |
Configure and manage staged rollout of specific Microsoft Entra ID features | featureRolloutPolicy resource type and its associated APIs |
Manage the policies for Mobile Device Management (MDM) and Mobile Application Management (MAM) autoenrollment for Microsoft Entra joined and registered devices | mobilityManagementPolicy resource type and its associated APIs |
Configure options that are available in Microsoft Entra Cloud Sync, such as preventing accidental deletions and managing group writebacks | onPremisesDirectorySynchronization resource type and its associated APIs |
Manage the base settings for your Microsoft Entra tenant | organization resource type and its associated APIs |
Manage the tenant-wide settings for your Microsoft Entra tenant, such as whether people and item insights are enabled for the organization | organizationSettings resource type and its associated APIs |
Retrieve the organizational contacts that might be synchronized from on-premises directories or from Exchange Online | orgContact resource type and its associated APIs |
Discover the basic details of other Microsoft Entra tenants by querying with the tenant ID or the domain name | tenantInformation resource type and its associated APIs |
Configure trusted certificate authorities for certificates that can be assigned to apps and service principals in the tenant | certificateBasedApplicationConfiguration resource type and its associated APIs |
Manage the delegated permissions and their assignments to service principals in the tenant | oAuth2PermissionGrant resource type and its associated APIs |
Identity and sign-in
Use cases | API operations |
---|---|
Configure listeners that monitor events that should trigger or invoke custom logic, typically defined outside Microsoft Entra ID | authenticationEventListener resource type and its associated APIs |
Manage authentication methods that are supported in Microsoft Entra ID | See Microsoft Entra authentication methods API overview and Microsoft Entra authentication methods policies API overview |
Manage the authentication methods, or combinations of authentication methods, that you can apply as a grant control in Microsoft Entra Conditional Access | See Microsoft Entra authentication strengths API overview |
Manage tenant-wide authorization policies such as: | authorizationPolicy resource type and its associated APIs |
Configure Continuous Access Evaluation (CAE), which allows access tokens to be revoked based on critical events and policy evaluation rather than relying on token expiry based on lifetime | continuousAccessEvaluationPolicy resource type and its associated APIs |
Manage the policies for certificate-based authentication in the tenant | certificateBasedAuthConfiguration resource type and its associated APIs |
Manage Microsoft Entra Conditional Access policies | conditionalAccessRoot resource type and its associated APIs |
Manage cross-tenant access settings, including outbound restrictions, inbound restrictions, tenant restrictions, and cross-tenant synchronization of users in multitenant organizations | See Cross-tenant access settings API overview |
Manage the user profiles that are shared with you or with external tenants using B2B direct connect, including removing and exporting personal data | inboundSharedUserProfile resource type and outboundSharedUserProfile resource type and their associated APIs |
Configure how, and which, external systems interact with Microsoft Entra ID during a user authentication session | customAuthenticationExtension resource type and its associated APIs |
Manage requests against user data in the organization, such as exporting personal data | dataPolicyOperation resource type and its associated APIs |
Configure the policies for managing Microsoft Entra joined and Microsoft Entra registered devices | deviceRegistrationPolicy resource type and its associated APIs |
Manage the tenant-wide policy that controls whether external users can leave a Microsoft Entra tenant via self-service controls, for example, through the Organizations menu of the My Account portal | externalIdentitiesPolicy resource type and its associated APIs |
Force autoacceleration sign-in to skip the username entry screen and automatically forward users to federated sign-in endpoints | homeRealmDiscoveryPolicy resource type and its associated APIs |
Detect, investigate, and remediate identity-based risks using Microsoft Entra ID Protection, and feed the data into security information and event management (SIEM) tools for further investigation and correlation | See Use the Microsoft Graph identity protection APIs |
Manage identity providers for Microsoft Entra ID, Microsoft Entra External ID, and Azure AD B2C tenants. You can perform the following operations: | identityProviderBase resource type and its associated APIs |
Invite external users to collaborate with your tenant by using Microsoft Entra External ID | invitation resource type and its associated APIs |
Define a group of tenants belonging to your organization and streamline intra-organization cross-tenant collaboration | See Multitenant organization API overview |
Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language | organizationalBranding resource type and its associated APIs |
Customize the UI/UX in Azure AD B2C using the Identity Experience Framework (IEF) | trustFrameworkKeySet resource type and trustFrameworkPolicy resource type and their associated APIs |
User flows for Microsoft Entra External ID in workforce tenants | The following resource types and their associated APIs: |
User flows for Azure AD B2C | The following resource types and their associated APIs: |
User flows for Microsoft Entra External ID in external tenants | The following resource types and their associated APIs: |
Manage app consent policies and condition sets | permissionGrantPolicy resource type |
Manage app consent preapproval policies | permissionGrantPreApprovalPolicy resource type |
Enable or disable security defaults in Microsoft Entra ID | identitySecurityDefaultsEnforcementPolicy resource type |
Identity governance
For more information, see Overview of Microsoft Entra ID Governance using Microsoft Graph.
Microsoft Entra External ID in external tenants
The following API use cases are supported to customize how users interact with your customer-facing applications. For administrators, most of the features available in Microsoft Entra ID are also supported for Microsoft Entra External ID in external tenants, for example, domain management, application management, and Conditional Access.
Use cases | API operations |
---|---|
User flows for Microsoft Entra External ID in external tenants and self-service sign-up experiences | authenticationEventsFlow resource type and its associated APIs |
Manage identity providers for Microsoft Entra External ID. You can identify the identity providers that are supported or configured in the tenant | See identityProviderBase resource type and its associated APIs |
Configure custom URL domains in Microsoft Entra External ID in external tenants | The CustomUrlDomain value for the supportedServices property of the domain resource type and its associated APIs |
Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language | organizationalBranding resource type and its associated APIs |
Manage identity providers for Microsoft Entra External ID, such as social identities | identityProviderBase resource type and its associated APIs |
Manage user profiles in Microsoft Entra External ID for customers | For more information, see Default user permissions in customer tenants |
Add your own business logic to the authentication experiences by integrating with systems that are external to Microsoft Entra ID | authenticationEventListener resource type and customAuthenticationExtension resource type and their associated APIs |
Multicloud permissions management
For more information, see Discover, remediate, and monitor permissions in multicloud infrastructures using permissions management APIs.
Network access management
For more information, see Secure access to cloud, public, and private apps using Microsoft Graph network access APIs.
Partner tenant management
Microsoft Graph also provides the following identity and access capabilities for Microsoft partners in the Cloud Solution Provider (CSP), Value Added Reseller (VAR), or Advisor programs to help manage their customer tenants.
Use cases | API operations |
---|---|
Manage contracts for the partner with its customers | contract resource type and its associated APIs |
Microsoft partners can enable their customers to ensure that the partners have least-privileged access to the customers' tenants. This feature gives customers extra control over their security posture while still allowing them to receive support from Microsoft resellers | See Granular delegated admin privileges (GDAP) API overview |
Get detections and security alerts for unauthorized party abuse, account takeovers, and anomalous usage of Azure subscriptions in the customer tenants that you're responsible for. | See Use the partner security alert API in Microsoft Graph |
Licensing
Microsoft Entra licenses include Microsoft Entra ID Free, P1, P2, and Governance; Microsoft Entra Permissions Management; and Microsoft Entra Workload ID.
For detailed information about licensing for different features, see Microsoft Entra ID licensing.