Microsoft Graph what's new history
Find information about previous additions and updates to Microsoft Graph APIs, documentation, SDKs, and other resources.
January 2025: New and generally available
Updated the endpoint of the fileStorageContainer: restore method.
Identity and access | Identity and sign-in
Added riskEventType entry for the Suspicious API Traffic detection for service principals.
Microsoft Graph Bicep templates
You can now deploy the user resource in a Bicep template for your infrastructure as code (IaC) projects. For more information, see the Microsoft.Graph users Bicep reference.
Teamwork and communications | Calls and online meetings
- Microsoft Teams custom meeting templates allow you to specify values for many of the meeting options available to meeting organizers. Use the meetingTemplateId property on onlineMeeting to create an online meeting with a meeting template.
- Use the allowBreakoutRooms, allowLiveShare, allowPowerPointSharing, and allowWhiteboard to indicate whether breakout rooms, live share, PowerPoint live, and whiteboard features are enabled in an onlineMeeting or virtualEventSession.
- Use the allowedLobbyAdmitters property on onlineMeeting to get or set the users who can admit from the lobby.
- Use the allowRecording and allowTranscription properties on the onlineMeeting and virtualEventSession to indicate whether recording or transcription is enabled for a meeting or virtual event session.
Teamwork and communications | Messaging
- Get a chat message with an @mention for everyone.
- Get a chat message that has a forwarded message as an attachment.
- Use the isHiddenForAllMembers property to indicate whether a chat is hidden from all its members.
January 2025: New in preview only
Change notifications
Enabled change notifications support to the methods to list, get, create, update, delete, and reauthorize a subscription for aiInteraction.
Device and app management | Cloud PC
- Retry a bulk action with selected Cloud PCs.
- Use the productType property on cloudPC to get the product type of a Cloud PC or to filter Cloud PCs by product type.
- Deprecated the getCloudPcPerformanceReport method of the cloudPcReports resource in favor of the retrieveCloudPcTenantMetricsReport method.
Updated the endpoint of the fileStorageContainer: restore method.
Identity and access | Directory management
- Use the alternativeNames property on device to get or set alternative names for a device.
- Use the deviceTemplate resource and its associated methods to manage device templates for devices in Microsoft Entra ID.
- Use the mutualTlsOauthConfiguration resource and its associated methods to manage certificate authorities that are permitted to issue certificates for a specific set of objects used for mTLS.
Identity and access | Identity and sign-in
Added support for configuring a custom email provider for one-time passcodes (OTP) in Microsoft Entra External ID by using the following objects:
- The onOtpSendCustomExtension resource type to configure the custom authentication extension that contains configuration details of the external service that might be an Azure Function.
- The onEmailOtpSendListener resource type to configure the event listener that is triggered to send the OTP prompt to the user, based on the configuration details in the onOtpSendCustomExtension object.
The functionality also allows you to configure the default fallback option when the custom authentication extension isn't successfully called.
Industry data ETL
Use the start operation on the industryDataRun resource to perform an on-demand run, with throttling limits of up to five successful runs every 12 hours.
Mailbox import and export
Use the new mailbox import and export APIs in Microsoft Graph to build solutions that integrate with mailbox resources for data import and export scenarios. For more information, see Overview of the mailbox import and export APIs in Microsoft Graph.
Reports | Identity and access reports
Added attributeCollectionStart, attributeCollectionSubmit, and emailOtpSend as supported values for the eventType property of the appliedAuthenticationEventListener resource.
Sites and lists
Archive or unarchive a SharePoint site.
Tasks and plans
Use the teamsChannel container type to create plans in shared channels in Microsoft Teams.
Teamwork and communications | Calls and online meetings
Get change notifications for Microsoft Teams emergency call event updates.
Teamwork and communications | Messaging
Get a chat message that includes a Microsoft Loop component as two attachments.
December 2024: New and generally available
Microsoft Graph activity logs, which provide an audit trail of all HTTP requests that Microsoft Graph received and processed for your tenant, are now available in China operated by 21Vianet.
Security | Alerts and incidents
Enabled the description, displayName, resolvingComment, and severity properties as supported properties in an Update incident request.
Teamwork and communications | Calls and online meetings
- Use the following new methods for virtual events that are of the virtualEventTownhall type:
- Link external event information to a virtualEventTownhall or virtualEventWebinar by setting an externalEventId.
- Use the externalEventInformation on virtualEventTownhall and virtualEventWebinar to identify the external event information of a virtual event.
- Use the externalRegistrationInformation property on virtualEventRegistration to get or set the external information for a virtual event registration.
Teamwork and communications | Shift management
- Stage the deletion of an openShift, shift, or timeOff instance in a schedule in draft mode.
- Use the eligibilityFilteringEnabledEntities property on workforceIntegration to get or set support for viewing eligibility-filtered results.
Published the following lesser privileged permissions for managing specific scenarios on the user object:
| Permission | Comments |
| --- | --- |
| User-Mail.ReadWrite.All | Least privileged permission to update the otherMails property. |
| User-PasswordProfile.ReadWrite.All | Least privileged permission to read and write password reset-related properties. |
| User-Phone.ReadWrite.All | Least privileged permission to update the businessPhones and mobilePhone properties. Previously, only the Directory.AccessAsUser.All permission was supported to update the properties for admin users. We recommend you move to the lesser privileged permission instead. |
| User.EnableDisableAccount.All | Least privileged permission to update the accountEnabled property. Requires User.Read.All permission as well. Previously, only the Directory.AccessAsUser.All permission was supported to update the account status for admin users. We recommend you move to the lesser privileged permission instead. |
| User.DeleteRestore.All | Least privileged permission to delete a user, restore a deleted user from the recycle bin, or permanently delete a deleted user from the recycle bin. Also allows retrieving deleted users via the /directory/deleteditems/microsoft.graph.user endpoint. |
December 2024: New in preview only
Backup Storage
Use the new restore bulk addition request API for more convenient, efficient, and scalable restore solutions. This API is designed to streamline the restore process by allowing direct submission of restoration resources in a bulk request. The following resources are supported:
- driveRestoreArtifactsBulkAdditionRequest
- mailboxRestoreArtifactsBulkAdditionRequest
- siteRestoreArtifactsBulkAdditionRequest
Device and app management | Cloud PC
- Use the disasterRecoveryType property on cloudPcCrossRegionDisasterRecoverySetting to get or set the type of disaster recovery to perform when a disaster occurs on a user's Cloud PC.
- Use the userInitiatedDisasterRecoveryAllowed property on cloudPcCrossRegionDisasterRecoverySetting to get or set whether the client allows the end user to initiate a disaster recovery activation.
- Deprecated the crossRegionDisasterRecoveryEnabled property of the cloudPcCrossRegionDisasterRecoverySetting resource. Going forward use the disasterRecoveryType property.
- Enabled
as a supported error type in the errorType property of the cloudPcOnPremisesConnectionHealthCheck resource.
Identity and access | Directory management
While restoring soft-deleted users, you can now specify whether Microsoft Entra ID should replace the user's userPrincipalName with a new value.
Identity and access | Identity and sign-in
- Use Microsoft Graph APIs to stay informed about the latest product updates, including the product roadmap and change announcements, the programmatic alternative to the What's new tab on the Microsoft Entra admin center.
- You can now manage hardware OATH tokens for your organization and users programmatically via the following Microsoft Graph APIs:
  - hardwareOathTokenAuthenticationMethodDevice resource type and its associated methods to manage the hardware tokens in your tenant, including assigning to users
  - hardwareOathAuthenticationMethod resource type and its associated methods to manage tokens that are already assigned to users by activating or deactivating them
Reports | Microsoft 365 monitoring reports
The Microsoft 365 monitoring APIs provide telemetry data to monitor the health of various Microsoft services within a Microsoft 365 subscription for your organization. Use the new operations in the serviceActivity resource to get telemetry data for Exchange Online, Microsoft 365 Apps, and Microsoft Teams.
Security | Alerts and incidents
Enabled the description, displayName, and severity properties as supported properties in an Update incident request.
Sites and lists
Create and manage a news link page in SharePoint.
Teamwork and communications | Calls and online meetings
The get and list operations of the callRecording and callTranscript resources support the retrieval of call recordings or call transcripts from private chat meetings and channel meetings.
Teamwork and communications | Messaging
Use the firstChannelName property on team to set the name of the first channel created in a team.
November 2024: New and generally available
Applications | Policies
Use the state property on keyCredentialConfiguration and passwordCredentialConfiguration to indicate whether a restriction is evaluated.
Use a range of new methods and resources for enhanced file storage management, including methods for managing columns and recycle bin items. You can also run operations like restore, lock, unlock, and more across the fileStorageContainer, fileStorage, and recycleBin resources.
Security | Alerts and incidents
Enabled the active, pendingApproval, declined, unremediated, running, and partiallyRemediated statuses in the evidenceRemediationStatus enumeration. Use these new statuses via the remediationStatus property of the alertEvidence and its inherited types.
Security | Identities
The Defender for Identity sensors management API enables you to create detailed reports on the sensors in your workspace, providing information such as server name, sensor version, type, state, and health status. It also allows you to manage sensor settings, including adding descriptions, enabling or disabling delayed updates, and specifying the domain controller the sensor connects to for querying Entra ID. For more information, see sensor.
Teamwork and communications | Calls and online meetings
Use the administrativeUnitInfos property on participant and organizer to get the IDs of one or more administrative units for a call participant.
November 2024: New in preview only
Device and app management | Cloud PC
- Added new endpoints that support application permissions in the following methods of the cloudPC resource:
- Use the reservePercentage property in the [cloudPcProvisioningPolicy: apply] method to specify the percentage of Cloud PCs to keep available for frontline shared scenarios.
- Use the getCloudPCPerformanceReport method to get reports related to the performance of Cloud PCs.
- Use the reportName parameter with the getInaccessibleCloudPcReports method to specify the Cloud PC report type.
- Enabled the
options for the reportName parameter in the Create cloudPcExportJob method.
Device and app management | Device updates
- Deploy a hotpatch quality update using Windows Autopatch.
- Use the isHotpatchUpdate property on productRevision to identify whether the content is hotpatchable.
- Use the isHotpatchEnabled property on userExperienceSettings to identify whether the update is offered as a hotpatch.
Lock or unlock a fileStorageContainer.
Identity and access | Identity and sign-in
- Use the oidcIdentityProvider resource and its methods to interact with OpenID Connect identity providers in a Microsoft Entra external tenant.
- Added the certificateBasedAuthPki resource to manage the collection of public key infrastructure (PKI) instances for the certificate-based authentication method, and the certificateAuthorityDetail resource to access the properties of each certificate authority object within a certificateBasedAuthPki.
Identity and access | Network access
List, create, get, update, and delete fqdnFilteringRule and webCategoryFilteringRule resources that are derived types of filteringRule.
Reports | Identity and access reports
Use the sessionId property on signIn to get the identifier of the session that was generated during a sign-in.
Security | Discovered cloud apps
The new Microsoft Defender for Cloud apps API in Microsoft Graph is designed to provide an efficient and reliable way to query discovered apps information, making it easier for you to analyze the risks associated with the discovered apps. Use the following resources and their methods to get data and insights across the discovered SaaS apps ecosystem:
- cloudAppDiscoveryReport
- discoveredCloudAppDetail
- discoveredCloudAppInfo
- discoveredCloudAppUser
- discoveredCloudAppIPAddress
- discoveredCloudAppDevice
- endpointDiscoveredCloudAppDetail
Security | eDiscovery
Added application authentication for Microsoft Purview eDiscovery Graph APIs. For more information about setting up app-only access, see Set up application authentication.
Teamwork and communications | AI interactions
Use the getAllEnterpriseInteractions method to get Microsoft 365 Copilot interaction data, including user prompts to Copilot and Copilot responses.
Teamwork and communications | Calls and online meetings
- Link external event information to a virtualEventTownhall or virtualEventWebinar by setting an externalEventId.
- Use the externalEventInformation on virtualEventTownhall and virtualEventWebinar to identify the external event information of a virtual event.
- Use the allowedLobbyAdmitters property on onlineMeeting to get or set the users who can admit from the lobby.
- Get or set whether users of Microsoft 365 Copilot in Teams meetings can receive responses to sentiment-related prompts.
October 2024: New and generally available
Backup storage
Updated the endpoints of the following methods:
Change notifications
Enabled the $notifyOnUserSpecificProperties query parameter as a value of the resource property in the subscription resource. You can use the notifyOnUserSpecificProperties parameter when you subscribe to notifications in a particular chat.
Identity and access | Directory management
- Get the root domain of a subdomain.
- Added recommendations to use unified RBAC APIs in unifiedRoleDefinition instead of directoryRole and directoryRoleTemplate.
- Use the membershipRule property on administrativeUnit to get or set the dynamic membership rule for an administrative unit.
- Use the membershipRuleProcessingState property on administrativeUnit to indicate whether the dynamic membership rule is actively processed.
- Use the membershipType property on administrativeUnit to get or set the membership type for an administrative unit.
Security | eDiscovery
- Enabled the deletion of Exchange mailbox items in the ediscoverySearch: purgeData method.
- Deleted the
member from the purgeType enumeration in favor of the permanentlyDelete member.
- Export results and a report from an ediscoverySearch.
- Legal holds are holds that are tied to an eDiscovery case. To learn more about a legal hold policy and its supported methods, see ediscoveryHoldPolicy.
Teamwork and communications | Apps
Use the clientAppId property on teamsAppAuthorization to get the registration ID of the Microsoft Entra app ID associated with an app in the Microsoft Teams app catalog.
Teamwork and communications | Calls and online meetings
Use the isDeltaRosterEnabled property on incomingCallOptions and outgoingCallOptions to indicate whether delta roster is enabled for a call.
Teamwork and communications | Messaging
- Updated the chatMessage: delta method to use a new endpoint that gets the list of delta messages from all chats in which a user is a participant, including one-on-one chats, group chats, and meeting chats.
- Use the reactionContentUrl property on chatMessageReaction to represent the hosted content URL for a custom reaction in a chatMessage.
- Use the
tag on the content property of the itemBody resource to represent custom emojis in the message body in a chatMessage.
- Use the displayName property on chatMessageReaction to represent the reaction name in a chatMessage.
October 2024: New in preview only
Backup storage
Added new endpoints for bulk addition of protection units into a protection policy:
Updated the endpoints of the following methods:
Device and app management | Cloud licensing
- Use the new cloud licensing usageRight entity that is designed for client and workload license checks, with relationships structured to flow from the user or group to the usageRight. This new entity supports the following operations:
- Use the cloudLicensing property on a group or user to get their relationships with cloud licensing resources.
Device and app management | Cloud PC
- Enabled the
query parameter for the cloudPC: getProvisionedCloudPCs method.
- Use the notificationSetting property on cloudPcUserSetting to define the Cloud PC notification prompts for a Cloud PC user.
- Enabled the
member in the alertRuleTemplate enumeration.
- Enabled the
members in the ruleCondition enumeration.
Identity and access | Directory management
Get or update the uxSetting that restricts access to Microsoft Entra admin center to only administrators.
Identity and access | Identity and sign-in
Enabled suspiciousAPITraffic as a supported value for the riskEventType property in the servicePrincipalRiskDetection resource. You can retrieve this value when you use either the List servicePrincipalRiskDetections or Get servicePrincipalRiskDetection APIs.
Reports | Identity and access reports
The Microsoft Entra Health monitoring alerts APIs enable you to detect anomalous usage patterns in business-critical identity scenarios for your tenant and receive alert notifications. Use the operations of the alert and alertConfiguration resources to retrieve and update alerts and alert configurations. For details, see the related changelog section.
Security | eDiscovery
- Enabled the deletion of Exchange mailbox items in the ediscoverySearch: purgeData method.
- Deleted the
member from the purgeType enumeration in favor of the permanentlyDelete member.
Sites and lists
Updated the endpoints of the following methods:
Teamwork and communications | Calls and online meetings
- Use the externalRegistrationInformation property on virtualEventRegistration to get or set the external information for a virtual event registration.
- Use the following new methods for virtual events that are of the virtualEventTownhall type:
Teamwork and communications | Messaging
- Updated the chatMessage: delta method to use a new endpoint that gets the list of delta messages from all chats in which a user is a participant, including one-on-one chats, group chats, and meeting chats.
- Get a chat message that has a forwarded message as an attachment.
- Remove multiple members from a team in a single request.
Changed the following on-premises synced properties of the user resource type that were read-only in Microsoft Graph to be updatable via Microsoft Graph:
- onPremisesDistinguishedName
- onPremisesDomainName
- onPremisesSamAccountName
- onPremisesSecurityIdentifier
- onPremisesUserPrincipalName
September 2024: New and generally available
Change notifications
Announced the deprecation of shared access signatures (SAS) for authenticating Event Hubs for Microsoft Graph change notifications. We recommend using Microsoft Entra ID role-based access control (RBAC) instead. Follow the guidance to migrate to RBAC.
Identity and access | Directory management
Removed the previously deprecated Directory.Write.Restricted permission from the device, group, and user resources.
Security | Alerts and incidents
- Use the dnsDomain property on deviceEvidence to get the DNS domain that a computer belongs to.
- Use the hostName property on deviceEvidence to get the hostname without the domain suffix.
- Use the ntDomain property on deviceEvidence to get a logical grouping of computers within a Microsoft Windows network.
Security | Identities
Added the ability to get, list, and update Microsoft Defender for Identity health issues that represent potential issues identified within a customer's Defender for Identity configuration.
Teamwork and communications | Messaging
- Get all retained messages across all channels in a team.
- Get all retained messages from all chats that a user is a participant in, including one-on-one chats, group chats, and meeting chats.
September 2024: New in preview only
Applications | Service principal
Use the serviceManagementReference optional property in the applicationTemplate: instantiate method to set the service tree ID for a service.
Device and app management | Cloud PC
- Enabled the
members as supported regions in the cloudPcRegionGroup enumeration.
- Removed the getShiftWorkCloudPcAccessState method from the cloudPC resource. Going forward, use the getFrontlineCloudPcAccessState API.
- Use the autopilotConfiguration property on cloudPcProvisioningPolicy to get or set the settings for Windows Autopilot that enable Windows 365 customers to experience it on Cloud PC.
- Use the osVersionNumber property on cloudPcDeviceImage and cloudPcGalleryImage resources to get the operating system version of an image.
- Introduced the retrieveSnapshots method on the cloudPC resource to enable you to return a list of all snapshots of a Cloud PC.
Deprecated the following methods:
- bulkSetReviewStatus; use the cloudPcBulkSetReviewStatus resource and its supported APIs instead.
- List snapshots; use the retrieveSnapshots resource and its supported APIs instead.
- Update the recycle bin settings for a fileStorageContainer.
- Use the
, and includeAllContainerUsers query parameters to customize the List permissions operation response.
- Include all version history when you copy a drive item. The version history is included up to the target version setting limit.
Identity and access | Directory management
Use the passwordResetUri property on internalDomainFederation to get or set the URI that clients are redirected to for resetting their password.
Identity and access | Identity and sign-in
- Use the identifierUris property in the get and update operations of the tenantAppManagementPolicy resource to get or set restrictions on vulnerable or easily compromised identifier URI formats for an application.
- Updated the return type for the applicationRestrictions property of the tenantAppManagementPolicy resource from appManagementConfiguration to appManagementApplicationConfiguration.
- Updated the return type for the servicePrincipalRestrictions property of the tenantAppManagementPolicy resource from appManagementConfiguration to appManagementServicePrincipalConfiguration.
- Updated the return type for the restrictions property of the appManagementPolicy resource from appManagementConfiguration to customAppManagementConfiguration.
Reports | Microsoft 365 usage reports
- Get the most recent activity data for enabled users of Microsoft 365 Copilot apps.
- Get the aggregated number of active and enabled users of Microsoft 365 Copilot for a specified time period.
- Get the trend in the daily number of active and enabled users of Microsoft 365 Copilot for a specified time period.
Security | Alerts and incidents
- Use the dnsDomain property on deviceEvidence to get the DNS domain that a computer belongs to.
- Use the hostName property on deviceEvidence to get the hostname without the domain suffix.
- Use the ntDomain property on deviceEvidence to get a logical grouping of computers within a Microsoft Windows network.
Security | Identities
- Generate a new deployment access key.
- Get the deployment access key associated with a Microsoft Defender for Identity.
- Get the sensor deployment package URL and version.
Teamwork and communications | Calls and online meetings
Use the isDeltaRosterEnabled property on incomingCallOptions and outgoingCallOptions to indicate whether delta roster is enabled for a call.
August 2024: New and generally available
- Enabled the
query parameter for the following methods:
- Reduced support for the
query parameter in the List assignments of a user method to a subset of the properties in the educationAssignment resource.
Employee experience | Employee engagement
Introduced the general availability of the Viva Engage API in Microsoft Graph. A Viva Engage community is a central place for conversations, files, events, and updates for people sharing a common interest or goal. Use the Viva Engage API for the following scenarios:
- Create a community
- Poll for community creation status
- Get a community
- List communities
- Update a community
- Delete a community
People and workplace intelligence | Insights
Get and update user privacy settings for itemInsights and meeting hours insights. Use the userInsightsSettings resource to enable or disable the calculation and visibility of item insights and meeting hours insights for a user.
Reports | Microsoft 365 usage reports
Get or update tenant-wide settings to hide or show identifiable information for users, groups, or sites in Microsoft 365 usage reports.
Teamwork and communications | Online meeting
- Enabled the
query parameter for the Get callRecording method.
- Enabled the
query parameter for the Get callTranscript method.
- Enabled the
, and $top query parameters for the List recordings method.
- Enabled the
, and $top query parameters for the List transcripts method.
- Get all recordings and transcripts from scheduled online meeting instances for which the specified user is the organizer.
- Get a set of recording and transcript resources that were added for online meeting instances organized by the specified user.
Teamwork and communications | Settings
Enabled the Spain and Mexico values as supported regions for the region property of the teamwork and userTeamwork resources.
August 2024: New in preview only
Identity and access | Partner Center security
Introduced the partner security score API. Use this API to generate security scores for partners to help them enhance their posture. The API provides a history of score changes, detailed customer insights, and requirement score information.
Device and app management | Cloud PC
- Use the crossRegionDisasterRecoverySetting property on cloudPcUserSetting to define cross-region disaster recovery settings.
- Deprecated the
member on frontlineCloudPcAccessState.
- Enabled the
query parameter for the following methods:
- Reduced support for the
query parameter in the List assignments of a user method to a subset of the properties in the educationAssignment resource.
Teamwork and communications | Apps
Use the clientAppId property on teamsAppAuthorization to get the registration ID of the Microsoft Entra app ID associated with an app in the Microsoft Teams app catalog.
Teamwork and communications | Calls and online meetings
- Use the settings property on virtualEventTownhall and virtualEventWebinar to get or set whether attendees receive email notifications for a town hall or webinar.
- Removed the meetingOrganizerId property from the callRecording and callTranscript resources in favor of the meetingOrganizer property.
Teamwork and communications | Messaging
Use the displayName property on the chatMessageReaction resource to represent the reaction name in a chatMessage.
Teamwork and communications | Online meeting
- Enabled the
query parameter for the Get callRecording method.
- Enabled the
query parameter for the Get callTranscript method.
- Enabled the
, and $top query parameters for the List recordings method.
- Enabled the
, and $top query parameters for the List transcripts method.
Teamwork and communications | Settings
Enabled the Spain and Mexico values as supported regions for the region property of the teamwork and userTeamwork resources.
Security | Identities
Added the ability to get, list, and update Microsoft Defender for Identity sensors settings.
July 2024: New and generally available
Backup Storage
The new Microsoft 365 Backup Storage API enables partners to build customized versions of their applications that are integrated with the Microsoft 365 Backup Storage platform. This helps to ensure exceptionally fast recovery from typical business continuity and disaster recovery (BCDR) scenarios, such as ransomware attacks or accidental/malicious deletion or overwriting of content by employees. For more information, see Backup Storage.
Customer booking
- Use the createdDateTime and lastUpdatedDateTime properties on bookingAppointment, bookingBusiness, bookingCustomer, bookingCustomQuestion, bookingService, and bookingStaffMember to identify when a related booking resource was created or updated.
- Use the isCustomerAllowedToManageBooking property on bookingAppointment and bookingService to indicate that a customer can manage bookings created by the staff.
- Use the appointmentLabel property on bookingAppointment to get the custom label that can be stamped on an appointment by users.
- Use the customerEmailAddress property on bookingAppointment to get or set the SMTP address of the bookingCustomer who books an appointment.
- Use the customerName property on bookingAppointment to get or set the customer's name.
- Use the customerNotes property on bookingAppointment to get or set the notes from the customer associated with an appointment.
- Use the customerPhone property on bookingAppointment to get or set the customer's phone number.
- Use the bookingPageSettings property on bookingBusiness to get the settings for a published booking page.
- Use the customAvailabilities property on bookingSchedulingPolicy to get the custom availability of a service within a given time frame.
- Use the generalAvailability property on bookingSchedulingPolicy to get the general availability of a service defined by the scheduling policy.
- Use the isMeetingInviteToCustomersEnabled property on bookingSchedulingPolicy to indicate whether a meeting invite is sent to the customers.
- Renamed the startDateTime and endDateTime properties to start and end respectively in the bookingAppointment resource.
Security | Alerts and incidents
Use the summary property to get details about what happened, impacted assets, and the type of attack on an incident.
Teamwork and communications | Calls and online meetings
- Use the settings property on virtualEventWebinar to identify whether attendees receive email notifications.
- Use the callId on callRecording or callTranscript to identify the call that is related to a recording or transcript.
- Use the contentCorrelationId on callRecording or callTranscript to correlate a transcript with its corresponding recording.
- Use the endDateTime on callRecording or callTranscript to identify when a recording or transcript ends.
- Provision approvalSolution and manage approvalItems.
Change notifications
Enabled change notifications support to the methods to list, get, create, update, and delete a subscription for approvalItems in a tenant.
July 2024: New in preview only
Applications | Application
Use the configurationUris property on applicationTemplate to get the URIs required for the single sign-on configuration of a preintegrated application.
Device and app management | Cloud PC
- Use the disasterRecoveryCapability property on cloudPC to get the disaster recovery status of the Cloud PC, including the primary region, secondary region, and capability type.
- Use the autopatch property on cloudPcProvisioningPolicy to get or set specific settings for Windows Autopatch that enable its customers to experience it on Cloud PC.
- Deprecated the synchronizationProfiles relationship on the educationRoot, including all types serviced under this endpoint.
- Introduced the Reflect API in Microsoft Graph to get Reflect check-in responses and get reading assignment submissions. Microsoft Reflect helps you create impactful check-ins to gain insights into your learners' well-being and build a happier and healthier learning community, all within a single, user-friendly app.
Identity and access | Directory management
Added the ability to initiate an external admin takeover of an unmanaged domain via the domain-verify API operation.
The following objects are removed:
- cloudPcSharedUseServicePlan resource and its supported methods. Going forward, use the cloudPcFrontLineServicePlan resource.
- sharedUseServicePlans relationship from the virtualEndpoint resource. Going forward, use the frontLineServicePlans relationship.
People and workplace intelligence | Profile
Use the companyCode on companyDetail to get or set the legal entity number of the company or its subdivision.
Security | Alerts and incidents
Use the summary property to get details about what happened, impacted assets, and the type of attack on an incident.
Teamwork and communications | Calls and online meetings
- Use the settings property on virtualEventTownhall and virtualEventWebinar to get or set whether attendees receive email notifications for a town hall or webinar.
- Removed the meetingOrganizerId property from the callRecording and callTranscript resources in favor of the meetingOrganizer property.
Teamwork and communications | Shift management
Added the ability to start and end the working time of a specific user.
June 2024: New and generally available
Change notifications
Enabled change notifications support to the methods to list, get, create, reauthorize, update, and delete a subscription for offerShiftRequest, openShiftChangeRequest, shift, swapShiftsChangeRequest, and timeOffRequest.
Identity and access | Identity and sign-in
Get or update the cross-tenant access default settings to include cross-tenant access policy tenant restrictions that restrict organization users accessing an external organization on their network or devices.
People and workplace intelligence | People admin settings
- Use more granular privacy control over the availability and display of item insights in Microsoft 365. These insights represent the relationships between a user and documents in OneDrive for work or school, calculated using advanced analytics and machine learning techniques.
- Update insightsSettings to disable item insights for a specific Microsoft Entra group or an entire organization. You can also use the List itemInsights API to display or return item insights in an organization.
Permanently delete a fileStorageContainer.
Microsoft Graph Data Connect
Effective January 31, 2024, billing is now enabled for all Microsoft Graph Data Connect pipelines on Microsoft Fabric. Update your application in the Microsoft Graph Data Connect experience in the Azure portal to use it with Fabric.
Security | Threat intelligence
Use the relatedHosts method to get a list of related host resources associated with an sslCertificate.
Teamwork and communications | Messaging
Archive or unarchive a channel in a team.
June 2024: New in preview only
Change notifications
Enabled change notifications support to the methods to list, get, create, reauthorize, update, and delete a subscription for offerShiftRequest, openShiftChangeRequest, shift, swapShiftsChangeRequest, and timeOffRequest.
Device and app management | Cloud PC
- Removed the type property from the cloudPcAuditResource resource. Going forward, use the resourceType property.
- Use the deviceRegionName property on cloudPC to get the name of the geographical region where the Cloud PC is currently provisioned.
- Use the initiatedByUserPrincipalName property on cloudPcBulkAction to get the user principal name (UPN) of the user who initiated a bulk action.
- Use the status property on cloudPcBulkAction to get the status of bulk actions.
- Perform bulk disaster recovery failover and failback actions to initiate the activation or deactivation of cross-region disaster recovery during regional outage scenarios.
- Deprecated the getCloudPcRemoteActionResults method in favor of the retrieveCloudPcRemoteActionResults method.
- Use the retrieveCrossRegionDisasterRecoveryReport method on the cloudPcReports resource to retrieve the Windows 365 cross-region disaster recovery report with configuration health check results, disaster recovery status, latest cross-region restore points, and user settings.
Employee experience | Employee engagement
List, update, and delete Viva Engage community objects.
You can now discard a checkout of a driveItem.
Identity and access | Directory management
When restoring soft-deleted users, you can now specify whether Microsoft Entra ID should autoreconcile conflicting proxy addresses if one or more of the soft-deleted user's proxy addresses are currently used for an active user.
Identity and access | Identity and sign-in
You can now control multifactor authentication (MFA) on an individual user basis, commonly referred to as per-user MFA on the Microsoft Entra admin center, by using the authenticationMethod resource and its associated methods.
Identity and access | Network access
You can now enable and control compliant network check with Conditional Access through the Global Secure Access service by using the compliantNetworkNamedLocation resource type and its associated methods.
Security | Threat intelligence
Use the relatedHosts method to get a list of related host resources associated with an sslCertificate.
Sites and lists
Added content model support to sites. You can apply content models to SharePoint document libraries to classify and extract metadata from files. The new APIs enable you to do the following:
- Use Get model or Get model by name methods to get a content model resource.
- Add a content model to a library by using the add to drive method to make it ready to process files.
- Remove a content model from a library by using the remove from drive method.
- Use Get applied drives to list all libraries associated with the content model.
The content model automatically processes new files that are added to the libraries. You can create document processing jobs to process existing files.
Tasks and plans
Assign a sensitivity label to a plannerRoster.
Teamwork and communications | Calls and online meetings
- Introduced the ability to list, create, cancel, and list sessions for virtual event meeting registrations.
- Delete a registration question from a webinar. The question can either be a predefined registration question or a custom registration question.
May 2024: New and generally available
Identity and access | Identity and sign-in
Customize the authentication experience for your customers by using user flows in Microsoft Entra External ID in external tenants. In the self-service sign-up user flow, you can collect user attributes, disable sign-up and only allow sign in, and also integrate with systems that are external to Microsoft Entra ID.
Teamwork and communications | Calls and online meetings
Get the list of callRecord objects and their properties and the associated participant objects for each callRecord using the following APIs:
The following properties are deprecated:
- organizer property on callRecord in favor of the organizer_v2 relationship.
- participants property on callRecord in favor of the participants_v2 relationship.
- identity property on participantEndpoint in favor of the associatedIdentity property.
May 2024: New in preview only
Backup storage
The new Microsoft 365 Backup Storage API enables partners to build customized versions of their applications that are integrated with the Microsoft 365 Backup Storage platform. This helps to ensure exceptionally fast recovery from typical business continuity and disaster recovery (BCDR) scenarios, such as ransomware attacks or accidental/malicious deletion or overwriting of content by employees. To explore the API, see Backup restore root.
Change notifications
- Enabled change notifications support to the methods to list, get, create, reauthorize, update, and delete a subscription for user-scoped chat notifications.
- Enabled the notifyOnUserSpecificProperties query parameter as a value of the resource property in the subscription resource. You can use the notifyOnUserSpecificProperties parameter when you subscribe either to user-scoped chat notifications or notifications in a particular chat.
Device and app management | Cloud PC
Create a snapshot for a specific Cloud PC device.
Deprecated the following methods on the cloudPC resource:
- getCloudPcReviewStatus method; use the retrieveReviewStatus API instead.
- setCloudPcReviewStatus method; use the setReviewStatus API instead.
- resizeCloudPc method; use the resize API instead.
- bulkReprovisionCloudPc method; use the cloudPcBulkReprovision resource and its supported APIs instead.
- bulkRestoreCloudPc method; use the cloudPcBulkRestore resource and its supported APIs instead.
- bulkResize method; use the cloudPcBulkResize resource and its supported APIs instead.
Identity and access | Identity and sign-in
- Use the externalAuthenticationMethodConfiguration resource type and its associated methods to manage the configuration of external authentication methods and define users who can use the external authentication methods to satisfy the second factor of Microsoft Entra ID multifactor authentication requirements.
- Added API operations to retrieve or update keys in an Azure AD B2C Identity Experience Framework (IEF) policy through the new trustFrameworkKey_v2 resource type and its associated methods.
- The custom claims policy API allows application admins to customize the additional claims emitted in tokens affected by this policy. This API enables admins to manage the claims for their application from the Microsoft Entra admin center and by using the Microsoft Graph API interchangeably, allowing more flexibility in their application claims management experience.
Microsoft Graph Bicep templates
Use the new Bicep templates for Microsoft Graph resources to deploy Microsoft Graph resources for your infrastructure as code (IaC) projects. The following Microsoft Graph resources are currently supported as Bicep resource types:
- application
- appRoleAssignedTo
- group
- federatedIdentityCredential
- oauth2PermissionGrant
- servicePrincipal
Microsoft Graph Bicep is currently in preview, but can be used to deploy Microsoft Graph resources that are in v1.0 and beta.
Use the includeHiddenContent property on the sharePointOneDriveOptions resource to include hidden content, such as archived content and SharePoint Embedded (RaaS), in search results.
Security | eDiscovery
Export results and a report from an ediscoverySearch.
Teamwork and communications | Calls and online meetings
- Get information about a webinar registration configuration.
- List, create, get, update, and delete presenters on a virtualEventWebinar.
- Use the callId on callRecording or callTranscript to identify the call that is related to a recording or transcript.
- Use the contentCorrelationId on callRecording or callTranscript to correlate a transcript with its corresponding recording.
- Use the endDateTime on callRecording or callTranscript to identify when a recording or transcript ends.
Teamwork and communications | Messaging
- Use the reactionContentUrl property on chatMessageReaction to represent the hosted content URL for a custom reaction in a chatMessage.
- Use the tag on the content property of the itemBody resource to represent custom emojis in the message body in a chatMessage.
- Use the isHiddenForAllMembers property to indicate whether a chat is hidden from all its members.
- Use the createdBy property on chat to retrieve the entity that created the chat.
April 2024: New and generally available
Updated the default value for signInAudience for new applications. Going forward, if you don't explicitly assign a value to the property during app creation, the app is automatically assigned the value AzureADMyOrg.
Added support for adding password secrets to applications during app creation. Previously, you could only add secrets to existing apps through the Update application or the addPassword operations.
Use the upsert capability to create an application, federatedIdentityCredential, or servicePrincipal if it doesn't exist, or update an existing object, by using a client-provided key. For more information, see the following API operations:
Identity and access | Governance
Use the Create operation on the workflow resource to create up to 100 workflows, an increase from the previous limit of 50.
Identity and access | Identity and sign-in
- Configure the default identity provider to use in redemption flow settings for Microsoft Entra ID B2B collaboration.
- Use a custom authentication extension to manage the configuration and get data from a system external to Microsoft Entra ID, such as a database, to customize the authentication experience for users. This feature is available for both Microsoft Entra for workforce tenants and Microsoft Entra External ID.
- To customize an authentication process, use an authentication event listener to manage listeners and handlers that trigger the execution of custom logic during the authentication experience. This feature is available for both Microsoft Entra for workforce tenants and Microsoft Entra External ID.
- Multiple tenants in Microsoft Entra ID can now collaborate seamlessly as a single entity by using multi-tenant organization APIs. Set up and manage a multi-tenant organization, and configure cross-tenant policies for multi-tenant organization tenants through policy templates.
Added the upsert capability to the group resource type. Use this capability to create a group if it doesn't exist, or update an existing group, by using the uniqueName client-provided key.
Reports | Identity and access reports
Added the lastSuccessfulSignInDateTime and lastSuccessfulSignInRequestId properties to the signInActivity resource. Use the lastSuccessfulSignInDateTime property to get the last successful sign-in time for a specific user, regardless of whether the sign-in was interactive or non-interactive. The data isn't backfilled for this property.
Security | Legacy alerts
The /security/alerts endpoint is deprecated and will stop returning data on April 10, 2026.
Sites and lists
You can now:
- Track changes for SharePoint site resources.
- Track changes for SharePoint list item resources.
Work with site pages and horizontal and vertical sections of pages.
Associate users or groups as sponsors for a guest user's privileges in the tenant and keep the guest user's information and access updated. You can assign a sponsor, list sponsors, and remove a sponsor.
April 2024: New in preview only
Device and app management | Cloud PC
- Use the allotmentDisplayName property on cloudPC to divide tenant licenses into smaller batches or groups that help restrict the number of licenses available for use in a specific assignment.
- Deprecated the type property on cloudPcAuditResource in favor of the resourceType property.
- Deprecated the member on cloudPcProvisioningType in favor of the sharedByUser member.
- Added the member as a new provisioning type under cloudPcProvisioningType.
Identity and access | Governance
Use the Create operation on the workflow resource to create up to 100 workflows, an increase from the previous limit of 50.
Identity and access | Network access
Updated the definition of physical locations for customer premises equipment in the Global Secure Access services from the branchSite resource type to the remoteNetwork resource type. The branchSite resource type and its associated properties, relationships, and endpoints are deprecated and will be retired soon. Use the remoteNetwork resource type and its associated properties, relationships, and endpoints.
Identity and access | Partner customer administration
As a partner in the Cloud Solution Provider (CSP) program, you're responsible for your customer's Azure consumption; therefore, it's important that you're aware of any anomalous usage in your customer's Azure subscriptions. Use the partner security alert API in Microsoft Graph to detect fraudulent activities and misuse in your customer's Azure resources. Mitigating and responding to the alerts within 24 hours can help to significantly reduce the financial loss that your customers might incur during the compromise.
Industry data ETL
The outbound provisioning flow set, which represents a collection of outbound provisioning flows used to configure how school data sync populates data in Microsoft 365 and Microsoft Entra ID, is now generally available.
An outbound provisioning flow set can contain no more than one of each provisioning flow configuration: userProvisioningFlow, classGroupProvisioningFlow, securityGroupProvisioningFlow, administrativeUnitProvisioningFlow.
When calling the industry data ETL API, take advantage of more granular permissions added for reading or writing outbound provisioning flow set data by using the new permissions IndustryData-OutboundFlow.Read.All and IndustryData-OutboundFlow.ReadWrite.All.
People and workplace intelligence | People
Deprecated the /organization/{organizationId}/settings/itemInsights endpoint in favor of the new peopleAdminSettings resource and introduced the List method on the peopleAdminSettings resource.
Reports | Identity and access reports
- Added the member as a supported protocol type to the authenticationProtocol in the signIn resource.
- The previously deprecated activeUsersBreakdownMetric resource and its associated APIs are now retired. To get insights into daily and monthly user activity on apps registered in your tenant that's configured for Microsoft Entra External ID for customers, use the activeUsersMetric resource type and its associated APIs.
Security | Legacy alerts
The /security/alerts endpoint is deprecated and will stop returning data on April 10, 2026.
Security | Threat intelligence indicator
The /security/tiindicators endpoint is deprecated and will stop returning data on April 10, 2026.
Teamwork and communications | Calls and online meetings
A town hall is a type of meeting available in Microsoft Teams. Whether you're marking milestone achievements within your organization or covering an election, town hall features enable you to provide high-quality production experiences to large audiences. You can create, publish, and cancel town hall meetings by using the following APIs:
For more information about town hall APIs, see virtualEventTownhall.
Teamwork and communications | Messaging
Send chatMessage in a channel or a chat with a file attachment in it using file share link.
March 2024: New and generally available
Perform a bulk upload as a synchronization job to ingest data into the Microsoft Entra ID synchronization service.
Cross-device experiences
Added the ability to list and get Windows settings and Windows settings instances.
Device and app management | Cloud PC
- List, get, end grace period, reboot, rename, restore, and troubleshoot operations are now available on cloudPC.
- List and get operations are now available on cloudPcAuditEvent.
- List, get, create, update, delete, and assign provisioning policies operations are now available on cloudPcProvisioningPolicy.
- List, get, create, update, delete, and assign user settings operations are now available on cloudPcUserSetting.
- List, get, create, delete, and get source images operations are now available on cloudPcDeviceImage.
- List and get operations are now available on cloudPcGalleryImage.
Education | Assignment
Enabled the $expand query parameter for the Get educationAssignment method.
Identity and access | Directory management
- The organization entity now returns the tenantType to identify tenants that are set up as Microsoft Entra ID for customers tenants, a customer identity & access management (CIAM) solution.
- New properties set by Intune on the device resource: enrollmentType, isRooted, and managementType.
Reports | Partner billing reports
Use the billedReconciliation: export API to access billed invoice reconciliation data.
March 2024: New in preview only
Security | Attack simulation and training
Use the training campaign API to directly assign security trainings to users.
Use the upsert capability to create an application, federatedIdentityCredential, or servicePrincipal if it doesn't exist, or update an existing object, by using a client-provided key. For more information, see the following API operations:
Device and app management | Cloud PC
- Apply the current provisioning policy configuration across all Cloud PC devices under a specified policy.
- Update the provisioning policy configuration for a specific set of Cloud PC devices using their IDs.
- Added the ability to mark specified alertRecord objects as sent via the isPortalNotificationSent property.
- Run bulk power-off, power-on, reprovision, resize, restart, restore, and troubleshoot actions on Cloud PC devices using their IDs.
Deprecated the following properties:
- type property on cloudPcOnPremisesConnection; use the connectionType property instead.
- healthCheckStatusDetails property on cloudPcOnPremisesConnection; use the healthCheckStatusDetail property instead.
- additionalDetails property on cloudPcOnPremisesConnectionHealthCheck; use the additionalDetail property instead.
- domainJoinConfiguration property on cloudPcProvisioningPolicy in favor of the domainJoinConfigurations property.
- onPremisesConnectionId property on cloudPcProvisioningPolicy in favor of the domainJoinConfigurations property.
Device and app management | Device updates
Added methods to the Windows Updates API for Windows products, including retrieval of known issues by time range, finding product revisions by catalog ID, and by knowledge base number.
Use the Get file by contentStream method to download file content directly instead of getting a 302 redirect URL.
Added the upsert capability to the group resource type. Use this capability to create a group if it doesn't exist, or update an existing group, by using the uniqueName client-provided key.
Identity and access | Identity and sign-in
Use the federatedTokenValidationPolicy resource type and its associated methods to manage whether Microsoft Entra ID validates federation authentication tokens.
Security | Email and collaboration protection
Added the ability to list emails analyzed by Microsoft Defender for Office 365, get email related metadata, and perform response actions (soft delete, hard delete, move to junk, move to Inbox).
Security | Identities
Added the ability to get, list, and update Microsoft Defender for Identity health issues.
Added the ability to convert an external user to an internal member user using the user: convertExternalToInternalMemberUser API. This conversion allows the converted users to maintain their existing user object and access, while gaining the full privileges of an internal member user in the tenant.
February 2024: New and generally available
Microsoft Graph Toolkit
Microsoft Graph Toolkit v4 is now available. For details about changes in the latest release, see Upgrade to the latest version of Microsoft Graph Toolkit.
Identity and access | Identity and sign-in
- Introduced the following more granular delegated and application permissions for managing tenant branding through the organizationalBranding and organizationalBrandingLocalization resource types:
  - Use OrganizationalBranding.Read.All permission for read operations instead of the Organization.Read.All permission.
  - Use OrganizationalBranding.ReadWrite.All permission for read and write operations instead of the Organization.ReadWrite.All permission.
February 2024: New in preview only
Use the iCalUId property on event to get the unique identifier for an event across calendars.
Set up acronym, bookmark, and qna resources as administrative search answers for users in an organization.
- Teachers can activate an inactive assignment to signal that the assignment has further action items for teachers or students.
- Teachers can deactivate and mark an assignment as inactive to signal that the assignment has no further action items for teachers and students.
Identity and access | Directory management
- Updated the descriptions of the model and manufacturer properties in the device resource to clarify their read-only status, replacing the outdated descriptions related to Project Rome sign-ins.
- Enabled tenants to update the following properties of the organization entity: businessPhones, city, postalCode, preferredLanguage, state, street.
- You can now invite external users to Teams and manage the lifecycle of their invitation through the pendingExternalUserProfile resource type and its associated methods. After the user redeems their pending profile, you can manage their profile in your tenant through the externalUserProfile resource type and its associated methods.
Identity and access | Identity and sign-in
- Added the ability to target the device code authentication flow using Microsoft Entra Conditional Access. Configure the conditionalAccessPolicy > conditions property > authenticationFlows property of conditionalAccessConditionSet complex type > transferMethods property of conditionalAccessAuthenticationFlows complex type.
Reports | Partner billing reports
Use the billedReconciliation: export API to access billed invoice reconciliation data.
Teamwork and communications | Apps
Use the dashboardCards navigation property on teamsAppDefinition to get dashboard cards specified in the manifest of a teamsApp.
Teamwork and communications | Calls and online meetings
Microsoft Teams custom meeting templates allow you to specify values for many of the meeting options available to meeting organizers. Use the meetingTemplateId property on onlineMeeting to create an online meeting with a meeting template.
Teamwork and communications | Messaging
- Enabled the , and $top query parameters for the List members of channel method.
- Enabled the query parameter for the List members of team method.
Teamwork and communications | Shift management
- Added the ability to get shifts and get time offs across all teams that a user is a direct member of.
- Added the isCrossLocationShiftRequestApprovalRequired and isCrossLocationShiftsEnabled properties on schedule to support two cross location scenarios.
- Added the ability to get and update front-line managers' capabilities in a Shifts schedule.
January 2024: New and generally available
Device and app management | Cloud PC
The virtualEndpoint resource is generally available, laying the foundation for future Cloud PC updates to the v1.0
Use the webURL property to get the deep link URL of an educationSubmission.
Identity and access | Governance
Through the attributes property of the accessPackageResource resource type, you can now view details of the attributes that are collected from the requestor and sent to the resource application.
Reports | Partner billing reports
The new partner billing API in Microsoft Graph offers Microsoft direct partners a faster, more efficient way to export their high-volume billed and unbilled Azure usage data. Partners can quickly create export operations, monitor their status, and retrieve manifests using the following APIs:
Teamwork and communications | Calls and online meetings
- Communications servers can publish deltaParticipants notifications for the creation, update, or deletion of a participant in a call. For more information, see JSON payload examples of notifications with delta roster disabled or enabled.
- Removed the profilePhoto property on virtualEventPresenter in favor of the photo property on virtualEventPresenterDetails.
- Use the email property on communicationsGuestIdentity to get access to the email address of a guest user.
January 2024: New in preview only
For Azure AD Connect cloud sync scenarios, you can now specify organizational units and groups that are in scope of a synchronizationRule. For details, see the related changelog section.
Device and app management | Cloud PC
- Use the errorMessage property in the cloudPcPartnerAgentInstallResult to access a detailed error message for instances where the installation of a partner agent on a Cloud PC fails.
- Get the device recommendation reports for Cloud PCs, such as the usage category report.
- Get the remote action status reports, including data such as the Cloud PC ID, Cloud PC device display name, action taken, and action state.
The following properties are deprecated:
- recommendedSku property on cloudPcGalleryImage.
- offer and offerDisplayName properties on cloudPcGalleryImage in favor of the offerName property.
- publisher property on cloudPcGalleryImage in favor of the publisherName property.
- sku and skuDisplayName properties on cloudPcGalleryImage in favor of the skuName property.
- statusDetails property on cloudPcDeviceImage in favor of the errorCode property, to identify why an upload failed. The errorCode property is of type cloudPcDeviceImageErrorCode.
- id property on cloudPcSourceDeviceImage in favor of the resourceId property, to get the fully qualified unique identifier of the source image resource in Azure.
- windowsSettings property on cloudPcProvisioningPolicy in favor of the windowsSetting property.
- type property on cloudPcDomainJoinConfiguration in favor of the domainJoinType property.
- type property on microsoftManagedDesktop in favor of the managedType property.
- frequencyInHours property on cloudPcRestorePointSetting in favor of the frequencyType property.
Identity and access | Governance
- You can refresh an access package resource request to fetch the latest information for an access package resource from the origin system.
- Added the assignmentRequests relationship to the entitlementManagement resource type and updated the API endpoints for managing access package assignment requests from which will be retired soon to /identityGovernance/entitlementManagement/assignmentRequests/. Inspect the API paths in your code and update to the new request paths for the Create, Delete, Get, and List operations.
Identity and access | Identity and sign-in
Added the x509CertificateCombinationConfiguration resource type as a new derived type for authenticationCombinationConfiguration resource type which helps you set restrictions on specific types, modes, or versions of an authentication method used in an authentication strength. Previously, you could only restrict the allowed FIDO2 key types. The x509CertificateCombinationConfiguration type allows you to configure the list of allowed values for specific certificate properties.
Reports | Partner billing reports
The new partner billing API in Microsoft Graph offers Microsoft direct partners a faster, more efficient way to export their high-volume billed and unbilled Azure usage data. Partners can quickly create export operations, monitor their status, and retrieve manifests using the following APIs:
Added the deletePasswordSingleSignOnCredentials and getPasswordSingleSignOnCredentials methods to the user resource for deleting and retrieving the password-based single sign-on credentials for a user to a given service principal.
December 2023: New and generally available
Identity and access | Directory management
When a Microsoft service fails to provision a user, group, or organizational contact, and returns an error, you can now manually retry provisioning using the following APIs:
For details, see the related changelog section.
Teams meeting APIs
Pricing updates for the Teams meeting APIs apply starting January 1, 2024. For more information, see Payment models and licensing requirements for Microsoft Teams APIs.
Teamwork and communications | Calls and online meetings
Manage change notifications for virtual events using the Create, Get, Update, and Delete operations of the subscription resource.
December 2023: New in preview only
Employee experience | Employee engagement
Create and get a Viva Engage community that is a central place for conversations, files, events, and updates for people sharing a common interest or goal. Use the Viva Engage API for the following scenarios:
For details, see the related changelog section.
Identity and access | Identity and sign-in
- Customize user authentication experiences in Microsoft Entra External ID for customers by configuring actions to run before or after you collect attributes from a user. You can configure the following Microsoft Graph entities:
  - onAttributeCollectionStartCustomExtension and onAttributeCollectionSubmitCustomExtension objects to run custom code before or after you collect attributes from a user, respectively.
  - onAttributeCollectionStartListener and onAttributeCollectionSubmitListener objects to specify the event to invoke before or after you collect attributes from a user, respectively.
  For details, see the related changelog section.
- We have refined how you can programmatically define the tenant-wide policy for registering new devices using Microsoft Entra join and Microsoft Entra register within your organization. This update introduces breaking changes that require you to update your app logic to ensure continued functionality. See the related changelog section.
Teamwork and communications | Calls and online meetings
Manage change notifications for virtual events using the Create, Get, Update, and Delete operations of the subscription resource.
Teamwork and communications | Shift management
- Get all openShift objects across all teams a user is a direct member of, removing the need to specify a team ID in the request. For more information, see team: getOpenShifts.
- Stage the deletion of an openShift, shift, or timeOff instance in a schedule in draft mode.
For details, see the related changelog section.
November 2023: New and generally available
Manage the lifecycle of a drive item (file or folder) by using retention labels:
- Get or set a retention label.
- Lock or unlock a file for record versioning.
- Remove a retention label.
See the related changelog section.
Delete a group's profile photo. See the related changelog section.
Identity and access | Directory management
Optionally define a directory extension as a multi-valued custom property that contains a collection of objects, instead of a single-valued property. See the related changelog section.
Security | Alerts and incidents
Get an alert that can indicate a more specific workload protection plan of Microsoft Defender for Cloud as the source that detected a notable component or activity. Examples of more specific workload protection plans include Microsoft Defender for IoT, Microsoft Defender for Servers, and Microsoft Defender for Storage. For a list of the additional possible sources, see the related changelog section.
Use SDKs
- The Microsoft Graph Python SDK is now generally available. You can now access the beta and v1.0 endpoints of Microsoft Graph, with a fluent experience, designed to facilitate discoverability with the best features of the Python language. With simplified initialization and authentication, you can start making requests to Microsoft Graph with just 5 lines of code. The SDK also offers a built-in Retry-Handler that understands , and 504 status codes. To learn more about the new Python SDK, see Introducing the Microsoft Graph Python SDK.
- The Microsoft Graph PHP SDK v2.0 is now generally available. The Microsoft Graph PHP SDK 2.0.0 offers best-in-class features to improve developer efficiency and code quality. By solving cross-cutting concerns like authentication, retry, and batching, the SDK gives you time back to focus on the design and value of your application. To learn more about the new PHP SDK, see Write high quality code with the new Microsoft Graph PHP SDK v2.
Delete the profile photo of a signed-in user. See the related changelog section.
November 2023: New in preview only
Device and app management | Cloud PC
Get the access state of a Frontline Cloud PC to determine whether the Frontline Cloud PC is accessible to a user. See the related changelog section.
Reports | Identity and access reports
As a best practice recommended for a Microsoft Entra tenant, get historical Secure Score data for the tenant. See the related changelog section.
Identity and access | Identity and sign-in
- When configuring strong authentication for an X.509 certificate, set up an X509 certificate rule that binds a specific issuer subject, policy OID, or both to an authentication mode and affinity level. For example, bind the policy OID "" to multifactor authentication mode and high affinity level. See the related changelog section.
- Support the Platform Credential authentication method for users on Mac OS devices to authenticate in Microsoft Entra ID. See the related changelog section.
- Get or update default identity provider configuration for invitation redemption to set redemption flow settings for Microsoft Entra ID B2B collaboration. See the related changelog section.
Identity and access | Network access
Get connectivity configuration details for customers' device link equipment at a branch site connected to Global Secure Access services. See the related changelog section.
Identity and access | Multicloud permissions management
Use the permissions management APIs to programmatically discover, remediate, and monitor permissions in your multicloud infrastructure. For each supported cloud infrastructure, you can:
- Discover identities, resources, and permissions that identities have to resources, and what actions the identities can perform.
- Request permissions for identities to resources; grant or reject permissions requests.
- Generate reports relating to permissions and resources.
Permissions Management currently supports only Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) cloud infrastructures. See the related changelog section.
Reports | Identity and access reports
- Trace the history of activities related to managing custom security attributes, such as attribute definitions and assigning attribute values to principals. See the related changelog section.
- When using Microsoft Entra ID for customers, you can now get daily and monthly insights into user activities on apps registered in your tenant. The reports include data about sign ups, active users, and multifactor authentication completions. See the related changelog section.
Tasks and plans
Create a plan in a user container to let individual users track their own tasks. This provides the flexibility for users to share or collaborate on their personal plans, or subsequently upgrade their personal plans into group-based plans by moving the plan from the user container to a group container. See the related changelog section.
Teamwork and communications | Messaging
Remove a user's access to a chat. See the related changelog section.
October 2023: New and generally available
Get or set a remote desktop security configuration to enable the Microsoft Entra ID Remote Desktop Services (RDS) authentication protocol, for Microsoft Entra ID to authenticate users to joined or hybrid joined devices. The configuration also enables single sign-on (SSO) when RDP clients connect to a Microsoft Entra joined or Microsoft Entra hybrid joined device. See the related changelog section.
Compliance | Subjects rights request
Specify or get the search locations for a KQL-based content query in a subject rights request, such as mailboxes, SharePoint, OneDrive, or Teams channels. See the related changelog section.
Device and app management | Cloud printing
Include additional usage data in reports for user-based print activity and for printer-based print activity. Examples of usage data include the number of completed black-and-white print jobs and estimated number of single-sided media sheets. See the related changelog section.
External data connections
Optionally, specify the ID of a Teams app in an external connection in the connectorId property. See the related changelog section.
Identity and access | Directory management
List the credentials of local administrator accounts of devices that are associated with a deleted item, such as being a member of a deleted group or owned or registered by a deleted user. See the related changelog section.
Identity and access | Governance
Use Privileged Identity Management (PIM) for groups to govern how principals are assigned membership or ownership of security and Microsoft 365 groups, such as the following capabilities:
- Providing principals just-in-time membership or ownership of groups.
- Assigning principals temporary membership or ownership of groups.
See the related changelog section.
Identity and access | Partner customer administration
Specify automatic extension of a delegated admin relationship between a partner and customer or between a Microsoft indirect reseller partner and a customer when the relationship expires. See the related changelog section.
People and workplace intelligence | People admin settings
Administrators can customize the profile card for users in an organization by using the profile card property API on built-in or custom attributes stored in Microsoft Entra ID. For more information, see Add or remove custom attributes on a profile card using the profile card API, and the related changelog section.
Security | Attack simulation and training
- Create, update, or delete an attack simulation training campaign for a tenant.
- Get end user notifications, landing page, login page, payload detail (such as message content, links, or attachment in a phishing email), training, and training language detail for the attack simulation.
- See the related changelog section for the preceding updates for attack simulation and training.
Security | Threat intelligence
Discover information about each host port that Microsoft Defender Threat Intelligence has observed on a host, including each host port component that has been seen on a port, the number of times that a port has been observed in all the scans, and what each host port banner response contains. See the related changelog section.
Teamwork and communications | Calls and online meetings
- Get a specific transcript or all the transcripts of an online meeting. See the related changelog section.
- When getting information about a channel, optionally include summary information about the channel. See the related changelog section.
October 2023: New in preview only
Device and app management | Cloud PC
- Running health checks for an on-premises network connection can now identify that the active domain join check failed because the server is not operational. This could be due to network connectivity issues, DNS resolution issues, or problems with the domain controller itself. Make sure that the domain controller is running, and that ports that are required to be open between the client computer and the domain controller are enabled and not blocked. See the related changelog section.
- Support app scenarios to create, update, delete, or run health checks on a Cloud PC on-premises connection without a signed-in user. See the related changelog section.
- Get a raw real-time remote connection report for a Cloud PC without any calculation or aggregation. As an alternative, you can download the report by an export job. See the related changelog section.
- Get a specified Cloud PC Frontline service plan, or all such service plans that a customer has purchased. This type of Windows 365 Frontline-branded service plan provides an allotment of three Cloud PCs for an administrator to provision, for three active users at a time without assigning a Cloud PC to only one specific user. The service plan allows provisioned users to time-share, and let customers deploy a larger number of users. Customers using the pre-existing Cloud PC shared-use service plan should have switched to the Cloud PC Frontline service plan by October 8, 2023, as that plan has been deprecated and has stopped returning data since October 8, 2023. See the related changelog section.
Device and app management | Corporate management
Intune October updates for the beta version. See the related changelog section.
Identity and access | Directory management
Create and manage a certificate-based application configuration which represents a chain of trust that specifies allowed root and intermediate certificate authorities. This configuration is part of an app management policy used for application authentication and can restrict app developers to use only those certificates issued by authorities defined in the configuration. See the related changelog section.
Identity and access | Identity and sign-in
- Get or specify, in a Microsoft Entra native X.509 certificate-based authentication configuration, whether Certificate Authority issuer hints are sent back to the client side to filter the certificates shown in the certificate picker. See the related changelog section.
- Get or update a setting that requires a user to perform registration after snoozing 3 times, as part of an authentication methods registration campaign to enforce registration at sign-in time in an authentication policy. See the related changelog section.
Reports and audit | Identity and access reports
Get Microsoft Entra service activity reports for sign-in metrics at minute-level granularity on four scenarios:
- Get metrics for MFA sign-in success and get metrics for MFA sign-in failure
- Get metrics for conditional access managed devices sign-in success
- Get metrics for conditional access compliant devices sign-in success
- Get metrics for SAML sign-in success
Tenant administrators can monitor the sign-in activities within their tenant across those four sign-in scenarios, and feed these metrics to their own monitoring or alerting system as appropriate. See the related changelog section.
Sites and lists
List items in the recycle bin of a SharePoint site. See the related changelog section.
Teamwork and communications | Calls and online meetings
Use the following new functions for virtual events that are of the webinar type:
- Get the virtual event webinars where a specified user is an organizer or coorganizer.
- Get the virtual event webinars where the signed-in user is an organizer or coorganizer.
- See the related changelog section.
September 2023: New and generally available
- Support app scenarios to update or delete a class assignment with grades for all users, or delete an assignment resource without a signed-in user. See the related changelog section.
- Support app scenarios to create or set up a folder for assignment resources without a signed-in user. See the related changelog section.
External data connections
As an option, include a label to indicate a property in the schema for an external connection is an icon URL. See the related changelog section.
Identity and access | Partner customer administration
A Microsoft indirect reseller partner administrator can approve or reject a reseller delegated admin relationship between a partner and a customer, created for them by a Microsoft indirect provider partner. See the related changelog section.
Security | Threat intelligence
- Discover referential host pairs observed about a host. Host pairs include details such as information about HTTP redirections, consumption of CSS or images from a host, and more.
- Read SSL certificate data, and SSL certificate data observed on a host. This data includes information about the SSL certificate and the relationship between the host and the SSL certificate.
- Read subdomain details for a host. For every subdomain, there can be a new set of IP addresses to which the domain resolves. This can be a great data source for finding related infrastructure.
- Read WHOIS details for a host. A common function of WHOIS in threat infrastructure is to identify or connect disparate entities based on unique data shared within the records.
- See the related changelog section for the preceding updates for threat intelligence.
Teamwork and communications | Apps
Get or update tenant-wide settings to allow or disallow installing Teams apps that require resource-specific permissions in a chat or meeting. See the related changelog section.
Teamwork and communications | Calls and online meetings
Set a status message about a user's presence, such as their availability or user activity. See the related changelog section.
September 2023: New in preview only
Device and app management | Cloud PC
- Get the overall connection quality reports for all devices within a current tenant during a given time period, including metrics like the average round trip time, and real-time metrics such as last connection round trip time. See the related changelog section.
- Get a usage report on Frontline Cloud PC licenses, for data such as service plan ID, license count, and claimed license count, for real-time, 7-day, or 28-day trend. This is a Windows 365 Frontline-branded report which replaced the report to get shared licenses of a service plan. See the related changelog section.
Device and app management | Corporate management
Intune September updates for the beta version. See the related changelog section.
Support app scenarios to read or write an education module or learning resource without a signed-in user. Scenarios can include publishing, pinning, or unpinning a module, or setting up a SharePoint folder for resources in a module. See the related changelog section.
Identity and access | Directory management
- Update for an organization whether it is synchronized with an on-premises directory. See the related changelog section.
- Improve the security posture of the applications in your tenant by configuring and limiting the certificate authority issuers whose certificates can be assigned to your apps and service principals.
Identity and access | Governance
- Get the date and time when an access package subject, which can be a user, service principal, or other entity, is to be blocked from access. See the related changelog section.
- Check out the new documentation about managing security alerts for Microsoft Entra roles using Privileged Identity Management APIs in Microsoft Graph.
Identity and access | Identity and sign-in
You can now configure the Microsoft Entra ID certificate-based authentication (CBA) policy to send hints back to the client application that filters the certificates shown in the certificate picker when the user initiates sign-in using a certificate.
Identity and access | Partner customer administration
When creating a delegated admin relationship between a partner and customer, set the duration by which the validity of the relationship is automatically extended. See the related changelog section.
The audit trail of all HTTP requests that Microsoft Graph received and processed for your tenant is now available through Microsoft Graph activity logs. Use Azure Monitor Logs to collect the logs and configure downstream destinations such as Azure Storage, or stream with Azure Event Hubs to external security information and event management (SIEM) tools. For more information about Microsoft Graph activity logs, see Access Microsoft Graph activity logs (preview).
Security | Attack simulation and training
Create an attack simulation campaign with landing page, login page, training, and endUserNotifications. See the related changelog section.
Security | Records management
Support app scenarios to read any retention event, retention event type, and retention label without a signed-in user. See the related changelog section.
Teamwork and communications | Calls and online meetings
- Get a call recording or call transcript that includes more identity information for the organizer, in addition to the existing meeting organizer ID for the online meeting. Additional identity information may include data such as user display name, identity type, or tenant ID. See the related changelog section.
- Get the preferred display name of a participant in a call. See the related changelog section.
Workbooks and charts
Get tasks that a user has identified in association with a comment or reply for a comment in a worksheet:
- List document tasks on a worksheet.
- List the changes of a document task.
See the related changelog section.
August 2023: New and generally available
Enable or disable the lock configuration of sensitive properties of a multitenant application for editing after the application is provisioned in a tenant.
Create a class assignment using an application permission without a signed-in user present.
Get the user who has checked out a drive item or a specific version of the drive item.
Identity and access | Directory management
Use the application permission OnPremDirectorySynchronization.Read.All or OnPremDirectorySynchronization.ReadWrite.All to read or update on-premises directory synchronization functionalities that are available for an organization, without a signed-in user present.
Security | Alerts and incidents
Manage additional resources, such as a Kubernetes account or service, or a storage blob or blob container, as specific types of evidence related to an alert. See an exact list of evidence types added.
Teamwork and communications | Apps
- List each resource-specific permission grant on a specific chat, showing each Microsoft Entra app that has access to the chat, the permission type, and actual resource-specific permission.
- List each resource-specific permission grant on a specific team, showing each Microsoft Entra app that has access to the team, the permission type, and actual resource-specific permission.
- Set or unset a reaction to a single message or a message reply in a Teams channel or a chat.
August 2023: New in preview only
Set as part of authentication behaviors a requirement that a multitenant resource application should have a service principal in the resource tenant before the application is granted access tokens.
Change notifications
Subscribe to changes when any recording becomes available for a specific meeting, or when any meeting recording becomes available in a tenant. For more information, see Use the Microsoft Graph API to get change notifications.
Device and app management | Cloud PC
- Set up an alert rule by using a rule template for a grace period scenario. This type of alert rule triggers an alert on the Microsoft Endpoint Manager admin center when a license or assignment change happens to the user and the Cloud PC enters a grace period. For more information about Cloud PC grace periods, see Device management overview for Cloud PCs. See the related changelog section.
- Get informational status from the most recent health check on an on-premises network connection between a Cloud PC and Azure, involving Cloud PC add-on features such as single sign-on. This information is intended to optimize the user experience and doesn't affect the provisioning of the customer's Cloud PC. See the related changelog section.
Device and app management | Device updates
- Get one or more quality updates in a catalog and the corresponding operating system product revision.
- Get quality updates that address publicly exploited vulnerabilities or Common Vulnerabilities and Exposures (CVE) of a specific severity level.
- Get quality updates that contain specific product revision criteria, such as the operating system release date, version, or other build version details.
- Get the build numbers of available feature updates to deploy.
Device and app management | Multi-tenant management
Get the license type of a specified managed tenant as part of the Microsoft Entra ID credential user registration, for example, AADFree, AADPremium1, AADPremium2.
Organize individual learning resources in a systematic way in a module. Modules contain read-only learning resources and assignments the teacher wants the student to complete. The teacher can set up a resources folder on SharePoint for a module, pin one module at a time in a classwork list, unpin a module in a classwork list, and publish a module to a student's classwork list.
Identity and access | Directory management
Identify if a role or action supported by a directory RBAC provider is privileged.
Identity and access | Identity and sign-in
- Use a session control that requires sign-in sessions to be bound to a device.
- Use hardware OATH authentication method policy to sign in and perform multi-factor authentication (MFA) in Microsoft Entra ID.
- Use a new form of cross-tenant collaboration, multi-tenant organization, to enable multiple tenants in Microsoft Entra ID to collaborate seamlessly as a single entity. Set up and manage a multi-tenant organization, and configure cross-tenant policies for multi-tenant organization tenants through policy templates. For more information, see multi-tenant organization API overview.
People and workplace intelligence | People
- Use the delegated permission to read or update people-related admin settings that are available for an organization, with a signed-in user present.
- Use the policy-based application permission to read or update people-related admin settings that are available for an organization, without a signed-in user present.
Reports | Identity and access reports
Get information about the managed identity used for a sign-in, including its type, associated Azure Resource Manager (ARM) resource ID, and federated token information.
Security | Threat intelligence
List host pair information for a host to reveal connections between websites, where your resources are being used and vice-versa, and adversaries' infrastructure of actor groups targeting your organization. A host pair is two pieces of infrastructure (a parent and a child) whose relationship can be used to build out a threat investigation. For more information, see infrastructure chaining, data sets, and host pairs.
Teamwork and communications | Calls and online meetings
- Get a specific call recording for an online meeting for which the specified user is an organizer or participant.
- List all recordings of an online meeting for which the specified user is an organizer or participant.
- Get all recordings from scheduled online meeting instances for which the specified user is the organizer.
- Get a set of recording resources that have been added for online meeting instances organized by the specified user.
- List all virtual event sessions for a webinar virtual event.
- Get a deleted chat.
- Delete or undo a deletion of a chat.
- Get all on-premises Session Initiation Protocol (SIP) information related to a user.
- Get information related to Microsoft real-time communications for a user.
July 2023: New and generally available
Request a lower privileged delegated or application permission, Calendar.ReadBasic, for most read operations for events in calendars, with or without a signed-in user present. This permission allows an app to read events of all calendars, except for properties such as body, attachments, and extensions. For the exact list of operations that support these permissions, see the July updates for Calendar.
Device and app management | Cloud printing
Get the printer name in reports for archived print jobs and printer usage.
Permanently delete a file, folder, or other item stored in OneDrive or SharePoint.
Identity and access | Directory management
- Find tenant information by domain name or by tenant ID.
- Use a number of new properties to configure an organization's branding. For example, custom CSS for the sign-in page, a custom favicon with a CDN-based URL, custom link text and URL for "Terms of use" and "Privacy and cookies" in the footer, and a few other custom properties for users to manage accounts. For an exact list of these enhancements, see the API changelog.
Identity and access | Governance
- Get information about all custom extension calls that were made during the access package assignment and access package assignment request workflows.
- Use an access package resource request to add a resource to a catalog so that the roles of the resource can be used in one or more access packages in the catalog, update a resource in a catalog to have different attribute requirements, or to remove a resource from a catalog that is no longer needed by the access packages.
Reports | Identity and access reports
- Get a report of the details of the registered authentication methods for a specified user or users in an organization, such as multi-factor authentication, self-service password reset, and passwordless authentication.
- Get a report of the number of users in an organization capable of each of multi-factor authentication, self-service password reset, and passwordless authentication.
- Get a report of the number of users in an organization registered for each authentication method.
Security | Alerts and incidents
Get the Azure AD user display name for a user account which is involved in mailbox evidence, process evidence, or user evidence related to an alert.
Teamwork and communications | Apps
Support for granting scoped access (also known as resource-specific consent) to an app installed within a chat, team, or the personal scope of a user.
Teamwork and communications | Calls and online meetings
- Create or list audio routing group resources.
- Allow or disallow participants to rename themselves in an instance of an online meeting.
- Set and get the default mode for sharing chat history for an online meeting.
July 2023: New in preview only
Applications | Synchronization
Perform a bulk upload as a synchronization job to ingest data into the Azure AD synchronization service.
Device and app management | Cloud PC
- Get a report for inaccessible Cloud PCs that have failed at least one health check or experienced consecutive user connection failures.
- Use a setting on a Cloud PC to allow or disallow an end user to reset their Cloud PC.
Device and app management | Corporate management
Intune July updates for the beta version.
Identity and access | Directory management
- Get or list one or more of the commercial subscription resources that an organization has acquired. A subscription resource contains the ID and part number of the SKU that it is associated with.
- In a role definition, get one or more types of principals that can be assigned the role, including user, service principal, and group.
Identity and access | Governance
Stop the process of applying a review decision for an instance of a recurring access review created with autoapply and autoreview settings.
Identity and access | Network access
Use the APIs for Microsoft Entra Internet Access and Microsoft Entra Private Access to enable organizations to consolidate controls and configure unified identity and network access policies. Microsoft Entra Internet Access manages access to Microsoft 365, SaaS, and public internet apps while protecting users, devices, and data against internet threats. Microsoft Entra Private Access manages access to private apps hosted on-premises or in the cloud. The two products comprise Microsoft's Security Service Edge solution. For more information on the APIs, see Secure access to cloud, public, and private apps using Microsoft Graph network access APIs.
- Mark an email as junk, add the sender to the list of blocked senders, and optionally move the message to the Junk Email folder.
- Mark an email as not junk, remove the sender from the list of blocked senders, and optionally move the message to the Inbox.
Reports | Identity and access reports
- Get the monthly percentage of authentication availability on Azure Active Directory for a tenant. This data is the tenant's actual attainment as compared with the Azure AD service-level agreement (SLA) which commits to at least 99.99% authentication availability, as described in Azure Active Directory SLA performance.
- Get a log of events for traffic routed through the Global Secure Access services.
- Get all the report components in the Global Secure Access services, including entities summaries, cross-tenant summary, destination summaries, device usage summary, and transaction summaries.
Security | Alerts and incidents
- When getting alerts, in addition to the previously supported types of detection technology and services, you can now identify Microsoft Defender for Cloud as the technology that detected a specific alert, or service that created the alert.
- When getting alerts, in addition to previously supported types of evidence, you can now differentiate evidence resources of the following types: Amazon resource evidence, Azure resource evidence, or Google resource evidence.
Sites and lists
- For a standard web part contained in a rich text web part, get the ID of the container text web part.
- Create, update, or delete a horizontal section on a SharePoint page.
- Create, update, or delete a vertical section on a SharePoint page.
- In addition to getting or listing one or more web part resources on a page, you can now create, update, or delete a web part.
Teamwork and communications | Calls and online meetings
Subscribe to change notifications for transcripts of a specific online meeting, or for transcripts of any online meeting in a tenant.
Teamwork and communications | Devices
Listing teamwork devices now includes SIP analog devices provisioned for the tenant. These SIP analog devices are legacy endpoints such as elevator phones, parking lot phones, or factory floor devices, registered with Microsoft Teams through the SIP Gateway.
Associate users or groups as sponsors for a guest user's privileges in the tenant and keep the guest user's information and access updated. You can assign a sponsor, list sponsors, and remove a sponsor.
June 2023: New and generally available
Address an application by a new alternate key, appId. The Microsoft Entra admin center app registration refers to appId as the application (client) ID.
Device and app management | Cloud printing
- Get a list of printer share resources recently used by the signed-in user.
- Get or update additional printer share viewpoint, which is printer share data specific to the signed-in user.
Device and app management | Corporate management
Intune June updates for the v1.0 version.
- Assign a sensitivity label to a file in OneDrive or SharePoint.
- Extract one or more sensitivity labels assigned to a file or folder and update the metadata of that drive item with the latest details of the assigned label.
Identity and access | Governance
- Manage settings for emails sent out from an email-specific task within a lifecycle workflow. For more information on how lifecycle workflows enable organizations to automate basic lifecycle processes for their users, see Overview of lifecycle workflows APIs.
- Configure group peer outlier insights that help reviewers make decisions for an access review schedule definition based on the access that the user's peers have.
Search | Query
- Optionally specify the sortable or refinable properties to collapse in the results of a search request.
- Use the Microsoft Graph Search API to pass multiple search requests in a single request body.
- Guest users can search for items within SharePoint or OneDrive that have been shared with them.
Security | eDiscovery
Initiate an export from an ediscoveryReviewSet, or an export from an ediscoveryReviewSetQuery.
Security | Threat intelligence
GA release of the threat intelligence API for Microsoft Defender Threat Intelligence. The API identifies adversaries and their operations, accelerates detection and remediation, and enhances your security investments and workflows. For more information about the earlier public preview release, see What's new: APIs in Microsoft Graph.
Teamwork and communications | Calls and online meetings
- Track the freeze duration data of a video stream in a media stream.
- Check whether the forward error correction (FEC) was used at some point during a session.
- Represent CPU capabilities and name of the device used by a caller or callee participant endpoint in a call or online meeting.
- Listing sessions in a call record can now identify those sessions that took place for testing purposes.
Teamwork and communications | Employee learning
Get or specify whether a learning provider can ingest learning course activity records, including learning activity assigned to a user and learning course activity initiated by a user.
Teamwork and communications | Messaging
List all the teams in an organization.
June 2023: New in preview only
Get or set the authentication behavior of an application, for whether to remove the email claim from tokens sent to the application when the domain of the email address cannot be verified.
Device and app management | Cloud PC
Running health checks for an on-premises network connection can now identify the following error conditions:
- Your current network configuration does not allow the use of UDP direct connect Session Traversal Utilities for NAT (TURN).
- Your current network configuration does not allow the use of UDP direct connect Session Traversal Utilities for NAT (STUN and TURN).
In either case, the condition does not prevent the use of Cloud PCs but can prevent optimal performance. Consider your own network configuration policies before you apply changes.
Use a new correlation ID to uniquely identify health check item-related activities, which is part of the health check status details returned from getting the Azure resource information used to establish Azure network connectivity for Cloud PCs.
Create or get a report of Cloud PCs that failed to connect because licenses were unavailable.
Get the provisioned Cloud PCs of a specific service plan for users in a certain Azure AD user group.
Validate multiple Cloud PCs in bulk, and resize them based on the individual validation result. For related administrator's information about resizing Cloud PCs using the Microsoft Intune admin center, see resize a Cloud PC.
Get the power state of a Cloud PC for shift workers, differentiating the Cloud PC as
. For more general information on Cloud PCs for shift and part-time workers, see the blog post for Windows 365 Frontline.
Device and app management | Cloud printing
Get a report of printer usage or archived print jobs that includes the printer name. Previously, the printer was identified only by its printer ID in the report.
Device and app management | Corporate management
Intune June updates for the beta version.
Identity and access | Directory management
- Manage an administrative unit, device, group, or user that is a member of a restricted management administrative unit by requiring a role scoped to the restricted administrative unit. The calling app must be assigned the Directory.Write.Restricted permission. For delegated scenarios, the administrators must also be explicitly assigned supported roles at the restricted administrative unit scope.
- Get the last time a password sync request was received for an organization.
Identity and access | Governance
- Use the application permission
to read or update policies in Privileged Identity Management for groups, without a signed-in user.
- Use Privileged Identity Management (PIM) to govern privileged access and limit excessive access to Azure AD roles. See more information on the governance capabilities of PIM for Azure AD roles APIs in Microsoft Graph.
- Use security alerts built into Privileged Identity Management (PIM) for Azure AD roles to detect suspicious or unsafe settings for Azure AD roles in your tenant. For more information on the types of security alerts, see Get security alerts for Azure AD roles.
- Get information about a subject who requests or is assigned an access package; the subject can be a user or some entity from a connected organization who is not yet in the tenant.
- Update the lifecycle status of a user for an access package, if the user is a guest.
Identity and access | Identity and sign-in
- Get or update sign-in preferences for authentication, for the default second-factor method used by the user when signing in.
- Get or update content options to be customized throughout the authentication flow for a tenant.
Reports | Identity and access reports
Get the date/time for the last update of a user's registration record for authentication methods, including which methods are registered and which features the user is registered and capable of (such as multi-factor authentication, self-service password reset, and passwordless authentication).
Security | Alerts and incidents
Depending on the type of alert evidence, such as mailbox evidence, process evidence, or user evidence, get the display name of the related user account as part of the rich data about each artifact involved in an alert.
Security | Threat intelligence
List subdomains for a host.
Tasks and plans
Specify or get checklist items as a completion requirement for a Planner task.
Teamwork and communications | Calls and online meetings
Get information about a webinar virtual event on Microsoft Teams, including the following:
- Presenter information and details.
- Registration information, registration questions, and registrant information and status.
- Attendance report for a session in the webinar.
- Create an online meeting with the option to anonymize attendees' identity in the meeting.
- From a PSTN call log, get the IPv4 or IPv6 of a client's local address, and public IP address that can be used to determine the client's location.
Teamwork and communications | Messaging
- Get summary information about a channel, including the number of guests, members, owners, and an indicator for members from other tenants.
May 2023: New and generally available
External data connections
- Specify settings for the search experience of content in an external connection. For example, a display template for search results, and a rule to select the display template.
- Collect configurable settings related to activities of connector content in an external connection. These settings set rules to resolve the URL of an external item to its ID, thereby identifying the external item.
- Add instances of external activity on an external item. You can track the type of external activity (such as viewed, modified, created, commented), the identity of the user, group, or external group who performed the activity, and the result of adding the activity.
Identity and access | Directory management
- As part of managing corporate devices, Intune can now set additional properties on a device used for multi-factor authentication in conditional access policies for an organization: deviceCategory, deviceOwnership, enrollmentProfileName, and registrationDateTime.
- Get organization details to identify the tenant type of an organization set up as a customer identity & access management (CIAM) solution. A CIAM tenant provides an integrated platform to serve consumers, partners, and citizen scenarios.
- Define custom security attribute resources to store information, categorize objects, or enforce fine-grained access control over specific Azure resources. For more information on defining and assigning your own custom security attributes, see Overview of custom security attributes.
Identity and access | Identity and sign-in
- Specify whether to exclude or include guests or external users as part of the condition set for conditional access.
- Configure an authorization policy to allow user consent for risky apps.
- Use a cross-tenant identity sync policy to synchronize users from a partner tenant. The policy streamlines collaboration between users in a multi-tenant organization, by automating creating, updating, and deleting users from one tenant to another.
- Get the cross-tenant access default settings for automatic user consent from an inbound/outbound policy configuration.
Reports | Microsoft 365 usage reports
- Get a report of the number of teams of a particular type in an instance of Microsoft Teams.
- Get a report of the number of team activities across Microsoft Teams. Activities are related to meetings and messages.
- Get a report of the number of team activities across Microsoft Teams over a selected period.
- Get a report of details about Microsoft Teams activity by team. The report includes activities for both licensed and non-licensed users.
Security | Alerts and incidents
- Manage an Amazon resource, Azure resource such as a VM, Storage, or KeyVault, or Google Cloud resource such as compute or Kubernetes cluster identifier, as specific types of evidence related to an alert.
- Support Microsoft Defender for Cloud as a detection source that identifies a notable component or activity, or as a source that creates an alert.
Sites and lists
- Get or update tenant-wide settings for SharePoint and OneDrive, which include a number of settings such as the following:
  - The idle session sign-out policy settings for SharePoint.
  - Whether legacy authentication protocols are enabled for the tenant.
  - Whether guests must sign in using the same account to which sharing invitations are sent.
- Get all the sites across geographies in an organization.
Teamwork and communications | Calls and online meetings
- Identify the reasons for shared content or video from an online meeting participant being restricted.
- Get a join web URL for a Microsoft Virtual Appointment. This web URL includes enhanced business-to-customer experiences such as mobile browser join and virtual lobby rooms.
May 2023: New in preview only
Device and app management | Cloud PC
- Get or set a template to name Cloud PCs provisioned by a Cloud PC provisioning policy.
- Get or set configuration settings for how a Cloud PC joins Azure Active Directory in a Cloud PC provisioning policy.
- Get the user resources that are targeted in the assignment of a Cloud PC provisioning policy. This list of users is computed based on assignments, licenses, group memberships, and policies.
In class-level assignment settings, get or update any grading category to weight assignments differently when computing a class average grade.
Identity and access | Directory management
- Get any service provisioning error published by a federated service describing a non-transient, service-specific error for a user, group, or organization contact to let an administrator follow up. The administrator can retry provisioning the service for the user, group, or organization contact as applicable.
- Fine-tune the on-premises directory synchronization process for an organization by getting or updating the following additional configuration data: anchor attribute, synchronization client application ID and version, data for the current export run, and write-back configuration.
- Optionally define a directory extension as a multi-valued custom property that contains a collection of objects, instead of a single-valued property.
- Use a custom RBAC scope to manage the scope of a role assignment for an Exchange Online provider.
Identity and access | Governance
- When getting a list of every decision for an instance of an access review, access reviewers can expand to find the last user who modified any insight that a user has low affiliation and is an outlier with other users within the group.
- Use Privileged Identity Management (PIM) for groups to govern how principals are assigned membership or ownership of security and Microsoft 365 groups, such as the following capabilities:
  - Providing principals just-in-time membership or ownership of groups.
  - Assigning principals temporary membership or ownership of groups.
Identity and access | Identity and sign-in
- Use a custom authentication extension to manage the configuration and get data from a system external to Azure Active Directory, such as a database, to customize the Azure AD authentication experience for users.
- To customize an authentication process, use an authentication event listener to manage listeners and handlers that trigger the execution of custom logic during the Azure AD authentication experience.
- Use a self-service sign-up user flow for external identities within an Azure AD customer tenant, to let users sign up for an app and create a new guest account. A user flow is basically a multi-event policy that defines a series of steps for the user, listing each supported identity provider, and the user attributes to collect from the user such as given name, surname, city, postal code. For more information, see Add a self-service sign-up user flow to an app.
- Get or update the permissions for the default user role in an authorization policy to allow creating tenants in an Azure Active Directory organization.
- Get or update the cross-tenant access default settings to include cross-tenant access policy tenant restrictions that restrict organization users accessing an external organization on their network or devices.
- As part of the authentication methods policy in Azure Active Directory, enable settings that allow users in specific groups to report unexpected multi-factor authentication (MFA) prompts as suspicious.
Reports | Identity and access reports
- Get a report that contains sign-in activity information of an application credential in an Azure Active Directory tenant.
- Get a report that contains sign-in activity information for a service principal in an Azure Active Directory tenant.
Security | Attack simulation and training
Get the following additional data from attack simulation reports:
- The number of days that an attack simulation user is out of office during an attack simulation and training campaign.
- The last activity in a user's detailed online actions in an attack simulation and training campaign.
Tasks and plans
- Share a plan using a shared-with container that is separate from the original container that the plan belongs to. Users can share a plan with multiple other containers, and specify the maximum access level allowed by each of these containers, such as read, readwrite, or full access.
- Specify in the details of the context of a plan to surface the plan in Microsoft Project.
Teamwork and communications | Calls and online meetings
List each message history item of a chat message in a Teams chat or channel.
April 2023: New and generally available
Device and app management | Browser management
Administrators can use the Edge API in Microsoft Graph in an app to manage an organization's browser site lists for Internet Explorer (IE) mode that reside in the cloud, much like the way they can do it in the Microsoft 365 admin center. With proper permissions, the app can create a browser site list, add a browser site and shared cookie, and publish the site list for Microsoft Edge to download.
Identity and access | Identity and sign-in
- Include an authentication strength policy as part of conditional access grant controls to be fulfilled to pass a conditional access policy. An authentication strength policy defines specific combinations of authentication methods to be used to authenticate in the corresponding scenario.
- As part of the default user role of an authorization policy, specify whether the registered owner of a device can read their own BitLocker recovery keys.
Search | Query
Qualify a search query string with a query template, which supports KQL and query variables.
Teamwork and communications | Calls and online meetings
Specify whether content for an online meeting, such as shared content or video feed, should have watermark protection. To support watermarking content, client applications must implement and apply the watermarking.
Teamwork and communications | Messaging
Subscribe to change notifications in a tenant where a specific Teams app is installed, for the following resources:
April 2023: New in preview only
Device and app management | Cloud PC
- Start or stop a Windows 365 Frontline Cloud PC for a user.
- IT administrators can power on or power off a Windows 365 Frontline Cloud PC. After powering on a Cloud PC, an IT administrator can allocate and assign licenses to a user.
Device and app management | Corporate management
Intune April updates for the beta version.
- Teachers can activate an inactive assignment to signal that the assignment has further action items for teachers or students.
- Teachers can deactivate and mark an assignment as inactive to signal that the assignment has no further action items for teachers and students.
External data connections
Get or set the relative ranking importance of a property in a schema, to allow Microsoft Search to determine the search relevance of the content.
Identity and access | Directory management
List or get local administrator credential information for all device objects in Azure Active Directory that are enabled with Local Admin Password Solution (LAPS). For more information on LAPS, see Windows Local Administrator Password Solution in Azure AD (preview).
Identity and access | Governance
- Use the new
delegated or application permission to resume a task-processing result that's in progress.
- Get the settings for verifiable credentials in an access package assignment policy, that have been set up in the Microsoft Entra Verified ID verification solution. These settings represent the verifiable credentials that a requestor of an access package in this policy can present to be assigned the access package. The types of verifiable credentials that a requestor presents include the type of the credential issued, such as
, and list of accepted issuers.
Identity and access | Identity and sign-in
- Get or update the permissions for the default user role in an authorization policy to allow creating tenants in an Azure Active Directory organization.
- Get or update the settings in an authentication methods policy for selected users or groups to be included or excluded from being prompted with their preferred multifactor authentication methods for their Azure Active Directory organization.
- To support Windows Local Administrator Password Solution (LAPS) in Azure AD, administrators can get or update local admin password settings in the device registration policy for an organization.
Reports | Azure AD activity reports
List any managed identity used for a sign-in activity, including the identity type and associated Azure Resource Manager (ARM) resource ID.
Reports | Microsoft 365 usage reports
For Microsoft Forms:
- Get usage reports for activity counts by activity type.
- Get usage reports for activity counts by user type.
- Get usage reports for details of form activity by user.
Teamwork and communications | Calls and online meetings
- Get the metadata content of a call transcript in a stream.
- Get a log of users who are blocked or unblocked from making public switched telephone network (PSTN) calls in Microsoft Teams.
- Get an aggregated report of the usage and money spent for audio conferencing dial-out service. The report includes the cost, number of dial-out calls, and total time of use over a selected period.
- Get a log of sent or received SMS messages.
- In addition to existing data in a PSTN call log row, get the country code for the second party in the PSTN call.
- In addition to existing data in a direct routing call log row, get the country codes of the two parties in the direct routing call.
- Get the join URL for an appointment on the Virtual Appointments app for Microsoft Teams. Existing customers who use the prior virtual appointment API in their apps should update their apps to integrate with the Virtual Appointments app before the API stops returning data on June 20, 2023. For more information, see Virtual Appointments with Microsoft Teams.
- Get or set the option to share the chat history of an online meeting with participants.
- Listing sessions in a call record can now identify those sessions that took place for testing purposes.
- Represent CPU capabilities of a caller or callee participant endpoint in a call or online meeting.
- Track the freeze duration data of a video stream in a media stream.
- Communications servers can publish deltaParticipants notifications for the creation, update, or deletion of a participant in a call. For more information, see JSON payload examples of notifications with delta roster disabled or enabled.
Teamwork and communications | Employee learning
Track an activity that is part of a learning course in Viva Learning, for a user and for a learning provider. Differentiate between an activity that's been assigned to the user, and an activity that is initiated by the user.
March 2023: New and generally available
Specify if an application requires Azure AD to verify signed authentication requests.
Compliance | Records management
Use the Microsoft Purview records management API to help organizations manage the retention and deletion of data to meet legal obligations and compliance regulations.
Identity and access | Directory management
Get newly created, updated, or deleted directory objects without performing a full read of the entire set of Active Directory objects in an organization.
Identity and access | Identity and sign-in
- Enable or disable the following authentication methods for specific users and groups in a tenant:
- Organizations can use policies to enforce best practices for apps using application authentication methods. Such policies can apply to specific applications and service principals, or to all applications and service principals in a tenant.
Teamwork and communications | Calls and online meetings
When getting a call record, you can get up to 60 sessions for that call record on the same page.
Teamwork and communications | Messaging
To export Teams content, you can list teams that have been deleted, and get 1:1 chats, group chats, meeting chats, and channel messages of a deleted team. For more information, see Export content with the Microsoft Teams export APIs.
Use the last interactive and non-interactive sign-in date/time values of users' signInActivity to manage inactive accounts.
March 2023: New in preview only
Device and app management | Cloud PC
- Getting launch information about a signed-in user's connection to a Cloud PC now includes whether the Cloud PC supports switch functionality, and the reason if it doesn't, such as not meeting requirements for the version of the operating system, CPU, or RAM.
- Include provisioning type (dedicated or shared) and management service type (for example, Windows 365, Power Automate) as criteria for a Windows 365 service plan.
Device and app management | Corporate management
Intune March updates for the beta version.
When sharing an item on OneDrive for Business with other users, include the option to notify those users by email.
Identity and access | Governance
- Use access package assignment workflow extension or access package assignment request workflow extension to define the configuration of logic apps. Integrate logic apps with entitlement management to broaden your governance workflows beyond the core entitlement management use cases.
- Get information about all custom extension calls that were made during the access package assignment and access package assignment request workflows.
- Manage settings for emails sent out from an email-specific task within a lifecycle workflow. For more information on how lifecycle workflows enable organizations to automate basic lifecycle processes for their users, see Overview of lifecycle workflows APIs.
Identity and access | Identity and sign-in
- In addition to approving authentication push notifications on Microsoft Authenticator, specified users, groups, or administrative units can approve authentication push notifications on a supported Microsoft 365 app (Outlook mobile app). Administrators can get or update the companionAppAllowedState property of the feature settings of a Microsoft Authenticator authentication method configuration policy. When enabling this capability, administrators can set the Microsoft 365 app name in the clientAppName property for the Microsoft Authenticator authentication method registered to the user.
- Get and manage the profile data of users from an external Azure AD tenant as inbound shared user profile, and profile data of users in the current tenant, who have shared their data with an external Azure AD tenant, as outbound shared user profile. Such capability is part of Azure Active Directory (Azure AD) B2B direct connect which enables users from two Azure AD organizations to work together using their home credentials without having to be added to each other's organizations as guests.
Industry data ETL
Debut of the industry data API, which is a multi-vertical, cross-industry, ETL (Extract-Transform-Load) platform. Use the API to combine data from multiple sources into a single Azure Data Lake data store, normalize the data, and export it in outbound flows. Use it to assist with monitoring and troubleshooting. Get statistics after the data is processed.
Reports | Azure AD activity reports
- View in an Azure AD activity report if any sign-in activity in your directory is triggered by a match of a condition about Microsoft admin portals, that is satisfied in a rule in the applied conditional access policy.
- View in an Azure AD activity report the result of enforcing a custom authentication strength in an applied conditional access policy.
Reports | Microsoft 365 usage reports
Get counts for different types of teams in an instance of Microsoft Teams, such as public teams, active public teams, private teams, and active private teams.
Security | eDiscovery
Get the metadata of an eDiscovery export file, such as the download URL, file name and size.
Security | Threat intelligence
Debut of the threat intelligence API for Microsoft Defender Threat Intelligence. The API identifies adversaries and their operations, accelerates detection and remediation, and enhances your security investments and workflows. For more information about the debut, see What's new: APIs in Microsoft Graph.
Sites and lists
When sharing an item on SharePoint with other users, include the option to notify those users by email.
Tasks and plans
Use the following delta functions of the corresponding type of Planner resources to get the newly created, updated, or deleted resources without having to perform a full read of the entire resource collection:
- Delta function for Planner plans in either a group or a Planner roster.
- Delta function for Planner buckets in a Planner plan.
- Delta function for Planner tasks in either a Planner plan or assigned to the signed-in user.
February 2023: New and generally available
Identity and access | Directory management
- Following the Zero Trust cybersecurity model, Microsoft partners can use granular delegated admin privileges (GDAP) to carry out administrative tasks with least-privileged access to their customer tenants, to avoid potential security exposures. Instead of requesting Global Administrator role as in the past, partners request specific roles for customer tenant administration for a definite amount of time, and their customers must explicitly grant the least-privileged access to them.
- Get or update the configuration and features of on-premises directory synchronization set up for an organization, including configuration to prevent accidental deletion.
Identity and access | Governance
As part of a policy for access package assignment, you can specify or get the required regex pattern for a requestor to answer an access package question.
Identity and access | Identity and sign-in
Specify in a cross-tenant access policy to enable B2B collaboration across Azure clouds, for example, between tenants in Azure Commercial and Azure Government clouds, and between Azure Commercial and Azure China clouds.
Search | Query
Use application permissions and search all shared or private content on SharePoint sites that belong to the app owner in a specified region.
Security | Attack simulation and training
- Get information about an automated attack simulation for a tenant.
- Get a list of automated runs of attack simulation for a tenant.
Teamwork and communications | Calls and online meetings
Support a user to participate in an online meeting in the role of a coorganizer.
Teamwork and communications | Messaging
Support an Azure Communication Services user to participate in a team, channel, or chat.
To-do tasks
Use a single POST operation to attach a file up to 3 MB to a to-do task, or create an upload session to iteratively upload portions of a file up to 25 MB total size to attach it to a task.
February 2023: New in preview only
Applications | Synchronization
When calling the synchronization API, take advantage of more granular permissions designed for reading or writing synchronization data, by using the new permission, Synchronization.Read.All, instead of the higher privileged permission, Directory.Read.All, and Synchronization.ReadWrite.All instead of Directory.Read.All.
Request a lower privileged delegated or application permission, Calendar.ReadBasic or Calendars.ReadBasic.All, for most read operations for events in calendars, with or without a signed-in user present. These permissions allow an app to read events of all calendars, except for properties such as body, attachments, and extensions. For the exact list of operations that support these permissions, see the February updates for Calendar.
Device and app management | Cloud PC
- Enable or disable single sign-on as part of a Cloud PC provisioning policy and of the tenant-wide organization settings for Cloud PC. When single sign-on is enabled, Windows 365 users can use single sign-on to authenticate to Azure Active Directory (Azure AD) with passwordless options (for example, FIDO keys) to access their Cloud PCs.
- Organizations with frontline workers can provision Cloud PCs as a shared type and subscribe to a shared-use service plan for Cloud PCs.
- Allow a customer to select from a list of supported region groups when provisioning a Cloud PC, so that the Cloud PC is placed in one of the regions belonging to that group based on resource status.
Device and app management | Device updates
Use the Windows Update for Business deployment service to manage Windows 11 feature updates and driver updates. When enrolled devices are scanned for updates, the deployment service identifies applicable, better drivers for each device. The service collects such driver information in a catalog for approval, and schedules approved catalog content for deployment.
Identity and access | Directory management
Debut of pronouns support for organizations - use pronouns settings to programmatically manage the support of pronouns in an organization. Find out about how administrators can enable or disable pronouns in the Microsoft 365 admin center, and the availability timeline for pronouns on profile cards on the Microsoft 365 roadmap.
Reports | Identity and access reports
Use the recommendation resource as personalized and actionable insights to implement Azure Active Directory best practices. Recommendations help to ensure your tenant is in a secure and healthy state and maximize the value of the features available in Azure AD. For more information about how recommendations work in Azure AD for administrators, see What are Azure Active Directory recommendations.
Identity and access | Governance
List the users who are in the scope of the execution conditions of a workflow.
Security | Attack simulation and training
- Create or delete an attack simulation campaign for a tenant. Prior to this update, apps could only get information about an existing simulation campaign.
- Get information about an attack simulation training. Get further details such as the content and coachmarks.
Teamwork and communications | Calls and online meetings
Identify the reasons for shared content or video from an online meeting participant being restricted.
Teamwork and communications | Messaging
Support an Azure Communication Services user to participate in a team, channel, or chat.
January 2023: New and generally available
Device and app management | Corporate management
Intune January updates for the v1.0 version.
Identity and access | Directory management
Get the country code that represents the default service usage location of an organization.
Security | Attack simulation and training
- Get information about an automated attack simulation for a tenant.
- Get a list of automated runs of attack simulation for a tenant.
Tasks and plans
Use application permissions for read and write operations of Planner resources.
Teamwork and communications | Calls and online meetings
Specify settings that include a meeting ID, and whether attendees require a passcode to join the online meeting.
Teamwork and communications | Messaging
- Delete or undo a deletion of a chat message in a channel or chat.
- Get or set summary information about a team, including the count of owners, members, and guests.
January 2023: New in preview only
Device and app management | Cloud PCs
- Get a usage report on shared licenses of a service plan over a specified period of time, or in real time.
- Associate a Cloud PC supported region to a geographic group that belongs to a supported set.
- Get the set of remote actions supported for a Cloud PC device.
Device and app management | Cloud printing
Get or set a display name for a print job.
Identity and access | Governance
Update a task for lifecycle workflows.
Identity and access | Identity and sign-in
- Use a cross-tenant identity sync policy to synchronize users from a partner tenant. The policy streamlines collaboration between users in a multi-tenant organization, by automating creating, updating, and deleting users from one tenant to another.
- Get the cross-tenant access default settings for automatic user consent from an inbound/outbound policy configuration.
Security | Attack simulation and training
- Create or delete an attack simulation campaign for a tenant. Prior to this update, apps could only get information about an existing simulation campaign.
- Get information about an attack simulation training. Get further details such as the content and coachmarks.
Tasks and plans | Business scenarios
Debut of the business scenarios API which allows developer customers to configure plans and tasks, and to bring custom scenario data in entities for their Planner-specific scenarios.
December 2022: New and generally available
Address a service principal by a new alternate key, appId.
Identity and access | Directory management
- Address a device by a new alternate key, deviceId.
- Address a directoryRole by a new alternate key, roleTemplateId.
Identity and access | Identity and sign-in
Identify at-risk service principals in an organization with Azure AD, which continually detects and evaluates risks based on various signals and machine learning. You can confirm if an at-risk service principal is indeed compromised, upon which Microsoft would disable that service principal object. You can dismiss the risk of an at-risk service principal. And, you can list the risk history of a service principal.
December 2022: New in preview only
Device and app management | Corporate management
Intune December updates for the beta version.
Identity and access | Directory management
- Use additional customizations on the Azure Active Directory sign-in page for an organization: custom CSS, organization logo on the page header, and login page layout configuration.
- Get or update the configuration and features of on-premises directory synchronization set up for an organization.
People and workplace intelligence | Item insights
A user whose item insights have been disabled can still see the file-based activities of other users with item insights enabled. Prior to this update, a user with item insights disabled would not see anybody's trending content. Learn more about an organization's insights-based experience after disabling a user's item insights.
Reports | Azure AD activity reports
Get additional details about user or application sign-in activity logs:
- Details about the app and device used during an Azure AD authentication step.
- Details about the Azure AD policies applied to a user or client authentication app during an authentication step.
Sites and lists
- Get counts of user reactions (likes, comments, and shares) of a site page.
- When creating a site page, you can specify the following:
  - The title area of the page.
  - The page layout as an article page or a home page when creating a site page.
  - The canvas layout, including any horizontal section, column in a horizontal section, vertical section, or web part.
  - The URL of a thumbnail image for the page.
  - Whether to show comments at the bottom of the page.
  - Whether to show recommended pages at the bottom of the page.
- Differentiate a web part as a standard web part or text web part.
- Get web part data from a standard web part.
- Get position information of a web part.
- Get a collection of web parts by providing web part position information.
Tasks and plans
Use an external source to relate a bucket, task, or plan to a user experience outside of Planner. Surface and sync the bucket, task, or plan in that experience, and track work in the context of that experience. See more information in external bucket source, external task source, and external plan source.
Use SDKs
Try the new Microsoft Graph Python SDK (preview) and take advantage of the following improvements:
- A new authentication provider that automatically refreshes access tokens.
- A built-in retry handler that understands response status codes.
- A fluent request building pattern to improve efficiency and discoverability.
- Type annotations, both synchronous and asynchronous experiences and HTTP2 support.
Note: The Microsoft Graph Python SDK is currently in public preview. Don't use this SDK in production environments. For details see SDKs in preview or GA status.
To get started, see:
November 2022: New and generally available
- Create a SharePoint folder for an assignment to upload feedback documents.
- Create a feedback document for a submission in the feedback folder associated with the assignment.
Identity and access | Directory management
- List or restore a deleted administrative unit.
- Promote a verified subdomain to the root domain.
- Reset a guest user's redemption status by using the resetRedemption property of an invitation. This enables the user to sign in using a different email address, without first deleting the user's account from the directory and re-inviting the user, thereby retaining their user identifier, group memberships, and app assignments.
- Use the delegated permission to query and read all acronyms on behalf of a signed-in user.
- Use the delegated permission to query and read all bookmarks on behalf of a signed-in user.
- Use the delegated permission to query and read a signed-in user's 1:1 or group chat messages, on behalf of the signed-in user.
- Use the delegated permission to query and read all messages in a Teams channel on behalf of a signed-in user.
Security | eDiscovery
Delete Microsoft Teams messages contained in an eDiscovery search. Specify the purge type to be soft or hard delete, and the scope of the purge action.
Teamwork and communications | Messaging
- Only the tenant admin of the sender of a chat message can update and override a policy violation on the message. Usually, a data loss prevention (DLP) application takes action when a sender violates policy and sends data they should not send.
- Send activity feed notifications to a user, to a user in a chat, or to a user in a team, based on the supported types of activities declared in the corresponding app manifest.
November 2022: New in preview only
- Enable or disable the lock configuration of sensitive properties of a multi-tenant application for editing after the application is provisioned in a tenant.
- Address a service principal by a new alternate key, appId.
- Address an application by a new alternate key, appId. The Microsoft Entra admin center app registration refers to appId as the application (client) ID.
Devices and apps | Browser management
Administrators can use the Edge API in Microsoft Graph in an app to manage an organization's browser site lists for Internet Explorer (IE) mode that reside in the cloud, much like the way they can do it in the Microsoft 365 admin center. With proper permissions, the app can create a browser site list, add a browser site and shared cookie, and publish the site list for Microsoft Edge to download.
External data connections
Specify in a schema property definition for a connection whether to match the property exactly for queries.
Identity and access | Directory management
Use the assignedPrincipals method to get the list of security principals (users, groups, and service principals) that are assigned to a specific role for different scopes either directly or transitively.
Search | Query
Specify in a search request one or more criteria to collapse search results.
Teamwork and communications | Messaging
List the message history items of a chat message in a Teams chat or channel.
October 2022: New and generally available
Devices and apps | Corporate management
Intune October updates for v1.0.
- Use application permissions to update the outcome of an assignment.
- Use application permissions to submit, unsubmit, return, or reassign a submission.
Identity and access | Governance
Manage access package or group resources that are incompatible with one another.
Identity and access | Identity and sign-in
- Use an authentication context class reference to specify custom values for a conditional access authentication requirement, to build user-facing custom admin experiences.
- Enable or disable users and groups in an organization to use the Azure AD native Certificate-Based Authentication (CBA).
- Get conditional access details in a template that is recommended by Microsoft as best practice configurations for an Azure Active Directory conditional access policy.
- Get or update specific feature settings for Microsoft Authenticator, for example, whether to show the app that the user is signing into, or the geographic location from which the authentication request originated.
Reports | Microsoft 365 usage reports
Get reports for Microsoft 365 app usage, including the usage of Microsoft 365 apps by user, the number of daily unique active users by app, and the number of daily unique active users across all apps by platform (Windows, Mac, web, and mobile).
Teamwork and communications | Calls and online meetings
When inviting a participant to a call, you can specify whether to hide the participant from the roster or remove the participant from the main mixer.
Teamwork and communications | Messaging
- Send activity feed notifications to multiple users, in bulk.
- Hide or unhide a chat for a user.
- Using delegated permissions to list chats now takes the viewpoint of the specific user into account. The viewpoint includes whether the user has hidden the chat, and the date/time when the user last read a message in that chat.
October 2022: New in preview only
Device and app management | Cloud PCs
- Use an alert rule with preferred notification channels, like email and Microsoft Endpoint Manager admin center notification, to monitor and receive alerts when conditions set in alert rules are met. Currently, issues with Cloud PCs such as provisioning or checking on-premises network connections can trigger alerts.
- For customers accessing their Cloud PCs in the US Government Community Cloud (GCC), administrators can set up a mapping between the Azure Active Directory in the public cloud and GCC. Use the mapping to update the security and compliance requirements for the FedRAMP certification and onboarding to GCC.
- Get real-time or aggregated reports about Cloud PC remote connection. You can also download a report by an export job, where you can specify a filter, columns, and format.
Device and app management | Cloud printing
Get a list of printer share resources recently used by the signed-in user.
Devices and apps | Corporate management
Intune October updates for the beta version.
Devices and apps | Multi-tenant management
- Support a status of granular delegated admin privileges (GDAP) or delegated and granular delegated admin privileges relationship between a managing entity and a managed tenant.
Identity and access | Governance
- Enable a workflow or its subsequent versions to run on demand, or on schedule by the Lifecycle Workflows engine based on the schedule defined by tenant settings.
- Move an access package to a specified target access package catalog.
Identity and access | Identity and sign-in
- Get a Microsoft-recommended template of best practice configurations for Azure Active Directory conditional access policies.
- Include an authentication strength policy as part of conditional access grant controls to be fulfilled to pass a conditional access policy. An authentication strength policy defines specific combinations of authentication methods to be used to authenticate in the corresponding scenario.
- Configure an authorization policy to allow user consent for risky apps.
- Specify a dynamic application syntax rule as a filter to include or exclude cloud applications from a conditional access policy.
- Specify a dynamic service principal syntax rule as a filter to include or exclude service principals from a conditional access policy.
Personal contact | Org control for contact insights
Administrators can configure tenant-level privacy control as organization settings for displaying or returning contact insights in an organization. An example of contact insights is whether to identify duplicate contacts in a user's contacts list and suggest that the user merge those contacts to have a cleaner contacts list.
Search | Query
- Specify options for searching for SharePoint or OneDrive content - the kinds of content to be searched when performing a search request using application permissions.
- Include in a search request the possible resource types of acronym, bookmark, or chatMessage in the search response.
Security | Advanced hunting
Query event, activity, or entity data in Microsoft 365 Defender to proactively look for specific threats in your environment. This advanced hunting feature enables unconstrained hunting for both known and potential threats.
Security | Alerts and incidents
Create a comment for an existing alert or incident.
Tasks and plans
Get or update rich text description of a Planner task intended for HTML-aware clients.
Teamwork and communications | Messaging
- Subscribe to change notification of membership in all the channels across a tenant.
- Set or unset a reaction to a single message or a message reply in a Teams channel or a chat.
- Only the tenant admin of the sender of a chat message can update and override a policy violation on the message. Usually, a data loss prevention (DLP) application takes action when a sender violates policy and sends data they should not send.
- The identity of a user in a Teams chat or online meeting can be an Azure Communication Services user.
September 2022: New and generally available
Devices and apps | Corporate management
Intune September updates for the v1.0 version.
Identity and access | Directory management
Add a group as a member of an administrative unit.
Identity and access | Identity and sign-in
Identify the risk state in a risky user or sign-in event as safe or compromised because a Microsoft 365 Defender administrator dismissed risk detection.
Security | Attack simulation and training
GA of the API for attack simulation and training, which is a service available as part of Microsoft Defender for Office 365. The API enables tenant administrators to list launched simulation exercises and trainings, and get reports on derived insights into online behaviors of users in the phishing simulations.
Teamwork and communications | Calls and online meetings
- Configure broadcast settings to create an online meeting as a live event. See an example.
- Turn on the large gallery view to display participants on a Teams call. For more information about the large gallery view on a call, check out the section titled "see more participants".
- Get the sessions where users share content in a call.
Teamwork and communications | Messaging
Get the details of pinning or unpinning a chatMessage in a chat.
Use the API | Batching
For apps that make multiple requests on Outlook resources in the same mailbox, you can now further optimize app performance by using JSON batching to combine more than 4 such requests in one HTTP call. The previous limit on batching up to 4 requests on the same mailbox has been removed.
September 2022: New in preview only
Devices and apps | Corporate management
Intune September updates for the beta version.
Assign a sensitivity label to a file in OneDrive or SharePoint.
Identity and access | Governance
As part of a policy for access package assignment, you can specify or get the required regex pattern for a requestor to answer an access package question.
Identity and access | Identity and sign-in
- Identify the risk state in a risky user or sign-in event as safe or compromised based on one of the following reasons:
  - An administrator has dismissed all risks for the service principal.
  - An administrator confirmed the service principal has been compromised.
- Allow internal guests or external users to be among the types of conditional access users that can be included or excluded in the scope of a conditional access policy.
Teamwork and communications
- Subscribe to change notifications in a tenant where a specific Teams app is installed, for the following resources:
- Use the following least privileged application permission necessary for a subscription for chats, chat messages, or chat members as listed in the preceding scenarios:
- Get or set the date for an employee leaving an organization as part of the user resource.
- Use the authorization info resource to bind IDs of smart card certificates of an Azure AD user for identification and authentication to non-Azure AD environments, such as on-premises Active Directory deployments or federated environments.
- List the apps to which a user has an app role assignment either directly or through group membership.
August 2022: New and generally available
Use federated identity credentials to manage an application's credentials and allow an organization's cloud applications to access Azure AD without using secrets and certificates.
Devices and apps | Corporate management
Intune August updates for the v1.0 version.
Identity and access | Governance
Manage a policy that assigns an access package to a subject automatically, as opposed to assigning on the subject's request.
Identity and access | Identity and sign-in
- GA of authentication methods including email, password, phone, and software OATH.
- Reset a user password and get the operation status for a long-running operation.
- Manage session controls to enforce sign-in frequency in a conditional access policy.
Sites and lists
Manage the version history of a document set in SharePoint, allowing apps to capture the document set (folder) and its contents (documents) at a point in time.
Teamwork and communications | Calls and online meetings
- Get a specific transcript or all the transcripts of an online meeting.
- Set or clear the preferred availability and activity status for a user.
- Get a call record of calls or online meetings that use Azure Communication Service as a client user agent in an endpoint.
Teamwork and communications | Messaging
- Limit a chat title to a maximum of 255 characters, none of which can be a colon.
- List the chats of a specific user who may not be signed in or is different from the signed-in user, using application permissions.
- List and sort chats starting with the most recent ones.
August 2022: New in preview only
- Specify if an application requires Azure AD to verify signed authentication requests.
- Configure Azure AD Application Proxy to publish on-premises apps for remote users.
Calendar | Places
Get or update a workspace in a tenant.
Devices and apps | Cloud PC
Restore a Cloud PC to a prior state.
Devices and apps | Corporate management
Intune August updates for the beta version.
Get or update tenant-wide settings for SharePoint and OneDrive:
- The idle session sign-out policy settings for SharePoint.
- Whether legacy authentication protocols are enabled for the tenant.
- Whether guests must sign in using the same account to which sharing invitations are sent.
Identity and access | Governance
Configure group peer outlier insights that help reviewers make decisions for an access review schedule definition based on the access that the user's peers have.
Create, activate, and maintain Azure AD lifecycle workflows to manage Azure AD users by automating lifecycle processes, including the following:
- When a user comes into scope of needing access, such as joining an organization.
- When a user moves between boundaries within an organization, such that the move requires more access.
- When a user leaves the scope of needing access, such as leaving or retiring from an organization.
Use lifecycle workflow reporting to get insight into how lifecycle workflows are processed.
Identity and access | Identity and sign-in
Use Microsoft Authenticator authentication method configuration as an authentication methods policy to configure and allow users to use specific authentication methods, such as number matching and location context, and whether to enable the methods for all users or specific users.
Track and get only the created, updated, or deleted messages in a delta request.
Reports | Identity and access reports
Get more details about authentication registration by users in a tenant - whether a user is a member or guest, and whether the user has an administrator role in the tenant.
Security | Alerts and incidents
Use the latest generation of alerts and incidents that aggregate alert data from security providers integrated with Microsoft 365 Defender, correlate clues and evidence to provide a richer, broader context of an attack. These alert and incident resources offer consistent actionability across the different providers, making it easy for analysts to collectively investigate and respond to threats.
Teamwork and communications | Calls and online meetings
Get a specific transcript or all the transcripts of an online meeting.
Teamwork and communications | Messaging
List and sort chats in descending order.
July 2022: New and generally available
Customer booking
Get the availability of specified staff members in a business.
Devices and apps | Corporate management
Intune July updates for the v1.0 version.
Identity and access | Directory management
- Restore a deleted directory object within 30 days of deletion. The directory object can be an application, group, service principal, or user.
- Permanently delete a directory object as listed above.
Identity and access | Governance
- Reprocess an access package assignment request to automatically retry a user's request for access to the package.
- Reprocess an access package assignment to automatically re-evaluate and enforce a user's assignments to groups, applications, and SharePoint Online sites for internal users as well as users outside your organization.
- Get an access package assignment to help manage access to groups, applications, and SharePoint Online sites for users internal to or outside of an organization.
- Configure settings for each stage in a multi-stage access review. In addition to getting or updating an access review stage, you can do the following:
- Stop reviewers from giving more input to a stage and proceed to the next stage if applicable.
- Filter and get all the stages on an access review instance for which the calling user is a reviewer.
- List decisions from a multi-stage access review.
- Get or update the photo for a team.
- Use the delegated permission to read, install, upgrade, or uninstall a tab pinned to your Teams app in chats that the signed-in user can access.
- Use the application permission to read, install, upgrade, or uninstall a tab pinned to your Teams app for any chat, without a signed-in user.
- Use the delegated permission to read, install, upgrade, or uninstall a tab pinned to your Teams app for the channels that the signed-in user can access.
- Use the application permission to read, install, upgrade, or uninstall a tab pinned to your Teams app for any channel, without a signed-in user.
- Share a channel with one or more teams:
  - List only channels that are shared with a team.
  - List all the channels in a team including those hosted in a team or shared with the team.
  - List team members who can access a specified shared channel.
  - Remove a channel shared with a team.
  - List the teams that have been shared a specified channel.
  - Unshare a channel with a team.
- Create a team from a group, and create a channel in a team as asynchronous operations.
- Add a member directly to a channel without first adding the member to the parent team.
July 2022: New in preview only
Cloud communications | Call
- Join a scheduled call with a join-meeting ID or passcode.
Cloud communications | Online meeting
- Create an online meeting that requires a passcode.
- Specify settings that include a meeting ID, and whether attendees require a passcode to join the online meeting.
- Create and manage a virtual appointment between a service provider and their customer. This release is a programmatic debut that enables providers such as financial professionals, design consultants, or health care clinicians to consume online workflows and to meet with their customers remotely over video meetings. Find out more information about the end user experience with virtual appointments on Microsoft Teams.
Devices and apps | Cloud PC
Create, get, or update settings for an external partner of Cloud PC, such as the partner status, and enabling or disabling the connection.
Devices and apps | Corporate management
Intune July updates for the beta version.
Identity and access | Directory management
- Get or update a tenant-wide policy on whether the administrator of a guest tenant must remove an external user from the tenant, or whether external users can self-serve and remove themselves from the guest tenant.
- Find tenant information by domain name or by tenant ID.
Reports | Microsoft 365 usage reports
Get or update tenant-wide settings to hide or show identifiable information for users, groups, or sites in Microsoft 365 usage reports.
Security | Threat submission
Create or get a submission of an email, email file attachment, or URL at the Microsoft 365 Defender portal to confirm if the item is malicious or safe, or has been allowed or blocked by tenant policies that have overridden Microsoft Defender for Office 365.
- Get a collection of team templates and their template definitions available for a tenant.
- Delete or undo a deletion of a chat message in a channel or chat.
- Get or update tenant-wide settings to allow or disallow installing Teams apps that require resource-specific permissions in a chat or meeting.
Teamwork | Employee learning
Debut of the employee learning API that enables apps to make content from a Learning Management System (LMS) or learning provider available in Viva Learning. In Viva Learning, employees and teams can discover, share, recommend, and learn from content libraries provided by both their organization and partners. Because Viva Learning is a centralized learning hub in Microsoft Teams, this makes it easier for employees to prioritize their growth and integrate learning and building skills into their workday.
To-do tasks
- Use a single POST operation to attach a file up to 3 MB to a to-do task, or create an upload session to iteratively upload portions of a file up to 25 MB total size to attach it to a task.
- Get or set a date and time in a specific time zone for a to-do task to begin.
Use SDKs
Try the new Microsoft Graph PHP SDK 2.0.0-RC5 and take advantage of the following improvements:
- A new authentication provider that automatically refreshes access tokens.
- A built-in retry handler that understands response status codes.
- A fluent request building pattern to improve efficiency and discoverability.
To get started, see:
Get the security identifier (SID) of a user in Windows scenarios.
June 2022: New and generally available
Cloud communications | Call records
Get information about the audio codec, video codec, network transport protocol, and trace route hops for a media stream when getting a call record and expanding each segment of a session.
Identity and access | Directory management
- List the administrative units that a device is a member of.
- Manage devices as members in an administrative unit: list members including devices, and get, add, and remove a device as a member.
- Get the status and other details of security and compliance certification of an application to protect customer data.
- Configure federation settings with Azure AD.
Identity and access | Identity and sign-in
- Configure and manage the settings of the Temporary Access Pass authentication methods policy in your tenant.
- Get the base policy in a directory for cross-tenant access settings, default configuration for how an organization interacts with external Azure Active Directory organizations, and partner-specific configurations for external Azure Active Directory organizations.
Reports | Microsoft 365 usage reports
Find new columns in Teams reports generated by the following methods:
- getTeamsUserActivityCounts
- getTeamsUserActivityUserDetail
- getTeamsDeviceUsageUserDetail
- getTeamsDeviceUsageUserCounts
- getTeamsDeviceUsageDistributionUserCounts
- Deprecated the Windows Phone column in the Teams reports generated by the following methods:
Subscribe to change notifications for the following in Teams:
- team and channel
- team and channel membership
- chat
- chat membership
- chat messages across all chats that a particular user is part of.
June 2022: New in preview only
Specify linked objects that can be provisioned during on-demand provisioning, including principals like manager, members, and owners.
Compliance | eDiscovery
Access the eDiscovery API from the security namespace going forward, instead of the compliance namespace.
Compliance | Records management
Use the debut Microsoft Purview records management API to help organizations manage the retention and deletion of data to meet legal obligations and compliance regulations.
Customer booking
- Manage the language of the self-serve booking page of a business or a service provided by the business.
- Specify in the customer's information whether SMS notifications are enabled for the customer's appointment.
- Specify whether anonymous join is enabled for a service, and whether to generate an anonymous join Web URL for an appointment for the service.
- Differentiate the role of a staff member as a scheduler or a member.
- Specify whether to notify a staff member by email when a booking is assigned or updated for the member.
Device and app management | Cloud PC
Get the following information for a Cloud PC provisioning policy:
- The name of the group that Cloud PCs reside in.
- The number of hours to wait before reprovisioning/deprovisioning happens.
- Whether local admin (such as the end user of the Cloud PC) is enabled.
- The service that manages the Azure network connection, which currently is Windows 365 or Microsoft Dev Box.
Device and app management | Multi-tenant management
Get the collection of roles assigned to a user signed in to a managed tenant.
- Create a SharePoint folder for an assignment to upload feedback documents.
- Create a feedback document for a submission in the feedback folder associated with the assignment.
Specify if a group is configured to write back group object properties to on-premises Active Directory.
Identity and access | Directory management
- Promote a verified subdomain to the root domain.
- Get the URL to the SAML metadata for federation of a single-tenant application.
Identity and access | Identity and sign-in
Hide self-service password reset (SSPR) links in the login page text visibility settings for a tenant's sign-in page.
- Get the details of pinning or unpinning a chatMessage in a chat.
- As part of the scenarios supported for exporting Teams content, list teams that have been deleted, and get 1:1 chats, group chats, meeting chats, and channel messages of a deleted team. For more information, see Export content with the Microsoft Teams export APIs.
May 2022: New and generally available
- Track changes for assignment resources.
- Track changes for assignment category resources.
Identity and access | Directory management
An application registered in Azure Active Directory (Azure AD) can specify application or service contact information from a Service or Asset Management database.
Identity and access | Identity and sign-in
Allow an Azure Active Directory (Azure AD) tenant to set up federation with another organization whose identity provider (IdP) supports either the SAML or WS-Fed protocol. This enables the Azure AD tenant to allow guest users to access its resources.
You can specify up to 1000 search results per page for a search request.
Sites and lists
- Get a collection of content type resources from the content type hub that are compatible by using the getCompatibleHubContentTypes action.
- Add or synchronize a content type from the content type hub to a site or list, by using the addCopyFromContentTypeHub action. This makes a content type or its update available to a specific site or list where it is needed. This is an improvement from the legacy sync infrastructure which pushes the content type to all sites across an organization, reducing wait times for the publishing to propagate.
- Get one or more rich, long-running operations occurring on a site or list, which can happen when adding a content type synchronously.
Tasks and plans
- Get or update category descriptions as part of the details of a plan.
- Instead of the owner property of a plan, use the type property of a plan container to specify authorization rules and the lifetime of a plan.
- Get the priority of a task.
Get messages on a channel and include any replies to the message.
To-do tasks
- Break down a complex to-do task into more actionable, smaller tasks each as a checklist item.
- Label a to-do task with a category that is defined by the user to group Outlook contacts, events, messages, group posts, and to-do tasks.
May 2022: New in preview only
When configuring Azure AD Application Proxy for on-premises applications for secure remote access, use the isStateSessionEnabled property in the onPremisesPublishing resource to specify whether to validate the state parameter if the application uses the OAuth 2.0 authorization code grant flow. Setting this property helps administrators to protect the app from cross-site request forgery (CSRF).
Compliance | Subject rights requests
- Specify or get the locations that should be searched in a subject rights request, such as mailboxes, SharePoint, OneDrive, or Teams channels.
- Specify or get a KQL-based content query that should be used for search in a subject rights request.
Device and app management | Cloud PC
- Get a clearly defined result upon bulk-reprovisioning Cloud PC devices.
- Get or set a Cloud PC review status, or bulk-set Cloud PC review status for multiple devices.
Device and app management | Multi-tenant management
Get the number of monthly active users for each service in a managed tenant.
Use a Teams app resource that corresponds to an installed Microsoft Teams app, to allow education service users to create and share assignments with embedded Teams applications, such as YouTube or FlipGrid.
External data connections
Get the quota information for a connection. This information includes the number of items you can ingest into the connection, taking into account items remaining in the connection and the tenant-level remaining quota for all its connections.
Identity and access | Directory management
Activating a service for an organization and for a user are deprecated, and will stop returning data on June 30, 2022.
Identity and access | Identity and sign-in
As part of the default user role of an authorization policy, specify whether the registered owner of a device can read their own BitLocker recovery keys.
Reports | Identity and access reports
Get a usage report for a user's registered authentication methods that includes the default method for multi-factor authentication.
Sites and lists
Track changes for SharePoint list item resources.
- Use application permissions to get all the chats that a specified user is involved in without the user being present.
- Send activity feed notifications to multiple users in bulk, up to 100 users at a time.
To-do tasks
As of May 31, 2022, the to-do API set that is built on baseTask is deprecated. That API set will stop returning data on August 31, 2022. Use the to-do API set built on todoTask instead.
April 2022: New and generally available
External data connections
- Use the application permissions to read or write all external connections without a signed-in user present.
- Use the application permission to read all external items without a signed-in user present.
- Use the delegated permission to read and write external connections on behalf of a signed-in user, that your app is authorized to.
- Use the delegated permission to read or write all external connections on behalf of a signed-in user.
- Use the delegated permission to read and write external items on behalf of a signed-in user, that your app is authorized to.
- Use the delegated permission to read or write all external items on behalf of a signed-in user.
Identity and access | Governance
Use Privileged Identity Management (PIM) in production apps to manage, control, and monitor access to important resources in your organization. The access is enabled through privileged roles and role-based access control (RBAC) and can be granted to users, groups, or service principals. The resources can be in Azure AD, Azure, and other Microsoft cloud services such as Microsoft 365 or Microsoft Intune.
April 2022: New in preview only
Customer bookings
- Get availability information for staff member resources in a business.
- Use the application permission in read operations for business, staff member, service, customer, and appointment resources.
- Use the application permission for read/write operations for customer and appointment resources.
Device and app management | Cloud PC
- Specify Windows settings as part of Cloud PC organization settings for a tenant.
- Get the Cloud PC devices attributed to the signed-in user.
- Get information to launch a Cloud PC device for the signed-in user.
Identity and access | Directory management
Configure federation settings to federate domains with Azure Active Directory.
Identity and access | Governance
Get assignments for which the corresponding user has incompatible access packages.
Reports | Identity and access reports
Confirm an event is high-risk and compromised or is safe by marking the event in the corresponding Azure Active Directory sign-in logs.
Reports | Microsoft 365 usage reports
- Get a total distribution report for the count of specific Teams activities over a specified period. Counts of Teams activities include team chat messages, calls, meetings, audio duration, posting messages, and so on.
- Get additional activity types in reports that get user detail, get activity counts, and get activity total counts.
Share a channel with one or more teams:
- List only channels that are shared with a team.
- List all the channels in a team including those hosted in a team or shared with the team.
- List team members who can access a specified shared channel.
- Remove a channel shared with a team.
- List the teams with which a specified channel has been shared.
- Unshare a channel with a team.
March 2022: New and generally available
Use a bundle resource to share multiple files at once, much like other driveItem resources. You can apply CRUD operations on a bundle, and add an item to or remove an item from a bundle.
Identity and access | Directory management
Use a resource-specific permission to authorize a Teams app for direct access to the data of a specific instance of a chat or team. For example, the resource-specific permission ChannelMessage.Read.Group allows a Teams app to read the channel messages of a single team.
Identity and access | Governance
- Get approval decisions associated with a request for access package assignment.
- As part of Azure Active Directory (Azure AD) entitlement management, use an access package assignment policy to manage a request, approval, assignment, or regular review to an access package. You can govern internal and external users' access to groups, applications, and SharePoint Online sites of an organization.
Identity and access | Identity and sign-in
Specify the inclusion or exclusion of client applications as one of the set of conditions for applying a conditional access policy.
Use the toolkit
Celebrate real teamwork with community contributions and try new features in Microsoft Graph Toolkit v2.4.0:
- Optimize refreshing of people's images in the person component by using the attribute to control unnecessary fetching.
- Avoid unnecessary loading of people's images in the people picker component by using the attribute.
- Filter for available users, groups, and list of people in the people picker component by using the , and people-filters
March 2022: New in preview only
Cloud communications | Online meeting
Specify one or more meeting participants as co-organizer.
Compliance | eDiscovery
Purge data and permanently delete Microsoft Teams messages from an eDiscovery source collection.
Device and app management | Cloud PC
- Use delegated or application permissions of for the read operations of the unifiedRoleDefinition resource.
- Use delegated or application permissions of for the read and write operations of the unifiedRoleDefinition resource.
- Specify the ID and display name of an Azure subscription as part of the information for a source image for a device.
- Specify and configure Windows settings when creating Cloud PCs for a provisioning policy.
Device and app management | Corporate management
- Intune March updates for the beta version.
Device and app management | Multi-tenant management
List and get audit events for managed tenants in Microsoft 365 Lighthouse.
Identity and access | Directory management
- List or update settings that specify access from Microsoft applications to Microsoft 365 data belonging to users in an organization. For example, given the proper authorization, whether only Microsoft 365 apps (such as Word and Excel) can access users' Microsoft 365 data, or whether other Microsoft apps (such as Windows) can access the data as well. By default, all users in an organization can access in a Microsoft app any Microsoft 365 data that the user has been authorized to access.
- Following the Zero Trust cybersecurity model, Microsoft partners can use granular delegated admin privileges (GDAP) to carry out administrative tasks with least-privileged access to their customer tenants, to avoid potential security exposures. Instead of requesting Global Administrator role as in the past, partners request specific roles for customer tenant administration for a definite amount of time, and their customers must explicitly grant the least-privileged access to them.
Security | Attack simulation and training
- List simulation automations for a tenant.
- List runs of simulation automations for a tenant.
- Specify in a search request whether to trim away the duplicate SharePoint files from search results. The default is false.
- Qualify a search query string with a template, which supports KQL and query variables.
Sites and lists
- For a column that contains taxonomy data, specify the parent term and term set for which the child terms can be selected as column values.
- Get the settings for a site, including its language and time zone.
Tasks and plans
Identify if a Planner plan intended for experiences outside of Planner (such as Microsoft Teams) can track work in that context, by checking the details relationship of the corresponding plannerPlan resource.
- Get or set summary information about a team, including the count of owners, members, and guests.
- Sort messages in descending order when listing messages in a chat.
February 2022: New and generally available
Get details about an online meeting that is associated with a chat through the onlineMeetingInfo property.
February 2022: New in preview only
- Use a new policy option for application authentication methods to restrict a custom password secret on an application or service principal.
- Specify settings for apps running Windows and published in the Microsoft Store or Xbox games store.
Change notifications
Subscribe to changes of Outlook contacts, events, or messages to receive notifications that include resource data in the payload. For more information, see Change notifications for Outlook resources in Microsoft Graph.
Device and app management | Cloud PC
- Define restore point settings, which include the frequency to create a restore point, and whether users can restore their own Cloud PC based on a restore point backup.
- Restore a Cloud PC based on a previous snapshot.
- Restore multiple Cloud PCs in a single request by specifying their managed device IDs and a date/time range (e.g., before, after) of a restore point.
Identity and access | Directory management
Use application permissions CustomSecAttributeAssignment.Read.All to read custom security attribute definitions for an organization without a signed-in user.
Identity and access | Governance
- Configure settings for each stage in a multi-stage access review. In addition to getting or updating an access review stage, you can do the following:
- Stop reviewers from giving more input to a stage and proceed to the next stage if applicable.
- Filter and get all the stages on an access review instance for which the calling user is a reviewer.
- List decisions from a multi-stage access review.
- Apps can use application permission to create an access package resource request to add or remove a resource to an access package catalog.
Identity and access | Identity and sign-in
- Use a number of new properties to configure an organization's branding. For example, a banner version of a company logo for the sign-in page, a custom favicon with a CDN-based URL, and a few other custom properties for users to manage accounts.
- Include or exclude Linux as one of the platform conditions in a conditional access policy.
- Identify at-risk service principals in an organization with Azure AD, which continually detects and evaluates risks based on various signals and machine learning. You can confirm if an at-risk service principal is indeed compromised, upon which Microsoft would disable that service principal object. You can dismiss the risk of an at-risk service principal. And, you can list the risk history of a service principal.
- Use cross-tenant access settings to control and manage collaboration between users in your organization and other organizations. They are granular to let you determine the users, groups, and apps, both in your organization and in external organizations, that can participate in Azure AD B2B collaboration and Azure AD B2B direct connect.
- Enable or disable users and groups in an organization to use the Azure AD native Certificate-Based Authentication (CBA).
Set up acronym, bookmark, and QnA resources as administrative search answers for users in an organization.
January 2022: New and generally available
Devices and apps | Service health and communications
Get a service announcement attachment added to a service update message.
Identity and access | Governance
- Get a collection of access review reviewer resources that is used to define reviewers contacted for an instance of access reviews.
- Differentiate 3 types of resources whose access is represented through an access review decision:
- An access package assignment policy for which access is determined by an access review decision.
- An Azure resource role for which access is determined by an access review decision.
- A service principal whose access to a resource is determined by an access review decision.
Identity and access | Identity and sign-in
Enforce a session control (by setting the disableResilienceDefaults property) to determine whether Azure AD should extend existing sessions based on information collected prior to an outage.
Create a chat using application permissions.
January 2022: New in preview only
Compliance | eDiscovery
Get the URL of a custodian's OneDrive for Business site (siteWebUrl property of userSource).
Devices and apps | Cloud PC
- Get or update settings for an organization, which include the Windows operating system version to provision on Cloud PCs, and the user account type on provisioned Cloud PCs.
- Change the user account type on a specified Cloud PC.
Identity and access | Governance
- Reviewers of an access review can record decisions for which the current user is the reviewer.
- Configure the last sign-in date and time of a user as an insight to aid reviewers in making decisions for an access review schedule definition.
- Configure the last sign-in date and time of a user as an insight for a decision on a user or principal's access in an instance of an access review.
- The requestor of an access package can provide custom information as part of an access package resource that may be used to make approval decisions for the access package.
- A requestor can edit the answer to a question in an access package assignment policy.
Reports | Identity and access reports
- Get details of the authentication methods registered for a user, such as multi-factor authentication, self-service password reset, and passwordless authentication.
- Get the following properties for a sign-in event of a user or application in an organization:
- Any conditional access authentication context.
- Any conditional access session lifetime policy.
- The ID of an Azure resource accessed during sign-in.
- The identifier of an application's federated identity credential if that was used to sign in.
- The identifier of the service principal representing the target resource in the sign-in event.
Reports | Microsoft 365 usage reports
Get usage reports for Outlook, OneDrive, and SharePoint for Microsoft Cloud for US Government. See summary for cloud deployments.
Sites and lists
- Add or synchronize a content type from the content type hub to a site or list, by using the addCopyFromContentTypeHub action. This makes a content type or its update available to a specific site or list where it is needed. This is an improvement from the legacy sync infrastructure which pushes the content type to all sites across an organization, reducing wait times for the publishing to propagate.
- Get one or more rich, long-running operations occurring on a site or list, which can happen when adding a content type synchronously.
- Get a collection of content type resources from the content type hub that are compatible by using the getCompatibleHubContentTypes action.
- Let users choose LastModifiedDateTime or CreatedDateTime as the sorting order when listing messages in a chat.
- Specify user attribution (in the onBehalfOf property) when a bot sends a chat message on behalf of a user.
- Add the following types of members to a chat:
- Use the delegated permission to read tags and tag members in Teams, on behalf of the signed-in user.
December 2021: New and generally available
Cloud communications | Presence
Subscribe to notifications of changes in a specified user's presence status. Always specify an encryption certificate in the subscription request as these are rich notifications that include encrypted resource data.
Compliance | Subject rights requests
As part of privacy management in Microsoft 365, the subject rights requests API debuts in both v1 and beta endpoints of Microsoft Graph. The API lets users make requests to review or manage their personal data in their organizations. It also lets organizations automate and scale managing these requests, helping them to meet industry regulations more efficiently.
Customer booking
Use the API for Microsoft Bookings in production apps, and take advantage of the following new features and updates:
- Notify your customers in the US or Canada by SMS for an appointment or specific service associated with an appointment.
- Enable meeting online for a service and auto-generate a Microsoft Teams meeting link for the appointment.
- Allow one or more customers in a group appointment, setting a maximum attendee count for a service and for an appointment, and tracking the actual attendee count in an appointment.
- Create a custom question for a business, associate a question with an option to specify it as mandatory for a service, and track questions and answers in an appointment.
- Get or set the time zone for a customer in an appointment or staff member.
- Get or set the location and phone number for a customer.
- Access the v1 API from the new endpoint
. Note that the beta API remains in the
- Specify an assignment to be added to only students' calendars using the addToCalendarAction property.
- Reassign a submitted assignment to a student with feedback for review.
- List assignments for an educationUser.
Identity and access | Governance
Update the reviewers and fall-back reviewers for an instance of an access review.
- Identify a chat in Microsoft Teams by its web URL (via the webUrl property).
- Get details of an event that happened in a chat, channel or team by accessing eventMessageDetail from a chatMessage or chat. For example, members added to a channel or chat, and team description updated.
December 2021: New in preview only
Cloud communications | Online meetings
Enable registration for an online meeting using an external registration system.
Cloud communications | Presence
- Use the setUserPreferredPresence action to set the preferred availability and activity status for a user. The user's presence becomes the preferred presence.
- Use the clearUserPreferredPresence action to clear any preferred availability and activity status for a user.
- Use as delegated permission with setPresence, clearPresence, setUserPreferredPresence, or clearUserPreferredPresence.
- Use as application permission with setPresence, clearPresence, setUserPreferredPresence, or clearUserPreferredPresence.
Devices and apps | Cloud PC
- Administrators can enable Microsoft Managed Desktop by specifying settings in a Cloud PC provisioning policy and configuring a managed device experience for a Cloud PC.
- Reboot a Cloud PC.
- Rename to update the display name of a Cloud PC.
- Troubleshoot to check the health status of a Cloud PC and the session host.
- Track the last remote action result on a Cloud PC, including reboot, rename, reprovision, troubleshoot, by the lastRemoteActionResult property.
- Track the last login timestamp of a Cloud PC by the lastLoginResult property.
- Track the date that a Cloud PC device image becomes unavailable by the expirationDate property.
- Track the status of the operating system in a Cloud PC device image by the osStatus property.
- Create, update, and delete a unifiedRoleDefinition object for a Cloud PC RBAC provider.
- Track changes to educationClass and educationUser resources.
- Specify an assignment to be added to only students' calendars using the addToCalendarAction property.
External data connections
Use the update operation to update properties for items in a connection schema, including their aliases and labels.
Identity and access | Directory management
- Get the certification details of an application through the certification property. The property is set only when the application is certified through the Microsoft 365 App Compliance Program.
- Include or exclude certification as a condition in a permission grant policy, through the certifiedClientApplicationsOnly property of permissionGrantConditionSet.
- List all teams in an organization.
To-do tasks
- To anticipate being able to manage in a single place all the tasks from multiple sources (such as Outlook messages, Teams chats, OneDrive documents):
- Use the latest To Do API and access it from the new endpoint .
- Use the segment to get all the tasks for a user: .
- Differentiate between a built-in task list (such as Flagged Email or Tasks) and a user-defined task list. A built-in task list is represented by the wellKnownTaskList resource, and a user-defined task list is represented by the taskList resource.
- Differentiate the currently defined type of tasks, task, from a base type baseTask.
- Break down a more complex task into smaller, more actionable subtasks. Each subtask is represented by a checklistItem resource.
- Move a task across lists.
- Refer to this blog post for more details and migrate any existing apps that use the earlier To Do API to the latest To Do API.
November 2021: New and generally available
Get the state of a drive as of a specific time by specifying the corresponding URL-encoded timestamp. See an example.
Identity and access | Identity and sign-in
- Run campaigns and require users to register at sign-in time to set up targeted authentication methods.
- Configure an Apple identity provider in an Azure AD B2C tenant.
November 2021: New in preview only
Cloud communications | Online meeting
Automatically admit new types of participants in an online meeting and bypass the meeting lobby:
- Only people the organizer invites.
- Only the participants from the same company.
Devices and apps | Cloud PC
- Define a configuration of how a provisioned Cloud PC device can join Azure Active Directory (Azure AD): either cloud-only and join only to Azure AD, or hybrid and join on-premises Active Directory and Azure AD.
- Get the gallery image resource of the current organization which can be used to provision a Cloud PC.
Devices and apps | Device updates
- Use safeguard settings to opt out of safeguards against likely issues in a deployment.
- Support for a deployment state where a deployment is faulted due to the content no longer being deployable, for example, at the end of service.
Identity and access | Directory management
- Define and assign custom security attributes to Azure AD objects. Use these attributes to store information, categorize objects, or enforce fine-grained access control over specific Azure resources. Use these attributes with Azure attribute-based access control (Azure ABAC).
- Create a group within an administrative unit.
Reports | Microsoft 365 usage reports
Microsoft 365 usage reports in JSON output type are no longer strongly typed and are of the type Edm.Stream. For more information, see OData property changes to Microsoft 365 usage reports API in Microsoft Graph.
Mark a chat as read or unread for a user.
October 2021: New and generally available
Cloud communications | Calls
- Transfer an active peer-to-peer call.
- Transfer a group call to a specified participant (transferee).
Cloud communications | Online meetings
Support multiple toll and toll-free numbers for dial-in phone access (audio conferencing) of an online meeting.
Support a media file or some other external generic resource as an assignment resource.
Identity and access | Applications
- To drive the consent experience for an application, specify the resources that the app needs to access, including the set of OAuth 2.0 delegated permissions and application roles that the application requires.
- Limit the number of required APIs to 50, and required permissions to 400 per application.
Identity and access | Directory management
- Set extension attributes for a device and manage them in Azure Active Directory on device creation or update.
- Get a BitLocker recovery key on behalf of the signed-in user who's the device owner or in an appropriate role. Getting a recovery key generates an audit log, in parity with the end user experience.
Identity and access | Governance
Specify a list of additional users or group members to be notified of the access review progress, in the additionalNotificationRecipients property of an accessReviewScheduleDefinition.
Identity and access | Identity and sign-in
Specify the devices in a conditional access policy, as part of the conditions that govern when the policy applies.
Personal contacts
Enable support for delegated permissions (Contacts.Read or Contacts.ReadWrite) for profilePhoto resources in personal Microsoft accounts.
- Get all chat messages across all channels in a team.
- Get all messages from all the chats that a user participates in, including one-on-one chats, group chats, and meeting chats.
- Check out the licensing and payment models that apply to Microsoft Teams APIs in Microsoft Graph.
User licenses for Azure Active Directory (Azure AD) services now support a timestamp for when the state of the license assignment is last updated.
October 2021: New in preview only
Use federated identity credentials to manage an application's credentials and allow an organization's cloud applications to access Azure AD without using secrets and certificates.
Cloud communications | Calls
Identify a call participant, by using the participantId property of the participantInfo resource type.
Cloud communications | Online meetings
Enable meeting registration and organize online meetings as a webinar. Associate the meeting with a registration page, and choose to enroll everyone or only organization members as meeting registrants.
Customer booking
- Support the following attributes for a booking service:
- Enable sending SMS notifications to customers for their appointments (smsNotificationsEnabled property).
- The URL that customers can use to access the service (webUrl property).
- Book an appointment with one or more of the following attributes:
- Specify the customer's time zone (customerTimeZone property).
- Specify the URL for an online appointment (joinWebUrl property).
- Enable SMS notifications to the customer for the appointment (smsNotificationsEnabled property).
- Specify one or more addresses and phone numbers for a customer.
- Specify the time zone for a staff member.
Devices and apps | Cloud PC
List the Windows 365 service plans that an organization subscribes to for their Cloud PCs. Under each service plan type (business or enterprise), an organization can choose to subscribe from a range of plan configurations that vary by attributes like vCPU, RAM, and storage.
External data connections
- Specify settings for the search experience of content in an external connection. For example, a display template for search results, and a rule to select the display template.
- Relate one or more external groups to an external connection. For example, an external group such as a business unit or work team can determine permissions to the content in the data source represented by the external connection.
- Optionally specify the ID of a Teams app in an external connection in the connectorId property.
Identity and access | Directory management
Specify key credential configuration settings that can be configured to enable restrictions to an application or service principal.
Identity and access | Governance
Enable the following additional settings to review an access package assignment policy:
- Default behavior if request is not reviewed in a specified duration (accessReviewTimeoutBehavior property).
- Display recommendations to reviewer (isAccessRecommendationEnabled property).
- Require reviewer to provide justification for approval (isApprovalJustificationRequired property).
Identity and access | Identity and sign-in
- Specify whether continuous access evaluation policy settings should be or have been migrated to the conditional access policy.
- As a part of Azure Active Directory conditional access, use a new session control, continuousAccessEvaluationSessionControl, to continuously evaluate access and make access decisions.
Validate a password in real time against an organization's password validation policy, as a user types the password. Get detailed information from the validation against rules in the policy.
September 2021: New and generally available
Cloud communications | Calls
- Put a participant on hold and play music in the background, by using the startHoldMusic action.
- Reincorporate a participant previously put on hold to a call, by using the stopHoldMusic action.
Cloud communications | Online meetings
- Get the content stream of an attendee report of a Teams live event.
- Get or set the option to automatically record an online meeting.
- Use
as delegated or application permission to read artifacts of online meetings. For more information, see online meetings permissions.
Devices and apps | Cloud printing
Cloud printer status includes all the standard values in Internet Printing Protocol (IPP).
Devices and apps | Corporate management
Intune monthly updates for the v1.0 version. In the changelog, set the Date filter for September, 2021, and look for a section with this same heading.
- Get the details of any virus detected in a driveItem through a malware property.
- Use the delta function to track changes on not only the root folder but also other folders within a drive.
Identity and access | Directory management
Providers of role-based access control (RBAC) can manage roles in Azure Active Directory, by defining role actions that can be performed on specific resources, and assigning roles to users based on such role definitions, giving them the corresponding access to those resources.
Search | Query
- Aggregate numeric or string type search results that are imported by Microsoft Graph connectors and that are set to be refinable in the schema. See more information about refining search results using aggregations.
- Sort search results for OneDrive and SharePoint on any sortable property. For more information, see Use the Microsoft Search API to sort search results.
Use a single action provisionEmail to get the email address of a channel if one exists, or create one otherwise. Use the removeEmail action to remove the email address.
Workbooks and charts
Create table rows asynchronously. For better performance, a good practice to create multiple table rows is to batch them in one create tableRow operation and carry out the operation asynchronously. Follow with the GET workbookOperation operation and tableRowOperationResult function to get the new workbookTableRow resource.
September 2021: New in preview only
Applications that use Security Assertion Markup Language (SAML) single sign-on flows can specify a default redirect URI (defaultRedirectUri property of application), or identify a specific redirect URI where users are sent to sign in (redirectUriSettings property of webApplication).
Cloud communications | Online meetings
Get the total participant count in a meeting attendance report of an online meeting.
Compliance | eDiscovery
The create case operation always creates cases in large format. This expands the case size limit to accommodate a higher total data volume and total number of items. For details, see benefits of large cases.
Devices and apps | Cloud PC
- Reprovision a Cloud PC as a cloud-managed virtual desktop enrolled into Intune.
- Resize a Cloud PC by either upgrading or downgrading it to another configuration with a new virtual CPU (vCPU) and storage size.
- Set up, list, and run health checks on on-premises network connections to provision Cloud PCs.
Devices and apps | Corporate management
Intune monthly updates for the beta version. In the changelog, set the Date filter for September, 2021, and look for a section with this same heading.
- Allow teachers to reassign an assignment submission to the student with feedback for review.
- Support for adding assignments to only students' calendars if you use the Prefer: include-unknown-enum-members request header for operations on the educationAssignment or educationAssignmentDefaults resource.
Identity and access | Governance
Delete an accessPackageAssignmentRequest to remove a denied or completed request.
Identity and access | Identity and sign-in
- Allow users to perform multi-factor authentication using a software OATH token. A software OATH token is a software-based number generator that uses the OATH Time-Based One Time Password (TOTP) standard.
- Identify whether number matching is enabled or disabled for multi-factor authentication by policy in Azure AD, by using the numberMatchingRequiredState property of microsoftAuthenticatorAuthenticationMethodTarget.
- Identify whether to show a user additional context in their authenticator app notification, by using the displayAppInformationRequiredState property of microsoftAuthenticatorAuthenticationMethodTarget.
- Use B2C user flow and self-service sign-up user flow in favor of the earlier user flow API, which has been deprecated.
Security | Attack simulation and training
Debut of the API for attack simulation and training, which is a service available as part of Microsoft Defender for Office 365. The API enables tenant administrators to list launched simulation exercises and trainings, and get reports on derived insights into online behaviors of users in the phishing simulations.
August 2021: New and generally available
Cloud communications | Calls
A participant can include metadata as a blob of data in the roster for a call.
Cloud communications | Online meetings
- Create an online meeting as a live event, configuring broadcast settings and meeting participant info with the role of producer. See an example.
- Enable, disable, or limit duration of chat for an online meeting by using the allowMeetingChat property.
- Enable or disable reactions for an online meeting, by using the allowTeamworkReactions property.
- Allow an attendee to turn on their camera or microphones by using the allowAttendeeToEnableCamera or allowAttendeeToEnableMic property respectively.
Cloud communications | Presence
- Set the state of a user's presence which is an aggregated state on each Teams client (desktop, mobile, or web).
- Clear the presence session for a user.
Devices and apps | Corporate management
Intune monthly updates for the v1.0 version. Set the Date filter for August, 2021, and look for a section with this same heading.
Devices and apps | Service health and communications
GA of the service communications API in Microsoft Graph to access the health status and message center posts about Microsoft cloud services.
Identity and access | Governance
Get a collection of access review scopes that is used to define reviewers and fallback reviewers for an instance of access reviews.
Sites and lists | Taxonomy
Access the SharePoint term store taxonomy, the hierarchy that consists of group, set, and term resources, and relation resources between terms.
List chats that a user is part of, in a delegated context.
August 2021: New in preview only
Cloud communications | Calls
- Put a participant on hold and play music in the background, by using the startHoldMusic action.
- Reincorporate a participant previously put on hold to a call, by using the stopHoldMusic action.
Cloud communications | Online meetings
Set an online meeting to record automatically.
Devices and apps | Cloud PC
End the grace period for a Cloud PC. The grace period lets users access Cloud PCs up to seven days before deprovisioning occurs. Ending the grace period immediately deprovisions the Cloud PC without waiting the seven days.
Devices and apps | Corporate management
Intune monthly updates for the beta version. Set the Date filter for August, 2021, and look for a section with this same heading.
Identity and access | Governance
- Reprocess an access package assignment request to automatically retry a user's request for access to the package.
- Reprocess an access package assignment to automatically re-evaluate and enforce a user's assignments.
- Get a set of policy requirements to create an assignment request for an access package.
- Get a collection of access review reviewer resources that is used to define reviewers contacted for an instance of access reviews.
- Get or set the duration of inactivity that recommendations are configured from in the schedule settings of an access review, by using the recommendationLookBackDuration property.
Identity and access | Identity and sign-in
- Organizations can use policies to enforce best practices for apps using application authentication methods. Such policies can apply to specific applications and service principals, or to all applications and service principals in a tenant.
- Support for paging on the appRoleAssignments navigation property for users, groups, and service principals.
- Allow an Azure Active Directory (Azure AD) tenant to set up federation with another organization whose identity provider (IdP) supports either the SAML or WS-Fed protocol. This enables the Azure AD tenant to allow guest users to access its resources.
- Get information about an online meeting that is associated with a chat.
- Get the identifier of the tenant in which a chat is created.
Use the last interactive and non-interactive sign-in date/time values of users' signInActivity to manage inactive accounts.
July 2021: New and generally available
Cloud communications | Calls
Support for a capacity limit for the number of participants that an application can handle when answering a call, in organizations that adopt Teams policy-based recording.
Identity and access | Identity and sign-in
- GA of identity providers that share a common base type identityProviderBase:
- Built-in identity providers for Azure AD B2B scenarios in an Azure AD tenant. These providers can support Azure AD, Microsoft account (MSA), or email one-time passcodes.
- Social identity providers in an Azure AD B2C tenant to allow users to sign up and sign in for the service using a social media account, such as Microsoft, Google, Facebook, Amazon, LinkedIn, or Twitter.
- Deprecation of the earlier identity provider API.
Let a user change their own password without requiring an administrator role.
July 2021: New in preview only
Devices and apps | Cloud PC
An on-premises connection health check can identify a few more possible health check error types:
- Cloud PC computer account is not found in the organizational unit.
- Cloud PC object is not found in Azure AD.
- Timeout from checking if a cloud PC object has been synchronized to Azure AD.
See the reference for details and recommended remedial actions.
Devices and apps | Corporate management
Intune monthly updates for the beta version. Set the Date filter for July, 2021, and look for a section with this same heading.
Devices and apps | Multi-tenant management
Debut of the Microsoft 365 Lighthouse API that lets Managed Service Providers (MSPs) remotely manage multiple customer tenants at scale for compliance and threat detection, and help get tenant devices in a healthy and secure state.
Identity and access | Governance
Get a collection of errors in the lifecycle of an access review instance.
- Use the Microsoft Search API to retrieve information about the people who are most relevant to a user. Relevance is determined by the user's communication and collaboration patterns and business relationships.
- Access the connectors API in the microsoft.graph.externalConnectors sub-namespace.
- Subscribe to change notifications on the chat resource.
- Subscribe to change notifications of users in a chat, in a channel, or in a team (i.e., conversationMember resources).
- Get details of an event that happened in a chat, channel or team by accessing eventMessageDetail from a chatMessage or chat. For example, members added to a channel or chat, and team description updated.
June 2021: New and generally available
Get or set the status of an application or servicePrincipal to identify if Microsoft has disabled the application through the disabledByMicrosoftStatus property. Disabling reasons include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement.
Change notifications
Extended the maximum length of a subscription before expiring for the following resources:
- OneDrive driveItem and SharePoint list from 3 to 30 days.
- group, user, or other directory resources from 3 to 29 days.
Change tracking
Removed limitation for tracking changes in non-root folders in OneDrive for Business and SharePoint.
The APIs for the education assignments service are now generally available.
Identity and access | Governance
GA of the access review API. Check out the overview and tutorials to review access to security groups and access to Microsoft 365 groups. Note that the legacy access review API is being deprecated and will stop returning data in May 2023.
June 2021: New in preview only
Cloud communications | Online meetings
Customize audio and video control in an onlineMeeting by enabling or disabling attendees from turning on their cameras and microphones, through the allowAttendeeToEnableCamera and allowAttendeeToEnableMic respectively.
Devices and apps | Cloud PC
- Assign and manage cloudPcUserSetting to enable local admin or self-service option for a user on a cloud PC. Currently assignments can be made at a group level (users belonging to a Microsoft 365 group or security group).
- Get a few new properties of a cloudPC: the names of the provisioning policy and of the on-premises connection used during provisioning, and the end date/time of the grace period by which reprovisioning or deprovisioning happens.
- Support for more status and error types upon a health check on an on-premises connection.
- Teachers can now select the default behavior for a calendar when they publish assignments. Teachers can control the assignment calendar behavior by using the addToCalendarAction property of the educationAssignment resource.
- Teachers can now also set a default behavior for a calendar when they publish assignments. Teachers can control the assignment default calendar behavior by using the addToCalendarAction property of the educationAssignmentDefaults resource.
Allow a group to be assigned to an Azure AD role on creation by setting the isAssignableToRole property. If set, this property makes it convenient to manage roles for individuals - instead of having to assign a role to each individual person, eligible persons can join a group, and assigning the role to the group would by default assign the role to each new person joining the group.
Identity and access | Governance
Set users or group members to be notified of the progress of an access review, by using the additionalNotificationRecipients property of the schedule definition.
Identity and access | Identity and sign-in
Define a filter to dynamically include or exclude devices, using the deviceFilter property of conditionalAccessDevices.
Sites and lists
Create or get an existing sharingLink for a listItem by calling createLink.
- Get an opaque URL to a chat via the webUrl property.
- Subscribe to change notifications of a channel, conversationMember, or team resource.
- Use resource-specific consent permissions with the APIs for channel, chat, chatMessage, chatMessageHostedContent, or team.
- Get a list of resource-specific permissions grants for a team, that specifies that team's apps and the corresponding resource-specific permissions that they have been granted.
- Get a specific asynchronous operation, or list all the asynchronous operations that run on a chat.
- Specify a Teams app when creating a chat.
- Use a single action provisionEmail to get the email address of a channel if one exists, or create one otherwise. Use the removeEmail action to remove the email address.
Teamwork | Shifts
- Support for the offerShiftRequest, timeOff, timeOffReason, and timeOffRequest entities for synchronous change notifications.
- Support for managing time card resources and common functionality such as clock in, clock out, start break, end break, confirm, and replace.
May 2021: New and generally available
Devices and apps | Cloud printing
Find out when a printer last interacted with Universal Print, by using the lastSeenDateTime property of printer.
Identity and access | Identity and sign-in
Get or update the role of a guest user by using the guestUserRoleId property of authorizationPolicy.
- Create drafts and send Outlook messages in MIME format, attach S/MIME digital signatures, and encrypt message content in S/MIME.
- Create a mailFolder as a hidden folder by setting the isHidden property.
Microsoft Graph Toolkit
Try the following new features in the Microsoft Graph Toolkit 2.2:
Reports | Azure AD activity reports
GA of the reporting API to list actions performed by the Azure AD provisioning service and its associated properties. Aligned the prior beta version to the v1.0 version of the API.
May 2021: New in preview only
Connecting external content
- Be aware of implementation and operational limits when designing connectors.
- Try the connectors API with Postman.
Devices and apps | Cloud PC
Request the least privileged application permissions, CloudPC.Read.All or CloudPC.ReadWrite.All, to access methods of the following resources:
- Read and write operations, and reprovision method of cloudPC.
- Read and write operations, and getSourceImages method of cloudPcDeviceImage.
- Read and write operations, and updateAdDomainPassword method of cloudPcOnPremisesConnection.
- Read and write operations, and assign method of cloudPcProvisioningPolicy.
Devices and apps | Corporate management
Intune monthly updates for the beta version. Set the Date filter for June, 2021, and look for a section with this same heading.
- Set up a SharePoint resource folder to upload and store all file-based resources in the same location for an educationAssignment.
- Set up a SharePoint resource folder to upload and store all file-based resources, such as a Word or Excel file, in the same location for an educationSubmission.
Identity and access | Governance
- Get a collection of accessPackageAssignment resources by filtering on the signed-in user.
- Get a collection of accessPackageAssignmentRequest resources by filtering on the signed-in user.
Use SDKs
Try the preview version of Microsoft Graph .NET SDK v4, and take advantage of the following improvements:
- Use a single API to authenticate against Microsoft Graph and Azure .NET clients.
- New support for JSON serialization and deserialization.
- Easy access to response information.
- Better experience upgrading dependencies.
April 2021: New and generally available
Identity and access | Identity and sign-in
- Manage an authentication policy at a tenant level, to enable or disable self-service sign-up of external users.
- Administrators can associate user flows with apps that are shared with external users and enable self-service sign-up on those apps. They can customize a self-service sign-up user flow and create a personalized sign-up experience. Once an application is associated with the user flow, users who go to that application will be able to initiate a sign-up flow that provisions a guest account.
- Configuring user flow attributes in your Azure AD tenant allows you to collect information about a user during sign-up. You can collect a built-in set of attributes, or configure custom user flow attributes to collect information from a user that is not built in to the directory.
- In an Azure Active Directory user flow, you can manage language defaults and customize the language and strings displayed to users in the user flow.
- Use an API connector in user flows for Azure AD self-service sign-up and Azure AD B2C sign-up, to call an API at a specific step to affect the execution of the user flow.
- Identify the channel by the channelIdentity property, if a chatMessage is within a channel.
- Identify the chat by the chatId property, if the chatMessage is in a chat.
- Use the messages relationship to get all the chatMessage resources in a chat.
- Use application permissions to get the properties of a specified chat.
- Use application permissions to get a specified chat member or get all the chat members included in a chat. Because data for users as chat members is sensitive, in addition to obtaining application permissions, request additional access to these operations.
Use the Toolkit
New to the Microsoft Graph Toolkit? Try the new Toolkit learning path, use the Toolkit set of web components and authentication providers to connect a web app to Microsoft Graph, and load data from Microsoft 365.
April 2021: New in preview only
Cloud communications | Online meetings
- Get a report of each attendee's attendance in a scheduled online meeting, through the meetingAttendanceReport property of the onlineMeeting.
- Enable, disable, or limit duration of chat for an online meeting by using the allowMeetingChat property.
- Enable or disable reactions for an online meeting, by using the allowTeamworkReactions property.
Get, update, or reset to default the following settings for an eDiscovery case:
- Detection of duplicates, near-duplicate, and email threading, through the redundancyDetection property.
- Identifying themes which are prevalent ideas in documents of a review set, through the topicModeling property.
- Extracting text from image files by optical character recognition (OCR), through the ocr property.
These settings provide analytics functionality that culls data intelligently in the end-to-end workflow of Advanced eDiscovery.
Devices and apps | Device updates
Debut of APIs for the Windows Update for Business deployment service. The service supports deploying Windows 10 feature updates and expediting Windows 10 security updates on devices. To learn more, start with the Windows updates API overview.
- Associate a folder with an educationAssignment to store all the related file resources, through the resourcesFolderUrl property.
- Deep link into an educationAssignment through the webUrl property.
Identity and access | Governance
Administrators can get or update policies at the directory-level to review access, by using the accessReviewPolicy resource. For example, administrators can use an access review policy to enable or disable group owners reviewing access on groups that they own.
Enable spelling suggestions or corrections for a user query. This is useful when a user query contains typing errors, or when the errors render no search results.
- Use resource-specific permission grant to list the apps with access to a specified group or chat.
- Get the properties of an icon associated with a Teams app. To get the actual image of the icon, use get hosted content.
Use SDKs
- Try the preview release of the Microsoft Graph JavaScript client library, version 3.0.0. This release enables multiple authentication flows, server-side authentication, Node.js Stream large file upload and progress tracking, and more. See the upgrade guide for details.
- Try a new learning path to explore Microsoft Graph scenarios for JavaScript development.
March 2021: New and generally available
- GA of the applicationTemplate resource which supports listing applications in the Azure AD application gallery, and adding an instance of such an application to a directory.
- Use app-only permission
when adding such an instance.
- Use the signInAudience property of servicePrincipal to get the user accounts supported by the current application.
Devices and apps | Cloud printing
- GA of the cloud printing API for Universal Print! See the announcement, and check out how to get started with Universal Print.
- Subscribe to change notifications on a print task definition or printer resource.
Identity and access | Governance
- Use Azure Active Directory (Azure AD) consent requests to manage the request workflow for users attempting to access apps that require admin approval. The API makes use of the following resources:
- The adminConsentRequestPolicy resource for creating and managing requests for app access for the organization.
- The appConsentRequest resource for aggregating and managing user requests to access a specific app.
- The userConsentRequest resource for users requesting access to an app which requires admin authorization.
- The accessReviewReviewerScope resource defines who is specified in the adminConsentRequestPolicy to review appConsentRequest and userConsentRequest objects.
- The approval resource represents an approval decision for a request.
- GA of the Terms of Use API which supports a tenant's customizable Terms of Use agreement in Azure AD.
Identity and access | Identity and sign-in
- GA of authentication methods including FIDO2 security keys, Microsoft Authenticator app, and Windows Hello for Business.
- GA of authentication method policies that define authentication methods and the users that are allowed to use them to sign in and perform multi-factor authentication (MFA) in Azure AD. Authentication methods policies that can be managed in Microsoft Graph include FIDO2 security keys, Passwordless Phone Sign-in with Microsoft Authenticator app, and tenant's email OTP authentication methods policy.
- GA of feature rollout policy that helps tenant administrators to pilot features to specific groups before enabling them for the entire organization.
- GA of the organization branding properties which enables a custom look and feel of Azure Active Directory sign-in screens. Organizations can customize based on locale for specific users.
Tasks and plans
- Use the delegated permission of
to read operations of all Planner resources.
- Use the delegated permission of
to read and write operations of all Planner resources.
- GA of chat operations, chat conversationMember, chat app, chat tab, and their methods.
- GA of a few more properties of teamsAppDefinition, which represent details of a version of an app in the Microsoft Teams app catalog, including the following:
- createdBy, description, shortDescription, lastModifiedDateTime
- publishingState which can be one of
and under review, published, or rejected by the admin
- bot relationship of the teamworkBot type, representing the details of the bot specified in the teams app manifest.
- Use the activity feed notifications API to better engage users in three contexts:
- Migrate users' message history and data from an external system into a Teams channel, allowing users to continue their communications seamlessly. Use the following methods that support the migration scenario:
- List or get rich content hosted in a chatMessage, such as images or code snippets.
- Delegated permissions support of
for subscribing change notifications on chatMessage resources.
March 2021: New in preview only
Create and add self-signed certificates to your SAML applications. Use this to help enable single sign-on for Azure AD gallery apps in your tenant by allowing Azure AD to sign SAML responses.
Devices and apps | Cloud PC
Added to the cloudPcDeviceImage resource two more reasons for failure to upload a device source image: operating system not supported (osVersionNotSupported), or an invalid source image to provision a Windows VM (sourceImageInvalid).
Devices and apps | Cloud printing
Get the most recent date/time (lastSeenDateTime property) when a printer interacted with Universal Print.
Devices and apps | Corporate management
Intune March updates for the beta version.
Identity and access | Governance
Apply the new model of access reviews to group memberships and all other supported resource types. Deprecate the legacy model of access reviews.
Sites and lists
- Support a specific content type or template for documents or document sets in specific site collections, through a set of new properties and methods on the contentType entity. The methods include the following:
- Customize content types by their columns. Columns are represented by the columnDefinition entity, and support the full set of CRUD operations.
- Get content types of a site that can be applied to a list.
- Differentiate column types by the following properties in the columnDefinition entity: Boolean, calculated, choice, currency, dateTime, lookup, number, personOrGroup, text. These properties are mutually exclusive.
Sites and lists | Taxonomy
- Navigate from a site to a taxonomy term store using the termStore relationship.
- In the reverse direction, get the ID of the parent site of a term store using the parentSiteId property.
- Get or update a user's preferences for translating languages. For example, whether or not to translate, translate automatically, or prompt before translating specific languages in messages, chats, and web pages, and any translation overrides.
February 2021: New and generally available
Cloud communications | Online meeting
Use policy-based application permissions of OnlineMeetings.Read.All or OnlineMeetings.ReadWrite.All on operations and methods of the onlineMeeting resource. This means administrators can configure application access policy to allow apps to access online meetings on behalf of a user.
Sites and lists
Use the permission resource and its CRUD operations to manage sharing permission granted for a driveItem. Permissions with a link facet represent sharing links created on the item. Permissions with an invitation facet represent permissions added by inviting specific users or groups to have access to the file.
February 2021: New in preview only
Use application permissions for the synchronization APIs that automate provisioning (creation, maintenance) and de-provisioning (removal) of identities in Azure AD.
Cloud communications | Calls
Support for policy-based recording for calls where, using administrative policy, calls are automatically recorded for subsequent processing and retention as required by relevant corporate or regulatory policy. Before a policy-based participant joins a call, policy stipulates sending a participantJoiningNotification to the bot associated with the policy that has available capacity to handle the new participant. The bot responds with one of acceptJoinResponse, rejectJoinResponse, or inviteNewBotResponse in its response payload.
Compliance | eDiscovery
- Use the legalHold resource and its APIs to protect content indefinitely from deletion, for the purpose of litigation, internal investigation, or other legal actions.
- Use the sourceCollection resource and its APIs to search for and identify relevant documents from custodial and non-custodial locations in Microsoft 365.
- Use the tag resource and APIs to mark documents during review to separate responsive and non-responsive content.
- Export documents from a review set.
- Use the addToReviewSet action to add documents in a sourceCollection to a reviewSet.
- Apply tags to documents based on a review set query.
- Defined all eDiscovery API in the
namespace.
- Changed delegated permissions model from
Devices and apps | Corporate management
- Intune February updates for the beta version.
- New properties set by Intune on the device resource: deviceCategory, deviceOwnership, domainName, enrollmentProfileName, enrollmentType, isRooted, managementType, and registrationDateTime.
Use educationAssignmentDefaults to specify default practices on an assignment for a class, for example, assignment due time, channel URL for notifications on an assignment. You can still customize values when creating an assignment.
Identity and access | Identity and sign-in
- Use the smsAuthenticationMethodConfiguration resource to get, update, or delete the configuration settings of a text message authentication policy in an organization.
- Use the temporaryAccessPassAuthenticationMethodConfiguration resource to get, update, and delete the configuration settings of a temporary access pass authentication policy in an organization.
Identity and access | Governance
- Assign geolocation information to an access package resource in the access package assignment request.
- Get a list of all access package resource environments that represent the geolocations that store SharePoint Online resources.
- Use application permissions (
) for operations of the following resources:
Reports | Microsoft 365 usage reports
Get more properties included in detail reports for SharePoint site usage: anonymousLinkCount, companyLinkCount, externalSharing, geolocation, secureLinkForGuestCount, secureLinkForMemberCount, siteSensitivityLabelId, and unmanagedDevicePolicy.
Tasks and plans
- Define up to 25 categories in a plan details object for a plan. For each category, specify a descriptive label and associate tasks in a plan with one or more of these categories.
- Use a roster to represent a collection of users collaborating on a plan. Use the rosterPlans relationship to get the rosters of which the user is a member.
- For plans that are surfaced in experiences outside of Planner, such as Microsoft Teams, specify in the plan context details how to display the link to the plan context.
Use SDKs
Try the preview release of the Microsoft Graph Java SDK v3! For more information, see the related blog post.
January 2021: New in preview only
Cloud communications
- Organize a live event as an onlineMeeting - see an example.
- Get the content stream of an attendee report, recording, or alternative recording of the live event.
- Get the presence status of a user who is out-of-office, and any message set for that status.
Devices and apps | Cloud PC
- Update an Active Directory domain password for a successful on-premises network connection.
- Running health checks on an on-premises network connection can now expose 5 additional error types in the on-premises connection health check resource. For more information on the error types, see the changelog for January 2021.
Devices and apps | Cloud printing
- Subscribe to change notifications of cloud printing - when a print job is started, and when the print job is ready to be downloaded by a printer.
- Get a fuller range of possible values for the status of a printer.
- Use delegated permissions in apps on behalf of the signed-in user:
- to read basic information about printer shares, excluding access control information.
- PrintConnector.Read.All to read print connectors.
- PrintConnector.ReadWrite.All to read or write print connectors.
- PrintJob.Create to create print jobs and upload content to print jobs.
- PrintSettings.Read.All to read tenant-wide print settings.
- PrintSettings.ReadWrite.All to read or write tenant-wide print settings.
- Reports.Read.All to read print usage summary per specified user or per printer.
Use class-level assignment settings to enable or disable animation to celebrate turning in an assignment.
Get the processing status of a rule-based dynamic group by using the membershipRuleProcessingStatus property. This is useful when an attribute of a user changes and the user's membership in a rule-based Microsoft 365 group is re-evaluated based on the group membership rules set for the organization.
Identity and access | Directory management
Get the usage right that a user or device has over third-party software built on Power Apps, or the usage right of a device over a subscription. Usage right includes identifiers for the corresponding service or product, and the current state of the usage right such as active, inactive, in warning, or suspended.
Identity and access | Identity and sign-in
- Apps can use application permissions to let administrators manage authentication methods for users.
- Support Microsoft Authenticator as an authentication method of a user to sign in or perform multi-factor authentication to Azure AD.
- Use Microsoft Authenticator policy to define configuration settings and users or groups that are enabled to use Microsoft Authenticator as an authentication method. Use Microsoft Authenticator policy in place of Microsoft Authenticator passwordless phone sign-in policy which is deprecated.
- Support Windows Hello for Business as an authentication method of a user to sign in on Windows devices without using a password.
Reports | Identity and access reports
- Get a report of the number of users who are registered, or who are capable of various registration features, including multi-factor authentication, self-service password reset, or passwordless authentication.
- Get a report of the number of users registered for each authentication method, including password, Windows Hello for Business, or passwordless phone sign-in.
December 2020: New and generally available
- Meeting organizers can use the hideAttendees property of an event to control whether attendees can see one another in the meeting Tracking list.
- GA of the isDraft property and cancel method that are available to organizers, and the forward method available to organizers and attendees to better manage event resources in a calendar.
- GA of the hexColor and isDefault properties of a calendar to better manage calendars.
Cloud communications
GA of the presence resource, allowing getting presence information of one or more users, such as their availability and user activity.
Identity and access | Identity and sign-in
Try a new tutorial to learn how to use the identity protection API to identify risk and configure a workflow to confirm compromise or enable remediation.
- GA of the API to manage the installation of a Teams app, including getting installed apps, or adding, removing, or upgrading of the app in a team or in the personal scope of a user.
- Get a chat between a user and a Teams app.
Use the Toolkit
GA of Microsoft Graph Toolkit 2.0 - this release includes a new component for Microsoft Graph To-Do tasks, distinct from the Planner tasks component, and an enhanced person card component. See the related blog post for more information.
December 2020: New in preview only
Compliance | eDiscovery
Continuing to fulfill the pipeline of Microsoft 365 compliance APIs are the custodian resource and its related operations and methods to release or activate a custodian. Use the custodian resource to access the custodian's data (userSource) in an Exchange Online mailbox and OneDrive for Business, SharePoint sites (siteSource), and Microsoft 365 groups (unifiedGroupSource).
Devices and apps | Cloud PC
Identify the failure status of a cloud-managed virtual desktop collectively as failed, in the status property of the cloudPC resource.
Devices and apps | Cloud printing
- Update the configuration of a print job.
- For details on the renaming of a few properties and retyping of relationships, see the December 2020 section of the API changelog.
- If students are added after publishing the assignment, teachers can control the assignment behavior by using the addedStudentAction property of the educationAssignment resource.
- Teachers can post assignment publish notification through the notificationChannelUrl property of the educationAssignment resource.
Identity and access
Get or set the version and creation metadata for an Azure AD terms of use agreement, agreement file, and agreementfilelocalization.
Identity and access | Governance
As part of Azure Active Directory entitlement management, when users wishing to access groups, applications, or SharePoint Online sites request an assignment to an access package, they can now respond to questions represented in localized content in the access package assignment request.
Identity and access | Identity and sign-in
- Administrators can associate user flows with apps that are shared with external users and enable self-service sign-up on those apps. They can customize a self-service sign-up user flow and create a personalized sign-up experience. Specifically, they create a listener for a sign-up-start event to invoke a custom user flow. Once an application is associated with the user flow, users who go to that application will be able to initiate a sign-up flow that provisions a guest account.
- In an Azure Active Directory user flow or Azure Active Directory B2C tenant user flow, you can manage language defaults and customize the language and strings displayed to users in the user flow.
- Use an API connector in user flows for Azure AD self-service sign-up and Azure AD B2C sign-up, to call an API at a specific step to affect the execution of the user flow.
- Define an email OTP authentication methods policy for a tenant.
- For a member resource in a team, channel, or a chat context, you can now:
- Differentiate a member who is an Azure AD user, noting the user ID, email address, and Azure AD tenant ID.
- Add multiple users as members of a team.
- For a chat resource:
- Get all the messages in chats that the specified user has participated in, including one-on-one chats, group chats, and meeting chats.
- Use the full range of functionality to list, get, add, remove, and update an app or a tab in a chat.
- Use the chatType property to distinguish a one-on-one chat from a group chat or from a chat associated with an online meeting.
- Create or update a chat.
- For a member in a chat context, use the visibleHistoryStartDateTime property to set or get a timestamp that represents how far back a conversation's history is shared with that member.
- Add a member to or delete a member from a specified chat.
- For a channel resource:
- Get all the messages across all the channels in a team.
- Team owners can turn on moderation for a channel to control who can start new posts or reply to posts in that channel, using the moderationSettings property of the channel.
- As part of a Teams app definition, use the bot relationship to connect to a teamwork bot.
To-do tasks
Subscribe to change notifications of a To Do task.
November 2020: New and generally available
Cloud communications
- GA of the role property of the meetingParticipantInfo type, that distinguishes the role of a participant in an online meeting as an attendee or presenter.
- GA of the lobbyBypassSettings property and its values to admit users to an online meeting.
- GA of the isEntryExitAnnounced property to customize settings for announcing callers joining or leaving an online meeting.
- GA of the allowedPresenters property to allow specific presenters in the meeting.
- GA of the Microsoft Search query API, supporting scoped searching of the following types of data:
- GA of resource-specific consent (RSC) permissions. RSC permissions allow team owners to grant granular consent to a production app to access and/or modify specific data of a team, for example, reading the team's settings, or modifying channel names, descriptions, and other settings.
- GA of APIs that apply to a channel or messages within a channel. The APIs include:
- Create or delete a conversation member from a channel.
- Update the role of a member in a channel.
- Get a specific message or all messages in a channel.
- Get a specific reply or all replies in a channel.
- Track new or updated messages in a channel.
November 2020: New in preview only
Devices and apps | Cloud PC
Debut of the cloud PC API that lets organizations provision and manage virtual desktops for employees. Use it in conjunction with the Intune API to manage physical and virtual endpoints.
Devices and apps | Cloud printing
Subscribe to change notifications on a print task definition.
Devices and apps | Corporate management
Intune November updates for the beta version.
Identity and access
- Specify URLs for sending sign-in user tokens, and URIs for authorization codes and access tokens, in the spa property of application.
- Customize the look and feel of Azure Active Directory sign-in screens through the organization branding properties. Organizations can customize based on locale for specific users.
Identity and access | Governance
Debut of access review API for group membership to review user access regularly, make sure only the right people have continued access, and efficiently manage group memberships.
You can aggregate numeric or string type search results that are imported by Microsoft Graph connectors and that are set to be refinable in the schema. See more information about refining search results using aggregations.
October 2020: New and generally available
- Allow email as an alternate login ID to Azure AD, using a Home Realm Discovery policy. A Home Realm Discovery policy determines, after a user provides a sign-in ID, whether to prompt the user to authenticate. In this case, setting the AlternateIdLogin property of a homeRealmDiscoveryPolicy resource can enable a user to sign in with an email address.
- Get the verified publisher information for an application or servicePrincipal, and set or remove verified publisher information for an application.
Change notifications
Production apps can now subscribe to lifecycle notifications of Outlook message, event, and contact, and Teams chatMessage, in order to reduce missing subscriptions and change notifications.
Identity and access
- GA of advanced OData system query options (
, and $filter
) on directory objects.
- Check out examples that show OData cast on directory objects.
- See the Identity and access section of the October updates in the changelog for the lists of enhanced APIs.
- GA of the full set of CRUD operations for conversationMember and aadUserConversationMember. These resources represent a member in a chat or channel conversation, who may or may not be a user in Azure AD.
- GA of lifecycle notifications for Teams chatMessage resources, to reduce missing subscriptions and change notifications.
To-do tasks
GA of the Microsoft To Do API - use the to-do API in a production app to create and manage tasks that are part of a user's workflow, such as creating a task off an email.
Get new properties applicable to a user who is a corporate employee: hire date, organizational association such as division and cost center, and employee type such as consultant, contractor, or vendor. These properties require specifying the $select OData query parameter in the GET operation.
October 2020: New in preview only
Cloud communications | Online meeting
- Distinguish the role of a participant in an online meeting as an attendee or presenter, by using the role property of the meetingParticipantInfo type.
- Get an onlineMeeting by filtering on the joinWebUrl property of the meeting.
Devices and apps | Cloud printing
- Deprecate the uploadData action in favor of creating an upload session to upload a document to a printer or printer share.
- Deprecate the configuration property on printDocument in favor of a similar configuration property on printJob.
- Get the source or destination job URL for a printJob that is being redirected, by using the redirectedFrom or redirectedTo property.
- Get the current status of a printJob by using the state property and new details property.
- Get the collection of printer shares associated with a printer by using the shares relationship.
- Deprecate the processingStateReasons property of printer in favor of the status property. The status property is of the type printer status and exposes a details property. Use the details property to identify the reason for a printer to be in the current state.
- Deprecate the feedDirections property on printerCapabilities in favor of the feedOrientations property, to get feed orientations supported by a printer.
- See the cloud printing section of the October updates in the changelog for the renaming of a few APIs and properties, and a few other deprecations.
Devices and apps | Corporate management
Intune October updates for the beta version.
Revoke access to a listItem or driveItem granted via a sharing link.
Identity and access | Identity and sign-in
- Manage authentication method policies to identify users who can use specific multi-factor authentication methods to sign into Azure Active Directory. Configure policies to define the following:
- The types of FIDO2 security keys that can be used in the Azure AD tenant.
- The users or groups of users who are allowed to use FIDO2 Security Keys or Passwordless Phone Sign-in to sign in to Azure AD.
- Configure an email authentication method for users to self-serve password resets.
- Use Azure AD B2C and choose a mechanism to configure and let end users authenticate via local accounts.
- Use
to read or write an organization's authentication method policies, as a delegated permission on behalf of a signed-in user, or as an application permission without a signed-in user present.
- Specify in an authorization policy whether external users can be invited to an organization, and who can invite them.
People and workplace intelligence | Insights
Administrators can see examples of using PowerShell cmdlets to customize item insight settings for an organization.
- Use the instance attribute channelCreationMode to indicate that a channel is being created to serve migration of data. Use the completeMigration to indicate migration is over, such that members can post and read messages.
- Use the instance attribute teamCreationMode to indicate that a team is being created to serve migration. Use the completeMigration to indicate migration is over, such that member operations can happen, and members can post messages.
September 2020: New and generally available
GA of the transactionId property of the event resource, which is optionally set by a client app to avoid redundant POST operations in case of client retries to create the same event. This is useful when low network connectivity causes the client to time out before receiving a response from the server for the client's prior create-event request.
Cloud communications
Delete a participant from a call. You can use this operation even in situations where it's necessary to delete a participant from an active call.
Devices and apps | Corporate management
Intune September updates for the v1.0 version.
Identity and access | Directory management
GA of the administrative units API that allows organizations to subdivide their Azure Active Directory, and to manage and delegate administrative duties to these subdivisions. These subdivisions can represent regions, departments, cost centers, and so on.
Get a report that includes the count of unique users for Outlook 2019 and for Outlook on Microsoft 365.
- Get the lastEditedDateTime property to find out when a sender last edited a chat message.
- Get the lastModifiedDateTime property to find out when a sender creates a chat message or when anyone modifies it in other ways, including adding or removing a reaction.
- Get notifications on changes in chat messages.
- Update the policyViolation property of a chatMessage within a channel or chat, enabling data loss prevention (DLP) apps to monitor chat message policy violation to prevent messages from containing data that users are not supposed to send.
Use the SDKs
GA of the Microsoft Graph PowerShell SDK which enables access to the entire surface of Microsoft Graph in a straightforward and consistent way.
Use the Toolkit
Try the new step-by-step getting-started tutorials for Microsoft Graph Toolkit and experience the convenience the toolkit brings:
- Build a web application in JavaScript
- Build a SharePoint web part
- Build a Microsoft Teams tab
- Use the toolkit with React
- Use the toolkit with Angular
Aside from getting the SMTP address of a user through the mail property, you can now set that property and update the user's email address.
September 2020: New in preview only
Create, list, or delete classifications of delegated permissions that a service principal exposes. Use delegated permission classifications in combination with user consent settings to set limits on when end-users are allowed to grant consent to apps.
Cloud communications
- Deprecation of the autoAdmittedUsers property of onlineMeeting. Instead, use the new lobbyBypassSettings property and its values.
- Use additional settings about announcing callers joining or leaving an online meeting (isEntryExitAnnounced property), and allowing specific presenters in the meeting (allowedPresenters property).
Devices and apps | Cloud printing
- Get the documents for each of the print jobs associated with a printer, by applying an
OData system query option.
- Filter print jobs by the user who created them, by applying a
OData system query option.
Devices and apps | Corporate management
Intune September updates for the beta version.
Identity and access | Directory management
- Get a BitLocker recovery key on behalf of the signed-in user who's the device owner or in an appropriate role. Getting a recovery key generates an audit log, in parity with the end user experience.
- Get the total and used amount of the directory quota of an organization, through the directorySizeQuota property.
Identity and access | Governance
Include a schedule when requesting or removing an assignment of a user to an access package that specifies access to groups, applications, or SharePoint sites.
Identity and access | Identity and sign-in
Organizations can get or update a continuous access evaluation policy to manage authentication sessions in real time.
Use additional capabilities in the Microsoft Search API for OneDrive, SharePoint, Microsoft Graph connectors:
- Get additional types of content from OneDrive and SharePoint: drive, list, listItem, and site.
- Scope properties in search results to selected properties.
- Get custom properties on listItem resources.
- Sort search results for OneDrive and SharePoint on any sortable property.
- Refine results using aggregations for OneDrive and SharePoint.
Query external data ingested by Microsoft Graph connectors across more than one connection.
Take advantage of enhanced content for Microsoft Graph connectors to learn about:
Track the state of a Microsoft Graph connection.
Define an external group to set permissions on external item objects added to a Microsoft Graph connection. External groups can represent non-Azure Active Directory groups or group-like constructs, such as business units, that determine permissions over the content in the external data source.
August 2020: New and generally available
Change notifications
Track changes of supported resources in the Microsoft Graph for US Government national cloud.
Cloud communications
- Cancel any Interactive Voice Response (IVR) actions that are in process or in queue, that are either playing an audio prompt or recording a response.
- Get call transcription information through the transcription property.
- Use an alternative way to create a team directly without first creating a group.
- Use the members navigation property to add members to a team with increased reliability and lower latency.
- Get the publishing status of a Microsoft Teams app through the publishingState property of the app definition. The possible status values are
, and rejected
. See an example.
- Use the
delegated permission to allow a user to submit an app and request administrator review. Use the same permission for a user to cancel an app submitted in the past that has not been published.
August 2020: New in preview only
Support password-based single-sign-on in service principal application resources and specify such settings in the passwordSingleSignOnSettings property. For information about password-based single sign-on in Azure AD, see configure password-based single-sign-on.
Enhance programmatic support for scenarios involving a recurring event:
- Reliably identify any occurrence in a recurring series, including a modified or cancelled occurrence, by using the occurrenceId property.
- Get any exceptions in a recurring series by using the exceptionOccurrences property.
- Get any cancellations in a series using the cancelledOccurrences property.
Change notifications
- Use the includeResourceData property of a subscription, to set up change notifications that include resource data. Do not use the includeProperties property.
- Get change notifications delivered via Event Hub.
Devices and apps | Cloud printing
- Grant all users and groups access to a printer share by using the allowAllUser property.
- Use new delegated and application permissions to access or manage a print document, print job, printer, printer share, or print task definition. For details, see cloud printing August updates.
Devices and apps | Corporate management
Intune August updates in beta.
Identity and access | Governance
- Customize a terms of use agreement to support an agreement expiration date and cadence, require the user to accept the agreement per device, or to re-accept the agreement on a set frequency.
- Use the file property to navigate to a custom agreement for terms of use. Do not use the files property.
- Add, remove, and list internal or external sponsors who can approve requests from a connected organization to access a group, application, or SharePoint Online site. See entitlement management for more information.
Identity and access | Identity and sign-in
- Enable further customizing an authorization policy for a tenant, such as allowing the default user role to create applications or security groups or to read other users, allowing users to sign up for email-based subscriptions or to join the tenant by email validation, or letting users self-serve password resets.
- Manage predefined, configurable policies as user flows within an Azure Active Directory B2C tenant. See more information about B2C user flows.
- Enable self-service sign-up experience as B2X user flows in an Azure Active Directory tenant. See more information about self-service sign-up.
People and workplace intelligence | Profile
Add and manage the following additional properties in a user's profile, which can be surfaced in shared people experiences across Microsoft 365 and third-party apps:
Reports | Microsoft 365 usage reports
Get reports on Microsoft 365 apps usage, specifically on user detail, user counts, and platform user counts.
Get content hosted in a chat message, such as images or code snippets. See an example to get the content bytes of an image.
To-do tasks
- Debut of a new set of APIs for Microsoft To Do, allowing app users to organize and track personal tasks across Microsoft 365 client apps. See Use the Microsoft To Do API for more information.
- Deprecation of the Outlook tasks API.
July 2020: New and generally available
GA of the feature that allows organizers to allow alternate meeting time proposals, and invitees to propose new times for a meeting when they tentatively accept or decline an event.
Change notifications
Removed the erroneously introduced sequenceNumber property from the changeNotification resource.
GA of the following properties for the group entity: assignedLabels, expirationDateTime, membershipRule, membershipRuleProcessingState, preferredLanguage, and theme.
Identity and access
- Remove a user as a registered owner or user of a device.
- Track changes to newly created, updated, or deleted local representation of applications (represented by servicePrincipals resources) and delegated permissions grants (represented by oAuth2PermissionGrant resources) without performing a full read of the entire resource collection.
- GA of the policy to enforce security defaults that protect organizations against common attacks.
Identity and access | Identity and sign-in
- GA of conditional access policies that are custom rules that define an access scenario.
- GA of named locations representing custom rules that define network locations used in a conditional access policy.
Schema extensions
The schema extensions feature is now generally available in Microsoft Cloud for US Government.
Use the delegated permissions of TeamsAppInstallation.ReadForTeam or TeamsAppInstallation.ReadWriteForTeam, or application permissions of TeamsAppInstallation.ReadForTeam.All or TeamsAppInstallation.ReadWriteForTeam.All to list apps that are installed in a team.
July 2020: New in preview only
Cloud communications
- Use the update operation to update the startDateTime, endDateTime, participants, or subject property of an online meeting.
- Subscribe to notifications on changes to the availability of a user on Microsoft Teams, as represented by the presence resource.
Cloud communications | Call records
Compliance | eDiscovery
Debut of eDiscovery cases that can contain custodians, holds, collections, review sets, and exports that can be used as evidence in legal cases. Apps can now query and cull review set data collected for use in a litigation, investigation, or regulatory request. This debut is part of Microsoft 365 Advanced eDiscovery.
Devices and apps | Cloud printing
- Use the application permission and Internet Printing Protocol (IPP) encoding to update a printer.
- Use one of the application permissions, , or PrintJob.ReadWrite.All, to get a print job or list print jobs for a printer.
- When getting a print job, use to get print tasks that are executing or have executed against the job. Print tasks, task definitions, and task triggers are used in pull printing.
- Redirect a print job to a different printer, as part of pull printing.
Devices and apps | Corporate management
Intune July updates in beta.
Use the isAssignableToRole property of a Microsoft 365 group and set it during group creation to indicate whether the group can be assigned to an Azure AD role. This helps manage role assignments in Azure AD, such that instead of assigning individual users an Azure AD role, a privileged role admin or global admin can create a Microsoft 365 group and assign the group that role, so that when users join the group, they are assigned the intended role indirectly.
Identity and access
- Acquire an access token to authorize the Azure AD provisioning service to provision users into an application.
- Get or update entitlement management settings that control access to groups, applications, and SharePoint Online sites for users internal and external to your organization.
Identity and access | Identity and sign-in
- Include user risk levels ( ) as a consideration for applying a conditional access policy.
- Use password change as a grant control in order to pass a conditional access policy.
- Use an OpenID Connect (OIDC) provider as an identity provider in an Azure AD tenant and an Azure AD B2C tenant. Its claimsMapping property allows Azure AD to map the claims from an OIDC provider to the claims that Azure AD recognizes and uses.
People and workplace intelligence | Insights
Use more granular privacy control over the availability and display of item insights in Microsoft 365. These insights represent the relationships between a user and documents in OneDrive for Business, calculated using advanced analytics and machine learning techniques.
People and workplace intelligence | Profile card customization
Administrators can customize the properties exposed on the profile card for their organizations by using the API for profile card property.
Sites and lists
Access the SharePoint term store taxonomy, the hierarchy that consists of group, set, and term resources, and relation resources between terms.
Workbooks and charts
Get the status and any result of a long running operation in a workbook.
June 2020: New and generally available
Cloud communications | Online meeting
- Use the HTTP header when creating an online meeting to provide locale-based join information.
- Use createOrGet to return an online meeting that has a specified externalId value, or create one if none already exists, to streamline embedding the resultant meeting in a third-party calendar.
- Enhanced synchronization support:
- Use the pendingOperations property to identify any operations that might update the binary content of a driveItem file, that are pending completion.
- Restore a driveItem that has been deleted and is in the recycle bin on OneDrive Personal.
- Get or set the orientation of a photo. Setting is supported on OneDrive Personal.
- Use Secure Hash Algorithm (SHA-256) to enhance file data security and integrity.
- Use the parameter to defer final creation when uploading a file, typically a large one, to OneDrive for Business, until an app makes a request to complete the upload.
- Use the fileSize property to provide an estimate as part of the item parameter, so that a quota check can be done prior to uploading a file on OneDrive Personal.
- Find storagePlanInformation through the quota property of a drive resource to see if there are higher storage quota plans available.
Use application permissions Group.Read.All and Group.ReadWrite.All to get group conversation and conversation thread resources.
Identity and access
- GA of two sets of APIs for identity protection: risk detection and risky user APIs.
- Track the following as properties of an alert:
- IDs of incidents related to the alert.
- Identify a resource as attacked or as a related resource in the alert.
- Specify the source and destination locations of a network connection related to the alert.
Sites and lists
Specify geolocation data in a column definition for a SharePoint list resource.
- Use the delegated permission AppCatalog.Read.All to list apps from the Microsoft Teams app catalog.
- Get information about the folder that maps to the Files tab of a Teams channel.
- Get the default channel, labelled as General, of a team.
June 2020: New in preview only
In addition to tracking incremental changes on events in a calendarView (collection of events delimited by start and end dates), use the delta function on events in a user mailbox, or events in a specific user calendar.
Cloud communications | Presence
Get the presence status of all the users in an organization, or a specific user in the organization.
Devices and apps | Cloud printing
- Specify print margins when configuring a document for printing.
- Support for the following printer capabilities:
- feed directions
- printing page ranges
- print resolution in DPI
- maximum print job queue size in bytes
- input bins
- margins
- collation
- document scaling
- Support for print resolution (DPI) and document scaling as part of default printer settings.
- Support for the following document configuration settings:
- input bins
- output bins
- media sizes
- margins
- media types
- finishings such as stapling or binding
- pages per sheet
- multi-page layout specifying the direction to lay out pages per sheet
- collation
- scaling
- Expand documents when listing print jobs.
- Register a printer and use the printerCreateOperation resource to track and verify the registration of the printer.
- Get a long-running printer registration operation within the current user's or app's tenant.
- A few properties and enum types were renamed; see details in the June changelog updates for cloud printing.
Devices and apps | Corporate management
Intune June updates in beta.
- Can use delegated permissions to get the ID of a teacher or student in an external source program, as the externalId property.
- Use the externalSource property to track the value if an education organization or class is created from a learning management system (LMS).
Identity and access
- IT professionals can use connector resources, which are lightweight agents, to connect to Azure AD Application Proxy and publish on-premises web applications externally, so that remote users of their organizations can access these apps in a secure manner.
- Manage an authentication policy at a tenant level, to enable or disable self-service sign-up of external users.
- Provision a user account on demand, and be able to specify the objects to provision and synchronization rules to execute.
- Make use of enhancements on a property in a schema: isRefinable to enable filtering of search results and for a more refined control of the search experience, and aliases and labels for better relevance.
- Be able to specify up to 128 property resources in a schema.
- Use get externalItem for diagnostic purposes.
- Use the userPurpose property of mailboxSettings to identify and differentiate a mailbox for a single user from a shared mailbox and equipment mailbox in Exchange Online.
- Use user settings to get or update preferred languages and regional settings.
- User settings is a relationship accessible through user that enables a consistent user experience across apps, by tapping into the Azure AD user profile to reflect the same user preferences. See how user settings differentiate from mailbox settings.
May 2020: New and generally available
Calendar | Place
GA of the places API in v1.0 - use this API in production apps to get, update, or delete a room or room list in a tenant. Find out more about the places API.
Change notifications
- Subscribe to change notifications in Microsoft Cloud for US Government.
Cloud communications | Call records
- GA of the call records API - use the callRecord resource to get the metadata of calls and online meetings on Microsoft Teams and Skype.
- Subscribe to change notifications for changes to all callRecord resources in an organization.
- List sessions in a callRecord, and optionally expand each session to list segments in the call record.
- Support for 60-GHz ( ) and unknownFutureValue WiFi band values of a media endpoint in a segment.
- Support for voice mail as a possible type of service-side end point in a communication segment.
Devices and apps | Corporate management
Intune May updates in v1.0.
Graph Explorer
Use the many new features of Graph Explorer that enhance learning and prototyping in the sandbox. For example:
- View code snippets that correspond to the REST API query you entered, in C#, Java, JavaScript, and Objective C.
- Signed in with a tenant, view and copy an access token to your favorite REST client application.
See New Graph Explorer is now GA for more details.
- Synchronizing on-premises directory to Azure Active Directory via Azure AD Connect now returns the onPremisesDomainName, onPremisesNetBiosName and onPremisesSamAccountName properties as part of the group resource.
- Subscribe to change notifications for group resources in Microsoft Cloud China operated by 21Vianet.
Identity and access
- GA of the service principals API in v1.0 - use the servicePrincipal resource in production apps to programmatically manage instances of applications and control what an application can do within your tenant. You can control who can use an application, what resources the application has access to, such as adding password credentials, rolling expiring certificates, and managing delegated permission grants and application role assignments.
- GA of the appRoleAssignment API, which records the assignment of an appRole (representing the claim in ID tokens and access tokens) to a user, group, or servicePrincipal.
- Use Facebook as an identity provider on Azure Active Directory.
- Use the delegated or application permission of to allow an app to manage grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, respectively with or without the signed-in user.
Microsoft Graph SDKs
See new SDK guidance on the following:
- Paging
- Batching
- Uploading large files on OneDrive
- Customizing SDK service client through HTTP middleware components.
- If your scenario involves online meetings on Teams, see new guidance on how to choose between the calendar API and cloud communications API to create and join online meetings.
- Send and reply to messages in a channel.
- Get the OneDrive for Business location of the files for a channel, by using the fileFolder navigation property.
Teamwork | Shifts
GA of the shifts API in v1.0 - use this API in production apps to create, update, and manage schedules of firstline workers, to let them stay in touch and collaborate effectively.
- Subscribe to change notifications for user resources in Microsoft Cloud China operated by 21Vianet.
- Track the status and date/time of the last status change of an external user, who has been invited to join the organization, by using the externalUserState and externalUserStateChangeDateTime properties of the user resource.
May 2020: New in preview only
Change notifications
- Use formally schematized types changeNotification and changeNotificationCollection to process resource change notifications.
- Track if notifications are in sequence or if a notification is missing by using the sequenceNumber property on the changeNotification resource.
Devices and apps | Cloud printing
- The printer and printerShare resources are now in parity and have the same properties as each other.
- Some property and type name clean-up around printer shares:
Devices and apps | Corporate management
Intune May updates in beta.
- Evaluate whether a user or device is or would be a member of a dynamic group, using the existing rule for the group or a specified rule. Rule-based dynamic membership reduces administrative overhead of adding and removing members.
- When creating a Microsoft 365 group, configure the behaviors of the group by specifying them in the resourceBehaviorOptions property. For example, allow members to post, subscribe new members to conversation, disable welcome email, and hide the group in Outlook experiences.
- Specify the resources to provision in the resourceProvisioningOptions property that are normally not part of the default group creation. Currently supported is provisioning a group as a team with Microsoft Teams capabilities.
Identity and access
- Apply OData system query options ( ) when getting collections of entities that are derived from directoryObject. You can search for specific tokens in the displayName and description properties of these entities, and use OData cast to trim directoryObject results to certain derived types. See more details in Build advanced queries in Microsoft Graph with $count, $filter, $search, and $orderby.
- As part of the identity protection API, use the riskEventType property to get the type of risk detected, or get the type of risk in a user's history. Do not use the riskType property as it has been deprecated.
- Specify client application types in the clientAppTypes property of the condition set for a conditional access policy.
- Use the delegated permission of to allow an app to read access packages and related entitlement management resources on behalf of the signed-in user.
- Use the delegated or application permissions of to list applications in an organization.
- Control authorization settings in Azure AD using the authorizationPolicy resource type.
- Teams apps that support single sign-on (SSO) can specify the from the Teams app manifest, in the azureADAppId property of the teamsAppDefinition.
- Use finer grained permissions to access team and channel resources.
April 2020: New and generally available
- Share or delegate calendars programmatically, in closer parity with the Outlook user experience. In addition to tracking the current user's permissions and sharing status for a calendar:
- For each calendar, you can now manage the permissions of each user with whom the calendar is shared.
- For each mailbox, you can now specify whether a delegate, mailbox owner, or both receive meeting messages and meeting responses.
- Create or update an event as an online meeting:
- For each calendar, specify the allowed and the default online meeting providers.
- Create or update an event to be available online, and provide details for attendees to join the meeting online.
- In particular, use the new onlineMeetingProvider and onlineMeeting properties of event to set or identify Microsoft Teams as an online meeting provider, a workaround for a known issue with the onlineMeetingUrl property.
- Add file attachments up to 150MB to an event.
- Check out or check in a file to OneDrive to manage updating the file and making updates available to others when the updates are ready.
- Apply optional password and expiration date/time as parameters of the invite and create sharing link actions to share a driveItem.
- Get or set password and expiration date/time of a permission, and track the identitySet of users granted the permission to share a driveItem.
- Get the permission of a shared drive item by using the permission navigation property.
- Limit users with a sharing link to viewing only, so that they cannot download the contents of a shared driveItem on OneDrive for Business or SharePoint.
Identity and access
- To manage roles and assign access to resources in role-based access control (RBAC) providers such as Microsoft Intune, use unifiedRoleAssignmentMultiple. The unifiedRoleAssignmentMultiple resource supports defining a single role over an array of scopes, and assigning the role to multiple principals (such as users).
- Access specific types of policies for an organization using the URL segment and specifying the policy type. For example, an organization can enforce a policy to automatically sign a user out from a web session after a period of inactivity; see CRUD operations for instances of activityBasedTimeoutPolicy. This is a breaking change to make it easier to discover all policies, by grouping all typed policies under the /policies segment. Access other typed policies in a similar approach: claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenLifetimePolicy, and tokenIssuancePolicy.
Add file attachments up to 150MB to a message.
Sites and lists
- List sites that the signed-in user has followed.
- Identify the geographic region of a site collection by using the dataLocationCode property.
- Identify the tenant of a file, folder, or other item on SharePoint by accessing the tenantId property that is part of the sharepointIds of a driveItem.
April 2020: New in preview only
Devices and apps | Cloud printing
Designate allowed users and groups to use specific printer shares on Universal Print, the Microsoft 365 cloud-based print infrastructure. To experience robust and centralized print management capabilities, and offer a simple yet rich and secure print experience for print users, see the Universal Print announcement and join their preview program.
Devices and apps | Corporate management
Intune April updates.
Identify the app that created a group by its app ID.
Identity and access
- Track changes for administrative units.
- Track changes for oAuth2PermissionGrant.
- Manage a user's authentication methods which include password or phone. For example, reset a user password and get the reset status, or add a phone number for a user for SMS or voice call authentication, if the policy is enabled for the user.
Reports | Identity and access reports
List relying parties configured in Active Directory Federation Services.
Reports | Microsoft 365 usage reports
View Meeting Created and Meeting Interacted data in CSV reports for email activity counts, email activity user counts, and email activity user detail.
March 2020: New and generally available
Cloud communications
- Get the call routing and incoming context of a call.
- Update the recording status of a call.
- Specify recording information for a participant, including the initiator and status of the recording.
- Uniquely identify participants in a conference or participant-to-participant call using the callChainId property.
- Identify as part of participantInfo the country code and endpoint type (such as Skype for Business, or Skype for Business VOIP) of the participant.
- Third-party video teleconferencing (VTC) device partners can log and provide media quality data for their video teleconferencing devices through a Cloud Video Interop (CVI) bot and using the logTeleconferenceDeviceQuality function. Media quality includes open-type data for audio, video, and screen-sharing.
- Remote items that are shared with a user, added to the user's OneDrive, or returned as a search result can contain metadata for an image or video.
- Follow a driveItem for convenient access, or for facilitating actions such as move, copy, and save-as. Use unfollow to stop following the drive item.
- Grant permissions to users to access a sharing link, in order to share the corresponding drive item.
Identity and access
- Track changes for organizational contacts.
- Use the riskEventTypes_v2 property to get the risk event types associated with a sign-in.
- Use the delegated permission to allow an app to read, update, or delete identities that are associated with a user's account, that the signed-in user has access to. Use that permission at the application-level without a signed-in user present. This allows the app to manage which identities a user can sign-in with.
Use Teams Service Administrator and Teams Communications Administrator as accepted user roles to allow apps to read Microsoft 365 service usage reports on behalf of a user, as forms of user-delegated authorization.
- Let users follow or unfollow SharePoint sites.
- Subscribe to change notifications for a SharePoint list.
March 2020: New in preview only
- Use the calendarGroupId property to get the calendar group in which a calendar has been created.
- Use the isDraft property to identify an event as a meeting that the user has updated in Outlook but has not sent to update attendees.
Cloud communications
- Use createOrGet to get an online meeting instance by a custom external ID, and create one when none already exists.
- Have the option to use the externalId property to identify an online meeting with the custom external ID.
- Use the optional HTTP request header to create or get an instance of online meeting, so that the successful operation displays the content of the joinInformation property in the specified language and locale variant.
Devices and apps
Intune March updates.
Identity and access
- Use the permission to list the sign-in activity of a user.
- Use the application-level permission for Privileged Identity Management (PIM) of Azure resources, to set up just-in-time access workflow for Azure infrastructure roles at a management group, subscription, resource group, or resource level.
- Use the identitySecurityDefaultsEnforcementPolicy entity to get or update pre-configured default security settings that protect organizations against common attacks.
- Use an segment when calling the conditional access APIs. For example, to get a conditional access policy: GET{id}.
- Use the authenticationRequirement property to get the highest level of authentication that is needed through all the sign-in steps in order for sign-in to succeed.
- Use pagination when listing provisioning events that occurred in your tenant.
- To add data in a file to search results, index the data simply as an externalItem. The externalFile type has been deprecated.
- Update an item in the index, by specifically updating the plain-text representation of the item (represented by the content property), or the properties bag of the item (represented by the properties property). Updating any property in the properties bag overwrites the entire properties bag, so make sure to explicitly include all the properties of the item in the update.
- Check for HTTP 429 and the Retry-After response header after calling the create, update, or delete operation of externalItem. Backing off requests using the Retry-After delay is the fastest way to recover from throttling.
Use the ChannelMessage.Read.All application-level permission to read chatMessage instances in channels without a signed-in user.
Universal Print
Debut of the Universal Print API which allows users to print on the web or from an app. The API lets IT administrators manage user and group access to printers in the Microsoft 365 cloud, remote printer sharing to maintain availability, monitor printer status, and report on archived print jobs and usage.
Note that as of March 2020, the Universal Print service is in private preview. See Announcing Universal Print: a cloud-based print solution for information regarding participation.
February 2020: New and generally available
Walk through an example of creating an event in a shared or delegated calendar, and the actions and properties available to the delegate, invitees, and calendar owner during this process.
Identity and access
- To improve security when subscribing to change notifications of user data, enforce Transport Layer Security (TLS) 1.2 or higher on clients and site servers used in the notification process. The new requirement is rolled out in stages starting February 15, 2020. By May 15, 2020, all notification endpoints must meet the new TLS requirement. Find out the stages of the rollout and, if necessary, use the new latestSupportedTlsVersion property as a temporary workaround to avoid subscription failures before completing the TLS upgrade.
- Use respective types of threat assessment request to track threats from mail, an email message file (.EML file), email attachment file (text, Word, or binary file), or URL.
Reprocess all group-based license assignments for a user.
February 2020: New in preview only
See tasks supported by preview APIs that manage calendar sharing and delegation.
Cloud communications
- Use the new call records resource to get metadata of calls and online meetings on Microsoft Teams and Skype for Business for an organization.
- For a participant in a meeting, use the initiator property to get the identity information of the initiator of a recording, if there is one.
Devices and apps
Intune February updates.
Use the assignLicense method to assign licences for products, such as Microsoft 365 or Enterprise Mobility + Security, to a group. Since Azure AD ensures licences are assigned to members of the group, members joining or leaving a group no longer require licence management at the individual level.
Identity and access
- Set requestor, approval, and review settings when creating an access package assignment policy.
- Access specific types of policies for an organization using the URL segment and specifying the policy type. For example, an organization can enforce a policy to automatically sign a user out from a web session after a period of inactivity; see CRUD operations for instances of activityBasedTimeoutPolicy. This is a breaking change to make it easier to discover all policies, by grouping all typed policies under the /policies segment. Access other typed policies in a similar approach: claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenLifetimePolicy, and tokenIssuancePolicy.
- Use application-level and delegated permission for read and write operations on application configuration policies mentioned in the preceding item.
- Use change notifications on all channel messages or all chat messages in an organization.
- Decline a request to swap shifts with another user in a team.
January 2020: New and generally available
As part of customer alert management, use the update alert method and update the comments field as either Closed in IPC or Closed in MCAS.
Use the primaryChannel navigation property of a team to access its default channel, General.
Use the identities property to access one or more identities that a user can use to sign in to an Azure AD user account. The identities can be provided by Microsoft, organizations, or social identity providers such as Facebook, Google, or Microsoft. This property allows the user to sign in to the user account with any of these identities.
January 2020: New in preview
Devices and apps
Intune January updates.
December 2019: New and generally available
Cloud communications
The cloud communications API has GA'd and APIs for call and onlineMeeting are available in v1.0.
Use the classSettings property to manage class-specific settings, such as enabling the sending of weekly assignment digests. This property is available on the team resource when the team represents an education class.
Identity and access
Attempting to get container objects with limited permissions returns partial data. An example is a group instance that's associated with a user, another group, and a device. An app having only the permissions User.Read.All and Group.Read.All and attempting to access this group instance would get the user and group objects, but limited data for the device object (only data type and object ID and not property values).
People and workplace intelligence
The insights API has GA'd. Use the API in production apps to identify the most relevant documents that are:
- Trending around a user
- Used by a user
- Shared with or shared by a user
To get Microsoft 365 usage reports using permissions delegated by a user, administrators must have assigned the user an Azure AD limited administrator role. This can be one of the following roles: company administrator, Exchange administrator, SharePoint administrator, Lync administrator, global reader, or reports reader. See Authorization for APIs to read Microsoft 365 usage reports for details.
Microsoft Graph Toolkit v1.1 has released. For a list of enhancements and bug fixes, see the December 2019 section of the changelog.
December 2019: New in preview
Cloud communications
- Use the new presence resource to get information about the availability and current activity of one or more users.
- Delete an instance of an onlineMeeting.
- See the December 2019 section of the changelog for the renaming and removal of a few members of the call and onlineMeeting resources, to be in parity with the v1 version of these resources.
Devices and apps
Intune December updates
Identity and access
- Behavior fix to the appRoleAssignments and appRoleAssignedTo relationships on servicePrincipal.
- Use accessPackageResourceRequest in Azure AD entitlement management to request adding a resource to a catalog, so that the roles of that resource can be used in an access package.
- Use the threat assessment API to empower administrators to report suspicious emails, phishing URLs, email attachments, or other files. The threat scanning verdict can then inform them to adjust organizational policy appropriately.
- Set up change notifications that include resource data for chatMessage resources in Microsoft Teams channels and chats.
- Subscribe to notifications for new or modified channel messages or chat messages.
- Use the shiftPreferences resource to enable specifying a user's availability to be assigned shifts in a schedule. Get or set this as part of the user's settings.
November 2019: New and generally available
- Use delegated or application permissions, GroupMember.Read.All and GroupMember.ReadWrite.All, to list groups, read basic group properties, read (and update if read/write permission) the membership of the groups the app has access to.
- Use the application permission, Group.Create, to create groups without a signed-in user.
- For a specified group, check for membership in other groups or directory roles.
Identity and access
- Register applications that authenticate with Azure Active Directory (Azure AD). Use delegated permissions, Application.Read.All and Application.ReadWrite.All, or application permission, Application.Read.All, as appropriate.
- For a specified device, check for membership in other groups or directory roles.
- Use the conversationIndex property to get the position of a message in an Outlook email conversation.
- Use the delegated permission, Mail.ReadBasic, and application permission, Mail.ReadBasic.All, to get message or mail folder resources, track their changes, and manage subscriptions for change notifications on messages.
- Check for group memberships for a specified user.
- Use the creationType property to find how a user account was created, for example, whether the account was created as a regular school or work account or as an external account, etc.
November 2019: New in preview
- Use Outlook to organize or attend meetings online.
- Set properties for the rich location types of room and room list.
Cloud communication
The call resource type supports the following additional features:
- The context of an incoming call
- The type of endpoint for a participant, such as voice mail or Skype for Business
- The ability to update the recording information for a participant
Devices and apps
Intune November updates
Administrators can enable class-wide settings through the classSettings property of the team associated with the class. Currently, there is a setting to notify guardians about weekly assignments.
Identity and access
- Use the application permission, Policy.Read.All, to read all your organization's conditional access policies and named locations, without a signed-in user present.
- Allow a conditional access policy to be in a report-only state.
- Use the delegated permission, ThreatAssessment.ReadWrite.All, or application permission, ThreatAssessment.Read.All, to read (or create, if read/write permission) requests to assess threats in an organization.
Use the delegated permission, Mail.ReadBasic, and application permission, Mail.ReadBasic.All, to manage subscriptions for change notifications on the message resource.
Use the new light-weight notifications web SDK in place of the Project Rome SDK, to take advantage of an improved authentication model and support for web apps using web push.
People and workplace intelligence
Debut of the profile resource which is a rich representation of the next generation of people entities in Microsoft services. This resource relates to common and practical people attributes, including information for any meaningful dates such as anniversaries, education, employment positions, interests, language and skill proficiencies, project participation, web site association, and other account and contact information.
Debut of the Microsoft Search API which allows app users to get more up-to-date, personalized, and relevant search results powered by Microsoft Graph. Use the query capability that, by default, searches Outlook messages and events, and OneDrive and SharePoint files in the Microsoft cloud. Use connectors, available in the Microsoft Graph connectors gallery, to include search data outside of the Microsoft cloud. Alternatively, build your own connectors, index external custom items and files, and query specific external data sources.
Get the file resources associated with a team and channel by using the following HTTP request syntax:
GET /teams/{teamId}/channels/{channelId}/filesFolder
Use the creationType property to find how a user account was created, for example, whether the account was created as a regular school or work account or as an external account, etc.
October 2019: New and generally available
Identity and access
- Use organization contacts in production apps. Organization contacts are managed by organization administrators, synchronized either from an on-premises Active Directory or from Exchange Online.
- Configure certificate-based authentication in an organization.
- Add and remove password credentials for applications.
Use the new message parameter to update any writeable message properties when replying to a message, for example, adding a recipient to the reply.
Microsoft Graph data connect
Developers and data scientists can now use tools to translate Office 365 data into Common Data Model format, making it schematically consistent with other Open Data Initiative (ODI)-ready datasets.
Microsoft Graph SDKs
- Use chaos handlers in the JavaScript SDK to verify if an app is resilient to server failures that are tricky to initiate.
- Read about making API calls using the SDKs.
- Get or set a user's preferred date and time format settings for the user's mailbox.
- Track the date/time of the last password change on a user.
October 2019: New in preview
- Meeting organizers can allow invitees to propose alternate meeting times. When receiving a meeting response that includes a proposed alternate time, the organizer can decide to accept the proposal and update the meeting time.
- Programmatic calendar sharing is in closer parity with the Outlook user experience. In addition to tracking the current user's permissions and sharing status for a calendar:
- For each calendar, you can now manage the permissions of each user with whom the calendar is shared.
- For each mailbox, you can now specify whether a delegate, mailbox owner, or both receive meeting messages and meeting responses.
- Additional online meeting support:
- For each calendar, specify the allowed and the default online meeting providers.
- Create or update an event to be available online, and provide details for attendees to join the meeting online.
- In particular, use the new onlineMeetingProvider and onlineMeeting properties of event to set or identify Microsoft Teams as an online meeting provider, a workaround for a known issue with the onlineMeetingUrl property.
Devices and apps
Intune October updates
Graph Explorer
Try the next version of Graph Explorer and see handy contextual information such as permissions, access tokens, and SDK code snippets in the new Permissions, Auth, and Snippets tabs. Use the Preview slider to switch between the production and new preview version of Graph Explorer.
- Use the hideFromAddressLists and hideFromOutlookClients properties to control the visibility of a group in certain parts of the Outlook user interface or in an Outlook client.
- Assign or remove licenses on users in a group.
Identity and access
- Use conditional access policies to customize access rules for an organization. These rules consider signals about a user or a device identity, such as user or group membership, IP location, and behaviors such as attempts to access specific applications, and risky sign-in behaviors.
- Use entitlement management to manage access to groups, applications, and SharePoint Online sites for users in and outside of an organization.
- Add and remove password credentials for applications and service principals.
- Manage Azure AD B2C trust framework policy keys.
- Define Azure AD B2C user flow policies for sign in, sign up, combined sign up and sign in, password reset, and profile update.
- Configure information protection labels to classify sensitivity for a user or tenant.
- Existing apps using APIs for identity risk events should transition to those for risk detection in Azure AD Identity Protection. See the related blog post for more details and deprecation timeline.
Attach large files up to 150MB to a message instance, by creating an upload session, and iteratively uploading ranges of the file until all the bytes of the file have been uploaded.
Microsoft Graph Security API
- Preview integration with RSA NetWitness, ServiceNow, and Splunk, to correlate and synchronize alerts, and improve threat protection and response.
- New triggers added to the Microsoft Graph security connector and playbooks for Logic Apps and Flow. See playbook examples.
- Support for sending threat indicators to Microsoft Defender for Endpoint to block or alert on threats using their own intelligence sources. Integrations with partners like ThreatConnect enable customers to send indicators directly from threat intelligence and automation solutions.
- Create and send notifications to all app clients on all device endpoints that a user is signed in to, without having to manage user-delegated permissions.
- Use target policy endpoints on user notifications to specifically target notifications for the Windows, iOS, Android, or WebPush platform.
- Specify a fallback policy on notifications for iOS endpoints, to send high-priority raw notifications that might not otherwise be delivered to devices due to platform-specific restrictions, such as battery saver mode.
PowerShell SDK
Developers and IT professionals can note the coming of the Microsoft Graph PowerShell SDK, which will generate modules that contain cmdlets to make Microsoft Graph REST API requests.
September 2019: New and generally available
Calendar, mail, and group
Get the raw content of a file, or the MIME content of an item that has been added as an attachment to an event, message, or group post.
Calendar, mail, Outlook task, personal contact
Use the translateExchangeId function to convert an Outlook item ID between supported formats, including the Microsoft Graph default ID format and immutable ID format.
The following resources support ID format conversion:
Get the MIME content of a message.
Microsoft Graph Toolkit
Use the Microsoft Graph Toolkit to develop production apps that offer a consistent Microsoft 365 look-and-feel, and save time in authenticating and accessing data from Microsoft Graph.
September 2019: New in preview
Features, including APIs and tools, in preview status may change without notice, and some may never be promoted to GA status. Do not use them in production apps.
Devices and apps
Intune September updates
Enhanced synchronization support:
Use Secure Hash Algorithm (SHA-256) to enhance file data security and integrity.
Get or set the orientation of a photo. Setting is supported on OneDrive Personal.
Identity and access
Use the new identities property and get the identities that a user can use to sign in to an account. Identities can be provided by organizations, or social identity providers such as Facebook, Google, and Microsoft.
Incremental enhancements for synchronizing identities in a cloud application for a tenant:
- Store settings for a synchronization job
- Specify a reason to impose quarantine on a synchronization job
Use the General channel of a team, or customize member settings to let team members create private channels in the team.
- Get or update the identities with which a user can sign in to an account. These identities can be provided by business organizations, or by social identity providers such as Facebook, Google, and Microsoft.
- Get or update a user's preferred date and time format settings for the mailbox.
August 2019: New and generally available
- Get additional mailbox usage data about deleted item count and size.
- Track Microsoft 365 group IDs when getting group activity details.
- Track the owner principal name when getting OneDrive usage account detail and SharePoint site usage detail.
- Get the number of active and inactive users on Microsoft 365, when getting a report on user counts per Microsoft 365 service.
- Use the new Microsoft Graph security API add-on for Splunk to stream security alerts and insights from many partner products into Splunk, enabling easier real-time correlation of their security data. See the announcement for more information.
- See a list of other solutions and connectors built by Microsoft or by Microsoft partners that connect with the security API and let you work with data in a unified format.
August 2019: New in preview
Features, including APIs and tools, in preview status may change without notice, and some may never be promoted to GA status. Do not use them in production apps.
Devices and apps
Intune August updates
- Associate a teacher or assignment with a grading rubric to account for specific qualities and levels in assignments. An example of a quality is spelling and grammar, and examples of levels are "good" and "poor". You can further associate points and weights to the rubric. For more information, see education rubric overview.
- Evaluate an assignment and present the results in terms of feedback, a numeric grade, or rubric.
Up until this point, you have been able to follow a driveItem for convenient access, or for facilitating actions such as move, copy, and save-as. You can now use the unfollow action to stop following such drive items.
Identity and access
- Providers of role-based access control (RBAC) can manage roles in Azure Active Directory, by defining role actions that can be performed on specific resources, and assigning roles to users based on such role definitions, giving them the corresponding access to those resources.
- Administrators can list access reviews to efficiently facilitate reviewing group memberships, access to enterprise applications, and role assignments. Regular access reviews make sure only the appropriate people have continued access to resources in specific ways.
Social and workplace intelligence
End users have been able to use the Microsoft 365 MyAnalytics app to get insights on managing time, collaboration at work, and work-life balance. Now, you can use the analytics API to integrate data on time spent on work activities such as calls, chats, and email, to help improve a user's productivity and wellbeing.
July 2019: New and generally available
Example code snippets
There are now Objective-C code snippets in all API topics in the v1.0 and beta references. See the Objective-C example for getting an event.
- Use the validateProperties function to make sure the display name or mail nickname of an existing Microsoft 365 group complies with naming policies.
- Alternatively, before creating the group, you can use the validateProperties function for a directoryObject to validate the names first.
Identity and access
Use new delegated and application permissions, Organization.Read.All and Organization.ReadWrite.All, to access an organization and related resources such as subscribed SKUs.
Use new delegated and application permissions, RoleManagement.Read.Directory and RoleManagement.ReadWrite.Directory, for role-based access control (RBAC) for your company's directory:
- Use the read/write permission to first activate a directory role.
- With the role activated, you can use the read permission to read directory roles, list role members, and list directory role templates.
- You can also use the read/write permission to add and remove role members.
July 2019: New in preview
Features, including APIs and tools, in preview status may change without notice, and some may never be promoted to GA status. Do not use them in production apps.
Use the new places API to make use of rich location types such as room and room list, as set up by Exchange Online administrators.
Devices and apps
Intune July updates
Apply expiration date/time or password when creating a sharing link to a file, folder, or some other driveItem.
Identity and access
- Use new application permission AccessReview.ReadWrite.Membership for CRUD operations on access reviews.
- Use new delegated and application permissions, AdministrativeUnit.Read.All and AdministrativeUnit.ReadWrite.All, to respectively read or write (including create, update, delete, or manage membership) administrative unit resources.
- Use new delegated and application permissions, Organization.Read.All and Organization.ReadWrite.All, to access an organization and related resources such as a subscribed SKU.
- Use the new discover function to find the latest directory synchronization schema, so as to sync directory objects, attributes, and their types to an app.
- Use a feature rollout policy to help tenant administrators pilot features to specific groups before enabling them for the entire organization.
Use more granular application permission, Mail.ReadBasic.All, to read a user's mailbox except for any message body, preview body, attachments, and extended properties, and except for searching the mailbox. Now applicable to mailFolder and change tracking for message and mailFolder.
- Get additional mailbox usage data about deleted item count and size.
- Install, uninstall, upgrade, and list installed Microsoft Teams apps for a user.
- Use app-only access to read channel messages, replies to channel messages, and messages in a chat. Request and get approval for such access.
May - June, 2019: New and generally available
Calendar, mail, and personal contacts
Exchange administrators can grant application permissions to an app and limit the app to access only a subset of mailboxes, instead of the default which is access to all mailboxes in the organization. Such restricted access would apply to any application permissions granted to the app for calendars, contacts, and mail and mailbox settings. See related blog announcement.
Use mail search folders API to search messages and access Outlook email search results. See related blog announcement.
As an alternative to Graph Explorer, try the Microsoft Graph API on the Microsoft Graph Postman collection to learn the API behavior and speed up app development.
Try the new tutorial to build a Java console app to get information about a user calendar.
Administrators or users can revoke all issued refresh tokens for a user. This is usually used to prevent apps on a lost or stolen device from accessing an organization's data.
May - June, 2019: New in preview
Features, including APIs and tools, in preview status may change without notice, and some may never be promoted to GA status. Do not use them in production apps.
Devices and apps
- Delta query for educationSchool.
- Delta query and property additions for educationClass and educationUser.
Get sensitivity labels to help protect sensitive data of a Microsoft 365 group and meet compliance policies. These labels are assignedLabel objects, published by administrators in Microsoft 365 Security & Compliance Center, as part of Microsoft Purview Information Protection capabilities.
Identity and access
- Get an instance of an application, or add an instance from the Azure AD application gallery into your directory as a template.
- Get a log of all directory provisioning events in a tenant.
- Get information about detected user or sign-in risks in an Azure AD environment. This risk detection functionality is part of Azure AD Identity Protection.
Use more granular delegated permission, Mail.ReadBasic, to read a user's mailbox except for any message body, preview body, attachments, and extended properties, and except for searching the mailbox. Available to read methods of mailFolder, and change tracking for message and mailFolder.
Microsoft Graph toolkit
The Microsoft Graph toolkit is a set of framework-agnostic web components and helpers that provides convenience to authenticate and access data in Microsoft Graph. Because the Microsoft Graph toolkit is in preview status, use toolkit providers and components in only non-production apps.
- Get reports on the authentication methods adopted by users in an organization, such as self-service password reset and multi-factor authentication (MFA).
Let users follow or unfollow SharePoint sites.
- Host images in Microsoft Teams chat messages.
- Support configuring how a private team can be discovered.
January - April, 2019: New and generally available
Identity and access
- Identity providers
- Improved auth guides
- Migrating apps from Azure AD Graph to Microsoft Graph
API snippets (example)
January - April, 2019: New in preview
Calendar, group, mail, to-do tasks
Get raw/MIME content of file or item attachments in an event, message, Outlook task, or group post
Change notifications
Reduce missing change notifications
Devices and apps
Sharing invitation includes expiration and password
Identity and access
- Access reviews support application permissions
- Audit and sign-in logs
- Custom sign-in and sign-up in Azure AD B2C
- Risky user and history
- Security actions
- Threat indicators
Related content
- See what's currently new in Microsoft Graph.
- Check out the Microsoft Graph developer blog periodically for release announcements and helpful resources.
- Browse details of Microsoft Graph API additions, and API behavior updates in the changelog.