편집

다음을 통해 공유


Update user

Namespace: microsoft.graph

Update the properties of a user object.

  • Not all properties can be updated by Member or Guest users with their default permissions without administrator roles. Compare member and guest default permissions to see properties they can manage.
  • Microsoft Entra External ID in external tenants can also use this API operation to update their details. See Default user permissions in external tenants for the list of properties they can update.
  • For synced users, the ability to update certain properties is additionally determined by the source of authority and whether synchronization is enabled.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) User.ReadWrite User.ManageIdentities.All, User.EnableDisableAccount.All, User.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) User.ReadWrite Not available.
Application User.ManageIdentities.All User.EnableDisableAccount.All, User.ReadWrite.All, Directory.ReadWrite.All

Permissions for specific scenarios

  • Your personal Microsoft account must be tied to a Microsoft Entra tenant to update your profile with the User.ReadWrite delegated permission on a personal Microsoft account.
  • To update the employeeLeaveDateTime property:
    • In delegated scenarios, the admin needs the Global Administrator role; the app must be granted the User.Read.All and User-LifeCycleInfo.ReadWrite.All delegated permissions.
    • In app-only scenarios with Microsoft Graph permissions, the app must be granted the User.Read.All and User-LifeCycleInfo.ReadWrite.All permissions.
  • To update the customSecurityAttributes property:
    • In delegated scenarios, the admin must be assigned the Attribute Assignment Administrator role and the app granted the CustomSecAttributeAssignment.ReadWrite.All permission.
    • In app-only scenarios with Microsoft Graph permissions, the app must be granted the CustomSecAttributeAssignment.ReadWrite.All permission.
  • User-Mail.ReadWrite.All is the least privileged permission to update the otherMails property.
  • User-PasswordProfile.ReadWrite.All is the least privileged permission to update the passwordProfile property.
  • User-Phone.ReadWrite.All is the least privileged permission to update the businessPhones and mobilePhone properties.
  • User.EnableDisableAccount.All + User.Read.All is the least privileged combination of permissions to update the accountEnabled property.
  • User.ManageIdentities.All is required to update the identities property.

HTTP request

PATCH /users/{id | userPrincipalName}

Request headers

Header Value
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json

Request body

In the request body, supply only the values for properties to update. Existing properties that aren't included in the request body maintain their previous values or are recalculated based on changes to other property values.

The following table specifies the properties that can be updated.

Property Type Description
aboutMe String A freeform text entry field for the user to describe themselves.
accountEnabled Boolean true if the account is enabled; otherwise, false. This property is required when a user is created.
  • User.EnableDisableAccount.All + User.Read.All is the least privileged combination of permissions required to update this property.
  • In delegated scenarios, Privileged Authentication Administrator is the least privileged role that's allowed to update this property for all administrators in the tenant. In general, the signed-in user must have a higher privileged administrator role as indicated in Who can perform sensitive actions.
  • In app-only scenarios in addition to Microsoft Graph permissions, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions.
  • ageGroup ageGroup Sets the age group of the user. Allowed values: null, Minor, NotAdult, and Adult. Refer to the legal age group property definitions for further information.
    birthday DateTimeOffset The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z
    businessPhones String collection The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property. User-Phone.ReadWrite.All is the least privileged permission to update this property.
    city String The city in which the user is located.
    companyName String The name of the company that the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters.
    consentProvidedForMinor consentProvidedForMinor Sets whether consent has been obtained for minors. Allowed values: null, Granted, Denied and NotRequired. Refer to the legal age group property definitions for further information.
    country String The country/region in which the user is located; for example, US or UK.
    customSecurityAttributes customSecurityAttributeValue An open complex type that holds the value of a custom security attribute that is assigned to a directory object.
  • To update this property in delegated scenarios, the calling principal must be assigned the Attribute Assignment Administrator role and the app granted the CustomSecAttributeAssignment.ReadWrite.All delegated permission.
  • To update this property in app-only scenarios with Microsoft Graph permissions, the app must be granted the CustomSecAttributeAssignment.ReadWrite.All application permission.
  • department String The name for the department in which the user works.
    displayName String The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial, and last name. This property is required when a user is created and it can't be cleared during updates.
    employeeId String The employee identifier assigned to the user by the organization. The maximum length is 16 characters.
    employeeType String Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor. Returned only on $select.
    givenName String The given name (first name) of the user.
    employeeHireDate DateTimeOffset The hire date of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z
    employeeLeaveDateTime DateTimeOffset The date and time when the user left or will leave the organization. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
  • To update this property, the calling app must be assigned the User-LifeCycleInfo.Read.All and User.Read.All permissions.
  • To update this property in delegated scenarios, the admin needs the Global Administrator role.
  • employeeOrgData employeeOrgData Represents organization data (for example, division and costCenter) associated with a user.
    identities objectIdentity collection Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft, by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account. Any update to identities replaces the entire collection and you must supply the userPrincipalName signInType identity in the collection.

    NOTE: Adding a B2C local account to an existing user object isn't allowed, unless the user object already contains a local account identity.
    interests String collection A list for the user to describe their interests.
    jobTitle String The user's job title.
    mail String The SMTP address for the user, for example, jeff@contoso.com. Changes to this property also update the user's proxyAddresses collection to include the value as an SMTP address. For Azure AD B2C accounts, this property can be updated up to only 10 times with unique SMTP addresses. Can't be updated to null.
    mailNickname String The mail alias for the user. This property must be specified when a user is created.
    mobilePhone String The primary cellular telephone number for the user.
  • User-Phone.ReadWrite.All is the least privileged permission to update this property.
  • In delegated scenarios, Privileged Authentication Administrator is the least privileged role that's allowed to update this property for all administrators in the tenant. In general, the signed-in user must have a higher privileged administrator role as indicated in Who can perform sensitive actions.
  • In app-only scenarios in addition to Microsoft Graph permissions, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions.
  • mySite String The URL for the user's personal site.
    officeLocation String The office location in the user's place of business.
    onPremisesExtensionAttributes onPremisesExtensionAttributes Contains extensionAttributes 1-15 for the user. The individual extension attributes aren't selectable or filterable. For an onPremisesSyncEnabled user, the source of authority for this set of properties is the on-premises and is read-only. These extension attributes are also known as Exchange custom attributes 1-15.
    onPremisesImmutableId String This property is used to associate an on-premises Active Directory user account to their Microsoft Entra user object. This property must be specified when creating a new user account in the Graph if you're using a federated domain for the user's userPrincipalName (UPN) property. Important: The $ and _ characters can't be used when specifying this property.
    otherMails String collection A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"]. To update this property, pass in all the email addresses that you want the user to have; otherwise, existing values get overwritten by the values you specify.

  • User-Mail.ReadWrite.All is the least privileged permission to update this property.
  • In delegated scenarios, Privileged Authentication Administrator is the least privileged role that's allowed to update this property for all administrators in the tenant. In general, the signed-in user must have a higher privileged administrator role as indicated in Who can perform sensitive actions.
  • In app-only scenarios in addition to Microsoft Graph permissions, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions.
  • passwordPolicies String Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two can be specified together; for example: DisablePasswordExpiration, DisableStrongPassword.
    passwordProfile passwordProfile Specifies the password profile for the user. The profile contains the user's password. The password in the profile must satisfy minimum requirements as specified by the passwordPolicies property. By default, a strong password is required. As a best practice, always set the forceChangePasswordNextSignIn to true. This can't be used for federated users.
  • User-PasswordProfile.ReadWrite.All is the least privileged permission to update this property.
  • In delegated scenarios, the User Administrator Microsoft Entra role is the least privileged admin role supported to update this property for nonadmin users. Privileged Authentication Administrator is the least privileged role that's allowed to update this property for all administrators in the tenant. In general, the signed-in user must have a higher privileged administrator role as indicated in Who can reset passwords.
  • In app-only scenarios, the calling app must be assigned a supported permission and at least the User Administrator Microsoft Entra role.
  • pastProjects String collection A list for the user to enumerate their past projects.
    postalCode String The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code.
    preferredLanguage String The preferred language for the user. Should follow ISO 639-1 Code; for example, en-US.
    responsibilities String collection A list for the user to enumerate their responsibilities.
    schools String collection A list for the user to enumerate the schools they attended.
    skills String collection A list for the user to enumerate their skills.
    state String The state or province in the user's address.
    streetAddress String The street address of the user's place of business.
    surname String The user's surname (family name or last name).
    usageLocation String A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: US, JP, and GB. Not nullable.
    userPrincipalName String The user principal name (UPN) of the user. The UPN is an Internet-style sign-in name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. The verified domains for the tenant can be accessed from the verifiedDomains property of organization.
    NOTE: This property can't contain accent characters. Only the following characters are allowed A - Z, a - z, 0 - 9, ' . - _ ! # ^ ~. For the complete list of allowed characters, see username policies.
    userType String A string value that can be used to classify user types in your directory, such as Member and Guest.

    Note

    • The following properties cannot be updated by an app with only application permissions: aboutMe, birthday, employeeHireDate, interests, mySite, pastProjects, responsibilities, schools, and skills.
    • To update the following properties, you must specify them in their own PATCH request, without including the other properties: aboutMe, birthday, interests, mySite, pastProjects, responsibilities, schools, and skills.

    Manage extensions and associated data

    Use this API to manage the directory, schema, and open extensions and their data for users, as follows:

    • Add, update, and store data in the extensions for an existing user
    • For directory and schema extensions, remove any stored data by setting the value of the custom extension property to null. For open extensions, use the Delete open extension API.

    Response

    If successful, this method returns a 204 No Content response code.

    Example

    Example 1: Update properties of the signed-in user

    Request

    The following example shows a request.

    PATCH https://graph.microsoft.com/v1.0/me
    Content-type: application/json
    
    {
      "businessPhones": [
        "+1 425 555 0109"
      ],
      "officeLocation": "18/2111"
    }
    

    Response

    The following example shows the response.

    HTTP/1.1 204 No Content
    

    Example 2: Update properties of the specified user

    Request

    The following example shows a request.

    PATCH https://graph.microsoft.com/v1.0/users/{id}
    Content-type: application/json
    
    {
      "businessPhones": [
        "+1 425 555 0109"
      ],
      "officeLocation": "18/2111"
    }
    

    Response

    The following example shows the response.

    HTTP/1.1 204 No Content
    

    Example 3: Update the passwordProfile of a user and reset their password

    The following example shows a request to reset the password of another user. As a best practice, always set the forceChangePasswordNextSignIn to true.

    • User-PasswordProfile.ReadWrite.All is the least privileged permission to update the passwordProfile property.
    • In delegated scenarios, the calling app must be assigned a supported permission and a supported Microsoft Entra role.
      • Privileged Authentication Administrator is the least privileged role that's allowed to update this property for all administrators in the tenant.
      • In general, the signed-in user must have a higher privileged administrator role as indicated in Who can reset passwords.
    • In app-only scenarios, the calling app must be assigned a supported permission and at least the User Administrator Microsoft Entra role.

    Request

    PATCH https://graph.microsoft.com/v1.0/users/{id}
    Content-type: application/json
    
    {
      "passwordProfile": {
        "forceChangePasswordNextSignIn": false,
        "password": "xWwvJ]6NMw+bWH-d"
      }
    }
    

    Response

    HTTP/1.1 204 No Content
    

    Example 4: Add or update the values of a schema extension for a user

    You can update or assign a value to a single property or all properties in the extension.

    Request

    PATCH https://graph.microsoft.com/v1.0/users/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e
    Content-type: application/json
    
    {
        "ext55gb1l09_msLearnCourses": {
            "courseType": "Admin"
        }
    }
    

    To remove the value of the schema extension from the user object, set the ext55gb1l09_msLearnCourses property to null.

    Response

    HTTP/1.1 204 No Content
    

    Example 5: Assign a custom security attribute with a string value to a user

    The following example shows how to assign a custom security attribute with a string value to a user.

    • Attribute set: Engineering
    • Attribute: ProjectDate
    • Attribute data type: String
    • Attribute value: "2022-10-01"

    To assign custom security attributes, the calling principal must be assigned the Attribute Assignment Administrator role and must be granted the CustomSecAttributeAssignment.ReadWrite.All permission.

    For examples of custom security attribute assignments, see Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API.

    Request

    PATCH https://graph.microsoft.com/v1.0/users/{id}
    Content-type: application/json
    
    {
        "customSecurityAttributes":
        {
            "Engineering":
            {
                "@odata.type":"#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
                "ProjectDate":"2022-10-01"
            }
        }
    }
    

    Response

    HTTP/1.1 204 No Content