Get a user

Namespace: microsoft.graph

Retrieve the properties and relationships of user object.

This operation returns by default only a subset of the more commonly used properties for each user. These default properties are noted in the Properties section. To get properties that are not returned by default, do a GET operation for the user and specify the properties in a $select OData query option. Because the user resource supports extensions, you can also use the GET operation to get custom properties and extension data in a user instance.

Customers through Microsoft Entra ID for customers can also use this API operation to retrieve their details.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) User.Read User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) User.Read User.ReadWrite
Application User.Read.All User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

Note

  • Calling the /me endpoint requires a signed-in user and therefore a delegated permission. Application permissions are not supported when using the /me endpoint.
  • The User.Read permission allows the app to read the profile, and discover relationships such as the group membership, reports and manager of the signed-in user only.

Permissions for specific scenarios

  • To read the employeeLeaveDateTime property:
    • In delegated scenarios, the signed-in user needs at least one of the following Microsoft Entra roles: Lifecycle Workflows Administrator (least privilege), Global Reader; the app must be granted the User-LifeCycleInfo.Read.All delegated permission.
    • In app-only scenarios with Microsoft Graph permissions, the app must be granted the User-LifeCycleInfo.Read.All permission.
  • To read the customSecurityAttributes property:
    • In delegated scenarios, the signed-in user must be assigned the Attribute Assignment Administrator role and the app granted the CustomSecAttributeAssignment.Read.All permission.
    • In app-only scenarios with Microsoft Graph permissions, the app must be granted the CustomSecAttributeAssignment.Read.All permission.
  • User-Mail.ReadWrite.All is the least privileged permission to read and write the otherMails property; also allows to read some identifier-related properties on the user object.
  • User-PasswordProfile.ReadWrite.All is the least privileged permission to read and write the passwordProfile property; also allows to read some identifier-related properties on the user object.
  • User-Phone.ReadWrite.All is the least privileged permission to read and write the businessPhones and mobilePhone properties; also allows to read some identifier-related properties on the user object.
  • User.EnableDisableAccount.All + User.Read.All is the least privileged combination of permissions to read and write the accountEnabled property.

HTTP request

For a specific user:

GET /me
GET /users/{id | userPrincipalName}

Tip

  • When the userPrincipalName begins with a $ character, the GET request URL syntax /users/$x@y.com fails with a 400 Bad Request error code. This is because this request URL violates the OData URL convention, which expects only system query options to be prefixed with a $ character. Remove the slash (/) after /users and enclose the userPrincipalName in parentheses and single quotes, as follows: /users('$x@y.com'). For example, /users('$AdeleVance@contoso.com').
  • To query a B2B user using the userPrincipalName, encode the hash (#) character. That is, replace the # symbol with %23. For example, /users/AdeleVance_adatum.com%23EXT%23@contoso.com.

For the signed-in user:

GET /me

Optional query parameters

This method supports the $select OData query parameter to retrieve specific user properties, including those that aren't returned by default.

By default, only a limited set of properties are returned ( businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName ).

To return an alternative property set, you must specify the desired set of user properties using the OData $select query parameter. For example, to return displayName, givenName, and postalCode, add the following expression to your query $select=displayName,givenName,postalCode.

Extension properties also support query parameters as follows:

Extension type Comments
onPremisesExtensionAttributes 1-15 Returned only with $select.
Schema extensions Returned only with $select.
Open extensions Returned only through the Get open extension operation.
Directory extensions Returned only with $select.

Request headers

Header Value
Authorization Bearer {token}. Required. Learn more about authentication and authorization.

Request body

Don't supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and user object in the response body. It returns the default properties unless you use $select to specify specific properties. This method returns 202 Accepted when the request has been processed successfully but the server requires more time to complete related background operations.

If a user with the ID doesn't exist, this method returns a 404 Not Found error code.

Examples

Example 1: Standard users request

Request

By default, only a limited set of properties are returned ( businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName ). This example illustrates the default request and response.

GET https://graph.microsoft.com/v1.0/users/87d349ed-44d7-43e1-9a83-5f2406dee5bd

Response

HTTP/1.1 200 OK
Content-type: application/json

{
  "businessPhones": [
       "+1 425 555 0109"
   ],
   "displayName": "Adele Vance",
   "givenName": "Adele",
   "jobTitle": "Retail Manager",
   "mail": "AdeleV@contoso.com",
   "mobilePhone": "+1 425 555 0109",
   "officeLocation": "18/2111",
   "preferredLanguage": "en-US",
   "surname": "Vance",
   "userPrincipalName": "AdeleV@contoso.com",
   "id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd"
}

Example 2: Signed-in user request

You can get the user information for the signed-in user by replacing /users/{id | userPrincipalName} with /me.

Request

GET https://graph.microsoft.com/v1.0/me

Response

HTTP/1.1 200 OK
Content-type: application/json

{
  "businessPhones": [
       "+1 425 555 0109"
   ],
   "displayName": "Adele Vance",
   "givenName": "Adele",
   "jobTitle": "Retail Manager",
   "mail": "AdeleV@contoso.com",
   "mobilePhone": "+1 425 555 0109",
   "officeLocation": "18/2111",
   "preferredLanguage": "en-US",
   "surname": "Vance",
   "userPrincipalName": "AdeleV@contoso.com",
   "id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd"
}

Example 3: Use $select to retrieve specific properties of a user

To retrieve specific properties, use the OData $select query parameter. For example, to return displayName, givenName, postalCode, and identities, you would use the add the following to your query $select=displayName,givenName,postalCode,identities

Request

GET https://graph.microsoft.com/v1.0/users/87d349ed-44d7-43e1-9a83-5f2406dee5bd?$select=displayName,givenName,postalCode,identities

Response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,givenName,postalCode,identities)/$entity",
    "displayName": "Adele Vance",
    "givenName": "Adele",
    "postalCode": "98004",
    "identities": [
        {
            "signInType": "userPrincipalName",
            "issuer": "contoso.com",
            "issuerAssignedId": "AdeleV@contoso.com"
        }
    ]
}

Example 4: Get the value of a schema extension for a user

In this example, the ID of the schema extension is ext55gb1l09_msLearnCourses.

Request

GET https://graph.microsoft.com/v1.0/users/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e?$select=ext55gb1l09_msLearnCourses

Response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(ext55gb1l09_msLearnCourses)/$entity",
    "ext55gb1l09_msLearnCourses": {
        "@odata.type": "#microsoft.graph.ComplexExtensionValue",
        "courseType": "Developer",
        "courseName": "Introduction to Microsoft Graph",
        "courseId": 1
    }
}

Example 5: Get the custom security attribute assignments for a user

The following example shows how to get the custom security attribute assignments for a user.

Attribute #1

  • Attribute set: Engineering
  • Attribute: Project
  • Attribute data type: Collection of Strings
  • Attribute value: ["Baker","Cascade"]

Attribute #2

  • Attribute set: Engineering
  • Attribute: CostCenter
  • Attribute data type: Collection of Integers
  • Attribute value: [1001]

Attribute #3

  • Attribute set: Engineering
  • Attribute: Certification
  • Attribute data type: Boolean
  • Attribute value: true

Attribute #4

  • Attribute set: Marketing
  • Attribute: EmployeeId
  • Attribute data type: String
  • Attribute value: "QN26904"

To get custom security attribute assignments, the calling principal must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role and must be granted the CustomSecAttributeAssignment.Read.All or CustomSecAttributeAssignment.ReadWrite.All permission.

For more examples of custom security attribute assignments, see Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API.

Request

GET https://graph.microsoft.com/v1.0/users/{id}?$select=customSecurityAttributes

Response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(customSecurityAttributes)/$entity",
    "customSecurityAttributes": {
        "Marketing": {
            "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
            "EmployeeId": "QN26904"
        },
        "Engineering": {
            "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
            "Project@odata.type": "#Collection(String)",
            "Project": [
                "Baker",
                "Cascade"
            ],
            "CostCenter@odata.type": "#Collection(Int32)",
            "CostCenter": [
                1001
            ],
            "Certification": true
        }
    }
}

If there are no custom security attributes assigned to the user or if the calling principal doesn't have access, the following will be the response:

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(customSecurityAttributes)/$entity",
    "customSecurityAttributes": null
}