編輯

共用方式為


Manage Microsoft Entra identity and network access capabilities by using Microsoft Graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

With Microsoft Graph, you can manage identity and network access capabilities, most of which are available through Microsoft Entra. The APIs in Microsoft Graph help you to automate identity and network access management tasks and integrate with any application, and are the programmatic alternative to the administrator portals such as the Microsoft Entra admin center.

Microsoft Entra is a family of identity and network access capabilities that are available in the following products. All these capabilities are available through Microsoft Graph APIs:

  • Microsoft Entra ID that groups identity and access management (IAM) capabilities.
  • Microsoft Entra ID Governance
  • Microsoft Entra External ID
  • Microsoft Entra Verified ID
  • Microsoft Entra Permissions Management
  • Microsoft Entra Internet Access and Network Access

Manage user identities

Users are the main identities in any identity and access solution. You can manage the entire lifecycle of users in your organization, and their entitlements like licenses or group memberships, using Microsoft Graph APIs. For more information, see Working with users in Microsoft Graph.

Manage groups

Groups are the containers that allow you to efficiently manage the entitlements for identities as a unit. For example, through a group, you can grant users access to a resource, such as a SharePoint site. Or you can grant them licenses to use a service. For more information, see Working with groups in Microsoft Graph.

Manage applications

You can use Microsoft Graph APIs to register and manage your applications programmatically, enabling you to use Microsoft's IAM capabilities. For more information, see Manage Microsoft Entra applications and service principals by using Microsoft Graph.


Tenant administration or directory management

A core functionality of identity and access management is managing your tenant configuration, administrative roles, and settings. Microsoft Graph provides APIs to manage your Microsoft Entra tenant for the following scenarios:

Use cases API operations
Manage administrative units including the following operations:
  • Create administrative units
  • Create and manage members and membership rules of administrative units
  • Assign administrator roles that are scoped to administrative units
  • administrativeUnit resource type and its associated APIs
    Retrieve BitLocker recovery keys bitlockerRecoveryKey resource type and its associated APIs
    Monitor licenses and subscriptions for the tenant
  • companySubscription resource type and its associated APIs
  • subscribedSku resource type and its associated APIs
  • Manage custom security attributes See Overview of custom security attributes using the Microsoft Graph API
    Manage deleted directory objects. The functionality to store deleted objects in a "recycle bin" is supported for the following objects:
  • Administrative units
  • Applications
  • External user profiles
  • Groups
  • Pending external user profiles
  • Service principals
  • Users
  • Get or List deleted objects
  • Permanently delete a deleted object
  • Restore a deleted item
  • List deleted items owned by user
  • Manage devices in the cloud device resource type and its associated APIs
    View local administrator credential information for all device objects in Microsoft Entra ID that are enabled with Local Admin Password Solution (LAPS). This feature is the cloud-based LAPS solution deviceLocalCredentialInfo resource type and its associated APIs
    Directory objects are the core objects in Microsoft Entra ID, such as users, groups, and applications. You can use the directoryObject resource type and its associated APIs to check memberships of directory objects, track changes for multiple directory objects, or validate that a Microsoft 365 group's display name or mail nickname complies with naming policies directoryObject resource type and its associated APIs
    Administrator roles, including Microsoft Entra administrator roles, are one of the most sensitive resources in a tenant. You can manage the lifecycle of their assignment in the tenant, including creating custom roles, assigning roles, tracking changes to role assignments, and removing assignees from roles directoryRole resource type and directoryRoleTemplate resource typeand their associated APIs

    roleManagement resource type and its associated APIs

    These APIs allow you to make direct role assignments. Alternatively, you can use Privileged Identity Management APIs for Microsoft Entra roles and groups to make just-in-time and time-bound role assignments, instead of direct forever active assignments.
    Define the following configurations that can be used to customize the tenant-wide and object-specific restrictions and allowed behavior.
  • Settings for Microsoft 365 groups such as guest user access, classifications, and naming policies
  • Password rule settings such as banned password lists and lockout duration
  • Prohibited names for applications, reserved words, and blocking trademark violations
  • Custom conditional access policy URL
  • Consent policies such as user consent requests, group-specific consent, and consent for risky apps
  • groupSetting resource type and groupSettingTemplate resource type and their associated APIs

    For more information, see Overview of group settings.
    Domain management operations such as:
  • associating a domain with your tenant
  • retrieving DNS records
  • verifying domain ownership
  • associating specific services with specific domains
  • deleting domains
  • domain resource type and its associated APIs
    Configure and manage staged rollout of specific Microsoft Entra ID features featureRolloutPolicy resource type and its associated APIs
    Configure options that are available in Microsoft Entra Cloud Sync such as preventing accidental deletions and managing group writebacks onPremisesDirectorySynchronization resource type and its associated APIs
    Manage the base settings for your Microsoft Entra tenant organization resource type and its associated APIs
    Retrieve the organizational contacts that might be synchronized from on-premises directories or from Exchange Online orgContact resource type and its associated APIs
    Discover the basic details of other Microsoft Entra tenants by querying using the tenant ID or the domain name tenantInformation resource type and its associated APIs
    Manage the delegated permissions and their assignments to service principals in the tenant oAuth2PermissionGrant resource type and its associated APIs

    Identity and sign-in

    Use cases API operations
    Configure listeners that monitor events that should trigger or invoke custom logic, typically defined outside Microsoft Entra ID authenticationEventListener resource type and its associated APIs
    Manage authentication methods that are supported in Microsoft Entra ID See Microsoft Entra authentication methods API overview and Microsoft Entra authentication methods policies API overview
    Manage the authentication methods or combinations of authentication methods that you can apply as grant control in Microsoft Entra Conditional Access See Microsoft Entra authentication strengths API overview
    Manage tenant-wide authorization policies such as:
  • enable SSPR for administrator accounts
  • enable self-service join for guests
  • limit who can invite guests
  • whether users can consent to risky apps
  • block the use of MSOL
  • customize the default user permissions
  • identity private preview features enabled
  • Customize the guest user permissions between User, Guest User, and Restricted Guest User
  • authorizationPolicy resource type and its associated APIs
    Manage the policies for certificate-based authentication in the tenant certificateBasedAuthConfiguration resource type and its associated APIs
    Manage Microsoft Entra conditional access policies conditionalAccessRoot resource type and its associated APIs
    Manage cross-tenant access settings and manage outbound restrictions, inbound restrictions, tenant restrictions, and cross-tenant synchronization of users in multitenant organizations See Cross-tenant access settings API overview
    Configure how and which external systems interact with Microsoft Entra ID during a user authentication session customAuthenticationExtension resource type and its associated APIs
    Manage requests against user data in the organization, such as exporting personal data dataPolicyOperation resource type and its associated APIs
    Force autoacceleration sign-in to skip the username entry screen and automatically forward users to federated sign-in endpoints homeRealmDiscoveryPolicy resource type resource type and its associated APIs
    Detect, investigate, and remediate identity-based risks using Microsoft Entra ID Protection and feed the data into security information and event management (SIEM) tools for further investigation and correlation See Use the Microsoft Graph identity protection APIs
    Manage identity providers for Microsoft Entra ID, Microsoft Entra External ID, and Azure AD B2C tenants. You can perform the following operations:
  • Manage identity providers for external identities, including social identity providers, OIDC, Apple, SAML/WS-Fed, and built-in providers
  • Manage configuration for federated domains and token validation
  • identityProviderBase resource type and its associated APIs
    Invite external users to collaborate with your tenant by using Microsoft Entra External ID invitation resource type and its associated APIs
    Define a group of tenants belonging to your organization and streamline intra-organization cross-tenant collaboration See Multitenant organization API overview
    Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language organizationalBranding resource type and its associated APIs
    User flows for Microsoft Entra External ID in workforce tenants The following resource types and their associated APIs:
  • b2xIdentityUserFlow to configure the base user flow and its properties such as identity providers
  • identityUserFlowAttribute to manage built-in and custom user flow attributes
  • identityUserFlowAttributeAssignment to manage user flow attribute assignments
  • userFlowLanguageConfiguration resource type to configure custom languages for user flows
  • User flows for Microsoft Entra External ID in external tenants The following resource types and their associated APIs:
  • authenticationEventsFlow resource type and its associated APIs
  • identityUserFlowAttribute to manage built-in and custom user flow attributes
  • Manage app consent policies and condition sets permissionGrantPolicy resource type
    Enable or disable security defaults in Microsoft Entra ID identitySecurityDefaultsEnforcementPolicy resource type

    Identity governance

    For more information, see Overview of Microsoft Entra ID Governance using Microsoft Graph.

    Microsoft Entra External ID in external tenants

    The following API use cases ar supported to customize how users interact with your customer-facing applications. For administrators, most of the features available in Microsoft Entra ID and also supported for Microsoft Entra External ID in external tenants. For example, domain management, application management, and conditional access.

    Use cases API operations
    User flows for Microsoft Entra External ID in external tenants and self-service sign-up experiences authenticationEventsFlow resource type and its associated APIs
    Manage identity providers for Microsoft Entra External ID. You can identify the identity providers that are supported or configured in the tenant See identityProviderBase resource type and its associated APIs
    Configuring custom URL domains in Microsoft Entra External ID in external tenants The CustomUrlDomain value for the supportedServices property of domain resource type and its associated APIs
    Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language organizationalBranding resource type and its associated APIs
    Manage identity providers for Microsoft Entra External ID, such as social identities identityProviderBase resoruce type and its associated APIs
    Manage user profiles in Microsoft Entra External ID for customers For more information, see Default user permissions in customer tenants
    Add your own business logic to the authentication experiences by integrating with systems that are external to Microsoft Entra ID authenticationEventListener resource type and customAuthenticationExtension resource type and their associated APIs

    Partner tenant management

    Microsoft Graph also provides the following identity and access capabilities for Microsoft partners in the Cloud Solution Provider (CSP), Value Added Reseller (VAR), or Advisor programs to help manage their customer tenants.

    Use cases API operations
    Manage contracts for the partner with its customers contract resource type and its associated APIs
    Microsoft partners can empower their customers to ensure the partners have least privileged access to their customers' tenants. This feature gives extra control to customers over their security posture while allowing them to receive support from the Microsoft resellers See Granular delegated admin privileges (GDAP) API overview

    Zero Trust

    This feature helps organizations to align their tenants with the three guiding principles of a Zero Trust architecture:

    • Verify explicitly
    • Use least privilege
    • Assume breach

    To find out more about Zero Trust and other ways to align your organization to the guiding principles, see the Zero Trust Guidance Center.

    Licensing

    Microsoft Entra licenses include Microsoft Entra ID Free, P1, P2, and Governance; Microsoft Entra Permissions Management; and Microsoft Entra Workload ID.

    For detailed information about licensing for different features, see Microsoft Entra ID licensing.