{
	"id": "ce8a050e-f3fb-4330-965e-dc9a661dc1ed",
	"created_at": "2026-04-06T01:30:32.211483Z",
	"updated_at": "2026-04-10T03:20:23.462345Z",
	"deleted_at": null,
	"sha1_hash": "091fa5d957bfe9e25c29201a8dd9ff4dd443a7d3",
	"title": "Azure AD Graph API Operations Overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83128,
	"plain_text": "Azure AD Graph API Operations Overview\r\nBy JimacoMS\r\nArchived: 2026-04-06 01:12:36 UTC\r\nThe Azure Active Directory (AD) Graph API is an OData 3.0 compliant service that you can use to read and modify objects\r\nsuch as users, groups, and contacts in a tenant. Azure AD Graph API exposes REST endpoints that you send HTTP requests\r\nto in order to perform operations using the service. The following sections provide general information about how to format\r\nrequests and what to expect in responses when you use the Graph API to read and write directory resources, call directory\r\nfunctions or actions, or perform queries against the directory. For more detailed information about performing specific\r\noperations directory resources, see the appropriate operations topic in the Azure AD Graph API reference.\r\nThis article applies to Azure AD Graph API. For similar info related to Microsoft Graph API, see Microsoft Graph overview.\r\nA successful request to the Graph API must be addressed to a valid endpoint and be well-formatted, that is, it must contain\r\nany required headers and, if necessary, a JSON payload in the request body. The app making the request must include a\r\ntoken received from Azure AD that proves that it is authorized to access the resources targeted by the request. The app must\r\nbe able to handle any responses received from the Graph API.\r\nThe sections in this topic will help you understand the format of requests and responses used with the Graph API.\r\nEvery request to the Graph API must have a bearer token issued by Azure Active Directory attached. The token carries\r\ninformation about your app, the signed-in user (in the case of delegated permissions), authentication, and the operations on\r\nthe directory that your app is authorized to perform. This token is carried in the Authorization header of the request. For\r\nexample (the token has been shortened for brevity):\r\nAuthorization: Bearer eyJ0eX ... 
FWSXfwtQ\r\nThe Graph API performs authorization based on OAuth 2.0 permission scopes present in the token. For more information\r\nabout the permission scopes that the Graph API exposes, see Graph API Permission Scopes.\r\nIn order for your app to authenticate with Azure AD and call the Graph API, you must add it to your tenant and configure it\r\nto require permissions (OAuth 2.0 permission scopes) for Windows Azure Active Directory. For information about adding\r\nand configuring an app, see Integrating Applications with Azure Active Directory.\r\nAzure AD uses the OAuth 2.0 authentication protocol. You can learn more about OAuth 2.0 in Azure AD, including\r\nsupported flows and access tokens in OAuth 2.0 in Azure AD.\r\nTo perform operations with the Graph API, you send HTTP requests with a supported method -- typically GET, POST,\r\nPATCH, PUT, or DELETE -- to an endpoint that targets the service, a resource collection, an individual resource, a\r\nnavigation property of a resource, or a function or action exposed by the service. Endpoints are expressed as URLs.\r\nThe following describes the basic format of a Graph API endpoint:\r\nhttps://graph.windows.net/{tenant_id}/{resource_path}?{api_version}\r\nThe following components comprise the URL:\r\nService Root: The service root for all Graph API requests is https://graph.windows.net .\r\nTenant Identifier {tenant_id}: The identifier for the tenant that the request targets.\r\nResource path {resource_path}: The path to the resource -- for example, a user or a group -- that the request targets.\r\nGraph API Version {api_version}: The version of the Graph API targeted by the request. This is expressed as a\r\nquery parameter and is required.\r\nNote: In some cases, when reading resource collections, OData query parameters can be added to the request to filter, order,\r\nand page the result set. 
For more information, see the OData query parameters section in this topic.\r\nYou can specify the target tenant of a request in one of four ways:\r\nBy tenant object ID. The GUID that was assigned when the tenant was created. This can be found in the objectId\r\nproperty of the TenantDetail object. The following URL shows how to address the users resource collection by using\r\nthe tenant object ID:\r\nhttps://graph.windows.net/12345678-9abc-def0-1234-56789abcde/users?api-version=1.6 .\r\nBy verified (registered) domain name. One of the domain names that are registered for the tenant. These can be\r\nfound in the verifiedDomains property of the TenantDetail object. The following URL shows how to address the\r\nusers resource collection of a tenant that has the domain contoso.com:\r\nhttps://graph.windows.net/contoso.com/users?api-version=1.6 .\r\nBy using the myOrganization alias. This alias is only available when using OAuth Authorization Code Grant type\r\n(3-legged) authentication; that is, when using a delegated permission scope. The alias is not case sensitive. It replaces\r\nthe object ID or tenant domain in the URL. When the alias is used, Graph API derives the tenant from the claims\r\npresented in the token attached to the request. The following URL shows how to address the users resource collection\r\nof a tenant using this alias:\r\nhttps://graph.windows.net/myorganization/users?api-version=1.6 .\r\nBy using the me alias. This alias is only available when using OAuth Authorization Code Grant type (3-legged)\r\nauthentication; that is, when using a delegated permission scope. The alias is not case sensitive. It replaces the object\r\nID or tenant domain in the URL. When the alias is used, Graph API derives the user from the claims presented in the\r\ntoken attached to the request. 
The following URL shows how to address the signed-in user using this alias:\r\nhttps://graph.windows.net/me?api-version=1.6 .\r\nNote: You use the me alias solely to target operations against the signed-in user. For more information, see Signed-in User\r\nOperations.\r\nYou specify the {resource_path} differently depending on whether you are targeting a resource collection, an individual\r\nresource, a navigation property of a resource, a function or action exposed on the tenant, or a function or action exposed on a\r\nresource.\r\nTarget Path Explanation\r\nService\r\nMetadata\r\n/$metadata\r\nReturns the service metadata document. The following example t\r\nusing the contoso.com tenant:\r\nhttps://graph.windows.net/contoso.com/$metadata?api-versi\r\nNote: No authentication is necessary to read the service metadata\r\nResource\r\ncollection\r\n/{resource_collection}\r\nTargets a resource collection, such as users or groups in the tenan\r\nread resources in the collection, and, depending on the resource t\r\nresource in the tenant. In many cases the result set returned by a r\r\nrefined by the addition of query parameters to filter, order, or pag\r\nfollowing example targets the user collection:\r\nhttps://graph.windows.net/myorganization/users?api-versio\r\nSingle\r\nresource\r\n/{resource_collection}/{resource_id}\r\nTargets a specific resource in a tenant, such as a user, organizatio\r\nmost resources the resource_id is the object ID. Some resource\r\nspecifiers; for example, users can be also specified by user princi\r\nDepending on the resource, you can use this path to get the decla\r\nresource, to modify its declared properties, or to delete the resour\r\nexample targets the user john@contoso.com:\r\nhttps://graph.windows.net/contoso.com/users/john@contoso.\r\nNavigation\r\nproperty\r\n(objects)\r\n/{resource_collection}/{resource_id}/{property_name}\r\nTargets a navigation property of a specific resource, such as a use\r\nmemberships, or a group's members. 
You can use this path to retu\r\nreferenced by the target navigation property. The following exam\r\nof john@contoso.com:\r\nhttps://graph.windows.net/contoso.com/users/john@contoso.\r\nversion=1.6\r\nNote: This form of addressing is only available for reads.\r\nNavigation\r\nproperty\r\n(links)\r\n/{resource_collection}/{resource_id}/$links/{property_name}\r\nTargets a navigation property of a specific resource, such as a use\r\nmemberships, or a group's members. You can use this form of add\r\nmodify a navigation property. On reads, the objects referenced by\r\nas one or more links in the response body. On writes, the objects\r\nmore links in the request body. The following example targets the\r\njohn@contoso.com:\r\nhttps://graph.windows.net/contoso.com/users/john@contoso.\r\nversion=1.6\r\nFunctions\r\nor actions\r\nexposed\r\n/{function_name} Targets a function or action exposed at the tenant. Functions and\r\ninvoked with a POST Request and may include a request body. T\r\non the\r\ntenant\r\ntargets the isMemberOf function:\r\nhttps://graph.windows.net/myorganization/isMemberOf?api-v\r\nFunctions\r\nor actions\r\nexposed\r\non a\r\nresource.\r\n/{resource_collection}/{resource_id}/{function_name}\r\nTargets a function or action exposed on a resource. Functions and\r\ninvoked with a POST Request and may include a request body. T\r\ntargets the getMemberGroups function:\r\nhttps://graph.windows.net/myorganization/users/john@conto\r\napi-version=1.6 .\r\nYou use the api-version query parameter to target a specific version of the Graph API for an operation. 
This parameter is\r\nrequired.\r\nThe value for the api-version parameter can be one of the following:\r\n\"beta\"\r\n\"1.6\"\r\n\"1.5\"\r\n\"2013/11/08\"\r\n\"2013/04/05\"\r\nFor example, the following URL targets the user collection using Graph API version 1.6:\r\nhttps://graph.windows.net/myorganization/users?api-version=1.6\r\nFor more information about versions and feature changes between versions, see Versioning.\r\nIn many cases when you read a collection of resources, you can filter, sort, and page the result set by attaching OData query\r\nparameters to your request.\r\nThe Graph API supports the following OData query parameters:\r\n$filter\r\n$batch\r\n$expand\r\n$orderby\r\n$top\r\n$skiptoken and previous-page\r\nSee Supported Queries, Filters, and Paging Options for more information about supported OData query parameters and their\r\nlimitations in the Graph API.\r\nThe following table shows common HTTP headers used in requests with the Graph API. It is not meant to be\r\ncomprehensive.\r\nRequest\r\nHeader\r\nDescription\r\nAuthorization\r\nRequired. A bearer token issued by Azure Active Directory. See Authentication and Authorization in\r\nthis topic for more information.\r\nContent-Type\r\nRequired if request body is present. The media type of the content in the request body. Use\r\napplication/json. Parameters may be included with the media type.\r\nNote: application/atom+xml and application/xml (for links) are supported but are not recommended\r\nboth for performance reasons and because support for XML will be deprecated in a future release.\r\nContent-Length\r\nRequired if request body is present. The length of the request in bytes.\r\nThe following table shows common HTTP headers returned in responses by the Graph API. It is not meant to be\r\ncomprehensive.\r\nResponse Header Description\r\nContent-Type\r\nThe media type of the content in the response body. The default is application/json. 
Requests\r\nfor user thumbnail photos return image/jpeg by default.\r\nLocation\r\nReturned in responses to POST requests that create a new resource (object) in the directory.\r\nContains the URI of the newly created resource.\r\nocp-aad-diagnostics-server-name\r\nThe identifier for the server that performed the requested operation.\r\nocp-aad-session-key The key that identifies the current session with the directory service.\r\nAt a minimum, we recommend you do the following for each request:\r\n1. Log an accurate time stamp of the request submission.\r\n2. Send and log the client-request-id .\r\n3. Log the HTTP response code and request-id .\r\nProviding information in such logs will help Microsoft troubleshoot issues when you ask for help or support.\r\nRequest bodies for POST, PATCH, and PUT requests can be sent in JSON or XML payloads. Server responses can be\r\nreturned in JSON or XML payloads. You can specify the payload in request bodies by using the Content-Type request\r\nheader and in responses by using the Accept request header.\r\nWe strongly recommend that you use JSON payloads in requests and responses with the Graph API. This is both for\r\nperformance reasons and because XML will be deprecated in a future release.\r\nThe preceding sections discussed the formatting of basic requests and responses with the Graph API. More advanced\r\nfeatures may add additional query string parameters or have significantly different request and response bodies than the\r\nbasic operations discussed previously in this topic.\r\nThese features include:\r\nBatch Processing: The Graph API supports batching. Sending requests in batches reduces round trips to the server,\r\nwhich reduces network overhead and helps your operations complete more quickly. 
For more information about\r\nbatch processing with the Graph API, see Batch Processing.\r\nDifferential Query: The Graph API supports performing differential queries. Differential query allows you to return\r\nchanges to specific entities in a tenant between requests issued at different times. This feature is often used to sync a\r\nlocal store with changes on the tenant. For more information about differential query with the Graph API, see\r\nDifferential Query.\r\nAzure AD Graph API reference\r\nSource: https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview"
	],
	"report_names": [
		"azure-ad-graph-api-operations-overview"
	],
	"threat_actors": [],
	"ts_created_at": 1775439032,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/091fa5d957bfe9e25c29201a8dd9ff4dd443a7d3.pdf",
		"text": "https://archive.orkl.eu/091fa5d957bfe9e25c29201a8dd9ff4dd443a7d3.txt",
		"img": "https://archive.orkl.eu/091fa5d957bfe9e25c29201a8dd9ff4dd443a7d3.jpg"
	}
}