Manage Microsoft Entra identity and network access capabilities by using Microsoft Graph

Microsoft Graph provides REST APIs to manage identity and network access capabilities, most of which are available through Microsoft Entra. These APIs help you automate identity and network access management tasks, integrate with applications, and serve as the programmatic alternative to administrator portals such as the Microsoft Entra admin center.

Microsoft Entra is a family of identity and network access solutions that includes the following products. All these capabilities are available through Microsoft Graph APIs:

  • Microsoft Entra ID, which groups the identity and access management (IAM) capabilities
  • Microsoft Entra ID Governance
  • Microsoft Entra External ID
  • Microsoft Entra Verified ID
  • Microsoft Entra Permissions Management (deprecated)
  • Microsoft Entra Internet Access and Network Access

Manage user identities

Users are the main identities in any identity and access solution. You can manage the entire lifecycle of users in your organization, including guests, and their entitlements like licenses or group memberships, using Microsoft Graph APIs. For more information, see Working with users in Microsoft Graph.

Manage groups

Groups are the containers that allow you to efficiently manage the entitlements for identities as a unit. For example, through a group, you can grant users access to a resource, such as a SharePoint site. Or you can grant them licenses to use a service. For more information, see Working with groups in Microsoft Graph.

Manage applications

You can use Microsoft Graph APIs to register and manage your applications programmatically, enabling you to use Microsoft's IAM capabilities. For more information, see Manage Microsoft Entra applications and service principals by using Microsoft Graph.

Manage agents (preview)

Available on beta only.

AI agents require the same identity, access, security, and governance frameworks that are applied to users, applications, and devices in your organization. For more information about using Microsoft Graph APIs to achieve these capabilities for agents, see Microsoft Entra Agent ID APIs in Microsoft Graph overview (preview).


Tenant administration or directory management

A core functionality of identity and access management is managing your tenant configuration, administrative roles, and settings. Microsoft Graph provides APIs to manage your Microsoft Entra tenant for the following scenarios:

| Use cases | API operations |
|---|---|
| Manage administrative units, including the following operations: create administrative units; create and manage members and membership rules of administrative units; assign administrator roles that are scoped to administrative units | administrativeUnit and its associated APIs |
| Retrieve BitLocker recovery keys | bitlockerRecoveryKey and its associated APIs |
| Manage custom security attributes | See Overview of custom security attributes using the Microsoft Graph API |
| Manage deleted directory objects. The functionality to store deleted objects in a "recycle bin" is supported for the following objects: administrative units; applications; external user profiles (available on beta only); groups; pending external user profiles (available on beta only); service principals; users | |
| Manage devices in the cloud | |
| View local administrator credential information for all device objects in Microsoft Entra ID that are enabled with Local Admin Password Solution (LAPS). This feature is the cloud-based LAPS solution. | deviceLocalCredentialInfo and its associated APIs |
| Directory objects are the core objects in Microsoft Entra ID, such as users, groups, and applications. Use the directoryObject resource type and its associated APIs to check memberships of directory objects, track changes for multiple directory objects, or validate that a Microsoft 365 group's display name or mail nickname complies with naming policies. | directoryObject and its associated APIs |
| Manage administrator roles, including the following operations: create custom roles; assign roles to users, groups, or service principals; track changes to role assignments; remove assignees from roles. For just-in-time and time-bound role assignments instead of standing, permanently active assignments, use the Privileged Identity Management APIs for Microsoft Entra roles and groups. | The following resources and their associated APIs: |
| Define the following configurations, which customize the tenant-wide and object-specific restrictions and allowed behavior: settings for Microsoft 365 groups such as guest user access, classifications, and naming policies; password rule settings such as banned password lists and lockout duration; prohibited names for applications, reserved words, and blocking of trademark violations; custom Conditional Access policy URL; consent policies such as user consent requests, group-specific consent, and consent for risky apps | In beta: directorySetting and directorySettingTemplate and their associated APIs. In v1.0: groupSetting and groupSettingTemplate and their associated APIs. For more information, see Overview of group settings. |
| Domain management operations such as: associating a domain with your tenant; retrieving DNS records; verifying domain ownership; external admin takeover of unmanaged domains; associating specific services with specific domains; deleting domains | domain and its associated APIs |
| Manage the profile objects for external users that you're invited to collaborate with via Teams. These APIs are distinct from the invitation APIs for Microsoft Entra External ID B2B collaboration. Available on beta only. | externalUserProfile and pendingExternalUserProfile and their associated APIs |
| Configure and manage staged rollout of specific Microsoft Entra ID features | featureRolloutPolicy and its associated APIs |
| Monitor licenses and subscriptions for the tenant | |
| Manage the policies for Mobile Device Management (MDM) and Mobile Application Management (MAM) autoenrollment for Microsoft Entra joined and registered devices. Available on beta only. | The following resources and their associated APIs: |
| Configure options that are available in Microsoft Entra Cloud Sync, such as preventing accidental deletions and managing group writeback | onPremisesDirectorySynchronization and its associated APIs |
| Manage synchronization settings for directory objects such as users, groups, and organizational contacts between on-premises Active Directory and the cloud. Available on beta only. | onPremisesSyncBehavior and its associated APIs |
| Manage the base settings for your Microsoft Entra tenant | organization and its associated APIs |
| Manage the tenant-wide settings for your Microsoft Entra tenant, such as whether people and item insights are enabled for the organization. Available on beta only. | organizationSettings and its associated APIs |
| Retrieve the organizational contacts that might be synchronized from on-premises directories or from Exchange Online | orgContact and its associated APIs |
| Discover the basic details of other Microsoft Entra tenants by querying with the tenant ID or the domain name | tenantInformation and its associated APIs |
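The table above recommends just-in-time and time-bound role assignments over standing ones. The following added example (not from this page or from Microsoft) shows how a defender can audit that with Microsoft Graph: it reads roleManagement/directory/roleAssignmentScheduleInstances, which lists both direct assignments and Privileged Identity Management activations, and reports the principals that hold a role as a permanent direct assignment. It assumes an access token with the RoleManagement.Read.Directory permission; the sample instances are constructed, and the Global Administrator template ID is the documented fixed value.

```python
"""Report standing (permanent, directly assigned) holders of a privileged Microsoft Entra role.

Added example, not from the page or from Microsoft. Uses the v1.0 endpoint
roleManagement/directory/roleAssignmentScheduleInstances. Requires a token with
RoleManagement.Read.Directory. SAMPLE_INSTANCES below are constructed records.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Template ID of the built-in Global Administrator role (fixed across tenants).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def graph_get_all(path: str, token: str) -> list:
    """GET a Graph collection and follow @odata.nextLink until the collection is exhausted."""
    url = f"{GRAPH}/{path}"
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def fetch_role_instances(token: str, role_id: str) -> list:
    """Pull every assignment schedule instance for one role definition (online call)."""
    query = "$filter=" + urllib.parse.quote(f"roleDefinitionId eq '{role_id}'")
    return graph_get_all(f"roleManagement/directory/roleAssignmentScheduleInstances?{query}", token)


def classify(instance: dict) -> str:
    """Label one instance: 'activated' (PIM just-in-time), 'time-bound', or 'permanent'."""
    if instance.get("assignmentType") == "Activated":
        return "activated"
    if instance.get("endDateTime"):
        return "time-bound"
    return "permanent"


def standing_assignments(instances: list, role_id: str) -> list:
    """Principal IDs that hold role_id as a permanent direct assignment, sorted."""
    return sorted(
        i["principalId"]
        for i in instances
        if i.get("roleDefinitionId") == role_id and classify(i) == "permanent"
    )


# Constructed sample: one permanent admin, one PIM activation, one time-bound
# assignment, and one assignment of an unrelated (placeholder) role.
SAMPLE_INSTANCES = [
    {"principalId": "p-1", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "directoryScopeId": "/",
     "assignmentType": "Assigned", "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": None},
    {"principalId": "p-2", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "directoryScopeId": "/",
     "assignmentType": "Activated", "startDateTime": "2024-05-01T08:00:00Z",
     "endDateTime": "2024-05-01T16:00:00Z"},
    {"principalId": "p-3", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "directoryScopeId": "/",
     "assignmentType": "Assigned", "startDateTime": "2024-05-01T08:00:00Z",
     "endDateTime": "2024-06-01T08:00:00Z"},
    {"principalId": "p-4", "roleDefinitionId": "00000000-0000-0000-0000-000000000000",
     "directoryScopeId": "/", "assignmentType": "Assigned",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": None},
]

if __name__ == "__main__":
    # Offline run over the constructed data; swap in fetch_role_instances(token, GLOBAL_ADMIN_ROLE_ID) for a real tenant.
    for principal in standing_assignments(SAMPLE_INSTANCES, GLOBAL_ADMIN_ROLE_ID):
        print(f"standing Global Administrator assignment: {principal}")
```

Only p-1 is reported: p-2 is a PIM activation that expires the same day, p-3 is a time-bound direct assignment, and p-4 holds a different role. The same check can be run per role by changing the template ID passed to fetch_role_instances.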

Identity and sign-in

| Use cases | API operations |
|---|---|
| Grant, revoke, and retrieve app roles on a resource application for users, groups, or service principals | appRoleAssignment and its associated APIs |
| Configure listeners that monitor events that should trigger or invoke custom logic, typically defined outside Microsoft Entra ID | authenticationEventListener and its associated APIs |
| Manage the authentication methods that are supported in Microsoft Entra ID | See Microsoft Entra authentication methods API overview and Microsoft Entra authentication methods policies API overview |
| Manage the authentication methods, or combinations of authentication methods, that you can apply as a grant control in Microsoft Entra Conditional Access | See Microsoft Entra authentication strengths API overview |
| Manage tenant-wide authorization policies such as: enable SSPR for administrator accounts; enable self-service join for guests; limit who can invite guests; whether users can consent to risky apps; block the use of MSOL; customize the default user permissions; enable identity private preview features; set the guest user permissions to User, Guest User, or Restricted Guest User | authorizationPolicy and its associated APIs |
| Customize the UI/UX in Azure AD B2C using the Identity Experience Framework (IEF). Available on beta only. | trustFrameworkKeySet and trustFrameworkPolicy and their associated APIs |
| Manage the policies for certificate-based authentication in the tenant | certificateBasedAuthConfiguration and its associated APIs |
| Manage Microsoft Entra Conditional Access policies, including network locations such as countries, IP addresses, and compliant networks; evaluate the impact of Conditional Access policies before enforcing them; configure Continuous Access Evaluation (CAE), which allows access tokens to be revoked based on critical events and policy evaluation rather than relying on token expiry based on lifetime (CAE configuration is available on beta only) | The following resources and their associated APIs: |
| Manage cross-tenant access settings, including outbound restrictions, inbound restrictions, tenant restrictions, and cross-tenant synchronization of users in multitenant organizations | See Cross-tenant access settings API overview |
| Manage the user profiles that are shared with you or with external tenants using B2B direct connect, including removing and exporting personal data. Available on beta only. | inboundSharedUserProfile and outboundSharedUserProfile and their associated APIs |
| Configure how and which external systems interact with Microsoft Entra ID during a user authentication session | customAuthenticationExtension and its associated APIs |
| Manage requests against user data in the organization, such as exporting personal data | dataPolicyOperation and its associated APIs |
| Configure the policies for managing Microsoft Entra joined and Microsoft Entra registered devices. Available on beta only. | deviceRegistrationPolicy and its associated APIs |
| Manage the tenant-wide policy that controls whether external users can leave a Microsoft Entra tenant via self-service controls, for example, through the organizations menu of the My Account portal. Available on beta only. | externalIdentitiesPolicy and its associated APIs |
| Force autoacceleration sign-in to skip the username entry screen and automatically forward users to federated sign-in endpoints | homeRealmDiscoveryPolicy and its associated APIs |
| Detect, investigate, and remediate identity-based risks using Microsoft Entra ID Protection, and feed the data into security information and event management (SIEM) tools for further investigation and correlation | See Use the Microsoft Graph identity protection APIs |
| Manage identity providers for Microsoft Entra ID, Microsoft Entra External ID, and Azure AD B2C tenants, including the following operations: manage identity providers for external identities, including social identity providers, OIDC, Apple, SAML/WS-Fed, and built-in providers; manage configuration for federated domains and token validation | identityProviderBase and its associated APIs |
| Define a group of tenants belonging to your organization and streamline intra-organization cross-tenant collaboration | See Multitenant organization API overview |
| Manage the delegated permissions and their assignments to service principals in the tenant | oAuth2PermissionGrant and its associated APIs |
| Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language | organizationalBranding and its associated APIs |
| Configure trusted certificate authorities for certificates that can be assigned to apps and service principals in the tenant | certificateBasedApplicationConfiguration and its associated APIs |
| User flows for Microsoft Entra External ID in workforce tenants | The following resources and their associated APIs: |
| User flows for Azure AD B2C. Available on beta only. | The following resources and their associated APIs: |
| User flows for Microsoft Entra External ID in external tenants | The following resources and their associated APIs: |
| Manage app consent policies and condition sets | permissionGrantPolicy |
| Manage app consent preapproval policies. Available on beta only. | permissionGrantPreApprovalPolicy |
| Enable or disable security defaults in Microsoft Entra ID | identitySecurityDefaultsEnforcementPolicy |
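The authorizationPolicy row above lists the tenant-wide defaults that most often widen the attack surface (who can invite guests, self-service join, user consent, default user permissions, the guest role). The following added example (not from this page or from Microsoft) reads the single policies/authorizationPolicy object and reports settings that depart from a least-privilege baseline. It assumes a token with the Policy.Read.All permission; the property names are those of the v1.0 authorizationPolicy resource, the guestUserRoleId values are the documented role template IDs, and the two sample policies are constructed.

```python
"""Assess a tenant's authorizationPolicy against least-privilege expectations.

Added example, not from the page or from Microsoft. Reads the v1.0 resource
policies/authorizationPolicy (requires Policy.Read.All). Both sample policies
below are constructed.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Documented guestUserRoleId values and what they grant.
GUEST_ROLE_LABELS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "User (same access as members)",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "Guest User",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "Restricted Guest User",
}
GUEST_AS_MEMBER = "a0b1b346-4d3e-4e8b-98f8-753987be4970"
RESTRICTED_GUEST = "2af84b1e-32c8-42b7-82bc-daa82404023b"


def fetch_authorization_policy(token: str) -> dict:
    """Online call: GET the tenant's authorizationPolicy as a dict."""
    req = urllib.request.Request(f"{GRAPH}/policies/authorizationPolicy",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def assess_authorization_policy(policy: dict) -> dict:
    """Return {finding_key: message} for each setting that widens the default attack surface."""
    findings = {}
    if policy.get("allowInvitesFrom") in ("everyone", "adminsGuestInvitersAndAllMembers"):
        findings["guest-invites"] = f"guest invitations allowed from: {policy['allowInvitesFrom']}"
    if policy.get("allowEmailVerifiedUsersToJoinOrganization"):
        findings["self-service-join"] = "email-verified users can self-service join the tenant"
    if policy.get("allowUserConsentForRiskyApps"):
        findings["risky-app-consent"] = "users can consent to apps flagged as risky"
    if not policy.get("blockMsolPowerShell", False):
        findings["msol"] = "legacy MSOnline PowerShell access is not blocked"
    guest_role = policy.get("guestUserRoleId")
    if guest_role == GUEST_AS_MEMBER:
        findings["guest-role"] = f"guest role is '{GUEST_ROLE_LABELS[guest_role]}'"
    perms = policy.get("defaultUserRolePermissions") or {}
    if perms.get("allowedToCreateApps"):
        findings["app-creation"] = "any user can register applications"
    if perms.get("allowedToCreateTenants"):
        findings["tenant-creation"] = "any user can create new tenants"
    # The '...-legacy' consent policy lets users grant any delegated permission to any app.
    if any(pid.endswith("microsoft-user-default-legacy")
           for pid in perms.get("permissionGrantPoliciesAssigned") or []):
        findings["user-consent"] = "users may consent to any app requesting any permission"
    return findings


# Constructed sample: a permissive tenant and a hardened one.
WEAK_POLICY = {
    "allowInvitesFrom": "everyone",
    "allowEmailVerifiedUsersToJoinOrganization": True,
    "allowUserConsentForRiskyApps": True,
    "blockMsolPowerShell": False,
    "guestUserRoleId": GUEST_AS_MEMBER,
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateTenants": True,
        "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"],
    },
}
HARDENED_POLICY = {
    "allowInvitesFrom": "adminsAndGuestInviters",
    "allowEmailVerifiedUsersToJoinOrganization": False,
    "allowUserConsentForRiskyApps": False,
    "blockMsolPowerShell": True,
    "guestUserRoleId": RESTRICTED_GUEST,
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,
        "allowedToCreateTenants": False,
        "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-low"],
    },
}

if __name__ == "__main__":
    # Offline run; replace WEAK_POLICY with fetch_authorization_policy(token) for a real tenant.
    for key, message in assess_authorization_policy(WEAK_POLICY).items():
        print(f"[{key}] {message}")
```

Each finding maps back to one bullet in the authorizationPolicy row; which of them are acceptable is a policy decision per tenant, so the function reports rather than remediates. Changing any of these values requires Policy.ReadWrite.Authorization and a PATCH to the same endpoint.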

Identity governance

For more information, see Overview of Microsoft Entra ID Governance using Microsoft Graph.

Microsoft Entra External ID in external tenants

The following API use cases are supported to customize how users interact with your customer-facing applications. For administrators, most of the features available in Microsoft Entra ID are also supported for Microsoft Entra External ID in external tenants, for example, domain management, application management, and Conditional Access.

| Use cases | API operations |
|---|---|
| User flows for Microsoft Entra External ID in external tenants and self-service sign-up experiences | authenticationEventsFlow and its associated APIs |
| Manage identity providers for Microsoft Entra External ID. You can identify the identity providers that are supported or configured in the tenant | See identityProviderBase and its associated APIs |
| Configure custom URL domains in Microsoft Entra External ID in external tenants | The CustomUrlDomain value for the supportedServices property of domain and its associated APIs |
| Customize sign-in UIs to match your company branding, including applying branding that's based on the browser language or applying app-based branding. Available on beta only. | organizationalBranding and its associated APIs |
| Manage identity providers for Microsoft Entra External ID, such as social identities | identityProviderBase and its associated APIs |
| Sign in with an alias or username. Available on beta only. | signInIdentifierBase and its associated APIs |
| Manage user profiles in Microsoft Entra External ID for customers | For more information, see Default user permissions in customer tenants |
| Add your own business logic to the authentication experiences by integrating with systems that are external to Microsoft Entra ID | authenticationEventListener and customAuthenticationExtension and their associated APIs |
| Integrate with Web Application Firewall providers such as Akamai and Cloudflare. Available on beta only. | webApplicationFirewallProvider and its associated APIs |

Multicloud permissions management (deprecated)

Available on beta only.

For more information, see Discover, remediate, and monitor permissions in multicloud infrastructures using permissions management APIs.

Network access management

Available on beta only.

For more information, see Secure access to cloud, public, and private apps using Microsoft Graph network access APIs.

Partner tenant management

Microsoft Graph also provides the following identity and access capabilities for Microsoft partners in the Cloud Solution Provider (CSP), Value Added Reseller (VAR), or Advisor programs to help manage their customer tenants.

| Use cases | API operations |
|---|---|
| Manage contracts between the partner and its customers | contract and its associated APIs |
| Microsoft partners can empower their customers to ensure the partners have least-privileged access to their customers' tenants. This feature gives customers extra control over their security posture while still allowing them to receive support from Microsoft resellers | See Granular delegated admin privileges (GDAP) API overview |
| Get detections and security alerts for unauthorized party abuse, account takeovers, and anomalous usage of Azure subscriptions in the customer tenants that you're responsible for. Available on beta only. | See Use the partner security alert API in Microsoft Graph |

Identity and access reports

Microsoft Entra records every activity in your tenant and produces reports and audit logs that you can analyze for monitoring, compliance, and troubleshooting. Records of these activities are also available through Microsoft Graph reporting and audit logs APIs, which allow you to analyze the activities with Azure Monitor logs and Log Analytics, or stream to third-party SIEM tools for further investigations. For more information, see Identity and access reports API overview.
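The paragraph above describes pulling audit records through Microsoft Graph and streaming them to a SIEM. The following added example (not from this page or from Microsoft) shows the two pieces a collector needs: composing the auditLogs/directoryAudits request with an activityDateTime filter, and flattening a directoryAudit record (whose modifiedProperties values arrive JSON-encoded) into a single-level event that a detection rule can key on, here illustrated with a role-membership change. It assumes a token with the AuditLog.Read.All permission; the sample record is constructed, and the watched role names are an assumed baseline.

```python
"""Normalize Microsoft Entra directory audit records for SIEM forwarding.

Added example, not from the page or from Microsoft. Targets the v1.0 endpoint
auditLogs/directoryAudits (requires AuditLog.Read.All). SAMPLE_RECORD is a
constructed record shaped like a real directoryAudit entry.
"""
import json
import urllib.parse

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumed baseline of roles whose membership changes should page someone.
WATCHED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def build_audit_query(since_iso: str, category: str = "") -> str:
    """Full URL for audit events at or after since_iso (UTC, ISO 8601), optionally one category."""
    clauses = [f"activityDateTime ge {since_iso}"]
    if category:
        clauses.append(f"category eq '{category}'")
    query = "$filter=" + urllib.parse.quote(" and ".join(clauses)) + "&$orderby=activityDateTime"
    return f"{GRAPH}/auditLogs/directoryAudits?{query}"


def _decode(value):
    """modifiedProperties old/new values are JSON-encoded strings, e.g. '"Global Administrator"'."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def to_siem_event(record: dict) -> dict:
    """Flatten one directoryAudit record into the fields a detection rule keys on."""
    initiated = record.get("initiatedBy") or {}
    actor = ((initiated.get("user") or {}).get("userPrincipalName")
             or (initiated.get("app") or {}).get("displayName"))
    targets = record.get("targetResources") or []
    changes = {}
    for target in targets:
        for prop in target.get("modifiedProperties") or []:
            changes[prop["displayName"]] = {"old": _decode(prop.get("oldValue")),
                                            "new": _decode(prop.get("newValue"))}
    return {
        "time": record.get("activityDateTime"),
        "category": record.get("category"),
        "activity": record.get("activityDisplayName"),
        "result": record.get("result"),
        "actor": actor,
        "targets": [t.get("userPrincipalName") or t.get("displayName") for t in targets],
        "changes": changes,
    }


def is_privileged_role_change(event: dict) -> bool:
    """True when a RoleManagement event adds or removes membership of a watched role."""
    role = (event["changes"].get("Role.DisplayName") or {}).get("new")
    return event["category"] == "RoleManagement" and role in WATCHED_ROLES


# Constructed sample: an administrator adds a user to Global Administrator.
SAMPLE_RECORD = {
    "id": "Directory_<placeholder-id>",
    "category": "RoleManagement",
    "activityDisplayName": "Add member to role",
    "activityDateTime": "2024-05-01T09:12:00Z",
    "result": "success",
    "initiatedBy": {"app": None,
                    "user": {"id": "u-1", "userPrincipalName": "admin@contoso.example"}},
    "targetResources": [{
        "id": "u-2", "displayName": "Jane Doe", "type": "User",
        "userPrincipalName": "jane@contoso.example",
        "modifiedProperties": [
            {"displayName": "Role.DisplayName", "oldValue": None,
             "newValue": "\"Global Administrator\""},
            {"displayName": "Role.TemplateId", "oldValue": None,
             "newValue": "\"62e90394-69f5-4237-9190-012177145e10\""},
        ],
    }],
}

if __name__ == "__main__":
    print(build_audit_query("2024-05-01T00:00:00Z", "RoleManagement"))
    event = to_siem_event(SAMPLE_RECORD)
    print(json.dumps(event, indent=2), "ALERT" if is_privileged_role_change(event) else "info")
```

A collector would page through the URL from build_audit_query (following @odata.nextLink as with any Graph collection), persist the last activityDateTime seen as the next since_iso, and emit one flattened event per record; keying on Role.DisplayName rather than the raw record keeps the SIEM rule independent of the nested targetResources layout.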


Zero Trust

The capabilities described in this article help organizations align their tenants with the three guiding principles of a Zero Trust architecture:

  • Verify explicitly
  • Use least privilege
  • Assume breach

To find out more about Zero Trust and other ways to align your organization to the guiding principles, see the Zero Trust Guidance Center.

Licensing

Microsoft Entra licenses include Microsoft Entra ID Free, P1, P2, and Governance; Microsoft Entra Permissions Management; and Microsoft Entra Workload ID.

For detailed information about licensing for different features, see Microsoft Entra ID licensing.