+The following table shows the properties of the [group](../resources/group.md) resource to specify when you create a group in the administrative unit.

+When creating a new group (without `$ref`), this method returns a `201 Created` response code and a [group](../resources/group.md) object in the response body. The response includes only the default properties of the group. You must supply the `"@odata.type" : "#microsoft.graph.group"` line in the request body to explicitly identify the new member as a group. A request body without the correct @odata.type returns a `400 Bad Request` error message.

+The following example creates a new group in the administrative unit. You must supply the `"@odata.type" : "#microsoft.graph.group"` line in the request body to explicitly identify the new member as a group. A request body without the correct @odata.type returns a `400 Bad Request` error message.

+ "@odata.type": "#microsoft.graph.group",

+> [!NOTE]

+> In general, the `id` of a **teamsApp** resource is generated by the server. It is not the same as the `id` specified in a Teams app manifest, unless its `distributionMethod` is *store*. For other cases, the `id` provided by the developer as part of the Teams app manifest is stamped as the `externalId` in the teamsApp resource.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "create-online-meeting-with-passcode"

+}-->

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+ "blockType": "response",

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "create-online-meeting-without-passcode"

+}-->

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+ "blockType": "response",

+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79

+2015-10-25 14:57:30 UTC -->

+<!--

+{

+ "type": "#page.annotation",

+ "description": "Create onlineMeeting",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": "",

+ "suppressions": [

+ ]

+}

+-->

+For delegated scenarios, the calling user must have the *Global Administrator* [Azure AD role](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles).

+> [!NOTE]

+> Some special characters in the channel name will cause this API to return an error. For details, see [Known issues](/graph/known-issues#create-channel).

+This method supports the `$filter` and `$select` [OData query parameters](/graph/query-parameters) to help customize the response.

+>**Note:** Guest users can't see private or shared channels that they aren't members of in the response for this API.

+This method supports the `$filter` and `$select` [OData query parameters](/graph/query-parameters) to help customize the response.

+| Application | Teamwork.Migrate.All |

+Create a new [channel](../resources/channel.md) in a team, as specified in the request body. When you create a channel, the maximum length of the channel's `displayName` is 50 characters. This is the name that appears to the user in Microsoft Teams.

+You can add a maximum of 200 members when you create a private channel.

+> [!NOTE]

+> Some special characters in the channel name will cause the [Get filesFolder](/graph/api/channel-get-filesfolder) API to return an error. For details, see [Known issues](/graph/known-issues#create-channel).

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+ Title: "cloudPcReports: getSharedUseLicenseUsageReport"

+description: "Get the shared use license usage reports, such as servicePlanId, licenseCount, and claimedLicenseCount, for real-time, 7 days, or 28 days trend."

+ms.localizationpriority: medium

+# cloudPcReports: getSharedUseLicenseUsageReport

+Namespace: microsoft.graph

+Get the shared use license usage reports, such as **servicePlanId**, **licenseCount**, and **claimedLicenseCount**, for real-time, 7 days, or 28 days trend.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | CloudPC.Read.All, CloudPC.ReadWrite.All |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | CloudPC.Read.All, CloudPC.ReadWrite.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /deviceManagement/virtualEndpoint/reports/getSharedUseLicenseUsageReport

+```

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer {token}. Required. |

+| Content-Type | application/json. Required. |

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+| Parameter | Type | Description |

+| : | :- | :- |

+| reportName | String | Specifies the report name. |

+| filter | String | OData filter syntax. Supported filters include `and`, `or`, `lt`, `le`, `gt`, `ge`, and `eq`. |

+| select | String collection | OData select syntax. Represents the selected columns of the reports. |

+| search | String | Specifies a string to search. |

+| groupBy | String collection | Specifies how to group the reports. If used, must have the same content as the **select** parameter. |

+| orderBy | String collection | Specifies how to sort the reports. |

+| skip | Int32 | The number of records to skip. |

+| top | Int32 | The number of top records to return. |

+## Response

+If successful, this action returns a `200 OK` response code and a Stream in the response body.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "cloudpcreportsthis.getSharedUseLicenseUsageReport"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/reports/getSharedUseLicenseUsageReport

+Content-Type: application/json

+Content-length: 199

+{

+ "reportName": "SharedUseLicenseUsageReport",

+ "filter": "ServicePlanId eq '2d1d344e-d10c-41bb-953b-b3a47521dca0' and DateTimeUTC gt datetime'2022-11-30'",

+ "select":["ServicePlanId", "LicenseCount", "ClaimedLicenseCount", "DateTimeUTC"],

+ "skip": 0,

+ "top": 100

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Edm.Stream"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/octet-stream

+{

+ "TotalRowCount": 2,

+ "Schema": [

+ {

+ "name": "ServicePlanId",

+ "type": "String"

+ },

+ {

+ "name": "LicenseCount",

+ "type": "Int32"

+ },

+ {

+ "name": "ClaimedLicenseCount",

+ "type": "Int32"

+ },

+ {

+ "name": "DateTimeUTC",

+ "type": "DateTime"

+ }

+ ],

+ "Values": [

+ [

+ "2d1d344e-d10c-41bb-953b-b3a47521dca0", 100, 10, "2022-12-02T00:00:00"

+ ],

+ [

+ "2d1d344e-d10c-41bb-953b-b3a47521dca0", 100, 11, "2022-12-01T00:00:00"

+ ]

+ ]

+}

+```

+Get a list of all notifications that one or more users can access, from the Microsoft Endpoint Manager admin center.

+Set the status of the specified notification on the Microsoft EndPoint Manager admin center as sent, by modifying the **isPortalNotificationSent** property to `true`.

+ Title: "Delete customers"

+description: "Delete a customers object from Dynamics 365 Business Central."

+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.

+### Request

+The following is an example of the request.

+### Response

+The following is an example of the response.

+This method does not delete the rubric itself and can only be performed by teachers.

+Get the [educationRubric](../resources/educationrubric.md) object attached to an [educationAssignment](../resources/educationassignment.md), if one exists. Only teachers, students, and applications with application permissions can perform this operation.

+Get the properties and relationships of an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+List all the categories associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Get all the [educationAssignmentResource](../resources/educationassignmentresource.md) objects associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+List all the [submissions](../resources/educationsubmission.md) associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Add one or more existing [educationCategory](../resources/educationcategory.md) objects to this [educationAssignment](../resources/educationassignment.md). Only teachers and students can perform this operation.

+Create an [assignment resource](../resources/educationassignmentresource.md). Only teachers can perform this operation.

+You can create the following types of assignment resources:

+Every resource has an **@odata.type** property to indicate which type of resource is being created.

+ "@odata.type": "microsoft.graph.educationTeamsAppResource"

+Attach an existing [educationRubric](../resources/educationrubric.md) object to an [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Remove an [educationCategory](../resources/educationcategory.md) from an [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Create a SharePoint folder to upload feedback files for a given [educationSubmission](../resources/educationsubmission.md). Only teachers can perform this operation.

+Create a SharePoint folder to upload files for a given [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+The teacher determines the resources to upload in the assignment's folder.

+These are the class-level assignment defaults respected by new [assignments](../resources/educationassignment.md) created in the class. Callers can continue to specify custom values on each **assignment** creation if they don't want the default behaviors. Only teachers can perform this operation.

+Get the properties of an [education assignment resource](../resources/educationassignmentresource.md) associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Read the properties and relationships of an [educationAssignmentSettings](../resources/educationassignmentsettings.md) object. Only teachers can perform this operation.

+Delete an existing category. Only teachers can perform this operation.

+Retrieve an [educationCategory](../resources/educationcategory.md) object. Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of assignment objects. Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of [educationCategory](../resources/educationcategory.md) objects. Only teachers can perform this operation.

+Create a new assignment.

+Creates a new [educationCategory](../resources/educationcategory.md) on an [educationClass](../resources/educationclass.md). Only teachers can perform this operation.

+Update the properties of an [educationOutcome](../resources/educationoutcome.md) object. Only teachers can perform this operation.

+Delete an [educationRubric](../resources/educationrubric.md) object. Only teachers can perform this operation.

+Retrieve the properties and relationships of an [educationRubric](../resources/educationrubric.md) object. Only teachers and students can perform this operation.

+Update the properties of an [educationRubric](../resources/educationrubric.md) object. Only teachers can perform this operation.

+Retrieve a particular [submission](../resources/educationsubmission.md). Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of [educationOutcome](../resources/educationoutcome.md) objects. There are four types of outcomes: **educationPointsOutcome**, **educationFeedbackOutcome**, **educationRubricOutcome**, and **educationFeedbackResourceOutcome**. Only teachers, students, and applications with application permissions can perform this operation.

+List the resources associated with a submission. Only teachers, students, and applications with application permissions can perform this operation.

+List the [educationSubmissionResource](../resources/educationsubmissionresource.md) objects that have officially been submitted for grading. Only teachers, students, and applications with application permissions can perform this operation.

+The student who owns the submission cannot change the submitted list without resubmitting the assignment. This is a wrapper around the real resource and can contain a pointer back to the actual assignment resource if this resource was copied from the assignment.

+Only teachers and students can perform this operation.

+The operation will not succeed if the **allowStudentsToAddResources** flag is not set to `true`.

+Trigger the creation of the SharePoint resource folder where all file-based resources (Word, Excel, and so on) should be uploaded for a given submission. Only teachers and students can perform this operation.

+Indicate that a student is done with the work and is ready to hand in the assignment. Only teachers, students, and applications with application permissions can perform this operation.

+Indicate that a student wants to work on the submitted assignment after it was turned in. Only teachers, students, and applications with application permissions can perform this operation.

+Delete an [educationSubmissionResource](../resources/educationsubmissionresource.md) from the submission. Only teachers and students can perform this operation.

+If the resource was copied from the assignment, a new copy of the resource will be created after the current copy is deleted. This allows you to "reset" the resource to its original state. If the resource was not copied from the assignment but was added from the student, the resource is simply deleted.

+Retrieve the properties of a specific resource associated with a [submission](../resources/educationsubmissionresource.md). Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a [submitted resource](../resources/educationsubmissionresource.md). Only teachers, students, and applications with application permissions can perform this operation.

+Returns a list of assignments assigned to a user for all classes. Only teachers, students, and applications with application permissions can perform this operation.

+ "includeTargets": [],

+ "excludeTargets": []

+In the following example, the pre-defined **customAccessPackageWorkflowExtension** object is triggered when an access package assigned request is created and when it's granted. The identifier provided within the **customExtension** field is the **customAccessPackageWorkflowExtension** object's ID.

+ "id": "219f57b6-7983-45a1-be01-2c228b7a43f8"

+ ],

+ "excludeTargets": []

+An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code.

+An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code. For example, `/groups/{id}}/members/microsoft.graph.group` when the group is a Microsoft 365 group will return this error, because Microsoft 365 groups cannot have other groups as members.

+Get a list of the group's members. A group can different object types as members. For more information about supported member types for different groups, see [Group membership](../resources/groups-overview.md#group-membership).

+This operation is transitive and returns a flat list of all nested members. An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code.

+ An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code. For example, `/groups/{id}}/transitiveMembers/microsoft.graph.group` when the group is a Microsoft 365 group will return this error, because Microsoft 365 groups cannot have other groups as members.

+ "blockType": "response"

+A group with **isAssignableToRole** property set to `true` cannot be of dynamic membership type, its **securityEnabled** must be set to `true`, and **visibility** can only be `Private`.

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+|displayName|String|A unique string that identifies the `customTaskExtension`.|

+>- The **attendanceRecords** property does not return information about a breakout room.

+ "excludeTargets": [],

+ "isSoftwareOathEnabled": true,

+You can retrieve meeting information via JoinWebUrl by using either a user or application token. This option is available to support use cases where the meeting ID isn't known but the JoinWebUrl is, such as when a user creates a meeting (for example in the Microsoft Teams client), and a separate application needs to retrieve meeting details as a follow-up action.

+The following is an example of a request that uses a user (delegated) token.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "get-an-online-meeting-by-joinmeetingid"

+} -->

+```msgraph-interactive

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+> **Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.onlineMeeting"

+} -->

+```http

+HTTP/1.1 200 OK

+Content-Type: application/json

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+POST /users/{userId|userPrincipalName}/contacts/{contactId}/extensions

+| Delegated (work or school account) | Tasks.ReadWrite, Group.ReadWrite.All |

+The following table shows the properties that are required when you create a [plannerPlan](../resources/plannerplan.md).

+|Property|Type|Description|

+|:|:|:|

+|container|[plannerPlanContainer](../resources/plannerplancontainer.md)|Identifies the container of the plan. Specify only the **url**, the **containerId** and **type**, or all properties. After it is set, this property canΓÇÖt be updated.|

+|title|String|The title of the plan.|

+If successful, this method returns a `201 Created` response code and a [plannerPlan](../resources/plannerplan.md) object in the response body.

+This method can return any of the [HTTP status codes](/graph/errors). The most common errors that apps should handle for this method are the 400, 403, and 404 responses. For more information about these errors, see [Common Planner error conditions](../resources/planner-overview.md#common-planner-error-conditions).

+The following is an example of the request.

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+If successful, this method returns a `200 OK` response code and a [plannerAssignedToTaskBoardTaskFormat](../resources/plannerassignedtotaskboardtaskformat.md) object in the response body.

+### Request

+The following is an example of the request.

+### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+ Title: "presence: setStatusMessage"

+description: "Set a presence status message for a user."

+ms.localizationpriority: medium

+# presence: setStatusMessage

+Namespace: microsoft.graph

+Set a presence status message for a user. An optional expiration date and time can be supplied.

+## Permissions

+The following permission is required to call the API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | Presence.ReadWrite |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | Not supported. |

+## HTTP Request

+<!-- { "blockType": "ignored" } -->

+```http

+POST /users/{userId}/presence/setStatusMessage

+```

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer {token}. Required. |

+| Content-Type | application/json. Required. |

+## Request body

+In the request body, provide a JSON object with the following parameters.

+| Parameter | Type | Description |

+| | |- |

+| `statusMessage` | [microsoft.graph.presenceStatusMessage](../resources/presencestatusmessage.md) |It can be set to display the presence status message of a user. |

+## Response

+If successful, this method returns a `200 OK` response code.

+## Examples

+### Example 1: Set status message with expiry date

+The following request sets the presence status message as "Hey I'm currently in a meeting." for user `fa8bf3dc-eca7-46b7-bad1-db199b62afc3`, with the expiration on `2022-10-18 at 17:05:33.2079781 Pacific Standard Time`.

+#### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "setstatusmessage"

+}-->

+```http

+POST https://graph.microsoft.com/beta/users/fa8bf3dc-eca7-46b7-bad1-db199b62afc3/presence/setStatusMessage

+Content-Type: application/json

+{

+ "statusMessage": {

+ "message": {

+ "content": "Hey I'm currently in a meeting.",

+ "contentType": "text"

+ },

+ "expiryDateTime": {

+ "dateTime": "2022-10-18T17:05:33.2079781",

+ "timeZone": "Pacific Standard Time"

+ }

+ }

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+<!-- {

+ "blockType": "response",

+ "name": "setstatusmessage",

+ "truncated": true

+} -->

+```http

+HTTP/1.1 200 OK

+```

+### Example 2: Get status message of another user

+The following request sets the presence status message as "Hey I'm currently in a meeting." for user `fa8bf3dc-eca7-46b7-bad1-db199b62afc3`. Then presence for user `fa8bf3dc-eca7-46b7-bad1-db199b62afc3` is obtained on behalf of other user via a [getPresence](presence-get.md) request.

+#### Set status message: request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "setstatusmessage-another-user"

+}-->

+```http

+POST https://graph.microsoft.com/beta/users/fa8bf3dc-eca7-46b7-bad1-db199b62afc3/presence/setStatusMessage

+Content-Type: application/json

+{

+ "statusMessage": {

+ "message": {

+ "content": "Hey I am available now",

+ "contentType": "text"

+ }

+ }

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Set status message: response

+<!-- {

+ "blockType": "response",

+ "name": "setstatusmessage-another-user",

+ "truncated": true

+} -->

+```http

+HTTP/1.1 200 OK

+```

+#### Get another user presence: request

+This request should be executed on behalf of another user.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "setstatusmessage-another-user-get-presence"

+}-->

+```msgraph-interactive

+GET https://graph.microsoft.com/beta/users/fa8bf3dc-eca7-46b7-bad1-db199b62afc3/presence

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Get another user presence: response

+Since this presence request does not qualify as a [self presence](presence-get.md#example-1-get-your-own-presence-information) request, `statusMessage.expiryDateTime` and `statusMessage.publishedDateTime` properties are not included in the response body.

+<!-- {

+ "blockType": "response",

+ "name": "setstatusmessage-another-user-get-presence",

+ "@odata.type": "microsoft.graph.presence",

+ "truncated":"true"

+} -->

+```http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "id": "fa8bf3dc-eca7-46b7-bad1-db199b62afc3",

+ "availability": "Available",

+ "activity": "Available",

+ "outOfOfficeSettings": {

+ "message": null,

+ "isOutOfOffice": false

+ },

+ "statusMessage": {

+ "message": {

+ "content": "Hey I am available now",

+ "contentType": "text"

+ }

+ }

+}

+```

+ Title: "List printConnectors"

+description: "Retrieve a list of connectors."

+|Delegated (personal Microsoft account)|Not supported.|

+|Application| Not supported. |

+The following operators are not supported: `$count`, `$search`, `$filter`.

+If successful, this method returns a `200 OK` response code and a collection of [printConnector](../resources/printconnector.md) objects in the response body.

+| Delegated (work or school account) | Mail.Read, Calendars.Read, Files.Read.All, Sites.Read.All, ExternalItem.Read.All, Acronym.Read.All, Bookmark.Read.All, ChannelMessage.Read.All, Chat.Read, QnA.Read.All |

+Delete Microsoft Teams messages contained in a [eDiscovery search](../resources/security-ediscoverysearch.md).

+ "customTags": [

+# Create comment

+|customTags|String collection|Array of custom tags associated with an incident.|

+ "customTags": [

+ "customTags": [

+#### Request

+#### Response

+ "customTags": [

+### Example 2: List all incidents with their alerts

+#### Request

+#### Response

+This is the method for advanced hunting in Microsoft 365 Defender. This method includes a query in Kusto Query Language (KQL). It specifies a data table in the [advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide&preserve-view=true) and a piped sequence of operators to filter or search that data, and format the query output in specific ways.

+Find out more about [hunting for threats across devices, emails, apps, and identities](/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide&preserve-view=true). Learn about [KQL](/azure/data-explorer/kusto/query/).

+For information on using advanced hunting in the [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-worldwide&preserve-view=true), see [Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide&preserve-view=true).

+- Looks into the [DeviceProcessEvents](/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide&preserve-view=true) table in the advanced hunting schema.

+Add an owner for the [servicePrincipal](../resources/serviceprincipal.md). Service principal owners can be users, the service principal itself, or other service principals.

+ Title: "sitepage: getWebPartsByPosition"

+description: "Get a collection of webParts by position information"

+# sitepage: getWebPartsByPosition

+ ],

+ "excludeTargets": []

+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.

+The following is an example of the response

+ "truncated": true

+HTTP/1.1 204 No Content

+ Title: "Delete softwareOathAuthenticationMethodConfiguration"

+description: "Delete a softwareOathAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Delete softwareOathAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Revert the [third-party software Oath authentication method policy](../resources/softwareoathauthenticationmethodconfiguration.md) to its default configuration.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "delete_softwareoathauthenticationmethodconfiguration"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+### Response

+The following is an example of the response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Get softwareOathAuthenticationMethodConfiguration"

+description: "Read the properties and relationships of a softwareOathAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Get softwareOathAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Read the properties and relationships of a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object, which represents the third-party software OATH authentication method policy for the Azure AD tenant.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.Read.All, Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.Read.All, Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Global Reader

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "get_softwareoathauthenticationmethodconfiguration"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.softwareOathAuthenticationMethodConfiguration"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": {

+ "@odata.type": "#microsoft.graph.softwareOathAuthenticationMethodConfiguration",

+ "id": "SoftwareOath",

+ "state": "enabled",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false

+ }

+ ],

+ "excludeTargets": []

+ }

+}

+```

+ Title: "Update softwareOathAuthenticationMethodConfiguration"

+description: "Update the properties of a softwareOathAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Update softwareOathAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Update the properties of a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object, which represents the third-party software OATH authentication method policy for the Azure AD tenant.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object with the values of fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.

+For the list of properties, see [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md).

+>**Note:** The `@odata.type` property with a value of `#microsoft.graph.softwareOathAuthenticationMethodConfiguration` must be included in the body.

+## Response

+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "update_softwareoathauthenticationmethodconfiguration"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.softwareOathAuthenticationMethodConfiguration",

+ "state": "disabled"

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+### Response

+The following is an example of the response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+The following is an example of a request.

+### Response

+The following is an example of the response.

+The following is an example of a request.

+The following is an example of the response.

+ ],

+ "excludeTargets": []

+If the caller does not have the permission to read properties for some of the objects included in the result set, the response will follow the [limited information returned for inaccessible member objects](/graph/permissions-overview#limited-information-returned-for-inaccessible-member-objects) pattern.

+ Title: "Get user"

+# Get user

+### Example 5: Use `$filter` to retrieve specific users based on a property value

+This example shows how to use the `$filter` query parameter along with the `endswith` clause to retrieve a user with a specific value in the **mail** attribute. This request filters and returns all users with a mail address ending with contoso.com.

+#### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "get_user_filter"

+} -->

+```msgraph-interactive

+GET https://graph.microsoft.com/beta/users?$count=true&ConsistencyLevel=eventual&$filter=endsWith(mail,'@contoso.com')

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.user",

+ "name": "get_user_filter"

+} -->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#users",

+ "@odata.count": 1350,

+ "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$count=true&$filter=endsWith(mail,'@contoso.com')&ConsistencyLevel=eventual&$skiptoken=m~AQAnOzEyN2NjN2I3NTQzYzQ0YzA4NjlhYjU5MzUzYmNhNGI2OzswOzA7",

+ "value": [

+ {

+ "businessPhones": [],

+ "displayName": "Phantom Space",

+ "givenName": "Space",

+ "jobTitle": null,

+ "mail": "Space.Phantom@cloudezzy.com",

+ "mobilePhone": null,

+ "officeLocation": null,

+ "preferredLanguage": null,

+ "surname": "Phantom",

+ "userPrincipalName": "Space.Phantom@contoso.com",

+ "id": "00111916-c5c5-4dd2-9e31-aab96af7511e"

+ }

+ ]

+}

+```

+### Example 6: Get the value of a schema extension for a user

+The following is an example of the request.

+The following is an example of the response.

+The following is an example of the response.

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+# [Go](#tab/go)

+# [PHP](#tab/php)

+# [Go](#tab/go)

+# [PHP](#tab/php)

+ "supportedSolution": "windows365",

+ "regionGroup": "usCentral"

+ Title: "Delete voiceAuthenticationMethodConfiguration"

+description: "Delete a voiceAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Delete voiceAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Revert the [voice call authentication method policy](../resources/voiceauthenticationmethodconfiguration.md) to its default configuration.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "delete_voiceauthenticationmethodconfiguration"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+### Response

+The following is an example of the response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Get voiceAuthenticationMethodConfiguration"

+description: "Read the properties and relationships of a voiceAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Get voiceAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Read the properties and relationships of a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.Read.All, Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.Read.All, Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Global Reader

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "get_voiceauthenticationmethodconfiguration"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.voiceAuthenticationMethodConfiguration"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": {

+ "@odata.type": "#microsoft.graph.voiceAuthenticationMethodConfiguration",

+ "id": "Voice",

+ "state": "enabled",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false

+ }

+ ],

+ "excludeTargets": [],

+ "isOfficePhoneAllowed": "true"

+ }

+}

+```

+ Title: "Update voiceAuthenticationMethodConfiguration"

+description: "Update the properties of a voiceAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Update voiceAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Update the properties of a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object, which represents the voice call authentication method policy for the Azure AD tenant.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [voiceAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object with the values of fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.

+For the list of properties, see [voiceAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md).

+>**Note:** The `@odata.type` property with a value of `#microsoft.graph.voiceAuthenticationMethodConfiguration` must be included in the body.

+## Response

+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "update_voiceauthenticationmethodconfiguration"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.voiceAuthenticationMethodConfiguration",

+ "isOfficePhoneAllowed": "false"

+}

+```

+# [JavaScript](#tab/javascript)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+### Response

+The following is an example of the response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+# [HTTP](#tab/http)

+```msgraph-interactive

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [HTTP](#tab/http)

+```msgraph-interactive

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PHP](#tab/php)

+The following table shows the properties that can be set when you update a [deployment](../resources/windowsupdates-deployment.md).

+### Example 1: Pause a deployment

+In this example, the deployment is paused by updating the **requestedValue** of the deployment **state**.

+The following is an example of a request.

+The following is an example of the response.

+### Example 2: Update deployment settings to add a monitoring rule

+In this example, the **settings** property of the deployment is updated to add a monitoring rule.

+The following is an example of a request.

+The following is an example of the response.

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+ ],

+ "excludeTargets": []

+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from a policy.|

+|policyMigrationState|authenticationMethodsPolicyMigrationState|The state of migration of the authentication methods policy from the legacy multifactor authentication and self-service password reset (SSPR) policies. The possible values are: <br/><li>`premigration` - means the authentication methods policy is used for authentication only, legacy policies are respected. <li>`migrationInProgress` - means the authentication methods policy is used for both authenication and SSPR, legacy policies are respected. <li>`migrationComplete` - means the authentication methods policy is used for authentication and SSPR, legacy policies are ignored. <li>`unknownFutureValue` - Evolvable enumeration sentinel value. Do not use. |

+|reconfirmationInDays|Int32|Days before the user will be asked to reconfirm their method. |

+description: "A collection of groups that are enabled to use an authentication method as part of an authentication method policy."

+A collection of groups that are enabled to use an authentication method as part of an authentication method policy in Azure AD. Inherits from [entity](entity.md).

+|targetType|authenticationMethodTargetType| Possible values are: `group`, and `unknownFutureValue`. From December 2022, targeting individual users using `user` is no longer recommended. Existing targets will remain but we recommend to move the individual users to a targeted group.|

+| Manage devices registered in the organization. Devices are registered to users and include items like laptops, desktops, tablets, and mobile phones. Devices are typically created in the cloud using the Device Registration Service or by Microsoft Intune. They're used by conditional access policies for multifactor authentication. | [device](../resources/device.md) | [Getting started with Azure Active Directory device registration](/mem/intune/enrollment/).<br/><br/>[What is Intune?](/mem/intune/fundamentals/what-is-intune)<br/><br/>[Enroll devices for management in Intune](/mem/intune/enrollment/) |

+|Set up rules to alert issues on the Microsoft Endpoint Manager admin center with provisioning Cloud PCs, uploading Cloud PC images, and checking Azure network connections. |[alertRecord](devicemanagement-alertrecord.md), [alertRule](devicemanagement-alertrule.md) | [Alert monitoring API](devicemanagement-monitoring.md) |

+| Method | Return type | Description |

+| : | : | : |

+| [Create cloudPcExportJob](../api/cloudpcreports-post-exportjobs.md) | [cloudPcExportJob](../resources/cloudpcexportjob.md) | Create a new [cloudPcExportJob](../resources/cloudpcexportjob.md) object. |

+| [Get cloudPcExportJob](../api/cloudpcexportjob-get.md) | [cloudPcExportJob](../resources/cloudpcexportjob.md) | Read the properties and relationships of a [cloudPcExportJob](../resources/cloudpcexportjob.md) object. |

+| Property | Type | Description |

+| :-- | :- | :-- |

+| expirationDateTime | DateTimeOffset | The date and time when the export job expires. |

+| exportJobStatus | [cloudPcExportJobStatus](#cloudpcexportjobstatus-values) | The status of the export job. The possible values are: `notStarted`, `inProgress`, `completed`, `unknownFutureValue`. Read-only. |

+| exportUrl | String | The storage account URL of the exported report. It can be used to download the file. |

+| filter | String | The filter applied on the report. |

+| format | String | The format of the exported report. |

+| id | String | The unique identifier for the report. Read-only. |

+| reportName | [cloudPcReportName](#cloudpcreportname-values) | The report name. The possible values are: `remoteConnectionHistoricalReports`, `dailyAggregatedRemoteConnectionReports`, `totalAggregatedRemoteConnectionReports`, `unknownFutureValue`. |

+| requestDateTime | DateTimeOffset | The date and time when the export job was requested. |

+| select | String collection | The selected columns of the report. |

+| Member | Description |

+| :-- | :- |

+| notStarted | The export job doesn't start yet. |

+| inProgress | The export job is in progress. |

+| completed | The export job is completed with export URL returned. |

+| failed | The export job has failed. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+| Member | Description |

+| :- | : |

+| remoteConnectionHistoricalReports | The historical remote connections report. |

+| dailyAggregatedRemoteConnectionReports | The daily aggregated remote connections report. |

+| totalAggregatedRemoteConnectionReports | The total aggregated remote connections report. |

+| sharedUseLicenseUsageReport | Indicates daily/hourly aggregated shared use license usage report. |

+| sharedUseLicenseUsageRealTimeReport | Indicates real-time data for shared use license usage. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+## Relationships

+None.

+ "expirationDateTime": "String (timestamp)",

+ "exportJobStatus": "String",

+ "exportUrl": "String",

+ "filter": "String",

+ "format": "String",

+ "requestDateTime": "String (timestamp)",

+ ]

+|managedBy|[cloudPcManagementService](#cloudpcmanagementservice-values)|Specifies which services manage the Azure network connection. Possible values are: `windows365`, `devBox`, `rpaBox`, `unknownFutureValue`. Read-only.|

+| Member | Description |

+|:-|:|

+| windows365 | Azure network connection was successfully created through Windows365. |

+| devBox | Azure network connection was successfully created through Project Fidalgo. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+| rpaBox | The Azure network connection was successfully created through the Power Automate project. |

+|managedBy|[cloudPcManagementService](../resources/cloudpconpremisesconnection.md#cloudpcmanagementservice-values)|Specifies which services manage the Azure network connection. Possible values are: `windows365`, `devBox`, `rpaBox`, `unknownFutureValue`. Read-only.|

+|[getSharedUseLicenseUsageReport](../api/cloudpcreports-getshareduselicenseusagereport.md)|Stream|Get the shared use license usage reports, such as **servicePlanId**, **licenseCount**, and **claimedLicenseCount**, for real-time, 7 days, or 28 days trend.|

+| Property | Type | Description |

+|: |: |: |

+|regionGroup|[cloudPcRegionGroup](#cloudpcregiongroup-values)|The geographic group this region belongs to. Multiple regions can belong to one region group. For example, the `europeUnion` region group contains the Northern Europe and Western Europe regions. A customer can select a region group when provisioning a Cloud PC; however, the Cloud PC will be put under one of the regions under the group based on resource capacity. The region with more quota will be chosen. Possible values are: `default`, `australia`, `canada`, `usCentral`, `usEast`, `usWest`, `france`, `germany`, `europeUnion`, `unitedKingdom`, `japan`, `asia`, `india`, `southAmerica`, `euap`, `usGovernment`, `usGovernmentDOD`, `norway`, `switzerland`，`southKorea`, `unknownFutureValue`. Read-only.|

+|supportedSolution|[cloudPcManagementService](../resources/cloudpconpremisesconnection.md#cloudpcmanagementservice-values)|The supported service or solution for the region. The possible values are: `windows365`, `devBox`, `rpaBox`, `unknownFutureValue`. Read-only.|

+### cloudPcRegionGroup values

+| Member | Description |

+|:-|:--|

+| default | The region belongs to the default region group. |

+| australia | The region belongs to the region group: Australia. |

+| canada | The region belongs to the region group: Canada. |

+| usCentral | The region belongs to the region group: Central US. |

+| usEast | The region belongs to the region group: East US. |

+| usWest | The region belongs to the region group: West US. |

+| france | The region belongs to the region group: France. |

+| germany | The region belongs to the region group: Germany. |

+| europeUnion | The region belongs to the region group: European Union. |

+| unitedKingdom | The region belongs to the region group: United Kingdom. |

+| japan | The region belongs to the region group: Japan. |

+| asia | The region belongs to the region group: Asia. |

+| india | The region belongs to the region group: India. |

+| southAmerica | The region belongs to the region group: South America. |

+| euap | The region belongs to the region group: Early Update Access Program. |

+| usGovernment | The region belongs to the region group: US Government. |

+| usGovernmentDOD | The region belongs to the region group: US Government Department of Defense (DOD). |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+| norway | The region belongs to the region group: Norway. |

+| switzerland | The region belongs to the region group: Switzerland. |

+| southKorea | The region belongs to the region group: South Korea. |

+ "regionGroup": "String",

+|aggregationType|[microsoft.graph.deviceManagement.aggregationType](../resources/devicemanagement-ruleThreshold.md#aggregationtype-values)|The aggregation type of the impact. The possible values are: `count`, `percentage`, `affectedCloudPcCount`, `affectedCloudPcPercentage`, `unknownFutureValue`. |

+|value|Int32|The number value of the impact. For the aggregation types of `count` and `affectedCloudPcCount`, the value indicates the number of affected instances. For example, `6 affectedCloudPcCount` means that 6 Cloud PCs are affected. For the aggregation types of `percentage` and `affectedCloudPcPercentage`, the value indicates the percent of affected instances. For example, `12 affectedCloudPcPercentage` means that 12% of Cloud PCs are affected. |

+Represents the record of an alert event in the Microsoft Endpoint Manager admin center triggered by an [alertRule](devicemanagement-alertrule.md).

+When the threshold of an **alertRule** is reached, an **alertRecord** is generated and stored, and administrators receive notifications via defined notification channels.

+For more information, see the [monitoring](devicemanagement-monitoring.md) resource.

+|[getPortalNotifications](../api/devicemanagement-alertrecord-getportalnotifications.md)|[microsoft.graph.deviceManagement.portalNotification](../resources/devicemanagement-portalnotification.md) collection|Get a list of all portal notifications that one or more users can access, from the Microsoft Endpoint Manager admin center.|

+|[setPortalNotificationAsSent](../api/devicemanagement-alertrecord-setportalnotificationassent.md)|None|Set the status of the specified notification on the Microsoft EndPoint Manager admin center as sent.|

+|alertImpact|[microsoft.graph.deviceManagement.alertImpact](../resources/devicemanagement-alertimpact.md)|The impact of the alert event. Consists of a number followed by the aggregation type. For example, `6 affectedCloudPcCount` means that 6 Cloud PCs are affected. `12 affectedCloudPcPercentage` means 12% of Cloud PCs are affected.|

+Represents a rule that an IT administrator with the appropriate roles can configure to monitor issues and trigger alerts on the Microsoft Endpoint Manager admin center.

+When the threshold of an **alertRule** is reached, an [alertRecord](devicemanagement-alertrecord.md) is generated and stored, and administrators receive notifications via defined notification channels.

+For more information, see the [monitoring](devicemanagement-monitoring.md) resource.

+|isSystemRule|Boolean|Indicates whether the rule is a system rule. If `true`, the rule is a system rule; otherwise, the rule is a custom defined rule and can be edited. System rules are built-in and only a few properties can be edited.|

+|threshold|[microsoft.graph.deviceManagement.ruleThreshold](../resources/devicemanagement-rulethreshold.md)|The conditions to send alerts. For example, send alert when provisioning has failed for greater than or equal to 6 Cloud PCs.|

+description: "Represents the entry point entity type to access all resources related to alerts in the Microsoft Endpoint Manager admin center."

+Represents the entry point to access all resources related to alerts in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).

+The alert monitoring API provide a programmatic alert experience in the Microsoft Endpoint Manager admin center. A Microsoft Endpoint Manager admin can create an [alert rule](devicemanagement-alertrule.md) with preferred notification channels, and receive alerts when conditions set as thresholds in alert rules are met. Notification channels may include email and Microsoft Endpoint Manager admin center notifications. Each alert is recorded as an [alert record](devicemanagement-alertrecord.md). Admins can review alert records to learn about alert impact, severity, status, and more.

+Only the role of Windows 365 admin has access to the alert monitoring API. Admins also need a role of global admin, Intune admin, or Cloud PC admin to successfully make API calls.

+> [!Note]

+> Currently this API set supports only [Windows 365](/windows-365/overview) and Cloud PC scenarios. It allows admins to set up rules to alert issues with provisioning Cloud PCs, uploading Cloud PC images, and checking Azure network connections.

+>

+> Have a different scenario that can use additional programmatic alert support on the Microsoft Endpoint Manager admin center? [Suggest the feature or vote for existing feature requests](https://developer.microsoft.com/en-us/graph/support).

+Represents the portal notification associated with the [alert record](devicemanagement-alertrecord.md) of a user.

+|isPortalNotificationSent|Boolean|`true` if the portal notification has already been sent to the user; `false` otherwise.|

+Represents details about the threshold settings of an [alert rule](devicemanagement-alertrule.md).

+ Title: "accounts resource type"

+description: "Represents an account object in Dynamics 365 Business Central."

+|blocked|Boolean|Specifies that entries cannot be posted to the G/L account. `True` indicates that the account is blocked and posting is not allowed.|

+|category|String|Specifies the category of the G/L account. Maximum size is 20.|

+|displayName|String|Specifies the name of the G/L account. Maximum size is 50.|

+|id|GUID|The unique identifier for the account.|

+|lastModifiedDateTime|Datetime|The date and time when the account was last modified.|

+|number|String |Specifies the number of the G/L account. Maximum size is 20.|

+|subCategory|String|Specifies the subcategory of the account category of the G/L account. Maximum size is 80.|

+None.

+The following is a JSON representation of the resource.

+ "blocked": "Boolean",

+ "category": "String",

+ "displayName": "String",

+ "lastModifiedDateTime": "Datetime"

+ "number": "String",

+ "subCategory": "String"

+Represents a [payment term](../resources/dynamics-paymentterms.md) in Dynamics 365 Business Central.

+|[Get paymentTerms](../api/dynamics-paymentterms-get.md) |**paymentTerms**|Get a payment terms object. |

+|[Post paymentTerms](../api/dynamics-create-paymentterms.md) |**paymentTerms**|Create a payment terms object.|

+|[Patch paymentTerms](../api/dynamics-paymentterms-update.md) |**paymentTerms**|Update a payment terms object.|

+|[Delete paymentTerms](../api/dynamics-paymentterms-delete.md)|none |Delete a payment terms object.|

+|calculateDiscountOnCreditMemos|Boolean |Specifies whether the discount should be applied to credit memos. `True` indicates a discount will be given; `false`* indicates a discount will not be given.|

+|displayName |string |Specifies the payment term display name. |

+|dueDateCalculation |string |Specifies the formula that is used to calculate the date that a payment must be made.|

+|id |GUID |The unique identifier for the **paymentTerms**. Non-editable. |

+|lastModifiedDateTime |datetime|The date and time when the **paymentTerms** were last modified. Read-Only.|

+None.

+The following is a JSON representation of the resource.

+ "calculateDiscountOnCreditMemos": "boolean",

+ "displayName": "string",

+ "dueDateCalculation": "string",

+ "id": "GUID",

+description: "An abstract type that represents the base class for all education-related resource objects in a system."

+An abstract type that represents the base class for all education-related resource objects in a system.

+Base type of [educationExcelResource](../resources/educationexcelresource.md), [educationFileResource](../resources/educationfileresource.md), [educationLinkResource](../resources/educationlinkresource.md), [educationPowerPointResource](../resources/educationpowerpointresource.md), [educationWordResource](../resources/educationwordresource.md), [educationMediaResource](../resources/educationmediaresource.md), [educationExternalResource](../resources/educationexternalresource.md), and [educationTeamsAppResource](../resources/educationteamsappresource.md).

+description: "Corresponds to an installed Microsoft Teams app."

+Corresponds to an [installed Microsoft Teams app](teamsappinstallation.md). This allows education service users to create and share assignments with embedded Teams applications, such as YouTube or Flip.

+For information about using Flip for education on Microsoft Teams, see [introduction to Flip](/training/educator-center/product-guides/flip).

+Inherits from [educationResource](educationresource.md).

+| Property | Type | Description |

+|:|:|:--|

+| appIconWebUrl | String | URL that points to the icon of the app. |

+| appId | String | Teams app ID of the application. |

+| createdBy | [identitySet](identityset.md) | Identity of the user who created this resource. Inherited from **educationResource**. |

+| createdDateTime | DateTimeOffset | The date and time when the resource was added. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from **educationResource**. |

+| displayName | String | The display name of the resource. Inherited from **educationResource**. |

+| lastModifiedBy | [identitySet](identityset.md) | Identity of the user who last modified the resource. Inherited from **educationResource**. |

+| lastModifiedDateTime | DateTimeOffset | The date and time when the resource was last modified. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from **educationResource**. |

+| teamsEmbeddedContentUrl | String | URL for the app resource that will be opened by Teams. |

+| webUrl | String | URL for the app resource that can be opened in the browser. |

+ "appIconWebUrl": "String",

+ "appId": "String",

+ "displayName": "String",

+ "lastModifiedDateTime": "String (timestamp)",

+ "teamsEmbeddedContentUrl": "String",

+ "webUrl": "String"

+ "description": "educationTeamsAppResource resource",

+|[Update emailAuthenticationMethodConfiguration](../api/emailauthenticationmethodconfiguration-update.md)|None|Update the properties of an emailAuthenticationMethodConfiguration object.|

+|[Delete emailAuthenticationMethodConfiguration](../api/emailauthenticationmethodconfiguration-delete.md)|None|Reverts the emailAuthenticationMethodConfiguration object to its default configuration.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+### authenticationMethodTargetType values

+|Member|

+|:--|

+|group|

+|unknownFutureValue|

+### authenticationMethodsPolicyMigrationState values

+|Member|

+|:--|

+|premigration|

+|migrationInProgress|

+|migrationComplete|

+|id|String|The object identifier of an Azure AD group.|

+|targetType|authenticationMethodTargetType|The type of the authentication method target. Possible values are: `group` and `unknownFutureValue`.|

+|[Update](../api/fido2authenticationmethodconfiguration-update.md)|None|Update the properties of a fido2AuthenticationMethodConfiguration object.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+| isAssignableToRole | Boolean | Indicates whether this group can be assigned to an Azure Active Directory role. Optional. <br><br>This property can only be set while creating the group and is immutable. If set to `true`, the **securityEnabled** property must also be set to `true`, **visibility** must be `Hidden`, and the group cannot be a dynamic group (that is, **groupTypes** cannot contain `DynamicMembership`). <br/><br/>Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the _RoleManagement.ReadWrite.Directory_ permission to set this property or update the membership of such groups. For more, see [Using a group to manage Azure AD role assignments](https://go.microsoft.com/fwlink/?linkid=2103037)<br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`). |

+## Group membership

+Not all object types can be members of both Microsoft 365 and security groups.

+Microsoft 365 groups in Yammer are used to facilitate user collaboration through Yammer posts. This type of group can be returned through a read request, but their posts can't be accessed through the API. When Yammer posts and conversation feeds are enabled on a group, default Microsoft 365 group conversations are disabled. To learn more, see [Yammer developer API docs](/rest/api/yammer/).

+- Organizations are limited to a maximum of 10 connections (reach out if you need more).

+- You can create up to 25 `externalItem` resources items per second.

+- An application is limited to 25 concurrent operations on a connection.

+- Connections have a capacity limit of 5,000,000 items or ~350 GB of data.

+description: "An abstract class that contains meeting-specific information."

+An abstract class that contains meeting-specific information.

+Base type of [organizerMeetingInfo](organizermeetinginfo.md), [tokenMeetingInfo](tokenmeetinginfo.md), and [joinMeetingIdMeetingInfo](joinmeetingidmeetinginfo.md).

+## Properties

+None.

+|[Update](../api/microsoftauthenticatorauthenticationmethodconfiguration-update.md)|None|Update the properties of a microsoftAuthenticatorAuthenticationMethodConfiguration object.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|isSoftwareOathEnabled|Boolean|`true` if users can use the OTP code generated by the Microsoft Authenticator app, `false` otherwise.|

+|includeTargets|[microsoftAuthenticatorAuthenticationMethodTarget](../resources/microsoftauthenticatorauthenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method. Expanded by default.|

+ "state": "String",

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+ "isSoftwareOathEnabled": "Boolean",

+ "featureSettings": {

+ "@odata.type": "microsoft.graph.microsoftAuthenticatorFeatureSettings"

+ }

+description: "A collection of groups enabled to use Microsoft Authenticator authentication methods policy."

+A collection of groups enabled to use [Microsoft Authenticator authentication methods policy](../resources/microsoftAuthenticatorAuthenticationMethodConfiguration.md) in Azure AD. Inherits from [authenticationMethodTarget](authenticationMethodTarget.md).

+|isRegistrationRequired|Boolean|Determines whether the user is enforced to register the authentication method. Inherited from [authenticationMethodTarget](authenticationmethodtarget.md). **Not supported**. |

+|targetType|authenticationMethodTargetType| Possible values are: `group`, and `unknownFutureValue`. From December 2022, targeting individual users using `user` is no longer recommended. Existing targets will remain but we recommend to move the individual users to a targeted group. Inherited from [authenticationMethodTarget](authenticationMethodTarget.md).|

+| allowedPresenters | [onlineMeetingPresenters](#onlinemeetingpresenters-values)| Specifies who can be a presenter in a meeting. |

+| joinMeetingIdSettings | [joinMeetingIdSettings](joinmeetingidsettings.md) | Specifies the **joinMeetingId**, the meeting passcode, and the requirement for the passcode. Once an **onlineMeeting** is created, the **joinMeetingIdSettings** cannot be modified. To make any changes to this property, the meeting needs to be canceled and a new one needs to be created. |

+| joinWebUrl | String | The join URL of the online meeting. Read-only. |

+ "allowedPresenters": "String",

+ "alternativeRecording": "Stream",

+ "attendeeReport": "Stream",

+ "joinInformation": {"@odata.type": "microsoft.graph.itemBody"},

+ "recordAutomatically": "Boolean",

+ "recording": "Stream",

+|includeTargets|[passwordlessMicrosoftAuthenticatorAuthenticationMethodTarget](../resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+description: "A collection of groups enabled to use Microsoft Authenticator Passwordless Phone Sign-in authentication methods policy."

+A collection of groups enabled to use Microsoft Authenticator Passwordless Phone Sign-in authentication methods policy](../resources/passwordlessMicrosoftAuthenticatorAuthenticationMethodConfiguration.md) in Azure AD.

+Contains information about the relationship of a [plannerBucket](plannerbucket.md) to a user experience outside of Planner. This allows surfacing or syncing buckets in Planner with other experiences to track work in the context of that experience.

+You can display data in a **plannerExternalBucketSource** in a user interface to sync information for an external service, or to simply point to where a task was created in the external service.

+The combination of the **contextScenarioId** and **externalObjectId** properties is unique within a tenant. If creation is called with existing **contextScenarioId** and **externalObjectId** values, the existing object is returned with no modifications.

+This type is derived from [plannerBucketCreation](plannerBucketCreation.md).

+Contains information about the relationship of a [plannerPlan](plannerplan.md) to a user experience outside of Planner. This allows surfacing or syncing plans in Planner with other experiences to track work in the context of that experience.

+You can display data in a **plannerExternalPlanSource** in a user interface to sync information for an external service, or to simply point to where a plan was created in the external service.

+The combination of the **contextScenarioId** and **externalObjectId** properties is unique within a tenant. If creation is called with existing **contextScenarioId** and **externalObjectId** values, the existing object is returned with no modifications.

+This type is derived from [plannerPlanCreation](plannerPlanCreation.md).

+Contains information about the relationship of a [plannerTask](plannerTask.md) to a user experience outside of Planner. This allows surfacing or syncing tasks in Planner with other experiences to track work in the context of that experience.

+You can display data in a **plannerExternalTaskSource** in a user interface to sync information for an external service, or to simply point to where a task was created in the external service.

+The combination of the **contextScenarioId** and **externalObjectId** properties is unique within a tenant. If creation is called with existing **contextScenarioId** and **externalObjectId** values, the existing object is returned with no modifications.

+This type is derived from [plannerTaskCreation](plannerTaskCreation.md).

+|container|[plannerPlanContainer](../resources/plannerplancontainer.md)|Identifies the container of the plan. Specify only the **url**, the **containerId** and **type**, or all properties. After it is set, this property canΓÇÖt be updated. Required.|

+|containerId|String|The identifier of the resource that contains the plan. Optional.|

+|type|plannerContainerType|The type of the resource that contains the plan. For supported types, see the previous table. Possible values are: `group`, `unknownFutureValue`, `roster`, and `project`. Note that you must use the `Prefer: include-unknown-enum-members` request header to get the following value in this [evolvable enum](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `roster`, `project`. Optional.|

+|url|String|The full canonical URL of the container. Optional.|

+| [Set user status message](../api/presence-setstatusmessage.md) | | Set a presence status message for a user. |

+| outOfOfficeSettings | [outOfOfficeSettings](outOfOfficeSettings.md) | The out of office settings for a user. |

+| statusMessage | [microsoft.graph.presenceStatusMessage](presencestatusmessage.md) | The presence status message of a user. |

+ "outOfOfficeSettings":{"@odata.type": "#microsoft.graph.outOfOfficeSettings"},

+ "statusMessage":{"@odata.type": "#microsoft.graph.presenceStatusMessage"}

+ Title: "presenceStatusMessage resource type"

+description: "Represents a presence status message related to the presence of a user in Microsoft Teams."

+ms.localizationpriority: medium

+# presenceStatusMessage resource type

+Namespace: microsoft.graph

+Represents a presence status message related to the [presence](presence.md) of a user in Microsoft Teams.

+## Properties

+| Property | Type | Description |

+| -- | -- | - |

+| expiryDateTime | [microsoft.graph.dateTimeTimeZone](datetimetimezone.md) | Time in which the status message expires.<br/>If not provided, the status message does not expire.<br/><br/>**expiryDateTime.dateTime** should not include time zone.<br/><br/>**expiryDateTime** is not available when requesting presence of another user. |

+| message | [microsoft.graph.itemBody](itembody.md) | Status message item.<br/><br/> The only supported format currently is `message.contentType = 'text'`. |

+| publishedDateTime | DateTimeOffset |Time in which the status message was published.<br/>Read-only.<br/><br/>**publishedDateTime** is not available when requesting presence of another user. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "optionalProperties": [

+ "publishedDateTime",

+ "expiryDateTime"

+ ],

+ "@odata.type": "microsoft.graph.presenceStatusMessage"

+}-->

+```json

+{

+ "expiryDateTime": {"@odata.type": "#microsoft.graph.dateTimeTimeZone"},

+ "message": {"@odata.type": "#microsoft.graph.itemBody"},

+ "publishedDateTime": "String"

+}

+```

+Note that collapsing results is currently supported on the following entity types: [driveItem](driveitem.md), [listItem](listitem.md), [drive](drive.md), [list](list.md), [site](site.md), [externalItem](externalconnectors-externalitem.md).

+The properties on which the collapse clause are applied need to be queryable and either sortable or refinable. For multi-level collapse, each subsequent property limit size specified in a multi-level request should be less than or equal to the previous; otherwise, the response will return an `HTTP 400 Bad Request` error.

+Inherits from [searchAnswer](../resources/search-searchanswer.md).

+|[Delete qna](../api/search-qna-delete.md)|None|Delete a [qna](../resources/search-qna.md) object.|

+|availabilityStartDateTime|DateTimeOffset|Timestamp of when the qna will start to appear as a search result. Set as `null` for always available.|

+|description|String|Answer displayed in search results. Inherited from [searchAnswer](../resources/search-searchanswer.md).|

+|displayName|String|Question displayed in search results. Inherited from [searchAnswer](../resources/search-searchanswer.md).|

+|groupIds|String collection|List of security groups able to view this qna.|

+|id|String|The unique identifier (GUID) for the qna. Inherited from [entity](../resources/entity.md).|

+|isSuggested|Boolean| True if this qna was suggested to the admin by a user or was mined and suggested by Microsoft. Read-only.|

+|keywords|[microsoft.graph.search.answerKeyword](../resources/search-answerkeyword.md)|Keywords that trigger this qna to appear in search results.|

+|languageTags|String collection|A list of language names that are geographically specific and that this QnA can be viewed in. Each language tag value follows the pattern {language}-{region}. As an example, `en-us` is English as used in the United States. For the list of possible values, see [supported language tags](search-api-answers-overview.md#supported-language-tags). |

+|lastModifiedBy|[microsoft.graph.identitySet](../resources/identityset.md)|Details of the user that created or last modified the qna. Inherited from [searchAnswer](../resources/search-searchanswer.md). Read-only. |

+|lastModifiedDateTime|DateTimeOffset| Timestamp of when the qna is created or edited. Inherited from [searchAnswer](../resources/search-searchanswer.md). Read-only.|

+|targetedVariations|[microsoft.graph.search.answerVariant](../resources/search-answervariant.md) collection|Variations of a qna for different countries or devices. Use when you need to show different content to users based on their device, country/region, or both. The date and group settings will apply to all variations.|

+|webUrl|String|Qna URL link. When users click this qna in search results, they will go to this URL. Inherited from [searchAnswer](../resources/search-searchanswer.md).|

+ "availabilityEndDateTime": "String (timestamp)",

+ "availabilityStartDateTime": "String (timestamp)",

+ "displayName": "String",

+ "groupIds": [

+ "String"

+ ],

+ "id": "String (identifier)",

+ "isSuggested": "Boolean",

+ "keywords": {

+ "@odata.type": "microsoft.graph.search.answerKeyword"

+ "lastModifiedBy": {

+ "@odata.type": "microsoft.graph.identitySet"

+ },

+ "lastModifiedDateTime": "String (timestamp)",

+ "state": "String",

+ "webUrl": "String"

+|remediationStatus|[microsoft.graph.security.evidenceRemediationStatus](#evidenceremediationstatus-values)|Status of the remediation action taken. The possible values are: `none`, `remediated`, `prevented`, `blocked`, `notFound`, `unknownFutureValue`.|

+| notFound | The evidence was not found. |

+description: "The Microsoft Graph security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners."

+## Advanced hunting

+Alerts are detailed warnings about suspicious activities in a customer's tenant that Microsoft or partner security providers have identified and flagged for action. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is alerts from multiple security providers for multiple entities in the tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming.

+- [Alerts and incidents](#alerts-and-incidents) - these are the latest generation of alerts in the Microsoft Graph security API. They are represented by the [alert](security-alert.md) resource and its collection, [incident](security-incident.md) resource, defined in the `microsoft.graph.security` namespace.

+### Alerts and incidents

+## Incidents

+| **Alerts and incidents**|||

+| **Attack simulation and training**|||

+description: "An abstract entity that represents a long-running eDiscovery process."

+An abstract entity that represents a long-running eDiscovery process. It contains a common set of properties that are shared among inheriting entities. Entities that derive from **caseOperation** include:

+Inherits from [entity](../resources/entity.md).

+| estimateStatistics | The operation represents searching against Microsoft 365 services such as Exchange, SharePoint, and OneDrive for Business. |

+| partiallySucceeded | The operation completed, but there were errors. For error details, see [resultInfo](../resources/resultinfo.md). |

+| failed | The operation failed. For error details, see [resultInfo](../resources/resultinfo.md). |

+ "completedDateTime": "String (timestamp)",

+ "createdDateTime": "String (timestamp)",

+ "id": "String (identifier)",

+ "percentProgress": "Int32",

+ },

+ "status": "String"

+```

+|customTags|String collection|Array of custom tags associated with an incident.|

+ "customTags": [

+|countryLetterCode|String|The two-letter country code according to ISO 3166 format, for example: `US`, `UK`, `CA`, etc..).|

+ "ipAddress": "String",

+ "countryLetterCode": "String"

+|[Update](../api/smsauthenticationmethodconfiguration-update.md)|None|Update the properties of a smsAuthenticationMethodConfiguration object.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[smsAuthenticationMethodTarget](../resources/smsauthenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "state": "String",

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ]

+description: "A collection of groups enabled to use Text Message authentication methods policy."

+A collection of groups enabled to use [Text Message authentication methods policy](../resources/smsAuthenticationMethodConfiguration.md) in Azure AD.

+|isUsableForSignIn|Boolean|Determines if users can use this authentication method to sign in to Azure AD. `true` if users can use this method for primary authentication, otherwise `false`.|

+|targetType|authenticationMethodTargetType|Possible values are: `group`, and `unknownFutureValue`. From December 2022, targeting individual users using `user` is no longer recommended. Existing targets will remain but we recommend to move the individual users to a targeted group. Inherited from [authenticationMethodTarget](authenticationMethodTarget.md).|

+ Title: "softwareOathAuthenticationMethodConfiguration resource type"

+description: "Represents the authentication policy for a third-party software OATH authentication method."

+ms.localizationpriority: medium

+# softwareOathAuthenticationMethodConfiguration resource type

+Namespace: microsoft.graph

+Represents the authentication policy for a third-party software OATH authentication method. Authentication methods policies define configuration settings and users or groups that are enabled to use the authentication method.

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[Get softwareOathAuthenticationMethodConfiguration](../api/softwareoathauthenticationmethodconfiguration-get.md)|[softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md)|Read the properties and relationships of a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object.|

+|[Update softwareOathAuthenticationMethodConfiguration](../api/softwareoathauthenticationmethodconfiguration-update.md)|None|Update the properties of a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object.|

+|[Delete softwareOathAuthenticationMethodConfiguration](../api/softwareoathauthenticationmethodconfiguration-delete.md)|None|Reverts the [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object to its default configuration.|

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|id|String|The authentication method policy identifier.|

+|state|authenticationMethodState|Represents whether users can register this authentication method. The possible values are: `enabled`, `disabled`.|

+## Relationships

+|Relationship|Type|Description|

+|:|:|:|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection| A collection of groups that are enabled to use the authentication method. Expanded by default.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.softwareOathAuthenticationMethodConfiguration",

+ "baseType": "microsoft.graph.authenticationMethodConfiguration",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.softwareOathAuthenticationMethodConfiguration",

+ "id": "String (identifier)",

+ "state": "String",

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ]

+}

+```

+| Property | Type | Description |

+||||

+| applicationId | String | Optional. Identifier of the application used to create the subscription. Read-only. |

+| changeType | String | Required. Indicates the type of change in the subscribed resource that will raise a change notification. The supported values are: `created`, `updated`, `deleted`. Multiple values can be combined using a comma-separated list. <br><br>**Note:** <li> Drive root item and list change notifications support only the `updated` changeType. <li>[User](../resources/user.md) and [group](../resources/user.md) change notifications support `updated` and `deleted` changeType. Use `updated` to receive notifications when user or group is created, updated or soft deleted. Use `deleted` to receive notifications when user or group is permanently deleted. |

+| clientState | String | Optional. Specifies the value of the **clientState** property sent by the service in each change notification. The maximum length is 255 characters. The client can check that the change notification came from the service by comparing the value of the **clientState** property sent with the subscription with the value of the **clientState** property received with each change notification. |

+| creatorId | String | Optional. Identifier of the user or service principal that created the subscription. If the app used delegated permissions to create the subscription, this field contains the ID of the signed-in user the app called on behalf of. If the app used application permissions, this field contains the ID of the service principal corresponding to the app. Read-only. |

+| encryptionCertificate | String | Optional. A base64-encoded representation of a certificate with a public key used to encrypt resource data in change notifications. Optional but required when **includeResourceData** is `true`. |

+| encryptionCertificateId | String | Optional. A custom app-provided identifier to help identify the certificate needed to decrypt resource data. Required when **includeResourceData** is `true`. |

+| expirationDateTime | DateTimeOffset | Required. Specifies the date and time when the webhook subscription expires. The time is in UTC, and can be an amount of time from subscription creation that varies for the resource subscribed to. For the maximum supported subscription length of time, see [the table below](#maximum-length-of-subscription-per-resource-type). |

+| id | String | Optional. Unique identifier for the subscription. Read-only. |

+| includeResourceData | Boolean | Optional. When set to `true`, change notifications [include resource data](/graph/webhooks-with-resource-data) (such as content of a chat message). |

+| latestSupportedTlsVersion | String | Optional. Specifies the latest version of Transport Layer Security (TLS) that the notification endpoint, specified by **notificationUrl**, supports. The possible values are: `v1_0`, `v1_1`, `v1_2`, `v1_3`. </br></br>For subscribers whose notification endpoint supports a version lower than the currently recommended version (TLS 1.2), specifying this property by a set [timeline](https://developer.microsoft.com/graph/blogs/microsoft-graph-subscriptions-deprecating-tls-1-0-and-1-1/) allows them to temporarily use their deprecated version of TLS before completing their upgrade to TLS 1.2. For these subscribers, not setting this property per the timeline would result in subscription operations failing. </br></br>For subscribers whose notification endpoint already supports TLS 1.2, setting this property is optional. In such cases, Microsoft Graph defaults the property to `v1_2`. |

+| lifecycleNotificationUrl | String | Optional. The URL of the endpoint that receives lifecycle notifications, including `subscriptionRemoved`, `reauthorizationRequired`, and `missed` notifications. This URL must make use of the HTTPS protocol. |

+| notificationContentType | String | Optional. Desired **content-type** for Microsoft Graph change notifications for supported resource types. The default content-type is `application/json`. |

+| notificationQueryOptions | String | Optional. OData query options for specifying the value for the targeting resource. Clients receive notifications when the resource reaches the state matching the query options provided here. With this new property in the subscription creation payload along with all existing properties, Webhooks will deliver notifications whenever a resource reaches the desired state mentioned in the **notificationQueryOptions** property. For example, when the print job is completed or when a print job resource `isFetchable` property value becomes `true` etc. <br/><br/> Supported only for Universal Print Service. For more information, see [Subscribe to change notifications from cloud printing APIs using Microsoft Graph](/graph/universal-print-webhook-notifications). |

+| notificationUrl | String | Required. The URL of the endpoint that receives the change notifications. This URL must make use of the HTTPS protocol. |

+| notificationUrlAppId | String | Optional. The app ID that the subscription service can use to generate the validation token. This allows the client to validate the authenticity of the notification received. |

+| resource | String | Required. Specifies the resource that will be monitored for changes. Do not include the base URL (`https://graph.microsoft.com/bet) for each supported resource. |

+| id | string | The unique identifier of the team. The group has the same ID as the team. This property is read-only, and is inherited from the base entity type. |

+- [App catalog sample (C#)](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-appcatalog-lifecycle/csharp)

+- [App catalog sample (Node.JS)](https://github.com/OfficeDev/Microsoft-Teams-Samples/tree/main/samples/graph-appcatalog-lifecycle/nodejs)

+|hiddenMembership|2|Only the administrators (global, company, user, and helpdesk) can view the members of a team.<br>Owner permissions are required to join a team.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+ Title: "voiceAuthenticationMethodConfiguration resource type"

+description: "Represents a voice call authenticaiton methods policy"

+ms.localizationpriority: medium

+# voiceAuthenticationMethodConfiguration resource type

+Namespace: microsoft.graph

+Represents a voice call authentication methods policy. Authentication methods policies define configuration settings and users or groups that are enabled to use the authentication method.

+Inherits from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[Get voiceAuthenticationMethodConfiguration](../api/voiceauthenticationmethodconfiguration-get.md)|[voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md)|Read the properties and relationships of a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object.|

+|[Update voiceAuthenticationMethodConfiguration](../api/voiceauthenticationmethodconfiguration-update.md)|None|Update the properties of a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object.|

+|[Delete voiceAuthenticationMethodConfiguration](../api/voiceauthenticationmethodconfiguration-delete.md)|None|Revert the [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object to its default configuration.|

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|id|String|The authentication method policy identifier.|

+|isOfficePhoneAllowed|Boolean|`true` if users can register office phones, otherwise, `false`. |

+|state|authenticationMethodState|Represents whether users can register this authentication method. The possible values are: `enabled`, `disabled`.|

+## Relationships

+|Relationship|Type|Description|

+|:|:|:|

+|includeTargets|[voiceAuthenticationMethodTarget](../resources/voiceauthenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method. Expanded by default.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.voiceAuthenticationMethodConfiguration",

+ "baseType": "microsoft.graph.authenticationMethodConfiguration",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.voiceAuthenticationMethodConfiguration",

+ "id": "String (identifier)",

+ "state": "String",

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+ "isOfficePhoneAllowed": "Boolean"

+}

+```

+ Title: "voiceAuthenticationMethodTarget resource type"

+description: "A collection of groups enabled to use voice call authentication method via policy."

+ms.localizationpriority: medium

+# voiceAuthenticationMethodTarget resource type

+Namespace: microsoft.graph

+A collection of groups enabled to use voice call authentication via the [voice call authentication methods policy](../resources/voiceAuthenticationMethodConfiguration.md) in Azure AD.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|id|String|Object ID of an Azure AD group.|

+|isRegistrationRequired|Boolean|Determines whether the user is enforced to register the authentication method. **Not supported**.|

+|targetType|authenticationMethodTargetType|Possible values are: `group`, and `unknownFutureValue`. From December 2022, targeting individual users using `user` is no longer recommended. Existing targets will remain but we recommend to move the individual users to a targeted group. Inherited from [authenticationMethodTarget](authenticationMethodTarget.md).|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.voiceAuthenticationMethodTarget",

+ "baseType": "microsoft.graph.authenticationMethodTarget",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.voiceAuthenticationMethodTarget",

+ "id": "String (identifier)",

+ "targetType": "String",

+ "isRegistrationRequired": "Boolean"

+}

+```

+- [subscription resource type](subscription.md)

+- [Training module: Use change notifications and track changes with Microsoft Graph](/training/modules/msgraph-changenotifications-trackchanges)

+- [Lifecycle notifications](/graph/webhooks-lifecycle)

+<!-- Links -->

+|[Update x509CertificateAuthenticationMethodConfiguration](../api/x509certificateauthenticationmethodconfiguration-update.md)|None|Update the properties of a x509CertificateAuthenticationMethodConfiguration object.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+When creating a new group (without `$ref`), this method returns a `201 Created` response code and a [group](../resources/group.md) object in the response body. The response includes only the default properties of the group. You must supply the `"@odata.type" : "#microsoft.graph.group"` line in the request body to explicitly identify the new member as a group. A request body without the correct @odata.type returns a `400 Bad Request` error message.

+The following example creates a new group in the administrative unit. You must supply the `"@odata.type" : "#microsoft.graph.group"` line in the request body to explicitly identify the new member as a group. A request body without the correct @odata.type returns a `400 Bad Request` error message.

+ "@odata.type": "#microsoft.graph.group",

+> In general, the `id` of a **teamsApp** resource is generated by the server. It is not the same as the `id` specified in a Teams app manifest, unless its `distributionMethod` is *store*. For other cases, the `id` provided by the developer as part of the Teams app manifest is stamped as the `externalId` in the teamsApp resource.

+| Delegated (work or school account) | Not supported. |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | Calls.JoinGroupCalls.Chat*, Calls.JoinGroupCallAsGuest.All, Calls.JoinGroupCall.All, Calls.Initiate.All, Calls.InitiateGroupCall.All |

+>

+> Permissions marked with * use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

+The following example shows a request that makes a peer-to-peer call between the bot and the specified user. In this example, the media is hosted by the service. The values of authorization token, callback URL, application ID, application name, user ID, user name, and tenant ID must be replaced with actual values to make the example work.

+ "name": "create-call-service-hosted-media-1",

+}-->

+The following example shows a request that makes a peer-to-peer call between the bot and the specified user. In this example, the media is hosted locally by the application. The values of authorization token, callback URL, application ID, application name, user ID, user name, and tenant ID must be replaced with actual values to make the example work.

+ "name": "create-call-app-hosted-media",

+# [HTTP](#tab/http)

+ "blockType": "request",

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+> **Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "name": "create-group-call-service-hosted-media",

+ "@odata.type": "microsoft.graph.call"

+}-->

+```http

+HTTP/1.1 201 Created

+Location: https://graph.microsoft.com/v1.0/communications/calls/2f1a1100-b174-40a0-aba7-0b405e01ed92

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.call",

+ "state": "establishing",

+ "direction": "outgoing",

+ "subject": "Create a group call with service hosted media",

+ "callbackUri": "https://bot.contoso.com/callback",

+ "callChainId": "d17646-3110-40b1-bae6-e9ac6c3f74",

+ "callRoutes": [],

+ "source": {

+ "@odata.type": "#microsoft.graph.participantInfo",

+ "identity": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "application": {

+ "@odata.type": "#microsoft.graph.identity",

+ "displayName": "TestBot",

+ "id": "dd3885da-f9ab-486b-bfae-85de3d445555"

+ }

+ },

+ "region": null,

+ "languageId": null

+ },

+ "targets": [

+ {

+ "@odata.type": "#microsoft.graph.invitationParticipantInfo",

+ "identity": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "user": {

+ "@odata.type": "#microsoft.graph.identity",

+ "displayName": "user1",

+ "id": "98da8a1a-1b87-452c-a713-65d3f10b5555"

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.invitationParticipantInfo",

+ "identity": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "user": {

+ "@odata.type": "#microsoft.graph.identity",

+ "displayName": "user2",

+ "id": "bf5aae9a-d11d-47a8-93b1-782504c95555"

+ }

+ }

+ }

+ ],

+ "requestedModalities": [

+ "audio"

+ ],

+ "activeModalities": [],

+ "mediaConfig": {

+ "@odata.type": "#microsoft.graph.serviceHostedMediaConfig",

+ },

+ "routingPolicies": [],

+ "tenantId": "aa67bd4c-8475-432d-bd41-39f255720e0a",

+ "id": "2f1a1100-b174-40a0-aba7-0b405e01ed92",

+ "myParticipantId": "c9a65b85-a223-44ae-8cdb-29395458323f",

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#app/calls/$entity",

+}

+```

+# [HTTP](#tab/http)

+ "blockType": "request",

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+> **Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "name": "create-group-call-app-hosted-media",

+ "@odata.type": "microsoft.graph.call"

+}-->

+```http

+HTTP/1.1 201 Created

+Location: https://graph.microsoft.com/v1.0/communications/calls/2f1a1100-b174-40a0-aba7-0b405e01ed92

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.call",

+ "state": "establishing",

+ "direction": "outgoing",

+ "subject": "Create a group call with app hosted media",

+ "callbackUri": "https://bot.contoso.com/callback",

+ "callChainId": "d8217646-3110-40b1-bae6-e9ac6c3a9f74",

+ "callRoutes": [],

+ "source": {

+ "@odata.type": "#microsoft.graph.participantInfo",

+ "identity": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "application": {

+ "@odata.type": "#microsoft.graph.identity",

+ "displayName": "TestBot",

+ "id": "dd3885da-f9ab-486b-bfae-85de3d445555"

+ }

+ },

+ "region": null,

+ "languageId": null

+ },

+ "targets": [

+ {

+ "@odata.type": "#microsoft.graph.invitationParticipantInfo",

+ "identity": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "user": {

+ "@odata.type": "#microsoft.graph.identity",

+ "displayName": "user1",

+ "id": "98da8a1a-1b87-452c-a713-65d3f10b5555"

+ }

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.invitationParticipantInfo",

+ "identity": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "user": {

+ "@odata.type": "#microsoft.graph.identity",

+ "displayName": "user2",

+ "id": "bf5aae9a-d11d-47a8-93b1-782504c95555"

+ }

+ }

+ }

+ ],

+ "requestedModalities": [

+ "audio"

+ ],

+ "activeModalities": [],

+ "mediaConfig": {

+ "@odata.type": "#microsoft.graph.appHostedMediaConfig",

+ "blob": "<Media Session Configuration>",

+ "removeFromDefaultAudioGroup": false

+ },

+ "routingPolicies": [],

+ "tenantId": "aa67bd4c-8475-432d-bd41-39f255720e0a",

+ "id": "2f1a1100-b174-40a0-aba7-0b405e01ed92",

+ "myParticipantId": "c9a65b85-a223-44ae-8cdb-29395458323f",

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#app/calls/$entity",

+}

+```

+To join the scheduled meeting, you need to get the thread ID, message ID, organizer ID, and the tenant ID in which the meeting is scheduled.

+You can get this information by using the [Get onlineMeeting](../api/onlinemeeting-get.md) API.

+The values of authorization token, callback URL, application ID, application name, user ID, user name, and tenant ID must be replaced along with the details obtained from the [Get onlineMeeting](../api/onlinemeeting-get.md) API with actual values to make the example work.

+# [HTTP](#tab/http)

+ "blockType": "request",

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+Update the media config with the [appHostedMediaConfig](../resources/apphostedmediaconfig.md) as shown in the following example.

+#### Request

+# [HTTP](#tab/http)

+ "blockType": "request",

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+<!-- {

+ "blockType": "response",

+ "@odata.type": "microsoft.graph.call",

+ "truncated": "true"

+}-->

+```http

+HTTP/1.1 201 Created

+Location: https://graph.microsoft.com/v1.0/communications/calls/2f1a1100-b174-40a0-aba7-0b405e01ed92

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.call",

+ "state": "establishing",

+ "direction": "outgoing",

+ "callbackUri": "https://bot.contoso.com/callback",

+ "callChainId": "d8217646-3110-40b1-bae6-e9ac6c3a9f74",

+ "callRoutes": [],

+ "source": {

+ "@odata.type": "#microsoft.graph.participantInfo",

+ "identity": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "application": {

+ "@odata.type": "#microsoft.graph.identity",

+ "displayName": "Calling Bot",

+ "id": "2891555a-92ff-42e6-80fa-6e1300c6b5c6"

+ }

+ },

+ "region": null,

+ "languageId": null

+ },

+ "targets": [],

+ "requestedModalities": [

+ "audio"

+ ],

+ "activeModalities": [],

+ "mediaConfig": {

+ "@odata.type": "#microsoft.graph.appHostedMediaConfig",

+ "blob": "<Media Session Configuration>",

+ },

+ "chatInfo": {

+ "@odata.type": "#microsoft.graph.chatInfo",

+ "threadId": "19:meeting_Win6Ydo4wsMijFjZS00ZGVjLTk5MGUtOTRjNWY2NmNkYTFm@thread.v2",

+ "messageId": "0",

+ "replyChainMessageId": null

+ },

+ "meetingInfo": {

+ "@odata.type": "#microsoft.graph.organizerMeetingInfo",

+ "organizer": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "user": {

+ "@odata.type": "#microsoft.graph.identity",

+ "id": "5810cede-f3cc-42eb-b2c1-e9bd5d53ec96",

+ "tenantId": "aa67bd4c-8475-432d-bd41-39f255720e0a",

+ "displayName": "Bob"

+ }

+ },

+ "allowConversationWithoutHost": true

+ },

+ "transcription": null,

+ "routingPolicies": [],

+ "tenantId": "aa67bd4c-8475-432d-bd41-39f255720e0a",

+ "myParticipantId": "05491616-385f-44a8-9974-18cc5f9933c1",

+ "id": "2f1a1100-b174-40a0-aba7-0b405e01ed92",

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#app/calls/$entity",

+ "terminationReason": null,

+ "ringingTimeoutInSeconds": null,

+ "mediaState": null,

+ "subject": null,

+ "resultInfo": null,

+ "answeredBy": null,

+ "meetingCapability": null,

+ "toneInfo": null

+}

+```

+### Example 7: Join a scheduled meeting with joinMeetingId and passcode

+The following shows an example that requires a **joinMeetingId** and a **passcode** to join an existing meeting. You can retrieve these properties from the [Get onlineMeeting](../api/onlinemeeting-get.md) API.

+#### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "join-meeting-with-join-meeting-id-and-passcode",

+ "@odata.type": "microsoft.graph.call"

+}-->

+```http

+POST https://graph.microsoft.com/v1.0/communications/calls

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.call",

+ "callbackUri": "https://bot.contoso.com/callback",

+ "requestedModalities": [

+ "audio"

+ ],

+ "mediaConfig": {

+ "@odata.type": "#microsoft.graph.serviceHostedMediaConfig",

+ "preFetchMedia": [

+ {

+ "uri": "https://cdn.contoso.com/beep.wav",

+ "resourceId": "f8971b04-b53e-418c-9222-c82ce681a582"

+ },

+ {

+ "uri": "https://cdn.contoso.com/cool.wav",

+ "resourceId": "86dc814b-c172-4428-9112-60f8ecae1edb"

+ }

+ ]

+ },

+ "meetingInfo": {

+ "@odata.type": "#microsoft.graph.joinMeetingIdMeetingInfo",

+ "joinMeetingId": "1234567",

+ "passcode": "psw123"

+ },

+ "tenantId": "86dc81db-c112-4228-9222-63f3esaa1edb"

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "name": "join-meeting-with-join-meeting-id-and-passcode",

+ "@odata.type": "microsoft.graph.call"

+}-->

+```http

+HTTP/1.1 201 Created

+Location: https://graph.microsoft.com/v1.0/communications/calls/2f1a1100-b174-40a0-aba7-0b405e01ed92

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.call",

+ "state": "establishing",

+ "direction": "outgoing",

+ "callbackUri": "https://bot.contoso.com/callback",

+ "callChainId": "d8217646-3110-40b1-bae6-e9ac6c3a9f74",

+ "callRoutes": [],

+ "source": {

+ "@odata.type": "#microsoft.graph.participantInfo",

+ "identity": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "application": {

+ "@odata.type": "#microsoft.graph.identity",

+ "displayName": "Calling Bot",

+ "id": "2891555a-92ff-42e6-80fa-6e1300c6b5c6"

+ }

+ },

+ "region": null,

+ "languageId": null

+ },

+ "targets": [],

+ "requestedModalities": [

+ "audio"

+ ],

+ "activeModalities": [],

+ "mediaConfig": {

+ "@odata.type": "#microsoft.graph.serviceHostedMediaConfig",

+ "preFetchMedia": [

+ {

+ "uri": "https://cdn.contoso.com/beep.wav",

+ "resourceId": "f8971b04-b53e-418c-9222-c82ce681a582"

+ },

+ {

+ "uri": "https://cdn.contoso.com/cool.wav",

+ "resourceId": "86dc814b-c172-4428-9112-60f8ecae1edb"

+ }

+ ],

+ },

+ "chatInfo": {

+ "@odata.type": "#microsoft.graph.chatInfo",

+ "threadId": "19:meeting_Win6Ydo4wsMijFjZS00ZGVjLTk5MGUtOTRjNNkYTFm@thread.v2",

+ "messageId": "0",

+ "replyChainMessageId": null

+ },

+ "meetingInfo": {

+ "@odata.type": "#microsoft.graph.joinMeetingIdMeetingInfo",

+ "joinMeetingId": "1234567",

+ "passcode": "psw123"

+ },

+ "transcription": null,

+ "routingPolicies": [],

+ "tenantId": "86dc81db-c112-4228-9222-63f3esaa1edb",

+ "myParticipantId": "05491616-385f-44a8-9974-18cc5f9933c1",

+ "id": "2f1a1100-b174-40a0-aba7-0b405e01ed92",

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#app/calls/$entity",

+ "terminationReason": null,

+ "ringingTimeoutInSeconds": null,

+ "mediaState": null,

+ "subject": null,

+ "resultInfo": null,

+ "answeredBy": null,

+ "meetingCapability": null,

+ "toneInfo": null

+}

+```

+### Example 8: Join a scheduled meeting with joinMeetingId

+The following shows an example that requires a **joinMeetingId** but doesn't require a **passcode** to join an existing meeting. You can retrieve the **joinMeetingId** property from the [Get onlineMeeting](../api/onlinemeeting-get.md) API.

+#### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "join-meeting-with-join-meeting-id-and-without-passcode",

+ "@odata.type": "microsoft.graph.call"

+}-->

+```http

+POST https://graph.microsoft.com/v1.0/communications/calls

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.call",

+ "callbackUri": "https://bot.contoso.com/callback",

+ "requestedModalities": [

+ "audio"

+ ],

+ "mediaConfig": {

+ "@odata.type": "#microsoft.graph.serviceHostedMediaConfig",

+ "preFetchMedia": [

+ {

+ "uri": "https://cdn.contoso.com/beep.wav",

+ "resourceId": "f8971b04-b53e-418c-9222-c82ce681a582"

+ },

+ {

+ "uri": "https://cdn.contoso.com/cool.wav",

+ "resourceId": "86dc814b-c172-4428-9112-60f8ecae1edb"

+ }

+ ]

+ },

+ "meetingInfo": {

+ "@odata.type": "#microsoft.graph.joinMeetingIdMeetingInfo",

+ "joinMeetingId": "1234567",

+ "passcode": null

+ },

+ "tenantId": "86dc81db-c112-4228-9222-63f3esaa1edb"

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "name": "join-meeting-with-join-meeting-id-and-without-passcode",

+ "@odata.type": "microsoft.graph.call"

+}-->

+```http

+HTTP/1.1 201 Created

+Location: https://graph.microsoft.com/v1.0/communications/calls/2f1a1100-b174-40a0-aba7-0b405e01ed92

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.call",

+ "state": "establishing",

+ "direction": "outgoing",

+ "callbackUri": "https://bot.contoso.com/callback",

+ "callChainId": "d8217646-3110-40b1-bae6-e9ac6c3a9f74",

+ "callRoutes": [],

+ "source": {

+ "@odata.type": "#microsoft.graph.participantInfo",

+ "identity": {

+ "@odata.type": "#microsoft.graph.identitySet",

+ "application": {

+ "@odata.type": "#microsoft.graph.identity",

+ "displayName": "Calling Bot",

+ "id": "2891555a-92ff-42e6-80fa-6e1300c6b5c6"

+ }

+ },

+ "region": null,

+ "languageId": null

+ },

+ "targets": [],

+ "requestedModalities": [

+ "audio"

+ ],

+ "activeModalities": [],

+ "mediaConfig": {

+ "@odata.type": "#microsoft.graph.serviceHostedMediaConfig",

+ "preFetchMedia": [

+ {

+ "uri": "https://cdn.contoso.com/beep.wav",

+ "resourceId": "f8971b04-b53e-418c-9222-c82ce681a582"

+ },

+ {

+ "uri": "https://cdn.contoso.com/cool.wav",

+ "resourceId": "86dc814b-c172-4428-9112-60f8ecae1edb"

+ }

+ ],

+ },

+ "chatInfo": {

+ "@odata.type": "#microsoft.graph.chatInfo",

+ "threadId": "19:meeting_Win6Ydo4wsMijFjZS00ZGVjLTk5MGUtOTRjNNkYTFm@thread.v2",

+ "messageId": "0",

+ "replyChainMessageId": null

+ },

+ "meetingInfo": {

+ "@odata.type": "#microsoft.graph.joinMeetingIdMeetingInfo",

+ "joinMeetingId": "1234567",

+ "passcode": null

+ },

+ "transcription": null,

+ "routingPolicies": [],

+ "tenantId": "86dc81db-c112-4228-9222-63f3esaa1edb",

+ "myParticipantId": "05491616-385f-44a8-9974-18cc5f9933c1",

+ "id": "2f1a1100-b174-40a0-aba7-0b405e01ed92",

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#app/calls/$entity",

+ "terminationReason": null,

+ "ringingTimeoutInSeconds": null,

+ "mediaState": null,

+ "subject": null,

+ "resultInfo": null,

+ "answeredBy": null,

+ "meetingCapability": null,

+ "toneInfo": null

+}

+```

+### Example 9: Create peer-to-peer PSTN call with service hosted media

+> **Note:** This call requires the Calls.Initiate.All permission.

+This call requires an application instance with a PSTN number assigned. For details, see [Assign a phone number to your bot](/graph/cloud-communications-phone-number#assign-a-phone-number-to-your-bot).

+#### Request

+The following example shows the request to make a peer-to-peer call between the bot and a PSTN number. In this example, the media is hosted by the service. The values of authorization token, callback URL, application instance ID, application instance display name, phone ID and tenant ID must be replaced with actual values to make the example work.

+> **Note:** Application instance ID is the object ID of application instance. The application ID that application instance links to should match the one in authorization token. Phone ID is the phone number in E.164 format.

+# [HTTP](#tab/http)

+<!-- {

+ "name": "create-call-service-hosted-media-2",

+}-->

+### Example 10: Create peer-to-peer PSTN call with application hosted media

+> **Note:** The response object shown here might be shortened for readability.

+ "name": "create-call-service-hosted-media-3",

+}-->

+>- `userId` is the object ID of a user in [Azure user management portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade). For more details, see [Allow applications to access online meetings on behalf of a user](/graph/cloud-communication-online-meeting-application-access-policy).

+The following is an example of a request.

+The following is an example of the response.

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('f4053e7-85f4-f0389ac980d6')/onlineMeetings/$entity",

+ "tollNumber": "+1252578",

+ "tollFreeNumber": "+18588",

+ "ConferenceId": "24999",

+ "dialinUrl": "https://dialin.teams.microsoft.com/22f12faf--bc69-b8de580ba330?id=24299"

+ "threadId": "19:meeting_M2IzYzczNTItYzUtYmFiMjNlOTY4MGEz@thread.skype",

+ "id": "MSpkYzE3NjctYmZiMi04ZdFpHRTNaR1F6WGhyZWFkLnYy",

+ "joinWebUrl": "https://teams.microsoft.com/l/meetup-join/19%3ameeting_M2IzYzczNTItYmY3OC00MDlmLWJjMzUtYmFiMjNlOTY4MGEz%40thread.skype/0?context=%7b%22Tid%22%3a%2272f988bf-87cd011db47%22%2c%22Oid%22%3a%22550fae72-d251-43ec-868c-373732c2704f%22%7d",

+ "id": "550fae72-d25-868c-373732c2704f",

+ "subject": "User Token Meeting",

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": false,

+ "joinMeetingId": "1234567890",

+ "passcode": null

+ }

+The following is an example of a request.

+The following is an example of the response.

+ "id": "dc17674c-81d9-4ada442e4622",

+ "tenantId": "909c6581-5130cb3582cde38",

+ "id": "dc17674c-81d9--8f6a442e4622",

+ "tenantId": "909c6581-51f3-fcb3582cde38",

+ "id": "dc17674c-81d9-4adf6a442e4622",

+ "tenantId": "909c6581-5f3-fcb3582cde38",

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": false,

+ "joinMeetingId": "1234567890",

+ "passcode": null

+ },

+### Example 3: Create an online meeting that requires a passcode

+The following example shows how to add a passcode to a meeting. The passcode is used when you join a meeting with a **joinMeetingId**. For more details, see [joinMeetingIdSettings](../resources/joinmeetingidsettings.md).

+#### Request

+The following is an example of a request.

+>**Note:** The passcode is automatically generated and a custom passcode is not supported.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "create-online-meeting-with-passcode"

+}-->

+```http

+POST https://graph.microsoft.com/v1.0/me/onlineMeetings

+Content-Type: application/json

+{

+ "startDateTime":"2019-07-12T14:30:34.2444915-07:00",

+ "endDateTime":"2019-07-12T15:00:34.2464912-07:00",

+ "subject":"User meeting",

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": true

+ }

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.onlineMeeting"

+} -->

+```http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('f4086-17cc-42e7-85f4-f03880d6')/onlineMeetings/$entity",

+ "audioConferencing": {

+ "tollNumber": "+12525478",

+ "tollFreeNumber": "+18690588",

+ "ConferenceId": "2999",

+ "dialinUrl": "https://dialin.teams.microsoft.com/22fa0-499f-435b-bc69-b8dea330?id=2999"

+ },

+ "chatInfo": {

+ "threadId": "19%3A3b523985568b776357c1dd79%40thread.skype",

+ "messageId": "15629053",

+ "replyChainMessageId": null

+ },

+ "creationDateTime": "2019-07-11T02:17:17.6491364Z",

+ "startDateTime": "2019-07-11T02:17:17.6491364Z",

+ "endDateTime": "2019-07-11T02:47:17.651138Z",

+ "id": "MSpkYzE3Njc0Yy04MWQ5LTRhFpHRTNaR1F6WGhyZWFkLnYy",

+ "joinWebUrl": "https://teams.microsoft.com/l/meetup-join/19%3ameeting_M2IzYzczNTItYmY3iMjNlOTY4MGEz%40thread.skype/0?context=%7b%22Tid%22%3a%22f8bf-86f1-41af-91ab-2011db47%22%2c%22Oid%22%3a%20fae72-d251-43ec-86c-377304f%22%7d",

+ "participants": {

+ "organizer": {

+ "identity": {

+ "user": {

+ "id": "5e72-d251-43ec-868c-3732704f",

+ "tenantId": "72fbf-86f1-41af-91ab-2d71db47",

+ "displayName": "Mario Rogers"

+ }

+ },

+ "role": "presenter",

+ "upn": "upn-value"

+ }

+ },

+ "subject": "User meeting",

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": true,

+ "joinMeetingId": "1234567890",

+ "passcode": "123abc"

+ }

+}

+```

+### Example 4: Create an online meeting that does not require a passcode

+When **isPasscodeRequired** is set to `false` or when **joinMeetingIdSettings** is not specified in the request, the generated online meeting will not have a passcode.

+#### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "create-online-meeting-without-passcode"

+}-->

+```http

+POST https://graph.microsoft.com/v1.0/me/onlineMeetings

+Content-Type: application/json

+{

+ "startDateTime":"2019-07-12T14:30:34.2444915-07:00",

+ "endDateTime":"2019-07-12T15:00:34.2464912-07:00",

+ "subject":"User meeting in Microsoft Teams channel.",

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": false

+ }

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+OR

+```http

+POST https://graph.microsoft.com/v1.0/me/onlineMeetings

+Content-Type: application/json

+{

+ "startDateTime":"2019-07-12T14:30:34.2444915-07:00",

+ "endDateTime":"2019-07-12T15:00:34.2464912-07:00",

+ "subject":"User meeting in Microsoft Teams channel."

+}

+```

+#### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.onlineMeeting"

+} -->

+```http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('f4053f86-17cc-85f4-f0389ac980d6')/onlineMeetings/$entity",

+ "audioConferencing": {

+ "tollNumber": "+12525478",

+ "tollFreeNumber": "+186390588",

+ "ConferenceId": "24999",

+ "dialinUrl": "https://dialin.teams.microsoft.com/22f12fa0-45b-bc69-b8de580ba330?id=2425999"

+ },

+ "chatInfo": {

+ "threadId": "19%3A3b52398f3c524556894b776357c1dd79%40thread.skype",

+ "messageId": "1563302249053",

+ "replyChainMessageId": null

+ },

+ "creationDateTime": "2019-07-11T02:17:17.6491364Z",

+ "startDateTime": "2019-07-11T02:17:17.6491364Z",

+ "endDateTime": "2019-07-11T02:47:17.651138Z",

+ "id": "MSpkYzE3Njc0Yy04MWQ5LTRhZGItYmZiMi04ZdFpHRTNaR1F6WGhyZWFkLnYy",

+ "joinWebUrl": "https://teams.microsoft.com/l/meetup-join/19%3ameeting_M2IzYzczNTItYmY3OC00MDlmLWJjMzUtYmFiMjNlOTY4MGEz%40thread.skype/0?context=%7b%22Tid%22%3a%2272f988bf-86f1-1ab-2d7cd011db47%22%2c%22Oid%22%3a%22550fae72-d251-c-373732c2704f%22%7d",

+ "participants": {

+ "organizer": {

+ "identity": {

+ "user": {

+ "id": "550fae72-d251-43ecc-373732c2704f",

+ "tenantId": "72f98841af-91ab-2d7cd011db47",

+ "displayName": "Tyler Stein"

+ }

+ },

+ "role": "presenter",

+ "upn": "upn-value"

+ }

+ },

+ "subject": "User meeting in Microsoft Teams channel.",

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": false,

+ "joinMeetingId": "1234567890",

+ "passcode": null

+ }

+}

+```

+For delegated scenarios, the calling user must have the *Global Administrator* [Azure AD role](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles).

+> [!NOTE]

+> Some special characters in the channel name will cause this API to return an error. For details, see [Known issues](/graph/known-issues#create-channel).

+This method supports the `$filter`and `$select` [OData query parameters](/graph/query-parameters) to help customize the response.

+>**Note:** Guest users can't see private or shared channels that they aren't members of in the response for this API.

+This method supports the $filter and $select [OData query parameters](/graph/query-parameters) to help customize the response.

+| Application | Teamwork.Migrate.All |

+Create a new [channel](../resources/channel.md) in a team, as specified in the request body. When you create a channel, the maximum length of the channel's `displayName` is 50 characters. This is the name that appears to the user in Microsoft Teams.

+If you're creating a private channel, you can add a maximum of 200 members.

+> [!NOTE]

+> Some special characters in the channel name will cause the [Get filesFolder](/graph/api/channel-get-filesfolder) API to return an error. For details, see [Known issues](/graph/known-issues#create-channel).

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+```

+This method does not delete the rubric itself and can only be performed by teachers.

+Get the [educationRubric](../resources/educationrubric.md) object attached to an [educationAssignment](../resources/educationassignment.md), if one exists. Only teachers, students, and applications with application permissions can perform this operation.

+Get the properties and relationships of an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+List all the categories associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Get all the [educationAssignmentResource](../resources/educationassignmentresource.md) objects associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+List all the submissions associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Add one or more existing [educationCategory](../resources/educationcategory.md) objects to the specified [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Create an [assignment resource](../resources/educationassignmentresource.md). Only teachers can perform this operation.

+You can create the following types of assignment resources:

+- [educationTeamsAppResource](../resources/educationteamsappresource.md)

+Every resource has an **@odata.type** property to indicate which type of resource is being created.

+- [educationTeamsAppResource](../resources/educationteamsappresource.md)

+### Example 7: Create an educationTeamsAppResource

+#### Request

+The following is an example of the request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["2003c52e-807a-4186-9b49-60c573095461", "820371a1-4589-4a4a-8b40-9d5db94b9186"],

+ "name": "create_educationTeamsAppResource_from_educationassignmentsApp"

+}-->

+```http

+POST https://graph.microsoft.com/v1.0/education/classes/2003c52e-807a-4186-9b49-60c573095461/assignments/820371a1-4589-4a4a-8b40-9d5db94b9186/resources

+Content-type: application/json

+{

+ "distributeForStudentWork": false,

+ "resource": {

+ "displayName": "Template - My Story",

+ "appId": "6fbeb90c-3d55-4bd5-82c4-bfe824be4300",

+ "appIconWebUrl": "https://statics.teams.cdn.office.net/evergreen-assets/ThirdPartyApps/6fbeb90c-3d55-4bd5-82c4-bfe824be4300_largeImage.png?v=2.0.2",

+ "teamsEmbeddedContentUrl": "https://app.api.edu.buncee.com/player/C7B0866C9B7E485EAE21AE14DBC3FD08?embed=1&render_slide_panel=1",

+ "webUrl": "https://app.edu.buncee.com/buncee/C7B0866C9B7E485EAE21AE14DBC3FD08",

+ "@odata.type": "#microsoft.graph.educationTeamsAppResource"

+ }

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.educationTeamsAppResource"

+} -->

+```http

+HTTP/1.1 201 Created

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#education/classes('2003c52e-807a-4186-9b49-60c573095461')/assignments('820371a1-4589-4a4a-8b40-9d5db94b9186')/resources/$entity",

+ "distributeForStudentWork": false,

+ "id": "6821bff5-91e4-4b63-8f98-8157305ff004",

+ "resource": {

+ "@odata.type": "#microsoft.graph.educationTeamsAppResource",

+ "displayName": "Template - My Story",

+ "createdDateTime": "2022-12-01T16:35:58.0718192Z",

+ "lastModifiedDateTime": "2022-12-01T16:35:58.0718396Z",

+ "appId": "6fbeb90c-3d55-4bd5-82c4-bfe824be4300",

+ "appIconWebUrl": "https://statics.teams.cdn.office.net/evergreen-assets/ThirdPartyApps/6fbeb90c-3d55-4bd5-82c4-bfe824be4300_largeImage.png?v=2.0.2",

+ "teamsEmbeddedContentUrl": "https://app.api.edu.buncee.com/player/C7B0866C9B7E485EAE21AE14DBC3FD08?embed=1&render_slide_panel=1",

+ "webUrl": "https://app.edu.buncee.com/buncee/C7B0866C9B7E485EAE21AE14DBC3FD08",

+ "createdBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": "fffafb29-e8bc-4de3-8106-be76ed2ad499",

+ "displayName": null

+ }

+ },

+ "lastModifiedBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": "fffafb29-e8bc-4de3-8106-be76ed2ad499",

+ "displayName": null

+ }

+ }

+ }

+}

+```

+Attach an existing [educationRubric](../resources/educationrubric.md) object to an [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Remove an [educationCategory](../resources/educationcategory.md) from an [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Create a SharePoint folder to upload feedback files for a given [educationSubmission](../resources/educationsubmission.md). Only teachers can perform this operation.

+Create a SharePoint folder to upload files for a given [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+These are the class-level assignment defaults respected by new [assignments](../resources/educationassignment.md) created in the class. Callers can continue to specify custom values on each **assignment** creation if they don't want the default behaviors. Only teachers can perform this operation.

+Get the properties of an [education assignment resource](../resources/educationassignmentresource.md) associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Read the properties and relationships of an [educationAssignmentSettings](../resources/educationassignmentsettings.md) object. Only teachers can perform this operation.

+Delete an existing [category](../resources/educationcategory.md). Only teachers can perform this operation.

+Retrieve an [educationCategory](../resources/educationcategory.md) object. Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of assignment objects. Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of [educationCategory](../resources/educationcategory.md) objects. Only teachers can perform this operation.

+Create a new assignment.

+Creates a new [educationCategory](../resources/educationcategory.md) on an [educationClass](../resources/educationclass.md). Only teachers can perform this operation.

+Update the properties of an [educationOutcome](../resources/educationoutcome.md) object. Only teachers can perform this operation.

+Delete an [educationRubric](../resources/educationrubric.md) object. Only teachers can perform this operation.

+Retrieve the properties and relationships of an [educationRubric](../resources/educationrubric.md) object. Only teachers and students can perform this operation.

+Update the properties of an [educationRubric](../resources/educationrubric.md) object. Only teachers can perform this operation.

+Retrieve a particular [submission](../resources/educationsubmission.md). Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of [educationOutcome](../resources/educationoutcome.md) objects. There are four types of outcomes: **educationPointsOutcome**, **educationFeedbackOutcome**, **educationRubricOutcome**, and **educationFeedbackResourceOutcome**. Only teachers, students, and applications with application permissions can perform this operation.

+List the resources associated with a [submission](../resources/educationsubmission.md). Only teachers, students, and applications with application permissions can perform this operation.

+List the [educationSubmissionResource](../resources/educationsubmissionresource.md) objects that have officially been submitted for grading. Only teachers, students, and applications with application permissions can perform this operation.

+Add an [educationSubmissionResource](../resources/educationsubmissionresource.md) to a submission resource list. Only teachers and students can perform this operation.

+The operation will not succeed if the **allowStudentsToAddResources** flag is not set to `true`.

+Trigger the creation of the SharePoint resource folder where all file-based resources (Word, Excel, and so on) should be uploaded for a given submission. Only teachers and students can perform this operation.

+Indicate that a student is done with the work and is ready to hand in the assignment. Only teachers, students, and applications with application permissions can perform this operation.

+Indicate that a student wants to work on the submission of the assignment after it was turned in. Only teachers, students, and applications with application permissions can perform this operation.

+Delete an [educationSubmissionResource](../resources/educationsubmissionresource.md) from the submission. Only teachers and students can perform this operation.

+If the resource was copied from the assignment, a new copy of the resource will be created after the current copy is deleted. This allows you to "reset" the resource to its original state. If the resource was not copied from the assignment but was added from the student, the resource is simply deleted.

+Retrieve the properties of a specific resource associated with a [submission](../resources/educationsubmissionresource.md). Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a [submitted resource](../resources/educationsubmissionresource.md). Only teachers, students, and applications with application permissions can perform this operation.

+Returns a list of [educationAssignment](../resources/educationassignment.md) assigned to a [educationUser](../resources/educationuser.md) for all [classes](../resources/educationclass.md). Only teachers, students, and applications with application permissions can perform this operation.

+An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code.

+An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code. For example, `/groups/{id}}/members/microsoft.graph.group` when the group is a Microsoft 365 group will return this error, because Microsoft 365 groups cannot have other groups as members.

+Get a list of the group's members. A group can different object types as members. For more information about supported member types for different groups, see [Group membership](../resources/groups-overview.md#group-membership).

+This operation is transitive and returns a flat list of all nested members. An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code.

+ An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code. For example, `/groups/{id}}/transitiveMembers/microsoft.graph.group` when the group is a Microsoft 365 group will return this error, because Microsoft 365 groups cannot have other groups as members.

+A group with **isAssignableToRole** property set to `true` cannot be of dynamic membership type, its **securityEnabled** must be set to `true`, and **visibility** can only be `Private`.

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+> [!CAUTION]

+>

+>- The **attendanceRecords** property does not return information about a breakout room.

+- Get details of an online meeting using [videoTeleconferenceId](#example-1-retrieve-an-online-meeting-by-videoteleconferenceid), [meeting ID](#example-2-retrieve-an-online-meeting-by-meeting-id), [joinWebURL](#example-3-retrieve-an-online-meeting-by-joinweburl), or [joinMeetingId](#example-4-retrieve-an-online-meeting-by-joinmeetingid).

+- Use the `/attendeeReport` path to get the attendee report of a [Microsoft Teams live event](/microsoftteams/teams-live-events/what-are-teams-live-events) in the form of a download link, as shown in [example 5](#example-5-fetch-attendee-report-of-a-teams-live-event).

+To get an **onlineMeeting** using **joinMeetingId** with delegated (`/me`) and app (`/users/{userId}`) permission:

+<!-- { "blockType": "ignored" } -->

+```http

+GET /me/onlineMeetings?$filter=joinMeetingIdSettings/joinMeetingId%20eq%20'{joinMeetingId}'

+GET /users/{userId}/onlineMeetings?$filter=joinMeetingIdSettings/joinMeetingId%20eq%20'{joinMeetingId}'

+```

+> - `userId` is the object ID of a user in [Azure user management portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade). For more details, see [Allow applications to access online meetings on behalf of a user](/graph/cloud-communication-online-meeting-application-access-policy).

+>- `joinMeetingId` is the meeting ID to be used to join a meeting.

+> [!NOTE]

+>- **joinMeetingIdSettings** might not be generated for some prescheduled meetings if the meeting was created before this feature was supported.

+The following is an example of a request.

+The following is an example of the response.

+> **Note:** The response object shown here might be shortened for readability.

+ "tollNumber": "5552478",

+ "tollFreeNumber": "5550588",

+ "threadId": "19:cbee7c1c860e465cebf7bee0d@thread.skype",

+ "messageId": "153367081"

+ "joinWebUrl": "https://teams.microsoft.com/l/meetup-join/19%3a:meeting_NTg0NmQ3NTctZDVkZC00YzRhLThmNmEtOGQDdmZDZk@thread.v2/0?context=%7b%22Tid%22%3a%aa67bd4c-8475-432d-bd41-39f255720e0a%22%2c%22Oid%22%3a%22112f7296-5fa4-42ca-bb15d4b8%22%7d",

+ "id": "112f7296-5ca-bae8-6a692b15d4b8",

+ "id": "5810cedeb-b2c1-e9bd5d53ec96",

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": false,

+ "joinMeetingId": "1234567890",

+ "passcode": null

+ },

+The following is an example of a request that uses a user (delegated) token.

+> **Note:** The meeting ID has been truncated for readability.

+The following is an example of the response.

+ "id": "MSpkYzE3Njc0Yy04MWQiMi04ZdFpHRTNaR1F6WGhyZWFkLnYy",

+ "joinWebUrl": "https://teams.microsoft.com/l/meetup-join/19%3ameeting_MGQ4MDQyNTE2EtZWVkODYxODYzMmY2%40thread.v2/0?context=%7b%22Tid%22%3a%22909c6581-5130-43e9-88f3-fcb3582cde37%22%2c%22Oid%22%3a%22dc17674c-81d9-4adb-442e4622%22%7d",

+ "id": "dc17674c-81d9-4adb-a442e4622",

+ "tenantId": "909c6581-5188f3-fcb3582cde38",

+ },

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": false,

+ "joinMeetingId": "1234567890",

+ "passcode": null

+The following is an example of a request that uses a user (delegated) token.

+The following is an example of the response.

+ "id": "dc17674c-81d9-4adb-bfb2-8f6a442e4622_19:meeting_MGQ4MDQyNTEtNTQVkODYxODYzMmY2@thread.v2",

+ "joinWebUrl": "https://teams.microsoft.com/l/meetup-join/19%3ameeting_MGQ4MDQyNTEtNTQ2NS00YjQxLTlkMYzMmY2%40thread.v2/0?context=%7b%22Tid%22%3a%22909c6581-5130-43e9-882cde37%22%2c%22Oid%22%3a%22dc17674c-81d9-4adb-bfb2-8f6a442e4622%22%7d",

+ "id": "dc17674c-81d9-4adb-bf442e4622",

+ "tenantId": "909c6581-5130-43e93582cde38",

+ },

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": false,

+ "joinMeetingId": "1234567890",

+ "passcode": null

+### Example 4: Retrieve an online meeting by joinMeetingId

+You can retrieve meeting information via the **joinMeetingId** by using either a user (delegated) or an application token.

+The following is an example of a request that uses a user (delegated) token.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "get-an-online-meeting-by-joinmeetingid"

+} -->

+```msgraph-interactive

+GET https://graph.microsoft.com/v1.0/me/onlineMeetings?$filter=joinMeetingIdSettings/joinMeetingId%20eq%20'1234567890'

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+The following request uses an app token.

+<!-- { "blockType": "ignored" } -->

+```http

+GET https://graph.microsoft.com/v1.0/users/dc17674c-81d9-4adb-bfb2-8f6a442e4622/onlineMeetings?$filter=joinMeetingIdSettings/joinMeetingId%20eq%20'1234567890'

+```

+#### Response

+The following is an example of the response.

+> **Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.onlineMeeting"

+} -->

+```http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": [

+ {

+ "id": "dc17674c-81d9-4adb-bfb2-8f6a442e4622_19:meeting_MGQ4MDQyNtZWVkODYxODYzMmY2@thread.v2",

+ "creationDateTime": "2020-09-29T22:35:33.1594516Z",

+ "startDateTime": "2020-09-29T22:35:31.389759Z",

+ "endDateTime": "2020-09-29T23:35:31.389759Z",

+ "joinWebUrl": "https://teams.microsoft.com/l/meetup-join/19%3ameeting_MGQ4MDQyNTEtNZWVkODYxODYzMmY2%40thread.v2/0?context=%7b%22Tid%22%3a%22909c6581-5130-43e9-88cb3582cde37%22%2c%22Oid%22%3a%22dc17674c-81d9-4adb-bfb2-8f6a442e4622%22%7d",

+ "subject": null,

+ "autoAdmittedUsers": "EveryoneInCompany",

+ "isEntryExitAnnounced": true,

+ "allowedPresenters": "everyone",

+ "allowMeetingChat": "enabled",

+ "allowTeamworkReactions": true,

+ "videoTeleconferenceId": "(redacted)",

+ "participants": {

+ "organizer": {

+ "upn": "(redacted)",

+ "role": "presenter",

+ "identity": {

+ "user": {

+ "id": "dc174c-81db-bfb2-8f6622",

+ "displayName": null,

+ "tenantId": "9091-5130-48f3-fce38",

+ "identityProvider": "AAD"

+ }

+ }

+ },

+ "attendees": [],

+ "producers": [],

+ "contributors": []

+ },

+ "lobbyBypassSettings": {

+ "scope": "organization",

+ "isDialInBypassEnabled": false

+ },

+ "joinMeetingIdSettings": {

+ "isPasscodeRequired": false,

+ "joinMeetingId": "1234567890",

+ "passcode": null

+ }

+ }

+ ]

+}

+```

+### Example 5: Fetch attendee report of a Teams live event

+The following example shows a request to download an attendee report.

+#### Request

+The following request uses a user (delegated) token.

+The following is an example of the response.

+| Delegated (work or school account) | Tasks.ReadWrite, Group.ReadWrite.All |

+The following table shows the properties that are required when you create a [plannerPlan](../resources/plannerplan.md).

+|Property|Type|Description|

+|:|:|:|

+|container|[plannerPlanContainer](../resources/plannerplancontainer.md)|Identifies the container of the plan. Specify only the **url**, the **containerId** and **type**, or all properties. After it is set, this property canΓÇÖt be updated.|

+|title|String|The title of the plan.|

+>**Note:** If the container is a Microsoft 365 group, the user who is creating the plan must be a member of the group that will contain the plan. When you create a new group by using [Create group](../api/group-post-groups.md), you are not added to the group as a member. After the group is created, add yourself as a member by using [group post members](../api/group-post-members.md).

+If successful, this method returns a `201 Created` response code and a [plannerPlan](../resources/plannerplan.md) object in the response body.

+This method can return any of the [HTTP status codes](/graph/errors). The most common errors that apps should handle for this method are the 400, 403, and 404 responses. For more information about these errors, see [Common Planner error conditions](../resources/planner-overview.md#common-planner-error-conditions).

+The following is an example of the request.

+ "container": {

+ "url": "https://graph.microsoft.com/beta/groups/ebf3b108-5234-4e22-b93d-656d7dae5874"

+ },

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+ "id": "b108ebf3-4e22-b93d-5234-dae5874656d7"

+ "container": {

+ "@odata.type": "microsoft.graph.plannerPlanContainer",

+ "url": "https://graph.microsoft.com/beta/groups/ebf3b108-5234-4e22-b93d-656d7dae5874",

+ "containerId": "ebf3b108-5234-4e22-b93d-656d7dae5874",

+ "type": "group"

+ },

+description: "Retrieve the properties and relationships of a **plannerAssignedToTaskBoardTaskFormat** object."

+Retrieve the properties and relationships of a **plannerAssignedToTaskBoardTaskFormat** object.

+If successful, this method returns a `200 OK` response code and a [plannerAssignedToTaskBoardTaskFormat](../resources/plannerassignedtotaskboardtaskformat.md) object in the response body.

+### Request

+The following is an example of the request.

+### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+ Title: "List printConnectors"

+description: "Retrieve a list of connectors."

+|Delegated (personal Microsoft account)|Not supported.|

+|Application| Not supported. |

+The following operators are not supported: `$count`, `$search`, `$filter`.

+The following is an example of a request.

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+ Title: "Get alert"

+description: "Retrieve the properties and relationships of an security alert object."

+ms.localizationpriority: medium

+# Get alert

+Namespace: microsoft.graph.security

+Get the properties and relationships of an [alert](../resources/security-alert.md) in an organization based on the specified alert **id** property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/alerts_v2/{alertId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [alert](../resources/security-alert.md) object in the response body.

+## Examples

+### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["da637578995287051192_756343937"],

+ "name": "get_security_alert"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/alerts_v2/da637578995287051192_756343937

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PHP](#tab/php)

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.alert"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.type": "#microsoft.graph.security.alert",

+ "id": "da637578995287051192_756343937",

+ "providerAlertId": "da637578995287051192_756343937",

+ "incidentId": "28282",

+ "status": "new",

+ "severity": "low",

+ "classification": "unknown",

+ "determination": "unknown",

+ "serviceSource": "microsoftDefenderForEndpoint",

+ "detectionSource": "antivirus",

+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "title": "Suspicious execution of hidden file",

+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",

+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",

+ "category": "DefenseEvasion",

+ "assignedTo": null,

+ "alertWebUrl": "https://security.microsoft.com/alerts/da637578995287051192_756343937?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "actorDisplayName": null,

+ "threatDisplayName": null,

+ "threatFamilyName": null,

+ "mitreTechniques": [

+ "T1564.001"

+ ],

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",

+ "resolvedDateTime": null,

+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",

+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",

+ "comments": [],

+ "evidence": [

+ {

+ "@odata.type": "#microsoft.graph.security.deviceEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "azureAdDeviceId": null,

+ "deviceDnsName": "tempDns",

+ "osPlatform": "Windows10",

+ "osBuild": 22424,

+ "version": "Other",

+ "healthStatus": "active",

+ "riskScore": "medium",

+ "rbacGroupId": 75,

+ "rbacGroupName": "UnassignedGroup",

+ "onboardingStatus": "onboarded",

+ "defenderAvStatus": "unknown",

+ "loggedOnUsers": [],

+ "roles": [

+ "compromised"

+ ],

+ "tags": [

+ "Test Machine"

+ ],

+ "vmMetadata": {

+ "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",

+ "cloudProvider": "azure",

+ "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",

+ "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.fileEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "fileDetails": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.processEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "processId": 4780,

+ "parentProcessId": 668,

+ "processCommandLine": "\"MsSense.exe\"",

+ "processCreationDateTime": "2021-08-12T12:43:19.0772577Z",

+ "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "imageFile": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "parentProcessImageFile": {

+ "sha1": null,

+ "sha256": null,

+ "fileName": "services.exe",

+ "filePath": "C:\\Windows\\System32",

+ "fileSize": 731744,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "userAccount": {

+ "accountName": "SYSTEM",

+ "domainName": "NT AUTHORITY",

+ "userSid": "S-1-5-18",

+ "azureAdUserId": null,

+ "userPrincipalName": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",

+ "registryHive": "HKEY_LOCAL_MACHINE",

+ "roles": [],

+ "tags": [],

+ }

+ ]

+}

+```

+ Title: "Create comment for alert"

+description: "Adds a comment to the end of the alert comments list"

+ms.localizationpriority: medium

+# Create comment for alert

+Namespace: microsoft.graph

+Create a comment for an existing [alert](../resources/security-alert.md) based on the specified alert **id** property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityAlert.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityAlert.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/alerts_v2/{alertId}/comments

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, use `@odata.type` to specify the parameter type of [alertComment](../resources/security-alertcomment.md), and provide a JSON object for the parameter, `comment`. See an [example](#examples).

+| Parameter | Type |Description|

+|:|:--|:-|

+|comment|String|The comment to be added.|

+## Response

+If successful, this method returns a `200 OK` response code and an updated list of all [alertComment](../resources/security-alertcomment.md) resources for the specified alert.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["da637865765418431569_-773071023"],

+ "name": "alert_v2_addcomment"

+}

+-->

+``` http

+POST https://graph.microsoft.com/v1.0/security/alerts_v2/da637865765418431569_-773071023/comments

+Content-Type: application/json

+{

+ "@odata.type": "microsoft.graph.security.alertComment",

+ "comment": "Demo for docs"

+}

+```

+# [JavaScript](#tab/javascript)

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "collection(microsoft.graph.security.alertComment)",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/alerts_v2('da637865765418431569_-773071023')/comments",

+ "value": [

+ {

+ "comment": "test",

+ "createdByDisplayName": "secAdmin@contoso.onmicrosoft.com",

+ "createdDateTime": "2022-10-13T07:08:30.1606766Z"

+ },

+ {

+ "comment": "Demo for docs",

+ "createdByDisplayName": "secAdmin@contoso.onmicrosoft.com",

+ "createdDateTime": "2022-10-13T07:08:40.3825324Z"

+ }

+ ]

+}

+```

+ Title: "Update alert"

+description: "Update the properties of an alert object."

+ms.localizationpriority: medium

+# Update alert

+Namespace: microsoft.graph

+Update the properties of an [alert](../resources/security-alert.md) object in an organization based on the specified alert **id** property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityAlert.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityAlert.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/alerts_v2/{alertId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|status|microsoft.graph.security.alertStatus|The status of the alert. Possible values are: `new`, `inProgress`, `resolved`, `unknownFutureValue`.|

+|classification|microsoft.graph.security.alertClassification|Specifies the classification of the alert. Possible values are: `unknown`, `falsePositive`, `truePositive`, `benignPositive`, `unknownFutureValue`.|

+|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the alert. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|

+|assignedTo|String|Owner of the incident, or null if no owner is assigned.|

+## Response

+If successful, this method returns a `200 OK` response code and an updated [alert](../resources/security-alert.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["da637551227677560813_-961444813"],

+ "name": "update_alert_v2"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/v1.0/security/alerts_v2/da637551227677560813_-961444813

+Content-Type: application/json

+Content-length: 2450

+{

+ "assignedTo": "secAdmin@contoso.onmicrosoft.com",

+ "classification": "truePositive",

+ "determination": "malware",

+ "status": "inProgress"

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PHP](#tab/php)

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "microsoft.graph.security.alert",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.type": "#microsoft.graph.security.alert",

+ "id": "da637551227677560813_-961444813",

+ "providerAlertId": "da637551227677560813_-961444813",

+ "incidentId": "28282",

+ "status": "inProgress",

+ "severity": "low",

+ "classification": "truePositive",

+ "determination": "malware",

+ "serviceSource": "microsoftDefenderForEndpoint",

+ "detectionSource": "antivirus",

+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "title": "Suspicious execution of hidden file",

+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",

+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",

+ "category": "DefenseEvasion",

+ "assignedTo": "secAdmin@contoso.onmicrosoft.com",

+ "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "actorDisplayName": null,

+ "threatDisplayName": null,

+ "threatFamilyName": null,

+ "mitreTechniques": [

+ "T1564.001"

+ ],

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",

+ "resolvedDateTime": null,

+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",

+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",

+ "comments": [],

+ "evidence": []

+}

+```

+Delete Microsoft Teams messages contained in an [eDiscovery search](../resources/security-ediscoverysearch.md).

+ Title: "Get incident"

+description: "Retrieve the properties and relationships of an incident object."

+ms.localizationpriority: medium

+# Get incident

+Namespace: microsoft.graph.security

+Retrieve the properties and relationships of an [incident](../resources/security-incident.md) object.

+Attacks are typically inflicted on different types of entities, such as devices, users, and mailboxes, resulting in multiple [alert](../resources/security-alert.md) objects. Microsoft 365 Defender correlates alerts with the same attack techniques or the same attacker into an **incident**.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/incidents/{incidentId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [incident](../resources/security-incident.md) object in the response body.

+## Examples

+### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["2972395"],

+ "name": "get_incident"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/incidents/2972395

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.incident"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.type": "#microsoft.graph.incident",

+ "id": "2972395",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",

+ "redirectIncidentId": null,

+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",

+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",

+ "assignedTo": "KaiC@contoso.onmicrosoft.com",

+ "classification": "TruePositive",

+ "determination": "MultiStagedAttack",

+ "status": "Active",

+ "severity": "Medium",

+ "customTags": [

+ "Demo"

+ ],

+ "comments": [

+ {

+ "comment": "Demo incident",

+ "createdBy": "DavidS@contoso.onmicrosoft.com",

+ "createdTime": "2021-09-30T12:07:37.2756993Z"

+ }

+ ]

+}

+```

+ Title: "Create comment for incident"

+description: "Adds a comment to the end of the incident comments list"

+ms.localizationpriority: medium

+# Create comment

+Namespace: microsoft.graph

+Create a comment for an existing [incident](../resources/security-incident.md) based on the specified incident **id** property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityIncident.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityIncident.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/incidents/{incidentId}/comments

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, use `@odata.type` to specify the parameter type of [alertComment](../resources/security-alertcomment.md), and provide a JSON object for the parameter, `comment`. See an [example](#examples).

+| Parameter | Type |Description|

+|:|:--|:-|

+|comment|String|The comment to be added.|

+## Response

+If successful, this method returns a `200 OK` response code and an updated list of all [alertComment](../resources/security-alertcomment.md) resources of the incident.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["3962396"],

+ "name": "incident_addcomment"

+}

+-->

+``` http

+POST https://graph.microsoft.com/v1.0/security/incidents/3962396/comments

+Content-Type: application/json

+{

+ "@odata.type": "microsoft.graph.security.alertComment",

+ "comment": "Demo for docs"

+}

+```

+# [JavaScript](#tab/javascript)

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "collection(microsoft.graph.security.alertComment)",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts_v2('da637865765418431569_-773071023')/comments",

+ "value": [

+ {

+ "comment": "test",

+ "createdByDisplayName": "secAdmin@contoso.onmicrosoft.com",

+ "createdDateTime": "2022-10-13T07:08:45.4626766Z"

+ },

+ {

+ "comment": "Demo for docs",

+ "createdByDisplayName": "secAdmin@contoso.onmicrosoft.com",

+ "createdDateTime": "2022-10-13T07:08:50.5821324Z"

+ }

+ ]

+}

+```

+ Title: "Update incident"

+description: "Update the properties of an incident object."

+ms.localizationpriority: medium

+# Update incident

+Namespace: microsoft.graph.security

+Update the properties of an [incident](../resources/security-incident.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityIncident.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityIncident.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/incidents/{incidentId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|assignedTo|String|Owner of the incident, or null if no owner is assigned. Free editable text.|

+|classification|microsoft.graph.security.alertClassification|The specification for the incident. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|

+|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the incident. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|

+|status|microsoft.graph.security.incidentStatus|The status of the incident. Possible values are: `active`, `resolved`, `redirected`, `unknownFutureValue`.|

+|customTags|String collection|Array of custom tags associated with an incident.|

+## Response

+If successful, this method returns a `200 OK` response code and an updated [incident](../resources/security-incident.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["2972395"],

+ "name": "update_incident"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/v1.0/security/incidents/2972395

+Content-Type: application/json

+{

+ "classification": "TruePositive",

+ "determination": "MultiStagedAttack",

+ "customTags": [

+ "Demo"

+ ]

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "microsoft.graph.security.incident",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.incident",

+ "id": "2972395",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",

+ "redirectIncidentId": null,

+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",

+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",

+ "assignedTo": "KaiC@contoso.onmicrosoft.com",

+ "classification": "TruePositive",

+ "determination": "MultiStagedAttack",

+ "status": "Active",

+ "severity": "Medium",

+ "customTags": [

+ "Demo"

+ ],

+ "comments": [

+ {

+ "comment": "Demo incident",

+ "createdBy": "DavidS@contoso.onmicrosoft.com",

+ "createdTime": "2021-09-30T12:07:37.2756993Z"

+ }

+ ]

+}

+```

+ Title: "List alerts_v2"

+description: "Get a list of the security alert objects and their properties."

+ms.localizationpriority: medium

+# List alerts_v2

+Namespace: microsoft.graph.security

+Get a list of [alert](../resources/security-alert.md) resources that have been created to track suspicious activities in an organization.

+This operation lets you filter and sort through alerts to create an informed cyber security response. It exposes a collection of alerts that were flagged in your network, within the time range you specified in your environment retention policy. The most recent alerts are displayed at the top of the list.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/alerts_v2

+```

+## Optional query parameters

+This method supports the following OData query parameters to help customize the response: `$count`, `$filter`, `$skip`, `$top`.

+The following properties support `$filter` : **assignedTo**, **classification**, **determination**, **createdDateTime**, **lastUpdateDateTime**, **severity**, **serviceSource** and **status**.

+Use `@odata.nextLink` for pagination.

+The following are examples of their use:

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/alerts_v2?$filter={property}+eq+'{property-value}'

+GET /security/alerts_V2?$top=100&$skip=200

+```

+For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [alert](../resources/security-alert.md) objects in the response body.

+## Examples

+### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "security_list_alerts"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/alerts_v2

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PHP](#tab/php)

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.alert",

+ "isCollection": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.alert",

+ "id": "da637551227677560813_-961444813",

+ "providerAlertId": "da637551227677560813_-961444813",

+ "incidentId": "28282",

+ "status": "new",

+ "severity": "low",

+ "classification": "unknown",

+ "determination": "unknown",

+ "serviceSource": "microsoftDefenderForEndpoint",

+ "detectionSource": "antivirus",

+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "title": "Suspicious execution of hidden file",

+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",

+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",

+ "category": "DefenseEvasion",

+ "assignedTo": null,

+ "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "actorDisplayName": null,

+ "threatDisplayName": null,

+ "threatFamilyName": null,

+ "mitreTechniques": [

+ "T1564.001"

+ ],

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",

+ "resolvedDateTime": null,

+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",

+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",

+ "comments": [],

+ "evidence": [

+ {

+ "@odata.type": "#microsoft.graph.security.deviceEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "azureAdDeviceId": null,

+ "deviceDnsName": "tempDns",

+ "osPlatform": "Windows10",

+ "osBuild": 22424,

+ "version": "Other",

+ "healthStatus": "active",

+ "riskScore": "medium",

+ "rbacGroupId": 75,

+ "rbacGroupName": "UnassignedGroup",

+ "onboardingStatus": "onboarded",

+ "defenderAvStatus": "unknown",

+ "loggedOnUsers": [],

+ "roles": [

+ "compromised"

+ ],

+ "tags": [

+ "Test Machine"

+ ],

+ "vmMetadata": {

+ "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",

+ "cloudProvider": "azure",

+ "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",

+ "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.fileEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "fileDetails": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.processEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "processId": 4780,

+ "parentProcessId": 668,

+ "processCommandLine": "\"MsSense.exe\"",

+ "processCreationDateTime": "2021-08-12T12:43:19.0772577Z",

+ "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "imageFile": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "parentProcessImageFile": {

+ "sha1": null,

+ "sha256": null,

+ "fileName": "services.exe",

+ "filePath": "C:\\Windows\\System32",

+ "fileSize": 731744,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "userAccount": {

+ "accountName": "SYSTEM",

+ "domainName": "NT AUTHORITY",

+ "userSid": "S-1-5-18",

+ "azureAdUserId": null,

+ "userPrincipalName": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",

+ "registryHive": "HKEY_LOCAL_MACHINE",

+ "roles": [],

+ "tags": [],

+ }

+ ]

+ }

+ ]

+}

+```

+ Title: "List incidents"

+description: "Get a list of the incident objects and their properties."

+ms.localizationpriority: medium

+# List incidents

+Namespace: microsoft.graph.security

+Get a list of [incident](../resources/security-incident.md) objects that Microsoft 365 Defender has created to track attacks in an organization.

+Attacks are typically inflicted on different types of entities, such as devices, users, and mailboxes, resulting in multiple [alert](../resources/security-alert.md) objects. Microsoft 365 Defender correlates alerts with the same attack techniques or the same attacker into an **incident**.

+This operation allows you to filter and sort through incidents to create an informed cyber security response. It exposes a collection of incidents that were flagged in your network, within the time range you specified in your environment retention policy. The most recent incidents are displayed at the top of the list.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/incidents

+```

+## Optional query parameters

+This method supports the following OData query parameters to help customize the response: `$count`, `$filter`, `$skip`, `$top`, `$expand`.

+The following properties support `$filter` : **assignedTo**, **classification**, **createdDateTime**, **determination**, **lastUpdateDateTime**, **severity**, and **status**.

+Use `@odata.nextLink` for pagination.

+The following are examples of their use:

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/incidents?$count=true

+GET /security/incidents?$filter={property}+eq+'{property-value}'

+GET /security/incidents?$top=10

+```

+For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [incident](../resources/security-incident.md) objects in the response body.

+## Examples

+### Example 1: List all incidents

+#### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "list_incident_for_defender"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/incidents

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.incident",

+ "isCollection": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.incident",

+ "id": "2972395",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",

+ "redirectIncidentId": null,

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",

+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",

+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",

+ "assignedTo": "KaiC@contoso.onmicrosoft.com",

+ "classification": "TruePositive",

+ "determination": "MultiStagedAttack",

+ "status": "Active",

+ "severity": "Medium",

+ "customTags": [

+ "Demo"

+ ],

+ "comments": [

+ {

+ "comment": "Demo incident",

+ "createdBy": "DavidS@contoso.onmicrosoft.com",

+ "createdTime": "2021-09-30T12:07:37.2756993Z"

+ }

+ ]

+ }

+ ]

+}

+```

+### Example 2: List all incidents with their alerts

+#### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "list_incident_with_their_alerts"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/incidents?$expand=alerts

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.incident",

+ "isCollection": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.incident",

+ "id": "2972395",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",

+ "redirectIncidentId": null,

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",

+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",

+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",

+ "assignedTo": "KaiC@contoso.onmicrosoft.com",

+ "classification": "truePositive",

+ "determination": "multiStagedAttack",

+ "status": "active",

+ "severity": "medium",

+ "tags": [

+ "Demo"

+ ],

+ "comments": [

+ {

+ "comment": "Demo incident",

+ "createdBy": "DavidS@contoso.onmicrosoft.com",

+ "createdTime": "2021-09-30T12:07:37.2756993Z"

+ }

+ ],

+ "alerts": [

+ {

+ "@odata.type": "#microsoft.graph.security.alert",

+ "id": "da637551227677560813_-961444813",

+ "providerAlertId": "da637551227677560813_-961444813",

+ "incidentId": "28282",

+ "status": "new",

+ "severity": "low",

+ "classification": "unknown",

+ "determination": "unknown",

+ "serviceSource": "microsoftDefenderForEndpoint",

+ "detectionSource": "antivirus",

+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "title": "Suspicious execution of hidden file",

+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",

+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",

+ "category": "DefenseEvasion",

+ "assignedTo": null,

+ "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "actorDisplayName": null,

+ "threatDisplayName": null,

+ "threatFamilyName": null,

+ "mitreTechniques": [

+ "T1564.001"

+ ],

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",

+ "resolvedDateTime": null,

+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",

+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",

+ "comments": [],

+ "evidence": [

+ {

+ "@odata.type": "#microsoft.graph.security.deviceEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "azureAdDeviceId": null,

+ "deviceDnsName": "tempDns",

+ "osPlatform": "Windows10",

+ "osBuild": 22424,

+ "version": "Other",

+ "healthStatus": "active",

+ "riskScore": "medium",

+ "rbacGroupId": 75,

+ "rbacGroupName": "UnassignedGroup",

+ "onboardingStatus": "onboarded",

+ "defenderAvStatus": "unknown",

+ "loggedOnUsers": [],

+ "roles": [

+ "compromised"

+ ],

+ "tags": [

+ "Test Machine"

+ ],

+ "vmMetadata": {

+ "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",

+ "cloudProvider": "azure",

+ "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",

+ "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.fileEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "fileDetails": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.processEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "processId": 4780,

+ "parentProcessId": 668,

+ "processCommandLine": "\"MsSense.exe\"",

+ "processCreationDateTime": "2021-08-12T12:43:19.0772577Z",

+ "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "imageFile": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "parentProcessImageFile": {

+ "sha1": null,

+ "sha256": null,

+ "fileName": "services.exe",

+ "filePath": "C:\\Windows\\System32",

+ "fileSize": 731744,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "userAccount": {

+ "accountName": "SYSTEM",

+ "domainName": "NT AUTHORITY",

+ "userSid": "S-1-5-18",

+ "azureAdUserId": null,

+ "userPrincipalName": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",

+ "registryHive": "HKEY_LOCAL_MACHINE",

+ "roles": [],

+ "tags": [],

+ }

+ ]

+ }

+ ]

+ }

+ ]

+}

+```

+ Title: "security: runHuntingQuery"

+description: "Run Hunting query API"

+ms.localizationpriority: medium

+# security: runHuntingQuery

+Namespace: microsoft.graph.security

+Queries a specified set of event, activity, or entity data supported by Microsoft 365 Defender to proactively look for specific threats in your environment.

+This is the method for advanced hunting in Microsoft 365 Defender. This method includes a query in Kusto Query Language (KQL). It specifies a data table in the [advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide&preserve-view=true) and a piped sequence of operators to filter or search that data, and format the query output in specific ways.

+Find out more about [hunting for threats across devices, emails, apps, and identities](/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide&preserve-view=true). Learn about [KQL](/azure/data-explorer/kusto/query/).

+For information on using advanced hunting in the [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-worldwide&preserve-view=true), see [Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide&preserve-view=true).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|ThreatHunting.Read.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|ThreatHunting.Read.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/runHuntingQuery

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, provide a JSON object for the parameter, `Query`.

+| Parameter | Type |Description|

+|:|:--|:-|

+|Query|String|The hunting query in Kusto Query Language (KQL). For more information on KQL syntax, see [KQL quick reference](/azure/data-explorer/kql-quick-reference).|

+## Response

+If successful, this action returns a `200 OK` response code and a [huntingQueryResults](../resources/security-huntingqueryresults.md) in the response body.

+## Examples

+### Request

+This example specifies a KQL query which does the following:

+- Looks into the [DeviceProcessEvents](/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide&preserve-view=true) table in the advanced hunting schema.

+- Filters on the condition that the event is initiated by the powershell.exe process.

+- Specifies the output of 3 columns from the same table for each row: `Timestamp`, `FileName`, `InitiatingProcessFileName`.

+- Sorts the output by the `Timestamp` value.

+- Limits the output to 2 records (2 rows).

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "security_runhuntingquery"

+}

+-->

+``` http

+POST https://graph.microsoft.com/v1.0/security/runHuntingQuery

+{

+ "Query": "DeviceProcessEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2"

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PHP](#tab/php)

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "microsoft.graph.security.huntingQueryResults"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "schema": [

+ {

+ "Name": "Timestamp",

+ "Type": "DateTime"

+ },

+ {

+ "Name": "FileName",

+ "Type": "String"

+ },

+ {

+ "Name": "InitiatingProcessFileName",

+ "Type": "String"

+ }

+ ],

+ "results": [

+ {

+ "Timestamp": "2020-08-30T06:38:35.7664356Z",

+ "FileName": "conhost.exe",

+ "InitiatingProcessFileName": "powershell.exe"

+ },

+ {

+ "Timestamp": "2020-08-30T06:38:30.5163363Z",

+ "FileName": "conhost.exe",

+ "InitiatingProcessFileName": "powershell.exe"

+ }

+ ]

+}

+```

+ "@odata.context":"https://graph.microsoft.com/v1.0/$metadata#servicePrincipals",

+Use this API to add an owner for the [servicePrincipal](../resources/serviceprincipal.md). Service principal owners can be users, the service principal itself, or other service principals.

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+# [PowerShell](#tab/powershell)

+ Title: "Get user"

+# Get user

+### Example 5: Use `$filter` to retrieve specific users based on a property value

+This example shows how to use the `$filter` query parameter along with the `endswith` clause to retrieve a user with a specific value in the **mail** attribute. This request filters and returns all users with a mail address ending with contoso.com.

+#### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "get_user_filter"

+} -->

+```msgraph-interactive

+GET https://graph.microsoft.com/v1.0/users?$count=true&ConsistencyLevel=eventual&$filter=endsWith(mail,'@contoso.com')

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+# [PHP](#tab/php)

+#### Response

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.user"

+} -->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",

+ "@odata.count": 1350,

+ "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$count=true&$filter=endsWith(mail,'@contoso.com')&ConsistencyLevel=eventual&$skiptoken=m~AQAnOzEyN2NjN2I3NTQzYzQ0YzA4NjlhYjU5MzUzYmNhNGI2OzswOzA7",

+ "value": [

+ {

+ "businessPhones": [],

+ "displayName": "Phantom Space",

+ "givenName": "Space",

+ "jobTitle": null,

+ "mail": "Space.Phantom@cloudezzy.com",

+ "mobilePhone": null,

+ "officeLocation": null,

+ "preferredLanguage": null,

+ "surname": "Phantom",

+ "userPrincipalName": "Space.Phantom@contoso.com",

+ "id": "00111916-c5c5-4dd2-9e31-aab96af7511e"

+ }

+ ]

+}

+```

+# [PowerShell](#tab/powershell)

+The following is an example of the request.

+#### Response

+The following is an example of the response, which includes a **mailSearchFolder** that is a child folder under the Inbox.

+This example uses the `includeHiddenFolders` query parameter to get a list of mail folders including hidden mail folders. The response includes the "Clutters" folder that has the **isHidden** set to `true`.

+The following is an example of the response.

+ "address": "frannis@contoso.onmicrosoft.com"

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+ "/deployedge",

+ "/training",

+ "/windows-hardware"

+|id|String| Read-only. Unique ID of the user.|

+|roles| string collection | The roles for that user. |

+|userId| string | The guid of the user. |

+| reviewers |[accessReviewReviewerScope](../resources/accessreviewreviewerscope.md) collection| This collection of access review scopes is used to define who the reviewers are. Supports `$select`. For examples of options for assigning reviewers, see [Assign reviewers to your access review definition using the Microsoft Graph API](/graph/accessreviews-scope-concept).|

+| notificationTemplateType |String | Indicates the type of access review email to be sent. Supported template type is `CompletedAdditionalRecipients`, which sends review completion notifications to the recipients.|

+| queryType | String | Indicates the type of query. Allowed value is `MicrosoftGraph`. |

+| queryType | String | The type of query. Examples include `MicrosoftGraph` and `ARM`. |

+| backupReviewers (deprecated) |[accessReviewReviewerScope](../resources/accessreviewreviewerscope.md) collection| This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. Supports `$select`. <br>**Note:** This property has been replaced by **fallbackReviewers**. However, specifying either **backupReviewers** or **fallbackReviewers** automatically populates the same values to the other property. |

+|stageSettings|[accessReviewStageSettings](../resources/accessreviewstagesettings.md) collection| Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages will be created sequentially based on the **dependsOn** property. Optional. <br/><br/>When this property is defined, its settings are used instead of the corresponding settings in the [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) object and its **settings**, **reviewers**, and **fallbackReviewers** properties. |

+|id|String| Unique identifier for this policy. Read-only.|

+description: "Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified."

+This resource corresponds to the first generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft or a partner security solution has identified.

+This type of alerts federates calling of supported Azure and Microsoft 365 Defender security providers listed in [Use the Microsoft Graph security API](security-api-overview.md#legacy-alerts). It aggregates common alert data among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions.

+To learn more, see the sample queries in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).

+| type | Int32 | For internal use only

+|acquiredByPrinter|Boolean|True if the job was acquired by a printer; false otherwise. Read-only.|

+|createdDateTime|DateTimeOffset|The dateTimeOffset when the job was created. Read-only.|

+|id|String|The archived print job's GUID. Read-only.|

+|printerId|String|The printer ID that the job was queued for. Read-only.|

+|processingState|printJobProcessingState|The print job's final processing state. Read-only.|

+| labelId | String | The unique identifier of the label. |

+|type|attendeeType| The type of attendee. The possible values are: `required`, `optional`, `resource`. Currently if the attendee is a person, [findMeetingTimes](../api/user-findmeetingtimes.md) always considers the person is of the `Required` type.|

+| dialinUrl | String | A URL to the externally-accessible web page that contains dial-in information. |

+|displayName|String| The display name is the friendly name of the authenticationContextClassReference object. This value should be used to identify the authentication context class reference when building user-facing admin experiences. For example, a selection UX.|

+|id|String| Identifier used to reference the authentication context class. The id is used to trigger step-up authentication for the referenced authentication requirements and is the value that will be issued in the `acrs` claim of an access token. This value in the claim is used to verify that the required authentication context has been satisfied. The allowed values are `c1` through `c25`. <br/> Supports `$filter` (`eq`).|

+|displayName|String| Inherited property. The human-readable name of the policy. Optional. Read-only.|

+|id|String| Inherited property. The identifier of the authentication flows policy. Optional. Read-only.|

+description: "A collection of groups that are enabled to use an authentication method as part of an authentication method policy."

+A collection of groups that are enabled to use an authentication method as part of an authentication method policy in Azure AD.

+|basis|String|Scope type. The possible values are: `AllTenants`, `TotalSeats`, `IndustryTypes`.|