Updates from: 02/15/2023 02:20:10
Service Microsoft Docs article Related commit history on GitHub Change details
v1.0 Accessreviewset List Definitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/accessreviewset-list-definitions.md
This method supports the `$select`, `$top`, `$skip`, and `$filter` OData query p
The default page size for this API is 100 **accessReviewScheduleDefinition** objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging). ### Use the $filter query parameter
-The `$filter` query parameter with the `contains` operator is supported on the **scope** property of accessReviewScheduleDefinition. Use the following format for the request:
-
-```http
-GET /identityGovernance/accessReviews/definitions?$filter=contains(scope/microsoft.graph.accessReviewQueryScope/query, '{object}')
-```
-
-The value of `{object}` can be one of the following:
-
-|Value|Description|
-|: |: |
-|/groups |List every accessReviewScheduleDefinition on individual groups (excludes definitions scoped to all Microsoft 365 groups with guest users).|
-|/groups/{group id} |List every accessReviewScheduleDefinition on a specific group (excludes definitions scoped to all Microsoft 365 groups with guest users).|
-|./members |List every accessReviewScheduleDefinition scoped to all Microsoft 365 groups with guest users.|
-|accessPackageAssignments |List every accessReviewScheduleDefinition on an access package.|
-|roleAssignmentScheduleInstances |List every accessReviewScheduleDefinition for service principals assigned to a privileged role.|
-
-The `$filter` query parameter is not supported on **accessReviewInactiveUserQueryScope** or **principalResourceMembershipScope**.
## Request headers None.
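Review bot: The heading `### Use the $filter query parameter` stays as context while every line under it is removed, so the section is left empty directly before `## Request headers`, and the intro line still lists `$filter` as a supported query parameter. Either remove the heading as well, or keep a short statement of which `$filter` expressions work, including the removed caveat that `$filter` is not supported on accessReviewInactiveUserQueryScope or principalResourceMembershipScope.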
v1.0 Accessreviewset Post Historydefinitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/accessreviewset-post-historydefinitions.md
The following table shows the required properties used to create an [accessRevie
### Supported scope queries for accessReviewHistoryDefinition
-The **scopes** property of [accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md) is based on **accessReviewQueryScope**, a resource that allows you to configure different resources in it's **query** property. These resources then represent the scope of the history definition and dictate the type of review history data that is included in the downloadable CSV file which is generated when the history definition's [accessReviewHistoryInstances](../resources/accessreviewhistoryinstance.md) are created.
-
-Use the following format for the **query** property:
-
-```http
-/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '{object}')
-```
-
-The value of `{object}` is one of the resources that can be configured in an **accessReviewScheduleDefinition**. For example, the following includes every accessReviewScheduleDefinition review result on individual groups (and excludes definitions scoped to all Microsoft 365 groups with guest users).
-
-```http
-/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '/groups')
-```
-
-For more supported values, see Use the [$filter query parameter on accessReviewScheduleDefinition](accessreviewset-list-definitions.md#use-the-filter-query-parameter).
## Response
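Review bot: With the body of `### Supported scope queries for accessReviewHistoryDefinition` removed, this article no longer says what format the **query** property takes, yet the heading remains and is followed directly by `## Response`. If the guidance now lives in another topic, link to it from under this heading; otherwise drop the heading together with the text.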
v1.0 Cloudpcorganizationsettings Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpcorganizationsettings-get.md
Content-Type: application/json
"value": { "@odata.type": "#microsoft.graph.cloudPcOrganizationSettings", "enableMEMAutoEnroll": false,
+ "enableSingleSignOn": true,
"id": "8660bf17-bf17-8660-17bf-608617bfffff", "osVersion": "windows11", "userAccountType": "standardUser",
v1.0 Cloudpcorganizationsettings Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpcorganizationsettings-update.md
PATCH /deviceManagement/virtualEndpoint/organizationSettings
|Property|Type|Description| |:|:|:| |enableMEMAutoEnroll|Boolean|Specifies whether new Cloud PCs will be automatically enrolled in Microsoft Endpoint Manager(MEM). The default value is `false`. Optional.|
+|enableSingleSignOn|Boolean|`True` if the provisioned Cloud PC can be accessed by single sign-on. `False` indicates that the provisioned Cloud PC doesn't support this feature. Default value is `false`. Windows 365 users can use single sign-on to authenticate to Azure Active Directory (Azure AD) with passwordless options (for example, FIDO keys) to access their Cloud PC. Optional.|
|osVersion|cloudPcOperatingSystem|The version of the operating system (OS) to provision on Cloud PCs. The possible values are: `windows10`, `windows11`, `unknownFutureValue`. Optional.| |userAccountType|cloudPcUserAccountType|The account type of the user on provisioned Cloud PCs. The possible values are: `standardUser`, `administrator`, `unknownFutureValue`. Optional.| |windowsSettings|cloudPcWindowsSettings|The settings to apply to Windows while creating Cloud PCs for this organization. The default language value is `en-US`.| - ## Response If successful, this method returns a `204 No Content` response code.
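Review bot: The new enableSingleSignOn row mixes boolean casing: it opens with `True` and `False` but gives the default as `false`. The neighbouring enableMEMAutoEnroll row uses lowercase `false`, which also matches the JSON examples, so use `true`/`false` throughout. Moving "Default value is `false`. Optional." to the end of the description, after the sentence about passwordless sign-in, would match how the other rows end.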
If successful, this method returns a `204 No Content` response code.
### Request
+The following is an example of a request.
+ # [HTTP](#tab/http) <!-- { "blockType": "request",
Content-length: 127
+### Response
+The following is an example of the response.
-### Response
<!-- { "blockType": "response", "truncated": true
v1.0 Cloudpcprovisioningpolicy Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpcprovisioningpolicy-get.md
Content-Type: application/json
"domainJoinType": "hybridAzureADJoin", "onPremisesConnectionId": "16ee6c71-fc10-438b-88ac-daa1ccafffff" },
+ "enableSingleSignOn": true,
"id": "1d164206-bf41-4fd2-8424-a3192d39ffff", "imageDisplayName": "Image Display Name value", "imageId": "Image ID value",
Content-Type: application/json
"windowsSettings": { "language": "en-US" },
- "managedBy": "windows365"
+ "managedBy": "windows365",
+ "provisioningType": "dedicated"
} ```
Content-Type: application/json
"regionName": null, "type": "hybridAzureADJoin" },
+ "enableSingleSignOn": true,
"id": "1d164206-bf41-4fd2-8424-a3192d39ffff", "imageDisplayName": "Image Display Name value", "imageId": "Image ID value",
Content-Type: application/json
} } ],
- "managedBy": "windows365"
+ "managedBy": "windows365",
+ "provisioningType": "dedicated"
} ```
Content-Type: application/json
"regionName": null, "type": "hybridAzureADJoin" },
+ "enableSingleSignOn": true,
"gracePeriodInHours": 2, "id": "1d164206-bf41-4fd2-8424-a3192d39ffff", "imageDisplayName": "myCustomImage",
Content-Type: application/json
"onPremisesConnectionId": "4e47d0f6-6f77-44f0-8893-c0fe1701ffff", "windowsSettings": { "language": "en-US"
- }
+ },
+ "provisioningType": "dedicated"
} ```
v1.0 Cloudpcprovisioningpolicy Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpcprovisioningpolicy-update.md
The following table shows the properties that can be updated for the [cloudPcPro
|Property|Type|Description| |:|:|:|
-|displayName|String|The display name for the provisioning policy. |
|description|String|The provisioning policy description.|
+|displayName|String|The display name for the provisioning policy. |
|domainJoinConfiguration|[cloudPcDomainJoinConfiguration](../resources/cloudpcdomainjoinconfiguration.md)|Specifies how Cloud PCs will join Azure Active Directory.|
-|onPremisesConnectionId|String|The ID of the cloudPcOnPremisesConnection. To ensure that Cloud PCs have network connectivity and that they domain join, choose a connection with a virtual network thatΓÇÖs validated by the Cloud PC service.|
+|enableSingleSignOn|Boolean|`True` if the provisioned Cloud PC can be accessed by single sign-on. `False` indicates that the provisioned Cloud PC doesn't support this feature. Default value is `false`. Windows 365 users can use single sign-on to authenticate to Azure Active Directory (Azure AD) with passwordless options (for example, FIDO keys) to access their Cloud PC. Optional.|
+|imageDisplayName|String|The display name for the OS image you're provisioning.|
|imageId|String|The ID of the OS image you want to provision on Cloud PCs. The format for a gallery type image is: {publisher_offer_sku}. Supported values for each of the parameters are as follows: <ul><li>publisher: Microsoftwindowsdesktop.</li> <li>offer: windows-ent-cpc.</li> <li>sku: 21h1-ent-cpc-m365, 21h1-ent-cpc-os, 20h2-ent-cpc-m365, 20h2-ent-cpc-os, 20h1-ent-cpc-m365, 20h1-ent-cpc-os, 19h2-ent-cpc-m365 and 19h2-ent-cpc-os.</li></ul>|
-|imageDisplayName|String|The display name for the OS image youΓÇÖre provisioning.|
|imageType|cloudPcProvisioningPolicyImageType|The type of OS image (custom or gallery) you want to provision on Cloud PCs. Possible values are: `gallery`, `custom`.|
+|onPremisesConnectionId|String|The ID of the cloudPcOnPremisesConnection. To ensure that Cloud PCs have network connectivity and that they domain join, choose a connection with a virtual network thatΓÇÖs validated by the Cloud PC service.|
|windowsSettings|[cloudPcWindowsSettings](../resources/cloudpcwindowssettings.md)|The Windows operation system settings for the provisioned Cloud PCs with this provisioning policy, such as operation system language setting.| ## Response
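Review bot: The re-added onPremisesConnectionId row still carries the non-ASCII apostrophe in "thatΓÇÖs validated" (it shows up garbled in this diff), while the imageDisplayName row in the same change was switched to a plain "you're". Normalize the apostrophe in onPremisesConnectionId as well. The enableSingleSignOn row also mixes `True`/`False` with a lowercase `false` default.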
If successful, this method returns a `204 No Content` response code.
### Request
+The following is an example of a request.
# [HTTP](#tab/http) <!-- {
Content-Type: application/json
- ### Response
+The following is an example of the response.
+ <!-- { "blockType": "response", "truncated": true,
v1.0 Cloudpcshareduseserviceplan Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpcshareduseserviceplan-get.md
+
+ Title: "Get cloudPcSharedUseServicePlan"
+description: "Read the properties and relationships of a cloudPcSharedUseServicePlan object."
+
+ms.localizationpriority: medium
++
+# Get cloudPcSharedUseServicePlan
+
+Namespace: microsoft.graph
++
+Read the properties and relationships of a [cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | CloudPC.Read.All, CloudPC.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | CloudPC.Read.All, CloudPC.ReadWrite.All |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /deviceManagement/virtualEndpoint/sharedUseServicePlans/{cloudPcSharedUseServicePlanId}
+```
+
+## Optional query parameters
+
+This method supports the `$select` OData query parameter to help customize the response.. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a [cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) object in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of a request.
+
+<!-- {
+ "blockType": "request",
+ "name": "get_cloudpcshareduseserviceplan"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/sharedUseServicePlans/613a8d85-6c33-1268-9f55-b96a6540017c
+```
+
+### Response
+
+The following is an example of the response.
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.cloudPcSharedUseServicePlan"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "value": {
+ "@odata.type": "#microsoft.graph.cloudPcSharedUseServicePlan",
+ "id": "613a8d85-6c33-1268-9f55-b96a6540017c",
+ "displayName": "Display Name Value",
+ "usedCount": "10",
+ "totalCount": "20"
+ }
+}
+```
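Review bot: In the response example, `usedCount` and `totalCount` are quoted strings ("10", "20"); if the resource defines them as integers, the example should use bare JSON numbers so readers and generated samples do not treat them as strings. Two smaller points: the sentence under "Optional query parameters" ends with a double period ("response.."), and the front matter uses `Title:` with a capital T next to a lowercase `description:`.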
v1.0 Device Delete Registeredusers https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/device-delete-registeredusers.md
One of the following permissions is required to call this API. To learn more, in
[!INCLUDE [limited-info](../../includes/limited-info.md)]
+The calling user must also be in one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference): *Global Administrator*, *Intune Administrator*, or *Windows 365 Administrator*.
+ ## HTTP request <!-- { "blockType": "ignored" } --> ```http
v1.0 Device Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/device-get.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
+The calling user must also be in one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference):
+
+* Global Administrator
+* Users
+* Directory Readers
+* Directory Writers
+* Compliance Administrator
+* Device Managers
+* Application Administrator
+* Security Reader
+* Security Administrator
+* Privileged Role Administrator
+* Cloud Application Administrator
+* Customer LockBox Access Approver
+* Dynamics 365 Administrator
+* Power BI Administrator
+* Desktop Analytics Administrator
+* Microsoft Managed Desktop Administrator
+* Teams Communications Administrator
+* Teams Communications Support Engineer
+* Teams Communications Support Specialist
+* Teams Administrator
+* Compliance Data Administrator
+* Security Operator
+* Kaizala Administrator
+* Global Reader
+* Directory Reviewer
+* Windows 365 Administrator
+ ## HTTP request You can address the device using either its **id** or **deviceId**.
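Review bot: The added sentence says "The calling user must also be in one of the following Azure AD roles", but the permissions table directly above it lists Application permissions (Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All), where there is no calling user. State that the role requirement applies to delegated scenarios, and say what, if anything, applies to app-only calls.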
v1.0 Device List Registeredusers https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/device-list-registeredusers.md
One of the following permissions is required to call this API. To learn more, in
[!INCLUDE [limited-info](../../includes/limited-info.md)]
+The calling user must also be in one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference):
+
+* Global Administrator
+* Users
+* Directory Readers
+* Directory Writers
+* Compliance Administrator
+* Device Managers
+* Application Administrator
+* Security Reader
+* Security Administrator
+* Privileged Role Administrator
+* Cloud Application Administrator
+* Customer LockBox Access Approver
+* Dynamics 365 Administrator
+* Power BI Administrator
+* Desktop Analytics Administrator
+* Microsoft Managed Desktop Administrator
+* Teams Communications Administrator
+* Teams Communications Support Engineer
+* Teams Communications Support Specialist
+* Teams Administrator
+* Compliance Data Administrator
+* Security Operator
+* Kaizala Administrator
+* Global Reader
+* Directory Reviewer
+* Windows 365 Administrator
+ ## HTTP request You can address the device using either its **id** or **deviceId**.
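Review bot: This 26-role list is identical to the lists added to device-get.md and device-list.md in the same update. Consider moving it into a shared include, the way `[!INCLUDE [limited-info](../../includes/limited-info.md)]` is used just above, so the three copies cannot drift apart.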
v1.0 Device List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/device-list.md
One of the following permissions is required to call this API. To learn more, in
| Delegated (personal Microsoft account) | Not supported. | | Application | Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
+The calling user must also be in one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference):
+
+* Global Administrator
+* Users
+* Directory Readers
+* Directory Writers
+* Compliance Administrator
+* Device Managers
+* Application Administrator
+* Security Reader
+* Security Administrator
+* Privileged Role Administrator
+* Cloud Application Administrator
+* Customer LockBox Access Approver
+* Dynamics 365 Administrator
+* Power BI Administrator
+* Desktop Analytics Administrator
+* Microsoft Managed Desktop Administrator
+* Teams Communications Administrator
+* Teams Communications Support Engineer
+* Teams Communications Support Specialist
+* Teams Administrator
+* Compliance Data Administrator
+* Security Operator
+* Kaizala Administrator
+* Global Reader
+* Directory Reviewer
+* Windows 365 Administrator
+ ## HTTP request <!-- { "blockType": "ignored" } -->
v1.0 Device Post Registeredusers https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/device-post-registeredusers.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Not supported. |
+The calling user must also be in one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference): *Global Administrator*, *Intune Administrator*, or *Windows 365 Administrator*.
+ ## HTTP request You can address the device using either its **id** or **deviceId**.
v1.0 Directory Deleteditems Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/directory-deleteditems-delete.md
If successful, this method returns `204 No Content` response code. It does not r
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "delete_directory"
+ "name": "delete_directory_deleteditem"
}--> ```http DELETE https://graph.microsoft.com/beta/directory/deleteditems/46cc6179-19d0-473e-97ad-6ff84347bbbb
v1.0 Directory Deleteditems Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/directory-deleteditems-get.md
The following is an example of a request.
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "get_directory"
+ "name": "get_directory_deleteditem"
}--> ```msgraph-interactive GET https://graph.microsoft.com/beta/directory/deleteditems/46cc6179-19d0-473e-97ad-6ff84347bbbb
v1.0 Directory Deleteditems Getuserownedobjects https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/directory-deleteditems-getuserownedobjects.md
Successful requests return `200 OK` response codes; the response object includes
## Example
-##### Request
+### Request
Here is an example of the request.
+<!-- {
+ "blockType": "request",
+ "name": "get_directory_deleteditem_getuserownedobjects"
+}-->
``` http POST https://graph.microsoft.com/beta/directory/deletedItems/getUserOwnedObjects Content-type: application/json
Content-type: application/json
} ```
-###### Response
+### Response
-Here is an example of the response. Note: This response object may be truncated for brevity. All supported properties are returned
-from actual calls.
+Here is an example of the response.
+> **Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.directoryObject",
+ "isCollection": true
+} -->
``` http
-HTTP/1.1 200
+HTTP/1.1 200 OK
Content-type: application/json {
-"value": [
- {
- "@odata.type": "#microsoft.graph.group",
- "id": "bfa7033a-7367-4644-85f5-95aaf385cbd7",
- "deletedDateTime": "2018-04-01T12:39:16Z",
- "classification": null,
- "createdDateTime": "2017-03-22T12:39:16Z",
- "description": null,
- "displayName": "Test",
- "groupTypes": [
- "Unified"
- ],
- "mail": "Test@contoso.com",
- "mailEnabled": true,
- "mailNickname": "Test",
- "membershipRule": null,
- "membershipRuleProcessingState": null,
- "preferredDataLocation": null,
- "preferredLanguage": null,
- "proxyAddresses": [
- "SMTP:Test@contoso.com"
- ],
- "renewedDateTime": "2017-09-22T22:30:39Z",
- "securityEnabled": false,
- "theme": null,
- "visibility": "Public"
- }
- ]
- }
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.group",
+ "id": "bfa7033a-7367-4644-85f5-95aaf385cbd7",
+ "deletedDateTime": "2018-04-01T12:39:16Z",
+ "classification": null,
+ "createdDateTime": "2017-03-22T12:39:16Z",
+ "description": null,
+ "displayName": "Test",
+ "groupTypes": [
+ "Unified"
+ ],
+ "mail": "Test@contoso.com",
+ "mailEnabled": true,
+ "mailNickname": "Test",
+ "membershipRule": null,
+ "membershipRuleProcessingState": null,
+ "preferredDataLocation": null,
+ "preferredLanguage": null,
+ "proxyAddresses": [
+ "SMTP:Test@contoso.com"
+ ],
+ "renewedDateTime": "2017-09-22T22:30:39Z",
+ "securityEnabled": false,
+ "theme": null,
+ "visibility": "Public"
+ }
+ ]
+}
```
v1.0 Directory Deleteditems List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/directory-deleteditems-list.md
If successful, this method returns a `200 OK` response code and collection of [d
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "get_deleteditems"
+ "name": "list_directory_deleteditems"
}--> ```msgraph-interactive GET https://graph.microsoft.com/beta/directory/deleteditems/microsoft.graph.group
Content-type: application/json
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "get_deleteditems_count"
+ "name": "list_directory_deleteditems_count"
}--> ```msgraph-interactive GET https://graph.microsoft.com/beta/directory/deletedItems/microsoft.graph.group?$count=true&$orderBy=deletedDateTime asc&$select=id,displayName,deletedDateTime
v1.0 Directory Deleteditems Restore https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/directory-deleteditems-restore.md
The calling app must be assigned one of the following [Azure AD roles](/azure/ac
|Delegated (personal Microsoft account) | Not supported. | |Application | User.ReadWrite.All |
+To restore users with privileged administrator roles in delegated scenarios, the app must be assigned with *Directory.AccessAsUser.All* delegated permission, and the calling user must also be assigned a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
+
+In app-only scenarios, the *User.ReadWrite.All* application permission isn't enough privilege to restore deleted users with privileged administrator roles. The app must be assigned a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
+ ### For groups: |Permission type | Permissions (from least to most privileged) |
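Review bot: In the first added paragraph, "the app must be assigned with *Directory.AccessAsUser.All* delegated permission" reads awkwardly; permissions are granted rather than assigned, so "the app must be granted the *Directory.AccessAsUser.All* delegated permission" is clearer. In the second paragraph, "isn't enough privilege to restore" could be "isn't sufficient to restore".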
If successful, this method returns a `200 OK` response code and a [directoryObje
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "create_directoryobject_from_directory"
+ "name": "restore_directory_deleteditem"
}--> ```http POST https://graph.microsoft.com/beta/directory/deleteditems/46cc6179-19d0-473e-97ad-6ff84347bbbb/restore
v1.0 Organization Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/organization-get.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Organization.Read.All, Directory.Read.All, Organization.ReadWrite.All, Directory.ReadWrite.All |
+The calling user must also be in one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference):
+
+* Global Administrator
+* User Administrator
+* User
+* Helpdesk Administrator
+* Service Support Administrator
+* Billing Administrator
+* Mailbox Administrator
+* Partner Tier1 Support
+* Partner Tier2 Support
+* Directory Readers
+* Directory Writers
+* AdHoc License Administrator
+* Application Administrator
+* Security Reader
+* Security Administrator
+* Privileged Role Administrator
+* Cloud Application Administrator
+* Customer LockBox Access Approver
+* Dynamics 365 Administrator
+* Power BI Administrator
+* Azure Information Protection Administrator
+* Customer LockBox Access Approver
+* Dynamics 365 Administrator
+* Power BI Administrator
+* Azure Information Protection Administrator
+* Desktop Analytics Administrator
+* License Administrator
+* Microsoft Managed Desktop Administrator
+* Authentication Administrator
+* Privileged Authentication Administrator
+* Teams Communications Administrator
+* Teams Communications Support Engineer
+* Teams Communications Support Specialist
+* Teams Administrator
+* Insights Administrator
+* Compliance Data Administrator
+* Security Operator
+* Kaizala Administrator
+* Global Reader
+* Volume Licensing Business Center User
+* Volume Licensing Service Center User
+* Modern Commerce User
+* Microsoft Store for Business User
+* Directory Reviewer
+* Guest User
+* Restricted Guest User
+ > **Note**: Applications granted the User.Read permission are able to read only the **id**, **displayName**, and **verifiedDomains** properties of the organization. All other properties will return with `null` values. To read all properties, use Organization.Read.All. ## HTTP request
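Review bot: The role list repeats four entries: Customer LockBox Access Approver, Dynamics 365 Administrator, Power BI Administrator and Azure Information Protection Administrator appear twice in a row. Remove the second copy. The lead-in also says "the calling user" although the table above lists Application permissions, so scope the sentence to delegated scenarios.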
v1.0 Organization Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/organization-update.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Organization.ReadWrite.All |
+The calling user must also be in one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference):
+
+* Global Administrator
+* Partner Tier2 Support
+* Billing Administrator
+ ## HTTP request <!-- { "blockType": "ignored" } -->
v1.0 Plannerroster Post Members https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/plannerroster-post-members.md
The following table shows the properties that are required when you create the [
|Property|Type|Description| |:|:|:|
-|userId|String|Identifier of the .|
+|userId|String|Identifier of the user.|
|tenantId|String|Identifier of the tenant the user belongs to. Optional. Currently roster members cannot be from different tenants.| |roles|String collection|Additional roles assigned to the user. Optional. Currently there are no additional roles available for users.|
v1.0 Range Unmerge https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/range-unmerge.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] Unmerge the range cells into separate cells.+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
POST /me/drive/items/{id}/workbook/worksheets/{id|name}/range(address='<address>
POST /me/drive/root:/{item-path}:/workbook/worksheets/{id|name}/range(address='<address>')/unmerge POST /me/drive/items/{id}/workbook/tables/{id|name}/columns/{id|name}/range/unmerge POST /me/drive/root:/{item-path}:/workbook/tables/{id|name}/columns/{id|name}/range/unmerge- ```+ ## Request headers | Name | Description| |:|:-|
POST /me/drive/root:/{item-path}:/workbook/tables/{id|name}/columns/{id|name}/ra
## Response
-If successful, this method returns `200 OK` response code. It does not return anything in the response body.
+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.
## Example
-Here is an example of how to call this API.
-##### Request
-Here is an example of the request.
+
+### Request
+The following is an example of the request.
# [HTTP](#tab/http) <!-- {
POST https://graph.microsoft.com/beta/me/drive/items/{id}/workbook/names/{name}/
-##### Response
-Here is an example of the response.
+### Response
+The following is an example of the response.
<!-- { "blockType": "response" } --> ```http
-HTTP/1.1 200 OK
+HTTP/1.1 204 No Content
``` <!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
v1.0 Rbacapplication List Transitiveroleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/rbacapplication-list-transitiveroleassignments.md
Do not supply a request body for this method.
If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleAssignment](../resources/unifiedroleassignment.md) objects in the response body.
+If your request doesn't include the **ConsistencyLevel** header set to `eventual`, this method returns `404 Not Found` response code.
+ ## Examples For the examples in this section, consider the following role assignment scenario. A user named Alice has both direct and transitive role assignments as follows:
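Review bot: The added sentence is missing an article: "this method returns `404 Not Found` response code" should read "returns a `404 Not Found` response code", matching the `200 OK` sentence above it. Since omitting the header makes the call fail, it is also worth marking **ConsistencyLevel** as required wherever the request headers are listed.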
v1.0 Schedule Post Shifts https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/schedule-post-shifts.md
Namespace: microsoft.graph
Create a new [shift](../resources/shift.md) instance in a [schedule](../resources/schedule.md).
+The duration of a shift cannot be less than 1 minute or longer than 24 hours.
+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
v1.0 Serviceprincipal Post Serviceprincipals https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/serviceprincipal-post-serviceprincipals.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.ReadWrite.All |
-> [!IMPORTANT]
-> The following additional requirements must be met for an app to create a service principal:
-> + If the backing application is registered in the calling app's home tenant, the calling app must be the owner of the backing application.
-> + If the backing application is registered in another Azure AD tenant, the calling app must be assigned the `Cloud Application Administrator` or `Application Administrator` role.
+For multi-tenant apps, the calling user must also be in one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference):
+++ Global Administrator++ Application Administrator++ Cloud Application Administrator roles+
+For single-tenant apps where the calling user is a non-admin user but is the owner of the backing application, the user must have the *Application Developer* role.
## HTTP request <!-- { "blockType": "ignored" } -->
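Review bot: App-only callers are no longer covered: the replacement paragraphs speak only of "the calling user", while the removed note stated what the calling app needs (ownership of the backing application, or the `Cloud Application Administrator` or `Application Administrator` role) and the table above still lists Application permissions. Keep a sentence for app-only scenarios. In the role list, the last item reads "Cloud Application Administrator roles"; drop the trailing "roles".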
v1.0 Serviceprincipal Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/serviceprincipal-update.md
The following example shows how to assign a custom security attribute with a str
To assign custom security attributes, the calling principal must be assigned the Attribute Assignment Administrator role and must be granted the *CustomSecAttributeAssignment.ReadWrite.All* permission.
-For other similar examples for users, see [Assign, update, or remove custom security attributes using the Microsoft Graph API](/graph/custom-security-attributes-examples).
+For other similar examples for users, see [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).
#### Request
v1.0 Shift Put https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/shift-put.md
Replace an existing [shift](../resources/shift.md).
If the specified [shift](../resources/shift.md) doesn't exist, this method returns `404 Not found`.
+The duration of a shift cannot be less than 1 minute or longer than 24 hours.
+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
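Review bot: The new duration limit does not say what the caller gets back when it is violated, whereas the sentence before it spells out the `404 Not found` case. Add the response code returned for a shift shorter than 1 minute or longer than 24 hours, and state whether the bounds are inclusive.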
v1.0 Teamsappsettings Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/teamsappsettings-get.md
Content-Type: application/json
"value": { "@odata.type": "#microsoft.graph.teamsAppSettings", "id": "65bdf003-0c4c-4bca-b102-0821ab0d1364",
+ "allowUserRequestsForAppAccess": true,
"isChatResourceSpecificConsentEnabled": "true" } }
v1.0 Teamsappsettings Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/teamsappsettings-update.md
PATCH /teamwork/teamsAppSettings
|Property|Type|Description| |:|:|:|
+|allowUserRequestsForAppAccess|Boolean|Indicates whether Teams users are allowed to request admins access to certain Teams apps.|
|isChatResourceSpecificConsentEnabled|Boolean|Indicates whether resource-specific consent for chats/meetings has been enabled for the tenant. If true, Teams apps that are allowed in the tenant and require resource-specific permissions can be installed inside chats and meetings. If false, the installation of any Teams app that requires resource-specific permissions in a chat or a meeting will be blocked.| - ## Response If successful, this method returns a `204 No Content` response code.
If successful, this method returns a `204 No Content` response code.
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "update_teamsappsettings"
+ "name": "update_teamsappsettings_1"
} --> ``` http
Content-Type: application/json
} ```
-# [C#](#tab/csharp)
+#### Response
-# [JavaScript](#tab/javascript)
+<!-- {
+ "blockType": "response"
+} -->
-# [Java](#tab/java)
+```http
+HTTP/1.1 204 No Content
+```
-# [Go](#tab/go)
+### Example 2: Allow Teams users to request admins for access to certain Teams Apps.
-# [PowerShell](#tab/powershell)
+#### Request
-# [PHP](#tab/php)
-
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "update_teamsappsettings_2"
+}
+-->
+``` http
+PATCH https://graph.microsoft.com/beta/teamwork/teamsAppSettings
+Content-Type: application/json
+{
+ "@odata.type": "#microsoft.graph.teamsAppSettings",
+ "allowUserRequestsForAppAccess": "true"
+}
+```
#### Response
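Review bot: In the Example 2 request body, `"allowUserRequestsForAppAccess": "true"` sends a string, but the table row added in this same change types the property as Boolean, and the Teamsappsettings Get response updated alongside shows it as unquoted `true`. Use the JSON literal `true` in the example. Smaller points: the example has no blank line between the `Content-Type` header and the body; the property description reads "request admins access to certain Teams apps" (suggest "request access to certain Teams apps from admins"); and the Example 2 heading ends in a period and capitalizes "Teams Apps".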
v1.0 User Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/user-delete.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | User.ReadWrite.All |
-The calling user must be assigned one of the following Azure AD roles:
-+ [User Administrator](/azure/active-directory/roles/permissions-reference#user-administrator)
-+ [Privileged Authentication Administrator](/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator)
-+ [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator)
+The calling user must be assigned one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference?toc=%2Fgraph%2Ftoc.json):
-To delete users with more privileged administrator roles, applications need to be assigned the *Directory.AccessAsUser.All* delegated permission and either the Global Admin role or the Privileged Auth Admin role.
+- User Administrator
+- Privileged Authentication Administrator
+- Global Administrator
-For more details, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).
+To delete users with privileged administrator roles in delegated scenarios, the app must be assigned the *Directory.AccessAsUser.All* delegated permission, and the calling user must have a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
+
+In app-only scenarios, the *User.ReadWrite.All* application permission isn't enough privilege to delete users with privileged administrative roles. The app must be assigned a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
## HTTP request
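Review bot: The new app-only paragraph says *User.ReadWrite.All* "isn't enough privilege" for deleting users with privileged roles, but the permissions table above still lists User.ReadWrite.All as the only Application permission with no pointer to that caveat. Add a note on the table row so a reader who stops at the table does not assume the permission alone suffices. The rewritten role list also drops the per-role deep links the removed lines had, and the new link carries a `?toc=%2Fgraph%2Ftoc.json` query that the equivalent Azure AD roles link elsewhere in this batch does not; make these consistent.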
v1.0 User Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/user-get.md
Content-type: application/json
} ```
-### Example 4: Get the custom security attribute assignments of the specified user
+### Example 4: Get the custom security attribute assignments for a user
-The following example gets the custom security attributes of the specified user.
+The following example shows how to get the custom security attribute assignments for a user.
Attribute #1
-+ Attribute set: `Engineering`
-+ Attribute: `Project`
-+ Attribute data type: Collection of Strings
-+ Attribute value: `["Baker","Cascade"]`
+- Attribute set: `Engineering`
+- Attribute: `Project`
+- Attribute data type: Collection of Strings
+- Attribute value: `["Baker","Cascade"]`
Attribute #2
-+ Attribute set: `Engineering`
-+ Attribute: `CostCenter`
-+ Attribute data type: Collection of Integers
-+ Attribute value: `[1001]`
+- Attribute set: `Engineering`
+- Attribute: `CostCenter`
+- Attribute data type: Collection of Integers
+- Attribute value: `[1001]`
Attribute #3
-+ Attribute set: `Engineering`
-+ Attribute: `Certification`
-+ Attribute data type: Boolean
-+ Attribute value: `true`
+- Attribute set: `Engineering`
+- Attribute: `Certification`
+- Attribute data type: Boolean
+- Attribute value: `true`
Attribute #4
-+ Attribute set: `Marketing`
-+ Attribute: `Level`
-+ Attribute data type: String
-+ Attribute value: `"Public"`
+- Attribute set: `Marketing`
+- Attribute: `EmployeeId`
+- Attribute data type: String
+- Attribute value: `"QN26904"`
To get custom security attribute assignments, the calling principal must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role and must be granted the *CustomSecAttributeAssignment.Read.All* or *CustomSecAttributeAssignment.ReadWrite.All* permission.
-#### Request
-
+For more examples of custom security attribute assignments, see [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).
+#### Request
-# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_user_customsecurityattributes"
To get custom security attribute assignments, the calling principal must be assi
GET https://graph.microsoft.com/beta/users/{id}?$select=customSecurityAttributes ```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Java](#tab/java)
-
-# [Go](#tab/go)
-
-# [PowerShell](#tab/powershell)
-
-# [PHP](#tab/php)
----- #### Response <!-- {
Content-type: application/json
{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(customSecurityAttributes)/$entity", "customSecurityAttributes": {
+ "Marketing": {
+ "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
+ "EmployeeId": "QN26904"
+ },
"Engineering": { "@odata.type": "#microsoft.graph.customSecurityAttributeValue", "Project@odata.type": "#Collection(String)",
Content-type: application/json
1001 ], "Certification": true
- },
- "Marketing": {
- "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
- "Level": "Public"
} } }
Content-type: application/json
"customSecurityAttributes": null } ```+ ### Example 5: Use `$filter` to retrieve specific users based on a property value This example shows how to use the `$filter` query parameter along with the `endswith` clause to retrieve a user with a specific value in the **mail** attribute. This request filters and returns all users with a mail address ending with contoso.com.
v1.0 User List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/user-list.md
Content-type: application/json
> **Note:** You can also apply `$filter` on the schema extension property to retrieve objects where a property in the collection matches a specified value. The syntax is `/users?$filter={schemaPropertyID}/{propertyName} eq 'value'`. For example, `GET /users?$select=ext55gb1l09_msLearnCourses&$filter=ext55gb1l09_msLearnCourses/courseType eq 'Developer'`. The `eq` and `not` operators are supported.
+### Example 13: List all users with a custom security attribute assignment that equals a value
+
+The following example shows how to list all users with a custom security attribute assignment that equals a value. The example retrieves users with a custom security attribute named `AppCountry` with a value that equals `Canada`. The filter value is case sensitive. You must add `ConsistencyLevel=eventual` in the request or the header. You must also include `$count=true` to ensure the request is routed correctly.
+
+User #1
+
+- Attribute set: `Marketing`
+- Attribute: `AppCountry`
+- Attribute data type: Collection of Strings
+- Attribute value: `["India","Canada"]`
+
+User #2
+
+- Attribute set: `Marketing`
+- Attribute: `AppCountry`
+- Attribute data type: Collection of Strings
+- Attribute value: `["Canada","Mexico"]`
+
+To get custom security attribute assignments, the calling principal must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role and must be granted the *CustomSecAttributeAssignment.Read.All* or *CustomSecAttributeAssignment.ReadWrite.All* permission.
+
+For examples of custom security attribute assignments, see [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).
+
+#### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "customsecurityattribute_filter_users_equals_value"
+}-->
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/users?$count=true&ConsistencyLevel=eventual&$select=id,displayName,customSecurityAttributes&$filter=customSecurityAttributes/Marketing/AppCountry eq 'Canada'
+```
+
+#### Response
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.user"
+} -->
+```http
+HTTP/1.1 200 OK
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(id,displayName,customSecurityAttributes)",
+ "@odata.count": 2,
+ "value": [
+ {
+ "id": "dbaf3778-4f81-4ea0-ac1c-502a293c12ac",
+ "displayName": "Jiya",
+ "customSecurityAttributes": {
+ "Engineering": {
+ "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
+ "Datacenter@odata.type": "#Collection(String)",
+ "Datacenter": [
+ "India"
+ ]
+ },
+ "Marketing": {
+ "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
+ "AppCountry@odata.type": "#Collection(String)",
+ "AppCountry": [
+ "India",
+ "Canada"
+ ],
+ "EmployeeId": "KX19476"
+ }
+ }
+ },
+ {
+ "id": "6bac433c-48c6-4213-a316-1428de32701b",
+ "displayName": "Jana",
+ "customSecurityAttributes": {
+ "Marketing": {
+ "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
+ "AppCountry@odata.type": "#Collection(String)",
+ "AppCountry": [
+ "Canada",
+ "Mexico"
+ ],
+ "EmployeeId": "GS46982"
+ }
+ }
+ }
+ ]
+}
+```
<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79 2015-10-25 14:57:30 UTC -->
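Review bot: The Example 13 description says the filter matches an assignment that "equals" `Canada`, but `AppCountry` is documented as a Collection of Strings and both returned users hold two values (`["India","Canada"]` and `["Canada","Mexico"]`), so `eq` is evidently matching any element of the collection. Say so explicitly; otherwise a reader will expect only users whose value is exactly `Canada`. The text also says `ConsistencyLevel=eventual` goes "in the request or the header" while the sample shows only the query-string form, and the response block omits the `Content-type: application/json` line that the other responses carry.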
v1.0 User Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/user-update.md
One of the following permissions is required to call this API. To learn more, in
|Application | User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All | >[!NOTE]
-> - To update user properties, such as **businessPhones**, **mobilePhone** and **otherMails** for users with more privileged administrator roles, applications need to be assigned the *Directory.AccessAsUser.All* delegated permission and either the Global Admin role or the Privileged Auth Admin role. For more information about who can update sensitive properties or reset passwords, see [Authorization and privileges](/graph/api/resources/users#authorization-and-privileges).
+> - To update sensitive user properties, such as **accountEnabled**, **mobilePhone**, and **otherMails** for users with privileged administrator roles, the app must be assigned the *Directory.AccessAsUser.All* delegated permission, and the calling user must have a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
> - Your personal Microsoft account must be tied to an Azure AD tenant to update your profile with the *User.ReadWrite* delegated permission on a personal Microsoft account. > - Updating the **identities** property requires the *User.ManageIdentities.All* permission. Also, adding a [B2C local account](../resources/objectidentity.md) to an existing **user** object is not allowed, unless the **user** object already contains a local account identity.
The following example shows how to assign a custom security attribute with a str
To assign custom security attributes, the calling principal must be assigned the Attribute Assignment Administrator role and must be granted the *CustomSecAttributeAssignment.ReadWrite.All* permission.
-For more examples for users, see [Assign, update, or remove custom security attributes using the Microsoft Graph API](/graph/custom-security-attributes-examples).
+For examples of custom security attribute assignments, see [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).
#### Request
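Review bot: The rewritten note covers only the delegated case (the app holds *Directory.AccessAsUser.All* and the calling user has a higher privileged role), yet the Application row directly above lists User.ReadWrite.All, User.ManageIdentities.All and Directory.ReadWrite.All. The User Delete change in this batch added a separate sentence stating that the application permission alone is not enough for privileged targets in app-only scenarios; add the equivalent here so the two pages agree. The example property list also swaps **businessPhones** for **accountEnabled**; confirm that **businessPhones** was dropped on purpose.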
v1.0 Virtualendpoint List Provisioningpolicies https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/virtualendpoint-list-provisioningpolicies.md
Content-Type: application/json
"onPremisesConnectionId": "16ee6c71-fc10-438b-88ac-daa1ccafffff", "type": "hybridAzureADJoin" },
+ "enableSingleSignOn": true,
"id": "1d164206-bf41-4fd2-8424-a3192d39ffff", "onPremisesConnectionId": "4e47d0f6-6f77-44f0-8893-c0fe1701ffff", "imageDisplayName": "Image Display Name value",
Content-Type: application/json
"windowsSettings": { "language": "en-US" },
- "managedBy": "windows365"
+ "managedBy": "windows365",
+ "provisioningType": "dedicated"
} ] }
v1.0 Virtualendpoint List Shareduseserviceplans https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/virtualendpoint-list-shareduseserviceplans.md
+
+ Title: "List cloudPcSharedUseServicePlans"
+description: "Get a list of the cloudPcSharedUseServicePlan objects and their properties."
+
+ms.localizationpriority: medium
++
+# List cloudPcSharedUseServicePlans
+
+Namespace: microsoft.graph
++
+Get a list of the [cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) objects and their properties.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+| :- | : |
+| Delegated (work or school account) | CloudPC.Read.All, CloudPC.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | CloudPC.Read.All, CloudPC.ReadWrite.All |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+GET /deviceManagement/virtualEndpoint/sharedUseServicePlans
+```
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, `$orderBy`, and `$skip` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name | Description |
+| : | : |
+| Authorization | Bearer {token}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following is an example of a request.
+
+<!-- {
+ "blockType": "request",
+ "name": "list_cloudpcshareduseserviceplans"
+}
+-->
+
+``` http
+GET https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/sharedUseServicePlans
+```
+
+### Response
+
+The following is an example of the response.
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.cloudPcSharedUseServicePlan",
+ "isCollection": true
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.cloudPcSharedUseServicePlan",
+ "id": "1d164206-bf41-4fd2-8424-a3192d39ffff",
+ "displayName": "Display Name value",
+ "usedCount": 5,
+ "totalCount": 10
+ }
+ ]
+}
+```
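Review bot: The Optional query parameters section lists `$select`, `$filter`, `$orderBy`, and `$skip` but not `$top`, and gives no default page size, so a caller cannot tell how to page through the collection that `$skip` implies. State whether `$top` is supported and what page size applies, and name the properties that `$filter` and `$orderBy` accept.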
v1.0 Virtualendpoint Post Provisioningpolicies https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/virtualendpoint-post-provisioningpolicies.md
The following table shows the properties that are required when you create the [
|Property|Type|Description| |:|:|:|
-|displayName|String|The display name for the provisioning policy.|
|description|String|The provisioning policy description.|
+|displayName|String|The display name for the provisioning policy.|
|domainJoinConfiguration|[cloudPcDomainJoinConfiguration](../resources/cloudpcdomainjoinconfiguration.md)|Specifies how Cloud PCs will join Azure Active Directory.|
-|onPremisesConnectionId|String|The ID of the cloudPcOnPremisesConnection. To ensure that Cloud PCs have network connectivity and that they domain join, choose a connection with a virtual network thatΓÇÖs validated by the Cloud PC service.|
-|imageId|String|The ID of the OS image you want to provision on Cloud PCs. The format for a gallery type image is: {publisher_offer_sku}. Supported values for each of the parameters are as follows:<ul><li>publisher: Microsoftwindowsdesktop.</li> <li>offer: windows-ent-cpc.</li> <li>sku: 21h1-ent-cpc-m365, 21h1-ent-cpc-os, 20h2-ent-cpc-m365, 20h2-ent-cpc-os, 20h1-ent-cpc-m365, 20h1-ent-cpc-os, 19h2-ent-cpc-m365 and 19h2-ent-cpc-os.</li></ul>|
|imageDisplayName|String|The display name for the OS image youΓÇÖre provisioning.|
+|imageId|String|The ID of the OS image you want to provision on Cloud PCs. The format for a gallery type image is: {publisher_offer_sku}. Supported values for each of the parameters are as follows:<ul><li>publisher: Microsoftwindowsdesktop.</li> <li>offer: windows-ent-cpc.</li> <li>sku: 21h1-ent-cpc-m365, 21h1-ent-cpc-os, 20h2-ent-cpc-m365, 20h2-ent-cpc-os, 20h1-ent-cpc-m365, 20h1-ent-cpc-os, 19h2-ent-cpc-m365 and 19h2-ent-cpc-os.</li></ul>|
|imageType|cloudPcProvisioningPolicyImageType|The type of OS image (custom or gallery) you want to provision on Cloud PCs. Possible values are: `gallery`, `custom`.|
+|onPremisesConnectionId|String|The ID of the cloudPcOnPremisesConnection. To ensure that Cloud PCs have network connectivity and that they domain join, choose a connection with a virtual network thatΓÇÖs validated by the Cloud PC service.|
+|provisioningType|[cloudPcProvisioningType](../resources/cloudpcprovisioningpolicy.md#cloudpcprovisioningtype-values)|Specifies the type of license used when provisioning Cloud PCs using this policy. By default, the license type is `dedicated` if the **provisioningType** isn't specified when you create the **cloudPcProvisioningPolicy**. You can't change this property after the **cloudPcProvisioningPolicy** was created. Possible values are: `dedicated`, `shared`, `unknownFutureValue`.|
|windowsSettings|[cloudPcWindowsSettings](../resources/cloudpcwindowssettings.md)|Specific Windows settings to configure while creating Cloud PCs for this provisioning policy.| ## Response
If successful, this method returns a `201 Created` response code and a [cloudPcP
### Request
+The following is an example of a request.
# [HTTP](#tab/http) <!-- {
Content-Type: application/json
"domainJoinType": "hybridAzureADJoin", "onPremisesConnectionId": "16ee6c71-fc10-438b-88ac-daa1ccafffff" },
- "id": "1d164206-bf41-4fd2-8424-a3192d39ffff",
+ "enableSingleSignOn": true,
"imageDisplayName": "Windows-10 19h1-evd", "imageId": "MicrosoftWindowsDesktop_Windows-10_19h1-evd", "imageType":"gallery", "onPremisesConnectionId": "4e47d0f6-6f77-44f0-8893-c0fe1701ffff", "windowsSettings": { "language": "en-US"
- }
+ },
+ "provisioningType": "dedicated"
} ```
Content-Type: application/json
### Response
-**Note:** The response object shown here might be shortened for readability.
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
<!-- { "blockType": "response", "truncated": true,
Content-Type: application/json
"onPremisesConnectionId": "4e47d0f6-6f77-44f0-8893-c0fe1701ffff", "type": "hybridAzureADJoin" },
+ "enableSingleSignOn": true,
"id": "1d164206-bf41-4fd2-8424-a3192d39ffff", "imageDisplayName": "Windows-10 19h1-evd", "imageId": "MicrosoftWindowsDesktop_Windows-10_19h1-evd",
Content-Type: application/json
"windowsSettings": { "language": "en-US" },
- "managedBy": "windows365"
+ "managedBy": "windows365",
+ "provisioningType": "dedicated"
} ```
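Review bot: The request and response examples now include `"enableSingleSignOn": true`, but the request-body properties table gains only a **provisioningType** row; there is no **enableSingleSignOn** row between **domainJoinConfiguration** and **imageDisplayName**. Add it with its type, default and whether it is optional, matching the resource page. In the **provisioningType** row, "after the **cloudPcProvisioningPolicy** was created" reads better as "is created".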
v1.0 Workbookrange Resizedrange https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/workbookrange-resizedrange.md
Title: "workbookRange: resizedRange"
-description: "Gets a range object similar to the current range object, but with its bottom-right corner expanded (or contracted) by some number of rows and columns."
+description: "Get a range object similar to the current range object, but with its bottom-right corner expanded (or contracted) by some number of rows and columns."
ms.localizationpriority: medium ms.prod: "excel"
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Gets a range object similar to the current range object, but with its bottom-right corner expanded (or contracted) by some number of rows and columns.
+Get a range object similar to the current range object, but with its bottom-right corner expanded (or contracted) by some number of rows and columns.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
One of the following permissions is required to call this API. To learn more, in
```http POST /me/drive/items/{id}/workbook/worksheets/{id}/range/resizedRange(deltaRows={n}, deltaColumns={n}) POST /me/drive/root:/{item-path}:/workbook/worksheets/{id}/range/resizedRange(deltaRows={n}, deltaColumns={n})- ``` ## Function parameters
POST /me/drive/root:/{item-path}:/workbook/worksheets/{id}/range/resizedRange(de
| Name | Description| |:|:-| | Authorization | Bearer {token}. Required. |
-| Workbook-Session-Id | Workbook session Id that determines if changes are persisted or not. Optional.|
+| Workbook-Session-Id | Workbook session ID that determines if changes are persisted or not. Optional.|
## Request body Do not supply a request body for this method. ## Response
-If successful, this method returns `200 OK` response code and [workbookRange](../resources/workbookrange.md) object in the response body.
+If successful, this method returns a `200 OK` response code and a [workbookRange](../resources/workbookrange.md) object in the response body.
## Example
-Here is an example of how to call this API.
-##### Request
-Here is an example of the request.
+
+### Request
+The following is an example of the request.
<!-- { "blockType": "request", "name": "workbookrange_resizedrange"
Here is an example of the request.
POST https://graph.microsoft.com/beta/drive/root/workbook/worksheets/{id}/range/resizedRange(deltarows={n}, deltaColumns={n}) ```
-##### Response
-Here is an example of the response. Note: The response object shown here might be shortened for readability.
+### Response
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
<!-- { "blockType": "response", "truncated": true,
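Review bot: The example request still spells the first function parameter `deltarows={n}` while the HTTP request syntax above uses `deltaRows={n}`; since this change is a consistency pass over the page, align the example with the syntax. The added note line is written `>**Note:**` with no space after `>`, where other pages in this batch use `> **Note:**`.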
v1.0 Callrecords Pstncalllogrow https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/callrecords-pstncalllogrow.md
Title: "pstnCallLogRow resource type"
-description: "Represents a row of data in the Public Switch Telephone Network (PSTN) call log."
+description: "Represents a row of data in the public switched telephone network (PSTN) call log."
ms.localizationpriority: medium ms.prod: "cloud-communications"
Namespace: microsoft.graph.callRecords
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Represents a row of data in the Public Switch Telephone Network (PSTN) call log. Each row maps to one call.
+Represents a row of data in the public switched telephone network (PSTN) call log. Each row maps to one call.
## Methods
Represents a row of data in the Public Switch Telephone Network (PSTN) call log.
|charge|Double|Amount of money or cost of the call that is charged to your account.| |conferenceId|String|ID of the audio conference.| |connectionCharge|Double|Connection fee price.|
-|currency|String|Type of currency used to calculate the cost of the call ([ISO 4217](https://en.wikipedia.org/wiki/ISO_4217)).|
+|currency|String|Type of currency used to calculate the cost of the call. For details, see [ISO 4217](https://en.wikipedia.org/wiki/ISO_4217).|
|destinationContext|String|Whether the call was domestic (within a country or region) or international (outside a country or region) based on the user's location.| |destinationName|String|Country or region dialed.| |duration|Int32|How long the call was connected, in seconds.|
Represents a row of data in the Public Switch Telephone Network (PSTN) call log.
|licenseCapability|String|The license used for the call.| |operator|String|The telecommunications operator which provided PSTN services for this call. This may be Microsoft, or it may be a third-party operator via the [Operator Connect Program](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/introducing-operator-connect-and-more-teams-calling-updates/ba-p/2176398).| |startDateTime|DateTimeOffset|Call start time.|
-|tenantCountryCode|String|Country code of the tenant, [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).|
-|usageCountryCode|String|Country code of the user, [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).|
+|tenantCountryCode|String|Country code of the tenant. For details, see [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).|
+|usageCountryCode|String|Country code of the user. For details, see [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).|
|userDisplayName|String|Display name of the user.| |userId|String|Calling user's ID in Graph. GUID. This and other user info will be null/empty for bot call types (ucap_in, ucap_out).|
-|userPrincipalName|String|UserPrincipalName (sign-in name) in Azure Active Directory. This is usually the same as user's SIP Address, and can be same as user's e-mail address.|
+|userPrincipalName|String|The user principal name (sign-in name) in Azure Active Directory. This is usually the same as the user's SIP address, and can be same as the user's e-mail address.|
## Relationships
The following is a JSON representation of the resource.
``` json { "@odata.type": "#microsoft.graph.callRecords.pstnCallLogRow",
- "id": "String (identifier)",
+ "callDurationSource": "String",
"callId": "String",
- "userId": "String",
- "userPrincipalName": "String",
- "userDisplayName": "String",
- "startDateTime": "String (timestamp)",
- "endDateTime": "String (timestamp)",
- "duration": "Integer",
- "charge": "Double",
"callType": "String",
- "currency": "String",
"calleeNumber": "String",
- "usageCountryCode": "String",
- "tenantCountryCode": "String",
- "connectionCharge": "Double",
"callerNumber": "String",
+ "charge": "Double",
+ "conferenceId": "String",
+ "connectionCharge": "Double",
+ "currency": "String",
"destinationContext": "String", "destinationName": "String",
- "conferenceId": "String",
- "licenseCapability": "String",
+ "duration": "Integer",
+ "endDateTime": "String (timestamp)",
+ "id": "String (identifier)",
"inventoryType": "String",
+ "licenseCapability": "String",
"operator": "String",
- "callDurationSource": "String"
+ "startDateTime": "String (timestamp)",
+ "tenantCountryCode": "String",
+ "usageCountryCode": "String",
+ "userDisplayName": "String",
+ "userId": "String",
+ "userPrincipalName": "String"
} ```
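Review bot: In the rewritten **userPrincipalName** row, "can be same as the user's e-mail address" is missing an article; make it "can be the same as the user's email address". The alphabetical reorder of the JSON representation matches the table, but the table types **duration** as Int32 while the JSON block shows `"duration": "Integer"`; use one type name.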
v1.0 Calltranscript https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/calltranscript.md
Represents a transcript associated with an [online meeting](onlinemeeting.md).
| Property | Type |Description| |:|:--|:-|
-| id| String| The transcript's unique identifier. Read-only.|
-| createdDateTime| dateTimeOffset| Date and time at which the transcript was created. Read-only.|
-| content| Stream| A field representing the content of the transcript. Read-only.|
+| content| Stream| A field that represents the content of the transcript. Read-only.|
+| createdDateTime| DateTimeOffset| Date and time at which the transcript was created. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.|
+| id| String| The unique identifier for the transcript. Read-only.|
+ ## JSON representation
-Here is a JSON representation of the resource.
+The following is a JSON representation of the resource.
<!-- { "blockType": "resource",
Here is a JSON representation of the resource.
```json {
- "id": "string (identifier)",
- "createdDateTime": "dateTimeOffset",
- "content": "stream"
+ "content": "stream",
+ "createdDateTime": "dateTimeOffset",
+ "id": "string (identifier)"
} ```
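Review bot: The table now types **createdDateTime** as DateTimeOffset, but the reordered JSON representation keeps the lowercase `"dateTimeOffset"`, `"stream"` and `"string (identifier)"`. Update the JSON block to the table's casing (DateTimeOffset, Stream, String) so the two agree.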
v1.0 Cloudpcmanagementgroupassignmenttarget https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/cloudpcmanagementgroupassignmenttarget.md
Inherits from [cloudPcManagementAssignmentTarget](../resources/cloudpcmanagement
|Property|Type|Description| |:|:|:|
-|groupId|String|The id of the assignment's target group|
+|groupId|String|The ID of the target group for the assignment. |
+|servicePlanId|String|The unique identifier for the service plan that indicates which size of the Cloud PC to provision for the user. Use a `null` value, when the **provisioningType** is `dedicated`.|
## Relationships
The following is a JSON representation of the resource.
``` json { "@odata.type": "#microsoft.graph.cloudPcManagementGroupAssignmentTarget",
- "groupId": "String"
+ "groupId": "String",
+ "servicePlanId": "String"
} ```
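Review bot: The **servicePlanId** description says to use `null` when **provisioningType** is `dedicated` but does not say whether the property is required, or what it must contain, when the type is `shared`; spell out both cases. The comma in "Use a `null` value, when" should also go.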
v1.0 Cloudpcorganizationsettings https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/cloudpcorganizationsettings.md
Represents the Cloud PC organization settings for a tenant. A tenant has only on
## Properties |Property|Type|Description| |:|:|:|
-|enableMEMAutoEnroll|Boolean|Specifies whether new Cloud PCs will be automatically enrolled in Microsoft Endpoint Manager(MEM). The default value is `false`.|
+|enableMEMAutoEnroll|Boolean|Specifies whether new Cloud PCs will be automatically enrolled in Microsoft Endpoint Manager (MEM). The default value is `false`.|
+|enableSingleSignOn|Boolean|`True` if the provisioned Cloud PC can be accessed by single sign-on. `False` indicates that the provisioned Cloud PC doesn't support this feature. Default value is `false`. Windows 365 users can use single sign-on to authenticate to Azure Active Directory (Azure AD) with passwordless options (for example, FIDO keys) to access their Cloud PC. Optional.|
|id|String|The ID of the organization settings.| |osVersion|[cloudPcOperatingSystem](#cloudpcoperatingsystem-values)|The version of the operating system (OS) to provision on Cloud PCs. The possible values are: `windows10`, `windows11`, `unknownFutureValue`.| |userAccountType|[cloudPcUserAccountType](#cloudpcuseraccounttype-values)|The account type of the user on provisioned Cloud PCs. The possible values are: `standardUser`, `administrator`, `unknownFutureValue`.|
The following is a JSON representation of the resource.
{ "@odata.type": "#microsoft.graph.cloudPcOrganizationSettings", "enableMEMAutoEnroll": "Boolean",
+ "enableSingleSignOn": "Boolean",
"id": "String (identifier)", "osVersion": "String", "userAccountType": "String",
v1.0 Cloudpcprovisioningpolicy https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/cloudpcprovisioningpolicy.md
Represents a Cloud PC provisioning policy.
|description|String|The provisioning policy description.| |displayName|String|The display name for the provisioning policy.| |domainJoinConfiguration|[cloudPcDomainJoinConfiguration](../resources/cloudpcdomainjoinconfiguration.md)|Specifies how Cloud PCs will join Azure Active Directory.|
+|enableSingleSignOn|Boolean|`True` if the provisioned Cloud PC can be accessed by single sign-on. `False` indicates that the provisioned Cloud PC doesn't support this feature. Default value is `false`. Windows 365 users can use single sign-on to authenticate to Azure Active Directory (Azure AD) with passwordless options (for example, FIDO keys) to access their Cloud PC. Optional.|
|gracePeriodInHours|Int32|The number of hours to wait before reprovisioning/deprovisioning happens. Read-only.| |id|String|Unique identifier for the Cloud PC provisioning policy. Read-only.| |imageDisplayName|String|The display name for the OS image youΓÇÖre provisioning.|
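Review bot: the `enableSingleSignOn` row added here is word for word the one added to cloudPcOrganizationSettings, so a reader can't tell how the two settings interact when they differ. Add a sentence saying whether the policy-level value overrides the organization-level one or the other way round. The `True`/`False` versus `false` casing mismatch is repeated here too.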
Represents a Cloud PC provisioning policy.
|managedBy|[cloudPcManagementService](../resources/cloudpconpremisesconnection.md#cloudpcmanagementservice-values)|Specifies which services manage the Azure network connection. Possible values are: `windows365`, `devBox`, `unknownFutureValue`, `rpaBox`. Note that you must use the `Prefer: include-unknown-enum-members` request header to get the following value(s) in this [evolvable enum](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `rpaBox`. Read-only.| |microsoftManagedDesktop|[microsoftManagedDesktop](../resources/microsoftManagedDesktop.md)|The specific settings for the Microsoft Managed Desktop, which enables customers to get a managed device experience for the Cloud PC. Before you can enable Microsoft Managed Desktop, an admin must configure it.| |onPremisesConnectionId|String|The ID of the cloudPcOnPremisesConnection. To ensure that Cloud PCs have network connectivity and that they domain join, choose a connection with a virtual network thatΓÇÖs validated by the Cloud PC service.|
+|provisioningType|[cloudPcProvisioningType](../resources/cloudpcprovisioningpolicy.md#cloudpcprovisioningtype-values)|Specifies the type of license used when provisioning Cloud PCs using this policy. By default, the license type is `dedicated` if the **provisioningType** isn't specified when you create the **cloudPcProvisioningPolicy**. You can't change this property after the **cloudPcProvisioningPolicy** was created. Possible values are: `dedicated`, `shared`, `unknownFutureValue`.|
|windowsSettings|[cloudPcWindowsSettings](../resources/cloudpcwindowssettings.md)|Specific Windows settings to configure while creating Cloud PCs for this provisioning policy.|
+### cloudPcProvisioningType values
+
+| Member | Description |
+|:--|:--|
+| dedicated | Indicates that a dedicated license is used for provisioning Cloud PCs. Default value. |
+| shared | Indicates that a shared license is used for provisioning Cloud PCs. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
+ ## Relationships |Relationship|Type|Description| |:|:|:|
-|assignments|[cloudPcProvisioningPolicyAssignment](../resources/cloudpcprovisioningpolicyassignment.md) collection|A defined collection of provisioning policy assignments. Represents the set of Microsoft 365 groups and security groups in Azure AD that have provisioning policy assigned. Returned only on `$expand`. See an [example](../api/cloudpcprovisioningpolicy-get.md) of getting the assignments relationship. |
+|assignments|[cloudPcProvisioningPolicyAssignment](../resources/cloudpcprovisioningpolicyassignment.md) collection|A defined collection of provisioning policy assignments. Represents the set of Microsoft 365 groups and security groups in Azure AD that have provisioning policy assigned. Returned only on `$expand`. For an example about how to get the assignments relationship, see [Get cloudPcProvisioningPolicy](../api/cloudpcprovisioningpolicy-get.md). |
## JSON representation
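Review bot: the `provisioningType` row links to `../resources/cloudpcprovisioningpolicy.md#cloudpcprovisioningtype-values`, which is this same file. An in-page anchor (`#cloudpcprovisioningtype-values`) would match how cloudPcOrganizationSettings links its own enum tables. Also, "after the **cloudPcProvisioningPolicy** was created" should be "is created", and since the row says the property can't be changed afterwards, it is worth stating what an update request that includes it returns.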
The following is a JSON representation of the resource.
"domainJoinConfiguration": { "@odata.type": "microsoft.graph.cloudPcDomainJoinConfiguration" },
- "gracePeriodInHours": "Integer",
+ "enableSingleSignOn": "Boolean",
+ "gracePeriodInHours": "Int32",
"id": "String (identifier)", "imageDisplayName": "String", "imageId": "String",
The following is a JSON representation of the resource.
"localAdminEnabled": "Boolean", "managedBy": "String", "microsoftManagedDesktop": {
- "type": "String",
- "profile": "String"
+ "@odata.type": "microsoft.graph.microsoftManagedDesktop"
}, "onPremisesConnectionId": "String",
+ "provisioningType": "String",
"windowsSettings": { "@odata.type": "microsoft.graph.cloudPcWindowsSettings" }
v1.0 Cloudpcshareduseserviceplan https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/cloudpcshareduseserviceplan.md
+
+ Title: "cloudPcSharedUseServicePlan resource type"
+description: "Represents a shared-use service plan that can be used by up to three Cloud PCs."
+
+ms.localizationpriority: medium
++
+# cloudPcSharedUseServicePlan resource type
+
+Namespace: microsoft.graph
++
+Represents a shared-use service plan that can be used by up to three Cloud PCs.
+
+## Methods
+
+|Method|Return type|Description|
+|:|:|:|
+|[List cloudPcSharedUseServicePlans](../api/virtualendpoint-list-shareduseserviceplans.md)|[cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) collection|Get a list of the [cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) objects and their properties.|
+|[Get cloudPcSharedUseServicePlan](../api/cloudpcshareduseserviceplan-get.md)|[cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md)|Read the properties and relationships of a [cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) object.|
+
+## Properties
+
+| Property | Type | Description |
+|:|:-|:--|
+| displayName | String | The display name of the shared-use service plan. |
+| id | String | The unique identifier for the shared-use service plan. |
+| totalCount | Int32 | Total number of shared-use service plans purchased by the customer. |
+| usedCount | Int32 | The number of service plans that the account uses. |
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.cloudPcSharedUseServicePlan",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.cloudPcSharedUseServicePlan",
+ "displayName": "String",
+ "id": "String (identifier)",
+ "usedCount": "Int32",
+ "totalCount": "Int32"
+}
+```
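Review bot: in the Properties table, `totalCount` is described in terms of "the customer" and `usedCount` in terms of "the account"; pick one term so it is clear both counts are measured over the same scope. The JSON representation lists `usedCount` before `totalCount` while the table has them the other way round. Since the Methods table exposes only List and Get, consider marking the properties Read-only.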
v1.0 Custom Security Attributes Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/custom-security-attributes-overview.md
ms.localizationpriority: medium ms.prod: "directory-management" doc_type: conceptualPageType Previously updated : 04/01/2022 Last updated : 02/14/2023 # Overview of custom security attributes using the Microsoft Graph API (Preview)
Custom security attributes can be assigned to the following objects by using the
+ [user](/graph/api/resources/user?view=graph-rest-beta&preserve-view=true) + [servicePrincipal](/graph/api/resources/serviceprincipal?view=graph-rest-beta&preserve-view=true)
-For examples of working with custom security attributes on supported resources, see [Assign, update, or remove custom security attributes using Microsoft Graph](/graph/custom-security-attributes-examples).
+For examples of custom security attribute assignments, see [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples).
## Limits and constraints
Using custom security attributes requires an Azure AD Premium P1 or P2 license.
## Next steps + [customSecurityAttributeDefinition resource type](/graph/api/resources/customsecurityattributedefinition)
-+ [Assign, update, or remove custom security attributes using the Microsoft Graph API](/graph/custom-security-attributes-examples)
++ [Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API](/graph/custom-security-attributes-examples) + [What are custom security attributes in Azure AD?](/azure/active-directory/fundamentals/custom-security-attributes-overview)
v1.0 Externalconnectors Urltoitemresolverbase https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/externalconnectors-urltoitemresolverbase.md
Namespace: microsoft.graph.externalConnectors
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Defines the rules for resolving a URL to the ID of an [externalItem](microsoft.graph.externalConnectors.externalItem](externalconnectors-externalitem.md).
+Defines the rules for resolving a URL to the ID of an [externalItem](externalconnectors-externalitem.md).
This is an abstract type.
v1.0 Identitygovernance https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/identitygovernance.md
None.
|appConsent|[appConsent](appconsentapprovalroute.md)| Container for base resources that expose the app consent request API and features. Currently exposes only the [appConsentRequests](appconsentrequest.md) resource.| |entitlementManagement|[entitlementManagement](entitlementmanagement.md)| Container for entitlement management resources, including [accessPackageCatalog](accesspackagecatalog.md), [connectedOrganization](connectedorganization.md), and [entitlementManagementSettings](entitlementmanagementsettings.md).| |termsOfUse|[termsOfUseContainer](termsofusecontainer.md)| Container for the resources that expose the terms of use API and its features, including [agreements](agreement.md) and [agreementAcceptances](agreementacceptance.md). |
-|Lifecycle Workflows|[lifecycleWorkflowsContainer](identitygovernance-lifecycleworkflowscontainer.md)| Container for Lifecycle Workflow resources, including [workflows](identitygovernance-workflow.md), [customTaskExtension](identitygovernance-customtaskextension.md), and [LifecycleManagementSettings](identitygovernance-lifecyclemanagementsettings.md|
+|lifecycleWorkflows|[microsoft.graph.identityGovernance.lifecycleWorkflowsContainer](identitygovernance-lifecycleworkflowscontainer.md)| Container for Lifecycle Workflow resources, including [workflow](identitygovernance-workflow.md), [customTaskExtension](identitygovernance-customtaskextension.md), and [lifecycleManagementSettings](identitygovernance-lifecyclemanagementsettings.md|
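Review bot: the rewritten `lifecycleWorkflows` row still ends with an unclosed link, `[lifecycleManagementSettings](identitygovernance-lifecyclemanagementsettings.md|`, carried over from the removed line. Add the closing `)` and a full stop before the final `|`, otherwise the last link and the end of the table row will not render.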
v1.0 Microsoftaccountuserconversationmember https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/microsoftaccountuserconversationmember.md
Inherits from [conversationMember](../resources/conversationmember.md).
|displayName|String|Display name of the user. Inherited from [conversationMember](../resources/conversationmember.md).| |id|String|Membership ID that represents this resource. Inherited from [entity](../resources/entity.md).| |roles|String collection|Special roles for this user. Inherited from [conversationMember](../resources/conversationmember.md).|
-|userId|String|ID of the user.|
+|userId|String|Microsoft Account ID of the user.|
|visibleHistoryStartDateTime|DateTimeOffset|The timestamp denoting how far back a conversation's history is shared with the conversation member. Inherited from [conversationMember](../resources/conversationmember.md).| ## Relationships
v1.0 Recommendation https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/recommendation.md
Inherits from [recommendationBase](../resources/recommendationbase.md).
|maxScore|Double|The maximum number of points attainable. Only applies to [recommendations](../resources/recommendation.md) with **category** set to `identitySecureScore`. Inherited from [recommendationBase](../resources/recommendationbase.md).| |postponeUntilDateTime|DateTimeOffset|The future date and time when the **status** of a postponed [recommendation](../resources/recommendation.md) will be `active` again. Inherited from [recommendationBase](../resources/recommendationbase.md).| |priority|recommendationPriority|Indicates the time sensitivity for a [recommendation](../resources/recommendation.md) to be completed. Microsoft auto assigns this value. The possible values are: `low`, `medium`, `high`. Inherited from [recommendationBase](../resources/recommendationbase.md). Read-only. <br><br> Supports `$filter`(`eq`).|
-|recommendationType|recommendationType|Friendly shortname to identify the [recommendation](../resources/recommendation.md). The possible values are: `adfsAppsMigration`, `enableDesktopSSO`, `enablePHS`, `enableProvisioning`, `switchFromPerUserMFA`, `tenantMFA`, `thirdPartyApps`, `turnOffPerUserMFA`, `useAuthenticatorApp`, `useMyApps`, `staleApps`, `staleAppCreds`, `applicationCredentialExpiry`, `servicePrincipalKeyExpiry`, `adminMFAV2`, `blockLegacyAuthentication`, `integratedApps`, `mfaRegistrationV2`, `pwagePolicyNew`, `passwordHashSync`, `oneAdmin`, `roleOverlap`, `selfServicePasswordReset`, `signinRiskPolicy`, `userRiskPolicy`, `verifyAppPublisher`, `privateLinkForAAD`, `appRoleAssignmentsGroups`, `appRoleAssignmentsUsers`, `managedIdentity`, `overprivilegedApps`, `unknownFutureValue`. Inherited from [recommendationBase](../resources/recommendationbase.md). <br><br> Supports `$filter`(`eq`).|
+|recommendationType|recommendationType|Friendly shortname to identify the [recommendation](../resources/recommendation.md). The possible values are: `adfsAppsMigration`, `enableDesktopSSO`, `enablePHS`, `enableProvisioning`, `switchFromPerUserMFA`, `tenantMFA`, `thirdPartyApps`, `turnOffPerUserMFA`, `useAuthenticatorApp`, `useMyApps`, `staleApps`, `staleAppCreds`, `applicationCredentialExpiry`, `servicePrincipalKeyExpiry`, `adminMFAV2`, `blockLegacyAuthentication`, `integratedApps`, `mfaRegistrationV2`, `pwagePolicyNew`, `passwordHashSync`, `oneAdmin`, `roleOverlap`, `selfServicePasswordReset`, `signinRiskPolicy`, `userRiskPolicy`, `verifyAppPublisher`, `privateLinkForAAD`, `appRoleAssignmentsGroups`, `appRoleAssignmentsUsers`, `managedIdentity`, `overprivilegedApps`, `unknownFutureValue`. Inherited from [recommendationBase](../resources/recommendationbase.md). <br><br> Currently, only eight types are available. For more information, see [Types of recommendations](recommendations-api-overview.md#types-of-recommendations). Supports `$filter`(`eq`).|
|remediationImpact|String|Description of the impact on users of the remediation. Only applies to [recommendations](../resources/recommendation.md) with **category** set to `identitySecureScore`. Inherited from [recommendationBase](../resources/recommendationbase.md).| |status|recommendationStatus| Indicates the status of the [recommendation](../resources/recommendation.md) based on user or system action. The possible values are: `active`, `completedBySystem`, `completedByUser`, `dismissed`, `postponed`, `unknownFutureValue`. By default, a recommendation's **status** is set to `active` when the recommendation is first generated. **Status** is set to `completedBySystem` when our service detects that a recommendation which was previously active no longer applies. Inherited from [recommendationBase](../resources/recommendationbase.md). <br><br> Supports `$filter`(`eq`).|
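Review bot: the added sentence "Currently, only eight types are available" sits after the `<br><br>` and directly before "Supports `$filter`(`eq`)", so it reads as part of the filter note, and the row still presents the full member list as "The possible values are" without marking which eight are live. Move the sentence up next to the value list and either name the eight supported values inline or say explicitly that the remaining members are not currently returned.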
v1.0 Recommendations Api Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/recommendations-api-overview.md
+
+ Title: "Use the Azure AD recommendations API to implement Azure AD best practices for your tenant"
+description: "Azure Active Directory (Azure AD) recommendations are personalized and actionable insights for you to implement Azure AD best practices in your tenant."
+
+ms.localizationpriority: medium
Last updated : 02/10/2023++
+# Use the Azure AD recommendations API to implement Azure AD best practices for your tenant
+
+Azure Active Directory (Azure AD) recommendations are personalized and actionable insights for you to implement Azure AD best practices in your tenant. The Azure AD recommendation service runs daily to check your tenant against predefined conditions for every recommendation. If the service detects that a recommendation applies to your tenant, the corresponding recommendation object is generated and its status is set to active.
+
+Use the recommendations API in Microsoft Graph to identify and track the insights, assess and apply the guidance provided for implementing the best practices, and keep your tenant healthy, secure and optimized.
+
+## Manage recommendations
+
+Azure AD recommendations are made up of two building blocks: **recommendations** and **the Azure AD resources they apply to**.
+
+A single recommendation can apply to one or more Azure AD resource instances. For example, a recommendation relating to expiring application credentials will reference all apps in your tenant that have expiring application credentials.
+
+For each recommendation, you have the following data:
+
+- The type of recommendation. Eight types are currently supported. For more information about types of recommendations, see [Types of recommendations](#types-of-recommendations).
+- The Azure AD resources to which the recommendation applies. These include users, groups, and applications.
+- The recommended action plan to address the recommendation.
+- Where applicable, when Azure AD recommends the recommendation to have been completed before it impacts the associated service.
+- The impact of the recommendation, which can be tenant-wide or resource-specific.
+- A Microsoft-assigned priority ranking for the recommendation.
+- The status of the recommendation such as whether itΓÇÖs still active or has been completed, dismissed, or postponed to a future date.
+
+### Types of recommendations
+
+Eight types of recommendations are currently available in Azure AD recommendations. These recommendations are identified in a **recommendationType** property thatΓÇÖs part of the **recommendation** object in Microsoft Graph.
+
+The following table lists the recommendation types that are available, and maps the Microsoft Graph values to the user-friendly names that are used on the Azure portal.
+
+| recommendationType | Friendly name in the Azure portal | Comments |
+|--|-||
+| adfsAppsMigration | Migrate your eligible applications from AD FS to Azure AD for more security, productivity and automation | For more information, see [Migrate apps from ADFS to Azure AD](/azure/active-directory/reports-monitoring/recommendation-migrate-apps-from-adfs-to-azure-ad) |
+| switchFromPerUserMFA | Convert per-user MFA to Conditional Access MFA | For more information, see [Convert per-user MFA to Conditional Access MFA](/azure/active-directory/reports-monitoring/recommendation-turn-off-per-user-mfa) |
+| tenantMFA | Minimize MFA prompts for your users signing in from known devices | For more information, see [Minimize MFA prompts from known devices](/azure/active-directory/reports-monitoring/recommendation-mfa-from-known-devices) |
+| useAuthenticatorApp | Migrate eligible users from SMS and voice call to Microsoft Authenticator App for a better MFA user experience | For more information, see [Migrate to Microsoft authenticator](/azure/active-directory/reports-monitoring/recommendation-migrate-to-authenticator) |
+| staleApps | Remove unused applications | For more information, see [Remove unused applications](/azure/active-directory/reports-monitoring/recommendation-remove-unused-apps) |
+| staleAppCreds | Remove unused credentials from applications | For more information, see [Remove unused credentials from apps](/azure/active-directory/reports-monitoring/recommendation-remove-unused-credential-from-apps) |
+| applicationCredentialExpiry | Renew expiring application credentials | For more information, see [Renew expiring application credentials](/azure/active-directory/reports-monitoring/recommendation-remove-unused-credential-from-apps) |
+| servicePrincipalKeyExpiry | Renew expiring serivce principal credentials | For more information, see [Renew expiring service principal credentials](/azure/active-directory/reports-monitoring/recommendation-renew-expiring-service-principal-credential) |
+
+## API scenarios
+
+You manage recommendations through the [recommendation resource type](recommendation.md) and its associated methods. This resource type exposes the **impactedResources** relationship that you use to query the Azure AD resource to which the recommendations apply.
+
+The following are some of the most popular requests for working with the Microsoft Graph recommendations API:
+
+| Scenarios | API |
+|||
+| Retrieve all recommendations and their associated data, including the impacted resources. | [List recommendations](../api/directory-list-recommendation.md) |
+| Retrieve a recommendation and its associated data, including the impacted resources. | [Get recommendation](../api/recommendation-get.md) |
+| Act on a recommendation | [Dismiss](../api/recommendation-dismiss.md) <br/> [Postpone](../api/recommendation-postpone.md) <br/> [Complete](../api/recommendation-complete.md) <br/> [Reactivate](../api/recommendation-reactivate.md) |
+| Retrieve details of all impacted resources for a recommendation. | [List impactedResources](../api/recommendation-list-impactedresources.md) |
+| Retrieve details of an impacted resource for a recommendation. | [Get impactedResource](../api/impactedresource-get.md) |
+| Act on a recommendation for an impacted resource | [Dismiss](../api/impactedresource-dismiss.md) <br/> [Postpone](../api/impactedresource-postpone.md) <br/> [Complete](../api/impactedresource-complete.md) <br/> [Reactivate](../api/impactedresource-reactivate.md) |
+
+## License requirements
+
+The various recommendations have different license requirements. For more information about licenses for each type of recommendation, see [Azure AD recommendations: Roles and licenses](/azure/active-directory/reports-monitoring/overview-recommendations#roles-and-licenses).
+
+## See also
+
+- [What is Azure Active Directory recommendations (preview)]( /azure/active-directory/reports-monitoring/overview-recommendations)
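Review bot: in the recommendation types table, the `applicationCredentialExpiry` row links to `recommendation-remove-unused-credential-from-apps`, the same target as the `staleAppCreds` row above it, although its link text is "Renew expiring application credentials"; this looks like a copy-paste and should point at the renew-credentials article. In the `servicePrincipalKeyExpiry` row, "serivce" should be "service". The "See also" link has a space after the opening parenthesis, `]( /azure/...`, which should be removed.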
v1.0 Serviceprincipal https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/serviceprincipal.md
This resource supports using [delta query](/graph/delta-query-overview) to track
|appOwnerOrganizationId|Guid|Contains the tenant id where the application is registered. This is applicable only to service principals backed by applications.Supports `$filter` (`eq`, `ne`, `NOT`, `ge`, `le`).| |appRoleAssignmentRequired|Boolean|Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is `false`. Not nullable. <br><br>Supports `$filter` (`eq`, `ne`, `NOT`). | |appRoles|[appRole](approle.md) collection|The roles exposed by the application which this service principal represents. For more information see the **appRoles** property definition on the [application](application.md) entity. Not nullable. |
-|customSecurityAttributes|[customSecurityAttributeValue](../resources/customsecurityattributevalue.md)|An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `startsWith`).|
+|customSecurityAttributes|[customSecurityAttributeValue](../resources/customsecurityattributevalue.md)|An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `startsWith`). Filter value is case sensitive.|
| deletedDateTime | DateTimeOffset | The date and time the service principal was deleted. Read-only. | | description | String | Free text field to provide an internal end-user facing description of the service principal. End-user portals such [MyApps](/azure/active-directory/user-help/my-apps-portal-end-user-access) will display the application description in this field. The maximum allowed size is 1024 characters. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `startsWith`) and `$search`.| | disabledByMicrosoftStatus | String | Specifies whether Microsoft has disabled the registered application. Possible values are: `null` (default value), `NotDisabled`, and `DisabledDueToViolationOfServicesAgreement` (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). <br><br> Supports `$filter` (`eq`, `ne`, `not`). |
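Review bot: "Filter value is case sensitive" in the `customSecurityAttributes` row doesn't say what is compared case-sensitively. Spell out whether it covers the attribute set and attribute names, the assigned value, or both, and whether it holds for all four listed operators including `startsWith`. The same sentence is added to the user resource and needs the same clarification there.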
v1.0 Shift https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/shift.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-A unit of scheduled work in a [schedule](schedule.md).
+A unit of scheduled work in a [schedule](schedule.md).
+
+The duration of a shift cannot be less than 1 minute or longer than 24 hours.
## Methods
v1.0 Skypeforbusinessuserconversationmember https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/skypeforbusinessuserconversationmember.md
Inherits from [conversationMember](../resources/conversationmember.md).
|id|String|Membership ID that represents this resource. Inherited from [entity](../resources/entity.md).| |roles|String collection|Special roles for this user. Inherited from [conversationMember](../resources/conversationmember.md).| |tenantId|String|ID of the tenant that the user belongs to.|
-|userId|String|ID of the user.|
+|userId|String|Azure Active Directory ID of the user.|
|visibleHistoryStartDateTime|DateTimeOffset|The timestamp denoting how far back a conversation's history is shared with the conversation member. Inherited from [conversationMember](../resources/conversationmember.md).| ## Relationships
v1.0 Teamsappsettings https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/teamsappsettings.md
Inherits from [entity](../resources/entity.md).
## Properties |Property|Type|Description| |:|:|:|
+|allowUserRequestsForAppAccess|Boolean|Indicates whether Teams users are allowed to request admins access to certain Teams apps.|
|isChatResourceSpecificConsentEnabled|Boolean|Indicates whether resource-specific consent for chats/meetings has been enabled for the tenant. If true, Teams apps that are allowed in the tenant and require resource-specific permissions can be installed inside chats and meetings. If false, the installation of any Teams app that requires resource-specific permissions in a chat or a meeting will be blocked.| ## Relationships
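Review bot: the `allowUserRequestsForAppAccess` description, "allowed to request admins access to certain Teams apps", is ungrammatical and vague about which apps are meant. Suggest something like "Indicates whether Teams users can request access to Teams apps from admins", and state the default value, as other Boolean settings in this change set do.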
The following is a JSON representation of the resource.
{ "@odata.type": "#microsoft.graph.teamsAppSettings", "id": "String (identifier)",
+ "allowUserRequestsForAppAccess": "Boolean",
"isChatResourceSpecificConsentEnabled": "Boolean" } ```
v1.0 User https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/user.md
This resource supports:
| country | String | The country/region in which the user is located; for example, `US` or `UK`. Maximum length is 128 characters. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values). | | createdDateTime | DateTimeOffset | The date and time the user was created, in ISO 8601 format and in UTC time. The value cannot be modified and is automatically populated when the entity is created. Nullable. For on-premises users, the value represents when they were first created in Azure AD. Property is `null` for some users created before June 2018 and on-premises users that were synced to Azure AD before June 2018. Read-only. <br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`). | | creationType | String | Indicates whether the user account was created through one of the following methods: <br/> <ul><li>As a regular school or work account (`null`). <li>As an external account (`Invitation`). <li>As a local account for an Azure Active Directory B2C tenant (`LocalAccount`). <li>Through self-service sign-up by an internal user using email verification (`EmailVerified`). <li>Through self-service sign-up by an external user signing up through a link that is part of a user flow (`SelfServiceSignUp`). </ul> <br>Read-only.<br>Supports `$filter` (`eq`, `ne`, `not`, and `in`). |
-|customSecurityAttributes|[customSecurityAttributeValue](../resources/customsecurityattributevalue.md)|An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `startsWith`).|
+|customSecurityAttributes|[customSecurityAttributeValue](../resources/customsecurityattributevalue.md)|An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `startsWith`). Filter value is case sensitive.|
| deletedDateTime | DateTimeOffset | The date and time the user was deleted. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, and `in`). | | department | String | The name for the department in which the user works. Maximum length is 64 characters.<br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, and `eq` on `null` values). | | displayName | String | The name displayed in the address book for the user. This value is usually the combination of the user's first name, middle initial, and last name. This property is required when a user is created and it cannot be cleared during updates. Maximum length is 256 characters. <br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values), `$orderBy`, and `$search`.|
v1.0 Users https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/users.md
The following table lists the sensitive actions on user objects. All users can r
| Update user principal name | userPrincipalName | | Delete or restore users | Not applicable |
-### Who can reset passwords?
+### Who can reset passwords
-In the following table, the columns list the roles that can reset passwords. The rows list the roles for which their password can be reset.
+In the following table, the columns list the roles that can reset passwords and invalidate refresh tokens. The rows list the roles for which their password can be reset.
The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, [further restrictions apply](/azure/active-directory/roles/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope).
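Review bot: the intro sentence now says the columns list roles that can "reset passwords and invalidate refresh tokens", but its second sentence still reads "The rows list the roles for which their password can be reset" and the heading is still "Who can reset passwords". Either extend the second sentence and the heading to cover refresh tokens or drop the addition, so the table's scope is stated consistently.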
User<br/>(no admin role) | :heavy_check_mark: | :heavy_check_mark: | :heavy_chec
User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark: User Admin | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: Usage Summary Reports Reader | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
+All custom roles | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
\* A Global Administrator cannot remove their own Global Administrator assignment. This is to prevent a situation where an organization has 0 Global Administrators. > [!NOTE]
-> The ability to reset a password includes the ability to update the following sensitive attributes required for [self-service password reset](/azure/active-directory/authentication/concept-sspr-howitworks):
+> The ability to reset a password includes the ability to update the following sensitive properties required for [self-service password reset](/azure/active-directory/authentication/concept-sspr-howitworks):
> - businessPhones > - mobilePhone > - otherMails
-### Who can update sensitive attributes?
+### Who can perform sensitive actions
-Some administrators can update the following sensitive attributes for some users. All users can read these sensitive attributes.
+Some administrators can perform the following sensitive actions for some users. All users can read the sensitive properties.
-- accountEnabled-- businessPhones-- mobilePhone-- onPremisesImmutableId-- otherMails-- passwordProfile-- userPrincipalName
+| Sensitive action | Sensitive property name |
+| | |
+| Disable or enable users | `accountEnabled` |
+| Update business phone | `businessPhones` |
+| Update mobile phone | `mobilePhone` |
+| Update on-premises immutable ID | `onPremisesImmutableId` |
+| Update other emails | `otherMails` |
+| Update password profile | `passwordProfile` |
+| Update user principal name | `userPrincipalName` |
+| Delete or restore users | Not applicable |
-In the following table, the columns list the roles that can update the sensitive attributes. The rows list the roles for which their sensitive attributes can be updated.
+In the following table, the columns list the roles that can perform sensitive actions. The rows list the roles for which the sensitive action can be performed upon.
The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, [further restrictions apply](/azure/active-directory/roles/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope).
-Role that sensitive attributes can be updated | Auth Admin | User Admin | Privileged Auth Admin | Global Admin
+Role that sensitive action can be performed upon | Auth Admin | User Admin | Privileged Auth Admin | Global Admin
| | | | Auth Admin | :heavy_check_mark: | &nbsp; | :heavy_check_mark: | :heavy_check_mark: Directory Readers | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
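Review bot: in the added sentence "The rows list the roles for which the sensitive action can be performed upon", the preposition is doubled ("for which ... upon"). Suggest "The rows list the roles that the sensitive action can be performed upon", which also matches the new column header "Role that sensitive action can be performed upon".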
User<br/>(no admin role) | :heavy_check_mark: | :heavy_check_mark: | :heavy_chec
User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark: User Admin | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: Usage Summary Reports Reader | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
+All custom roles | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
+ ## User and group search limitations for guest users in organizations
v1.0 Virtualendpoint https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/virtualendpoint.md
Use the Cloud PC API to provision and manage virtual desktops for employees in a
|[List auditEvents](../api/virtualendpoint-list-auditevents.md)|[cloudPcAuditEvent](../resources/cloudpcauditevent.md) collection|List properties and relationships of the [cloudPcAuditEvent](../resources/cloudpcauditevent.md) objects.| |[List supportedRegions](../api/virtualendpoint-list-supportedregions.md)|[cloudPcSupportedRegion](../resources/cloudpcsupportedregion.md) collection|List properties and relationships of the [cloudPcSupportedRegion](../resources/cloudpcsupportedregion.md) objects.| |[List servicePlans](../api/virtualendpoint-list-serviceplans.md)|[cloudPcServicePlan](../resources/cloudpcserviceplan.md) collection|List properties and relationships of the [cloudPcServicePlan](../resources/cloudpcserviceplan.md) objects.|
+|[List sharedUseServicePlans](../api/virtualendpoint-list-shareduseserviceplans.md)|[cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) collection|List properties and relationships of the [cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) objects.|
|[List snapshots](../api/virtualendpoint-list-snapshots.md)|[cloudPcSnapshot](../resources/cloudpcsnapshot.md) collection|Get a list of [cloudPcSnapshot](../resources/cloudpcsnapshot.md) objects and their properties.| |[List externalPartnerSettings](../api/virtualendpoint-list-externalpartnersettings.md)|[cloudPcExternalPartnerSetting](../resources/cloudpcexternalpartnersetting.md) collection|Get a list of the [cloudPcExternalPartnerSetting](../resources/cloudpcexternalpartnersetting.md) objects and their properties.| |[Create cloudPcExternalPartnerSetting](../api/virtualendpoint-post-externalpartnersettings.md)|[cloudPcExternalPartnerSetting](../resources/cloudpcexternalpartnersetting.md)|Create a new [cloudPcExternalPartnerSetting](../resources/cloudpcexternalpartnersetting.md) object.|
Use the Cloud PC API to provision and manage virtual desktops for employees in a
|provisioningPolicies|[cloudPcProvisioningPolicy](../resources/cloudpcprovisioningpolicy.md) collection|Cloud PC provisioning policy.| |reports|[cloudPcReports](../resources/cloudpcreports.md)|Cloud PC related reports.| |servicePlans|[cloudPcServicePlan](../resources/cloudpcserviceplan.md) collection|Cloud PC service plans.|
+|sharedUseServicePlans|[cloudPcSharedUseServicePlan](../resources/cloudpcshareduseserviceplan.md) collection|Cloud PC shared-use service plans.|
|snapshots|[cloudPcSnapshot](../resources/cloudpcsnapshot.md) collection|Cloud PC snapshots.| |supportedRegions|[cloudPcSupportedRegion](../resources/cloudpcsupportedregion.md) collection|Cloud PC supported regions.| |userSettings|[cloudPcUserSetting](../resources/cloudpcusersetting.md) collection|Cloud PC user settings. |
v1.0 Workbooknameditem https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/workbooknameditem.md
Title: "workbookNamedItem resource type"
-description: "Represents a defined name for a range of cells or value. Names can be primitive named objects (as seen in the type below), range object, reference to a range. This object can be used to obtain range object associated with names."
+description: "Represents a defined name for a range of cells or value."
ms.localizationpriority: medium doc_type: resourcePageType ms.prod: "excel"
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Represents a defined name for a range of cells or value. Names can be primitive named objects (as seen in the type below), range object, reference to a range. This object can be used to obtain range object associated with names.
+Represents a defined name for a range of cells or value. Names can be primitive named objects (as seen in the following type), range object, reference to a range. This object can be used to obtain range object associated with names.
## Methods | Method | Return Type |Description| |:|:--|:-|
-|[Add](../api/nameditem-add.md)|[workbookNamedItem](workbooknameditem.md)|Adds a new name to the collection of the given scope.|
-|[AddFormulaLocal](../api/nameditem-addformulalocal.md)|[workbookNamedItem](workbooknameditem.md)|Adds a new name to the collection of the given scope using the user's locale for the formula.|
-|[Get NamedItem](../api/nameditem-get.md) | [workbookNamedItem](workbooknameditem.md) |Read properties and relationships of namedItem object.|
-|[Update](../api/nameditem-update.md) | [workbookNamedItem](workbooknameditem.md) |Update NamedItem object. |
-|[Range](../api/nameditem-range.md)|[workbookRange](workbookrange.md)|Returns the range object that is associated with the name. Throws an exception if the named item's type is not a range.|
-|[List](../api/nameditem-list.md) | [workbookNamedItem](workbooknameditem.md) collection |Get namedItem object collection. |
+|[Add](../api/nameditem-add.md)|[workbookNamedItem](workbooknameditem.md)|Add a new name to the collection of the given scope.|
+|[AddFormulaLocal](../api/nameditem-addformulalocal.md)|[workbookNamedItem](workbooknameditem.md)|Add a new name to the collection of the given scope using the user's locale for the formula.|
+|[Get NamedItem](../api/nameditem-get.md) | [workbookNamedItem](workbooknameditem.md) |Read properties and relationships of **namedItem** object.|
+|[Update](../api/nameditem-update.md) | [workbookNamedItem](workbooknameditem.md) |Update a **namedItem** object. |
+|[Range](../api/nameditem-range.md)|[workbookRange](workbookrange.md)|Return the range object that is associated with the name. Throw an exception if the named item's type is not a range.|
+|[List](../api/nameditem-list.md) | [workbookNamedItem](workbooknameditem.md) collection |Get a collection of **namedItem** objects. |
| [Delete](../api/nameditem-delete.md) | None | Delete a [workbookNamedItem](workbooknameditem.md) object. | ## Properties | Property | Type |Description| |:|:--|:-|
-|name|string|The name of the object. Read-only.|
-|comment|string|Represents the comment associated with this name.|
-|scope|string|Indicates whether the name is scoped to the workbook or to a specific worksheet. Read-only.|
-|type|string|Indicates what type of reference is associated with the name. Possible values are: `String`, `Integer`, `Double`, `Boolean`, `Range`. Read-only.|
-|value|string|Represents the formula that the name is defined to refer to. E.g. =Sheet14!$B$2:$H$12, =4.75, etc. Read-only.|
-|visible|boolean|Specifies whether the object is visible or not.|
+|comment|String|Represents the comment associated with this name.|
+|name|String|The name of the object. Read-only.|
+|scope|String|Indicates whether the name is scoped to the workbook or to a specific worksheet. Read-only.|
+|type|String|Indicates what type of reference is associated with the name. Possible values are: `String`, `Integer`, `Double`, `Boolean`, `Range`. Read-only.|
+|value|String|Represents the formula that the name is defined to refer to. For example, `=Sheet14!$B$2:$H$12` and `=4.75`. Read-only.|
+|visible|Boolean|Specifies whether the object is visible or not.|
## Relationships | Relationship | Type |Description|
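Review bot: in the Range row of the Methods table, the switch to imperative mood turns "Throws an exception if the named item's type is not a range" into "Throw an exception if ...", which now reads as an instruction to the caller rather than a description of the API's behavior. Suggest "An exception is thrown if the named item's type is not a range". The reworded body paragraph in the same hunk also keeps "range object, reference to a range" without articles, although the front-matter description was shortened to avoid that sentence.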
Represents a defined name for a range of cells or value. Names can be primitive
## JSON representation
-Here is a JSON representation of the resource.
+The following is a JSON representation of the resource.
<!-- { "blockType": "resource",
Here is a JSON representation of the resource.
```json {
- "name": "string",
- "comment": "string",
- "scope": "string",
- "type": "string",
- "value": "string",
- "visible": true
-
+ "comment": "String",
+ "name": "String",
+ "scope": "String",
+ "type": "String",
+ "value": "String",
+ "visible": "Boolean"
}- ``` <!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
Here is a JSON representation of the resource.
"suppressions": [] } -->--
v1.0 Accessreviewset List Definitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/accessreviewset-list-definitions.md
This method supports the `$select`, `$top`, `$skip`,`$orderBy`, and `$filter` OD
The default page size for this API is 100 **accessReviewScheduleDefinition** objects. To improve efficiency and avoid timeouts due to large result sets, apply pagination using the `$skip` and `$top` query parameters. For more information, see [Paging Microsoft Graph data in your app](/graph/paging). ### Use the $filter query parameter
-The `$filter` query parameter with the `contains` operator is supported on the **scope** property of accessReviewScheduleDefinition. Use the following format for the request:
-```http
-GET /identityGovernance/accessReviews/definitions?$filter=contains(scope/microsoft.graph.accessReviewQueryScope/query, '{object}')
-```
-
-The value of `{object}` can be one of the following:
-
-|Value|Description|
-|: |: |
-|`/groups` |List every accessReviewScheduleDefinition on individual groups (excludes definitions scoped to all Microsoft 365 groups with guest users).|
-|`/groups/{group id}` |List every accessReviewScheduleDefinition on a specific group (excludes definitions scoped to all Microsoft 365 groups with guest users).|
-|`./members` |List every accessReviewScheduleDefinition scoped to all Microsoft 365 groups with guest users.|
-|`accessPackageAssignments` |List every accessReviewScheduleDefinition on an access package.|
-|`roleAssignmentScheduleInstances` |List every accessReviewScheduleDefinition for service principals assigned to a privileged role.|
-
-The `$filter` query parameter is not supported on **accessReviewInactiveUserQueryScope** or **principalResourceMembershipScope**.
## Request headers |Name|Description|
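Review bot: the removal deletes the whole body of the section while the heading "### Use the $filter query parameter" stays in the unchanged context, so the page goes from an empty heading straight to "## Request headers". The intro line still lists `$filter` as a supported query parameter, so either remove the heading with the content or leave a short statement of what `$filter` supports on this endpoint, including the removed caveat that it is not supported on **accessReviewInactiveUserQueryScope** or **principalResourceMembershipScope**.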
v1.0 Accessreviewset Post Historydefinitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/accessreviewset-post-historydefinitions.md
The following table shows the required properties used to create an [accessRevie
The **scopes** property of [accessReviewHistoryDefinition](../resources/accessreviewhistorydefinition.md) is based on **accessReviewQueryScope**, a resource that allows you to configure different resources in it's **query** property. These resources then represent the scope of the history definition and dictate the type of review history data that is included in the downloadable CSV file which is generated when the history definition's [accessReviewHistoryInstances](../resources/accessreviewhistoryinstance.md) are created.
-Use the following format for the **query** property:
-
-```http
-/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '{object}')
-```
-
-The value of `{object}` is one of the resources that can be configured in an **accessReviewScheduleDefinition**. For example, the following includes every accessReviewScheduleDefinition review result on individual groups (and excludes definitions scoped to all Microsoft 365 groups with guest users).
-
-```http
-/identityGovernance/accessReviews/definitions?$filter=contains(scope/query, '/groups')
-```
-
-For more supported values, see Use the [$filter query parameter on accessReviewScheduleDefinition](accessreviewset-list-definitions.md#use-the-filter-query-parameter).
## Response
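Review bot: after this removal, the paragraph that introduces the **query** property of **accessReviewQueryScope** is left with no format, no example and no pointer to the supported values, so a reader cannot tell what string to put in **query** when creating a history definition. Keep at least one example value or a link to where the format is documented. The unchanged sentence above also has "in it's **query** property", which should be "its".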
v1.0 Directory Deleteditems Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/directory-deleteditems-delete.md
If successful, this method returns `204 No Content` response code. It does not r
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "delete_directory"
+ "name": "delete_directory_deleteditem"
}--> ```http DELETE https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id}
v1.0 Directory Deleteditems Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/directory-deleteditems-get.md
The following is an example of a request.
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "get_directory"
+ "name": "get_directory_deleteditem"
}--> ```msgraph-interactive GET https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id}
v1.0 Directory Deleteditems Getuserownedobjects https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/directory-deleteditems-getuserownedobjects.md
Successful requests return `200 OK` response codes; the response object includes
## Example
-##### Request
+### Request
Here is an example of the request.
+<!-- {
+ "blockType": "request",
+ "name": "get_directory_deleteditem_getuserownedobjects"
+}-->
``` http POST https://graph.microsoft.com/v1.0/directory/deletedItems/getUserOwnedObjects Content-type: application/json
-```
-``` json
{ "userId":"55ac777c-109e-4022-b58c-470c8fcb6892", "type":"Group" } ```
-###### Response
+### Response
Here is an example of the response. Note: This response object may be truncated for brevity. All supported properties are returned from actual calls.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.directoryObject",
+ "isCollection": true
+} -->
``` http
-HTTP/1.1 200
+HTTP/1.1 200 OK
Content-type: application/json {
-"value": [
- {
- "@odata.type": "#microsoft.graph.group",
- "id": "bfa7033a-7367-4644-85f5-95aaf385cbd7",
- "deletedDateTime": 2018-04-01T12:39:16Z,
- "classification": null,
- "createdDateTime": "2017-03-22T12:39:16Z",
- "description": null,
- "displayName": "Test",
- "groupTypes": [
- "Unified"
- ],
- "mail": "Test@contoso.com",
- "mailEnabled": true,
- "mailNickname": "Test",
- "membershipRule": null,
- "membershipRuleProcessingState": null,
- "preferredDataLocation": null,
- "preferredLanguage": null,
- "proxyAddresses": [
- "SMTP:Test@contoso.com"
- ],
- "renewedDateTime": "2017-09-22T22:30:39Z",
- "securityEnabled": false,
- "theme": null,
- "visibility": "Public"
- }
- ]
- }
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.group",
+ "id": "bfa7033a-7367-4644-85f5-95aaf385cbd7",
+ "deletedDateTime": "2018-04-01T12:39:16Z",
+ "classification": null,
+ "createdDateTime": "2017-03-22T12:39:16Z",
+ "description": null,
+ "displayName": "Test",
+ "groupTypes": [
+ "Unified"
+ ],
+ "mail": "Test@contoso.com",
+ "mailEnabled": true,
+ "mailNickname": "Test",
+ "membershipRule": null,
+ "membershipRuleProcessingState": null,
+ "preferredDataLocation": null,
+ "preferredLanguage": null,
+ "proxyAddresses": [
+ "SMTP:Test@contoso.com"
+ ],
+ "renewedDateTime": "2017-09-22T22:30:39Z",
+ "securityEnabled": false,
+ "theme": null,
+ "visibility": "Public"
+ }
+ ]
+}
```
v1.0 Directory Deleteditems List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/directory-deleteditems-list.md
If successful, this method returns a `200 OK` response code and collection of [d
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "get_deleteditems"
+ "name": "list_directory_deleteditems"
}--> ```msgraph-interactive GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.group
Content-type: application/json
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "get_deleteditems_count"
+ "name": "list_directory_deleteditems_count"
}--> ```msgraph-interactive GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.group?$count=true&$orderBy=deletedDateTime asc&$select=id,DisplayName,deletedDateTime
v1.0 Directory Deleteditems Restore https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/directory-deleteditems-restore.md
The calling app must be assigned one of the following [Azure AD roles](/azure/ac
|Delegated (personal Microsoft account) | Not supported. | |Application | User.ReadWrite.All |
+To restore users with privileged administrator roles in delegated scenarios, the app must be assigned with *Directory.AccessAsUser.All* delegated permission, and the calling user must also be assigned a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
+
+In app-only scenarios, the *User.ReadWrite.All* application permission isn't enough privilege to restore deleted users with privilged administrator roles. The app must be assigned a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
+ ### For groups: |Permission type | Permissions (from least to most privileged) |
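Review bot: the app-only paragraph has a typo, "privilged administrator roles", and "isn't enough privilege to restore" would read better as "isn't sufficient to restore". In the delegated paragraph, "the app must be assigned with *Directory.AccessAsUser.All* delegated permission" should be "must be assigned the *Directory.AccessAsUser.All* delegated permission", which is the wording the user-delete article uses for the same requirement.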
If successful, this method returns a `200 OK` response code and a [directoryObje
# [HTTP](#tab/http) <!-- { "blockType": "request",
- "name": "create_directoryobject_from_directory"
+ "name": "restore_directory_deleteditem"
}--> ```http POST https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id}/restore
v1.0 Domain Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/domain-delete.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
+The work or school account needs to belong to one of the following roles:
+
+* Global Administrator
+* Domain Name Administrator
+* Partner Tier2 Support
+ ## HTTP request <!-- { "blockType": "ignored" } --> ```http
v1.0 Domain Forcedelete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/domain-forcedelete.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
+The work or school account needs to belong to one of the following roles:
+
+* Global Administrator
+* Domain Name Administrator
+* Partner Tier2 Support
+ ## HTTP request <!-- { "blockType": "ignored" } -->
v1.0 Domain Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/domain-get.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
+The work or school account needs to belong to one of the following roles:
+
+* Global Administrator
+* User Administrator
+* Helpdesk Administrator
+* Service Support Administrator
+* Billing Administrator
+* Mailbox Administrator
+* Partner Tier1 Support
+* Partner Tier2 Support
+* Directory Readers
+* Directory Writers
+* AdHoc License Administrator
+* Application Administrator
+* Security Reader
+* Security Administrator
+* Privileged Role Administrator
+* Cloud Application Administrator
+* Customer LockBox Access Approver
+* Dynamics 365 Administrator
+* Power BI Administrator
+* Azure Information Protection Administrator
+* Desktop Analytics Administrator
+* License Administrator
+* Microsoft Managed Desktop Administrator
+* Authentication Administrator
+* Privileged Authentication Administrator
+* Teams Communications Administrator
+* Teams Communications Support Engineer
+* Teams Communications Support Specialist
+* Teams Administrator
+* Insights Administrator
+* Compliance Data Administrator
+* Security Operator
+* Kaizala Administrator
+* Global Reader
+* Volume Licensing Business Center User
+* Volume Licensing Service Center User
+* Modern Commerce User
+* Microsoft Store for Business User
+* Directory Reviewer
+ ## HTTP request <!-- { "blockType": "ignored" } -->
v1.0 Domain List Domainnamereferences https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/domain-list-domainnamereferences.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.Read.All, Domain.ReadWrite.All |
+The work or school account needs to belong to one of the following roles:
+
+* Global Administrator
+* Domain Name Administrator
+* Partner Tier2 Support
+* Global Reader
+ [!INCLUDE [limited-info](../../includes/limited-info.md)] ## HTTP request
v1.0 Domain List Verificationdnsrecords https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/domain-list-verificationdnsrecords.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.Read.All, Domain.ReadWrite.All |
+The work or school account needs to belong to one of the following roles:
+
+* Global Administrator
+* Domain Name Administrator
+* Partner Tier2 Support
+* Global Reader
+ ## HTTP request <!-- { "blockType": "ignored" } --> ```http
v1.0 Domain List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/domain-list.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
+The work or school account needs to belong to one of the following roles:
+
+* Global Administrator
+* User Administrator
+* Helpdesk Administrator
+* Service Support Administrator
+* Billing Administrator
+* Mailbox Administrator
+* Partner Tier1 Support
+* Partner Tier2 Support
+* Directory Readers
+* Directory Writers
+* AdHoc License Administrator
+* Application Administrator
+* Security Reader
+* Security Administrator
+* Privileged Role Administrator
+* Cloud Application Administrator
+* Customer LockBox Access Approver
+* Dynamics 365 Administrator
+* Power BI Administrator
+* Azure Information Protection Administrator
+* Desktop Analytics Administrator
+* License Administrator
+* Microsoft Managed Desktop Administrator
+* Privileged Authentication Administrator
+* Teams Communications Administrator
+* Teams Communications Support Engineer
+* Authentication Administrator
+* Teams Communications Support Specialist
+* Teams Administrator
+* Insights Administrator
+* Compliance Data Administrator
+* Security Operator
+* Kaizala Administrator
+* Global Reader
+* Volume Licensing Business Center User
+* Volume Licensing Service Center User
+* Modern Commerce User
+* Microsoft Store for Business User
+* Directory Reviewer
+* Domain Name Administrator
+* Users
+* Guest User
+* Restricted Guest User
+ ## HTTP request <!-- { "blockType": "ignored" } --> ```http
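Review bot: in the added role list, "Authentication Administrator" is placed between "Teams Communications Support Engineer" and "Teams Communications Support Specialist" instead of next to "Privileged Authentication Administrator", and the 43-entry list ends with "Users", "Guest User" and "Restricted Guest User". If the intent is that any member or guest account can list domains, one sentence saying so would be clearer and easier to maintain than enumerating every role. Otherwise, sort the list so a reader checking least privilege can find a role quickly.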
v1.0 Domain Post Domains https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/domain-post-domains.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
+The work or school account needs to belong to one of the following roles:
+
+* Global Administrator
+* Domain Name Administrator
+* Partner Tier2 Support
+ ## HTTP request <!-- { "blockType": "ignored" } -->
v1.0 Domain Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/domain-update.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
+The work or school account needs to belong to one of the following roles:
+
+* Global Administrator
+* Domain Name Administrator
+* Partner Tier2 Support
+* Security Administrator
+* External Identity Provider Administrator
+ ## HTTP request <!-- { "blockType": "ignored" } --> ```http
v1.0 Domain Verify https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/domain-verify.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
+The work or school account needs to belong to one of the following roles:
+
+* Global Administrator
+* Domain Name Administrator
+* Partner Tier2 Support
+ ## HTTP request <!-- { "blockType": "ignored" } -->
v1.0 Group Post Members https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/group-post-members.md
The following table shows the least privileged permission that's required by eac
| [group](../resources/group.md) | GroupMember.ReadWrite.All and Group.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All and Group.ReadWrite.All | | [orgContact](../resources/device.md) | GroupMember.ReadWrite.All and OrgContact.Read.All | Not supported. | GroupMember.ReadWrite.All and OrgContact.Read.All | | [servicePrincipal](../resources/group.md) | GroupMember.ReadWrite.All and Application.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All and Application.ReadWrite.All |
-| [user](../resources/user.md) | GroupMember.ReadWrite.All and User.ReadWrite.All | Not supported. | UGroupMember.ReadWrite.All and User.ReadWrite.All |
+| [user](../resources/user.md) | GroupMember.ReadWrite.All and User.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All and User.ReadWrite.All |
> [!IMPORTANT] > To add members to a role-assignable group, the calling user must also be assigned the _RoleManagement.ReadWrite.Directory_ permission.
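Review bot: the `UGroupMember.ReadWrite.All` typo fix in the user row is correct, but the neighboring rows in the same table still link to the wrong resources: `[orgContact](../resources/device.md)` and `[servicePrincipal](../resources/group.md)`. Since this change already touches the table, point those links at the orgContact and servicePrincipal resource pages.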
v1.0 Range Unmerge https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/range-unmerge.md
doc_type: apiPageType
Namespace: microsoft.graph Unmerge the range cells into separate cells.+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
POST /me/drive/items/{id}/workbook/worksheets/{id|name}/range(address='<address>
POST /me/drive/root:/{item-path}:/workbook/worksheets/{id|name}/range(address='<address>')/unmerge POST /me/drive/items/{id}/workbook/tables/{id|name}/columns/{id|name}/range/unmerge POST /me/drive/root:/{item-path}:/workbook/tables/{id|name}/columns/{id|name}/range/unmerge- ```+ ## Request headers | Name | Description| |:|:-|
POST /me/drive/root:/{item-path}:/workbook/tables/{id|name}/columns/{id|name}/ra
## Response
-If successful, this method returns `200 OK` response code. It does not return anything in the response body.
+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.
## Example
-Here is an example of how to call this API.
-##### Request
-Here is an example of the request.
+
+### Request
+The following is an example of the request.
# [HTTP](#tab/http) <!-- {
POST https://graph.microsoft.com/v1.0/me/drive/items/{id}/workbook/names/{name}/
-##### Response
-Here is an example of the response.
+### Response
+The following is an example of the response.
<!-- { "blockType": "response", "truncated": true } --> ```http
-HTTP/1.1 200 OK
+HTTP/1.1 204 No Content
``` <!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
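Review bot: the response example now returns `204 No Content` with no body, but the metadata comment above the fence still says `"truncated": true`. With an empty response there is nothing to truncate, so drop that flag along with the status code change.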
v1.0 Schedule Post Shifts https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/schedule-post-shifts.md
Namespace: microsoft.graph
Create a new [shift](../resources/shift.md) instance in a [schedule](../resources/schedule.md).
+The duration of a shift cannot be less than 1 minute or longer than 24 hours.
+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
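Review bot: the added constraint "The duration of a shift cannot be less than 1 minute or longer than 24 hours" does not say what the API returns when a request violates it. Add the response code or error that callers should expect so that client-side validation and error handling can be written against it.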
v1.0 Serviceprincipal Post Serviceprincipals https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/serviceprincipal-post-serviceprincipals.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Application.ReadWrite.OwnedBy, Application.ReadWrite.All |
-> [!IMPORTANT]
-> The following additional requirements must be met for an app to create a service principal:
-> + If the backing application is registered in the calling app's home tenant, the calling app must be the owner of the backing application.
-> + If the backing application is registered in another Azure AD tenant, the calling app must be assigned the `Cloud Application Administrator` or `Application Administrator` role.
+For multi-tenant apps, the calling user must also be in one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference):
+++ Global Administrator++ Application Administrator++ Cloud Application Administrator roles+
+For single-tenant apps where the calling user is a non-admin user but is the owner of the backing application, the user must have the *Application Developer* role.
## HTTP request <!-- { "blockType": "ignored" } -->
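Review bot: The added paragraphs starting at `+For multi-tenant apps, the calling user must also be in one of the following` describe only a calling user, so the app-only requirements from the removed IMPORTANT block (the calling app must own the backing application, or hold `Cloud Application Administrator` or `Application Administrator` when the backing application is in another tenant) are no longer stated anywhere, even though the permissions table still lists Application.ReadWrite.OwnedBy and Application.ReadWrite.All. Keep a sentence for app-only callers, or say explicitly that the old requirements no longer apply. The last bullet also reads "Cloud Application Administrator roles" with a stray "roles", and *Application Developer* is italicized while the other role names are not.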
v1.0 Shift Put https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/shift-put.md
Replace an existing [shift](../resources/shift.md).
If the specified [shift](../resources/shift.md) doesn't exist, this method returns `404 Not found`.
+The duration of a shift cannot be less than 1 minute or longer than 24 hours.
+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
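Review bot: The new constraint at `+The duration of a shift cannot be less than 1 minute or longer than 24 hours.` does not say what a caller gets back when it is violated, while the line just above it names `404 Not found` for a missing shift. State the status code or error returned for an out-of-range duration so clients can handle it. The same sentence is added to the create-shift page and the shift resource page, so whatever is decided should be applied in all three places.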
v1.0 User Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/user-delete.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | User.ReadWrite.All |
-The calling user must be assigned one of the following Azure AD roles:
-+ [User Administrator](/azure/active-directory/roles/permissions-reference#user-administrator)
-+ [Privileged Authentication Administrator](/azure/active-directory/roles/permissions-reference#privileged-authentication-administrator)
-+ [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator)
+The calling user must be assigned one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference?toc=%2Fgraph%2Ftoc.json):
-To delete users with more privileged administrator roles, applications need to be assigned the *Directory.AccessAsUser.All* delegated permission and either the Global Admin role or the Privileged Auth Admin role.
+- User Administrator
+- Privileged Authentication Administrator
+- Global Administrator
-For more details, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).
+To delete users with privileged administrator roles in delegated scenarios, the app must be assigned the *Directory.AccessAsUser.All* delegated permission, and the calling user must have a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
+
+In app-only scenarios, the *User.ReadWrite.All* application permission isn't enough privilege to delete users with privileged administrative roles. The app must be assigned a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
## HTTP request
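Review bot: The rewritten role list at `+The calling user must be assigned one of the following [Azure AD roles]` is not scoped to delegated scenarios, although the two paragraphs added after it split the guidance into "in delegated scenarios" and "In app-only scenarios". Open that sentence with "In delegated scenarios," so a reader does not apply the user role list to an app-only caller. The bullets also lose the per-role deep links the removed lines had, and "isn't enough privilege to delete" reads better as "isn't sufficient to delete".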
v1.0 User Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/user-update.md
One of the following permissions is required to call this API. To learn more, in
|Application | User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All | >[!NOTE]
-> - To update user properties, such as **businessPhones**, **mobilePhone** and **otherMails** for users with more privileged administrator roles, applications need to be assigned the *Directory.AccessAsUser.All* delegated permission and either the Global Admin role or the Privileged Auth Admin role. For more information about who can update sensitive properties or reset passwords, see [Authorization and privileges](/graph/api/resources/users#authorization-and-privileges).
+> - To update sensitive user properties, such as **accountEnabled**, **mobilePhone**, and **otherMails** for users with privilged administrator roles, the app must be assigned the *Directory.AccessAsUser.All* delegated permission, and the calling user must have a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
> - Your personal Microsoft account must be tied to an Azure AD tenant to update your profile with the *User.ReadWrite* delegated permission on a personal Microsoft account. > - Updating the **identities** property requires the *User.ManageIdentities.All* permission. Also, adding a [B2C local account](../resources/objectidentity.md) to an existing **user** object is not allowed, unless the **user** object already contains a local account identity.
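Review bot: The added note line contains a typo, "privilged administrator roles", which should read "privileged administrator roles". The note also covers only the delegated path (`Directory.AccessAsUser.All` plus the calling user's role), whereas the user-delete page in this same batch gained a separate paragraph for app-only callers; add the equivalent statement here, since the permissions table lists Application permissions for this method too.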
v1.0 Workbookrange Resizedrange https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/workbookrange-resizedrange.md
Title: "workbookRange: resizedRange"
-description: "Gets a range object similar to the current range object, but with its bottom-right corner expanded (or contracted) by some number of rows and columns."
+description: "Get a range object similar to the current range object, but with its bottom-right corner expanded (or contracted) by some number of rows and columns."
ms.localizationpriority: medium ms.prod: "excel"
doc_type: apiPageType
# workbookRange: resizedRange Namespace: microsoft.graph
-Gets a range object similar to the current range object, but with its bottom-right corner expanded (or contracted) by some number of rows and columns.
+
+Get a range object similar to the current range object, but with its bottom-right corner expanded (or contracted) by some number of rows and columns.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
One of the following permissions is required to call this API. To learn more, in
```http POST /me/drive/items/{id}/workbook/worksheets/{id}/range/resizedRange(deltaRows={n}, deltaColumns={n}) POST /me/drive/root:/{item-path}:/workbook/worksheets/{id}/range/resizedRange(deltaRows={n}, deltaColumns={n})- ``` ## Function parameters
POST /me/drive/root:/{item-path}:/workbook/worksheets/{id}/range/resizedRange(de
| Name | Description| |:|:-| | Authorization | Bearer {token}. Required. |
-| Workbook-Session-Id | Workbook session Id that determines if changes are persisted or not. Optional.|
+| Workbook-Session-Id | Workbook session ID that determines if changes are persisted or not. Optional.|
## Request body Do not supply a request body for this method. ### Response
-If successful, this method returns `200 OK` response code and [workbookRange](../resources/range.md) object in the response body.
+If successful, this method returns a `200 OK` response code and a [workbookRange](../resources/range.md) object in the response body.
## Example
-Here is an example of how to call this API.
-##### Request
-Here is an example of the request.
+
+### Request
+The following is an example of the request.
<!--{ "blockType": "request", "isComposable": true,
Here is an example of the request.
POST https://graph.microsoft.com/v1.0/me/drive/root/workbook/worksheets/{id}/range/resizedRange(deltaRows={n}, deltaColumns={n}) ```
-##### Response
-Here is an example of the response. Note: The response object shown here might be shortened for readability.
+### Response
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
<!-- { "blockType": "response", "truncated": true,
v1.0 Anonymousguestconversationmember https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/anonymousguestconversationmember.md
+
+ Title: "anonymousGuestConversationMember resource type"
+description: "Represents an anonymous guest in a chat."
+
+ms.localizationpriority: medium
++
+# anonymousGuestConversationMember resource type
+
+Namespace: microsoft.graph
+
+Represents an anonymous guest in a chat.
+
+Anonymous users do not have a Microsoft Teams identity and can join meetings using meeting join links. For more details, see [Anonymous users](/microsoftteams/non-standard-users#anonymous-users).
++
+Inherits from [conversationMember](../resources/conversationmember.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|anonymousGuestId|String|Unique ID that represents the user. **Note:** This ID can change if the user leaves and rejoins the meeting, or joins from a different device.|
+|displayName|String|Name provided by the user when joining the meeting. Inherited from [conversationMember](../resources/conversationmember.md).|
+|id|String|Membership ID that represents this resource. Inherited from [entity](../resources/entity.md).|
+|roles|String collection|Special roles for this user. Inherited from [conversationMember](../resources/conversationmember.md).|
+|visibleHistoryStartDateTime|DateTimeOffset|The timestamp denoting how far back a conversation's history is shared with the conversation member. Inherited from [conversationMember](../resources/conversationmember.md).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.anonymousGuestConversationMember",
+ "baseType": "microsoft.graph.conversationMember",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.anonymousGuestConversationMember",
+ "id": "String (identifier)",
+ "roles": [
+ "String"
+ ],
+ "displayName": "String",
+ "visibleHistoryStartDateTime": "String (timestamp)",
+ "anonymousGuestId": "String"
+}
+```
+
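Review bot: The property descriptions for `displayName` ("Name provided by the user when joining the meeting") and `anonymousGuestId` (can change when the user leaves and rejoins or joins from a different device) should say outright that neither value is a verified or stable identity. As written, a reader has to infer that `displayName` is self-asserted and that `anonymousGuestId` cannot be used to correlate a participant across sessions. One added sentence in each description, for example "This value is not verified." and "Do not treat this ID as a persistent identifier.", would make that explicit for apps that log or make decisions on chat membership.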
v1.0 Callrecords Pstncalllogrow https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/callrecords-pstncalllogrow.md
Title: "pstnCallLogRow resource type"
-description: "Represents a row of data in the Public Switch Telephone Network (PSTN) call log."
+description: "Represents a row of data in the public switched telephone network (PSTN) call log."
ms.localizationpriority: medium ms.prod: "cloud-communications"
doc_type: "resourcePageType"
Namespace: microsoft.graph.callRecords
-Represents a row of data in the Public Switch Telephone Network (PSTN) call log. Each row maps to one call.
+Represents a row of data in the public switched telephone network (PSTN) call log. Each row maps to one call.
## Methods
Represents a row of data in the Public Switch Telephone Network (PSTN) call log.
|charge|Double|Amount of money or cost of the call that is charged to your account.| |conferenceId|String|ID of the audio conference.| |connectionCharge|Double|Connection fee price.|
-|currency|String|Type of currency used to calculate the cost of the call ([ISO 4217](https://en.wikipedia.org/wiki/ISO_4217)).|
+|currency|String|Type of currency used to calculate the cost of the call. For details, see ([ISO 4217](https://en.wikipedia.org/wiki/ISO_4217).|
|destinationContext|String|Whether the call was domestic (within a country or region) or international (outside a country or region) based on the user's location.| |destinationName|String|Country or region dialed.| |duration|Int32|How long the call was connected, in seconds.|
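Review bot: The rewritten `currency` row has an unbalanced parenthesis: `For details, see ([ISO 4217](https://en.wikipedia.org/wiki/ISO_4217).` opens a `(` before the link that is never closed. Drop the leading parenthesis so the sentence matches the form used for the country code rows in the next hunk ("For details, see [ISO 3166-1 alpha-2](...).").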
Represents a row of data in the Public Switch Telephone Network (PSTN) call log.
|licenseCapability|String|The license used for the call.| |operator|String|The telecommunications operator which provided PSTN services for this call. This may be Microsoft, or it may be a third-party operator via the [Operator Connect Program](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/introducing-operator-connect-and-more-teams-calling-updates/ba-p/2176398).| |startDateTime|DateTimeOffset|Call start time.|
-|tenantCountryCode|String|Country code of the tenant, [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).|
-|usageCountryCode|String|Country code of the user, [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).|
+|tenantCountryCode|String|Country code of the tenant. For details, see [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).|
+|usageCountryCode|String|Country code of the user. For details, see [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).|
|userDisplayName|String|Display name of the user.| |userId|String|Calling user's ID in Graph. GUID. This and other user info will be null/empty for bot call types (ucap_in, ucap_out).|
-|userPrincipalName|String|UserPrincipalName (sign-in name) in Azure Active Directory. This is usually the same as user's SIP Address, and can be same as user's e-mail address.|
+|userPrincipalName|String|The user principal name (sign-in name) in Azure Active Directory. This is usually the same as the user's SIP address, and can be same as the user's e-mail address.|
## Relationships
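Review bot: In the rewritten `userPrincipalName` row, "and can be same as the user's e-mail address" is missing an article; it should read "and can be the same as the user's e-mail address". The rest of the row was already edited for articles ("the user's SIP address"), so this one looks like an oversight.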
v1.0 Conversationmember https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/conversationmember.md
doc_type: resourcePageType
Namespace: microsoft.graph Represents a user in a [team](team.md), a [channel](channel.md), or a [chat](chat.md).
-See also [aadUserConversationMember](aaduserconversationmember.md).
## Methods
The following is a JSON representation of the resource.
} ```
+## See also
+
+- [aadUserConversationMember](aaduserconversationmember.md)
+- [skypeForBusinessUserConversationMember](skypeForBusinessUserConversationMember.md)
+- [anonymousGuestConversationMember](anonymousGuestConversationMember.md)
+- [skypeUserConversationMember](skypeUserConversationMember.md)
+- [microsoftAccountUserConversationMember](microsoftAccountUserConversationMember.md)
+ <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98 2019-02-04 14:57:30 UTC --> <!-- {
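Review bot: The new See also links use camel-case file names (`skypeForBusinessUserConversationMember.md`, `anonymousGuestConversationMember.md`, `skypeUserConversationMember.md`, `microsoftAccountUserConversationMember.md`), while the existing first link uses `aaduserconversationmember.md` and the files added in this batch are listed with all-lowercase paths. Use the lowercase file names so the links resolve on case-sensitive hosts and match the convention of the existing link.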
v1.0 Microsoftaccountuserconversationmember https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/microsoftaccountuserconversationmember.md
+
+ Title: "microsoftAccountUserConversationMember resource type"
+description: "Represents a personal Microsoft account user in a chat."
+
+ms.localizationpriority: medium
++
+# microsoftAccountUserConversationMember resource type
+
+Namespace: microsoft.graph
+
+Represents a personal Microsoft account user in a chat.
++
+Inherits from [conversationMember](../resources/conversationmember.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|displayName|String|Display name of the user. Inherited from [conversationMember](../resources/conversationmember.md).|
+|id|String|Membership ID that represents this resource. Inherited from [entity](../resources/entity.md).|
+|roles|String collection|Special roles for this user. Inherited from [conversationMember](../resources/conversationmember.md).|
+|userId|String|Microsoft Account ID of the user.|
+|visibleHistoryStartDateTime|DateTimeOffset|The timestamp denoting how far back a conversation's history is shared with the conversation member. Inherited from [conversationMember](../resources/conversationmember.md).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.microsoftAccountUserConversationMember",
+ "baseType": "microsoft.graph.conversationMember",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.microsoftAccountUserConversationMember",
+ "id": "String (identifier)",
+ "roles": [
+ "String"
+ ],
+ "displayName": "String",
+ "visibleHistoryStartDateTime": "String (timestamp)",
+ "userId": "String"
+}
+```
+
v1.0 Shift https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/shift.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Represents a unit of scheduled work in a [schedule](schedule.md).
+Represents a unit of scheduled work in a [schedule](schedule.md).
+
+The duration of a shift cannot be less than 1 minute or longer than 24 hours.
## Methods
v1.0 Skypeforbusinessuserconversationmember https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/skypeforbusinessuserconversationmember.md
+
+ Title: "skypeForBusinessUserConversationMember resource type"
+description: "Represents a Skype for Business user in a chat"
+
+ms.localizationpriority: medium
++
+# skypeForBusinessUserConversationMember resource type
+
+Namespace: microsoft.graph
+
+Represents a Skype for Business user in a chat.
+
+For information about Teams and Skype for Business interoperability, see [Understand Microsoft Teams and Skype for Business coexistence and interoperability](/microsoftteams/teams-and-skypeforbusiness-coexistence-and-interoperability).
+
+Inherits from [conversationMember](../resources/conversationmember.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|displayName|String|Display name of the user. Inherited from [conversationMember](../resources/conversationmember.md).|
+|id|String|Membership ID that represents this resource. Inherited from [entity](../resources/entity.md).|
+|roles|String collection|Special roles for this user. Inherited from [conversationMember](../resources/conversationmember.md).|
+|tenantId|String|ID of the tenant that the user belongs to.|
+|userId|String|Azure Active Directory ID of the user.|
+|visibleHistoryStartDateTime|DateTimeOffset|The timestamp denoting how far back a conversation's history is shared with the conversation member. Inherited from [conversationMember](../resources/conversationmember.md).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.skypeForBusinessUserConversationMember",
+ "baseType": "microsoft.graph.conversationMember",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.skypeForBusinessUserConversationMember",
+ "id": "String (identifier)",
+ "roles": [
+ "String"
+ ],
+ "displayName": "String",
+ "visibleHistoryStartDateTime": "String (timestamp)",
+ "userId": "String",
+ "tenantId": "String"
+}
+```
+
v1.0 Skypeuserconversationmember https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/skypeuserconversationmember.md
+
+ Title: "skypeUserConversationMember resource type"
+description: "Represents a Skype user in a chat"
+
+ms.localizationpriority: medium
++
+# skypeUserConversationMember resource type
+
+Namespace: microsoft.graph
+
+Represents a Skype (consumer) user in a chat.
+
+For information about Teams and Skype for Business interoperability, see [Understand Microsoft Teams and Skype for Business coexistence and interoperability](/microsoftteams/teams-and-skypeforbusiness-coexistence-and-interoperability).
+
+Inherits from [conversationMember](../resources/conversationmember.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|displayName|String|Display name of the user. Inherited from [conversationMember](../resources/conversationmember.md).|
+|id|String|Membership ID that represents this resource. Inherited from [entity](../resources/entity.md).|
+|roles|String collection|Special roles for this user. Inherited from [conversationMember](../resources/conversationmember.md).|
+|skypeId|String|Skype ID of the user.|
+|visibleHistoryStartDateTime|DateTimeOffset|The timestamp denoting how far back a conversation's history is shared with the conversation member. Inherited from [conversationMember](../resources/conversationmember.md).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.skypeUserConversationMember",
+ "baseType": "microsoft.graph.conversationMember",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.skypeUserConversationMember",
+ "id": "String (identifier)",
+ "roles": [
+ "String"
+ ],
+ "displayName": "String",
+ "visibleHistoryStartDateTime": "String (timestamp)",
+ "skypeId": "String"
+}
+```
+
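Review bot: The "For information about Teams and Skype for Business interoperability" paragraph looks copied from the skypeForBusinessUserConversationMember page; this type is described as a Skype (consumer) user, and the linked article covers Skype for Business coexistence. Link to consumer Skype interoperability guidance instead, or remove the paragraph. The front matter description `Represents a Skype user in a chat` also omits "(consumer)" and the trailing period that the body sentence has.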
v1.0 User https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/user.md
This resource supports:
|companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters.<br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).| |consentProvidedForMinor|[consentProvidedForMinor](#consentprovidedforminor-values)|Sets whether consent has been obtained for minors. Allowed values: `null`, `Granted`, `Denied` and `NotRequired`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, and `in`).| |country|String|The country/region in which the user is located; for example, `US` or `UK`. Maximum length is 128 characters. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
-|createdDateTime | DateTimeOffset |The date and time the user was created, in ISO 8601 format and in UTC time. The value cannot be modified and is automatically populated when the entity is created. Nullable. For on-premises users, the value represents when they were first created in Azure AD. Property is `null` for some users created before June 2018 and on-premises users that were synced to Azure AD before June 2018. Read-only. Read-only. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`).|
+|createdDateTime | DateTimeOffset |The date and time the user was created, in ISO 8601 format and in UTC time. The value cannot be modified and is automatically populated when the entity is created. Nullable. For on-premises users, the value represents when they were first created in Azure AD. Property is `null` for some users created before June 2018 and on-premises users that were synced to Azure AD before June 2018. Read-only. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`).|
| creationType | String | Indicates whether the user account was created through one of the following methods: <br/> <ul><li>As a regular school or work account (`null`). <li>As an external account (`Invitation`). <li>As a local account for an Azure Active Directory B2C tenant (`LocalAccount`). <li>Through self-service sign-up by an internal user using email verification (`EmailVerified`). <li>Through self-service sign-up by an external user signing up through a link that is part of a user flow (`SelfServiceSignUp`).</ul> <br>Read-only.<br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `in`). | |deletedDateTime| DateTimeOffset | The date and time the user was deleted. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`). | |department|String|The name for the department in which the user works. Maximum length is 64 characters. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, and `eq` on `null` values).|
v1.0 Users https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/users.md
The following table lists the sensitive actions on user objects. All users can r
| Update user principal name | userPrincipalName | | Delete or restore users | Not applicable |
-### Who can reset passwords?
+### Who can reset passwords
-In the following table, the columns list the roles that can reset passwords. The rows list the roles for which their password can be reset.
+In the following table, the columns list the roles that can reset passwords and invalidate refresh tokens. The rows list the roles for which their password can be reset.
The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, [further restrictions apply](/azure/active-directory/roles/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope).
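Review bot: The changed sentence now says the columns list roles that can "reset passwords and invalidate refresh tokens", but the heading is still "Who can reset passwords" and the next sentence still says only "for which their password can be reset". Either mention refresh token invalidation in the heading and in the rows sentence as well, or explain in one sentence that the two actions share the same role matrix, so the scope of the table is unambiguous.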
User<br/>(no admin role) | :heavy_check_mark: | :heavy_check_mark: | :heavy_chec
User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark: User Admin | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: Usage Summary Reports Reader | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
+All custom roles | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
\* A Global Administrator cannot remove their own Global Administrator assignment. This is to prevent a situation where an organization has 0 Global Administrators. > [!NOTE]
-> The ability to reset a password includes the ability to update the following sensitive attributes required for [self-service password reset](/azure/active-directory/authentication/concept-sspr-howitworks):
+> The ability to reset a password includes the ability to update the following sensitive properties required for [self-service password reset](/azure/active-directory/authentication/concept-sspr-howitworks):
> - businessPhones > - mobilePhone > - otherMails
-### Who can update sensitive attributes?
+### Who can perform sensitive actions
-Some administrators can update the following sensitive attributes for some users. All users can read these sensitive attributes.
+Some administrators can perform the following sensitive actions for some users. All users can read the sensitive properties.
-- accountEnabled-- businessPhones-- mobilePhone-- onPremisesImmutableId-- otherMails-- passwordProfile-- userPrincipalName
+| Sensitive action | Sensitive property name |
+| | |
+| Disable or enable users | `accountEnabled` |
+| Update business phone | `businessPhones` |
+| Update mobile phone | `mobilePhone` |
+| Update on-premises immutable ID | `onPremisesImmutableId` |
+| Update other emails | `otherMails` |
+| Update password profile | `passwordProfile` |
+| Update user principal name | `userPrincipalName` |
+| Delete or restore users | Not applicable |
-In the following table, the columns list the roles that can update the sensitive attributes. The rows list the roles for which their sensitive attributes can be updated.
+In the following table, the columns list the roles that can perform sensitive actions. The rows list the roles for which the sensitive action can be performed upon.
The following table is for roles assigned at the scope of a tenant. For roles assigned at the scope of an administrative unit, [further restrictions apply](/azure/active-directory/roles/admin-units-assign-roles#roles-that-can-be-assigned-with-administrative-unit-scope).
-Role that sensitive attributes can be updated | Auth Admin | User Admin | Privileged Auth Admin | Global Admin
+Role that sensitive action can be performed upon | Auth Admin | User Admin | Privileged Auth Admin | Global Admin
| | | | Auth Admin | :heavy_check_mark: | &nbsp; | :heavy_check_mark: | :heavy_check_mark: Directory Readers | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
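Review bot: The table added under "Who can perform sensitive actions" duplicates the sensitive actions table that the unchanged context above "Who can reset passwords" already shows (it ends with the same "Update user principal name" and "Delete or restore users" rows), and the two copies differ in formatting since only the new one puts property names in backticks. Keep a single table and link to it from the other section. Separately, "The rows list the roles for which the sensitive action can be performed upon" doubles the preposition; "The rows list the roles upon which the sensitive action can be performed" matches the new column header wording.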
User<br/>(no admin role) | :heavy_check_mark: | :heavy_check_mark: | :heavy_chec
User<br/>(no admin role, but member or owner of a role-assignable group) | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark: User Admin | &nbsp; | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: Usage Summary Reports Reader | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:-
+All custom roles | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:
## Common properties
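Review bot: The added "All custom roles" row is checked in every column, here and in the password reset table, with no explanatory text. Add a sentence stating that users who hold only custom roles are treated like non-admin users for these actions, if that is the intent, because a reader scanning the matrix may otherwise assume a custom role with administrative permissions gets the same protection as the built-in admin roles listed in the other rows.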