+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+description: "Use this API to remove a member (user, group, or device) from an administrative unit."

+Use this API to remove a member (user, group, or device) from an administrative unit.

+### Request

+The following is an example of the request. In the example below, `{id1}` represents the identifier for the target administrative unit, and `{id2}` represents the unique identifier for the member user, group, or device to be removed from the target administrative unit.

+```msgraph-interactive

+### Response

+The following is an example of the response.

+### Request

+### Response

+Here is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+description: "Use this API to get a specific member (user, group, or device) in an administrative unit."

+Use this API to get a specific member (user, group, or device) in an administrative unit.

+If successful, this method returns a `200 OK` response code and a [user](../resources/user.md), [group](../resources/group.md), or [device](../resources/device.md) object in the response body.

+### Request

+The following is an example of the request.

+```msgraph-interactive

+### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+GET /directory/administrativeUnits/{id}

+### Request

+GET https://graph.microsoft.com/beta/administrativeUnits/4d7ea995-bc0f-45c0-8c3e-132e93bf95f8

+### Response

+Here is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#administrativeUnits/$entity",

+ "id": "4d7ea995-bc0f-45c0-8c3e-132e93bf95f8",

+ "deletedDateTime": null,

+ "displayName": "Seattle District Technical Schools",

+ "description": "Seattle district technical schools administration",

+ "isMemberManagementRestricted": null,

+ "visibility": "HiddenMembership",

+ "membershipRule": null,

+ "membershipType": null,

+ "membershipRuleProcessingState": null

+description: "Use this API to get the members list (users, groups, and devices) in an administrative unit."

+Use this API to get the members list (users, groups, and devices) in an administrative unit.

+## Optional query parameters

+This method (when used without `$ref`) supports the [OData query parameters](/graph/query-parameters) to help customize the response, including `$search`, `$count`, and `$filter`. OData cast is also enabled, for example, you can cast to get just the users that are a member of the administrative unit.

+`$search` is supported on the **displayName** and **description** properties only. Some queries are supported only when you use the **ConsistencyLevel** header set to `eventual` and `$count`. For more information, see [Advanced query capabilities on Azure AD directory objects](/graph/aad-advanced-queries).

+| Header |Value|

+| ConsistencyLevel | eventual. This header and `$count` are required when using `$search`, or in specific usage of `$filter`. For more information about the use of **ConsistencyLevel** and `$count`, see [Advanced query capabilities on Azure AD directory objects](/graph/aad-advanced-queries). |

+If successful, this method returns a `200 OK` response code and a collection of [user](../resources/user.md), [group](../resources/group.md), or [device](../resources/device.md) objects in the response body. Adding `$ref` at the end of the request returns a collection of only `@odata.id` URLs of the members.

+### Example 1: List member objects

+#### Request

+#### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+### Example 2: List member references

+#### Request

+#### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+description: "Use this API to add a member (user, group, or device) to an administrative unit."

+Use this API to add a member (user, group, or device) to an administrative unit or to create a new group within an administrative unit. All [group types](/graph/api/resources/groups-overview) can be created within an administrative unit.

+**Note:** Currently, it's only possible to add one member at a time to an administrative unit.`

+In the request body, provide the `id` of a [user](../resources/user.md), [group](../resources/group.md), [device](../resources/device.md), or [directoryObject](../resources/directoryobject.md) to be added.

+In the request body, provide the `id` of the [user](../resources/user.md), [group](../resources/group.md), or [device](../resources/device.md) object you want to add.

+PATCH /directory/administrativeUnits/{id}

+|description|String|Description for the administrative unit.|

+|displayName|String|Display name for the administrative unit.|

+Since the **administrativeUnit** resource supports [extensions](/graph/extensibility-overview), you can use the `PATCH` operation to add, update, or delete your own app-specific data in custom properties of an extension in an existing **administrativeUnit** instance.

+### Request

+PATCH https://graph.microsoft.com/beta/administrativeUnits/4d7ea995-bc0f-45c0-8c3e-132e93bf95f8

+ "displayName": "Greater Seattle District Technical Schools"

+### Response

+|guestUserRoleId|GUID| Represents role templateId for the role that should be granted to guest user. Refer to [List unifiedRoleDefinitions](./rbacapplication-list-roledefinitions.md) to find the list of available role templates. Only supported roles today are User (`a0b1b346-4d3e-4e8b-98f8-753987be4970`), Guest User (`10dae51f-b6af-4016-8d66-8c2a99b929b3`), and Restricted Guest User (`2af84b1e-32c8-42b7-82bc-daa82404023b`). |

+|User-Agent|The identifier for the calling application. This value contains information about the operating system and the browser used. Required.|

+User-Agent: "Dsreg/10.0 (Windows 10.0.19043.1466)"

+User-Agent: "Dsreg/10.0 (Windows 10.0.19043.1466)"

+GET /informationProtection/bitlocker/recoveryKeys/{bitlockeryRecoveryKeyId}

+GET /informationProtection/bitlocker/recoveryKeys/{bitlockeryRecoveryKeyId}?$select=key

+|User-Agent|The identifier for the calling application. This value contains information about the operating system and the browser used. Required.|

+User-Agent: "Dsreg/10.0 (Windows 10.0.19043.1466)"

+User-Agent: "Dsreg/10.0 (Windows 10.0.19043.1466)"

+ocp-client-name: "My Friendly Client"

+ocp-client-version: "1.2"

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+ Title: "Get cloudPcSnapshot"

+description: "Read the properties and relationships of a cloudPcSnapshot object."

+ms.localizationpriority: medium

+# Get cloudPcSnapshot

+Namespace: microsoft.graph

+Read the properties and relationships of a [cloudPcSnapshot](../resources/cloudpcsnapshot.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|CloudPC.Read.All, CloudPC.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|CloudPC.Read.All, CloudPC.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /deviceManagement/virtualEndpoint/snapshots/{cloudPcSnapshotId}

+```

+## Optional query parameters

+This method supports the `$select` OData query parameter to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [cloudPcSnapshot](../resources/cloudpcsnapshot.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_cloudpcsnapshot"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/snapshots/A00009UV000_93aff428-61f2-467f-a879-1102af6fd4a8

+```

+### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.cloudPcSnapshot"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": {

+ "@odata.type": "#microsoft.graph.cloudPcSnapshot",

+ "cloudPcId": "662009bc-7732-4f6f-8726-25883518b33e",

+ "createdDateTime": "2021-08-23T09:28:32.8260335Z",

+ "id": "A00009UV000_93aff428-61f2-467f-a879-1102af6fd4a8",

+ "lastRestoredDateTime": "2021-09-01T09:28:32.8260338Z",

+ "status": "ready"

+ }

+}

+```

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [columnDefinition][columnDefinition] object in the response body.

+The following is an example of a request.

+The following is an example of the response.

+ Title: "List memberOf"

+description: "Get groups or administrative units that this device is a direct member of. This operation is not transitive."

+# List memberOf

+Get [groups](../resources/group.md) and [administrative units](../resources/administrativeunit.md) that the device is a direct member of. This operation is not transitive.

+ Title: "List administrativeUnits"

+description: "Retrieve a list of administrativeUnit objects."

+ms.localizationpriority: medium

+# List administrativeUnits

+Namespace: microsoft.graph

+Retrieve a list of [administrativeUnit](../resources/administrativeunit.md) objects.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | AdministrativeUnit.Read.All, Directory.Read.All, AdministrativeUnit.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |

+|Delegated (personal Microsoft account) | Not supported. |

+|Application | AdministrativeUnit.Read.All, Directory.Read.All, AdministrativeUnit.ReadWrite.All, Directory.ReadWrite.All |

+## HTTP request

+<!-- { "blockType": "ignored" } -->

+```http

+GET /administrativeUnits

+GET /directory/administrativeUnits

+```

+## Optional query parameters

+This method supports the `$count`, `$select`, `$search`, `$filter`, and `$expand` [OData query parameters](/graph/query-parameters) to help customize the response.

+## Request headers

+| Name |Description|

+|:-|:-|

+| Authorization | Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and collection of [administrativeUnit](../resources/administrativeunit.md) objects in the response body.

+## Example

+### Request

+Here is an example of the request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "get_administrativeunits"

+}-->

+```msgraph-interactive

+GET https://graph.microsoft.com/beta/administrativeUnits

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+### Response

+Here is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.administrativeUnit",

+ "isCollection": true

+} -->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#administrativeUnits",

+ "value": [

+ {

+ "id": "4d7ea995-bc0f-45c0-8c3e-132e93bf95f8",

+ "deletedDateTime": null,

+ "displayName": "Seattle District Technical Schools",

+ "description": "Seattle district technical schools administration",

+ "isMemberManagementRestricted": null,

+ "visibility": "HiddenMembership",

+ "membershipRule": null,

+ "membershipType": null,

+ "membershipRuleProcessingState": null

+ }

+ ]

+}

+```

+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79

+2015-10-25 14:57:30 UTC -->

+<!--

+{

+ "type": "#page.annotation",

+ "description": "List administrativeUnits",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": "",

+ "suppressions": [

+ ]

+}

+-->

+ Title: "Create administrativeUnit"

+description: "Use this API to create a new administrativeUnit."

+ms.localizationpriority: medium

+# Create administrativeUnit

+Namespace: microsoft.graph

+Use this API to create a new [administrativeUnit](../resources/administrativeunit.md).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | AdministrativeUnit.ReadWrite.All, Directory.AccessAsUser.All |

+|Delegated (personal Microsoft account) | Not supported. |

+|Application | AdministrativeUnit.ReadWrite.All |

+## HTTP request

+<!-- { "blockType": "ignored" } -->

+```http

+POST /administrativeUnits

+POST /directory/administrativeUnits

+```

+## Request headers

+| Name |Description|

+|:-|:-|

+| Authorization | Bearer {token}. Required. |

+| Content-type | application/json. Required. |

+## Request body

+In the request body, supply a JSON representation of an [administrativeUnit](../resources/administrativeunit.md) object.

+Because the **administrativeUnit** resource supports [extensions](/graph/extensibility-overview), you can use the `POST` operation and add custom properties with your own data to the administrative unit while creating it.

+## Response

+If successful, this method returns a `201 Created` response code and an [administrativeUnit](../resources/administrativeunit.md) object in the response body.

+## Example

+### Request

+The following is an example of the request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "create_administrativeunit_from_administrativeunits"

+}-->

+```http

+POST https://graph.microsoft.com/beta/administrativeUnits

+Content-type: application/json

+{

+ "displayName": "Seattle District Technical Schools",

+ "description": "Seattle district technical schools administration",

+ "visibility": "HiddenMembership"

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+In the request body, supply a JSON representation of an [administrativeUnit](../resources/administrativeunit.md) object.

+### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.administrativeUnit"

+} -->

+```http

+HTTP/1.1 201 Created

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#administrativeUnits/$entity",

+ "id": "7a3dc8f3-b3a0-4164-9a99-ed36f3af039f",

+ "deletedDateTime": null,

+ "displayName": "Seattle District Technical Schools",

+ "description": "Seattle district technical schools administration",

+ "visibility": "HiddenMembership"

+}

+```

+## See also

+- [Add custom data to resources using extensions](/graph/extensibility-overview)

+- [Add custom data to users using open extensions (preview)](/graph/extensibility-open-users)

+<!--

+- [Add custom data to groups using schema extensions (preview)](/graph/extensibility-schema-groups)

+-->

+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79

+2015-10-25 14:57:30 UTC -->

+<!--

+{

+ "type": "#page.annotation",

+ "description": "Create administrativeUnit",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": "",

+ "suppressions": [

+ ]

+}

+-->

+|onBehalfOfUserId|GUID| The object ID of the user to impersonate when calling the API. The validation results are for the onBehalfOfUserId's attributes and roles. |

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+GET https://graph.microsoft.com/beta/me/events/AAMkADAGAADDdm4NAAA=/?$select=subject,start,end,occurrenceId,exceptionOccurrences,cancelledOccurrences&$expand=exceptionOccurrences

+|onBehalfOfUserId|GUID| The object ID of the user to impersonate when calling the API. The validation results are for the onBehalfOfUserId's attributes and roles. |

+|groupId|GUID| The id of the group to renew. |

+ "id":"GUID",

+ "id":"GUID",

+ "id":"GUID",

+ "id": "45715bb8-13f9-4bf6-927f-ef96c102d394",

+| servicePlanId | GUID | The plan identifier of the service plan to activate. |

+| skuId | GUID | The SKU identifier of the service plan. |

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [HTTP](#tab/http)

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+>**Note:** Inviting multiple participants in one request is only supported for group calls.

+If successful, this method returns a `200 OK` response code and a Location header with a URI to the [inviteParticipantsOperation](../resources/inviteparticipantsoperation.md) created for this request. The body of the response contains the [inviteParticipantsOperation](../resources/inviteparticipantsoperation.md) created.

+### Example 1: Invite one participant to an existing call

+ "status": "completed",

+ "clientContext": "d45324c1-fcb5-430a-902c-f20af696537c",

+ "resultInfo": null

+> [!NOTE]

+> A service principal can retrieve its own application and service principal details without being granted any application permissions.

+This method supports the [OData query parameters](/graph/query-parameters) to help customize the response.

+>**Note** This request might have replication delays for app role assignments that were recently granted or removed.

+>**Note** This request might have replication delays for app role assignments that were recently granted or removed.

+You can subscribe to changes in Outlook **contact**, **event**, or **message** resources and optionally specify in the POST request payload whether to include encrypted resource data in notifications.

+You can subscribe to changes in Outlook **contact**, **event**, or **message** resources and optionally specify in the POST request payload whether to include encrypted resource data in notifications.

+Some resources support the option to include encrypted resource data in change notifications. These resources include [chatMessage](../resources/chatmessage.md), [contact](../resources/contact.md), [event](../resources/event.md), [message](../resources/message.md), and [presence](../resources/presence.md). For more information, see [Set up change notifications that include resource data](/graph/webhooks-with-resource-data) and [Change notifications for Outlook resources in Microsoft Graph](/graph/outlook-change-notification-overview).

+You can subscribe to changes in Outlook **contact**, **event**, or **message** resources and optionally specify in the POST request payload whether to include encrypted resource data in notifications.

+You can subscribe to changes in Outlook **contact**, **event**, or **message** resources and optionally specify in the POST request payload whether to include encrypted resource data in notifications.

+ "name": "get_group_termstore"

+ "name": "get_group_termstore_sites"

+| servicePlanId | GUID | PlanId of the ServicePlan to activate. |

+| skuId | GUID | SkuId of SKU the service plan is on. |

+|removeLicenses|GUID collection|A collection of skuIds that identify the licenses to remove.|

+## Examples

+### Example 1: Assign licenses to the signed-in user

+#### Request

+ "addLicenses": [

+ {

+ "disabledPlans": [

+ "8a256a2b-b617-496d-b51b-e76466e88db0"

+ ],

+ "skuId": "84a661c4-e949-4bd2-a560-ed7766fcaf2b"

+ },

+ {

+ "disabledPlans": [],

+ "skuId": "f30db892-07e9-47e9-837c-80727f46fd3d"

+ }

+ ],

+ "removeLicenses": []

+#### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.user"

+} -->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "accountEnabled": true,

+ "assignedLicenses": [

+ {

+ "disabledPlans": [

+ "8a256a2b-b617-496d-b51b-e76466e88db0"

+ ],

+ "skuId": "84a661c4-e949-4bd2-a560-ed7766fcaf2b"

+ },

+ {

+ "disabledPlans": [],

+ "skuId": "f30db892-07e9-47e9-837c-80727f46fd3d"

+ }

+ ],

+ "city": "Nairobi",

+ "companyName": "Contoso"

+}

+```

+### Example 2: Remove licenses from the signed-in user

+#### Request

+<!-- {

+ "blockType": "request",

+ "name": "user_assignlicense_removelicenses"

+}-->

+ "addLicenses": [],

+ "removeLicenses": [

+ "f30db892-07e9-47e9-837c-80727f46fd3d",

+ "84a661c4-e949-4bd2-a560-ed7766fcaf2b"

+ ]

+#### Response

+>**Note:** The response object shown here might be shortened for readability.

+ "assignedLicenses": [],

+ "city": "Nairobi",

+ "companyName": "Contoso"

+If successful, this method returns a `200 OK` response code.

+>This API has a [known issue](/graph/known-issues#revoke-sign-in-sessions-returns-wrong-http-code). It returns a different HTTP response code.

+### Request

+ "blockType": "ignored",

+### Response

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Edm.Boolean",

+ "value": true

+}

+ Title: "List snapshots"

+description: "Get a list of cloudPcSnapshot objects and their properties."

+ms.localizationpriority: medium

+# List snapshots

+Namespace: microsoft.graph

+Get a list of [cloudPcSnapshot](../resources/cloudpcsnapshot.md) objects and their properties.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|CloudPC.Read.All, CloudPC.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|CloudPC.Read.All, CloudPC.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /deviceManagement/virtualEndpoint/snapshots

+```

+## Optional query parameters

+This method supports the `$filter` OData query parameter to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [cloudPcSnapshot](../resources/cloudpcsnapshot.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_cloudpcsnapshot"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/snapshots

+```

+### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.cloudPcSnapshot",

+ "isCollection": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.cloudPcSnapshot",

+ "cloudPcId": "662009bc-7732-4f6f-8726-25883518b33e",

+ "createdDateTime": "2021-08-23T09:28:32.8260335Z",

+ "lastRestoredDateTime": "2021-09-01T09:28:32.8260338Z",

+ "id": "A00009UV000_93aff428-61f2-467f-a879-1102af6fd4a8",

+ "status": "ready"

+ }

+ ]

+}

+```

+description: "Delete the tenant-customized x509CertificateAuthenticationMethodConfiguration object and restore the default configuration."

+Delete the tenant-customized [x509CertificateAuthenticationMethodConfiguration](../resources/x509certificateauthenticationmethodconfiguration.md) object and restore the default configuration.

+The following response object shows an x509CertificateAuthenticationMethodConfiguration with its default configuration.

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

+ "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",

+ "id": "X509Certificate",

+ "state": "disabled",

+ "certificateUserBindings": [

+ {

+ "x509CertificateField": "PrincipalName",

+ "userProperty": "onPremisesUserPrincipalName",

+ "priority": 1

+ },

+ {

+ "x509CertificateField": "RFC822Name",

+ "userProperty": "userPrincipalName",

+ "priority": 2

+ }

+ ],

+ "authenticationModeConfiguration": {

+ "x509CertificateAuthenticationDefaultMode": "x509CertificateSingleFactor",

+ "rules": []

+ },

+ "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/authenticationMethodsPolicy/authenticationMethodConfigurations('X509Certificate')/microsoft.graph.x509CertificateAuthenticationMethodConfiguration/includeTargets",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false

+ }

+ ]

+The following is an example of an update request with the following settings:

+ "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",

+ "id": "X509Certificate",

+ "state": "enabled",

+ "certificateUserBindings": [

+ {

+ "x509CertificateField": "PrincipalName",

+ "userProperty": "onPremisesUserPrincipalName",

+ "priority": 1

+ }

+ ],

+ "authenticationModeConfiguration": {

+ "x509CertificateAuthenticationDefaultMode": "x509CertificateMultiFactor",

+ "rules": [

+ {

+ "x509CertificateRuleType": "issuerSubject",

+ "identifier": "CN=ContosoCA,DC=Contoso,DC=org ",

+ "x509CertificateAuthenticationMode": "x509CertificateMultiFactor"

+ },

+ {

+ "x509CertificateRuleType": "policyOID",

+ "identifier": "1.2.3.4",

+ "x509CertificateAuthenticationMode": "x509CertificateMultiFactor"

+ }

+ ]

+ },

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false

+ }

+ ]

+ "blockType": "response"

+ "service": "String",

+ "skuId": "GUID",

+ "servicePlanId": "GUID"

+ "id": "GUID",

+ "type": "String"

+An administrative unit provides a conceptual container for user, group, and device directory objects. Using administrative units, a company administrator can now delegate administrative responsibilities to manage the users, groups, and devices contained within or scoped to an administrative unit to a regional or departmental administrator.

+|[Create](../api/directory-post-administrativeunits.md) | [administrativeUnit](administrativeunit.md) | Create a new administrative unit.|

+|[List](../api/directory-list-administrativeunits.md) | [administrativeUnit](administrativeunit.md) collection |List properties of all administrativeUnits.|

+|[Add a member](../api/administrativeunit-post-members.md) |[directoryObject](directoryobject.md)| Add a member (user, group, or device).|

+|[List members](../api/administrativeunit-list-members.md) |[directoryObject](directoryobject.md) collection| Get the list of (user, group, and device) members.|

+|description|String|An optional description for the administrative unit. Supports `$filter` (`eq`, `ne`, `in`, `startsWith`), `$search`.|

+|displayName|String|Display name for the administrative unit. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values), `$search`, and `$orderBy`.|

+|id|String|Unique identifier for the administrative unit. Read-only. Supports `$filter` (`eq`).|

+|visibility|String|Controls whether the administrative unit and its members are hidden or public. Can be set to `HiddenMembership`. If not set (value is `null`), the default behavior is public. When set to `HiddenMembership`, only members of the administrative unit can list other members of the administrative unit.|

+The following is a JSON representation of the resource.

+ "description": "String",

+ "displayName": "String",

+ "id": "String (identifier)",

+ "visibility": "String"

+|knownClientApplications| GUID collection |Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. If you set the appID of the client app to this value, the user only consents once to the client app. Azure AD knows that consenting to the client means implicitly consenting to the web API and automatically provisions service principals for both APIs at the same time. Both the client and the web API app must be registered in the same tenant.|

+ "knownClientApplications": ["GUID"],

+| tokenEncryptionKeyId |GUID|Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key this property points to. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user.|

+|id|GUID|Unique role identifier inside the **appRoles** collection. When creating a new app role, a new GUID identifier must be provided. |

+ "allowedMemberTypes": ["String"],

+ "description": "String",

+ "displayName": "String",

+ "id": "GUID",

+ "origin": "String",

+ "value": "String"

+| principalId | GUID | The unique identifier (**id**) for the [user](user.md), [group](group.md) or [service principal](serviceprincipal.md) being granted the app role. Required on create. |

+| resourceId | GUID |The unique identifier (**id**) for the resource [service principal](serviceprincipal.md) for which the assignment is made. Required on create. Supports `$filter` (`eq` only). |

+| appRoleId | GUID | The identifier (**id**) for the [app role](approle.md) which is assigned to the principal. This app role must be exposed in the **appRoles** property on the resource application's service principal (**resourceId**). If the resource application has not declared any app roles, a default app role ID of `00000000-0000-0000-0000-000000000000` can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create. |

+ "id": "String",

+ "principalDisplayName": "String",

+ "principalId": "GUID",

+ "principalType": "String",

+ "resourceDisplayName": "String",

+ "resourceId": "GUID",

+ "appRoleId": "GUID"

+| primaryApprovers | [userSet](userset.md) collection| The users who will be asked to approve requests. A collection of [singleUser](singleuser.md), [groupMembers](groupmembers.md), [requestorManager](requestormanager.md), [internalSponsors](internalsponsors.md) and [externalSponsors](externalsponsors.md). When creating or updating a [policy](accesspackageassignmentpolicy.md), include at least one **userSet** in this collection. |

+| escalationApprovers | [userSet](userset.md) collection| If escalation is enabled and the primary approvers do not respond before the escalation time, the escalationApprovers are the users who will be asked to approve requests. This can be a collection of [singleUser](singleuser.md), [groupMembers](groupmembers.md), [requestorManager](requestormanager.md), [internalSponsors](internalsponsors.md) and [externalSponsors](externalsponsors.md). When creating or updating a [policy](accesspackageassignmentpolicy.md), if there are no escalation approvers, or escalation approvers are not required for the stage, the value of this property should be an empty collection.|

+|disabledPlans|GUID collection|A collection of the unique identifiers for plans that have been disabled.|

+|skuId|GUID|The unique identifier for the SKU.|

+ "disabledPlans": ["GUID"],

+ "skuId": "GUID"

+|servicePlanId|GUID|A GUID that identifies the service plan.|

+ "capabilityStatus": "String",

+ "service": "String",

+ "servicePlanId": "GUID"

+|guestUserRoleId|GUID| Represents role templateId for the role that should be granted to guest user. Refer to [List unifiedRoleDefinitions](../api/rbacapplication-list-roledefinitions.md) to find the list of available role templates. Currently following roles are supported: User (`a0b1b346-4d3e-4e8b-98f8-753987be4970`), Guest User (`10dae51f-b6af-4016-8d66-8c2a99b929b3`), and Restricted Guest User (`2af84b1e-32c8-42b7-82bc-daa82404023b`). |

+ "guestUserRoleId": "GUID",

+|ClaimsTransformation|JSON object| Defines common transformations that can be applied to source data, to generate the output data for claims specified in the ClaimsSchema. For more information about ClaimsTransformation and the supported functions, see [Claims transformation](/azure/active-directory/develop/active-directory-claims-mapping#claims-transformation).|

+ Title: "cloudPcSnapshot resource type"

+description: "Represents a Cloud PC snapshot."

+ms.localizationpriority: medium

+# cloudPcSnapshot resource type

+Namespace: microsoft.graph

+Represents a snapshot of the device settings of a Cloud PC that can be used to restore the device system.

+Inherits from [entity](../resources/entity.md).

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[List snapshots](../api/virtualendpoint-list-snapshots.md)|[cloudPcSnapshot](../resources/cloudpcsnapshot.md) collection|Get a list of the [cloudPcSnapshot](../resources/cloudpcsnapshot.md) objects and their properties.|

+|[Get cloudPcSnapshot](../api/cloudpcsnapshot-get.md)|[cloudPcSnapshot](../resources/cloudpcsnapshot.md)|Read the properties and relationships of a [cloudPcSnapshot](../resources/cloudpcsnapshot.md) object.|

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|cloudPcId|String|The unique identifier for the Cloud PC.|

+|createdDateTime|DateTimeOffset|The date and time at which the snapshot was taken. The timestamp is shown in ISO 8601 format and Coordinated Universal Time (UTC). For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|

+|id|String|The unique identifier for the snapshot of the Cloud PC device at a specific point in time. Inherited from [entity](../resources/entity.md).|

+|lastRestoredDateTime|DateTimeOffset|The date and time at which the snapshot was last used to restore the Cloud PC device. The timestamp is shown in ISO 8601 format and Coordinated Universal Time (UTC). For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|

+|status|[cloudPcSnapshotStatus](#cloudpcsnapshotstatus-values)|The status of the Cloud PC snapshot. The possible values are: `ready`, `unknownFutureValue`.|

+### cloudPcSnapshotStatus values

+|Member|Description|

+|:|:|

+|ready|The snapshot is ready to restore the Cloud PC device.|

+|unknownFutureValue|Evolvable enumeration sentinel value. Do not use.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.cloudPcSnapshot",

+ "baseType": "microsoft.graph.entity",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.cloudPcSnapshot",

+ "cloudPcId": "String",

+ "createdDateTime": "String (timestamp)",

+ "id": "String (identifier)",

+ "lastRestoredDateTime": "String (timestamp)",

+ "status": "String"

+}

+```

+|customerId|GUID|The unique identifier for the customer tenant referenced by this partnership. Corresponds to the id property of the customer tenant's organization resource. |

+ "customerId": "GUID",

+| permissionId | GUID | The unique identifier (**id**) for the delegated permission listed in the **publishedPermissionScopes** collection of the [servicePrincipal](servicePrincipal.md). Required on create. Does not support `$filter`. |

+|[List memberOf](../api/device-list-memberof.md) |[directoryObject](directoryobject.md) collection| List the groups and administrative units that the device is a direct member of. |

+|[List transitive memberOf](../api/device-list-transitivememberof.md) |[directoryObject](directoryobject.md) collection| List the groups and administrative units that the device is a member of. This operation is transitive. |

+|memberOf|[directoryObject](directoryobject.md) collection|Groups and administrative units that this device is a member of. Read-only. Nullable. Supports `$expand`. |

+|transitiveMemberOf |[directoryObject](directoryobject.md) collection| Groups and administrative units that this device is a member of. This operation is transitive. Supports `$expand`. |

+ "correlationId": "GUID",

+|externalPartnerTenantId|GUID| The tenant identifier for the partner tenant. Read-only. |

+| Member |

+|:|

+|modification|

+|suggestion|

+ "id": "GUID (identifier)",

+|keyId|GUID|The unique identifier for the key.|

+ "keyId": "GUID",

+|skuId|GUID| Unique identifier (GUID) for the service SKU. Equal to the skuId property on the related [SubscribedSku](subscribedsku.md) object. Read-only |

+ "skuId": "GUID",

+ Title: List resource

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- { "blockType": "resource",

+ "@odata.type": "microsoft.graph.list",

+ "keyProperty": "id",

+ "optionalProperties": [ "items", "drive"] } -->

+```json

+{

+ "activities": [{"@odata.type": "microsoft.graph.itemActivity"}],

+ "columns": [ { "@odata.type": "microsoft.graph.columnDefinition" }],

+ "contentTypes": [ { "@odata.type": "microsoft.graph.contentType" }],

+ "displayName": "title of list",

+ "drive": { "@odata.type": "microsoft.graph.drive" },

+ "items": [ { "@odata.type": "microsoft.graph.listItem" } ],

+ "list": {

+ "@odata.type": "microsoft.graph.listInfo",

+ "hidden": false,

+ "template": "documentLibrary | genericList | survey | links | announcements | contacts ..."

+ },

+ "system": false,

+ "subscriptions": [ {"@odata.type": "microsoft.graph.subscription"} ],

+ /* inherited from baseItem */

+ "id": "string",

+ "name": "name of list",

+ "createdBy": { "@odata.type": "microsoft.graph.identitySet" },

+ "createdDateTime": "timestamp",

+ "description": "description of list",

+ "eTag": "string",

+ "lastModifiedBy": { "@odata.type": "microsoft.graph.identitySet" },

+ "lastModifiedDateTime": "timestamp",

+ "webUrl": "url to visit the list in a browser"

+}

+```

+| keyId | GUID | The unique identifier for the password. |

+ "keyId": "GUID",

+|id|GUID|Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application.|

+ "id": "GUID",

+ "adminConsentDisplayName": "String",

+ "adminConsentDescription": "String",

+ "userConsentDisplayName": "String",

+ "userConsentDescription": "String",

+ "value": "String",

+ "type": "String",

+|id|GUID|The unique identifier of an [app role](approle.md) or [delegated permission](permissionScope.md) exposed by the resource application. For delegated permissions, this should match the **id** property of one of the [delegated permissions](permissionscope.md) in the **oauth2PermissionScopes** collection of the resource application's [service principal](serviceprincipal.md). For app roles (application permissions), this should match the **id** property of an [app role](approle.md) in the **appRoles** collection of the resource application's [service principal](serviceprincipal.md).|

+|type|String|Specifies whether the **id** property references a [delegated permission](permissionscope.md) or an [app role](approle.md) (application permission). The possible values are: `Scope` (for delegated permissions) or `Role` (for app roles).|

+|riskEventType|string|The type of risk event detected. The possible values are `unlikelyTravel`, `anonymizedIPAddress`, `maliciousIPAddress`, `unfamiliarFeatures`, `malwareInfectedIPAddress`, `suspiciousIPAddress`, `leakedCredentials`, `investigationsThreatIntelligence`, `generic`,`adminConfirmedUserCompromised`, `mcasImpossibleTravel`, `mcasSuspiciousInboxManipulationRules`, `investigationsThreatIntelligenceSigninLinked`, `maliciousIPAddressValidCredentialsBlockedIP`, and `unknownFutureValue`. <br/> For more information about each value, see [riskEventType values](#riskeventtype-values).|

+### riskEventType values

+| Member | Description |

+|--|--|

+| unlikelyTravel | Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. |

+| anonymizedIPAddress | Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN. |

+| maliciousIPAddress | Indicates sign-ins from IP addresses known to be malicious. Deprecated and no longer generated for new detections. |

+| unfamiliarFeatures | Indicates sign-ins with characteristics that deviate from past sign-in properties. |

+| malwareInfectedIPAddress | Indicates sign-ins from IP addresses infected with malware |

+| suspiciousIPAddress | Identifies logins from IP addresses that are known to be malicious at the time of the sign in. |

+| leakedCredentials | Indicates that the user's valid credentials have been leaked. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they are checked against Azure AD users' current valid credentials to find valid matches. |

+| investigationsThreatIntelligence | Indicates a sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources. |

+| generic | Indicates that the user was not enabled for Identity Protection. |

+| adminConfirmedUserCompromised | Indicates that an administrator has [confirmed the user is compromised](../api/riskyusers-confirmcompromised.md). |

+| mcasImpossibleTravel | Discovered by Microsoft Defender for Cloud Apps (MDCA). Identifies two user activities (a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials. |

+| mcasSuspiciousInboxManipulationRules | Discovered by Microsoft Defender for Cloud Apps (MDCA). Identifies suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.|

+| investigationsThreatIntelligenceSigninLinked | Identifies activity that is unusual with known attack patterns based on threat intelligence |

+| maliciousIPAddressValidCredentialsBlockedIP | Indicates that sign-in was made with valid credentials from a malicious IP address. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+The Microsoft Search API provides a [query](../api/search-query.md) method to search across your data in Microsoft Search, where you pass a [searchRequest](searchrequest.md) in the request body, defining the specifics of your search.

+This section lists the common use cases of the **query** method, based on the properties and parameters you set in the **query** [searchRequest](searchrequest.md) body.

+Spelling correction is a popular way to handle mismatches between typos in a user query and the correct words in matched contents. When typos are detected in the original user query, you can get the search result either for the original user query or the corrected alternate query. You can also get the spelling correction information for typos in the **queryAlterationResponse** property of the [searchResponse](searchresponse.md).

+To get the result template in the [searchResponse](searchresponse.md), you have to set **true** the **enableResultTemplate** property, defined in the [resultTemplateOptions](./resulttemplateoption.md), in the [searchRequest](./searchrequest.md). The response includes a **resultTemplateId** for every [search hit](./searchhit.md), which maps to one of the display layouts included in the **resultTemplates** dictionary that is included in the response.

+|enableSuggestion|Boolean|Indicates whether spelling suggestions are enabled. If enabled, the user will get the search results for the original search query and suggestions for spelling correction in the **queryAlterationResponse** property of the [response](/graph/api/resources/searchresponse?view=graph-rest-beta&preserve-view=true) for the typos in the query. Optional.|

+ "enableModification": "Boolean",

+ "enableSuggestion": "Boolean"

+|keyId|GUID|The unique identifier (GUID) for the key.|

+ "keyId": "GUID",

+|servicePlanId|GUID|The unique identifier of the service plan.|

+ "appliesTo": "String",

+ "provisioningStatus": "String",

+ "servicePlanId": "GUID",

+ "servicePlanName": "String"

+ "alternativeNames": "String",

+ "appDisplayName": "String",

+ "appId": "String",

+ "appOwnerOrganizationId": "GUID",

+ "applicationTemplateId": "String",

+ "disabledByMicrosoftStatus": "String",

+ "displayName": "String",

+ "errorUrl": "String",

+ "homepage": "String",

+ "id": "String (identifier)",

+ "loginUrl": "String",

+ "logoutUrl": "String",

+ "notificationEmailAddresses": ["String"],

+ "preferredSingleSignOnMode": "String",

+ "preferredTokenSigningKeyThumbprint": "String",

+ "replyUrls": ["String"],

+ "samlMetadataUrl": "String",

+ "servicePrincipalNames": ["String"],

+ "servicePrincipalType": "String",

+ "tags": ["String"],

+|skuId|GUID| The unique identifier (GUID) for the service SKU. |

+ "appliesTo": "String",

+ "capabilityStatus": "String",

+ "id": "String (identifier)",

+ "skuId": "GUID",

+ "skuPartNumber": "String"

+Represents a container for APIs to manage Cloud PCs.

+Use the Cloud PC API to provision and manage virtual desktops for employees in an organization, or along with the [Intune API](../resources/intune-graph-overview.md) to manage physical and virtual endpoints.

+|[List snapshots](../api/virtualendpoint-list-snapshots.md)|[cloudPcSnapshot](../resources/cloudpcsnapshot.md) collection|Get a list of [cloudPcSnapshot](../resources/cloudpcsnapshot.md) objects and their properties.|

+|id|String|The unique identifier for the virtual endpoint. Read-only.|

+|auditEvents|[cloudPcAuditEvent](../resources/cloudpcauditevent.md) collection|Cloud PC audit event.|

+|organizationSettings|[cloudPcOrganizationSettings](../resources/cloudpcorganizationsettings.md) |The Cloud PC organization settings for a tenant. |

+|snapshots|[cloudPcSnapshot](../resources/cloudpcsnapshot.md) collection|Cloud PC snapshots.|

+|supportedRegions|[cloudPcSupportedRegion](../resources/cloudpcsupportedregion.md) collection|Cloud PC supported regions.|

+|userSettings|[cloudPcUserSetting](../resources/cloudpcusersetting.md) collection|Cloud PC user settings. |

+| Outlook [event][] | Changes to all events in a user's mailbox:<br>`/users/{id}/events` | Yes |

+| Outlook [message][] | Changes to all messages in a user's mailbox: <br>`/users/{id}/messages`<br>Changes to messages in a user's Inbox:<br>`/users/{id}/mailFolders('inbox')/messages` | Yes |

+| Outlook personal [contact][] | Changes to all personal contacts in a user's mailbox:<br>`/users/{id}/contacts` | Yes |

+|[Delete x509CertificateAuthenticationMethodConfiguration](../api/x509certificateauthenticationmethodconfiguration-delete.md)|None| Delete the tenant-customized x509CertificateAuthenticationMethodConfiguration object and restore the default configuration.|

+ "completedDateTime": "2019-10-26T22:55:11.623Z",

+### Request

+GET https://graph.microsoft.com/v1.0/directory/administrativeUnits/4d7ea995-bc0f-45c0-8c3e-132e93bf95f8

+### Response

+Here is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directory/administrativeUnits/$entity",

+ "id": "4d7ea995-bc0f-45c0-8c3e-132e93bf95f8",

+ "deletedDateTime": null,

+ "displayName": "Seattle District Technical Schools",

+ "description": "Seattle district technical schools administration",

+ "membershipRule": null,

+ "membershipType": null,

+ "membershipRuleProcessingState": null,

+ "visibility": "HiddenMembership"

+# Update administrativeUnit

+Since the **administrativeUnit** resource supports [extensions](/graph/extensibility-overview), you can use the `PATCH` operation to add, update, or delete your own app-specific data in custom properties of an extension in an existing **administrativeUnit** instance.

+### Request

+PATCH https://graph.microsoft.com/v1.0/directory/administrativeUnits/4d7ea995-bc0f-45c0-8c3e-132e93bf95f8

+ "displayName": "Greater Seattle District Technical Schools"

+### Response

+|User-Agent|The identifier for the calling application. This value contains information about the operating system and the browser used. Required.|

+User-Agent: "Dsreg/10.0 (Windows 10.0.19043.1466)"

+User-Agent: "Dsreg/10.0 (Windows 10.0.19043.1466)"

+|User-Agent|The identifier for the calling application. This value contains information about the operating system and the browser used. Required.|

+User-Agent: "Dsreg/10.0 (Windows 10.0.19043.1466)"

+User-Agent: "Dsreg/10.0 (Windows 10.0.19043.1466)"

+ocp-client-name: "My Friendly Client"

+ocp-client-version: "1.2"

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [columnDefinition][columnDefinition] object in the response body.

+The following is an example of a request.

+The following is an example of the response.

+ Title: "List administrativeUnits"

+description: "Retrieve a list of administrativeUnit objects."

+ms.localizationpriority: medium

+# List administrativeUnits

+Namespace: microsoft.graph

+Retrieve a list of [administrativeUnit](../resources/administrativeunit.md) objects.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | AdministrativeUnit.Read.All, Directory.Read.All, AdministrativeUnit.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All |

+|Delegated (personal Microsoft account) | Not supported. |

+|Application | AdministrativeUnit.Read.All, Directory.Read.All, AdministrativeUnit.ReadWrite.All, Directory.ReadWrite.All |

+## HTTP request

+<!-- { "blockType": "ignored" } -->

+```http

+GET /directory/administrativeUnits

+```

+## Optional query parameters

+This method supports the `$count`, `$select`, `$search`, `$filter` (`eq`), and `$expand` [OData query parameters](/graph/query-parameters) to help customize the response.

+## Request headers

+| Name |Description|

+|:-|:-|

+| Authorization | Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and collection of [administrativeUnit](../resources/administrativeunit.md) objects in the response body.

+## Example

+### Request

+Here is an example of the request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "get_administrativeunits"

+}-->

+```msgraph-interactive

+GET https://graph.microsoft.com/v1.0/directory/administrativeUnits

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+### Response

+Here is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.administrativeUnit",

+ "isCollection": true

+} -->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directory/administrativeUnits",

+ "value": [

+ {

+ "id": "4d7ea995-bc0f-45c0-8c3e-132e93bf95f8",

+ "deletedDateTime": null,

+ "displayName": "Seattle District Technical Schools",

+ "description": "Seattle district technical schools administration",

+ "membershipRule": null,

+ "membershipType": null,

+ "membershipRuleProcessingState": null,

+ "visibility": "HiddenMembership"

+ }

+ ]

+}

+```

+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79

+2015-10-25 14:57:30 UTC -->

+<!--

+{

+ "type": "#page.annotation",

+ "description": "List administrativeUnits",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": "",

+ "suppressions": [

+ ]

+}

+-->

+ Title: "Create administrativeUnit"

+description: "Use this API to create a new administrativeUnit."

+ms.localizationpriority: medium

+# Create administrativeUnit

+Namespace: microsoft.graph

+Use this API to create a new [administrativeUnit](../resources/administrativeunit.md).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | AdministrativeUnit.ReadWrite.All, Directory.AccessAsUser.All |

+|Delegated (personal Microsoft account) | Not supported. |

+|Application | AdministrativeUnit.ReadWrite.All |

+## HTTP request

+<!-- { "blockType": "ignored" } -->

+```http

+POST /directory/administrativeUnits

+```

+## Request headers

+| Name |Description|

+|:-|:-|

+| Authorization | Bearer {token}. Required. |

+| Content-type | application/json. Required. |

+## Request body

+In the request body, supply a JSON representation of an [administrativeUnit](../resources/administrativeunit.md) object.

+Because the **administrativeUnit** resource supports [extensions](/graph/extensibility-overview), you can use the `POST` operation and add custom properties with your own data to the administrative unit while creating it.

+## Response

+If successful, this method returns a `201 Created` response code and an [administrativeUnit](../resources/administrativeunit.md) object in the response body.

+## Example

+### Request

+The following is an example of the request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "create_administrativeunit_from_administrativeunits"

+}-->

+```http

+POST https://graph.microsoft.com/v1.0/directory/administrativeUnits

+Content-type: application/json

+{

+ "displayName": "Seattle District Technical Schools",

+ "description": "Seattle district technical schools administration",

+ "visibility": "HiddenMembership"

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Objective-C](#tab/objc)

+# [Java](#tab/java)

+# [Go](#tab/go)

+# [PowerShell](#tab/powershell)

+In the request body, supply a JSON representation of an [administrativeUnit](../resources/administrativeunit.md) object.

+### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.administrativeUnit"

+} -->

+```http

+HTTP/1.1 201 Created

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#administrativeUnits/$entity",

+ "id": "7a3dc8f3-b3a0-4164-9a99-ed36f3af039f",

+ "deletedDateTime": null,

+ "displayName": "Seattle District Technical Schools",

+ "description": "Seattle district technical schools administration",

+ "visibility": "HiddenMembership"

+}

+```

+## See also

+- [Add custom data to resources using extensions](/graph/extensibility-overview)

+- [Add custom data to users using open extensions (preview)](/graph/extensibility-open-users)

+<!--

+- [Add custom data to groups using schema extensions (preview)](/graph/extensibility-schema-groups)

+-->

+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79

+2015-10-25 14:57:30 UTC -->

+<!--

+{

+ "type": "#page.annotation",

+ "description": "Create administrativeUnit",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": "",

+ "suppressions": [

+ ]

+}

+-->

+ "completedDateTime": "2019-10-26T22:55:11.623Z",

+>**Note:** This request might have replication delays for groups that were recently created, updated, or deleted.

+>**Note:** This request might have replication delays for groups that were recently created, updated, or deleted.

+|onBehalfOfUserId|GUID| The ID of the user to impersonate when calling the API. The validation results are for the **onBehalfOfUserId's** attributes and roles. |

+ "id":"45715bb8-13f9-4bf6-927f-ef96c102d394",

+ "id":"45715bb8-13f9-4bf6-927f-ef96c102d394",

+ "id": "45715bb8-13f9-4bf6-927f-ef96c102d394",

+>**Note:** Inviting multiple participants in one request is only supported for group calls.

+If successful, this method returns a `200 OK` response code and a location header with a URI to the [inviteParticipantsOperation](../resources/inviteparticipantsoperation.md) created for this request.

+### Example 1: Invite one participant to an existing call

+ "status": "completed",

+ "clientContext": "d45324c1-fcb5-430a-902c-f20af696537c",

+ "resultInfo": null

+description: "Retrieve the properties and relationships of servicePrincipal object."

+> [!NOTE]

+> A service principal can retrieve its own application and service principal details without being granted any application permissions.

+This method supports the [OData query parameters](/graph/query-parameters) to help customize the response.

+>**Note** This request might have replication delays for app role assignments that were recently granted or removed.

+>**Note** This request might have replication delays for app role assignments that were recently granted or removed.

+You can subscribe to changes in Outlook **contact**, **event**, or **message** resources.

+You can subscribe to changes in Outlook **contact**, **event**, or **message** resources.

+See the table in the [Permissions](#permissions) section for the list of resources that support subscribing to change notifications.

+Some resources support the option to include encrypted resource data in change notifications. These resources include [chatMessage](../resources/chatmessage.md), [contact](../resources/contact.md), [event](../resources/event.md), [message](../resources/message.md), and [presence](../resources/presence.md). For more information, see [Set up change notifications that include resource data](/graph/webhooks-with-resource-data) and [Change notifications for Outlook resources in Microsoft Graph](/graph/outlook-change-notification-overview).

+You can subscribe to changes in Outlook **contact**, **event**, or **message** resources.

+You can subscribe to changes in Outlook **contact**, **event**, or **message** resources.

+ "name": "get_group_termstore"

+|removeLicenses|GUID collection|A collection of GUIDs that identify the licenses to remove.|

+ "skuId": "45715bb8-13f9-4bf6-927f-ef96c102d394"

+> **Note:** Getting a user returns a default set of properties only (*businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName*). Use `$select` to get the other properties and relationships for the [user](../resources/user.md) object.

+>

+> This request might have replication delays for users that were recently created, updated, or deleted.

+>**Note:** This request might have replication delays for users that were recently created, updated, or deleted.

+If successful, this method returns a `200 OK` response code.

+>This API has a [known issue](/graph/known-issues#revoke-sign-in-sessions-returns-wrong-http-code). It returns a different HTTP response code.

+### Request

+ "blockType": "ignored",

+### Response

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Edm.Boolean",

+ "value": true

+}

+|completedDateTime|DateTimeOffset|The date of the end of processing, either successful or failure, of a request. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.|

+ "completedDateTime": "String (timestamp)",

+ "id": "GUID",

+ "type": "String"

+|[Create](../api/directory-post-administrativeunits.md) | [administrativeUnit](administrativeunit.md) | Create a new administrative unit.|

+|[List](../api/directory-list-administrativeunits.md) | [administrativeUnit](administrativeunit.md) collection |List properties of all administrativeUnits.|

+|description|String|An optional description for the administrative unit. Supports `$filter` (`eq`, `ne`, `in`, `startsWith`), `$search`.|

+|displayName|String|Display name for the administrative unit. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values), `$search`, and `$orderBy`.|

+|id|String|Unique identifier for the administrative unit. Read-only. Supports `$filter` (`eq`).|

+|visibility|String|Controls whether the administrative unit and its members are hidden or public. Can be set to `HiddenMembership`. If not set (value is `null`), the default behavior is public. When set to `HiddenMembership`, only members of the administrative unit can list other members of the administrative unit.|

+ Title: "alterationResponse resource type"

+description: "Provides information related to spelling corrections in the alteration response."

+ms.localizationpriority: medium

+# alterationResponse resource type

+Namespace: microsoft.graph

+Provides information related to spelling corrections in the alteration response.

+## Properties

+| Property | Type | Description |

+|:-|:|:|

+|originalQueryString|String| Defines the original user query string.|

+|queryAlteration|[searchAlteration](searchalteration.md)| Defines the details of the alteration information for the spelling correction.|

+|queryAlterationType|searchAlterationType| Defines the type of the spelling correction. Possible values are: `suggestion`, `modification`.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "optionalProperties": [

+ ],

+ "@odata.type": "microsoft.graph.alterationResponse",

+ "baseType": null

+}-->

+```json

+{

+ "originalQueryString": "String",

+ "queryAlteration": "String",

+ "queryAlterationType": "String"

+}

+```

+ Title: "alteredQueryToken resource type"

+description: "Represents changed segments related to an original user query."

+ms.localizationpriority: medium

+# alteredQueryToken resource type

+Namespace: microsoft.graph

+Represents changed segments related to an original user query.

+## Properties

+| Property | Type | Description |

+|:-|:|:|

+|length|Int32| Defines the length of a changed segment.|

+|offset|Int32| Defines the offset of a changed segment.|

+|suggestion|String| Represents the corrected segment string.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "optionalProperties": [

+ ],

+ "@odata.type": "microsoft.graph.alteredQueryToken",

+ "baseType": null

+}-->

+```json

+{

+ "length": "Int32",

+ "offset": "Int32",

+ "suggestion": "String"

+}

+```

+|knownClientApplications| GUID collection |Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. If you set the appID of the client app to this value, the user only consents once to the client app. Azure AD knows that consenting to the client means implicitly consenting to the web API and automatically provisions service principals for both APIs at the same time. Both the client and the web API app must be registered in the same tenant.|

+ "knownClientApplications": ["GUID"],

+|id|GUID|Unique role identifier inside the **appRoles** collection. When creating a new app role, a new GUID identifier must be provided. |

+ "allowedMemberTypes": ["String"],

+ "description": "String",

+ "displayName": "String",

+ "id": "GUID",

+ "origin": "String",

+ "value": "String"

+| principalId | GUID | The unique identifier (**id**) for the [user](user.md), [group](group.md) or [service principal](serviceprincipal.md) being granted the app role. Required on create. |

+| resourceId | GUID |The unique identifier (**id**) for the resource [service principal](serviceprincipal.md) for which the assignment is made. Required on create. Supports `$filter` (`eq` only). |

+| appRoleId | GUID | The identifier (**id**) for the [app role](approle.md) which is assigned to the principal. This app role must be exposed in the **appRoles** property on the resource application's service principal (**resourceId**). If the resource application has not declared any app roles, a default app role ID of `00000000-0000-0000-0000-000000000000` can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create. |

+ "id": "String",

+ "principalDisplayName": "String",

+ "principalId": "GUID",

+ "principalType": "String",

+ "resourceDisplayName": "String",

+ "resourceId": "GUID",

+ "appRoleId": "GUID"

+|disabledPlans|GUID collection|A collection of the unique identifiers for plans that have been disabled.|

+|skuId|GUID|The unique identifier for the SKU.|

+ "disabledPlans": ["GUID"],

+ "skuId": "GUID"

+|servicePlanId|GUID|A GUID that identifies the service plan.|

+ "capabilityStatus": "String",

+ "service": "String",

+ "servicePlanId": "GUID"

+|guestUserRoleId|GUID| Represents role templateId for the role that should be granted to guest user. Currently following roles are supported: User (`a0b1b346-4d3e-4e8b-98f8-753987be4970`), Guest User (`10dae51f-b6af-4016-8d66-8c2a99b929b3`), and Restricted Guest User (`2af84b1e-32c8-42b7-82bc-daa82404023b`). |

+ "guestUserRoleId": "GUID"

+The number of claims and transformations that can be added to a claims-mapping policy are limited to reduce token size. Any claims schema entries or transformations that are encountered after the limit has been reached are ignored and included in the issued token. For more information about the limits, see [Properties of a claims-mapping policy definition](#properties-of-a-claims-mapping-policy-definition)

+|ClaimsTransformation|JSON object| Defines common transformations that can be applied to source data, to generate the output data for claims specified in the ClaimsSchema. For more information about ClaimsTransformation and the supported functions, see [Claims transformation](/azure/active-directory/develop/active-directory-claims-mapping#claims-transformation).|

+|customerId|GUID|The unique identifier for the customer tenant referenced by this partnership. Corresponds to the id property of the customer tenant's organization resource. |

+ "customerId": "GUID",

+| permissionId | String | The unique identifier (**id**) for the delegated permission listed in the **oauth2PermissionScopes** collection of the [servicePrincipal](servicePrincipal.md). Required on create. Does not support `$filter`. |

+ "id": "String (identifier)",

+ "permissionId": "String",

+ "permissionName": "String"

+ "correlationId": "GUID",

+ "result": "String",

+|externalPartnerTenantId|GUID| The tenant identifier for the partner tenant. Read-only. |

+ "description": "String ",

+ "displayName": "String",

+ "externalPartnerTenantId": "String (identifier)",

+ "id": "String (identifier)",

+ "objectType": "String"

+### searchAlterationType values

+| Member |

+|:|

+|modification|

+|suggestion|

+ "id": "String (identifier)",

+|keyId|GUID|The unique identifier (GUID) for the key.|

+ "keyId": "GUID",

+|skuId|GUID| Unique identifier (GUID) for the service SKU. Equal to the skuId property on the related [SubscribedSku](subscribedsku.md) object. Read-only |

+ "skuId": "GUID",

+ Title: List resource

+## JSON representation

+The following is a JSON representation of the resource.

+<!--{

+ "blockType": "resource",

+ "optionalProperties": [

+ "items",

+ "drive"

+ ],

+ "keyProperty": "id",

+ "baseType": "microsoft.graph.baseItem",

+ "@odata.type": "microsoft.graph.list"

+}-->

+```json

+{

+ "columns": [ { "@odata.type": "microsoft.graph.columnDefinition" }],

+ "contentTypes": [ { "@odata.type": "microsoft.graph.contentType" }],

+ "displayName": "title of list",

+ "drive": { "@odata.type": "microsoft.graph.drive" },

+ "items": [ { "@odata.type": "microsoft.graph.listItem" } ],

+ "list": {

+ "@odata.type": "microsoft.graph.listInfo",

+ "hidden": false,

+ "template": "documentLibrary | genericList | survey | links | announcements | contacts | accessRequest ..."

+ },

+ "system": false,

+ "subscriptions": [ {"@odata.type": "microsoft.graph.subscription"} ],

+ /* inherited from baseItem */

+ "id": "string",

+ "name": "name of list",

+ "createdBy": { "@odata.type": "microsoft.graph.identitySet" },

+ "createdDateTime": "timestamp",

+ "description": "description of list",

+ "eTag": "string",

+ "lastModifiedBy": { "@odata.type": "microsoft.graph.identitySet" },

+ "lastModifiedDateTime": "timestamp",

+ "parentReference": { "@odata.type": "microsoft.graph.itemReference" },

+ "sharepointIds": { "@odata.type": "microsoft.graph.sharepointIds" },

+ "webUrl": "url to visit the list in a browser"

+}

+```

+| keyId | GUID | The unique identifier for the password. |

+ "keyId": "GUID",

+|id|GUID|Unique delegated permission identifier inside the collection of delegated permissions defined for a resource application.|

+ "id": "GUID",

+ "adminConsentDisplayName": "String",

+ "adminConsentDescription": "String",

+ "userConsentDisplayName": "String",

+ "userConsentDescription": "String",

+ "value": "String",

+ "type": "String",

+|id|GUID|The unique identifier of an [app role](approle.md) or [delegated permission](permissionScope.md) exposed by the resource application. For delegated permissions, this should match the **id** property of one of the [delegated permissions](permissionscope.md) in the **oauth2PermissionScopes** collection of the resource application's [service principal](serviceprincipal.md). For app roles (application permissions), this should match the **id** property of an [app role](approle.md) in the **appRoles** collection of the resource application's [service principal](serviceprincipal.md).|

+ Title: "resultTemplate resource type"

+description: "Represents a dictionary of resultTemplateIds and associated values, which include the name and JSON schema of the result templates."

+ms.localizationpriority: medium

+# resultTemplate resource type

+Namespace: microsoft.graph

+Represents a dictionary of **resultTemplateIds** and associated values, which includes the name and JSON schema of the result templates.

+## Properties

+| Property | Type | Description |

+|:-|:|:|

+|body|Json|JSON schema of the result template.|

+|displayName|String|Name of the result template.|

+|key|String|ID of a result template. The **key** property must map to a **resultTemplateId** in the [searchHit](searchhit.md) collection.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "optionalProperties": [

+ ],

+ "@odata.type": "microsoft.graph.resultTemplate",

+ "baseType": null

+}-->

+```json

+{

+ "resultTemplateId": {

+ "displayName": "String",

+ "body":{

+ "@odata.type":"microsoft.graph.Json"

+ }

+ }

+}

+```

+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98

+2019-02-04 14:57:30 UTC -->

+<!-- {

+ "type": "#page.annotation",

+ "description": "resultTemplate resource",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": ""

+}-->

+ Title: "resultTemplateOption resource type"

+description: "Provides the search result template options to render search results from connectors."

+ms.localizationpriority: medium

+# resultTemplateOption resource type

+Namespace: microsoft.graph

+Provides the search result template options to render search results from connectors.

+## Properties

+| Property | Type | Description |

+|:-|:|:|

+|enableResultTemplate|Boolean|Indicates whether search display layouts are enabled. If enabled, the user will get the result template to render the search results content in the **resultTemplates** property of the [response](/graph/api/resources/searchresponse). The result template is based on [Adaptive Cards](https://adaptivecards.io/). Optional. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "optionalProperties": [

+ ],

+ "@odata.type": "microsoft.graph.resultTemplateOption",

+ "baseType": null

+}-->

+```json

+ {

+ "enableResultTemplate": "Boolean"

+ }

+```

+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98

+2019-02-04 14:57:30 UTC -->

+<!-- {

+ "type": "#page.annotation",

+ "description": "resultTemplateOption resource",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": ""

+}-->

+|riskEventType|String|The type of risk event detected. The possible values are `unlikelyTravel`, `anonymizedIPAddress`, `maliciousIPAddress`, `unfamiliarFeatures`, `malwareInfectedIPAddress`, `suspiciousIPAddress`, `leakedCredentials`, `investigationsThreatIntelligence`, `generic`,`adminConfirmedUserCompromised`, `mcasImpossibleTravel`, `mcasSuspiciousInboxManipulationRules`, `investigationsThreatIntelligenceSigninLinked`, `maliciousIPAddressValidCredentialsBlockedIP`, and `unknownFutureValue`. If the risk detection is a premium detection, will show `generic`. <br/>For more information about each value, see [riskEventType values](#riskeventtype-values).|

+### riskEventType values

+| Member | Description |

+|--|--|

+| unlikelyTravel | Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. |

+| anonymizedIPAddress | Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN. |

+| maliciousIPAddress | Indicates sign-ins from IP addresses known to be malicious. Deprecated and no longer generated for new detections. |

+| unfamiliarFeatures | Indicates sign-ins with characteristics that deviate from past sign-in properties. |

+| malwareInfectedIPAddress | Indicates sign-ins from IP addresses infected with malware |

+| suspiciousIPAddress | Identifies logins from IP addresses that are known to be malicious at the time of the sign in. |

+| leakedCredentials | Indicates that the user's valid credentials have been leaked. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they are checked against Azure AD users' current valid credentials to find valid matches. |

+| investigationsThreatIntelligence | Indicates a sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources. |

+| generic | Indicates that the user was not enabled for Identity Protection. |

+| adminConfirmedUserCompromised | Indicates that an administrator has [confirmed the user is compromised](../api/riskyuser-confirmcompromised.md). |

+| mcasImpossibleTravel | Discovered by Microsoft Defender for Cloud Apps (MDCA). Identifies two user activities (a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it would have taken the user to travel from the first location to the second, indicating that a different user is using the same credentials. |

+| mcasSuspiciousInboxManipulationRules | Discovered by Microsoft Defender for Cloud Apps (MDCA). Identifies suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.|

+| investigationsThreatIntelligenceSigninLinked | Identifies activity that is unusual with known attack patterns based on threat intelligence |

+| maliciousIPAddressValidCredentialsBlockedIP | Indicates that sign-in was made with valid credentials from a malicious IP address. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+|[Request spelling correction](#request-spelling-correction)| **queryAlterationOptions** |

+|[Search display layout](#search-display-layout) (preview)| **resultTemplateOptions**|

+For examples that show how to use aggregation to enhance and narrow down search results, see [Refine search results](/graph/search-concept-aggregation).

+## Request spelling correction

+Spelling correction is a popular way to handle mismatches between typos in a user query and the correct words in matched contents. When typos are detected in the original user query, you can get the search result either for the original user query or the corrected alternate query. You can also get the spelling correction information for typos in the **queryAlterationResponse** property of the [searchResponse](searchresponse.md).

+In the request body of the [query](/graph/api/search-query) method, specify the **queryAlterationOptions** that should be applied to the query for the spelling corrections. The description of **queryAlterationOptions** is defined in the [searchRequest](./searchrequest.md).

+For examples that show how to use spelling corrections, see [Request spelling correction](/graph/search-concept-speller).

+## Search display layout

+The search API allows you to render search results from [connectors](/microsoftsearch/connectors-overview) by using the display layout or the result template configured by the IT admin for each connector. The result templates are [Adaptive Cards](https://adaptivecards.io/), which are a semantically meaningful combination of layout and data.

+To get the result template in the [searchResponse](searchresponse.md) you have to set the **enableResultTemplate** property to **true**, which is defined in the [resultTemplateOptions](./resulttemplateoption.md) in the [searchRequest](./searchrequest.md). The response includes a **resultTemplateId** for every [searchHit](./searchhit.md), which maps to one of the display layouts included in the **resultTemplates** dictionary that is part of the response.

+For examples that show how to render search results, see [Use search display layout](/graph/search-concept-display-layout).

+ - [Request spelling correction](/graph/search-concept-speller)

+ - [Use search display layout](/graph/search-concept-display-layout)

+ Title: "searchAlteration resource type"

+description: "Provides the details about the search alteration for spelling correction."

+ms.localizationpriority: medium

+# searchAlteration resource type

+Namespace: microsoft.graph

+Provides the details about the search alteration for spelling correction.

+## Properties

+| Property | Type | Description |

+|:-|:|:|

+|alteredHighlightedQueryString|String| Defines the altered highlighted query string with spelling correction. The annotation around the corrected segment is: `\ue000, \ue001`.|

+|alteredQueryString|String| Defines the altered query string with spelling correction.|

+|alteredQueryTokens|[alteredQueryToken](alteredquerytoken.md) collection| Represents changed segments related to an original user query.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "optionalProperties": [

+ ],

+ "@odata.type": "microsoft.graph.searchAlteration",

+ "baseType": null

+}-->

+```json

+{

+ "alteredHighlightedQueryString": "String",

+ "alteredQueryString": "String",

+ "alteredQueryTokens": [{"@odata.type": "microsoft.graph.alteredQueryToken"}]

+}

+```

+ Title: "searchAlterationOptions resource type"

+description: "Provides the search alteration options for spelling correction."

+ms.localizationpriority: medium

+# searchAlterationOptions resource type

+Namespace: microsoft.graph

+Provides the search alteration options for spelling correction.

+## Properties

+| Property | Type | Description |

+|:-|:|:|

+|enableModification|Boolean|Indicates whether spelling modifications are enabled. If enabled, the user will get the search results for the corrected query *in case of no results* for the original query with typos. The [response](/graph/api/resources/searchresponse) will also include the spelling modification information in the **queryAlterationResponse** property. Optional.|

+|enableSuggestion|Boolean|Indicates whether spelling suggestions are enabled. If enabled, the user will get the search results for the original search query and suggestions for spelling correction in the **queryAlterationResponse** property of the [response](/graph/api/resources/searchresponse) for the typos in the query. Optional.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "optionalProperties": [

+ ],

+ "@odata.type": "microsoft.graph.searchAlterationOptions",

+ "baseType": null

+}-->

+```json

+{

+ "enableModification": "Boolean",

+ "enableSuggestion": "Boolean"

+}

+```

+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98

+2019-02-04 14:57:30 UTC -->

+<!-- {

+ "type": "#page.annotation",

+ "description": "searchAlterationOptions resource",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": ""

+}-->

+|contentSource|String|The name of the content source which the **externalItem** is part of .|

+|resultTemplateId|String|ID of the result template used to render the search result. This ID must map to a display layout in the **resultTemplates** dictionary that is also included in the [searchResponse](searchresponse.md).|

+|summary|String|A summary of the result, if a summary is available.|

+ "hitId": "String",

+ "rank": "Int32",

+ "resultTemplateId": "String",

+ "resource": { "@odata.type": "microsoft.graph.entity" },

+ "summary": "String"

+| Property | Type | Description|

+|:-|:|:|

+|aggregations|[aggregationOption](aggregationOption.md) collection|Specifies aggregations (also known as refiners) to be returned alongside search results. Optional.|

+|fields|String collection |Contains the fields to be returned for each resource object specified in **entityTypes**, allowing customization of the fields returned by default; otherwise, including additional fields such as custom managed properties from SharePoint and OneDrive, or custom fields in **externalItem** from the content that Microsoft Graph connectors bring in. The **fields** property can use the [semantic labels](/microsoftsearch/configure-connector#step-6-assign-property-labels) applied to properties. For example, if a property is labeled as title, you can retrieve it using the following syntax: `label_title`. Optional.|

+|queryAlterationOptions|[searchAlterationOptions](searchalterationoptions.md)|Query alteration options formatted in a JSON blob that contains two optional flags related to spelling correction. Optional. |

+|resultTemplateOptions|[resultTemplateOption](resulttemplateoption.md) collection|Provides the search result template options to render search results from connectors.|

+ "aggregationFilters": ["String"],

+ "aggregations": {"@odata.type": "microsoft.graph.aggregationOption"},

+ "enableTopResults": "Boolean",

+ "from": "Int32",

+ "query": {"@odata.type": "microsoft.graph.searchQuery"},

+ "queryAlterationOptions": {"@odata.type": "microsoft.graph.searchAlterationOptions"},

+ "resultTemplateOptions": [{"@odata.type": "microsoft.graph.resultTemplateOption"}],

+ "size": "Int32"

+- Use [display layout](/graph/search-concept-display-layout.md)

+- Enable [spell corrections](/graph/search-concept-speller) in search results

+|resultTemplates|[resultTemplate](resulttemplate.md) collection|A dictionary of **resultTemplateIds** and associated values, which include the name and JSON schema of the result templates.|

+|queryAlterationResponse|[alterationResponse](alterationresponse.md)|Provides information related to spelling corrections in the alteration response.|

+ "queryAlterationResponse": {"@odata.type": "microsoft.graph.alterationResponse"},

+ "resultTemplates": [{"@odata.type":"microsoft.graph.resultTemplateDictionary"}],

+|keyId|GUID|The unique identifier (GUID) for the key.|

+ "keyId": "GUID",

+|servicePlanId|GUID|The unique identifier of the service plan.|

+ "appliesTo": "String",

+ "provisioningStatus": "String",

+ "servicePlanId": "GUID",

+ "servicePlanName": "String"

+ "alternativeNames": ["String"] ,

+ "appDisplayName": "String",

+ "appId": "String",

+ "appOwnerOrganizationId": "GUID",

+ "disabledByMicrosoftStatus": "String",

+ "displayName": "String",

+ "homepage": "String",

+ "id": "String (identifier)",

+ "logoutUrl": "String",

+ "notes": "String",

+ "replyUrls": ["String"],

+ "servicePrincipalNames": ["String"],

+ "servicePrincipalType": "String",

+ "tags": ["String"],

+|skuId|GUID| The unique identifier (GUID) for the service SKU. |

+ "appliesTo": "String",

+ "capabilityStatus": "String",

+ "id": "String (identifier)",

+ "skuId": "GUID",

+ "skuPartNumber": "String"

+Both **mail** and **proxyAddresses** can be retrieved through the [GET user](/graph/api/user-get) API on MS Graph. **mail** can be updated via the [PATCH method of the Update user](/graph/api/user-update) API, but **proxyAddresses** can't be updated via Microsoft Graph. When a user's **mail** property is updated, it triggers recalculation of **proxyAddresses** and the newly updated mail is set to be the primary proxy address, except in the following scenarios:

+ - name: Policies

+ - name: Overview

+ href: resources/policy-overview.md