Updates from: 02/08/2022 02:06:33
Service Microsoft Docs article Related commit history on GitHub Change details
v1.0 Accesspackage List Accesspackagesincompatiblewith https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackage-list-accesspackagesincompatiblewith.md
One of the following permissions is required to call this API. To learn more, in
<!-- { "blockType": "ignored" } --> ```http
-GET /identityGovernance/entitlementManagement/accessPackage/{id}/accessPackagesIncompatibleWith
+GET /identityGovernance/entitlementManagement/accessPackages/{id}/accessPackagesIncompatibleWith
``` ## Optional query parameters
v1.0 Accesspackage List Incompatibleaccesspackages https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackage-list-incompatibleaccesspackages.md
One of the following permissions is required to call this API. To learn more, in
<!-- { "blockType": "ignored" } --> ```http
-GET /identityGovernance/entitlementManagement/accessPackage/{id}/incompatibleAccessPackages
+GET /identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages
``` ## Optional query parameters
v1.0 Accesspackage List Incompatiblegroups https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackage-list-incompatiblegroups.md
One of the following permissions is required to call this API. To learn more, in
<!-- { "blockType": "ignored" } --> ```http
-GET /identityGovernance/entitlementManagement/accessPackage/{id}/incompatibleGroups
+GET /identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups
``` ## Optional query parameters
v1.0 Accesspackageassignmentrequest Reprocess https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/accesspackageassignmentrequest-reprocess.md
One of the following permissions is required to call this API. To learn more, in
} --> ```http
-POST /identityGovernance/entitlementManagement/accessPackageAssignmentsRequests/{id}/reprocess
+POST /identityGovernance/entitlementManagement/accessPackageAssignmentRequests/{id}/reprocess
``` ## Request headers
The following is an example of the request.
<!-- { "blockType": "ignored",
- "name": "reprocess_accesspackageassignmentsrequest"
+ "name": "reprocess_accesspackageassignmentrequest"
}--> ```http POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/d82eb508-acc4-43cc-bcf1-7c1c4a2c073b/reprocess
v1.0 Allowedvalue Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/allowedvalue-get.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|CustomSecAttributeDefinition.ReadWrite.All|
+|Delegated (work or school account)|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
|Delegated (personal Microsoft account)|Not supported.|
-|Application|CustomSecAttributeDefinition.ReadWrite.All|
+|Application|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
The signed-in user must also be assigned one of the following [directory roles](/azure/active-directory/roles/permissions-reference):
v1.0 Attributeset Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/attributeset-get.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|CustomSecAttributeDefinition.ReadWrite.All|
+|Delegated (work or school account)|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
|Delegated (personal Microsoft account)|Not supported.|
-|Application|CustomSecAttributeDefinition.ReadWrite.All|
+|Application|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
The signed-in user must also be assigned one of the following [directory roles](/azure/active-directory/roles/permissions-reference):
v1.0 Channel Getallmessages https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/channel-getallmessages.md
GET /teams/{team-id}/channels/getAllMessages
## Optional query parameters
-You can use the `model` query parameter, which supports the values `A` and `B`, based on the preferred licensing and payment requirements, as shown in the following examples.
+You can use `model` query parameter, which supports the values `A` and `B`, based on the preferred [licensing and payment model](/graph/teams-licenses),
+as shown in the following examples.
+If no `model` is specified, [evaluation mode](/graph/teams-licenses#evaluation-mode-default-requirements) will be used.
```http GET /teams/{team-id}/channels/getAllMessages?model=A
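Review bot: The first added line drops the article that the removed line had: "You can use `model` query parameter" should read "You can use the `model` query parameter". The sentence is also broken across two source lines mid-clause (after "licensing and payment model](/graph/teams-licenses),"); keeping it on one line makes later diffs easier to read. The added sentence about evaluation mode being the default when no `model` is given is worth keeping as is.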
v1.0 Chats Getallmessages https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/chats-getallmessages.md
GET /users/{id | user-principal-name}/chats/getAllMessages
## Optional query parameters
-You can use `model` query parameter which supports the values `A` and `B`, based on the preferred licensing and payment requirements. If no `model` is specified, [evaluation mode](/graph/teams-licenses#evaluation-mode-default-requirements) will be used. Following are the examples.
+You can use `model` query parameter, which supports the values `A` and `B`, based on the preferred [licensing and payment model](/graph/teams-licenses),
+as shown in the following examples.
+If no `model` is specified, [evaluation mode](/graph/teams-licenses#evaluation-mode-default-requirements) will be used.
```http GET /users/{id | user-principal-name}/chats/getAllMessages?model=A
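Review bot: The replacement text still lacks the article the old sentence was also missing: "You can use `model` query parameter" should be "You can use the `model` query parameter". The three added lines are now word for word the same as the paragraph added to the channel getAllMessages topic, so a shared include would keep the two from drifting apart again.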
v1.0 Crosstenantaccesspolicy Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicy-get.md
+
+ Title: "Get crossTenantAccessPolicy"
+description: "Read the properties and relationships of a crossTenantAccessPolicy object."
+
+ms.localizationpriority: medium
++
+# Get crossTenantAccessPolicy
+
+Namespace: microsoft.graph
++
+Read the properties and relationships of a [crossTenantAccessPolicy](../resources/crosstenantaccesspolicy.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.Read.All, Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.Read.All, Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+GET /policies/crossTenantAccessPolicy
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a [crossTenantAccessPolicy](../resources/crosstenantaccesspolicy.md) object in the response body.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "get_crosstenantaccesspolicy"
+}
+-->
+
+``` http
+GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy
+```
+
+### Response
+
+>**Note:** If you have never modified your cross-tenant access settings, this response will return `{}`.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicy"
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "value": {
+ "@odata.type": "#microsoft.graph.crossTenantAccessPolicy",
+ "displayName": "CrossTenantAccessPolicy",
+ "lastModifiedDateTime": "08-23-2021Z00:00:00",
+ "definition": "Cross tenant access policy..."
+ }
+}
+```
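Review bot: In the response example, "lastModifiedDateTime": "08-23-2021Z00:00:00" is not a valid ISO 8601 timestamp; use the form 2021-08-23T00:00:00Z so the sample can be parsed as written. The example also wraps the object in a "value" property, although the Response section says the method returns a single crossTenantAccessPolicy object and the note says an unmodified policy returns `{}`; show the object at the top level or explain the wrapper.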
v1.0 Crosstenantaccesspolicy List Partners https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicy-list-partners.md
+
+ Title: "List partners"
+description: "Get a list of all partner configurations within a cross-tenant access policy."
+
+ms.localizationpriority: medium
++
+# List partners
+
+Namespace: microsoft.graph
++
+Get a list of all partner configurations within a cross-tenant access policy.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.Read.All, Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.Read.All, Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+GET /policies/crossTenantAccessPolicy/partners
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) objects in the response body.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "list_crosstenantaccesspolicyconfigurationpartner"
+}
+-->
+
+``` http
+GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners
+```
+
+### Response
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.crossTenantAccessPolicyConfigurationPartner)"
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "value": [
+ {
+ "tenantId": "123f4846-ba00-4fd7-ba43-dac1f8f63013",
+ "inboundTrust": null,
+ "b2bCollaborationInbound": null,
+ "b2bCollaborationOutbound": null,
+ "b2bDirectConnectOutbound": null,
+ "b2bDirectConnectInbound":
+ {
+ "usersAndGroups":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "Office365",
+ "targetType": "application"
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
+```
v1.0 Crosstenantaccesspolicy Post Partners https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicy-post-partners.md
+
+ Title: "Create crossTenantAccessPolicyConfigurationPartner"
+description: "Create a new partner configuration in a cross-tenant access policy."
+
+ms.localizationpriority: medium
++
+# Create crossTenantAccessPolicyConfigurationPartner
+
+Namespace: microsoft.graph
++
+Create a new partner configuration in a cross-tenant access policy.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+POST /policies/crossTenantAccessPolicy/partners
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
+
+In the request body, supply a JSON representation of the [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) object.
+
+The following table shows the properties that are required when you create the [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md).
+
+|Property|Type|Description|
+|:|:|:|
+| b2bCollaborationInbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B collaboration. |
+| b2bCollaborationOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration. |
+| b2bDirectConnectInbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B direct connect. |
+| b2bDirectConnectOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect. |
+| inboundTrust | [crossTenantAccessPolicyInboundTrust](../resources/crosstenantaccesspolicyinboundtrust.md) | Determines the partner-specific configuration for trusting other Conditional Access claims from external Azure AD organizations. |
+| tenantId | String | The tenant identifier for the partner Azure Active Directory (Azure AD) organization. |
+
+## Response
+
+If successful, this method returns a `201 Created` response code and a [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) object in the response body.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "create_crosstenantaccesspolicyconfigurationpartner_from_"
+}
+-->
+
+``` http
+POST https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners
+Content-Type: application/json
+
+{
+ "tenantId": "3d0f5dec-5d3d-455c-8016-e2af1ae4d31a",
+ "b2bDirectConnectOutbound":
+ {
+ "usersAndGroups":
+ {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "6f546279-4da5-4b53-a095-09ea0cef9971",
+ "targetType": "group"
+ }
+ ]
+ }
+ },
+ "b2bDirectConnectInbound":
+ {
+ "applications":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "Office365",
+ "targetType": "application"
+ }
+ ]
+ }
+ }
+}
+```
+
+### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyConfigurationPartner"
+}
+-->
+
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "tenantId": "3d0f5dec-5d3d-455c-8016-e2af1ae4d31a",
+ "inboundTrust": null,
+ "b2bCollaborationInbound": null,
+ "b2bCollaborationOutbound": null,
+ "b2bDirectConnectOutbound":
+ {
+ "usersAndGroups":
+ {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "6f546279-4da5-4b53-a095-09ea0cef9971",
+ "targetType": "group"
+ }
+ ]
+ }
+ },
+ "b2bDirectConnectInbound":
+ {
+ "applications":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "Office365",
+ "targetType": "application"
+ }
+ ]
+ }
+ }
+}
+```
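Review bot: The Request body section introduces its table as "the properties that are required when you create" the partner configuration, but the table lists all six properties while the request example sends only tenantId, b2bDirectConnectOutbound and b2bDirectConnectInbound, and the 201 response returns the others as null. State which properties are actually required and mark the rest optional, since a reader building an allow or block rule from this table cannot tell what may be omitted. The request block name "create_crosstenantaccesspolicyconfigurationpartner_from_" also ends in what looks like an unfilled template suffix.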
v1.0 Crosstenantaccesspolicy Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicy-update.md
+
+ Title: "Update crossTenantAccessPolicy"
+description: "Update the properties of a cross-tenant access policy."
+
+ms.localizationpriority: medium
++
+# Update crossTenantAccessPolicy
+
+Namespace: microsoft.graph
++
+Update the properties of a [cross-tenant access policy](../resources/crosstenantaccesspolicy.md).
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+PATCH /policies/crossTenantAccessPolicy
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
++
+|Property|Type|Description|
+|:|:|:|
+|displayName|String|The display name of the cross-tenant access policy.|
+
+## Response
+
+If successful, this method returns a `204 No Content` response code.
+
+The [crossTenantAccessPolicy](../resources/crosstenantaccesspolicy.md) object size is currently limited to 25KB. This method will return a `400 Bad Request` error code if the size of the policy will exceed 25KB.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "update_crosstenantaccesspolicy"
+}
+-->
+
+``` http
+PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy
+Content-Type: application/json
+
+{
+ "displayName": "CrossTenantAccessPolicy",
+}
+```
+
+### Response
+
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+
+``` http
+HTTP/1.1 204 No Content
+```
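Review bot: The request example body is not valid JSON: the line "displayName": "CrossTenantAccessPolicy", ends with a trailing comma before the closing brace, so remove the comma. The "Request body" heading is also followed directly by the property table with no introductory sentence, unlike the Create partner topic, and the 25KB limit is described under Response although it constrains what the caller may send.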
v1.0 Crosstenantaccesspolicyconfigurationdefault Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicyconfigurationdefault-get.md
+
+ Title: "Get crossTenantAccessPolicyConfigurationDefault"
+description: "Read the default configuration of a cross-tenant access policy."
+
+ms.localizationpriority: medium
++
+# Get crossTenantAccessPolicyConfigurationDefault
+
+Namespace: microsoft.graph
++
+Read the [default configuration](../resources/crosstenantaccesspolicyconfigurationdefault.md) of a cross-tenant access policy. This default configuration may be the service default assigned by Azure AD (**isServiceDefault** is `true`) or may be customized in your tenant (**isServiceDefault** is `false`).
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.Read.All, Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.Read.All, Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+GET /policies/crossTenantAccessPolicy/default
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a [crossTenantAccessPolicyConfigurationDefault](../resources/crosstenantaccesspolicyconfigurationdefault.md) object in the response body.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "get_crosstenantaccesspolicyconfigurationdefault"
+}
+-->
+
+``` http
+GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default
+```
+
+### Response
+
+The following response object shows a default cross-tenant policy inherited from Azure AD, as identified by **isServiceDefault** set to `true`.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyConfigurationDefault"
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "isServiceDefault": true,
+ "inboundTrust":
+ {
+ "isMfaAccepted": false,
+ "isCompliantDeviceAccepted": false,
+ "isHybridAzureADJoinedDeviceAccepted": false,
+ },
+ "b2bCollaborationOutbound":
+ {
+ "usersAndGroups":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+ },
+ "b2bCollaborationInbound":
+ {
+ "usersAndGroups":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+ },
+ "b2bDirectConnectOutbound":
+ {
+ "usersAndGroups":
+ {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications":
+ {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+ },
+ "b2bDirectConnectInbound":
+ {
+ "usersAndGroups":
+ {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications":
+ {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+ }
+}
+```
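Review bot: In the response example, the inboundTrust object ends with a trailing comma after "isHybridAzureADJoinedDeviceAccepted": false, which makes the sample invalid JSON; drop the comma. The intro explains **isServiceDefault** well, but only the `true` case is shown; a second short example with **isServiceDefault** set to `false` would let readers see what a customized default looks like.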
v1.0 Crosstenantaccesspolicyconfigurationdefault Resettosystemdefault https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicyconfigurationdefault-resettosystemdefault.md
+
+ Title: "crossTenantAccessPolicyConfigurationDefault: resetToSystemDefault"
+description: "Reset any changes made to the default configuration in a cross-tenant access policy back to the system default."
+
+ms.localizationpriority: medium
++
+# crossTenantAccessPolicyConfigurationDefault: resetToSystemDefault
+
+Namespace: microsoft.graph
++
+Reset any changes made to the default configuration in a cross-tenant access policy back to the system default.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+POST /policies/crossTenantAccessPolicy/default/resetToSystemDefault
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this action returns a `200 OK` response code and an empty response. To confirm that the default configuration has been restored to the system defaults, run [Get crossTenantAccessPolicyConfigurationDefault](../api/crosstenantaccesspolicyconfigurationdefault-get.md) and confirm that **isSystemDefault** is set to `true`.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "crosstenantaccesspolicyconfigurationdefault_resettosystemdefault"
+}
+-->
+
+``` http
+POST https://graph.microsoft.com/betefault
+```
+
+### Response
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyConfigurationDefault"
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+
+}
+```
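Review bot: The Response section tells readers to confirm that **isSystemDefault** is set to `true`, but the property that the Get crossTenantAccessPolicyConfigurationDefault topic describes and returns is **isServiceDefault**; rename it here so the verification step matches the object. The request example URL, "POST https://graph.microsoft.com/betefault", is also garbled and does not match the documented path POST /policies/crossTenantAccessPolicy/default/resetToSystemDefault. The response annotation declares an @odata.type of crossTenantAccessPolicyConfigurationDefault while the text says the response is empty.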
v1.0 Crosstenantaccesspolicyconfigurationdefault Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicyconfigurationdefault-update.md
+
+ Title: "Update crossTenantAccessPolicyConfigurationDefault"
+description: "Update the default configuration of a cross-tenant access policy."
+
+ms.localizationpriority: medium
++
+# Update crossTenantAccessPolicyConfigurationDefault
+
+Namespace: microsoft.graph
++
+Update the [default configuration](../resources/crosstenantaccesspolicyconfigurationdefault.md) of a cross-tenant access policy.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+PATCH /policies/crossTenantAccessPolicy/default
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
++
+|Property|Type|Description|
+|:|:|:|
+| inboundTrust | [crossTenantAccessPolicyInboundTrust](../resources/crosstenantaccesspolicyinboundtrust.md) | Determines the default configuration for trusting other Conditional Access claims from external Azure AD organizations. |
+| b2bCollaborationInbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your default configuration for users from other organizations accessing your resources via Azure AD B2B collaboration. |
+| b2bCollaborationOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your default configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration. |
+| b2bDirectConnectInbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your default configuration for users from other organizations accessing your resources via Azure AD B2B direct connect. |
+| b2bDirectConnectOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your default configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect. |
+
+## Response
+
+If successful, this method returns a `204 No Content` response code.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "update_crosstenantaccesspolicyconfigurationdefault"
+}
+-->
+
+``` http
+PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/default
+Content-Type: application/json
+
+{
+ "b2bCollaborationOutbound":
+ {
+ "usersAndGroups":
+ {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "0be493dc-cb56-4a53-936f-9cf64410b8b0",
+ "targetType": "group"
+ }
+ ]
+ },
+ "applications":
+ {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+ }
+}
+```
+
+### Response
+
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+
+``` http
+HTTP/1.1 204 No Content
+```
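Review bot: The Request body section goes straight to the property table without saying whether a PATCH must carry all five properties or only the ones being changed; the example sends only b2bCollaborationOutbound, so add a sentence that states this. The example blocks one group GUID under usersAndGroups together with AllApplications under applications; a line of text stating the resulting effect would help, because readers will copy this body as a template for restricting outbound collaboration.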
v1.0 Crosstenantaccesspolicyconfigurationpartner Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicyconfigurationpartner-delete.md
+
+ Title: "Delete crossTenantAccessPolicyConfigurationPartner"
+description: "Delete a partner-specific configuration in a cross-tenant access policy."
+
+ms.localizationpriority: medium
++
+# Delete crossTenantAccessPolicyConfigurationPartner
+
+Namespace: microsoft.graph
++
+Delete a [partner-specific configuration](../resources/crosstenantaccesspolicyconfigurationpartner.md) in a cross-tenant access policy.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+DELETE /policies/crossTenantAccessPolicy/partners/{id}
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `204 No Content` response code.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "delete_crosstenantaccesspolicyconfigurationpartner"
+}
+-->
+
+``` http
+DELETE https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/9c5d131d-b1c3-4fc4-9e3f-c6557947d551
+```
+
+### Response
+
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+
+``` http
+HTTP/1.1 204 No Content
+```
v1.0 Crosstenantaccesspolicyconfigurationpartner Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicyconfigurationpartner-get.md
+
+ Title: "Get crossTenantAccessPolicyConfigurationPartner"
+description: "Read the properties and relationships of a partner-specific configuration."
+
+ms.localizationpriority: medium
++
+# Get crossTenantAccessPolicyConfigurationPartner
+
+Namespace: microsoft.graph
++
+Read the properties and relationships of a [partner-specific](../resources/crosstenantaccesspolicyconfigurationpartner.md) configuration.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.Read.All, Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.Read.All, Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+GET /policies/crossTenantAccessPolicy/partners/{id}
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) object in the response body.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "get_crosstenantaccesspolicyconfigurationpartner"
+}
+-->
+
+``` http
+GET https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/9c5d131d-b1c3-4fc4-9e3f-c6557947d551
+```
+
+### Response
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyConfigurationPartner"
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "tenantId": "9c5d131d-b1c3-4fc4-9e3f-c6557947d551",
+ "inboundTrust": null,
+ "b2bCollaborationInbound": null,
+ "b2bCollaborationOutbound": null,
+ "b2bDirectConnectOutbound": null,
+ "b2bDirectConnectInbound":
+ {
+ "usersAndGroups":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications":
+ {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "Office365",
+ "targetType": "application"
+ }
+ ]
+ }
+ }
+}
+```
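Review bot: The HTTP request section uses the placeholder {id} without saying what identifies a partner configuration; in the example the GUID in the request URL (9c5d131d-b1c3-4fc4-9e3f-c6557947d551) is the same value returned as tenantId. Say explicitly that {id} is the partner's tenant ID, or rename the placeholder accordingly, and apply the same wording to the Delete and Update topics that use the same path.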
v1.0 Crosstenantaccesspolicyconfigurationpartner Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/crosstenantaccesspolicyconfigurationpartner-update.md
+
+ Title: "Update crossTenantAccessPolicyConfigurationPartner"
+description: "Update the properties of a partner-specific configuration."
+
+ms.localizationpriority: medium
++
+# Update crossTenantAccessPolicyConfigurationPartner
+
+Namespace: microsoft.graph
++
+Update the properties of a [partner-specific](../resources/crosstenantaccesspolicyconfigurationpartner.md) configuration.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.ReadWrite.CrossTenantAccess|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application|Policy.ReadWrite.CrossTenantAccess|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+``` http
+PATCH /policies/crossTenantAccessPolicy/partners/{id}
+```
+
+## Request headers
+
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
++
+|Property|Type|Description|
+|:|:|:|
+| b2bCollaborationInbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B collaboration. |
+| b2bCollaborationOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration. |
+| b2bDirectConnectInbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B direct connect. |
+| b2bDirectConnectOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect. |
+| inboundTrust | [crossTenantAccessPolicyInboundTrust](../resources/crosstenantaccesspolicyinboundtrust.md) | Determines the partner-specific configuration for trusting other Conditional Access claims from external Azure Active Directory (Azure AD) organizations. |
+
+## Response
+
+If successful, this method returns a `204 No Content` response code.
+
+## Examples
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "update_crosstenantaccesspolicyconfigurationpartner"
+}
+-->
+
+``` http
+PATCH https://graph.microsoft.com/beta/policies/crossTenantAccessPolicy/partners/90e29127-71ad-49c7-9ce8-db3f41ea06f1
+Content-Type: application/json
+
+{
+ "inboundTrust":
+ {
+ "isMfaAccepted": true,
+ "isCompliantDeviceAccepted": true,
+ "isHybridAzureADJoinedDeviceAccepted" : true
+ }
+}
+```
+
+### Response
+
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+
+``` http
+HTTP/1.1 204 No Content
+```
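Review bot: The Request body section goes straight to the property table without saying how PATCH treats properties that are omitted. The example sends only `inboundTrust`, so a reader cannot tell whether the four b2b settings are left unchanged or cleared; add the usual sentence that only supplied properties are updated, if that is the behavior. The example also sets all three `inboundTrust` flags to `true` at once, so a line explaining that each flag means trusting the corresponding Conditional Access claim from the partner organization would help readers choose deliberately.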
v1.0 Customsecurityattributedefinition Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/customsecurityattributedefinition-get.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|CustomSecAttributeDefinition.ReadWrite.All|
+|Delegated (work or school account)|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
|Delegated (personal Microsoft account)|Not supported.|
-|Application|CustomSecAttributeDefinition.ReadWrite.All|
+|Application|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
The signed-in user must also be assigned one of the following [directory roles](/azure/active-directory/roles/permissions-reference):
v1.0 Customsecurityattributedefinition List Allowedvalues https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/customsecurityattributedefinition-list-allowedvalues.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|CustomSecAttributeDefinition.ReadWrite.All|
+|Delegated (work or school account)|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
|Delegated (personal Microsoft account)|Not supported.|
-|Application|CustomSecAttributeDefinition.ReadWrite.All|
+|Application|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
The signed-in user must also be assigned one of the following [directory roles](/azure/active-directory/roles/permissions-reference):
v1.0 Customsecurityattributedefinition Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/customsecurityattributedefinition-update.md
PATCH /directory/customSecurityAttributeDefinitions/{customSecurityAttributeDefi
|:|:| |Authorization|Bearer {token}. Required.| |Content-Type|application/json. Required.|
+|OData-Version|4.01. Optional.|
+
+> [!NOTE]
+> To update the predefined values for a custom security attribute, you must add the **OData-Version** header and assign it the value `4.01`.
## Request body In the request body, supply *only* the values for properties that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
Content-Type: application/json
HTTP/1.1 204 No Content ```
-### Example 2: Deactivate a custom security attribute
+### Example 2: Update the predefined values for a custom security attribute
+
+The following example updates the status of an existing predefined value and adds a new predefined value for a custom security attribute definition.
+++ Attribute set: `Engineering`++ Attribute: `Project`++ Attribute data type: Collection of Strings++ Update predefined value: `Baker`++ New predefined value: `Skagit`+
+> [!NOTE]
+> For this request, you must add the **OData-Version** header and assign it the value `4.01`.
+
+#### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "update_customsecurityattributedefinition_allowedvalues"
+}
+-->
+``` msgraph-interactive
+PATCH https://graph.microsoft.com/beta/directory/customSecurityAttributeDefinitions/Engineering_Project
+Content-Type: application/json
+OData-Version: 4.01
+
+{
+ "allowedValues@delta": [
+ {
+ "id": "Baker",
+ "isActive": false
+ },
+ {
+ "id": "Skagit",
+ "isActive": true
+ }
+ ]
+}
+```
+
+#### Response
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+```
+
+### Example 3: Deactivate a custom security attribute
The following example deactivates a custom security attribute definition.
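Review bot: The new header row marks `OData-Version` as `4.01. Optional.`, but both added notes say the header must be sent to update predefined values. Make the table cell say it is required when the body contains `allowedValues@delta`, and state what the service returns when the header is missing, so a reader who only scans the table does not leave it out.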
v1.0 Directory List Attributesets https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/directory-list-attributesets.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|CustomSecAttributeDefinition.ReadWrite.All|
+|Delegated (work or school account)|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
|Delegated (personal Microsoft account)|Not supported.|
-|Application|CustomSecAttributeDefinition.ReadWrite.All|
+|Application|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
The signed-in user must also be assigned one of the following [directory roles](/azure/active-directory/roles/permissions-reference):
v1.0 Directory List Customsecurityattributedefinitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/directory-list-customsecurityattributedefinitions.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|CustomSecAttributeDefinition.ReadWrite.All|
+|Delegated (work or school account)|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
|Delegated (personal Microsoft account)|Not supported.|
-|Application|CustomSecAttributeDefinition.ReadWrite.All|
+|Application|CustomSecAttributeDefinition.Read.All, CustomSecAttributeDefinition.ReadWrite.All|
The signed-in user must also be assigned one of the following [directory roles](/azure/active-directory/roles/permissions-reference):
v1.0 Directory Post Customsecurityattributedefinitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/directory-post-customsecurityattributedefinitions.md
Content-length: 310
+#### Response
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.customSecurityAttributeDefinition"
+}
+-->
+
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#directory/customSecurityAttributeDefinitions/$entity",
+ "attributeSet": "Engineering",
+ "description": "Active projects for user",
+ "id": "Engineering_Project",
+ "isCollection": true,
+ "isSearchable": true,
+ "name": "Project",
+ "status": "Available",
+ "type": "String",
+ "usePreDefinedValuesOnly": true
+}
+```
+
+### Example 3: Add a custom security attribute with a list of predefined values
+
+The following example adds a new custom security attribute definition with a list of predefined values as a collection of strings.
+++ Attribute set: `Engineering`++ Attribute: `Project`++ Attribute data type: Collection of Strings++ Predefined values: `Alpine`, `Baker`, `Cascade`+
+#### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "create_customsecurityattributedefinition_allowedvalues"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/directory/customSecurityAttributeDefinitions
+Content-Type: application/json
+
+{
+ "attributeSet": "Engineering",
+ "description": "Active projects for user",
+ "isCollection": true,
+ "isSearchable": true,
+ "name": "Project",
+ "status": "Available",
+ "type": "String",
+ "usePreDefinedValuesOnly": true,
+ "allowedValues": [
+ {
+ "id": "Alpine",
+ "isActive": true
+ },
+ {
+ "id": "Baker",
+ "isActive": true
+ },
+ {
+ "id": "Cascade",
+ "isActive": true
+ }
+ ]
+}
+```
+ #### Response <!-- { "blockType": "response",
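Review bot: Example 3 posts `allowedValues` inline with only a `Content-Type` header, while the update page in this same change set requires `OData-Version: 4.01` to modify predefined values. State in the example text whether create needs that header, so readers neither copy the update requirement here nor drop it there by analogy.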
v1.0 Directoryobject Checkmembergroups https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/directoryobject-checkmembergroups.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Check for membership in a specified list of groups, and return from that list those groups of which the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member. This function is transitive.
+Check for membership in a specified list of group IDs, and return from that list those groups (identified by IDs) of which the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member. This function is transitive.
You can check up to a maximum of 20 groups per request. This function supports all groups provisioned in Azure AD. Because Microsoft 365 groups cannot contain other groups, membership in a Microsoft 365 group is always direct.
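Review bot: The reworded sentence reads awkwardly at "return from that list those groups (identified by IDs)". Something like "returns the IDs of those groups in the list of which the specified ... is a member" says the same thing and puts the emphasis on IDs where the change intends it.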
v1.0 Directoryobject Checkmemberobjects https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/directoryobject-checkmemberobjects.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Check for membership in a list of groups, administrative units, or directory roles for the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md). This method is transitive.
+Check for membership in a list of group IDs, administrative unit IDs, or directory role IDs, for the IDs of the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md). This method is transitive.
## Permissions
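Review bot: "for the IDs of the specified user, group, ..." in the added line suggests the caller passes several IDs for the object being checked, while the rest of the sentence describes one specified object. Keep "IDs" on the list being checked (group, administrative unit and directory role IDs) and leave the subject as "the specified user, group, ...".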
v1.0 Directoryobject Getmembergroups https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/directoryobject-getmembergroups.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Return all the groups that the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member of. This function is transitive.
+Return all the group IDs for the groups that the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member of. This function is transitive.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
v1.0 Directoryobject Getmemberobjects https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/directoryobject-getmemberobjects.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Return all the groups, administrative units, and directory roles that a [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member of. This function is transitive.
+Return all IDs for the groups, administrative units, and directory roles that a [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member of. This function is transitive.
**Note:** Only users and role-enabled groups can be members of directory roles.
v1.0 Meetingregistration Post https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/meetingregistration-post.md
In the request body, supply a JSON representation of a [meetingRegistration](../
## Response
-If successful, this method returns a `201 Created` response code and [meetingRegistration](../resources/meetingregistration.md) object in the response body.
+If successful, this method returns a `201 Created` response code and a [meetingRegistration](../resources/meetingregistration.md) object in the response body.
> [!NOTE] >
v1.0 Schedule List Shifts https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/schedule-list-shifts.md
GET /teams/{teamId}/schedule/shifts
``` ## Optional query parameters
-This method supports the $filter [OData query parameter](/graph/query-parameters) to help customize the response.
+This method supports the `$filter` [OData query parameter](/graph/query-parameters) to help customize the response.
## Request headers
v1.0 Serviceprincipal Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/serviceprincipal-get.md
Content-type: application/json
], "signInAudience": "AzureADandPersonalMicrosoftAccount", "tags": [],
+ "verifiedPublisher": {
+ "displayName": "publisher_contoso",
+ "verifiedPublisherId": "9999999",
+ "addedDateTime": "2021-04-24T17:49:44Z"
+ },
"addIns": [], "api": { "resourceSpecificApplicationPermissions": []
Attribute #4
+ Attribute data type: String + Attribute value: `"Public"`
-To get custom security attribute assignments, the calling principal must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role and must be granted the *CustomSecAttributeAssignment.ReadWrite.All* permission.
+To get custom security attribute assignments, the calling principal must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role and must be granted the *CustomSecAttributeAssignment.Read.All* or *CustomSecAttributeAssignment.ReadWrite.All* permission.
#### Request
v1.0 User Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/user-get.md
For a specific user:
GET /users/{id | userPrincipalName} ```
->**Note:**
-> + When the **userPrincipalName** begins with a `$` character, remove the slash (/) after `/users` and enclose the **userPrincipalName** in parentheses and single quotes. For example, `/users('$AdeleVance@contoso.com')`. For details, see the [known issues](/graph/known-issues#users) list.
+> [!TIP]
+>
+> + When the **userPrincipalName** begins with a `$` character, the GET request URL syntax `/users/$x@y.com` fails with a `400 Bad Request` error code. This is because this request URL violates the OData URL convention, which expects only system query options to be prefixed with a `$` character. Remove the slash (/) after `/users` and enclose the **userPrincipalName** in parentheses and single quotes, as follows: `/users('$x@y.com')`. For example, `/users('$AdeleVance@contoso.com')`.
> + To query a B2B user using the **userPrincipalName**, encode the hash (#) character. That is, replace the `#` symbol with `%23`. For example, `/users/AdeleVance_adatum.com%23EXT%23@contoso.com`. For the signed-in user:
Attribute #4
+ Attribute data type: String + Attribute value: `"Public"`
-To get custom security attribute assignments, the calling principal must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role and must be granted the *CustomSecAttributeAssignment.ReadWrite.All* permission.
+To get custom security attribute assignments, the calling principal must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role and must be granted the *CustomSecAttributeAssignment.Read.All* or *CustomSecAttributeAssignment.ReadWrite.All* permission.
#### Request
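Review bot: The rewritten tip on a **userPrincipalName** that begins with `$` drops the link to the known issues list that the removed line carried. The added explanation of the `400 Bad Request` is useful, but keep the link if the known-issues entry still exists. The callout also changes from a note to `[!TIP]` although it describes a request that fails, so a note or warning style fits better.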
v1.0 User Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/user-update.md
Namespace: microsoft.graph
Update the properties of a [user](../resources/user.md) object. Not all properties can be updated by Member or Guest users with their default permissions without Administrator roles. [Compare member and guest default permissions](/azure/active-directory/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions) to see properties they can manage. ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+One of the following pefrmissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
|Permission type | Permissions (from least to most privileged) | |:--|:|
In the request body, supply the values for relevant fields that should be update
|:|:--|:-| |aboutMe|String|A freeform text entry field for the user to describe themselves.| |accountEnabled|Boolean| `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. A global administrator assigned the _Directory.AccessAsUser.All_ delegated permission can update the **accountEnabled** status of all administrators in the tenant.|
-| ageGroup | [ageGroup](../resources/user.md#agegroup-values) | Sets the age group of the user. Allowed values: `null`, `minor`, `notAdult` and `adult`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
+| ageGroup | [ageGroup](../resources/user.md#agegroup-values) | Sets the age group of the user. Allowed values: `null`, `Minor`, `NotAdult` and `Adult`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
|assignedLicenses|[assignedLicense](../resources/assignedlicense.md) collection|The licenses that are assigned to the user. Not nullable. | |birthday|DateTimeOffset|The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`| |businessPhones| String collection | The telephone numbers for the user. **NOTE:** Although this is a string collection, only one number can be set for this property.| |city|String|The city in which the user is located.|
-| companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length of the company name is 64 characters. |
-| consentProvidedForMinor | [consentProvidedForMinor](../resources/user.md#consentprovidedforminor-values) | Sets whether consent has been obtained for minors. Allowed values: `null`, `granted`, `denied` and `notRequired`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
+| companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters. |
+| consentProvidedForMinor | [consentProvidedForMinor](../resources/user.md#consentprovidedforminor-values) | Sets whether consent has been obtained for minors. Allowed values: `null`, `Granted`, `Denied` and `NotRequired`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
|country|String|The country/region in which the user is located; for example, `US` or `UK`.| |customSecurityAttributes|[customSecurityAttributeValue](../resources/customsecurityattributevalue.md)|An open complex type that holds the value of a custom security attribute that is assigned to a directory object.<br/><br/>To update this property, the calling principal must be assigned the Attribute Assignment Administrator role and must be granted the *CustomSecAttributeAssignment.ReadWrite.All* permission.| |department|String|The name for the department in which the user works.| |displayName|String|The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates.|
-|employeeId|String|The employee identifier assigned to the user by the organization.|
+|employeeId|String|The employee identifier assigned to the user by the organization. The maximum length is 16 characters.|
| employeeType | String | Captures enterprise worker type. For example, `Employee`, `Contractor`, `Consultant`, or `Vendor`.| |givenName|String|The given name (first name) of the user.| |employeeHireDate|DateTimeOffset|The hire date of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
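Review bot: The Permissions line added in this change misspells "permissions" as "pefrmissions"; the removed line was correct, so that hunk should be dropped or the typo fixed. In the property table, the `ageGroup` and `consentProvidedForMinor` allowed values change from lowercase to `Minor`, `NotAdult`, `Adult` and `Granted`, `Denied`, `NotRequired`; confirm the casing matches the linked enum sections in user.md so callers do not send a value the service rejects.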
v1.0 X509certificateauthenticationmethodconfiguration Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/x509certificateauthenticationmethodconfiguration-delete.md
+
+ Title: "Delete x509CertificateAuthenticationMethodConfiguration"
+description: "Delete a x509CertificateAuthenticationMethodConfiguration object and restores all the other properties to their default settings"
+
+ms.localizationpriority: medium
++
+# Delete x509CertificateAuthenticationMethodConfiguration
+Namespace: microsoft.graph
++
+Restore the [x509CertificateAuthenticationMethodConfiguration](../resources/x509certificateauthenticationmethodconfiguration.md) object to its default configuration.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|Not supported.|
+
+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):
+
+* Authentication Policy Administrator
+* Global Administrator
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `204 No Content` response code.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "delete_x509certificateauthenticationmethodconfiguration"
+}
+-->
+``` http
+DELETE https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
+```
+
+### Response
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+```
+
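Review bot: The front-matter description says the call deletes the object "and restores all the other properties to their default settings", while the body says it restores the object to its default configuration; the two do not describe the same thing, and the description is ungrammatical ("Delete ... and restores"). State once that DELETE resets the configuration rather than removing it, and say what the default is, in particular the resulting `state`.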
v1.0 X509certificateauthenticationmethodconfiguration Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/x509certificateauthenticationmethodconfiguration-get.md
+
+ Title: "Get x509CertificateAuthenticationMethodConfiguration"
+description: "Read the properties and relationships of a x509CertificateAuthenticationMethodConfiguration object."
+
+ms.localizationpriority: medium
++
+# Get x509CertificateAuthenticationMethodConfiguration
+Namespace: microsoft.graph
++
+Read the configuration details for the [X.509 certificate authentication method](../resources/x509certificateauthenticationmethodconfiguration.md) in the [authentication methods policy](../resources/authenticationmethodspolicy.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|Not supported.|
+
+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):
+
+* Global Reader
+* Authentication Policy Administrator
+* Global Administrator
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
+```
+
+## Optional query parameters
+This method does not support the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a [x509CertificateAuthenticationMethodConfiguration](../resources/x509certificateauthenticationmethodconfiguration.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_x509certificateauthenticationmethodconfiguration"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
+```
+
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.x509CertificateAuthenticationMethodConfiguration"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
+ "id": "X509Certificate",
+ "state": "disabled",
+ "certificateUserBindings": [{
+ "x509CertificateField": "PrincipalName",
+ "userProperty": "onPremisesUserPrincipalName",
+ "priority": 1
+ },
+ {
+ "x509CertificateField": "RFC822Name",
+ "userProperty": "userPrincipalName",
+ "priority": 2
+ }
+ ],
+ "authenticationModeConfiguration": {
+ "x509CertificateAuthenticationDefaultMode": "x509CertificateSingleFactor",
+ "rules": []
+ },
+ "includeTargets": [{
+ "targetType": "group",
+ "id": "all_users",
+ "isRegistrationRequired": false
+ }]
+}
+```
+
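Review bot: The permissions table for this read-only GET lists only `Policy.ReadWrite.AuthenticationMethod`, although the role list below it includes Global Reader. If a read-only permission is accepted, list it first so callers can follow least privilege; if not, say so explicitly. The sentence under Optional query parameters ("does not support the OData query parameters to help customize the response") also reads as leftover template text and can simply say that no OData query parameters are supported.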
v1.0 X509certificateauthenticationmethodconfiguration Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/x509certificateauthenticationmethodconfiguration-update.md
+
+ Title: "Update x509CertificateAuthenticationMethodConfiguration"
+description: "Update the properties of a x509CertificateAuthenticationMethodConfiguration object."
+
+ms.localizationpriority: medium
++
+# Update x509CertificateAuthenticationMethodConfiguration
+Namespace: microsoft.graph
++
+Update the properties of the [X.509 certificate authentication method](../resources/x509certificateauthenticationmethodconfiguration.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|Not supported.|
+
+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):
+
+* Authentication Policy Administrator
+* Global Administrator
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
+The following properties can be updated.
+
+|Property|Type|Description|
+|:|:|:|
+|state|authenticationMethodState|The possible values are: `enabled`, `disabled`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).|
+|certificateUserBindings|[x509CertificateUserBinding](../resources/x509certificateuserbinding.md) collection|Defines fields in the X.509 certificate that map to attributes of the Azure AD user object in order to bind the certificate to the user. The **priority** of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
+|authenticationModeConfiguration|[x509CertificateAuthenticationModeConfiguration](../resources/x509certificateauthenticationmodeconfiguration.md)|Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
+
+>**Note:** The `@odata.type` property with a value of `#microsoft.graph.x509CertificateAuthenticationMethodConfiguration` must be included in the body.
++
+## Response
+
+If successful, this method returns a `204 No Content` response code and an updated [x509CertificateAuthenticationMethodConfiguration](../resources/x509certificateauthenticationmethodconfiguration.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "update_x509certificateauthenticationmethodconfiguration"
+}
+-->
+``` http
+PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
+Content-Type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
+ "id": "X509Certificate",
+ "state": "disabled",
+ "certificateUserBindings": [{
+ "x509CertificateField": "PrincipalName",
+ "userProperty": "onPremisesUserPrincipalName",
+ "priority": 1
+ },
+ {
+ "x509CertificateField": "RFC822Name",
+ "userProperty": "userPrincipalName",
+ "priority": 2
+ }
+ ],
+ "authenticationModeConfiguration": {
+ "x509CertificateAuthenticationDefaultMode": "x509CertificateSingleFactor",
+ "rules": []
+ },
+ "includeTargets": [{
+ "targetType": "group",
+ "id": "all_users",
+ "isRegistrationRequired": false
+ }]
+}
+```
+
+### Response
+
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+Content-Type: application/json
+```
+
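Review bot: The Response section contradicts itself. It promises a `204 No Content` response code "and an updated x509CertificateAuthenticationMethodConfiguration object in the response body", but a 204 carries no body and the example response shows none. Drop the "updated object" clause, and remove `Content-Type: application/json` and `"truncated": true` from the example response, since there is no body to type or truncate. The example request also sends `id` and `includeTargets`, neither of which appears in the table of updatable properties; either add them to the table or trim them from the example.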
v1.0 Authenticationmethodspolicies Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/authenticationmethodspolicies-overview.md
The authentication method policies APIs are used to manage policy settings. For
|[emailauthenticationmethodconfiguration](emailauthenticationmethodconfiguration.md)|Define users who can use email OTP on the Azure AD tenant.| |[passwordlessmicrosoftauthenticatorauthenticationmethodconfiguration](passwordlessmicrosoftauthenticatorauthenticationmethodconfiguration.md) (deprecated)|Define users who can use Passwordless Phone Sign-in to sign in to Azure AD.| |[temporaryaccesspassauthenticationmethodconfiguration](temporaryaccesspassauthenticationmethodconfiguration.md)|Define users who can use Temporary Access Pass to sign in to Azure AD.|
+|[x509CertificateAuthenticationMethodConfiguration](x509CertificateAuthenticationMethodConfiguration.md)|Define users who can use X.509 certificate to sign in to Azure AD.|
## Policies available to push users to set up authentication methods: |Policy | Description |
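Review bot: The added row links to `x509CertificateAuthenticationMethodConfiguration.md` in mixed case, while the other rows in this table link to all-lowercase file names and the new API page in this same change links to `../resources/x509certificateauthenticationmethodconfiguration.md`. Lowercase the link target so it resolves on case-sensitive hosts, and lowercase the link text too if the table's convention is lowercase type names.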
v1.0 Crosstenantaccesspolicy Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/crosstenantaccesspolicy-overview.md
+
+ Title: "Cross-tenant access settings API overview"
+description: "Cross-tenant access settings let you manage both B2B collaboration and B2B direct connect for your organization."
+
+ms.localizationpriority: medium
++
+# Cross-tenant access settings API overview
+
+Namespace: microsoft.graph
++
+In the traditional Azure AD B2B collaboration, any invited user from an organization could use their identity to access resources in external organizations. Administrators didn't have control over the user identities in their tenant that are allowed to sign in to external organizations. These limited controls made it difficult to prevent identities from your organization from being used in unauthorized ways.
+
+**Cross-tenant access settings** let you control and manage collaboration between users in your organization and other organizations. The control can be on either **outbound access** (how your users collaborate with other organizations), **inbound access** (how other organizations collaborate with you), or both.
+
+Granular controls let you determine the users, groups, and apps, both in your organization and in external organizations, that can participate in Azure AD B2B collaboration and Azure AD B2B direct connect. These controls are implemented through:
+++ **Default cross-tenant access settings** which set the baseline inbound and outbound access settings.
+ + In Azure AD B2B collaboration, both access settings are enabled by default. This means all your users can be invited to external organizations, and all your users can invite external users.
+ + In Azure AD B2B direct connect, both access settings are disabled by default.
+ + The service default settings may be updated.
++ **Partner-specific access settings** which allow you to configure customized settings for individual organizations. For the configured organizations, this configuration takes precedence over the default settings. Therefore, while Azure AD B2B collaboration and Azure AD B2B direct connect might be disabled across your organization by default, you can enable these features for a specific external organization.+
+> [!IMPORTANT]
+>
+> By configuring B2B direct connect outbound settings, you agree to allow external organizations that you have enabled outbound settings with to access limited contact data about your users. Microsoft shares this data with those organizations to help them send a request to connect with your users. Data collected by external organizations, including limited contact data, is subject to the privacy policies and practices of those organizations.
+
+## Default cross-tenant access settings
+
+Default cross-tenant access settings determine your stance for inbound and outbound collaboration with all other Azure AD organizations. Any external collaboration with an organization not listed explicitly in your cross-tenant access settings will inherit these default settings. Default settings are defined using the [crossTenantAccessPolicyConfigurationDefault](../resources/crosstenantaccesspolicyconfigurationdefault.md) resource type.
+
+By default, Azure AD assigns all Azure AD tenants a service default configuration for cross-tenant access settings. You can override these service defaults with your own configuration to suit your organization. You can confirm whether you're using the service default settings or have modified the default settings by looking at the **isServiceDefault** property returned when you query the default endpoint.
+
+## Partner cross-tenant access settings
+
+Partner-specific cross-tenant access settings determine your stance for inbound and outbound collaboration with a specific Azure AD organization. Any collaboration with this organization will inherit these partner-specific settings. Partner settings are defined using the [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) resource type.
+
+Even though you have added a partner to your cross-tenant access settings, some of your default settings will still apply. For example, if you configure only **b2bCollaborationInbound** for a partner in your cross-tenant access settings, all other settings for that partner configuration will be inherited from the default cross-tenant access settings. When querying the partner endpoint, any property on the partner object that is `null` means that for that property, it's inheriting settings from the default policy.
+
+## Inbound trust settings in cross-tenant access settings
+
+Inbound trust settings enable you to trust the MFA external users perform in their home directories. This prevents external users from having to perform MFA both in their home directories and in your directory. With inbound trust settings, you enable a seamless authentication experience for your external users and save on the MFA costs incurred by your organization.
+
+For example, when you configure your trust settings to trust MFA, your MFA policies are still applied to external users, but users who have already completed MFA in their home tenants won't have to complete MFA again in your tenant.
+
+Inbound trust settings also enable you to trust devices that are compliant, or hybrid Azure AD joined in their home directories. With inbound trust settings in cross-tenant access settings, you can now protect access to your apps and resources by requiring that external users use compliant, or hybrid Azure AD joined devices.
+
+## Interpreting the API response
+
+The cross-tenant access settings API can be used to set up multiple configurations for allowing or blocking access to and from your organization. The following table highlights scenarios, shows an example of the API response, and what the interpretation should be of that response. **b2bSetting** is used as a placeholder for any B2B inbound (**b2bCollaborationInbound** or **b2bDirectConnectInbound**) or outbound (**b2bCollaborationOutbound** or **b2bDirectConnectOutbound**) configuration.
+
+<table>
+<tr>
+<td> Scenario </td> <td> API output </td> <td> Interpretation </td>
+</tr>
+<tr>
+<td> Block all users and block all applications </td>
+<td>
+
+``` json
+"b2bsetting": {
+ "usersAndGroups": {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+</td>
+<td> - </td>
+</tr>
+<tr>
+<td> Allow all users and allow all applications </td>
+<td>
+
+``` json
+"b2bsetting": {
+ "usersAndGroups": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+</td>
+<td> - </td>
+</tr>
+<tr>
+<td> Allow users in group 'g1' to access any app </td>
+<td>
+
+``` json
+"b2bSetting": {
+ "usersAndGroups": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "g1",
+ "targetType": "group"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+</td>
+<td> Users in group 'g1' can access any app. All other users not in group 'g1' are blocked. </td>
+</tr>
+<tr>
+<td> Allow access to only application 'a1' </td>
+<td>
+
+``` json
+"b2bSetting": {
+ "usersAndGroups": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "AllUsers",
+ "targetType": "user"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "a1",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+</td>
+<td> All users are only allowed to access application 'a1' </td>
+</tr>
+<tr>
+<td> Allow users in group 'g1' and block access to application 'a1' </td>
+<td>
+
+``` json
+"b2bSetting": {
+ "usersAndGroups": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "g1",
+ "targetType": "group"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "a1",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+</td>
+<td> All users in group 'g1' are allowed to access any application <b>except</b> application 'a1'. </td>
+</tr>
+<tr>
+<td> Block users in group 'g1' from accessing any application </td>
+<td>
+
+``` json
+"b2bSetting": {
+ "usersAndGroups": {
+ "accessType": " blocked",
+ "targets": [
+ {
+ "target": "g1",
+ "targetType": "group"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "AllApplications",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+</td>
+<td> Users in group 'g1' can't access any application. Other users not in group 'g1' have access to all applications. </td>
+</tr>
+<tr>
+<td> Block users in group 'g1' and allow access to application 'a1' only </td>
+<td>
+
+``` json
+"b2bSetting": {
+ "usersAndGroups": {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "g1",
+ "targetType": "group"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "a1",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+</td>
+<td> Users in group 'g1' can't access any application. Any user not in group 'g1' can only access application 'a1'. </td>
+</tr>
+<tr>
+<td> Allow users in group 'g1' to access to only application 'a1' </td>
+<td>
+
+``` json
+"b2bSetting": {
+ "usersAndGroups": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "g1",
+ "targetType": "group"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "allowed",
+ "targets": [
+ {
+ "target": "a1",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+</td>
+<td> Users in group 'g1' are only allowed to access application 'a1'. All users, including users in group 'g1', are blocked from accessing any other application. </td>
+</tr>
+<tr>
+<td> Block users in group 'g1' from accessing application 'a1' </td>
+<td>
+
+``` json
+"b2bSetting": {
+ "usersAndGroups": {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "g1",
+ "targetType": "group"
+ }
+ ]
+ },
+ "applications": {
+ "accessType": "blocked",
+ "targets": [
+ {
+ "target": "a1",
+ "targetType": "application"
+ }
+ ]
+ }
+}
+```
+
+</td>
+<td> Users in group 'g1' are blocked from accessing application 'a1' only. All users, including users in group 'g1' are able to access any other application. </td>
+</tr>
+</table>
+
+## Cross-tenant access settings vs tenant restrictions
+
+Cross-tenant access settings outbound controls are for controlling how **your organization's accounts** are used for accessing resources in other Azure AD organizations. Tenant Restrictions are for controlling how your employees use **other Azure AD organizations' accounts while the employee is on your networks or devices**. Critically, outbound controls work all the time because they're associated with your accounts, while Tenant Restrictions require additional signals to be injected into the authentication requests to be enforced, because Tenant Restrictions are scoped to networks and devices, not accounts. Learn more about [Tenant Restrictions](/azure/active-directory/manage-apps/tenant-restrictions).
+
+## Next steps
+++ [Cross-tenant access settings documentation](/azure/active-directory/external-identities/cross-tenant-access-overview)++ [crossTenantAccessPolicyConfigurationDefault](../resources/crosstenantaccesspolicyconfigurationdefault.md) resource type++ [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) resource type
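Review bot: In the "Block users in group 'g1' from accessing any application" row, the sample has `"accessType": " blocked"` with a leading space inside the string. A reader who copies it into a request would send a value that is not `blocked`; remove the space. The first two rows also key the object as `"b2bsetting"`, while every later row and the prose use `b2bSetting`; pick one casing for the placeholder. Finally, the first two rows give "-" as the interpretation. A short sentence there would match the rest of the table, especially for the allow-all row, since that is the configuration the text says B2B collaboration ships with by default.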
v1.0 Crosstenantaccesspolicy https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/crosstenantaccesspolicy.md
+
+ Title: "crossTenantAccessPolicy resource type"
+description: "Cross-tenant access policy represents the base policy in the directory for cross-tenant access settings."
+
+ms.localizationpriority: medium
++
+# crossTenantAccessPolicy resource type
+
+Namespace: microsoft.graph
++
+Represents the base policy in the directory for cross-tenant access settings.
+
+Inherits from [tenantRelationshipAccessPolicyBase](../resources/tenantrelationshipaccesspolicybase.md).
+
+## Methods
+
+|Method|Return type|Description|
+|:|:|:|
+|[Get crossTenantAccessPolicy](../api/crosstenantaccesspolicy-get.md)|[crossTenantAccessPolicy](../resources/crosstenantaccesspolicy.md)|Read the properties and relationships of a [crossTenantAccessPolicy](../resources/crosstenantaccesspolicy.md) object.|
+|[Update crossTenantAccessPolicy](../api/crosstenantaccesspolicy-update.md)|[crossTenantAccessPolicy](../resources/crosstenantaccesspolicy.md)|Update the properties of a [crossTenantAccessPolicy](../resources/crosstenantaccesspolicy.md) object.|
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+| displayName | String | The display name of the cross-tenant access policy. Inherited from [policyBase](../resources/policybase.md).|
+| lastModifiedDateTime | DateTimeOffset | The time that the cross tenant access policy was last modified represented using ISO 8601 format and always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
+| definition (deprecated) | String | The raw JSON definition of the cross-tenant access policy. **Deprecated. Do not use.**|
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|default|[crossTenantAccessPolicyConfigurationDefault](../resources/crosstenantaccesspolicyconfigurationdefault.md)|Defines the default configuration for how your organization interacts with external Azure Active Directory organizations.|
+|partners|[crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) collection|Defines partner-specific configurations for external Azure Active Directory organizations.|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicy",
+ "baseType": "microsoft.graph.tenantRelationshipAccessPolicyBase",
+ "openType": false
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.crossTenantAccessPolicy",
+ "displayName": "String",
+ "lastModifiedDateTime": "String (timestamp)",
+ "definition": "String"
+}
+```
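Review bot: The resource metadata declares `"keyProperty": "id"`, but neither the Properties table nor the JSON representation lists an `id` property. Either document `id` (noting where it is inherited from, as is done for `displayName`) or drop the key declaration. Separately, `definition` is marked "Deprecated. Do not use." in the table but appears unmarked in the JSON representation; consider omitting it from the sample so it is not copied into new integrations.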
v1.0 Crosstenantaccesspolicyb2bsetting https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/crosstenantaccesspolicyb2bsetting.md
+
+ Title: "crossTenantAccessPolicyB2BSetting resource type"
+description: "Defines the inbound and outbound rulesets for Azure Active Directory (Azure AD) B2B collaboration."
+
+ms.localizationpriority: medium
++
+# crossTenantAccessPolicyB2BSetting resource type
+
+Namespace: microsoft.graph
++
+Defines the inbound and outbound rulesets for Azure Active Directory (Azure AD) B2B collaboration.
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+|applications|[crossTenantAccessPolicyTargetConfiguration](../resources/crosstenantaccesspolicytargetconfiguration.md)|The list of applications targeted with your cross-tenant access policy.|
+|usersAndGroups|[crossTenantAccessPolicyTargetConfiguration](../resources/crosstenantaccesspolicytargetconfiguration.md)|The list of users and groups targeted with your cross-tenant access policy.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.crossTenantAccessPolicyB2BSetting",
+ "usersAndGroups": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyTargetConfiguration"
+ },
+ "applications": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyTargetConfiguration"
+ }
+}
+```
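Review bot: The description and the opening sentence say this type defines rulesets for "Azure Active Directory (Azure AD) B2B collaboration" only, yet the configuration types in this same change use it for `b2bDirectConnectInbound` and `b2bDirectConnectOutbound` as well. Mention B2B direct connect in both places. The property descriptions ("The list of applications targeted ...") also read as plain lists, while the overview samples show that each carries an `accessType` of allowed or blocked; say so here, since that value decides whether the targets are an allow list or a block list.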
v1.0 Crosstenantaccesspolicyconfigurationbase https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/crosstenantaccesspolicyconfigurationbase.md
+
+ Title: "crossTenantAccessPolicyConfigurationBase resource type"
+description: "Defines the properties that are common in a cross-tenant access policy configuration for the default and partner-specific settings."
+
+ms.localizationpriority: medium
++
+# crossTenantAccessPolicyConfigurationBase resource type
+
+Namespace: microsoft.graph
++
+An abstract type that defines the properties that are common in a cross-tenant access policy configuration for the default and partner-specific settings that govern Azure Active Directory (Azure AD) B2B collaboration and B2B direct connect.
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+|b2bCollaborationInbound|[crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md)|Defines your configuration for users from other organizations accessing your resources via Azure AD B2B collaboration.|
+|b2bCollaborationOutbound|[crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md)|Defines your configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration.|
+|b2bDirectConnectInbound|[crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md)|Defines your configuration for users from other organizations accessing your resources via Azure AD B2B direct connect.|
+|b2bDirectConnectOutbound|[crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md)|Defines your configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect.|
+|inboundTrust|[crossTenantAccessPolicyInboundTrust](../resources/crosstenantaccesspolicyinboundtrust.md)|Determines the configuration for trusting other Conditional Access claims from external Azure AD organizations.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyConfigurationBase",
+ "openType": false
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.crossTenantAccessPolicyConfigurationBase",
+ "inboundTrust": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyInboundTrust"
+ },
+ "b2bCollaborationOutbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "b2bCollaborationInbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "b2bDirectConnectOutbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "b2bDirectConnectInbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ }
+}
+```
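Review bot: The `inboundTrust` description says it configures "trusting other Conditional Access claims", but "other" has no referent on this page. Reword to something like "trusting Conditional Access claims (MFA, compliant device, hybrid Azure AD joined device) from external Azure AD organizations". The metadata also sets `"keyProperty": "id"` on this abstract type, although no `id` property is documented here or on the derived default and partner types.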
v1.0 Crosstenantaccesspolicyconfigurationdefault https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/crosstenantaccesspolicyconfigurationdefault.md
+
+ Title: "crossTenantAccessPolicyConfigurationDefault resource type"
+description: "The default configuration defined for inbound and outbound settings of Azure AD B2B collaboration and B2B direct connect."
+
+ms.localizationpriority: medium
++
+# crossTenantAccessPolicyConfigurationDefault resource type
+
+Namespace: microsoft.graph
++
+The default configuration defined for inbound and outbound settings of Azure AD B2B collaboration and B2B direct connect.
+
+Inherits from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md).
+
+## Methods
+
+|Method|Return type|Description|
+|:|:|:|
+|[Get crossTenantAccessPolicyConfigurationDefault](../api/crosstenantaccesspolicyconfigurationdefault-get.md)|[crossTenantAccessPolicyConfigurationDefault](../resources/crosstenantaccesspolicyconfigurationdefault.md)|Get the default configuration for B2B collaboration and B2B direct connect inbound and outbound settings.|
+|[Update crossTenantAccessPolicyConfigurationDefault](../api/crosstenantaccesspolicyconfigurationdefault-update.md)|None|Update the default configuration for B2B collaboration and B2B direct connect inbound and outbound settings.|
+|[Reset to system default](../api/crosstenantaccesspolicyconfigurationdefault-resettosystemdefault.md)|None|Reset the default configuration for a cross-tenant access policy to the system default settings.|
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+| b2bCollaborationInbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) |Defines your default configuration for users from other organizations accessing your resources via Azure AD B2B collaboration. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| b2bCollaborationOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) |Defines your default configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| b2bDirectConnectInbound |[crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your default configuration for users from other organizations accessing your resources via Azure AD B2B direct connect. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| b2bDirectConnectOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) |Defines your default configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| inboundTrust | [crossTenantAccessPolicyInboundTrust](../resources/crosstenantaccesspolicyinboundtrust.md) | Determines the default configuration for trusting other Conditional Access claims from external Azure AD organizations. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| isServiceDefault | Boolean | If `true`, the default configuration is set to the system default configuration. If `false`, the default settings have been customized. |
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyConfigurationDefault",
+ "baseType": "microsoft.graph.crossTenantAccessPolicyConfigurationBase",
+ "openType": false
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.crossTenantAccessPolicyConfigurationDefault",
+ "inboundTrust": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyInboundTrust"
+ },
+ "b2bCollaborationOutbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "b2bCollaborationInbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "b2bDirectConnectOutbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "b2bDirectConnectInbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "isServiceDefault": "Boolean"
+}
+```
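Review bot: Terminology is inconsistent between "system default" and "service default". The method row and the `isServiceDefault` description say "system default", while the property name and the overview page in this change say "service default". Use one term throughout so readers do not assume these are two different baselines. The `isServiceDefault` row should also state whether the property is read-only, since the Update method is listed on the same page.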
v1.0 Crosstenantaccesspolicyconfigurationpartner https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/crosstenantaccesspolicyconfigurationpartner.md
+
+ Title: "crossTenantAccessPolicyConfigurationPartner resource type"
+description: "The partner-specific configuration that is defined for inbound and outbound settings of Azure AD B2B collaboration and B2B direct connect."
+
+ms.localizationpriority: medium
++
+# crossTenantAccessPolicyConfigurationPartner resource type
+
+Namespace: microsoft.graph
++
+The partner-specific configuration that is defined for inbound and outbound settings of Azure AD B2B and B2B direct connect collaboration.
+
+For any partner-specific property that is `null`, these settings will inherit the behavior configured in your [default cross tenant access settings](../resources/crosstenantaccesspolicyconfigurationdefault.md).
+
+Inherits from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md).
+
+## Methods
+
+|Method|Return type|Description|
+|:|:|:|
+| [List partners](../api/crosstenantaccesspolicy-list-partners.md) | [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) collection | Get a list of all partner-specific configurations. |
+| [Create crossTenantAccessPolicyConfigurationPartner](../api/crosstenantaccesspolicy-post-partners.md) | [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) | Create a new partner-specific configuration. |
+| [Get crossTenantAccessPolicyConfigurationPartner](../api/crosstenantaccesspolicyconfigurationpartner-get.md) | [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) | Read the partner-specific configuration settings. |
+| [Update crossTenantAccessPolicyConfigurationPartner](../api/crosstenantaccesspolicyconfigurationpartner-update.md) | [crossTenantAccessPolicyConfigurationPartner](../resources/crosstenantaccesspolicyconfigurationpartner.md) | Update the properties of a partner-specific configuration. |
+| [Delete crossTenantAccessPolicyConfigurationPartner](../api/crosstenantaccesspolicyconfigurationpartner-delete.md) | None | Delete the partner-specific configuration. |
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+| b2bCollaborationInbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B collaboration. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| b2bCollaborationOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| b2bDirectConnectInbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure B2B direct connect. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| b2bDirectConnectOutbound | [crossTenantAccessPolicyB2BSetting](../resources/crosstenantaccesspolicyb2bsetting.md) | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| inboundTrust | [crossTenantAccessPolicyInboundTrust](../resources/crosstenantaccesspolicyinboundtrust.md) | Determines the partner-specific configuration for trusting other Conditional Access claims from external Azure AD organizations. Inherited from [crossTenantAccessPolicyConfigurationBase](../resources/crosstenantaccesspolicyconfigurationbase.md). |
+| isServiceProvider | Boolean | Identifies whether the partner-specific configuration is a Cloud Service Provider for your organization. |
+| tenantId | String | The tenant identifier for the partner Azure AD organization. Read-only.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyConfigurationPartner",
+ "baseType": "microsoft.graph.crossTenantAccessPolicyConfigurationBase",
+ "openType": false
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.crossTenantAccessPolicyConfigurationPartner",
+ "tenantId": "String",
+ "inboundTrust": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyInboundTrust"
+ },
+ "b2bCollaborationOutbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "b2bCollaborationInbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "b2bDirectConnectOutbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "b2bDirectConnectInbound": {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyB2BSetting"
+ },
+ "isServiceProvider": "Boolean"
+}
+```
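Review bot: The resource metadata comment declares `"keyProperty": "id"`, but the JSON representation that follows has no `id` property; the only identifier it shows is `tenantId`. If `tenantId` is the key, set `keyProperty` to it, otherwise show `id` in the JSON representation. Separately, the `b2bDirectConnectInbound` row says "Azure B2B direct connect" while the `b2bDirectConnectOutbound` row says "Azure AD B2B direct connect"; use one product name in both rows.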
v1.0 Crosstenantaccesspolicyinboundtrust https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/crosstenantaccesspolicyinboundtrust.md
+
+ Title: "crossTenantAccessPolicyInboundTrust resource type"
+description: "Defines the Conditional Access claims you want to accept from other organizations via your cross-tenant access policy configuration."
+
+ms.localizationpriority: medium
++
+# crossTenantAccessPolicyInboundTrust resource type
+
+Namespace: microsoft.graph
++
+Defines the Conditional Access claims you want to accept from other Azure AD organizations via your cross-tenant access policy configuration. These can be configured in your default configuration, partner-specific configuration, or both.
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+| isCompliantDeviceAccepted | Boolean | Specifies whether compliant devices from external Azure AD organizations are trusted. |
+| isHybridAzureADJoinedDeviceAccepted | Boolean | Specifies whether hybrid Azure AD joined devices from external Azure AD organizations are trusted. |
+| isMfaAccepted | Boolean | Specifies whether MFA from external Azure AD organizations is trusted.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyInboundTrust"
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.crossTenantAccessPolicyInboundTrust",
+ "isMfaAccepted": "Boolean",
+ "isCompliantDeviceAccepted": "Boolean",
+ "isHybridAzureADJoinedDeviceAccepted": "Boolean"
+}
+```
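Review bot: The introduction says these claims can be set in the default configuration, the partner-specific configuration, or both, but neither the description nor the property rows say which value applies when both are set, or when a property is left unset in the partner configuration. Because `isMfaAccepted`, `isCompliantDeviceAccepted` and `isHybridAzureADJoinedDeviceAccepted` decide whether claims from an external tenant are trusted, state the precedence and the meaning of a null value in each row.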
v1.0 Crosstenantaccesspolicytarget https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/crosstenantaccesspolicytarget.md
+
+ Title: "crossTenantAccessPolicyTarget resource type"
+description: "Defines how to target your cross-tenant access policy settings. Settings can be targeted to specific users, groups, or applications."
+
+ms.localizationpriority: medium
++
+# crossTenantAccessPolicyTarget resource type
+
+Namespace: microsoft.graph
++
+Defines how to target your cross-tenant access policy settings. Settings can be targeted to specific users, groups, or applications. You can also use keywords to target specific groups or applications.
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+| target | String | The unique identifier of the user, group, or application; one of the following keywords: `AllUsers` and `AllApplications`; or for targets that are applications, you may use [reserved values](#reserved-values-for-targets-that-are-applications). |
+| targetType | crossTenantAccessPolicyTargetType | The type of resource that you want to target. The possible values are: `user`, `group`, `application`, `unknownFutureValue`. |
+
+### Reserved values for targets that are applications
+
+When setting application targets, you can also use the following reserved values:
+
+| Symbol | Description |
+|:|:|
+| AllMicrosoftApps | Refers to any [Microsoft cloud application](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#microsoft-cloud-applications). |
+| Office365 | Includes the applications mentioned as part of the [Office365](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#office-365) suite. |
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyTarget"
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.crossTenantAccessPolicyTarget",
+ "target": "String",
+ "targetType": "microsoft.graph.crossTenantAccessPolicyTargetType"
+}
+```
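Review bot: The `target` row allows the keywords `AllUsers` and `AllApplications` and the reserved values `AllMicrosoftApps` and `Office365`, and the `targetType` row lists `user`, `group`, `application`, but neither row says which `targetType` must accompany a keyword or a reserved value. Spell out the valid pairings, and change "one of the following keywords: `AllUsers` and `AllApplications`" to use "or". The introduction also says keywords target "specific groups or applications", which does not match the `AllUsers` keyword.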
v1.0 Crosstenantaccesspolicytargetconfiguration https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/crosstenantaccesspolicytargetconfiguration.md
+
+ Title: "crossTenantAccessPolicyTargetConfiguration resource type"
+description: "Defines the target of a cross-tenant access policy setting configuration."
+
+ms.localizationpriority: medium
++
+# crossTenantAccessPolicyTargetConfiguration resource type
+
+Namespace: microsoft.graph
++
+Defines the target of a cross-tenant access policy setting configuration.
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+| accessType| crossTenantAccessPolicyTargetConfigurationAccessType | Defines whether access is allowed or blocked. The possible values are: `allowed`, `blocked`, `unknownFutureValue`. |
+|targets|[crossTenantAccessPolicyTarget](../resources/crosstenantaccesspolicytarget.md) collection|Specifies whether to target users, groups, or applications with this rule.|
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyTargetConfiguration"
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.crossTenantAccessPolicyTargetConfiguration",
+ "accessType": "String",
+ "targets": [
+ {
+ "@odata.type": "microsoft.graph.crossTenantAccessPolicyTarget"
+ }
+ ]
+}
+```
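Review bot: In the JSON representation `accessType` is shown as `"String"`, while the properties table types it as `crossTenantAccessPolicyTargetConfigurationAccessType` with the values `allowed`, `blocked`, `unknownFutureValue`. The crossTenantAccessPolicyTarget page added in the same change writes its enum as `"targetType": "microsoft.graph.crossTenantAccessPolicyTargetType"`; follow one convention on both pages. The `targets` row would also be clearer if it said what an empty collection means for an `allowed` or a `blocked` rule.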
v1.0 Enums https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/enums.md
Namespace: microsoft.graph
+### crossTenantAccessPolicyTargetConfigurationAccessType values
+
+|Member|
+|:|
+|allowed|
+|blocked|
+|unknownFutureValue|
+
+### crossTenantAccessPolicyTargetType values
+
+|Member|
+|:|
+|user|
+|group|
+ ### accessPackageFilterByCurrentUserOptions values |Member|
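Review bot: As shown here, the added `crossTenantAccessPolicyTargetType values` table lists only `user` and `group` before the next heading, while the crossTenantAccessPolicyTarget resource page gives the possible values as `user`, `group`, `application`, `unknownFutureValue`. Add the two missing members so the enum reference matches the resource page.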
Namespace: microsoft.graph
|block| |unknownFutureValue|
+### x509CertificateAuthenticationMode values
+|Member|
+|:|
+|x509CertificateSingleFactor|
+|x509CertificateMultiFactor|
+|unknownFutureValue|
+
+### x509CertificateRuleType values
+|Member|
+|:|
+|issuerSubject|
+|policyOID|
+|unknownFutureValue|
+ ### anniversaryType values |Member|
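Review bot: The `x509CertificateAuthenticationMode values` and `x509CertificateRuleType values` headings are followed directly by their tables with no blank line, unlike the `crossTenantAccessPolicyTargetConfigurationAccessType values` section added earlier in this file. Add the blank line after each heading so the new sections are formatted the same way.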
Possible values for user account types (group membership), per Windows definitio
|or| |and| - ### subjectRightsRequestStage values |Member|
v1.0 Extensionproperty https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/extensionproperty.md
Extensions can be added to [user](user.md), [group](group.md), [organization](or
|:-|:|:| |appDisplayName|String| Display name of the application object on which this extension property is defined. Read-only. | |dataType|String| Specifies the data type of the value the extension property can hold. Following values are supported. Not nullable. <ul><li>`Binary` - 256 bytes maximum</li><li>`Boolean`</li><li>`DateTime` - Must be specified in ISO 8601 format. Will be stored in UTC.</li><li>`Integer` - 32-bit value.</li><li>`LargeInteger` - 64-bit value.</li><li>`String` - 256 characters maximum</li></ul>|
-|isSyncedFromOnPremises|Boolean| Indicates if this extension property was sycned from onpremises directory using Azure AD Connect. Read-only. |
+|isSyncedFromOnPremises|Boolean| Indicates if this extension property was synced from on-premises active directory using Azure AD Connect. Read-only. |
|name|String| Name of the extension property. Not nullable. | |targetObjects|String collection| Following values are supported. Not nullable. <ul><li>`User`</li><li>`Group`</li><li>`Organization`</li><li>`Device`</li><li>`Application`</li></ul>|
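Review bot: In the new `isSyncedFromOnPremises` description, "on-premises active directory" names the product and should be capitalized as "on-premises Active Directory". If the generic sense was intended, keep "on-premises directory" instead.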
v1.0 Licenseassignmentstate https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/licenseAssignmentState.md
The **licenseAssignmentStates** property of the [user](user.md) entity is a coll
|:|:--|:-| |assignedByGroup|string|The id of the group that assigns this license. If the assignment is a direct-assigned license, this field will be Null. Read-Only.| |disabledPlans|Collection(String)|The service plans that are disabled in this assignment. Read-Only.|
-|error|String|License assignment failure error. If the license is assigned successfully, this field will be Null. Read-Only. Possible values: `CountViolation`, `MutuallyExclusiveViolation`, `DependencyViolation`, `ProhibitedInUsageLocationViolation`, `UniquenessViolation`, and `Others`. For more information on how to identify and resolve license assignment errors see [here](/azure/active-directory/users-groups-roles/licensing-groups-resolve-problems).|
+|error|String|License assignment failure error. If the license is assigned successfully, this field will be Null. Read-Only. The possible values are `CountViolation`, `MutuallyExclusiveViolation`, `DependencyViolation`, `ProhibitedInUsageLocationViolation`, `UniquenessViolation`, and `Other`. For more information on how to identify and resolve license assignment errors see [here](/azure/active-directory/users-groups-roles/licensing-groups-resolve-problems).|
|lastUpdatedDateTime|DateTimeOffset|The timestamp when the state of the license assignment was last updated.| |skuId|String|The unique identifier for the SKU. Read-Only.|
-|state|String|Indicate the current state of this assignment. Read-Only. Possible values: Active, ActiveWithError, Disabled and Error.|
+|state|String|Indicate the current state of this assignment. Read-Only. The possible values are `Active`, `ActiveWithError`, `Disabled`, and `Error`.|
## JSON representation
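Review bot: The `error` row changes a documented value from `Others` to `Other` inside what otherwise reads as a wording and formatting cleanup. Callers match on these strings, so confirm that `Other` is what the API returns and call the correction out in the change description. In the `state` row, "Indicate the current state" should read "Indicates".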
v1.0 Policyroot https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/policyroot.md
None
## Properties None - ## Relationships
-| Relationship | Type | Description |
-|:|:-|:|
-| accessReviewPolicy | [accessReviewPolicy](accessreviewpolicy.md) | The policy that contains directory-level access review settings. |
-| activityBasedTimeoutPolicies | [activityBasedTimeoutPolicy](activitybasedtimeoutpolicy.md) collection | The policy that controls the idle time out for web sessions for applications. |
-| adminConsentRequestPolicy | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) | The policy by which consent requests are created and managed for the entire tenant. |
-| appManagementPolicies | [appManagementPolicy](appmanagementpolicy.md) collection | The policies that enforce app management restrictions for specific applications and service principals, overriding the defaultAppManagementPolicy. |
-| authenticationFlowsPolicy | [authenticationFlowsPolicy](authenticationflowspolicy.md) | The policy configuration of the self-service sign-up experience of external users. |
-| authenticationMethodsPolicy | [authenticationMethodsPolicy](authenticationmethodspolicy.md) | The authentication methods and the users that are allowed to use them to sign in and perform multi-factor authentication (MFA) in Azure Active Directory (Azure AD). |
-| authorizationPolicy | [authorizationPolicy](authorizationpolicy.md) collection | The policy that controls Azure AD authorization settings. |
-| b2cAuthenticationMethodsPolicy | [b2cAuthenticationMethodsPolicy](b2cauthenticationmethodspolicy.md) | The Azure AD B2C policies that define how end users register via local accounts. |
-| claimsMappingPolicies | [claimsMappingPolicy](claimsmappingpolicy.md) collection | The claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. |
-| conditionalAccessPolicies | [conditionalAccessPolicy](conditionalaccesspolicy.md) | The custom rules that define an access scenario. |
-| defaultAppManagementPolicy | [tenantAppManagementPolicy](tenantappmanagementpolicy.md) | The tenant-wide policy that enforces app management restrictions for all applications and service principals. |
-| deviceRegistrationPolicy | [deviceRegistrationPolicy](deviceregistrationpolicy.md) | Represents the policy scope that controls quota restrictions, additional authentication, and authorization policies to register device identities to your organization. |
-| featureRolloutPolicies | [featureRolloutPolicy](featurerolloutpolicy.md) collection | The feature rollout policy associated with a directory object. |
-| homeRealmDiscoveryPolicies | [homeRealmDiscoveryPolicy](homerealmdiscoverypolicy.md) collection | The policy to control Azure AD authentication behavior for federated users. |
-| identitySecurityDefaultsEnforcementPolicy | [identitySecurityDefaultsEnforcementPolicy](identitysecuritydefaultsenforcementpolicy.md) | The policy that represents the security defaults that protect against common attacks. |
-| mobileAppManagementPolicies | [mobilityManagementPolicy](mobilitymanagementpolicy.md) collection | The policy that defines auto-enrollment configuration for a mobility management (MDM or MAM) application. |
-| permissionGrantPolicies | [permissionGrantPolicy](permissiongrantpolicy.md) collection | The policy that specifies the conditions under which consent can be granted. |
-| roleManagementPolicies | [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) collection | Represents the role management policies. |
-| roleManagementPolicyAssignments | [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) collection | Represents the role management policy assignments. |
-| tokenIssuancePolicies | [tokenIssuancePolicy](tokenissuancepolicy.md) collection | The policy that specifies the characteristics of SAML tokens issued by Azure AD. |
-| tokenLifetimePolicies | [tokenLifetimePolicy](tokenlifetimepolicy.md) collection | The policy that controls the lifetime of a JWT access token, an ID token, or a SAML 1.1/2.0 token issued by Azure AD. |
+
+| Relationship | Type | Description |
+|:|:-|:|
+| accessReviewPolicy | [accessReviewPolicy](accessreviewpolicy.md) | The policy that contains directory-level access review settings. |
+| activityBasedTimeoutPolicies | [activityBasedTimeoutPolicy](activitybasedtimeoutpolicy.md) collection | The policy that controls the idle time out for web sessions for applications. |
+| adminConsentRequestPolicy | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) | The policy by which consent requests are created and managed for the entire tenant. |
+| appManagementPolicies | [appManagementPolicy](appmanagementpolicy.md) collection | The policies that enforce app management restrictions for specific applications and service principals, overriding the defaultAppManagementPolicy. |
+| authenticationFlowsPolicy | [authenticationFlowsPolicy](authenticationflowspolicy.md) | The policy configuration of the self-service sign-up experience of external users. |
+| authenticationMethodsPolicy | [authenticationMethodsPolicy](authenticationmethodspolicy.md) | The authentication methods and the users that are allowed to use them to sign in and perform multi-factor authentication (MFA) in Azure Active Directory (Azure AD). |
+| authorizationPolicy | [authorizationPolicy](authorizationpolicy.md) collection | The policy that controls Azure AD authorization settings. |
+| b2cAuthenticationMethodsPolicy | [b2cAuthenticationMethodsPolicy](b2cauthenticationmethodspolicy.md) | The Azure AD B2C policies that define how end users register via local accounts. |
+| claimsMappingPolicies | [claimsMappingPolicy](claimsmappingpolicy.md) collection | The claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. |
+| conditionalAccessPolicies | [conditionalAccessPolicy](conditionalaccesspolicy.md) | The custom rules that define an access scenario. |
+| crossTenantAccessPolicy | [crossTenantAccessPolicy](crosstenantaccesspolicy.md) | The custom rules that define an access scenario when interacting with external Azure AD tenants. |
+| defaultAppManagementPolicy | [tenantAppManagementPolicy](tenantappmanagementpolicy.md) | The tenant-wide policy that enforces app management restrictions for all applications and service principals. |
+| featureRolloutPolicies | [featureRolloutPolicy](featurerolloutpolicy.md) collection | The feature rollout policy associated with a directory object. |
+| homeRealmDiscoveryPolicies | [homeRealmDiscoveryPolicy](homerealmdiscoverypolicy.md) collection | The policy to control Azure AD authentication behavior for federated users. |
+| identitySecurityDefaultsEnforcementPolicy | [identitySecurityDefaultsEnforcementPolicy](identitysecuritydefaultsenforcementpolicy.md) | The policy that represents the security defaults that protect against common attacks. |
+| mobileAppManagementPolicies | [mobilityManagementPolicy](mobilitymanagementpolicy.md) collection | The policy that defines auto-enrollment configuration for a mobility management (MDM or MAM) application. |
+| permissionGrantPolicies | [permissionGrantPolicy](permissiongrantpolicy.md) collection | The policy that specifies the conditions under which consent can be granted. |
+| roleManagementPolicies | [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) collection | Represents the role management policies. |
+| roleManagementPolicyAssignments | [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) collection | Represents the role management policy assignments. |
+| tokenIssuancePolicies | [tokenIssuancePolicy](tokenissuancepolicy.md) collection | The policy that specifies the characteristics of SAML tokens issued by Azure AD. |
+| tokenLifetimePolicies | [tokenLifetimePolicy](tokenlifetimepolicy.md) collection | The policy that controls the lifetime of a JWT access token, an ID token, or a SAML 1.1/2.0 token issued by Azure AD. |
## JSON representation The following is a JSON representation of the resource.
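Review bot: The rewritten Relationships table no longer has the `deviceRegistrationPolicy` row that the removed table carried, and nothing in the hunk explains the removal. If the intent was only to add `crossTenantAccessPolicy`, restore the `deviceRegistrationPolicy` row. The new row's description, "The custom rules that define an access scenario when interacting with external Azure AD tenants", is adapted from the `conditionalAccessPolicies` row and would be clearer if it said the policy governs inbound and outbound access with other tenants.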
The following is a JSON representation of the resource.
"@odata.type": "#microsoft.graph.policyRoot" } ```-
v1.0 Resulttemplate https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/resulttemplate.md
The following is a JSON representation of the resource.
```json {
- "resultTemplateId": {
- "displayName": "String",
- "body": "Json schema"
- }
+ "resultTemplateId": {
+ "displayName": "String",
+ "body": "Json schema"
+ }
} ```
v1.0 Tenantrelationshipaccesspolicybase https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/tenantrelationshipaccesspolicybase.md
+
+ Title: "tenantRelationshipAccessPolicyBase resource type"
+description: "The base type that defines a tenant relationship."
+
+ms.localizationpriority: medium
++
+# tenantRelationshipAccessPolicyBase resource type
+
+Namespace: microsoft.graph
++
+The base type that defines a tenant relationship. This is an abstract type that's inherited by cross-tenant policy objects including [crossTenantAccessPolicy](crosstenantaccesspolicy.md).
+
+Inherits from [policyBase](policybase.md).
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+| definition (deprecated) | String collection | The raw JSON definition of the cross-tenant access policy. **Deprecated. Do not use.** |
+| description | String | Description for this policy. Required. Inherited from [policyBase](../resources/policybase.md). |
+| displayName | String collection | Display name for this policy. Required. Inherited from [policyBase](../resources/policybase.md). |
+
+## Relationships
+
+None.
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.tenantRelationshipAccessPolicyBase",
+ "baseType": "microsoft.graph.policyBase",
+ "openType": false
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.tenantRelationshipAccessPolicyBase",
+ "definition": [
+ "String"
+ ],
+ "description": "String",
+ "displayName": "String"
+}
+```
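Review bot: `displayName` is typed as `String collection` in the properties table but shown as `"displayName": "String"` in the JSON representation, and its description ("Display name for this policy") points to a single `String`; correct the table. Also, `definition` is introduced here already marked "Deprecated. Do not use." yet still appears in the JSON representation, so say what replaces it or drop it from the example.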
v1.0 User https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/user.md
This resource supports:
|:|:--|:| | aboutMe | String | A freeform text entry field for the user to describe themselves. <br><br>Returned only on `$select`. | | accountEnabled | Boolean | `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. <br><br>Supports `$filter` (`eq`, `ne`, `not`, and `in`). |
-| ageGroup | [ageGroup](#agegroup-values) | Sets the age group of the user. Allowed values: `null`, `minor`, `notAdult` and `adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Supports `$filter` (`eq`, `ne`, `not`, and `in`). |
+| ageGroup | [ageGroup](#agegroup-values) | Sets the age group of the user. Allowed values: `null`, `Minor`, `NotAdult` and `Adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Supports `$filter` (`eq`, `ne`, `not`, and `in`). |
| assignedLicenses | [assignedLicense](assignedlicense.md) collection | The licenses that are assigned to the user, including inherited (group-based) licenses. <br><br>Not nullable. Supports `$filter` (`eq` and `not`). | | assignedPlans | [assignedPlan](assignedplan.md) collection | The plans that are assigned to the user. Read-only. Not nullable.<br><br>Supports `$filter` (`eq` and `not`). | | birthday | DateTimeOffset | The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z` <br><br>Returned only on `$select`. | | businessPhones | String collection | The telephone numbers for the user. Only one number can be set for this property. <br><br>Read-only for users synced from on-premises directory. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`).| | city | String | The city in which the user is located. Maximum length is 128 characters. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values). |
-| companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length of the company name is 64 characters.<br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
-| consentProvidedForMinor | [consentProvidedForMinor](#consentprovidedforminor-values) | Sets whether consent has been obtained for minors. Allowed values: `null`, `granted`, `denied` and `notRequired`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Supports `$filter` (`eq`, `ne`, `not`, and `in`).|
+| companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters.<br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
+| consentProvidedForMinor | [consentProvidedForMinor](#consentprovidedforminor-values) | Sets whether consent has been obtained for minors. Allowed values: `null`, `Granted`, `Denied` and `NotRequired`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Supports `$filter` (`eq`, `ne`, `not`, and `in`).|
| country | String | The country/region in which the user is located; for example, `US` or `UK`. Maximum length is 128 characters. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values). | | createdDateTime | DateTimeOffset | The date and time the user was created. The value cannot be modified and is automatically populated when the entity is created. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. Property is nullable. A null value indicates that an accurate creation time couldn't be determined for the user. Read-only. <br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`). | | creationType | String | Indicates whether the user account was created through one of the following methods: <br/> <ul><li>As a regular school or work account (`null`). <li>As an external account (`Invitation`). <li>As a local account for an Azure Active Directory B2C tenant (`LocalAccount`). <li>Through self-service sign-up by an internal user using email verification (`EmailVerified`). <li>Through self-service sign-up by an external user signing up through a link that is part of a user flow (`SelfServiceSignUp`). </ul> <br>Read-only.<br>Supports `$filter` (`eq`, `ne`, `not`, and `in`). |
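Review bot: The allowed values for `ageGroup` and `consentProvidedForMinor` change case here (`minor` to `Minor`, `granted` to `Granted`, and so on), and both rows advertise `$filter` support. State whether these values are matched case-sensitively so callers know if existing lowercase filters and updates keep working.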
This resource supports:
| department | String | The name for the department in which the user works. Maximum length is 64 characters.<br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, and `eq` on `null` values). | | displayName | String | The name displayed in the address book for the user. This value is usually the combination of the user's first name, middle initial, and last name. This property is required when a user is created and it cannot be cleared during updates. Maximum length is 256 characters. <br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values), `$orderBy`, and `$search`.| | employeeHireDate | DateTimeOffset | The date and time when the user was hired or will start work in case of a future hire. <br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`).|
-| employeeId | String | The employee identifier assigned to the user by the organization. <br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
+| employeeId | String | The employee identifier assigned to the user by the organization. The maximum length is 16 characters.<br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
|employeeOrgData|[employeeOrgData](employeeorgdata.md) |Represents organization data (e.g. division and costCenter) associated with a user. <br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`).| | employeeType | String | Captures enterprise worker type. For example, `Employee`, `Contractor`, `Consultant`, or `Vendor`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`).| | externalUserState | String | For an external user invited to the tenant using the [invitation API](../api/invitation-post.md), this property represents the invited user's invitation status. For invited users, the state can be `PendingAcceptance` or `Accepted`, or `null` for all other users. <br><br>Supports `$filter` (`eq`, `ne`, `not` , `in`). |
This resource supports:
| isResourceAccount | Boolean | Do not use ΓÇô reserved for future use. | | jobTitle | String | The user's job title. Maximum length is 128 characters. <br><br>Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).| | lastPasswordChangeDateTime | DateTimeOffset | The time when this Azure AD user last changed their password or when their password was created, , whichever date the latest action was performed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. <br><br>Returned only on `$select`. |
-| legalAgeGroupClassification | [legalAgeGroupClassification](#legalagegroupclassification-values) | Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated based on **ageGroup** and **consentProvidedForMinor** properties. Allowed values: `null`, `minorWithOutParentalConsent`, `minorWithParentalConsent`, `minorNoParentalConsentRequired`, `notAdult` and `adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`. |
+| legalAgeGroupClassification | [legalAgeGroupClassification](#legalagegroupclassification-values) | Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated based on **ageGroup** and **consentProvidedForMinor** properties. Allowed values: `null`, `MinorWithOutParentalConsent`, `MinorWithParentalConsent`, `MinorNoParentalConsentRequired`, `NotAdult` and `Adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`. |
| licenseAssignmentStates | [licenseAssignmentState](licenseassignmentstate.md) collection | State of license assignments for this user. Read-only. <br><br>Returned only on `$select`. | | mail | String | The SMTP address for the user, for example, `admin@contoso.com`. Changes to this property will also update the user's **proxyAddresses** collection to include the value as an SMTP address. For Azure AD B2C accounts, this property can be updated up to only ten times with unique SMTP addresses. This property cannot contain accent characters. <br><br> Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, `endsWith`, and `eq` on `null` values). | | mailboxSettings | [mailboxSettings](mailboxsettings.md) | Settings for the primary mailbox of the signed-in user. You can [get](../api/user-get-mailboxsettings.md) or [update](../api/user-update-mailboxsettings.md) settings for sending automatic replies to incoming messages, locale, and time zone. For more information, see [User preferences for languages and regional formats](#user-preferences-for-languages-and-regional-formats). <br><br>Returned only on `$select`. |
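Review bot: The new `legalAgeGroupClassification` value list spells the first member `MinorWithOutParentalConsent`, while the legalAgeGroupClassification values table changed later in the same file uses `MinorWithoutParentalConsent`. Use one spelling in both places.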
For example: Cameron is administrator of a directory for an elementary school in
| Member | Description| |:|:-| |null|Default value, no **ageGroup** has been set for the user.|
-|minorWithoutParentalConsent |(Reserved for future use)|
-|minorWithParentalConsent| The user is considered a minor based on the age-related regulations of their country or region and the administrator of the account has obtained appropriate consent from a parent or guardian.|
-|adult|The user considered an adult based on the age-related regulations of their country or region.|
-|notAdult|The user is from a country or region that has additional age-related regulations (such as the United States, United Kingdom, European Union or South Korea), and the user's age is between a minor and an adult age (as stipulated based on country or region). Generally, this means that teenagers are considered as `notAdult` in regulated countries.|
-|minorNoParentalConsentRequired|The user is a minor but is from a country or region that has no age-related regulations.|
+|MinorWithoutParentalConsent |(Reserved for future use)|
+|MinorWithParentalConsent| The user is considered a minor based on the age-related regulations of their country or region and the administrator of the account has obtained appropriate consent from a parent or guardian.|
+|Adult|The user considered an adult based on the age-related regulations of their country or region.|
+|NotAdult|The user is from a country or region that has additional age-related regulations (such as the United States, United Kingdom, European Union or South Korea), and the user's age is between a minor and an adult age (as stipulated based on country or region). Generally, this means that teenagers are considered as `notAdult` in regulated countries.|
+|MinorNoParentalConsentRequired|The user is a minor but is from a country or region that has no age-related regulations.|
#### ageGroup values | Member | Description| |:|:--| |null|Default value, no **ageGroup** has been set for the user.|
-|minor|The user is considered a minor.|
-|notAdult|The user is from a country that has statutory regulations United States, United Kingdom, European Union or South Korea) and user's age is more than the upper limit of kid age (as per country) and less than lower limit of adult age (as stipulated based on country or region). So basically, teenagers are considered as `notAdult` in regulated countries.|
-|adult|The user should be a treated as an adult.|
+|Minor|The user is considered a minor.|
+|NotAdult|The user is from a country that has statutory regulations United States, United Kingdom, European Union or South Korea) and user's age is more than the upper limit of kid age (as per country) and less than lower limit of adult age (as stipulated based on country or region). So basically, teenagers are considered as `notAdult` in regulated countries.|
+|Adult|The user should be a treated as an adult.|
#### consentProvidedForMinor values | Member | Description| |:|:-| |null|Default value, no **consentProvidedForMinor** has been set for the user.|
-|granted|Consent has been obtained for the user to have an account.|
-|denied|Consent has not been obtained for the user to have an account.|
-|notRequired|The user is from a location that does not require consent.|
+|Granted|Consent has been obtained for the user to have an account.|
+|Denied|Consent has not been obtained for the user to have an account.|
+|NotRequired|The user is from a location that does not require consent.|
## Relationships
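Review bot: the description text on the renamed `NotAdult` rows still ends with "teenagers are considered as `notAdult` in regulated countries", so the Member column and the description now disagree on casing in both the legal age group table and the **ageGroup** table. Change the inline value to `NotAdult` in both rows. While these lines are being touched, also fix "The user considered an adult" (missing "is"), "should be a treated as an adult", and the unbalanced parenthesis after "statutory regulations" in the **ageGroup** `NotAdult` row.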
v1.0 X509certificateauthenticationmethodconfiguration https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/x509certificateauthenticationmethodconfiguration.md
+
+ Title: "x509CertificateAuthenticationMethodConfiguration resource type"
+description: "Represents the details of the Azure AD native Certificate-Based Authentication (CBA) in the tenant, including whether the authentication method is enabled or disabled and the users and groups who can register and use it."
+
+ms.localizationpriority: medium
++
+# x509CertificateAuthenticationMethodConfiguration resource type
+
+Namespace: microsoft.graph
++
+Represents the details of the Azure AD native Certificate-Based Authentication (CBA) in the tenant, including whether the authentication method is enabled or disabled and the users and groups who can register and use it.
+
+Inherits from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[Get x509CertificateAuthenticationMethodConfiguration](../api/x509certificateauthenticationmethodconfiguration-get.md)|[x509CertificateAuthenticationMethodConfiguration](../resources/x509certificateauthenticationmethodconfiguration.md)|Read the properties and relationships of a x509CertificateAuthenticationMethodConfiguration object.|
+|[Update x509CertificateAuthenticationMethodConfiguration](../api/x509certificateauthenticationmethodconfiguration-update.md)|[x509CertificateAuthenticationMethodConfiguration](../resources/x509certificateauthenticationmethodconfiguration.md)|Update the properties of a x509CertificateAuthenticationMethodConfiguration object.|
+|[Delete x509CertificateAuthenticationMethodConfiguration](../api/x509certificateauthenticationmethodconfiguration-delete.md)|None| Restore the x509CertificateAuthenticationMethodConfiguration object to its default configuration.|
++
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|id|String|The identifier for the authentication method policy. The value is always `X509Certificate`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).|
+|state|authenticationMethodState|The possible values are: `enabled`, `disabled`. Inherited from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).|
+|certificateUserBindings|[x509CertificateUserBinding](../resources/x509certificateuserbinding.md) collection|Defines fields in the X.509 certificate that map to attributes of the Azure AD user object in order to bind the certificate to the user. The **priority** of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
+|authenticationModeConfiguration|[x509CertificateAuthenticationModeConfiguration](../resources/x509certificateauthenticationmodeconfiguration.md)|Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
++
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of users or groups who are enabled to use the authentication method.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
+ "baseType": "microsoft.graph.authenticationMethodConfiguration",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.x509CertificateAuthenticationMethodConfiguration",
+ "id": "String (identifier)",
+ "state": "String",
+ "certificateUserBindings": [
+ {
+ "@odata.type": "microsoft.graph.x509CertificateUserBinding"
+ }
+ ],
+ "authenticationModeConfiguration": {
+ "@odata.type": "microsoft.graph.x509CertificateAuthenticationModeConfiguration"
+ }
+}
+```
+
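Review bot: the Delete row in the Methods table says the call restores the object "to its default configuration", but nothing on this page states what that default is. For a tenant-wide authentication method, a reader needs to know the resulting `state`, what happens to **certificateUserBindings**, and which default mode applies after a delete, so please document it here or link to where it is defined. Also, in the JSON representation the nested `@odata.type` values are written without the leading `#` while the top-level one has it; make them consistent.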
v1.0 X509certificateauthenticationmodeconfiguration https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/x509certificateauthenticationmodeconfiguration.md
+
+ Title: "x509CertificateAuthenticationModeConfiguration resource type"
+description: "Defines the strong authentication configurations for the X.509 certificate. This configuration includes the default authentication mode and the different rules of strong authentication bindings."
+
+ms.localizationpriority: medium
++
+# x509CertificateAuthenticationModeConfiguration resource type
+
+Namespace: microsoft.graph
++
+Defines the strong authentication configurations for the X.509 certificate. This configuration includes the default authentication mode and the different rules of strong authentication bindings.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|rules|[x509CertificateRule](../resources/x509certificaterule.md) collection| Rules are configured in addition to the authentication mode to bind a specific **x509CertificateRuleType** to an **x509CertificateAuthenticationMode**. For example, bind the `policyOID` with identifier `1.32.132.343` to `x509CertificateMultiFactor` authentication mode.|
+|x509CertificateAuthenticationDefaultMode|x509CertificateAuthenticationMode| The type of strong authentication mode. The possible values are: `x509CertificateSingleFactor`, `x509CertificateMultiFactor`, `unknownFutureValue`.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.x509CertificateAuthenticationModeConfiguration"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.x509CertificateAuthenticationModeConfiguration",
+ "x509CertificateAuthenticationDefaultMode": "String",
+ "rules": [
+ {
+ "@odata.type": "microsoft.graph.x509CertificateRule"
+ }
+ ]
+}
+```
+
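Review bot: the **rules** row does not say how rules are evaluated against **x509CertificateAuthenticationDefaultMode**. It should state that the default mode applies when no rule matches (if that is the behaviour), and which rule wins when one certificate matches both an `issuerSubject` rule and a `policyOID` rule that map to different modes. That determines whether a certificate is treated as single-factor or multifactor, so it should not be left to inference. The default mode row also lists `unknownFutureValue` as a possible value without saying whether it can be set.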
v1.0 X509certificaterule https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/x509certificaterule.md
+
+ Title: "x509CertificateRule resource type"
+description: "Defines the strong authentication configuration rules for the X.509 certificate. Rules are configured in addition to the authentication mode."
+
+ms.localizationpriority: medium
++
+# x509CertificateRule resource type
+
+Namespace: microsoft.graph
++
+Defines the strong authentication configuration rules for the X.509 certificate. Rules are configured in addition to the authentication mode.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|identifier|String| The identifier of the X.509 certificate. Required.|
+|x509CertificateAuthenticationMode|x509CertificateAuthenticationMode| The type of strong authentication mode. The possible values are: `x509CertificateSingleFactor`, `x509CertificateMultiFactor`, `unknownFutureValue`. Required.|
+|x509CertificateRuleType|x509CertificateRuleType| The type of the X.509 certificate mode configuration rule. The possible values are: `issuerSubject`, `policyOID`, `unknownFutureValue`. Required.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.x509CertificateRule"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.x509CertificateRule",
+ "x509CertificateRuleType": "String",
+ "identifier": "String",
+ "x509CertificateAuthenticationMode": "String"
+}
+```
+
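Review bot: the **identifier** row describes the value as "The identifier of the X.509 certificate", which does not match how the property is used. The x509CertificateAuthenticationModeConfiguration page gives the example of a `policyOID` rule with identifier `1.32.132.343`, so the identifier belongs to the rule's match criterion, not to a certificate. Suggest rewording and stating the expected format for each **x509CertificateRuleType** value (`issuerSubject` and `policyOID`).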
v1.0 X509certificateuserbinding https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/x509certificateuserbinding.md
+
+ Title: "x509CertificateUserBinding resource type"
+description: "Defines the fields in the X.509 certificate that map to attributes of the Azure AD user object in order to bind the certificate to the user account."
+
+ms.localizationpriority: medium
++
+# x509CertificateUserBinding resource type
+
+Namespace: microsoft.graph
++
+Defines the fields in the X.509 certificate that map to attributes of the Azure AD user object in order to bind the certificate to the user account.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|priority|Int32|The priority of the binding. Azure AD uses the binding with the highest priority. This value must be a non-negative integer and unique in the collection of objects in the **certificateUserBindings** property of an **x509CertificateAuthenticationMethodConfiguration** object. Required|
+|userProperty|String|Defines the Azure AD user property of the user object to use for the binding. The possible values are: **userPrincipalName**, `onPremisesUserPrincipalName`, `email`. Required.|
+|x509CertificateField|String|The field on the X.509 certificate to use for the binding. The possible values are: `PrincipalName`, `RFC822Name`.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.x509CertificateUserBinding"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.x509CertificateUserBinding",
+ "x509CertificateField": "String",
+ "userProperty": "String",
+ "priority": "Integer"
+}
+```
+
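Review bot: the **priority** row says "Azure AD uses the binding with the highest priority" but never says whether a lower or a higher integer is the higher priority. It also reads differently from the **certificateUserBindings** description on the parent resource, which says the first binding that matches is used and the rest are ignored. State the ordering explicitly and use the same wording on both pages, because the ordering decides which certificate field is matched to which user attribute. Smaller points: "Required" in the priority row is missing its period, **x509CertificateField** is not marked required or optional, **userProperty** mixes bold and code formatting for its values, and the JSON representation shows `priority` as "Integer" while the table says Int32.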
v1.0 Accesspackagecatalog Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/accesspackagecatalog-update.md
If successful, this method returns a `204 No Content` response code.
} --> ```http
-PATCH https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackageCatalogs/{accessPackageCatalogId}
+PATCH https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/{accessPackageCatalogId}
Content-Type: application/json {
v1.0 Application Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/application-get.md
Content-type: application/json
"addIns": [], "publisherDomain": "contoso.onmicrosoft.com", "signInAudience": "AzureADandPersonalMicrosoftAccount",
+ "verifiedPublisher": {
+ "displayName": "publisher_contoso",
+ "verifiedPublisherId": "9999999",
+ "addedDateTime": "2021-04-24T17:49:44Z"
+ },
"tags": [], "tokenEncryptionKeyId": null, "api": {
v1.0 Channel Getallmessages https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/channel-getallmessages.md
GET /teams/{team-id}/channels/getAllMessages
## Optional query parameters
-You can use `model` query parameter, which supports the values `A` and `B`, based on the preferred licensing and payment requirements, as shown in the following examples.
+You can use `model` query parameter, which supports the values `A` and `B`, based on the preferred [licensing and payment model](/graph/teams-licenses),
+as shown in the following examples.
+If no `model` is specified, [evaluation mode](/graph/teams-licenses#evaluation-mode-default-requirements) will be used.
```http GET /teams/{team-id}/channels/getAllMessages?model=A
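Review bot: the rewritten sentence still reads "You can use `model` query parameter" (missing "the"), and it is now split across two source lines at the comma before "as shown in the following examples", which makes later diffs harder to read. Keep it on one line. The new default sentence is useful; consider also saying in one clause what evaluation mode limits, so readers do not have to follow the link to learn that omitting `model` has consequences.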
v1.0 Chats Getallmessages https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/chats-getallmessages.md
GET /users/{id | user-principal-name}/chats/getAllMessages
## Optional query parameters
-You can use `model` query parameter, which supports the values `A` and `B`, based on the preferred licensing and payment requirements, as shown in the following examples.
+You can use `model` query parameter, which supports the values `A` and `B`, based on the preferred [licensing and payment model](/graph/teams-licenses),
+as shown in the following examples.
+If no `model` is specified, [evaluation mode](/graph/teams-licenses#evaluation-mode-default-requirements) will be used.
```http GET /users/{id | user-principal-name}/chats/getAllMessages?model=A
v1.0 Directoryobject Checkmembergroups https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/directoryobject-checkmembergroups.md
doc_type: apiPageType
Namespace: microsoft.graph
-Check for membership in a specified list of groups, and return from that list those groups of which the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member. This function is transitive.
+Check for membership in a specified list of group IDs, and return from that list those groups (identified by IDs) of which the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member. This function is transitive.
You can check up to a maximum of 20 groups per request. This function supports all groups provisioned in Azure AD. Because Microsoft 365 groups cannot contain other groups, membership in a Microsoft 365 group is always direct.
v1.0 Directoryobject Checkmemberobjects https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/directoryobject-checkmemberobjects.md
doc_type: "apiPageType"
Namespace: microsoft.graph
-Check for membership in a list of groups, administrative units, or directory roles for the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md). This method is transitive.
+Check for membership in a list of group IDs, administrative unit IDs, or directory role IDs, for the IDs of the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md). This method is transitive.
## Permissions
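Review bot: the new wording "for the IDs of the specified user, group, ..." is harder to parse than the text it replaces. It reads as if the caller passes several IDs for the object being checked, when the list in the request is the set of group, administrative unit and directory role IDs. Suggest keeping "for the specified user, group, ..." and limiting the "IDs" clarification to the list being checked, matching the phrasing used in the checkMemberGroups change.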
v1.0 Directoryobject Getmembergroups https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/directoryobject-getmembergroups.md
doc_type: apiPageType
Namespace: microsoft.graph
-Return all the groups that the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member of. This function is transitive.
+Return all the group IDs for the groups that the specified [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member of. This function is transitive.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
v1.0 Directoryobject Getmemberobjects https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/directoryobject-getmemberobjects.md
doc_type: apiPageType
Namespace: microsoft.graph
-Return all the groups, administrative units, and directory roles that a [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member of. This function is transitive.
+Return all IDs for the groups, administrative units, and directory roles that a [user](../resources/user.md), [group](../resources/group.md), [service principal](../resources/serviceprincipal.md), [organizational contact](../resources/orgcontact.md), [device](../resources/device.md), or [directory object](../resources/directoryobject.md) is a member of. This function is transitive.
**Note:** Only users and role-enabled groups can be members of directory roles.
v1.0 Schedule List Shifts https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/schedule-list-shifts.md
GET /teams/{teamId}/schedule/shifts
``` ## Optional query parameters
-This method supports the $filter [OData query parameter](/graph/query-parameters) to help customize the response.
+This method supports the `$filter` [OData query parameter](/graph/query-parameters) to help customize the response.
## Request headers
v1.0 Serviceprincipal Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/serviceprincipal-get.md
Content-type: application/json
"endpoints": [], "homepage": null, "id": "00af5dfb-85da-4b41-a677-0c6b86dd34f8",
+ "verifiedPublisher": {
+ "displayName": "publisher_contoso",
+ "verifiedPublisherId": "9999999",
+ "addedDateTime": "2021-04-24T17:49:44Z"
+ },
"info": { "termsOfServiceUrl": null, "supportUrl": null,
v1.0 Serviceprincipal List Homerealmdiscoverypolicies https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/serviceprincipal-list-homerealmdiscoverypolicies.md
HTTP/1.1 200 OK
Content-type: application/json {
- "value": [
- {
- "definition": [
- "definition-value"
- ],
- "displayName": "displayName-value",
- "isOrganizationDefault": true,
- "id": "id-value"
- }
- ]
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.homeRealmDiscoveryPolicy)",
+ "value": [
+ {
+ "id": "6c6f154f-cb39-4ff9-bf5b-62d5ad585cde",
+ "deletedDateTime": null,
+ "definition": [
+ "{\"HomeRealmDiscoveryPolicy\": {\"AccelerateToFederatedDomain\":true, \"PreferredDomain\":\"federated.example.edu\", \"AlternateIdLogin\":{\"Enabled\":true}}}"
+ ],
+ "displayName": "Contoso default HRD Policy",
+ "isOrganizationDefault": false
+ }
+ ]
} ```
v1.0 User Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/user-get.md
For a specific user:
GET /users/{id | userPrincipalName} ```
->**Note:**
-> + When the **userPrincipalName** begins with a `$` character, remove the slash (/) after `/users` and enclose the **userPrincipalName** in parentheses and single quotes. For example, `/users('$AdeleVance@contoso.com')`. For details, see the [known issues](/graph/known-issues#users) list.
+> [!TIP]
+>
+> + When the **userPrincipalName** begins with a `$` character, the GET request URL syntax `/users/$x@y.com` fails with a `400 Bad Request` error code. This is because this request URL violates the OData URL convention, which expects only system query options to be prefixed with a `$` character. Remove the slash (/) after `/users` and enclose the **userPrincipalName** in parentheses and single quotes, as follows: `/users('$x@y.com')`. For example, `/users('$AdeleVance@contoso.com')`.
> + To query a B2B user using the **userPrincipalName**, encode the hash (#) character. That is, replace the `#` symbol with `%23`. For example, `/users/AdeleVance_adatum.com%23EXT%23@contoso.com`. For the signed-in user:
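Review bot: the explanation of the `400 Bad Request` is a good addition, but the change drops the link to the known issues list that the old note carried and relabels the block as `[!TIP]`. A request form that fails outright is closer to a note than a tip, and the known issues link should be kept unless that entry has been removed. The bullet also gives two examples back to back ("as follows: `/users('$x@y.com')`. For example, `/users('$AdeleVance@contoso.com')`"); one is enough.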
v1.0 User Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/user-update.md
In the request body, supply the values for relevant fields that should be update
|:|:--|:-| |aboutMe|String|A freeform text entry field for the user to describe themselves.| |accountEnabled|Boolean| `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. A global administrator assigned the _Directory.AccessAsUser.All_ delegated permission can update the **accountEnabled** status of all administrators in the tenant.|
-| ageGroup | [ageGroup](../resources/user.md#agegroup-values) | Sets the age group of the user. Allowed values: `null`, `minor`, `notAdult` and `adult`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
+| ageGroup | [ageGroup](../resources/user.md#agegroup-values) | Sets the age group of the user. Allowed values: `null`, `Minor`, `NotAdult` and `Adult`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
|birthday|DateTimeOffset|The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`| |businessPhones| String collection | The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property.| |city|String|The city in which the user is located.|
-| companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length of the company name is 64 characters. |
-| consentProvidedForMinor | [consentProvidedForMinor](../resources/user.md#consentprovidedforminor-values) | Sets whether consent has been obtained for minors. Allowed values: `null`, `granted`, `denied` and `notRequired`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
+| companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters. |
+| consentProvidedForMinor | [consentProvidedForMinor](../resources/user.md#consentprovidedforminor-values) | Sets whether consent has been obtained for minors. Allowed values: `null`, `Granted`, `Denied` and `NotRequired`. Refer to the [legal age group property definitions](../resources/user.md#legal-age-group-property-definitions) for further information. |
|country|String|The country/region in which the user is located; for example, `US` or `UK`.| |department|String|The name for the department in which the user works.| |displayName|String|The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates. |
-| employeeId | String | The employee identifier assigned to the user by the organization. |
+| employeeId | String | The employee identifier assigned to the user by the organization. The maximum length is 16 characters. |
| employeeType | String | Captures enterprise worker type. For example, `Employee`, `Contractor`, `Consultant`, or `Vendor`. Returned only on `$select`.| |givenName|String|The given name (first name) of the user.| |employeeHireDate|DateTimeOffset|The hire date of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`|
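Review bot: the **ageGroup** and **consentProvidedForMinor** rows change the allowed values from lowercase to `Minor`, `NotAdult`, `Adult`, `Granted`, `Denied` and `NotRequired`, but the page does not say whether a PATCH that sends the previously documented lowercase values is still accepted. Callers written against the old text need that stated. Separately, the rewritten **companyName** row still reads "The company name which the user is associated"; add "with" while the line is being edited.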
v1.0 Extensionproperty https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/extensionproperty.md
Extensions can be added to [user](user.md), [group](group.md), [organization](or
|:-|:|:| |appDisplayName|String| Display name of the application object on which this extension property is defined. Read-only. | |dataType|String| Specifies the data type of the value the extension property can hold. Following values are supported. Not nullable. <ul><li>`Binary` - 256 bytes maximum</li><li>`Boolean`</li><li>`DateTime` - Must be specified in ISO 8601 format. Will be stored in UTC.</li><li>`Integer` - 32-bit value.</li><li>`LargeInteger` - 64-bit value.</li><li>`String` - 256 characters maximum</li></ul>|
-|isSyncedFromOnPremises|Boolean| Indicates if this extension property was sycned from onpremises directory using Azure AD Connect. Read-only. |
+|isSyncedFromOnPremises|Boolean| Indicates if this extension property was synced from on-premises active directory using Azure AD Connect. Read-only. |
|name|String| Name of the extension property. Not nullable. | |targetObjects|String collection| Following values are supported. Not nullable. <ul><li>`User`</li><li>`Group`</li><li>`Organization`</li><li>`Device`</li><li>`Application`</li></ul>|
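Review bot: in the corrected **isSyncedFromOnPremises** row, "on-premises active directory" should be capitalised as "Active Directory" if the product is meant, or left as "on-premises directory" if the generic term is intended. The spelling fix for "synced" is fine.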
v1.0 Licenseassignmentstate https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/licenseassignmentstate.md
The **licenseAssignmentStates** property of the [user](user.md) entity is a coll
|:|:--|:-| |assignedByGroup|string|The id of the group that assigns this license. If the assignment is a direct-assigned license, this field will be Null. Read-Only.| |disabledPlans|Collection(String)|The service plans that are disabled in this assignment. Read-Only.|
-|error|String|License assignment failure error. If the license is assigned successfully, this field will be Null. Read-Only. Possible values: `CountViolation`, `MutuallyExclusiveViolation`, `DependencyViolation`, `ProhibitedInUsageLocationViolation`, `UniquenessViolation`, and `Others`. For more information on how to identify and resolve license assignment errors see [here](/azure/active-directory/users-groups-roles/licensing-groups-resolve-problems).|
+|error|String|License assignment failure error. If the license is assigned successfully, this field will be Null. Read-Only. The possible values are `CountViolation`, `MutuallyExclusiveViolation`, `DependencyViolation`, `ProhibitedInUsageLocationViolation`, `UniquenessViolation`, and `Other`. For more information on how to identify and resolve license assignment errors see [here](/azure/active-directory/users-groups-roles/licensing-groups-resolve-problems).|
|lastUpdatedDateTime|DateTimeOffset|The timestamp when the state of the license assignment was last updated.| |skuId|String|The unique identifier for the SKU. Read-Only.|
-|state|String|Indicate the current state of this assignment. Read-Only. Possible values: Active, ActiveWithError, Disabled and Error.|
+|state|String|Indicate the current state of this assignment. Read-Only. The possible values are `Active`, `ActiveWithError`, `Disabled`, and `Error`.|
## JSON representation
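Review bot: the **error** row changes the last possible value from `Others` to `Other`, which is a change to a documented value and not just formatting. Please confirm which string the service actually returns before merging, since clients may compare against it. Putting the **state** values in code formatting is a good change.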
v1.0 User https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/user.md
This resource supports:
|:|:--|:-| |aboutMe|String|A freeform text entry field for the user to describe themselves. Returned only on `$select`.| |accountEnabled|Boolean| `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, and `in`). |
-|ageGroup|[ageGroup](#agegroup-values)|Sets the age group of the user. Allowed values: `null`, `minor`, `notAdult` and `adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, and `in`).|
+|ageGroup|[ageGroup](#agegroup-values)|Sets the age group of the user. Allowed values: `null`, `Minor`, `NotAdult` and `Adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, and `in`).|
|assignedLicenses|[assignedLicense](assignedlicense.md) collection|The licenses that are assigned to the user, including inherited (group-based) licenses. Not nullable. Returned only on `$select`. Supports `$filter` (`eq` and `not`). | |assignedPlans|[assignedPlan](assignedplan.md) collection|The plans that are assigned to the user. Read-only. Not nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq` and `not`). | |birthday|DateTimeOffset|The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. <br><br>Returned only on `$select`.| |businessPhones|String collection|The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property. Read-only for users synced from on-premises directory. <br><br>Returned by default. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`).| |city|String|The city in which the user is located. Maximum length is 128 characters. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
-|companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length of the company name is 64 characters.<br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
-|consentProvidedForMinor|[consentProvidedForMinor](#consentprovidedforminor-values)|Sets whether consent has been obtained for minors. Allowed values: `null`, `granted`, `denied` and `notRequired`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, and `in`).|
+|companyName | String | The company name which the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters.<br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
+|consentProvidedForMinor|[consentProvidedForMinor](#consentprovidedforminor-values)|Sets whether consent has been obtained for minors. Allowed values: `null`, `Granted`, `Denied` and `NotRequired`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, and `in`).|
|country|String|The country/region in which the user is located; for example, `US` or `UK`. Maximum length is 128 characters. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).| |createdDateTime | DateTimeOffset |The created date of the user object. Read-only. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`).| | creationType | String | Indicates whether the user account was created through one of the following methods: <br/> <ul><li>As a regular school or work account (`null`). <li>As an external account (`Invitation`). <li>As a local account for an Azure Active Directory B2C tenant (`LocalAccount`). <li>Through self-service sign-up by an internal user using email verification (`EmailVerified`). <li>Through self-service sign-up by an external user signing up through a link that is part of a user flow (`SelfServiceSignUp`).</ul> <br>Read-only.<br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `in`). |
This resource supports:
|department|String|The name for the department in which the user works. Maximum length is 64 characters. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, and `eq` on `null` values).| |displayName|String|The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial and last name. This property is required when a user is created and it cannot be cleared during updates. Maximum length is 256 characters. <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values), `$orderBy`, and `$search`.| | employeeHireDate | DateTimeOffset | The date and time when the user was hired or will start work in case of a future hire. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`).|
-| employeeId | String | The employee identifier assigned to the user by the organization. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
+| employeeId | String | The employee identifier assigned to the user by the organization. The maximum length is 16 characters. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).|
|employeeOrgData|[employeeOrgData](employeeorgdata.md) |Represents organization data (e.g. division and costCenter) associated with a user. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`).| | employeeType | String | Captures enterprise worker type. For example, `Employee`, `Contractor`, `Consultant`, or `Vendor`. Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`).| |externalUserState|String|For an external user invited to the tenant using the [invitation API](../api/invitation-post.md), this property represents the invited user's invitation status. For invited users, the state can be `PendingAcceptance` or `Accepted`, or `null` for all other users. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not` , `in`).|
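Review bot: The sentence added to the employeeId row, "The maximum length is 16 characters.", is worded differently from the neighbouring rows, which say "Maximum length is 64 characters." (department) and "Maximum length is 256 characters." (displayName). Suggest matching the existing phrasing so the length limits read uniformly across the table and are easy to search for.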
This resource supports:
|isResourceAccount|Boolean| Do not use ΓÇô reserved for future use.| |jobTitle|String|The user's job title. Maximum length is 128 characters. <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not` , `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).| |lastPasswordChangeDateTime| DateTimeOffset | The time when this Azure AD user last changed their password or when their password was created, whichever date the latest action was performed. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. <br><br>Returned only on `$select`.|
-|legalAgeGroupClassification|[legalAgeGroupClassification](#legalagegroupclassification-values)| Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated based on **ageGroup** and **consentProvidedForMinor** properties. Allowed values: `null`, `minorWithOutParentalConsent`, `minorWithParentalConsent`, `minorNoParentalConsentRequired`, `notAdult` and `adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`.|
+|legalAgeGroupClassification|[legalAgeGroupClassification](#legalagegroupclassification-values)| Used by enterprise applications to determine the legal age group of the user. This property is read-only and calculated based on **ageGroup** and **consentProvidedForMinor** properties. Allowed values: `null`, `MinorWithOutParentalConsent`, `MinorWithParentalConsent`, `MinorNoParentalConsentRequired`, `NotAdult` and `Adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`.|
|licenseAssignmentStates|[licenseAssignmentState](licenseassignmentstate.md) collection|State of license assignments for this user. Read-only. <br><br>Returned only on `$select`.| |mail|String|The SMTP address for the user, for example, `jeff@contoso.onmicrosoft.com`.<br>Changes to this property will also update the user's **proxyAddresses** collection to include the value as an SMTP address. For Azure AD B2C accounts, this property can be updated up to only ten times with unique SMTP addresses. This property cannot contain accent characters.<br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, `endsWith`, and `eq` on `null` values).| |mailboxSettings|[mailboxSettings](mailboxsettings.md)|Settings for the primary mailbox of the signed-in user. You can [get](../api/user-get-mailboxsettings.md) or [update](../api/user-update-mailboxsettings.md) settings for sending automatic replies to incoming messages, locale and time zone. <br><br>Returned only on `$select`.|
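Review bot: The new allowed-values list for legalAgeGroupClassification spells the first member `MinorWithOutParentalConsent`, with a capital "O", while the member table for the same type further down this file is changed to `MinorWithoutParentalConsent`. The removed line had the same mismatch (`minorWithOutParentalConsent`), so the rename carries it forward. Since this hunk is already normalising the casing, pick the one spelling the service returns and use it in both places; a client that matches on the string literal would otherwise miss one of the two.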
For example: Cameron is administrator of a directory for an elementary school in
| Member | Description| |:|:-| |null|Default value, no **ageGroup** has been set for the user.|
-|minorWithoutParentalConsent |(Reserved for future use)|
-|minorWithParentalConsent| The user is considered a minor based on the age-related regulations of their country or region and the administrator of the account has obtained appropriate consent from a parent or guardian.|
-|adult|The user considered an adult based on the age-related regulations of their country or region.|
-|notAdult|The user is from a country or region that has additional age-related regulations (such as the United States, United Kingdom, European Union or South Korea), and the user's age is between a minor and an adult age (as stipulated based on country or region). Generally, this means that teenagers are considered as `notAdult` in regulated countries.|
-|minorNoParentalConsentRequired|The user is a minor but is from a country or region that has no age-related regulations.|
+|MinorWithoutParentalConsent |(Reserved for future use)|
+|MinorWithParentalConsent| The user is considered a minor based on the age-related regulations of their country or region and the administrator of the account has obtained appropriate consent from a parent or guardian.|
+|Adult|The user considered an adult based on the age-related regulations of their country or region.|
+|NotAdult|The user is from a country or region that has additional age-related regulations (such as the United States, United Kingdom, European Union or South Korea), and the user's age is between a minor and an adult age (as stipulated based on country or region). Generally, this means that teenagers are considered as `notAdult` in regulated countries.|
+|MinorNoParentalConsentRequired|The user is a minor but is from a country or region that has no age-related regulations.|
#### ageGroup values | Member | Description| |:|:--| |null|Default value, no **ageGroup** has been set for the user.|
-|minor|The user is considered a minor.|
-|notAdult|The user is from a country that has statutory regulations (such as the United States, United Kingdom, European Union or South Korea) and user's age is more than the upper limit of kid age (as per country) and less than lower limit of adult age (as stipulated based on country or region). So basically, teenagers are considered as `notAdult` in regulated countries.|
-|adult|The user should be a treated as an adult.|
+|Minor|The user is considered a minor.|
+|NotAdult|The user is from a country that has statutory regulations (such as the United States, United Kingdom, European Union or South Korea) and user's age is more than the upper limit of kid age (as per country) and less than lower limit of adult age (as stipulated based on country or region). So basically, teenagers are considered as `notAdult` in regulated countries.|
+|Adult|The user should be a treated as an adult.|
#### consentProvidedForMinor values | Member | Description| |:|:-| |null|Default value, no **consentProvidedForMinor** has been set for the user.|
-|granted|Consent has been obtained for the user to have an account.|
-|denied|Consent has not been obtained for the user to have an account.|
-|notRequired|The user is from a location that does not require consent.|
+|Granted|Consent has been obtained for the user to have an account.|
+|Denied|Consent has not been obtained for the user to have an account.|
+|NotRequired|The user is from a location that does not require consent.|
## Relationships
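Review bot: Both renamed `NotAdult` rows still end with "teenagers are considered as `notAdult` in regulated countries", so the description text now disagrees with the member name in the first column; update the inline literal to `NotAdult` in the legalAgeGroupClassification and ageGroup tables. While these rows are being touched, two carried-over typos could be fixed as well: "The user considered an adult" (missing "is") in the `Adult` row of the first table, and "The user should be a treated as an adult" in the `Adult` row of the ageGroup table.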
v1.0 Toc.Yml https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/toc.yml a/api-reference/v1.0/toc.yml
items:
- name: Assignment settings href: resources/educationassignmentsettings.md items:
- - name: Get assignment settings
+ - name: Get
href: api/educationassignmentsettings-get.md
- - name: Update assignment settings
+ - name: Update
href: api/educationassignmentsettings-update.md - name: Assignment defaults href: resources/educationassignmentdefaults.md items:
- - name: Get assignment defaults
+ - name: Get
href: api/educationassignmentdefaults-get.md
- - name: Update assignment defaults
+ - name: Update
href: api/educationassignmentdefaults-update.md - name: Category href: resources/educationcategory.md items:
- - name: Create category
+ - name: Create
href: api/educationclass-post-category.md
- - name: Get category
+ - name: Get
href: api/educationcategory-get.md
- - name: Delete category
+ - name: Delete
href: api/educationcategory-delete.md - name: Rubric href: resources/educationrubric.md items:
- - name: Create rubric
+ - name: Create
href: api/educationuser-post-rubrics.md
- - name: Get rubric
+ - name: Get
href: api/educationrubric-get.md
- - name: Update rubric
+ - name: Update
href: api/educationrubric-update.md
- - name: Delete rubric
+ - name: Delete
href: api/educationrubric-delete.md - name: Submission href: resources/educationsubmission.md