-# [PowerShell](#tab/powershell)

-# [PowerShell](#tab/powershell)

-You can't delete an access package if it has any **accessPackageAssignment**. To delete the access package, first [query if there are any assignments](entitlementmanagement-list-accesspackageassignments.md) with a filter to indicate the specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`. For more information on how to remove assignments that are still in the delivered state, see [Remove an assignment](entitlementmanagement-post-accesspackageassignmentrequests.md#example-4-remove-an-assignment).

-When calling on behalf of a user, the user needs to belong to one of the following directory roles. To learn more about directory roles, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):

-+ Global Administrator

-When calling on behalf of a user, the user needs to belong to the [Global Administrator](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) directory role.

-To update an administrative unit, the calling principal must be assigned one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):

-* Privileged Role Administrator

-* Global Administrator

-It includes apps from the Microsoft Teams store, and apps from your organization's app catalog (the tenant app catalog). To get apps from your organization's app catalog only, specify `organization` as the **distributionMethod** in the request.

-> **Note**:

-The Directory.Read.All and Directory.ReadWrite.All permissions are supported only for backward compatibility. We recommend that you update your solutions to use an alternative permission and avoid using these permissions going forward.

-The following example lists applications with a given ID, and expands **appDefinitions** to return the **publishingState**, which reflects the submission review state of the app. `Submitted` means the review is pending, `published` means the admin approved the app, and `rejected` means the the admin rejected the app.

-Adds a strong password to an [application](../resources/application.md).

-| Property | Type |Description|

-> Adding [**passwordCredential**](../resources/passwordcredential.md) when creating applications is not supported. Use the [addPassword](application-addpassword.md) method to add passwords or secrets for an application.

-### Request

-### Response

-> **Notes:**

-> - For a call with app-hosted media, you need the Calls.AccessMedia.All permission in addition to one of the permissions listed in the previous table.

-> - Cloud Video Interop solutions that are [Certified for Microsoft Teams](/MicrosoftTeams/cloud-video-interop) have permission to call this API to join meetings for which they have meeting join links, similar to external users joining through a browser.

-To use the OnlineMeetings.ReadWrite.All application permission for this API, tenant administrators must create an [application access policy](/graph/cloud-communication-online-meeting-application-access-policy) and grant it to a user to authorize the app configured in the policy to create online meetings on behalf of that user (with user ID specified in the request path).

->- **userId** is the object ID of a user in [Microsoft Entra admin center > user management page](https://entra.microsoft.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade). For more details, see [Allow applications to access online meetings on behalf of a user](/graph/cloud-communication-online-meeting-application-access-policy).

-The value `privilegedAdmin` consists of the following privileged admin roles:

-The value `admin` includes all Azure Active Director admin roles.

-The value `privilegedAdmin` consists of the following privileged admin roles:

-Read the properties and relationships of an [azureADAuthentication](../resources/azureadauthentication.md) object to find the level of Microsoft Entra authentication availability for your tenant. The Microsoft Entra service Level Agreement (SLA) commits to at least 99.99% authentication availability, as described in [Microsoft Entra SLA performance](/azure/active-directory/reports-monitoring/reference-azure-ad-sla-performance). This object provides you with your tenantΓÇÖs actual performance against this commitment.

-In addition to the delegated permissions, the signed-in user needs to belong to one of the following directory roles that allow them to read sign-in reports. To learn more about directory roles, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):

-+ Global Administrator

-If successful, this method returns a `200 OK` response code and an [azureADAuthentication](../resources/azureadauthentication.md) object in the response body. Each returned value includes a score indicating the availability percentage of the tenantΓÇÖs authentications for the month, along with a startDate and endDate indicating the month that the availability percentage is assigned to.

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-# [PowerShell](#tab/powershell)

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External ID user flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External ID user flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-Update the [apiConnectorConfiguration](../resources/userflowapiconnectorconfiguration.md) property in a [b2cIdentityUserFlow](../resources/b2cidentityuserflow.md) to enable or disable an API connector in a user flow. Each relationship of the [apiConnectorConfiguration](../resources/userflowapiconnectorconfiguration.md) corresponds to a specific step in the user flow that can be configured to call an API connector. You configure an API connector for a particular step one at a time as shown below.

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-### Example 1: Enable API connector for Post IDP Federation on sign up

-### Example 2: Enable API connector for Post Attribute Collection on sign up

-### Example 3: Disable an API connector for Post Attribute Collection on sign up

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External ID user flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External ID user flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External ID user flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External ID user flow administrator

-DELETE https://graph.microsoft.com/beta/sites/{site-id}/pages/{page-id}

-GET /sites/{site-id}/pages/{page-id}

- "webUrl": "SitePages/Electronic Convertible.aspx",

-[basesitepage]: ../resources/baseSitePage.md

-[sitepage]: ../resources/sitePage.md

-GET /sites/{site-id}/pages

- "webUrl": "SitePages/Account holistic.aspx",

- "webUrl": "SitePages/Analyst Fresh.aspx",

-For delegated permissions to allow apps to get **bitLockerRecoveryKey** resources on behalf of the signed-in user, the user must be the registered owner of the device that the BitLocker recovery key was originally backed up from, or the calling user must be in one of the following directory roles:

-* Global administrator

-* Cloud device administrator

-* Helpdesk administrator

-* Intune service administrator

-* Security administrator

-* Security reader

-* Global reader

->**Note:** For delegated permissions to allow apps to get **bitLockerRecoveryKey** resources on behalf of the signed-in user, the tenant administrator must have assigned the user one of the following roles, or the user must be the **registered owner** of the device that the BitLocker key was originally backed up from:

-* Global administrator

-* Cloud device administrator

-* Helpdesk administrator

-* Intune service administrator

-* Security administrator

-* Security reader

-* Global reader

-# [C#](#tab/csharp)

-# [CLI](#tab/cli)

-# [Go](#tab/go)

-# [Java](#tab/java)

-# [PHP](#tab/php)

-# [Python](#tab/python)

- "moderationSettings": null

- "membershipType": "private"

-> **Note**: The Group.ReadWrite.All permission is supported only for backward compatibility. We recommend that you update your solutions to use an alternative permission listed in the previous table and avoid using these permissions going forward.

-> **Note**: Application permissions are *only* supported for [migration](/microsoftteams/platform/graph-api/import-messages/import-external-messages-to-teams).

-In the future, Microsoft may require you or your customers to pay additional fees based on the amount of data imported.

-A [teamsTab](../resources/teamstab.md).

-> **Note**: The Chat.Manage.Chat permission uses [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note**: The Chat.Manage.Chat permission uses [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note**: The TeamsTab.Delete.Chat and TeamsTab.ReadWrite.Chat permissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note**:

-The TeamsAppInstallation.Read.Chat and Chat.Manage.Chat permissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-The following example gets the list of any [resource-specific permissions that were granted to an app](../resources/teamsapppermissionset.md) as part of installation. A `$select` query parameterd is required to show the consented permission set.

-> **Note**: The TeamsAppInstallation.Read.Chat and Chat.Manage.Chat pPermissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-This operation does not support the [OData query parameters](/graph/query-parameters) to customize the response.

-> **Note**: The TeamsTab.Read.Chat and TeamsTab.ReadWrite.Chat permissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note**: The ChatSettings.Read.Chat, ChatSettings.ReadWrite.Chat, and Chat.Manage.Chat permissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note:**

-The following permissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent):

-> **Note**: The ChatMember.Read.Chat and Chat.Manage.Chat permissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note:** The ChatMessage.Read.Chat permission uses [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-The other [OData query parameters](/graph/query-parameters) are not currently supported.

-> **Note:** The ChatSettings.Read.Chat and ChatSettings.ReadWrite.Chat, and Chat.Manage.Chat permissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note**: The TeamsAppInstallation.Read.Chat and Chat.Manage.Chat permissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note:** If the chat is associated with an [onlineMeeting](../resources/onlinemeeting.md) instance, then, effectively, the tab pinned in the meeting will be updated.

-> **Note:** The TeamsTab.ReadWrite.Chat permission uses [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-In the request body, supply a JSON representation of [tab](../resources/teamstab.md) object.

-> **Note:**S The ChatSettings.ReadWrite.Chat permission uses [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Notes:**

-> **Note:** The Chat.Manage.Chat permission uses [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note:** If the chat is associated with an [onlineMeeting](../resources/onlinemeeting.md) instance, then, effectively, the tab will get added to the meeting.

-> **Note:** The TeamsTab.Create.Chat and TeamsTab.ReadWrite.Chat permissions use [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

->**Note:** The TeamsActivity.Send.Chat permission uses [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Notes:**

-> **Note**: The _ChannelMessage.Read.Group_ and _ChatMessage.Read.Chat_ permissions use [resource-specific consent]( https://aka.ms/teams-rsc).

-This method does not support the [OData query parameters](/graph/query-parameters) to customize the response.

-Retrieve the list of [chatMessageHostedContent](../resources/chatmessagehostedcontent.md) objects from a message. This API only lists the hosted content objects. To get the content bytes, see [get chatmessage hosted content](chatmessagehostedcontent-get.md)

-> **Note**: The Group.Read.All and Group.ReadWrite.All permissions are supported only for backward compatibility. We recommend that you update your solutions to use an alternative permission listed in the previous table and avoid using these permissions going forward.

-> **Note**: The _ChannelMessage.Read.Group_ and _ChatMessage.Read.Chat_ permissions use [resource-specific consent]( https://aka.ms/teams-rsc).

-> **Note:** The ChannelMessage.Read.Group permission uses [resource-specific consent](/microsoftteams/platform/graph-api/rsc/resource-specific-consent).

-> **Note**: The Group.ReadWrite.All permission is supported only for backward compatibility. We recommend that you update your solutions to use an alternative permission listed in the previous table and avoid using these permissions going forward.

-> **Note**: Application permissions are *only* supported for [migration](/microsoftteams/platform/graph-api/import-messages/import-external-messages-to-teams).

-In the future, Microsoft may require you or your customers to pay additional fees based on the amount of data imported.

-> **Notes:**

-> **Note**: The Group.ReadWrite.All permission is supported only for backward compatibility. We recommend that you update your solutions to use an alternative permission listed in the previous table and avoid using these permissions going forward.

-> **Note**: Application permissions are *only* supported for [migration](/microsoftteams/platform/graph-api/import-messages/import-external-messages-to-teams). In the future, Microsoft may require you or your customers to pay additional fees based on the amount of data imported.

-### Example 5: Send inline images along with the message

- "name": "post_chatmessage_5",

-### Example 6: Send a card with inline images

- "name": "post_chatmessage_6",

-### Example 7: @mention a channel in a channel message

-### Example 8: @mention a team in a channel message

-### Example 9: @mention a tag in a channel message

-### Example 10: Send message that contains cards that are attributed to a Teams app

- "name": "post_chatmessage_e10",

-### Example 11: Send a message that contains an announcement

- "name": "post_chatmessage_11",

-### Example 12: Send a message with an emoji

- "name": "post_chatmessage_12",

-This method does not support federation. Only the user in the tenant who sent the message can perform data loss prevention (DLP) updates on the specified chat message.

-> **Note:** The Group.ReadWrite.All permission is supported only for backward compatibility. We recommend that you update your solutions to use an alternative permission listed in the previous table and avoid using these permissions going forward.

-If no `model` is specified, [evaluation mode](/graph/teams-licenses#evaluation-mode-default-requirements) will be used.

-> **Note:**: The Group.Read.All and Group.ReadWrite.All permissionsare supported only for backward compatibility. We recommend that you update your solutions to use an alternative permission listed in the previous table and avoid using these permissions going forward.

-This operation does not support the [OData query parameters](/graph/query-parameters) to customize the response.

- "provisioningType": "shared",

-GET https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs/40cee9d2-03fb-4066-8d35-dbdf2875c33f?$select=id,displayName,imageDisplayName,lastModifiedDateTime,lastRemoteActionResult,lastLoginResult,connectivityResult

- }

- "provisioningType": "shared",

- "@odata.type": "#microsoft.graph.cloudPcAuditEvent",

- "id": "250473f5-029f-4037-813d-ba4768201d61",

- "displayName": "Display Name value",

- "componentName": "Component Name value",ΓÇ»

- "activity": "Activity value",ΓÇ»

- "activityDateTime": "2021-02-14T13:10:51.814636+08:00",

- "activityType": " Activity Type value", 

- "activityOperationType": "Activity Operation Type value",

- "activityResult": "Activity Result value",ΓÇ»

- "correlationId": "a5c71cc6-2271-4d5c-9bfe-d94781e83fe6",

- "category": "Category value",

- "actor": {

- "@odata.type": "microsoft.graph.cloudPcAuditActor",

- "type": "Type value",

- "userPermissions": [

- "User Permissions value"

- ],

- "applicationId": "Application Id value",

- "applicationDisplayName": "Application Display Name value",

- "userPrincipalName": "User Principal Name value",

- "servicePrincipalName": "Service Principal Name value",

- "ipAddress": "Ip Address value",

- "userId": "User Id value",

- "userRoleScopeTags": [

- {

- "@odata.type": "microsoft.graph.cloudPcUserRoleScopeTagInfo",

- "displayName": "Display Name value",

- "roleScopeTagId": "Role Scope Tag Id value"

- }

- ],

- "remoteTenantId": "Remote Tenant Id value",

- "remoteUserId": "Remote User Id value"

- },

- "resources": [

- "@odata.type": "microsoft.graph.cloudPcAuditResource",

- "displayName": "Display Name value",

- "modifiedProperties": [

- {

- "@odata.type": "microsoft.graph.cloudPcAuditProperty",

- "displayName": "Display Name value",

- "oldValue": "Old Value value",

- "newValue": "New Value value"

- }

- ],

- "type": "Type value",

- "resourceId": "Resource Id value"

- ]

-Use this GET operation to verify the **exportJobStatus** property of the **cloudPcExportJob** resource. When the property becomes `completed`, the report has finished downloading in the location specified by the **exportUrl** property.

-Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).

-The following example shows how to get an export job that was created by the POST request for the `TotalAggregatedRemoteConnectionReports` report.

-The following example shows how to get an export job that was created by the POST request for the `RemoteConnectionQualityReports` report.

- "domainJoinConfiguration": {

- "domainJoinType": "hybridAzureADJoin",

- "onPremisesConnectionId": "16ee6c71-fc10-438b-88ac-daa1ccafffff"

- },

- "onPremisesConnectionId": "4e47d0f6-6f77-44f0-8893-c0fe1701ffff",

- "windowsSettings": {

- "language": "en-US"

- },

- "domainJoinConfiguration": {

- "onPremisesConnectionId": "4e47d0f6-6f77-44f0-8893-c0fe1701ffff",

- "regionName": null,

- "type": "hybridAzureADJoin"

- },

- "onPremisesConnectionId": "4e47d0f6-6f77-44f0-8893-c0fe1701ffff",

- "windowsSettings": {

- "language": "en-US"

- },

-GET https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/provisioningPolicies/60b94f83-3e22-430e-a69d-440f65b922d6?$select=id,description,displayName,domainJoinConfiguration,imageDisplayName,imageId,imageType,onPremisesConnectionId,windowsSetting,managedBy,cloudPcGroupDisplayName,gracePeriodInHours,localAdminEnabled,alternateResourceUrl

- "domainJoinConfiguration": {

- "onPremisesConnectionId": "4e47d0f6-6f77-44f0-8893-c0fe1701ffff",

- "regionName": null,

- "type": "hybridAzureADJoin"

- },

- "onPremisesConnectionId": "4e47d0f6-6f77-44f0-8893-c0fe1701ffff",

- "windowsSettings": {

- "language": "en-US"

- },

-|domainJoinConfiguration (deprecated)|[cloudPcDomainJoinConfiguration](../resources/cloudpcdomainjoinconfiguration.md)|Specifies how Cloud PCs join Microsoft Entra ID.|

-|onPremisesConnectionId (deprecated)|String|The ID of the cloudPcOnPremisesConnection. To ensure that Cloud PCs have network connectivity and that they domain join, choose a connection with a virtual network thatΓÇÖs validated by the Cloud PC service.|

-|filter|String|OData filter syntax. Supported filters include `and`, `or`, `lt`, `le`, `gt`, `ge` and `eq`.|

- "RemoteSignInTimeInSec",

- "skip": 0,

-description: "Get a list of daily activeUsersBreakdown objects on apps registered in your tenant configured for Microsoft Entra External ID for customers."

-doc_type: apiPageType

-# List daily activeUsersBreakdown (deprecated)

-Namespace: microsoft.graph

-> [!CAUTION]

-> This API is deprecated and will stop returning data on March 9, 2024. Use the [List monthly activeUsers](../api/monthlyuserinsightmetricsroot-list-activeusers.md) API instead.

-Get a list of daily [activeUsersBreakdown](../resources/activeusersbreakdownmetric.md) objects on apps registered in your tenant configured for Microsoft Entra External ID for customers.

-## Permissions

-Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).

-<!-- { "blockType": "permissions", "name": "dailyuserinsightmetricsroot_list_activeusersbreakdown" } -->

-## HTTP request

-<!-- {

- "blockType": "ignored"

-}

-``` http

-GET /reports/userInsights/daily/activeUsersBreakdown

-```

-## Optional query parameters

-This method supports the `$filter` OData query parameter to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

-## Request headers

-|Name|Description|

-|:|:|

-|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|

-## Request body

-Don't supply a request body for this method.

-## Response

-If successful, this method returns a `200 OK` response code and a collection of [activeUsersBreakdownMetric](../resources/activeusersbreakdownmetric.md) objects in the response body.

-## Examples

-### Request

-The following example shows a request.

-# [HTTP](#tab/http)

-<!-- {

- "blockType": "request",

- "name": "list_dailyactiveusersbreakdownmetric"

-}

-``` http

-GET https://graph.microsoft.com/beta/reports/userInsights/daily/activeUsersBreakdown

-```

-# [C#](#tab/csharp)

-# [CLI](#tab/cli)

-# [Go](#tab/go)

-# [Java](#tab/java)

-# [JavaScript](#tab/javascript)

-# [PHP](#tab/php)

-# [PowerShell](#tab/powershell)

-# [Python](#tab/python)

-### Response

-The following example shows the response.

->**Note:** The response object shown here might be shortened for readability.

-<!-- {

- "blockType": "response",

- "truncated": true,

- "@odata.type": "Collection(microsoft.graph.activeUsersBreakdownMetric)"

-}

-``` http

-HTTP/1.1 200 OK

-Content-Type: application/json

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.activeUsersBreakdownMetric)",

- "value": [

- {

- "id": "2",

- "appId": "7a30b8ef-42h3-4d1e-84ad-17d4ca3c9a52",

- "appName": "Bank",

- "count": 1,

- "factDate": "2023-09-28",

- "os": "Windows"

- },

- {

- "id": "1",

- "appId": "65e59557-d9d1-485f-87c5-80b92a99dfda",

- "appName": "Kiosk",

- "count": 1,

- "factDate": "2023-09-20",

- "os": "Ios"

- }

- ]

-}

-```

-Update the properties of a [delegatedAdminRelationship](../resources/delegatedadminrelationship.md) object. You can only update a relationship when it's in the `created` **status**. However, you can update the **autoExtendDuration** property when the relationship is in either the `created` or `active` **status**.

-If successful, this method returns a `200 OK` response code and an updated [delegatedAdminRelationship](../resources/delegatedadminrelationship.md) object in the response body.

-The calling user must also be in one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): *Global Administrator*, *Intune Administrator*, or *Windows 365 Administrator*.

-The calling user must also be in one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): *Global Administrator*, *Intune Administrator*, *Windows 365 Administrator*, or *Cloud Device Administrator*.

-The calling user must also be in one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):

-* Global Administrator

-The calling user must also be in one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):

-* Global Administrator

-* Global Administrator

-The calling user must also be in one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): *Global Administrator*, *Intune Administrator*, or *Windows 365 Administrator*.

-The calling user must also be in one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): *Global Administrator*, *Intune Administrator*, or *Windows 365 Administrator*.

-In delegated scenarios, the calling user must also be in one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json): *Global Administrator*, *Intune Administrator*. A calling user in the *Cloud Device Administrator* role can only enable or disable devices using this API and a user with the *Windows 365 Administrator* role can only update basic device properties.

-### Examples using the $orderby OData query parameter

-The `$orderby` OData query parameter is supported on the **deletedDateTime**, **displayName**, and **userPrincipalName** properties of the deleted object types. On the **deletedDateTime** property, the query requires adding the [advanced query parameters](/graph/aad-advanced-queries) (**ConsistencyLevel** header set to `true` and `$count=true` query string).

-To create an administrative unit, the calling principal must be assigned one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):

-* Privileged Role Administrator

-* Global Administrator

-description: "Deletes a domain from a tenant."

-Deletes a domain from a tenant.

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* Domain Name Administrator

-description: "Deletes a domain using an asynchronous operation."

-Deletes a domain using an asynchronous operation.

-Prior to calling [forceDelete](domain-forcedelete.md), you must update or remove any references to **Exchange** as the provisioning service.

-* If one of the applications to be renamed is a multi-tenant app, an error is returned.

-After the domain deletion completes, API operations for the deleted domain will return a 404 HTTP response code. To verify deletion of a domain, you can perform a [get domain](domain-get.md). If the domain was successfully deleted, a 404 HTTP response code will be returned in the response.

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* Domain Name Administrator

-|disableUserAccounts|Boolean| Option to disable renamed user accounts. If a user account is disabled, the user will not be allowed to sign in.<br>*True* (default) - User accounts renamed as part of this operation are disabled.<br>*False* - User accounts renamed as part of this operation are not disabled. |

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* Domain Name Administrator

-* Global Reader

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* Domain Name Administrator

-* Global Reader

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* Domain Name Administrator

-|signingCertificate|String|Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. <br>This property is used in the following scenarios: <li> If a rollover is required outside of the autorollover update <li> A new federation service is being set up <li> If the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.<br>Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and will update the federation settings for the domain when a new certificate is available.|

-|nextSigningCertificate|String|Fallback token signing certificate that is used to sign tokens when the primary signing certificate expires. Formatted as Base64 encoded strings of the public portion of the federated IdP's token signing certificate. Needs to be compatible with the X509Certificate2 class. Much like the **signingCertificate**, the **nextSigningCertificate** property is used if a rollover is required outside of the auto-rollover update, a new federation service is being set up, or if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.|

-+ Switching between **federatedIdpMfaBehavior** and **SupportsMfa** is not supported.

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* Domain Name Administrator

-Update the properties of domain object.

-> **Important:**

-> Only verified domains can be updated.

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-description: "Validates the ownership of the domain."

-Validates the ownership of the domain.

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* Domain Name Administrator

-This API is part of Microsoft SharePoint and OneDrive APIs that perform advanced premium administrative functions and is considered a protected API. Protected APIs require you to have more validation, beyond permission and consent, before you can use them. Before you call this API, you must [request access](https://aka.ms/PreviewSPOPremiumAPI).

-For more information about sensitivity labels from an administrator's perspective, see [Enable sensitivity labels for Office files in SharePoint and OneDrive](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide&preserve-view=true).

-> This is a metered API and some charges for use may apply. For details, see [Overview of metered Microsoft 365 APIs in Microsoft Graph](/graph/metered-api-overview).

-DELETE https://graph.microsoft.com/beta/education/classes/11003/members/14008

-The following example shows a request for a direct assignment, in which the administrator is requesting the creation of an assignment for the user. Because the [accessPackageSubject](../resources/accesspackagesubject.md) might not yet exist, the value of the **targetID** is the object ID of the user being assigned, the value of the **accessPackageId** is the desired access package for that user, and the value of **assignmentPolicyId** is a direct assignment policy in that access package.

-

-### Example 2: User requests a package and answers questions for approval

-

-### Example 3: Request a package and provide a justification

-#### Request

-

-> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.

-### Example 4: Remove an assignment

-To remove assignments, create a new accessPackageAssignmentRequest object with the following settings:

-+ The value of the **requestType** property set to `AdminRemove`.

-+ In the accessPackageAssignment property, include an object with the identifier of the accessPackageAssignment objects to delete.

-The following example shows how to remove an assignment.

- "name": "create_accesspackageassignmentrequest_from_accesspackageassignmentrequests_remove_assignment"

- "requestType": "AdminRemove",

- "accessPackageAssignment":{

- "id": "a6bb6942-3ae1-4259-9908-0133aaee9377"

- }

-> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#accessPackageAssignmentRequests/$entity",

- "id": "78eaee8c-e6cf-48c9-8f99-aae44c35e379",

- "requestType": "AdminRemove",

- "requestState": "Submitted",

- "requestStatus": "Accepted"

-### Example 5: Admin requests a direct assignment for a user not yet in the directory

-#### Request

-The following example shows a request for a direct assignment, in which the administrator is requesting the creation of an assignment for the user, for a user who does not exist in the directory. The value of the **accessPackageId** is the desired access package for that user, and the value of **assignmentPolicyId** is a direct assignment policy in that access package.

- "name": "create_accesspackageassignmentrequest_from_accesspackageassignmentrequests_direct_assignment"

- "requestType": "AdminAdd",

- "accessPackageAssignment":{

- "target": {

- "email": "user@contoso.com"

- },

- "assignmentPolicyId":"2264bf65-76ba-417b-a27d-54d291f0cbc8",

- "accessPackageId":"a914b616-e04e-476b-aa37-91038f0b165b"

- }

-> **Note:** The response object shown here might be shortened for readability.

- "id": "7e382d02-4454-436b-b700-59c7dd77f466",

- "requestType": "AdminAdd",

- "requestState": "Submitted",

- "requestStatus": "Accepted",

- "isValidationOnly": false

-The following example shows a request for a direct assignment, in which the administrator is requesting the creation of an assignment for the user. Because the [accessPackageSubject](../resources/accesspackagesubject.md) might not yet exist, the value of the **targetID** is the object ID of the user being assigned, the value of the **accessPackageId** is the desired access package for that user, and the value of **assignmentPolicyId** is a direct assignment policy in that access package.

- "id": "7e382d02-4454-436b-b700-59c7dd77f466",

-To remove assignments, create a new accessPackageAssignmentRequest object with the following settings:

-+ The value of the **requestType** property set to `adminRemove`.

-+ In the assignment property, include an object with the identifier of the accessPackageAssignment object to delete.

-> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.

- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#accessPackageAssignmentRequests/$entity",

-### Example 3: Request an assignment

-The following example shows how a user can request an access package assignment for themselves.

- "name": "create_accesspackageassignmentrequest_from_accesspackageassignmentrequests_packageID"

- "accessPackageId": "d7be3253-b9c6-4fab-adef-30d30de8da2b"

-> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.

- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentRequests/$entity",

- "id": "724bc62d-90ff-48f3-903f-b59ec8453343",

- "state": "submitted"

-### Example 4: Request an assignment by providing answers to questions

-The following example shows how a user can request an access package assignment for themselves by answering questions required by the policy while making the request.

- "name": "create_accesspackageassignmentrequest_from_accesspackageassignmentrequests_requestor_answer_approver"

- "@odata.type": "#microsoft.graph.accessPackageAssignmentRequest",

- "requestType": "userAdd",

- "answers": [

- {

- "@odata.type": "#microsoft.graph.accessPackageAnswerString",

- "displayValue": "This is the answer to a multiple choice question",

- "value": "MultipleChoiceAnswerValue",

- "answeredQuestion": {

- "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",

- "id": "8fe745e7-80b2-490d-bd22-4e708c77288c"

- }

- },

- {

- "@odata.type": "#microsoft.graph.accessPackageAnswerString",

- "value": "This is my answer to a text input question.",

- "displayValue": "This is my answer.",

- "answeredQuestion": {

- "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",

- "id": "7aaa18c9-8e4f-440f-bd5a-3a7ce312cbe6"

- }

- }

- ],

- "assignment": {

- "accessPackageId": "977c7ff4-ef8f-4910-9d31-49048ddf3120"

- }

-> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.

- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#accessPackageAssignmentRequests/$entity",

- "id": "7a6ab703-0780-4b37-8445-81f679b2d75c",

- "requestType": "userAdd",

- "state": "submitted",

- "status": "Accepted",

- "completedDateTime": null,

- "answers": [

- {

- "@odata.type": "#microsoft.graph.accessPackageAnswerString",

- "value": "MultipleChoiceAnswerValue",

- "answeredQuestion": {

- "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",

- "id": "8fe745e7-80b2-490d-bd22-4e708c77288c"

- },

- "displayValue": "This is the answer to a multiple choice question"

- },

- {

- "@odata.type": "#microsoft.graph.accessPackageAnswerString",

- "value": "This is my answer to a text input question.",

- "answeredQuestion": {

- "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",

- "id": "7aaa18c9-8e4f-440f-bd5a-3a7ce312cbe6"

- },

- "displayValue": "This is my answer."

- ]

-### Example 5: Request an update to answers for an assignment

-The following example shows how an admin can request updates to an assignment to edit their responses to questions that were answered while requesting the assignment.

- "name": "update_accesspackageassignmentrequest_from_accesspackageassignmentrequests_requestor_answer_to_approver"

-> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.

- "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#accessPackageAssignmentRequests/$entity",

-For delegated scenarios, the calling user needs one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json).

-+ For delegated scenarios, the app must be assigned the _RoleManagement.ReadWrite.Directory_ delegated permission, and the calling user must be the creator of the group or a global administrator or a privileged role administrator.

-+ For app-only scenarios, the calling app must be the owner of the group or be assigned the _RoleManagement.ReadWrite.Directory_ application permission or be assigned the Global Administrator or Privileged Role Administrator Microsoft Entra role.

- By default, this operation returns only a subset of the properties for each group. For a list of properties that are returned by default, see thethe [Properties](../resources/group.md#properties) section of the [group](../resources/group.md) resource. To get properties that are _not_ returned by default, do a [GET operation](group-get.md) and specify the properties in a `$select` OData query option.

-**Note**: To create a [team](../resources/team.md), first create a group then add a team to it, see [create team](../api/team-put-teams.md).

-| displayName | string | The name to display in the address book for the group. Maximum length is 256 characters. Required. |

-| mailEnabled | boolean | Set to `true` for mail-enabled groups. Required. |

-| mailNickname | string | The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the [ASCII character set 0 - 127](/office/vba/language/reference/user-interface-help/character-set-0127) except the following: ` @ () \ [] " ; : <> , SPACE`. Required. |

-| securityEnabled | boolean | Set to `true` for security-enabled groups, including Microsoft 365 groups. Required. **Note:** Groups created using the Microsoft Entra admin center or the Azure portal always have **securityEnabled** initially set to `true`. |

->

->

->

-> - To following properties can't be set in the initial POST request and must be set in a subsequent PATCH request: **allowExternalSenders**, **autoSubscribeNewMembers**, **hideFromAddressLists**, **hideFromOutlookClients**, **isSubscribedByMail**, **unseenCount**.

-The following example creates a security group with an owner and members specified because a group with the specified **uniqueName** value does not exist. Note that a maximum of 20 relationships, such as owners and members, can be added as part of group creation. You can subsequently add multiple additional members by using [add member](/graph/api/group-post-members?view=graph-rest-beta&preserve-view=true) API or JSON batching.

-## See also

-Do not supply a request body with this method.

-DELETE https://graph.microsoft.com/beta/sites/{sitesId}/pages/{sitePageId}/microsoft.graph.sitePage/canvasLayout/horizontalSections/{horizontalSectionId}

-ve

-GET https://graph.microsoft.com/beta/sites/{sitesId}/pages/{sitePageId}/microsoft.graph.sitePage/canvasLayout/horizontalSections/{horizontalSectionId}

-With `select` and `expand` statements, you can retrieve horizontalSection metadata and column information in a single request.

-GET https://graph.microsoft.com/beta/sites/{sitesId}/pages/{sitePageId}/microsoft.graph.sitePage/canvasLayout/horizontalSections/{horizontalSectionId}?select=id,expand=columns

-GET https://graph.microsoft.com/beta/sites/{sitesId}/pages/{sitePageId}/microsoft.graph.sitePage/canvasLayout/horizontalSections

-PATCH https://graph.microsoft.com/beta/sites/{site-id}/pages/{page-id}/microsoft.graph.sitePage/canvasLayout/horizontalSections/{horizontalSectionId}

-GET https://graph.microsoft.com/beta/sites/{sitesId}/pages/{sitePageId}/microsoft.graph.sitePage/canvasLayout/horizontalSections/{horizontalSectionId}/columns/{horizontalSectionColumnId}

-With `select` and `expand` statements, you can retrieve horizontalSectionColumn metadata and associated webParts in a single request.

-GET https://graph.microsoft.com/beta/sites/{sitesId}/pages/{sitePageId}/microsoft.graph.sitePage/canvasLayout/horizontalSections/{horizontalSectionId}/columns/{horizontalSectionColumnId}?select=id,expand=webparts

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

-* External ID user flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity User Flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

- "@odata.count": 16,

- "category": "joiner,leaver",

- "displayName": "Add User To Groups",

- "displayName": "Disable User Account",

- "parameters": []

- "displayName": "Enable User Account",

- "parameters": []

- "category": "joiner,leaver",

- "displayName": "Generate TAP And Send Email",

- "displayName": "Send Welcome Email",

- "parameters": []

- "category": "joiner,leaver",

- "description": "Add user to selected teams",

- "displayName": "Add User To Teams",

- "displayName": "Delete User Account",

- "parameters": []

- "category": "joiner,leaver",

- "category": "joiner,leaver",

- "parameters": []

- "parameters": []

- "displayName": "Generate TAP And Send Email",

- "displayName": "Enable User Account",

- "displayName": "Send Welcome Email",

- "displayName": "Add User To Groups",

- "displayName": "Delete User Account",

- "displayName": "Disable User Account",

- "displayName": "Delete User Account",

-description: "Create a new workflow object. You can create up to 50 workflows in a tenant."

-Create a new [workflow](../resources/identitygovernance-workflow.md) object. You can create up to 50 workflows in a tenant.

-|category|[microsoft.graph.identityGovernance.lifecycleWorkflowCategory](../resources/identitygovernance-workflow.md)|The category of the workflow. The possible values are: `joiner`, `leaver`, `unknownFutureValue`. Can be only one value. Required.|

-|executionConditions|[microsoft.graph.identityGovernance.workflowExecutionConditions](../resources/identitygovernance-workflowexecutionconditions.md)|Defines for who and when a workflow will run. Required. |

-### Example 1: Create a new workflow

-+ It's a "joiner" workflow that's enabled and schedule to run.

-+ It runs for new users that are based in Australia, on their employeeHireDate.

-### Example 2: Create a new version of a task with customized email

-The following example shows a request.

- "name": "lifecycleworkflows_create_workflow_from_customemail"

- "category": "joiner",

- "description": "Configure new hire tasks for onboarding employees on their first day",

- "displayName": "custom email marketing API test",

- "isSchedulingEnabled": false,

- "rule": "(department eq 'Marketing')"

- "@odata.type": "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger",

- "timeBasedAttribute": "employeeHireDate",

- "offsetInDays": 0

- "description": "Enable user account in the directory",

- "displayName": "Enable User Account",

- "taskDefinitionId": "6fc52c9d-398b-4305-9763-15f42c1676fc",

- "description": "Send welcome email to new hire",

- "displayName": "Send Welcome Email",

- "taskDefinitionId": "70b29d51-b59a-4773-9280-8841dfd3f2ea",

- "arguments": [

- {

- "name": "cc",

- "value": "1baa57fa-3c4e-4526-ba5a-db47a9df95f0"

- },

- {

- "name": "customSubject",

- "value": "Welcome to the organization {{userDisplayName}}!"

- },

- {

- "name": "customBody",

- "value": "Welcome to our organization {{userGivenName}}!"

- },

- "name": "locale",

- "value": "en-us"

-HTTP/1.1 200 OK

- "workflow":{

- "category": "joiner",

- "description": "Configure new hire tasks for onboarding employees on their first day",

- "displayName": "Global onboard new hire employee",

- "isEnabled": true,

- "isSchedulingEnabled": false,

- "executionConditions": {

- "@odata.type": "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions",

- "scope": {

- "@odata.type": "#microsoft.graph.identityGovernance.ruleBasedSubjectSet",

- "rule": "(department eq 'Marketing')"

- },

- "trigger": {

- "@odata.type": "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger",

- "timeBasedAttribute": "employeeHireDate",

- "offsetInDays": 1

- }

- "tasks": [

- {

- "continueOnError": false,

- "description": "Enable user account in the directory",

- "displayName": "Enable User Account",

- "isEnabled": true,

- "taskDefinitionId": "6fc52c9d-398b-4305-9763-15f42c1676fc",

- "arguments": []

- },

- {

- "continueOnError": false,

- "description": "Send welcome email to new hire",

- "displayName": "Send Welcome Email",

- "isEnabled": true,

- "taskDefinitionId": "70b29d51-b59a-4773-9280-8841dfd3f2ea",

- "arguments": [

- {

- "name": "cc",

- "value": "b47471b9-af8f-4a5a-bfa2-b78e82398f6e, a7a23ce0-909b-40b9-82cf-95d31f0aaca2"

- },

- {

- "name": "customSubject",

- "value": "Welcome to the organization {{userDisplayName}}!"

- },

- {

- "name": "customBody",

- "value": "Welcome to our organization {{userGivenName}} {{userSurname}}. \nFor more information, reach out to your manager {{managerDisplayName}} at {{managerEmail}}."

- },

- {

- "name": "locale",

- "value": "en-us"

- },

- ]

- }

- ]

-### Example 1: Create a new version of a workflow

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

-The work or school account needs to belong to one of the following roles:

-* Global administrator

-* External Identity Provider administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator

-* External ID user flow administrator

-The work or school account needs to belong to one of the following roles:

-* Global Administrator

-* External Identity Provider Administrator