+GET /applications/{id}/federatedIdentityCredentials

+POST /applications/{id}/federatedIdentityCredentials

+|audiences|String collection|The audience that can appear in the external token. This field is mandatory and should be set to `api://AzureADTokenExchange` for Azure AD. It says what Microsoft identity platform should accept in the `aud` claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you may need to create a new application registration in your identity provider to serve as the audience of this token. This field can only accept a single value and has a limit of 600 characters. Required.|

+|issuer|String|TThe URL of the external identity provider and must match the issuer claim of the external token being exchanged. The combination of the values of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters. Required.|

+|name|String|The unique identifier for the federated identity credential, which has a limit of 120 characters and must be URL friendly. It is immutable once created|

+|subject|String|Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. It has a limit of 600 characters. The combination of **issuer** and **subject** must be unique on the app.|

+| [$orderBy](/graph/query-parameters#orderby-parameter) | Currently supports **lastModifiedDateTime** (default) and **createdDateTime** in **descending** order. Ascending order is currently not supported.|

+This method supports the following [OData query parameters](/graph/query-parameters).

+| Name | Description |

+|:-|:|

+| [$expand](/graph/query-parameters#expand-parameter)| Currently supports **members** and **lastMessagePreview** properties. |

+| [$top](/graph/query-parameters#top-parameter)| Controls the number of items per response. Maximum allowed `$top` value is 50. |

+| [$filter](/graph/query-parameters#filter-parameter)| Filters results. |

+| [$orderBy](/graph/query-parameters#orderby-parameter) | Currently supports **lastMessagePreview/createdDateTime** in descending order. Ascending order is currently not supported.|

+The other [OData query parameters](/graph/query-parameters) are not currently supported.

+The following is an example of a request.

+The following is an example of the response.

+The following is an example of a request.

+The following is an example of the response.

+The following is an example of the response.

+The following is an example of a request that will filter all the chats based on a specific member's display name.

+The following is an example of the response.

+### Example 5: List all chats in order of the most to least recent chat messages

+#### Request

+The following is an example of a request. **lastMessagePreview/createdDateTime** is passed to sort chats by the most to least recent chat messages.

+<!-- {

+ "blockType": "request",

+ "name": "list_chats_orderby"

+}-->

+```msgraph-interactive

+GET https://graph.microsoft.com/beta/chats?$orderBy=lastMessagePreview/createdDateTime desc

+```

+#### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.chat",

+ "isCollection": true

+} -->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#chats",

+ "@odata.count": 2,

+ "@odata.nextLink": "https://graph.microsoft.com/betRTVOekF0TURFdE1ERlVNREE2BAATcggAcWlMQ0psYm2YAJB4T1Rjd0xUQXgEACJWRFQAAAQABmAA8F8xZExDSjZaWEp2VEUxVFZFUmxiR2wyWlhKbFpGTmxaMjFsYm5SeklqcGJYU3dpYzI5eWRFOXlaR1Z5SWpveExDSnBibU5zZFdSbFdtVnliMHhOVTFRaU9uUnlkV1Y5rExhc3RQYWdlU2l6ZaIyMA%3d%3d",

+ "value": [

+ {

+ "id": "19:670374fa-3b0e-4a3b-9d33-0e1bc5ff1956_bfb5bb25-3a8d-487d-9828-7875ced51a30@unq.gbl.spaces",

+ "topic": null,

+ "createdDateTime": "2021-11-17T18:48:57.986Z",

+ "lastUpdatedDateTime": "2021-11-17T18:48:57.986Z",

+ "chatType": "oneOnOne",

+ "webUrl": "https://teams.microsoft.com/l/chat/19%3A670374fa-3b0e-4a3b-9d33-0e1bc5ff1956_bfb5bb25-3a8d-487d-9828-7875ced51a30%40unq.gbl.spaces/0?tenantId=2432b57b-0abd-43db-aa7b-16eadd115d34",

+ "tenantId": "2432b57b-0abd-43db-aa7b-16eadd115d34",

+ "onlineMeetingInfo": null,

+ "viewpoint": {

+ "isHidden": false,

+ "lastMessageReadDateTime": "2022-05-03T18:15:42.307Z"

+ }

+ },

+ {

+ "id": "19:82fe7758-5bb3-4f0d-a43f-e555fd399c6f_bfb5bb25-3a8d-487d-9828-7875ced51a30@unq.gbl.spaces",

+ "topic": null,

+ "createdDateTime": "2021-05-26T00:07:00.751Z",

+ "lastUpdatedDateTime": "2021-05-26T00:07:14.894Z",

+ "chatType": "oneOnOne",

+ "webUrl": "https://teams.microsoft.com/l/chat/19%3A82fe7758-5bb3-4f0d-a43f-e555fd399c6f_bfb5bb25-3a8d-487d-9828-7875ced51a30%40unq.gbl.spaces/0?tenantId=2432b57b-0abd-43db-aa7b-16eadd115d34",

+ "tenantId": "2432b57b-0abd-43db-aa7b-16eadd115d34",

+ "onlineMeetingInfo": null,

+ "viewpoint": {

+ "isHidden": true,

+ "lastMessageReadDateTime": "2022-03-08T19:55:30.491Z"

+ }

+ }

+ ]

+}

+```

+|topic|String|The title of the chat. This can only be set for a chat with a **chatType** value of `group`. Maximum length is **255** characters. Use of **':'** is not allowed.|

+|definition|String collection| A string collection containing a JSON string that defines the rules and settings for this policy. Required.|

+ Title: "educationSubmission: setUpResourcesFolder"

+description: "Trigger the creation of the SharePoint resource folder where all file-based resources (Word, Excel, and so on) should be uploaded for a given submission."

+ms.localizationpriority: medium

+# educationSubmission: setUpResourcesFolder

+Namespace: microsoft.graph

+Trigger the creation of the SharePoint resource folder where all file-based resources (Word, Excel, and so on) should be uploaded for a given submission.

+Note that files must be located in this folder in order to be added as resources. Only a student in the class can determine what files to upload in a given submission-level resource folder.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | EduAssignments.ReadBasic, EduAssignments.Read |

+|Delegated (personal Microsoft account) | Not supported. |

+|Application | Not supported. |

+## HTTP request

+<!-- { "blockType": "ignored" } -->

+```http

+POST /education/classes/{id}/assignments/{id}/submissions/{id}/setUpResourcesFolder

+```

+## Request headers

+| Header | Value |

+|:|:--|

+| Authorization | Bearer `{token}`. Required. |

+## Request body

+Provide an empty json `{}` as request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code. The body will contain the submission model.

+If the assignment is already in submitted state or if the assignment is no longer open for submission, this method returns a `400 Bad Request` response code.

+## Examples

+### Example 1: Set up a resource folder for a submission

+#### Request

+The following is an example of a request that triggers the creation of a SharePoint resource folder for a submission.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "educationsubmission_setupresourcesfolder"

+}-->

+```msgraph-interactive

+POST https://graph.microsoft.com/beta/education/classes/b07edbef-7420-4b3d-8f7c-d599cf21e069/assignments/1e5222bd-b7d2-4d64-8a22-74b722ce2fc6/submissions/803fb5dd-3553-455f-3d94-f79fb54a1003/setUpResourcesFolder

+Content-type: application/json

+{

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+#### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.educationSubmission"

+} -->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#education/classes('b07edbef-7420-4b3d-8f7c-d599cf21e069')/assignments('1e5222bd-b7d2-4d64-8a22-74b722ce2fc6')/submissions/$entity",

+ "status": "working",

+ "submittedDateTime": null,

+ "unsubmittedDateTime": null,

+ "returnedDateTime": null,

+ "resourcesFolderUrl": "https://graph.microsoft.com/v1.0/drives/b!6SQl0y4WHkS2P5MeIsSGpKwfynEIaD1OvPVeH4wbOp_1uyhNwJMSSpseJneB7Z4F/items/01YT2AIJRQLVYT24IWWFAJHMRRNYCB3GE2",

+ "id": "803fb5dd-3553-455f-3d94-f79fb54a1003",

+ "recipient": {

+ "@odata.type": "#microsoft.graph.educationSubmissionIndividualRecipient",

+ "userId": "f8bbb2a4-2cdd-4d49-ac81-d4113fc72dc1"

+ },

+ "submittedBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": "f8bbb2a4-2cdd-4d49-ac81-d4113fc72dc1",

+ "displayName": null

+ }

+ },

+ "unsubmittedBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ },

+ "returnedBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ },

+ "resources": [],

+ "submittedResources": []

+}

+```

+### Example 2: Set up a resource folder when the assignment is no longer open for submission

+#### Request

+The following is an example of a request that tries to set up a resource folder but fails with a `400 Bad Request` response code because the assignment is no longer open for submission.

+<!-- {

+ "blockType": "request",

+ "name": "educationsubmission_setupresourcesfolder"

+}-->

+```msgraph-interactive

+POST https://graph.microsoft.com/beta/education/classes/b07edbef-7420-4b3d-8f7c-d599cf21e069/assignments/1e5222bd-b7d2-4d64-8a22-74b722ce2fc6/submissions/803fb5dd-3553-455f-3d94-f79fb54a1003/setUpResourcesFolder

+Content-type: application/json

+{

+}

+```

+#### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.educationSubmission"

+} -->

+```http

+HTTP/1.1 400 Bad Request

+Content-type: application/json

+{

+ "error": {

+ "code": "badRequest",

+ "message": "Bad request.",

+ "innerError": {

+ "code": "assignmentHasBeenSubmitted",

+ "message": "Resource folder cannot be set up for assignments that are no longer open for submissions."

+ }

+ }

+}

+```

+### Example 3: Set up a resource folder when the assignment is already in submitted state

+#### Request

+The following is an example of a request that tries to set up a resource folder but fails with a `400 Bad Request` response code because the assignment has already been submitted.

+<!-- {

+ "blockType": "request",

+ "name": "educationsubmission_setupresourcesfolder"

+}-->

+```msgraph-interactive

+POST https://graph.microsoft.com/beta/education/classes/b07edbef-7420-4b3d-8f7c-d599cf21e069/assignments/1e5222bd-b7d2-4d64-8a22-74b722ce2fc6/submissions/803fb5dd-3553-455f-3d94-f79fb54a1003/setUpResourcesFolder

+Content-type: application/json

+{

+}

+```

+#### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.educationSubmission"

+} -->

+```http

+HTTP/1.1 400 Bad Request

+Content-type: application/json

+{

+ "error": {

+ "code": "badRequest",

+ "message": "Bad request.",

+ "innerError": {

+ "code": "assignmentHasBeenSubmitted",

+ "message": "Resource folder cannot be set up while the submission is in the submitted state."

+ }

+ }

+}

+```

+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-d4113fc72dc1

+2021-05-12 12:00:00 UTC -->

+<!--

+{

+ "type": "#page.annotation",

+ "description": "educationSubmission: setUpResourcesFolder",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": "",

+ "suppressions": [

+ ]

+}

+-->

+ Title: "externalItem: addActivities"

+description: "Append additional instances of externalActivity on an externalitem."

+ms.localizationpriority: medium

+# externalItem: addActivities

+Namespace: microsoft.graph.externalConnectors

+Append additional instances of [externalActivity](../resources/externalconnectors-externalactivity.md) objects on an [externalitem](../resources/externalconnectors-externalitem.md).

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+|:|:--|

+| Delegated (work or school account) | Not supported |

+| Delegated (personal Microsoft account) | Not supported |

+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /connections/{connectionsId}/items/{externalItemId}/addActivities

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+|Parameter|Type|Description|

+|:|:|:|

+|activities|[microsoft.graph.externalConnectors.externalActivity](../resources/externalconnectors-externalactivity.md) collection|Collection of activities involving an **externalItem**.|

+## Response

+If successful, this action returns a `200 OK` response code and a collection of [externalConnectors.externalActivityResult](../resources/externalconnectors-externalactivityresult.md) objects in the response body.

+If a `207` response is returned, this indicates that only some of the added **externalActivity** instances were successfully processed. The caller should inspect the response payload, looking at the error field for each **externalActivityResult** to determine why the **externalActivity** instance was not processed and what action can be taken. If the error field is null, that indicates a successful **externalActivityResult**.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "externalitemthis.addactivities"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/connections/{connectionsId}/items/{externalItemId}/addActivities

+Content-Type: application/json

+Content-length: 190

+{

+ "activities": [

+ {

+ "@odata.type": "#microsoft.graph.externalConnectors.externalActivity",

+ "type": "String",

+ "startDateTime": "String (timestamp)"

+ }

+ ]

+}

+```

+### Response

+The following example shows the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.externalConnectors.externalActivityResult)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.externalConnectors.externalActivityResult",

+ "type": "String",

+ "startDateTime": "String (timestamp)",

+ "error": {

+ "@odata.type": "microsoft.graph.publicError"

+ }

+ }

+ ]

+}

+```

+DELETE /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}

+DELETE /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}

+GET /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}

+GET /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}

+PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}

+PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}

+|audiences|String collection|The audience that can appear in the issued token. For Azure AD, set its value to `api://AzureADTokenExchange`. This field can only accept a single value and has a limit of 600 characters. |

+|description|String|A user-provided description of what the federatedIdentityCredential is used for. It has a limit of 600 characters. |

+|issuer|String|The URL of the incoming trusted issuer (Secure Token Service). Matches the issuer claim of an access token. For example, with the Customer Managed Keys scenario, Azure AD is the issuer and a valid value would be `https://login.microsoftonline.com/{tenantid}/v2.0`. The combination of the values of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters.|

+|subject|String|<li>For Azure AD issuer, the `objectId` of the servicePrincipal (can represent a managed identity) that can impersonate the app. The object associated with this GUID needs to exist in the tenant.</li><li>For all other issuers, a string with no additional validation</ul><br><br>The combination of the values of **issuer** and **subject** must be unique on the app.It has a limit of 600 characters.|

+ Title: "informationProtectionLabel: evaluateApplication (deprecated)"

+description: "Evaluate which label to apply based on existing content info and desired content state. Deprecated."

+# informationProtectionLabel: evaluateApplication (deprecated)

+ Title: "informationProtectionLabel: evaluateClassificationResults (deprecated)"

+description: "Evaluate which label to apply based on existing content info and a classification result. Deprecated."

+# informationProtectionLabel: evaluateClassificationResults (deprecated)

+| classificationResults | [classificationResult](../resources/classificationresult.md) collection | Contains the set of classification results returned by the data classification endpoint. Classification information is used to determine the appropriate label based on the Microsoft Purview Information Protection policy label configuration in Microsoft 365 Security and Compliance Center. |

+ Title: "informationProtectionLabel: evaluateRemoval (deprecated)"

+description: "Evaluate which label to remove and how to remove it based on existing content info. Deprecated."

+# informationProtectionLabel: evaluateRemoval (deprecated)

+ Title: "informationProtectionLabel: extractLabel (deprecated)"

+description: "Retrieve informationProtectionContentLabel using metadata from a labeled object. Deprecated."

+# informationProtectionLabel: extractLabel (deprecated)

+ Title: "Get informationProtectionLabel (deprecated)"

+description: "Retrieve the properties and relationships of the specified informationProtectionLabel object. Deprecated."

+# Get informationProtectionLabel (deprecated)

+ Title: "informationProtectionLabel: listLabels (deprecated)"

+description: "Retrieve a list of information protection labels. Deprecated."

+# informationProtectionLabel: listLabels (deprecated)

+ Title: "List sensitivityLabels"

+description: "Get the sensitivityLabel resources from the sensitivityLabels navigation property."

+ms.localizationpriority: medium

+# List sensitivityLabels

+Namespace: microsoft.graph.security

+Get a list of [sensitivityLabel](../resources/security-sensitivitylabel.md) objects associated with a user or organization.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | InformationProtectionPolicy.Read |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | InformationProtectionPolicy.Read.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+To get labels available to the signed-in user (delegated permission) or a specified user (application permission):

+``` http

+GET /users/{usersId}/security/informationProtection/sensitivityLabels

+GET /me/security/informationProtection/sensitivityLabels

+```

+To get labels available to the organization as a service principal (application permission):

+```http

+GET /security/informationProtection/sensitivityLabels

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer {token}. Required. |

+| User-Agent | Describes the name and version of the calling application. Details will surface in Azure Information Protection Analytics. Suggested format is `ApplicationName/Version`. Optional. |

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [sensitivityLabel](../resources/security-sensitivitylabel.md) objects in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "list_sensitivitylabel"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/users/bob@contoso.com/security/informationProtection/sensitivityLabels

+```

+### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "name": "list_sensitivitylabel",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.sensitivityLabel",

+ "isCollection": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#users('bob%40contoso.com')/security/informationProtection/sensitivityLabels",

+ "value": [

+ {

+ "id": "0d39dc11-75ff-4309-8b32-ff94f0e41607",

+ "name": "Any User (No Protection)",

+ "description": "",

+ "color": "",

+ "sensitivity": 7,

+ "tooltip": "The most sensitive information stored by Milt0rCorp; product plans, customer information, and other trade secrets. Data labeled for Any User will not be protected and should be used with caution and sparingly.",

+ "isActive": true,

+ "isAppliable": true,

+ "contentFormats": [

+ "file",

+ "email",

+ "schematizeddata"

+ ],

+ "hasProtection": false,

+ "parent@odata.context": "https://graph.microsoft.com/beta/$metadata#users('bob%40constoso.com')/security/informationProtection/sensitivityLabels('0d39dc11-75ff-4309-8b32-ff94f0e41607')/parent/$entity",

+ "parent": {

+ "id": "566663c7-4d8d-4b8f-b280-784a31971dbe",

+ "name": "Highly Confidential",

+ "description": "",

+ "color": "",

+ "sensitivity": 7,

+ "tooltip": "The most sensitive information at Milt0rCorp; product plans, customer information, data not shareable even under NDA.",

+ "isActive": false,

+ "isAppliable": false,

+ "contentFormats": [

+ "file",

+ "email",

+ "schematizeddata"

+ ],

+ "hasProtection": false,

+ "parent@odata.context": "https://graph.microsoft.com/beta/$metadata#users('bob%40contoso.com')/security/informationProtection/sensitivityLabels('0d39dc11-75ff-4309-8b32-ff94f0e41607')/parent/parent/$entity",

+ "parent": null

+ }

+ }

+ ]

+}

+```

+ Title: "Get informationProtectionPolicySetting"

+description: "Fetch users-specific Microsoft Purview Information Protection policy settings for a user."

+ms.localizationpriority: medium

+# Get informationProtectionPolicySetting

+Namespace: microsoft.graph.security

+Read the properties and relationships of an [informationProtectionPolicySetting](../resources/security-informationprotectionpolicysetting.md) object. The settings exposed by this API should be used in applications to populate the **moreInfoUrl** property for Microsoft Purview Information Protection help, and indicate whether labeling is mandatory for the user and whether justification must be provided on downgrade.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | InformationProtectionPolicy.Read |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | InformationProtectionPolicy.Read.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+To get policy settings available to the signed-in user (delegated permission) or a specified user (application permission):

+``` http

+GET /users/{usersId}/security/informationProtection/labelPolicySettings

+GET /me/security/informationProtection/labelPolicySettings

+```

+To get policy settings available to the organization as a service principal (application permission):

+```http

+GET /security/informationProtection/labelPolicySettings

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer {token}. Required. |

+| User-Agent | Describes the name and version of the calling application. Details will surface in Azure Information Protection Analytics. Suggested format is `ApplicationName/Version`. Optional. |

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [informationProtectionPolicySetting](../resources/security-informationprotectionpolicysetting.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_informationprotectionpolicysetting"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/users/bob@contoso.com/security/informationProtection/labelPolicySettings

+```

+### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "name": "get_informationprotectionpolicysetting",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.informationProtectionPolicySetting"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://canary.graph.microsoft.com/testprodbetamipdev/$metadata#users('bob%40contoso.com')/security/informationProtection/labelPolicySettings/$entity",

+ "id": "BFB31DC0E2183F5872EEC3FEC1A254B8118DF1156CC19E783EA6D36304242B7FCFA4CF1DA3374481AA9919D8F3D63F7C",

+ "moreInfoUrl": "https://contoso.com/MIPInfo",

+ "isMandatory": false,

+ "isDowngradeJustificationRequired": true

+}

+```

+ Title: "sensitivityLabel: evaluateApplication"

+description: "Evaluate which label to apply based on an existing content information and a desired content state."

+ms.localizationpriority: medium

+# sensitivityLabel: evaluateApplication

+Namespace: microsoft.graph.security

+Compute the [sensitivity label](../resources/security-sensitivitylabel.md) that should be applied and return the set of actions that must be taken to correctly label the information. This API is useful when a label should be set manually or explicitly by a user or service, rather than automatically based on file contents.

+Given [contentInfo](../resources/security-contentinfo.md), which includes existing content metadata [key-value pairs](../resources/security-keyvaluepair.md), and [labelingOptions](../resources/security-labelingoptions.md) as an input, the API returns an [informationProtectionAction](../resources/security-informationprotectionaction.md) object that contains one of more of the following:

+* [addContentFooterAction](../resources/security-addcontentfooteraction.md)

+* [addContentHeaderAction](../resources/security-addcontentheaderaction.md)

+* [addWatermarkAction](../resources/security-addwatermarkaction.md)

+* [applyLabelAction](../resources/security-applylabelaction.md)

+* [customAction](../resources/security-customaction.md)

+* [justifyAction](../resources/security-justifyaction.md)

+* [metadataAction](../resources/security-metadataaction.md)

+* [protectAdhocAction](../resources/security-protectadhocaction.md)

+* [protectByTemplateAction](../resources/security-protectbytemplateaction.md)

+* [protectionDoNotForwardAction](../resources/security-protectdonotforwardaction.md)

+* [recommendLabelAction](../resources/security-recommendlabelaction.md)

+* [removeContentFooterAction](../resources/security-removecontentfooteraction.md)

+* [removeContentHeaderAction](../resources/security-removecontentheaderaction.md)

+* [removeProtectionAction](../resources/security-removeprotectionaction.md)

+* [removeWatermarkAction](../resources/security-removewatermarkaction.md)

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | InformationProtectionPolicy.Read |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | InformationProtectionPolicy.Read.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+To evaluate as the signed-in user (delegated permission) or a specified user (application permission):

+``` http

+POST /users/{usersId}/security/informationProtection/sensitivityLabels/evaluateApplication

+POST /me/security/informationProtection/sensitivityLabels/evaluateApplication

+```

+To evaluate as a service principal (application permission):

+``` http

+POST /security/informationProtection/sensitivityLabels/evaluateApplication

+```

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer {token}. Required. |

+| Content-type | application/json. Required. |

+| User-Agent | Describes the name of the calling application. Details will surface in Azure Information Protection Analytics. Suggested format is `ApplicationName/Version`. Optional. |

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+| Parameter | Type | Description |

+| :-- | :- | :- |

+| contentInfo | [contentInfo](../resources/security-contentinfo.md) | Provides details on the content format, content state, and existing [metadata](../resources/security-keyvaluepair.md) as key-value pairs. |

+| labelingOptions | [labelingOptions](../resources/security-labelingoptions.md) | Provides details about the desired state of the content. |

+## Response

+If successful, this action returns a `200 OK` response code and an [informationProtectionAction](../resources/security-informationprotectionaction.md) collection in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "sensitivitylabelthis.evaluateapplication"

+}

+-->

+``` http

+POST https://graph.microsoft.com/beta/users/bob@contoso.com/security/informationProtection/sensitivityLabels/evaluateApplication

+Content-Type: application/json

+Content-length: 181

+User-agent: ContosoLobApp/1.0

+{

+ "contentInfo": {

+ "@odata.type": "#microsoft.graph.security.contentInfo",

+ "format@odata.type": "#microsoft.graph.security.contentFormat",

+ "contentFormat": "File",

+ "format": "default",

+ "identifier": null,

+ "state@odata.type": "#microsoft.graph.security.contentState",

+ "state": "rest",

+ "metadata@odata.type": "#Collection(microsoft.graph.security.keyValuePair)",

+ "metadata": [

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_3a80e051-487c-40d4-b491-73ad25d997e6_Enabled",

+ "value": "True"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_3a80e051-487c-40d4-b491-73ad25d997e6_Method",

+ "value": "Standard"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_3a80e051-487c-40d4-b491-73ad25d997e6_SetDate",

+ "value": "1/1/0001 12:00:00 AM"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_3a80e051-487c-40d4-b491-73ad25d997e6_SiteId",

+ "value": "cfa4cf1d-a337-4481-aa99-19d8f3d63f7c"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_3a80e051-487c-40d4-b491-73ad25d997e6_Name",

+ "value": "LabelScopedToBob_Tests"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_3a80e051-487c-40d4-b491-73ad25d997e6_ContentBits",

+ "value": "0"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_3a80e051-487c-40d4-b491-73ad25d997e6_ActionId",

+ "value": "00000000-0000-0000-0000-000000000000"

+ }

+ ]

+ },

+ "labelingOptions": {

+ "@odata.type": "#microsoft.graph.security.labelingOptions",

+ "assignmentMethod@odata.type": "#microsoft.graph.security.assignmentMethod",

+ "assignmentMethod": "standard",

+ "labelId@odata.type": "#Guid",

+ "labelId": "836ff34f-b604-4a62-a68c-d6be4205d569",

+ "downgradeJustification": {

+ "justificationMessage": "Justified",

+ "isDowngradeJustified": true

+ },

+ "extendedProperties@odata.type": "#Collection(microsoft.graph.security.keyValuePair)",

+ "extendedProperties": []

+ }

+}

+```

+### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "name": "sensitivitylabelthis.evaluateapplication",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.informationProtectionAction",

+ "isCollection": true

+}

+-->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.security.informationProtectionAction)",

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.addContentHeaderAction",

+ "uiElementName": "MSIPCM_v1_header",

+ "text": "HIGHLY CONFIDENTIAL",

+ "fontName": "Calibri",

+ "fontSize": 12,

+ "fontColor": "#000000",

+ "alignment": "left",

+ "margin": 5

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.addWatermarkAction",

+ "uiElementName": "MSIPWM_v1_main",

+ "layout": "diagonal",

+ "text": "HIGHLY CONFIDENTIAL",

+ "fontName": "Calibri",

+ "fontSize": 72,

+ "fontColor": "#000000"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.addContentFooterAction",

+ "uiElementName": "MSIPCM_v1_footer",

+ "text": "HIGHLY CONFIDENTIAL",

+ "fontName": "Calibri",

+ "fontSize": 12,

+ "fontColor": "#000000",

+ "alignment": "left",

+ "margin": 5

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.protectByTemplateAction",

+ "templateId": "684d0d40-83d4-4ce6-a5e7-0efb9fffb2dc"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.metadataAction",

+ "metadataToRemove": [],

+ "metadataToAdd": [

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_Enabled",

+ "value": "true"

+ },

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_SetDate",

+ "value": "2022-03-04T22:48:13Z"

+ },

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_Method",

+ "value": "Standard"

+ },

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_Name",

+ "value": "FTEs_HC"

+ },

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_SiteId",

+ "value": "29375103-6ce7-4dba-81ec-8e33884c6f0f"

+ },

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_ActionId",

+ "value": "14368e92-2e6a-46c4-9a48-5117de375b66"

+ },

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_ContentBits",

+ "value": "15"

+ }

+ ]

+ }

+ ]

+}

+```

+ Title: "sensitivityLabel: evaluateClassificationResults"

+description: "Evaluate which label to apply based on an existing content information and a classification result."

+ms.localizationpriority: medium

+# sensitivityLabel: evaluateClassificationResults

+Namespace: microsoft.graph.security

+Use the [classification results](../resources/security-classificationresult.md) to compute the [sensitivity label](../resources/security-sensitivitylabel.md) that should be applied and return the set of actions that must be taken to correctly label the information. This API is useful when a label should be set automatically based on classification of the file contents, rather than labeled directly by a user or service.

+To evaluate based on classification results, provide the [contentInfo](../resources/security-contentinfo.md), which includes existing content metadata [key-value pairs](../resources/security-keyvaluepair.md), and [classification results](../resources/security-classificationresult.md). The API returns an [informationProtectionAction](../resources/security-informationprotectionaction.md) that contains one of more of the following:

+* [addContentFooterAction](../resources/security-addcontentfooteraction.md)

+* [addContentHeaderAction](../resources/security-addcontentheaderaction.md)

+* [addWatermarkAction](../resources/security-addwatermarkaction.md)

+* [applyLabelAction](../resources/security-applylabelaction.md)

+* [customAction](../resources/security-customaction.md)

+* [justifyAction](../resources/security-justifyaction.md)

+* [metadataAction](../resources/security-metadataaction.md)

+* [protectAdhocAction](../resources/security-protectadhocaction.md)

+* [protectByTemplateAction](../resources/security-protectbytemplateaction.md)

+* [protectionDoNotForwardAction](../resources/security-protectdonotforwardaction.md)

+* [recommendLabelAction](../resources/security-recommendlabelaction.md)

+* [removeContentFooterAction](../resources/security-removecontentfooteraction.md)

+* [removeContentHeaderAction](../resources/security-removecontentheaderaction.md)

+* [removeProtectionAction](../resources/security-removeprotectionaction.md)

+* [removeWatermarkAction](../resources/security-removewatermarkaction.md)

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | InformationProtectionPolicy.Read |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | InformationProtectionPolicy.Read.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+To evaluate as the signed-in user (delegated permission) or a specified user (application permission):

+``` http

+POST /users/{usersId}/security/informationProtection/sensitivityLabels/evaluateClassificationResults

+POST /users/me/security/informationProtection/sensitivityLabels/evaluateClassificationResults

+```

+To evaluate as a service principal (application permission):

+``` http

+POST /users/security/informationProtection/sensitivityLabels/evaluateClassificationResults

+```

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer {token}. Required. |

+| Content-type | application/json. Required. |

+| User-Agent | Describes the name and version of the calling application. Details will surface in Azure Information Protection Analytics. Suggested format is `ApplicationName/Version`. Optional. |

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+| Parameter | Type | Description |

+| :-- | :- | : |

+| contentInfo | [contentInfo](../resources/security-contentInfo.md) | Provides details about the content format, content state, and existing [metadata](../resources/security-keyvaluepair.md) as key-value pairs. |

+| classificationResults | [classificationResult](../resources/security-classificationresult.md) collection | Contains the set of classification results returned by the data classification endpoint. Classification information is used to determine the appropriate label based on the Microsoft Purview Information Protection policy label configuration in Microsoft 365 Security and Compliance Center. |

+## Response

+If successful, this action returns a `200 OK` response code and an [informationProtectionAction](../resources/security-informationprotectionaction.md) collection in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "sensitivitylabelthis.evaluateclassificationresults"

+}

+-->

+```http

+POST https://graph.microsoft.com/beta/users/bob@contoso.com/security/informationProtection/sensitivityLabels/evaluateClassificationResults

+Content-type: application/json

+User-agent: ContosoLOBApp/1.0

+{

+ "contentInfo": {

+ "@odata.type": "#microsoft.graph.security.contentInfo",

+ "format@odata.type": "#microsoft.graph.security.contentFormat",

+ "format": "default",

+ "contentFormat": "File",

+ "identifier": "c:\\user\\new.docx",

+ "state@odata.type": "#microsoft.graph.security.contentState",

+ "state": "rest",

+ "metadata": []

+ },

+ "classificationResults": [

+ {

+ "sensitiveTypeId": "50842eb7-edc8-4019-85dd-5a5c1f2bb085", //Credit Card

+ "count": 7,

+ "confidenceLevel": 99

+ }

+ ]

+}

+```

+### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "name": "sensitivitylabelthis.evaluateclassificationresults",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.informationProtectionAction",

+ "isCollection": true

+}

+-->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.security.informationProtectionAction)",

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.applyLabelAction",

+ "responsibleSensitiveTypeIds": [

+ "cb353f78-2b72-4c3c-8827-92ebe4f69fdf"

+ ],

+ "actionSource": "automatic",

+ "label": {

+ "id": "722a5300-ac39-4c9a-88e3-f54c46676417",

+ "name": "Top Secret",

+ "description": "",

+ "color": "#000000",

+ "sensitivity": 13,

+ "tooltip": "This information is Top Secret.",

+ "isActive": true

+ },

+ "actions": [

+ {

+ "@odata.type": "#microsoft.graphsecurity..protectByTemplateAction",

+ "templateId": "0e7fea72-7bba-4438-a070-95c292cd6f8c"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.metadataAction",

+ "metadataToRemove": [],

+ "metadataToAdd": [

+ {

+ "name": "MSIP_Label_722a5300-ac39-4c9a-88e3-f54c46676417_Enabled",

+ "value": "true"

+ },

+ {

+ "name": "MSIP_Label_722a5300-ac39-4c9a-88e3-f54c46676417_SetDate",

+ "value": "2019-10-03T21:50:20Z"

+ },

+ {

+ "name": "MSIP_Label_722a5300-ac39-4c9a-88e3-f54c46676417_Method",

+ "value": "Standard"

+ },

+ {

+ "name": "MSIP_Label_722a5300-ac39-4c9a-88e3-f54c46676417_Name",

+ "value": "Top Secret"

+ },

+ {

+ "name": "MSIP_Label_722a5300-ac39-4c9a-88e3-f54c46676417_SiteId",

+ "value": "cb46c030-1825-4e81-a295-151c039dbf02"

+ },

+ {

+ "name": "MSIP_Label_722a5300-ac39-4c9a-88e3-f54c46676417_ActionId",

+ "value": "76dc494e-6c59-43e6-88a1-0000edd58fca"

+ },

+ {

+ "name": "MSIP_Label_722a5300-ac39-4c9a-88e3-f54c46676417_ContentBits",

+ "value": "8"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+}

+```

+ Title: "sensitivityLabel: evaluateRemoval"

+description: "Evaluate which label to remove and how to remove it based on an existing content information."

+ms.localizationpriority: medium

+# sensitivityLabel: evaluateRemoval

+Namespace: microsoft.graph.security

+Indicate to the consuming application what actions it should take to remove the label information.

+Given [contentInfo](../resources/contentinfo.md) as an input, which includes existing content metadata [key-value pairs](../resources/security-keyvaluepair.md), the API returns an [informationProtectionAction](../resources/security-informationprotectionaction.md) that contains some combination of one or more of the following:

+* [justifyAction](../resources/security-justifyaction.md)

+* [metadataAction](../resources/security-metadataaction.md)

+* [removeContentFooterAction](../resources/security-removecontentfooteraction.md)

+* [removeContentHeaderAction](../resources/security-removecontentheaderaction.md)

+* [removeProtectionAction](../resources/security-removeprotectionaction.md)

+* [removeWatermarkAction](../resources/security-removewatermarkaction.md)

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | InformationProtectionPolicy.Read |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | InformationProtectionPolicy.Read.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+To evaluate removal as the signed-in user (delegated permission) or a specified user (application permission):

+``` http

+POST /users/{usersId}/security/informationProtection/sensitivityLabels/evaluateRemoval

+POST /users/me/security/informationProtection/sensitivityLabels/evaluateRemoval

+```

+To evaluate removal as a service principal (application permission):

+``` http

+POST /users/security/informationProtection/sensitivityLabels/evaluateRemoval

+```

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer {token}. Required. |

+| Content-type | application/json. Required. |

+| User-Agent | Describes the name and version of the calling application. Details will surface in Azure Information Protection Analytics. Suggested format is `ApplicationName/Version`. Optional. |

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameters that can be used with this action.

+| Parameter | Type | Description |

+| : | : | :- |

+| contentInfo | [contentInfo](../resources/security-contentinfo.md) | Provides details about the content format, content state, and existing [metadata](../resources/security-keyvaluepair.md) as key-value pairs. |

+| downgradeJustification | [downgradeJustification](../resources/security-downgradejustification.md) | Justification that must be provided by the user or application logic. |

+## Response

+If successful, this action returns a `200 OK` response code and an [informationProtectionAction](../resources/security-informationprotectionaction.md) collection in the response body. The [informationProtectionAction](../resources/security-informationprotectionaction.md) object will contain a [metadataAction](../resources/security-metadataaction.md) object that informs the application which metadata to remove.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "sensitivitylabelthis.evaluateremoval"

+}

+-->

+```http

+POST https://graph.microsoft.com/beta/users/bob@contoso.com/security/informationProtection/sensitivityLabels/evaluateRemoval

+Content-type: application/json

+User-agent: ContosoLOBApp/1.0

+{

+ "contentInfo": {

+ "@odata.type": "#microsoft.graph.security.contentInfo",

+ "identifier": null,

+ "state": "rest",

+ "metadata": [

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_Enabled",

+ "value": "True"

+ },

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_Method",

+ "value": "Standard"

+ },

+ {

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_SetDate",

+ "value": "1/1/0001 12:00:00 AM"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_SiteId",

+ "value": "cfa4cf1d-a337-4481-aa99-19d8f3d63f7c"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_Name",

+ "value": "LabelScopedToBob_Tests"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_ContentBits",

+ "value": "0"

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_ActionId",

+ "value": "00000000-0000-0000-0000-000000000000"

+ }

+ ]

+ },

+ "downgradeJustification": {

+ "justificationMessage": "The information has been declassified.",

+ "isDowngradeJustified": true

+ }

+}

+```

+### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "name": "sensitivitylabelthis.evaluateremoval",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.informationProtectionAction",

+ "isCollection": true

+}

+-->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.security.informationProtectionAction)",

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.metadataAction",

+ "metadataToRemove": [

+ "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_Enabled",

+ "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_Method",

+ "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_SetDate",

+ "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_SiteId",

+ "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_Name",

+ "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_ContentBits",

+ "MSIP_Label_836ff34f-b604-4a62-a68c-d6be4205d569_ActionId"

+ ],

+ "metadataToAdd": []

+ }

+ ]

+}

+```

+ Title: "sensitivityLabel: extractContentLabel"

+description: "Retrieve the contentLabel using the metadata from a labeled object."

+ms.localizationpriority: medium

+# sensitivityLabel: extractContentLabel

+Namespace: microsoft.graph.security

+Use the metadata that exists on an already-labeled piece of information to resolve the metadata to a specific sensitivity label. The [contentInfo](../resources/security-contentinfo.md) input is resolved to [informationProtectionContentLabel](../resources/security-contentlabel.md).

+>[!NOTE]

+>The [contentLabel](../resources/security-contentlabel.md) resource represents a sensitivity label that has been applied to a piece of information. [sensitivityLabels](../resources/security-sensitivitylabel.md) objects are the abstract labels that are part of the organizational labeling policy and can be applied to the information.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | InformationProtectionPolicy.Read |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | InformationProtectionPolicy.Read.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+To extract the content label as the signed-in user (delegated permission) or a specified user (application permission):

+``` http

+POST /users/{usersId}/security/informationProtection/sensitivityLabels/extractContentLabel

+POST /users/me/security/informationProtection/sensitivityLabels/extractContentLabel

+```

+To extract the content label as a service principal (application permission):

+``` http

+POST /users/security/informationProtection/sensitivityLabels/extractContentLabel

+```

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer {token}. Required. |

+| Content-type | Content-type: application/json. Required. |

+| User-Agent | Describes the name and version of the calling application. Details will surface in Azure Information Protection Analytics. Suggested format is `ApplicationName/Version`. Optional. |

+## Request body

+In the request body, supply a JSON representation of the parameters.

+The following table shows the parameter that can be used with this action.

+| Parameter | Type | Description |

+| :- | :-- | :- |

+| contentInfo | [contentInfo](../resources/security-contentinfo.md) | Provides details about the content format, content state, and existing [metadata](../resources/security-keyvaluepair.md) as key-value pairs. |

+## Response

+If successful, this action returns a `200 OK` response code and a [contentLabel](../resources/security-contentlabel.md) object in the response body.

+## Examples

+### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "request",

+ "name": "sensitivitylabelthis.extractcontentlabel"

+}

+-->

+```http

+POST https://graph.microsoft.com/beta/users/bob@contoso.com/security/informationProtection/sensitivityLabels/extractContentLabel

+Content-type: application/json

+User-agent: ContosoLOBApp/1.0

+{

+ "contentInfo": {

+ "format": "default",

+ "identifier": "MyDoc.docx",

+ "state": "rest",

+ "metadata": [

+ {

+ "name": "MSIP_Label_0ed12617-d0ef-4053-b8e4-ecf5bcf2ffb3_Enabled",

+ "value": "True"

+ },

+ {

+ "name": "MSIP_Label_0ed12617-d0ef-4053-b8e4-ecf5bcf2ffb3_Method",

+ "value": "Standard"

+ },

+ {

+ "name": "MSIP_Label_0ed12617-d0ef-4053-b8e4-ecf5bcf2ffb3_SetDate",

+ "value": "1/1/0001 12:00:00 AM"

+ },

+ {

+ "name": "MSIP_Label_0ed12617-d0ef-4053-b8e4-ecf5bcf2ffb3_SiteId",

+ "value": "cfa4cf1d-a337-4481-aa99-19d8f3d63f7c"

+ },

+ {

+ "name": "MSIP_Label_0ed12617-d0ef-4053-b8e4-ecf5bcf2ffb3_Name",

+ "value": "LabelScopedToBob_Tests"

+ },

+ {

+ "name": "MSIP_Label_0ed12617-d0ef-4053-b8e4-ecf5bcf2ffb3_ContentBits",

+ "value": "0"

+ },

+ {

+ "name": "MSIP_Label_0ed12617-d0ef-4053-b8e4-ecf5bcf2ffb3_ActionId",

+ "value": "00000000-0000-0000-0000-000000000000"

+ }

+ ]

+ }

+}

+```

+### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "name": "sensitivitylabelthis.extractcontentlabel",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.contentLabel"

+}

+-->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#microsoft.graph.security.contentLabel",

+ "createdDateTime": "2001-01-01T12:00:00Z",

+ "assignmentMethod": "standard",

+ "sensitivityLabelId": "0ed12617-d0ef-4053-b8e4-ecf5bcf2ffb3"

+}

+```

+ Title: "Get sensitivityLabel"

+description: "Read the properties and relationships of a sensitivityLabel object."

+ms.localizationpriority: medium

+# Get sensitivityLabel

+Namespace: microsoft.graph.security

+Read the properties and relationships of a [sensitivityLabel](../resources/security-sensitivitylabel.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | InformationProtectionPolicy.Read |

+| Delegated (personal Microsoft account) | Not supported. |

+| Application | InformationProtectionPolicy.Read.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+To get a label as the signed-in user (delegated permission) or a specified user (application permission):

+``` http

+GET /users/{usersId}/security/informationProtection/sensitivityLabels/{sensitivityLabelId}

+GET /me/security/informationProtection/sensitivityLabels/{sensitivityLabelId}

+```

+To get labels available to the organization as a service principal (application permission):

+```http

+GET /security/informationProtection/sensitivityLabels/{sensitivityLabelId}

+```

+## Optional query parameters

+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer {token}. Required. |

+| User-Agent | Describes the name and version of the calling application. Details will surface in Azure Information Protection Analytics. Suggested format is `ApplicationName/Version`. Optional. |

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [sensitivityLabel](../resources/security-sensitivitylabel.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_sensitivitylabel"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/users/bob@contoso.com/security/informationProtection/sensitivityLabel/5aa3cb3c-f0bd-9d1f-bc54-af399bed88e2

+```

+### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "name": "get_sensitivitylabel",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.sensitivityLabel"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#users('bob%40contoso.com')/security/informationProtection/sensitivityLabels/$entity",

+ "id": "0ed12617-d0ef-4053-b8e4-ecf5bcf2ffb3",

+ "name": "FTEs, Approved Partners, and Vendors",

+ "description": "",

+ "color": "",

+ "sensitivity": 2,

+ "tooltip": "This label is intended to protect NDA-level data and share with external and internal vendors and partners, as well as all FTEs. FTEs will have full control of the protected information.",

+ "isActive": true,

+ "isAppliable": true,

+ "contentFormats": [

+ "file",

+ "email",

+ "site",

+ "unifiedgroup",

+ "schematizeddata"

+ ],

+ "hasProtection": true

+}

+```

+ Title: "addContentFooterAction resource type (deprecated)"

+description: "Represents an action that specifies the details on the content footer to be added to the information, if applicable. Deprecated."

+# addContentFooterAction resource type (deprecated)

+ Title: "addContentHeaderAction resource type (deprecated)"

+description: "Represents an action that specifies the details on the content header to be added to the information, if applicable. Deprecated."

+# addContentHeaderAction resource type (deprecated)

+ Title: "addWatermarkAction resource type (deprecated)"

+description: "Represents an action that specifies the details on the content watermark to be added to the information, if applicable. Deprecated."

+# addWatermarkAction resource type (deprecated)

+ Title: "applyLabelAction resource type (deprecated)"

+description: "Represents a set of actions that should be taken to apply or update a label. Deprecated."

+# applyLabelAction resource type (deprecated)

+| responsibleSensitiveTypeIds | Guid collection | If the label was the result of an automatic classification, supply the list of sensitive info type GUIDs that resulted in the returned label. |

+ Title: "classificationResult resource type (deprecated)"

+description: "Represents the result of a classification request. Deprecated."

+# classificationResult resource type (deprecated)

+Represents the result of a classification operation from the Microsoft Classification Engine. Data classification results from Azure Information Protection, Office, and other Microsoft services may return a [well-defined set of classification types](/office365/securitycompliance/what-the-sensitive-information-types-look-for). These types can be provided to the [evaluateClassificationResults](../api/informationprotectionlabel-evaluateclassificationresults.md) API to resolve a sensitive information to a Microsoft Purview Information Protection label.

+ Title: "contentInfo resource type (deprecated)"

+description: "Represents the current state of some information that is to be labeled. Deprecated."

+# contentInfo resource type (deprecated)

+ Title: "customAction resource type (deprecated)"

+description: "Represents any custom actions that a label may provide, if configured by the administrator. Deprecated."

+# customAction resource type (deprecated)

+ Title: "downgradeJustification resource type (deprecated)"

+description: "Represents user input on why downgrade was performed. Deprecated."

+# downgradeJustification resource type (deprecated)

+### externalActivityType values

+|Member

+|:--

+|viewed

+|modified

+|created

+|commented

+|unknownFutureValue

+### identityType values

+| Member

+|:--

+| user

+| group

+| externalGroup

+| unknownFutureValue

+### ruleOperation values

+ Title: "activitySettings resource type"

+description: "Collects configurable settings related to activities involving connector content."

+ms.localizationpriority: medium

+# activitySettings resource type

+Namespace: microsoft.graph.externalConnectors

+Collects configurable settings related to activities involving connector content.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|urlToItemResolvers|[microsoft.graph.externalConnectors.urlToItemResolverBase](../resources/externalconnectors-urltoitemresolverbase.md) collection|Specifies configurations to identify an **externalItem** based on a shared URL.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.externalConnectors.activitySettings"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.externalConnectors.activitySettings",

+ "urlToItemResolvers": [

+ {

+ "@odata.type": "microsoft.graph.externalConnectors.urlToItemResolverBase"

+ }

+ ]

+}

+```

+ Title: "externalActivity resource type"

+description: "Represents a record of a user interaction with an externalItem object."

+ms.localizationpriority: medium

+# externalActivity resource type

+Namespace: microsoft.graph.externalConnectors

+Represents a record of a user interaction with an [externalItem](externalconnectors-externalitem.md) object.

+Inherits from [externalActivityBase](../resources/externalconnectors-externalactivitybase.md).

+## Methods

+None.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|startDateTime|DateTimeOffset|When the particular activity occurred. Inherited from [externalActivityBase](../resources/externalconnectors-externalactivitybase.md).|

+|type|externalConnectors.externalActivityType|The type of activity performed. Inherited from [externalActivityBase](../resources/externalconnectors-externalactivitybase.md). The possible values are: `viewed`, `modified`, `created`, `commented`, `unknownFutureValue`.|

+## Relationships

+|Relationship|Type|Description|

+|:|:|:|

+|performedBy|[identity](../resources/externalconnectors-identity.md)|Represents an identity used to identify who is responsible for the activity. Inherited from [externalActivityBase](../resources/externalconnectors-externalactivitybase.md).|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.externalConnectors.externalActivity",

+ "baseType": "microsoft.graph.externalConnectors.externalActivityBase",

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.externalConnectors.externalActivity",

+ "type": "String",

+ "startDateTime": "String (timestamp)"

+}

+```

+ Title: "externalActivityBase resource type"

+description: "Represents the basetype for a user interaction with an external item."

+ms.localizationpriority: medium

+# externalActivityBase resource type

+Namespace: microsoft.graph.externalConnectors

+Represents the base type for a user interaction with an [externalitem](../resources/externalconnectors-externalitem.md).

+This is an abstract type. Base type of [externalActivity](../resources/externalconnectors-externalactivity.md) and [externalActivityResult](../resources/externalconnectors-externalactivityresult.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|startDateTime|DateTimeOffset|When the particular activity occurred.|

+|type|externalConnectors.externalActivityType|The type of activity performed. The possible values are: `viewed`, `modified`, `created`, `commented`, `unknownFutureValue`.|

+## Relationships

+|Relationship|Type|Description|

+|:|:|:|

+|performedBy|[identity](../resources/externalconnectors-identity.md)|Represents an identity used to identify who is responsible for the activity.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.externalConnectors.externalActivityBase",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.externalConnectors.externalActivityBase",

+ "type": "String",

+ "startDateTime": "String (timestamp)"

+}

+```

+ Title: "externalActivityResult resource type"

+description: "Represents the result of processing an externalActivity"

+ms.localizationpriority: medium

+# externalActivityResult resource type

+Namespace: microsoft.graph.externalConnectors

+Represents the result of processing an [externalActivity](../resources/externalconnectors-externalactivity.md). Null if successful.

+Inherits from [externalActivityBase](../resources/externalconnectors-externalactivitybase.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|error|[microsoft.graph.publicError](../resources/publicerror.md)|Error information explaining failure to process external activity.|

+|startDateTime|DateTimeOffset|When the particular activity occurred. Inherited from [externalActivityBase](../resources/externalconnectors-externalactivitybase.md).|

+|type|externalConnectors.externalActivityType|The type of activity performed. Inherited from [externalActivityBase](../resources/externalconnectors-externalactivitybase.md). The possible values are: `viewed`, `modified`, `created`, `commented`, `unknownFutureValue`.|

+## Relationships

+|Relationship|Type|Description|

+|:|:|:|

+|performedBy|[identity](../resources/externalconnectors-identity.md)|Represents an identity used to identify who is responsible for the activity. Inherited from [externalActivityBase](../resources/externalconnectors-externalactivitybase.md).|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.externalConnectors.externalActivityResult",

+ "baseType": "microsoft.graph.externalConnectors.externalActivityBase",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.externalConnectors.externalActivityResult",

+ "type": "String",

+ "startDateTime": "String (timestamp)",

+ "error": {

+ "@odata.type": "microsoft.graph.publicError"

+ }

+}

+```

+| activitySettings|[microsoft.graph.externalConnectors.searchSettings](../resources/externalconnectors-searchsettings.md)| Collects configurable settings related to activities involving connector content.|

+``` json

+ "@odata.type": "#microsoft.graph.externalConnectors.externalConnection",

+ "description": "String",

+ "configuration": {

+ "@odata.type": "microsoft.graph.externalConnectors.configuration"

+ },

+ "state": "String",

+ "connectorId": "String",

+ "searchSettings": {

+ "@odata.type": "microsoft.graph.externalConnectors.searchSettings"

+ },

+ "activitySettings": {

+ "@odata.type": "microsoft.graph.externalConnectors.activitySettings"

+ }

+| [Create externalItem](../api/externalconnectors-externalconnection-put-items.md) | [externalItem](externalconnectors-externalitem.md) | Create an **externalItem**. |

+| [Get externalItem](../api/externalconnectors-externalitem-get.md) | [externalItem](externalconnectors-externalitem.md) | Get an **externalItem**. |

+| [Update externalItem](../api/externalconnectors-externalitem-update.md) | [externalItem](externalconnectors-externalitem.md) | Update an **externalItem**. |

+|[addActivities](../api/externalconnectors-externalitem-addactivities.md)|[microsoft.graph.externalConnectors.externalActivityBase](../resources/externalconnectors-externalactivityBase.md) collection|Append additional instances of [externalActivity](../resources/externalconnectors-externalactivity.md) objects on an **externalItem**.|

+| content | [microsoft.graph.externalConnectors.externalItemContent](externalconnectors-externalitemcontent.md) | A plain-text representation of the contents of the item. The text in this property is full-text indexed. Optional. |

+| Relationship | Type | Description |

+|:-|:|:|

+| activities | [microsoft.graph.externalConnectors.externalActivityBase](externalconnectors-externalactivitybase.md) collection | Write-only property. Returns results. |

+ "content": { "@odata.type": "microsoft.graph.externalConnectors.externalItemContent" },

+ Title: "identity resource type"

+description: "Represents an identity used to set permissions on external content added to Microsoft Graph."

+ms.localizationpriority: medium

+# identity resource type

+Namespace: microsoft.graph.externalConnectors

+Represents an entity used to set permissions on external content added to Microsoft Graph.

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[Create identity](../api/externalconnectors-externalgroup-post-members.md)|[microsoft.graph.externalConnectors.identity](externalconnectors-identity.md)|Create an [identity](../resources/externalconnectors-identity.md) resource for a new member in an [externalGroup](../resources/externalconnectors-externalgroup.md).|

+|[Delete identity](../api/externalconnectors-externalgroup-delete.md)|None|Delete an [identity](../resources/externalconnectors-identity.md) resource to remove the corresponding member from an [externalGroup](../resources/externalconnectors-externalgroup.md).|

+## Properties

+| Property | Type | Description |

+|:|:|:|

+| id | String | The unique ID of the identity. It would be the objectId property in case of Azure Active Directory (Azure AD) users or groups and the **id** property of the **externalGroup** in the case of external groups. |

+| type | microsoft.graph.externalConnectors.identityType | The type of identity. Possible values are: `user` or `group` for Azure AD identities and `externalgroup` for groups in an external system. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.externalConnectors.externalGroupMember",

+ "openType": false

+}

+-->

+``` json

+{

+ "id": "String (identifier)",

+ "type": "String"

+}

+```

+ Title: "itemIdResolver resource type"

+description: Defines the rules for resolving a given URL to a connector item's ID."

+ms.localizationpriority: medium

+# itemIdResolver resource type

+Namespace: microsoft.graph.externalConnectors

+Defines the rules for resolving a URL to the ID of an [externalItem](microsoft.graph.externalConnectors.externalItem](externalconnectors-externalitem.md).

+Inherits from [urlToItemResolverBase](../resources/externalconnectors-urltoitemresolverbase.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|itemId|String|Pattern that specifies how to form the ID of the external item that the URL represents. The named groups from the regular expression in **urlPattern** within the [urlMatchInfo](../resources/externalconnectors-urlmatchinfo.md) can be referenced by inserting the group name inside curly brackets.|

+|priority|Int32|Priority of each urlToItemResolverBase instance. Inherited from [urlToItemResolverBase](../resources/externalconnectors-urltoitemresolverbase.md).|

+|urlMatchInfo|[microsoft.graph.externalConnectors.urlMatchInfo](../resources/externalconnectors-urlmatchinfo.md)|Configurations to match and resolve URL.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.externalConnectors.itemIdResolver"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.externalConnectors.itemIdResolver",

+ "priority": "Integer",

+ "itemId": "String",

+ "urlMatchInfo": {

+ "@odata.type": "microsoft.graph.externalConnectors.urlMatchInfo"

+ }

+}

+```

+ Title: "urlMatchInfo resource type"

+description: Collects the settings for the pattern that a URL must follow to be processed by an instance of urlToItemResolverBase.

+ms.localizationpriority: medium

+# urlMatchInfo resource type

+Namespace: microsoft.graph.externalConnectors

+Collects the settings for the pattern that a URL must follow to be processed by an instance of [urlToItemResolverBase](../resources/externalconnectors-urltoitemresolverbase.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|baseUrls|String collection|A list of the URL prefixes that must match URLs to be processed by this URL-to-item-resolver.|

+|urlPattern|String|A regular expression that will be matched towards the URL that is processed by this URL-to-item-resolver. The ECMAScript specification for regular expressions (ECMA-262) is used for the evaluation. The named groups defined by the regular expression will be used later to extract values from the URL.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.externalConnectors.urlMatchInfo"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.externalConnectors.urlMatchInfo",

+ "baseUrls": [

+ "String"

+ ],

+ "urlPattern": "String"

+}

+```

+ Title: "urlToItemResolverBase resource type"

+description: "Defines the rules for resolving a given URL to a connector item."

+ms.localizationpriority: medium

+# urlToItemResolverBase resource type

+Namespace: microsoft.graph.externalConnectors

+Defines the rules for resolving a URL to the ID of an [externalItem](microsoft.graph.externalConnectors.externalItem](externalconnectors-externalitem.md).

+This is an abstract type.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|priority|Int32|The priority which defines the sequence in which the urlToItemResolverBase instances are evaluated. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.externalConnectors.urlToItemResolverBase"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.externalConnectors.urlToItemResolverBase",

+ "priority": "Integer"

+}

+```

+| audiences | String collection | The audience that can appear in the external token. This field is mandatory and should be set to `api://AzureADTokenExchange` for Azure AD. It says what Microsoft identity platform should accept in the `aud` claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you may need to create a new application registration in your identity provider to serve as the audience of this token. This field can only accept a single value and has a limit of 600 characters. Required. |

+| description | String | The un-validated, user-provided description of the federated identity credential. It has a limit of 600 characters. Optional. |

+| issuer | String | The URL of the external identity provider and must match the `issuer` claim of the external token being exchanged. The combination of the values of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters. Required. |

+| name | String | is the unique identifier for the federated identity credential, which has a limit of 120 characters and must be URL friendly. It is immutable once created. Required. Not nullable. Supports `$filter` (`eq`). |

+| subject | String | Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the `sub` claim within the token presented to Azure AD. The combination of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters. Supports `$filter` (`eq`). |

+ Title: "informationProtectionAction resource type (deprecated)"

+description: "Describes the abstract informationProtectionAction entity. Deprecated."

+# informationProtectionAction resource type (deprecated)

+ Title: "informationProtectionContentLabel resource type (deprecated)"

+description: "Describes the informationProtectionContentLabel object that defines MIP metadata on an object. Deprecated."

+# informationProtectionContentLabel resource type (deprecated)

+ Title: "informationProtectionLabel resource type (deprecated)"

+description: "Describes the information protection label that details how to properly apply a sensitivity label to information. Deprecated."

+# informationProtectionLabel resource type (deprecated)

+| [List informationProtectionLabel](../api/informationprotectionpolicy-list-labels.md) (deprecated) | [informationProtectionLabel](informationprotectionlabel.md) collection | List all configured information protection labels for a user or tenant. |

+| [Get informationProtectionLabel](../api/informationprotectionlabel-get.md) (deprecated) | [informationProtectionLabel](informationprotectionlabel.md) | Given a specific label ID, return the **informationProtectionLabel**. |

+| [evaluateapplication](../api/informationprotectionlabel-evaluateapplication.md) (deprecated) | [informationProtectionAction](informationprotectionaction.md) collection | Given an input of [contentInfo](contentinfo.md) and [labelingOptions](labelingoptions.md), compute the set of actions require to apply the label. |

+| [evaluateClassificationResults](../api/informationprotectionlabel-evaluateclassificationresults.md) (deprecated) | [informationProtectionAction](informationprotectionaction.md) collection | Given an input of [contentInfo](contentinfo.md) and classification results, compute the set of actions require to apply the label. |

+| [evaluateRemoval](../api/informationprotectionlabel-evaluateremoval.md) (deprecated) | [informationProtectionAction](informationprotectionaction.md) collection | Given an input of [contentInfo](contentinfo.md) and [downgradeJustification](downgradejustification.md), compute the actions that should be taken to remove the label. |

+| [extractLabel](../api/informationprotectionlabel-extractlabel.md) (deprecated) | [informationProtectionContentLabel](informationprotectioncontentlabel.md) | Given an input of [contentInfo](contentinfo.md), return details on the [informationProtectionLabel](informationprotectionlabel.md) that the metadata represents. |

+ Title: "justifyAction resource type (deprecated)"

+description: "Indicates that a justification is required for the specified operation. Deprecated."

+# justifyAction resource type (deprecated)

+ Title: "labelingOptions resource type (deprecated)"

+description: "Represents the labeling options that can be provided to the evaluation APIs. Deprecated."

+# labelingOptions resource type (deprecated)

+ Title: "metadataAction resource type (deprecated)"

+description: "Represents the metadata to be written or removed from a file. Deprecated."

+# metadataAction resource type (deprecated)

+ Title: "protectAdhocAction resource type (deprecated)"

+description: "Informs the application that ad hoc protection should be applied. Deprecated."

+# protectAdhocAction resource type (deprecated)

+Informs the application that ad hoc protection should be applied. The **protectAdhocAction** informs that applications that the label should apply ad hoc protection. Ad hoc protection is defined at runtime by the user or application. The consuming application must use the Microsoft Purview Information Protection SDK to locally apply the protection to the file or data.

+ Title: "protectByTemplateAction resource type (deprecated)"

+description: "Informs the application that an Azure Information Protection protection template should be applied. Deprecated."

+# protectByTemplateAction resource type (deprecated)

+Informs the application that an Azure Information Protection protection template should be applied. **protectionByTemplateAction** may be returned by [evaluateApplication](../api/informationprotectionlabel-evaluateapplication.md) or [evaluateClassificationResults](../api/informationprotectionlabel-evaluateclassificationresults.md) if the resulting label has been configured to apply protection. The consuming application must read the templateId from the result and then use a client library, such as the Microsoft Purview Information Protection SDK, to apply protection via Azure Information Protection.

+ Title: "protectDoNotForwardAction resource type (deprecated)"

+description: "Informs the application to apply Do Not Forward protection. Deprecated."

+# protectDoNotForwardAction resource type (deprecated)

+ Title: "recommendLabelAction resource type (deprecated)"

+description: "Represents a label that should be recommended to the user for application to the file based on sensitive information types. Deprecated."

+# recommendLabelAction resource type (deprecated)

+| Property | Type | Description |

+| :-- | :-- | :- |

+| actionSource | String | Possible values are: `manual`, `automatic`, `recommended`, `default`. |

+| actions | [informationProtectionAction](informationprotectionaction.md) collection | Actions to take if the label is accepted by the user. |

+| label | [labelDetails](labeldetails.md) | The label that is being recommended. |

+| responsibleSensitiveTypeIds | Guid collection | The sensitive information type GUIDs that caused the recommendation to be given. |

+ Title: "removeContentFooterAction resource type (deprecated)"

+description: "Represents an action that specifies the details on the content footer to be removed from the information, if applicable. Deprecated."

+# removeContentFooterAction resource type (deprecated)

+ Title: "removeContentHeaderAction resource type (deprecated)"

+description: "Represents an action that specifies the details on the content header to be removed from the information, if applicable. Deprecated."

+# removeContentHeaderAction resource type (deprecated)

+ Title: "removeProtectionAction resource type (deprecated)"

+description: "Represents an action to remove protection from the file or information. Deprecated."

+# removeProtectionAction resource type (deprecated)

+Represents an action to remove protection from the file or information. The [evaluateApplication](../api/informationprotectionlabel-evaluateapplication.md), [evaluateClassificationResults](../api/informationprotectionlabel-evaluateclassificationresults.md), or [evaluateRemoval](../api/informationprotectionlabel-evaluateremoval.md) APIs may return the **removeProtectionAction** if protection is to be removed as a result of updating or removing the label. The action instructs the consuming application to remove the specific UI element that contains the previously-applicable content header. Protection should be removed via a client library, such as the Microsoft Purview Information Protection SDK, only if the calling user has sufficient rights to remove protection.

+ Title: "removeWatermarkAction resource type (deprecated)"

+description: "Represents an action that specifies the details on the content watermark to be removed from the information, if applicable. Deprecated."

+# removeWatermarkAction resource type (deprecated)

+ Title: "addContentFooterAction resource type"

+description: "Represents an action that specifies the details on the content footer to be added to the information, if applicable."

+ms.localizationpriority: medium

+# addContentFooterAction resource type

+Namespace: microsoft.graph.security

+Represents an action that specifies the details on the content footer to be added to the information, if applicable.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| : | :-- | : |

+| alignment | String | The horizontal alignment of the footer. |

+| fontColor | String | Color of the font to use for the footer. |

+| fontName | String | Name of the font to use for the footer. |

+| fontSize | Int32 | Font size to use for the footer. |

+| margin | Int32 | The margin of the header from the bottom of the document. |

+| text | String | The contents of the footer itself. |

+| uiElementName | String | The name of the UI element where the footer should be placed. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.addContentFooterAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.addContentFooterAction",

+ "alignment": "String",

+ "fontColor": "String",

+ "fontName": "String",

+ "fontSize": "Integer",

+ "margin": "Integer",

+ "text": "String",

+ "uiElementName": "String"

+}

+```

+ Title: "addContentHeaderAction resource type"

+description: "Represents an action that specifies the details on the content header to be added to the information, if applicable."

+ms.localizationpriority: medium

+# addContentHeaderAction resource type

+Namespace: microsoft.graph.security

+Represents an action that specifies the details on the content header to be added to the information, if applicable.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| : | :-- | : |

+| alignment | String | The horizontal alignment of the header. |

+| fontColor | String | Color of the font to use for the header. |

+| fontName | String | Name of the font to use for the header. |

+| fontSize | Int32 | Font size to use for the header. |

+| margin | Int32 | The margin of the header from the top of the document. |

+| text | String | The contents of the header itself. |

+| uiElementName | String | The name of the UI element where the header should be placed. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.addContentHeaderAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.addContentHeaderAction",

+ "alignment": "String",

+ "fontColor": "String",

+ "fontName": "String",

+ "fontSize": "Integer",

+ "margin": "Integer",

+ "text": "String",

+ "uiElementName": "String"

+}

+```

+ Title: "addWatermarkAction resource type"

+description: "Represents an action that specifies the details on the content watermark to be added to the information, if applicable."

+ms.localizationpriority: medium

+# addWatermarkAction resource type

+Namespace: microsoft.graph.security

+Represents an action that specifies the details on the content watermark to be added to the information, if applicable.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| : | :-- | :-- |

+| fontColor | String | Color of the font to use for the watermark. |

+| fontName | String | Name of the font to use for the watermark. |

+| fontSize | Int32 | Font size to use for the watermark. |

+| layout | String | The layout of the watermark. Possible values are: `horizontal`, `diagonal`. |

+| text | String | The contents of the watermark itself. |

+| uiElementName | String | The name of the UI element where the watermark should be placed. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.addWatermarkAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.addWatermarkAction",

+ "fontColor": "String",

+ "fontName": "String",

+ "fontSize": "Integer",

+ "layout": "String",

+ "text": "String",

+ "uiElementName": "String"

+}

+```

+ Title: "applyLabelAction resource type"

+description: "Represents a set of actions that should be taken to apply or update a label."

+ms.localizationpriority: medium

+# applyLabelAction resource type

+Namespace: microsoft.graph.security

+Represents a set of actions that should be taken to apply or update a label. **applyLabelAction** is returned when the result of a label evaluation operation is that a label should be applied. The **actions** property contains an [informationProtectionAction](security-informationprotectionaction.md) collection that describes the full set of actions to apply the label, including removal of old metadata, content marking, and protection.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| :-- | : | :-- |

+| actions | [informationProtectionAction](../resources/security-informationprotectionaction.md) collection | The collection of actions that should be implemented by the caller. |

+| actionSource | [actionSource](../resources/enums.md#actionsource-values) | Specifies why the label was selected. Possible values are: `manual`, `automatic`, `recommended`, `default`. |

+| responsibleSensitiveTypeIds | GUID collection | If the label was the result of an automatic classification, supply the list of sensitive info type GUIDs that resulted in the returned label. |

+## Relationships

+| Relationship | Type | Description |

+| : | : | :-- |

+| sensitivityLabel | [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) | The label that corresponds to the set of actions returned by the API. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.applyLabelAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.applyLabelAction",

+ "actions": [

+ {

+ "@odata.type": "microsoft.graph.security.addContentFooterAction"

+ }

+ ],

+ "actionSource": "String",

+ "responsibleSensitiveTypeIds": [

+ "GUID"

+ ]

+}

+```

+ Title: "classificationResult resource type"

+description: "Represents the result of a classification request."

+ms.localizationpriority: medium

+# classificationResult resource type

+Namespace: microsoft.graph.security

+Represents the result of a classification operation from the Microsoft classification engine. Data classification results from Azure Information Protection, Office, and other Microsoft services might return a [well-defined set of classification types](/office365/securitycompliance/what-the-sensitive-information-types-look-for). These types can be provided to the [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md) API to resolve a sensitive information to a Microsoft Purview Information Protection label.

+## Properties

+| Property | Type | Description |

+| :-- | :- | : |

+| confidenceLevel | Int32 | The confidence level, 0 to 100, of the result. |

+| count | Int32 | The number of instances of the specific information type in the input. |

+| sensitiveTypeId | GUID | The GUID of the discovered sensitive information type. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.classificationResult"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.classificationResult",

+ "confidenceLevel": "Integer",

+ "count": "Integer",

+ "sensitiveTypeId": "GUID"

+}

+```

+ Title: "contentInfo resource type"

+description: "Represents the current state of information that is to be labeled."

+ms.localizationpriority: medium

+# contentInfo resource type

+Namespace: microsoft.graph.security

+Represents the current state of some information that is to be labeled. **contentInfo** is passed in to the [evaluateRemoval](../api/security-sensitivitylabel-evaluateremoval.md), [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md), and [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md) APIs to describe to the API the current state of the information. This **contentInfo** detail drives the results on what metadata, content marking, and protection should be added or removed when the label is applied, updated, or removed.

+## Properties

+| Property | Type | Description |

+| : | :- | : |

+| contentFormat | String | The format of the content to be labeled. Possible values are: `file`, `email`. |

+| identifier | String | Identifier used for Azure Information Protection Analytics. |

+| metadata | [keyValuePair](../resources/security-keyvaluepair.md) collection | Existing Microsoft Purview Information Protection metadata is passed as key-value pairs, where the key is the `MSIP_Label_GUID_PropName`. |

+| state | contentState | The usage state of the content. The possible values are: `rest`, `motion`, or `use`. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.contentInfo"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.contentInfo",

+ "contentFormat": "String",

+ "format": "String",

+ "identifier": "String",

+ "metadata": [

+ {

+ "@odata.type": "microsoft.graph.security.keyValuePair"

+ }

+ ],

+ "state": "String"

+}

+```

+ Title: "contentLabel resource type"

+description: "Describes the contentLabel object that defines Microsoft Purview Information Protection metadata on an object."

+ms.localizationpriority: medium

+# contentLabel resource type

+Namespace: microsoft.graph.security

+Describes the **contentLabel** object that defines Microsoft Purview Information Protection metadata on an object. The **contentLabel** returned by the [extractContentLabel](../api/security-sensitivitylabel-extractcontentlabel.md) API resolve the **sensitivityLabel** that is currently applied to a file.

+## Properties

+| Property | Type | Description |

+| : | :- | :- |

+| assignmentMethod | String | Describes whether the label was applied by an automated (`standard`) process or a person (`privileged`). |

+| creationDateTime | DateTimeOffset | Timestamp of when the **contentLabel** was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. |

+## Relationships

+| Relationship | Type | Description |

+| : | : | : |

+| sensitivityLabel | [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) | The **sensitivityLabel** referred to by the content metadata. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.contentLabel"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.contentLabel",

+ "assignmentMethod": "String",

+ "creationDateTime": "String (timestamp)"

+}

+```

+ Title: "customAction resource type"

+description: "Represents any custom actions that a label may provide, if configured by the administrator."

+ms.localizationpriority: medium

+# customAction resource type

+Namespace: microsoft.graph.security

+Represents any custom actions that a label may provide, if configured by the administrator. Custom actions might be defined as part of an [sensitivityLabel](security-sensitivitylabel.md) via the Microsoft 365 Security and Compliance Center module for PowerShell. The consuming application must understand the actions.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| : | :-- | : |

+| name | String | Name of the custom action. |

+| properties | [keyValuePair](keyvaluepair.md) collection | Properties, in key-value pair format, of the action. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.customAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.customAction",

+ "name": "String",

+ "properties": [

+ {

+ "@odata.type": "microsoft.graph.security.keyValuePair"

+ }

+ ]

+}

+```

+ Title: "downgradeJustification resource type"

+description: "Represents the user input on why downgrade was performed."

+ms.localizationpriority: medium

+# downgradeJustification resource type

+Namespace: microsoft.graph.security

+Represents the user input on why downgrade was performed. The downgrade justification might be required based on the label policy configuration in Office Security and Compliance Center.

+## Properties

+| Property | Type | Description |

+| :- | : | : |

+| isDowngradeJustified | Boolean | Indicates whether the downgrade is or is not justified. |

+| justificationMessage | String | Message that indicates why a downgrade is justified. The message will appear in administrative logs. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.downgradeJustification"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.downgradeJustification",

+ "isDowngradeJustified": "Boolean",

+ "justificationMessage": "String"

+}

+```

+ Title: "informationProtection resource type"

+description: "Exposes methods that you can use to get Microsoft Purview Information Protection labels and label policies."

+ms.localizationpriority: medium

+# informationProtection resource type

+Namespace: microsoft.graph.security

+Exposes methods that you can use to get Microsoft Purview Information Protection labels and label policies.

+## Methods

+| Method | Return type | Description |

+| :-- | :-- | :- |

+| [Get informationProtectionPolicySetting](../api/security-informationprotectionpolicysetting-get.md) | [microsoft.graph.security.informationProtectionPolicySetting](../resources/security-informationprotectionpolicysetting.md) collection | Read the properties and relationships of an [informationProtectionPolicySetting](security-informationprotectionpolicysetting.md) object. |

+| [List sensitivityLabels](../api/security-informationprotection-list-sensitivitylabels.md) | [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) collection | Get a list of [sensitivityLabel](../resources/security-sensitivitylabel.md) objects associated with a user or organization. |

+## Properties

+None.

+## Relationships

+| Relationship | Type | Description |

+| : | : | :-- |

+| labelPolicySettings | [microsoft.graph.security.informationProtectionPolicySetting](../resources/security-informationprotectionpolicysetting.md) | Read the Microsoft Purview Information Protection policy settings for the user or organization. |

+| sensitivityLabels | [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) collection |Read the Microsoft Purview Information Protection labels for the user or organization. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.security.informationProtection",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.informationProtection"

+}

+```

+ Title: "informationProtectionAction resource type"

+description: "Describes the abstract informationProtectionAction entity."

+ms.localizationpriority: medium

+# informationProtectionAction resource type

+Namespace: microsoft.graph.security

+Describes an abstract entity that is returned as the result of any of the information protection evaluation APIs. The object contains one or more of the following actions that instruct the application on how to apply, update, or remove the information protection label.

+* [addContentFooterAction](../resources/security-addcontentfooteraction.md)

+* [addContentHeaderAction](../resources/security-addcontentheaderaction.md)

+* [addWatermarkAction](../resources/security-addwatermarkaction.md)

+* [applyLabelAction](../resources/security-applylabelaction.md)

+* [customAction](../resources/security-customaction.md)

+* [justifyAction](../resources/security-justifyaction.md)

+* [metadataAction](../resources/security-metadataaction.md)

+* [protectAdhocAction](../resources/security-protectadhocaction.md)

+* [protectByTemplateAction](../resources/security-protectbytemplateaction.md)

+* [protectionDoNotForwardAction](../resources/security-protectdonotforwardaction.md)

+* [recommendLabelAction](../resources/security-recommendlabelaction.md)

+* [removeContentFooterAction](../resources/security-removecontentfooteraction.md)

+* [removeContentHeaderAction](../resources/security-removecontentheaderaction.md)

+* [removeProtectionAction](../resources/security-removeprotectionaction.md)

+* [removeWatermarkAction](../resources/security-removewatermarkaction.md)

+## Properties

+None.

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.informationProtectionAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.informationProtectionAction"

+}

+```

+ Title: "informationProtectionPolicySetting resource type"

+description: "Represents the settings for a Microsoft Purview Information Protection label policy."

+ms.localizationpriority: medium

+# informationProtectionPolicySetting resource type

+Namespace: microsoft.graph.security

+Represents the settings for a Microsoft Purview Information Protection label policy

+## Methods

+| Method | Return type | Description |

+| :-- | : | :- |

+| [Get informationProtectionPolicySetting](../api/security-informationprotectionpolicysetting-get.md) | [microsoft.graph.security.informationProtectionPolicySetting](../resources/security-informationprotectionpolicysetting.md) | Read the properties and relationships of an [informationProtectionPolicySetting](../resources/security-informationprotectionpolicysetting.md) object. |

+## Properties

+| Property | Type | Description |

+| :- | : | :- |

+| id | String | Unique identifier for the policy. |

+| isDowngradeJustificationRequired | Boolean | Exposes whether justification input is required on label downgrade. |

+| isMandatory | Boolean | Exposes whether mandatory labeling is enabled. |

+| moreInfoUrl | String | Exposes the more information URL that can be configured by the administrator. |

+## Relationships

+| Relationship | Type | Description |

+| :-- | : | : |

+| defaultLabel | [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) | Represents the default label for an organization. If no label is selected, the default label will be applied. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.security.informationProtectionPolicySetting",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.informationProtectionPolicySetting",

+ "id": "String (identifier)",

+ "isDowngradeJustificationRequired": "Boolean",

+ "isMandatory": "Boolean",

+ "moreInfoUrl": "String"

+}

+```

+ Title: "justifyAction resource type"

+description: "Indicates that a justification is required for the specified operation."

+ms.localizationpriority: medium

+# justifyAction resource type

+Namespace: microsoft.graph.security

+Indicates that a justification is required for the specified operation. The [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md), [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md), or [evaluateRemoval](../api/security-sensitivitylabel-evaluateremoval.md) APIs might return the **justifyAction**. Justification is provided via [labelingOptions](../resources/security-labelingoptions.md). The previous call should be repeated, but with the **downgradeJustification** property of **labelingOptions** set with a justification message, provided via user input or application logic.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+None.

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.justifyAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.justifyAction"

+}

+```

+ Title: "keyValuePair resource type"

+description: "Represents a key-value pair for sensitivity labels in Microsoft Purview Information Protection."

+ms.localizationpriority: medium

+# keyValuePair resource type

+Namespace: microsoft.graph.security

+Represents a key-value pair for sensitivity labels in Microsoft Purview Information Protection.

+## Properties

+| Property | Type | Description |

+| :- | :-- | :-- |

+| name | String | Name for this key-value pair. |

+| value | String | Value for this key-value pair. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.keyValuePair"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.keyValuePair",

+ "name": "String",

+ "value": "String"

+}

+```

+ Title: "labelingOptions resource type"

+description: "Represents the labeling options that can be provided to the evaluation APIs."

+ms.localizationpriority: medium

+# labelingOptions resource type

+Namespace: microsoft.graph.security

+Represents the labeling options that can be provided to the evaluation APIs. **labelingOptions** must be passed in to the [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md) API to specify details about the label that is to be applied.

+## Properties

+| Property | Type | Description |

+| : | :-- | :-- |

+| assignmentMethod | String | Describes whether the label was applied by an automated (`standard`) process or a person (`privileged`). |

+| downgradeJustification | [downgradeJustification](security-downgradejustification.md) | The downgrade justification object that indicates if downgrade was justified and, if so, the reason. |

+| extendedProperties | [keyValuePair](keyvaluepair.md) collection | Extended properties will be parsed and returned in the standard Microsoft Purview Information Protection labeled metadata format as part of the label information. |

+| labelId | GUID | The GUID of the label that should be applied to the information. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.labelingOptions"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.labelingOptions",

+ "assignmentMethod": "String",

+ "downgradeJustification": {

+ "@odata.type": "microsoft.graph.security.downgradeJustification"

+ },

+ "extendedProperties": [

+ {

+ "@odata.type": "microsoft.graph.security.keyValuePair"

+ }

+ ],

+ "labelId": "GUID"

+}

+```

+ Title: "metadataAction resource type"

+description: "Represents the metadata to be written or removed from a file."

+ms.localizationpriority: medium

+# metadataAction resource type

+Namespace: microsoft.graph.security

+Represents the metadata to be written or removed from a file. **metadataAction** might be returned by the [evaluateRemoval](../api/security-sensitivitylabel-evaluateremoval.md), [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md), and [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md) APIs. The action informs the consuming application of the specific key-value pairs that should be added to the file or the specific metadata keys that should be removed from the file. This metadata is what describes the file or information as being *labeled*.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| : | :-- | : |

+| metadataToAdd | [keyValuePair](keyvaluepair.md) collection | A collection of key-value pairs that should be added to the file. |

+| metadataToRemove | String collection | A collection of strings that indicate which keys to remove from the file metadata. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.metadataAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.metadataAction",

+ "metadataToAdd": [

+ {

+ "@odata.type": "microsoft.graph.security.keyValuePair"

+ }

+ ],

+ "metadataToRemove": [

+ "String"

+ ]

+}

+```

+ Title: "protectAdhocAction resource type"

+description: "Informs the application that ad hoc protection should be applied."

+ms.localizationpriority: medium

+# protectAdhocAction resource type

+Namespace: microsoft.graph.security

+Informs the application that ad hoc protection should be applied. The **protectAdhocAction** informs applications that the label should apply ad hoc protection. Ad hoc protection is defined at runtime by the user or application. The consuming application must use the Microsoft Purview Information Protection SDK to locally apply the protection to the file or data.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+None.

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.protectAdhocAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.protectAdhocAction"

+}

+```

+ Title: "protectByEncryptOnlyAction resource type"

+description: "Informs the application that an Azure Information Protection encrypt-only protection should be applied."

+ms.localizationpriority: medium

+# protectByEncryptOnlyAction resource type

+Namespace: microsoft.graph.security

+Informs the application that an Azure Information Protection encrypt-only protection should be applied. **protectByEncryptOnlyAction** might be returned by [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md) or [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md) if the resulting label has been configured to apply protection. The consuming application must use a client library, such as the Microsoft Purview Information Protection SDK, to apply protection via Microsoft Purview Information Protection.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| : | :-- | :- |

+| templateId | String | Returns the encrypt-only GUID. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.protectByEncryptOnlyAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.protectByEncryptOnlyAction",

+ "templateId": "String"

+}

+```

+ Title: "protectByTemplateAction resource type"

+description: "Informs the application that a protection template in Microsoft Purview Information Protection should be applied."

+ms.localizationpriority: medium

+# protectByTemplateAction resource type

+Namespace: microsoft.graph.security

+Informs the application that a protection template in Microsoft Purview Information Protection should be applied. **protectionByTemplateAction** might be returned by [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md) or [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md) if the resulting label has been configured to apply protection. The consuming application must read the **templateId** from the result and then use a client library, such as the Microsoft Purview Information Protection SDK, to apply protection via Azure Information Protection.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| : | :-- | :-- |

+| templateId | String | The unique identifier for a protection template in Microsoft Purview Information Protection to apply to the content. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.protectByTemplateAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.protectByTemplateAction",

+ "templateId": "String"

+}

+```

+ Title: "protectDoNotForwardAction resource type"

+description: "Informs the application to apply Do Not Forward protection."

+ms.localizationpriority: medium

+# protectDoNotForwardAction resource type

+Namespace: microsoft.graph.security

+Informs the application to apply **Do Not Forward** protection. **protectionDoNotForwardAction** might be returned by [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md) or [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md) if the resulting label has been configured to apply [Do Not Forward protection](/azure/information-protection/configure-usage-rights#do-not-forward-option-for-emails). The consuming application must use a client library to apply protection via Azure Information Protection.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+None.

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.protectDoNotForwardAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.protectDoNotForwardAction"

+}

+```

+ Title: "recommendLabelAction resource type"

+description: "Represents a label that should be recommended to the user for application to the file based on discovered sensitive information types."

+ms.localizationpriority: medium

+# recommendLabelAction resource type

+Namespace: microsoft.graph.security

+Represents a label that should be recommended to the user for application to the file based on discovered sensitive information types. The [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md) might return a **recommendLabelAction** if the Microsoft Purview Information Protection labeling policy is set to `recommend` a label rather than `enforce` a label. The user or application might choose to ignore or accept the recommendation.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| :-- | : | :- |

+| actions | [informationProtectionAction](../resources/security-informationprotectionaction.md) collection | Actions to take if the label is accepted by the user. |

+| actionSource | String | Specifies why the label was selected. Possible values are: `manual`, `automatic`, `recommended`, `default`. |

+| responsibleSensitiveTypeIds | GUID collection | The sensitive information type GUIDs that caused the recommendation to be given. |

+## Relationships

+| Relationship | Type | Description |

+| : | : | :-- |

+| sensitivityLabel | [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) | The label that is being recommended. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.recommendLabelAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.recommendLabelAction",

+ "actions": [

+ {

+ "@odata.type": "microsoft.graph.security.addContentFooterAction"

+ }

+ ],

+ "actionSource": "String",

+ "responsibleSensitiveTypeIds": [

+ "GUID"

+ ]

+}

+```

+ Title: "removeContentFooterAction resource type"

+description: "Represents an action that specifies the details on the content footer to be removed from the information, if applicable."

+ms.localizationpriority: medium

+# removeContentFooterAction resource type

+Namespace: microsoft.graph.security

+Represents an action that specifies the details on the content footer to be removed from the information, if applicable. The [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md), [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md), or [evaluateRemoval](../api/security-sensitivitylabel-evaluateremoval.md) APIs might return the **removeContentFooterAction** if the footer is to be removed as a result of updating or removing the label. The action instructs the consuming application to remove the specific UI element that contains the previously-applicable content footer.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| :- | :- | : |

+| uiElementNames | String collection | The name of the UI element of the footer to be removed. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.removeContentFooterAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.removeContentFooterAction",

+ "uiElementNames": [

+ "String"

+ ]

+}

+```

+ Title: "removeContentHeaderAction resource type"

+description: "Represents an action that specifies the details on the content header to be removed from the information, if applicable."

+ms.localizationpriority: medium

+# removeContentHeaderAction resource type

+Namespace: microsoft.graph.security

+Represents an action that specifies the details on the content header to be removed from the information, if applicable. The [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md), [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md), or [evaluateRemoval](../api/security-sensitivitylabel-evaluateremoval.md) APIs might return the **removeContentHeaderAction** if the header is to be removed as a result of updating or removing the label. The action instructs the consuming application to remove the specific UI element that contains the previously-applicable content header.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| :- | :- | : |

+| uiElementNames | String collection | The name of the UI element of the header to be removed. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.removeContentHeaderAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.removeContentHeaderAction",

+ "uiElementNames": [

+ "String"

+ ]

+}

+```

+ Title: "removeProtectionAction resource type"

+description: "Represents an action to remove protection from the file or information."

+ms.localizationpriority: medium

+# removeProtectionAction resource type

+Namespace: microsoft.graph.security

+Represents an action to remove protection from the file or information. The [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md), [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md), or [evaluateRemoval](../api/security-sensitivitylabel-evaluateremoval.md) APIs might return the **removeProtectionAction** if protection is to be removed as a result of updating or removing the label. Protection should be removed via a client library, such as the Microsoft Purview Information Protection SDK, only if the calling user has sufficient rights to remove protection.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+None.

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.removeProtectionAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.removeProtectionAction"

+}

+```

+ Title: "removeWatermarkAction resource type"

+description: "Represents an action that specifies the details on the content watermark to be removed from the information, if applicable."

+ms.localizationpriority: medium

+# removeWatermarkAction resource type

+Namespace: microsoft.graph.security

+Represents an action that specifies the details on the content watermark to be removed from the information, if applicable. The [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md), [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md), or [evaluateRemoval](../api/security-sensitivitylabel-evaluateremoval.md) APIs might return the **removeWatermarkAction** if the watermark is to be removed as a result of updating or removing the label. The action instructs the consuming application to remove the specific UI element that contains the previously-applicable content watermark.

+Inherits from [informationProtectionAction](../resources/security-informationprotectionaction.md).

+## Properties

+| Property | Type | Description |

+| :- | :- | :-- |

+| uiElementNames | String collection | The name of the UI element of watermark to be removed. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.removeWatermarkAction"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.removeWatermarkAction",

+ "uiElementNames": [

+ "String"

+ ]

+}

+```

+ Title: "sensitivityLabel resource type"

+description: "Describes the sensitivity protection label that details how to properly apply a sensitivity label to information."

+ms.localizationpriority: medium

+# sensitivityLabel resource type

+Namespace: microsoft.graph.security

+Describes the information protection label that details how to properly apply a sensitivity label to information. The **informationProtectionLabel** resource describes the configuration of sensitivity labels that apply to a user or tenant.

+

+## Methods

+| Method | Return type | Description |

+| :- | : | : |

+| [List sensitivityLabels](../api/security-informationprotection-list-sensitivitylabels.md) | [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) collection | Get a list of the [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) objects and their properties. |

+| [Get sensitivityLabel](../api/security-sensitivitylabel-get.md) | [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) | Read the properties and relationships of a [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) object. |

+| [evaluateApplication](../api/security-sensitivitylabel-evaluateapplication.md) | [microsoft.graph.security.informationProtectionAction](../resources/security-informationprotectionaction.md) collection | Given an input of [contentInfo](contentinfo.md) and [labelingOptions](labelingoptions.md), compute the set of actions required to apply the label. |

+| [evaluateClassificationResults](../api/security-sensitivitylabel-evaluateclassificationresults.md) | [microsoft.graph.security.informationProtectionAction](../resources/security-informationprotectionaction.md) collection | Given an input of [contentInfo](contentinfo.md) and classification results, compute the set of actions required to apply the label. |

+| [evaluateRemoval](../api/security-sensitivitylabel-evaluateremoval.md) | [microsoft.graph.security.informationProtectionAction](../resources/security-informationprotectionaction.md) collection | Given an input of [contentInfo](contentinfo.md) and [downgradeJustification](downgradejustification.md), compute the actions that should be taken to remove the label. |

+| [extractContentLabel](../api/security-sensitivitylabel-extractcontentlabel.md) | [microsoft.graph.security.contentLabel](../resources/security-contentlabel.md) | Given an input of [contentInfo](contentinfo.md), return details on the [informationProtectionLabel](informationprotectionlabel.md) that the metadata represents. |

+## Properties

+| Property | Type | Description |

+| :- | :- | : |

+| color | String | The color that the UI should display for the label, if configured. |

+| contentFormats | String collection | Returns the supported content formats for the label. |

+| description | String | The admin-defined description for the label. |

+| hasProtection | Boolean | Indicates whether the label has protection actions configured. |

+| id | String | The label ID is a globally unique identifier (GUID). |

+| isActive | Boolean | Indicates whether the label is active or not. Active labels should be hidden or disabled in the UI. |

+| isAppliable | Boolean | Indicates whether the label can be applied to content. `False` if the label is a parent with child labels. |

+| name | String | The plaintext name of the label. |

+| sensitivity | Int32 | The sensitivity value of the label, where lower is less sensitive. |

+| tooltip | String | The tooltip that should be displayed for the label in a UI. |

+## Relationships

+| Relationship | Type | Description |

+| :-- | : | : |

+| parent | [microsoft.graph.security.sensitivityLabel](../resources/security-sensitivitylabel.md) | The parent label associated with a child label. `Null` if the label has no parent. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.security.sensitivityLabel",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.sensitivityLabel",

+ "color": "String",

+ "contentFormats": [

+ "String"

+ ],

+ "description": "String",

+ "hasProtection": "Boolean",

+ "id": "String (identifier)",

+ "isActive": "Boolean",

+ "isAppliable": "Boolean",

+ "name": "String",

+ "sensitivity": "Integer",

+ "tooltip": "String"

+}

+```

+ Title: "List federatedIdentityCredentials"

+description: "Get a list of the federatedIdentityCredential objects and their properties."

+ms.localizationpriority: medium

+# List federatedIdentityCredentials

+Namespace: microsoft.graph

+Get a list of the [federatedIdentityCredential](../resources/federatedidentitycredential.md) objects and their properties.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | Application.Read.All, Application.ReadWrite.All |

+|Delegated (personal Microsoft account) | Application.ReadWrite.All |

+|Application | Application.Read.All, Application.ReadWrite.OwnedBy, Application.ReadWrite.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /applications/{id}/federatedIdentityCredentials

+```

+## Optional query parameters

+This method supports the `$filter` (`eq`) and `$select` [OData query parameters](/graph/query-parameters) to help customize the response. For example, `/applications/{id}/federatedIdentityCredentials?$filter=subject eq 'value'`.

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [federatedIdentityCredential](../resources/federatedidentitycredential.md) objects in the response body.

+## Examples

+### Request

+<!-- {

+ "blockType": "request",

+ "name": "list_federatedidentitycredential"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/

+```

+### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "Collection(microsoft.graph.federatedIdentityCredential)"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": [

+ {

+ "@odata.id": "https://graph.microsoft.com/v2/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/directoryObjects/$/Microsoft.DirectoryServices.Application('bcd7c908-1c4d-4d48-93ee-ff38349a75c8')/federatedIdentityCredentials/bdad0963-4a7a-43ae-b569-e67e1da3f2c0",

+ "id": "bdad0963-4a7a-43ae-b569-e67e1da3f2c0",

+ "name": "testing",

+ "issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",

+ "subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",

+ "description": "This is my test federated identity credential 03",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+ }

+ ]

+}

+```

+ Title: "Create federatedIdentityCredential"

+description: "Create a new federatedIdentityCredential object for an application."

+ms.localizationpriority: medium

+# Create federatedIdentityCredential

+Namespace: microsoft.graph

+Create a new [federatedIdentityCredential](../resources/federatedidentitycredential.md) object for an application. By [configuring a trust relationship](/azure/active-directory/develop/workload-identity-federation-create-trust) between your Azure AD application registration and the identity provider for your compute platform, you can use tokens issued by that platform to authenticate with Microsoft identity platform and call APIs in the Microsoft ecosystem. Maximum of 20 objects can be added to an application.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | Application.ReadWrite.All |

+|Delegated (personal Microsoft account) | Application.ReadWrite.All |

+|Application | Application.ReadWrite.OwnedBy, Application.ReadWrite.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /applications/{id}/federatedIdentityCredentials

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [federatedIdentityCredential](../resources/federatedidentitycredential.md) object.

+The following table shows the properties that are required when you create the [federatedIdentityCredential](../resources/federatedidentitycredential.md).

+|Property|Type|Description|

+|:|:|:|

+|audiences|String collection|The audience that can appear in the external token. This field is mandatory and should be set to `api://AzureADTokenExchange` for Azure AD. It says what Microsoft identity platform should accept in the `aud` claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you may need to create a new application registration in your identity provider to serve as the audience of this token. This field can only accept a single value and has a limit of 600 characters. Required.|

+|issuer|String|TThe URL of the external identity provider and must match the issuer claim of the external token being exchanged. The combination of the values of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters. Required.|

+|name|String|The unique identifier for the federated identity credential, which has a limit of 120 characters and must be URL friendly. It is immutable once created|

+|subject|String|Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. It has a limit of 600 characters. The combination of **issuer** and **subject** must be unique on the app.|

+## Response

+If successful, this method returns a `201 Created` response code and a [federatedIdentityCredential](../resources/federatedidentitycredential.md) object in the response body.

+## Examples

+### Request

+<!-- {

+ "blockType": "request",

+ "name": "create_federatedidentitycredential_from_"

+}

+-->

+``` http

+POST https://graph.microsoft.com/v1.0/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/

+Content-Type: application/json

+{

+ "name": "testing02",

+ "issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",

+ "subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+}

+```

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.federatedIdentityCredential"

+}

+-->

+``` http

+HTTP/1.1 201 Created

+Content-Type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications('bcd7c908-1c4d-4d48-93ee-ff38349a75c8')/federatedIdentityCredentials/$entity",

+ "@odata.id": "https://graph.microsoft.com/v2/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/directoryObjects/$/Microsoft.DirectoryServices.Application('bcd7c908-1c4d-4d48-93ee-ff38349a75c8')/federatedIdentityCredentials/d9b7bf1e-429e-4678-8132-9b00c9846cc4",

+ "id": "d9b7bf1e-429e-4678-8132-9b00c9846cc4",

+ "name": "testing02",

+ "issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",

+ "subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",

+ "description": null,

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+}

+```

+|topic|String|The title of the chat. This can only be set for a chat with a **chatType** value of `group`. Maximum length is **255** characters. Use of **':'** is not allowed.|

+|definition|String collection| A string collection containing a JSON string that defines the rules and settings for this policy. Required.|

+ Title: "educationSubmission: setUpResourcesFolder"

+description: "Trigger the creation of the SharePoint resource folder where all file-based resources (Word, Excel, and so on) should be uploaded for a given submission."

+ms.localizationpriority: medium

+# educationSubmission: setUpResourcesFolder

+Namespace: microsoft.graph

+Trigger the creation of the SharePoint resource folder where all file-based resources (Word, Excel, and so on) should be uploaded for a given submission.

+Note that files must be located in this folder in order to be added as resources. Only a student in the class can determine what files to upload in a given submission-level resource folder.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | EduAssignments.ReadBasic, EduAssignments.Read |

+|Delegated (personal Microsoft account) | Not supported. |

+|Application | Not supported. |

+## HTTP request

+<!-- { "blockType": "ignored" } -->

+```http

+POST /education/classes/{id}/assignments/{id}/submissions/{id}/setUpResourcesFolder

+```

+## Request headers

+| Header | Value |

+|:|:--|

+| Authorization | Bearer `{token}`. Required. |

+## Request body

+Provide an empty json `{}` as request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code. The body will contain the submission model.

+If the assignment is already in submitted state or if the assignment is no longer open for submission, this method returns a `400 Bad Request` response code.

+## Examples

+### Example 1: Set up a resource folder for a submission

+#### Request

+The following is an example of a request that triggers the creation of a SharePoint resource folder for a submission.

+### Example 1: Set up a resource folder for a submission

+#### Request

+The following is an example of a request that triggers the creation of a SharePoint resource folder for a submission.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "educationsubmission_setupresourcesfolder"

+}-->

+```msgraph-interactive

+POST https://graph.microsoft.com/v1.0/education/classes/b07edbef-7420-4b3d-8f7c-d599cf21e069/assignments/222bd-b7d2-4d64-8a22-74b722ce2fc6/submissions/803fb5dd-3553-455f-3d94-f79fb54a1003/setUpResourcesFolder

+Content-type: application/json

+{

+}

+```

+# [C#](#tab/csharp)

+# [JavaScript](#tab/javascript)

+# [Java](#tab/java)

+#### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.educationSubmission"

+} -->

+```http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#education/classes('b07edbef-7420-4b3d-8f7c-d599cf21e069')/assignments('1e5222bd-b7d2-4d64-8a22-74b722ce2fc6')/submissions/$entity",

+ "status": "working",

+ "submittedDateTime": null,

+ "unsubmittedDateTime": null,

+ "returnedDateTime": null,

+ "resourcesFolderUrl": "https://graph.microsoft.com/v1.0/drives/b!6SQl0y4WHkS2P5MeIsSGpKwfynEIaD1OvPVeH4wbOp_1uyhNwJMSSpseJneB7Z4F/items/01YT2AIJRQLVYT24IWWFAJHMRRNYCB3GE2",

+ "id": "803fb5dd-3553-455f-3d94-f79fb54a1003",

+ "recipient": {

+ "@odata.type": "#microsoft.graph.educationSubmissionIndividualRecipient",

+ "userId": "f8bbb2a4-2cdd-4d49-ac81-d4113fc72dc1"

+ },

+ "submittedBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": "f8bbb2a4-2cdd-4d49-ac81-d4113fc72dc1",

+ "displayName": null

+ }

+ },

+ "unsubmittedBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ },

+ "returnedBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": null,

+ "displayName": null

+ }

+ },

+ "resources": [],

+ "submittedResources": []

+}

+```

+### Example 2: Set up a resource folder when the assignment is no longer open for submission

+#### Request

+The following is an example of a request that tries to set up a resource folder but fails with a `400 Bad Request` response code because the assignment is no longer open for submission.

+<!-- {

+ "blockType": "request",

+ "name": "educationsubmission_setupresourcesfolder"

+}-->

+```msgraph-interactive

+POST https://graph.microsoft.com/v1.0/education/classes/b07edbef-7420-4b3d-8f7c-d599cf21e069/assignments/1e5222bd-b7d2-4d64-8a22-74b722ce2fc6/submissions/803fb5dd-3553-455f-3d94-f79fb54a1003/setUpResourcesFolder

+Content-type: application/json

+{

+}

+```

+#### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.educationSubmission"

+} -->

+```http

+HTTP/1.1 400 Bad Request

+Content-type: application/json

+{

+ "error": {

+ "code": "badRequest",

+ "message": "Bad request.",

+ "innerError": {

+ "code": "assignmentHasBeenSubmitted",

+ "message": "Resource folder cannot be set up for assignments that are no longer open for submissions."

+ }

+ }

+}

+```

+### Example 3: Set up a resource folder when the assignment is already in submitted state

+#### Request

+The following is an example of a request that tries to set up a resource folder but fails with a `400 Bad Request` response code because the assignment has already been submitted.

+<!-- {

+ "blockType": "request",

+ "name": "educationsubmission_setupresourcesfolder"

+}-->

+```msgraph-interactive

+POST https://graph.microsoft.com/v1.0/education/classes/b07edbef-7420-4b3d-8f7c-d599cf21e069/assignments/1e5222bd-b7d2-4d64-8a22-74b722ce2fc6/submissions/803fb5dd-3553-455f-3d94-f79fb54a1003/setUpResourcesFolder

+Content-type: application/json

+{

+}

+```

+#### Response

+The following is an example of the response.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.educationSubmission"

+} -->

+```http

+HTTP/1.1 400 Bad Request

+Content-type: application/json

+{

+ "error": {

+ "code": "badRequest",

+ "message": "Bad request.",

+ "innerError": {

+ "code": "assignmentHasBeenSubmitted",

+ "message": "Resource folder cannot be set up while the submission is in the submitted state."

+ }

+ }

+}

+```

+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-d4113fc72dc1

+2021-05-12 12:00:00 UTC -->

+<!--

+{

+ "type": "#page.annotation",

+ "description": "educationSubmission: setUpResourcesFolder",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": "",

+ "suppressions": [

+ ]

+}

+-->

+ Title: "Delete federatedIdentityCredential"

+description: "Delete a federatedIdentityCredential object."

+ms.localizationpriority: medium

+# Delete federatedIdentityCredential

+Namespace: microsoft.graph

+Delete a [federatedIdentityCredential](../resources/federatedidentitycredential.md) object from an application.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | Application.ReadWrite.All |

+|Delegated (personal Microsoft account) | Application.ReadWrite.All |

+|Application | Application.ReadWrite.OwnedBy, Application.ReadWrite.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}

+DELETE /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+<!-- {

+ "blockType": "request",

+ "name": "delete_federatedidentitycredential"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/v1.0/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/d9b7bf1e-429e-4678-8132-9b00c9846cc4

+```

+### Response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Get federatedIdentityCredential"

+description: "Read the properties and relationships of a federatedIdentityCredential object."

+ms.localizationpriority: medium

+# Get federatedIdentityCredential

+Namespace: microsoft.graph

+Read the properties and relationships of a [federatedIdentityCredential](../resources/federatedidentitycredential.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | Application.ReadWrite.All |

+|Delegated (personal Microsoft account) | Application.ReadWrite.All |

+|Application | Application.ReadWrite.OwnedBy, Application.ReadWrite.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}

+GET /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}

+```

+## Optional query parameters

+This method supports the `$select` [OData query parameter](/graph/query-parameters) to help customize the response.

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [federatedIdentityCredential](../resources/federatedidentitycredential.md) object in the response body.

+## Examples

+### Request

+<!-- {

+ "blockType": "request",

+ "name": "get_federatedidentitycredential"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/applications/acd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/bdad0963-4a7a-43ae-b569-e67e1da3f2c0

+```

+### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.federatedIdentityCredential"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": {

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications('cd7c908-1c4d-4d48-93ee-ff38349a75c8')/federatedIdentityCredentials/$entity",

+ "@odata.id": "https://graph.microsoft.com/v2/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/directoryObjects/$/Microsoft.DirectoryServices.Application('bcd7c908-1c4d-4d48-93ee-ff38349a75c8')/federatedIdentityCredentials('bdad0963-4a7a-43ae-b569-e67e1da3f2c0')/bdad0963-4a7a-43ae-b569-e67e1da3f2c0",

+ "id": "bdad0963-4a7a-43ae-b569-e67e1da3f2c0",

+ "name": "testing",

+ "issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",

+ "subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",

+ "description": "This is my test federated identity credential",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+ }

+}

+```

+ Title: "Update federatedIdentityCredential"

+description: "Update the properties of a federatedIdentityCredential object."

+ms.localizationpriority: medium

+# Update federatedIdentityCredential

+Namespace: microsoft.graph

+Update the properties of a [federatedIdentityCredential](../resources/federatedidentitycredential.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type | Permissions (from least to most privileged) |

+|:--|:|

+|Delegated (work or school account) | Application.ReadWrite.All |

+|Delegated (personal Microsoft account) | Application.ReadWrite.All |

+|Application | Application.ReadWrite.OwnedBy, Application.ReadWrite.All |

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}

+PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|audiences|String collection|The audience that can appear in the issued token. For Azure AD, set its value to `api://AzureADTokenExchange`. This field can only accept a single value and has a limit of 600 characters.|

+|description|String|A user-provided description of what the federatedIdentityCredential is used for. It has a limit of 600 characters. |

+|issuer|String|The URL of the incoming trusted issuer (Secure Token Service). Matches the issuer claim of an access token. For example, with the Customer Managed Keys scenario, Azure AD is the issuer and a valid value would be `https://login.microsoftonline.com/{tenantid}/v2.0`. The combination of the values of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters. |

+|subject|String|<li>For Azure AD issuer, the `objectId` of the servicePrincipal (can represent a managed identity) that can impersonate the app. The object associated with this GUID needs to exist in the tenant.</li><li>For all other issuers, a string with no additional validation</ul><br><br>The combination of the values of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters.|

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+<!-- {

+ "blockType": "request",

+ "name": "update_federatedidentitycredential"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/v1.0/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/15be77d1-1940-43fe-8aae-94a78e078da0

+Content-Type: application/json

+{

+ "name": "testing02",

+ "issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",

+ "subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",

+ "description": "Updated description",

+ "audiences": [

+ "api://AzureADTokenExchange"

+ ]

+}

+```

+### Response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+|**Federated identity credentials**| | |

+| [List federatedIdentityCredential](../api/application-list-federatedidentitycredentials.md) | [federatedIdentityCredential](../resources/federatedidentitycredential.md) collection | List federated identity credentials on an application object. |

+| [Create federatedIdentityCredential](../api/application-post-federatedidentitycredentials.md) | [federatedIdentityCredential](../resources/federatedidentitycredential.md) | Create a federated identity credential on an application object. |

+| [Get federatedIdentityCredential](../api/federatedidentitycredential-get.md) | [federatedIdentityCredential](../resources/federatedidentitycredential.md) | Retrieve the properties of a federated identity credential. |

+| [Update federatedIdentityCredential](../api/federatedidentitycredential-update.md) | None | Update a federated identity credential of an application object. |

+| [Delete federatedIdentityCredential](../api/federatedidentitycredential-delete.md) | None | Delete a federated identity credential from an application object. |

+|federatedIdentityCredentials|[federatedIdentityCredential](federatedidentitycredential.md) collection |Federated identities for applications. Supports `$expand` and `$filter` (`eq` when counting empty collections).|

+ Title: "federatedIdentityCredential resource type"

+description: "References an application's federated identity credentials. These federated identity credentials are used in workload identity federation when exchanging a token from a trusted issuer for an access token linked to an application registered on Azure AD."

+ms.localizationpriority: medium

+# federatedIdentityCredential resource type

+Namespace: microsoft.graph

+References an application's federated identity credentials. These federated identity credentials are used in [workload identity federation](/azure/active-directory/develop/workload-identity-federation) when exchanging a token from a trusted issuer for an access token linked to an application registered on Azure AD.

+Inherits from [entity](../resources/entity.md).

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[List federatedIdentityCredentials](../api/application-list-federatedidentitycredentials.md)|[federatedIdentityCredential](../resources/federatedidentitycredential.md) collection|Get a list of the [federatedIdentityCredential](../resources/federatedidentitycredential.md) objects and their properties.|

+|[Create federatedIdentityCredential](../api/application-post-federatedidentitycredentials.md)|[federatedIdentityCredential](../resources/federatedidentitycredential.md)|Create a new [federatedIdentityCredential](../resources/federatedidentitycredential.md) object.|

+|[Get federatedIdentityCredential](../api/federatedidentitycredential-get.md)|[federatedIdentityCredential](../resources/federatedidentitycredential.md)|Read the properties and relationships of a [federatedIdentityCredential](../resources/federatedidentitycredential.md) object.|

+|[Update federatedIdentityCredential](../api/federatedidentitycredential-update.md)|None|Update the properties of a [federatedIdentityCredential](../resources/federatedidentitycredential.md) object.|

+|[Delete federatedIdentityCredential](../api/federatedidentitycredential-delete.md)|None|Deletes a [federatedIdentityCredential](../resources/federatedidentitycredential.md) object.|

+## Properties

+|Property|Type|Description|

+|:|:|:|

+| audiences | String collection | The audience that can appear in the external token. This field is mandatory and should be set to `api://AzureADTokenExchange` for Azure AD. It says what Microsoft identity platform should accept in the `aud` claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you may need to create a new application registration in your identity provider to serve as the audience of this token. This field can only accept a single value and has a limit of 600 characters. Required. |

+| description | String | The un-validated, user-provided description of the federated identity credential. It has a limit of 600 characters. Optional. |

+| id| String | The unique identifier for the federated identity. Required. Read-only. |

+| issuer | String | The URL of the external identity provider and must match the `issuer` claim of the external token being exchanged. The combination of the values of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters. Required. |

+| name | String | is the unique identifier for the federated identity credential, which has a limit of 120 characters and must be URL friendly. It is immutable once created. Required. Not nullable. Supports `$filter` (`eq`). |

+| subject | String | Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the `sub` claim within the token presented to Azure AD. The combination of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters. Supports `$filter` (`eq`). |

+## Relationships

+None

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.federatedIdentityCredential",

+ "baseType": "microsoft.graph.entity",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.federatedIdentityCredential",

+ "name": "String",

+ "issuer": "String",

+ "subject": "String",

+ "description": "String",

+ "audiences": [

+ "String"

+ ]

+}

+```

+ Title: "Overview of federated identity credentials in Azure Active Directory"

+description: "Federated identity credentials allow you to access Azure and Microsoft Graph resources without having to manage secrets. This is part of workload identity federation in Azure AD."

+ms.localizationpriority: medium

+# Overview of federated identity credentials in Azure Active Directory

+Namespace: microsoft.graph

+Traditionally, developers use certificates or client secrets for their application's credentials to authenticate with and access services in Azure AD. To access the services in their Azure AD tenant, developers have had to store and manage application credentials outside Azure, introducing the following bottlenecks:

+**Federated identity credentials** are a new type of credential that enables workload identity federation for software workloads. Workload identity federation allows you to access Azure Active Directory (Azure AD) protected resources without needing to manage secrets (for supported scenarios).

+## How do federated identity credentials work?

+You create a trust relationship between an external identity provider (IdP) and an app in Azure AD by configuring a federated identity credential. The federated identity credential is used to indicate which token from the external IdP should be trusted by your application. After that trust relationship is created, your software workload can exchange trusted tokens from the external identity provider for access tokens from the Microsoft identity platform. Your software workload then uses that access token to access the Azure AD protected resources to which the workload has been granted access. This eliminates the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire. For more information and supported scenarios, see [workload identity federation](/azure/active-directory/develop/workload-identity-federation).

+## Set up federated identity credentials through Microsoft Graph

+The [federatedIdentityCredential](federatedidentitycredential.md) resource represents the configuration of a federated identity credential via Microsoft Graph. The following properties are the building blocks of federated identity credentials:

+The combination of **issuer** and **subject** must be unique on the app. When the external software workload requests Microsoft identity platform to exchange the external token for an access token, the **issuer** and **subject** values of the federated identity credential are checked against the `issuer` and `subject` claims provided in the external token. If that validation check passes, Microsoft identity platform issues an access token to the external software workload.

+## Design considerations

+Federated identity credentials are supported on applications only. A maximum of 20 federated identity credentials can be added per application object.

+## See also

+<!--

+Future: add links to articles that use federated identity credentials to access Azure AD resources.

+>

+|federatedIdentityCredentials|[federatedIdentityCredential](federatedidentitycredential.md) collection |Federated identities for a specific type of service principal - managed identity. Supports `$expand` and `$filter` (`eq` when counting empty collections).|

+-->

+ - name: Extensions

+ items:

+ - name: Extension property

+ href: resources/extensionproperty.md

+ items:

+ - name: List

+ href: api/application-list-extensionproperty.md

+ - name: Create

+ href: api/application-post-extensionproperty.md

+ - name: Get

+ href: api/extensionproperty-get.md

+ - name: Delete

+ href: api/extensionproperty-delete.md

+ - name: Get available extension properties

+ href: api/directoryobject-getavailableextensionproperties.md

+ - name: Federated identity credentials

+ items:

+ - name: Overview

+ href: resources/federatedidentitycredentials-overview.md

+ - name: Federated identity credentials

+ href: resources/federatedidentitycredential.md

+ items:

+ - name: List

+ href: api/application-list-federatedidentitycredentials.md

+ - name: Create

+ href: api/application-post-federatedidentitycredentials.md

+ - name: Get

+ href: api/federatedidentitycredential-get.md

+ - name: Update

+ href: api/federatedidentitycredential-update.md

+ - name: Delete

+ href: api/federatedidentitycredential-delete.md