Microsoft Entra
Microsoft Entra (formerly Azure Active Directory) provides identity and access management services including authentication, authorization, and directory services.
14 APIs
8 Features
Access ManagementAuthenticationAzure ADEntraIdentityIdentity GovernanceMicrosoftNetwork SecuritySecurityZero Trust
Core identity and access management API for user authentication, authorization, and directory management.
API for identity risk detection, investigation, and remediation.
API for managing conditional access policies and controls.
API for managing privileged access and just-in-time administration.
API for issuing and verifying decentralized identity credentials.
API for managing customer and partner identity and access management.
API for managing identity governance including access reviews, entitlement management, and lifecycle workflows to ensure the right people have the right access at the right time.
API for registering, configuring, and managing applications and service principals in Microsoft Entra ID.
API for managing user authentication methods including FIDO2 security keys, passwordless phone sign-in, Microsoft Authenticator, and MFA registration.
API for managing and securing identities for software workloads such as applications, services, scripts, and containers.
API for automating user provisioning and deprovisioning using SCIM protocol, including API-driven inbound provisioning from any system of record.
API for managing Microsoft Entra Internet Access and Microsoft Entra Private Access, providing identity-centric secure web gateway and zero-trust network access.
API endpoints for OAuth 2.0, OpenID Connect, and SAML authentication protocols enabling application integration with Microsoft Entra ID.
API for creating, securing, and monitoring AI agent identities, providing authentication, authorization, and lifecycle management for AI agents.
Find a user by UPN, read its profile, and list its group memberships.
ARAZZO
Create a security group, add a member, and list its members.
ARAZZO
Create a Unified M365 group, add a member, and read the group back.
ARAZZO
Find a service principal by appId, delete it, then delete the app.
ARAZZO
Disable a user account, then delete the user from the directory.
ARAZZO
Find an app by appId, update its display name, and read it back.
ARAZZO
Find a group by display name, update it, and read it back.
ARAZZO
Find a user by UPN, update its profile, and read the result.
ARAZZO
Grant an app role to a service principal then list its assignments.
ARAZZO
Find a user by UPN, remove it from a group, and verify removal.
ARAZZO
Create a user, add it to an existing group, and confirm membership.
ARAZZO
Create a new Entra ID user and read back the provisioned account.
ARAZZO
Create an app registration then instantiate its service principal.
ARAZZO
Add a fresh client secret to an app, then remove the old one.
ARAZZO
Identity and Access Management
Manage user identities, authentication, and authorization across cloud and hybrid environments with single sign-on.
Conditional Access
Enforce adaptive access policies based on user, device, location, and risk signals for zero trust security.
Identity Governance
Automate access reviews, entitlement management, and lifecycle workflows to ensure proper access controls.
Privileged Identity Management
Manage, control, and monitor privileged access with just-in-time and approval-based activation.
Verified ID
Issue and verify decentralized identity credentials using open standards for portable, self-sovereign identity.
External Identities
Enable secure collaboration with external partners and customers through B2B and B2C identity management.
Global Secure Access
Provide identity-centric secure web gateway and zero-trust network access for internet and private resources.
Workload Identities
Secure and manage identities for applications, services, scripts, and containers running as software workloads.
Zero Trust Implementation
Implement zero trust architecture with identity-based access controls, conditional access policies, and continuous verification.
Hybrid Identity Management
Synchronize and manage identities across on-premises Active Directory and cloud environments.
Application Single Sign-On
Enable SSO for thousands of SaaS and on-premises applications with SAML, OIDC, and password-based authentication.
Automated User Provisioning
Automate user lifecycle management with SCIM-based provisioning and deprovisioning across integrated applications.
AI Agent Identity Management
Create, secure, and monitor identities for AI agents with authentication, authorization, and lifecycle management.
Microsoft 365
Deep integration for identity and access management across all Microsoft 365 applications and services.
Azure Services
Native identity provider for Azure resources including VMs, databases, storage, and managed identities.
Active Directory
Hybrid identity synchronization with on-premises Active Directory using Azure AD Connect.
Salesforce
SAML and SCIM integration for single sign-on and automated user provisioning with Salesforce.
ServiceNow
SSO and automated provisioning integration with ServiceNow ITSM platform.
Workday
Inbound provisioning from Workday HR to automate user lifecycle management.
SAP
SSO and provisioning integration with SAP applications and S/4HANA.
Okta
Cross-platform identity federation and migration support with Okta identity provider.
opencollection: 1.0.0
info:
name: Microsoft Entra Microsoft Graph Identity API
version: v1.0
request:
auth:
type: oauth2
flow: client_credentials
accessTokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
credentials:
clientId: '{{clientId}}'
clientSecret: '{{clientSecret}}'
items:
- info:
name: Users
type: folder
items:
- info:
name: Microsoft Entra List Users
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/users
headers:
- name: ConsistencyLevel
value: ''
params:
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $filter
value: startswith(displayName,'J')
type: query
description: OData filter expression to restrict the returned collection
- name: $orderby
value: displayName asc
type: query
description: Comma-separated list of properties to sort results by
- name: $top
value: ''
type: query
description: Maximum number of items to return in the response
- name: $skip
value: ''
type: query
description: Number of items to skip in the result set
- name: $count
value: ''
type: query
description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
to eventual.
- name: $search
value: '"displayName:John"'
type: query
description: Search string to filter results using tokenized search across displayName and description properties.
Requires ConsistencyLevel header set to eventual.
- name: $expand
value: memberOf
type: query
description: Comma-separated list of relationships to expand and include
docs: Retrieve a list of user objects in the directory. Returns a paged collection of user resources with support for
OData query parameters including $select, $filter, $orderby, $top, $skip, $count, $search, and $expand.
- info:
name: Microsoft Entra Create User
type: http
http:
method: POST
url: https://graph.microsoft.com/v1.0/users
body:
type: json
data: '{}'
docs: Create a new user in the directory. The request body must contain the required properties including displayName,
accountEnabled, mailNickname, userPrincipalName, and passwordProfile.
- info:
name: Microsoft Entra Get User
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/users/:user-id
params:
- name: user-id
value: ''
type: path
description: Unique identifier of the user (object ID) or the userPrincipalName (e.g., user@contoso.com)
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $expand
value: memberOf
type: query
description: Comma-separated list of relationships to expand and include
docs: Retrieve the properties and relationships of a user object. Specify the user by id or userPrincipalName.
- info:
name: Microsoft Entra Update User
type: http
http:
method: PATCH
url: https://graph.microsoft.com/v1.0/users/:user-id
params:
- name: user-id
value: ''
type: path
description: Unique identifier of the user (object ID) or the userPrincipalName (e.g., user@contoso.com)
body:
type: json
data: '{}'
docs: Update the properties of a user object. Not all properties can be updated by member or guest users with their default
permissions without administrator roles.
- info:
name: Microsoft Entra Delete User
type: http
http:
method: DELETE
url: https://graph.microsoft.com/v1.0/users/:user-id
params:
- name: user-id
value: ''
type: path
description: Unique identifier of the user (object ID) or the userPrincipalName (e.g., user@contoso.com)
docs: Delete a user object. The user is moved to the deletedItems container and can be restored within 30 days. After
30 days the user is permanently deleted.
- info:
name: Microsoft Entra List User Group Memberships
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/users/:user-id/memberOf
params:
- name: user-id
value: ''
type: path
description: Unique identifier of the user (object ID) or the userPrincipalName (e.g., user@contoso.com)
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $filter
value: startswith(displayName,'J')
type: query
description: OData filter expression to restrict the returned collection
- name: $top
value: ''
type: query
description: Maximum number of items to return in the response
docs: Get the groups, directory roles, and administrative units that the user is a direct member of.
- info:
name: Groups
type: folder
items:
- info:
name: Microsoft Entra List Groups
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/groups
headers:
- name: ConsistencyLevel
value: ''
params:
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $filter
value: startswith(displayName,'J')
type: query
description: OData filter expression to restrict the returned collection
- name: $orderby
value: displayName asc
type: query
description: Comma-separated list of properties to sort results by
- name: $top
value: ''
type: query
description: Maximum number of items to return in the response
- name: $skip
value: ''
type: query
description: Number of items to skip in the result set
- name: $count
value: ''
type: query
description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
to eventual.
- name: $search
value: '"displayName:John"'
type: query
description: Search string to filter results using tokenized search across displayName and description properties.
Requires ConsistencyLevel header set to eventual.
- name: $expand
value: memberOf
type: query
description: Comma-separated list of relationships to expand and include
docs: List all groups in the directory including Microsoft 365 groups, security groups, mail-enabled security groups,
and distribution groups. Returns a paged collection with OData query support.
- info:
name: Microsoft Entra Create Group
type: http
http:
method: POST
url: https://graph.microsoft.com/v1.0/groups
body:
type: json
data: '{}'
docs: Create a new group in the directory. You can create Microsoft 365 groups, security groups, or mail-enabled security
groups. Specify the groupTypes, mailEnabled, and securityEnabled properties to determine the type of group.
- info:
name: Microsoft Entra Get Group
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/groups/:group-id
params:
- name: group-id
value: ''
type: path
description: Unique identifier of the group (object ID)
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $expand
value: memberOf
type: query
description: Comma-separated list of relationships to expand and include
docs: Get the properties and relationships of a group object. Returns the default set of properties unless $select is
specified.
- info:
name: Microsoft Entra Update Group
type: http
http:
method: PATCH
url: https://graph.microsoft.com/v1.0/groups/:group-id
params:
- name: group-id
value: ''
type: path
description: Unique identifier of the group (object ID)
body:
type: json
data: '{}'
docs: Update the properties of a group object. Not all properties can be updated depending on the group type.
- info:
name: Microsoft Entra Delete Group
type: http
http:
method: DELETE
url: https://graph.microsoft.com/v1.0/groups/:group-id
params:
- name: group-id
value: ''
type: path
description: Unique identifier of the group (object ID)
docs: Delete a group. Deleting a Microsoft 365 group moves it to the deletedItems container where it can be restored within
30 days. Security groups are permanently deleted immediately.
- info:
name: Microsoft Entra List Group Members
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/groups/:group-id/members
headers:
- name: ConsistencyLevel
value: ''
params:
- name: group-id
value: ''
type: path
description: Unique identifier of the group (object ID)
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $filter
value: startswith(displayName,'J')
type: query
description: OData filter expression to restrict the returned collection
- name: $top
value: ''
type: query
description: Maximum number of items to return in the response
- name: $count
value: ''
type: query
description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
to eventual.
docs: Get the direct members of a group. A group can have users, devices, other groups, organizational contacts, and service
principals as members.
- info:
name: Microsoft Entra Add Group Member
type: http
http:
method: POST
url: https://graph.microsoft.com/v1.0/groups/:group-id/members/$ref
params:
- name: group-id
value: ''
type: path
description: Unique identifier of the group (object ID)
body:
type: json
data: '{}'
docs: Add a member to a Microsoft 365 group or a security group by posting a reference to the directory object to add.
- info:
name: Microsoft Entra Remove Group Member
type: http
http:
method: DELETE
url: https://graph.microsoft.com/v1.0/groups/:group-id/members/:directoryObject-id/$ref
params:
- name: group-id
value: ''
type: path
description: Unique identifier of the group (object ID)
- name: directoryObject-id
value: ''
type: path
description: Unique identifier of the directory object to remove
docs: Remove a member from a group via the members navigation property. Specify the member to remove by its directory
object id.
- info:
name: Applications
type: folder
items:
- info:
name: Microsoft Entra List Applications
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/applications
headers:
- name: ConsistencyLevel
value: ''
params:
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $filter
value: startswith(displayName,'J')
type: query
description: OData filter expression to restrict the returned collection
- name: $orderby
value: displayName asc
type: query
description: Comma-separated list of properties to sort results by
- name: $top
value: ''
type: query
description: Maximum number of items to return in the response
- name: $skip
value: ''
type: query
description: Number of items to skip in the result set
- name: $count
value: ''
type: query
description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
to eventual.
- name: $search
value: '"displayName:John"'
type: query
description: Search string to filter results using tokenized search across displayName and description properties.
Requires ConsistencyLevel header set to eventual.
docs: Get the list of application registrations in the directory. Returns the application objects with their configuration
properties including credentials, permissions, and sign-in settings.
- info:
name: Microsoft Entra Create Application
type: http
http:
method: POST
url: https://graph.microsoft.com/v1.0/applications
body:
type: json
data: '{}'
docs: Create a new application registration in the directory. The application object represents the global definition
of the app including its identity, access configuration, and settings.
- info:
name: Microsoft Entra Get Application
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/applications/:application-id
params:
- name: application-id
value: ''
type: path
description: Unique identifier of the application (object ID, not appId)
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $expand
value: memberOf
type: query
description: Comma-separated list of relationships to expand and include
docs: Get the properties and relationships of an application object by its id (object id, not appId).
- info:
name: Microsoft Entra Update Application
type: http
http:
method: PATCH
url: https://graph.microsoft.com/v1.0/applications/:application-id
params:
- name: application-id
value: ''
type: path
description: Unique identifier of the application (object ID, not appId)
body:
type: json
data: '{}'
docs: Update the properties of an application object.
- info:
name: Microsoft Entra Delete Application
type: http
http:
method: DELETE
url: https://graph.microsoft.com/v1.0/applications/:application-id
params:
- name: application-id
value: ''
type: path
description: Unique identifier of the application (object ID, not appId)
docs: Delete an application object. The application is moved to the deletedItems container and can be restored within
30 days.
- info:
name: Microsoft Entra Add Password Credential
type: http
http:
method: POST
url: https://graph.microsoft.com/v1.0/applications/:application-id/addPassword
params:
- name: application-id
value: ''
type: path
description: Unique identifier of the application (object ID, not appId)
body:
type: json
data: '{}'
docs: Add a strong password or secret to an application. The response includes the generated secretText which is only
returned at creation time and cannot be retrieved later.
- info:
name: Microsoft Entra Remove Password Credential
type: http
http:
method: POST
url: https://graph.microsoft.com/v1.0/applications/:application-id/removePassword
params:
- name: application-id
value: ''
type: path
description: Unique identifier of the application (object ID, not appId)
body:
type: json
data: '{}'
docs: Remove a password credential from an application by specifying the keyId of the password to remove.
- info:
name: ServicePrincipals
type: folder
items:
- info:
name: Microsoft Entra List Service Principals
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/servicePrincipals
headers:
- name: ConsistencyLevel
value: ''
params:
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $filter
value: startswith(displayName,'J')
type: query
description: OData filter expression to restrict the returned collection
- name: $orderby
value: displayName asc
type: query
description: Comma-separated list of properties to sort results by
- name: $top
value: ''
type: query
description: Maximum number of items to return in the response
- name: $skip
value: ''
type: query
description: Number of items to skip in the result set
- name: $count
value: ''
type: query
description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
to eventual.
- name: $search
value: '"displayName:John"'
type: query
description: Search string to filter results using tokenized search across displayName and description properties.
Requires ConsistencyLevel header set to eventual.
docs: Retrieve a list of service principal objects in the directory. A service principal represents an instance of an
application in a tenant and is the identity used for authentication and authorization.
- info:
name: Microsoft Entra Create Service Principal
type: http
http:
method: POST
url: https://graph.microsoft.com/v1.0/servicePrincipals
body:
type: json
data: '{}'
docs: Create a new service principal in the directory. The appId property in the request body is required and must reference
an existing application registration.
- info:
name: Microsoft Entra Get Service Principal
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id
params:
- name: servicePrincipal-id
value: ''
type: path
description: Unique identifier of the service principal (object ID)
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $expand
value: memberOf
type: query
description: Comma-separated list of relationships to expand and include
docs: Retrieve the properties and relationships of a service principal object.
- info:
name: Microsoft Entra Update Service Principal
type: http
http:
method: PATCH
url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id
params:
- name: servicePrincipal-id
value: ''
type: path
description: Unique identifier of the service principal (object ID)
body:
type: json
data: '{}'
docs: Update the properties of a service principal object.
- info:
name: Microsoft Entra Delete Service Principal
type: http
http:
method: DELETE
url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id
params:
- name: servicePrincipal-id
value: ''
type: path
description: Unique identifier of the service principal (object ID)
docs: Delete a service principal object. This removes the application instance from the tenant but does not delete the
application registration.
- info:
name: Microsoft Entra List App Role Assignments
type: http
http:
method: GET
url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id/appRoleAssignments
params:
- name: servicePrincipal-id
value: ''
type: path
description: Unique identifier of the service principal (object ID)
- name: $select
value: id,displayName,mail
type: query
description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
is returned.
- name: $top
value: ''
type: query
description: Maximum number of items to return in the response
docs: Get the app role assignments granted to this service principal. App role assignments represent permissions granted
to the service principal to call another application's API.
- info:
name: Microsoft Entra Grant App Role Assignment
type: http
http:
method: POST
url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id/appRoleAssignments
params:
- name: servicePrincipal-id
value: ''
type: path
description: Unique identifier of the service principal (object ID)
body:
type: json
data: '{}'
docs: Grant an app role assignment to a service principal. App roles assigned to service principals are also known as
application permissions.
bundled: true