Microsoft Entra website screenshot

Microsoft Entra

Microsoft Entra (formerly Azure Active Directory) provides identity and access management services including authentication, authorization, and directory services.

14 APIs 8 Features
Access ManagementAuthenticationAzure ADEntraIdentityIdentity GovernanceMicrosoftNetwork SecuritySecurityZero Trust

APIs

Microsoft Entra ID (Azure AD) API

Core identity and access management API for user authentication, authorization, and directory management.

Microsoft Entra ID Protection API

API for identity risk detection, investigation, and remediation.

Microsoft Entra Conditional Access API

API for managing conditional access policies and controls.

Microsoft Entra Privileged Identity Management API

API for managing privileged access and just-in-time administration.

Microsoft Entra Verified ID API

API for issuing and verifying decentralized identity credentials.

Microsoft Entra External ID API

API for managing customer and partner identity and access management.

Microsoft Entra ID Governance API

API for managing identity governance including access reviews, entitlement management, and lifecycle workflows to ensure the right people have the right access at the right time.

Microsoft Entra Application Management API

API for registering, configuring, and managing applications and service principals in Microsoft Entra ID.

Microsoft Entra Authentication Methods API

API for managing user authentication methods including FIDO2 security keys, passwordless phone sign-in, Microsoft Authenticator, and MFA registration.

Microsoft Entra Workload ID API

API for managing and securing identities for software workloads such as applications, services, scripts, and containers.

Microsoft Entra Provisioning API

API for automating user provisioning and deprovisioning using SCIM protocol, including API-driven inbound provisioning from any system of record.

Microsoft Entra Global Secure Access API

API for managing Microsoft Entra Internet Access and Microsoft Entra Private Access, providing identity-centric secure web gateway and zero-trust network access.

Microsoft Identity Platform API

API endpoints for OAuth 2.0, OpenID Connect, and SAML authentication protocols enabling application integration with Microsoft Entra ID.

Microsoft Entra Agent ID API

API for creating, securing, and monitoring AI agent identities, providing authentication, authorization, and lifecycle management for AI agents.

Collections

Arazzo Workflows

Microsoft Entra Audit User Memberships

Find a user by UPN, read its profile, and list its group memberships.

ARAZZO

Microsoft Entra Create Group With Member

Create a security group, add a member, and list its members.

ARAZZO

Microsoft Entra Create Microsoft 365 Group With Member

Create a Unified M365 group, add a member, and read the group back.

ARAZZO

Microsoft Entra Decommission Application

Find a service principal by appId, delete it, then delete the app.

ARAZZO

Microsoft Entra Deprovision User

Disable a user account, then delete the user from the directory.

ARAZZO

Microsoft Entra Find And Update Application

Find an app by appId, update its display name, and read it back.

ARAZZO

Microsoft Entra Find And Update Group

Find a group by display name, update it, and read it back.

ARAZZO

Microsoft Entra Find And Update User

Find a user by UPN, update its profile, and read the result.

ARAZZO

Microsoft Entra Grant App Role Assignment

Grant an app role to a service principal then list its assignments.

ARAZZO

Microsoft Entra Offboard User From Group

Find a user by UPN, remove it from a group, and verify removal.

ARAZZO

Microsoft Entra Onboard User To Group

Create a user, add it to an existing group, and confirm membership.

ARAZZO

Microsoft Entra Provision User

Create a new Entra ID user and read back the provisioned account.

ARAZZO

Microsoft Entra Register Application With Service Principal

Create an app registration then instantiate its service principal.

ARAZZO

Microsoft Entra Rotate Application Secret

Add a fresh client secret to an app, then remove the old one.

ARAZZO

Pricing Plans

Rate Limits

Microsoft Entra Rate Limits

9 limits

RATE LIMITS

FinOps

Features

Identity and Access Management

Manage user identities, authentication, and authorization across cloud and hybrid environments with single sign-on.

Conditional Access

Enforce adaptive access policies based on user, device, location, and risk signals for zero trust security.

Identity Governance

Automate access reviews, entitlement management, and lifecycle workflows to ensure proper access controls.

Privileged Identity Management

Manage, control, and monitor privileged access with just-in-time and approval-based activation.

Verified ID

Issue and verify decentralized identity credentials using open standards for portable, self-sovereign identity.

External Identities

Enable secure collaboration with external partners and customers through B2B and B2C identity management.

Global Secure Access

Provide identity-centric secure web gateway and zero-trust network access for internet and private resources.

Workload Identities

Secure and manage identities for applications, services, scripts, and containers running as software workloads.

Use Cases

Zero Trust Implementation

Implement zero trust architecture with identity-based access controls, conditional access policies, and continuous verification.

Hybrid Identity Management

Synchronize and manage identities across on-premises Active Directory and cloud environments.

Application Single Sign-On

Enable SSO for thousands of SaaS and on-premises applications with SAML, OIDC, and password-based authentication.

Automated User Provisioning

Automate user lifecycle management with SCIM-based provisioning and deprovisioning across integrated applications.

AI Agent Identity Management

Create, secure, and monitor identities for AI agents with authentication, authorization, and lifecycle management.

Integrations

Microsoft 365

Deep integration for identity and access management across all Microsoft 365 applications and services.

Azure Services

Native identity provider for Azure resources including VMs, databases, storage, and managed identities.

Active Directory

Hybrid identity synchronization with on-premises Active Directory using Azure AD Connect.

Salesforce

SAML and SCIM integration for single sign-on and automated user provisioning with Salesforce.

ServiceNow

SSO and automated provisioning integration with ServiceNow ITSM platform.

Workday

Inbound provisioning from Workday HR to automate user lifecycle management.

SAP

SSO and provisioning integration with SAP applications and S/4HANA.

Okta

Cross-platform identity federation and migration support with Okta identity provider.

Semantic Vocabularies

Microsoft Entra Context

0 classes · 5 properties

JSON-LD

Microsoft Entra Graph Identity Context

0 classes · 0 properties

JSON-LD

API Governance Rules

Microsoft Entra API Rules

7 rules · 7 errors

SPECTRAL

JSON Structure

Microsoft Entra Graph Identity Group Structure

18 properties

JSON STRUCTURE

Microsoft Entra Graph Identity User Structure

31 properties

JSON STRUCTURE

Microsoft Entra Structure

0 properties

JSON STRUCTURE

Example Payloads

Resources

🔗
PostmanWorkspace
PostmanWorkspace
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🌐
Portal
Portal
🚀
GettingStarted
GettingStarted
📰
Blog
Blog
💬
Support
Support
🟢
StatusPage
StatusPage
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
📄
ChangeLog
ChangeLog
📦
SDKs
SDKs
👥
GitHubOrganization
GitHubOrganization
🔑
Authentication
Authentication
💰
Pricing
Pricing
🔗
JSONLD
JSONLD
🔗
JSONSchema
JSONSchema
🔗
JSONSchema
JSONSchema

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Microsoft Entra Microsoft Graph Identity API
  version: v1.0
request:
  auth:
    type: oauth2
    flow: client_credentials
    accessTokenUrl: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    credentials:
      clientId: '{{clientId}}'
      clientSecret: '{{clientSecret}}'
items:
- info:
    name: Users
    type: folder
  items:
  - info:
      name: Microsoft Entra List Users
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/users
      headers:
      - name: ConsistencyLevel
        value: ''
      params:
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $filter
        value: startswith(displayName,'J')
        type: query
        description: OData filter expression to restrict the returned collection
      - name: $orderby
        value: displayName asc
        type: query
        description: Comma-separated list of properties to sort results by
      - name: $top
        value: ''
        type: query
        description: Maximum number of items to return in the response
      - name: $skip
        value: ''
        type: query
        description: Number of items to skip in the result set
      - name: $count
        value: ''
        type: query
        description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
          to eventual.
      - name: $search
        value: '"displayName:John"'
        type: query
        description: Search string to filter results using tokenized search across displayName and description properties.
          Requires ConsistencyLevel header set to eventual.
      - name: $expand
        value: memberOf
        type: query
        description: Comma-separated list of relationships to expand and include
    docs: Retrieve a list of user objects in the directory. Returns a paged collection of user resources with support for
      OData query parameters including $select, $filter, $orderby, $top, $skip, $count, $search, and $expand.
  - info:
      name: Microsoft Entra Create User
      type: http
    http:
      method: POST
      url: https://graph.microsoft.com/v1.0/users
      body:
        type: json
        data: '{}'
    docs: Create a new user in the directory. The request body must contain the required properties including displayName,
      accountEnabled, mailNickname, userPrincipalName, and passwordProfile.
  - info:
      name: Microsoft Entra Get User
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/users/:user-id
      params:
      - name: user-id
        value: ''
        type: path
        description: Unique identifier of the user (object ID) or the userPrincipalName (e.g., user@contoso.com)
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $expand
        value: memberOf
        type: query
        description: Comma-separated list of relationships to expand and include
    docs: Retrieve the properties and relationships of a user object. Specify the user by id or userPrincipalName.
  - info:
      name: Microsoft Entra Update User
      type: http
    http:
      method: PATCH
      url: https://graph.microsoft.com/v1.0/users/:user-id
      params:
      - name: user-id
        value: ''
        type: path
        description: Unique identifier of the user (object ID) or the userPrincipalName (e.g., user@contoso.com)
      body:
        type: json
        data: '{}'
    docs: Update the properties of a user object. Not all properties can be updated by member or guest users with their default
      permissions without administrator roles.
  - info:
      name: Microsoft Entra Delete User
      type: http
    http:
      method: DELETE
      url: https://graph.microsoft.com/v1.0/users/:user-id
      params:
      - name: user-id
        value: ''
        type: path
        description: Unique identifier of the user (object ID) or the userPrincipalName (e.g., user@contoso.com)
    docs: Delete a user object. The user is moved to the deletedItems container and can be restored within 30 days. After
      30 days the user is permanently deleted.
  - info:
      name: Microsoft Entra List User Group Memberships
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/users/:user-id/memberOf
      params:
      - name: user-id
        value: ''
        type: path
        description: Unique identifier of the user (object ID) or the userPrincipalName (e.g., user@contoso.com)
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $filter
        value: startswith(displayName,'J')
        type: query
        description: OData filter expression to restrict the returned collection
      - name: $top
        value: ''
        type: query
        description: Maximum number of items to return in the response
    docs: Get the groups, directory roles, and administrative units that the user is a direct member of.
- info:
    name: Groups
    type: folder
  items:
  - info:
      name: Microsoft Entra List Groups
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/groups
      headers:
      - name: ConsistencyLevel
        value: ''
      params:
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $filter
        value: startswith(displayName,'J')
        type: query
        description: OData filter expression to restrict the returned collection
      - name: $orderby
        value: displayName asc
        type: query
        description: Comma-separated list of properties to sort results by
      - name: $top
        value: ''
        type: query
        description: Maximum number of items to return in the response
      - name: $skip
        value: ''
        type: query
        description: Number of items to skip in the result set
      - name: $count
        value: ''
        type: query
        description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
          to eventual.
      - name: $search
        value: '"displayName:John"'
        type: query
        description: Search string to filter results using tokenized search across displayName and description properties.
          Requires ConsistencyLevel header set to eventual.
      - name: $expand
        value: memberOf
        type: query
        description: Comma-separated list of relationships to expand and include
    docs: List all groups in the directory including Microsoft 365 groups, security groups, mail-enabled security groups,
      and distribution groups. Returns a paged collection with OData query support.
  - info:
      name: Microsoft Entra Create Group
      type: http
    http:
      method: POST
      url: https://graph.microsoft.com/v1.0/groups
      body:
        type: json
        data: '{}'
    docs: Create a new group in the directory. You can create Microsoft 365 groups, security groups, or mail-enabled security
      groups. Specify the groupTypes, mailEnabled, and securityEnabled properties to determine the type of group.
  - info:
      name: Microsoft Entra Get Group
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/groups/:group-id
      params:
      - name: group-id
        value: ''
        type: path
        description: Unique identifier of the group (object ID)
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $expand
        value: memberOf
        type: query
        description: Comma-separated list of relationships to expand and include
    docs: Get the properties and relationships of a group object. Returns the default set of properties unless $select is
      specified.
  - info:
      name: Microsoft Entra Update Group
      type: http
    http:
      method: PATCH
      url: https://graph.microsoft.com/v1.0/groups/:group-id
      params:
      - name: group-id
        value: ''
        type: path
        description: Unique identifier of the group (object ID)
      body:
        type: json
        data: '{}'
    docs: Update the properties of a group object. Not all properties can be updated depending on the group type.
  - info:
      name: Microsoft Entra Delete Group
      type: http
    http:
      method: DELETE
      url: https://graph.microsoft.com/v1.0/groups/:group-id
      params:
      - name: group-id
        value: ''
        type: path
        description: Unique identifier of the group (object ID)
    docs: Delete a group. Deleting a Microsoft 365 group moves it to the deletedItems container where it can be restored within
      30 days. Security groups are permanently deleted immediately.
  - info:
      name: Microsoft Entra List Group Members
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/groups/:group-id/members
      headers:
      - name: ConsistencyLevel
        value: ''
      params:
      - name: group-id
        value: ''
        type: path
        description: Unique identifier of the group (object ID)
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $filter
        value: startswith(displayName,'J')
        type: query
        description: OData filter expression to restrict the returned collection
      - name: $top
        value: ''
        type: query
        description: Maximum number of items to return in the response
      - name: $count
        value: ''
        type: query
        description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
          to eventual.
    docs: Get the direct members of a group. A group can have users, devices, other groups, organizational contacts, and service
      principals as members.
  - info:
      name: Microsoft Entra Add Group Member
      type: http
    http:
      method: POST
      url: https://graph.microsoft.com/v1.0/groups/:group-id/members/$ref
      params:
      - name: group-id
        value: ''
        type: path
        description: Unique identifier of the group (object ID)
      body:
        type: json
        data: '{}'
    docs: Add a member to a Microsoft 365 group or a security group by posting a reference to the directory object to add.
  - info:
      name: Microsoft Entra Remove Group Member
      type: http
    http:
      method: DELETE
      url: https://graph.microsoft.com/v1.0/groups/:group-id/members/:directoryObject-id/$ref
      params:
      - name: group-id
        value: ''
        type: path
        description: Unique identifier of the group (object ID)
      - name: directoryObject-id
        value: ''
        type: path
        description: Unique identifier of the directory object to remove
    docs: Remove a member from a group via the members navigation property. Specify the member to remove by its directory
      object id.
- info:
    name: Applications
    type: folder
  items:
  - info:
      name: Microsoft Entra List Applications
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/applications
      headers:
      - name: ConsistencyLevel
        value: ''
      params:
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $filter
        value: startswith(displayName,'J')
        type: query
        description: OData filter expression to restrict the returned collection
      - name: $orderby
        value: displayName asc
        type: query
        description: Comma-separated list of properties to sort results by
      - name: $top
        value: ''
        type: query
        description: Maximum number of items to return in the response
      - name: $skip
        value: ''
        type: query
        description: Number of items to skip in the result set
      - name: $count
        value: ''
        type: query
        description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
          to eventual.
      - name: $search
        value: '"displayName:John"'
        type: query
        description: Search string to filter results using tokenized search across displayName and description properties.
          Requires ConsistencyLevel header set to eventual.
    docs: Get the list of application registrations in the directory. Returns the application objects with their configuration
      properties including credentials, permissions, and sign-in settings.
  - info:
      name: Microsoft Entra Create Application
      type: http
    http:
      method: POST
      url: https://graph.microsoft.com/v1.0/applications
      body:
        type: json
        data: '{}'
    docs: Create a new application registration in the directory. The application object represents the global definition
      of the app including its identity, access configuration, and settings.
  - info:
      name: Microsoft Entra Get Application
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/applications/:application-id
      params:
      - name: application-id
        value: ''
        type: path
        description: Unique identifier of the application (object ID, not appId)
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $expand
        value: memberOf
        type: query
        description: Comma-separated list of relationships to expand and include
    docs: Get the properties and relationships of an application object by its id (object id, not appId).
  - info:
      name: Microsoft Entra Update Application
      type: http
    http:
      method: PATCH
      url: https://graph.microsoft.com/v1.0/applications/:application-id
      params:
      - name: application-id
        value: ''
        type: path
        description: Unique identifier of the application (object ID, not appId)
      body:
        type: json
        data: '{}'
    docs: Update the properties of an application object.
  - info:
      name: Microsoft Entra Delete Application
      type: http
    http:
      method: DELETE
      url: https://graph.microsoft.com/v1.0/applications/:application-id
      params:
      - name: application-id
        value: ''
        type: path
        description: Unique identifier of the application (object ID, not appId)
    docs: Delete an application object. The application is moved to the deletedItems container and can be restored within
      30 days.
  - info:
      name: Microsoft Entra Add Password Credential
      type: http
    http:
      method: POST
      url: https://graph.microsoft.com/v1.0/applications/:application-id/addPassword
      params:
      - name: application-id
        value: ''
        type: path
        description: Unique identifier of the application (object ID, not appId)
      body:
        type: json
        data: '{}'
    docs: Add a strong password or secret to an application. The response includes the generated secretText which is only
      returned at creation time and cannot be retrieved later.
  - info:
      name: Microsoft Entra Remove Password Credential
      type: http
    http:
      method: POST
      url: https://graph.microsoft.com/v1.0/applications/:application-id/removePassword
      params:
      - name: application-id
        value: ''
        type: path
        description: Unique identifier of the application (object ID, not appId)
      body:
        type: json
        data: '{}'
    docs: Remove a password credential from an application by specifying the keyId of the password to remove.
- info:
    name: ServicePrincipals
    type: folder
  items:
  - info:
      name: Microsoft Entra List Service Principals
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/servicePrincipals
      headers:
      - name: ConsistencyLevel
        value: ''
      params:
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $filter
        value: startswith(displayName,'J')
        type: query
        description: OData filter expression to restrict the returned collection
      - name: $orderby
        value: displayName asc
        type: query
        description: Comma-separated list of properties to sort results by
      - name: $top
        value: ''
        type: query
        description: Maximum number of items to return in the response
      - name: $skip
        value: ''
        type: query
        description: Number of items to skip in the result set
      - name: $count
        value: ''
        type: query
        description: Include a count of the total number of items in the collection. Requires ConsistencyLevel header set
          to eventual.
      - name: $search
        value: '"displayName:John"'
        type: query
        description: Search string to filter results using tokenized search across displayName and description properties.
          Requires ConsistencyLevel header set to eventual.
    docs: Retrieve a list of service principal objects in the directory. A service principal represents an instance of an
      application in a tenant and is the identity used for authentication and authorization.
  - info:
      name: Microsoft Entra Create Service Principal
      type: http
    http:
      method: POST
      url: https://graph.microsoft.com/v1.0/servicePrincipals
      body:
        type: json
        data: '{}'
    docs: Create a new service principal in the directory. The appId property in the request body is required and must reference
      an existing application registration.
  - info:
      name: Microsoft Entra Get Service Principal
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id
      params:
      - name: servicePrincipal-id
        value: ''
        type: path
        description: Unique identifier of the service principal (object ID)
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $expand
        value: memberOf
        type: query
        description: Comma-separated list of relationships to expand and include
    docs: Retrieve the properties and relationships of a service principal object.
  - info:
      name: Microsoft Entra Update Service Principal
      type: http
    http:
      method: PATCH
      url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id
      params:
      - name: servicePrincipal-id
        value: ''
        type: path
        description: Unique identifier of the service principal (object ID)
      body:
        type: json
        data: '{}'
    docs: Update the properties of a service principal object.
  - info:
      name: Microsoft Entra Delete Service Principal
      type: http
    http:
      method: DELETE
      url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id
      params:
      - name: servicePrincipal-id
        value: ''
        type: path
        description: Unique identifier of the service principal (object ID)
    docs: Delete a service principal object. This removes the application instance from the tenant but does not delete the
      application registration.
  - info:
      name: Microsoft Entra List App Role Assignments
      type: http
    http:
      method: GET
      url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id/appRoleAssignments
      params:
      - name: servicePrincipal-id
        value: ''
        type: path
        description: Unique identifier of the service principal (object ID)
      - name: $select
        value: id,displayName,mail
        type: query
        description: Comma-separated list of properties to include in the response. If unspecified, a default set of properties
          is returned.
      - name: $top
        value: ''
        type: query
        description: Maximum number of items to return in the response
    docs: Get the app role assignments granted to this service principal. App role assignments represent permissions granted
      to the service principal to call another application's API.
  - info:
      name: Microsoft Entra Grant App Role Assignment
      type: http
    http:
      method: POST
      url: https://graph.microsoft.com/v1.0/servicePrincipals/:servicePrincipal-id/appRoleAssignments
      params:
      - name: servicePrincipal-id
        value: ''
        type: path
        description: Unique identifier of the service principal (object ID)
      body:
        type: json
        data: '{}'
    docs: Grant an app role assignment to a service principal. App roles assigned to service principals are also known as
      application permissions.
bundled: true