Azure Active Directory · Schema
Azure Active Directory User
Represents a user account in Azure Active Directory (Microsoft Entra ID). A user is a core identity object in the Microsoft identity platform, containing profile information, authentication credentials, organizational relationships, and license assignments. This schema is based on the Microsoft Graph v1.0 user resource type as documented at https://learn.microsoft.com/en-us/graph/api/resources/user.
Authentication, Authorization, Identity, Microsoft, Microsoft Entra, OAuth, OpenID Connect, SAML, SCIM, Single Sign-On, Zero Trust
Properties
| Name | Type | Description |
|---|---|---|
| @odata.type | string | The OData type annotation for the user resource. |
| id | string | The unique identifier for the user. This is a GUID assigned by Azure AD when the user object is created. Read-only. |
| deletedDateTime | string, null | The date and time the user was deleted. Null if the user has not been deleted. Read-only. |
| accountEnabled | boolean | True if the account is enabled; otherwise, false. This property is required when creating a user. A disabled account cannot authenticate. |
| ageGroup | string, null | Sets the age group of the user. Allowed values: null, Minor, NotAdult, Adult. |
| assignedLicenses | array | The licenses assigned to the user, including specific disabled service plans. Read-only. Not nullable. |
| assignedPlans | array | The plans assigned to the user from subscriptions. Read-only. Not nullable. |
| businessPhones | array | The telephone numbers for the user. Only one number can be set for this property. Read-only for users synced from on-premises directory. |
| city | string, null | The city where the user is located. Maximum length is 128 characters. |
| companyName | string, null | The name of the company associated with the user. This property can be useful for describing the company that an external user comes from. Maximum length is 64 characters. |
| consentProvidedForMinor | string, null | Sets whether consent was obtained for minors. Allowed values: null, Granted, Denied, NotRequired. |
| country | string, null | The country or region where the user is located. Use the ISO 3166 two-letter country code format (e.g., US, GB, DE). Maximum length is 128 characters. |
| createdDateTime | string, null | The date and time the user was created in ISO 8601 format and UTC time. Read-only. |
| creationType | string, null | Indicates whether the user account was created through one of the following methods: as a regular school or work account (null), as an external account (Invitation), as a local account for an Azure Ac |
| department | string, null | The name of the department in which the user works. Maximum length is 64 characters. |
| displayName | string | The name displayed in the address book for the user. This is usually the combination of the first name, middle initial, and last name. This property is required when a user is created and cannot be cl |
| employeeHireDate | string, null | The date and time when the user was hired or will start work in case of a future hire. |
| employeeId | string, null | The employee identifier assigned to the user by the organization. The maximum length is 16 characters. |
| employeeLeaveDateTime | string, null | The date and time when the user left or will leave the organization. |
| employeeOrgData | object | Represents organization data (e.g., division and costCenter) associated with a user. |
| employeeType | string, null | Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor. |
| externalUserState | string, null | For an external user invited to the tenant, this property represents the invited user's invitation status. Possible values: PendingAcceptance, Accepted, null. Read-only. |
| externalUserStateChangeDateTime | string, null | Shows the timestamp for the latest change to the externalUserState property. Read-only. |
| faxNumber | string, null | The fax number of the user. |
| givenName | string, null | The given name (first name) of the user. Maximum length is 64 characters. |
| identities | array | Represents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft, by organizations, or by social identity providers. May contain multiple items with |
| imAddresses | array | The instant message voice-over-IP (VOIP) session initiation protocol (SIP) addresses for the user. Read-only. |
| isResourceAccount | boolean, null | Do not use. Reserved for future use. |
| jobTitle | string, null | The user's job title. Maximum length is 128 characters. |
| lastPasswordChangeDateTime | string, null | The time when this Azure AD user last changed their password or when their password was created. Read-only. |
| legalAgeGroupClassification | string, null | Used by enterprise applications to determine the legal age group of the user. Read-only. |
| licenseAssignmentStates | array | State of license assignments for this user. Read-only. |
| mail | string, null | The SMTP address for the user (e.g., [email protected]). Changes to this property also update the user's proxyAddresses collection to include the value as an SMTP address. This property cannot contain |
| mailNickname | string | The mail alias for the user. This property must be specified when a user is created. Maximum length is 64 characters. |
| mobilePhone | string, null | The primary cellular telephone number for the user. Read-only for users synced from on-premises directory. |
| officeLocation | string, null | The office location in the user's place of business. |
| onPremisesDistinguishedName | string, null | Contains the on-premises Active Directory distinguished name or DN. Read-only. |
| onPremisesDomainName | string, null | Contains the on-premises domainFQDN, also called dnsDomainName, synced from the on-premises directory. Read-only. |
| onPremisesExtensionAttributes | object | Contains extensionAttributes1-15 for the user. These extension attributes are also known as Exchange custom attributes. Read-only for cloud-only users. |
| onPremisesImmutableId | string, null | This property is used to associate an on-premises Active Directory user account to their Azure AD user object. This property must be specified when creating a new user if you are using a federated dom |
| onPremisesLastSyncDateTime | string, null | Indicates the last time at which the object was synced with the on-premises directory. Read-only. |
| onPremisesProvisioningErrors | array | Errors when using Microsoft synchronization product during provisioning. Read-only. |
| onPremisesSamAccountName | string, null | Contains the on-premises samAccountName synced from the on-premises directory. Read-only. |
| onPremisesSecurityIdentifier | string, null | Contains the on-premises security identifier (SID) for the user that was synced from on-premises to the cloud. Read-only. |
| onPremisesSyncEnabled | boolean, null | True if this user object is currently being synced from an on-premises Active Directory (AD); otherwise, the user isn't being synced and can be managed in Azure Active Directory. Read-only. |
| onPremisesUserPrincipalName | string, null | Contains the on-premises userPrincipalName synced from the on-premises directory. Read-only. |
| otherMails | array | A list of additional email addresses for the user (e.g., ["[email protected]", "[email protected]"]). |
| passwordPolicies | string, null | Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. Disab |
| passwordProfile | object | Specifies the password profile for the user. The profile contains the user's password. This property is required when a user is created. |
| postalCode | string, null | The postal code for the user's postal address. The postal code is specific to the user's country/region. Maximum length is 40 characters. |
| preferredLanguage | string, null | The preferred language for the user, expressed in ISO 639-1 code format (e.g., en-US). |
| preferredDataLocation | string, null | The preferred data location for the user, indicating the geographic region for their data. |
| provisionedPlans | array | The plans that are provisioned for the user. Read-only. Not nullable. |
| proxyAddresses | array | A list that includes the user's SMTP and SIP proxy addresses. For example: ["SMTP:[email protected]", "smtp:[email protected]"]. The address prefixed with SMTP (uppercase) is the primary. Read-only. |
| securityIdentifier | string, null | Security identifier (SID) of the user, used in Windows scenarios. Read-only. |
| showInAddressList | boolean, null | Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead. |
| signInActivity | object | Get the last signed-in date and request ID of the sign-in for a given user. Read-only. Requires Azure AD Premium P1 or P2 license. |
| signInSessionsValidFromDateTime | string, null | Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated a |
| state | string, null | The state or province in the user's address. Maximum length is 128 characters. |
| streetAddress | string, null | The street address of the user's place of business. Maximum length is 1024 characters. |
| surname | string, null | The user's surname (family name or last name). Maximum length is 64 characters. |
| usageLocation | string, null | A two-letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirements to check for availability of services in countries/regions. Examples include |
| userPrincipalName | string | The user principal name (UPN) of the user. The UPN is an Internet-style sign-in name based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format |
| userType | string, null | A string value that can be used to classify user types in your directory, such as Member and Guest. |