Microsoft Graph API

the microsoft graph api connector allows for streamlined access and management of microsoft cloud services data, enabling automation of complex workflows and interactions microsoft graph api is a unified gateway to data and intelligence in microsoft 365, providing secure access to a wide range of resources including users, mail, files, and more this connector enables seamless integration with third party tools, allowing users to automate tasks within swimlane turbine, such as incident management, email operations, and user authentication by leveraging this connector, end users can streamline their security workflows, enhance data accessibility, and improve response times to security events configuration prerequisites to utilize the microsoft graph api connector within swimlane turbine, ensure you have the following prerequisites client credentials and tenant id authentication with these parameters url endpoint for microsoft graph api client id application id registered in azure ad client secret key generated for the application in azure ad tenant id directory id of the azure ad tenant scope permissions the app requires oauth 2 0 client credentials with these parameters url endpoint for microsoft graph api client id application id registered in azure ad client secret key generated for the application in azure ad token url url to retrieve the oauth2 token scope permissions the app requires delegated flow authentication with these parameters url endpoint for microsoft graph api tenant id directory id of the azure ad tenant and so on authentication methods oauth 2 0 client credentials authentication with these parameters url endpoint for microsoft graph api client id application (client) id registered in azure ad client secret client secret (key) generated for the application in azure ad token url url to retrieve the oauth token scope permissions the app requires password grant (delegated authentication) for acting on behalf of a user url endpoint for microsoft graph api tenant id directory id of the azure ad tenant oauth un user's username to authenticate oauth pwd user's password to authenticate oauth cl id application (client) id registered in azure ad oauth cl secret client secret (key) generated for the application in azure ad login url login url default value is https //login microsoftonline com https //login microsoftonline com (optional) scope permissions the app requires optional field (optional) url endpoint for microsoft graph api client id application (client) id registered in azure ad client secret client secret (key) generated for the application in azure ad tenant id directory id of the azure ad tenant scope permissions the app requires url endpoint for microsoft graph api client id application (client) id registered in azure ad client secret client secret (key) generated for the application in azure ad refresh token refresh token scope permissions the app requires capabilities the microsoft graph api connector gives the ability to get and update security alerts, and modify user licenses and sessions add group member add group owner add identity directory device registered user add identity directory role member add incident comment add member to directory administrative unit add members assign and remove license audit logs get signin audit logs list signins cancel security action create contact create event create rejectedsender create group and so on asset setup client credential flow authentication authentication uses azure application oauth2 you will need an admin account in azure to create the application recommended application permissions (feel free use custom permissions if you only use certain actions) user readwrite all calendars readwrite directory readwrite all directory accessasuser all securityevents read all securityevents readwrite all mail readwrite mail send sites readwrite all files readwrite all auditlog read all mail readbasic all securityanalyzedmessage readwrite all securityalert readwrite all user manageidentities all, and so on sites readwrite all is needed by sharepoint actions only in order to set up the asset, you need the following azure application client id azure application client secret azure tenant id steps to create the azure app go to the app registration page https //portal azure com/#blade/microsoft aad registeredapps/applicationslistblade in the azure portal click new registration enter a name for your new application and choose accounts in this organizational directory only , then click register at the bottom navigate to the api permissions tab on the left navigation menu select add a permission select microsoft graph select application permissions , then mark all the permissions you need for the actions you are using (see suggested permissions at the top of the asset setup section) click the add permissions button at the bottom of the page select grant admin consent for your organization, then your permissions should look as below navigate to the certificates & secrets tab and select new client secret fill out the description and expiration, then click the add button at the bottom the value of the secret you just created is the client secret needed for the swimlane asset navigate to the overview tab on the left menu the client id and tenant id needed in the asset are shown on this page the client id , tenant id , and client secret described in the steps above are the credentials you need for the asset password flow (delegated auth) use delegated permissions, instead of application permissions, and generate client id , tenant id , and client secret as described in the above client credential flow authentication we also need an username and a password for this authentication authentication flow for oauth2 refresh token oauth 2 0 refresh token grant, which requires a refresh token , tenant id , client id and client secret use this auth with accounts which have mfa enabled to generate a refresh token please follow the instructions below in step 3 of the above mentioned setup instructions, please provide a redirect uri and select the platform as 'web', before clicking on register at the the bottom proceed with the remaining steps to generate 'client id', tenant id and client secret add the permissions in delegated permissions the swimlane team will provide a python script and instructions on how to use the script to generate the refresh token limit access to specific mailboxes administrators who want to limit app access to specific mailboxes can create an application access policy by using the new applicationaccesspolicy powershell cmdlet for more information please see the article limiting application permissions to specific exchange online mailboxes https //docs microsoft com/en us/graph/auth limit mailbox access action setup odata filters information on the filter input formatting can be found here https //docs microsoft com/en us/graph/query parameters#filter parameter keep in mind that not specifying a folder as an input will result in the query affecting all possible folders example if we want to ingest only unread emails, and we don't set the input "folder", we will ingest all unread emails from all folders, including "deleted items", "junk", etc well known folders well known folders can be used instead of folder ids for email actions all well known folder names can be found here https //docs microsoft com/en us/graph/api/resources/mailfolder?view=graph rest 1 0 sites get site all the sites actions require the site id to be executed the site id can be obtained using the action sites get site, in order to run the action the site hostname and site name are needed this two values can be found in a site url https //{site hostname} sharepoint com/sites/{site name} for example if our site url is https //swimlaneintegrations sharepoint com/sites/integrationssite we should use site hostname swimlaneintegrations site name integrationssite after the action execution you can find the site id on the id output field sites create list in order to create a list with its columns, use the input columns you can find all the possible values with its configuration on the following table property name type description boolean booleancolumn https //docs microsoft com/en us/graph/api/resources/booleancolumn?view=graph rest 1 0 this column stores boolean values calculated calculatedcolumn https //docs microsoft com/en us/graph/api/resources/calculatedcolumn?view=graph rest 1 0 this column's data is calculated based on other columns choice choicecolumn https //docs microsoft com/en us/graph/api/resources/choicecolumn?view=graph rest 1 0 this column stores data from a list of choices currency currencycolumn https //docs microsoft com/en us/graph/api/resources/currencycolumn?view=graph rest 1 0 this column stores currency values datetime datetimecolumn https //docs microsoft com/en us/graph/api/resources/datetimecolumn?view=graph rest 1 0 this column stores datetime values geolocation geolocationcolumn https //docs microsoft com/en us/graph/api/resources/geolocationcolumn?view=graph rest 1 0 this column stores a geolocation lookup lookupcolumn https //docs microsoft com/en us/graph/api/resources/lookupcolumn?view=graph rest 1 0 this column's data is looked up from another source in the site number numbercolumn https //docs microsoft com/en us/graph/api/resources/numbercolumn?view=graph rest 1 0 this column stores number values personorgroup personorgroupcolumn https //docs microsoft com/en us/graph/api/resources/personorgroupcolumn?view=graph rest 1 0 this column stores person or group values text textcolumn https //docs microsoft com/en us/graph/api/resources/textcolumn?view=graph rest 1 0 this column stores text values validation columnvalidation https //docs microsoft com/en us/graph/api/resources/columnvalidation?view=graph rest 1 0 this column stores validation formula and message for the column hyperlinkorpicture hyperlinkorpicturecolumn https //docs microsoft com/en us/graph/api/resources/hyperlinkorpicturecolumn?view=graph rest 1 0 this column stores hyperlink or picture values term termcolumn https //docs microsoft com/en us/graph/api/resources/termcolumn?view=graph rest 1 0 this column stores taxonomy terms thumbnail thumbnailcolumn https //docs microsoft com/en us/graph/api/resources/thumbnailcolumn?view=graph rest 1 0 this column stores thumbnail values contentapprovalstatus contentapprovalstatuscolumn https //docs microsoft com/en us/graph/api/resources/contentapprovalstatuscolumn?view=graph rest 1 0 this column stores content approval status for a complete version of this table please see the official column definition table https //docs microsoft com/en us/graph/api/resources/columndefinition?view=graph rest 1 0#properties create list column refer to the above table to get the type properties and column type input the type properties are documented within the links in the type column get list items in order to use the filter input please refer to the microsoft graph api /#odata filters section the column used to filter the output must be indexed, see the microsoft documentation https //support microsoft com/en us/office/add an index to a list or library column f3f00554 b7dc 44d1 a2ed d477eac463b0?ui=en us\&rs=en us\&ad=us to add an index to a list limitations when using $filter and $orderby in the same query to get messages, make sure to specify properties in the following ways properties that appear in $orderby must also appear in $filter properties that appear in $orderby are in the same order as in $filter properties that are present in $orderby appear in $filter before any properties that aren't failing to do this results in the following error error code inefficientfilter error message the restriction or sort order is too complex for this operation the assign/remove user license requires either the disabled plans and accompanying sku ids to assign licenses or the sku id of the license you want to remove the get security alert has additional information it can return there are a large number of fields that don't relate to many alerts, so they are not mapped; you can add them if desired notes an introduction to microsoft graph api https //social technet microsoft com/wiki/contents/articles/33525 an introduction to microsoft graph api aspxmicrosoft graph security api homepage https //www microsoft com/en us/security/intelligence security apimicrosoft graph rest api v1 0 reference https //docs microsoft com/en us/graph/api/overview?view=graph rest 1 0query parameters documentation odata v4 https //docs microsoft com/en us/graph/query parametersmicrosoft graph security api v1 0 refrence https //docs microsoft com/en us/graph/api/resources/security api overview?view=graph rest betaazure ad oauth2 flow https //docs microsoft com/en us/azure/active directory/develop/v1 protocols oauth codeoauthlib legacy application client https //requests oauthlib readthedocs io/en/latest/oauth2 workflow\ html#legacy application flow , this is sort of a hack to bypass manual login (typically required) limiting application permissions to specific exchange online mailboxes https //docs microsoft com/en us/graph/auth limit mailbox accessmicrosoft graph reports audit logs api reference https //learn microsoft com/en us/graph/api/resources/azure ad auditlog overview?view=graph rest 1 0 configurations microsoft graph api asset tenant id authenticates using client credentials and tenant id configuration parameters parameter description type required url a url to the target host string required tenant id the tenant id string required client id the client id string required client secret the client secret string required scope list of permission scopes for this action array required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional password grant (delegated authentication) authenticates on behalf of a user using oauth 2 0 credentials configuration parameters parameter description type required url a url to the target host string required login url string optional tenant id string required oauth un the username for authentication string required oauth pwd the password for authentication string required oauth cl id the client id string required oauth cl secret the client secret string required scope permission scopes for this action array optional verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional oauth 2 0 client credentials authenticates using oauth 2 0 client credentials configuration parameters parameter description type required url a url to the target host string required token url must start with https //login microsoftonline com/ https //login microsoftonline com/ and then continue with the tenant id, and then be prepended with /oauth2/v2 0/token string required client id the client id string required client secret the client secret string required scope list of permission scopes for this action array required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional ms graph openid connect refresh token grant authenticates using refresh token configuration parameters parameter description type required url a url to the target host string required cl id the client id string required cl secret the client secret string required refresh token refresh token string optional verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions add incident comment appends a user defined comment to an existing incident in microsoft graph api using the specified incidentid endpoint url /v1 0/security/incidents/{{incidentid}}/comments method post input argument name type required description path parameters incidentid string required id of the incident @odata type string optional response data comment string optional the comment to be added input example {"json body" {"@odata type" "microsoft graph security alertcomment","comment" "demo for docs"},"path parameters" {"incidentid" "545"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value comment string value for the parameter value createdbydisplayname string name of the resource value createddatetime string value for the parameter output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#security/incidents('545')/comments","value" \[{"comment" "demo for docs","createdbydisplayname" "api app\ defender test jhyap","createddatetime" "2024 06 13t06 38 20 6536162z"},{"comment" "demo for docs","createdbydisplayname" "api app\ defender test jhyap","createddatetime" "2024 06 13t06 51 40 9010261z"},{"comment" "demo for docs","createdbydisplayname" "defender test jhyap","createddatetime" "2024 06 13t06 54 26 9428449z"} add members adds a new member to a specified group in microsoft graph api using the 'group id' and member's '@odata id' endpoint url /v1 0/groups/{{group id}}/members/$ref method post input argument name type required description path parameters group id string required the id of the group to which the member will be added @odata id string optional the id of the directory object to add as a member input example {"json body" {"@odata id" "https //graph microsoft com/v1 0/directoryobjects/{id}"},"path parameters" {"group id" "f0b2d6f5 097d 4177 91af a24e530b53cc"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {} audit logs get signin retrieve details for a specific sign in event in microsoft entra using the provided tenant's unique id endpoint url /v1 0/auditlogs/signins/{{id}} method get input argument name type required description path parameters id string required parameters for the audit logs get signin action input example {"path parameters" {"id" "66ea54eb 6301 4ee5 be62 ff5a759b0100"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value id string unique identifier value createddatetime string value for the parameter value userdisplayname string name of the resource value userprincipalname string name of the resource value userid string unique identifier value appid string unique identifier value appdisplayname string name of the resource value ipaddress string value for the parameter value clientappused string value for the parameter value correlationid string unique identifier value conditionalaccessstatus string status value value isinteractive boolean value for the parameter value riskdetail string value for the parameter value risklevelaggregated string value for the parameter value risklevelduringsignin string value for the parameter value riskstate string value for the parameter value riskeventtypes array type of the resource value riskeventtypes file name string name of the resource value riskeventtypes file string type of the resource value resourcedisplayname string name of the resource value resourceid string unique identifier output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#auditlogs/signins","value" \[{"id" "66ea54eb 6301 4ee5 be62 ff5a759b0100","createddatetime" "2023 12 01t16 03 24z","userdisplayname" "test contoso","userprincipalname" "testaccount1\@contoso com","userid" "26be570a ae82 4189 b4e2 a37c6808512d","appid" "de8bc8b5 d9f9 48b1 a8ad b748da725064","appdisplayname" "graph explorer","ipaddress" "131 107 159 37","clientappused" "browser","correlationid" "d79f5bee 5860 4832 928f 3133e22ae912","cond audit logs list signins retrieve microsoft entra user sign in logs to analyze access patterns and trends for a specified tenant endpoint url /v1 0/auditlogs/signins method get input argument name type required description parameters $top number optional sets the page size of results parameters $skiptoken string optional retrieves the next page of results from result sets that span multiple pages parameters $filter string optional filters results (rows) input example {"parameters" {"$top" 2,"$skiptoken" "9177f2e3532fcd4c4d225f68f7b9bdf7 1","$filter" "createddatetime ge 2024 07 01t00 00 00z and createddatetime le 2024 07 14t23 59 59z"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata nextlink string response data value array value for the parameter value id string unique identifier value createddatetime string value for the parameter value userdisplayname string name of the resource value userprincipalname string name of the resource value userid string unique identifier value appid string unique identifier value appdisplayname string name of the resource value ipaddress string value for the parameter value clientappused string value for the parameter value correlationid string unique identifier value conditionalaccessstatus string status value value isinteractive boolean value for the parameter value riskdetail string value for the parameter value risklevelaggregated string value for the parameter value risklevelduringsignin string value for the parameter value riskstate string value for the parameter value riskeventtypes array type of the resource value riskeventtypes file name string name of the resource value riskeventtypes file string type of the resource value resourcedisplayname string name of the resource output example {"@odata context" "string","@odata nextlink" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","userdisplayname" "example name","userprincipalname" "example name","userid" "string","appid" "string","appdisplayname" "example name","ipaddress" "string","clientappused" "string","correlationid" "string","conditionalaccessstatus" "active","isinteractive"\ true,"riskdetail" "string","risklevelaggregated" "string","risklevelduringsignin" "string"}]} create contact adds a new contact to a specified folder in microsoft graph api using the provided 'id' requires path parameters and json body endpoint url /v1 0/users/{{id}}/contacts method post input argument name type required description path parameters id string required parameters for the create contact action givenname string optional the contact's given name surname string optional the contact's surname emailaddresses array optional the contact's email addresses emailaddresses address string optional the email address of the contact emailaddresses name string optional the display name of the contact businessphones array optional the contact's business phone numbers input example {"json body" {"givenname" "pavel","surname" "bansky","emailaddresses" \[{"address" "pavelb\@contoso com","name" "pavel bansky"}],"businessphones" \["+1 732 555 0102"]},"path parameters" {"id" "aaron ooi swimlane com#ext#@swimlaneintegrations onmicrosoft com"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier createddatetime string time value lastmodifieddatetime string time value displayname string name of the resource output example {"id" "id value","createddatetime" "2015 11 09t02 14 32z","lastmodifieddatetime" "2015 11 09t02 14 32z","displayname" "pavel bansky"} create event creates a new calendar event in a specified user's calendar by using their email address via the microsoft graph api endpoint url /v1 0/users/{{email address}}/events method post input argument name type required description path parameters email address string required parameters for the create event action headers object optional http headers for the request headers prefer string optional specify the time zone for the start and end times in the response subject string optional the text of the event's subject line body object optional the body of the message associated with the event it can be in html or text format body contenttype string optional the content of the item body content string optional the type of the content start object optional the start date, time, and time zone of the event by default, the start time is in utc start datetime string optional a single point of time in a combined date and time representation ({date}t{time}; for example, 2017 08 29t04 00 00 0000000) start timezone string optional represents a time zone, for example, "pacific standard time" end object optional the date, time, and time zone that the event ends by default, the end time is in utc end datetime string optional a single point of time in a combined date and time representation ({date}t{time}; for example, 2017 08 29t04 00 00 0000000) end timezone string optional represents a time zone, for example, "pacific standard time" location object optional the location of the event location displayname string optional the name associated with the location locations array optional the locations where the event is held or attended from the location and locations properties always correspond with each other if you update the location property, any prior locations in the locations collection would be removed and replaced by the new location value locations displayname string optional the name associated with the location locations locationtype string optional the type of location locations uniqueidtype string optional for internal use only locations locationemailaddress string optional optional email address of the location locations locationuri string optional optional uri representing the location locations uniqueid string optional for internal use only locations address object optional the street address of the location locations address city string optional the city locations address countryorregion string optional the country or region it's a free format string value, for example, "united states" input example {"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com"},"headers" {"prefer" "outlook timezone=\\"pacific standard time\\""}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata etag string response data id string unique identifier createddatetime string time value lastmodifieddatetime string time value changekey string output field changekey categories array output field categories transactionid object unique identifier originalstarttimezone string output field originalstarttimezone originalendtimezone string output field originalendtimezone icaluid string unique identifier uid string unique identifier reminderminutesbeforestart number output field reminderminutesbeforestart isreminderon boolean output field isreminderon hasattachments boolean output field hasattachments subject string output field subject bodypreview string request body data importance string output field importance sensitivity string output field sensitivity isallday boolean output field isallday iscancelled boolean output field iscancelled isorganizer boolean output field isorganizer responserequested boolean output field responserequested output example {"@odata context" "string","@odata etag" "string","id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","lastmodifieddatetime" "string","changekey" "string","categories" \["string"],"transactionid" {},"originalstarttimezone" "string","originalendtimezone" "string","icaluid" "string","uid" "string","reminderminutesbeforestart" 123,"isreminderon"\ true,"hasattachments"\ true} create rejectedsender add a user or group to the rejected sender list in microsoft graph api by specifying their unique id endpoint url /v1 0/groups/{{id}}/rejectedsenders/$ref method post input argument name type required description path parameters id string required the unique identifier for the group @odata id string optional the id of a user or group object input example {"json body" {"@odata id" "https //graph microsoft com/v1 0/users/alexd\@contoso com"},"path parameters" {"id" "732227b1 1927 49d4 bba9 cc30e6baf602"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete email permanently deletes an email from a specified mailbox using the email address and email id via microsoft graph api endpoint url /v1 0/users/{{email address}}/messages/{{email id}} method delete input argument name type required description path parameters email address string required the account associated with the email path parameters email id string required the id of the email input example {"path parameters" {"email address" "string","email id" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete email authentication method removes a user's specified email authentication method in microsoft graph api using their email address and method id endpoint url /v1 0/users/{{email address}}/authentication/emailmethods/{{emailmethods id}} method delete input argument name type required description path parameters email address string required the account associated with the email path parameters emailmethods id string required the id of the email authentication method, referenced by {emailmethods id}, is always 3ddfcfc8 9383 446f 83cc 3ab9be4be18f delete the email method from your own account for a signed in user to update their own authentication method, they must have satisfied a multi factor authentication requirement during sign in input example {"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com","emailmethods id" "3ddfcfc8 9383 446f 83cc 3ab9be4be18f"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete fido2 authentication method removes a user's fido2 security key authentication method in microsoft graph api using their email address and method id endpoint url /v1 0/users/{{email address}}/authentication/fido2methods/{{id}} method delete input argument name type required description path parameters email address string required the account associated with the email path parameters id string required the id of the fido2 security key authentication method input example {"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com","id" " jpur tgztk6aqclf3bqja2"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete microsoft authenticator auth method removes a user's specific microsoft authenticator method using their email address and authenticator id endpoint url /v1 0/users/{{email address}}/authentication/microsoftauthenticatormethods/{{microsoftauthenticatorauthenticationmethodid}} method delete input argument name type required description path parameters email address string required the account associated with the email path parameters microsoftauthenticatorauthenticationmethodid string required the id of the microsoft authenticator authentication method input example {"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com","microsoftauthenticatorauthenticationmethodid" " jpur tgztk6aqclf3bqja2"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete phone authentication method removes a user's phone authentication method in microsoft graph api using their email address and the specific phonemethodid endpoint url /v1 0/users/{{email address}}/authentication/phonemethods/{{phonemethodid}} method delete input argument name type required description path parameters email address string required the account associated with the email path parameters phonemethodid string required the id of the phone authentication method the phone method id values correspond to deleting specific phone types are b6332ec1 7057 4abe 9331 3d72feddfe41 for alternatemobile, e37fc753 ff3b 4958 9484 eaa9425c82bc for office, and 3179e48a 750b 4051 897c 87b9720928f7 for mobile input example {"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com","phonemethodid" "3179e48a 750b 4051 897c 87b9720928f7"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete software oath authentication method removes a user's software oath token authentication method in microsoft graph api using their email address and id endpoint url /v1 0/users/{{email address}}/authentication/softwareoathmethods/{{id}} method delete input argument name type required description path parameters email address string required the account associated with the email path parameters id string required the id of the software oath token authentication method input example {"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com","id" "b172893e 893e b172 3e89 72b13e8972b1"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete temporary access pass auth method removes a user's temporary access pass authentication method in microsoft graph api using their email address and id endpoint url /v1 0/users/{{email address}}/authentication/temporaryaccesspassmethods/{{id}} method delete input argument name type required description path parameters email address string required the account associated with the email path parameters id string required the id of the temporary access pass authentication method input example {"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com","id" "05267842 25b2 4b21 8abd 8e4982796f7f"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete windows hello for business auth method removes a specific windows hello for business authentication method for a user using their email address and method id endpoint url /v1 0/users/{{email address}}/authentication/windowshelloforbusinessmethods/{{windowshelloforbusinessauthenticationmethodid}} method delete input argument name type required description path parameters email address string required the account associated with the email path parameters windowshelloforbusinessauthenticationmethodid string required the id of the windows hello for business authentication method input example {"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com","windowshelloforbusinessauthenticationmethodid" " jpur tgztk6aqclf3bqja2"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} expand and get item properties attached to message retrieves properties of an email attachment in microsoft graph api using the provided email address, email id, and attachment id endpoint url /v1 0/users/{{email address}}/messages/{{email id}}/attachments/{{attachment id}}/ method get input argument name type required description path parameters email address string required the account associated with the email path parameters email id string required the id of the email to retrieve attachments from path parameters attachment id string required attachment id remove content bytes boolean optional remove content bytes from the response parameters $expand string optional to get the properties of an item attachment (contact, event, or message) input example {"parameters" {"$expand" "microsoft graph itemattachment/item"},"path parameters" {"email address" "integrations\@ onmicrosoft com","email id" "aamkadmxzmu3zwq4ltmzngitngy3zc1im2uxlwm3mdqzogvjmzlknwbgaaaaaaahypwuvwmwsrfeylv6xhmzbwcbjrt9 oidtlplg45rvpkcaaaaaaemaacbjrt9 oidtlplg45rvpkcaaqxsrlaaaa=","attachment id" "aamkadmxzmu3zwq4ltmzngitngy3zc1im2uxlwm3mdqzogvjmzlknwbgaaaaaaahypwuvwmwsrfeylv6xhmzbwcbjrt9 oidtlplg45rvpkcaaaaaaemaacbjrt9 oidtlplg45rvpkcaaqxsrlaaaabegaqabype5lwci5cg91dh8n8e s="},"remove content bytes"\ true} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata type string response data id string unique identifier lastmodifieddatetime string time value name string name of the resource contenttype object type of the resource size number output field size isinline boolean output field isinline item\@odata associationlink string response data item\@odata navigationlink string response data item object output field item item \@odata type string response data item id string unique identifier item createddatetime string time value item lastmodifieddatetime string time value item receiveddatetime string time value item sentdatetime string time value item hasattachments boolean output field item hasattachments item internetmessageid string unique identifier item subject string output field item subject item bodypreview string request body data item importance string output field item importance item conversationid string unique identifier output example {"@odata context" "string","@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","lastmodifieddatetime" "string","name" "example name","contenttype" {},"size" 123,"isinline"\ true,"item\@odata associationlink" "string","item\@odata navigationlink" "string","item" {"@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","lastmodifieddatetime" "string","receiveddatetime" "string","sentdatetime" "string","hasattachments"\ true,"internetmessageid" "stri export email as eml exports an email as an eml file using a specified id and email address through the microsoft graph api endpoint url /v1 0/users/{{email address}}/messages/{{id}}/$value method get input argument name type required description path parameters email address string required parameters for the export email as eml action path parameters id string required parameters for the export email as eml action filename string optional filename for the generated eml file default {first 20 characters of message id} eml input example {"path parameters" {"email address" "travis riley\@swimlaneintegrations onmicrosoft com","id" "kh5kvs jt3jbwcgdzougk1yryre5w5mstjuaaaaaaemaacgdzougk1yryre5w5mstjuaaoqsnsjaaa="}} output parameter type description status code number http status code of the response reason string response reason phrase file object attachments file file string output field file file file file name string name of the resource output example {"file" {"file" "string","file name" "example name"}} forward email forwards an email from a specified address to designated recipients with an optional comment using microsoft graph api endpoint url /v1 0/users/{{email address}}/messages/{{email id}}/forward method post input argument name type required description path parameters email address string required the account associated with the email path parameters email id string required the id of the email comment string optional a comment to include can be an empty string torecipients array optional the list of direct recipient objects torecipients emailaddress object required parameter for forward email torecipients emailaddress address string required parameter for forward email torecipients emailaddress name string optional name of the resource input example {"path parameters" {"email address" "string","email id" "string"},"comment" "string","torecipients" \[{"emailaddress" {"address" "string","name" "example name"}}]} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} get a user retrieves a user account from microsoft graph api using the sign in name to access user data seamlessly endpoint url /v1 0/users method get input argument name type required description parameters $select string optional select results parameters $filter string optional filters results (rows) parameters $count boolean optional include count of items parameters $expand string optional expand related entities parameters $orderby string optional order items by property values parameters $search string optional search items by search phrases parameters $top integer optional show only the first n items input example {"parameters" {"$select" "string","$filter" "string","$count"\ true,"$expand" "string","$orderby" "string","$search" "string","$top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value businessphones array value for the parameter value businessphones file name string name of the resource value businessphones file string value for the parameter value displayname string name of the resource value givenname object name of the resource value jobtitle object value for the parameter value mail object value for the parameter value mobilephone object value for the parameter value officelocation object value for the parameter value preferredlanguage object value for the parameter value surname object name of the resource value userprincipalname string name of the resource value id string unique identifier output example {"@odata context" "string","value" \[{"businessphones" \[],"displayname" "example name","givenname" {},"jobtitle" {},"mail" {},"mobilephone" {},"officelocation" {},"preferredlanguage" {},"surname" {},"userprincipalname" "example name","id" "12345678 1234 1234 1234 123456789abc"}]} get email attachments retrieve all attachments from a specified email by using the email address and email id in microsoft graph api endpoint url /v1 0/users/{{email address}}/messages/{{email id}}/attachments method get input argument name type required description path parameters email address string required the account associated with the email path parameters email id string required the id of the email to retrieve attachments from parameters $expand string optional to get the properties of an item attachment (contact, event, or message) remove content bytes boolean optional the account associated with the email input example {"parameters" {"$expand" "microsoft graph itemattachment/item"}} output parameter type description status code number http status code of the response reason string response reason phrase attachments array output field attachments attachments 0 object output field attachments 0 attachments 0 file name string name of the resource attachments 0 file string output field attachments 0 file @odata context string response data value array value for the parameter value \@odata type string response data value \@odata mediacontenttype string response data value id string unique identifier value lastmodifieddatetime string value for the parameter value name string name of the resource value contenttype string type of the resource value size number value for the parameter value isinline boolean value for the parameter value contentid object unique identifier value contentlocation object value for the parameter output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#users('integrations%40swimlaneintegra ","value" \[{"@odata type" "#microsoft graph fileattachment","@odata mediacontenttype" "image/png","id" "aamkadmxzmu3zwq4ltmzngitngy3zc1im2uxlwm3mdqzogvjmzlknwbgaaaaaaahypwuvwmwsrfeylv6 ","lastmodifieddatetime" "2022 05 11t04 55 25z","name" "test file png","contenttype" "image/png","size" 1569,"isinline"\ false,"contentid"\ null,"contentlocation"\ null}]} get emails retrieves a list of emails from a specified 'email address' via the microsoft graph api, granting access to the user's messages endpoint url /v1 0/users/{{email address}}/messages method get input argument name type required description path parameters email address string required the account associated with the email parameters count string optional include a count of the total number of items in a collection alongside the page of data values returned from microsoft graph parameters filter string optional use the $filter query parameter to retrieve just a subset of a collection for guidance on using $filter, see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional to sort the results in ascending or descending order, append either asc or desc to the field name, separated by a space parameters top number optional sets the page size of results headers object optional http headers for the request headers prefer string optional the format of the body and uniquebody properties to be returned in values can be "text" or "html" a preference applied header is returned as confirmation if this prefer header is specified if the header is not specified, the body and uniquebody properties are returned in html format input example {"headers" {"prefer" "outlook body content type='text'"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata count number response data value array value for the parameter value \@odata etag string response data value id string unique identifier value createddatetime string value for the parameter value lastmodifieddatetime string value for the parameter value changekey string value for the parameter value categories array value for the parameter value categories file name string name of the resource value categories file string value for the parameter value receiveddatetime string value for the parameter value sentdatetime string value for the parameter value hasattachments boolean value for the parameter value internetmessageid string unique identifier value subject string value for the parameter value bodypreview string request body data value importance string value for the parameter value parentfolderid string unique identifier value conversationid string unique identifier value conversationindex string value for the parameter value isdeliveryreceiptrequested object value for the parameter value isreadreceiptrequested boolean value for the parameter output example {"@odata context" "string","@odata count" 123,"value" \[{"@odata etag" "string","id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","lastmodifieddatetime" "string","changekey" "string","categories" \[],"receiveddatetime" "string","sentdatetime" "string","hasattachments"\ true,"internetmessageid" "string","subject" "string","bodypreview" "string","importance" "string","parentfolderid" "string","conversationid" "string"}],"@odata nextlink" "string"} get emails from a folder retrieve emails from a specified folder in a user's mailbox on microsoft graph api using the email address and folder id endpoint url /v1 0/users/{{email address}}/mailfolders/{{folder id}}/messages method get input argument name type required description path parameters email address string required the account associated with the email path parameters folder id string required the folder to get emails from parameters count string optional include a count of the total number of items in a collection alongside the page of data values returned from microsoft graph parameters filter string optional use the $filter query parameter to retrieve just a subset of a collection for guidance on using $filter, see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional to sort the results in ascending or descending order, append either asc or desc to the field name, separated by a space parameters top number optional sets the page size of results headers object optional http headers for the request headers prefer string optional the format of the body and uniquebody properties to be returned in values can be "text" or "html" a preference applied header is returned as confirmation if this prefer header is specified if the header is not specified, the body and uniquebody properties are returned in html format input example {"headers" {"prefer" "outlook body content type='text'"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata count number response data value array value for the parameter value \@odata etag string response data value id string unique identifier value createddatetime string value for the parameter value lastmodifieddatetime string value for the parameter value changekey string value for the parameter value categories array value for the parameter value categories file name string name of the resource value categories file string value for the parameter value receiveddatetime string value for the parameter value sentdatetime string value for the parameter value hasattachments boolean value for the parameter value internetmessageid string unique identifier value subject string value for the parameter value bodypreview string request body data value importance string value for the parameter value parentfolderid string unique identifier value conversationid string unique identifier value conversationindex string value for the parameter value isdeliveryreceiptrequested object value for the parameter value isreadreceiptrequested boolean value for the parameter output example {"@odata context" "string","@odata count" 123,"value" \[{"@odata etag" "string","id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","lastmodifieddatetime" "string","changekey" "string","categories" \[],"receiveddatetime" "string","sentdatetime" "string","hasattachments"\ true,"internetmessageid" "string","subject" "string","bodypreview" "string","importance" "string","parentfolderid" "string","conversationid" "string"}],"@odata nextlink" "string"} get emails from folder retrieve emails from a specified folder within a user's microsoft graph api account by using the email address and folder id endpoint url /v1 0/users/{{email address}}/mailfolders/{{folder id}}/messages method get input argument name type required description path parameters email address string required the account associated with the email path parameters folder id string required the folder id, or a well known folder name for a list of supported well known folder names, see https //learn microsoft com/en us/graph/api/resources/mailfolder?view=graph rest 1 0 https //learn microsoft com/en us/graph/api/resources/mailfolder?view=graph rest 1 0 parameters count string optional include a count of the total number of items in a collection alongside the page of data values returned from microsoft graph parameters filter string optional use the $filter query parameter to retrieve just a subset of a collection for guidance on using $filter, see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional to sort the results in ascending or descending order, append either asc or desc to the field name, separated by a space parameters top number optional sets the page size of results input example {"path parameters" {"email address" "string","folder id" "string"},"parameters" {"count" "false","filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata count number response data value array value for the parameter value \@odata etag string response data value id string unique identifier value createddatetime string value for the parameter value lastmodifieddatetime string value for the parameter value changekey string value for the parameter value categories array value for the parameter value categories file name string name of the resource value categories file string value for the parameter value receiveddatetime string value for the parameter value sentdatetime string value for the parameter value hasattachments boolean value for the parameter value internetmessageid string unique identifier value subject string value for the parameter value bodypreview string request body data value importance string value for the parameter value parentfolderid string unique identifier value conversationid string unique identifier value conversationindex string value for the parameter value isdeliveryreceiptrequested boolean value for the parameter value isreadreceiptrequested boolean value for the parameter output example {"@odata context" "string","@odata count" 123,"value" \[{"@odata etag" "string","id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","lastmodifieddatetime" "string","changekey" "string","categories" \[],"receiveddatetime" "string","sentdatetime" "string","hasattachments"\ true,"internetmessageid" "string","subject" "string","bodypreview" "string","importance" "string","parentfolderid" "string","conversationid" "string"}],"@odata nextlink" "string"} get folders retrieves a list of email folders for a given 'email address' via the microsoft graph api, enabling organization and access to folder data endpoint url v1 0/users/{{email address}}/mailfolders method get input argument name type required description path parameters email address string required the account associated with the email parameters include hidden folders boolean optional include hidden folders in the results input example {"path parameters" {"email address" "string"},"parameters" {"include hidden folders"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value id string unique identifier value displayname string name of the resource value parentfolderid string unique identifier value childfoldercount number value for the parameter value unreaditemcount number value for the parameter value totalitemcount number value for the parameter value sizeinbytes number value for the parameter value ishidden boolean unique identifier @odata nextlink string response data output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#users('integrations%40swimlaneintegra ","value" \[{"id" "aqmkadmxzmu3zwq4ltmzadriltrmn2qtyjnlms1jnza0mzhlyzm5zdcalgaaawdg c5xaxzksv7iu pcczmbaielfp3 iinmukudjlg8 qiaaaibowaaaa==","displayname" "archive","parentfolderid" "aqmkadmxzmu3zwq4ltmzadriltrmn2qtyjnlms1jnza0mzhlyzm5zdcalgaaawdg c5xaxzksv7iu pcczmbaielfp3 iinmukudjlg8 qiaaaibcaaaaa==","childfoldercount" 0,"unreaditemcount" 1,"totalitemcount" 7,"sizeinbytes" 777420,"ishidden"\ fa get list of child folders retrieve child folders within a specific folder from microsoft graph api, using an email address and folder id endpoint url /v1 0/users/{{email address}}/mailfolders/{{folder id}}/childfolders method get input argument name type required description path parameters email address string required the account associated with the email path parameters folder id string required the mailfolder's unique identifier parameters includehiddenfolders boolean optional to include hidden child folders in the response input example {"parameters" {"includehiddenfolders"\ true},"path parameters" {"email address" "saikumarbadri845\@gmail com","folder id" "aqmkadawatnizmyazc1jodnklti5mjutmdacltawcgauaaad4nnqhykabkob7n4gzr"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value id string unique identifier value displayname string name of the resource value parentfolderid string unique identifier value childfoldercount number value for the parameter value unreaditemcount number value for the parameter value totalitemcount number value for the parameter value sizeinbytes number value for the parameter value ishidden boolean unique identifier output example {"@odata context" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","displayname" "example name","parentfolderid" "string","childfoldercount" 123,"unreaditemcount" 123,"totalitemcount" 123,"sizeinbytes" 123,"ishidden"\ true}]} get manager root level retrieve the direct manager's root level details in microsoft graph api by specifying a user's id or userprincipalname endpoint url v1 0/users/{{id|userprincipalname}} method get input argument name type required description `path parameters id userprincipalname` string required the user's id or userprincipalname headers object optional http headers for the request headers consistencylevel string optional required when the request includes the $levels=n in the $expand query parameter parameters $levels string optional the n value of $levels can be max (to return all managers) or a number between 1 and 1000 parameters $select string optional to select the individual manager's properties parameters $expand string optional to retrieve the manager's information for specified levels, selected id and displayname input example {"parameters" {"$levels" "max","$select" "id","$expand" "manager($levels=max;$select=id,displayname)"},"path parameters" {"id|userprincipalname" "357b1656 cfad 4b3f a4c4 4a03bdcd6468"},"headers" {"consistencylevel" "eventual"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data businessphones array output field businessphones businessphones file name string name of the resource businessphones file string output field businessphones file displayname string name of the resource givenname object name of the resource jobtitle object output field jobtitle mail string output field mail mobilephone object output field mobilephone officelocation object output field officelocation preferredlanguage object output field preferredlanguage surname object name of the resource userprincipalname string name of the resource id string unique identifier output example {"@odata context" "string","businessphones" \[{"file name" "example name","file" "string"}],"displayname" "example name","givenname" {},"jobtitle" {},"mail" "string","mobilephone" {},"officelocation" {},"preferredlanguage" {},"surname" {},"userprincipalname" "example name","id" "12345678 1234 1234 1234 123456789abc"} get presence retrieves the presence status of a specified user in microsoft graph api by using their unique id endpoint url /users/{{id}}/presence method get input argument name type required description path parameters id string required the unique identifier of the user input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier availability string output field availability activity string output field activity outofofficesettings object output field outofofficesettings outofofficesettings message object response message outofofficesettings isoutofoffice boolean output field outofofficesettings isoutofoffice sequencenumber string output field sequencenumber output example {"id" "66825e03 7ef5 42da 9069 724602c31f6b","availability" "donotdisturb","activity" "presenting","outofofficesettings" {"message"\ null,"isoutofoffice"\ false},"sequencenumber" "a0129311063"} get user by id retrieve detailed information for a specific user by their unique id in microsoft graph api, using the 'id' path parameter endpoint url v1 0/users/{{id}} method get input argument name type required description path parameters id string required parameters for the get user by id action parameters $select string optional parameters for the get user by id action input example {"parameters" {"$select" "displayname,givenname,postalcode"},"path parameters" {"id" "87d349ed 44d7 43e1 9a83 5f2406dee5bd"}} output parameter type description status code number http status code of the response reason string response reason phrase businessphones array output field businessphones displayname string name of the resource givenname string name of the resource jobtitle string output field jobtitle mail string output field mail mobilephone string output field mobilephone officelocation string output field officelocation preferredlanguage string output field preferredlanguage surname string name of the resource userprincipalname string name of the resource id string unique identifier output example {"businessphones" \["string"],"displayname" "example name","givenname" "example name","jobtitle" "string","mail" "string","mobilephone" "string","officelocation" "string","preferredlanguage" "string","surname" "example name","userprincipalname" "example name","id" "12345678 1234 1234 1234 123456789abc"} list a users direct membership retrieve direct group memberships, directory roles, and administrative units for a user in microsoft graph api by email address endpoint url /v1 0/users/{{email address}}/memberof method get input argument name type required description path parameters email address string required the account associated with the email parameters $filter string optional filters results (rows) parameters $count string optional include count of items parameters $search string optional search items by search phrases input example {"parameters" {"$search" "search","$count" "count","$filter" "filter"},"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value \@odata type string response data value id string unique identifier value deleteddatetime object value for the parameter value description string value for the parameter value displayname string name of the resource value roletemplateid string unique identifier value ismembermanagementrestricted boolean value for the parameter value membershiprule object value for the parameter value membershiptype object type of the resource value membershipruleprocessingstate object value for the parameter value visibility object value for the parameter output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#directoryobjects","value" \[{"@odata type" "#microsoft graph directoryrole","id" "4c04548e 9bc4 45fb 8738 168610ddbe0c","deleteddatetime"\ null,"description" "can manage all aspects of azure ad and microsoft services that use azure ad identities ","displayname" "global administrator","roletemplateid" "62e90394 69f5 4237 9190 012177145e10"},{"@odata type" "#microsoft graph directoryrole","id" "417c2fd9 6d31 4d37 927f a6e54d37a4a4","delet list analyzed emails retrieve a comprehensive list of analyzed email objects with their properties from the microsoft graph api endpoint url /beta/security/collaboration/analyzedemails method get input argument name type required description parameters $count boolean optional retrieves the total count of matching resources parameters $filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters $top number optional sets the page size of results parameters $skiptoken string optional retrieves the next page of results from result sets that span multiple pages (some apis use $skip instead ) parameters starttime string optional the start time of the email search parameters endtime string optional the end time of the email search input example {"parameters" {"$count"\ true,"$filter" "startswith(givenname, 'j')","$top" 10,"$skiptoken" "x%274453707402000100000017"}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value \@odata type string response data value id string unique identifier value loggeddatetime string value for the parameter value networkmessageid string unique identifier value internetmessageid string unique identifier value senderdetail object value for the parameter value senderdetail \@odata type string response data value recipientemailaddress string value for the parameter value distributionlist string value for the parameter value subject string value for the parameter value returnpath string value for the parameter value directionality string value for the parameter value originaldelivery object value for the parameter value originaldelivery \@odata type string response data value latestdelivery object value for the parameter value latestdelivery \@odata type string response data value attachmentscount string value for the parameter value urlscount string url endpoint for the request value language string value for the parameter value sizeinbytes string value for the parameter value alertids array unique identifier value exchangetransportrules array value for the parameter output example {"value" \[{"@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","loggeddatetime" "string","networkmessageid" "string","internetmessageid" "string","senderdetail" {},"recipientemailaddress" "string","distributionlist" "string","subject" "string","returnpath" "string","directionality" "string","originaldelivery" {},"latestdelivery" {},"attachmentscount" "string","urlscount" "string"}]} list riskyusers retrieve a list of riskyuser objects from microsoft graph api to identify potential security risks endpoint url /v1 0/identityprotection/riskyusers method get input argument name type required description parameters $filter string optional filters results (rows) parameters $select string optional filters properties (columns) parameters $top number optional sets the page size of results the maximum page size with top is 500 objects input example {"parameters" {"$filter" "risklevel eq 'high' ","$select" "givenname,surname","$top" 10}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value \@odata type string response data value id string unique identifier value isdeleted boolean value for the parameter value isprocessing boolean value for the parameter value risklastupdateddatetime string value for the parameter value risklevel string value for the parameter value riskstate string value for the parameter value riskdetail string value for the parameter value userdisplayname string name of the resource value userprincipalname string name of the resource output example {"value" \[{"@odata type" "#microsoft graph riskyuser","id" "d1d4a5d4 a5d4 d1d4 d4a5 d4d1d4a5d4d1","isdeleted"\ true,"isprocessing"\ true,"risklastupdateddatetime" "2025 06 05t05 18 27z","risklevel" "high","riskstate" "active","riskdetail" "suspicious activity detected","userdisplayname" "john doe","userprincipalname" "johndoe\@example com"}]} list password methods retrieve a user's registered password authentication methods in microsoft graph api using their user id endpoint url /v1 0/users/{{id}}/authentication/passwordmethods method get input argument name type required description path parameters id string required user id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value id string unique identifier value password object value for the parameter value creationdatetime object value for the parameter value createddatetime object value for the parameter output example {"@odata context" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","password" {},"creationdatetime" {},"createddatetime" {}}]} reset password initiate a password reset for a specified user by providing their id and methodid via the microsoft graph api endpoint url /v1 0/users/{{id}}/authentication/methods/{{methodid}}/resetpassword method post input argument name type required description path parameters id string required user id path parameters methodid string required password method id newpassword string optional the new password required for tenants with hybrid password scenarios if omitted for a cloud only password, the system returns a system generated password include uppercase boolean optional include atleast one uppercase letter include lowercase boolean optional include atleast one lowercase letter include digit boolean optional include atleast one one digit include special boolean optional include atleast one special character length number optional password length with minimum 20 auto generate boolean optional auto generate random password input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc","methodid" "string"},"newpassword" "string","include uppercase"\ true,"include lowercase"\ true,"include digit"\ true,"include special"\ true,"length" 20,"auto generate"\ true} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data newpassword string output field newpassword output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#microsoft graph passwordresetresponse","newpassword" "cuyo5459"} get identity directory device registered user list retrieve a list of users registered to a specific device in microsoft graph api by providing the device's unique 'id' endpoint url /v1 0/devices/{{id}}/registeredusers method get input argument name type required description path parameters id string required device id parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"},"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value \@odata type string response data value id string unique identifier value businessphones array value for the parameter value displayname string name of the resource value givenname string name of the resource value jobtitle object value for the parameter value mail object value for the parameter value mobilephone object value for the parameter value officelocation object value for the parameter value preferredlanguage string value for the parameter value surname string name of the resource value userprincipalname string name of the resource output example {"@odata context" "string","value" \[{"@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","businessphones" \[],"displayname" "example name","givenname" "example name","jobtitle" {},"mail" {},"mobilephone" {},"officelocation" {},"preferredlanguage" "string","surname" "example name","userprincipalname" "example name"}]} get identity directory objects by ids list acquire specific users or groups from microsoft graph api by specifying 'ids' and 'types' parameters for targeted data retrieval endpoint url /v1 0/directoryobjects/getbyids method post input argument name type required description ids array optional a collection of ids for which to return objects the ids are guids, represented as strings you can specify up to 1000 ids types array optional a collection of resource types that specifies the set of resource collections to search, for example user , group , and device objects input example {"ids" \["string"],"types" \["string"]} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value \@odata type string response data value id string unique identifier value deleteddatetime object value for the parameter value classification object value for the parameter value createddatetime string value for the parameter value creationoptions array value for the parameter value description string value for the parameter value displayname string name of the resource value expirationdatetime object value for the parameter value grouptypes array type of the resource value isassignabletorole object value for the parameter value mail string value for the parameter value mailenabled boolean value for the parameter value mailnickname string name of the resource value membershiprule object value for the parameter value membershipruleprocessingstate object value for the parameter value onpremisesdomainname object name of the resource value onpremiseslastsyncdatetime object value for the parameter value onpremisesnetbiosname object name of the resource value onpremisessamaccountname object name of the resource value onpremisessecurityidentifier object unique identifier output example {"@odata context" "string","value" \[{"@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","deleteddatetime" {},"classification" {},"createddatetime" "string","creationoptions" \[],"description" "string","displayname" "example name","expirationdatetime" {},"grouptypes" \[],"isassignabletorole" {},"mail" "string","mailenabled"\ true,"mailnickname" "example name","membershiprule" {}}]} delete identity directory device registered user remove a registered user from a device in the microsoft graph api directory using the specified 'id' and 'userid' endpoint url /v1 0/devices/{{id}}/registeredusers/{{userid}}/$ref method delete input argument name type required description path parameters id string required device id path parameters userid string required user id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc","userid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} delete identity directory device removes a specified device from the microsoft graph identity directory using its unique id endpoint url /v1 0/devices/{{id}} method delete input argument name type required description path parameters id string required device id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} get identity directory device retrieve details for a specific device from the microsoft graph identity directory using the unique device id endpoint url /v1 0/devices/{{id}} method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results path parameters id string required device id input example {"parameters" {"filter" "string","orderby" "string","top" 123},"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier deleteddatetime object time value accountenabled boolean output field accountenabled approximatelastsignindatetime string time value complianceexpirationdatetime object time value createddatetime string time value devicecategory object output field devicecategory deviceid string unique identifier devicemetadata object response data deviceownership string output field deviceownership deviceversion number output field deviceversion displayname string name of the resource domainname object name of the resource enrollmentprofilename object name of the resource enrollmenttype string type of the resource externalsourcename object name of the resource iscompliant boolean output field iscompliant ismanaged boolean output field ismanaged isrooted boolean output field isrooted managementtype string type of the resource manufacturer string output field manufacturer mdmappid string unique identifier output example {"@odata context" "string","id" "12345678 1234 1234 1234 123456789abc","deleteddatetime" {},"accountenabled"\ true,"approximatelastsignindatetime" "string","complianceexpirationdatetime" {},"createddatetime" "string","devicecategory" {},"deviceid" "string","devicemetadata" {},"deviceownership" "string","deviceversion" 123,"displayname" "example name","domainname" {},"enrollmentprofilename" {}} create identity directory device registers a new device in the microsoft graph api directory with details like account status, display name, os, and version endpoint url /v1 0/devices method post input argument name type required description accountenabled boolean optional true if the account is enabled; otherwise, false required default is true alternativesecurityids array optional alternative security ids alternativesecurityids type number optional unique identifier alternativesecurityids identityprovider string optional unique identifier alternativesecurityids key string optional unique identifier displayname string optional the display name for the device operatingsystem string optional the type of operating system on the device operatingsystemversion string optional the version of the operating system on the device approximatelastsignindatetime string optional the timestamp type represents date and time information using iso 8601 format and is always in utc time complianceexpirationdatetime string optional the timestamp type represents date and time information using iso 8601 format and is always in utc time deviceid string optional unique identifier extensionattributes object optional contains extension attributes 1 15 for the device the individual extension attributes are not selectable these properties are mastered in cloud and can be set during creation or update of a device object in azure ad extensionattributes extensionattribute1 string optional parameter for create identity directory device extensionattributes extensionattribute2 string optional parameter for create identity directory device extensionattributes extensionattribute3 string optional parameter for create identity directory device extensionattributes extensionattribute4 string optional parameter for create identity directory device extensionattributes extensionattribute5 string optional parameter for create identity directory device extensionattributes extensionattribute6 string optional parameter for create identity directory device extensionattributes extensionattribute7 string optional parameter for create identity directory device extensionattributes extensionattribute8 string optional parameter for create identity directory device extensionattributes extensionattribute9 string optional parameter for create identity directory device extensionattributes extensionattribute10 string optional parameter for create identity directory device extensionattributes extensionattribute11 string optional parameter for create identity directory device extensionattributes extensionattribute12 string optional parameter for create identity directory device extensionattributes extensionattribute13 string optional parameter for create identity directory device input example {"accountenabled"\ true,"alternativesecurityids" \[{"type" 123,"identityprovider" "string","key" "string"}],"displayname" "example name","operatingsystem" "string","operatingsystemversion" "string","approximatelastsignindatetime" "string","complianceexpirationdatetime" "string","deviceid" "string","extensionattributes" {"extensionattribute1" "string","extensionattribute2" "string","extensionattribute3" "string","extensionattribute4" "string","extensionattribute5" "string","extensionattribute6" "string","extensionattribute7" "string","extensionattribute8" "string","extensionattribute9" "string","extensionattribute10" "string","extensionattribute11" "string","extensionattribute12" "string","extensionattribute13" "string","extensionattribute14" "string","extensionattribute15" "string"},"iscompliant"\ true,"ismanaged"\ true,"onpremiseslastsyncdatetime" "string","onpremisessyncenabled"\ true,"profiletype" "registereddevice","systemlabels" \["string"]} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} add identity directory device reg user registers a new user to a specified device in the microsoft graph api directory using the device id and user's @odata id endpoint url /v1 0/devices/{{id}}/registeredusers/$ref method post input argument name type required description path parameters id string required device id @odata id string optional odata id type user input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"},"@odata id" "string"} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} get identity directory device groups list retrieve groups associated with a device by using its directory id in microsoft graph api; 'id' path parameter is required endpoint url /v1 0/devices/{{id}}/memberof method get input argument name type required description path parameters id string required device id parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"},"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value file name string name of the resource value file string value for the parameter output example {"@odata context" "string","value" \[{"file name" "example name","file" "string"}]} get identity directory device list retrieve a list of registered devices, including identifiers and display names, from the microsoft graph identity directory endpoint url /v1 0/devices method get input argument name type required description parameters $filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters $orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters $top number optional sets the page size of results input example {"parameters" {"$filter" "string","$orderby" "string","$top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata nextlink string response data value array value for the parameter value id string unique identifier value deleteddatetime object value for the parameter value accountenabled boolean value for the parameter value approximatelastsignindatetime string value for the parameter value complianceexpirationdatetime object value for the parameter value createddatetime string value for the parameter value devicecategory object value for the parameter value deviceid string unique identifier value devicemetadata object response data value deviceownership string value for the parameter value deviceversion number value for the parameter value displayname string name of the resource value domainname object name of the resource value enrollmentprofilename object name of the resource value enrollmenttype string type of the resource value externalsourcename object name of the resource value iscompliant boolean value for the parameter value ismanaged boolean value for the parameter value isrooted boolean value for the parameter value managementtype string type of the resource output example {"@odata context" "string","@odata nextlink" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","deleteddatetime" {},"accountenabled"\ true,"approximatelastsignindatetime" "string","complianceexpirationdatetime" {},"createddatetime" "string","devicecategory" {},"deviceid" "string","devicemetadata" {},"deviceownership" "string","deviceversion" 123,"displayname" "example name","domainname" {},"enrollmentprofilename" {},"enrollmenttype" "string"}]} create identity directory role member adds a new member to a specified directory role in microsoft graph api using the role's unique id endpoint url /v1 0/directoryroles/{{id}}/members/$ref method post input argument name type required description path parameters id string required directory role id @odata id string optional odata id type user input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"},"@odata id" "string"} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete identity directory role assignment removes a directory role assignment in microsoft graph api using the provided unique identifier endpoint url /v1 0/rolemanagement/directory/roleassignments/{{id}} method delete input argument name type required description path parameters id string required role assignment id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} create identity directory role management creates a new directory role in microsoft graph api with a specific display name, status, and permissions endpoint url /v1 0/rolemanagement/directory/roledefinitions method post input argument name type required description displayname string optional the display name for the role definition isenabled boolean optional flag indicating if the role is enabled for assignment if false , the role is not available for assignment rolepermissions array optional list of permissions included in the role rolepermissions allowedresourceactions array optional set of tasks that can be performed on a resource rolepermissions condition string optional optional constraints that must be met for the permission to be effective rolepermissions excludedresourceactions array optional set of tasks that may not be performed on a resource description string optional the description for the unifiedroledefinition id string optional the unique identifier for the role definition key, not nullable, read only inherited from entity isbuiltin boolean optional flag indicating whether the role definition is part of the default set included in azure active directory (azure ad) or a custom definition resourcescopes array optional list of the scopes or permissions the role definition applies to templateid string optional custom template identifier that can be set when isbuiltin is false but is read only when isbuiltin is true this identifier is typically used if one needs an identifier to be the same across different directories version string optional indicates version of the role definition input example {"displayname" "example name","isenabled"\ true,"rolepermissions" \[{"allowedresourceactions" \["string"],"condition" "string","excludedresourceactions" \["string"]}],"description" "string","id" "12345678 1234 1234 1234 123456789abc","isbuiltin"\ true,"resourcescopes" \["string"],"templateid" "string","version" "string"} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} add directory administrative unit member adds a member to a specified directory administrative unit in microsoft graph api using the provided unit id and member's @odata id endpoint url /v1 0/directory/administrativeunits/{{id}}/members/$ref method post input argument name type required description path parameters id string required unit id @odata id string optional the odata id of the user, group or directoryobject to add input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"},"@odata id" "string"} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} delete directory administrative unit member removes a member from a specified directory administrative unit in microsoft graph api using 'id' and 'memberid' endpoint url /v1 0/directory/administrativeunits/{{id}}/members/{{memberid}}/$ref method delete input argument name type required description path parameters id string required unit id path parameters memberid string required member id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc","memberid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} get directory administrative unit list retrieve a list of administrative units for directory segmentation and management via the microsoft graph api endpoint url /v1 0/directory/administrativeunits method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value id string unique identifier value deleteddatetime object value for the parameter value displayname string name of the resource value description object value for the parameter value membershiprule object value for the parameter value membershiptype object type of the resource value membershipruleprocessingstate object value for the parameter value visibility object value for the parameter output example {"@odata context" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","deleteddatetime" {},"displayname" "example name","description" {},"membershiprule" {},"membershiptype" {},"membershipruleprocessingstate" {},"visibility" {}}]} get directory administrative unit member retrieve member details from a specific directory administrative unit in microsoft graph api using 'id' and 'memberid' endpoint url /v1 0/directory/administrativeunits/{{id}}/members/{{memberid}} method get input argument name type required description path parameters id string required id path parameters memberid string required member id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc","memberid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata type string response data id string unique identifier businessphones array output field businessphones businessphones file name string name of the resource businessphones file string output field businessphones file displayname string name of the resource givenname string name of the resource jobtitle object output field jobtitle mail string output field mail mobilephone object output field mobilephone officelocation object output field officelocation preferredlanguage string output field preferredlanguage surname object name of the resource userprincipalname string name of the resource output example {"@odata context" "string","@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","businessphones" \[{"file name" "example name","file" "string"}],"displayname" "example name","givenname" "example name","jobtitle" {},"mail" "string","mobilephone" {},"officelocation" {},"preferredlanguage" "string","surname" {},"userprincipalname" "example name"} get directory admin unit member list retrieve members of a specific directory administrative unit in microsoft graph api using the unit's unique id endpoint url /v1 0/directory/administrativeunits/{{id}}/members method get input argument name type required description path parameters id string required unit id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value \@odata type string response data value id string unique identifier value businessphones array value for the parameter value businessphones file name string name of the resource value businessphones file string value for the parameter value displayname string name of the resource value givenname string name of the resource value jobtitle object value for the parameter value mail string value for the parameter value mobilephone object value for the parameter value officelocation object value for the parameter value preferredlanguage string value for the parameter value surname object name of the resource value userprincipalname string name of the resource output example {"@odata context" "string","value" \[{"@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","businessphones" \[],"displayname" "example name","givenname" "example name","jobtitle" {},"mail" "string","mobilephone" {},"officelocation" {},"preferredlanguage" "string","surname" {},"userprincipalname" "example name"}]} get directory administrative unit retrieve details of a specified directory administrative unit in microsoft graph api using its unique id endpoint url /v1 0/directory/administrativeunits/{{id}} method get input argument name type required description path parameters id string required unit id parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"},"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier deleteddatetime object time value displayname string name of the resource description object output field description ismembermanagementrestricted boolean output field ismembermanagementrestricted visibility object output field visibility membershiprule object output field membershiprule membershiptype object type of the resource membershipruleprocessingstate object output field membershipruleprocessingstate output example {"@odata context" "string","id" "12345678 1234 1234 1234 123456789abc","deleteddatetime" {},"displayname" "example name","description" {},"ismembermanagementrestricted"\ true,"visibility" {},"membershiprule" {},"membershiptype" {},"membershipruleprocessingstate" {}} delete identity directory role member removes a user from a directory role in microsoft graph api by utilizing the provided 'id' and 'memberid' endpoint url /v1 0/directoryroles/{{id}}/members/{{memberid}}/$ref method delete input argument name type required description path parameters id string required role id path parameters memberid string required member id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc","memberid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} get identity directory role retrieve details for a specific directory role in microsoft graph api using the provided unique id endpoint url /v1 0/directoryroles/{{id}} method get input argument name type required description path parameters id string required directory role id parameters count string optional include a count of the total number of items in a collection alongside the page of data values returned from microsoft graph parameters filter string optional use the $filter query parameter to retrieve just a subset of a collection for guidance on using $filter, see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional to sort the results in ascending or descending order, append either asc or desc to the field name, separated by a space parameters top number optional sets the page size of results input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"},"parameters" {"count" "false","filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier deleteddatetime object time value description string output field description displayname string name of the resource roletemplateid string unique identifier output example {"@odata context" "string","id" "12345678 1234 1234 1234 123456789abc","deleteddatetime" {},"description" "string","displayname" "example name","roletemplateid" "string"} get identity directory role assignment member retrieve directory role assignment details for a specified identity in microsoft graph api using the unique identifier endpoint url /v1 0/rolemanagement/directory/roleassignments/{{id}} method get input argument name type required description path parameters id string required role assignment id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} delete identity directory role management removes a specified directory role in microsoft graph api using the provided unique identifier endpoint url /v1 0/rolemanagement/directory/roledefinitions/{{id}} method delete input argument name type required description path parameters id string required role management id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "resourcenotfound","message" "invalid version rolemanagement","innererror" {"date" "2022 12 20t20 37 28","request id" "14c4462e 7088 48de adf6 d6283055090d","client request id" "14c4462e 7088 48de adf6 d6283055090d"}}} get identity directory role management list retrieve a list of directory roles for identity and access management from microsoft graph api endpoint url /v1 0/rolemanagement/directory/roledefinitions method get output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value id string unique identifier value description string value for the parameter value displayname string name of the resource value isbuiltin boolean value for the parameter value isenabled boolean value for the parameter value resourcescopes array value for the parameter value templateid string unique identifier value version string value for the parameter value rolepermissions array value for the parameter value rolepermissions allowedresourceactions array value for the parameter value rolepermissions condition object value for the parameter value inheritspermissionsfrom\@odata context string response data value inheritspermissionsfrom array value for the parameter value inheritspermissionsfrom file name string name of the resource value inheritspermissionsfrom file string value for the parameter output example {"@odata context" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","description" "string","displayname" "example name","isbuiltin"\ true,"isenabled"\ true,"resourcescopes" \[],"templateid" "string","version" "string","rolepermissions" \[],"inheritspermissionsfrom\@odata context" "string","inheritspermissionsfrom" \[]}]} get identity directory role management retrieve details for a specific directory role in microsoft graph api using the role's unique id endpoint url /v1 0/rolemanagement/directory/roledefinitions/{{id}} method get input argument name type required description path parameters id string required role management id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} delete identity directory domain removes a specified domain from a microsoft tenant using the unique domain id endpoint url v1 0/domains/{{id}} method delete input argument name type required description path parameters id string required parameters for the delete identity directory domain action input example {"path parameters" {"id" "myradom test directory"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} get identity directory domain retrieve details for a specific domain in microsoft graph api using the provided domain id endpoint url v1 0/domains/{{id}} method get input argument name type required description path parameters id string required parameters for the get identity directory domain action input example {"path parameters" {"id" "myradom test directory"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data authenticationtype string type of the resource availabilitystatus object status value id string unique identifier isadminmanaged boolean output field isadminmanaged isdefault boolean output field isdefault isinitial boolean output field isinitial isroot boolean output field isroot isverified boolean output field isverified supportedservices array output field supportedservices supportedservices file name string name of the resource supportedservices file string output field supportedservices file passwordvalidityperiodindays object unique identifier passwordnotificationwindowindays object output field passwordnotificationwindowindays state object output field state output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#domains/$entity","authenticationtype" "managed","availabilitystatus"\ null,"id" "myradom test directory","isadminmanaged"\ true,"isdefault"\ false,"isinitial"\ false,"isroot"\ false,"isverified"\ false,"supportedservices" \[],"passwordvalidityperiodindays"\ null,"passwordnotificationwindowindays"\ null,"state"\ null} get identity directory domain list retrieve a list of all configured domains within the microsoft graph api for identity management endpoint url v1 0/domains method get input argument name type required description parameters count string optional include a count of the total number of items in a collection alongside the page of data values returned from microsoft graph parameters filter string optional use the $filter query parameter to retrieve just a subset of a collection for guidance on using $filter, see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional to sort the results in ascending or descending order, append either asc or desc to the field name, separated by a space parameters top number optional sets the page size of results input example {"parameters" {"count" "false","filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value authenticationtype string type of the resource value availabilitystatus object status value value id string unique identifier value isadminmanaged boolean value for the parameter value isdefault boolean value for the parameter value isinitial boolean value for the parameter value isroot boolean value for the parameter value isverified boolean value for the parameter value supportedservices array value for the parameter value passwordvalidityperiodindays number unique identifier value passwordnotificationwindowindays number value for the parameter value state object value for the parameter output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#domains","value" \[{"authenticationtype" "managed","availabilitystatus"\ null,"id" "bestcompanyever com","isadminmanaged"\ true,"isdefault"\ false,"isinitial"\ false,"isroot"\ false,"isverified"\ false,"supportedservices" \[],"passwordvalidityperiodindays"\ null,"passwordnotificationwindowindays"\ null,"state"\ null},{"authenticationtype" "managed","availabilitystatus"\ null,"id" "swimlaneintegrations onmicrosoft com","isadminmanaged"\ true,"isdef create identity directory domain adds a new domain to the microsoft graph api tenant with the provided 'id' in the json body input endpoint url v1 0/domains method post input argument name type required description authenticationtype string optional type of the resource availabilitystatus string optional status value id string optional unique identifier isadminmanaged boolean optional parameter for create identity directory domain isdefault boolean optional parameter for create identity directory domain isinitial boolean optional parameter for create identity directory domain isroot boolean optional parameter for create identity directory domain isverified boolean optional parameter for create identity directory domain passwordnotificationwindowindays number optional parameter for create identity directory domain passwordvalidityperiodindays number optional unique identifier state object optional parameter for create identity directory domain state \@odata type string optional response data supportedservices array optional parameter for create identity directory domain input example {"authenticationtype" "string","availabilitystatus" "active","id" "12345678 1234 1234 1234 123456789abc","isadminmanaged"\ true,"isdefault"\ true,"isinitial"\ true,"isroot"\ true,"isverified"\ true,"passwordnotificationwindowindays" 123,"passwordvalidityperiodindays" 123,"state" {"@odata type" "string"},"supportedservices" \["string"]} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data authenticationtype string type of the resource availabilitystatus object status value id string unique identifier isadminmanaged boolean output field isadminmanaged isdefault boolean output field isdefault isinitial boolean output field isinitial isroot boolean output field isroot isverified boolean output field isverified supportedservices array output field supportedservices supportedservices file name string name of the resource supportedservices file string output field supportedservices file passwordvalidityperiodindays object unique identifier passwordnotificationwindowindays object output field passwordnotificationwindowindays state object output field state output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#domains/$entity","authenticationtype" "managed","availabilitystatus"\ null,"id" "myradom test directory","isadminmanaged"\ true,"isdefault"\ false,"isinitial"\ false,"isroot"\ false,"isverified"\ false,"supportedservices" \[],"passwordvalidityperiodindays"\ null,"passwordnotificationwindowindays"\ null,"state"\ null} get identity directory object retrieves a specific directory object from microsoft graph api using a unique identifier endpoint url /v1 0/directoryobjects/{{id}} method get input argument name type required description path parameters id string required directory object id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata type string response data id string unique identifier deleteddatetime object time value classification object output field classification createddatetime string time value creationoptions array output field creationoptions description string output field description displayname string name of the resource expirationdatetime object time value grouptypes array type of the resource isassignabletorole object output field isassignabletorole mail string output field mail mailenabled boolean output field mailenabled mailnickname string name of the resource membershiprule object output field membershiprule membershipruleprocessingstate object output field membershipruleprocessingstate onpremisesdomainname object name of the resource onpremiseslastsyncdatetime object time value onpremisesnetbiosname object name of the resource onpremisessamaccountname object name of the resource onpremisessecurityidentifier object unique identifier onpremisessyncenabled object output field onpremisessyncenabled output example {"@odata context" "string","@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","deleteddatetime" {},"classification" {},"createddatetime" "string","creationoptions" \["string"],"description" "string","displayname" "example name","expirationdatetime" {},"grouptypes" \["string"],"isassignabletorole" {},"mail" "string","mailenabled"\ true,"mailnickname" "example name"} get identity directory role members list retrieve a list of members assigned to a specific directory role in microsoft graph api using the provided 'role id' endpoint url v1 0/directoryroles/{{role id}}/members method get input argument name type required description path parameters role id string required parameters for the get identity directory role members list action input example {"path parameters" {"role id" "b8d0b017 384c 40cb b37b 99ee5d3f8a8f"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value \@odata type string response data value id string unique identifier value businessphones array value for the parameter value businessphones file name string name of the resource value businessphones file string value for the parameter value displayname string name of the resource value givenname string name of the resource value jobtitle object value for the parameter value mail string value for the parameter value mobilephone object value for the parameter value officelocation object value for the parameter value preferredlanguage object value for the parameter value surname string name of the resource value userprincipalname string name of the resource output example {"@odata context" "string","value" \[{"@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","businessphones" \[],"displayname" "example name","givenname" "example name","jobtitle" {},"mail" "string","mobilephone" {},"officelocation" {},"preferredlanguage" {},"surname" "example name","userprincipalname" "example name"}]} cancel security action cancels an ongoing security action in microsoft graph api using the provided action id endpoint url /beta/security/securityactions/{{action id}}/cancelsecurityaction method post input argument name type required description path parameters action id string required action id input example {"path parameters" {"action id" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} create security action initiates a new security action in microsoft graph api with details such as name, reason, vendor information, and parameters endpoint url /beta/security/securityactions method post input argument name type required description name string optional action name actionreason string optional action reason vendorinformation object optional vendor information vendorinformation vendor string required vendor vendorinformation provider string required provider parameters array optional collection of parameters (key value pairs) necessary to invoke the action, for example, url or filehash to block) parameters name string required parameters for the create security action action parameters value string required parameters for the create security action action input example {"name" "example name","actionreason" "string","vendorinformation" {"vendor" "string","provider" "string"},"parameters" \[{"name" "example name","value" "string"}]} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} get security action retrieve details for a specific security action in microsoft graph api using the provided 'action id' endpoint url /beta/security/securityactions/{{action id}} method get input argument name type required description path parameters action id string required action id parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"path parameters" {"action id" "string"},"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} get security actions list retrieve configurations and details of security actions from the microsoft graph security api endpoint url /beta/security/securityactions method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value file name string name of the resource value file string value for the parameter output example {"@odata context" "string","value" \[{"file name" "example name","file" "string"}]} get alert retrieve detailed information for a specific security alert using the alert id from the microsoft graph security api endpoint url /v1 0/security/alerts v2/{{alert id}} method get input argument name type required description path parameters alert id string required id of the alert input example {"path parameters" {"alert id" "fabefb2117 8e9b d555 b800 08dc0572c0de"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier provideralertid string unique identifier incidentid string unique identifier status string status value severity string output field severity classification string output field classification determination string output field determination servicesource string output field servicesource detectionsource string output field detectionsource productname string name of the resource detectorid string unique identifier tenantid string unique identifier title string output field title description string output field description recommendedactions string output field recommendedactions category string output field category assignedto string output field assignedto alertweburl string url endpoint for the request incidentweburl string url endpoint for the request actordisplayname object name of the resource threatdisplayname object name of the resource threatfamilyname object name of the resource output example {"@odata context" "string","id" "12345678 1234 1234 1234 123456789abc","provideralertid" "string","incidentid" "string","status" "active","severity" "string","classification" "string","determination" "string","servicesource" "string","detectionsource" "string","productname" "example name","detectorid" "string","tenantid" "string","title" "string","description" "string"} list alerts retrieve security alerts from the microsoft graph security api to monitor potential threats and anomalies endpoint url /v1 0/security/alerts v2 method get input argument name type required description parameters $count string optional retrieves the total count of matching resources parameters $skip number optional indexes into a result set also used by some apis to implement paging and can be used together with $top to manually page results parameters $top number optional sets the page size of results parameters $filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter input example {"parameters" {"$count" "string","$skip" 123,"$top" 123,"$filter" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value id string unique identifier value provideralertid string unique identifier value incidentid string unique identifier value status string status value value severity string value for the parameter value classification string value for the parameter value determination string value for the parameter value servicesource string value for the parameter value detectionsource string value for the parameter value productname string name of the resource value detectorid string unique identifier value tenantid string unique identifier value title string value for the parameter value description string value for the parameter value recommendedactions string value for the parameter value category string value for the parameter value assignedto string value for the parameter value alertweburl string url endpoint for the request value incidentweburl string url endpoint for the request value actordisplayname object name of the resource value threatdisplayname object name of the resource output example {"@odata context" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","provideralertid" "string","incidentid" "string","status" "active","severity" "string","classification" "string","determination" "string","servicesource" "string","detectionsource" "string","productname" "example name","detectorid" "string","tenantid" "string","title" "string","description" "string","recommendedactions" "string"}]} get control profile retrieve a detailed security control profile using its unique id from the microsoft graph security api endpoint url /v1 0/security/securescorecontrolprofiles/{{id}} method get input argument name type required description path parameters id string required control profile id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier azuretenantid string unique identifier actiontype string type of the resource actionurl string url endpoint for the request controlcategory string output field controlcategory title string output field title deprecated boolean output field deprecated implementationcost string output field implementationcost lastmodifieddatetime object time value maxscore number score value rank number output field rank remediation string output field remediation remediationimpact string output field remediationimpact service string output field service threats array output field threats threats file name string name of the resource threats file string output field threats file tier string output field tier userimpact string output field userimpact vendorinformation object output field vendorinformation vendorinformation provider string unique identifier vendorinformation providerversion object unique identifier output example {"@odata context" "string","id" "12345678 1234 1234 1234 123456789abc","azuretenantid" "string","actiontype" "string","actionurl" "string","controlcategory" "string","title" "string","deprecated"\ true,"implementationcost" "string","lastmodifieddatetime" {},"maxscore" 123,"rank" 123,"remediation" "string","remediationimpact" "string","service" "string"} get secure scores list obtain a list of secure scores via the microsoft graph security api to evaluate your organization's security stance endpoint url /v1 0/security/securescores method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata nextlink string response data value array value for the parameter value id string unique identifier value azuretenantid string unique identifier value activeusercount number value for the parameter value createddatetime string value for the parameter value currentscore number value for the parameter value enabledservices array value for the parameter value licensedusercount number value for the parameter value maxscore number value for the parameter value vendorinformation object value for the parameter value vendorinformation provider string unique identifier value vendorinformation providerversion object unique identifier value vendorinformation subprovider object unique identifier value vendorinformation vendor string value for the parameter value averagecomparativescores array value for the parameter value averagecomparativescores file name string name of the resource value averagecomparativescores file string value for the parameter value controlscores array value for the parameter value controlscores controlcategory string value for the parameter value controlscores controlname string name of the resource value controlscores description object value for the parameter output example {"@odata context" "string","@odata nextlink" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","azuretenantid" "string","activeusercount" 123,"createddatetime" "string","currentscore" 123,"enabledservices" \[],"licensedusercount" 123,"maxscore" 123,"vendorinformation" {},"averagecomparativescores" \[],"controlscores" \[]}]} get secure control profiles retrieve a list of secure control profiles to enhance your organization's security posture via the microsoft graph security api endpoint url /v1 0/security/securescorecontrolprofiles method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata nextlink string response data value array value for the parameter value id string unique identifier value azuretenantid string unique identifier value actiontype string type of the resource value actionurl string url endpoint for the request value controlcategory string value for the parameter value title string value for the parameter value deprecated boolean value for the parameter value implementationcost string value for the parameter value lastmodifieddatetime object value for the parameter value maxscore number value for the parameter value rank number value for the parameter value remediation string value for the parameter value remediationimpact string value for the parameter value service string value for the parameter value threats array value for the parameter value threats file name string name of the resource value threats file string value for the parameter value tier string value for the parameter value userimpact string value for the parameter value vendorinformation object value for the parameter output example {"@odata context" "string","@odata nextlink" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","azuretenantid" "string","actiontype" "string","actionurl" "string","controlcategory" "string","title" "string","deprecated"\ true,"implementationcost" "string","lastmodifieddatetime" {},"maxscore" 123,"rank" 123,"remediation" "string","remediationimpact" "string","service" "string","threats" \[]}]} get secure score retrieves a specified secure score from the microsoft graph security api using the provided 'id' endpoint url /v1 0/security/securescores/{{id}} method get input argument name type required description path parameters id string required secure score id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier azuretenantid string unique identifier activeusercount number count value createddatetime string time value currentscore number score value enabledservices array output field enabledservices licensedusercount number count value maxscore number score value vendorinformation object output field vendorinformation vendorinformation provider string unique identifier vendorinformation providerversion object unique identifier vendorinformation subprovider object unique identifier vendorinformation vendor string output field vendorinformation vendor averagecomparativescores array output field averagecomparativescores averagecomparativescores file name string name of the resource averagecomparativescores file string output field averagecomparativescores file controlscores array output field controlscores controlscores controlcategory string output field controlscores controlcategory controlscores controlname string name of the resource controlscores description string output field controlscores description controlscores score number score value controlscores isapplicable string output field controlscores isapplicable output example {"@odata context" "string","id" "12345678 1234 1234 1234 123456789abc","azuretenantid" "string","activeusercount" 123,"createddatetime" "string","currentscore" 123,"enabledservices" \["string"],"licensedusercount" 123,"maxscore" 123,"vendorinformation" {"provider" "string","providerversion" {},"subprovider" {},"vendor" "string"},"averagecomparativescores" \[{"file name" "example name","file" "string"}],"controlscores" \[{"controlcategory" "string","controlname" "example name","description" "string" get threat assessment retrieve detailed insights on a specific threat by supplying an 'id' to the microsoft graph security api endpoint url /v1 0/informationprotection/threatassessmentrequests/{{id}}?$expand=results method get input argument name type required description path parameters id string required assessment id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata type string response data id string unique identifier createddatetime string time value contenttype string type of the resource expectedassessment string output field expectedassessment category string output field category status string status value requestsource string output field requestsource recipientemail string output field recipientemail destinationroutingreason string response reason phrase contentdata string response data createdby object output field createdby createdby user object output field createdby user createdby user id string unique identifier createdby user displayname string name of the resource results\@odata context string response data results array result of the operation results id string unique identifier results createddatetime string result of the operation results resulttype string type of the resource results message string result of the operation output example {"@odata context" "string","@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","contenttype" "string","expectedassessment" "string","category" "string","status" "active","requestsource" "string","recipientemail" "string","destinationroutingreason" "string","contentdata" "string","createdby" {"user" {"id" "12345678 1234 1234 1234 123456789abc","displayname" "example name"}},"results\@odata context" "string","results" \[{"id" "12345678 1234 1234 1234 1234567 get threat assessment list retrieve and analyze threat assessments to enhance security posture using the microsoft graph security api endpoint url /v1 0/informationprotection/threatassessmentrequests method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value \@odata type string response data value id string unique identifier value createddatetime string value for the parameter value contenttype string type of the resource value expectedassessment string value for the parameter value category string value for the parameter value status string status value value requestsource string value for the parameter value recipientemail string value for the parameter value destinationroutingreason string value for the parameter value contentdata string response data value createdby object value for the parameter value createdby user object value for the parameter output example {"@odata context" "string","value" \[{"@odata type" "string","id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","contenttype" "string","expectedassessment" "string","category" "string","status" "active","requestsource" "string","recipientemail" "string","destinationroutingreason" "string","contentdata" "string","createdby" {}}]} delete threat intelligence indicator removes a specified threat intelligence indicator from microsoft graph security api using the provided unique id endpoint url /beta/security/tiindicators/{{id}} method delete input argument name type required description path parameters id string required threat intelligence indicator id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} get threat intelligence indicator retrieve a specific threat intelligence indicator from microsoft graph security api using a unique id endpoint url /beta/security/tiindicators/{{id}} method get input argument name type required description path parameters id string required threat intelligence indicator id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier azuretenantid string unique identifier action string output field action additionalinformation object output field additionalinformation activitygroupnames array name of the resource activitygroupnames file name string name of the resource activitygroupnames file string name of the resource confidence object unique identifier description string output field description diamondmodel object output field diamondmodel emailencoding object output field emailencoding emaillanguage object output field emaillanguage emailrecipient object output field emailrecipient emailsenderaddress object output field emailsenderaddress emailsendername object name of the resource emailsourcedomain object output field emailsourcedomain emailsourceipaddress object output field emailsourceipaddress emailsubject object output field emailsubject emailxmailer object output field emailxmailer expirationdatetime string time value externalid object unique identifier filecompiledatetime object time value output example {"@odata context" "string","id" "12345678 1234 1234 1234 123456789abc","azuretenantid" "string","action" "string","additionalinformation" {},"activitygroupnames" \[{"file name" "example name","file" "string"}],"confidence" {},"description" "string","diamondmodel" {},"emailencoding" {},"emaillanguage" {},"emailrecipient" {},"emailsenderaddress" {},"emailsendername" {},"emailsourcedomain" {}} get threat intelligence indicators list retrieve threat intelligence indicators from the microsoft graph security api to enhance analysis and threat detection endpoint url /beta/security/tiindicators method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value id string unique identifier value azuretenantid string unique identifier value action string value for the parameter value additionalinformation object value for the parameter value activitygroupnames array name of the resource value activitygroupnames file name string name of the resource value activitygroupnames file string name of the resource value confidence object unique identifier value description string value for the parameter value diamondmodel object value for the parameter value emailencoding object value for the parameter value emaillanguage object value for the parameter value emailrecipient object value for the parameter value emailsenderaddress object value for the parameter value emailsendername object name of the resource value emailsourcedomain object value for the parameter value emailsourceipaddress object value for the parameter value emailsubject object value for the parameter value emailxmailer object value for the parameter value expirationdatetime string value for the parameter value externalid object unique identifier output example {"@odata context" "string","value" \[{"id" "12345678 1234 1234 1234 123456789abc","azuretenantid" "string","action" "string","additionalinformation" {},"activitygroupnames" \[],"confidence" {},"description" "string","diamondmodel" {},"emailencoding" {},"emaillanguage" {},"emailrecipient" {},"emailsenderaddress" {},"emailsendername" {},"emailsourcedomain" {},"emailsourceipaddress" {}}]} update alert updates an existing alert in the microsoft graph security api using the provided alert id and additional details endpoint url /v1 0/security/alerts v2/{{alert id}} method patch input argument name type required description path parameters alert id string required id of the alert assignedto string optional owner of the incident, or null if no owner is assigned determination string optional specifies the determination of the alert classification string optional specifies the classification of the alert customdetails string optional user defined custom fields with string values status string optional alert lifecycle status (stage) input example {"path parameters" {"alert id" "string"},"assignedto" "string","determination" "string","classification" "string","customdetails" "string","status" "active"} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier provideralertid string unique identifier incidentid string unique identifier status string status value severity string output field severity classification string output field classification determination object output field determination servicesource string output field servicesource detectionsource string output field detectionsource productname string name of the resource detectorid string unique identifier tenantid string unique identifier title string output field title description string output field description recommendedactions string output field recommendedactions category string output field category assignedto string output field assignedto alertweburl string url endpoint for the request incidentweburl string url endpoint for the request actordisplayname object name of the resource threatdisplayname object name of the resource threatfamilyname object name of the resource output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#security/alerts v2/$entity","id" "maf25f0fa0 126a 4297 aff6 ae579cb984a3","provideralertid" "f25f0fa0 126a 4297 aff6 ae579cb984a3","incidentid" "563","status" "new","severity" "medium","classification" "truepositive","determination"\ null,"servicesource" "microsoftappgovernance","detectionsource" "appgovernancedetection","productname" "app governance","detectorid" "b62ae531 7aa6 4bc8 91b9 49a9be960145","tenantid" "f5d73c4c bb3d 421b 8b create threat intel indicator azure sentinel creates a threat intelligence indicator in azure sentinel with details like threat type, target product, and tlp level endpoint url /beta/security/tiindicators method post input argument name type required description action string optional the action to apply if the indicator is matched from within the targetproduct security tool possible values are unknown , allow , block or alert activitygroupnames array optional the cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator additionalinformation string optional a catchall area into which extra data from the indicator not covered by the other tiindicator properties may be placed data placed into additionalinformation will typically not be utilized by the targetproduct security tool azuretenantid string optional stamped by the system when the indicator is ingested the azure active directory tenant id of submitting client confidence number optional an integer representing the confidence the data within the indicator accurately identifies malicious behavior acceptable values are 0 100 with 100 being the highest description string optional brief description (100 characters or less) of the threat represented by the indicator diamondmodel string optional the area of the diamond model in which this indicator exists possible values are unknown , adversary , capability , infrastructure and victim domainname string optional domain name associated with this indicator should be of the format subdomain domain topleveldomain (for example, baddomain domain net) emailencoding string optional the type of text encoding used in the email emaillanguage string optional the language of the email emailrecipient string optional email recipient address emailsenderaddress string optional email sender address emailsendername string optional email sender name emailsourcedomain string optional parameter for create threat intel indicator azure sentinel emailsourceipaddress string optional parameter for create threat intel indicator azure sentinel emailsubject string optional parameter for create threat intel indicator azure sentinel emailxmailer string optional x mailer value used in the email expirationdatetime string optional the timestamp type represents date and time information using iso 8601 format and is always in utc time externalid string optional unique identifier filecompiledatetime string optional the timestamp type represents date and time information using iso 8601 format and is always in utc time filecreateddatetime string optional the timestamp type represents date and time information using iso 8601 format and is always in utc time filehashtype string optional the type of hash stored in filehashvalue possible values are unknown , sha1 , sha256 , md5 , authenticodehash256 , lshash , ctph filehashvalue string optional value for the parameter filemutexname string optional name of the resource filename string optional name of the resource input example {"action" "string","activitygroupnames" \["string"],"additionalinformation" "string","azuretenantid" "string","confidence" 123,"description" "string","diamondmodel" "string","domainname" "example name","emailencoding" "string","emaillanguage" "string","emailrecipient" "string","emailsenderaddress" "string","emailsendername" "example name","emailsourcedomain" "string","emailsourceipaddress" "string","emailsubject" "string","emailxmailer" "string","expirationdatetime" "string","externalid" "string","filecompiledatetime" "string","filecreateddatetime" "string","filehashtype" "string","filehashvalue" "string","filemutexname" "example name","filename" "example name","filepacker" "string","filepath" "string","filesize" 123,"filetype" "string","isactive" "string","killchain" \["string"],"knownfalsepositives" "string","lastreporteddatetime" "string","malwarefamilynames" "example name","networkcidrblock" "string","networkdestinationasn" 123,"networkdestinationcidrblock" "string","networkdestinationipv4" "string","networkdestinationipv6" "string","networkdestinationport" 123,"networkipv4" "string","networkipv6" "string","networkport" 123,"networkprotocol" 123,"networksourceasn" 123,"networksourcecidrblock" "string","networksourceipv4" "string","networksourceipv6" "string","networksourceport" 123,"passiveonly" "string"} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier azuretenantid string unique identifier action string output field action additionalinformation object output field additionalinformation activitygroupnames array name of the resource activitygroupnames file name string name of the resource activitygroupnames file string name of the resource confidence object unique identifier description string output field description diamondmodel object output field diamondmodel emailencoding object output field emailencoding emaillanguage object output field emaillanguage emailrecipient object output field emailrecipient emailsenderaddress object output field emailsenderaddress emailsendername object name of the resource emailsourcedomain object output field emailsourcedomain emailsourceipaddress object output field emailsourceipaddress emailsubject object output field emailsubject emailxmailer object output field emailxmailer expirationdatetime string time value externalid object unique identifier filecompiledatetime object time value output example {"@odata context" "string","id" "12345678 1234 1234 1234 123456789abc","azuretenantid" "string","action" "string","additionalinformation" {},"activitygroupnames" \[{"file name" "example name","file" "string"}],"confidence" {},"description" "string","diamondmodel" {},"emailencoding" {},"emaillanguage" {},"emailrecipient" {},"emailsenderaddress" {},"emailsendername" {},"emailsourcedomain" {}} create threat intel indicator microsoft defender creates a threat intelligence indicator in microsoft defender with specified action and active status endpoint url /beta/security/tiindicators method post input argument name type required description action string optional the action to apply if the indicator is matched from within the targetproduct security tool possible values are unknown , allow , block or alert activitygroupnames array optional the cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator additionalinformation string optional a catchall area into which extra data from the indicator not covered by the other tiindicator properties may be placed data placed into additionalinformation will typically not be utilized by the targetproduct security tool azuretenantid string optional stamped by the system when the indicator is ingested the azure active directory tenant id of submitting client confidence number optional an integer representing the confidence the data within the indicator accurately identifies malicious behavior acceptable values are 0 100 with 100 being the highest description string optional brief description (100 characters or less) of the threat represented by the indicator diamondmodel string optional the area of the diamond model in which this indicator exists possible values are unknown , adversary , capability , infrastructure and victim domainname string optional domain name associated with this indicator should be of the format subdomain domain topleveldomain (for example, baddomain domain net) emailencoding string optional the type of text encoding used in the email emaillanguage string optional the language of the email emailrecipient string optional email recipient address emailsenderaddress string optional email sender address emailsendername string optional email sender name emailsourcedomain string optional parameter for create threat intel indicator microsoft defender emailsourceipaddress string optional parameter for create threat intel indicator microsoft defender emailsubject string optional parameter for create threat intel indicator microsoft defender emailxmailer string optional x mailer value used in the email expirationdatetime string optional the timestamp type represents date and time information using iso 8601 format and is always in utc time externalid string optional unique identifier filecompiledatetime string optional the timestamp type represents date and time information using iso 8601 format and is always in utc time filecreateddatetime string optional the timestamp type represents date and time information using iso 8601 format and is always in utc time filehashtype string optional the type of hash stored in filehashvalue possible values are unknown , sha1 , sha256 , md5 , authenticodehash256 , lshash , ctph filehashvalue string optional value for the parameter filemutexname string optional name of the resource filename string optional name of the resource input example {"action" "string","activitygroupnames" \["string"],"additionalinformation" "string","azuretenantid" "string","confidence" 123,"description" "string","diamondmodel" "string","domainname" "example name","emailencoding" "string","emaillanguage" "string","emailrecipient" "string","emailsenderaddress" "string","emailsendername" "example name","emailsourcedomain" "string","emailsourceipaddress" "string","emailsubject" "string","emailxmailer" "string","expirationdatetime" "string","externalid" "string","filecompiledatetime" "string","filecreateddatetime" "string","filehashtype" "string","filehashvalue" "string","filemutexname" "example name","filename" "example name","filepacker" "string","filepath" "string","filesize" 123,"filetype" "string","isactive" "string","killchain" \["string"],"knownfalsepositives" "string","lastreporteddatetime" "string","malwarefamilynames" "example name","networkcidrblock" "string","networkdestinationasn" 123,"networkdestinationcidrblock" "string","networkdestinationipv4" "string","networkdestinationipv6" "string","networkdestinationport" 123,"networkipv4" "string","networkipv6" "string","networkport" 123,"networkprotocol" 123,"networksourceasn" 123,"networksourcecidrblock" "string","networksourceipv4" "string","networksourceipv6" "string","networksourceport" 123,"passiveonly" "string"} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data id string unique identifier azuretenantid string unique identifier action string output field action additionalinformation object output field additionalinformation activitygroupnames array name of the resource activitygroupnames file name string name of the resource activitygroupnames file string name of the resource confidence object unique identifier description string output field description diamondmodel object output field diamondmodel emailencoding object output field emailencoding emaillanguage object output field emaillanguage emailrecipient object output field emailrecipient emailsenderaddress object output field emailsenderaddress emailsendername object name of the resource emailsourcedomain object output field emailsourcedomain emailsourceipaddress object output field emailsourceipaddress emailsubject object output field emailsubject emailxmailer object output field emailxmailer expirationdatetime string time value externalid object unique identifier filecompiledatetime object time value output example {"@odata context" "string","id" "12345678 1234 1234 1234 123456789abc","azuretenantid" "string","action" "string","additionalinformation" {},"activitygroupnames" \[{"file name" "example name","file" "string"}],"confidence" {},"description" "string","diamondmodel" {},"emailencoding" {},"emaillanguage" {},"emailrecipient" {},"emailsenderaddress" {},"emailsendername" {},"emailsourcedomain" {}} get ediscovery case retrieve details and relationships of a specific ediscovery case in microsoft graph api using the provided ediscoverycaseid endpoint url /v1 0/security/cases/ediscoverycases/{{ediscoverycaseid}} method get input argument name type required description path parameters ediscoverycaseid string required ediscovery case id input example {"path parameters" {"ediscoverycaseid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data description string output field description lastmodifieddatetime string time value status string status value closeddatetime object time value externalid string unique identifier id string unique identifier displayname string name of the resource createddatetime string time value lastmodifiedby object output field lastmodifiedby closedby object output field closedby output example {"@odata context" "https //graph microsoft com/beta/$metadata#security/cases/ediscoverycases/$entit ","description" "","lastmodifieddatetime" "2022 05 22t18 36 46 597z","status" "active","closeddatetime"\ null,"externalid" "324516","id" "22aa2acd 7554 4330 9ba9 ce20014aaae4","displayname" "contoso litigation 005","createddatetime" "2022 05 22t18 36 46 597z","lastmodifiedby"\ null,"closedby"\ null} list ediscovery cases retrieve a comprehensive list of ediscoverycase objects with properties from the microsoft graph api endpoint url /v1 0/security/cases/ediscoverycases method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata count number response data value array value for the parameter value description string value for the parameter value lastmodifieddatetime string value for the parameter value status string status value value closeddatetime object value for the parameter value externalid string unique identifier value id string unique identifier value displayname string name of the resource value createddatetime string value for the parameter value lastmodifiedby object value for the parameter value lastmodifiedby application object value for the parameter value lastmodifiedby user object value for the parameter value lastmodifiedby user id object unique identifier value lastmodifiedby user displayname string name of the resource value closedby object value for the parameter value closedby application object value for the parameter value closedby user object value for the parameter value closedby user id object unique identifier value closedby user displayname string name of the resource output example {"@odata context" "https //graph microsoft com/beta/$metadata#security/cases/ediscoverycases","@odata count" 22,"value" \[{"description" "","lastmodifieddatetime" "2022 05 19t23 30 41 23z","status" "active","closeddatetime"\ null,"externalid" "","id" "60f86305 ac3e 408b baa2 ea585dd8b0c0","displayname" "my case 1","createddatetime" "2022 05 19t23 30 41 23z","lastmodifiedby" {},"closedby" {}},{"description" "","lastmodifieddatetime" "2022 05 18t23 05 07 82z","status" "active","closeddatetime"\ null, list ediscovery case custodians retrieve a list of custodian objects and their properties from microsoft graph api using a specific ediscoverycaseid endpoint url /v1 0/security/cases/ediscoverycases/{{ediscoverycaseid}}/custodians method get input argument name type required description path parameters ediscoverycaseid string required ediscovery case id input example {"path parameters" {"ediscoverycaseid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata count number response data value array value for the parameter value status string status value value holdstatus string status value value createddatetime string value for the parameter value lastmodifieddatetime string value for the parameter value releaseddatetime object value for the parameter value id string unique identifier value displayname string name of the resource value email string value for the parameter value acknowledgeddatetime string value for the parameter output example {"@odata context" "https //graph microsoft com/beta/$metadata#security/cases/ediscoverycases('b0073 ","@odata count" 1,"value" \[{"status" "active","holdstatus" "notapplied","createddatetime" "2022 05 23t00 58 19 0702426z","lastmodifieddatetime" "2022 05 23t00 58 19 0702436z","releaseddatetime"\ null,"id" "0053a61a3b6c42738f7606791716a22a","displayname" "alex wilber","email" "alexw\@m365x809305 onmicrosoft com","acknowledgeddatetime" "0001 01 01t00 00 00z"}]} list ediscovery case operations retrieve caseoperation objects with properties from microsoft graph api using a specified ediscoverycaseid endpoint url /v1 0/security/cases/ediscoverycases/{{ediscoverycaseid}}/operations method get input argument name type required description path parameters ediscoverycaseid string required ediscovery case id input example {"path parameters" {"ediscoverycaseid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value createddatetime string value for the parameter value completeddatetime string value for the parameter value percentprogress number value for the parameter value status string status value value action string value for the parameter value id string unique identifier value createdby object value for the parameter value createdby application object value for the parameter value createdby user object value for the parameter value createdby user id string unique identifier value createdby user displayname object name of the resource value createdby user userprincipalname object name of the resource output example {"@odata context" "https //graph microsoft com/beta/$metadata#security/cases/ediscoverycases('b0073 ","value" \[{"createddatetime" "2022 05 23t01 09 36 834501z","completeddatetime" "2022 05 23t01 10 08 8710734z","percentprogress" 100,"status" "succeeded","action" "holdupdate","id" "1ab699d7e53d46de944144c4a650d66f","createdby" {}}]} list ediscovery case review sets retrieve ediscovery review sets for a given case id from the microsoft graph api, requiring the ediscoverycaseid path parameter endpoint url /v1 0/security/cases/ediscoverycases/{{ediscoverycaseid}}/reviewsets method get input argument name type required description path parameters ediscoverycaseid string required ediscovery case id input example {"path parameters" {"ediscoverycaseid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value displayname string name of the resource value id string unique identifier value createddatetime string value for the parameter value createdby object value for the parameter value createdby application object value for the parameter value createdby user object value for the parameter value createdby user id string unique identifier value createdby user displayname string name of the resource value createdby user userprincipalname string name of the resource output example {"@odata context" "https //graph microsoft com/beta/$metadata#security/cases/ediscoverycases('b0073 ","value" \[{"displayname" "my review set","id" "025852b3 5062 4169 9609 9861a6fe2fe5","createddatetime" "2022 05 23t16 26 08 7203883z","createdby" {}}]} list ediscovery case searches retrieve ediscovery search resources associated with a specific case id in microsoft graph api, utilizing the mandatory ediscoverycaseid endpoint url /v1 0/security/cases/ediscoverycases/{{ediscoverycaseid}}/searches method get input argument name type required description path parameters ediscoverycaseid string required ediscovery case id input example {"path parameters" {"ediscoverycaseid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value array value for the parameter value datasourcescopes string response data value description string value for the parameter value lastmodifieddatetime string value for the parameter value contentquery string value for the parameter value id string unique identifier value displayname string name of the resource value createddatetime string value for the parameter value lastmodifiedby object value for the parameter value createdby object value for the parameter value createdby user object value for the parameter value createdby user id string unique identifier value createdby user displayname string name of the resource value createdby user userprincipalname string name of the resource value createdby application object value for the parameter value createdby application id string unique identifier value createdby application displayname string name of the resource output example {"@odata context" "https //graph microsoft com/beta/$metadata#security/cases/ediscoverycases('b0073 ","value" \[{"datasourcescopes" "none","description" "my first search","lastmodifieddatetime" "2022 05 23t04 38 07 5787454z","contentquery" "(author=\\"edison\\")","id" "46867792 68e6 41db 9cd0 f651c2290d91","displayname" "my search 2","createddatetime" "2022 05 23t04 38 07 5787454z","lastmodifiedby"\ null,"createdby" {}},{"datasourcescopes" "none","description" "my first search","lastmodifieddateti list ediscovery case tags retrieves a list of ediscoveryreviewtag objects for a specified case in microsoft graph api, requiring the ediscoverycaseid endpoint url /v1 0/security/cases/ediscoverycases/{{ediscoverycaseid}}/tags method get input argument name type required description path parameters ediscoverycaseid string required ediscovery case id input example {"path parameters" {"ediscoverycaseid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata count number response data value array value for the parameter value displayname string name of the resource value lastmodifieddatetime string value for the parameter value childselectability string value for the parameter value id string unique identifier value createdby object value for the parameter value createdby user object value for the parameter value createdby user id string unique identifier value createdby user displayname string name of the resource value createdby user userprincipalname string name of the resource value description string value for the parameter output example {"@odata context" "https //graph microsoft com/beta/$metadata#security/cases/ediscoverycases('58399 ","@odata count" 5,"value" \[{"displayname" "my tag","lastmodifieddatetime" "2022 05 23t19 41 01 7432683z","childselectability" "many","id" "062de822f17a4a2e9b833aa3f6c37108","createdby" {"user" {"id" "c25c3914 f9f7 43ee 9cba a25377e0cec6","displayname" "mod administrator","userprincipalname" "admin\@m365x809305 onmicrosoft com"}}},{"displayname" "responsive","description" "","lastmodifieddatetime get incident retrieve detailed information and relationships for a specified incident id from microsoft graph api endpoint url /v1 0/security/incidents/{{incidentid}} method get input argument name type required description path parameters incidentid string required incident id input example {"path parameters" {"incidentid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata type string response data id string unique identifier incidentweburl string url endpoint for the request redirectincidentid object unique identifier displayname string name of the resource tenantid string unique identifier createddatetime string time value lastupdatedatetime string time value assignedto string output field assignedto classification string output field classification determination string output field determination status string status value severity string output field severity customtags array output field customtags comments array output field comments comments comment string output field comments comment comments createdby string output field comments createdby comments createdtime string time value output example {"@odata type" "#microsoft graph incident","id" "2972395","incidentweburl" "https //security microsoft com/incidents/2972395?tid=12f988bf 16f1 11af 11ab 1d7 ","redirectincidentid"\ null,"displayname" "multi stage incident involving initial access & command and control on multiple ","tenantid" "b3c1b5fc 828c 45fa a1e1 10d74f6d6e9c","createddatetime" "2021 08 13t08 43 35 5533333z","lastupdatedatetime" "2021 09 30t09 35 45 1133333z","assignedto" "kaic\@contoso onmicrosoft com","classification" " get repeat offenders lists tenant users compromised multiple times in simulation and training campaigns through the microsoft graph api endpoint url /v1 0/reports/security/getattacksimulationrepeatoffenders method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata nextlink string response data value array value for the parameter value repeatoffencecount number value for the parameter value attacksimulationuser object value for the parameter value attacksimulationuser userid string unique identifier value attacksimulationuser displayname string name of the resource value attacksimulationuser email string value for the parameter output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#collection(microsoft graph attacksimu ","@odata nextlink" "https //graph microsoft com/v1 0/reports/security/getattacksimulationrepeatoffen ","value" \[{"repeatoffencecount" 5,"attacksimulationuser" {}},{"repeatoffencecount" 638,"attacksimulationuser" {}}]} get simulation retrieve details of an attack simulation campaign by providing the unique simulationid in microsoft graph api endpoint url /v1 0/security/attacksimulation/simulations/{{simulationid}} method get input argument name type required description path parameters simulationid string required simulation id input example {"path parameters" {"simulationid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata type string response data id string unique identifier incidentweburl string url endpoint for the request redirectincidentid object unique identifier displayname string name of the resource tenantid string unique identifier createddatetime string time value lastupdatedatetime string time value assignedto string output field assignedto classification string output field classification determination string output field determination status string status value severity string output field severity customtags array output field customtags comments array output field comments comments comment string output field comments comment comments createdby string output field comments createdby comments createdtime string time value output example {"@odata type" "#microsoft graph incident","id" "2972395","incidentweburl" "https //security microsoft com/incidents/2972395?tid=12f988bf 16f1 11af 11ab 1d7 ","redirectincidentid"\ null,"displayname" "multi stage incident involving initial access & command and control on multiple ","tenantid" "b3c1b5fc 828c 45fa a1e1 10d74f6d6e9c","createddatetime" "2021 08 13t08 43 35 5533333z","lastupdatedatetime" "2021 09 30t09 35 45 1133333z","assignedto" "kaic\@contoso onmicrosoft com","classification" " get simulation automation retrieve details of a specified attack simulation automation in microsoft graph api using the provided simulationid endpoint url /v1 0/security/attacksimulation/simulationautomations/{{simulationid}} method get input argument name type required description path parameters simulationid string required simulation id input example {"path parameters" {"simulationid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata type string response data id string unique identifier displayname string name of the resource description string output field description status string status value createddatetime string time value createdby object output field createdby createdby id string unique identifier createdby displayname string name of the resource createdby email string output field createdby email lastmodifieddatetime string time value lastmodifiedby object output field lastmodifiedby lastmodifiedby id string unique identifier lastmodifiedby displayname string name of the resource lastmodifiedby email string output field lastmodifiedby email lastrundatetime string time value nextrundatetime string time value output example {"@odata type" "#microsoft graph simulationautomation","id" "fbad62b0 b32d b6ac 9f48 d84bbea08f96","displayname" "reed flores","description" "sample simulation automation description","status" "running","createddatetime" "2022 01 01t01 01 01 01z","createdby" {"id" "99af58b9 ef1a 412b a581 cb42fe8c8e21","displayname" "reed flores","email" "reed\@contoso com"},"lastmodifieddatetime" "2022 01 01t01 01 01 01z","lastmodifiedby" {"id" "99af58b9 ef1a 412b a581 cb42fe8c8e21","displayname" "reed flores"," get simulation coverage for users lists tenant users' training coverage for attack simulation and training campaigns via microsoft graph api endpoint url /v1 0/reports/security/getattacksimulationsimulationusercoverage method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata nextlink string response data value array value for the parameter value simulationcount object value for the parameter value latestsimulationdatetime object value for the parameter value clickcount object value for the parameter value compromisedcount object value for the parameter value attacksimulationuser object value for the parameter value attacksimulationuser userid string unique identifier value attacksimulationuser displayname string name of the resource value attacksimulationuser email string value for the parameter output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#collection(microsoft graph attacksimu ","@odata nextlink" "https //graph microsoft com/v1 0/reports/security/getattacksimulationsimulationu ","value" \[{"simulationcount" 1063,"latestsimulationdatetime" "2022 02 10t10 45 50z","clickcount" 0,"compromisedcount" 0,"attacksimulationuser" {}},{"simulationcount"\ null,"latestsimulationdatetime"\ null,"clickcount"\ null,"compromisedcount"\ null,"attacksimulationuser" {}}]} get simulation overview retrieve an overview of a specific attack simulation and training campaign using the simulationid in microsoft graph api endpoint url /v1 0/security/attacksimulation/simulations/{{simulationid}}/report/overview method get input argument name type required description path parameters simulationid string required simulation id input example {"path parameters" {"simulationid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value \@odata type string response data value id string unique identifier value displayname string name of the resource value description string value for the parameter value status string status value value createddatetime string value for the parameter value createdby object value for the parameter value createdby id string unique identifier value createdby displayname string name of the resource value createdby email string value for the parameter value lastmodifieddatetime string value for the parameter value lastmodifiedby object value for the parameter value lastmodifiedby id string unique identifier value lastmodifiedby displayname string name of the resource value lastmodifiedby email string value for the parameter value lastrundatetime string value for the parameter value nextrundatetime string value for the parameter output example {"value" \[{"@odata type" "#microsoft graph simulationautomation","id" "fbad62b0 b32d b6ac 9f48 d84bbea08f96","displayname" "reed flores","description" "sample simulation automation description","status" "running","createddatetime" "2022 01 01t01 01 01 01z","createdby" {},"lastmodifieddatetime" "2022 01 01t01 01 01 01z","lastmodifiedby" {},"lastrundatetime" "2022 01 01t01 01 01 01z","nextrundatetime" "2022 01 01t01 01 01 01z"}]} get training coverage for users lists tenant users' training coverage in attack simulation and training campaigns via microsoft graph api endpoint url /v1 0/reports/security/getattacksimulationtrainingusercoverage method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata nextlink string response data value array value for the parameter value usertrainings array value for the parameter value usertrainings assigneddatetime string value for the parameter value usertrainings completiondatetime string value for the parameter value usertrainings trainingstatus string status value value usertrainings displayname string name of the resource value attacksimulationuser object value for the parameter value attacksimulationuser userid string unique identifier value attacksimulationuser displayname object name of the resource value attacksimulationuser email object value for the parameter output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#collection(microsoft graph attacksimu ","@odata nextlink" "https //graph microsoft com/v1 0/reports/security/getattacksimulationtraininguse ","value" \[{"usertrainings" \[],"attacksimulationuser" {}}]} list incidents retrieve and monitor incidents from microsoft 365 defender for managing and tracking organizational attacks endpoint url /v1 0/security/incidents method get input argument name type required description parameters $count string optional retrieves the total count of matching resources parameters $skip number optional indexes into a result set also used by some apis to implement paging and can be used together with $top to manually page results parameters $top number optional sets the page size of results parameters $expand string optional retrieves related resources parameters $filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter input example {"parameters" {"$count" "string","$skip" 123,"$top" 123,"$expand" "string","$filter" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value \@odata type string response data value id string unique identifier value incidentweburl string url endpoint for the request value redirectincidentid object unique identifier value tenantid string unique identifier value displayname string name of the resource value createddatetime string value for the parameter value lastupdatedatetime string value for the parameter value assignedto string value for the parameter value classification string value for the parameter value determination string value for the parameter value status string status value value severity string value for the parameter value customtags array value for the parameter value comments array value for the parameter value comments comment string value for the parameter value comments createdby string value for the parameter value comments createdtime string value for the parameter output example {"value" \[{"@odata type" "#microsoft graph security incident","id" "2972395","incidentweburl" "https //security microsoft com/incidents/2972395?tid=12f988bf 16f1 11af 11ab 1d7 ","redirectincidentid"\ null,"tenantid" "b3c1b5fc 828c 45fa a1e1 10d74f6d6e9c","displayname" "multi stage incident involving initial access & command and control on multiple ","createddatetime" "2021 08 13t08 43 35 5533333z","lastupdatedatetime" "2021 09 30t09 35 45 1133333z","assignedto" "kaic\@contoso onmicrosoft com" list simulation automations retrieve an overview of attack simulation automations and security test settings in a microsoft graph tenant endpoint url /v1 0/security/attacksimulation/simulationautomations method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value \@odata type string response data value id string unique identifier value displayname string name of the resource value description string value for the parameter value status string status value value createddatetime string value for the parameter value createdby object value for the parameter value createdby id string unique identifier value createdby displayname string name of the resource value createdby email string value for the parameter value lastmodifieddatetime string value for the parameter value lastmodifiedby object value for the parameter value lastmodifiedby id string unique identifier value lastmodifiedby displayname string name of the resource value lastmodifiedby email string value for the parameter value lastrundatetime string value for the parameter value nextrundatetime string value for the parameter output example {"value" \[{"@odata type" "#microsoft graph simulationautomation","id" "fbad62b0 b32d b6ac 9f48 d84bbea08f96","displayname" "reed flores","description" "sample simulation automation description","status" "running","createddatetime" "2022 01 01t01 01 01 01z","createdby" {},"lastmodifieddatetime" "2022 01 01t01 01 01 01z","lastmodifiedby" {},"lastrundatetime" "2022 01 01t01 01 01 01z","nextrundatetime" "2022 01 01t01 01 01 01z"}]} list simulation users retrieve a list of users and their actions from an attack simulation campaign using the 'simulationid' endpoint url /v1 0/security/attacksimulation/simulations/{{simulationid}}/report/simulationusers method get input argument name type required description path parameters simulationid string required simulation id input example {"path parameters" {"simulationid" "string"}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value iscompromised boolean value for the parameter value compromiseddatetime string value for the parameter value simulationevents array value for the parameter value simulationevents eventname string name of the resource value simulationevents eventdatetime string value for the parameter value simulationevents ipaddress string value for the parameter value simulationevents osplatformdevicedetails string value for the parameter value simulationevents browser string value for the parameter value trainingevents array value for the parameter value trainingevents displayname string name of the resource value trainingevents latesttrainingstatus string status value value trainingevents trainingassignedproperties object value for the parameter value trainingevents trainingassignedproperties contentdatetime string value for the parameter value trainingevents trainingassignedproperties ipaddress string value for the parameter value trainingevents trainingassignedproperties osplatformdevicedetails string value for the parameter value trainingevents trainingassignedproperties browser string value for the parameter value trainingevents trainingassignedproperties potentialscoreimpact number value for the parameter value trainingevents trainingupdatedproperties object value for the parameter value trainingevents trainingupdatedproperties contentdatetime string value for the parameter value trainingevents trainingupdatedproperties ipaddress string value for the parameter value trainingevents trainingupdatedproperties osplatformdevicedetails string value for the parameter value trainingevents trainingupdatedproperties browser string value for the parameter output example {"value" \[{"iscompromised"\ true,"compromiseddatetime" "2021 01 01t01 02 01 01z","simulationevents" \[],"trainingevents" \[],"assignedtrainingscount" 1,"completedtrainingscount" 0,"inprogresstrainingscount" 0,"reportedphishdatetime" "2021 01 01t01 01 01 01z","simulationuser" {}}]} list simulations retrieve attack simulation campaigns from a microsoft graph tenant to evaluate security preparedness endpoint url /v1 0/security/attacksimulation/simulations method get input argument name type required description parameters filter string optional use the filter query parameter to retrieve just a subset of a collection for guidance on using filter , see https //learn microsoft com/en us/graph/filter query parameter https //learn microsoft com/en us/graph/filter query parameter parameters orderby string optional use the orderby query parameter to specify the sort order of the items returned from microsoft graph parameters top number optional sets the page size of results input example {"parameters" {"filter" "string","orderby" "string","top" 123}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value id string unique identifier value displayname string name of the resource value description string value for the parameter value attacktype string type of the resource value attacktechnique string value for the parameter value status string status value value createddatetime string value for the parameter value createdby object value for the parameter value createdby id string unique identifier value createdby displayname string name of the resource value createdby email string value for the parameter value lastmodifieddatetime string value for the parameter value lastmodifiedby object value for the parameter value lastmodifiedby id string unique identifier value lastmodifiedby displayname string name of the resource value lastmodifiedby email string value for the parameter value launchdatetime string value for the parameter value completiondatetime string value for the parameter value isautomated boolean value for the parameter value automationid string unique identifier value payloaddeliveryplatform string value for the parameter output example {"value" \[{"id" "f1b13829 3829 f1b1 2938 b1f12938b1f1","displayname" "sample simulation","description" "sample simulation description","attacktype" "social","attacktechnique" "credentialharvesting","status" "scheduled","createddatetime" "2021 01 01t01 01 01 01z","createdby" {},"lastmodifieddatetime" "2021 01 01t01 01 01 01z","lastmodifiedby" {},"launchdatetime" "2021 01 01t02 01 01 01z","completiondatetime" "2021 01 07t01 01 01 01z","isautomated"\ false,"automationid" "f1b13829 3829 f1b1 2938 b1f run hunting query execute advanced threat hunting queries via microsoft graph api to pinpoint potential threats in microsoft 365 defender endpoint url /v1 0/security/runhuntingquery method post input argument name type required description query string optional the hunting query in kusto query language (kql) input example {"query" "string"} output parameter type description status code number http status code of the response reason string response reason phrase schema array output field schema schema name string name of the resource schema type string type of the resource results array result of the operation results timestamp string result of the operation results filename string name of the resource results initiatingprocessfilename string name of the resource output example {"schema" \[{"name" "timestamp","type" "datetime"},{"name" "filename","type" "string"},{"name" "initiatingprocessfilename","type" "string"}],"results" \[{"timestamp" "2020 08 30t06 38 35 7664356z","filename" "conhost exe","initiatingprocessfilename" "powershell exe"},{"timestamp" "2020 08 30t06 38 30 5163363z","filename" "conhost exe","initiatingprocessfilename" "powershell exe"}]} post threat assessment email submits an email for threat assessment to microsoft graph api, analyzing the recipient and attachments for potential security risks endpoint url /v1 0/informationprotection/threatassessmentrequests method post input argument name type required description attachments array optional parameter for post threat assessment email attachments contentdata string optional response data recipientemail string optional the mail recipient whose policies are used to assess the mail expectedassessment string optional the expected assessment from the ubmitter possible values are block , unblock category string optional the threat category possible values are spam , phishing , malware input example {"attachments" \[{"contentdata" "string"}],"recipientemail" "string","expectedassessment" "string","category" "string"} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} post threat assessment file submits a file to microsoft graph api for security threat assessment, requiring an attachment endpoint url /v1 0/informationprotection/threatassessmentrequests method post input argument name type required description attachments array optional parameter for post threat assessment file attachments contentdata string optional response data attachments filename string optional name of the resource expectedassessment string optional the expected assessment from the ubmitter possible values are block , unblock category string optional the threat category possible values are spam , phishing , malware input example {"attachments" \[{"contentdata" "string","filename" "example name"}],"expectedassessment" "string","category" "string"} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} post threat assessment uri submits a uri to microsoft graph api for threat assessment, requiring 'messageuri' and 'recipientemail' in the json body endpoint url /v1 0/informationprotection/threatassessmentrequests method post input argument name type required description messageuri string optional the resource uri of the mail message for assessment recipientemail string optional the mail recipient whose policies are used to assess the mail expectedassessment string optional the expected assessment from the ubmitter possible values are block , unblock category string optional the threat category possible values are spam , phishing , malware input example {"messageuri" "string","recipientemail" "string","expectedassessment" "string","category" "string"} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} post threat assessment url initiates a security threat assessment on a specified url using microsoft graph api to identify potential risks requires a 'url' in the json body endpoint url /v1 0/informationprotection/threatassessmentrequests method post input argument name type required description url string optional the url string expectedassessment string optional the expected assessment from the ubmitter possible values are block , unblock category string optional the threat category possible values are spam , phishing , malware input example {"url" "https //example com/api/resource","expectedassessment" "string","category" "string"} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} move email relocate an email to a specified folder in a user's mailbox on microsoft graph api using their email address, email id, and destination id endpoint url /v1 0/users/{{email address}}/messages/{{email id}}/move method post input argument name type required description path parameters email address string required the account associated with the email path parameters email id string required the id of the email destinationid string optional the destination folder id, or a well known folder name input example {"path parameters" {"email address" "string","email id" "string"},"destinationid" "string"} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata etag string response data id string unique identifier createddatetime string time value lastmodifieddatetime string time value changekey string output field changekey categories array output field categories categories file name string name of the resource categories file string output field categories file receiveddatetime string time value sentdatetime string time value hasattachments boolean output field hasattachments internetmessageid string unique identifier subject string output field subject bodypreview string request body data importance string output field importance parentfolderid string unique identifier conversationid string unique identifier conversationindex string output field conversationindex isdeliveryreceiptrequested object output field isdeliveryreceiptrequested isreadreceiptrequested boolean output field isreadreceiptrequested isread boolean output field isread isdraft boolean output field isdraft output example {"@odata context" "string","@odata etag" "string","id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","lastmodifieddatetime" "string","changekey" "string","categories" \[{"file name" "example name","file" "string"}],"receiveddatetime" "string","sentdatetime" "string","hasattachments"\ true,"internetmessageid" "string","subject" "string","bodypreview" "string","importance" "string","parentfolderid" "string"} reply to email send a custom reply to an email by specifying the recipient's address and email id using microsoft graph api endpoint url /v1 0/users/{{email address}}/messages/{{email id}}/reply method post input argument name type required description path parameters email address string required the account associated with the email path parameters email id string required the id of the email comment string optional a comment to include can be an empty string savetosentitems boolean optional indicates whether to save the message in sent items specify it only if the parameter is false; default is true optional message object optional the message to send message subject string optional the subject of the email message body object optional the body of the message it can be in html or text format message body content string optional the content of the item message body contenttype string optional the type of the content possible values are text and html message sender object optional the account that is actually used to generate the message in most cases, this value is the same as the from property message sender address string required response message message sender name string optional name of the resource message replyto array optional the email addresses to use when replying message replyto emailaddress object required response message message replyto emailaddress address string required response message message replyto emailaddress name string optional name of the resource message torecipients array optional the list of direct recipient objects message torecipients emailaddress object required response message message torecipients emailaddress address string required response message message torecipients emailaddress name string optional name of the resource message ccrecipients array optional the list of cc recipient objects message ccrecipients emailaddress object required response message message ccrecipients emailaddress address string required response message message ccrecipients emailaddress name string optional name of the resource message bccrecipients array optional the list of bcc recipient objects input example {"path parameters" {"email address" "string","email id" "string"},"comment" "string","savetosentitems"\ true,"message" {"subject" "string","body" {"content" "string","contenttype" "string"},"sender" {"address" "string","name" "example name"},"replyto" \[{"emailaddress" {"address" "string","name" "example name"}}],"torecipients" \[{"emailaddress" {"address" "string","name" "example name"}}],"ccrecipients" \[{"emailaddress" {"address" "string","name" "example name"}}],"bccrecipients" \[{"emailaddress" {"address" "string","name" "example name"}}],"attachments" \[{"contentbytes" "string","name" "example name","@odata type" "#microsoft graph fileattachment","contenttype" "text/plain"}]}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} retrieve authentication methods retrieve a user's authentication methods in microsoft graph api using their mail id endpoint url /v1 0/users/{{mailid}}/authentication/methods method get input argument name type required description path parameters mailid string required the account associated with the email input example {"path parameters" {"mailid" "integrations\@swimlaneintegrations onmicrosoft com"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @microsoft graph tips string output field @microsoft graph tips value array value for the parameter value \@odata type string response data value id string unique identifier value password object value for the parameter value createddatetime string value for the parameter value secretkey object value for the parameter output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#users('integrations%40swimlaneintegra ","@microsoft graph tips" "use $select to choose only the properties your app needs, as this can lead to pe ","value" \[{"@odata type" "#microsoft graph passwordauthenticationmethod","id" "28c10230 6103 485e b985 444c60001490","password"\ null,"createddatetime" "2021 12 15t01 31 09z"},{"@odata type" "#microsoft graph softwareoathauthenticationmethod","id" "c03db085 34e7 47bc b7d6 b54069b6042f"," revoke signin sessions invalidates all refresh tokens and browser session cookies for a user, ensuring secure sign out via microsoft graph api endpoint url v1 0/users/{{id}}/revokesigninsessions method post input argument name type required description path parameters id string required user id input example {"path parameters" {"id" "12345678 1234 1234 1234 123456789abc"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data value boolean value for the parameter output example {"@odata context" "https //graph microsoft com/v1 0/$metadata#edm boolean","value"\ true} send email sends a custom email via microsoft graph api using specified recipient's email address and message content endpoint url /v1 0/users/{{email address}}/sendmail method post input argument name type required description path parameters email address string required the account associated with the email savetosentitems boolean optional indicates whether to save the message in sent items specify it only if the parameter is false; default is true optional message object optional the message to send message subject string optional the subject of the email message body object optional the body of the message it can be in html or text format message body content string optional the content of the item message body contenttype string optional the type of the content possible values are text and html message replyto array optional the email addresses to use when replying message replyto emailaddress object required response message message replyto emailaddress address string required response message message replyto emailaddress name string optional name of the resource message torecipients array required the list of direct recipient objects message torecipients emailaddress object required response message message torecipients emailaddress address string required response message message torecipients emailaddress name string optional name of the resource message ccrecipients array optional the list of cc recipient objects message ccrecipients emailaddress object required response message message ccrecipients emailaddress address string required response message message ccrecipients emailaddress name string optional name of the resource message bccrecipients array optional the list of bcc recipient objects message bccrecipients emailaddress object required response message message bccrecipients emailaddress address string required response message message bccrecipients emailaddress name string optional name of the resource message attachments array optional items attached to this email message attachments contentbytes string optional response content input example {"path parameters" {"email address" "string"},"savetosentitems"\ true,"message" {"subject" "string","body" {"content" "string","contenttype" "string"},"replyto" \[{"emailaddress" {"address" "string","name" "example name"}}],"torecipients" \[{"emailaddress" {"address" "string","name" "example name"}}],"ccrecipients" \[{"emailaddress" {"address" "string","name" "example name"}}],"bccrecipients" \[{"emailaddress" {"address" "string","name" "example name"}}],"attachments" \[{"contentbytes" "string","name" "example name","@odata type" "#microsoft graph fileattachment","contenttype" "text/plain"}]}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} set email read status marks an email as read in microsoft graph api using the specified email address and id with 'isread' parameter endpoint url /v1 0/users/{{email address}}/messages/{{email id}} method patch input argument name type required description path parameters email address string required parameters for the set email read status action path parameters email id string required parameters for the set email read status action isread string optional parameter for set email read status input example {"json body" {"isread" "true"},"path parameters" {"email address" "integrations\@swimlaneintegrations onmicrosoft com","email id" "ed7b3366 10f2 4992 9edc 31024afd556b\@bn8nam12ft082 eop nam12 prod protection outlook com"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata context string response data @odata etag string response data id string unique identifier createddatetime string time value lastmodifieddatetime string time value changekey string output field changekey categories array output field categories categories file name string name of the resource categories file string output field categories file receiveddatetime string time value sentdatetime string time value hasattachments boolean output field hasattachments internetmessageid string unique identifier subject string output field subject bodypreview string request body data importance string output field importance parentfolderid string unique identifier conversationid string unique identifier conversationindex string output field conversationindex isdeliveryreceiptrequested object output field isdeliveryreceiptrequested isreadreceiptrequested boolean output field isreadreceiptrequested isread boolean output field isread isdraft boolean output field isdraft output example {"@odata context" "string","@odata etag" "string","id" "12345678 1234 1234 1234 123456789abc","createddatetime" "string","lastmodifieddatetime" "string","changekey" "string","categories" \[{"file name" "example name","file" "string"}],"receiveddatetime" "string","sentdatetime" "string","hasattachments"\ true,"internetmessageid" "string","subject" "string","bodypreview" "string","importance" "string","parentfolderid" "string"} update incident updates an incident's details in microsoft graph api, including classification, determination, and custom tags using a specific incidentid endpoint url /v1 0/security/incidents/{{incidentid}} method patch input argument name type required description path parameters incidentid string required id of the incident classification string optional parameter for update incident determination string optional parameter for update incident customtags array optional parameter for update incident assignedto string optional owner of the incident, or null if no owner is assigned free editable text status string optional status value input example {"json body" {"classification" "truepositive","determination" "multistagedattack","customtags" \["demo"],"assignedto" "john smith","status" "unknown"},"path parameters" {"incidentid" "2972395"}} output parameter type description status code number http status code of the response reason string response reason phrase @odata type string response data id string unique identifier incidentweburl string url endpoint for the request redirectincidentid object unique identifier displayname string name of the resource tenantid string unique identifier createddatetime string time value lastupdatedatetime string time value assignedto string output field assignedto classification string output field classification determination string output field determination status string status value severity string output field severity customtags array output field customtags comments array output field comments comments comment string output field comments comment comments createdby string output field comments createdby comments createdtime string time value output example {"@odata type" "#microsoft graph incident","id" "2972395","incidentweburl" "https //security microsoft com/incidents/2972395?tid=12f988bf 16f1 11af 11ab 1d7 ","redirectincidentid"\ null,"displayname" "multi stage incident involving initial access & command and control on multiple ","tenantid" "b3c1b5fc 828c 45fa a1e1 10d74f6d6e9c","createddatetime" "2021 08 13t08 43 35 5533333z","lastupdatedatetime" "2021 09 30t09 35 45 1133333z","assignedto" "kaic\@contoso onmicrosoft com","classification" " update message updates a message's properties in microsoft graph api using the specified userprincipalname and message id endpoint url /users/{{userprincipalname}}/messages/{{id}} method patch input argument name type required description path parameters userprincipalname string required the email address of the user path parameters id string required the unique identifier of the message bccrecipients array optional the list of bcc recipient objects bccrecipients emailaddress object required parameter for update message bccrecipients emailaddress address string required parameter for update message bccrecipients emailaddress name string optional name of the resource body object optional the body of the message updatable only if isdraft = true body contenttype string required request body data body content string required request body data categories array optional the categories associated with the message ccrecipients array optional the cc recipients for the message ccrecipients emailaddress object required parameter for update message ccrecipients emailaddress address string required parameter for update message ccrecipients emailaddress name string optional name of the resource flag object optional the flag value that indicates the status, start date, due date, or completion date for the message flag flagstatus string optional status value flag startdatetime object optional time value flag startdatetime datetime string optional time value flag startdatetime timezone string optional parameter for update message flag duedatetime object optional time value flag duedatetime datetime string optional time value flag duedatetime timezone string optional parameter for update message flag completeddatetime object optional time value flag completeddatetime datetime string optional time value flag completeddatetime timezone string optional parameter for update message input example {"path parameters" {"userprincipalname" "example name","id" "12345678 1234 1234 1234 123456789abc"},"bccrecipients" \[{"emailaddress" {"address" "string","name" "example name"}}],"body" {"contenttype" "string","content" "string"},"categories" \["string"],"ccrecipients" \[{"emailaddress" {"address" "string","name" "example name"}}],"flag" {"flagstatus" "active","startdatetime" {"datetime" "string","timezone" "string"},"duedatetime" {"datetime" "string","timezone" "string"},"completeddatetime" {"datetime" "string","timezone" "string"}},"from" {"emailaddress" {"address" "string","name" "example name"}},"importance" "string","inferenceclassification" "string","internetmessageid" "string","isdeliveryreceiptrequested"\ true,"isread"\ true,"isreadreceiptrequested"\ true,"multivalueextendedproperties" \[{"id" "12345678 1234 1234 1234 123456789abc","value" \["string"]}],"replyto" \[{"emailaddress" {"address" "string","name" "example name"}}],"sender" {"emailaddress" {"address" "string","name" "example name"}},"singlevalueextendedproperties" \[{"id" "12345678 1234 1234 1234 123456789abc","value" "string"}],"subject" "string","torecipients" \[{"emailaddress" {"address" "string","name" "example name"}}]} output parameter type description status code number http status code of the response reason string response reason phrase receiveddatetime string time value sentdatetime string time value hasattachments boolean output field hasattachments subject string output field subject body object request body data body contenttype string request body data body content string request body data bodypreview string request body data inferenceclassification string output field inferenceclassification output example {"receiveddatetime" "datetime value","sentdatetime" "datetime value","hasattachments"\ true,"subject" "subject value","body" {"contenttype" "","content" "content value"},"bodypreview" "bodypreview value","inferenceclassification" "other"} update user updates a user's properties in microsoft graph api using the specified 'user id' and provided json body data endpoint url /v1 0/users/{{user id}} method patch input argument name type required description path parameters user id string required parameters for the update user action aboutme string optional a freeform text entry field for the user to describe themselves accountenabled boolean optional true if the account is enabled; otherwise, false agegroup string optional sets the age group of the user birthday string optional the birthday of the user businessphones array optional the telephone numbers for the user city string optional the city in which the user is located companyname string optional the name of the company that the user is associated consentprovidedforminor string optional sets whether consent has been obtained for minors country string optional the country/region in which the user is located customsecurityattributes object optional an open complex type that holds the value of a custom security attribute that is assigned to a directory object customsecurityattributes \@odata type string optional response data department string optional the name for the department in which the user works displayname string optional the name displayed in the address book for the user employeeid string optional the employee identifier assigned to the user by the organization employeetype string optional captures enterprise worker type givenname string optional the given name (first name) of the user employeehiredate string optional the hire date of the user the timestamp type represents date and time information using iso 8601 format and is always in utc time employeeleavedatetime string optional the date and time when the user left or will leave the organization the timestamp type represents date and time information using iso 8601 format and is always in utc time employeeorgdata object optional represents organization data (for example, division and costcenter) associated with a user employeeorgdata costcenter string optional the cost center associated with the user employeeorgdata division string optional the name of the division in which the user works interests array optional a list for the user to describe their interests jobtitle string optional the user's job title mail string optional the smtp address for the user, input example {"json body" {"aboutme" "name","accountenabled"\ true,"agegroup" "adult","birthday" "2014 01 01t00 00 00z","businessphones" \["+44 20 7946 0958","+91 9876543210"],"city" "london","companyname" "global enterprises","consentprovidedforminor" "granted","country" "us","customsecurityattributes" {"@odata type" "#microsoft graph customsecurityattributevalue"},"department" "engineering","displayname" "ane m smith","employeeid" "emp123456789","employeetype" "contractor","givenname" "sana","employeehiredate" "2024 05 27t00 00 00z","employeeleavedatetime" "2014 01 01t00 00 00z ","employeeorgdata" {"costcenter" "string","division" "string"},"interests" \["cooking","playing"],"jobtitle" "software engineer","mail" "jeff\@contoso com","mailnickname" "john","mobilephone" "+1234567890","mysite" "https //www example com/johndoe","officelocation" "hyderabad","onpremisesextensionattributes" {"extensionattribute1" "string","extensionattribute2" "string","extensionattribute3" "string","extensionattribute4" "string","extensionattribute5" "string","extensionattribute6" "string","extensionattribute7" "string","extensionattribute8" "string","extensionattribute9" "string","extensionattribute10" "string","extensionattribute11" "string","extensionattribute12" "string","extensionattribute13" "string","extensionattribute14" "string","extensionattribute15" "string"},"onpremisesimmutableid" "01234567 89ab cdef 0123 456789abcdef","othermails" \["bob\@contoso com","robert\@fabrikam com"],"passwordpolicies" "disablestrongpassword","passwordprofile" {"forcechangepasswordnextsignin"\ true,"forcechangepasswordnextsigninwithmfa"\ false,"password" "string"},"pastprojects" \["project alpha","project gama"],"postalcode" "12345","preferredlanguage" "en us","responsibilities" \["managing client relationships","project management"],"schools" \["high school abc","high school xyz"],"skills" \["data analysis","data science"],"state" "ap","streetaddress" "sreeram nagar","surname" "sana","usagelocation" "us","userprincipalname" "john doe\@example com","usertype" "guest"},"path parameters" {"user id" "678f80e5 e506 4f10 895d bf664699475d"}} output parameter type description status code number http status code of the response reason string response reason phrase response text string output field response text output example {"response text" "string"} response headers header description example cache control directives for caching mechanisms no cache client request id http response header client request id fffdaaac 17ba 4eb6 8fac 779da55a44b3 content encoding http response header content encoding gzip content length the length of the response body in bytes 140 content type the media type of the resource application/json;odata metadata=minimal;odata streaming=true;ieee754compatible=false;charset=utf 8 date the date and time at which the message was originated fri, 04 nov 2022 23 07 11 gmt deprecation http response header deprecation link http response header link location the url to redirect a page to https //graph microsoft com https //graph microsoft com odata version http response header odata version 4 0 request id http response header request id 3378699e 5ce6 48bf a2bf df77a101ca85 strict transport security http response header strict transport security max age=31536000 sunset http response header sunset transfer encoding http response header transfer encoding chunked vary http response header vary accept encoding x ms ags diagnostic http response header x ms ags diagnostic {"serverinfo" {"datacenter" "brazil south","slice" "e","ring" "3","scaleunit" "001","roleinstance" "cp1pepf0000307a"}} x ms resource unit http response header x ms resource unit 3