Microsoft Graph Feature Requests

Welcome to the Microsoft Graph UserVoice! Do you have an idea or feature suggestion based on your experience with Microsoft Graph? Please share these with us by submitting your idea below or voting up ideas submitted by other users. This forum will be directly monitored by the Microsoft Graph engineering teams who are working on new features every day.

If you have feedback on a specific API service, please choose the corresponding category. Please submit any broad ideas related to Microsoft Graph or ideas across more than one service to the “General” category.

This site is only for feature suggestions and ideas! If you need technical help, please go to the Microsoft Graph StackOverflow or, if you have a Premier support contract, raise a support ticket.

For more information on Microsoft Graph, please check out https://graph.microsoft.com.


  1. Restrict permissions to app-only Azure AD applications consuming Office 365 services on resource level

    Large organizations start leveraging the Graph API to provide integrations between their third party applications and Office 365. In such companies it is common to delegate the development of integrations from the central IT organization to other business units.
    The current app-only permission privileges are not appropriate for such types of setups since there is currently no way to limit the permissions for that app to a specific resource in Office 365. This makes such use cases impossible to implement.

    As an example we could consider SharePoint Online. Whenever a business unit has to develop a daemon tool that exchanges…

    515 votes

    62 comments  ·  Identity and Access

    Work has started. This feature is currently in preview for certain Teams resources with the name “resource-specific consent” (RSC).

    Admin documentation: https://docs.microsoft.com/en-us/MicrosoftTeams/resource-specific-consent

    Developer documentation: https://docs.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent

    We intend to continue adding support for additional resource types in the future (e.g. SharePoint content), but we have no ETA to share at this time.

  2. Support Re-register for MFA for a user with Graph

    Admins and apps should be able to programmatically enforce "Re-register MFA" for a user. This is missing in Graph.

    See also https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
    "Require Re-register MFA makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method."

    Thx, Toni

    27 votes

    3 comments  ·  Identity and Access
  3. Access review creation - please add "Additional content for reviewer email" or "Friendly description" property that appears in the "Advanced

    According to this page https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review?source=docs#feedback you can set the "Additional content for reviewer email" or "Friendly description" property, which is a way to communicate additional information such as additional instructions or contact information (those kinds of details) to the users.
    Checking the Graph API Reference, still in beta, https://docs.microsoft.com/en-us/graph/api/accessreview-create?view=graph-rest-beta I couldn't find those properties. I use access reviews a lot, and in case there is a need to update this value, is it at this moment possible only by adding it manually in the Azure Identity Governance > Access reviews UI? How can it be updated through an automatic process using…

    2 votes

    0 comments  ·  Identity and Access
  4. [Feature Request] MultiTenant Application - Tenant Specific client secret

    Need support for tenant-specific client secrets (just like permissions). Sharing of the client secret would be easy for integrations, and we can avoid exposure to other tenant data just by changing the tenant id.

    1 vote

    0 comments  ·  Identity and Access
  5. Graph API /passwordAuthenticationMethod/resetPassword - Option to not prompt users for password change

    When using the /passwordAuthenticationMethod/resetPassword Graph API endpoint, we need an option to not prompt users to change their password upon login. This option is available via MSOL PowerShell, as well as in admin.microsoft.com, but not via this Graph endpoint.

    1 vote

    0 comments  ·  Identity and Access
  6. Make it possible to expand manager for groups with only GroupMember.Read.All

    Recently it was made possible to request manager information when querying data from all users in Azure AD, using just the User.Read.All permission. When requesting the same information for the members of a group, GroupMember.Read.All is not sufficient, and the least permission I've found that can successfully run the query is Directory.Read.All, which is considered not acceptable by many of our customers.

    Would it be possible to expand the manager fields when querying data from a list of group members just using the GroupMember.Read.All permission?
    Example query:
    GET https://graph.microsoft.com/v1.0/groups/[groupId]/members/microsoft.graph.user?$select=id&$expand=manager

    1 vote

    0 comments  ·  Identity and Access
  7. Make AAD Portal configuration options queryable via supported API

    It's surprising that there are Azure AD options that are configurable only in the portal, including account lockout/smart lockout and the 'restrict access to AAD admin portal' option. When working on an infrastructure-as-code environment, it's disruptive when there are portal-only actions that you want to inspect or set.

    1 vote

    0 comments  ·  Identity and Access
  8. Do not require AppRoleAssignment.ReadWrite.All for a service principal if the service principal is an Owner

    It seems Service Principals that manage an Application's AppRole currently require AppRoleAssignment.ReadWrite.All Graph role, which would grant it write permissions on all applications. This would make this Service Principal an attack vector and essentially make it impossible for a security-conscious admin to grant this role.
    Graph could check that the Service Principal making an attempt to create an AppRole assignment is an Owner of the Application (like it does when a User is requesting this operation) and avoid requiring the highly-privileged AppRoleAssignment.ReadWrite.All.

    1 vote

    1 comment  ·  Identity and Access
  9. Policy Simulator API

    We are using Azure AD through APIs. I'm looking for an equivalent of https://policysim.aws.amazon.com/ in Azure. The goal is to provide the user context, resource context and Action, and evaluate "Effective Privileges" for the user to perform that specific action on the resource. Came across What-If in Azure AD for conditional access. Seems to be the closest feature available; but not quite the same.

    4 votes

    0 comments  ·  Identity and Access
  10. An Application should be able to read its own manifest

    By default an Application should be able to read its own manifest, getting access to «requiredResourceAccess» (to know what permissions have been assigned to the application) and to «passwordCredentials» (to know the App secret expiration date).
    This would be useful to let the customer know if there is a permission issue or that the App secret will expire soon.

    4 votes

    0 comments  ·  Identity and Access
  11. Allow Creation of Application Roles

    There seems to be no method that allows creation of a new Role in an Application.
    The only way appears to be to add App Roles using the Azure AD Graph API.
    Surely this is also required by the Azure Portal?

    1 vote

    0 comments  ·  Identity and Access
  12. User Department Contains filter

    Please construct a way to filter the Users Department field, as starts with, ends with and eq are not useful on a national platform.

    The User OData options (Search and Filtering) need to be prioritized as they are not lacking behind competitors and also OData standard.

    1 vote

    0 comments  ·  Identity and Access
  13. Variable throttling limits depending on license or app

    When we need to get data out of O365, speed is important. The throttling is excessive. Suggest something in the line of E3 4X standard, E5 10X standard. You could even limit the increase to the app IDs of certain level of partners.

    19 votes

    4 comments  ·  Identity and Access
  14. Provide a programmatic way to request Azure MFA verification of users.

    Provide a programmatic way to request verification of users (e.g. push, sms, etc) via Azure MFA.

    I would use this in two ways:

    a. Custom step-up authentication in our custom applications, where we want to do a push auth, but we don’t want the user to enter a password.

    b. Allowing help desk analysts to authenticate users remotely before providing assistance.

    A competitor has a similar RESTful API:
    https://duo.com/docs/authapi#/auth

    6 votes

    1 comment  ·  Identity and Access
  15. Grouping Enterprise Application for Assign into Conditional Access Policy

    I see that a Conditional Access Policy can be assigned to several apps https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps. But I need to assign many apps, and I hit the limit on assigning cloud apps. I think we need a way of grouping the apps, so that I do not need to assign many apps in the Conditional Access Policy.

    1 vote

    0 comments  ·  Identity and Access
  16. Graph API support for finding out shared mailboxes and Public folders

    Graph API support for finding out shared mailboxes and Public folders.

    This info is accessible by PowerShell only.

    6 votes

    0 comments  ·  Identity and Access
  17. Delta query with "relationship" properties

    As discussed in detail over at SO (https://stackoverflow.com/questions/63935182/microsoft-graph-user-delta-manager-issue) and with internal Microsoft folks, currently delta queries behave differently when a "relationship" property, such as manager, is requested.

    To be more specific, the following query will result in duplicate objects returned

    https://graph.microsoft.com/v1.0/users/delta?$select=id,displayName,manager

    The initial reply will contain the user along with the corresponding manager, if any. Subsequent nextLink pages will return the same user, without the manager property. In contrast, running the same query without the manager property does not result in duplication of the user objects returned.

    1 vote

    0 comments  ·  Identity and Access
  18. Add 'Status' and other missing attributes to the riskDetections endpoint

    There are some very useful attributes present in the RiskySignIns report downloadable from the Azure AD admin center Security section. The most important one in my mind is 'Status', but there is also 'Application' and 'Sign-in error code' and 'Failure' and others. It would be very useful to have these included in the response from the riskDetections endpoint.

    1 vote

    0 comments  ·  Identity and Access
  19. Primary Refresh Token

    Add identifiable Primary Refresh Token (PRT) data to the Azure Active Directory (AAD) sign-in logs so detections can be made on Pass-the-PRT.

    1 vote

    0 comments  ·  Identity and Access
  20. API to retrieve application SAML SSO User Attributes & Claims data

    Need an API to get an Enterprise application's SAML configuration data. Currently certain data can be retrieved through the applications or servicePrincipals API, but not the full SAML configuration.

    For example, User Attributes & Claims. (I have checked https://graph.microsoft.com/v1.0/servicePrincipals/<appid>/claimsMappingPolicies but it always returns an empty result.)

    We have hundreds of enterprise applications with SAML SSO configured in our tenant; it's difficult to audit all those SSO configurations without an API.

    1 vote

    0 comments  ·  Identity and Access