Microsoft Graph Feature Requests

Welcome to the Microsoft Graph UserVoice! Do you have an idea or feature suggestion based on your experience with Microsoft Graph? Please share these with us by submitting your idea below or voting up ideas submitted by other users. This forum will be directly monitored by the Microsoft Graph engineering teams who are working on new features every day.

If you have feedback on a specific API service, please choose the corresponding category. Please submit any broad ideas related to Microsoft Graph or ideas across more than one service to the “General” category.

This site is only for feature suggestions and ideas! If you need technical help, please go to the Microsoft Graph StackOverflow or if you have a Premier support contract raise a support ticket.

For more information on Microsoft Graph, please check out https://graph.microsoft.com.


  1. Microsoft Graph API to support Enterprise Application User Querying

    Support for the ability to query AD users that are provisioned to an enterprise application.

    Based off of the Microsoft Graph API there is no way to actively see the users and their associated permissions to an enterprise application.

    7 votes
    0 comments  ·  Identity and Access

    This API does exist and you can find it here:
    https://docs.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignments?view=graph-rest-beta&tabs=http

    Granted – this documentation can be massively improved. In the response you need to look at the principalType as it can be user, group or servicePrincipal. For your scenario, you can ignore servicePrincipal, but if a group is provisioned to an enterprise application, you’ll need to get the group’s direct group members (using GET ../groups/{id}/members) to find the users assigned (indirectly) to this enterprise application.

  2. Need API to get Azure AD tenant type: B2C or not

    We manage multiple Azure AD tenants and we need a property to distinguish b2c and non-b2c tenants. Right now we use a workaround - run MS Graph Delta API and analyse if an error occurred. b2c doesn't support Delta - so we can understand that it is b2c.

    7 votes
    0 comments  ·  Identity and Access
  3. Support Re-register for MFA for a user with Graph

    Admins and apps should be able to programmatically enforce "Re-register MFA" for a user. This is missing in Graph.

    See also https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
    "Require Re-register MFA makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method."

    Thx, Toni

    5 votes
    1 comment  ·  Identity and Access
  4. Directory.AccessAsUser.All, How to add this permission to my registered app. It's a Delegated permission but I need it in Application.

    Directory.AccessAsUser.All, How to add this permission to my registered app. It's a Delegated permission but I need it in Application permissions. So my app can have access to Reset password.

    When updating the passwordProfile property, the following permission is required: Directory.AccessAsUser.All.

    5 votes
    1 comment  ·  Identity and Access
  5. Return the nextlifecycledate from subscribedSkus

    Return the nextlifecycledate for
    GET https://graph.microsoft.com/beta/subscribedSkus

    get-msolsubscription returns this property. As you encourage people to use graph APIs, instead of MSOL commandlets, please try to provide equivalent functionality in the graph api world.

    5 votes
    0 comments  ·  Identity and Access
  6. Allow data such as SAML, 2FA, conditional access in Azure AD through Graph API

    I guess the graph API is relatively new with some good features but still lacks certain resources.

    Access to data like SAML, 2FA, conditional access corresponding to every App in Azure AD through Graph API would be great.

    4 votes
    2 comments  ·  Identity and Access
  7. Handle Admin Consent App Authorization Errors

    This site lists which errors will be sent back via the redirect_uri:
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-protocols-oauth-code

    However it would be good to add the following error to this list so that it can also be handled on the app side:
    "This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."

    4 votes
    0 comments  ·  Identity and Access
  8. Allow Dynamic scoping to Application access policies in Exchange.

    When Using ApplicationAccessPolicy to limit Application permissions in Exchange, you can only use Mail Enabled security groups. You cannot create a dynamic mail enabled security group. This creates a problem when trying to limit an application to a dynamic group of mailboxes. (Application Permissions)
    We have a need to manage applications on a country level. An application in one country may be only approved to work on mailboxes in that country. We have not found a way to secure GraphAPI Application access within Exchange to only the mailboxes in that country because there is not a way to dynamically manage…

    3 votes
    0 comments  ·  Identity and Access
  9. Graph API support for finding out shared mailboxes and Public folders

    Graph API support for finding out shared mailboxes and Public folders.

    This info is accessible by powershell only.

    3 votes
    0 comments  ·  Identity and Access
  10. Allow Application Permission to privilegedApproval API

    Allow Application Permission to privilegedApproval GraphAPI to allow creating other interfaces to approve PIM Requests.
    (Or just put Teams approval function for PIM)

    3 votes
    0 comments  ·  Identity and Access
  11. Connect to outlook Office 365 IMAP using OAUTH2

    From https://stackoverflow.com/questions/29747477/imap-auth-in-office-365-using-oauth2

    It would be way easier to integrate with Office 365 if only you could allow us to log in to IMAP using OAuth2. I understand that you are biased towards REST API but it's just making a developer's life a hell.

    3 votes
    0 comments  ·  Identity and Access
  12. API to create and modify service principals with SAML SSO settings (example is SalesForce app)

    We need an API to create or modify SAML SSO enabled applications in Azure AD. Use case is: somebody deleted the SalesForce application by mistake - we want the script to restore this app with all settings.

    3 votes
    0 comments  ·  Identity and Access
  13. Allow service apps to create subscriptions for emails, contacts, etc. for an entire tenant

    When an admin grants consent to my service application, I would like to be able to create a subscription for changes to emails, contacts, and other resource types, across the entire tenant. Unless I'm mistaken, I currently have to create a subscription for each user separately. It would be easier to only have to create one subscription for all users in the tenant and theoretically that would allow me to support more than 50,000 users (the max number of subscriptions that an application can create).

    3 votes
    0 comments  ·  Identity and Access
  14. Improve audit API signal-to-noise ratio by publishing MS-initiated events on a different endpoint

    User-initiated audit events often get drowned out by floods of MS-initiated events. These MS events are undocumented, don't present any obvious utility to the observer and can't easily be filtered out. They really should be on a separate endpoint so they can be ignored unless there were some need to monitor them. I understand that the Azure Graph is being deprecated. I hope this can be taken into consideration if and when the audit and reporting events get moved to the MS graph.

    3 votes
    0 comments  ·  Identity and Access
  15. Expose the passwordDescription field for application's client credential keys in Microsoft Graph API or Azure Graph API

    Currently when we get a list of keys for an application through the Graph API, it returns the startDate, endDate, KeyId and Type. However, through the Azure Web portal we are able to set and view a description field when we go to settings -> keys. I don't see why this field should not be exposed through the APIs as well.

    3 votes
    0 comments  ·  Identity and Access
  16. Provide details of license dependency in subscribed sku response

    It would be very helpful if we got details of which license plan depends on which other license plan of the same SKU. Because many times we get a failure in license plan assignment/removal with an error like

    License assignment failed because service plan <a> depends on the service plan(s) <b>

    3 votes
    0 comments  ·  Identity and Access
  17. make it possible to utilize other domains than .com for Graph extensions

    Currently one can only register schema extensions that have a name of a validated .com domain within the Azure Active Directory tenant. It should be possible to utilize other domains than .com for this purpose.

    3 votes
    0 comments  ·  Identity and Access
  18. Add $count and $select capabilities to all auditLogs resources

    Analyzing logs is heavy on data in large environments. It would make a lot of sense to make it possible to use $count and $select for these kinds of queries.

    Reduce Microsoft Graph load, bandwidth usage, and client resource usage, by making $count and $select available to all resource types that fall inside auditLogs.

    2 votes
    0 comments  ·  Identity and Access
  19. Provide a programmatic way to request Azure MFA verification of users.

    Provide a programmatic way to request verification of users (e.g. push, sms, etc) via Azure MFA.

    I would use this in two ways:

    a. Custom step-up authentication in our custom applications, where we want to do a push auth, but we don’t want the user to enter a password.

    b. Allowing help desk analysts to authenticate users remotely before providing assistance.

    A competitor has a similar restful API:
    https://duo.com/docs/authapi#/auth

    2 votes
    0 comments  ·  Identity and Access
  20. Allow Exchange Application Access Policies to scope access to non-user mailboxes, e.g. Shared Mailboxes

    Allow Exchange Application Access Policies to scope access to non-user mailboxes, e.g. Shared Mailboxes, Resource Mailboxes, etc. Currently the documentation for the New-ApplicationAccessPolicy cmdlet indicates that policy scopes (PolicyScopeGroupID parameter) "only accepts recipients that are security principals. The following types of recipients are not security principals, so you can't use them with this parameter: Discovery mailboxes, Dynamic distribution groups, Distribution groups, Shared mailboxes".

    We have an urgent need to be able to scope Graph API based non-interactive applications to only be able to access specific Shared Mailboxes, not all mailboxes in the tenant. We thought we could use App Scoping…

    2 votes
    0 comments  ·  Identity and Access