Microsoft Graph Feature Requests

Welcome to the Microsoft Graph UserVoice! Do you have an idea or feature suggestion based on your experience with Microsoft Graph? Please share these with us by submitting your idea below or voting up ideas submitted by other users. This forum will be directly monitored by the Microsoft Graph engineering teams who are working on new features every day.

If you have feedback on a specific API service, please choose the corresponding category. Please submit any broad ideas related to Microsoft Graph or ideas across more than one service to the “General” category.

This site is only for feature suggestions and ideas! If you need technical help, please go to the Microsoft Graph StackOverflow or if you have a Premier support contract raise a support ticket.

For more information on Microsoft Graph, please check out https://graph.microsoft.com.


  1. Restrict permissions to app-only Azure AD applications consuming Office 365 services on resource level

    Large organizations start leveraging the Graph API to provide integrations between their third party applications and Office 365. In such companies it is common to delegate the development of integrations from the central IT organization to other business units.
    The current app-only permission privileges are not appropriate for such types of setups since there is currently no way to limit the permissions for that app to a specific resource in Office 365. This makes such use cases impossible to implement.

    As an example we could consider SharePoint Online. Whenever a business unit has to develop a daemon tool that exchanges…

    367 votes
    49 comments  ·  Identity and Access

    Work has started. We plan to build an experience where end users and administrators can pick a specific resource to grant consent to, such as a specific group or site. This will be programmable through Microsoft Graph API.

  2. Variable throttling limits depending on license or app

    When we need to get data out of O365, speed is important. The throttling is excessive. Suggest something in the line of E3 4X standard, E5 10X standard. You could even limit the increase to the app IDs of certain level of partners.

    17 votes
    4 comments  ·  Identity and Access

  3. Support Re-register for MFA for a user with Graph

    Admins and apps should be able to programmatically enforce "Re-register MFA" for a user. This is missing in Graph.

    See also https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
    "Require Re-register MFA makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method."

    Thx, Toni

    3 votes
    0 comments  ·  Identity and Access

  4. Allow Dynamic scoping to Application access policies in Exchange.

    When using ApplicationAccessPolicy to limit Application permissions in Exchange, you can only use Mail Enabled security groups. You cannot create a dynamic mail enabled security group. This creates a problem when trying to limit an application to a dynamic group of mailboxes. (Application Permissions)
    We have a need to manage applications on a country level. An application in one country may be only approved to work on mailboxes in that country. We have not found a way to secure GraphAPI Application access within Exchange to only the mailboxes in that country because there is not a way to dynamically manage…

    3 votes
    0 comments  ·  Identity and Access

  5. Graph API Beta - Un-assign Policy from Service Principal

    Today there is an endpoint to assign Azure AD Policies to service principals, but there is no endpoint to un-assign a policy from a Service Principal.

    Here is the endpoint to assign a policy:
    https://docs.microsoft.com/en-us/graph/api/policy-assign?view=graph-rest-beta

    Here is a link to the PowerShell cmdlet for unassign policy:
    https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadserviceprincipalpolicy?view=azureadps-2.0-preview

    7 votes
    0 comments  ·  Identity and Access

    First note is that we now have named policies rather than a single policy type. This change was made in February, just after your post. See https://docs.microsoft.com/en-us/graph/changelog#identity-and-access-azure-ad-3

    The docs have recently been updated to ensure that the Add, List and Remove topics are present. Please see an example:
    https://docs.microsoft.com/en-gb/graph/api/serviceprincipal-delete-claimsmappingpolicies?view=graph-rest-beta&tabs=http

    While policies are ALSO in v1.0, you can’t currently assign them to servicePrincipals as we only just added this to v1.0. An update will go out in a couple of weeks to enable add, list and remove typed policies to/from a servicePrincipal.

  6. Add $count and $select capabilities to all auditLogs resources

    Analyzing logs is heavy on data in large environments. It would make a lot of sense to make it possible to use $count and $select for these kinds of queries.

    Reduce Microsoft Graph load, bandwidth usage, and client resource usage, by making $count and $select available to all resource types that fall inside auditLogs.

    1 vote
    0 comments  ·  Identity and Access

  7. Add getServicePrincipalsByAppIds

    graph.windows.net provides an endpoint to retrieve a service principal using the App Id property: "https://graph.windows.net/myorganization/getServicePrincipalsByAppIds?api-version=2.0"

    Microsoft Graph requires us to use the list endpoint with a displayName filter. It would be beneficial to retrieve a service principal using the appId.

    1 vote
    0 comments  ·  Identity and Access

  8. Allow notification for user registration (creation) in Azure B2C tenant

    Applications in a B2C workflow need to be able to know when new users have registered.

    In our current flow a user purchases a license to our product. The billing software will call a webhook to our application which triggers a transactional email with a registration link (this is an Azure B2C registration link). We need to be able to know once the user has completed registration (e.g. we need to be able to subscribe to a "user created" event that calls our application whenever the user signs up). This is important to send a welcome email and bootstrap the…

    10 votes
    0 comments  ·  Identity and Access

  9. create retention event

    Hi,

    There is the ability available to create an event using REST API - https://docs.microsoft.com/en-us/microsoft-365/compliance/automate-event-driven-retention?view=o365-worldwide
    However this only seems to work with basic authentication, which some orgs don't allow.
    Can you extend Graph API to provide permissions for this also?

    1 vote
    0 comments  ·  Identity and Access

  10. Graph API support for finding out shared mailboxes and Public folders

    Graph API support for finding out shared mailboxes and Public folders.

    This info is accessible by PowerShell only.

    2 votes
    0 comments  ·  Identity and Access

  11. Allow Application Permission to privilegedApproval API

    Allow Application Permission to privilegedApproval GraphAPI to allow creating other interfaces to approve PIM Requests.
    (Or just put Teams approval function for PIM)

    3 votes
    0 comments  ·  Identity and Access

  12. Provide a programmatic way to request Azure MFA verification of users.

    Provide a programmatic way to request verification of users (e.g. push, sms, etc) via Azure MFA.

    I would use this in two ways:

    a. Custom step-up authentication in our custom applications, where we want to do a push auth, but we don’t want the user to enter a password.

    b. Allowing help desk analysts to authenticate users remotely before providing assistance.

    A competitor has a similar RESTful API:
    https://duo.com/docs/authapi#/auth

    2 votes
    0 comments  ·  Identity and Access

  13. Allow Exchange Application Access Policies to scope access to non-user mailboxes, e.g. Shared Mailboxes

    Allow Exchange Application Access Policies to scope access to non-user mailboxes, e.g. Shared Mailboxes, Resource Mailboxes, etc. Currently the documentation for the New-ApplicationAccessPolicy cmdlet indicates that policy scopes (PolicyScopeGroupID parameter) "only accepts recipients that are security principals. The following types of recipients are not security principals, so you can't use them with this parameter: Discovery mailboxes, Dynamic distribution groups, Distribution groups, Shared mailboxes".

    We have an urgent need to be able to scope Graph API based non-interactive applications to only be able to access specific Shared Mailboxes, not all mailboxes in the tenant. We thought we could use App Scoping…

    2 votes
    0 comments  ·  Identity and Access

  14. Application permission on domain level

    We are working with enterprise companies with a lot of concerning legal entities. We are building a third party app and are always running into trouble if there is a tenant with different domains/legal entities, because usually domain admins will not give permissions to parts of the enterprise that are not covered by contracts.

    It would be great if application permission can be combined with domain (easiest) OR some part of AAD-information (like Division or an extra attribute).

    For example: I am domain admin of the tenant contexxt.ai, and I've a legal entity called zukunftsdidaktik.de in my tenant. I want…

    1 vote
    0 comments  ·  Identity and Access

  15. API to get notification email addresses listed on SAML certs

    We need a way, either through PowerShell or API, to get the notification email address(es) listed on a SAML signing cert and be able to update them. This way we can check if the correct email address is listed and update it if needed.

    1 vote
    0 comments  ·  Identity and Access

  16. Log of the activity across your OneDrive account so if your account gets hacked you can see what activity that hacker performed

    Log of the activity across your OneDrive account so if your account gets hacked you can see what activity that hacker performed - did they view any files, did they download any files, etc.

    1 vote
    0 comments  ·  Identity and Access

  17. Make it possible to manipulate CustomAttributes for organizational Contacts

    Organizational Contacts make it possible to share contacts via Tenant to Tenant. The only decent way to key off source tenant is via adding ExternalDirectoryObjectId to a custom attribute. Please consider adding this to the Graph API. Graph is phenomenal, however, the details really matter when collaborating T2T.

    orgcontact #orgcontacts

    13 votes
    1 comment  ·  Identity and Access

  18. Failed to admin consent for Microsoft Graph API from Azure portal

    I created a Public Client App in Azure Portal, then added all Microsoft Graph API delegated permissions, 208 permissions in total. Then when I clicked 'On behalf of Admin Consent' and waited for a while, I got the following error message:
    unable to grant consent: Value length '10462' is out of the valid range of '1' to '8000' for property 'DelegationScope'. [WUCaV]

    I tried to use https://xxxx/adminconsent, and it failed with the same error message. Please suggest what I missed. Thanks!

    1 vote
    0 comments  ·  Identity and Access

  19. Extend MSGraph to only query failed sign-ins. Not possible now.

    I'm trying to query only the failed sign-ins using the $filter parameter but it only supports status/errorCode eq [errorcode].

    This means that I need to know all error codes beforehand, which I don't.

    Can this filter be extended with status/errorCode ge 1?

    This would really make life easier.

    1 vote
    0 comments  ·  Identity and Access

  20. To provide user's base location/country.

    Currently, User's Country is shown as Null through Graph API. It would be helpful, if the Country field is populated with location where user is currently based. If the user moves from one country to another, the country field must be updated.

    2 votes
    0 comments  ·  Identity and Access