Microsoft Graph Feature Requests

Welcome to the Microsoft Graph UserVoice! Do you have an idea or feature suggestion based on your experience with Microsoft Graph? Please share these with us by submitting your idea below or voting up ideas submitted by other users. This forum will be directly monitored by the Microsoft Graph engineering teams who are working on new features every day.

If you have feedback on a specific API service, please choose the corresponding category. Please submit any broad ideas related to Microsoft Graph or ideas across more than one service to the “General” category.

This site is only for feature suggestions and ideas! If you need technical help, please go to the Microsoft Graph StackOverflow or if you have a Premier support contract raise a support ticket.

For more information on Microsoft Graph, please check out https://graph.microsoft.com.

  1. Delta query with "relationship" properties

    As discussed in detail over at SO (https://stackoverflow.com/questions/63935182/microsoft-graph-user-delta-manager-issue) and with internal Microsoft folks, currently delta queries behave differently when a "relationship" property, such as manager, is requested.

    To be more specific, the following query will result in duplicate objects returned

    https://graph.microsoft.com/v1.0/users/delta?$select=id,displayName,manager

    The initial reply will contain the user along with the corresponding manager, if any. Subsequent nextLink pages will return the same user, without the manager property. In contrast, running the same query without the manager property does not result in duplication of the user objects returned.

    1 vote
    0 comments  ·  Identity and Access
  2. Policy Simulator API

    We are using Azure AD through APIs. I'm looking for an equivalent of https://policysim.aws.amazon.com/ in Azure. The goal is to provide the user context, resource context and action, and evaluate "Effective Privileges" for the user to perform that specific action on the resource. I came across What-If in Azure AD for conditional access. It seems to be the closest feature available, but not quite the same.

    2 votes
    0 comments  ·  Identity and Access
  3. An Application should be able to read its own manifest

    By default an Application should be able to read its own manifest, getting access to «requiredResourceAccess» (to know what permissions have been assigned to the application) and to «passwordCredentials» (to know the App secret expiration date).
    This would be useful to let the customer know if there is a permission issue or that the App secret will expire soon.

    3 votes
    0 comments  ·  Identity and Access
  4. add 'Status' and other missing attributes to the riskDetections endpoint

    There are some very useful attributes present in the RiskySignIns report downloadable from the Azure AD admin center Security section. The most important one in my mind is 'Status', but there is also 'Application' and 'Sign-in error code' and 'Failure' and others. It would be very useful to have these included in the response from the riskDetections endpoint.

    1 vote
    0 comments  ·  Identity and Access
  5. Primary Refresh Token

    Add identifiable Primary Refresh Token (PRT) data to the Azure Active Directory (AAD) sign-in logs so that detections can be built for Pass-the-PRT.

    1 vote
    0 comments  ·  Identity and Access
  6. API to retrieve application SAML SSO User Attributes & Claims data

    We need an API to get an enterprise application's SAML configuration data. Currently certain data can be retrieved through the applications or servicePrincipals API, but not the full SAML configuration.

    For example, User Attributes & Claims. (I have checked https://graph.microsoft.com/v1.0/servicePrincipals/<appid>/claimsMappingPolicies but it always returns an empty result.)

    We have hundreds of enterprise applications with SAML SSO configured in our tenant; it's difficult to audit all those SSO configurations without an API.

    1 vote
    0 comments  ·  Identity and Access
  7. Expose API to update primary (MFA used) Email on AAD B2C. This is critical when AAD B2C is not the SOR. 100K Users affected.

    Expose an API to update the primary (MFA-used) email on AAD B2C. This is critical when AAD B2C is not the SOR. 100K users are affected currently. (Ernst & Young)

    1 vote
    0 comments  ·  Identity and Access
  8. Support Managed Identity

    Various other resources support the use of Managed Identity, like Azure KeyVault does. This prevents the hassle of juggling secrets. The Graph API could use this as well.

    The current (clean) workaround seems to be to use Azure KeyVault with Managed Identity, and then get the client secret used for the Graph API from there.

    1 vote
    0 comments  ·  Identity and Access
  9. Add a way to refresh the accessPackageResource object's properties.

    Currently, resources in the Entitlement Management resource catalog get their properties from the resource when it is added to the catalog. If the resource's name changes, it becomes out of sync with the catalog causing confusion. Ideally, it would be best if the properties were synced. However, a workaround could be to add another method to the graph API accessPackageCatalog resource type to refresh the properties on all the accessPackageResource objects contained in the catalog.

    1 vote
    0 comments  ·  Identity and Access
  10. orgContacts should support "msExchHideFromAddressLists"

    Full story: Our goal was to query an API that is "like" the traditional GAL. In theory the GAL is just a combination of users and contacts, so we thought that it would be ok-ish to just get all users first and then query orgContacts.

    Unfortunately we discovered that the orgContacts API (https://docs.microsoft.com/en-us/graph/api/orgcontact-list?view=graph-rest-1.0&tabs=http) will return all contacts from the tenant.
    In our tenant some contacts are flagged with msExchHideFromAddressLists, and it would be a no-go for our application to surface such "hidden" contacts. We didn't find a way to filter them.

    It would be nice to have this "old…

    1 vote
    0 comments  ·  Identity and Access
  11. Add $count and $select capabilities to all auditLogs resources

    Analyzing logs is heavy on data in large environments. It would make a lot of sense to make it possible to use $count and $select for these kinds of queries.

    Reduce Microsoft Graph load, bandwidth usage, and client resource usage by making $count and $select available to all resource types that fall inside auditLogs.

    2 votes
    0 comments  ·  Identity and Access
  12. create retention event

    Hi,

    There is the ability to create an event using a REST API - https://docs.microsoft.com/en-us/microsoft-365/compliance/automate-event-driven-retention?view=o365-worldwide
    However, this only seems to work with basic authentication, which some orgs don't allow.
    Can you extend the Graph API to provide permissions for this also?

    1 vote
    0 comments  ·  Identity and Access
  13. Support Re-register for MFA for a user with Graph

    Admins and apps should be able to programmatically enforce "Re-register MFA" for a user. This is missing in Graph.

    See also https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings
    "Require Re-register MFA makes it so that when the user signs in next time, they're requested to set up a new MFA authentication method."

    Thx, Toni

    13 votes
    3 comments  ·  Identity and Access
  14. Application permission on domain level

    We are working with enterprise companies that have a lot of legal entities involved. We are building a third-party app and always run into trouble if there is a tenant with different domains/legal entities, because usually domain admins will not give permissions for parts of the enterprise that are not covered by contracts.

    It would be great if application permissions could be combined with a domain (easiest) OR some part of the AAD information (like Division or an extra attribute).

    For example: I am domain admin of the tenant contexxt.ai, and I've a legal entity called zukunftsdidaktik.de in my tenant. I want…

    1 vote
    0 comments  ·  Identity and Access
  15. API to get notification email addresses listed on SAML certs

    We need a way, either through PowerShell or an API, to get the notification email address(es) listed on a SAML signing cert and be able to update them. This way we can check if the correct email address is listed and update it if needed.

    1 vote
    0 comments  ·  Identity and Access
  16. Allow Dynamic scoping to Application access policies in Exchange.

    When using ApplicationAccessPolicy to limit application permissions in Exchange, you can only use mail-enabled security groups. You cannot create a dynamic mail-enabled security group. This creates a problem when trying to limit an application to a dynamic group of mailboxes. (Application Permissions)
    We have a need to manage applications on a country level. An application in one country may be only approved to work on mailboxes in that country. We have not found a way to secure Graph API application access within Exchange to only the mailboxes in that country because there is not a way to dynamically manage…

    3 votes
    0 comments  ·  Identity and Access
  17. Graph API support for finding out shared mailboxes and Public folders

    Graph API support for finding out shared mailboxes and Public folders.

    This info is accessible by PowerShell only.

    4 votes
    0 comments  ·  Identity and Access
  18. Can you please also add the Azure AD B2C user flows to this application.

    Please integrate the Azure AD B2C SignUpandSignIn flow in this application.

    There is no proper end-to-end document or sample Android code available for B2C user flows.

    3 votes
    0 comments  ·  Identity and Access
  19. Provide a programmatic way to request Azure MFA verification of users.

    Provide a programmatic way to request verification of users (e.g. push, sms, etc) via Azure MFA.

    I would use this in two ways:

    a. Custom step-up authentication in our custom applications, where we want to do a push auth, but we don’t want the user to enter a password.

    b. Allowing help desk analysts to authenticate users remotely before providing assistance.

    A competitor has a similar RESTful API:
    https://duo.com/docs/authapi#/auth

    5 votes
    1 comment  ·  Identity and Access
  20. Allow Exchange Application Access Policies to scope access to non-user mailboxes, e.g. Shared Mailboxes

    Allow Exchange Application Access Policies to scope access to non-user mailboxes, e.g. Shared Mailboxes, Resource Mailboxes, etc. Currently the documentation for the New-ApplicationAccessPolicy cmdlet indicates that policy scopes (PolicyScopeGroupID parameter) "only accepts recipients that are security principals. The following types of recipients are not security principals, so you can't use them with this parameter: Discovery mailboxes, Dynamic distribution groups, Distribution groups, Shared mailboxes".

    We have an urgent need to be able to scope Graph API based non-interactive applications to only be able to access specific Shared Mailboxes, not all mailboxes in the tenant. We thought we could use App Scoping…

    2 votes
    0 comments  ·  Identity and Access