Microsoft Graph Feature Requests

Welcome to the Microsoft Graph UserVoice! Do you have anidea or feature suggestion based on your experience with Microsoft Graph?Please share these with us by submitting your idea below or voting up ideassubmitted by other users. This forum will be directly monitored by theMicrosoft Graph engineering teams who are working on new features every day.

If you have feedback on a specific API service, pleasechoose the corresponding category. Please submit any broad ideas related toMicrosoft Graph or ideas across more than one service to the “General”category.

This site is only for feature suggestions and ideas! If youneed technical help, please go to the Microsoft Graph StackOverflow or if you have a Premier support contract raise a support ticket.

For more information on the Microsoft Graph, please checkout https://graph.microsoft.com .


  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Restrict permissions to app-only Azure AD applications consuming Office 365 services on resource level

    Large organization start leveraging the Graph API to provide integrations between their third party applications and Office 365. In such companies it is common to delegate the development of integrations from the central IT organization to other business units.
    The current app-only permission priviledges are not appropriate for such types of setups since there is currently no way to limit the permissions for that app to a specific resource in Office 365. This makes such use cases impossible to implement.

    As an example we could consider SharePoint Online. Whever a business unit has to develop a daemon tool that exchanges…

    215 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    24 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →

    Work has started. We plan to build an experience where end users and administrators can pick a specific resource to grant consent to, such as a specific group or site. This will be programmable through Microsoft Graph API.

  2. Expand navigation property of children with a single query

    Impossible to get members of Azure AD group with expanded 'manager' property in one request.
    for example:
    https://graph.windows.net/<tenantid>/directoryObjects/<groupid>/members/?api-version=1.6&$expand=manager

    we gets the following response:
    {"code":"Request_UnsupportedQuery","message":{"lang":"en","value":"An unsupported query was observed. Please ensure you query does not navigate across multiple reference-properties."}

    I suppose reason of such response is clear. and current workaround is the following:
    1) Get group members
    2) for each five members(using OData batch) get manager
    But this way make us do a lot of requests to Azure AD and we expect performance degradation here.

    We develop multi tenant application which access Azure AD of all our customers…

    67 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Azure AD Team responded

    We are still looking into it! It is due to current platform limitation, and there is some work going on to address this. Again, thank you for the suggestions! Keep the votes coming.

  3. Support Azure Conditional Access for Microsoft Graph

    A lot of Microsoft products does not work as expected due to the fact the Microsoft Graph does not support Azure Conditional Access. Among the applications I can mention is Microsoft Teams, ToDo, etc. that all rely on the Microsoft Graph and breaks to to limited support or no support for Azure Conditional Access.

    Teams:
    https://microsoftteams.uservoice.com/forums/555103-public/suggestions/32657161-conditional-access-team-authentication

    ToDo:
    https://todo.uservoice.com/forums/597175-feature-suggestions/suggestions/32007451-add-support-for-conditional-access

    /Peter Selch Dahl - Azure MVP

    37 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  4. Allow to set the background color of your app in the O365 app launcher

    Currently the color is grey by default and will most likely not go well with all types of icons SaaS apps will come in. Being able to define the own color would allow a SaaS app vendor to also use that color for identification purposes etc.

    18 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    4 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  5. 16 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →

    WhenCreated (createdDateTime) is already exposed on some objects, like user, and organization in Microsoft Graph. This may get extended to other objects. NOTE for the user resource you will need to explicitly $select this property to get it in the response.

    We don’t currently expose WhenChanged. I don’t think this is even in the backlog – sorry. We would also need to look at the history aspect, but you could build your own history (including when changed) by using the directory audit logs – https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-auditlog-overview?view=graph-rest-1.0

  6. Support Azure AD B2C local account

    There is currently no easy way to manage Azure AD B2C local account from a .Net Core app.

    Currently the only way to manage B2C local account is with Azure AD Graph API through Microsoft.Azure.ActiveDirectory.GraphClient nuget. But since those projects are deprecated and only maintained for critical issues, they will not be ported to .Net Core.

    If you have an ASP.Net Core WebApp or WebApi you need to use the Microsoft Graph .NET Client Library which support .Net Standard 1.1. But as Microsoft Graph API does not support local account, it is useless if your tenant is an Azure AD…

    13 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →

    This is now in Microsoft Graph beta. Please see the identities property of the user resource https://docs.microsoft.com/graph/api/resources/user?view=graph-rest-beta and the objectIdentity resource type: https://docs.microsoft.com/graph/api/resources/objectidentity?view=graph-rest-beta. You can see an example of creating a user with the identities property here (second example): https://docs.microsoft.com/graph/api/user-post-users?view=graph-rest-beta&tabs=http

    We hope to have this in GA by end of 2019 Q4, but it might roll into 2020 Q1.

  7. Expose New API to work with Company Branding via Graph API

    Expose new API to work with company branding like Sign-in page background image, Sign in page text, Sign-in page background color etc.
    or extend /organization endpoint.

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  8. Graph - Add "isAdmin: true/false" to /me to identify users I can prompt for Admin consent

    My application can be used in a basic mode without Admin permissions. I would like to prompt Administrators for advanced permissions. Currently I cannot detect who is an Admin without already being granted Directory.Read.All permission by an Admin.

    If the "me" route could identify whether the user is an Admin or not it would allow much more control from our application side, without exposing much information

    11 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  9. Add user.readBasic.all permission as an app permission in Graph

    Azure AD graph has delegated permissions for user.readBasic.all which restricts the information that a 3rd party accessing this api can capture from our tenancy directory. We have a 3rd party app that accesses the Azure directory to retrieve basic data to set up accounts in its user directory and we need to restrict this to the basic data due to the security risk. We cannot rely on the 3rd party just doing the right thing all the time.

    I need a way to set the app to allow app permissions (not delegated as the read occurs every 4 hours without…

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  10. Allow programmatic access of BitLocker recovery keys

    Currently it is possible (if you have permission) to view BitLocker recovery keys on the "Device" page of the Azure Active Directory portal.

    It is also possible to view Device information through the API or through Microsoft Graph, but this does not include the BitLocker recovery information.

    A programmatic way to view this data would be incredibly useful for creating a secure backup of the recovery keys.

    Another use case, which is what I was hoping to achieve, is to have users in the field encrypt data with their BitLocker key and then send a CD containing the encrypted data…

    8 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  11. REST API Support for Creating Directories

    REST API should support the ability to create/suspend/delete whole directories towards Azure AD. This is something that has to me done manually today, not that good for creating automated services with Azure Stack with a lot of directories.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  12. User schema extension properties can be configured to show up in token claims

    Allow developers/tenant admins to configure apps so that schema extension properties (added to users through Microsoft Graph) can show up as claims in id and access tokens

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →

    This work is on the backlog and currently isn’t scheduled. The feature will be updated here once dev work is started. -EY

  13. Support more OData filters (like endswith or substringof)

    When using the 'classic' Get-MSOLUser, the -Domain parameter can be used to filter users by an equivalent "endswith(userPrincipalName, "domain.blah") filter, but this is not possible with the Graph API or the AzureAD v2 PowerShell module.

    7 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    In Backlog  ·  1 comment  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  14. Calculate & expose device's primary user based on usage (user to device affinity)

    In many reporting scenarios it is necessary to map between users/devices. E.g.,
    * VIP Victor is complaining about something, we need a list of the devices he uses
    * I need to report on crashes (or some other device data) by the user's department/building/etc.

    Today we have registeredUsers and registeredOwners, but these can't be used for this purpose because:
    A) They seem to reflect primarily administrative enrollment activity, not end-user-affinity
    B) They are many:many and don't automatically calculate a "primary user" based on logon activity

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  15. Allow complex query for assignedLicenses

    Allow filters such as "assignedLicenses/any(x:x/skuId eq guid'4075ceb4-6426-4341-a899-f6a4430f5162')"

    The O365 admin portal can return such results easily, but using PowerShell/API requires me to retrieve 200,000+ objects and filter locally

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  16. Add manager to list Users graph api

    Currently we allow customer to connect to the Azure AD for listing all people in their AD for an up-to-date personell system.
    If they need to have the hierarchy in our software as well (who is the manager of who) this is near impossible as you have to retrieve the manager object per user.

    Please allow an extra attribute to request the manager information when listing users instead of 'per user' basis.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  17. Need API to get Azure AD tenant type: B2C or not

    We manage multiple Azure AD tenants and we need a property to distinguish b2c and non-b2c tenants. Right now we use a workarround - run MS Graph Delta API and analyse if error occurred. b2c doesn't support Delta - so we can understand that it is b2c.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  18. Security Granularity of Graph Access

    When accessing sites with Graph, the access level is not granular enough. For example writing a daemon to query a sharepoint site where the daemon should only have access to query that one site for meta data. The application should only be able to query that one site, not all of the company sharepoint sites.
    I would think this would be available in some form, but having spent many days researching this I have found no way to enable Graph access to only one or a limited group of company sharepoint sites.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  19. Detecting MFA using the v2.0 endpoint

    The AMR claim is detectable within the v1 endpoint in order to determine if the user has used multi factor, but it is not possible to detect in the v2 endpoint.

    Please enhance the v2 endpoint.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
  20. Microsoft Graph API to support Enterprise Application User Querying

    Support for the ability to query AD users that are provisioned to an enterprise application.

    Based off of the Microsoft Graphi API there is no way to actively see the users and their associated permissions to an enterprise application.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Identity and Access  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4
  • Don't see your idea?

Feedback and Knowledge Base