Microsoft Graph Feature Requests

Welcome to the Microsoft Graph UserVoice! Do you have an idea or feature suggestion based on your experience with Microsoft Graph? Please share these with us by submitting your idea below or voting up ideas submitted by other users. This forum will be directly monitored by the Microsoft Graph engineering teams who are working on new features every day.

If you have feedback on a specific API service, please choose the corresponding category. Please submit any broad ideas related to Microsoft Graph or ideas across more than one service to the “General” category.

This site is only for feature suggestions and ideas! If you need technical help, please go to the Microsoft Graph StackOverflow or, if you have a Premier support contract, raise a support ticket.

For more information on Microsoft Graph, please check out https://graph.microsoft.com.


  1. Restrict permissions to app-only Azure AD applications consuming Office 365 services on resource level

    Large organizations start leveraging the Graph API to provide integrations between their third party applications and Office 365. In such companies it is common to delegate the development of integrations from the central IT organization to other business units.
    The current app-only permission privileges are not appropriate for such types of setups since there is currently no way to limit the permissions for that app to a specific resource in Office 365. This makes such use cases impossible to implement.

    As an example we could consider SharePoint Online. Whenever a business unit has to develop a daemon tool that exchanges…

    361 votes
    49 comments  ·  Identity and Access

    Work has started. We plan to build an experience where end users and administrators can pick a specific resource to grant consent to, such as a specific group or site. This will be programmable through Microsoft Graph API.

  2. Expand navigation property of children with a single query

    Impossible to get members of Azure AD group with expanded 'manager' property in one request.
    for example:
    https://graph.windows.net/<tenantid>/directoryObjects/<groupid>/members/?api-version=1.6&$expand=manager

    we get the following response:
    {"code":"Request_UnsupportedQuery","message":{"lang":"en","value":"An unsupported query was observed. Please ensure you query does not navigate across multiple reference-properties."}

    I suppose the reason for such a response is clear, and the current workaround is the following:
    1) Get group members
    2) For each five members (using OData batch), get manager
    But this way makes us do a lot of requests to Azure AD and we expect performance degradation here.

    We develop a multi-tenant application which accesses Azure AD of all our customers…

    69 votes
    1 comment  ·  Identity and Access
    under review  ·  Azure AD Team responded

    We are still looking into it! It is due to current platform limitation, and there is some work going on to address this. Again, thank you for the suggestions! Keep the votes coming.

  3. Support Azure Conditional Access for Microsoft Graph

    A lot of Microsoft products do not work as expected due to the fact that Microsoft Graph does not support Azure Conditional Access. Among the applications I can mention are Microsoft Teams, ToDo, etc., which all rely on Microsoft Graph and break due to limited support or no support for Azure Conditional Access.

    Teams:
    https://microsoftteams.uservoice.com/forums/555103-public/suggestions/32657161-conditional-access-team-authentication

    ToDo:
    https://todo.uservoice.com/forums/597175-feature-suggestions/suggestions/32007451-add-support-for-conditional-access

    /Peter Selch Dahl - Azure MVP

    38 votes
    1 comment  ·  Identity and Access
  4. Allow to set the background color of your app in the O365 app launcher

    Currently the color is grey by default and will most likely not go well with all types of icons SaaS apps will come in. Being able to define your own color would allow a SaaS app vendor to also use that color for identification purposes etc.

    18 votes
    4 comments  ·  Identity and Access
  5. Throttling

    When we need to get data out of O365, speed is important. The throttling is excessive. Suggest something along the lines of E3 4X standard, E5 10X standard. You could even limit the increase to the app IDs of a certain level of partners.

    17 votes
    4 comments  ·  Identity and Access
  6. 17 votes
    1 comment  ·  Identity and Access

    WhenCreated (createdDateTime) is already exposed on some objects, like user and organization, in Microsoft Graph. This may get extended to other objects. NOTE: for the user resource you will need to explicitly $select this property to get it in the response.

    We don’t currently expose WhenChanged. I don’t think this is even in the backlog – sorry. We would also need to look at the history aspect, but you could build your own history (including when changed) by using the directory audit logs – https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-auditlog-overview?view=graph-rest-1.0

  7. Expose New API to work with Company Branding via Graph API

    Expose new API to work with company branding like Sign-in page background image, Sign in page text, Sign-in page background color etc.
    or extend /organization endpoint.

    14 votes
    1 comment  ·  Identity and Access
  8. Support more OData filters (like endswith or substringof)

    When using the 'classic' Get-MSOLUser, the -Domain parameter can be used to filter users by an equivalent endswith(userPrincipalName, "domain.blah") filter, but this is not possible with the Graph API or the AzureAD v2 PowerShell module.

    14 votes
    In Backlog  ·  1 comment  ·  Identity and Access
  9. Add manager to list Users graph api

    Currently we allow customers to connect to the Azure AD for listing all people in their AD for an up-to-date personnel system.
    If they need to have the hierarchy in our software as well (who is the manager of who) this is near impossible as you have to retrieve the manager object per user.

    Please allow an extra attribute to request the manager information when listing users instead of 'per user' basis.

    13 votes
    2 comments  ·  Identity and Access

    Update: The bug fix (so that select and expand play nice together) is committed, and should be rolled out this quarter (Q2 2020). That should enable things like

    GET ../users?$select=id,userPrincipalName&$expand=manager

  10. Make it possible to manipulate CustomAttributes for organizational Contacts

    Organizational Contacts make it possible to share contacts via Tenant to Tenant. The only decent way to key off source tenant is via adding ExternalDirectoryObjectId to a custom attribute. Please consider adding this to the Graph API. Graph is phenomenal, however, the details really matter when collaborating T2T.

    orgcontact #orgcontacts

    12 votes
    1 comment  ·  Identity and Access
  11. Graph - Add "isAdmin: true/false" to /me to identify users I can prompt for Admin consent

    My application can be used in a basic mode without Admin permissions. I would like to prompt Administrators for advanced permissions. Currently I cannot detect who is an Admin without already being granted Directory.Read.All permission by an Admin.

    If the "me" route could identify whether the user is an Admin or not it would allow much more control from our application side, without exposing much information

    12 votes
    0 comments  ·  Identity and Access
  12. Allow notification for user registration (creation) in Azure B2C tenant

    Applications in a B2C workflow need to be able to know when new users have registered.

    In our current flow a user purchases a license to our product. The billing software will call a webhook to our application which triggers a transactional email with a registration link (this is an azure B2C registration link). We need to be able to know once the user has completed registration (e.g. we need to be able to subscribe to a "user created" event that calls our application whenever the user signs up). This is important to send a welcome email and bootstrap the…

    10 votes
    0 comments  ·  Identity and Access
  13. Calculate & expose device's primary user based on usage (user to device affinity)

    In many reporting scenarios it is necessary to map between users/devices. E.g.,
    * VIP Victor is complaining about something, we need a list of the devices he uses
    * I need to report on crashes (or some other device data) by the user's department/building/etc.

    Today we have registeredUsers and registeredOwners, but these can't be used for this purpose because:
    A) They seem to reflect primarily administrative enrollment activity, not end-user-affinity
    B) They are many:many and don't automatically calculate a "primary user" based on logon activity

    10 votes
    2 comments  ·  Identity and Access
  14. REST API Support for Creating Directories

    REST API should support the ability to create/suspend/delete whole directories towards Azure AD. This is something that has to be done manually today, which is not that good for creating automated services with Azure Stack with a lot of directories.

    9 votes
    0 comments  ·  Identity and Access
  15. Allow programmatic access of BitLocker recovery keys

    Currently it is possible (if you have permission) to view BitLocker recovery keys on the "Device" page of the Azure Active Directory portal.

    It is also possible to view Device information through the API or through Microsoft Graph, but this does not include the BitLocker recovery information.

    A programmatic way to view this data would be incredibly useful for creating a secure backup of the recovery keys.

    Another use case, which is what I was hoping to achieve, is to have users in the field encrypt data with their BitLocker key and then send a CD containing the encrypted data…

    9 votes
    1 comment  ·  Identity and Access
  16. Add user.readBasic.all permission as an app permission in Graph

    Azure AD graph has delegated permissions for user.readBasic.all which restricts the information that a 3rd party accessing this api can capture from our tenancy directory. We have a 3rd party app that accesses the Azure directory to retrieve basic data to set up accounts in its user directory and we need to restrict this to the basic data due to the security risk. We cannot rely on the 3rd party just doing the right thing all the time.

    I need a way to set the app to allow app permissions (not delegated as the read occurs every 4 hours without…

    8 votes
    1 comment  ·  Identity and Access
  17. User schema extension properties can be configured to show up in token claims

    Allow developers/tenant admins to configure apps so that schema extension properties (added to users through Microsoft Graph) can show up as claims in id and access tokens

    8 votes
    0 comments  ·  Identity and Access

    This work is on the backlog and currently isn’t scheduled. The feature will be updated here once dev work is started. -EY

  18. Graph API - Azure AD B2B - Organizational Relationships Whitelist

    Azure Active Directory > Organizational Relationships > Settings > Collaboration restrictions ... when the "Allow invitations only to the specified domains (most restrictive)" option is set, it would be very nice if I could programmatically add domains to this list and query them back. I am looking to automate the end-to-end Azure AD B2B invitation process from an internal portal, and this will be a requirement.

    7 votes
    4 comments  ·  Identity and Access
  19. Graph API Beta - Un-assign Policy from Service Principal

    Today there is an endpoint to assign Azure AD Policies to service principals, but there is no endpoint to un-assign a policy from a Service Principal.

    Here is the endpoint to assign a policy:
    https://docs.microsoft.com/en-us/graph/api/policy-assign?view=graph-rest-beta

    Here is a link to the PowerShell cmdlet for unassign policy:
    https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadserviceprincipalpolicy?view=azureadps-2.0-preview

    6 votes
    0 comments  ·  Identity and Access

    First note is that we now have named policies rather than a single policy type. This change was made in February, just after your post. See https://docs.microsoft.com/en-us/graph/changelog#identity-and-access-azure-ad-3

    The docs have recently been updated to ensure that the Add, List and Remove topics are present. Please see an example:
    https://docs.microsoft.com/en-gb/graph/api/serviceprincipal-delete-claimsmappingpolicies?view=graph-rest-beta&tabs=http

    While policies are ALSO in v1.0, you can’t currently assign them to servicePrincipals as we only just added this to v1.0. An update will go out in a couple of weeks to enable add, list and remove typed policies to/from a servicePrincipal.

  20. Microsoft Graph API to support Enterprise Application User Querying

    Support for the ability to query AD users that are provisioned to an enterprise application.

    Based off of the Microsoft Graph API there is no way to actively see the users and their associated permissions to an enterprise application.

    6 votes
    0 comments  ·  Identity and Access

    This API does exist and you can find it here:
    https://docs.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignments?view=graph-rest-beta&tabs=http

    Granted – this documentation can be massively improved. In the response you need to look at the principalType as it can be user, group or servicePrincipal. For your scenario, you can ignore servicePrincipal, but if a group is provisioned to an enterprise application, you’ll need to get the group’s direct group members (using GET ../groups/{id}/members) to find the users assigned (indirectly) to this enterprise application.
