Microsoft Graph Feature Requests

Welcome to the Microsoft Graph UserVoice! Do you have an idea or feature suggestion based on your experience with Microsoft Graph? Please share these with us by submitting your idea below or voting up ideas submitted by other users. This forum will be directly monitored by the Microsoft Graph engineering teams who are working on new features every day.

If you have feedback on a specific API service, please choose the corresponding category. Please submit any broad ideas related to Microsoft Graph or ideas across more than one service to the “General” category.

This site is only for feature suggestions and ideas! If you need technical help, please go to the Microsoft Graph StackOverflow or, if you have a Premier support contract, raise a support ticket.

For more information on Microsoft Graph, please check out https://graph.microsoft.com.


  1. create retention event

    Hi,

    There is the ability available to create an event using REST API - https://docs.microsoft.com/en-us/microsoft-365/compliance/automate-event-driven-retention?view=o365-worldwide
    However this only seems to work with basic authentication which some Orgs don't allow.
    Can you extend Graph API to provide permissions for this also?

    1 vote
    0 comments  ·  Identity and Access
  2. Allow Application Permission to privilegedApproval API

    Allow Application Permission to privilegedApproval Graph API to allow creating other interfaces to approve PIM Requests.
    (Or just put Teams approval function for PIM)

    3 votes
    0 comments  ·  Identity and Access
  3. Allow Exchange Application Access Policies to scope access to non-user mailboxes, e.g. Shared Mailboxes

    Allow Exchange Application Access Policies to scope access to non-user mailboxes, e.g. Shared Mailboxes, Resource Mailboxes, etc. Currently the documentation for the New-ApplicationAccessPolicy cmdlet indicates that policy scopes (PolicyScopeGroupID parameter) "only accepts recipients that are security principals. The following types of recipients are not security principals, so you can't use them with this parameter: Discovery mailboxes, Dynamic distribution groups, Distribution groups, Shared mailboxes".

    We have an urgent need to be able to scope Graph API based non-interactive applications to only be able to access specific Shared Mailboxes, not all mailboxes in the tenant. We thought we could use App Scoping…

    2 votes
    0 comments  ·  Identity and Access
  4. Application permission on domain level

    We are working with enterprise companies with a lot of concerning legal entities. We are building a third party app and are always running into trouble if there is a tenant with different domains/legal entities, because usually domain admins will not give permissions to parts of the enterprise, who are not covered by contracts.

    It would be great if application permission can be combined with domain (easiest) OR some part of AAD information (like Division or an extra attribute).

    For example: I am domain admin of the tenant contexxt.ai, and I've a legal entity called zukunftsdidaktik.de in my tenant. I want…

    1 vote
    0 comments  ·  Identity and Access
  5. API to get notification email addresses listed on SAML certs

    We need a way, either through PowerShell or API, to get the notification email address(es) listed on a SAML signing cert and be able to update them. This way we can check if the correct email address is listed and update it if needed.

    1 vote
    0 comments  ·  Identity and Access
  6. Add the raw user agent to Azure AD audit log scheme

    As of today, only parsed user agent information is available as part of the Azure AD audit log (in sign-in in particular). In many cases, the parsing does not work well and most of the parsed fields are 'null'.
    It will be great if we can get the raw user agent string and use our own parsing.

    2 votes
    1 comment  ·  Identity and Access
  7. log of the activity across your OneDrive account so if your account gets hacked you can see what activity that hacker performed

    log of the activity across your OneDrive account so if your account gets hacked you can see what activity that hacker performed - did they view any files, did they download any files etc

    1 vote
    0 comments  ·  Identity and Access
  8. Make it possible to manipulate CustomAttributes for organizational Contacts

    Organizational Contacts make it possible to share contacts via Tenant to Tenant. The only decent way to key off source tenant is via adding ExternalDirectoryObjectId to a custom attribute. Please consider adding this to the Graph API. Graph is phenomenal, however, the details really matter when collaborating T2T.

    orgcontact #orgcontacts

    13 votes
    1 comment  ·  Identity and Access
  9. Failed to admin consent for Microsoft Graph API from Azure portal

    Created a Public Client App in Azure Portal, then added all Microsoft Graph API delegatedPermission, 208 permissions in total. Then when I clicked 'On behalf of Admin Consent' and waited for a while, I got the following error message:
    unable to grant consent
    : Value length '10462' is out of the valid range of '1' to '8000' for property 'DelegationScope'. [WUCaV]

    I tried to use https://xxxx/adminconsent, it failed with the same error message. Please suggest what I missed. Thanks!

    1 vote
    0 comments  ·  Identity and Access
  10. Add manager to list Users graph api

    Currently we allow customers to connect to the Azure AD for listing all people in their AD for an up-to-date personnel system.
    If they need to have the hierarchy in our software as well (who is the manager of who) this is near impossible as you have to retrieve the manager object per user.

    Please allow an extra attribute to request the manager information when listing users instead of 'per user' basis.

    16 votes
    3 comments  ·  Identity and Access

    Update: The bug fix (so that select and expand play nice together) is committed, and should be rolled out this quarter (Q2 2020). That should enable things like

    GET ../users?$select=id,userPrincipalName&$expand=manager

  11. Extend MSGraph to only query failed sign-ins. Not possible now.

    I'm trying to query only the failed sign-ins using the $filter parameter but it only supports status/errorCode eq [errorcode].

    This means that I need to know all error codes beforehand, which I don't.

    Can this filter be extended with status/errorCode ge 1 ?

    This would really make life easier.

    1 vote
    0 comments  ·  Identity and Access
  12. To provide user's base location/country.

    Currently, User's Country is shown as Null through Graph API. It would be helpful, if the Country field is populated with location where user is currently based. If the user moves from one country to another, the country field must be updated.

    2 votes
    0 comments  ·  Identity and Access
  13. Deliver fileData for Get agreement request

    Performing a GET request for https://docs.microsoft.com/en-us/graph/api/agreement-get?view=graph-rest-beta&tabs=http
    on "agreement" does not deliver the fileData for the ToU files configured in the policy.
    Please deliver the bytes not only the metadata.

    1 vote
    0 comments  ·  Identity and Access
  14. enable all User attributes (which can be queried in the MS Graph API) as custom access token claims

    There are a select few of "optional attributes" to attach to an Azure AD Access Token. Ideally, any "user" attribute can be incorporated into an access token. In our case, we need mailNickname, but I see other attributes being requested such as employeeId. We should be able to name "User" as the source and select any property available as an AD attribute attached to the user.

    2 votes
    0 comments  ·  Identity and Access
  15. Expose New API to work with Company Branding via Graph API

    Expose new API to work with company branding like Sign-in page background image, Sign in page text, Sign-in page background color etc.
    or extend /organization endpoint.

    16 votes
    2 comments  ·  Identity and Access
  16. Graph API - Azure AD B2B - Organizational Relationships Whitelist

    Azure Active Directory > Organizational Relationships > Settings > Collaboration restrictions ... when "Allow invitations only to the specified domains (most restrictive)" option is set, it would be very nice if I could programmatically add domains to this list and query them back. I am looking to automate the end-to-end Azure AD B2B invitation process from an internal portal, and this will be a requirement.

    7 votes
    4 comments  ·  Identity and Access
  17. Graph - Add "isAdmin: true/false" to /me to identify users I can prompt for Admin consent

    My application can be used in a basic mode without Admin permissions. I would like to prompt Administrators for advanced permissions. Currently I cannot detect who is an Admin without already being granted Directory.Read.All permission by an Admin.

    If the "me" route could identify whether the user is an Admin or not it would allow much more control from our application side, without exposing much information

    13 votes
    0 comments  ·  Identity and Access
  18. 1 vote
    0 comments  ·  Identity and Access
  19. Raise limit of 100 schema extension property values allowed per resource instance

    Removing the limit of 100 schema extensions property values allowed per resource instance would allow me to build a comprehensive directory with many, many fields for my organization. My on-premise AD has hundreds of fields that I would like to extend to AAD.

    1 vote
    0 comments  ·  Identity and Access
  20. Get department manager

    I would like to query managers based on department, where I send department name for instance and get the details of the manager of the department in Graph\User return type

    2 votes
    0 comments  ·  Identity and Access