With Microsoft Graph, you can access Azure Active Directory (Azure AD) resources that you can use to enable several different scenarios. This includes managing administrator (directory) roles, inviting external users to an organization, and, if you are a Cloud Solution Provider (CSP), managing your customers' data. Microsoft Graph also provides several methods that can be used by many kinds of apps; for example, to discover information about the transitive group and role memberships of users.
To call the Microsoft Graph APIs on Azure AD resources, your app will need the appropriate permissions. Many of the APIs exposed on Azure AD resources require one of the Directory permissions. Directory permissions are highly privileged and always require administrator consent.
There are two kinds of permissions: delegated and application. If your app is calling an API on behalf of a user, it will need delegated permissions. If it is calling an API as itself without a signed-in user, it will need application permissions. This latter scenario is generally the case with back-end services or daemons. For more information about delegated and application permissions, see Permissions.
Finally, if your app is acting on behalf of a user, that user will likely need to be a member of an appropriate administrator role for your app to successfully call many of the Azure AD APIs.
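The delegated-versus-application distinction above shows up directly in the access token your app presents to Microsoft Graph: a delegated token carries the granted scopes in an `scp` claim and identifies the signed-in user, while an application token carries app roles in a `roles` claim and has no user. The following is an added example, not code from the Microsoft Graph documentation, that inspects a token's claims to tell the two apart and to report which Directory permissions it carries before the app attempts a call. The tokens it inspects are constructed, unsigned samples; the set of permissions it treats as "Directory permissions" is an assumption for this example.

```python
import base64
import json

# Permissions treated as "Directory permissions" here (assumption for this
# example; the page says only that such permissions exist and need admin consent).
DIRECTORY_PERMISSIONS = {"Directory.Read.All", "Directory.ReadWrite.All",
                         "Directory.AccessAsUser.All"}


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    Signature verification is the resource server's job; this only inspects."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(token: str) -> dict:
    """Classify a token as delegated or application and list the Directory
    permissions it carries, following the permission model described above."""
    claims = decode_claims(token)
    if "scp" in claims:        # delegated: space-separated scopes, a user is signed in
        kind, granted = "delegated", set(claims["scp"].split())
    elif "roles" in claims:    # application: array of app roles, no signed-in user
        kind, granted = "application", set(claims["roles"])
    else:
        kind, granted = "none", set()
    return {
        "kind": kind,
        "directory_permissions": sorted(granted & DIRECTORY_PERMISSIONS),
        # For delegated calls the user's own administrator role also matters.
        "needs_admin_role": kind == "delegated",
    }


def make_token(claims: dict) -> str:
    """Build an unsigned, CONSTRUCTED token for demonstration only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed sample tokens (not real Azure AD tokens).
DELEGATED = make_token({"aud": "https://graph.microsoft.com",
                        "scp": "User.Read Directory.Read.All",
                        "upn": "admin@contoso.example"})
APP_ONLY = make_token({"aud": "https://graph.microsoft.com",
                       "roles": ["Directory.ReadWrite.All"]})
```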
The following table lists some common scenarios that Azure AD resources can be used for.
| Use cases | REST resources | See also |
|---|---|---|
| **Directory object and methods** | | |
| **Manage directory (administrator) roles**<br>Activate directory roles in an Azure AD tenant and manage user memberships in directory roles. Directory roles are also known as administrator roles. | directoryRole | For more information about directory (administrator) roles, see Assigning administrator roles in Azure Active Directory. |
| Manage devices registered in the organization. Devices are registered to users and include items like laptops, desktops, tablets, and mobile phones. Devices are typically created in the cloud using the Device Registration Service or by Microsoft Intune. They're used by conditional access policies for multi-factor authentication. | device | For more information about Device Registration Service, see Getting started with Azure Active Directory device registration. For more information about Microsoft Intune, see What is Intune? and Enroll devices for management in Intune. |
| **Partner tenant management**<br>Get information about partnerships with customer tenants. | contract | Exists in partner tenants only. Partner tenants are Azure AD tenants that belong to Microsoft partners who are part of the Microsoft Cloud Solution Provider, Office 365 Syndication, or Microsoft Advisor partner programs. For more information about managing customer data through Microsoft Graph as a Cloud Solution Provider, see Call Microsoft Graph from a Cloud Solution Provider application. |
| Manage domains associated with a tenant. Domain operations enable registrars to automate domain association for services such as Office 365. | domain | For more information, see Add a custom domain name to Azure Active Directory. |
| Get information about an organization, such as its business address, technical and notification contacts, the service plans it's subscribed to, and the domains associated with it. | organization | N/A |
| Get information about the service SKUs that a company is subscribed to. | subscribedSku | N/A |
| Invite external (guest) users to an organization. | invitation | For more information, see What is Azure AD B2B collaboration? |
Directory resources and APIs can open up new ways for you to engage with users and manage their experiences with Microsoft Graph:
Need more ideas? See how some of our partners are using Microsoft Graph.