Microsoft.Graph groups

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Note

Permissions for personal Microsoft accounts cannot be used to deploy Microsoft Graph resources declared in Bicep files.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) Group.ReadWrite.All Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported. Not supported.
Application Group.Create Directory.ReadWrite.All, Group.ReadWrite.All

Some properties need more than the group permissions listed here: setting isAssignableToRole also requires the RoleManagement.ReadWrite.Directory permission and at least the Privileged Role Administrator role, and setting preferredDataLocation requires Directory.ReadWrite.All plus one of the roles listed under that property below.

Resource format

To create a Microsoft.Graph/groups resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Graph/groups@beta' = {
  classification: 'string'
  description: 'string'
  displayName: 'string'
  groupTypes: [
    'string'
  ]
  infoCatalogs: [
    'string'
  ]
  isAssignableToRole: bool
  mailEnabled: bool
  mailNickname: 'string'
  members: [
    'string'
  ]
  membershipRule: 'string'
  membershipRuleProcessingState: 'string'
  organizationId: 'string'
  owners: [
    'string'
  ]
  preferredDataLocation: 'string'
  preferredLanguage: 'string'
  resourceBehaviorOptions: [
    'string'
  ]
  resourceProvisioningOptions: [
    'string'
  ]
  securityEnabled: bool
  serviceProvisioningErrors: [
    {
      createdDateTime: 'string'
      isResolved: bool
      serviceInstance: 'string'
    }
  ]
  theme: 'string'
  uniqueName: 'string'
  visibility: 'string'
  writebackConfiguration: {
    isEnabled: bool
    onPremisesGroupType: 'string'
  }
}

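A complete, deployable template that uses the format above, added here as an example; it is not code from the page or from the Bicep Graph extension's own samples. It creates a role-assignable security group that satisfies the constraints the property table places on isAssignableToRole (securityEnabled true, no DynamicMembership), and it resolves the owner and the member from existing directory objects instead of creating them, so a wrong lookup key fails the deployment rather than minting a new principal. Assumed, not stated on the page: the extension is declared with an extension microsoftGraphBeta statement backed by a bicepconfig.json that enables it, the existing-resource lookups for Microsoft.Graph/users and Microsoft.Graph/servicePrincipals are keyed on userPrincipalName and appId, and the UPN and appId values are placeholders.

```bicep
// Added example (not from the page): role-assignable security group with
// explicit owner and member resolved from existing directory objects.
// Assumption: the Graph Bicep extension is declared as microsoftGraphBeta
// and enabled in bicepconfig.json.
extension microsoftGraphBeta

@description('UPN of the human owner. Placeholder, replace for your tenant.')
param ownerUpn string = 'secops.lead@contoso.com'

@description('appId of the workload identity to add as a member. Placeholder.')
param workloadAppId string = '00000000-0000-0000-0000-000000000000'

// Existing objects are looked up, never created. Assumed lookup keys:
// userPrincipalName for users, appId for service principals.
resource owner 'Microsoft.Graph/users@beta' existing = {
  userPrincipalName: ownerUpn
}

resource workloadSp 'Microsoft.Graph/servicePrincipals@beta' existing = {
  appId: workloadAppId
}

resource privilegedOps 'Microsoft.Graph/groups@beta' = {
  // Alternate key: redeploying the template updates this group instead of
  // creating a duplicate with the same displayName.
  uniqueName: 'sg-privileged-ops'
  displayName: 'Privileged Ops'
  description: 'Role-assignable group for Entra role assignments'
  mailEnabled: false
  mailNickname: 'sg-privileged-ops'
  // Required to be true when isAssignableToRole is true.
  securityEnabled: true
  // Can only be set at creation and is immutable afterwards.
  isAssignableToRole: true
  // groupTypes is deliberately omitted: a role-assignable group must not be
  // a dynamic group, so DynamicMembership would be rejected here.
  owners: [
    owner.id
  ]
  members: [
    workloadSp.id
  ]
}

// Object ID for downstream role assignments or outputs of a parent template.
output groupObjectId string = privilegedOps.id
```

Because isAssignableToRole is immutable, a group created without it cannot be promoted later; changing the value means a new group. The identity running the deployment needs Group.Create (the least-privileged application permission above) and, because this group is role-assignable, RoleManagement.ReadWrite.Directory together with at least the Privileged Role Administrator role, as the property table states.
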
Property values

groups

Name Description Value
apiVersion The resource api version 'beta' (ReadOnly)
classification Describes a classification for the group (such as low, medium or high business impact) string
createdByAppId App ID of the app used to create the group. Can be null for some groups. Read-only string (ReadOnly)
createdDateTime Timestamp of when the group was created. The value can't be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. string (ReadOnly)
deletedDateTime Date and time when this object was deleted. Always null when the object hasn't been deleted. string (ReadOnly)
description An optional description for the group string
displayName The display name for the group. Required. Maximum length is 256 characters string (Required)
expirationDateTime Timestamp of when the group is set to expire. It is null for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. string (ReadOnly)
groupTypes Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview. If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static string[]
id The unique identifier for an entity. Read-only. string (ReadOnly)
infoCatalogs Identifies the info segments assigned to the group string[]
isAssignableToRole Indicates whether this group can be assigned to a Microsoft Entra role. Optional. This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true, visibility must be Hidden, and the group cannot be a dynamic group (that is, groupTypes can't contain DynamicMembership). Only callers with at least the Privileged Role Administrator role can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. For more, see Using a group to manage Microsoft Entra role assignments. Using this feature requires a Microsoft Entra ID P1 license bool
isManagementRestricted Indicates whether the group is a member of a restricted management administrative unit, in which case it requires a role scoped to the restricted administrative unit to manage. The default value is false. Read-only. To manage a group member of a restricted administrative unit, the calling app must be assigned the Directory.Write.Restricted permission. For delegated scenarios, the administrators must also be explicitly assigned supported roles at the restricted administrative unit scope. bool (ReadOnly)
mail The SMTP address for the group, for example, 'serviceadmins@contoso.com'. Read-only string (ReadOnly)
mailEnabled Specifies whether the group is mail-enabled. Required bool (Required)
mailNickname The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () / [] ' ; : <> , SPACE string (Required)
members Direct group members, who can be users, devices, other groups, or service principals. Supports the List members, Add member, and Remove member operations. Nullable string[]
membershipRule The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). For more information about the syntax of the membership rule, see Membership Rules syntax string
membershipRuleProcessingState Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused string
onPremisesDomainName Contains the on-premises domain FQDN, also called dnsDomainName synchronized from the on-premises directory. Read-only. string (ReadOnly)
onPremisesLastSyncDateTime Indicates the last time at which the group was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only string (ReadOnly)
onPremisesNetBiosName Contains the on-premises netBios name synchronized from the on-premises directory. Read-only. string (ReadOnly)
onPremisesProvisioningErrors Errors when using Microsoft synchronization product during provisioning MicrosoftGraphOnPremisesProvisioningError[] (ReadOnly)
onPremisesSamAccountName Contains the on-premises SAM account name synchronized from the on-premises directory. Read-only. string (ReadOnly)
onPremisesSecurityIdentifier Contains the on-premises security identifier (SID) for the group synchronized from on-premises to the cloud. Read-only. string (ReadOnly)
onPremisesSyncEnabled true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). Read-only bool (ReadOnly)
organizationId string
owners The owners of the group who can be users or service principals. Nullable. If this property isn't specified when creating a Microsoft 365 group, the calling user is automatically assigned as the group owner string[]
preferredDataLocation The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. To set this property, the calling app must be granted the Directory.ReadWrite.All permission and the user must be assigned at least one of the following Microsoft Entra roles: User Account Administrator, Directory Writer, Exchange Administrator, or SharePoint Administrator. For more information about this property, see OneDrive Online Multi-Geo and Create a Microsoft 365 group with a specific PDL. Nullable string
preferredLanguage The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example, en-US string
proxyAddresses Email addresses for the group that direct to the same group mailbox. For example: ['SMTP: bob@contoso.com', 'smtp: bob@sales.contoso.com']. The any operator is required for filter expressions on multi-valued properties. Read-only. Not nullable string[] (ReadOnly)
renewedDateTime Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. string (ReadOnly)
resourceBehaviorOptions Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This property can be set only as part of creation (POST). For the list of possible values, see Microsoft 365 group behaviors and provisioning options. string[]
resourceProvisioningOptions Specifies the group resources that are associated with the Microsoft 365 group. The possible value is Team. For more information, see Microsoft 365 group behaviors and provisioning options string[]
securityEnabled Specifies whether the group is a security group bool (Required)
securityIdentifier Security identifier of the group, used in Windows scenarios. Read-only string (ReadOnly)
serviceProvisioningErrors Errors published by a federated service describing a non-transient, service-specific error regarding the properties or link from a group object. MicrosoftGraphServiceProvisioningError[]
theme Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange or Red string
type The resource type 'Microsoft.Graph/groups' (ReadOnly)
uniqueName The unique identifier that can be assigned to a group and used as an alternate key. Immutable string (Required)
visibility Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or HiddenMembership. HiddenMembership can be set only for Microsoft 365 groups when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation. If the visibility value isn't specified during group creation on Microsoft Graph, a security group is created as Private by default, and a Microsoft 365 group as Public. Groups assignable to roles are always Private. To learn more, see group visibility options. Nullable. string
writebackConfiguration Specifies whether or not a group is configured to write back group object properties to on-premises Active Directory. These properties are used when group writeback is configured in the Microsoft Entra Connect sync client. MicrosoftGraphGroupWritebackConfiguration

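A second template, added here as an example and not taken from the page or the Bicep Graph extension's samples, covers the other membership model the property table describes: a dynamic security group whose members are computed from membershipRule rather than listed in members, with group writeback to on-premises Active Directory explicitly switched off so the cloud-only group is never materialised in the domain. Assumed, not stated on the page: the extension microsoftGraphBeta declaration and its bicepconfig.json entry, and the department value used in the rule, which is a placeholder for your tenant.

```bicep
// Added example (not from the page): dynamic security group with writeback
// disabled. Assumption: the Graph Bicep extension is declared as
// microsoftGraphBeta and enabled in bicepconfig.json.
extension microsoftGraphBeta

@description('Department value matched by the membership rule. Placeholder.')
param department string = 'Security Engineering'

resource secEngineers 'Microsoft.Graph/groups@beta' = {
  uniqueName: 'sg-dyn-security-engineering'
  displayName: 'Security Engineering (dynamic)'
  description: 'Membership computed from the user department attribute'
  mailEnabled: false
  mailNickname: 'sg-dyn-security-engineering'
  securityEnabled: true
  // DynamicMembership makes membershipRule authoritative; members[] is not
  // used for this group.
  groupTypes: [
    'DynamicMembership'
  ]
  // Only enabled accounts in the department qualify, so a disabled user
  // drops out of the group without a separate cleanup step.
  membershipRule: '(user.department -eq "${department}") and (user.accountEnabled -eq true)'
  // 'On' evaluates the rule continuously; 'Paused' freezes current membership.
  membershipRuleProcessingState: 'On'
  // Keep the group cloud-only: do not write it back to on-premises AD.
  writebackConfiguration: {
    isEnabled: false
  }
  // isAssignableToRole is intentionally absent: a dynamic group cannot be
  // role-assignable, and a role-assignable group cannot be dynamic.
}

output dynamicGroupObjectId string = secEngineers.id
```

Because membership follows the attribute, anyone who can edit user.department for an account can change who is in this group; pick rule attributes that only administrators or the HR-driven provisioning flow can write, and do not attach privileges to a dynamic group that a role-assignable, explicitly managed group should carry. Setting membershipRuleProcessingState to Paused is a useful containment step during an incident, since it stops attribute changes from altering membership without deleting the group.
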
MicrosoftGraphOnPremisesProvisioningError

Name Description Value
category Category of the provisioning error. Note: Currently, there is only one possible value. Possible value: PropertyConflict - indicates a property value is not unique. Other objects contain the same value for the property. string
occurredDateTime The date and time at which the error occurred. string
propertyCausingError Name of the directory property causing the error. Current possible values: UserPrincipalName or ProxyAddress string
value Value of the property causing the error. string

MicrosoftGraphServiceProvisioningError

Name Description Value
createdDateTime The date and time at which the error occurred. string
isResolved Indicates whether the Error has been attended to. bool
serviceInstance Qualified service instance (for example, 'SharePoint/Dublin') that published the service error information. string

MicrosoftGraphGroupWritebackConfiguration

Name Description Value
isEnabled Indicates whether writeback of cloud groups to on-premises Active Directory is enabled. Default value is true for Microsoft 365 groups and false for security groups. bool
onPremisesGroupType Indicates the target on-premises group type the cloud object is written back as. Nullable. The possible values are: universalDistributionGroup, universalSecurityGroup, universalMailEnabledSecurityGroup. If the cloud group is a unified (Microsoft 365) group, this property can be one of the following: universalDistributionGroup, universalSecurityGroup, universalMailEnabledSecurityGroup. Microsoft Entra security groups can be written back as universalSecurityGroup. If isEnabled or the NewUnifiedGroupWritebackDefault group setting is true but this property isn't explicitly configured: Microsoft 365 groups are written back as universalDistributionGroup by default; security groups are written back as universalSecurityGroup by default string