What's new in Microsoft Graph

Microsoft Graph provides a unified programmability model that you can use to access data in Microsoft 365, Windows, and Enterprise Mobility + Security. This article provides information about what's new in Microsoft Graph APIs, documentation, SDKs, and more.

For more detailed API-level updates, see the Microsoft Graph API changelog.

For details about previous updates to Microsoft Graph, see Microsoft Graph what's new history.

November 2025: New and generally available

Backup storage

The driveItem: restore method was expanded to enable restoring a driveItem deleted from a fileStorageContainer without mapping it to a recycleBinItem. This complements existing functionality in recycleBinItem: restore which continues to work as expected.

Files

• Deprecated the drive: recent and drive: sharedWithMe methods of the drive resource.
• Removed the endpoint /driveitem/retentionLabel as a supported request URL from the following API topics:
  • driveItem: getRetentionLabel
  • driveItem: lockOrUnlockRecorddriveItem: lockOrUnlockRecord
  • driveItem: removeRetentionLabel
  • driveItem: setRetentionLabel

Teamwork and communications | Calls and online meetings

Use resource-specific consent (RSC) permissions for virtual events. For more information, see Virtual events town hall API use cases and Virtual events webinar API use cases.

November 2025: New in preview only

Agents

Use the Microsoft Entra Agent ID APIs to manage identities for AI agents using the same identity and access management capabilities that protect human users. The APIs include capabilities to manage the following objects:

• Agent registrations
• Agent users
• The Microsoft Entra agent registry

Additionally, the first-class Microsoft Entra experience allows you to leverage the familiar automation capabilities in Conditional Access, ID Governance, and Identity Protection.

Applications

Added the riskFactors and riskScore properties to the applicationTemplate resource type which represents apps on the Microsoft Entra app gallery. These properties provide insights into the security posture of application templates.

Calendars | Places

• Use the wifiState property on building to indicate whether a building has Wi-Fi.
• Use the heightAdjustableState property on desk to indicate whether a desk is height adjustable.
• Use the teamsEnabledState property on room to indicate whether a room is enabled for Microsoft Teams.
• Removed the placeId property from the place resource and its derived types. Going forward only the following derived types of place have the placeId property: room and workspace.
• Removed the offlinePlaceMode resource in favor of the unavailablePlaceMode resource.

Files

• Use the SharePoint cross-tenant migration APIs in Microsoft Graph to enable organizations to manage identity mappings during tenant-to-tenant migrations. For more information, see sharePointUserIdentityMapping and sharePointGroupIdentityMapping.
• Deprecated the drive: recent and drive: sharedWithMe methods of the drive resource.

Identity and access | Governance

Added the customDataProvidedResource resource to support ser-centric access reviews.

Identity and access | Identity and sign-in

• Added support for managing Microsoft Entra agent identities using Conditional Access policies with the introduction of the following changes:

  • Added agentIdServicePrincipalFilter, excludeAgentIdServicePrincipals, and includeAgentIdServicePrincipals properties to the conditionalAccessApplications resource.
  • Added the agentIdRiskLevels property to the conditionalAccessConditionSet and signInConditions resources.
  • Added agentIdRisk, agentIdentities as possible values for analysisReasons property of the whatIfAnalysisResult resource that's part of the What If evaluation API.

• Added the agentRiskDetection and riskyAgent resources to support detecting and managing risky agents through Microsoft Entra Identity Protection.

• Added the organizationalBrandingTheme and organizationalBrandingThemeLocalization resource types to apply branding themes to applications as opposed to the global tenant-based branding for sign-in experiences. This also enabled locale-specific branding for applications.

• In Microsoft Entra External ID for customer tenants, you can now enable your customers to sign-in with their username or alias. This capability includes a sign-in identifiers policy for you to configure whether username can be used as a sign-in identifier and you can specify a custom regex to be applied at run-time. For more information, see the signInIdentifierBase resource type and its associated APIs.

• Added the verifiedIdProfile resource type to represent a verified identity profile as one of the supported authentication methods in Microsoft Entra.

• Added the defaultPasskeyProfile property and the passkeyProfiles navigation property to the FIDO2 authentication method policy resource. In addition, use the passkeyType property in the FIDO2 authentication method resource to configure allowed passkeys for the user's FIDO2 authentication method.

Identity and access | Network access

• Added APIs for reporting metrics related to Global Secure Access in the serviceActivity resource that reports on service activity for various Microsoft services. The following APIs are now available:

  • Get network access internet app policy blocked users metrics
  • Get network access internet app policy blocked apps metrics
  • Get network access internet app policy allowed users metrics
  • Get network access internet app policy allowed apps metrics
  • Get network access private app users blocked by connector metrics
  • Get network access private apps blocked by connector metrics
  • Get network access private app users allowed by connector metrics
  • Get network access private apps allowed by connector metrics
  • Get network access remote network branches alive metrics
  • Get network access remote network branches tunnel disconnected metrics
  • Get network access remote network branches tunnel connected metrics
  • Get network access remote network branches BGP disconnected metrics
  • Get network access remote network branches BGP connected metrics

• Added the categories property to the cloudApplicationMetadata resource.

Microsoft MCP Server for Enterprise

Introducing the Microsoft MCP Server for Enterprise - the official MCP server for querying Microsoft Entra data using natural language. The server calls the Microsoft Entra APIs on Microsoft Graph to retrieve data and generate responses based on user queries. It supports a wide range of Microsoft Entra data, including users, groups, devices, applications, and more. See Overview of Microsoft MCP server for Enterprise for more information.

Reports | Identity and access reports

• Added support for sign in logs for Microsoft Entra agent identities to Microsoft Entra sign-in reports with the introduction of the following changes:
  • Added agentSubjectParentId and agentSubjectType properties to the agentSignIn resource.
  • Added agentIdentityBlueprintPrincipal and agentIDuser enumeration members to the agentType property of the agentSignIn resource.

Security

• Use the Security Copilot APIs to integrate advanced AI assistance related to Microsoft Entra into your custom portals and applications. The APIs provide capabilities to create sessions, prompts, and evaluations using the available plugins, enabling tailored AI-driven security workflows for your line-of-business applications.
• Added the identityAccounts resource type to represent user and service accounts associated with an identity in the context of security investigations and alerts in Microsoft Defender for Identity.

Tasks and plans

• Get the usage rights for a specific plan based on its sensitivity label assignment and the requesting user's permissions.
• Use the contentSensitivityLabelAssignment property on plannerPlan to get or set the sensitivity label assignment for a plan.

Teamwork and communications | Calls and online meetings

• Added the sensitivityLabelAssignment property to the onlineMeeting, which represents the meeting’s sensitivity level. This ID corresponds to the identifier configured in the Microsoft Purview portal.
• Use the Accept-Language header with the Create virtualEventWebinar and Create virtualEventTownhall methods to specify an acceptable human language for the response.

Removed the endpoint /driveitem/retentionLabel as a supported request URL from the following API topics:

• driveItem: getRetentionLabel
• driveItem: lockOrUnlockRecord
• driveItem: removeRetentionLabel
• driveItem: setRetentionLabel
• Use the expiryDateTime property on onlineMeeting and virtualEventSession to indicate the date and time when the meeting resource expires.
• Use the meetingSpokenLanguageTag property on onlineMeeting and virtualEventSession to specify the spoken language used during the meeting for recording and transcription purposes.
• Use the Accept-Language header with the Create virtualEventWebinar and Create virtualEventTownhall methods to specify an acceptable human language for the response.

October 2025: New and generally available

Backup storage

• Use the protectionSources property on driveProtectionUnit, mailboxProtectionUnit, and siteProtectionUnit to get the sources by which a protection unit is currently protected.
• Update a driveProtectionRule or a mailboxProtectionRule.
• Delete and unprotect all the artifacts protected by a dynamic rule in a driveProtectionRule or a mailboxProtectionRule.

Device and app management | Cloud PC

List the Cloud PC devices that are attributed to the signed-in user.

Education

• Add an existing educationGradingScheme to an existing educationAssignment.
• Add the default educationGradingScheme to an educationAssignmentSettings object.
• Use the languageTag property on educationAssignment to specify the language in which UI notifications for an assignment are displayed.
• Create and manage a custom scheme for grading.
• List the dependent education assignment resources for a given education assignment resource.
• List the dependent education submission resources for a given education submission resource.

Identity and access | Directory management

• Addressed a permissions issue for internalDomainFederation write operations. Previously, delegated scenarios required the high-privilege Directory.AccessAsUser.All permission. Two new, lesser-privileged permissions are now available for managing the internalDomainFederation resource:

  • Domain-InternalFederation.Read.All – Read internalDomainFederation resources.
  • Domain-InternalFederation.ReadWrite.All – Read and write internalDomainFederation resources.

• Added the Domain-InternalFederation.ReadWrite.All delegated and application permissions as lower-privilege alternatives for updating a domain. This also enables updating the authenticationType property of a domain in both delegated and application contexts, whereas previously only delegated scenarios with Directory.AccessAsUser.All permission were supported.

These new permissions enable more granular access control for managing internalDomainFederation and domain resources.

Identity and access | Identity and sign-in

Microsoft Graph now supports new delegated and application permissions scoped to individual authentication methods supported by Microsoft Entra. These permissions provide lesser-privileged alternatives to the more widely scoped UserAuthenticationMethod.Read, UserAuthenticationMethod.ReadWrite.All, UserAuthenticationMethod.ReadWrite and UserAuthenticationMethod.Read.All permissions, helping you improve your organization's security posture by adopting least privilege practices.

Permission	Supported authentication methods	Delegated	Application
UserAuthMethod-Email.Read	Email
UserAuthMethod-Email.Read.All	Email
UserAuthMethod-Email.ReadWrite.All	Email
UserAuthMethod-External.Read	External
UserAuthMethod-External.Read.All	External
UserAuthMethod-External.ReadWrite.All	External
UserAuthMethod-HardwareOATH.Read	Hardware OATH
UserAuthMethod-HardwareOATH.Read.All	Hardware OATH
UserAuthMethod-HardwareOATH.ReadWrite	Hardware OATH
UserAuthMethod-HardwareOATH.ReadWrite.All	Hardware OATH
UserAuthMethod-MicrosoftAuthApp.Read	Microsoft Authenticator
UserAuthMethod-MicrosoftAuthApp.Read.All	Microsoft Authenticator
UserAuthMethod-MicrosoftAuthApp.ReadWrite	Microsoft Authenticator
UserAuthMethod-MicrosoftAuthApp.ReadWrite.All	Microsoft Authenticator
UserAuthMethod-Passkey.Read	FIDO2
UserAuthMethod-Passkey.Read.All	FIDO2
UserAuthMethod-Passkey.ReadWrite	FIDO2
UserAuthMethod-Passkey.ReadWrite.All	FIDO2
UserAuthMethod-Password.Read	Password
UserAuthMethod-Password.Read.All	Password
UserAuthMethod-Password.ReadWrite	Password
UserAuthMethod-Password.ReadWrite.All	Password
UserAuthMethod-Phone.Read	Phone
UserAuthMethod-Phone.Read.All	Phone
UserAuthMethod-Phone.ReadWrite	Phone
UserAuthMethod-Phone.ReadWrite.All	Phone
UserAuthMethod-PlatformCred.Read	Platform Credential
UserAuthMethod-PlatformCred.Read.All	Platform Credential
UserAuthMethod-PlatformCred.ReadWrite	Platform Credential
UserAuthMethod-PlatformCred.ReadWrite.All	Platform Credential
UserAuthMethod-QR.Read	QR Code
UserAuthMethod-QR.Read.All	QR Code
UserAuthMethod-QR.ReadWrite	QR Code
UserAuthMethod-QR.ReadWrite.All	QR Code
UserAuthMethod-SoftwareOATH.Read	Software OATH
UserAuthMethod-SoftwareOATH.Read.All	Software OATH
UserAuthMethod-SoftwareOATH.ReadWrite	Software OATH
UserAuthMethod-SoftwareOATH.ReadWrite.All	Software OATH
UserAuthMethod-TAP.Read	Temporary Access Pass
UserAuthMethod-TAP.Read.All	Temporary Access Pass
UserAuthMethod-TAP.ReadWrite	Temporary Access Pass
UserAuthMethod-TAP.ReadWrite.All	Temporary Access Pass
UserAuthMethod-WindowsHello.Read	Windows Hello for Business
UserAuthMethod-WindowsHello.Read.All	Windows Hello for Business
UserAuthMethod-WindowsHello.ReadWrite	Windows Hello for Business
UserAuthMethod-WindowsHello.ReadWrite.All	Windows Hello for Business

Security | Alerts and incidents

Use the investigationState property on alert to get the current status of an investigation.

Teamwork and communications | Calls and online meetings

Use the callEvent and emergencyCallEvent resources to provide detailed information about both standard and emergency call events. For more information, see Change notification for active meeting call events and change notification for emergency call events.

Teamwork and communications | Messaging

Use the originalSourceMembershipUrl annotation with the List allMembers API to identify the source of a member's membership and distinguish between direct and indirect members.

October 2025: New in preview only

Calendars | Places

• Applied the following prerequisites for the Places list and descendant APIs before you can use these APIs; otherwise, they don't return any places.
• Added wifi as a new supported value for the sensorType property of the workplaceSensor and workplaceSensorDeviceTelemetry resources.

Device and app management | Cloud PC

• Use the sessionStartDateTime property on cloudPcFrontlineSharedDeviceDetail to get the date and time when the current user session starts, or null if no current user session exists.
• Deprecated the getCloudPcLaunchInfo method in favor of the retrieveCloudPcLaunchDetail API.
• Deprecated the cloudPcExternalPartnerSetting resource and replaced with the cloudPcExternalPartner resource.
• Deprecated the frontlineCloudPcAvailability property of cloudPC in favor of the retrieveFrontlineCloudPcDetail method.
• Create, get, or update an external partner of Cloud PC, such as the partner status, and enable or disable the connection.
• Import, purge, or retrieve an external snapshot of a Cloud PC.
• Get information about licenses that the Cloud PC service directly manages using the cloudPcManagedLicense resource and the list managedLicenses operation. These cloudpc-managed licenses help administrators track license allocation, status, and usage across their Cloud PC deployments.
• Use the userSettingsPersistenceConfiguration property on cloudPcProvisioningPolicy to enable the persistence of user application settings between Cloud PC sessions.
• Deprecated the cloudPcReports: retrieveCloudPcRecommendationReports method in favor of the cloudPcReport: retrieveCloudPcRecommendationReports API.
• Deprecated the cloudPcReports resource in favor of the cloudPcReport resource.

Education

• List the dependent education assignment resources for a given education assignment resource.
• List the dependent education submission resources for a given education submission resource.

Teamwork and communications | Calls and online meetings

Use the meetingOptionsWebUrl property on onlineMeeting and virtualEventSession to get the URL to the Teams meeting options page for the specified meeting.

Files

Use the itemDefaultSensitivityLabelId property on fileStorageContainerSettings to get or set the ID of the default sensitivity label for items in the container. Added the following new endpoints as supported request URLs for the driveItem: createUploadSession API:

• POST /drives/{driveId}/items/{parentItemId}:/{fileName}:/createUploadSession
• POST /groups/{groupId}/drive/items/{parentItemId}:/{fileName}:/createUploadSession
• POST /sites/{siteId}/drive/items/{parentItemId}:/{fileName}:/createUploadSession
• POST /users/{userId}/drive/items/{parentItemId}:/{fileName}:/createUploadSession

Security | Alerts and incidents

Use the investigationState property on alert to get the current status of an investigation.

Sites and lists

Create a SharePoint site and monitor its creation status.

Tasks and plans

Use the extended properties API to store or get custom data in the todoTask resource.

Contribute to Microsoft Graph

Are there scenarios you'd like Microsoft Graph to support?

• Suggest and vote for new features by using the Microsoft Graph Feedback Portal. Some new features originate as popular requests from the developer community. The Microsoft Graph team regularly evaluates customer needs and releases new features to the beta (https://graph.microsoft.com/beta) and v1.0 (https://graph.microsoft.com/v1.0) endpoints.

• Join the weekly Microsoft 365 platform community call and become an active member of the Microsoft Graph community. To discover the full calendar of developer calls, visit the Microsoft 365 and Power Platform community page.

• Join our research panel to provide your input on our developer experiences.

Related content

• Microsoft Graph developer blog.
• Microsoft Graph API changelog.
• Microsoft Graph what's new history.