ESC
Type to search...
Navigate Open ESC Close

Directory.AccessAsUser.All

Export JSON
Export CSV
Copy URL
Print
Delegated Read All Resources

Allows the app to have the same access to information in the directory as the signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Delegated Permission Admin consent required

Access directory as the signed in user

Allows the app to have the same access to information in the directory as the signed-in user.

User sees: Allows the app to have the same access to information in your work or school directory as you do.
Permission ID: 0e263e50-5827-48a4-b97c-d940288653c7

Properties

Microsoft Graph v1.0 exact-category-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
id String A unique identifier for the object; for example, 12345678-9abc-def0-1234-56789abcde. Key. Not nullable. Read-only. Inherited from entity.
administrativeUnits administrativeUnit collection Conceptual container for user and group directory objects.
attributeSets attributeSet collection Group of related custom security attribute definitions.
customSecurityAttributeDefinitions customSecurityAttributeDefinition collection Schema of a custom security attributes (key-value pairs).
deletedItems directoryObject collection Recently deleted items. Read-only. Nullable.
deviceLocalCredentials deviceLocalCredentialInfo collection The credentials of the device's local administrator account backed up to Microsoft Entra ID.
federationConfigurations identityProviderBase collection Configure domain federation with organizations whose identity provider (IdP) supports either the SAML or WS-Fed protocol.
onPremisesSynchronization onPremisesDirectorySynchronization collection A container for on-premises directory synchronization functionalities that are available for the organization.
publicKeyInfrastructure object The collection of public key infrastructure instances for the certificate-based authentication feature for users in a Microsoft Entra tenant.
subscriptions companySubscription collection List of commercial subscriptions that an organization acquired.

JSON Representation

Microsoft Graph v1.0 exact-category-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "@odata.type": "#microsoft.graph.directory"
}

Relationships

Microsoft Graph v1.0 exact-category-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
administrativeUnits administrativeUnit collection Conceptual container for user and group directory objects.
attributeSets attributeSet collection Group of related custom security attribute definitions.
customSecurityAttributeDefinitions customSecurityAttributeDefinition collection Schema of a custom security attributes (key-value pairs).
deletedItems directoryObject collection Recently deleted items. Read-only. Nullable.
deviceLocalCredentials deviceLocalCredential collection The credentials of the device's local administrator account backed up to Microsoft Entra ID.
federationConfigurations identityProviderBase collection Configure domain federation with organizations whose identity provider (IdP) supports either the SAML or WS-Fed protocol.
onPremisesSynchronization onPremisesDirectorySynchronization A container for on-premises directory synchronization functionalities that are available for the organization.
publicKeyInfrastructure publicKeyInfrastructureRoot The collection of public key infrastructure instances for the certificate-based authentication feature for users in a Microsoft Entra tenant.
subscriptions companySubscription collection List of commercial subscriptions that an organization acquired.
externalUserProfiles externalUserProfile collection Collection of external user profiles that represent collaborators in the directory.
featureRolloutPolicies featureRolloutPolicy collection Related featureRolloutPolicies data exposed by this resource.
impactedResources impactedResource collection Related impactedResources data exposed by this resource.
inboundSharedUserProfiles inboundSharedUserProfile collection A collection of external users whose profile data is shared with the Microsoft Entra tenant. Nullable.
outboundSharedUserProfiles outboundSharedUserProfile collection Related outboundSharedUserProfiles data exposed by this resource.
pendingExternalUserProfiles pendingExternalUserProfile collection Collection of pending external user profiles representing collaborators in the directory that are unredeemed.
recommendations recommendation collection List of recommended improvements to improve tenant posture.
sharedEmailDomains sharedEmailDomain collection Related sharedEmailDomains data exposed by this resource.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
POST /devices
POST /devices(deviceId='{deviceId}')/registeredOwners/$ref
POST /devices(deviceId='{deviceId}')/registeredUsers/$ref
POST /devices/{id}/registeredOwners/$ref
POST /devices/{id}/registeredUsers/$ref
PATCH /devices(deviceId='{deviceId}')
PATCH /devices/{id}
PATCH /me/authentication/qrCodePinMethod/pin/updatepin
PATCH /users/{usersId}/authentication/qrCodePinMethod/pin/updatepin
DELETE /devices(deviceId='{deviceId}')
DELETE /devices/{id}
DELETE /devices/{id}/registeredOwners/{id}/$ref
DELETE /devices/{id}/registeredUsers/{id}/$ref
Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
POST /devices
POST /devices(deviceId='{deviceId}')/registeredOwners/$ref
POST /devices(deviceId='{deviceId}')/registeredUsers/$ref
POST /devices/{id}/registeredOwners/$ref
POST /devices/{id}/registeredUsers/$ref
POST /groups/{groupsId}/deletePasswordSingleSignOnCredentials
POST /groups/{groupsId}/getPasswordSingleSignOnCredentials
POST /users/{usersId}/deletePasswordSingleSignOnCredentials
POST /users/{usersId}/getPasswordSingleSignOnCredentials
PATCH /devices(deviceId='{deviceId}')
PATCH /devices/{id}
PATCH /me/authentication/qrCodePinMethod/pin/updatepin
PATCH /users/{usersId}/authentication/qrCodePinMethod/pin/updatepin
DELETE /devices(deviceId='{deviceId}')
DELETE /devices/{id}
DELETE /devices/{id}/registeredOwners/{id}/$ref
DELETE /devices/{id}/registeredUsers/{id}/$ref
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
New-MgDevice /devices
Create device
New-MgDeviceRegisteredOwnerByRef /devices/{id}/registeredOwners/$ref
Create registeredOwner
New-MgDeviceRegisteredUserByRef /devices/{id}/registeredUsers/$ref
Create registeredUser
Remove-MgDevice /devices/{id}
Delete device
Remove-MgDeviceRegisteredOwnerDirectoryObjectByRef /devices/{id}/registeredOwners/{id}/$ref
Delete registeredOwners
Remove-MgDeviceRegisteredUserDirectoryObjectByRef /devices/{id}/registeredUsers/{id}/$ref
Delete registeredUsers
Update-MgDevice /devices/{id}
Update device
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgBetaGroupPasswordSingleSignOnCredential /groups/{groupsId}/getPasswordSingleSignOnCredentials
group: getPasswordSingleSignOnCredentials
Get-MgBetaUserPasswordSingleSignOnCredential /users/{usersId}/getPasswordSingleSignOnCredentials
user: getPasswordSingleSignOnCredentials
New-MgBetaDevice /devices
Create device
New-MgBetaDeviceRegisteredOwnerByRef /devices/{id}/registeredOwners/$ref
Create registeredOwner
New-MgBetaDeviceRegisteredUserByRef /devices/{id}/registeredUsers/$ref
Create registeredUser
Remove-MgBetaDevice /devices/{id}
Delete device
Remove-MgBetaDeviceRegisteredOwnerDirectoryObjectByRef /devices/{id}/registeredOwners/{id}/$ref
Delete registeredowners
Remove-MgBetaDeviceRegisteredUserDirectoryObjectByRef /devices/{id}/registeredUsers/{id}/$ref
Delete registeredUsers
Remove-MgBetaGroupPasswordSingleSignOnCredential /groups/{groupsId}/deletePasswordSingleSignOnCredentials
group: deletePasswordSingleSignOnCredentials
Remove-MgBetaUserPasswordSingleSignOnCredential /users/{usersId}/deletePasswordSingleSignOnCredentials
user: deletePasswordSingleSignOnCredentials
Update-MgBetaDevice /devices/{id}
Update device

Code Examples

C# / .NET SDK
Create device
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Device
{
	AccountEnabled = false,
	AlternativeSecurityIds = new List<AlternativeSecurityId>
	{
		new AlternativeSecurityId
		{
			Type = 2,
			Key = Convert.FromBase64String("base64Y3YxN2E1MWFlYw=="),
		},
	},
	DeviceId = "4c299165-6e8f-4b45-a5ba-c5d250a707ff",
	DisplayName = "Test device",
	OperatingSystem = "linux",
	OperatingSystemVersion = "1",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Devices.PostAsync(requestBody);
JavaScript
Create device
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

const device = {
  accountEnabled: false,
  alternativeSecurityIds: 
  [
    {
      type: 2,
      key: 'base64Y3YxN2E1MWFlYw=='
    }
  ],
  deviceId: '4c299165-6e8f-4b45-a5ba-c5d250a707ff',
  displayName: 'Test device',
  operatingSystem: 'linux',
  operatingSystemVersion: '1'
};

await client.api('/devices')
	.post(device);
PowerShell
Create device
View official example on Microsoft Learn
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$params = @{
	accountEnabled = $false
	alternativeSecurityIds = @(
		@{
			type = 2
			key = [System.Text.Encoding]::ASCII.GetBytes("base64Y3YxN2E1MWFlYw==")
		}
	)
	deviceId = "4c299165-6e8f-4b45-a5ba-c5d250a707ff"
	displayName = "Test device"
	operatingSystem = "linux"
	operatingSystemVersion = "1"
}

New-MgDevice -BodyParameter $params
Python
Create device
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.device import Device
from msgraph.generated.models.alternative_security_id import AlternativeSecurityId
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Device(
	account_enabled = False,
	alternative_security_ids = [
		AlternativeSecurityId(
			type = 2,
			key = base64.urlsafe_b64decode("base64Y3YxN2E1MWFlYw=="),
		),
	],
	device_id = "4c299165-6e8f-4b45-a5ba-c5d250a707ff",
	display_name = "Test device",
	operating_system = "linux",
	operating_system_version = "1",
)

result = await graph_client.devices.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Delegated permissions and search for Directory.AccessAsUser.All

4

Grant Admin Consent

This delegated permission requires admin consent.