Domain.ReadWrite.All
Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated
Read/Write
All Resources
Allows the app to read and write all domain properties without a signed in user. Also allows the app to add, verify and remove domains.
Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access
App-Only Access
Permission Details
Application Permission
Read and write domains
Allows the app to read and write all domain properties without a signed in user. Also allows the app to add, verify and remove domains.
Permission ID:
7e05723c-0bb0-42da-be95-ae9f08a6e53c
Delegated Permission
Admin consent required
Read and write domains
Allows the app to read and write all domain properties on behalf of the signed-in user. Also allows the app to add, verify and remove domains.
User sees: Allows the app to read and write all domain properties on your behalf. Also allows the app to add, verify and remove domains.
Permission ID:
0b5d694c-a244-4bde-86e6-eb5cd07730fe
Properties
Microsoft Graph v1.0
exact-category-docs
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
authenticationType |
String |
Indicates the configured authentication type for the domain. The value is either Managed or Federated. Managed indicates a cloud managed domain where Microsoft Entra ID performs user authentication. Federated indicates authentication is federated with an identity provider such as the tenant's on-premises Active Directory via Active Directory Federation Services. Not nullable. , , To update this property in delegated scenarios, the calling app must be assigned the Domain-InternalFederation.ReadWrite.All permission. |
availabilityStatus |
StringNullable |
This property is always null except when the verify action is used. When the verify action is used, a domain entity is returned in the response. The availabilityStatus property of the domain entity in the response is either AvailableImmediately or EmailVerifiedDomainTakeoverScheduled. |
id |
String |
The fully qualified name of the domain. Key, immutable, not nullable, unique. |
isAdminManaged |
Boolean |
The value of the property is false if the DNS record management of the domain is delegated to Microsoft 365. Otherwise, the value is true. Not nullable |
isDefault |
Boolean |
true if this is the default domain that is used for user creation. There's only one default domain per company. Not nullable. |
isInitial |
Boolean |
true if this is the initial domain created by Microsoft Online Services (contoso.com). There's only one initial domain per company. Not nullable |
isRoot |
Boolean |
true if the domain is a verified root domain. Otherwise, false if the domain is a subdomain or unverified. Not nullable. |
isVerified |
Boolean |
true if the domain completed domain ownership verification. Not nullable. |
passwordNotificationWindowInDays |
Int32Nullable |
Specifies the number of days before a user receives notification that their password expires. If the property isn't set, a default value of 14 days is used. |
passwordValidityPeriodInDays |
Int32Nullable |
Specifies the length of time that a password is valid before it must be changed. If the property isn't set, a default value of 90 days is used. |
state |
domainState |
Status of asynchronous operations scheduled for the domain. |
supportedServices |
String collection |
The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable. |
domainNameReferences |
directoryObject collection |
The objects such as users and groups that reference the domain ID. Read-only, Nullable. Doesn't support $expand. Supports $filter by the OData type of objects returned. For example, /domains/{domainId}/domainNameReferences/microsoft.graph.user and /domains/{domainId}/domainNameReferences/microsoft.graph.group. |
federationConfiguration |
internalDomainFederation collection |
Domain settings configured by a customer when federated with Microsoft Entra ID. Doesn't support $expand. |
manufacturer |
stringNullable |
Showing 15 of 19 properties.
JSON Representation
Microsoft Graph v1.0
exact-category-docs
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
JSON representation
{
"authenticationType": "String",
"availabilityStatus": "String",
"id": "String (identifier)",
"isAdminManaged": true,
"isDefault": true,
"isInitial": true,
"isRoot": true,
"isVerified": true,
"passwordNotificationWindowInDays": 14,
"passwordValidityPeriodInDays": 90,
"state": {
"@odata.type": "microsoft.graph.domainState"
},
"supportedServices": [
"String"
]
}Relationships
Microsoft Graph v1.0
exact-category-docs
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
domainNameReferences |
directoryObject collection |
The objects such as users and groups that reference the domain ID. Read-only, Nullable. Doesn't support $expand. Supports $filter by the OData type of objects returned. For example, /domains/{domainId}/domainNameReferences/microsoft.graph.user and /domains/{domainId}/domainNameReferences/microsoft.graph.group. |
federationConfiguration |
internalDomainFederation |
Domain settings configured by a customer when federated with Microsoft Entra ID. Doesn't support $expand. |
rootDomain |
domain |
Root domain of a subdomain. Read-only, Nullable. Supports $expand. |
serviceConfigurationRecords |
domainDnsRecord collection |
DNS records the customer adds to the DNS zone file of the domain before the domain can be used by Microsoft Online services. Read-only, Nullable. Doesn't support $expand. |
verificationDnsRecords |
domainDnsRecord collection |
DNS records that the customer adds to the DNS zone file of the domain before the customer can complete domain ownership verification with Microsoft Entra ID. Read-only, Nullable. Doesn't support $expand. |
supportedServices |
string collection |
The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable. |
sharedEmailDomainInvitations |
sharedEmailDomainInvitation collection |
Related sharedEmailDomainInvitations data exposed by this resource. |
Graph Methods
Delegated access
App-only access
Exact Microsoft Learn match
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Exact Microsoft Learn match
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
C# / .NET SDK
Create domain
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new Domain
{
Id = "contoso.com",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Domains.PostAsync(requestBody);
JavaScript
Create domain
const options = {
authProvider,
};
const client = Client.init(options);
const domain = {
id: 'contoso.com'
};
await client.api('/domains')
.post(domain);
PowerShell
Create domain
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$params = @{
id = "contoso.com"
}
New-MgDomain -BodyParameter $params
Python
Create domain
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.domain import Domain
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Domain(
id = "contoso.com",
)
result = await graph_client.domains.post(request_body)App Registration
1
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
2
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
3
Select Permission Type
Choose Application permissions or delegated permissions and search for Domain.ReadWrite.All
4
Grant Admin Consent
Application permissions always require admin consent.