OnPremDirectorySynchronization.ReadWrite.All
Allows the app to read and write all on-premises directory synchronization information for the organization, without a signed-in user.
Permission Details

| Type | Display name | Description | ID |
|---|---|---|---|
| Application | Read and write all on-premises directory synchronization information | Allows the app to read and write all on-premises directory synchronization information for the organization, without a signed-in user. | c22a92cc-79bf-4bb1-8b6c-e0a05d3d80ce |
| Delegated | Read and write all on-premises directory synchronization information | Allows the app to read and write all on-premises directory synchronization information for the organization, on behalf of the signed-in user. | c2d95988-7604-4ba1-aaed-38a5f82a51c7 |
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.

| Property | Type | Description |
|---|---|---|
| id | String | A unique identifier for the object; for example, 12345678-9abc-def0-1234-56789abcde. Key. Not nullable. Read-only. Inherited from entity. |
| administrativeUnits | administrativeUnit collection | Conceptual container for user and group directory objects. |
| attributeSets | attributeSet collection | Group of related custom security attribute definitions. |
| customSecurityAttributeDefinitions | customSecurityAttributeDefinition collection | Schema of custom security attributes (key-value pairs). |
| deletedItems | directoryObject collection | Recently deleted items. Read-only. Nullable. |
| deviceLocalCredentials | deviceLocalCredentialInfo collection | The credentials of the device's local administrator account backed up to Microsoft Entra ID. |
| federationConfigurations | identityProviderBase collection | Configure domain federation with organizations whose identity provider (IdP) supports either the SAML or WS-Fed protocol. |
| onPremisesSynchronization | onPremisesDirectorySynchronization collection | A container for on-premises directory synchronization functionalities that are available for the organization. |
| publicKeyInfrastructure | object | The collection of public key infrastructure instances for the certificate-based authentication feature for users in a Microsoft Entra tenant. |
| subscriptions | companySubscription collection | List of commercial subscriptions that an organization acquired. |
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "@odata.type": "#microsoft.graph.directory"
}
```
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.

| Relationship | Type | Description |
|---|---|---|
| administrativeUnits | administrativeUnit collection | Conceptual container for user and group directory objects. |
| attributeSets | attributeSet collection | Group of related custom security attribute definitions. |
| customSecurityAttributeDefinitions | customSecurityAttributeDefinition collection | Schema of custom security attributes (key-value pairs). |
| deletedItems | directoryObject collection | Recently deleted items. Read-only. Nullable. |
| deviceLocalCredentials | deviceLocalCredential collection | The credentials of the device's local administrator account backed up to Microsoft Entra ID. |
| federationConfigurations | identityProviderBase collection | Configure domain federation with organizations whose identity provider (IdP) supports either the SAML or WS-Fed protocol. |
| onPremisesSynchronization | onPremisesDirectorySynchronization | A container for on-premises directory synchronization functionalities that are available for the organization. |
| publicKeyInfrastructure | publicKeyInfrastructureRoot | The collection of public key infrastructure instances for the certificate-based authentication feature for users in a Microsoft Entra tenant. |
| subscriptions | companySubscription collection | List of commercial subscriptions that an organization acquired. |
| externalUserProfiles | externalUserProfile collection | Collection of external user profiles that represent collaborators in the directory. |
| featureRolloutPolicies | featureRolloutPolicy collection | Related featureRolloutPolicies data exposed by this resource. |
| impactedResources | impactedResource collection | Related impactedResources data exposed by this resource. |
| inboundSharedUserProfiles | inboundSharedUserProfile collection | A collection of external users whose profile data is shared with the Microsoft Entra tenant. Nullable. |
| outboundSharedUserProfiles | outboundSharedUserProfile collection | Related outboundSharedUserProfiles data exposed by this resource. |
| pendingExternalUserProfiles | pendingExternalUserProfile collection | Collection of pending external user profiles representing collaborators in the directory that are unredeemed. |
| recommendations | recommendation collection | List of recommended improvements to improve tenant posture. |
| sharedEmailDomains | sharedEmailDomain collection | Related sharedEmailDomains data exposed by this resource. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

| Methods |
|---|
| GET /directory/onPremisesSynchronization |
| PATCH /directory/onPremisesSynchronization/{id} |

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

| Methods |
|---|
| GET /directory/onPremisesSynchronization |
| PATCH /directory/onPremisesSynchronization/{id} |

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new OnPremisesDirectorySynchronization
{
    Configuration = new OnPremisesDirectorySynchronizationConfiguration
    {
        AccidentalDeletionPrevention = new OnPremisesAccidentalDeletionPrevention
        {
            SynchronizationPreventionType = OnPremisesDirectorySynchronizationDeletionPreventionType.EnabledForCount,
            AlertThreshold = 500,
        },
    },
    Features = new OnPremisesDirectorySynchronizationFeature
    {
        GroupWriteBackEnabled = true,
    },
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Directory.OnPremisesSynchronization["{onPremisesDirectorySynchronization-id}"].PatchAsync(requestBody);
```
```javascript
const options = {
    authProvider,
};

const client = Client.init(options);

const onPremisesDirectorySynchronization = {
    configuration: {
        accidentalDeletionPrevention: {
            synchronizationPreventionType: 'enabledForCount',
            alertThreshold: 500
        }
    },
    features: {
        groupWriteBackEnabled: true
    }
};

await client.api('/directory/onPremisesSynchronization/{id}')
    .update(onPremisesDirectorySynchronization);
```
```powershell
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$params = @{
    configuration = @{
        accidentalDeletionPrevention = @{
            synchronizationPreventionType = "enabledForCount"
            alertThreshold = 500
        }
    }
    features = @{
        groupWriteBackEnabled = $true
    }
}

Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $onPremisesDirectorySynchronizationId -BodyParameter $params
```
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.on_premises_directory_synchronization import OnPremisesDirectorySynchronization
from msgraph.generated.models.on_premises_directory_synchronization_configuration import OnPremisesDirectorySynchronizationConfiguration
from msgraph.generated.models.on_premises_accidental_deletion_prevention import OnPremisesAccidentalDeletionPrevention
from msgraph.generated.models.on_premises_directory_synchronization_deletion_prevention_type import OnPremisesDirectorySynchronizationDeletionPreventionType
from msgraph.generated.models.on_premises_directory_synchronization_feature import OnPremisesDirectorySynchronizationFeature

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = OnPremisesDirectorySynchronization(
    configuration = OnPremisesDirectorySynchronizationConfiguration(
        accidental_deletion_prevention = OnPremisesAccidentalDeletionPrevention(
            synchronization_prevention_type = OnPremisesDirectorySynchronizationDeletionPreventionType.EnabledForCount,
            alert_threshold = 500,
        ),
    ),
    features = OnPremisesDirectorySynchronizationFeature(
        group_write_back_enabled = True,
    ),
)

result = await graph_client.directory.on_premises_synchronization.by_on_premises_directory_synchronization_id('onPremisesDirectorySynchronization-id').patch(request_body)
```
App Registration
1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph
3. Select Permission Type: Choose Application permissions or delegated permissions and search for OnPremDirectorySynchronization.ReadWrite.All
4. Grant Admin Consent: Application permissions always require admin consent.
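
To review the outcome of the consent steps above, this added example (not part of the original page or of Microsoft's snippets) filters Microsoft Graph records for principals that hold this permission, using the application permission ID listed on this page. The function names are illustrative, and the sample records are constructed in the shape returned by GET /servicePrincipals/{id}/appRoleAssignedTo and GET /oauth2PermissionGrants.

```python
# Added example: list who holds OnPremDirectorySynchronization.ReadWrite.All.
PERMISSION = "OnPremDirectorySynchronization.ReadWrite.All"
APP_ROLE_ID = "c22a92cc-79bf-4bb1-8b6c-e0a05d3d80ce"  # application permission ID from this page


def app_only_holders(assignments):
    """Principals granted the application permission (matched by appRoleId)."""
    return sorted(
        (a["principalDisplayName"], a["principalId"])
        for a in assignments
        if (a.get("appRoleId") or "").lower() == APP_ROLE_ID
    )


def delegated_holders(grants):
    """Clients whose delegated grant includes the permission.

    `scope` is a space-separated list of permission names, so whole tokens
    are compared rather than substrings.
    """
    hits = []
    for g in grants:
        scopes = {s.lower() for s in (g.get("scope") or "").split()}
        if PERMISSION.lower() in scopes:
            # AllPrincipals = admin consent for every user; Principal = one user.
            tenant_wide = g.get("consentType") == "AllPrincipals"
            hits.append((g["clientId"], "all users" if tenant_wide else g["principalId"]))
    return sorted(hits)


# Constructed sample records (placeholder IDs and names, not real tenant data).
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "sync-automation", "appRoleId": APP_ROLE_ID,
     "principalId": "11111111-1111-1111-1111-111111111111"},
    {"principalDisplayName": "reporting-app", "appRoleId": "00000000-0000-0000-0000-000000000000",
     "principalId": "22222222-2222-2222-2222-222222222222"},
]
SAMPLE_GRANTS = [
    {"clientId": "33333333-3333-3333-3333-333333333333", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read OnPremDirectorySynchronization.ReadWrite.All"},
    {"clientId": "44444444-4444-4444-4444-444444444444", "consentType": "Principal",
     "principalId": "55555555-5555-5555-5555-555555555555",
     "scope": "OnPremDirectorySynchronization.Read.All"},  # read-only: not reported
]

if __name__ == "__main__":
    for name, pid in app_only_holders(SAMPLE_ASSIGNMENTS):
        print("application:", name, pid)
    for client, who in delegated_holders(SAMPLE_GRANTS):
        print("delegated:", client, "for", who)
```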