SynchronizationData-User.Upload.OwnedBy
Allows the application to upload bulk user data to the identity synchronization service for apps that this application creates or owns, without a signed-in user.
Permission Details
Upload user data to the identity sync service for apps that this application creates or owns
25c32ff3-849a-494b-b94f-20a8ac4e6774
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| accountEnabled | Boolean (nullable) | true if the service principal account is enabled; otherwise, false. If set to false, then no users are able to sign in to this app, even if they're assigned to it. Supports $filter (eq, ne, not, in). |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | String collection | Used to retrieve service principals by subscription, identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appDescription | String (nullable) | The description exposed by the associated application. |
| appDisplayName | String (nullable) | The display name exposed by the associated application. Maximum length is 256 characters. |
| appId | String (nullable) | The unique identifier for the associated application (its appId property). Alternate key. Supports $filter (eq, ne, not, in, startsWith). |
| applicationTemplateId | String (nullable) | Unique identifier of the applicationTemplate. Supports $filter (eq, not, ne). Read-only. null if the service principal wasn't created from an application template. |
| appOwnerOrganizationId | Guid (nullable) | Contains the tenant ID where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le). |
| appRoleAssignmentRequired | Boolean | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false. Not nullable. Supports $filter (eq, ne, NOT). |
| appRoles | appRole collection | The roles exposed by the application that's linked to this service principal. For more information, see the appRoles property definition on the application entity. Not nullable. |
| createdByAppId | String | The appId of the application that created this service principal. Set internally by Microsoft Entra ID. Read-only. |
| customSecurityAttributes | customSecurityAttributeValue | An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. Returned only on $select. Supports $filter (eq, ne, not, startsWith). Filter value is case sensitive. To read this property, the calling app must be assigned the CustomSecAttributeAssignment.Read.All permission. To write this property, the calling app must be assigned the CustomSecAttributeAssignment.ReadWrite.All permission. To read or write this property in delegated scenarios, the admin must be assigned the Attribute Assignment Administrator role. |
| deletedDateTime | DateTimeOffset (nullable) | The date and time the service principal was deleted. Read-only. |
| description | String (nullable) | Free text field to provide an internal end-user facing description of the service principal. End-user portals such as MyApps display the application description in this field. The maximum allowed size is 1,024 characters. Supports $filter (eq, ne, not, ge, le, startsWith) and $search. |
| disabledByMicrosoftStatus | String (nullable) | Specifies whether Microsoft has disabled the registered application. The possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Supports $filter (eq, ne, not). |
Showing 15 of 55 properties.
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "accountEnabled": true,
  "addIns": [
    {
      "@odata.type": "microsoft.graph.addIn"
    }
  ],
  "alternativeNames": [
    "String"
  ],
  "appDisplayName": "String",
  "appId": "String",
  "appOwnerOrganizationId": "Guid",
  "appRoleAssignmentRequired": true,
  "appRoles": [
    {
      "@odata.type": "microsoft.graph.appRole"
    }
  ],
  "createdByAppId": "String",
  "customSecurityAttributes": {
    "@odata.type": "microsoft.graph.customSecurityAttributeValue"
  },
  "disabledByMicrosoftStatus": "String",
  "displayName": "String",
  "homepage": "String",
  "id": "String (identifier)",
  "info": {
    "@odata.type": "microsoft.graph.informationalUrl"
  },
  "keyCredentials": [
    {
      "@odata.type": "microsoft.graph.keyCredential"
    }
  ],
  "logoutUrl": "String",
  "notes": "String",
  "oauth2PermissionScopes": [
    {
      "@odata.type": "microsoft.graph.permissionScope"
    }
  ],
  "passwordCredentials": [
    {
      "@odata.type": "microsoft.graph.passwordCredential"
    }
  ],
  "preferredTokenSigningKeyThumbprint": "String",
  "replyUrls": [
    "String"
  ],
  "resourceSpecificApplicationPermissions": [
    {
      "@odata.type": "microsoft.graph.resourceSpecificPermission"
    }
  ],
  "servicePrincipalNames": [
    "String"
  ],
  "servicePrincipalType": "String",
  "tags": [
    "String"
  ],
  "tokenEncryptionKeyId": "String",
  "verifiedPublisher": {
    "@odata.type": "microsoft.graph.verifiedPublisher"
  }
}
```
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| appManagementPolicies | appManagementPolicy collection | The appManagementPolicy applied to this application. |
| appRoleAssignedTo | appRoleAssignment | App role assignments for this app or service, granted to users, groups, and other service principals. Supports $expand. |
| appRoleAssignments | appRoleAssignment collection | App role assignment for another app or service, granted to this service principal. Supports $expand. |
| claimsMappingPolicies | claimsMappingPolicy collection | The claimsMappingPolicies assigned to this service principal. Supports $expand. |
| createdObjects | directoryObject collection | Directory objects created by this service principal. Read-only. Nullable. |
| federatedIdentityCredentials | federatedIdentityCredential collection | Federated identities for a specific type of service principal - managed identity. Supports $expand and $filter (/$count eq 0, /$count ne 0). |
| homeRealmDiscoveryPolicies | homeRealmDiscoveryPolicy collection | The homeRealmDiscoveryPolicies assigned to this service principal. Supports $expand. |
| memberOf | directoryObject collection | Roles that this service principal is a member of. HTTP Methods: GET. Read-only. Nullable. Supports $expand. |
| oauth2PermissionGrants | oAuth2PermissionGrant collection | Delegated permission grants authorizing this service principal to access an API on behalf of a signed-in user. Read-only. Nullable. |
| ownedObjects | directoryObject collection | Directory objects that this service principal owns. Read-only. Nullable. Supports $expand, $select nested in $expand, and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). |
| owners | directoryObject collection | Directory objects that are owners of this servicePrincipal. The owners are a set of nonadmin users or servicePrincipals who are allowed to modify this object. Supports $expand, $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1), and $select nested in $expand. |
| remoteDesktopSecurityConfiguration | remoteDesktopSecurityConfiguration | The remoteDesktopSecurityConfiguration object applied to this service principal. Supports $filter (eq) for isRemoteDesktopProtocolEnabled property. |
| synchronization | synchronization | Represents the capability for Microsoft Entra identity synchronization through the Microsoft Graph API. |
| tokenIssuancePolicies | tokenIssuancePolicy collection | The tokenIssuancePolicies assigned to this service principal. |
| tokenLifetimePolicies | tokenLifetimePolicy collection | The tokenLifetimePolicies assigned to this service principal. |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | string collection | Used to retrieve service principals by subscription, identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appOwnerOrganizationId | uuid | Contains the tenant ID where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le). |
| appRoles | appRole collection | The roles exposed by the application that's linked to this service principal. For more information, see the appRoles property definition on the application entity. Not nullable. |
| delegatedPermissionClassifications | delegatedPermissionClassification collection | Related delegatedPermissionClassifications data exposed by this resource. |
| endpoints | endpoint collection | Related endpoints data exposed by this resource. |
| keyCredentials | keyCredential collection | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, not, ge, le). |
| notificationEmailAddresses | string collection | Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Microsoft Entra Gallery applications. |
| oauth2PermissionScopes | permissionScope collection | The delegated permissions exposed by the application. For more information, see the oauth2PermissionScopes property on the application entity's api property. Not nullable. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
| POST /servicePrincipals/{servicePrincipalId}/synchronization/jobs/{jobId}/bulkUpload |
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
| POST /servicePrincipals/{servicePrincipalId}/synchronization/jobs/{jobId}/bulkUpload |
Microsoft Graph PowerShell v1.0 commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.
No deterministic PowerShell command map is available for this permission.
Microsoft Graph PowerShell beta commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.
No deterministic PowerShell command map is available for this permission.
Code Examples
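```csharp
using System.Net.Http.Headers;
using System.Text;
using Azure.Core;
using Azure.Identity;
// Application permission (no signed-in user): use the client credentials flow and the .default scope.
var credential = new ClientSecretCredential(
    "YOUR_TENANT_ID", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET");
var token = await credential.GetTokenAsync(
    new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));
using var http = new HttpClient();
http.DefaultRequestHeaders.Authorization =
    new AuthenticationHeaderValue("Bearer", token.Token);
// SCIM BulkRequest payload; the file name is a placeholder.
var body = new StringContent(await File.ReadAllTextAsync("bulk-request.json"), Encoding.UTF8);
body.Headers.ContentType = new MediaTypeHeaderValue("application/scim+json");
// bulkUpload accepts POST only.
var response = await http.PostAsync(
    "https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalId}/synchronization/jobs/{jobId}/bulkUpload",
    body);
Console.WriteLine((int)response.StatusCode);
```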
```javascript
import { Client } from '@microsoft/microsoft-graph-client';

// authProvider is assumed to be an app-only (client credentials)
// authentication provider created elsewhere.
const options = {
  authProvider,
};
const client = Client.init(options);
// SCIM BulkRequest with one POST /Users operation per user.
const bulkUpload = {
  schemas: ['urn:ietf:params:scim:api:messages:2.0:BulkRequest'],
  Operations: [
    {
      method: 'POST',
      bulkId: '701984',
      path: '/Users',
      data: {
        schemas: ['urn:ietf:params:scim:schemas:core:2.0:User',
          'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'],
        externalId: '701984',
        userName: '[email protected]',
        name: {
          formatted: 'Ms. Barbara J Jensen, III',
          familyName: 'Jensen',
          givenName: 'Barbara',
          middleName: 'Jane',
          honorificPrefix: 'Ms.',
          honorificSuffix: 'III'
        },
        displayName: 'Babs Jensen',
        nickName: 'Babs',
        emails: [
          {
            value: '[email protected]',
            type: 'work',
            primary: true
          }
        ],
        addresses: [
          {
            type: 'work',
            streetAddress: '234300 Universal City Plaza',
            locality: 'Hollywood',
            region: 'CA',
            postalCode: '91608',
            country: 'USA',
            formatted: '100 Universal City Plaza\nHollywood, CA 91608 USA',
            primary: true
          }
        ],
        phoneNumbers: [
          {
            value: '555-555-5555',
            type: 'work'
          }
        ],
        userType: 'Employee',
        title: 'Tour Guide',
        preferredLanguage: 'en-US',
        locale: 'en-US',
        timezone: 'America/Los_Angeles',
        active: true,
        'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': {
          employeeNumber: '701984',
          costCenter: '4130',
          organization: 'Universal Studios',
          division: 'Theme Park',
          department: 'Tour Operations',
          manager: {
            value: '89607',
            displayName: 'John Smith'
          }
        }
      }
    },
    {
      method: 'POST',
      bulkId: '701985',
      path: '/Users',
      data: {
        schemas: ['urn:ietf:params:scim:schemas:core:2.0:User',
          'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'],
        externalId: '701985',
        userName: '[email protected]',
        name: {
          formatted: 'Ms. Kathy J Jensen, III',
          familyName: 'Jensen',
          givenName: 'Kathy',
          middleName: 'Jane',
          honorificPrefix: 'Ms.',
          honorificSuffix: 'III'
        },
        displayName: 'Kathy Jensen',
        nickName: 'Kathy',
        emails: [
          {
            value: '[email protected]',
            type: 'work',
            primary: true
          }
        ],
        addresses: [
          {
            type: 'work',
            streetAddress: '100 Oracle City Plaza',
            locality: 'Hollywood',
            region: 'CA',
            postalCode: '91618',
            country: 'USA',
            formatted: '100 Oracle City Plaza\nHollywood, CA 91618 USA',
            primary: true
          }
        ],
        phoneNumbers: [
          {
            value: '555-555-5545',
            type: 'work'
          }
        ],
        userType: 'Employee',
        title: 'Tour Lead',
        preferredLanguage: 'en-US',
        locale: 'en-US',
        timezone: 'America/Los_Angeles',
        active: true,
        'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': {
          employeeNumber: '701984',
          costCenter: '4130',
          organization: 'Universal Studios',
          division: 'Theme Park',
          department: 'Tour Operations',
          manager: {
            value: '701984',
            displayName: 'Barbara Jensen'
          }
        }
      }
    }
  ],
  failOnErrors: null
};
// The bulkUpload endpoint expects a SCIM payload, so set the content type explicitly.
await client.api('/servicePrincipals/{servicePrincipalId}/synchronization/jobs/{jobId}/bulkUpload')
  .header('Content-Type', 'application/scim+json')
  .post(bulkUpload);
```
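```powershell
# App-only sign-in (application permission); the certificate thumbprint is a placeholder.
Connect-MgGraph -TenantId "YOUR_TENANT_ID" -ClientId "YOUR_CLIENT_ID" -CertificateThumbprint "YOUR_CERT_THUMBPRINT"
# bulkUpload accepts POST only; bulk-request.json is a placeholder file holding the SCIM BulkRequest.
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalId}/synchronization/jobs/{jobId}/bulkUpload" -ContentType "application/scim+json" -Body (Get-Content -Raw "bulk-request.json")
```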
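```python
from azure.identity import ClientSecretCredential
import requests

# Application permission (no signed-in user): client credentials flow.
credential = ClientSecretCredential(
    tenant_id="YOUR_TENANT_ID",
    client_id="YOUR_CLIENT_ID",
    client_secret="YOUR_CLIENT_SECRET",
)
# App-only tokens are requested through the resource's .default scope.
token = credential.get_token("https://graph.microsoft.com/.default")

# SCIM BulkRequest payload; the file name is a placeholder.
with open("bulk-request.json", "rb") as f:
    payload = f.read()

# bulkUpload accepts POST only.
response = requests.post(
    "https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalId}/synchronization/jobs/{jobId}/bulkUpload",
    headers={"Authorization": f"Bearer {token.token}", "Content-Type": "application/scim+json"},
    data=payload,
)
response.raise_for_status()
print(response.status_code)
```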
App Registration
1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center.
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: Choose Application permissions and search for SynchronizationData-User.Upload.OwnedBy.
4. Grant Admin Consent: Application permissions always require admin consent.
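
Once admin consent is granted, it is worth reviewing which service principals hold this app role and how they authenticate, because the permission works without a signed-in user and owners are allowed to modify the object. The following is an added example, not part of the original page or Microsoft's documentation: it audits a constructed export of servicePrincipal objects, and the input shape, the finding labels and the 180-day threshold are assumptions.

```javascript
// App role ID of SynchronizationData-User.Upload.OwnedBy, as listed on this page.
const BULK_UPLOAD_OWNEDBY = '25c32ff3-849a-494b-b94f-20a8ac4e6774';
const MAX_SECRET_DAYS = 180; // assumed review threshold, not a Microsoft limit

// Constructed sample (IDs, names and dates are made up): servicePrincipal objects
// merged with their appRoleAssignments and owners relationships.
const sampleServicePrincipals = [
  { id: 'sp-1', displayName: 'HR Inbound Sync', accountEnabled: true,
    appRoleAssignments: [{ appRoleId: BULK_UPLOAD_OWNEDBY }],
    owners: [{ id: 'u-1' }, { id: 'u-2' }],
    passwordCredentials: [{ keyId: 'k-1', endDateTime: '2027-06-01T00:00:00Z' }],
    keyCredentials: [] },
  { id: 'sp-2', displayName: 'Retired Importer', accountEnabled: false,
    appRoleAssignments: [{ appRoleId: BULK_UPLOAD_OWNEDBY.toUpperCase() }],
    owners: [], passwordCredentials: [],
    keyCredentials: [{ keyId: 'k-2', endDateTime: '2024-01-01T00:00:00Z' }] },
  { id: 'sp-3', displayName: 'Reporting App', accountEnabled: true,
    appRoleAssignments: [{ appRoleId: '00000000-0000-0000-0000-000000000000' }],
    owners: [{ id: 'u-3' }], passwordCredentials: [], keyCredentials: [] },
];

// Returns one finding per service principal that holds the permission.
function auditBulkUploadHolders(servicePrincipals, now = new Date()) {
  const daysLeft = (c) => (new Date(c.endDateTime) - now) / 86400000;
  const findings = [];
  for (const sp of servicePrincipals) {
    // GUID comparison is case-insensitive.
    const holds = (sp.appRoleAssignments || []).some(
      (a) => String(a.appRoleId).toLowerCase() === BULK_UPLOAD_OWNEDBY);
    if (!holds) continue;
    // Only credentials that have not yet expired count as live.
    const secrets = (sp.passwordCredentials || []).filter((c) => daysLeft(c) > 0);
    const certs = (sp.keyCredentials || []).filter((c) => daysLeft(c) > 0);
    const notes = [];
    if (sp.accountEnabled === false) notes.push('disabled-but-assigned');
    if ((sp.owners || []).length > 0) notes.push(`owners:${sp.owners.length}`);
    if (secrets.length > 0) notes.push('live-client-secret');
    if (secrets.some((c) => daysLeft(c) > MAX_SECRET_DAYS)) notes.push('long-lived-secret');
    if (secrets.length + certs.length === 0) notes.push('no-live-credential');
    findings.push({ id: sp.id, displayName: sp.displayName, notes });
  }
  return findings;
}

console.log(JSON.stringify(auditBulkUploadHolders(sampleServicePrincipals), null, 2));
```

Credentials can also be attached to the application object behind a service principal, so a full review repeats the credential checks there.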