Microsoft Graph provides a unified programmability model that you can use to access data in Microsoft 365, Windows, and Enterprise Mobility + Security. This article provides information about what's new in Microsoft Graph APIs, documentation, SDKs, and more.
For more detailed API-level updates, see the Microsoft Graph API changelog.
For details about previous updates to Microsoft Graph, see Microsoft Graph what's new history.
Important
Features in preview status are subject to change without notice, and might not be promoted to generally available (GA) status. Don't use preview features in production apps.
June 2026: New and generally available
Applications | Service principal
Evaluate applications in the Microsoft Entra application gallery by using the applicationTemplate resource type, including the riskScore and riskFactors properties for risk assessment.
Identity and access | Identity and sign-in
Added support for programmatic FIDO2 passkey registration. Use the creationOptions function to get WebAuthn credential creation options, then complete registration by posting the new publicKeyCredential property to the fido2AuthenticationMethod resource.
Users
Application permissions for the user: translateExchangeIds API are supported only for request URLs that identify a user in the path.
June 2026: New in preview only
Backup storage
Use the new full workload backup APIs to protect entire Microsoft 365 workloads (SharePoint Online, OneDrive for work or school, and Exchange Online) with minimal administrative overhead. Instead of manually selecting each item to protect, you can create a protection policy that backs up all data in a workload and then specify only the items to exclude from backup. For more information, see exclusionUnitBase and exclusionUnitBulkAdditionJob.
Device and app management | Cloud PC
Use the cloudPcProvisioningPolicy: apply method to apply policy settings such as region and singleSignOn. This method also supports reprovisioning for frontline shared mode Cloud PCs by using the reservePercentage parameter to control the percentage of Cloud PCs that remain available during the process.
Use the user configuration API in Microsoft Graph to build solutions that store and retrieve per-folder configuration data alongside Exchange Online mailbox content.
Security | Microsoft Defender for Identity
Introduced sensor migration capabilities to migrate eligible Microsoft Defender for Identity sensors.
Sites and lists
Added the sharePointReportSettings resource type and related methods for managing SharePoint API usage report metrics. Use the enableApiUsageReport and disableApiUsageReport methods to control which metrics are collected and reported for your tenant.
Tenants | Governance
Added the groupDisplayName property to the delegatedAdministrationRoleAssignment and delegatedAdministrationRoleAssignmentSnapshot resources. This property surfaces the display name of the security group inline, so consumers don't need to make a separate Microsoft Graph /groups/{id} call to resolve it.
Users
Application permissions for the user: translateExchangeIds API are supported only for request URLs that identify a user in the path.
May 2026: New and generally available
Agents
- Added the agentUser resource type and related methods for managing the lifecycle of agent user identities.
- Added verifiedIdProfile resources and related profile configuration for configuring Microsoft Entra Verified ID.
Files
Use the Upsert permissions API to create or update up to 10 permission objects on a fileStorageContainer in a single request.
Groups
Added the ownerlessGroupPolicy resource type and related methods to the v1.0 endpoint. Use this policy to configure actionable email notifications that prompt active members of ownerless Microsoft 365 groups to accept ownership when the sole owner leaves the organization or their account is disabled.
Identity and access | Directory management
Use the deviceRegistrationPolicy resource type and its related methods to manage the policy that controls device registration quota restrictions, additional authentication, and authorization policies for your Microsoft Entra tenant.
Identity and access | Identity and sign-in
- Added the onVerifiedIdClaimValidationCustomExtension and onVerifiedIdClaimValidationListener resource types and associated methods to support custom logic for claim validation from Verified ID credential presentations during authentication flows through Microsoft Entra custom authentication extensions in External ID.
- Added claim validation and match-confidence capabilities to Verified ID profiles, enabling stronger claim verification and more flexible matching.
- Enhanced the x509CertificateAuthenticationMethodConfiguration resource type with the following capabilities for certificate-based authentication (CBA):
  - Scoping CBA to specific certificate authorities and restricting which groups of users can authenticate using certificates from those CAs.
  - Controlling whether issuer hints are sent to the client to filter the certificates shown in the certificate picker.
- Updated the targetedAuthenticationMethod property of the authenticationMethodsRegistrationCampaignIncludeTarget resource to support Fido2 in addition to microsoftAuthenticator for authentication method registration campaigns. Organizations can now use registration campaigns to nudge users to register and sign in with phishing-resistant passkeys (FIDO2).
Mailbox import and export
Use the mailbox import and export APIs in Microsoft Graph to build solutions that integrate with mailbox resources for data import and export scenarios. For more information, see Overview of the mailbox import and export APIs in Microsoft Graph.
Security | Alerts and incidents
- Added the migration guide Migrate from legacy alerts to the alerts and incidents API to help you transition your apps from the deprecated Microsoft Graph security alerts v1 API to the new alerts and incidents API.
- Extended the alertEvidence base type with additional derived types to provide detailed context about various artifacts involved in security alerts.
- Added the categories property to the alert resource.
- Deprecated the category property on the alert resource. Use the categories property instead.
Teamwork and communications | Messaging
- Enable migration mode on an existing channel to support channel migration of external messages.
- Enable migration mode on an existing chat to support chat migration of external messages.
- Complete chat migration by disabling migration mode.
- Added the migrationMode and originalCreatedDateTime properties to the channel resource.
- Added the migrationMode and originalCreatedDateTime properties to the chat resource.
- Added the migrationMode enum.
Teamwork and communications | Shifts
Supports additional theme colors in the scheduleEntityTheme enumeration for the theme property on openShiftItem, shiftItem, shiftActivity, and timeOffItem.
May 2026: New in preview only
Device and app management | Cloud PC
- Updated retrieveCloudPcTroubleshootReports on the cloudPcReports resource to support new troubleshooting report types across tenant, configuration, user and device, and view data table scopes.
- Create or delete a cloud app.
- Extended the appDetail property on cloudPcCloudApp to support the cloudPcAutomaticDiscoveredAppDetail type for apps automatically discovered from the start menu, and the cloudPcFilePathAppDetail type for apps manually created when a file path is specified.
- Added the iconPathInvalid and filePathInvalid members as supported values for the actionFailedErrorCode property on the cloudPcCloudApp. Use these members to indicate that the icon or file path specified for the cloud app is invalid.
- Added the cloudPcPool resource and its derived type cloudPcAgentPool to enable management of Cloud PC pools for agentic workloads.
- Added the cloudPcPoolAssignment resource and its derived type cloudPcAgentPoolUserAssignment to manage pool assignments.
- Use australiaNewZealand as a new supported value in the geographicLocationType property of the cloudPcSupportedRegion and cloudPcDomainJoinConfiguration resources.
Files
Use the Upsert permissions API to create or update up to 10 permission objects on a fileStorageContainer in a single request.
Identity and access | Governance
Added the approverDelegate and identityGovernanceUserSettings resources to enable users to delegate their approval responsibilities for access package approvals and access reviews.
Identity and access | Identity and sign-in
- Added the blueprintId and source agent-descriptive properties to agentRiskDetection and riskyAgent resources.
- Added the onVerifiedIdClaimValidationCustomExtension and onVerifiedIdClaimValidationListener resource types and associated methods to support custom logic for claim validation from Verified ID credential presentations during authentication flows through Microsoft Entra custom authentication extensions in External ID.
- Updated the targetedAuthenticationMethod property of the authenticationMethodsRegistrationCampaignIncludeTarget resource to support Fido2 in addition to microsoftAuthenticator for authentication method registration campaigns. Organizations can now use registration campaigns to nudge users to register and sign in with phishing-resistant passkeys (FIDO2).
People and workplace intelligence | People admin settings
Use the isVisible property on profileCardProperty to indicate whether the given directory property should be shown on a user's profile card.
People and workplace intelligence | Photo update settings
The List and Update methods are the only operations for photoUpdateSettings. Use them to get and update the photoUpdateSettings properties.
Reports | Identity and access reports
Added the identityCorrelation resource type and related methods for viewing identity correlation reports between on-premises directories and Microsoft Entra ID.
Security | Alerts and incidents
- Use the following new resources that extend the alertEvidence base type to provide detailed context about various artifacts involved in security alerts:
- Added the categories property to the alert resource.
- Deprecated the category property on the alert resource. Use the categories property instead.
Use the Create manualAlert method to create a manual security alert with specified entities and metadata. The new manualAlert resource type derives from alert and uses the entityDefinitionInput complex type to specify associated entities.
Security | Data security and compliance
Added the contentActivityMetadata resource to represent and track Data Loss Prevention (DLP) enforcement result metadata for content entries, including identifiers, timestamps, and policy statuses.
Teamwork and communications | Apps
Use the scopeInfo property on teamsAppInstallation to get the details of the scope in which the app is installed.
Teamwork and communications | Calls and online meetings
- Use the virtualEventTownhallRegistrationConfiguration resource to manage attendee access for town halls and enable more controlled, scalable audience management.
- Added the capacity property to virtual event town hall. This property allows customers to specify the expected attendee size when creating or updating a town hall or session and retrieve it later. Validation ensures compliance with SKU and licensing limits, returning actionable errors when capacity exceeds entitlement.
Tenants | Cross-tenant access
Added the following properties and their associated complex types to the crossTenantAccessPolicyConfigurationDefault and crossTenantAccessPolicyConfigurationPartner resources of cross-tenant access policy APIs to support Microsoft 365 collaboration and app service connect settings:
- appServiceConnectInbound property to get or set the default or partner-specific configuration for inbound app service connect settings.
- m365CollaborationInbound property to get or set the default or partner-specific configuration for inbound Microsoft 365 collaboration settings.
- m365CollaborationOutbound property to get or set the default or partner-specific configuration for outbound Microsoft 365 collaboration settings.
April 2026: New and generally available
Tenants | Configuration management
The new Tenant Configuration Management APIs in Microsoft Graph allow administrators to control and manage configuration settings across a single workload or multiple workloads within an organization. To learn more about supported use cases, see Use the Tenant Configuration Management APIs in Microsoft Graph.
Calendars | Places
Added a known issue for RBAC in the Places update API: update requests might still succeed without the Exchange Administrator role but result in unexpected behavior.
March 2026: New in preview only
Applications
- Added the approvedClientApp resource type for managing approved client applications for remote desktop access.
- Added the managerApplications property to the application and agentIdentityBlueprint resources to enable Microsoft first-party applications to be designated as managers of agent blueprints.
- Made the following changes to application management policies:
  - Added identifier URI restrictions to allow tenant administrators to enforce secure settings of application ID URIs.
  - Added an excluded actors feature to all restrictions to allow tenant administrators to specify a set of users and service principals who are allowed to modify properties that would otherwise be restricted by the policy.
Backup storage
- When a protection policy is deactivated, backup activity stops immediately, no new backups are taken, and the protected resources are no longer covered by the policy. Any backups taken before deactivation are retained according to the retention policy, after which they're offboarded. You can restore data using previous restore points even after deactivation.
- A protection policy can be deleted only after it was deactivated. When you delete a policy, all associated protection units are removed, and backup protection stops for the resources previously covered by the policy. Existing backup data is retained according to the retention policy before it's offboarded. You can restore data using previous restore points even after deletion.
- Use browse sessions to browse backed up OneDriveForBusiness and SharePoint data at a specific point in time. Create a oneDriveForBusinessBrowseSession or sharePointBrowseSession, and then call the browse method to explore the backed up content.
- Use granular restore artifacts for fine-grained restores of individual items. List granularDriveRestoreArtifact objects from a oneDriveForBusinessRestoreSession, or list granularSiteRestoreArtifact objects from a sharePointRestoreSession.
Files
- Use the height and width parameters to download a file in another format when format=jpg.
- Use the List activities API to retrieve recent activities that took place on a drive, list, item, or within an item hierarchy.
- Added support for sharePointGroup and its members in a SharePoint Embedded container, enabling apps to work with SharePoint permission groups and manage their members.
Identity and access | Governance
Use approverRemove as a new supported value for the requestType property of the accessPackageAssignmentRequest resource. For more information, see accessPackageAssignmentRequest.
Identity and access | Identity and sign-in
- Added the verifiableCredentialsAuthenticationMethodConfiguration resource type and related methods to the v1.0 endpoint. Use it to configure verifiable credentials as an authentication method for user sign-in.
- Added the verifiableCredentialAuthenticationMethodTarget resource type to the v1.0 endpoint. Use it to specify groups and users enabled to use verifiable credentials for authentication.
- Use riskRemediation as part of conditional access grant controls to enforce a User Risk conditional access policy. When you select "Require risk remediation" in your policy's grant controls, Microsoft Entra ID Protection manages the appropriate remediation flow based on the threat observed and the user's authentication method. In passwordless Risky User sessions, it updates risk details with microsoftRevokedSessions.
Security | Alerts and incidents
- Added the categories property to the alert resource.
- Deprecated the category property on the alert resource. Use the categories property instead.
Teamwork and communications | Apps
Manage Teams apps at the channel level within a team using the following APIs:
- List apps in a channel.
- Get an app in a channel.
- Enable a new Teams app in a channel.
- Disable an app in a channel.
Teamwork and communications | Messaging
Added support for $expand on the items relationship of the teamworkSection resource to retrieve a section together with its items in a single request.
Contribute to Microsoft Graph
Are there scenarios you'd like Microsoft Graph to support?
Suggest and vote for new features by using the Microsoft Graph Feedback Portal. Some new features originate as popular requests from the developer community. The Microsoft Graph team regularly evaluates customer needs and releases new features to the beta (https://graph.microsoft.com/beta) and v1.0 (https://graph.microsoft.com/v1.0) endpoints.
Join the weekly Microsoft 365 platform community call and become an active member of the Microsoft Graph community. To discover the full calendar of developer calls, visit the Microsoft 365 and Power Platform community page.
Join our research panel to provide your input on our developer experiences.