Entra ID Overview
Foundations, licensing tiers, portals, limits, and first automation steps for administrators.
Azure AD was renamed to Microsoft Entra ID in June 2023.
A tenant is the security and management boundary for identities, apps, and policies.
Graph PowerShell and the Microsoft Graph API are the primary automation interfaces.
What is Microsoft Entra ID?
Microsoft Entra ID is Microsoft's cloud-based identity and access management service. It centrally provides users, groups, devices, applications, authentication policies, and governance features.
Technically, Entra ID is the direct successor to Azure Active Directory. The June 2023 rename changed the product branding, not the core architecture or the Graph APIs.
| Point in time | Event | Meaning |
|---|---|---|
| 2014 | Azure Active Directory becomes established as cloud IAM. | Foundation for Microsoft 365, Azure, and SaaS SSO. |
| 2020 | Conditional Access, Identity Protection, and PIM become widely adopted. | Zero-trust scenarios become standard. |
| June 2023 | Azure AD is renamed to Microsoft Entra ID. | Documentation, portals, and licensing language are updated. |
| 2024+ | The Entra platform unifies governance, External ID, and network access. | IAM becomes part of a broader identity family. |
Many APIs, PowerShell cmdlets, and fields still use terms like AzureAD or AAD. That is normal and does not indicate an outdated tenant model.
```powershell
Connect-MgGraph -Scopes "Organization.Read.All"
Get-MgOrganization |
    Select-Object Id, DisplayName, TenantType
```
```http
GET https://graph.microsoft.com/v1.0/organization?$select=id,displayName,tenantType
Authorization: Bearer <token>
```
Tenant concepts
A tenant is the logical security boundary for directory objects, policies, apps, and administrative roles. Every tenant has an immutable tenant ID and at least one initial domain in the tenant.onmicrosoft.com format.
| Concept | Description | Administrative use |
|---|---|---|
| Tenant ID | GUID of the directory. | Used for API calls, trusts, and scripts. |
| Primary domain | Default sign-in domain, often *.onmicrosoft.com. | Fallback for UPNs and internal processes. |
| Custom domain | Verified custom SMTP/UPN domain. | User-friendly UPNs and mail addresses. |
| Directory | Collection of users, groups, devices, apps, and policies. | Central identity management surface. |
| Tenant type | Managed, federated, B2C, or customer-specific variants. | Affects authentication flows and features. |
| Verified domain | Domain with DNS proof of ownership. | Raises object limits in the free tier, among other effects. |
| Default usage location | Central country/region logic for licenses. | Relevant for service availability and SKU assignment. |
| Cross-tenant access | Controls B2B and B2B Direct Connect relationships. | Governance for partner collaboration. |
The tenant ID is permanent. Rebranding or domain changes do not change the GUID. Therefore, plan scripts and integrations around the tenant ID, not only around names.
```powershell
Connect-MgGraph -Scopes "Organization.Read.All","Domain.Read.All"
Get-MgOrganization | Select-Object Id, DisplayName
Get-MgDomain | Select-Object Id, IsVerified, IsDefault
```
```http
GET https://graph.microsoft.com/v1.0/organization?$select=id,displayName,verifiedDomains
GET https://graph.microsoft.com/v1.0/domains?$select=id,isVerified,isDefault
Authorization: Bearer <token>
```
Portal navigation
Microsoft Entra ID is administered through several portals. The Entra admin center is the primary surface for identities, while the Azure portal and the Microsoft 365 admin center still contain adjacent tasks.
| Portal | URL | Typical navigation | Use case |
|---|---|---|---|
| Entra Admin Center | entra.microsoft.com | Identity > Users / Groups / Roles / Applications | Primary identity administration. |
| Azure Portal | portal.azure.com | Microsoft Entra ID > Overview / Properties / Devices | Azure resources plus identity context. |
| Microsoft 365 Admin Center | admin.microsoft.com | Users > Active users / Billing > Licenses | License- and workload-oriented administration. |
| Intune Admin Center | intune.microsoft.com | Devices > All devices / Endpoint security | Device and compliance management. |
| Security Portal | security.microsoft.com | Identity / Incidents / Alerts | Security analytics and response. |
In the portal header, verify the active tenant and the active role before making changes.
In the Entra portal, Identity, Protection, Applications, and Governance are the core categories.
Switch to Azure, Microsoft 365, Intune, or Security only for workload-specific tasks.
```powershell
Connect-MgGraph -Scopes "Organization.Read.All"
Get-MgContext | Select-Object TenantId, Scopes, AuthType
```
```http
GET https://graph.microsoft.com/v1.0/organization
Authorization: Bearer <token>
```
Edition comparison
The Free, P1, and P2 licensing tiers build on each other. Free covers the core directory, SSO, and basic security; P1 adds automation and access control; P2 adds risk and privilege management.
| Feature | Free | P1 | P2 |
|---|---|---|---|
| Basic directory services | Yes | Yes | Yes |
| User and group management | Yes | Yes | Yes |
| SSO for SaaS apps | Yes | Yes | Yes |
| Security defaults | Yes | Yes | Yes |
| Self-service password change | Limited | Expanded | Expanded |
| SSPR for cloud users | Yes | Yes | Yes |
| SSPR writeback | No | Yes | Yes |
| Hybrid identity (PHS/PTA) | Basic | Yes | Yes |
| Dynamic groups | No | Yes | Yes |
| Group-based licensing | No | Yes | Yes |
| Self-service group management | No | Yes | Yes |
| Application Proxy | No | Yes | Yes |
| Conditional Access | No | Yes | Yes |
| Named locations | No | Yes | Yes |
| Authentication strengths | No | Yes | Yes |
| Administrative units | No | Yes | Yes |
| Custom security attributes | No | Yes | Yes |
| Entitlement management | No | Limited | Yes |
| Access reviews | No | Limited | Yes |
| Identity Protection | No | No | Yes |
| Risk-based Conditional Access | No | No | Yes |
| PIM for roles | No | No | Yes |
| PIM for groups | No | No | Yes |
| Lifecycle Workflows | No | No | Yes |
For many real-world zero-trust scenarios, P1 is the minimum standard. P2 is typically required when risk, privileged roles, or formal governance enter the picture.
```powershell
Connect-MgGraph -Scopes "Organization.Read.All","Directory.Read.All"
Get-MgSubscribedSku |
    Select-Object SkuPartNumber, ConsumedUnits, PrepaidUnits
```
```http
GET https://graph.microsoft.com/v1.0/subscribedSkus
Authorization: Bearer <token>
```
Important limits
Service limits are especially relevant for large tenants, automation, token sizes, and governance designs. Some limits are hard; others can be mitigated through support requests or architecture decisions. All of the values below matter for planning and scale.
| Category | Limit |
|---|---|
| Tenants per user | 500 (member or guest) |
| License-based subscriptions per tenant | 300 |
| Managed domains | 5,000 |
| Recommended federated domains | 300 |
| Maximum federated domains | 2,500 |
| New tenants in the first 2 days | 600 objects |
| Free edition without verified domain | 50,000 objects |
| Free edition with verified domain | 300,000 objects |
| Paid edition (pricing reference) | 500,000 objects |
| Resources created by a non-admin user | 250 |
| App owners per app | 100 |
| Application manifest entries | 1,200 |
| Dynamic groups + dynamic administrative units | 15,000 |
| Role-assignable groups | 500 |
| Groups per token (Kerberos) | 1,010 |
| Group claim in JWT | 200 |
| Group claim in SAML | 150 |
| Groups for Conditional Access evaluation | 4,096 |
| Members per synced group | 250,000 |
| Group expiration with a selected list | 500 Microsoft 365 groups |
Token overage on group claims is a common cause of unexpected application behavior: once a user exceeds the group claim limit, the token no longer lists the groups. Use app roles, group filtering, or assignment models that rely on few groups when users have many group memberships.
```powershell
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Application.Read.All"
# Object counts to compare against the limits table (-All pages through every object).
[pscustomobject]@{
    Users        = (Get-MgUser -All).Count
    Groups       = (Get-MgGroup -All).Count
    Applications = (Get-MgApplication -All).Count
}
```
```http
GET https://graph.microsoft.com/v1.0/users/$count
GET https://graph.microsoft.com/v1.0/groups/$count
GET https://graph.microsoft.com/v1.0/applications/$count
ConsistencyLevel: eventual
Authorization: Bearer <token>
```
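As an added example (not code from this page or from Microsoft), the following Python script applies two checks that the tenant-concepts and limits sections call for to a token payload: pinning on the tenant GUID rather than on a name, and detecting the overage indicator that Entra ID emits in place of the `groups` claim. The tenant GUID, the sample tokens and the `near_limit` warning threshold are constructed assumptions; signature verification is assumed to have happened upstream.

```python
"""Tenant pinning and group-claim overage checks on an Entra ID token payload.

Added example for this page (not Microsoft's code). Signature verification is
out of scope here: the sample tokens are constructed and unsigned, so in real
use validate the signature against the tenant's signing keys before acting on
any claim below.
"""
import base64
import json

# Constructed placeholder GUID, not a real tenant ID.
EXPECTED_TENANT_ID = "11111111-2222-3333-4444-555555555555"
# From the limits table on this page: a JWT carries at most this many groups
# before Entra ID replaces the claim with an overage indicator.
GROUP_CLAIM_LIMIT_JWT = 200


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload_unverified(token: str) -> dict:
    """Return the claims of a compact JWS without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def tenant_matches(claims: dict, expected_tid: str) -> bool:
    """Pin on the tenant GUID, not on a display name or domain: `tid` must equal
    the expected GUID and the issuer must carry that same GUID as a path segment
    (v2.0: https://login.microsoftonline.com/{tid}/v2.0, v1.0: https://sts.windows.net/{tid}/)."""
    issuer_segments = claims.get("iss", "").split("/")
    return claims.get("tid") == expected_tid and expected_tid in issuer_segments


def groups_overage(claims: dict) -> bool:
    """True when the token signals group overage instead of listing groups.
    Entra ID emits `_claim_names`/`_claim_sources` (pointing the app to Graph for
    the full list) or, for implicit-flow tokens, `hasgroups: true`."""
    claim_names = claims.get("_claim_names") or {}
    return bool(claims.get("hasgroups")) or "groups" in claim_names


def inspect_token(token: str, expected_tid: str = EXPECTED_TENANT_ID) -> dict:
    """Summarise the checks an app should run before authorising on group claims."""
    claims = decode_payload_unverified(token)
    groups = claims.get("groups", [])
    return {
        "tenant_ok": tenant_matches(claims, expected_tid),
        "groups_overage": groups_overage(claims),
        "group_count": len(groups),
        # Assumed warning threshold: 90 % of the JWT limit, chosen for this example.
        "near_limit": len(groups) >= GROUP_CLAIM_LIMIT_JWT * 0.9,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (empty signature part) for offline tests."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


V2_ISSUER = f"https://login.microsoftonline.com/{EXPECTED_TENANT_ID}/v2.0"

# Constructed sample tokens: a normal one, one with overage, one from another tenant.
NORMAL_TOKEN = make_unsigned_token(
    {"iss": V2_ISSUER, "tid": EXPECTED_TENANT_ID, "groups": ["g1", "g2", "g3"]}
)
OVERAGE_TOKEN = make_unsigned_token({
    "iss": V2_ISSUER,
    "tid": EXPECTED_TENANT_ID,
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "<graph getMemberObjects URL placeholder>"}},
})
FOREIGN_TOKEN = make_unsigned_token({
    "iss": "https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/v2.0",
    "tid": "99999999-9999-9999-9999-999999999999",
    "groups": ["g1"],
})

if __name__ == "__main__":
    for name, tok in [("normal", NORMAL_TOKEN), ("overage", OVERAGE_TOKEN), ("foreign", FOREIGN_TOKEN)]:
        print(name, inspect_token(tok))
```

When `groups_overage` is true, the application has to call Graph for the membership list or, better, switch to app roles so the decision never depends on the group claim at all.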
Entra ID vs on-premises AD
Microsoft Entra ID does not replace classic Active Directory in every scenario. Instead, it addresses modern cloud and SaaS identities, while AD serves classic Windows and network domains.
| Aspect | Entra ID | On-premises AD |
|---|---|---|
| Identity source | Cloud directory | On-premises LDAP/Kerberos directory |
| Protocols | OAuth 2.0, OIDC, SAML, SCIM | LDAP, Kerberos, NTLM, GPO |
| Device management | Entra Join, Hybrid Join, MDM | Domain Join, GPO |
| Network dependency | Internet-based, global | LAN/VPN oriented |
| SSO | Cloud apps and SaaS | Windows/LDAP-based apps |
| MFA and Conditional Access | Natively integrated | Requires add-on solutions |
| Scale | Service-based | Infrastructure dependent |
| Role model | RBAC | Delegation/ACLs |
| Dynamic groups | Yes, with P1/P2 | Not native |
| Access logging | Sign-in logs and audit logs | Event Viewer, AD logs |
| External identities | B2B/B2C/External ID | Complex, often separate |
| Lifecycle | Automation through Graph and workflows | Requires scripts/provisioning |
In hybrid environments, both worlds remain relevant: AD for classic infrastructure, Entra ID for cloud apps, devices, and modern authentication.
```powershell
Connect-MgGraph -Scopes "Organization.Read.All","Device.Read.All"
Get-MgDevice -Top 10 |
    Select-Object DisplayName, TrustType, IsCompliant
```
```http
GET https://graph.microsoft.com/v1.0/devices?$select=displayName,trustType,isCompliant&$top=10
Authorization: Bearer <token>
```
Entra Suite
Microsoft Entra is not a single service but a product family. Administrators should understand the suite components because licensing, architecture, and roles often extend beyond Entra ID itself.
| Component | Focus |
|---|---|
| Microsoft Entra ID | Identity and access management, authentication, SSO, MFA. |
| Microsoft Entra ID Governance | Access reviews, entitlement management, Lifecycle Workflows, separation of duties. |
| Microsoft Entra External ID | B2B/B2C, partner and customer identities. |
| Microsoft Entra Permissions Management | CIEM for Azure, AWS, and Google Cloud. |
| Microsoft Entra Verified ID | Decentralized identity and verifiable credentials. |
| Microsoft Entra Workload ID | Identities for apps, services, and managed identities. |
| Microsoft Entra Internet Access | Identity-centric secure web gateway. |
| Microsoft Entra Private Access | ZTNA for private applications instead of classic VPN. |
Many projects start with Entra ID P1/P2 and later extend to Governance, Private Access, or Permissions Management. The suite is especially valuable for zero-trust roadmaps with multiple maturity stages.
```powershell
Connect-MgGraph -Scopes "Directory.Read.All"
Get-MgServicePrincipal -Filter "startsWith(displayName,'Microsoft Entra')" -ConsistencyLevel eventual
```
```http
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startsWith(displayName,'Microsoft Entra')
ConsistencyLevel: eventual
Authorization: Bearer <token>
```
PowerShell first steps
For new administrators, Microsoft Graph PowerShell is the recommended default tool. The older AzureAD module is functionally outdated and should only be used in legacy scenarios.
Install the Microsoft.Graph module per user or system-wide.
Request only the permissions your current task requires.
Verify TenantId, account, and scopes after every sign-in.
Start with read-only cmdlets before you automate changes.
```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Directory.Read.All"
# Confirm TenantId, Account and Scopes before running anything else.
Get-MgContext
```
```http
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=<app-id>&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=<secret>&grant_type=client_credentials
```
Important URLs
A good reference page should not only explain concepts but also point to the right admin and documentation endpoints. That saves time in daily operations and during incident response.
| Resource | URL | Use case |
|---|---|---|
| Entra Admin Center | https://entra.microsoft.com | Identities, roles, apps, governance. |
| Azure Portal | https://portal.azure.com | Resources, subscriptions, Azure RBAC, some Entra tasks. |
| Microsoft 365 Admin Center | https://admin.microsoft.com | Tenant-wide Microsoft 365 administration. |
| Intune Admin Center | https://intune.microsoft.com | Devices, apps, compliance, policies. |
| Graph Explorer | https://developer.microsoft.com/graph/graph-explorer | Test API calls. |
| Security Portal | https://security.microsoft.com | Defender and security operations. |
| Compliance Portal | https://compliance.microsoft.com | Purview, eDiscovery, DLP. |
| My Sign-Ins | https://mysignins.microsoft.com | Review your own sign-ins and authentication methods. |
| My Apps | https://myapps.microsoft.com | SSO app launcher for users. |
| Access Panel | https://myapplications.microsoft.com | Alternative My Apps experience. |
| Admin documentation | https://learn.microsoft.com/entra | Product documentation and Learn paths. |
| Pricing | https://www.microsoft.com/security/business/microsoft-entra-pricing | Editions and suite options. |
```powershell
Start-Process "https://entra.microsoft.com"
Start-Process "https://developer.microsoft.com/graph/graph-explorer"
```
```http
GET https://graph.microsoft.com/v1.0/organization
Authorization: Bearer <token>
```
GitHub repositories for Entra ID engineering
These repositories save research time because they bundle official reference implementations, SDK source, and real-world issue discussions. For level-500 operations, it pays to inspect code, releases, samples, and known issues directly.
| Repository | URL | Description | Typical use case |
|---|---|---|---|
| microsoft/entra-id-samples | https://github.com/microsoft/entra-id-samples | Official Microsoft samples for workforce, External ID, daemon, CAE, OBO, and device scenarios. | First-stop reference for modern authentication flows and production-style demo apps. |
| microsoftgraph/msgraph-sdk-powershell | https://github.com/microsoftgraph/msgraph-sdk-powershell | Source, modules, and release history of the Microsoft Graph PowerShell SDK. | Useful for cmdlet behavior, breaking changes, and automation troubleshooting. |
| AzureAD/microsoft-authentication-library-for-dotnet | https://github.com/AzureAD/microsoft-authentication-library-for-dotnet | MSAL.NET for desktop, web, daemon, and API scenarios with Entra ID. | Primary library for .NET apps using OIDC, OAuth 2.0, CAE, and token cache patterns. |
| AzureAD/microsoft-authentication-library-for-js | https://github.com/AzureAD/microsoft-authentication-library-for-js | MSAL.js for SPA, Node.js, and browser authentication with PKCE. | Mandatory reference for React, Angular, Next.js, and browser-based token flows. |
| AzureAD/microsoft-authentication-library-for-python | https://github.com/AzureAD/microsoft-authentication-library-for-python | MSAL Python for automation, Flask/FastAPI, and device code flows. | Ideal for scripting, DevOps integrations, and server-to-server applications. |
| Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2 | https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2 | ASP.NET Core sample for OpenID Connect, cookies, token acquisition, and Graph calls. | Shows classic enterprise web-app patterns including sign-in, consent, and downstream APIs. |
| Azure-Samples/ms-identity-python-webapp | https://github.com/Azure-Samples/ms-identity-python-webapp | Python web app reference using MSAL, session management, and Microsoft Graph. | Helpful for Flask-based workforce apps and proof-of-concepts. |
Entra ID REST API endpoints – complete reference
The following table focuses on identity-oriented Microsoft Graph endpoints that administrators repeatedly use across workforce, security, governance, and application scenarios. Each entry lists the operational methods, a typical least-privilege permission, and the endpoint's primary purpose.
| Endpoint | Methods | Typical permissions | Description |
|---|---|---|---|
| /users | GET, POST, PATCH, DELETE | User.Read.All / User.ReadWrite.All | User inventory, creation, update, and disable operations. |
| /users/{id}/authentication/methods | GET | UserAuthenticationMethod.Read.All | All registered authentication methods for a user. |
| /users/{id}/authentication/phoneMethods | GET, POST, DELETE | UserAuthenticationMethod.ReadWrite.All | Read, add, or remove phone methods. |
| /users/{id}/authentication/fido2Methods | GET, DELETE | UserAuthMethod-FIDO2.ReadWrite.All | Manage FIDO2 security keys. |
| /users/{id}/authentication/microsoftAuthenticatorMethods | GET, DELETE | UserAuthenticationMethod.ReadWrite.All | View or reset Microsoft Authenticator registrations. |
| /users/{id}/licenseDetails | GET | User.Read.All | Per-user service plans and license status. |
| /users/{id}/manager | GET, PUT, DELETE | User.Read.All / User.ReadWrite.All | Manager relationship for org charts and approvals. |
| /users/{id}/memberOf | GET | Directory.Read.All | Direct group and role memberships. |
| /groups | GET, POST, PATCH, DELETE | Group.Read.All / Group.ReadWrite.All | Manage security and Microsoft 365 groups. |
| /groups/{id}/members | GET, POST, DELETE | GroupMember.ReadWrite.All | Read, add, or remove members. |
| /groups/{id}/owners | GET, POST, DELETE | Group.ReadWrite.All | Owner relationships for governance and self-service. |
| /groups/{id}/assignLicense | POST | LicenseAssignment.ReadWrite.All | Group-based licensing. |
| /groups/{id}/team | GET, PUT | Group.ReadWrite.All | Team-enabled configuration for a Microsoft 365 group. |
| /applications | GET, POST, PATCH, DELETE | Application.ReadWrite.All | Application registrations including redirect URIs, secrets, and certificates. |
| /applications/{id}/owners | GET, POST, DELETE | Application.ReadWrite.All | Manage application registration owners. |
| /servicePrincipals | GET, POST, PATCH, DELETE | Application.Read.All / Application.ReadWrite.All | Enterprise apps, assignments, roles, and SSO metadata. |
| /servicePrincipals/{id}/appRoleAssignedTo | GET, POST, DELETE | AppRoleAssignment.ReadWrite.All | App role assignments to users, groups, or service principals. |
| /servicePrincipals/{id}/owners | GET, POST, DELETE | Application.ReadWrite.All | Manage enterprise app owners. |
| /directoryRoles | GET | RoleManagement.Read.Directory | Activated role instances in the tenant. |
| /directoryRoleTemplates | GET | RoleManagement.Read.Directory | Templates and GUIDs of built-in roles. |
| /domains | GET, POST, PATCH, DELETE | Domain.Read.All / Domain.ReadWrite.All | Verified, federated, and default domains. |
| /organization | GET, PATCH | Organization.Read.All / Organization.ReadWrite.All | Tenant metadata, branding, and company profile. |
| /subscribedSkus | GET | Organization.Read.All | License inventory and available units. |
| /identity/conditionalAccess/policies | GET, POST, PATCH, DELETE | Policy.Read.All / Policy.ReadWrite.ConditionalAccess | Manage Conditional Access policies. |
| /identity/conditionalAccess/namedLocations | GET, POST, PATCH, DELETE | Policy.Read.All / Policy.ReadWrite.ConditionalAccess | Trusted IP and country named locations. |
| /identity/conditionalAccess/authenticationStrength/policies | GET, POST, PATCH, DELETE | Policy.Read.All / Policy.ReadWrite.ConditionalAccess | Authentication strengths and passkey/MFA requirements. |
| /identityProtection/riskyUsers | GET, PATCH | IdentityRiskyUser.Read.All / IdentityRiskyUser.ReadWrite.All | Risky users, confirmations, and remediation. |
| /identityProtection/riskDetections | GET | IdentityRiskEvent.Read.All | Individual risk events per user or session. |
| /identityProtection/servicePrincipalRiskDetections | GET | IdentityRiskEvent.Read.All | Risk detections for workload identities. |
| /identityGovernance/accessReviews/definitions | GET, POST, PATCH, DELETE | AccessReview.Read.All / AccessReview.ReadWrite.All | Access review definitions. |
| /identityGovernance/accessReviews/instances | GET | AccessReview.Read.All | Running and completed review instances. |
| /identityGovernance/entitlementManagement/accessPackages | GET, POST, PATCH, DELETE | EntitlementManagement.ReadWrite.All | Access packages and catalogs. |
| /identityGovernance/entitlementManagement/catalogs | GET, POST, PATCH, DELETE | EntitlementManagement.ReadWrite.All | Catalogs for governance resources. |
| /identityGovernance/lifecycleWorkflows/workflows | GET, POST, PATCH, DELETE | LifecycleWorkflows.ReadWrite.All | Lifecycle workflows for joiner-mover-leaver processes. |
| /identityGovernance/lifecycleWorkflows/tasks | GET | LifecycleWorkflows.Read.All | Built-in and custom workflow tasks. |
| /roleManagement/directory/roleDefinitions | GET, POST, PATCH, DELETE | RoleManagement.Read.Directory / RoleManagement.ReadWrite.Directory | Role and custom role definitions. |
| /roleManagement/directory/roleAssignments | GET, POST, DELETE | RoleManagement.ReadWrite.Directory | Direct role assignments. |
| /roleManagement/directory/roleAssignmentScheduleInstances | GET | RoleManagement.Read.Directory | Active PIM instances and time-bound assignments. |
| /roleManagement/directory/roleEligibilityScheduleInstances | GET | RoleManagement.Read.Directory | PIM eligibility instances. |
| /auditLogs/signIns | GET | AuditLog.Read.All | Interactive and non-interactive sign-ins. |
| /auditLogs/directoryAudits | GET | AuditLog.Read.All | Directory changes and admin activities. |
| /auditLogs/provisioning | GET | AuditLog.Read.All | SCIM and provisioning runs. |
| /auditLogs/authenticationMethods | GET | AuditLog.Read.All | Authentication-method-related audit data where available. |
| /reports/authenticationMethods/userRegistrationDetails | GET | Reports.Read.All | Per-user MFA/SSPR registration status. |
| /reports/authenticationMethods/usersRegisteredByMethod | GET | Reports.Read.All | Aggregate registration counts by method. |
| /reports/getCredentialUserRegistrationCount | GET | Reports.Read.All | Tenant-wide summary of credential registrations. |
| /policies/authenticationMethodsPolicy | GET, PATCH | Policy.Read.All / Policy.ReadWrite.AuthenticationMethod | Global authentication methods policy. |
| /policies/authenticationStrengthPolicies | GET, POST, PATCH, DELETE | Policy.Read.All / Policy.ReadWrite.AuthenticationMethod | Legacy policy endpoints for authentication strengths. |
| /policies/authorizationPolicy | GET, PATCH | Policy.Read.All / Policy.ReadWrite.Authorization | Invitations, self-service, default user permissions, and B2B switches. |
| /policies/claimsMappingPolicies | GET, POST, PATCH, DELETE | Policy.ReadWrite.ApplicationConfiguration | Claims mapping for tokens. |
| /policies/homeRealmDiscoveryPolicies | GET, POST, PATCH, DELETE | Policy.ReadWrite.ApplicationConfiguration | Home realm discovery behavior for federation and flow routing. |
| /policies/tokenIssuancePolicies | GET, POST, PATCH, DELETE | Policy.ReadWrite.ApplicationConfiguration | Token issuance, claims, and remaining lifetime settings. |
| /policies/tokenLifetimePolicies | GET, POST, PATCH, DELETE | Policy.ReadWrite.ApplicationConfiguration | Legacy token lifetime policies. |
| /policies/crossTenantAccessPolicy | GET, PATCH | Policy.Read.All / Policy.ReadWrite.CrossTenantAccess | Default rules for B2B collaboration and B2B Direct Connect. |
| /policies/crossTenantAccessPolicy/partners | GET, POST, PATCH, DELETE | Policy.ReadWrite.CrossTenantAccess | Partner-specific cross-tenant access rules. |
| /devices | GET, POST, PATCH, DELETE | Device.Read.All / Device.ReadWrite.All | Device objects, join state, owners, and extension attributes. |
| /devices/{id}/registeredOwners | GET | Directory.Read.All | Registered device owners for inventory and support. |
| /directory/deletedItems/microsoft.graph.user | GET | User.Read.All | Inspect deleted users for recovery. |
| /directory/deletedItems/{id}/restore | POST | User.ReadWrite.All | Restore soft-deleted users, groups, or apps. |
| /invitations | POST | User.Invite.All | B2B invitations with redirect URL and guest object creation. |
| /identity/b2cUserFlows | GET, POST, PATCH, DELETE | IdentityUserFlow.ReadWrite.All | User flows for External ID / B2C scenarios. |
| /identity/authenticationEventListeners | GET, POST, PATCH, DELETE | EventListener.ReadWrite.All | Authentication events and extensibility hooks. |
| /identity/userFlowAttributes | GET, POST, PATCH, DELETE | IdentityUserFlow.ReadWrite.All | User flow attributes for External ID. |
| /policies/featureRolloutPolicies | GET, POST, PATCH, DELETE | Policy.ReadWrite.FeatureRollout | Staged rollout for password hash sync, Seamless SSO, or MFA. |
Many endpoints differ significantly between delegated and application permissions. Audit logs, sign-ins, and Identity Protection commonly require additional roles or licenses, or carry preview caveats.
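The delegated-versus-application distinction above is visible in the token itself: a delegated token carries a space-separated scp claim, an app-only token carries a roles array. The following added example (not code from the page or from Microsoft) decodes a token payload, classifies it, and checks a planned call against a least-privilege map built from a constructed excerpt of the table; the tokens are constructed and unsigned, so this is a pre-flight planning aid for scripts, not an authorization decision.

```python
"""Pre-flight check: does a Graph token carry a permission sufficient for a call?

Added example, not from the original page. LEAST_PRIVILEGE is a constructed
excerpt of the endpoint table; the tokens are constructed, unsigned JWTs used
only to show claim handling. No signature is verified here.
"""
import base64
import json

# Constructed excerpt: (endpoint, method) -> permissions that satisfy the call,
# ordered from least to most privileged.
LEAST_PRIVILEGE = {
    ("/users", "GET"): ["User.Read.All", "User.ReadWrite.All"],
    ("/users", "PATCH"): ["User.ReadWrite.All"],
    ("/groups/{id}/members", "POST"): ["GroupMember.ReadWrite.All", "Group.ReadWrite.All"],
    ("/auditLogs/signIns", "GET"): ["AuditLog.Read.All"],
    ("/identityProtection/riskyUsers", "GET"): ["IdentityRiskyUser.Read.All", "IdentityRiskyUser.ReadWrite.All"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed JWT with an empty signature (test fixture only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Base64url-decode the payload segment; no signature verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict):
    """Return (kind, permissions): 'delegated' from scp, 'application' from roles."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "none", set()  # neither claim: the token grants no Graph permission


def check_call(claims: dict, endpoint: str, method: str) -> dict:
    """Report whether the token can make the call and whether it is over-privileged for it."""
    kind, granted = granted_permissions(claims)
    candidates = LEAST_PRIVILEGE.get((endpoint, method.upper()))
    if candidates is None:
        raise KeyError(f"{method} {endpoint} is not in the constructed map")
    matches = [p for p in candidates if p in granted]  # keeps least-privileged first
    if not matches:
        return {"allowed": False, "kind": kind, "matched": None, "least": candidates[0]}
    return {
        "allowed": True,
        "kind": kind,
        "matched": matches[0],
        "least": candidates[0],
        "over_privileged": matches[0] != candidates[0],
    }


if __name__ == "__main__":
    # Constructed tokens: one delegated (scp), one app-only (roles).
    delegated = make_unsigned_token({"scp": "User.Read.All AuditLog.Read.All", "upn": "admin@contoso.example"})
    app_only = make_unsigned_token({"roles": ["User.ReadWrite.All"], "appid": "constructed-app-id"})
    for tok in (delegated, app_only):
        claims = decode_payload(tok)
        for call in (("/users", "GET"), ("/users", "PATCH")):
            print(claims.get("upn", claims.get("appid")), call, check_call(claims, *call))
```

The over_privileged flag is the useful output for a scope review: an application that holds User.ReadWrite.All but only ever issues GET /users should be re-consented down to User.Read.All.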
Important audit events and directory activities
Directory audits are the primary evidence source for administrative changes. For each change, evaluate actor, correlationId, modifiedProperties, result, and targetResources in addition to the activity name.
| Category | Activity | Commonly logged properties |
|---|---|---|
| UserManagement | Add user | Target, UPN, displayName, initiatedBy, result |
| UserManagement | Delete user | ObjectId, soft-delete state, actor |
| UserManagement | Update user | ModifiedProperties, old/new values, correlationId |
| UserManagement | Change user password | Target user, actor, password policy context |
| UserManagement | Reset user password | Reset initiator, target, result reason |
| UserManagement | Restore deleted user | ObjectId, restored services, actor |
| GroupManagement | Add group | DisplayName, groupType, mailEnabled, securityEnabled |
| GroupManagement | Delete group | ObjectId, delete mode, actor |
| GroupManagement | Add member | GroupId, memberId, memberType |
| GroupManagement | Remove member | GroupId, memberId, actor |
| ApplicationManagement | Add application | AppId, redirectUris, createdBy |
| ApplicationManagement | Update application | ModifiedProperties, secret or certificate events, app roles |
| ApplicationManagement | Add service principal | ServicePrincipalId, appId, publisher |
| RoleManagement | Add role assignment | RoleDefinitionId, principalId, scope |
| RoleManagement | Remove role assignment | RoleDefinitionId, principalId, scope |
| PolicyManagement | Set conditional access policy | PolicyState, included/excluded targets, conditions |
| PolicyManagement | Delete conditional access policy | PolicyId, actor, correlationId |
| Authentication | User registered MFA | Method type, registration channel, actor/user |
| Authentication | User registered SSPR | Registration status, methods, actor/user |
| ProvisioningManagement | Create provisioning job | Service principal, mapping, source/target |
| DomainManagement | Verify domain | Domain name, verification method, actor |
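The fields named above (actor, correlationId, modifiedProperties, result, targetResources) are what a triage script pulls out of each record. This added example (not code from the page) does that over constructed records shaped like Graph /auditLogs/directoryAudits items, ranks the activities the table marks as role, policy, and application changes first, and groups records sharing a correlationId so that a role assignment and a policy deletion made in one operation are reviewed together. The activity names are taken from the table; the records themselves are constructed, not real tenant data.

```python
"""Triage Microsoft Entra directory audit records for high-impact changes.

Added example, not from the original page. SAMPLE_AUDITS is constructed to
mirror the shape of Graph /auditLogs/directoryAudits items; it is not real data.
"""
import json
from collections import defaultdict

# Constructed sample records (raw string so the JSON-encoded property values survive).
SAMPLE_AUDITS = json.loads(r"""
[
  {"id": "a1", "activityDateTime": "2024-05-01T08:00:00Z",
   "activityDisplayName": "Add role assignment", "category": "RoleManagement",
   "result": "success", "correlationId": "c-100",
   "initiatedBy": {"user": {"id": "u-1", "userPrincipalName": "admin@contoso.example"}},
   "targetResources": [
     {"id": "u-2", "type": "User", "userPrincipalName": "alice@contoso.example",
      "modifiedProperties": [
        {"displayName": "Role.DisplayName", "oldValue": null, "newValue": "\"Global Administrator\""}]}]},
  {"id": "a2", "activityDateTime": "2024-05-01T08:00:03Z",
   "activityDisplayName": "Delete conditional access policy", "category": "PolicyManagement",
   "result": "success", "correlationId": "c-100",
   "initiatedBy": {"app": {"servicePrincipalId": "sp-9", "displayName": "Automation App"}},
   "targetResources": [{"id": "p-1", "type": "Policy", "displayName": "Require MFA for admins",
                        "modifiedProperties": []}]},
  {"id": "a3", "activityDateTime": "2024-05-01T09:15:00Z",
   "activityDisplayName": "Update user", "category": "UserManagement",
   "result": "failure", "correlationId": "c-200",
   "initiatedBy": {"user": {"id": "u-3", "userPrincipalName": "helpdesk@contoso.example"}},
   "targetResources": [
     {"id": "u-4", "type": "User", "userPrincipalName": "bob@contoso.example",
      "modifiedProperties": [
        {"displayName": "Department", "oldValue": "\"Sales\"", "newValue": "\"Finance\""}]}]}
]
""")

# Activities from the table above that change privilege, policy, or app trust.
HIGH_IMPACT = {
    "Add role assignment", "Remove role assignment",
    "Set conditional access policy", "Delete conditional access policy",
    "Add service principal", "Update application",
}


def _unwrap(value):
    """modifiedProperties values arrive JSON-encoded (e.g. '"Finance"'); decode them."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def actor_of(record: dict) -> str:
    """initiatedBy holds either a user or an app; label which one acted."""
    who = record.get("initiatedBy", {})
    if who.get("user"):
        return "user:" + who["user"].get("userPrincipalName", who["user"].get("id", "?"))
    if who.get("app"):
        return "app:" + who["app"].get("displayName", who["app"].get("servicePrincipalId", "?"))
    return "unknown"


def summarize(record: dict) -> dict:
    """Flatten one audit record into the fields an analyst needs."""
    targets, changes = [], []
    for t in record.get("targetResources", []):
        targets.append((t.get("type"), t.get("userPrincipalName") or t.get("displayName") or t.get("id")))
        for p in t.get("modifiedProperties", []):
            changes.append((p["displayName"], _unwrap(p.get("oldValue")), _unwrap(p.get("newValue"))))
    return {
        "id": record["id"],
        "activity": record["activityDisplayName"],
        "category": record["category"],
        "result": record["result"],
        "correlationId": record["correlationId"],
        "actor": actor_of(record),
        "targets": targets,
        "changes": changes,
        "high_impact": record["activityDisplayName"] in HIGH_IMPACT,
    }


def triage(records):
    """Return summaries (high-impact first, original order otherwise) and ids grouped by correlationId."""
    summaries = sorted((summarize(r) for r in records), key=lambda s: not s["high_impact"])
    by_correlation = defaultdict(list)
    for s in summaries:
        by_correlation[s["correlationId"]].append(s["id"])
    return summaries, dict(by_correlation)


if __name__ == "__main__":
    for s in triage(SAMPLE_AUDITS)[0]:
        print(s["high_impact"], s["correlationId"], s["actor"], s["activity"], s["changes"])
```

Grouping by correlationId is what turns two unrelated-looking rows into one story: here a user grants Global Administrator and, three seconds later under the same correlation, an app deletes an MFA policy.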
Service limits – deep dive
Published limits from Microsoft Learn are only the first layer. Real operations are also constrained by token overage behavior, workload-specific limits, old portal caps, and latency under load. Use the table as both a design and operations reference, not merely as a commercial limit list.
| Category | Limit | Operational note |
|---|---|---|
| Directory objects (Free) | 50,000 | Without a verified domain; new tenants start with a temporary 600-object quota for 2 days. |
| Directory objects (verified domain) | 300,000 | Standard service limit according to the Entra service limits. |
| Pricing-tier reference limit | 500,000+ | Often used as a planning figure; engage Microsoft support for higher quotas. |
| Non-admin resource creation | 250 | Active and restorable objects count toward the limit. |
| Tenants per user | 500 as member/guest; 200 creatable | Includes the legacy tenant creation limit. |
| License-based subscriptions per tenant | 300 | Commerce subscriptions such as Microsoft 365 plans. |
| User groups in auth/authz scenarios | Service dependent | SharePoint 2,047; JWT 200; SAML 150; Conditional Access 4,096. |
| Groups per user | Practically unlimited; Conditional Access evaluates 4,096 | Use 7,000 as an operational planning marker, but validate per workload. |
| Owners per group | 100 | Applies to security and Microsoft 365 groups. |
| Members per group (assigned) | No general Graph limit | Observe service-specific limits for tokens, SharePoint, or Conditional Access separately. |
| Members per dynamic group (planning value) | 50,000+ | Large groups are supported, but account for evaluation time and latency. |
| Dynamic groups + dynamic administrative units | 15,000 combined | Includes entitlement management automatic assignment policies. |
| Role-assignable groups | 500 | Per-tenant limit. |
| Groups per Kerberos token | 1,010 | Specific to Entra Kerberos. |
| Nested membership access block threshold | 2,048 | Access can be blocked beyond this membership count. |
| Domains per tenant | 5,000 managed; 2,500 federated supported | For federated performance, keep closer to 300 if possible. |
| Administrative units | 30 memberships per object; 100 restricted management AUs | Treat the 5,000 figure as a design ambition, not a published hard service limit. |
| Custom roles | 100 | Maximum 100 custom roles per tenant. |
| Custom role assignments per principal | 150 | Across all scopes. |
| Built-in role assignments per principal at non-tenant scope | 100 | Tenant scope has no equivalent limit. |
| Conditional Access policies | 195-240 depending on documentation snapshot | Microsoft currently documents 240; many field guides still reference the historical 195. |
| Named locations – IP | 195+ | Operational planning value from portal practice; align with the Conditional Access policy limit. |
| Named locations – country | 195+ | Consolidate early for global policies. |
| Terms of use | 40 | Maximum 40 terms of use per tenant. |
| Application owners | 100 | Maximum 100 users/service principals as owners on one app. |
| App role assignments per principal | 1,500 | Across all enterprise apps. |
| Password-based SSO credentials per user | 48 | Directly assigned apps. |
| Password-based SSO credentials per group | 48 | Group object storing password SSO credentials. |
| Application manifest entries | 1,200 | Total entries allowed in one app manifest. |
| App registrations per user | 250 without elevated role | Effectively unlimited with the appropriate role or custom role. |
| App registrations per tenant | Object limit | Free tenants hit the overall directory object limit sooner. |
| Service principals per tenant | Object limit | No separate hard service limit published. |
| Schema extension values per object | 100 | Across all apps and extension types. |
| String extension length | 256 characters | For string schema extensions. |
| Binary extension size | 256 bytes | For binary schema extensions. |
| Reports – visible/downloadable rows | 1,000 | Additional rows are truncated; prefer the API. |
| Application Proxy | 500 TPS per app / 750 TPS per tenant | HTTP 429 returned when throttled. |
| B2B invitations without paid licenses | 10/day for the first 30 days, then 100/day | Workforce tenant without paid licensing. |
| B2B invitations with paid licenses | 200/day in the first 30 days | Afterward, general service quotas apply. |
| Bulk invitations per CSV | 50,000 (planning guideline) | Design large imports in batches with retry logic. |
| Authentication methods per user – phones | 5 | Operational limit for SMS and voice methods. |
| Authentication methods per user – OATH hardware | 5 | Mostly for break-glass and specialist use cases. |
| Cross-tenant access partner object | 4 KB | JSON size per partner relationship object. |
For dynamic groups, Conditional Access, and group claims, never design directly against the hard limit. Sixty to seventy percent of the published cap is usually the better operational target.
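The per-service group figures and the 60-70 percent target above, as an added example (not the page's own code): it classifies a user's group count against each service limit and shows how to recognise the group-claim overage a token carries when the directory cannot fit every group into it. The limit figures are copied from the table; the token claims and the endpoint URL in the overage sample are constructed. An app that treats a missing groups claim as "no groups" silently mis-authorizes, which is why the overage check matters.

```python
"""Group-count planning against service limits, plus group-claim overage detection.

Added example, not from the original page. GROUP_CLAIM_LIMITS copies figures
from the limits table above. The _claim_names/_claim_sources shape is the
documented Entra ID overage indication; the sample claims are constructed.
"""

# Figures from the limits table (per user).
GROUP_CLAIM_LIMITS = {
    "SAML group claims": 150,
    "JWT group claims": 200,
    "Kerberos token groups": 1010,
    "SharePoint": 2047,
    "Nested membership access block": 2048,
    "Conditional Access evaluation": 4096,
}


def headroom(group_count: int, target_ratio: float = 0.7) -> dict:
    """Classify each service as 'exceeded', 'above target', or 'ok' for this group count.

    target_ratio encodes the 60-70 percent operational target recommended above;
    anything past it is flagged before the hard limit is actually reached.
    """
    report = {}
    for service, limit in GROUP_CLAIM_LIMITS.items():
        if group_count > limit:
            report[service] = "exceeded"
        elif group_count > limit * target_ratio:
            report[service] = "above target"
        else:
            report[service] = "ok"
    return report


def groups_from_token(claims: dict):
    """Return (groups, overage_endpoint).

    When the token cannot carry all of the user's groups, the 'groups' claim is
    omitted and '_claim_names' maps 'groups' to a source key whose entry in
    '_claim_sources' names the Graph endpoint the app must call to resolve
    membership. Returning the endpoint lets the caller distinguish "no groups"
    from "too many groups to list".
    """
    if "groups" in claims:
        return list(claims["groups"]), None
    src = claims.get("_claim_names", {}).get("groups")
    if src is None:
        return [], None
    endpoint = claims.get("_claim_sources", {}).get(src, {}).get("endpoint")
    return [], endpoint


if __name__ == "__main__":
    for count in (120, 180, 2100):
        flagged = {k: v for k, v in headroom(count).items() if v != "ok"}
        print(count, flagged)
    # Constructed overage token payload (endpoint value is a constructed sample).
    overage = {"_claim_names": {"groups": "src1"},
               "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/u-1/getMemberObjects"}}}
    print(groups_from_token(overage))
```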
Entra ID PowerShell Module – Deep DiveEntra ID PowerShell module – deep dive
Das Microsoft Graph PowerShell SDK ist modular. Für schnelle Ladezeiten, reproduzierbare Pipelines und minimale Scope-Anforderungen sollten produktive Skripte nur die tatsächlich benötigten Submodule importieren.The Microsoft Graph PowerShell SDK is modular. For fast load times, reproducible pipelines, and minimal scopes, production scripts should import only the submodules they actually need.
Microsoft.Graph.Users
Users, managers, authentication methods, and sign-in adjacent attributes.
| Aspect | Value |
|---|---|
| Installation | Install-Module Microsoft.Graph.Users -Scope CurrentUser |
| Key cmdlets | Get-MgUser, New-MgUser, Update-MgUser, Remove-MgUser, Get-MgUserAuthenticationMethod |
| Common pattern | User inventory, HR sync follow-up, offboarding, and MFA analytics. |
```powershell
Install-Module Microsoft.Graph.Users -Scope CurrentUser
Import-Module Microsoft.Graph.Users
Get-Command -Module Microsoft.Graph.Users | Select-Object -First 10 Name
```
Microsoft.Graph.Groups
Group objects, owners, members, and licensing.
| Aspect | Value |
|---|---|
| Installation | Install-Module Microsoft.Graph.Groups -Scope CurrentUser |
| Key cmdlets | Get-MgGroup, New-MgGroup, Get-MgGroupMember, New-MgGroupMemberByRef, Set-MgGroupLicense |
| Common pattern | Group lifecycle, dynamic groups, and group-based licensing. |
```powershell
Install-Module Microsoft.Graph.Groups -Scope CurrentUser
Import-Module Microsoft.Graph.Groups
Get-Command -Module Microsoft.Graph.Groups | Select-Object -First 10 Name
```
Microsoft.Graph.Identity.DirectoryManagement
Domains, directory roles, administrative units, and organization metadata.
| Aspect | Value |
|---|---|
| Installation | Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser |
| Key cmdlets | Get-MgDomain, Get-MgDirectoryRole, Get-MgAdministrativeUnit, Get-MgOrganization |
| Common pattern | Tenant metadata, domains, roles, and scoped administration. |
```powershell
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Get-Command -Module Microsoft.Graph.Identity.DirectoryManagement | Select-Object -First 10 Name
```
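A role-audit pattern built on the cmdlets listed above, as an added example that is not part of the original page: it enumerates the permanently active members of the Global Administrator role and warns when the count exceeds a locally chosen threshold. The required scope and the threshold value are assumptions; PIM-eligible assignments are not returned by `Get-MgDirectoryRoleMember` and are therefore outside this report.

```powershell
# Added example (not from the original page): list the permanently active
# members of the Global Administrator role and flag a count above a threshold.
# Assumptions: Microsoft.Graph.Identity.DirectoryManagement is installed and the
# session has RoleManagement.Read.Directory (or Directory.Read.All). PIM-eligible
# assignments are not returned by Get-MgDirectoryRoleMember and are out of scope here.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-GlobalAdminReport {
    [CmdletBinding()]
    param([int] $MaxExpected = 5)   # threshold is a local policy choice, not a product limit

    # Well-known role template id of Global Administrator. Get-MgDirectoryRole only
    # returns roles that have been activated in the tenant, so filter on the template.
    $gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
    if (-not $role) { throw 'Global Administrator role is not activated in this tenant.' }

    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    $report = foreach ($m in $members) {
        $p = $m.AdditionalProperties   # directoryObject payload: type-specific fields live here
        [pscustomobject]@{
            ObjectId    = $m.Id
            Type        = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
            DisplayName = $p['displayName']
            Upn         = $p['userPrincipalName']   # empty for service principals and groups
        }
    }
    if (@($report).Count -gt $MaxExpected) {
        Write-Warning "$(@($report).Count) active Global Administrators exceed the expected maximum of $MaxExpected."
    }
    $report | Sort-Object Type, DisplayName
}

# Usage:
# Get-GlobalAdminReport | Format-Table -AutoSize
```

Service principals and groups show up with an empty `Upn`, which is exactly the kind of non-human or nested assignment a reviewer wants to see separately from named administrators.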
Microsoft.Graph.Identity.SignIns
Sign-ins, risk detections, risky users, and authentication reports.
| Aspect | Value |
|---|---|
| Installation | Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser |
| Key cmdlets | Get-MgAuditLogSignIn, Get-MgRiskDetection, Get-MgRiskyUser, Get-MgReportAuthenticationMethodUserRegistrationDetail |
| Common pattern | SOC analytics, MFA adoption, and risk-based response. |
```powershell
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.SignIns
Get-Command -Module Microsoft.Graph.Identity.SignIns | Select-Object -First 10 Name
```
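An MFA-adoption check combining the registration report with risky-user data, as an added example that is not part of the original page: it lists users without any MFA method registered and ranks admins and Identity Protection-flagged accounts first. The scopes named in the comments and the priority scheme are assumptions; risk data is only populated on tenants licensed for Identity Protection.

```powershell
# Added example (not from the original page): rank users who have no MFA method
# registered, putting admins and Identity-Protection-flagged accounts first.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed and the session has
# AuditLog.Read.All, UserAuthenticationMethod.Read.All and IdentityRiskyUser.Read.All.
# Risk data is only populated on tenants licensed for Identity Protection.
Import-Module Microsoft.Graph.Identity.SignIns

function Get-MfaGapReport {
    [CmdletBinding()]
    param([switch] $IncludeGuests)

    # Server-side filter: only users without any MFA method registered
    $noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All -Filter "isMfaRegistered eq false"
    if (-not $IncludeGuests) { $noMfa = $noMfa | Where-Object UserType -eq 'member' }

    # Accounts Identity Protection currently flags; index by object id for a cheap join
    $riskById = @{}
    foreach ($r in (Get-MgRiskyUser -All -Filter "riskState eq 'atRisk'")) { $riskById[$r.Id] = $r.RiskLevel }

    $report = foreach ($u in $noMfa) {
        $risk = if ($riskById.ContainsKey($u.Id)) { $riskById[$u.Id] } else { 'none' }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType
            IsAdmin           = $u.IsAdmin
            RiskLevel         = $risk
            MethodsRegistered = ($u.MethodsRegistered -join ',')   # typically password only here
            Priority          = if ($u.IsAdmin) { 1 } elseif ($risk -ne 'none') { 2 } else { 3 }
        }
    }
    $report | Sort-Object Priority, UserPrincipalName
}

# Usage:
# Get-MfaGapReport | Where-Object Priority -le 2 | Format-Table -AutoSize
```

Filtering on `isMfaRegistered` server-side keeps the result set small even in large tenants, and the in-memory hashtable join avoids one risky-user call per user.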
Microsoft.Graph.Identity.Governance
Access reviews, entitlement management, and lifecycle workflows.
| Aspect | Value |
|---|---|
| Installation | Install-Module Microsoft.Graph.Identity.Governance -Scope CurrentUser |
| Key cmdlets | Get-MgIdentityGovernanceAccessReviewDefinition, Get-MgEntitlementManagementAccessPackage, Get-MgIdentityGovernanceLifecycleWorkflow |
| Common pattern | JML automation, recertification, and self-service access packages. |
```powershell
Install-Module Microsoft.Graph.Identity.Governance -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.Governance
Get-Command -Module Microsoft.Graph.Identity.Governance | Select-Object -First 10 Name
```
Microsoft.Graph.Applications
App registrations, enterprise apps, secrets, certificates, and app roles.
| Aspect | Value |
|---|---|
| Installation | Install-Module Microsoft.Graph.Applications -Scope CurrentUser |
| Key cmdlets | Get-MgApplication, New-MgApplication, Get-MgServicePrincipal, Add-MgApplicationPassword, Add-MgServicePrincipalAppRoleAssignedTo |
| Common pattern | Identity platform, SSO, consent, and workload identities. |
```powershell
Install-Module Microsoft.Graph.Applications -Scope CurrentUser
Import-Module Microsoft.Graph.Applications
Get-Command -Module Microsoft.Graph.Applications | Select-Object -First 10 Name
```
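A credential-hygiene report for app registrations, as an added example that is not part of the original page: it walks every application's client secrets and certificates and returns those already expired or expiring within a window, so rotation can be scheduled before a workload identity breaks. The required scope and the 30-day default window are assumptions.

```powershell
# Added example (not from the original page): find app registration secrets and
# certificates that are expired or expire soon.
# Assumptions: Microsoft.Graph.Applications is installed and the session has
# Application.Read.All; the 30-day window is a local choice.
Import-Module Microsoft.Graph.Applications

function Get-AppCredentialFinding {
    [CmdletBinding()]
    param([int] $WithinDays = 30)

    $now  = [DateTime]::UtcNow
    $apps = Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials

    $findings = foreach ($app in $apps) {
        # Normalise both credential kinds into one shape before evaluating
        $creds = @()
        foreach ($p in @($app.PasswordCredentials | Where-Object { $_ })) {
            $creds += [pscustomobject]@{ Kind = 'Secret';      Name = $p.DisplayName; KeyId = $p.KeyId; End = $p.EndDateTime }
        }
        foreach ($k in @($app.KeyCredentials | Where-Object { $_ })) {
            $creds += [pscustomobject]@{ Kind = 'Certificate'; Name = $k.DisplayName; KeyId = $k.KeyId; End = $k.EndDateTime }
        }
        foreach ($c in $creds) {
            if ($null -eq $c.End) { continue }
            $daysLeft = [math]::Floor(($c.End.ToUniversalTime() - $now).TotalDays)
            $state = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WithinDays) { 'ExpiringSoon' } else { 'Ok' }
            if ($state -eq 'Ok') { continue }
            [pscustomobject]@{
                App        = $app.DisplayName
                AppId      = $app.AppId
                Kind       = $c.Kind
                Credential = $c.Name
                KeyId      = $c.KeyId
                DaysLeft   = $daysLeft
                State      = $state
            }
        }
    }
    $findings | Sort-Object DaysLeft
}

# Usage:
# Get-AppCredentialFinding -WithinDays 45 | Format-Table -AutoSize
```

Expired credentials that are still attached to an application are worth removing as well as rotating: they no longer work, but they clutter the object and hide which entry the running workload actually uses.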
Microsoft.Graph.Authentication
Connection setup, token acquisition, context, and profiles.
| Aspect | Value |
|---|---|
| Installation | Install-Module Microsoft.Graph.Authentication -Scope CurrentUser |
| Key cmdlets | Connect-MgGraph, Get-MgContext, Disconnect-MgGraph, Select-MgProfile |
| Common pattern | Clean scope models and module initialization in scripts. |
```powershell
Install-Module Microsoft.Graph.Authentication -Scope CurrentUser
Import-Module Microsoft.Graph.Authentication
Get-Command -Module Microsoft.Graph.Authentication | Select-Object -First 10 Name
```
```powershell
Install-Module Microsoft.Graph.Authentication,Microsoft.Graph.Users,Microsoft.Graph.Groups -Scope CurrentUser
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","AuditLog.Read.All"
Get-MgContext
Get-MgUser -Top 5 -Property DisplayName,UserPrincipalName
Get-MgGroup -Top 5 -Property DisplayName,GroupTypes
```
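The same quickstart reworked into the production pattern the Authentication section describes (explicit submodule imports, a declared scope set, and a context check that fails closed), as an added example that is not part of the original page. The helper name `Connect-MgLeastPrivilege` and the `-NoWelcome` usage are assumptions of this example, not page content.

```powershell
# Added example (not from the original page): least-privilege session bootstrap.
# Imports only the submodules the script needs, declares the scopes it requires,
# reuses an existing session if it already carries them, and refuses to run if
# the granted scopes fall short. The helper name is an assumption of this example.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Groups

$RequiredScopes = @('User.Read.All', 'Group.Read.All', 'AuditLog.Read.All')

function Connect-MgLeastPrivilege {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Scopes,
        [string] $TenantId   # optional: pin the tenant to avoid landing in the wrong directory
    )
    $ctx = Get-MgContext
    $missing = @()
    if ($ctx) { $missing = @($Scopes | Where-Object { $_ -notin $ctx.Scopes }) }

    if (-not $ctx -or $missing.Count -gt 0) {
        $params = @{ Scopes = $Scopes; NoWelcome = $true }
        if ($TenantId) { $params.TenantId = $TenantId }
        Connect-MgGraph @params
        $ctx = Get-MgContext
    }

    # Fail closed: consent may have been granted for fewer scopes than requested
    $still = @($Scopes | Where-Object { $_ -notin $ctx.Scopes })
    if ($still.Count -gt 0) { throw "Session lacks required scopes: $($still -join ', ')" }
    return $ctx
}

try {
    $ctx = Connect-MgLeastPrivilege -Scopes $RequiredScopes
    Write-Host "Connected to tenant $($ctx.TenantId) as $($ctx.Account) via $($ctx.AuthType)"

    Get-MgUser  -Top 5 -Property DisplayName,UserPrincipalName | Select-Object DisplayName,UserPrincipalName
    Get-MgGroup -Top 5 -Property DisplayName,GroupTypes        | Select-Object DisplayName,GroupTypes
}
finally {
    # Always drop the token cache reference when the script ends
    if (Get-MgContext) { Disconnect-MgGraph | Out-Null }
}
```

Checking `(Get-MgContext).Scopes` after connecting matters because an administrator can approve a subset of the requested permissions; a script that assumes it got everything will fail later with a less obvious error.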