BenutzerverwaltungUser Management
Benutzerobjekte erstellen, verwalten, schützen und auswerten – inklusive Gastkonten, Lizenzen und Berichten.Create, manage, secure, and report on user objects—including guests, licenses, and reports.
Cloud + HybridCloud + hybrid
Behandelt cloud-only, synchronisierte und Gastkonten in einem Betriebsmodell.Covers cloud-only, synced, and guest accounts in one operating model.
AutomatisierungAutomation
Jeder Abschnitt enthält PowerShell- und Graph-Beispiele für Portal-unabhängige Prozesse.Every section includes PowerShell and Graph examples for portal-independent processes.
LifecycleLifecycle
Deckt Erstellung, Änderung, Sperrung, Löschung, Wiederherstellung und Reporting ab.Covers creation, modification, blocking, deletion, restore, and reporting.
BenutzertypenUser types
Administrativ sind zwei Dimensionen zentral: Mitglied vs. Gast und cloud-only vs. synchronisiert. Beide Achsen bestimmen, wo Attribute führend sind und welche Änderungen in der Cloud zulässig bleiben.Administratively, two dimensions matter most: member vs. guest and cloud-only vs. synchronized. Both axes determine which system is authoritative and which cloud changes remain allowed.
| TypType | BeschreibungDescription | Typische BesonderheitenTypical specifics |
|---|---|---|
| Member / Cloud-onlyMember / Cloud-only | Vollwertiger Benutzer, ausschließlich in Entra verwaltet.Full user managed only in Entra. | Alle Kernattribute direkt in der Cloud änderbar.All core attributes editable directly in the cloud. |
| Member / SyncedMember / Synced | Benutzer stammt aus lokalem AD.User originates from on-premises AD. | Viele Attribute sind on-premises führend.Many attributes are authoritative on-premises. |
| Guest / B2BGuest / B2B | Externer Benutzer mit Ressourcenzugriff.External user with resource access. | UserType=Guest, oft eingeschränkte Verzeichnisrechte.UserType=Guest, often reduced directory permissions. |
| External memberExternal member | Externer Identitätstyp mit Member-Semantik.External identity type with member semantics. | Selten, abhängig von Collaboration-Design.Less common, depends on collaboration design. |
PowerShellPowerShell
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUser -Top 20 -Property DisplayName,UserType,OnPremisesSyncEnabled |
Select-Object DisplayName, UserType, OnPremisesSyncEnabled
Graph APIGraph API
GET https://graph.microsoft.com/v1.0/users?$select=displayName,userType,onPremisesSyncEnabled&$top=20
Authorization: Bearer <token>Benutzer erstellenCreate user
Ein Benutzer kann über das Portal, Graph PowerShell oder direkt per Microsoft Graph erstellt werden. Für reproduzierbare Prozesse sind Skripte der bevorzugte Weg.A user can be created through the portal, Graph PowerShell, or directly via Microsoft Graph. For repeatable processes, scripts are the preferred method.
PortalpfadPortal path
Entra Admin Center > Identity > Users > All users > New user.Entra Admin Center > Identity > Users > All users > New user.
Erforderliche FelderRequired fields
Mindestens Display Name, UPN und Startkennwort müssen gesetzt werden.At minimum, set display name, UPN, and an initial password.
NutzungsstandortUsage location
Setzen Sie usageLocation frühzeitig, wenn Lizenzen zugewiesen werden sollen.Set usageLocation early when licenses must be assigned.
PowerShellPowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All"
$passwordProfile = @{
Password = "Str0ng!TempP@ssw0rd"
ForceChangePasswordNextSignIn = $true
}
New-MgUser `
-DisplayName "Adele Vance" `
-GivenName "Adele" `
-Surname "Vance" `
-MailNickname "adele.vance" `
-UserPrincipalName "adele.vance@contoso.com" `
-AccountEnabled `
-UsageLocation "DE" `
-PasswordProfile $passwordProfile
Graph APIGraph API
POST https://graph.microsoft.com/v1.0/users
Content-Type: application/json
Authorization: Bearer <token>
{
"accountEnabled": true,
"displayName": "Adele Vance",
"givenName": "Adele",
"surname": "Vance",
"mailNickname": "adele.vance",
"userPrincipalName": "adele.vance@contoso.com",
"usageLocation": "DE",
"jobTitle": "Cloud Administrator",
"department": "IT",
"officeLocation": "Berlin",
"businessPhones": ["+49 30 5555 100"],
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "Str0ng!TempP@ssw0rd"
}
}BenutzerattributeUser attributes
Die folgende Tabelle fasst zentrale Standardattribute zusammen, die in Portalen, Lizenzierung, Dynamic Groups, Provisioning und Berichten regelmäßig benötigt werden.The following table summarizes key standard attributes that are regularly needed in portals, licensing, dynamic groups, provisioning, and reporting.
| AttributAttribute | DeutschGerman | Englisch / ZweckEnglish / purpose |
|---|---|---|
| displayNamedisplayName | AnzeigenameAnzeigename | Display nameDisplay name |
| givenNamegivenName | VornameVorname | Given nameGiven name |
| surnamesurname | NachnameNachname | SurnameSurname |
| userPrincipalNameuserPrincipalName | Anmeldename / UPNAnmeldename / UPN | Sign-in name / UPNSign-in name / UPN |
| mailmail | Primäre E-Mail-AdressePrimäre E-Mail-Adresse | Primary email addressPrimary email address |
| mailNicknamemailNickname | MailaliasMailalias | Mail aliasMail alias |
| jobTitlejobTitle | PositionPosition | Job titleJob title |
| departmentdepartment | AbteilungAbteilung | DepartmentDepartment |
| companyNamecompanyName | FirmaFirma | Company nameCompany name |
| officeLocationofficeLocation | BürostandortBürostandort | Office locationOffice location |
| usageLocationusageLocation | NutzungsstandortNutzungsstandort | Usage locationUsage location |
| accountEnabledaccountEnabled | Konto aktiviertKonto aktiviert | Account enabledAccount enabled |
| citycity | StadtStadt | CityCity |
| countrycountry | Land / RegionLand / Region | Country / regionCountry / region |
| statestate | Bundesland / RegionBundesland / Region | State / regionState / region |
| postalCodepostalCode | PostleitzahlPostleitzahl | Postal codePostal code |
| streetAddressstreetAddress | StraßeStraße | Street addressStreet address |
| mobilePhonemobilePhone | MobilnummerMobilnummer | Mobile phoneMobile phone |
| businessPhonesbusinessPhones | Geschäftliche TelefonnummernGeschäftliche Telefonnummern | Business phonesBusiness phones |
| employeeIdemployeeId | PersonalnummerPersonalnummer | Employee IDEmployee ID |
| employeeTypeemployeeType | MitarbeitertypMitarbeitertyp | Employee typeEmployee type |
| employeeHireDateemployeeHireDate | EintrittsdatumEintrittsdatum | Hire dateHire date |
| preferredLanguagepreferredLanguage | Bevorzugte SpracheBevorzugte Sprache | Preferred languagePreferred language |
| onPremisesSyncEnabledonPremisesSyncEnabled | Hybrid-Sync-StatusHybrid-Sync-Status | Hybrid sync statusHybrid sync status |
| onPremisesImmutableIdonPremisesImmutableId | Immutable IDImmutable ID | Immutable IDImmutable ID |
| onPremisesSamAccountNameonPremisesSamAccountName | sAMAccountNamesAMAccountName | sAMAccountNamesAMAccountName |
| onPremisesDomainNameonPremisesDomainName | Lokale AD-DomäneLokale AD-Domäne | On-premises AD domainOn-premises AD domain |
| creationTypecreationType | ErstellungstypErstellungstyp | Creation typeCreation type |
| userTypeuserType | Mitglied / GastMitglied / Gast | Member / GuestMember / Guest |
| identitiesidentities | AnmeldeidentitätenAnmeldeidentitäten | Sign-in identitiesSign-in identities |
| proxyAddressesproxyAddresses | Proxy-AdressenProxy-Adressen | Proxy addressesProxy addresses |
| passwordPoliciespasswordPolicies | KennwortrichtlinienKennwortrichtlinien | Password policiesPassword policies |
| signInActivitysignInActivity | AnmeldeaktivitätAnmeldeaktivität | Sign-in activitySign-in activity |
| managermanager | VorgesetzterVorgesetzter | ManagerManager |
| directReportsdirectReports | Direkte BerichteDirekte Berichte | Direct reportsDirect reports |
| otherMailsotherMails | Weitere E-Mail-AdressenWeitere E-Mail-Adressen | Other emailsOther emails |
| faxNumberfaxNumber | FaxnummerFaxnummer | Fax numberFax number |
| usageLocationusageLocation | LizenzregionLizenzregion | License regionLicense region |
⚠️ WarnungWarning
Bei synchronisierten Benutzern sind viele Attribute read-only in Entra ID. Prüfen Sie deshalb immer, ob die Quelle lokal oder cloudbasiert ist, bevor Sie PATCH-Operationen automatisieren.For synchronized users, many attributes are read-only in Entra ID. Always verify whether the source is on-premises or cloud-based before automating PATCH operations.
PowerShellPowerShell
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUser -UserId "adele.vance@contoso.com" `
-Property DisplayName,GivenName,Surname,Department,JobTitle,UsageLocation,EmployeeId,SignInActivity
Graph APIGraph API
GET https://graph.microsoft.com/v1.0/users/adele.vance@contoso.com?$select=displayName,givenName,surname,department,jobTitle,usageLocation,employeeId,signInActivity
Authorization: Bearer <token>Benutzer bearbeitenEdit user
Änderungen an Benutzerobjekten erfolgen typischerweise per Update-MgUser oder HTTP PATCH. Im Skriptbetrieb empfiehlt sich eine kontrollierte Auswahl der zu ändernden Felder.Changes to user objects are typically made via Update-MgUser or HTTP PATCH. In scripted operations, explicitly target only the fields you want to change.
PowerShellPowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All"
Update-MgUser -UserId "adele.vance@contoso.com" `
-JobTitle "Senior Cloud Administrator" `
-Department "Platform Engineering" `
-OfficeLocation "Munich" `
-MobilePhone "+49 171 5550100"
Graph APIGraph API
PATCH https://graph.microsoft.com/v1.0/users/adele.vance@contoso.com
Content-Type: application/json
Authorization: Bearer <token>
{
"jobTitle": "Senior Cloud Administrator",
"department": "Platform Engineering",
"officeLocation": "Munich",
"mobilePhone": "+49 171 5550100"
}Löschen und WiederherstellenDelete and restore
Gelöschte Benutzer landen zunächst im Soft-Delete-Bereich und können bis zu 30 Tage wiederhergestellt werden. Danach ist nur noch eine Neuanlage möglich.Deleted users first enter the soft-delete area and can be restored for up to 30 days. After that, only recreation is possible.
| PhasePhase | VerhaltenBehavior | Admin-AktionAdmin action |
|---|---|---|
| AktivActive | Benutzer ist regulär vorhanden.User exists normally. | Reguläre Verwaltung.Regular management. |
| Soft deletedSoft deleted | Objekt unter deletedItems wiederherstellbar.Object is recoverable under deletedItems. | Restore oder permanent delete.Restore or permanently delete. |
| Permanent gelöschtPermanently deleted | Objekt ist nicht mehr wiederherstellbar.Object is no longer recoverable. | Benutzer neu anlegen.Recreate the user. |
PowerShellPowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.AccessAsUser.All"
Remove-MgUser -UserId "adele.vance@contoso.com"
Get-MgDirectoryDeletedItemAsUser
Restore-MgDirectoryDeletedItem -DirectoryObjectId "<deleted-object-id>"
Graph APIGraph API
DELETE https://graph.microsoft.com/v1.0/users/adele.vance@contoso.com
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user
POST https://graph.microsoft.com/v1.0/directory/deletedItems/<deleted-object-id>/restore
Authorization: Bearer <token>Anmeldung blockieren und Sitzungen widerrufenBlock sign-in and revoke sessions
Für Incident-Response-Szenarien sollte zwischen Deaktivierung des Kontos und Widerruf bestehender Refresh Tokens unterschieden werden. Beides wird häufig kombiniert.For incident response scenarios, distinguish between disabling the account and revoking existing refresh tokens. Both are often combined.
PowerShellPowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All"
Update-MgUser -UserId "adele.vance@contoso.com" -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId "adele.vance@contoso.com"
Graph APIGraph API
PATCH https://graph.microsoft.com/v1.0/users/adele.vance@contoso.com
Content-Type: application/json
{ "accountEnabled": false }
POST https://graph.microsoft.com/v1.0/users/adele.vance@contoso.com/revokeSignInSessions
Authorization: Bearer <token>Kennwort-Reset und SSPRPassword reset and SSPR
Administratoren können Kennwörter direkt zurücksetzen. Parallel dazu sollte Self-Service Password Reset (SSPR) so konfiguriert werden, dass Standardfälle ohne Helpdesk lösbar bleiben.Administrators can reset passwords directly. In parallel, Self-Service Password Reset (SSPR) should be configured so that standard cases can be solved without helpdesk involvement.
| BereichArea | PraxisPractice | HinweisNote |
|---|---|---|
| Admin ResetAdmin Reset | Temporäres Passwort + ForceChangePasswordNextSignIn.Temporary password + force change at next sign-in. | Für Service Desk Standard.Standard for service desk. |
| SSPR RegistrierungSSPR Registrierung | Methoden wie Authenticator, FIDO2, SMS oder Mail prüfen.Check methods such as Authenticator, FIDO2, SMS, or email. | Vom Tenant-Setup abhängig.Depends on tenant configuration. |
| Hybrid WritebackHybrid Writeback | Bei lokalem AD Kennwort-Writeback aktivieren.Enable password writeback for on-premises AD. | Benötigt passende Lizenzen und Connect-Konfiguration.Requires proper licensing and Connect configuration. |
PowerShellPowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All"
$passwordProfile = @{
Password = "N3w!TempP@ssw0rd"
ForceChangePasswordNextSignIn = $true
}
Update-MgUser -UserId "adele.vance@contoso.com" -PasswordProfile $passwordProfile
Graph APIGraph API
PATCH https://graph.microsoft.com/v1.0/users/adele.vance@contoso.com
Content-Type: application/json
Authorization: Bearer <token>
{
"passwordProfile": {
"password": "N3w!TempP@ssw0rd",
"forceChangePasswordNextSignIn": true
}
}MassenoperationenBulk operations
Für größere Rollouts werden CSV-gesteuerte Massenprozesse verwendet. Das folgende PowerShell-Beispiel legt Benutzer an und protokolliert Fehler pro Zeile.For larger rollouts, CSV-driven bulk processes are used. The following PowerShell example creates users and logs errors per row.
PowerShellPowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All"
$users = Import-Csv ".\new-users.csv"
$results = foreach ($u in $users) {
try {
$passwordProfile = @{
Password = $u.Password
ForceChangePasswordNextSignIn = $true
}
$created = New-MgUser -DisplayName $u.DisplayName -GivenName $u.GivenName -Surname $u.Surname -MailNickname $u.MailNickname -UserPrincipalName $u.UserPrincipalName -Department $u.Department -JobTitle $u.JobTitle -UsageLocation $u.UsageLocation -AccountEnabled -PasswordProfile $passwordProfile
[pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Status = "Created"; Id = $created.Id; Error = $null }
} catch {
[pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Status = "Failed"; Id = $null; Error = $_.Exception.Message }
}
}
$results | Export-Csv ".\new-users-results.csv" -NoTypeInformation -Encoding UTF8
Graph APIGraph API
POST https://graph.microsoft.com/v1.0/$batch
Content-Type: application/json
Authorization: Bearer <token>
{
"requests": [
{
"id": "1",
"method": "POST",
"url": "/users",
"headers": { "Content-Type": "application/json" },
"body": {
"accountEnabled": true,
"displayName": "User One",
"mailNickname": "user.one",
"userPrincipalName": "user.one@contoso.com",
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "TempP@ssword1!"
}
}
}
]
}Gast einladenInvite guest
B2B-Gäste werden über Einladungen erstellt. Das Zielkonto kann Microsoft Account, fremdes Entra-ID-Konto oder je nach Richtlinie auch andere Identitätstypen sein.B2B guests are created through invitations. The target account can be a Microsoft account, another Entra ID account, or, depending on policy, other identity types.
PowerShellPowerShell
Connect-MgGraph -Scopes "User.Invite.All"
New-MgInvitation `
-InvitedUserDisplayName "Partner User" `
-InvitedUserEmailAddress "partner.user@fabrikam.com" `
-InviteRedirectUrl "https://myapps.microsoft.com" `
-SendInvitationMessage
Graph APIGraph API
POST https://graph.microsoft.com/v1.0/invitations
Content-Type: application/json
Authorization: Bearer <token>
{
"invitedUserDisplayName": "Partner User",
"invitedUserEmailAddress": "partner.user@fabrikam.com",
"inviteRedirectUrl": "https://myapps.microsoft.com",
"sendInvitationMessage": true
}BenutzerlizenzenUser licenses
Direkte Lizenzzuweisungen sind für Ausnahmen geeignet. Für Standardfälle ist gruppenbasierte Lizenzierung klarer und revisionssicherer.Direct license assignments are suitable for exceptions. For standard cases, group-based licensing is clearer and easier to audit.
PowerShellPowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All"
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "ENTERPRISEPACK"
Set-MgUserLicense -UserId "adele.vance@contoso.com" -AddLicenses @{SkuId = $sku.SkuId} -RemoveLicenses @()
Graph APIGraph API
POST https://graph.microsoft.com/v1.0/users/adele.vance@contoso.com/assignLicense
Content-Type: application/json
Authorization: Bearer <token>
{
"addLicenses": [
{ "skuId": "6fd2c87f-b296-42f0-b197-1e91e994b900" }
],
"removeLicenses": []
}AnmeldeaktivitätSign-in activity
Zur Bewertung inaktiver Konten werden Sign-in Logs, signInActivity und Auditdaten kombiniert. Besonders für Dormant Accounts und Lizenzoptimierung ist das wichtig.To evaluate inactive accounts, combine sign-in logs, signInActivity, and audit data. This is especially important for dormant accounts and license optimization.
PowerShellPowerShell
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -All -Property DisplayName,UserPrincipalName,SignInActivity |
Where-Object {
-not $_.SignInActivity.LastSignInDateTime -or
([datetime]$_.SignInActivity.LastSignInDateTime -lt $cutoff)
} |
Select-Object DisplayName, UserPrincipalName,
@{n='LastSignInDateTime';e={$_.SignInActivity.LastSignInDateTime}}
Graph APIGraph API
GET https://graph.microsoft.com/beta/users?$select=displayName,userPrincipalName,signInActivity
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=50
Authorization: Bearer <token>Manager und Direct ReportsManager and direct reports
Manager-Beziehungen werden für Organigramme, Genehmigungsflows, Governance und dynamische Logik genutzt. Die Zuordnung erfolgt als Navigationsbeziehung zwischen Benutzerobjekten.Manager relationships are used for org charts, approval flows, governance, and dynamic logic. The assignment is stored as a navigation relationship between user objects.
PowerShellPowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All"
Set-MgUserManagerByRef -UserId "adele.vance@contoso.com" -BodyParameter @{
"@odata.id" = "https://graph.microsoft.com/v1.0/users/<manager-object-id>"
}
Get-MgUserManager -UserId "adele.vance@contoso.com"
Get-MgUserDirectReport -UserId "<manager-object-id>"
Graph APIGraph API
PUT https://graph.microsoft.com/v1.0/users/adele.vance@contoso.com/manager/$ref
Content-Type: application/json
Authorization: Bearer <token>
{
"@odata.id": "https://graph.microsoft.com/v1.0/users/<manager-object-id>"
}
GET https://graph.microsoft.com/v1.0/users/adele.vance@contoso.com/manager
GET https://graph.microsoft.com/v1.0/users/<manager-object-id>/directReportsErweiterte FilterAdvanced filtering
Bei großen Tenants sind $filter, $search, $count und ConsistencyLevel entscheidend. Nicht alle Eigenschaften unterstützen serverseitige Filterung in gleicher Weise.In large tenants, $filter, $search, $count, and ConsistencyLevel are critical. Not all properties support server-side filtering in the same way.
| MusterPattern | BeispielExample | HinweisNote |
|---|---|---|
| $filter$filter | department eq 'IT'department eq 'IT' | Für exakte und unterstützte Attribute.For exact matches on supported attributes. |
| $search$search | "displayName:Adele""displayName:Adele" | Benötigt ConsistencyLevel eventual.Requires ConsistencyLevel eventual. |
| $count$count | $count=true$count=true | Hilft bei Paging und Reports.Useful for paging and reports. |
| orderby + toporderby + top | $orderby=displayName&$top=50$orderby=displayName&$top=50 | Nur auf unterstützten Attributen verwenden.Use only on supported attributes. |
PowerShellPowerShell
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUser -Filter "department eq 'IT'" -ConsistencyLevel eventual -CountVariable count `
-Search '"displayName:Adele"' -Top 25
$count
Graph APIGraph API
GET https://graph.microsoft.com/v1.0/users?$filter=department eq 'IT'&$search="displayName:Adele"&$count=true&$top=25
ConsistencyLevel: eventual
Authorization: Bearer <token>Komplette Benutzer-EigenschaftenreferenzComplete user properties reference
Die Tabelle kombiniert Standardfelder aus dem Graph user resource type mit verschachtelten Teilfeldern, Lizenzstatus-Subobjekten und Hybrid-spezifischen Erweiterungen. Für produktive Skripte sollte immer mit $select, ConsistencyLevel und klaren Read/Write-Grenzen gearbeitet werden.This table combines standard Graph user resource fields with nested subfields, license state objects, and hybrid-specific extensions. In production scripts, always use $select, ConsistencyLevel, and explicit read/write boundaries.
| EigenschaftProperty | TypType | Read/WriteRead/Write | BeschreibungDescription |
|---|---|---|---|
| aboutMeaboutMe | StringString | Lesen/SchreibenRead/Write | Freitextfeld für Selbstbeschreibung, Profile und Delve-ähnliche Szenarien.Freeform self-description field used in profile and people experiences. |
| accountEnabledaccountEnabled | BooleanBoolean | Lesen/SchreibenRead/Write | Steuert, ob sich das Konto anmelden darf.Controls whether the account can sign in. |
| ageGroupageGroup | EnumEnum | BedingtConditional | Altersklassifizierung für jugendschutzrelevante Szenarien.Age classification used in legal and youth-protection scenarios. |
| assignedLicensesassignedLicenses | CollectionCollection | Nur LesenRead-only | Liste zugewiesener Produkt-SKUs inklusive geerbter Gruppenlizenzen.List of assigned product SKUs including inherited group licensing. |
| assignedPlansassignedPlans | CollectionCollection | Nur LesenRead-only | Status einzelner Dienstpläne aus den zugewiesenen Lizenzen.Status of individual service plans from assigned licenses. |
| authorizationInfoauthorizationInfo | ComplexComplex | Nur LesenRead-only | Autorisierungsbezogene Metadaten, wenn von nachgelagerten Diensten bereitgestellt.Authorization-related metadata when exposed by downstream services. |
| birthdaybirthday | DateTimeOffsetDateTimeOffset | Lesen/SchreibenRead/Write | Geburtsdatum des Benutzers im ISO-Format.User birthday in ISO date-time format. |
| businessPhonesbusinessPhones | String[]String[] | Lesen/SchreibenRead/Write | Geschäftliche Telefonnummern; praktisch meist eine Nummer.Business phone numbers; effectively one number in most tenants. |
| citycity | StringString | Lesen/SchreibenRead/Write | Ort für Adressbuch, Filter und dynamische Regeln.City value used in address book, filters, and dynamic rules. |
| companyNamecompanyName | StringString | Lesen/SchreibenRead/Write | Unternehmen oder Herkunftsorganisation, vor allem bei Gästen nützlich.Company or source organization, especially useful for guests. |
| consentProvidedForMinorconsentProvidedForMinor | EnumEnum | BedingtConditional | Kennzeichnet, ob Zustimmung für Minderjährige vorliegt.Indicates whether consent for minors has been granted. |
| countrycountry | StringString | Lesen/SchreibenRead/Write | Land/Region, oft relevant für Compliance und Regeln.Country/region used in compliance logic and rules. |
| createdDateTimecreatedDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Zeitpunkt der Erstellung des Objekts in Entra ID.Timestamp when the object was created in Entra ID. |
| creationTypecreationType | StringString | Nur LesenRead-only | Zeigt an, ob das Konto normal, eingeladen, lokal oder per Self-Service erstellt wurde.Shows whether the account was created normally, by invitation, locally, or through self-service. |
| customSecurityAttributescustomSecurityAttributes | Open complexOpen complex | BedingtConditional | Benutzerdefinierte Sicherheitsattribute für feingranulare Governance und ABAC.Custom security attributes for fine-grained governance and ABAC scenarios. |
| deletedDateTimedeletedDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Zeitpunkt der Soft-Deletion.Timestamp of soft deletion. |
| departmentdepartment | StringString | Lesen/SchreibenRead/Write | Abteilung; Standardattribut für HR-gesteuerte Prozesse und Dynamic Groups.Department; standard attribute for HR-driven processes and dynamic groups. |
| displayNamedisplayName | StringString | Lesen/SchreibenRead/Write | Anzeigename in Portalen, Teams, Exchange und Suchergebnissen.Display name in portals, Teams, Exchange, and search results. |
| employeeHireDateemployeeHireDate | DateTimeOffsetDateTimeOffset | Lesen/SchreibenRead/Write | Einstellungsdatum für Lifecycle, Dynamic Rules und Workday-Integrationen.Hire date used in lifecycle, dynamic rules, and HR integrations. |
| employeeIdemployeeId | StringString | Lesen/SchreibenRead/Write | Personalnummer für HR-Matching und Regeln.Employee number used for HR matching and rules. |
| employeeLeaveDateTimeemployeeLeaveDateTime | DateTimeOffsetDateTimeOffset | Lesen/SchreibenRead/Write | Geplantes Austrittsdatum für Lifecycle-Automatisierung.Scheduled leave date used in lifecycle automation. |
| employeeOrgDataemployeeOrgData | ComplexComplex | Lesen/SchreibenRead/Write | Kostenstelle und Division aus HR- oder SAP-nahen Prozessen.Contains cost center and division values from HR-like processes. |
| employeeOrgData.costCenteremployeeOrgData.costCenter | StringString | Lesen/SchreibenRead/Write | Kostenstelle für Berichtswesen, Chargeback und Regeln.Cost center for reporting, chargeback, and rules. |
| employeeOrgData.divisionemployeeOrgData.division | StringString | Lesen/SchreibenRead/Write | Division oder Business Unit zur Segmentierung.Division or business unit used for segmentation. |
| employeeTypeemployeeType | StringString | Lesen/SchreibenRead/Write | Klassifizierung wie intern, extern, Praktikant oder Contractor.Classification such as employee, extern, intern, or contractor. |
| externalUserStateexternalUserState | StringString | Nur LesenRead-only | Einladungsstatus von B2B-Gästen.Invitation redemption state for B2B guests. |
| externalUserStateChangeDateTimeexternalUserStateChangeDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Wann sich der Gaststatus zuletzt geändert hat.Timestamp of the last external user state change. |
| faxNumberfaxNumber | StringString | Lesen/SchreibenRead/Write | Faxnummer für Legacy-Adressbücher oder Hybrid-Szenarien.Fax number for legacy address books or hybrid scenarios. |
| givenNamegivenName | StringString | Lesen/SchreibenRead/Write | Vorname des Benutzers.User first name. |
| hireDatehireDate | DateTimeOffsetDateTimeOffset | Lesen/SchreibenRead/Write | Älteres bzw. workloadspezifisches Einstellungsdatum; heute meist employeeHireDate bevorzugen.Older or workload-specific hire date; employeeHireDate is generally preferred. |
| idid | StringString | Nur LesenRead-only | Objekt-GUID des Benutzers und primärer API-Schlüssel.Object GUID of the user and primary API key. |
| identitiesidentities | CollectionCollection | BedingtConditional | Sign-in-Identitäten für externe Konten, B2C und alternative Anmeldenamen.Sign-in identities for external accounts, B2C, and alternate sign-in names. |
| identities.signInTypeidentities.signInType | StringString | BedingtConditional | Typ der Identität wie userPrincipalName, emailAddress oder federated.Identity type such as userPrincipalName, emailAddress, or federated. |
| identities.issueridentities.issuer | StringString | BedingtConditional | Aussteller/Identity Provider der Identität.Issuer or identity provider for the identity. |
| identities.issuerAssignedIdidentities.issuerAssignedId | StringString | BedingtConditional | Wert, den der Aussteller dieser Identität zuweist.Value assigned by the issuer for that identity. |
| imAddressesimAddresses | String[]String[] | Lesen/SchreibenRead/Write | Legacy-IM-Adressen, oft aus Skype/Teams-Historie.Legacy IM addresses, often from Skype/Teams history. |
| infoCatalogsinfoCatalogs | CollectionCollection | BedingtConditional | Spezialisierte Informationskataloge für branchenspezifische Integrationen.Specialized information catalogs for niche integrations. |
| isResourceAccountisResourceAccount | BooleanBoolean | Nur LesenRead-only | Kennzeichnet Workload- oder Sprachressourcenkonten.Indicates workload or voice resource accounts. |
| jobTitlejobTitle | StringString | Lesen/SchreibenRead/Write | Berufsbezeichnung für Adressbuch, Regeln und Berichte.Job title for address book, rules, and reports. |
| lastPasswordChangeDateTimelastPasswordChangeDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Zeitpunkt der letzten Kennwortänderung.Timestamp of the latest password change. |
| legalAgeGroupClassificationlegalAgeGroupClassification | StringString | Nur LesenRead-only | Abgeleitete rechtliche Altersklassifizierung.Derived legal age group classification. |
| licenseAssignmentStateslicenseAssignmentStates | CollectionCollection | Nur LesenRead-only | Zeigt je SKU, ob eine Lizenz direkt oder gruppenbasiert zugewiesen wurde.Shows for each SKU whether licensing is direct or inherited. |
| licenseAssignmentStates.assignedByGrouplicenseAssignmentStates.assignedByGroup | StringString | Nur LesenRead-only | Objekt-ID der Lizenzgruppe bei geerbter Zuweisung.Object ID of the licensing group when assignment is inherited. |
| licenseAssignmentStates.disabledPlanslicenseAssignmentStates.disabledPlans | CollectionCollection | Nur LesenRead-only | Dienstpläne, die innerhalb der SKU deaktiviert wurden.Service plans disabled inside the SKU. |
| licenseAssignmentStates.errorlicenseAssignmentStates.error | StringString | Nur LesenRead-only | Lizenzfehlercode für Konflikte oder fehlende Kapazität.Licensing error code for conflicts or lack of capacity. |
| licenseAssignmentStates.skuIdlicenseAssignmentStates.skuId | GuidGuid | Nur LesenRead-only | GUID der betroffenen Produktlizenz.GUID of the affected product license. |
| mailmail | StringString | BedingtConditional | Primäre E-Mail-Adresse; bei Hybridobjekten oft aus Exchange oder AD führend.Primary email address; often authoritative from Exchange or AD in hybrid identities. |
| mailboxSettingsmailboxSettings | ComplexComplex | Lesen/SchreibenRead/Write | Benutzerspezifische Mailbox- und Kalenderoptionen.User-specific mailbox and calendar settings. |
| mailboxSettings.archiveFoldermailboxSettings.archiveFolder | StringString | Lesen/SchreibenRead/Write | Archivordner-ID für Outlook/Exchange-Szenarien.Archive folder identifier for Outlook/Exchange scenarios. |
| mailboxSettings.automaticRepliesSettingmailboxSettings.automaticRepliesSetting | ComplexComplex | Lesen/SchreibenRead/Write | OOF/Abwesenheitsnotizen inklusive Zeitraum.Out-of-office settings including time range. |
| mailboxSettings.dateFormatmailboxSettings.dateFormat | StringString | Lesen/SchreibenRead/Write | Lokales Datumsformat.Localized date format. |
| mailboxSettings.languagemailboxSettings.language | ComplexComplex | Lesen/SchreibenRead/Write | Mailboxsprache und Gebietsschema.Mailbox language and locale. |
| mailboxSettings.timeFormatmailboxSettings.timeFormat | StringString | Lesen/SchreibenRead/Write | Lokales Uhrzeitformat.Localized time format. |
| mailboxSettings.timeZonemailboxSettings.timeZone | StringString | Lesen/SchreibenRead/Write | Zeitzone für Kalender und OOF.Time zone used for calendar and OOF processing. |
| mailNicknamemailNickname | StringString | Lesen/SchreibenRead/Write | Alias für Exchange-nahe Dienste und Legacy-Mailrouting.Alias used by Exchange-adjacent services and legacy mail routing. |
| mobilePhonemobilePhone | StringString | Lesen/SchreibenRead/Write | Mobilnummer; relevant für Adressbuch und Telefonie-Integrationen.Mobile phone number used in address books and telephony integrations. |
| mySitemySite | StringString | Nur LesenRead-only | Persönliche SharePoint- oder OneDrive-URL.Personal SharePoint or OneDrive URL. |
| officeLocationofficeLocation | StringString | Lesen/SchreibenRead/Write | Bürostandort für Find-Me, Address Book und Regeln.Office location for address book, rules, and find-me experiences. |
| onPremisesDistinguishedNameonPremisesDistinguishedName | StringString | Nur LesenRead-only | DN aus lokalem Active Directory.Distinguished name from on-premises Active Directory. |
| onPremisesDomainNameonPremisesDomainName | StringString | Nur LesenRead-only | Lokaler AD-Domänenname des synchronisierten Benutzers.On-premises AD domain name of the synced user. |
| onPremisesImmutableIdonPremisesImmutableId | StringString | BedingtConditional | Anchor für Föderation/Hard Match in Hybridumgebungen.Anchor used for federation and hard match in hybrid environments. |
| onPremisesLastSyncDateTimeonPremisesLastSyncDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Zeitpunkt der letzten erfolgreichen Synchronisation.Time of the latest successful synchronization. |
| onPremisesProvisioningErrorsonPremisesProvisioningErrors | CollectionCollection | Nur LesenRead-only | Fehlerliste für Sync- oder Provisioningprobleme.Collection of sync or provisioning errors. |
| onPremisesSamAccountNameonPremisesSamAccountName | StringString | Nur LesenRead-only | SAMAccountName aus lokalem AD.SAMAccountName from on-premises AD. |
| onPremisesSecurityIdentifieronPremisesSecurityIdentifier | StringString | Nur LesenRead-only | SID des lokalen Benutzerkontos.SID of the on-premises user account. |
| onPremisesSyncEnabledonPremisesSyncEnabled | BooleanBoolean | Nur LesenRead-only | Kennzeichnet synchronisierte Objekte.Indicates whether the object is synchronized from on-premises. |
| onPremisesUserPrincipalNameonPremisesUserPrincipalName | StringString | Nur LesenRead-only | Lokaler UPN des synchronisierten Benutzers.On-premises UPN of the synchronized user. |
| otherMailsotherMails | String[]String[] | Lesen/SchreibenRead/Write | Weitere SMTP-Adressen für Kontakt und Wiederherstellung.Additional SMTP addresses for contact and recovery. |
| passwordPoliciespasswordPolicies | StringString | Lesen/SchreibenRead/Write | Kennwortausnahmen wie DisablePasswordExpiration oder DisableStrongPassword.Password exceptions such as DisablePasswordExpiration or DisableStrongPassword. |
| passwordProfilepasswordProfile | ComplexComplex | Lesen/SchreibenRead/Write | Nur beim Erstellen oder Zurücksetzen nutzbares Kennwortobjekt.Password object used during create and reset operations. |
| passwordProfile.forceChangePasswordNextSignInpasswordProfile.forceChangePasswordNextSignIn | BooleanBoolean | Lesen/SchreibenRead/Write | Erzwingt Kennwortwechsel bei der nächsten Anmeldung.Forces password change at next sign-in. |
| passwordProfile.passwordpasswordProfile.password | StringString | Nur SchreibenWrite-only | Temporäres Initial- oder Resetkennwort.Temporary initial or reset password. |
| postalCodepostalCode | StringString | Lesen/SchreibenRead/Write | Postleitzahl des Benutzers.Postal code of the user. |
| preferredDataLocationpreferredDataLocation | StringString | Lesen/SchreibenRead/Write | Steuert Multi-Geo-Datenresidenz in kompatiblen Workloads.Controls multi-geo data residency in supported workloads. |
| preferredLanguagepreferredLanguage | StringString | Lesen/SchreibenRead/Write | Bevorzugte Sprache, z. B. de-DE oder en-US.Preferred language such as de-DE or en-US. |
| preferredNamepreferredName | StringString | Lesen/SchreibenRead/Write | Bevorzugter Rufname oder Anzeigename neben givenName.Preferred familiar name separate from givenName. |
| proxyAddressesproxyAddresses | String[]String[] | BedingtConditional | Primäre und sekundäre SMTP-/SIP-Adressen; in Hybridumgebungen oft nicht cloudführend.Primary and secondary SMTP/SIP addresses; often not cloud-authoritative in hybrid. |
| securityIdentifiersecurityIdentifier | StringString | Nur LesenRead-only | Windows-SID für Cloud-Objekte und Hybridbezüge.Windows SID for cloud objects and hybrid mappings. |
| showInAddressListshowInAddressList | BooleanBoolean | BedingtConditional | Steuert Sichtbarkeit im globalen Adressbuch; primär in M365/Exchange verwalten.Controls GAL visibility; primarily managed through M365/Exchange. |
| signInActivitysignInActivity | ComplexComplex | Nur LesenRead-only | Aggregierte letzte Anmeldeinformationen mit Lizenz- und Berechtigungsanforderungen.Aggregated last sign-in information with licensing and permission requirements. |
| signInActivity.lastSignInDateTimesignInActivity.lastSignInDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Zeitpunkt der letzten interaktiven Anmeldung.Timestamp of the last interactive sign-in. |
| signInActivity.lastNonInteractiveSignInDateTimesignInActivity.lastNonInteractiveSignInDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Zeitpunkt der letzten tokenbasierten oder dienstseitigen Anmeldung.Timestamp of the last non-interactive sign-in. |
| signInActivity.lastSuccessfulSignInDateTimesignInActivity.lastSuccessfulSignInDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Zeitpunkt der letzten erfolgreichen Anmeldung, sofern verfügbar.Timestamp of the last successful sign-in when available. |
| signInSessionsValidFromDateTimesignInSessionsValidFromDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Alles vor diesem Zeitpunkt ausgestellte Sessions/Refresh Tokens ist ungültig.Sessions and refresh tokens issued before this timestamp are invalid. |
| statestate | StringString | Lesen/SchreibenRead/Write | Bundesland oder Region.State or province. |
| streetAddressstreetAddress | StringString | Lesen/SchreibenRead/Write | Straße und Hausnummer.Street address. |
| surnamesurname | StringString | Lesen/SchreibenRead/Write | Nachname des Benutzers.User surname. |
| usageLocationusageLocation | StringString | Lesen/SchreibenRead/Write | Zwei-Buchstaben-Ländercode für Lizenzzuweisungen.Two-letter country code required for license assignment. |
| userPrincipalNameuserPrincipalName | StringString | Lesen/SchreibenRead/Write | Primärer Anmeldename des Kontos.Primary sign-in name for the account. |
| userTypeuserType | StringString | Lesen/SchreibenRead/Write | Klassifiziert als Member oder Guest.Classifies the identity as Member or Guest. |
| onPremisesExtensionAttributes.extensionAttribute1onPremisesExtensionAttributes.extensionAttribute1 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 1; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 1; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute2onPremisesExtensionAttributes.extensionAttribute2 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 2; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 2; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute3onPremisesExtensionAttributes.extensionAttribute3 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 3; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 3; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute4onPremisesExtensionAttributes.extensionAttribute4 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 4; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 4; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute5onPremisesExtensionAttributes.extensionAttribute5 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 5; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 5; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute6onPremisesExtensionAttributes.extensionAttribute6 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 6; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 6; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute7onPremisesExtensionAttributes.extensionAttribute7 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 7; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 7; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute8onPremisesExtensionAttributes.extensionAttribute8 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 8; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 8; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute9onPremisesExtensionAttributes.extensionAttribute9 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 9; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 9; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute10onPremisesExtensionAttributes.extensionAttribute10 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 10; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 10; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute11onPremisesExtensionAttributes.extensionAttribute11 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 11; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 11; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute12onPremisesExtensionAttributes.extensionAttribute12 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 12; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 12; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute13onPremisesExtensionAttributes.extensionAttribute13 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 13; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 13; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute14onPremisesExtensionAttributes.extensionAttribute14 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 14; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 14; commonly used for ERP, dynamic groups, and legacy applications. |
| onPremisesExtensionAttributes.extensionAttribute15onPremisesExtensionAttributes.extensionAttribute15 | StringString | BedingtConditional | AD-Sync-Erweiterungsattribut 15; häufig für ERP, Dynamic Groups und Legacy-Anwendungen genutzt.AD sync extension attribute 15; commonly used for ERP, dynamic groups, and legacy applications. |
| accountEnabled (create requirement)accountEnabled (create requirement) | BooleanBoolean | Nur SchreibenWrite during create | Beim Erstellen verpflichtend, um aktive Konten zu provisionieren.Required during creation to provision an enabled account. |
| usageLocation (licensing prerequisite)usageLocation (licensing prerequisite) | StringString | Lesen/SchreibenRead/Write | Muss vor vielen SKU-Zuweisungen gesetzt werden.Must be set before many SKU assignments succeed. |
| mailboxSettings.userPurposemailboxSettings.userPurpose | StringString | Nur LesenRead-only | Mailboxrolle wie user, room oder equipment.Mailbox role such as user, room, or equipment. |
| authorizationInfo.certificateUserIdsauthorizationInfo.certificateUserIds | CollectionCollection | Nur LesenRead-only | Zertifikatsbezogene IDs für CBA-nahe Szenarien.Certificate-related identifiers for CBA-adjacent scenarios. |
| identities[]identities[] | CollectionCollection | BedingtConditional | Sammlung aller alternativen Identitäten.Collection of all alternate identities. |
| customSecurityAttributes.<set>.<attribute>customSecurityAttributes.<set>.<attribute> | Open typeOpen type | BedingtConditional | Konkreter Attributwert innerhalb eines benutzerdefinierten Attributsatzes.Concrete attribute value inside a custom security attribute set. |
| licenseAssignmentStates.statelicenseAssignmentStates.state | StringString | Nur LesenRead-only | Status wie Active, Error oder Disabled.Status such as Active, Error, or Disabled. |
| onPremisesProvisioningErrors.categoryonPremisesProvisioningErrors.category | StringString | Nur LesenRead-only | Fehlerkategorie des Provisioningproblems.Provisioning error category. |
| onPremisesProvisioningErrors.occurredDateTimeonPremisesProvisioningErrors.occurredDateTime | DateTimeOffsetDateTimeOffset | Nur LesenRead-only | Zeitpunkt des Fehlers.Timestamp of the error. |
| onPremisesProvisioningErrors.propertyCausingErroronPremisesProvisioningErrors.propertyCausingError | StringString | Nur LesenRead-only | Attribut, das den Fehler verursacht.Attribute that caused the issue. |
| mailboxSettings.workingHoursmailboxSettings.workingHours | ComplexComplex | Lesen/SchreibenRead/Write | Arbeitszeiten für Outlook und Buchungsszenarien.Working hours for Outlook and booking scenarios. |
| mailboxSettings.delegateMeetingMessageDeliveryOptionsmailboxSettings.delegateMeetingMessageDeliveryOptions | StringString | Lesen/SchreibenRead/Write | Steuert Zustellung bei Delegationsszenarien.Controls message delivery in delegation scenarios. |
| employeeOrgDataemployeeOrgData | ComplexComplex | Lesen/SchreibenRead/Write | Kann direkt aus HR-Systemen gepflegt werden.Can be populated directly from HR systems. |
| signInActivity.lastSignInRequestIdsignInActivity.lastSignInRequestId | StringString | Nur LesenRead-only | Korrelierende Request-ID der letzten Anmeldung.Correlating request ID of the last sign-in. |
| onPremisesExtensionAttributesonPremisesExtensionAttributes | ComplexComplex | BedingtConditional | Container für extensionAttribute1-15.Container object for extensionAttribute1-15. |
ℹ️ Hybrid-HinweisHybrid note
Bei synchronisierten Benutzern sind viele Felder technisch im Graph sichtbar, aber operativ nur on-premises führend. Das gilt besonders für proxyAddresses, mail, onPremises*-Felder und häufig auch für displayName-Änderungen abhängig vom Sync-Design.For synchronized users, many fields are visible in Graph but operationally authoritative only on-premises. This is especially true for proxyAddresses, mail, onPremises* fields, and often displayName changes depending on the sync design.
Custom Security AttributesCustom security attributes
Custom Security Attributes erweitern Entra ID um strukturierte, delegierbare Governance-Metadaten. Im Gegensatz zu frei verwendeten extension attributes sind sie rollenbasiert verwaltbar, filterbar und gezielt für ABAC-ähnliche Steuerung gedacht.Custom security attributes extend Entra ID with structured, delegable governance metadata. Unlike generic extension attributes, they are role-governed, filterable, and intended for ABAC-like control patterns.
| BausteinBuilding block | DetailsDetails |
|---|---|
| AttributsatzAttribute set | Container mit Governance- und Delegationsgrenze.Container object with governance and delegation boundary. |
| TypenTypes | String, Integer, Boolean und collectionspezifische Varianten je nach API-Stand.String, Integer, Boolean, and collection variants depending on API support. |
| BerechtigungenPermissions | Attribute Definition/Assignment Administrator oder passende App-Permissions.Attribute Definition/Assignment Administrator or equivalent app permissions. |
| FilterbarkeitFilterability | Fallabhängig; Filterwerte sind oft case-sensitive.Property support varies; filter values are often case-sensitive. |
| Governance-NutzenGovernance value | ABAC, Access Packages, app-spezifische Policy-Auswahl, Segmentierung.ABAC, access packages, app-specific policy selection, and segmentation. |
Empfohlener Ablauf: zuerst Attributsatz definieren, dann einzelne Attribute anlegen, schließlich Rollen für Definition und Zuweisung trennen. So bleiben zentrale Taxonomie und operative Nutzung voneinander entkoppelt.Recommended flow: define the attribute set first, then create individual attributes, and finally separate roles for definition and assignment. That keeps central taxonomy governance separate from operational usage.
PowerShell
Connect-MgGraph -Scopes "CustomSecAttributeDefinition.ReadWrite.All","CustomSecAttributeAssignment.ReadWrite.All"
$attributeSetBody = @{
id = "hr"
description = "HR master data"
maxAttributesPerSet = 25
}
Invoke-MgGraphRequest -Method POST `
-Uri "https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions" `
-Body @{
attributeSet = "hr"
name = "employmentCategory"
type = "String"
isCollection = $false
status = "Available"
usePreDefinedValuesOnly = $true
allowedValues = @(
@{ id = "employee"; isActive = $true },
@{ id = "contractor"; isActive = $true },
@{ id = "intern"; isActive = $true }
)
} | ConvertTo-Json -Depth 6
Graph API
PATCH https://graph.microsoft.com/v1.0/users/alice@contoso.com
Content-Type: application/json
{
"customSecurityAttributes": {
"hr": {
"@odata.type": "#Microsoft.DirectoryServices.CustomSecurityAttributeValue",
"employmentCategory": "contractor",
"privilegedProject": true
}
}
}Filterbeispiel: $filter=customSecurityAttributes/hr/employmentCategory eq 'contractor'. Beachten Sie, dass Filterwerte häufig case-sensitive sind und die aufrufende Identität spezielle Rollen oder App-Permissions benötigt.Filter example: $filter=customSecurityAttributes/hr/employmentCategory eq 'contractor'. Remember that filter values are often case-sensitive and the caller needs dedicated roles or app permissions.
Extension AttributesExtension attributes
Unter 'Erweiterungsattribute' werden in Entra meist vier unterschiedliche Mechanismen vermischt. Für saubere Architektur müssen Zweck, Lebensdauer, Filterbarkeit und Autoritätssystem vorab geklärt werden.In Entra, 'extension attributes' usually mixes four different mechanisms. Clean architecture requires deciding the purpose, lifecycle, filterability, and source of authority upfront.
| TypType | EinsatzUse |
|---|---|
| onPremisesExtensionAttributes 1-15onPremisesExtensionAttributes 1-15 | Aus lokalem Active Directory synchronisiert; ideal für bestehende HR-/ERP-Mappings.Synced from on-premises Active Directory; ideal for existing HR/ERP mappings. |
| Directory ExtensionsDirectory extensions | Durch App-Registrierung definierte feste Attribute auf Benutzer-/Gruppen-/Geräteobjekten.App-defined fixed attributes on user/group/device objects. |
| Schema ExtensionsSchema extensions | Mehrere Ressourcenobjekte, versionierbar und tenantübergreifend designbar.Support multiple resource types, versioning, and broader design patterns. |
| Open ExtensionsOpen extensions | Flexibler JSON-artiger Container pro Objekt für app-spezifische Metadaten.Flexible JSON-like container per object for app-specific metadata. |
ErstellungsmusterCreation patterns
Directory extensions werden über eine App-Registrierung eingeführt und erscheinen anschließend als extension_{AppId}_{Name}. Schema extensions sind stärker modelliert und für mehrere Ressourcentypen gedacht. Open extensions sind schnell, aber weniger governancefreundlich.Directory extensions are introduced through an app registration and surface as extension_{AppId}_{Name}. Schema extensions are more structured and target multiple resource types. Open extensions are fast, but less governance-friendly.
Graph API
POST https://graph.microsoft.com/v1.0/schemaExtensions
Content-Type: application/json
{
"id": "contosoHrProfile",
"description": "Contoso HR metadata",
"targetTypes": ["User"],
"properties": [
{ "name": "personnelArea", "type": "String" },
{ "name": "worksCouncilRelevant", "type": "Boolean" }
],
"status": "InDevelopment"
}User Lifecycle – CompleteUser lifecycle – complete
Level-500-Betrieb bedeutet, dass Onboarding, Transfer und Offboarding als kontrollierte, auditable Prozessketten verstanden werden. Der Benutzer ist nicht nur ein Objekt, sondern ein Bündel aus Identität, Lizenzen, Gruppen, Geräten, Datenzugriff und Compliance-Auflagen.Level-500 operations treat onboarding, transfer, and offboarding as controlled, auditable process chains. A user is not just an object, but a bundle of identity, licenses, groups, devices, data access, and compliance obligations.
New Hire / OnboardingNew hire / onboarding
- HR-Datensatz validieren: Name, UPN, Manager, usageLocation, employeeId.Validate HR record: name, UPN, manager, usageLocation, employeeId.
- Benutzerobjekt anlegen oder aus AD synchronisieren lassen.Create the user or let it synchronize from AD.
- Basisgruppen, Lizenzgruppen, Teams und Rollen zuweisen.Assign baseline groups, licensing groups, Teams, and roles.
- Authentication Methods Registration Campaign oder TAP vorbereiten.Prepare authentication methods registration campaign or TAP.
- Erstzugriff, Gerätebereitstellung und Conditional Access Exceptions prüfen.Validate first access, device rollout, and Conditional Access exceptions.
Department Transfer / MoverDepartment transfer / mover
- Department, manager, costCenter, division und Gruppenzugehörigkeit aktualisieren.Update department, manager, costCenter, division, and group membership.
- Lizenzstack gegen neue Persona und neue Datenresidenz prüfen.Validate the license stack against the new persona and data residency requirements.
- App-Rollen, Administrative Units und Access Packages rezertifizieren.Recertify app roles, administrative units, and access packages.
- Telefonie, shared mailbox access und Teams-Policies neu bewerten.Re-evaluate telephony, shared mailbox access, and Teams policies.
Offboarding / TerminationOffboarding / termination
- Konto deaktivieren und Sign-in Sessions sofort widerrufen.Disable the account and immediately revoke sign-in sessions.
- MFA-/FIDO-/Authenticator-Methoden dokumentieren oder zurücksetzen.Document or reset MFA, FIDO, and authenticator methods.
- Mailboxkonvertierung, Delegation, Litigation Hold und Aufbewahrung prüfen.Check mailbox conversion, delegation, litigation hold, and retention.
- Lizenzen entfernen, Gruppen bereinigen, Gerätebezug und Tokens sperren.Remove licenses, clean up groups, and block device-linked access tokens.
- Gast-/Partnerbeziehungen, Service Principals oder Ownerschaften auflösen.Remove guest/partner relationships, service principals, or ownership assignments.
PowerShell
Connect-MgGraph -Scopes `
"User.ReadWrite.All",`
"Directory.ReadWrite.All",`
"AuditLog.Read.All",`
"UserAuthenticationMethod.ReadWrite.All",`
"Group.ReadWrite.All",`
"Organization.Read.All"
$userId = "leaver@contoso.com"
$timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
$archivePath = ".\offboarding-$timestamp"
New-Item -ItemType Directory -Path $archivePath -Force | Out-Null
$user = Get-MgUser -UserId $userId -Property DisplayName,UserPrincipalName,AssignedLicenses,AccountEnabled
$groups = Get-MgUserMemberOf -UserId $userId -All
$methods = Get-MgUserAuthenticationMethod -UserId $userId
$licenseDetails = Get-MgUserLicenseDetail -UserId $userId
$user | ConvertTo-Json -Depth 5 | Set-Content "$archivePath\user.json"
$groups | ConvertTo-Json -Depth 5 | Set-Content "$archivePath\groups.json"
$methods | ConvertTo-Json -Depth 5 | Set-Content "$archivePath\auth-methods.json"
$licenseDetails | ConvertTo-Json -Depth 5 | Set-Content "$archivePath\licenses.json"
Update-MgUser -UserId $userId -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $userId
foreach ($method in $methods) {
if ($method.AdditionalProperties['@odata.type'] -like '*phoneAuthenticationMethod') {
Remove-MgUserAuthenticationPhoneMethod -UserId $userId -PhoneAuthenticationMethodId $method.Id
}
}
$removeLicenses = @($user.AssignedLicenses.SkuId)
if ($removeLicenses.Count -gt 0) {
Set-MgUserLicense -UserId $userId -AddLicenses @() -RemoveLicenses $removeLicenses
}
foreach ($group in $groups) {
if ($group.'@odata.type' -eq '#microsoft.graph.group') {
Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id -ErrorAction SilentlyContinue
}
}
[pscustomobject]@{
User = $user.UserPrincipalName
Disabled = $true
SessionRevoked = $true
LicenseCountRemoved = $removeLicenses.Count
GroupMembershipsProcessed = $groups.Count
EvidencePath = (Resolve-Path $archivePath).Path
}Authentication Methods ManagementAuthentication methods management
Die Authentication Methods API ist die präziseste Stelle für MFA-Reset, Methodeninventar und Passkey-/Authenticator-Analysen. Kombiniert mit Reports erhalten Sie sowohl Objektstatus als auch Tenant-weite Registrierungstrends.The authentication methods API is the most precise place for MFA reset, method inventory, and passkey/authenticator analytics. Combined with reports, you get both object state and tenant-wide registration trends.
| MethodentypMethod type | HinweisNote |
|---|---|
| PhonePhone | SMS, Voice und Alternate Mobile; häufig erster Reset-Kandidat.SMS, voice, and alternate mobile; often the first reset target. |
| FIDO2FIDO2 | Hardwarebasierte phishing-resistente Anmeldung.Hardware-backed phishing-resistant sign-in. |
| Microsoft AuthenticatorMicrosoft Authenticator | Push, number matching, passwordless phone sign-in.Push, number matching, and passwordless phone sign-in. |
| Software OATHSoftware OATH | Legacy/air-gapped Szenarien und TOTP.Legacy or air-gapped TOTP scenarios. |
| Temporary Access PassTemporary Access Pass | Zeitlich begrenzter Bootstrap für passwortlose Methoden.Time-bound bootstrap for passwordless registration. |
Graph API
GET https://graph.microsoft.com/v1.0/users/{id}/authentication/methods
GET https://graph.microsoft.com/v1.0/users/{id}/authentication/phoneMethods
GET https://graph.microsoft.com/v1.0/users/{id}/authentication/fido2Methods
DELETE https://graph.microsoft.com/v1.0/users/{id}/authentication/microsoftAuthenticatorMethods/{methodId}
PowerShell
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All","Reports.Read.All"
$registrationReport = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
Select-Object UserPrincipalName, IsMfaRegistered, IsSsprRegistered,
MethodsRegistered, IsPasswordlessCapable, DefaultMfaMethod
$registrationReport | Export-Csv ".\auth-registration-report.csv" -NoTypeInformation -Encoding UTF8Sign-in Log AnalysisSign-in log analysis
Sign-in Logs sind die zentrale Datenquelle für MFA-Adoption, Legacy Authentication, CA-Evaluierung, Workload-Identity-Monitoring und Incident Response. Die größte Fehlerquelle ist meist eine zu grobe Filterung oder das Mischen interaktiver und nicht interaktiver Daten in einem Bericht.Sign-in logs are the central data source for MFA adoption, legacy authentication, CA evaluation, workload identity monitoring, and incident response. The biggest source of mistakes is usually coarse filtering or mixing interactive and non-interactive data in the same report.
| FeldField | BedeutungMeaning |
|---|---|
| idid | Eindeutige Ereignis-ID.Unique sign-in event identifier. |
| createdDateTimecreatedDateTime | Zeitpunkt des Events.Event timestamp. |
| userDisplayNameuserDisplayName | Anzeigename des Benutzers.Display name of the user. |
| userPrincipalNameuserPrincipalName | UPN zum Zeitpunkt des Events.UPN at event time. |
| userIduserId | Objekt-ID des Benutzers.Object ID of the user. |
| appIdappId | Client-/Ressourcen-App-ID.Client/resource application ID. |
| appDisplayNameappDisplayName | Anzeigename der App.Display name of the app. |
| resourceDisplayNameresourceDisplayName | Zielressource oder API.Target resource or API. |
| clientAppUsedclientAppUsed | Browser, mobile, legacy auth usw.Browser, mobile, legacy auth, and similar classifications. |
| ipAddressipAddress | Öffentliche Quell-IP.Public source IP address. |
| correlationIdcorrelationId | Korrelations-ID für Troubleshooting.Correlation ID for troubleshooting. |
| conditionalAccessStatusconditionalAccessStatus | success, failure, notApplied, reportOnly.success, failure, notApplied, reportOnly. |
| appliedConditionalAccessPoliciesappliedConditionalAccessPolicies | Bewertete Richtlinien inklusive Ergebnis.Evaluated policies including result. |
| riskDetailriskDetail | Erkannter Risikoindikator.Detected risk indicator. |
| riskLevelAggregatedriskLevelAggregated | Aggregiertes Risiko des Sign-ins.Aggregated sign-in risk. |
| riskLevelDuringSignInriskLevelDuringSignIn | Risiko zum Anmeldezeitpunkt.Risk level during sign-in. |
| riskStateriskState | atRisk, remediated usw.atRisk, remediated, and similar states. |
| status.errorCodestatus.errorCode | Numerischer Fehlercode.Numeric error code. |
| status.failureReasonstatus.failureReason | Lesbare Fehlerursache.Human-readable failure reason. |
| deviceDetaildeviceDetail | DeviceId, OS, Browser, Trust Type.DeviceId, OS, browser, and trust type. |
| locationlocation | Land, Bundesland, Stadt, Geo-Koordinaten sofern aufgelöst.Country, state, city, and geocoordinates when available. |
| authenticationRequirementauthenticationRequirement | singleFactorAuthentication oder multiFactorAuthentication.singleFactorAuthentication or multiFactorAuthentication. |
| authenticationProcessingDetailsauthenticationProcessingDetails | Pipeline-Details zu MFA, token issuance und CA.Pipeline details around MFA, token issuance, and CA. |
| networkLocationDetailsnetworkLocationDetails | Named Locations und Trusted-Network-Kontext.Named locations and trusted network context. |
| homeTenantIdhomeTenantId | Home-Tenant des Benutzers.User’s home tenant. |
| resourceTenantIdresourceTenantId | Tenant der Zielressource.Tenant of the target resource. |
| isInteractiveisInteractive | Interaktiv vs. token-/dienstbasiert.Interactive versus token/service based. |
| tokenIssuerTypetokenIssuerType | AzureAD, ADFederationServices oder externe Issuer.AzureAD, ADFS, or external issuer. |
| servicePrincipalIdservicePrincipalId | Bei Workload-Identitäten die SPN-ID.Service principal ID for workload identities. |
| crossTenantAccessTypecrossTenantAccessType | B2B, B2BDirectConnect, passthrough etc.B2B, B2BDirectConnect, passthrough, and similar modes. |
FilterbeispieleFilter examples
| SzenarioScenario | $filter$filter | NutzenValue |
|---|---|---|
| Nach BenutzerBy user | userPrincipalName eq 'alice@contoso.com'userPrincipalName eq 'alice@contoso.com' | Zielt auf eine Person oder ein Break-Glass-Konto.Targets one person or a break-glass account. |
| Nach AppBy app | appDisplayName eq 'Office 365 Exchange Online'appDisplayName eq 'Office 365 Exchange Online' | Zeigt App-spezifische Loginmuster.Shows app-specific login patterns. |
| Nur FehlerFailures only | status/errorCode ne 0status/errorCode ne 0 | Fokus auf gescheiterte Anmeldungen.Focuses on failed sign-ins. |
| CA blockiertBlocked by CA | conditionalAccessStatus eq 'failure'conditionalAccessStatus eq 'failure' | Zeigt Richtlinien, die aktiv blockiert haben.Shows policies that actively blocked access. |
| Mit RisikoAt risk | riskLevelAggregated ne 'none'riskLevelAggregated ne 'none' | Identifiziert riskante Sessions.Identifies risky sessions. |
| Nicht interaktivNon-interactive | isInteractive eq falseisInteractive eq false | Für Legacy Apps, Token Refresh und Dienste.For legacy apps, token refreshes, and services. |
| Service PrincipalService principal | servicePrincipalId ne nullservicePrincipalId ne null | Workload-Identitäten gesondert untersuchen.Inspect workload identities separately. |
PowerShell
Connect-MgGraph -Scopes "AuditLog.Read.All"
$since = (Get-Date).AddDays(-7).ToString("s") + "Z"
$uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge $since&$top=1000"
$results = @()
do {
$page = Invoke-MgGraphRequest -Method GET -Uri $uri
$results += $page.value | Select-Object createdDateTime,userPrincipalName,appDisplayName,
ipAddress,conditionalAccessStatus,riskLevelAggregated,
isInteractive,@{n='FailureReason';e={$_.status.failureReason}}
$uri = $page.'@odata.nextLink'
} while ($uri)
$results | Export-Csv ".\signin-export.csv" -NoTypeInformation -Encoding UTF8
$results |
Group-Object conditionalAccessStatus |
Sort-Object Count -Descending