편집

다음을 통해 공유


Get user

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Retrieve the properties and relationships of user object.

This operation returns by default only a subset of the more commonly used properties for each user. These default properties are noted in the Properties section. To get properties that are not returned by default, do a GET operation for the user and specify the properties in a $select OData query option. Because the user resource supports extensions, you can also use the GET operation to get custom properties and extension data in a user instance.

Customers through Microsoft Entra ID for customers can also use this API operation to retrieve their details.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) User.Read User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) User.Read User.ReadWrite
Application User.Read.All User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

Note

  • Calling the /me endpoint requires a signed-in user and therefore a delegated permission. Application permissions aren't supported when using the /me endpoint.
  • The User.Read permission allows the app to read the profile, and discover relationships such as the group membership, reports, and manager of the signed-in user only.

Permissions for specific scenarios

  • To read the employeeLeaveDateTime property:
    • In delegated scenarios, the signed-in user needs at least one of the following Microsoft Entra roles: Lifecycle Workflows Administrator (least privilege), Global Reader; the app must be granted the User-LifeCycleInfo.Read.All delegated permission.
    • In app-only scenarios with Microsoft Graph permissions, the app must be granted the User-LifeCycleInfo.Read.All permission.
  • To read the customSecurityAttributes property:
    • In delegated scenarios, the signed-in user must be assigned the Attribute Assignment Administrator role and the app granted the CustomSecAttributeAssignment.Read.All permission.
    • In app-only scenarios with Microsoft Graph permissions, the app must be granted the CustomSecAttributeAssignment.Read.All permission.
  • User-Mail.ReadWrite.All is the least privileged permission to read and write the otherMails property; also allows to read some identifier-related properties on the user object.
  • User-PasswordProfile.ReadWrite.All is the least privileged permission to read and write password reset-related properties; also allows to read some identifier-related properties on the user object.
  • User-Phone.ReadWrite.All is the least privileged permission to read and write the businessPhones and mobilePhone properties; also allows to read some identifier-related properties on the user object.
  • User.EnableDisableAccount.All + User.Read.All is the least privileged combination of permissions to read and write the accountEnabled property.

HTTP request

For a specific user:

GET /me
GET /users/{id | userPrincipalName}

Tip

  • When the userPrincipalName begins with a $ character, the GET request URL syntax /users/$x@y.com fails with a 400 Bad Request error code. The request fails because the URL violates the OData URL convention, which expects only system query options to be prefixed with a $ character. Remove the slash (/) after /users and enclose the userPrincipalName in parentheses and single quotes, as follows: /users('$x@y.com'). For example, /users('$AdeleVance@contoso.com').
  • To query a B2B user using the userPrincipalName, encode the hash (#) character. That is, replace the # symbol with %23. For example, /users/AdeleVance_adatum.com%23EXT%23@contoso.com.

For the signed-in user:

GET /me

Optional query parameters

This method supports the $select OData query parameter to retrieve specific user properties, including those not returned by default. Extension properties also support query parameters as follows:

Extension type Comments
onPremisesExtensionAttributes 1-15 Returned only with $select.
Schema extensions Returned only with $select.
Open extensions Returned only through the Get open extension operation.
Directory extensions Returned only with $select.

Request headers

Header Value
Authorization Bearer {token}. Required. Learn more about authentication and authorization.

Request body

Don't supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and user object in the response body. It returns the default properties unless you use $select to specify specific properties. This method returns 202 Accepted when the request has been processed successfully but the server requires more time to complete related background operations.

If a user with the ID doesn't exist, this method returns a 404 Not Found error code.

Example

Example 1: Get the properties of the signed-in user

Request

GET https://graph.microsoft.com/beta/me
Response

The following example shows the response. Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
   "displayName": "Adele Vance",
   "givenName": "Adele",
   "jobTitle": "Retail Manager",
   "mail": "AdeleV@contoso.com",
   "mobilePhone": "+1 425 555 0109",
   "officeLocation": "18/2111",
   "preferredLanguage": "en-US",
   "surname": "Vance",
   "userPrincipalName": "AdeleV@contoso.com",
   "id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd"
}

Example 2: Get the properties of the specified user

Request

The following example shows a request.

GET https://graph.microsoft.com/beta/users/{id}

Response

The following example shows the response.

HTTP/1.1 200 OK
Content-type: application/json

{
      "displayName": "Adele Vance",
      "givenName": "Adele",
      "jobTitle": "Retail Manager",
      "mail": "AdeleV@contoso.com",
      "mobilePhone": "+1 425 555 0109",
      "officeLocation": "18/2111",
      "preferredLanguage": "en-US",
      "surname": "Vance",
      "userPrincipalName": "AdeleV@contoso.com",
      "id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd"
}

Example 3: Use $select to retrieve specific properties of a user

To retrieve specific properties, use the OData $select query parameter. For example, to return displayName, givenName, postalCode, and identities, add the following query expression to your query $select=displayName,givenName,postalCode,identities

Request

GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,givenName,postalCode,identities

Response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(displayName,givenName,postalCode,identities)/$entity",
    "displayName": "Adele Vance",
    "givenName": "Adele",
    "postalCode": "98004",
    "identities": [
        {
            "signInType": "userPrincipalName",
            "issuer": "contoso.com",
            "issuerAssignedId": "AdeleV@contoso.com"
        }
    ]
}

Example 4: Get the custom security attribute assignments for a user

The following example shows how to get the custom security attribute assignments for a user.

Attribute #1

  • Attribute set: Engineering
  • Attribute: Project
  • Attribute data type: Collection of Strings
  • Attribute value: ["Baker","Cascade"]

Attribute #2

  • Attribute set: Engineering
  • Attribute: CostCenter
  • Attribute data type: Collection of Integers
  • Attribute value: [1001]

Attribute #3

  • Attribute set: Engineering
  • Attribute: Certification
  • Attribute data type: Boolean
  • Attribute value: true

Attribute #4

  • Attribute set: Marketing
  • Attribute: EmployeeId
  • Attribute data type: String
  • Attribute value: "QN26904"

To get custom security attribute assignments, the calling principal must be assigned the Attribute Assignment Reader or Attribute Assignment Administrator role and must be granted the CustomSecAttributeAssignment.Read.All or CustomSecAttributeAssignment.ReadWrite.All permission.

For more examples of custom security attribute assignments, see Examples: Assign, update, list, or remove custom security attribute assignments using the Microsoft Graph API.

Request

GET https://graph.microsoft.com/beta/users/{id}?$select=customSecurityAttributes

Response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(customSecurityAttributes)/$entity",
    "customSecurityAttributes": {
        "Marketing": {
            "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
            "EmployeeId": "QN26904"
        },
        "Engineering": {
            "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
            "Project@odata.type": "#Collection(String)",
            "Project": [
                "Baker",
                "Cascade"
            ],
            "CostCenter@odata.type": "#Collection(Int32)",
            "CostCenter": [
                1001
            ],
            "Certification": true
        }
    }
}

If there are no custom security attributes assigned to the user or if the calling principal does not have access, the following block shows the response:

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(customSecurityAttributes)/$entity",
    "customSecurityAttributes": null
}

Example 5: Get the value of a schema extension for a user

In this example, the ID of the schema extension is ext55gb1l09_msLearnCourses.

Request

GET https://graph.microsoft.com/beta/users/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e?$select=ext55gb1l09_msLearnCourses

Response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(ext55gb1l09_msLearnCourses)/$entity",
    "ext55gb1l09_msLearnCourses": {
        "@odata.type": "#microsoft.graph.ComplexExtensionValue",
        "courseType": "Developer",
        "courseName": "Introduction to Microsoft Graph",
        "courseId": 1
    }
}