| title | List users |
|---|---|
| description | Retrieve a list of user objects. |
| author | yyuank |
| ms.reviewer | iamut |
| ms.localizationpriority | high |
| ms.subservice | entra-users |
| doc_type | apiPageType |
| ms.date | 5/16/2025 |
Namespace: microsoft.graph
Retrieve a list of user objects.
Note: This request might have replication delays for users that were recently created, updated, or deleted.
[!INCLUDE national-cloud-support]
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
Guests can't call this API. For more information about the permissions for member and guests, see What are the default user permissions in Microsoft Entra ID?
- User-Mail.ReadWrite.All is the least privileged permission to read and write the otherMails property; also allows to read some identifier-related properties on the user object.
- User-PasswordProfile.ReadWrite.All is the least privileged permission to read and write password reset-related properties; also allows to read some identifier-related properties on the user object.
- User-Phone.ReadWrite.All is the least privileged permission to read and write the businessPhones and mobilePhone properties; also allows to read some identifier-related properties on the user object.
- User.EnableDisableAccount.All + User.Read.All is the least privileged combination of permissions to read and write the accountEnabled property.
GET /usersThis method supports the $count, $expand, $filter, $orderby, $search, $select, and $top OData query parameters to help customize the response. $skip isn't supported. The default and maximum page sizes are 100 and 999 user objects respectively, except when you specify $select=signInActivity or $filter=signInActivity. When signInActivity is selected or filtered on, the maximum page size is 500. Some queries are supported only when you use the ConsistencyLevel header set to eventual and $count. For more information, see Advanced query capabilities on directory objects. The $count and $search parameters are currently not available in Azure AD B2C tenants.
By default, only a limited set of properties are returned (businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, and userPrincipalName).To return an alternative property set, specify the desired set of user properties using the OData $select query parameter. For example, to return displayName, givenName, and postalCode, add the following to your query $select=displayName,givenName,postalCode.
Extension properties also support query parameters as follows:
| Extension type | Comments |
|---|---|
| onPremisesExtensionAttributes 1-15 | Returned only with $select. Supports $filter (eq, ne, and eq on null values). |
| Schema extensions | Returned only with $select. Supports $filter (eq, ne, and eq on null values). |
| Open extensions | Returned only with $expand, that is, users?$expand=extensions. |
| Directory extensions | Returned only with $select. Supports $filter (eq, ne, and eq on null values). |
Certain properties can't be returned within a user collection. The following properties are only supported when retrieving a single user: aboutMe, birthday, hireDate, interests, mySite, pastProjects, preferredName, responsibilities, schools, skills, mailboxSettings.
The following properties aren't supported in personal Microsoft accounts and will be null: aboutMe, birthday, interests, mySite, pastProjects, preferredName, responsibilities, schools, skills, streetAddress.
| Header | Value |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| ConsistencyLevel | eventual. This header and $count are required when using $search, or in specific usage of $filter. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects. |
Don't supply a request body for this method.
If successful, this method returns a 200 OK response code and collection of user objects in the response body. If a large user collection is returned, you can use paging in your app.
Attempting to use $select on the /users collection to retrieve properties that can't be returned within a user collection (for example, the request ../users?$select=aboutMe) returns a 501 Not Implemented error code.
The following example shows a request.
GET https://graph.microsoft.com/v1.0/users
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
"value": [
{
"businessPhones": [],
"displayName": "Conf Room Adams",
"givenName": null,
"jobTitle": null,
"mail": "Adams@contoso.com",
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null,
"surname": null,
"userPrincipalName": "Adams@contoso.com",
"id": "6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0"
},
{
"businessPhones": [
"425-555-0100"
],
"displayName": "MOD Administrator",
"givenName": "MOD",
"jobTitle": null,
"mail": null,
"mobilePhone": "425-555-0101",
"officeLocation": null,
"preferredLanguage": "en-US",
"surname": "Administrator",
"userPrincipalName": "admin@contoso.com",
"id": "4562bcc8-c436-4f95-b7c0-4f8ce89dca5e"
}
]
}The following example shows a request.
Note: When filtering for an issuerAssignedId, you must supply both issuer and issuerAssignedId. However, the issuer value will be ignored in certain scenarios. For more information on filtering on identities, see objectIdentity resource type
GET https://graph.microsoft.com/v1.0/users?$select=displayName,id&$filter=identities/any(c:c/issuerAssignedId eq 'j.smith@yahoo.com' and c/issuer eq 'My B2C tenant')
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"value": [
{
"displayName": "John Smith",
"id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd"
}
]
}The following example shows a request. This request requires the ConsistencyLevel header set to eventual because $count is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.
Note: The
$countand$searchquery parameters are currently not available in Azure AD B2C tenants.
GET https://graph.microsoft.com/v1.0/users/$count
ConsistencyLevel: eventual
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
HTTP/1.1 200 OK
Content-type: text/plain
893Example 4: Use $filter and $top to get one user with a display name that starts with 'a' including a count of returned objects
The following example shows a request. This request requires the ConsistencyLevel header set to eventual and the $count=true query string because the request has both the $orderby and $filter query parameters. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.
Note: The
$countand$searchquery parameters are currently not available in Azure AD B2C tenants.
GET https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'a')&$orderby=displayName&$count=true&$top=1
ConsistencyLevel: eventual
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users",
"@odata.count":1,
"value":[
{
"displayName":"a",
"mail":"a@contoso.com",
"mailNickname":"a_contoso.com#EXT#",
"userPrincipalName":"a_contoso.com#EXT#@contoso.com"
}
]
}Example 5: Use $filter to get all users with a mail that ends with 'a@contoso.com', including a count of returned objects, with the results ordered by userPrincipalName
The following example shows a request. This request requires the ConsistencyLevel header set to eventual and the $count=true query string because the request has both the $orderby and $filter query parameters, and also uses the endsWith operator. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.
Note: The
$countand$searchquery parameters are currently not available in Azure AD B2C tenants.
GET https://graph.microsoft.com/v1.0/users?$filter=endswith(mail,'a@contoso.com')&$orderby=userPrincipalName&$count=true
ConsistencyLevel: eventual
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
"@odata.count": 1,
"value": [
{
"displayName": "Grady Archie",
"givenName": "Grady",
"jobTitle": "Designer",
"mail": "GradyA@contoso.com",
"userPrincipalName": "GradyA@contoso.com",
"id": "e8b753b5-4117-464e-9a08-713e1ff266b3"
}
]
}Example 6: Use $search to get users with display names that contain the letters 'wa' including a count of returned objects
The following example shows a request. This request requires the ConsistencyLevel header set to eventual because $search is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.
Note: The
$countand$searchquery parameters are currently not available in Azure AD B2C tenants.
GET https://graph.microsoft.com/v1.0/users?$search="displayName:wa"&$orderby=displayName&$count=true
ConsistencyLevel: eventual
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users",
"@odata.count":7,
"value":[
{
"displayName":"Oscar Ward",
"givenName":"Oscar",
"mail":"oscarward@contoso.com",
"userPrincipalName":"oscarward@contoso.com"
}
]
}Example 7: Use $search to get users with display names that contain the letters 'wa' or the letters 'ad' including a count of returned objects
The following example shows a request. This request requires the ConsistencyLevel header set to eventual because $search is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.
Note: The
$countand$searchquery parameters are currently not available in Azure AD B2C tenants.
GET https://graph.microsoft.com/v1.0/users?$search="displayName:wa" OR "displayName:ad"&$orderbydisplayName&$count=true
ConsistencyLevel: eventual
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users",
"@odata.count":7,
"value":[
{
"displayName":"Oscar Ward",
"givenName":"Oscar",
"mail":"oscarward@contoso.com",
"userPrincipalName":"oscarward@contoso.com"
},
{
"displayName":"contosoAdmin1",
"givenName":"Contoso Administrator",
"mail":"'contosoadmin1@fabrikam.com",
"userPrincipalName":"contosoadmin1_fabrikam.com#EXT#@contoso.com"
}
]
}The following example shows a request. The userPrincipalName value for guest (B2B collaboration) users always contains the "#EXT#" identifier. For example, the userPrincipalName of a user in their home tenant is AdeleV@adatum.com. When you invite the user to collaborate in your tenant, contoso.com, their userPrincipalName in your tenant is "AdeleV_adatum.com#EXT#@contoso.com".
This request requires the ConsistencyLevel header set to eventual and the $count=true query string because the request includes the endsWith operator. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.
NOTE: You must encode the reserved character "#" in the userPrincipalName value as "%23" in the request URL. For more information, see Encoding special characters.
GET https://graph.microsoft.com/v1.0/users?$select=id,displayName,mail,identities&$filter=endsWith(userPrincipalName,'%23EXT%23@contoso.com')&$count=true
ConsistencyLevel: eventual
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,displayName,mail,identities)",
"@odata.count": 2,
"value": [
{
"id": "39807bd1-3dde-48f3-8165-81ddd4e46de0",
"displayName": "Adele Vance",
"mail": "AdeleV@adatum.com",
"identities": [
{
"signInType": "userPrincipalName",
"issuer": "contoso.com",
"issuerAssignedId": "AdeleV_adatum.com#EXT#@cntoso.com"
}
]
}
]
}The following example shows a request.
GET https://graph.microsoft.com/v1.0/users?$select=id,mail,assignedLicenses&$filter=assignedLicenses/any(u:u/skuId eq cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46)
The following example shows the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,mail,assignedLicenses)",
"value": [
{
"id": "cb4954e8-467f-4a6d-a8c8-28b9034fadbc",
"mail": "admin@contoso.com",
"assignedLicenses": [
{
"disabledPlans": [],
"skuId": "cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46"
}
]
},
{
"id": "81a133c2-bdf2-4e67-8755-7264366b04ee",
"mail": "DebraB@contoso.com",
"assignedLicenses": [
{
"disabledPlans": [],
"skuId": "cbdc14ab-d96c-4c30-b9f4-6ada7cdc1d46"
}
]
}
]
}In this example, the ID of the schema extension is ext55gb1l09_msLearnCourses.
GET https://graph.microsoft.com/v1.0/users?$select=ext55gb1l09_msLearnCourses
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
In the following response, the schema extension property ext55gb1l09_msLearnCourses is unassigned in two of the user objects.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(ext55gb1l09_msLearnCourses)",
"value": [
{},
{
"ext55gb1l09_msLearnCourses": {
"@odata.type": "#microsoft.graph.ComplexExtensionValue",
"courseType": "Developer",
"courseName": "Introduction to Microsoft Graph",
"courseId": 1
}
},
{}
]
}Note: You can also apply
$filteron the schema extension property to retrieve objects where a property in the collection matches a specified value. The syntax is/users?$filter={schemaPropertyID}/{propertyName} eq 'value'. For example,GET /users?$select=ext55gb1l09_msLearnCourses&$filter=ext55gb1l09_msLearnCourses/courseType eq 'Developer'. Theeqandnotoperators are supported.
The following example shows a request.
Note
- Details for the signInActivity property require a Microsoft Entra ID P1 or P2 license and the
AuditLog.Read.Allpermission. - When you specify
$select=signInActivityor$filter=signInActivitywhen listing users, the maximum page size for$topis 500. Requests with$topset higher than 500 return pages with up to 500 users. The signInActivity property supports$filter(eq,ne,not,ge,le) but not with any other filterable properties.
GET https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,signInActivity
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,userPrincipalName,signInActivity)",
"value": [
{
"displayName": "Adele Vance",
"userPrincipalName": "AdeleV@contoso.com",
"id": "1aecaf40-dc3a-461f-88a8-d06994e12898",
"signInActivity": {
"lastSignInDateTime": "2021-06-17T16:41:33Z",
"lastSignInRequestId": "d4d31c40-4c36-4775-ad59-7d1e6a171f00",
"lastNonInteractiveSignInDateTime": "0001-01-01T00:00:00Z",
"lastNonInteractiveSignInRequestId": "",
"lastSuccessfulSignInDateTime": "",
"lastSuccessfulSignInRequestId": ""
}
},
{
"displayName": "Alex Wilber",
"userPrincipalName": "AlexW@contoso.com",
"id": "f0662ee5-84b1-43d6-8338-769cce1bc141",
"signInActivity": {
"lastSignInDateTime": "2021-07-29T15:53:27Z",
"lastSignInRequestId": "f3149ee1-e347-4181-b45b-99a1f82b1c00",
"lastNonInteractiveSignInDateTime": "2021-07-29T17:53:42Z",
"lastNonInteractiveSignInRequestId": "868efa6a-b2e9-40e9-9b1c-0aaea5b50200",
"lastSuccessfulSignInDateTime": "",
"lastSuccessfulSignInRequestId": ""
}
}
]
}The following example shows a request. This request requires the ConsistencyLevel header set to eventual because $count is in the request. For more information about the use of ConsistencyLevel and $count, see Advanced query capabilities on directory objects.
GET https://graph.microsoft.com/v1.0/users?$filter=otherMails/any(x:endswith(x,'.edu'))&$count=true
ConsistencyLevel: eventual
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
"@odata.count": 2,
"value": [
{
"displayName": "Isaiah Langer",
"mail": "isaiahl@fineartschool.edu",
"id": "0012cd20-3890-409e-9db3-afc3055ebe22"
},
{
"displayName": "Adele Vance",
"mail": "adelev@bellowscollege.edu",
"id": "0012cd20-3890-409e-9db3-afc3055ebe22"
}
]
}The following example shows how to list all users whose management is restricted.
The following example shows a request.
GET https://graph.microsoft.com/v1.0/users?$filter=isManagementRestricted eq true&$select=displayName,userPrincipalName
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,userPrincipalName)",
"value": [
{
"displayName": "Adele",
"userPrincipalName": "Adele@contoso.com"
},
{
"displayName": "Bob",
"userPrincipalName": "Bob@contoso.com"
}
]
}