Log in to the Microsoft Entra Admin center.
Last updated on
Feb 25, 2025
Introduction
Microsoft Graph API enables developers to integrate and automate tasks across Microsoft services like Microsoft Entra, Exchange Online, SharePoint, and Teams. The API provides access to a wide range of resources, such as users, groups, files, and messages, using RESTful web services.
The Microsoft Graph API in ColdFusion allows integration for creating and managing a user store on Microsoft Entra ID. A user store acts as a repository for profile data such as names, profile pictures, and other user details. It supports CRUD (Create, Read, Update, Delete) operations to handle user sign-ups, profile updates, and user data maintenance.
The focus is on managing user identities within Microsoft Entra ID (formerly Azure Active Directory), a core component of Identity and Access Management (IAM). While Microsoft Entra ID provides features like group and application management, ColdFusion provides user management—a critical functionality universally supported by all IAM systems. With ColdFusion, use the Microsoft Graph API to have complete control over user management in Microsoft Entra ID, including tenant and directory management.
ColdFusion applications commonly use the cfldap tag to interact with LDAP (Lightweight Directory Access Protocol) directories. While this is effective for traditional directories, Microsoft Entra ID is not a traditional Active Directory. It is a cloud-based IAM service that does not inherently support LDAP protocols. Therefore, ColdFusion introduces the user store APIs of Microsoft Entra through Microsoft Graph APIs to support user management in the cloud.
Get started
Install the package
Install the msgraph package using the ColdFusion Package Manager.
Create application
-
-
Navigate to Microsoft Entra ID > App Registrations > New Registration.
-
Provide an application name, select supported account types, and configure the redirect URI. See Register an application with the Microsoft identity platform for more information.
-
After registering the app, note the Application (Client) ID and Directory (Tenant) ID.
Register application
-
Assign API permissions under API Permissions in your app registration. Include permissions like User.Read, User.ReadWrite, or Directory.ReadWrite depending on the operations.
-
Use the Grant admin consent option to approve the permissions.
-
Generate a client secret under Certificates & Secrets for authentication.
Generate access and refresh tokens
- Access tokens are used for authentication and need to be generated to perform API operations.
- Refresh tokens have a longer lifespan and can be used to generate new access tokens.
ColdFusion functions
GetMSGraphServiceClient
Creates an instance of a client object that communicates with the Graph API service. This client simplifies making authenticated API requests to the Microsoft Graph endpoints. It also configures the client with an authentication provider (or example, access tokens) to authorize requests to Microsoft Graph.
Syntax
getMSGraphServiceClient({access_token = "add your token here"})
getMSGraphServiceClient({access_token = "add your token here"})
getMSGraphServiceClient({access_token = "add your token here"})
GetOauthAccessToken
Allows you to easily integrate third-party OAuth 2 authentication providers in your application, like cfoauth.
Returns
A struct with access_token, refresh_token, and the expiry time.
Syntax
getOauthAccessToken(type,clientID,scope [, state] [, authendpoint] [, accesstokenendpoint], granttype, secretkey [, urlparams])
getOauthAccessToken(type,clientID,scope [, state] [, authendpoint] [, accesstokenendpoint], granttype, secretkey [, urlparams])
getOauthAccessToken(type,clientID,scope [, state] [, authendpoint] [, accesstokenendpoint], granttype, secretkey [, urlparams])
Parameters
| Parameter | Required/Optional | Description |
| type | required | Either the type or endpoints for auth and token server should be specified. |
| clientid | required | Ahe Application (client) ID that the registration portal assigned the app. Also referred to as appId in the Microsoft Graph application and service principal object. |
| scope | required | A comma-separated list of scopes that you want the user to consent to. |
| state | optional | The state variable is used to pass back any information to your web application after the authentication and redirection are completed. Any value passed to this attribute is returned to the web application after authentication. This is useful for CSRF (Cross-site request forgery) protection. You can use ColdFusion’s security-related CSRF functions for this attribute. |
| authendpoint | Optional |
Default:
If type is not specified, this will be used as end point URL to be invoked for user authentication. |
| accesstokenendpoint | Optional |
If type is not specified this will be used as end point URL to be invoked for app authentication. |
| granttype | required | Default is authorization_code, but also supports client_credentials and refresh_token |
| secretkey | required | The client secret that you created in the app registration portal for your app. ColdFusion will also support the certificate credentials, where the arguments are the pkcs12 format file path and password. |
| urlparams | optional | Extra options will be passed as URL query strings to the endpoint. |
Example
<cfscript>
cred = {
type:"microsoft",
tenant:"tenant-id",
clientid:"client-id",
scope:"offline_access user.read mail.read",
secretkey:"secret-key"
};
writeDump(getOauthAccessToken(cred));
</cfscript>
<cfscript>
cred = {
type:"microsoft",
tenant:"tenant-id",
clientid:"client-id",
scope:"offline_access user.read mail.read",
secretkey:"secret-key"
};
writeDump(getOauthAccessToken(cred));
</cfscript>
<cfscript>
cred = {
type:"microsoft",
tenant:"tenant-id",
clientid:"client-id",
scope:"offline_access user.read mail.read",
secretkey:"secret-key"
};
writeDump(getOauthAccessToken(cred));
</cfscript>
User management APIs
List users
Lists all users in the organization's Microsoft Entra ID. This operation requires the "user.read.all" permission. The method returns an array of structs where each struct represents a user.
Permissions
| Permission Type | Permissions (from least to most privileged) |
| Delegated(work or school account) | User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| Application | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
<cfscript>
// list users
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
usersInTheTenant = graphServiceClient.listUsers();
writeOutput(ArrayLen(usersInTheTenant.value));
</cfscript>
<cfscript>
// list users
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
usersInTheTenant = graphServiceClient.listUsers();
writeOutput(ArrayLen(usersInTheTenant.value));
</cfscript>
<cfscript>
// list users
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
usersInTheTenant = graphServiceClient.listUsers();
writeOutput(ArrayLen(usersInTheTenant.value));
</cfscript>
Example- conditional search
<cfscript>
res1 = graphServiceClient.listUsers({
search: "displayName: John"
})
writeDump(#res1#);
</cfscript>
<cfscript>
res1 = graphServiceClient.listUsers({
search: "displayName: John"
})
writeDump(#res1#);
</cfscript>
<cfscript>
res1 = graphServiceClient.listUsers({
search: "displayName: John"
})
writeDump(#res1#);
</cfscript>
The script returns all users whose names start with John*.
Example- Use top=-1 to retrieve all users.
By default, only 100 users are listed. If you want to return all users, use top=-1.
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
//top=-1 should get all the users.
allUser = graphServiceClient.listUsers({top = -1});
writeDump(allUser)
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
//top=-1 should get all the users.
allUser = graphServiceClient.listUsers({top = -1});
writeDump(allUser)
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
//top=-1 should get all the users.
allUser = graphServiceClient.listUsers({top = -1});
writeDump(allUser)
</cfscript>
Create user
Create user programatically in Entra ID. This operation requires "user.readwrite.all" or "directory.readwrite.all" permissions. The method returns the id of the created user.
Permissions
| Permission Type |
Permissions (from least to most privileged) |
| Delegated (work or school account) | User.ReadWrite.All, Directory.ReadWrite.All |
| Application | User.ReadWrite.All, Directory.ReadWrite.All |
Required parameters:
Parameter |
Type |
Description |
accountEnabled |
Boolean |
true if the account is enabled; otherwise, false. |
displayName |
String |
The name to display in the address book for the user. |
mailNickname |
String |
alias for the user |
userPrincipalName |
String |
The user principal name (someuser@contoso.com). It's an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. The verified domains for the tenant can be accessed from the verifiedDomains property of organization. |
passwordProfile |
Struct |
The password profile for the user. |
Optional parameters:
| Parameter | Type | Description |
| ageGroup | String | Sets the age group of the user. Allowed values: null, Minor, notAdult, Adult notAdult: The user is from a country that has statutory regulations (such as the United States, United Kingdom, European Union or South Korea) and user's age is more than the upper limit of kid age (as per country) and less than lower limit of adult age (as stipulated based on country or region). So basically, teenagers are considered as notAdult in regulated countries. |
| birthday | Date | The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. |
| businessPhones | String Array | The telephone numbers for the user. |
| city | String | The city in which the user is located. |
| companyName | String | The name of the company that the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters. |
| consentProvidedForMinor | String | Sets whether consent has been obtained for minors. Allowed values:null, Granted, Denied and NotRequired. |
| country | String | The country/region in which the user is located. |
| department | String | The name for the department in which the user works. |
| employeeId | String | The employee identifier assigned to the user by the organization. The maximum length is 16 characters. |
| employeeType | String | Captures enterprise worker type. Returned on only select parameter. |
| givenName | String | The given name (first name) of the user. |
| employeeHireDate | Date | The hire date of the user. |
| employeeLeaveDateTime | Date | The date and time when the user left or will leave the organization. |
| employeeOrgData | Struct | Represents organization data (for example, division and costCenter) associated with a user. { division: "string", costCenter: "string" } |
| interests | String Array | A list for the user to describe their interests. |
| jobTitle | String | The user's job title. |
| String | The SMTP address for the user, for example, jeff@contoso.com. Changes to this property also update the user's proxyAddresses collection to include the value as an SMTP address. For Azure AD B2C accounts, this property can be updated up to only 10 times with unique SMTP addresses. Can't be updated to null. | |
| mobilePhone | String | The primary cellular telephone number for the user. |
| mySite | String | The URL for the user's personal site. |
| officeLocation | String | The office location in the user's place of business. |
| onPremisesExtensionAttributes | Struct with 15 extension atrribute values | Contains extensionAttributes 1-15 for the user. The individual extension attributes aren't selectable or filterable. For an onPremisesSyncEnabled user, the source of authority for this set of properties is the on-premises and is read-only. These extension attributes are also known as Exchange custom attributes 1-15. |
| onPremisesImmutableId | String | This property is used to associate an on-premises Entra ID user account to their Microsoft Entra user object. This property must be specified when creating a new user account in the Graph if you're using a federated domain for the user's userPrincipalName (UPN) property. Important: The $ and _ characters can't be used when specifying this property. |
| otherMails | Array of String | A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"]. |
| PasswordPolicies | String | Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two can be specified together; for example: DisablePasswordExpiration, DisableStrongPassword. |
| passwordProfile | Struct | The password profile for the user. |
| pastProjects | Array of String | A list for the user to enumerate their past projects. |
| postalCode | String | The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code. |
| prefferedLanguage | String | The preferred language for the user. Should follow ISO 639-1 Code; for example, en-US. |
| responsibilities | Array of String | A list for the user to enumerate their responsibilities. |
| schools | Array of String | A list for the user to enumerate the schools they attended. |
| skills | String Array | A list for the user to enumerate their skills. |
| state | String | The state or province in the user's address. |
| streetAddress | String | The street address of the user's place of business. |
| surname | String | The user's surname (family name or last name). |
| usageLocation | String | A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: US, JP, and GB. Not nullable. |
| userType | String | A string value that can be used to classify user types in your directory. |
| Parameter | Type | Required | Description |
| password | String | Yes | The password for the user. This property is required when a user is created. It can be updated, but the user will be required to change the password on the next sign-in. The password must satisfy minimum requirements as specified by the user's passwordPolicies property. By default, a strong password is required. |
| forceChangePasswordNextSignIn | Boolean | No | true if the user must change their password on the next sign-in; otherwise false |
Example
<cfscript>
// create user
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
aUser = {accountEnabled = true, displayName = "John Adams", mailNickName = "JohnA",
userPrincipalName = "JAD@example.com"}
graphServiceClient.createUser(aUser);
</cfscript>
<cfscript>
// create user
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
aUser = {accountEnabled = true, displayName = "John Adams", mailNickName = "JohnA",
userPrincipalName = "JAD@example.com"}
graphServiceClient.createUser(aUser);
</cfscript>
<cfscript>
// create user
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
aUser = {accountEnabled = true, displayName = "John Adams", mailNickName = "JohnA",
userPrincipalName = "JAD@example.com"}
graphServiceClient.createUser(aUser);
</cfscript>
Get user
The method retrieves information about the logged-in user or a specific user if an ID is provided. The method, if successful, returns the default properties unless you use select to specify specific properties.
Example- get user by ID
<cfscript>
//get specific user info based on the id
userInfoBasedOnID = graphServiceClient.getUser("user-id");
writeDump(var=#userInfoBasedOnID#, format="text");
</cfscript>
<cfscript>
//get specific user info based on the id
userInfoBasedOnID = graphServiceClient.getUser("user-id");
writeDump(var=#userInfoBasedOnID#, format="text");
</cfscript>
<cfscript>
//get specific user info based on the id
userInfoBasedOnID = graphServiceClient.getUser("user-id");
writeDump(var=#userInfoBasedOnID#, format="text");
</cfscript>
Example- get signed in user
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
loggedInUser = graphServiceClient.getUser();
writeDump(#loggedInUser#);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
loggedInUser = graphServiceClient.getUser();
writeDump(#loggedInUser#);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
loggedInUser = graphServiceClient.getUser();
writeDump(#loggedInUser#);
</cfscript>
Update user
The method modifies user information, such as updating a mobile number, name, hobby, or address. This operation requires appropriate privileges and permissions.
Permissions
| Permission Type | Permissions (from least to most privileged) |
| Delegated (work or school account) | User.ReadWrite, User.ManageIdentities.All, User.EnableDisableAccount.All, User.ReadWrite.All, Directory.ReadWrite.All |
| Application | User.ManageIdentities.All, User.EnableDisableAccount.All, User.ReadWrite.All, Directory.ReadWrite.All |
Parameters
| Parameter | Type | Description |
| accountEnabled | Boolean | true if the account is enabled; otherwise, false. This property is required when a user is created. Apart from a global administrator, a privileged authentication administrator assigned the Directory.AccessAsUser.All delegated permission can update the accountEnabled status of all administrators in the tenant. |
| ageGroup | String | Sets the age group of the user. Allowed values: null, Minor, notAdult, Adult notAdult: The user is from a country that has statutory regulations (such as the United States, United Kingdom, European Union or South Korea) and user's age is more than the upper limit of kid age (as per country) and less than lower limit of adult age (as stipulated based on country or region). So basically, teenagers are considered as notAdult in regulated countries. |
| birthday | Date | The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. |
| businessPhones | String Array | The telephone numbers for the user. |
| city | String | The city in which the user is located. |
| companyName | String | The name of the company that the user is associated. This property can be useful for describing the company that an external user comes from. The maximum length is 64 characters. |
| consentProvidedForMinor | String | Sets whether consent has been obtained for minors. Allowed values:null, Granted, Denied and NotRequired. |
| country | String | The country/region in which the user is located. |
| department | String | The name for the department in which the user works. |
| displayName | String | The name displayed in the address book for the user. This is usually the combination of the user's first name, middle initial, and last name. This property is required when a user is created and it can't be cleared during updates. |
| employeeId | String | The employee identifier assigned to the user by the organization. The maximum length is 16 characters. |
| employeeType | String | Captures enterprise worker type. Returned on only select parameter. |
| givenName | String | The given name (first name) of the user. |
| employeeHireDate | Date | The hire date of the user. |
| employeeLeaveDateTime | Date | The date and time when the user left or will leave the organization. |
| employeeOrgData | Struct | Represents organization data (for example, division and costCenter) associated with a user. { division: "string", costCenter: "string" } |
| interests | String Array | A list for the user to describe their interests. |
| jobTitle | String | The user's job title. |
| String | The SMTP address for the user, for example, jeff@contoso.com. Changes to this property also update the user's proxyAddresses collection to include the value as an SMTP address. For Azure AD B2C accounts, this property can be updated up to only 10 times with unique SMTP addresses. Can't be updated to null. | |
| mailNickName | String | The mail alias for the user. This property must be specified when a user is created. |
| mobilePhone | String | The primary cellular telephone number for the user. |
| mySite | String | The URL for the user's personal site. |
| officeLocation | String | The office location in the user's place of business. |
| onPremisesExtensionAttributes | Struct with 15 extension atrribute values | Contains extensionAttributes 1-15 for the user. The individual extension attributes aren't selectable or filterable. For an onPremisesSyncEnabled user, the source of authority for this set of properties is the on-premises and is read-only. These extension attributes are also known as Exchange custom attributes 1-15. |
| onPremisesImmutableId | String | This property is used to associate an on-premises Entra ID user account to their Microsoft Entra user object. This property must be specified when creating a new user account in the Graph if you're using a federated domain for the user's userPrincipalName (UPN) property. Important: The $ and _ characters can't be used when specifying this property. |
| otherMails | Array of String | A list of additional email addresses for the user; for example: ["bob@contoso.com", "Robert@fabrikam.com"]. |
| PasswordPolicies | String | Specifies password policies for the user. This value is an enumeration with one possible value being DisableStrongPassword, which allows weaker passwords than the default policy to be specified. DisablePasswordExpiration can also be specified. The two can be specified together; for example: DisablePasswordExpiration, DisableStrongPassword. |
| passwordProfile | Struct | The password profile for the user. |
| pastProjects | Array of String | A list for the user to enumerate their past projects. |
| postalCode | String | The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code. |
| prefferedLanguage | String | The preferred language for the user. Should follow ISO 639-1 Code; for example, en-US. |
| responsibilities | Array of String | A list for the user to enumerate their responsibilities. |
| schools | Array of String | A list for the user to enumerate the schools they attended. |
| skills | String Array | A list for the user to enumerate their skills. |
| state | String | The state or province in the user's address. |
| streetAddress | String | The street address of the user's place of business. |
| surname | String | The user's surname (family name or last name). |
| usageLocation | String | A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: US, JP, and GB. Not nullable. |
| userPrincipalName | String | The user principal name (UPN) of the user. The UPN is an Internet-style sign-in name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains. The verified domains for the tenant can be accessed from the verifiedDomains property of organization. NOTE: This property can't contain accent characters. Only the following characters are allowed A - Z, a - z, 0 - 9, ' . - _ ! # ^ ~. For the complete list of allowed characters, see username policies. |
| userType | String | A string value that can be used to classify user types in your directory. |
Example- Update properties of a specified user
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//Update properties of the specified user
details = {
businessPhones : ["+1 425 555 0109"],
officeLocation : "SF",
streetAddress: "USA"
}
graphServiceClient.updateUser("user-id", details);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//Update properties of the specified user
details = {
businessPhones : ["+1 425 555 0109"],
officeLocation : "SF",
streetAddress: "USA"
}
graphServiceClient.updateUser("user-id", details);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//Update properties of the specified user
details = {
businessPhones : ["+1 425 555 0109"],
officeLocation : "SF",
streetAddress: "USA"
}
graphServiceClient.updateUser("user-id", details);
</cfscript>
Example- update properties of a signed-in user
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//Update properties of the signed-in user
details = {
businessPhones : ["+1 425 555 0109"],
officeLocation : "18/2111"
}
graphServiceClient.updateUser(details);
<cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//Update properties of the signed-in user
details = {
businessPhones : ["+1 425 555 0109"],
officeLocation : "18/2111"
}
graphServiceClient.updateUser(details);
<cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//Update properties of the signed-in user
details = {
businessPhones : ["+1 425 555 0109"],
officeLocation : "18/2111"
}
graphServiceClient.updateUser(details);
<cfscript>
Delete user
The method allows you to delete users. This operation requires high-level administrative privileges.
Permissions
| Permission Type | Permissions (from least to most privileged) |
| Delegated (work or school account) | User.ReadWrite.All |
| Application | User.ReadWrite.All |
Parameters
All parameters are required
| Parameter | Type | Description |
| userID | String | The user ID of the user to be deleted. |
Example
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
graphServiceClient.deleteUser(userId);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
graphServiceClient.deleteUser(userId);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
graphServiceClient.deleteUser(userId);
</cfscript>
Revoke sign in sessions
The revokeSignInSessions method invalidates all active authentication tokens (refresh tokens) for a specific user. This action is intended to immediately revoke a user’s ability to access resources using their existing tokens.
Typically, this operation is performed (by the user or an administrator) if the user has a lost or stolen device. This operation prevents access to the organization's data through applications on the device by requiring the user to sign in again to all applications that they have previously consented to, independent of the device.
Example
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
graphServiceClient.revokeSignInSessions("user-id");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
graphServiceClient.revokeSignInSessions("user-id");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
graphServiceClient.revokeSignInSessions("user-id");
</cfscript>
Change password
Allows the user to update their password. Any user can update their password without being assigned an administrator role.
| Parameter | Type | Description |
| currentPassword | String | Your current password. |
| newPassword | String | Your new password. |
Example
<cfscript>
passwordChange = {
currentPassword: "ColdFusion$123",
newPassword : "ColdFusion$1234"
}
res = graphServiceClient.changePassword(passwordChange);
</cfscript>
<cfscript>
passwordChange = {
currentPassword: "ColdFusion$123",
newPassword : "ColdFusion$1234"
}
res = graphServiceClient.changePassword(passwordChange);
</cfscript>
<cfscript>
passwordChange = {
currentPassword: "ColdFusion$123",
newPassword : "ColdFusion$1234"
}
res = graphServiceClient.changePassword(passwordChange);
</cfscript>
Get users delta
The delta token is used to track changes in Entra ID from a specific point in time. It helps in identifying what changes have occurred since the last retrieval. The token enables applications to discover newly created, updated, or deleted entities without performing a full read of the target resource with every request. It makes use of delta token to track the necessary changes.
Example
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
users = graphServiceClient.getUsersDelta();
while(structKeyExists(users, "skiptoken")){
users = graphServiceClient.getUsersDelta({
skiptoken: users.skiptoken
});}
deltaToken = users.deltatoken;
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
users = graphServiceClient.getUsersDelta();
while(structKeyExists(users, "skiptoken")){
users = graphServiceClient.getUsersDelta({
skiptoken: users.skiptoken
});}
deltaToken = users.deltatoken;
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
users = graphServiceClient.getUsersDelta();
while(structKeyExists(users, "skiptoken")){
users = graphServiceClient.getUsersDelta({
skiptoken: users.skiptoken
});}
deltaToken = users.deltatoken;
</cfscript>
- skipToken: skipToken allows you to skip a specific set of results in the users collection, ensuring that subsequent responses start from the appropriate point. If there are further changes to be tracked in the same user collection, you get the skip token rather than a delta token.
- deltaToken: A deltaToken is a unique identifier returned in response to a delta query. It allows you to retrieve only the changes made to a specific data set since your last request, allowing you to track incremental updates without re-fetching the entire data set.
Get profile photo
Retrieves the user’s profile photo as a ColdFusion image object and its metadata. See the Get profilePhoto docs from Microsoft for more information.
Example
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//get profile photo of a given userid
myImage=graphServiceClient.getProfilePhoto("user-id");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//get profile photo of a given userid
myImage=graphServiceClient.getProfilePhoto("user-id");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//get profile photo of a given userid
myImage=graphServiceClient.getProfilePhoto("user-id");
</cfscript>
Update profile photo
Updates the user's profile photo by uploading a new image. See the Update profilePhoto docs from Microsoft for more information.
Example
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//Update profile photo of a given userid
srcPath = expandPath("./" & "myProfile.jpg");
myImage = ImageNew("#srcPath#");
graphServiceClient.updateProfilePhoto("user-id",myImage);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//Update profile photo of a given userid
srcPath = expandPath("./" & "myProfile.jpg");
myImage = ImageNew("#srcPath#");
graphServiceClient.updateProfilePhoto("user-id",myImage);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//Update profile photo of a given userid
srcPath = expandPath("./" & "myProfile.jpg");
myImage = ImageNew("#srcPath#");
graphServiceClient.updateProfilePhoto("user-id",myImage);
</cfscript>
Delete profile photo
Deletes the user's profile photo. See the Delete profilePhoto docs from Microsoft for more information.
Example
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//delete profile photo of a given userid
graphServiceClient.deleteProfilePhoto("user-id");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//delete profile photo of a given userid
graphServiceClient.deleteProfilePhoto("user-id");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#accessToken#"});
//delete profile photo of a given userid
graphServiceClient.deleteProfilePhoto("user-id");
</cfscript>
Filter responses
Filters in Microsoft Graph API are used to narrow down the responses returned by a query. They allow you to specify criteria that the returned data must meet, making it easier to find specific information within large datasets. In the results, skipToken allows you to skip the set of results returned in the current call, ensuring the subsequent responses start from the appropriate point.
Microsoft Graph supports optional query parameters that you can use to specify and control the amount of data returned in a response. The support for the exact query parameters varies from one API operation to another. All the query parameters are accepted in a struct as an extra argument to action API of the call, i.e., get, create, update, and more.
| Name | Type | Description |
| filter | String | Use the filter query parameter to retrieve just a subset of a collection. |
| orderby | Array of String | Use the orderby query parameter to specify the sort order of the items returned from Microsoft Graph. |
| search | String | Use the search query parameter to restrict the results of a request to match a search criterion. |
| select | Array of String | Use the select query parameter to return a set of properties that are different than the default set for an individual resource or a collection of resources. |
| top | number | Use the top query parameter to specify the number of items to be included in the result. |
Filters in user management operations within Microsoft Graph API are essential for efficiently managing and retrieving user data. They allow you to specify criteria that the returned data must meet, making it easier to find specific information within large datasets.
Here are some ways in which you can use filters using ColdFusion and MS Graph APIs:
orderby
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
orderby: ["displayName desc"]});
writeDump(var=#res#);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
orderby: ["displayName desc"]});
writeDump(var=#res#);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
orderby: ["displayName desc"]});
writeDump(var=#res#);
</cfscript>
select
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
select: ["displayName", "mail"]});
writeDump(var=#res#);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
select: ["displayName", "mail"]});
writeDump(var=#res#);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
select: ["displayName", "mail"]});
writeDump(var=#res#);
</cfscript>
top n users
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({top = 2})
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({top = 2})
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({top = 2})
writeDump(res);
</cfscript>
Equality operators
Not equal- ne
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName ne (Company)",
select: ["givenName","companyName"]
});
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName ne (Company)",
select: ["givenName","companyName"]
});
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName ne (Company)",
select: ["givenName","companyName"]
});
writeDump(res);
</cfscript>
Equal- eq
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName eq ('Adobe')"
});
writeDump(var=#res.value#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName eq ('Adobe')"
});
writeDump(var=#res.value#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName eq ('Adobe')"
});
writeDump(var=#res.value#, format="text");
</cfscript>
Not- not
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "not(startswith(mail, 'A'))",
select: ["givenName","mail"]
});
writeDump(var=#res.value#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "not(startswith(mail, 'A'))",
select: ["givenName","mail"]
});
writeDump(var=#res.value#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "not(startswith(mail, 'A'))",
select: ["givenName","mail"]
});
writeDump(var=#res.value#, format="text");
</cfscript>
In- in
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName in ('Adobe')"
});
writeDump(var=#res.value#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName in ('Adobe')"
});
writeDump(var=#res.value#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName in ('Adobe')"
});
writeDump(var=#res.value#, format="text");
</cfscript>
Less than or equal- le
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "createdDateTime le 2025-01-11T00:00:00Z"
})
writeDump(var=#res#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "createdDateTime le 2025-01-11T00:00:00Z"
})
writeDump(var=#res#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "createdDateTime le 2025-01-11T00:00:00Z"
})
writeDump(var=#res#, format="text");
</cfscript>
Greater than or equal- ge
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "createdDateTime ge 2024-12-11T00:00:00Z"
})
writeDump(var=#res#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "createdDateTime ge 2024-12-11T00:00:00Z"
})
writeDump(var=#res#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "createdDateTime ge 2024-12-11T00:00:00Z"
})
writeDump(var=#res#, format="text");
</cfscript>
Lambda operators
Any (any)
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "businessPhones/any(p:startswith(p, '765'))"
});
writeDump(var=#res.value#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "businessPhones/any(p:startswith(p, '765'))"
});
writeDump(var=#res.value#, format="text");
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "businessPhones/any(p:startswith(p, '765'))"
});
writeDump(var=#res.value#, format="text");
</cfscript>
Conditional operators
And (and)
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName ne null and NOT(companyName eq 'Microsoft')"
})
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName ne null and NOT(companyName eq 'Microsoft')"
})
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "companyName ne null and NOT(companyName eq 'Microsoft')"
})
writeDump(res);
</cfscript>
Functions
Starts with – startswith
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "startswith(mail,'alex')"
})
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "startswith(mail,'alex')"
})
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "startswith(mail,'alex')"
})
writeDump(res);
</cfscript>
Ends with- endswith
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "endswith(mail,'@hotmail.com')"
})
writeDump(res);
res = graphServiceClient.listUsers({
filter: "endswith(userPrincipalName,'onmicrosoft.com')"
})
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "endswith(mail,'@hotmail.com')"
})
writeDump(res);
res = graphServiceClient.listUsers({
filter: "endswith(userPrincipalName,'onmicrosoft.com')"
})
writeDump(res);
</cfscript>
<cfscript>
graphServiceClient = getMSGraphServiceClient({access_token = "#request.accessToken#"});
res = graphServiceClient.listUsers({
filter: "endswith(mail,'@hotmail.com')"
})
writeDump(res);
res = graphServiceClient.listUsers({
filter: "endswith(userPrincipalName,'onmicrosoft.com')"
})
writeDump(res);
</cfscript>
