REST API to manage users on Sharepoint


As a follow-up question to <a href="https://stackoverflow.com/questions/41828688/rest-api-to-manage-users-on-skype-for-business" rel="nofollow">REST API to manage users on skype for business</a>, I would like to understand how the <a href="https://msdn.microsoft.com/en-us/library/office/dn531432.aspx#bk_User" rel="nofollow">Sharepoint Server User API</a> differs from <a href="https://graph.microsoft.io/en-us/docs/api-reference/v1.0/resources/user" rel="nofollow">MS Graph API for Users</a>. The Graph documentation indicates that we could use it to manage Sharepoint users the same way we would Office 365 users. However, there are standalone Sharepoint installations (like versions e.g. 2007, 2010, etc.,) which don't fall under Office 365 plans.

The Graph API Docs linked above says the User resource represents an "Azure AD user account". However, the Sharepoint User doc says it represents a "user in Microsoft SharePoint Foundation." Are these users entirely different from each other?

All we're looking to do is manage users for our clients some of whom have subscriptions to Office 365 and some who just use standalone Sharepoint setup. We are not bothered about application specific features like Accessing the sharepoint files, sites or even managing Word documents, Excel sheets, etc., So, does the Graph API support managing users in such cases as well?


<strong>That API is only for SharePoint 2013+</strong>

The user management REST API linked in your question is specifically for SharePoint 2013, and presumably works in SharePoint 2016 as well. This is regardless of whether the SharePoint environment is on premises or in the cloud.

Office 365 is currently a subset of SharePoint 2013/2016 in terms features and functionality.

Note that SharePoint 2007 and 2010 will not have this API.

<strong>SharePoint users and Azure AD accounts are not synonymous</strong>

Consider that SharePoint and AD can exist independently of each other.

SharePoint does not <em>need</em> to use Azure Active Directory for authentication. It can use a traditional on-premises or cloud-hosted Active Directory, or theoretically (starting with version 2010) can use any claims-based authentication provider aside from Active Directory.

SharePoint 2007 and 2010 could also support simple forms based authentication as well as custom authentication providers, but as noted previously, neither of those versions of SharePoint expose the REST API in question.

<strong>AD = Authentication; SharePoint User = Authorization</strong>

Azure AD is a claim provider. A claim provider is used for <strong>authentication</strong>; when you log on to SharePoint, SharePoint relies on Active Directory to determine that you are who you say you are. A user's SharePoint account is used for <strong>authorization</strong>; the SharePoint account is granted access to content within SharePoint on a site by site basis.

<strong>Information in AD vs information in SharePoint</strong>

When using Azure AD for authentication, there are usually some areas of overlap between the data in SharePoint and the data in AD.

SharePoint's user profile service is usually set up to synchronize data from Active Directory to SharePoint, so that AD serves as the master data set for things like user display name and title. However, not all information is necessarily sync'd from AD to SharePoint, and additional information can be tacked on to SharePoint user profiles.

<strong>Group Membership in AD vs Group Membership in SharePoint</strong>

In Azure AD, a user can be a member of multiple groups. Groups can include both Active Directory groups (which can be nested) and Office 365 (SharePoint) groups (which cannot be nested).

A SharePoint user can only be a member of SharePoint groups, since SharePoint does not keep track of membership of Active Directory groups. That said, a user may have access to content in SharePoint indirectly due to an Active Directory group having been granted access.

<strong>AD User Scope vs SharePoint User Scope</strong>

Unless you're working directly with the user profile service, when you work with SharePoint users programmatically, they need to be retrieved from a specific site in SharePoint. This is because each site collection has its own set of groups which cannot be used on other site collections within the SharePoint farm, so group membership is tracked only on a site-by-site basis.

Note that this means that a user's lookup ID number (which is different from their login name) may vary between site collections. This also means that a user's collection of groups will vary depending on the site from which the user object was retrieved.

An Azure AD user has no such silos.


  • Add Plugin DLL in MVC 4 Website after publish
  • Edit VSTS Wiki page via VSTS API
  • How to copy a Shape to another worksheet (not as a picture)?
  • Copy and Paste Entire Row
  • youtube video insert “onBehalfOfContentOwner” parameter value
  • Unable to save a query as a view table
  • Process.StartTime Access Denied
  • How do I manage org and space users in bluemix using cf command line?
  • Giving security priviliege to a scheduler in Java EE 6
  • Capturing HTML Text Input Key press after key has been applied?
  • How to update powerpivot pivot table filter via cell reference?
  • How to make a user wait with Laravel
  • Where in the relevant specification is it documented that some comments in a SQL script are, in fact
  • Reading XML into Datatable gives incorrect DateTime when the time has Time Zone info
  • Creating UDF with VSTO in Excel
  • Generating anchors with PyYAML.dump()?
  • 'doc_del_count' bigger than 'doc_count' on CouchDB
  • c# winform DrawToBitmap offscreen
  • calculating number of bytes of each row in an image
  • VBA Dir function not working on Excel 2010
  • Outlook to Excel hyperlink issue
  • Why isn't my “Fizz Buzz” test in R working?
  • Command line installation of Code Signing certificates, .p12 files, and mobileprovisions
  • crash in __tcf_0
  • Get Currently Active User in Android
  • C# Excel interop - how to test if interop object is still working and performing a task?
  • Changing Jupyter Notebook start up folder by modifying “start in” not working any more
  • For loop with if condition on multiple R functions
  • jQuery: How to AJAXify WordPress Search?
  • Eclipse MTJ doesn't see Java ME SDK 3.0 devices
  • Authentication in Play! and RestEasy
  • Mysql - How to search for 26 records that each begins with the letter of the alphabet?
  • Declaring variable dynamically in VB.net
  • Hardware Accelerated Image Scaling in windows using C++
  • Content-Length header not returned from Pylons response
  • Join two tables and save into third-sql
  • Can I make an Android app that runs a web view in Chrome 39?
  • Timeout for blocking function call, i.e., how to stop waiting for user input after X seconds?
  • PHP: When would you need the self:: keyword?
  • How to include full .NET prerequisite for Wix Burn installer