nodoc | undocumented Microsoft portal APIs

20Published specs

1,941Modeled operations

20Standardized nav specs

852Remaining placeholders

12Access models

20Checked-in collections

Coverage

Every published spec has a matching checked-in Postman collection and is grouped below by portal family.

Security portal

4 published APIs

Defender

594 opsFoundational

Security operations coverage across alerts, incidents, case management, hunting, multi-tenant management, cloud apps, investigation pivots, endpoint, identity, vulnerability, configuration, and exposure workflows.

Quality: standardized nav · complete metadata · 457 placeholders · 8 response examples

Auth: Portal session cookie (sccauth)
Base URL: https://security.microsoft.com/apiproxy
Collection: postman/collections/defender.collection.json
OpenAPI: specifications/nodoc-defender-xdr/specification/openapi.yml

Alerts, incidents, case management, and AutoIR coverage
Advanced hunting, custom detections, and live response
Cloud Apps discovery, App Governance policies, entity resolution, and device/file-page pivots
Multi-tenant tenant groups, assignments, and wrapped case, hunting, identity, and configuration reads
Threat Analytics detail pivots, Attack simulation training, XSPM connectors, and Sentinel graph/data lake routes

Browse spec OpenAPI source Download collection

Purview

124 opsFoundational

Compliance, governance, DLP, insider risk, information protection, and Purview for AI coverage from the Purview portal proxy surface.

Quality: standardized nav · complete metadata · 109 placeholders · 4 response examples

Auth: Portal session cookie (sccauth)
Base URL: https://purview.microsoft.com/apiproxy
Collection: postman/collections/purview.collection.json
OpenAPI: specifications/nodoc-purview/specification/openapi.yml

Purview for AI, DSPM for AI, oversharing assessments, and agent observability
Information Protection settings, DLP devices, insider risk settings, and Exchange-backed admin commands
Compliance exports, billing/license usage, and shared Purview backend prefixes

Browse spec OpenAPI source Download collection

Purview Portal

8 opsGrowing

Same-origin Purview bootstrap, token minting, role evaluation, audit settings, and label-activity analytics used directly by the portal UX.

Quality: standardized nav · complete metadata · no placeholders · 2 response examples

Auth: Portal session cookie (sccauth) + same-origin portal context
Base URL: https://purview.microsoft.com/api/
Collection: postman/collections/purview-portal.collection.json
OpenAPI: specifications/nodoc-purview-portal/specification/openapi.yml

Portal-issued downstream token minting via /api/Auth/getToken
Role cache and batch role-evaluation helpers used during startup
Admin audit settings, user picker lookups, and label activity charts

Browse spec OpenAPI source Download collection

Security Copilot

32 opsGrowing

Security Copilot portal coverage for bootstrap and preference reads, workspace provisioning and policy resolution, session and promptbook inventory, agent and builder discovery, and Security Store catalog flows.

Quality: standardized nav · complete metadata · no placeholders · 1 response examples

Auth: Portal bearer tokens + workspace context
Base URL: https://api.securitycopilot.microsoft.com
Collection: postman/collections/security-copilot.collection.json
OpenAPI: specifications/nodoc-security-copilot/specification/openapi.yml

Portal bootstrap and workspace-preference helpers across api.securitycopilot.microsoft.com
Security Platform provisioning, policy, session, promptbook, agent, and skillset reads across global and regional control planes
Security Store client configuration and catalog search, plus a safe what-if capture for the create-capacity flow

Browse spec OpenAPI source Download collection

Admin portal

1 published API

M365 Admin

280 opsFoundational

Tenant settings, Copilot controls, reports, user and group management, app settings, and admin shell surfaces.

Quality: standardized nav · complete metadata · 204 placeholders · 9 response examples

Auth: Portal session cookie + custom admin headers
Base URL: https://admin.cloud.microsoft
Collection: postman/collections/m365-admin.collection.json
OpenAPI: specifications/nodoc-m365-admin/specification/openapi.yml

Copilot, agent, and security settings
User, group, tenant, and billing operations
Custom portal header requirements modeled in-spec

Browse spec OpenAPI source Download collection

Exchange admin center

1 published API

Exchange

61 opsGrowing

Same-origin Exchange admin center beta coverage for shell bootstrap, preferences, mail flow, recipients, migration, public folders, and report widgets.

Quality: standardized nav · complete metadata · no placeholders · 2 response examples

Auth: Portal session cookie + same-origin x-requested-with
Base URL: https://admin.exchange.microsoft.com/beta
Collection: postman/collections/exchange-beta.collection.json
OpenAPI: specifications/nodoc-exchange-beta/specification/openapi.yml

Shell, tenant, profile, and preference routes used across the Exchange portal
Accepted domains, connectors, transport rules, alert policies, and mail flow reports
Recipient, role group, migration, and public folder inventory surfaces

Browse spec OpenAPI source Download collection

SharePoint admin center

1 published API

SharePoint

41 opsGrowing

Tenant bootstrap, site inventory, site-detail blades, storage quota, migration helpers, and settings workflows from the SharePoint admin center same-origin /_api surface.

Quality: standardized nav · complete metadata · 1 placeholders · 1 response examples

Auth: Portal session cookie (FedAuth) + SharePoint form digest
Base URL: https://{tenant}-admin.sharepoint.com
Collection: postman/collections/sharepoint-admin.collection.json
OpenAPI: specifications/nodoc-sharepoint-admin/specification/openapi.yml

Tenant admin bootstrap and multigeo discovery
Site inventory, site-detail membership/settings helpers, deletion checks, and CSV export coverage
Storage quota, migration-center, OneDrive policy, branding, and internal tenant settings coverage

Browse spec OpenAPI source Download collection

Teams admin center

1 published API

Teams

99 opsAdvanced

Exhaustive Teams admin center coverage spanning left-nav routes, list/detail drill-ins, report interactions, records-backed policy and telephony surfaces, Frontline orchestration, devices, CQD data, app catalog detail pages, monetization, and planning helpers.

Quality: standardized nav · complete metadata · 4 placeholders · 4 response examples

Auth: Portal bearer token + same-origin portal context
Base URL: https://admin.teams.microsoft.com
Collection: postman/collections/teams.collection.json
OpenAPI: specifications/nodoc-teams/specification/openapi.yml

Deep crawl covered same-origin nav routes plus safe list/detail and report drill-ins
Distinct Teams families now include policy configs, telephony, user analytics, Frontline, devices, CQD data, and add-on licensing
Feature- and tenant-gated surfaces such as Silent Tests, hierarchy operations, and inactive Teams insights are called out explicitly

Browse spec OpenAPI source Download collection

Viva

1 published API

Viva Engage

5 opsAdvanced

Authenticated Viva Engage admin coverage now documents the same-origin persisted GraphQL contract, the bearer-backed token helper observed behind engage.cloud.microsoft/main/admin, and the transient Yammer-era realtime relay chain bootstrapped from RealtimeConnectionSettingsClients, together with direct-route captures for segmentation and external-network admin pages.

Quality: standardized nav · complete metadata · no placeholders · 4 response examples

Auth: MSAL PKCE bearer token + same-origin GraphQL
Base URL: https://engage.cloud.microsoft
Collection: postman/collections/viva-engage.collection.json
OpenAPI: specifications/nodoc-viva-engage/specification/openapi.yml

Same-origin /graphql admin endpoint documented from authenticated landing and direct-route captures, including RealtimeConnectionSettingsClients returning relay base URLs
Direct-route captures resolved /main/admin/segmentation, /main/admin/external-networks-settings, and /main/admin/setup-external-network
Cross-host GET /api/v1/oauth2/aad_access_token plus transient *.rt.yammer.com/cometd/handshake, /cometd/, and /cometd/connect relay endpoints documented from the live admin session
Live capture confirmed bearer auth on GraphQL and token-helper requests, while realtime relay auth moved into redacted Bayeux payload fields without cookie headers

Browse spec OpenAPI source Download collection

M365 Apps admin center

3 published APIs

M365 Apps Config

23 opsAdvanced

Cloud Update, servicing profiles, policy management, device configuration, rollout metadata, and portal bootstrap state from the M365 Apps admin center.

Quality: standardized nav · complete metadata · no placeholders · 5 response examples

Auth: Portal bearer token + diagnostic headers
Base URL: https://config.office.com
Collection: postman/collections/m365-apps-config.collection.json
OpenAPI: specifications/nodoc-m365-apps-config/specification/openapi.yml

Servicing profiles, tenant rules, and exclusion windows
Policy settings catalog and Office Customization Tool save flows
Browser bearer tokens with portal diagnostic headers modeled in-spec

Browse spec OpenAPI source Download collection

M365 Apps Services

9 opsGrowing

Shared M365 Apps service coverage for onboarding state, feature availability, release catalogs, component sharding, and OneDrive Sync health.

Quality: standardized nav · complete metadata · no placeholders · 1 response examples

Auth: Portal bearer token + diagnostic headers
Base URL: https://clients.config.office.net
Collection: postman/collections/m365-apps-services.collection.json
OpenAPI: specifications/nodoc-m365-apps-services/specification/openapi.yml

Eligibility and feature provisioning state
Release catalogs, setup state, and component mappings
Shared services host used across Cloud Update, Device Configuration, and OneDrive Sync

Browse spec OpenAPI source Download collection

M365 Apps Inventory

27 opsGrowing

Device inventory, build currency, add-ins, setup state, and security update status from the M365 Apps admin center inventory surface.

Quality: standardized nav · complete metadata · no placeholders · 1 response examples

Auth: Portal bearer token + diagnostic headers
Base URL: https://query.inventory.insights.office.net
Collection: postman/collections/m365-apps-inventory.collection.json
OpenAPI: specifications/nodoc-m365-apps-inventory/specification/openapi.yml

Device/build inventory with OData-style query support
Add-ins, languages, Office applications, and onboarding state
Setup and security-currency write flows captured from portal saves

Browse spec OpenAPI source Download collection

Intune admin center

2 published APIs

Intune Autopatch

53 opsAdvanced

Windows Autopatch tenant state, roles, groups, messages, support, and reporting surfaces from the Intune admin center.

Quality: standardized nav · complete metadata · 2 placeholders · 4 response examples

Auth: Portal bearer token + x-ms portal headers
Base URL: https://services.autopatch.microsoft.com
Collection: postman/collections/intune-autopatch.collection.json
OpenAPI: specifications/nodoc-intune-autopatch/specification/openapi.yml

Tenant resolution, feature enablement, and admin actions
Autopatch roles, permissions, scope tags, and role assignments
Messages, support flows, and quality/feature update reporting summaries, details, distinct filters, and export helpers

Browse spec OpenAPI source Download collection

Intune Portal

5 opsAdvanced

Same-origin Intune admin center experimentation and persistent portal settings storage used across tenant administration blades.

Quality: standardized nav · complete metadata · 1 placeholders · 3 response examples

Auth: Portal bearer token + same-origin portal context
Base URL: https://intune.microsoft.com/api
Collection: postman/collections/intune-portal.collection.json
OpenAPI: specifications/nodoc-intune-portal/specification/openapi.yml

Extension flighting for Intune, PIM, and Azure Monitor blades
Persistent storage namespace reads via Settings/Select
Portal settings writes via Settings/Update

Browse spec OpenAPI source Download collection

Power Platform admin center

1 published API

Power Platform

244 opsGrowing

Exhaustive admin-center coverage across Business App Platform, analytics, licensing, Dataverse CRM, Power Pages portal infrastructure, tenant governance, notifications, and internal portal helpers used by the Power Platform admin center.

Quality: standardized nav · complete metadata · 1 placeholders · 1 response examples

Auth: Portal bearer tokens + service-specific audiences
Base URL: https://api.bap.microsoft.com
Collection: postman/collections/power-platform.collection.json
OpenAPI: specifications/nodoc-power-platform/specification/openapi.yml

Nine backend families spanning Business App Platform, admin analytics, config analytics, licensing, tenant API, notifications, admin portal, Dynamics CRM, and Power Pages portal infrastructure
Same-origin crawl coverage from left-nav, list/detail drill-ins, read-only pivots, and safe report interactions across manage, security, monitor, deployment, licensing, and support blades
Tenant-dependent no-data, feature-limited, missing-link, and permission-limited surfaces called out from the live crawl

Browse spec OpenAPI source Download collection

Entra portal

5 published APIs

Entra IAM

286 opsFoundational

Deep IAM coverage spanning users, groups, applications, policies, directories, MFA, and related admin workflows.

Quality: standardized nav · complete metadata · 73 placeholders · 14 response examples

Auth: Delegated OAuth2 + X-Ms-Client-Request-Id
Base URL: https://main.iam.ad.ext.azure.com/api
Collection: postman/collections/entra-iam.collection.json
OpenAPI: specifications/nodoc-ibiza-iam/specification/openapi.yml

Delegated-only Azure AD OAuth2 flow documented in-spec
Azure Portal and Azure CLI pre-consent guidance included
Largest modeled surface in the repository

Browse spec OpenAPI source Download collection

Entra PIM

16 opsAdvanced

Privileged Identity Management role assignments, requests, permissions, and role-setting workflows.

Quality: standardized nav · complete metadata · no placeholders · 3 response examples

Auth: Azure AD bearer token
Base URL: https://api.azrbac.mspim.azure.com
Collection: postman/collections/entra-pim.collection.json
OpenAPI: specifications/nodoc-entra-pim/specification/openapi.yml

Entra roles, Azure resource roles, and group-based PIM
Role activation, assignment, and removal requests
Feature- and permission-gated surfaces called out in descriptions

Browse spec OpenAPI source Download collection

Entra IGA

11 opsAdvanced

Legacy Identity Governance administration coverage for entitlement management, guest billing, connected organizations, and governance settings.

Quality: standardized nav · complete metadata · no placeholders · 3 response examples

Auth: Azure AD bearer token
Base URL: https://elm.iga.azure.com
Collection: postman/collections/entra-iga.collection.json
OpenAPI: specifications/nodoc-entra-iga/specification/openapi.yml

Legacy/non-Graph governance surfaces observed in the portal
Entitlement management, billing, and governance admin endpoints
License-gated behavior noted in descriptions

Browse spec OpenAPI source Download collection

Entra IDGov

17 opsAdvanced

Access Reviews and approval workflow coverage including providers, requests, decisions, and feature flags.

Quality: standardized nav · complete metadata · no placeholders · 4 response examples

Auth: Azure AD bearer token
Base URL: https://api.accessreviews.identitygovernance.azure.com
Collection: postman/collections/entra-idgov.collection.json
OpenAPI: specifications/nodoc-entra-idgov/specification/openapi.yml

Provider-based routing guidance documented
Access review instances and configuration surfaces
Partner settings and feature-flag endpoints included

Browse spec OpenAPI source Download collection

Entra B2C

6 opsAdvanced

External ID / B2C admin flows, user journeys, tenant information, and initialization-related endpoints.

Quality: standardized nav · complete metadata · no placeholders · 3 response examples

Auth: Azure AD bearer token + tenantId query context
Base URL: https://main.b2cadmin.ext.azure.com
Collection: postman/collections/entra-b2c.collection.json
OpenAPI: specifications/nodoc-entra-b2c/specification/openapi.yml

User flow and custom policy surfaces
Required tenantId context documented
Feature-gated behavior described for non-B2C tenants

Browse spec OpenAPI source Download collection

Access models

The main usability difference between portals is how you obtain and preserve auth context.

Portal session cookies

Defender and Purview rely on the portal's sccauth cookie and an authenticated browser session.

Portals: Defender, Purview

Portal session + same-origin XHR

Exchange uses the authenticated Exchange admin center browser session with .AspNetCore.Cookies and same-origin x-requested-with: XMLHttpRequest requests.

Portals: Exchange

Portal session + same-origin context

Purview Portal uses the same sccauth browser session, but its same-origin /api/ calls also depend on portal bootstrap state and are where Purview mints downstream bearer tokens.

Portals: Purview Portal

Portal session + custom headers

M365 Admin requires AjaxSessionKey plus portal routing and hosting headers extracted from the admin shell.

Portals: M365 Admin

Portal session + SharePoint digest

SharePoint uses the tenant's -admin.sharepoint.com browser session together with same-origin SharePoint headers such as x-requestdigest, SdkVersion, and odata-version on POST requests.

Portals: SharePoint

Portal bearer tokens + regional discovery

Teams admin center uses browser-acquired bearer tokens across multiple Teams and Office service hosts, plus same-origin portal context for /api/log and resolver calls that map the tenant to regional backends.

Portals: Teams

MSAL PKCE bearer token + same-origin GraphQL

Viva Engage admin uses a browser-acquired bearer token from the Engage MSAL PKCE flow with the Yammer user_impersonation scope, then calls same-origin persisted GraphQL on engage.cloud.microsoft, a bearer-backed token helper on api.engage.cloud.microsoft, and a transient *.rt.yammer.com Bayeux relay chain whose auth material is carried in the handshake body rather than in Authorization or cookie headers. No cookie header was observed on the authenticated admin API requests captured for this pass.

Portals: Viva Engage

Portal bearer tokens + diagnostic headers

M365 Apps uses browser-obtained bearer tokens together with diagnostic headers such as x-api-name, x-correlationid, x-manageoffice-client-sid, and x-requested-with.

Portals: M365 Apps Config, M365 Apps Services, M365 Apps Inventory

Portal bearer tokens + service-specific audiences

Power Platform reuses browser-obtained bearer tokens from the admin center, but different backends expect different audiences plus portal context headers such as correlation IDs, session IDs, tenant IDs, and app identifiers.

Portals: Power Platform

Portal bearer tokens

Intune Portal and Intune Autopatch use browser-obtained bearer tokens plus same-origin cookies or portal headers from the authenticated Intune session.

Portals: Intune Portal, Intune Autopatch

Delegated OAuth2

Entra IAM uses the ADIbizaUX resource with delegated user auth only and typically needs X-Ms-Client-Request-Id.

Portals: Entra IAM

Azure AD bearer tokens

Entra PIM, IGA, IDGov, and B2C use Azure AD bearer tokens, with tenant- or feature-specific constraints on top.

Portals: Entra PIM, Entra IGA, Entra IDGov, Entra B2C

Safe usage defaults

If you are new to these APIs, start conservative and validate from the portal outward.

These are undocumented Microsoft portal APIs and may change without notice.

Prefer browser traffic inspection, spec review, and GET-only validation before attempting writes.

Use a non-production tenant for any endpoint that could create, modify, or delete configuration or identity state.

If you need to map POST/PATCH/DELETE behavior safely, observe portal traffic and request bodies without replaying them until you understand the side effects.

Read launch guidance View checked-in collections