OpenAPI + Postman for internal portal APIs

Documenting undocumented Microsoft portal APIs

Browse 8 portal-backed specs covering Defender XDR, M365 Admin, Purview, and Entra surfaces, with checked-in Postman collections and launch-focused guidance on auth, headers, and safe usage.

Use with care. These APIs are undocumented, unsupported by Microsoft, and may change without notice. Validate with read-only requests first and use non-production tenants for any write testing.
  • 8 published specs
  • 871 modeled operations
  • 4 access models
  • 8 checked-in collections

Coverage

Every published spec has a matching checked-in Postman collection and a live Scalar page in this site.

Security portal

Defender

261 ops

Security operations coverage across alerts, incidents, hunting, endpoint, identity, vulnerability, and exposure workflows.

Auth: Portal session cookie (`sccauth`)
Base URL: https://security.microsoft.com/apiproxy
Collection: postman/collections/defender.collection.json
  • Alerts, incidents, and action center coverage
  • Advanced hunting, custom detections, and live response
  • Endpoint, identity, XSPM, and TVM portal surfaces
Admin portal

M365 Admin

215 ops

Tenant settings, Copilot controls, reports, user and group management, app settings, and admin shell surfaces.

Auth: Portal session cookie + custom admin headers
Base URL: https://admin.cloud.microsoft
Collection: postman/collections/m365-admin.collection.json
  • Copilot, agent, and security settings
  • User, group, tenant, and billing operations
  • Custom portal header requirements modeled in-spec
Security portal

Purview

74 ops

Compliance, governance, eDiscovery, audit, insider risk, and shared data-service coverage from the Purview portal.

Auth: Portal session cookie (`sccauth`)
Base URL: https://purview.microsoft.com/apiproxy
Collection: postman/collections/purview.collection.json
  • Data infrastructure, governance, and compliance manager
  • eDiscovery, audit, DLP devices, and insider risk
  • Shared backend prefixes called out alongside Defender
Entra portal

Entra IAM

277 ops

Deep IAM coverage spanning users, groups, applications, policies, directories, MFA, and related admin workflows.

Auth: Delegated OAuth2 + `X-Ms-Client-Request-Id`
Base URL: https://main.iam.ad.ext.azure.com/api
Collection: postman/collections/entra-iam.collection.json
  • Delegated-only Azure AD OAuth2 flow documented in-spec
  • Azure Portal and Azure CLI pre-consent guidance included
  • Largest modeled surface in the repository
Entra portal

Entra PIM

14 ops

Privileged Identity Management role assignments, requests, permissions, and role-setting workflows.

Auth: Azure AD bearer token
Base URL: https://api.azrbac.mspim.azure.com
Collection: postman/collections/entra-pim.collection.json
  • Entra roles, Azure resource roles, and group-based PIM
  • Role activation, assignment, and removal requests
  • Feature- and permission-gated surfaces called out in descriptions
Entra portal

Entra IGA

14 ops

Identity Governance administration coverage for entitlement management, guest billing, settings, and lifecycle workflows.

Auth: Azure AD bearer token
Base URL: https://elm.iga.azure.com
Collection: postman/collections/entra-iga.collection.json
  • Non-Graph governance surfaces observed in the portal
  • OData query parameters modeled for list endpoints
  • License-gated behavior noted in descriptions
Entra portal

Entra IDGov

11 ops

Access Reviews and approval workflow coverage including providers, requests, decisions, and feature flags.

Auth: Azure AD bearer token
Base URL: https://api.accessreviews.identitygovernance.azure.com
Collection: postman/collections/entra-idgov.collection.json
  • Provider-based routing guidance documented
  • Access review instances and configuration surfaces
  • Partner settings and feature-flag endpoints included
Entra portal

Entra B2C

5 ops

External ID / B2C admin flows, user journeys, tenant information, and initialization-related endpoints.

Auth: Azure AD bearer token + `tenantId` query context
Base URL: https://main.b2cadmin.ext.azure.com
Collection: postman/collections/entra-b2c.collection.json
  • User flow and custom policy surfaces
  • Required `tenantId` context documented
  • Feature-gated behavior described for non-B2C tenants

Access models

The main usability difference between portals is how you obtain and preserve auth context.

Portal session cookies

Defender and Purview rely on the portal's `sccauth` cookie and an authenticated browser session.

Portals: Defender, Purview

Portal session + custom headers

M365 Admin requires `AjaxSessionKey` plus portal routing and hosting headers extracted from the admin shell.

Portals: M365 Admin

Delegated OAuth2

Entra IAM uses the ADIbizaUX resource with delegated user auth only and typically needs `X-Ms-Client-Request-Id`.

Portals: Entra IAM

Azure AD bearer tokens

Entra PIM, IGA, IDGov, and B2C use Azure AD bearer tokens, with tenant- or feature-specific constraints on top.

Portals: Entra PIM, Entra IGA, Entra IDGov, Entra B2C

Safe usage defaults

If you are new to these APIs, start conservative and validate from the portal outward.

  • These are undocumented Microsoft portal APIs and may change without notice.
  • Prefer browser traffic inspection, spec review, and GET-only validation before attempting writes.
  • Use a non-production tenant for any endpoint that could create, modify, or delete configuration or identity state.
  • If you need to map POST/PATCH/DELETE behavior safely, observe portal traffic and request bodies without replaying them until you understand the side effects.