generated: '2026-07-15' method: generated source: openapi/azure-ad-openapi.yml description: Recommended x-agentic-access execution contracts, classified heuristically from the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind audience per deployment. See research/curity/agentic-governance/. summary: operations: 14 by_action_class: connected: 10 acting: 4 by_consequence: read: 10 write: 4 human_in_the_loop_required: 0 operations: - path: /me method: get operationId: getMe x-agentic-access: action-class: connected consequence: read subject: optional scope: - User.Read token: max-ttl: 3600 audit: none - path: /me/photo/$value method: get operationId: getMyPhoto x-agentic-access: action-class: connected consequence: read subject: optional scope: - User.Read token: max-ttl: 3600 audit: none - path: /users method: get operationId: listUsers x-agentic-access: action-class: connected consequence: read subject: optional scope: - User.Read.All token: max-ttl: 3600 audit: none - path: /users method: post operationId: createUser x-agentic-access: action-class: acting consequence: write subject: required scope: - User.ReadWrite.All audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id} method: get operationId: getUser x-agentic-access: action-class: connected consequence: read subject: optional scope: - User.Read.All token: max-ttl: 3600 audit: none - path: /users/{id} method: patch operationId: updateUser x-agentic-access: action-class: acting consequence: write subject: required scope: - User.ReadWrite.All audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id} method: delete operationId: deleteUser x-agentic-access: action-class: acting consequence: write subject: required scope: - User.ReadWrite.All audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/manager method: get operationId: getUserManager x-agentic-access: action-class: connected consequence: read subject: optional scope: - User.Read.All token: max-ttl: 3600 audit: none - path: /users/{id}/directReports method: get operationId: listDirectReports x-agentic-access: action-class: connected consequence: read subject: optional scope: - User.Read.All token: max-ttl: 3600 audit: none - path: /groups method: get operationId: listGroups x-agentic-access: action-class: connected consequence: read subject: optional scope: - Group.Read.All token: max-ttl: 3600 audit: none - path: /groups method: post operationId: createGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - Group.ReadWrite.All audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /groups/{id} method: get operationId: getGroup x-agentic-access: action-class: connected consequence: read subject: optional scope: - Group.Read.All token: max-ttl: 3600 audit: none - path: /applications method: get operationId: listApplications x-agentic-access: action-class: connected consequence: read subject: optional scope: - Application.Read.All token: max-ttl: 3600 audit: none - path: /directoryRoles method: get operationId: listDirectoryRoles x-agentic-access: action-class: connected consequence: read subject: optional scope: - Directory.Read.All token: max-ttl: 3600 audit: none