Merge pull request #28875 from microsoftgraph/main

Merge to publish.

Author: Danipocket

api-reference/beta/api/accessreviewhistorydefinition-list-instances.md

@@ -126,4 +126,4 @@ Content-Type: application/json
         }
     ]
 }
-```
+```

api-reference/beta/api/filestoragecontainer-patch-permissions.md

@@ -0,0 +1,235 @@
+---
+title: "Upsert permissions"
+description: "Upsert (create or update) up to 10 permissions on a fileStorageContainer in a single request."
+author: "RushwantKoppolu"
+ms.localizationpriority: medium
+ms.subservice: "onedrive"
+doc_type: apiPageType
+ms.date: 05/11/2026
+---
+
+# Upsert permissions
+
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Upsert (create or update) up to 10 [permission](../resources/permission.md) objects on a [fileStorageContainer](../resources/filestoragecontainer.md) in a single request. Delta patch allows the caller to perform multiple operations (create, update) on multiple permissions with a single request.
+
+> [!IMPORTANT]
+> Permissions added to a [fileStorageContainer](../resources/filestoragecontainer.md) apply to all its [driveItem](../resources/driveitem.md) objects, regardless of any unique or restrictive permissions applied to those items.
+
+[!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- { "blockType": "permissions", "name": "filestoragecontainer_patch_permissions" } -->
+[!INCLUDE [permissions-table](../includes/permissions/filestoragecontainer-patch-permissions-permissions.md)]
+
+[!INCLUDE [app-permissions](../includes/sharepoint-embedded-app-permissions.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+```HTTP
+PATCH /storage/fileStorage/containers/{containerId}/permissions
+```
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+|Content-Type|application/json. Required.|
+
+## Request body
+
+In the request body, supply a JSON object with the following properties.
+
+|Name|Type|Description|
+|:---|:---|:---|
+|@context|String|OData annotation that identifies the payload type. Must be set to `#$delta` to signal a delta patch operation. Required.|
+|value|[permission](../resources/permission.md) collection|A collection of up to 10 **permission** objects to process. Required.|
+
+Each entry in the **value** collection represents one operation on a [permission](../resources/permission.md). The presence of the **id** property determines how the entry is interpreted. Include the ID of an existing permission to update it, or omit the ID to create a new permission.
+
+Each entry supports the following properties and annotations:
+
+|Name|Type|Description|
+|:---|:---|:---|
+|id|String|The ID of the existing permission. When the ID is present, the item is treated as an update. When the ID is omitted, the item is treated as a create operation. Optional.|
+|grantedToV2|[sharePointIdentitySet](../resources/sharepointidentityset.md)|For user-type permissions, specify the details of the user for this permission. Required for create operations. Don't specify for update operations.|
+|roles|String collection|The type of permission to grant. The possible values are: `reader`, `writer`, `manager`, `owner`. Required for both create and update operations.|
+|@microsoft.graph.conflictBehavior|String|An annotation parameter that controls behavior when the target identity is already a member of the container with a different role. Possible values are: `fail`, `replace`. The default value is `fail`. Applies only to create operations. Optional.|
+
+The **@microsoft.graph.conflictBehavior** annotation is per item. The default value `fail` causes the item to fail with a per-item `409 Conflict` response code. The value `replace` replaces the existing role for the identity with the role specified in the item, and the item succeeds. Any other value causes the item to fail with a per-item `400 Bad Request` response code.
+
+Update items must not include properties other than ID and roles. The **roles** property is required. Items that violate either rule fail with a per-item `400 Bad Request` response code.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [permission](../resources/permission.md) objects in the response body. Permissions that are processed successfully include a **permission** object. Failed items include a **@Core.DataModificationException** annotation with error details.
+
+This API might also return the following error response codes for the entire request:
+
+|HTTP code|Description|
+|:---|:---|
+|400|Bad request.|
+|401|Request lacks valid authentication credentials.|
+|403|Provided authentication credentials are valid but insufficient to perform requested operation. Example scenarios: The calling app doesn't have permission to manage permissions for containers of this type, or the calling user has no permissions on this container instance, or their role doesn't allow container permission management.|
+|404|Container doesn't exist.|
+|423|Container is locked. For example, the container is archived.|
+
+## Examples
+
+### Request
+
+The following example shows a single delta patch request that mixes create and update items in one call. Items without an ID are treated as create operations; items with an ID are treated as update operations. Items that fail are reported inline with a **@Core.DataModificationException** annotation. The remaining items still succeed.
+
+<!-- {
+  "blockType": "request",
+  "name": "patch_permissions_beta"
+}
+-->
+```http
+PATCH https://graph.microsoft.com/beta/storage/fileStorage/containers/b!ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z/permissions
+Content-Type: application/json
+
+{
+  "@context": "#$delta",
+  "value": [
+    {
+      "roles": ["reader"],
+      "grantedToV2": {
+        "user": {
+          "userPrincipalName": "alex@contoso.com"
+        }
+      }
+    },
+    {
+      "@microsoft.graph.conflictBehavior": "replace",
+      "roles": ["writer"],
+      "grantedToV2": {
+        "user": {
+          "userPrincipalName": "kate@contoso.com"
+        }
+      }
+    },
+    {
+      "roles": ["owner"],
+      "grantedToV2": {
+        "user": {
+          "userPrincipalName": "mike@contoso.com"
+        }
+      }
+    },
+    {
+      "id": "X2k6MCMuZnxtZW1iZXJzaGlwfGFsZXhAY29udG9zby5jb20",
+      "roles": ["manager"]
+    },
+    {
+      "id": "X2k6MCMuZnxtZW1iZXJzaGlwfG5vdGFmb3VuZEBjb250b3NvLmNvbQ",
+      "roles": ["manager"]
+    }
+  ]
+}
+```
+
+### Response
+
+The following example shows the response. The first two create operations succeed. The second operation replaces the existing role for the target user. The third create operation fails because the identity is already a member of the container with a different role. The first update operation succeeds. The second update operation fails because no permission with that ID exists.
+
+>**Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "Collection(microsoft.graph.permission)"
+}
+-->
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "@odata.context": "https://graph.microsoft.com/beta/$metadata#storage/fileStorage/containers('b%21ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z')/permissions/$delta",
+  "value": [
+    {
+      "id": "X2k6MCMuZnxtZW1iZXJzaGlwfGFsZXhAY29udG9zby5jb20",
+      "roles": [
+        "reader"
+      ],
+      "grantedToV2": {
+        "user": {
+          "displayName": "Alex Wilson",
+          "id": "1a2b3c4d-1111-2222-3333-444455556666",
+          "userPrincipalName": "alex@contoso.com"
+        }
+      }
+    },
+    {
+      "id": "X2k6MCMuZnxtZW1iZXJzaGlwfGthdGVAY29udG9zby5jb20",
+      "roles": [
+        "writer"
+      ],
+      "grantedToV2": {
+        "user": {
+          "displayName": "Kate Brown",
+          "id": "2b3c4d5e-2222-3333-4444-555566667777",
+          "userPrincipalName": "kate@contoso.com"
+        }
+      }
+    },
+    {
+      "@Core.DataModificationException": {
+        "@odata.type": "#Org.OData.Core.V1.DataModificationExceptionType",
+        "failedOperation": "Create",
+        "responseCode": 409,
+        "info": {
+          "code": "Conflict",
+          "message": "Conflict: this identity is a [Reader] member of the container and cannot be added to the [Owner] role."
+        }
+      },
+      "id": "00000000-0000-0000-0000-000000000000",
+      "roles": [
+        "owner"
+      ],
+      "grantedToV2": {
+        "user": {
+          "userPrincipalName": "mike@contoso.com"
+        }
+      }
+    },
+    {
+      "id": "X2k6MCMuZnxtZW1iZXJzaGlwfGFsZXhAY29udG9zby5jb20",
+      "roles": [
+        "manager"
+      ],
+      "grantedToV2": {
+        "user": {
+          "displayName": "Alex Wilson",
+          "id": "1a2b3c4d-1111-2222-3333-444455556666",
+          "userPrincipalName": "alex@contoso.com"
+        }
+      }
+    },
+    {
+      "@Core.DataModificationException": {
+        "@odata.type": "#Org.OData.Core.V1.DataModificationExceptionType",
+        "failedOperation": "Update",
+        "responseCode": 404,
+        "info": {
+          "code": "NotFound",
+          "message": "Item not found."
+        }
+      },
+      "id": "X2k6MCMuZnxtZW1iZXJzaGlwfG5vdGFmb3VuZEBjb250b3NvLmNvbQ"
+    }
+  ]
+}
+```

api-reference/beta/api/group-list.md

@@ -19,6 +19,9 @@ List all the [groups](../resources/group.md) available in an organization, exclu
 
 This operation returns by default only a subset of the more commonly used properties for each group. These _default_ properties are noted in the [Properties](../resources/group.md#properties) section. To get properties that are _not_ returned by default, do a [GET operation](group-get.md) for the group and specify the properties in a `$select` OData query option. The **hasMembersWithLicenseErrors** and **isArchived** properties are an exception and are not returned in the `$select` query.
 
+> [!NOTE]
+> This request might have replication delays for groups that were recently created, updated, or deleted. Recently created or updated groups might not appear in results immediately, and recently deleted groups might still appear in results briefly. Retry the request after a brief delay. For more information, see [Designing for Eventual Consistency for Microsoft Entra](https://devblogs.microsoft.com/identity/designing-for-eventual-consistency-for-microsoft-entra/).
+
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
 
 ## Permissions

api-reference/beta/api/group-post-members.md

@@ -17,6 +17,14 @@ Namespace: microsoft.graph
 
 Add a member to a security or Microsoft 365 [group](../resources/group.md). When using the API to add multiple members in one request, you can add up to only 20 members. 
 
+> [!NOTE]
+> This request might have replication delays for groups that were recently created. When a group is created, it can take a short time for the object to fully replicate across Microsoft Entra ID directory replicas. During this window, requests to add members to the group might return a `400 Bad Request` error with the message: *"The source resource object or one of the objects being referenced do not exist."*
+>
+> To mitigate this behavior:
+> - **Retry after a brief delay** — wait a few seconds and retry the request. The delay is typically brief.
+>
+> For more information, see [Designing for Eventual Consistency for Microsoft Entra](https://devblogs.microsoft.com/identity/designing-for-eventual-consistency-for-microsoft-entra/).
+
 [!INCLUDE [groups-allowed-member-types](../../../concepts/includes/groups-allowed-member-types.md)]
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
@@ -80,7 +88,7 @@ When using the `PATCH /groups/{group-id}` syntax, supply a JSON object that cont
 
 ## Response
 
-If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group or is unsupported as a group member. It returns a `404 Not Found` response code when the object being added doesn't exist. It returns `403 Unauthorized` in one of the following scenarios:
+If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group, is unsupported as a group member, or when the group was recently created and hasn't fully replicated (error message: *"The source resource object or one of the objects being referenced do not exist."* — retry after a brief delay). It returns a `404 Not Found` response code when the object being added doesn't exist. It returns `403 Forbidden` in one of the following scenarios:
 - You're attempting to add a member to a [group that can't be managed through Microsoft Graph](../resources/groups-overview.md#types-of-groups-supported-in-microsoft-graph). This API supports only security and Microsoft 365 groups.
 - You're attempting to add a member you don't have permissions to add. Refer to the preceding [Permissions](#permissions) section for the permissions required to add different member types.
 - You're attempting to add a member to a role-assignable group and you don't have the required permissions.

api-reference/beta/api/group-update.md

@@ -17,6 +17,14 @@ Namespace: microsoft.graph
 
 Update the properties of a [group](../resources/group.md) object.
 
+> [!NOTE]
+> When you use `members@odata.bind` to add members via `PATCH`, this request might have replication delays for groups that were recently created. It can take a short time for the group object to fully replicate across Microsoft Entra ID directory replicas. During this window, requests to add members to the group might return a `400 Bad Request` error with the message: *"The source resource object or one of the objects being referenced do not exist."*
+>
+> To mitigate this behavior:
+> - **Retry after a brief delay** — wait a few seconds and retry the request. The delay is typically brief.
+>
+> For more information, see [Designing for Eventual Consistency for Microsoft Entra](https://devblogs.microsoft.com/identity/designing-for-eventual-consistency-for-microsoft-entra/).
+
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
 
 ## Permissions
@@ -81,6 +89,12 @@ Use this API to manage the [directory, schema, and open extensions](/graph/exten
 
 If successful, this method returns a `204 No Content` response code—except a `200 OK` response code when updating the following properties: **allowExternalSenders**, **autoSubscribeNewMembers**, **hideFromAddressLists**, **hideFromOutlookClients**, **isSubscribedByMail**, **unseenCount**, **welcomeMessageEnabled**.
 
+### Errors
+
+| Status code | Error code | Error message | Description |
+|-------------|------------|---------------|-------------|
+| `400 Bad Request` | `Request_BadRequest` | "The source resource object or one of the objects being referenced do not exist." | The group was recently created and hasn't fully replicated across all directory replicas. This error is specific to link-write operations (adding members via `members@odata.bind`). Retry the request after a brief delay. |
+
 ## Examples
 
 ### Example 1: Update display name and description of a group

api-reference/beta/api/oauth2permissiongrant-get.md

@@ -19,7 +19,7 @@ Retrieve the properties of a single delegated permission grant represented by an
 An **oAuth2PermissionGrant** represents delegated permissions which have been granted for a client application to access an API on behalf of a signed-in user.
 
 > [!NOTE]
-> This request might have replication delays for delegated permission grants that were recently created, updated, or deleted.
+> This request might have replication delays for delegated permission grants that were recently created, updated, or deleted. Learn more in [Designing for eventual consistency for Microsoft Entra](https://devblogs.microsoft.com/identity/designing-for-eventual-consistency-for-microsoft-entra/).
 
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]

api-reference/beta/api/oauth2permissiongrant-list.md

@@ -17,7 +17,7 @@ Namespace: microsoft.graph
 Retrieve a list of [oAuth2PermissionGrant](../resources/oauth2permissiongrant.md) objects, representing delegated permissions which have been granted for client applications to access APIs on behalf of signed-in users.
 
 > [!NOTE]
-> This request might have replication delays for delegated permission grants that were recently created, updated, or deleted. This delay will be minimized if a filter on `clientId` is specified.
+> This request might have replication delays for delegated permission grants that were recently created, updated, or deleted. This delay will be minimized if a filter on `clientId` is specified. Learn more in [Designing for eventual consistency for Microsoft Entra](https://devblogs.microsoft.com/identity/designing-for-eventual-consistency-for-microsoft-entra/).
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
 

api-reference/beta/api/rbacapplication-list-transitiveroleassignments.md

@@ -20,7 +20,7 @@ Get the list of direct and transitive [unifiedRoleAssignment](../resources/unifi
 For more information, see [Use Microsoft Entra groups to manage role assignments](/azure/active-directory/roles/groups-concept).
 
 > [!NOTE]
-> This request might have replication delays for role assignments that were recently created, updated, or deleted.
+> This request might have replication delays for role assignments that were recently created, updated, or deleted. Learn more in [Designing for eventual consistency for Microsoft Entra](https://devblogs.microsoft.com/identity/designing-for-eventual-consistency-for-microsoft-entra/).
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
 

api-reference/beta/api/serviceprincipal-list-approleassignedto.md

@@ -18,7 +18,7 @@ Retrieve all clients (users, groups, or client service principals) that have an
 
 For example, if the resource service principal is the service principal for the Microsoft Graph API, this API returns all service principals that have been granted any app-only permissions to Microsoft Graph. If the resource service principal is an application with app roles granted to users and groups, this API returns all the users and groups assigned app roles for this application.
 
->**Note** This request might have replication delays for app role assignments that were recently granted or removed.
+>**Note** This request might have replication delays for app role assignments that were recently granted or removed. Learn more in [Designing for eventual consistency for Microsoft Entra](https://devblogs.microsoft.com/identity/designing-for-eventual-consistency-for-microsoft-entra/).
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
 

api-reference/beta/api/serviceprincipal-list-approleassignments.md

@@ -19,7 +19,7 @@ Retrieve the list of [appRoleAssignment](../resources/approleassignment.md) that
 App roles that are assigned to service principals are also known as [application permissions](/azure/active-directory/develop/v2-permissions-and-consent#permission-types). Application permissions can be granted directly by creating app role assignments, or through a [consent experience](/azure/active-directory/develop/application-consent-experience).
 
 
->**Note** This request might have replication delays for app role assignments that were recently granted or removed.
+>**Note** This request might have replication delays for app role assignments that were recently granted or removed. Learn more in [Designing for eventual consistency for Microsoft Entra](https://devblogs.microsoft.com/identity/designing-for-eventual-consistency-for-microsoft-entra/).
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]