Table of Contents
What is the additionalProperties Property and What is Its Purpose?
Experienced PowerShell developers who are accustomed to working with modules like the Exchange Online management module or old AzureAD module often express surprise when they see how Microsoft Graph PowerShell SDK cmdlets return objects. Anyone who’s used to getting objects full of nice well-formed properties might be confused when they discover that cmdlets like Get-MgUserMemberOf and Get-MgGroupMember only return a couple of properties, including the identifiers (GUIDs) for matching objects. The immediate conclusion might be that the identifiers are necessary to retrieve the full set of object properties with a separate call. In fact, the cmdlets usually return additional information for objects in a property aptly named additionalProperties.
This behavior naturally creates the question why does the Microsoft Graph PowerShell SDK use the additionalProperties property to hold so much valuable information? The reason lies in the way that the AutoRest process generates Graph SDK cmdlets from the OpenAPI descriptions for Graph APIs.
AutoRest and OpenAPI Descriptions
Microsoft uses a process called AutoRest to convert the OpenAPI specifications for Graph APIs into the modules and cmdlets that form the Microsoft Graph PowerShell SDK (AutoRest is also used to create other SDKs).
When AutoRest runs to create a new version of the Microsoft Graph PowerShell SDK, it checks the output that each cmdlet should produce. However, many of the output properties for Graph queries are dynamic and cannot be converted by AutoRest into strongly-typed PowerShell properties. AutoRest works around this problem by making cmdlets generate normal PowerShell properties for Graph properties of a known type and capturing anything that isn’t a known typed property (like an array or string) in a catch-all PowerShell dictionary called additionalProperties. This implementation is in line with the OpenAPI rules for handling data that is not explicitly defined in the schema.
For example, the Get-MgDirectoryDeletedItem cmdlet fetches details of soft-deleted Entra ID objects. The only strongly-typed properties defined for the cmdlet are Id and DeletedDateTime, which is why we see these properties when the cmdlet is run to fetch details of a soft-deleted group:
Get-MgDirectoryDeletedItem -DirectoryObjectId $GroupId Id DeletedDateTime -- --------------- bfa786a7-2394-495b-9e9e-a8b52c9ee3be 07/03/2026 12:38:30
Most of the properties describing the deleted group is in additionalProperties:
(Get-MgDirectoryDeletedItem -DirectoryObjectId $GroupId).additionalProperties
Key Value
--- -----
@odata.context https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity
@odata.type #microsoft.graph.group
createdDateTime 2021-11-01T17:52:57Z
creationOptions {}
description Case studies
displayName Customer Case Studies
expirationDateTime 2027-08-22T08:07:44Z
However, if you run the Get-MgDirectoryDeletedGroup cmdlet instead of Get-MgDirectoryDeletedItem, more properties are returned. As discussed below, this is because Get-MgDirectoryDeletedItem can process many different types of soft-deleted Entra ID objects, so the set of properties it outputs are those common to all objects. By comparison, Get-MgDirectoryDeletedGroup only handles soft-deleted groups, so the set of strongly-typed properties is larger:
Get-MgDirectoryDeletedGroup | Format-Table DisplayName, Description, Id DisplayName Description Id ----------- ----------- -- Azure AD Testers People who do early testing of Azure AD features 36fcfd60-9ad8-48ed-8c3c-ef36fc5d0c94
The additionalProperties Hash Table
A PowerShell dictionary is a hash table composed of key value pairs, so the value of a property in the dictionary can be accessed by referencing its name (the key). Be careful with casing. Sometimes it matters and sometimes it doesn’t. It’s safest to use the casing used by the cmdlet when it outputs values held in additionalProperties:
(Get-MgDirectoryDeletedItem -DirectoryObjectId $GroupId).additionalProperties.displayName Customer Case Studies
Similar output is seen in many other Graph SDK cmdlets. For example, here’s the output from Get-MgGroupMember:
Get-MgGroupMember -GroupId $GroupId Id DeletedDateTime -- --------------- 5b52fba5-349e-4624-88cd-d790883fe4c4 a221d10f-e0cf-4a1d-b6a2-4e844670f118 7bfd3f83-be63-4a5a-bbf8-c821e2836920 70ba4f9f-c357-4f08-a746-5d4d03794e3d
To see the display names for the group members, fetch the information from additionalProperties:
(Get-MgGroupMember -GroupId $GroupId).additionalProperties.displayName Ken Bowers Chris Bishop Alain Charnier Marty King
A common requirement for scripts is to create a comma-separated string from properties for report output. The details returned for a group by the Get-MgGroup cmdlet don’t include its owners. To fetch the display names of the group owners, run the Get-MgGroupOwner cmdlet like this:
$Group = (Get-MgGroup -Filter "displayName eq 'Ultra Fans'")
[array]$Owners = Get-MgGroupOwner -GroupId $Group.Id | Select-Object
-ExpandProperty additionalProperties
$OwnersOutput = $Owners.displayName -join ", "
Write-Host ("The owners of the {0} group are {1}" -f $Group.displayName, $OwnersOutput)
You’ll find many examples of using the information held in the additionalProperties hash table in scripts in the Office 365 for IT Pros GitHub repository. For example, the script to replace group owners with PowerShell uses the property in conjunction with the Get-MgUserOwnedObject cmdlet to determine the set of Microsoft 365 groups owned by an account.
When Microsoft Graph PowerShell SDK Cmdlets Generate the additionalProperties Property
AdditionalProperties are encountered most often when:
- A cmdlet can return multiple object types: For instance, the membership of an administrative unit can include user accounts, devices, and groups. The different object types can be distinguished in additionalProperties by the value of the odata.type key. This is the situation when the Get-MgDirectoryDeletedItem cmdlet is used as described above.
- A cmdlet is requested to output a property that is not common to all the object types retrieved by a cmdlet. For example, the City property is available for user objects, but not for groups, so if you include City in the set of properties retrieved by Get-MgGroupMember, the output for the City property is in additionalProperties (but only for user objects).
- A cmdlet expands a navigation property. For example, a user account has a Manager property which points (navigates) to the user account for the user’s Manager. By default, the Manager property is not in the set fetched by the Get-MgUser cmdlet. However, if the Get-MgUser cmdlet includes the ExpandProperty parameter to expand the Manager property, the cmdlet outputs the Manager property with additionalProperties containing details of the manager’s account (Figure 1).
Solving an AutoRest Problem
In summary, the additionalProperties property solves a problem for AutoRest with Graph properties which AutoRest can’t figure out how to deal with. The solution works, even if stuffing the properties and their values into the additionalProperties hash table seems a little strange when first encountered. It’s another of the little foibles that make the Microsoft Graph PowerShell SDK so “interesting” to work with.
Need help to write and manage PowerShell scripts for Microsoft 365, including Azure Automation runbooks? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.