REST API overview
Adaxes REST API makes it possible to interact with Adaxes over HTTP. It enables you to perform operations in your directory, Exchange, Microsoft 365, and benefit from Adaxes functionality, like business rules or property patterns. For example, you can send a request to create a user account, and Adaxes will work through the entire user provisioning process, based on the automated workflows you have configured.
Installation
To start using Adaxes REST API, you need to install the REST API component. The base URL for your REST API is determined during the installation and consists of the DNS host name of the computer where the component is installed, and the IIS virtual directory name specified during the installation. For example:
https://host.domain.com/restApi
Configuration
REST API will work out-of-the-box after installing it. Configuring REST API primarily means disabling certain API features for security reasons or otherwise. For example, you can disallow user deletion via REST API, or disallow executing a specific custom command. Here is a list of settings you can configure:
- Restrict access to REST API
- Restrict allowed operations and custom commands
- Restrict access to directory objects
- Configure brute force protection
- Specify property for object display names
Load balancing
If you have multiple instances of the Adaxes service that share common configuration, the REST API will take advantage of the load balancing and fault tolerance mechanism of Adaxes. A REST API client (e.g. your custom application) is not bound to a single Adaxes service. If the client stops sending requests for several minutes, Adaxes will reevaluate which service should handle new requests, based on its load balancing algorithm. If the currently used service becomes unresponsive, the requests will be automatically redirected to the next available service that shares common configuration. Note also that if the REST API component and an instance of the Adaxes service are installed on the same computer, requests will always be processed by the local service instance if it is available.
Authentication
To authenticate to Adaxes REST API you need an access token. A token can be generated using the New-AdmAccountToken cmdlet from the Adaxes PowerShell module.
Include this token in the Adm-Authorization HTTP header in every request to the API. For example:
curl --header "Adm-Authorization: <token-value>" \
  --get -X GET 'https://host.example.com/restApi/api/directoryObjects' \
  --data-urlencode 'directoryobject=CN=John Smith,CN=Users,DC=example,DC=com'
When you authenticate with an access token, all operations are performed on behalf of the account for which the token was issued. Consequently, all actions are logged in the Adaxes general log as if they were performed by that account.
The token inherits all permissions granted to the account via security roles. If the account's permissions are modified, the token's permissions are updated automatically to reflect these changes.
To view or delete existing tokens, use the Get-AdmAccountToken and Remove-AdmAccountToken cmdlets. The validity of a token is also tied to the status of the associated account. If the account is disabled, expired, or locked out, any tokens issued for it will be rejected by the REST API until the account is restored to an active state.
We recommend creating a dedicated service account to use with the REST API and, optionally, restricting authentication of all other accounts.
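The following Python client is an added example, not part of the Adaxes documentation or product code. It sends the token in the Adm-Authorization header over HTTPS only, keeps the token out of log output, and refuses any request outside a constructed read-only allowlist drawn from the requests table on this page. The class name, the allowlist, and the environment variable names are assumptions.

```python
import os
import urllib.parse
import urllib.request

# Method/endpoint pairs this client may call, taken from the requests table.
# Constructed allowlist for a read-only integration; extend it deliberately.
ALLOWED = {
    ("GET", "/api/directoryObjects"),
    ("GET", "/api/directoryObjects/groupMembers"),
    ("GET", "/api/directoryObjects/businessUnitMembers"),
}


class AdaxesClient:
    def __init__(self, base_url, token):
        parts = urllib.parse.urlsplit(base_url)
        # The token is a bearer credential: never send it over plain HTTP.
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("base URL must be an https:// URL")
        if not token or any(c in token for c in "\r\n"):
            raise ValueError("token is empty or contains line breaks")
        self._base = base_url.rstrip("/")
        self._token = token

    def __repr__(self):
        # Keep the token out of logs and tracebacks.
        return f"AdaxesClient(base={self._base!r}, token=<redacted>)"

    def build(self, method, endpoint, params=None):
        if (method, endpoint) not in ALLOWED:
            raise PermissionError(f"{method} {endpoint} is not allowlisted")
        url = self._base + endpoint
        if params:
            # quote_via=quote encodes spaces as %20 and commas as %2C in DNs.
            url += "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
        req = urllib.request.Request(url, method=method)
        req.add_header("Adm-Authorization", self._token)
        return req

    def send(self, req, timeout=10):
        # urllib verifies the server certificate by default for https URLs.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()


def client_from_env():
    # ADAXES_BASE_URL and ADAXES_TOKEN are hypothetical variable names.
    return AdaxesClient(os.environ["ADAXES_BASE_URL"], os.environ["ADAXES_TOKEN"])
```

Reading the token from the environment of the dedicated service account keeps it out of source control and out of command-line arguments, where other local users could see it in the process list.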
Legacy authentication (Adaxes 2025.1 and older)
For details on how to authenticate to REST API in Adaxes 2025.1 and older, see Authentication (legacy).
Requests
The ~ symbol represents your REST API base URL in all requests referenced in this documentation. The complete URL for each request varies depending on the endpoint of the resource you need to access. The following table lists all available requests and corresponding endpoints:
| Request | Method | Endpoint |
|---|---|---|
| Get directory object | GET | ~/api/directoryObjects |
| Create directory object | POST | ~/api/directoryObjects |
| Update directory object | PATCH | ~/api/directoryObjects |
| Move directory object | POST | ~/api/directoryObjects/move |
| Delete directory object | DELETE | ~/api/directoryObjects |
| Search directory | POST | ~/api/directoryObjects/search |
| Get group members | GET | ~/api/directoryObjects/groupMembers |
| Add group member | POST | ~/api/directoryObjects/groupMembers |
| Remove group member | DELETE | ~/api/directoryObjects/groupMembers |
| Enable account | POST | ~/api/directoryObjects/account/enable |
| Disable account | POST | ~/api/directoryObjects/account/disable |
| Unlock account | POST | ~/api/directoryObjects/account/unlock |
| Reset user password | POST | ~/api/directoryObjects/resetPassword |
| Change user password | POST | ~/api/directoryObjects/changePassword |
| Generate password | POST | ~/api/directoryObjects/passwordUtils/generate |
| Get multifactor authentication status | POST | ~/api/directoryObjects/resetMfa/getStatus |
| Reset multifactor authentication | POST | ~/api/directoryObjects/resetMfa |
| Reset computer | POST | ~/api/directoryObjects/reset |
| Execute custom command | POST | ~/api/directoryObjects/customCommand/execute |
| Get business unit members | GET | ~/api/directoryObjects/businessUnitMembers |
| Get Exchange recipient information | GET | ~/api/directoryObjects/exchange/recipientInfo |
| Create Exchange mailbox | POST | ~/api/directoryObjects/exchange/mailbox |
| Delete Exchange mailbox | DELETE | ~/api/directoryObjects/exchange/mailbox |
| Send email | POST | ~/api/directoryObjects/sendMail |
| Send SMS | POST | ~/api/directoryObjects/sendSMS |