DelegatedAdminRelationship.ReadWrite.All

Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers as well as role assignments to security groups for active Delegated Admin relationships on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the DelegatedAdminRelationship.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	cc13eba4-8cd8-44c6-b4d4-f93237adce58	885f682f-a990-4bad-a642-36736a74b0c7
DisplayText	Manage Delegated Admin relationships with customers	Manage Delegated Admin relationships with customers
Description	Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships without a signed-in user.	Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers as well as role assignments to security groups for active Delegated Admin relationships on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}
	DELETE /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments/{delegatedAdminAccessAssignmentId}
	GET /tenantRelationships/delegatedAdminCustomers
	GET /tenantRelationships/delegatedAdminCustomers/{delegatedAdminCustomerId}
	GET /tenantRelationships/delegatedAdminCustomers/{delegatedAdminCustomerId}/serviceManagementDetails
	GET /tenantRelationships/delegatedAdminRelationships
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments/{delegatedAdminAccessAssignmentId}
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/operations
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/operations/{delegatedAdminRelationshipOperationId}
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/requests
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/requests/{delegatedAdminRelationshipRequestId}
	PATCH /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}
	PATCH /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments/{delegatedAdminAccessAssignmentId}
	POST /tenantRelationships/delegatedAdminRelationships
	POST /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments
	POST /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/requests

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}
	DELETE /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments/{delegatedAdminAccessAssignmentId}
	GET /tenantRelationships/delegatedAdminCustomers
	GET /tenantRelationships/delegatedAdminCustomers/{delegatedAdminCustomerId}
	GET /tenantRelationships/delegatedAdminCustomers/{delegatedAdminCustomerId}/serviceManagementDetails
	GET /tenantRelationships/delegatedAdminRelationships
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments/{delegatedAdminAccessAssignmentId}
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/operations
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/operations/{delegatedAdminRelationshipOperationId}
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/requests
	GET /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/requests/{delegatedAdminRelationshipRequestId}
	PATCH /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}
	PATCH /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments/{delegatedAdminAccessAssignmentId}
	POST /tenantRelationships/delegatedAdminRelationships
	POST /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/accessAssignments
	POST /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}/requests

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgTenantRelationshipDelegatedAdminCustomer
	Get-MgTenantRelationshipDelegatedAdminCustomerServiceManagementDetail
	Get-MgTenantRelationshipDelegatedAdminRelationship
	Get-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment
	Get-MgTenantRelationshipDelegatedAdminRelationshipOperation
	Get-MgTenantRelationshipDelegatedAdminRelationshipRequest
	New-MgTenantRelationshipDelegatedAdminRelationship
	New-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment
	New-MgTenantRelationshipDelegatedAdminRelationshipRequest
	Remove-MgTenantRelationshipDelegatedAdminRelationship
	Remove-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment
	Update-MgTenantRelationshipDelegatedAdminRelationship
	Update-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaTenantRelationshipDelegatedAdminCustomer
	Get-MgBetaTenantRelationshipDelegatedAdminCustomerServiceManagementDetail
	Get-MgBetaTenantRelationshipDelegatedAdminRelationship
	Get-MgBetaTenantRelationshipDelegatedAdminRelationshipAccessAssignment
	Get-MgBetaTenantRelationshipDelegatedAdminRelationshipOperation
	Get-MgBetaTenantRelationshipDelegatedAdminRelationshipRequest
	New-MgBetaTenantRelationshipDelegatedAdminRelationship
	New-MgBetaTenantRelationshipDelegatedAdminRelationshipAccessAssignment
	New-MgBetaTenantRelationshipDelegatedAdminRelationshipRequest
	Remove-MgBetaTenantRelationshipDelegatedAdminRelationship
	Remove-MgBetaTenantRelationshipDelegatedAdminRelationshipAccessAssignment
	Update-MgBetaTenantRelationshipDelegatedAdminRelationship
	Update-MgBetaTenantRelationshipDelegatedAdminRelationshipAccessAssignment

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: delegatedAdminAccessAssignment

Property	Type	Description
accessContainer	delegatedAdminAccessContainer	The access container through which members are assigned access. For example, a security group.
accessDetails	delegatedAdminAccessDetails	The access details containing the identifiers of the administrative roles that the partner is assigned in the customer tenant.
createdDateTime	DateTimeOffset	The date and time in ISO 8601 format and in UTC time when the access assignment was created. Read-only.
id	String	The unique identifier of the access assignment. Read-only. Inherited from entity.
lastModifiedDateTime	DateTimeOffset	The date and time in ISO 8601 and in UTC time when this access assignment was last modified. Read-only.
status	delegatedAdminAccessAssignmentStatus	The status of the access assignment. Read-only. The possible values are: `pending`, `active`, `deleting`, `deleted`, `error`, `unknownFutureValue`.

Graph reference: delegatedAdminAccessContainer

Property	Type	Description
accessContainerId	String	The identifier of the access container (for example, a security group). For "securityGroup" access containers, this must be a valid ID of a Microsoft Entra security group in the Microsoft partner's tenant.
accessContainerType	delegatedAdminAccessContainerType	The type of access container (for example, security group) that will be assigned one or more roles through a delegated admin relationship. The possible values are: `securityGroup`, `unknownFutureValue`.

Graph reference: delegatedAdminAccessDetails

Property	Type	Description
unifiedRoles	unifiedRole collection	The directory roles that the Microsoft partner is assigned in the customer tenant.

Graph reference: delegatedAdminCustomer

Property	Type	Description
displayName	String	The Microsoft Entra ID display name of the customer tenant. Read-only. Supports `$orderby`.
id	String	The Microsoft Entra ID-assigned unique identifier of the customer. Read-only. Inherited from entity.
tenantId	String	The Microsoft Entra ID-assigned tenant ID of the customer. Read-only.

Graph reference: delegatedAdminRelationship

Property	Type	Description
accessDetails	delegatedAdminAccessDetails	The access details that contain the identifiers of the administrative roles that the partner admin is requesting in the customer tenant.
activatedDateTime	DateTimeOffset	The date and time in ISO 8601 format and in UTC time when the relationship became active. Read-only.
autoExtendDuration	Duration	The duration by which the validity of the relationship is automatically extended, denoted in ISO 8601 format. Supported values are: `P0D`, `PT0S`, `P180D`. The default value is `PT0S`. `PT0S` indicates that the relationship expires when the endDateTime is reached and it isn't automatically extended.
createdDateTime	DateTimeOffset	The date and time in ISO 8601 format and in UTC time when the relationship was created. Read-only.
customer	delegatedAdminRelationshipCustomerParticipant	The display name and unique identifier of the customer of the relationship. This is configured either by the partner at the time the relationship is created or by the system after the customer approves the relationship. Can't be changed by the customer.
displayName	String	The display name of the relationship used for ease of identification. Must be unique across all delegated admin relationships of the partner and is set by the partner only when the relationship is in the `created` status and can't be changed by the customer. Maximum length is 50 characters.
duration	Duration	The duration of the relationship in ISO 8601 format. Must be a value between `P1D` and `P2Y` inclusive. This is set by the partner only when the relationship is in the `created` status and can't be changed by the customer.
endDateTime	DateTimeOffset	The date and time in ISO 8601 format and in UTC time when the status of relationship changes to either `terminated` or `expired`. Calculated as `endDateTime = activatedDateTime + duration`. Read-only.
id	String	The unique identifier of the relationship. Read-only. Inherited from entity.
lastModifiedDateTime	DateTimeOffset	The date and time in ISO 8601 format and in UTC time when the relationship was last modified. Read-only.
status	delegatedAdminRelationshipStatus	The status of the relationship. Read Only. The possible values are: `activating`, `active`, `approvalPending`, `approved`, `created`, `expired`, `expiring`, `terminated`, `terminating`, `terminationRequested`, `unknownFutureValue`. Supports `$orderby`.

Graph reference: delegatedAdminRelationshipCustomerParticipant

Property	Type	Description
displayName	String	The display name of the customer tenant as set by Microsoft Entra ID. Read-only
tenantId	String	The Microsoft Entra ID-assigned tenant ID of the customer tenant.

Graph reference: delegatedAdminRelationshipOperation

Property	Type	Description
createdDateTime	DateTimeOffset	The time in ISO 8601 format and in UTC time when the long-running operation was created. Read-only.
data	String	The data (payload) for the operation. Read-only.
id	String	The unique identifier of the delegated admin long-running operation. Read-only. Inherited from entity.
lastModifiedDateTime	DateTimeOffset	The time in ISO 8601 format and in UTC time when the long-running operation was last modified. Read-only.
operationType	delegatedAdminRelationshipOperationType	The type of long-running operation. The possible values are: `delegatedAdminAccessAssignmentUpdate`, `unknownFutureValue`,`delegatedAdminRelationshipUpdate`. Read-only. You must use the `Prefer: include-unknown-enum-members` request header to get the following value from this evolvable enum: `delegatedAdminRelationshipUpdate`.
status	longRunningOperationStatus	The status of the operation. Read-only. The possible values are: `notStarted`, `running`, `succeeded`, `failed`, `unknownFutureValue`. Read-only. Supports `$orderby`.

Graph reference: delegatedAdminRelationshipRequest

Property	Type	Description
action	delegatedAdminRelationshipRequestAction	The action to be performed on the delegated admin relationship. The possible values are: `lockForApproval`, `approve`, `terminate`, `unknownFutureValue`, `reject`. Note that you must use the `Prefer: include-unknown-enum-members` request header to get the following value(s) in this evolvable enum: `reject`. For a partner to finalize a relationship in the `created` status, set the action to `lockForApproval`. For a partner to terminate a relationship in the `active` status, set the action to `terminate`. For an indirect reseller to approve a relationship created by an indirect provider in the `approvalPending` status, set the action to `approve`. For an indirect reseller to reject a relationship created by an indirect provider in the `approvalPending` status, set the action to `reject`.
createdDateTime	DateTimeOffset	The date and time in ISO 8601 format and in UTC time when the relationship request was created. Read-only.
id	String	The unique identifier of the relationship request. Read-only. Inherited from entity.
lastModifiedDateTime	DateTimeOffset	The date and time in ISO 8601 format and UTC time when this relationship request was last modified. Read-only.
status	delegatedAdminRelationshipRequestStatus	The status of the request. Read-only. The possible values are: `created`, `pending`, `succeeded`, `failed`, `unknownFutureValue`.

Graph reference: delegatedAdminServiceManagementDetail

Property	Type	Description
id	String	The identifier of a managed service. Read-only.
serviceManagementUrl	String	The URL of the management portal for the managed service. Read-only.
serviceName	String	The name of a managed service. Read-only.

Graph reference: resellerDelegatedAdminRelationship

Property	Type	Description
accessDetails	delegatedAdminAccessDetails	The access details that contain the identifiers of the administrative roles that the partner administrator requests in the customer tenant. Inherited from delegatedAdminRelationship.
activatedDateTime	DateTimeOffset	The date and time when the relationship was activated. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from delegatedAdminRelationship.
autoExtendDuration	Duration	The duration by which the validity of the relationship is automatically extended, denoted in ISO 8601 format. Supported values are: `P0D`, `PT0S`, `P180D`. The default value is `PT0S`. `PT0S` indicates that the relationship expires when the endDateTime is reached and it isn't automatically extended. Inherited from delegatedAdminRelationship.
createdDateTime	DateTimeOffset	The date and time when the relationship was created. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from delegatedAdminRelationship.
customer	delegatedAdminRelationshipCustomerParticipant	The display name and unique identifier of the customer of the relationship. This is configured either by the partner at the time the relationship is created or by the system after the customer approves the relationship. Cannot be changed by the customer. Inherited from delegatedAdminRelationship.
displayName	String	The display name of the relationship used for ease of identification. Must be unique across all delegated admin relationships of the partner. This is set by the partner only when the relationship is in the `created` status and cannot be changed by the customer. Inherited from delegatedAdminRelationship.
duration	Duration	The duration of the relationship in ISO 8601 format. Must be a value between `P1D` and `P2Y` inclusive. This is set by the partner only when the relationship is in the `created` status and cannot be changed by the customer. Inherited from delegatedAdminRelationship.
endDateTime	DateTimeOffset	The date and time when the status of the relationship changes to either `terminated` or `expired`. Calculated as `endDateTime = activatedDateTime + duration`. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from delegatedAdminRelationship.
id	String	The unique identifier of the relationship. Read-only. Inherited from delegatedAdminRelationship.
indirectProviderTenantId	String	The tenant ID of the indirect provider partner who created the relationship for the indirect reseller partner.
isPartnerConsentPending	Boolean	Indicates the indirect reseller partner consent status. `true` indicates that the partner has yet to review the relationship; `false` indicates that the partner has already provided consent by approving or rejecting the relationship.
lastModifiedDateTime	DateTimeOffset	The date and time when the relationship was last modified. Read-only. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from delegatedAdminRelationship.
status	delegatedAdminRelationshipStatus	The status of the relationship. Read-only. The possible values are: `activating`, `active`, `approvalPending`, `approved`, `created`, `expired`, `expiring`, `terminated`, `terminating`, `terminationRequested`, `unknownFutureValue`. Supports `$orderBy`. Inherited from delegatedAdminRelationship.

Table of Contents

DelegatedAdminRelationship.ReadWrite.All

Graph Methods

Resources