DeviceManagementRBAC.Read.All
Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.
Graph Methods
Type: A = Application Permission, D = Delegate Permission

| Ver | Type | Method |
|---|---|---|
| V1 | A,D | GET /deviceManagement |
| V1 | A,D | GET /deviceManagement/getAssignedRoleDetails |
| V1 | | GET /deviceManagement/getAssignedRoleIdsForLoggedInUser |
| V1 | A,D | GET /deviceManagement/getEffectivePermissions |
| V1 | | GET /deviceManagement/getRoleScopeTagsByIds |
| V1 | | GET /deviceManagement/getRoleScopeTagsByResource |
| V1 | A,D | GET /deviceManagement/operationApprovalPolicies |
| V1 | A,D | GET /deviceManagement/operationApprovalPolicies/{operationApprovalPolicyId} |
| V1 | A,D | GET /deviceManagement/operationApprovalPolicies/getApprovableOperations |
| V1 | A,D | GET /deviceManagement/operationApprovalPolicies/getOperationsAllowedApproval |
| V1 | A,D | GET /deviceManagement/operationApprovalPolicies/getOperationsRequiringApproval |
| V1 | A,D | GET /deviceManagement/operationApprovalRequests |
| V1 | A,D | GET /deviceManagement/operationApprovalRequests/{operationApprovalRequestId} |
| V1 | A,D | GET /deviceManagement/operationApprovalRequests/getMyRequestById |
| V1 | A,D | GET /deviceManagement/operationApprovalRequests/getMyRequests |
| V1 | A,D | GET /deviceManagement/resourceOperations |
| V1 | A,D | GET /deviceManagement/resourceOperations/{resourceOperationId} |
| V1 | A,D | GET /deviceManagement/resourceOperations/{resourceOperationId}/getScopesForUser |
| V1 | A,D | GET /deviceManagement/roleAssignments |
| V1 | A,D | GET /deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId} |
| V1 | A,D | GET /deviceManagement/roleDefinitions |
| V1 | A,D | GET /deviceManagement/roleDefinitions/{roleDefinitionId} |
| V1 | A,D | GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments |
| V1 | A,D | GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId} |
| V1 | A,D | GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags |
| V1 | A,D | GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId} |
| V1 | A,D | GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments |
| V1 | A,D | GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments/{roleScopeTagAutoAssignmentId} |
| V1 | A,D | GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/hasCustomRoleScopeTag |
| V1 | A,D | GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition |
| V1 | A,D | GET /deviceManagement/roleScopeTags |
| V1 | A,D | GET /deviceManagement/roleScopeTags/{roleScopeTagId} |
| V1 | A,D | GET /deviceManagement/roleScopeTags/hasCustomRoleScopeTag |
| V1 | A,D | GET /deviceManagement/scopedForResource |
| V1 | A,D | GET /roleManagement |
| V1 | A,D | GET /roleManagement/cloudPc/roleAssignments |
| V1 | A,D | GET /roleManagement/cloudPC/roleAssignments/{id} |
| V1 | A,D | GET /roleManagement/cloudPC/roleDefinitions |
| V1 | A,D | GET /roleManagement/cloudPC/roleDefinitions/{id} |
| V1 | A,D | GET /roleManagement/deviceManagement |
| V1 | A,D | POST /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}/approve |
| V1 | A,D | POST /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}/cancelApproval |
| V1 | A,D | POST /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}/reject |
| V1 | A,D | POST /deviceManagement/operationApprovalRequests/cancelMyRequest |
| V1 | A,D | POST /deviceManagement/operationApprovalRequests/getRequestStatus |
| V1 | A,D | POST /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/getRoleScopeTagsById |
| V1 | A,D | POST /deviceManagement/roleScopeTags/getRoleScopeTagsById |

Delegate Permission

| | |
|---|---|
| Id | 49f0cc30-024c-4dfd-ab3e-82e137ee5431 |
| Consent Type | Admin |
| Display String | Read Microsoft Intune RBAC settings |
| Description | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. |

Application Permission

| | |
|---|---|
| Id | 58ca0d9a-1575-47e1-a3cb-007ef2e4583b |
| Display String | Read Microsoft Intune RBAC settings |
| Description | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. |

Resources

| Property | Type | Description |
|---|---|---|
| roleDefinitionIds | String collection | Role Definition IDs for the specific Role Definitions assigned to a user. This property is read-only. |
| roleAssignmentIds | String collection | Role Assignment IDs for the specific Role Assignments assigned to a user. This property is read-only. |

| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. Inherited from roleAssignment |
| displayName | String | The display or friendly name of the role Assignment. Inherited from roleAssignment |
| description | String | Description of the Role Assignment. Inherited from roleAssignment |
| resourceScopes | String collection | List of ids of role scope member security groups. These are IDs from Azure Active Directory. Inherited from roleAssignment |
| members | String collection | The list of ids of role member security groups. These are IDs from Azure Active Directory. |

| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. Inherited from roleDefinition |
| displayName | String | Display Name of the Role definition. Inherited from roleDefinition |
| description | String | Description of the Role definition. Inherited from roleDefinition |
| rolePermissions | rolePermission collection | List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission. Inherited from roleDefinition |
| isBuiltIn | Boolean | Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition. Inherited from roleDefinition |

| Property | Type | Description |
|---|---|---|
| id | String | Not yet documented |

| Property | Type | Description |
|---|---|---|
| id | String | The ID of the OperationApprovalPolicy. This property is read-only. |
| displayName | String | The display name of this OperationApprovalPolicy |
| description | String | The description of this OperationApprovalPolicy |
| lastModifiedDateTime | DateTimeOffset | The last modified date and time of this OperationApprovalPolicy. This property is read-only. |
| policyType | operationApprovalPolicyType | The policy type for this OperationApprovalPolicy. Possible values are: deviceActions, deviceWipe, deviceRetire, deviceRetireNonCompliant, deviceDelete, deviceLock, deviceErase, deviceDisableActivationLock, windowsEnrollment, compliancePolicies, configurationPolicies, appProtectionPolicies, policySets, filters, endpointSecurity, apps, scripts, roles, deviceResetPasscode, unknownFutureValue. |
| approverGroupIds | String collection | The group IDs for the approvers for this OperationApprovalPolicy |

| Property | Type | Description |
|---|---|---|
| policyType | operationApprovalPolicyType | The policy type for this OperationApprovalPolicy. This property is read-only. Possible values are: deviceActions, deviceWipe, deviceRetire, deviceRetireNonCompliant, deviceDelete, deviceLock, deviceErase, deviceDisableActivationLock, windowsEnrollment, compliancePolicies, configurationPolicies, appProtectionPolicies, policySets, filters, endpointSecurity, apps, scripts, roles, deviceResetPasscode, unknownFutureValue. |
| policyPlatform | operationApprovalPolicyPlatform | The applicable platform(s) for this OperationApprovalPolicy. This property is read-only. Possible values are: notApplicable, androidDeviceAdministrator, androidEnterprise, iOSiPadOS, macOS, windows10AndLater, windows81AndLater, windows10X. |

| Property | Type | Description |
|---|---|---|
| id | String | The ID of the Entity |
| requestDateTime | DateTimeOffset | The DateTime of the request. This property is read-only. |
| expirationDateTime | DateTimeOffset | The DateTime at which actions upon the request are no longer permitted. This property is read-only. |
| lastModifiedDateTime | DateTimeOffset | Last modified DateTime. This property is read-only. |
| requestor | identitySet | The identity of the requestor. This property is read-only. |
| approver | identitySet | The identity of the approver. This property is read-only. |
| status | operationApprovalRequestStatus | The current approval request status. This property is read-only. Possible values are: unknown, needsApproval, approved, rejected, cancelled, completed, expired, unknownFutureValue. |
| requestJustification | String | The request justification. This property is read-only. |
| approvalJustification | String | The justification for the approval of the request. This property is read-only. |
| operationApprovalPolicies | String | The operational approval policies used in the request. This property is read-only. |

| Property | Type | Description |
|---|---|---|
| requestId | String | The ID of the OperationApprovalRequest for this Entity. This property is read-only. |
| requestExpirationDateTime | DateTimeOffset | The DateTime at which actions upon the request are no longer permitted. This property is read-only. |
| requestStatus | operationApprovalRequestStatus | The current approval request status. This property is read-only. Possible values are: unknown, needsApproval, approved, rejected, cancelled, completed, expired, unknownFutureValue. |
| entityLocked | Boolean | The status of the Entity in regard to changes, whether further requests are allowed or the Entity is locked. This property is read-only. |

| Property | Type | Description |
|---|---|---|
| id | String | Not yet documented |

| Property | Type | Description |
|---|---|---|
| id | String | Key of the Resource Operation. Read-only, automatically generated. |
| resourceName | String | Name of the Resource this operation is performed on. |
| actionName | String | Type of action this operation is going to perform. The actionName should be concise and limited to as few words as possible. |
| description | String | Description of the resource operation. The description is used in mouse-over text for the operation when shown in the Azure Portal. |

| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. |
| displayName | String | The display or friendly name of the role Assignment. |
| description | String | Description of the Role Assignment. |
| resourceScopes | String collection | List of ids of role scope member security groups. These are IDs from Azure Active Directory. |

| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. |
| displayName | String | Display Name of the Role definition. |
| description | String | Description of the Role definition. |
| rolePermissions | rolePermission collection | List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission. |
| isBuiltIn | Boolean | Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition. |

| Property | Type | Description |
|---|---|---|
| id | String | Not yet documented |

| Property | Type | Description |
|---|---|---|
| resourceActions | resourceAction collection | Resource Actions each containing a set of allowed and not allowed permissions. |

| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. This property is read-only. |
| displayName | String | The display or friendly name of the Role Scope Tag. |
| description | String | Description of the Role Scope Tag. |
| isBuiltIn | Boolean | Description of the Role Scope Tag. This property is read-only. |

| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This property is read-only. |
| target | deviceAndAppManagementAssignmentTarget | The auto-assignment target for the specific Role Scope Tag. |

| Property | Type | Description |
|---|---|---|
| appScopeId | String | Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or directoryScopeId is required. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, in). |
| directoryScopeId | String | Identifier of the directory object representing the scope of the assignment. Either this property or appScopeId is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, in). |
| id | String | The unique identifier for the role assignment. Key, not nullable, Read-only. Inherited from entity. |
| roleDefinitionId | String | Identifier of the role definition the assignment is for. Read only. Supports $filter (eq, in). |
| principalId | String | Identifier of the principal to which the assignment is granted. Supports $filter (eq, in). |

| Property | Type | Description |
|---|---|---|
| appScopeIds | String collection | Ids of the app specific scopes when the assignment scopes are app specific. The scopes of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. App scopes are scopes that are defined and understood by this application only. |
| description | String | Description of the role assignment. |
| directoryScopeIds | String collection | Ids of the directory objects representing the scopes of the assignment. The scopes of an assignment determine the set of resources for which the principals have been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. App scopes are scopes that are defined and understood by this application only. |
| displayName | String | Name of the role assignment. Required. |
| id | String | The unique identifier for the unifiedRoleAssignmentMultiple. Key, not nullable, Read-only. |
| roleDefinitionId | String | Identifier of the unifiedRoleDefinition the assignment is for. |
| principalIds | String collection | Identifiers of the principals to which the assignment is granted. Supports $filter (any operator only). |

| Property | Type | Description |
|---|---|---|
| description | String | The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true. |
| displayName | String | The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq, in). |
| id | String | The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (eq, in). |
| isBuiltIn | Boolean | Flag indicating whether the role definition is part of the default set included in Azure Active Directory (Azure AD) or a custom definition. Read-only. Supports $filter (eq, in). |
| isEnabled | Boolean | Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true. |
| resourceScopes | String collection | List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment. |
| rolePermissions | unifiedRolePermission collection | List of permissions included in the role. Read-only when isBuiltIn is true. Required. |
| templateId | String | Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories. |
| version | String | Indicates version of the role definition. Read-only when **i |