DeviceManagementRBAC.Read.All

Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the DeviceManagementRBAC.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	58ca0d9a-1575-47e1-a3cb-007ef2e4583b	49f0cc30-024c-4dfd-ab3e-82e137ee5431
DisplayText	Read Microsoft Intune RBAC settings	Read Microsoft Intune RBAC settings
Description	Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.	Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /deviceManagement
	GET /deviceManagement/getEffectivePermissions
	GET /deviceManagement/resourceOperations
	GET /deviceManagement/resourceOperations/{resourceOperationId}
	GET /deviceManagement/roleAssignments
	GET /deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}
	GET /deviceManagement/roleDefinitions
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /deviceManagement
	GET /deviceManagement/getAssignedRoleDetails
	GET /deviceManagement/getAssignedRoleIdsForLoggedInUser
	GET /deviceManagement/getEffectivePermissions
	GET /deviceManagement/getRoleScopeTagsByIds
	GET /deviceManagement/getRoleScopeTagsByResource
	GET /deviceManagement/operationApprovalPolicies
	GET /deviceManagement/operationApprovalPolicies/{operationApprovalPolicyId}
	GET /deviceManagement/operationApprovalPolicies/getApprovableOperations
	GET /deviceManagement/operationApprovalPolicies/getOperationsRequiringApproval
	GET /deviceManagement/operationApprovalPolicies/retrieveApprovableOperations
	GET /deviceManagement/operationApprovalPolicies/retrieveOperationsRequiringApproval
	GET /deviceManagement/operationApprovalRequests
	GET /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}
	GET /deviceManagement/operationApprovalRequests/retrieveMyRequestById
	GET /deviceManagement/operationApprovalRequests/retrieveMyRequests
	GET /deviceManagement/resourceOperations
	GET /deviceManagement/resourceOperations/{resourceOperationId}
	GET /deviceManagement/resourceOperations/{resourceOperationId}/getScopesForUser
	GET /deviceManagement/retrieveUserRoleDetail
	GET /deviceManagement/roleAssignments
	GET /deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}
	GET /deviceManagement/roleDefinitions
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments/{roleScopeTagAutoAssignmentId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/hasCustomRoleScopeTag
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition
	GET /deviceManagement/roleScopeTags
	GET /deviceManagement/roleScopeTags/{roleScopeTagId}
	GET /deviceManagement/roleScopeTags/hasCustomRoleScopeTag
	GET /deviceManagement/scopedForResource
	GET /roleManagement
	GET /roleManagement/cloudPc/roleAssignments
	GET /roleManagement/cloudPC/roleAssignments/{id}
	GET /roleManagement/cloudPC/roleDefinitions
	GET /roleManagement/cloudPC/roleDefinitions/{id}
	GET /roleManagement/deviceManagement
	POST /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}/approve
	POST /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}/cancelApproval
	POST /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}/reject
	POST /deviceManagement/operationApprovalRequests/cancelMyRequest
	POST /deviceManagement/operationApprovalRequests/retrieveRequestStatus
	POST /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/getRoleScopeTagsById
	POST /deviceManagement/roleScopeTags/getRoleScopeTagsById

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgDeviceManagement
	Get-MgDeviceManagementEffectivePermission
	Get-MgDeviceManagementResourceOperation
	Get-MgDeviceManagementRoleAssignment
	Get-MgDeviceManagementRoleDefinition
	Get-MgDeviceManagementRoleDefinitionRoleAssignment

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Approve-MgBetaDeviceManagementOperationApprovalRequest
	Get-MgBetaDeviceManagement
	Get-MgBetaDeviceManagementAssignedRoleDetail
	Get-MgBetaDeviceManagementEffectivePermission
	Get-MgBetaDeviceManagementOperationApprovalPolicyApprovableOperation
	Get-MgBetaDeviceManagementOperationApprovalPolicyOperationRequiringApproval
	Get-MgBetaDeviceManagementOperationApprovalRequestMyRequest
	Get-MgBetaDeviceManagementOperationApprovalRequestStatus
	Get-MgBetaDeviceManagementResourceOperation
	Get-MgBetaDeviceManagementRoleAssignment
	Get-MgBetaDeviceManagementRoleDefinition
	Get-MgBetaDeviceManagementRoleDefinitionRoleAssignment
	Get-MgBetaDeviceManagementRoleDefinitionRoleAssignmentRoleDefinition
	Get-MgBetaDeviceManagementRoleScopeTag
	Get-MgBetaDeviceManagementRoleScopeTagRoleScopeTagById
	Get-MgBetaRoleManagement
	Get-MgBetaRoleManagementCloudPcRoleAssignment
	Get-MgBetaRoleManagementDeviceManagement
	Get-MgBetaRoleManagementDirectoryRoleDefinition
	Get-MgBetaRoleManagementExchangeRoleDefinition
	Invoke-MgBetaCustomDeviceManagementRoleScopeTag
	Invoke-MgBetaRejectDeviceManagementOperationApprovalRequest
	Stop-MgBetaDeviceManagementOperationApprovalRequestApproval
	Stop-MgBetaDeviceManagementOperationApprovalRequestMyRequest

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: deviceAndAppManagementAssignedRoleDetail

Property	Type	Description
roleDefinitions	deviceAndAppManagementAssignedRoleDefinition collection	A collection of RoleDefinitions represents the various administrative roles that define permissions and access levels within Microsoft Intune. Each RoleDefinition outlines a set of permissions that determine the actions an admin or user can perform in the Intune environment. These permissions can include actions like reading or writing to specific resources, managing device configurations, deploying policies, or handling user data. RoleDefinitions are critical for enforcing role-based access control (RBAC), ensuring that administrators can only interact with the features and data relevant to their responsibilities. RoleDefinitions in Intune can either be built-in roles provided by Microsoft or custom roles created by an organization to tailor access based on specific needs. These definitions are referenced when assigning roles to users or groups, effectively controlling the scope of their administrative privileges. The collection of RoleDefinitions is managed through the Intune console or the Graph API, allowing for scalable role management across large environments. This property is read-only.
permissions	String collection	The list of permissions assigned to a specific user based on their associated role definitions. Each permission defines the specific actions the user can perform on Intune resources, such as managing devices, applications, or configurations. Some possible values are: Microsoft.Intune/MobileApps/Read, Microsoft.Intune/DeviceConfigurations/Write, Microsoft.Intune/ManagedDevices/Retire, and Microsoft.Intune/DeviceCompliancePolicies/Assign. This Permissions property provides a comprehensive view of the user's effective access rights, ensuring that they can only perform actions relevant to their assigned roles. This property is read-only.

Graph reference: deviceAndAppManagementAssignedRoleDetails

Property	Type	Description
roleDefinitionIds	String collection	Role Definition IDs for the specifc Role Definitions assigned to a user. This property is read-only.
roleAssignmentIds	String collection	Role Assignment IDs for the specifc Role Assignments assigned to a user. This property is read-only.

Graph reference: deviceAndAppManagementRoleAssignment

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated. Inherited from roleAssignment
displayName	String	The display or friendly name of the role Assignment. Inherited from roleAssignment
description	String	Description of the Role Assignment. Inherited from roleAssignment
resourceScopes	String collection	List of ids of role scope member security groups. These are IDs from Azure Active Directory. Inherited from roleAssignment
members	String collection	The list of ids of role member security groups. These are IDs from Azure Active Directory.

Graph reference: deviceAndAppManagementRoleDefinition

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated. Inherited from roleDefinition
displayName	String	Display Name of the Role definition. Inherited from roleDefinition
description	String	Description of the Role definition. Inherited from roleDefinition
rolePermissions	rolePermission collection	List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission. Inherited from roleDefinition
isBuiltIn	Boolean	Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition. Inherited from roleDefinition

Property	Type	Description
id	String	Not yet documented

Graph reference: operationApprovalPolicy

Property	Type	Description
id	String	The unique identifier of the policy. This ID is assigned at when the policy is created. Read-only. This property is read-only.
displayName	String	Indicates the display name of the policy. Maximum length of the display name is 128 characters. This property is required when the policy is created, and is defined by the IT Admins to identify the policy.
description	String	Indicates the description of the policy. Maximum length of the description is 1024 characters. This property is not required, but can be used by the IT Admin to describe the policy.
lastModifiedDateTime	DateTimeOffset	Indicates the last DateTime that the policy was modified. The value cannot be modified and is automatically populated whenever values in the request are updated. For example, when the 'policyType' property changes from `apps` to `scripts`. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only.
policyType	operationApprovalPolicyType	The policy type for the OperationApprovalPolicy. Possible values are: `unknown`, `app`, `script`, `operationApprovalPolicy`. Possible values are: `unknown`, `deviceAction`, `deviceWipe`, `deviceRetire`, `deviceRetireNonCompliant`, `deviceDelete`, `deviceLock`, `deviceErase`, `deviceDisableActivationLock`, `windowsEnrollment`, `compliancePolicy`, `configurationPolicy`, `appProtectionPolicy`, `policySet`, `filter`, `endpointSecurityPolicy`, `app`, `script`, `role`, `deviceResetPasscode`, `customOrganizationalMessage`, `unknownFutureValue`, `operationApprovalPolicy`.
policyPlatform	operationApprovalPolicyPlatform	Indicates the applicable platform for the policy. Possible values are: `notApplicable`, `androidDeviceAdministrator`, `androidEnterprise`, `iOSiPadOS`, `macOS`, `windows10AndLater`, `windows81AndLater`, `windows10X`. Default value is `notApplicable`. Possible values are: `notApplicable`, `androidDeviceAdministrator`, `androidEnterprise`, `iOSiPadOS`, `macOS`, `windows10AndLater`, `windows81AndLater`, `windows10X`, `unknownFutureValue`.
policySet	operationApprovalPolicySet	Indicates areas of the Intune UX that could support MAA UX for the current logged in IT Admin. This property is required, and is defined by the IT Admins in order to correctly show the expected experience.
approverGroupIds	String collection	The Microsoft Entra ID (Azure AD) security group IDs for the approvers for the policy. This property is required when the policy is created, and is defined by the IT Admins to define the possible approvers for the policy.

Graph reference: operationApprovalPolicySet

Property	Type	Description
policyType	operationApprovalPolicyType	The policy type for the OperationApprovalPolicy. This property is required when the policy set is created, and uniquely identifies areas of the Intune UX that could support MAA when used in conjection with the `policyPlatform` property. Possible values are: `unknown`, `app`, `script`, `operationApprovalPolicy`. Read-only. This property is read-only. Possible values are: `unknown`, `deviceAction`, `deviceWipe`, `deviceRetire`, `deviceRetireNonCompliant`, `deviceDelete`, `deviceLock`, `deviceErase`, `deviceDisableActivationLock`, `windowsEnrollment`, `compliancePolicy`, `configurationPolicy`, `appProtectionPolicy`, `policySet`, `filter`, `endpointSecurityPolicy`, `app`, `script`, `role`, `deviceResetPasscode`, `customOrganizationalMessage`, `unknownFutureValue`, `operationApprovalPolicy`.
policyPlatform	operationApprovalPolicyPlatform	The applicable platform(s) for the OperationApprovalPolicy. This property is required when the policy set is created, and uniquely identifies the platform(s) that could support MAA when used in conjection with the `policyType` property. Possible values are: `notApplicable`, `androidDeviceAdministrator`, `androidEnterprise`, `iOSiPadOS`, `macOS`, `windows10AndLater`, `windows81AndLater`, `windows10X`. Read-only. This property is read-only. Possible values are: `notApplicable`, `androidDeviceAdministrator`, `androidEnterprise`, `iOSiPadOS`, `macOS`, `windows10AndLater`, `windows81AndLater`, `windows10X`, `unknownFutureValue`.

Graph reference: operationApprovalRequest

Property	Type	Description
id	String	The unique identifier of the request. This ID is assigned at when the request is created. Read-only.
requestDateTime	DateTimeOffset	Indicates the DateTime that the request was made. The value cannot be modified and is automatically populated when the request is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only.
expirationDateTime	DateTimeOffset	Indicates the DateTime when any action on the approval request is no longer permitted. The value cannot be modified and is automatically populated when the request is created using expiration offset values defined in the service controllers. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only.
lastModifiedDateTime	DateTimeOffset	Indicates the last DateTime that the request was modified. The value cannot be modified and is automatically populated whenever values in the request are updated. For example, when the 'status' property changes from `needsApproval` to `approved`. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only.
requestor	identitySet	The identity of the requestor as an Identity Set. Optionally contains the application ID, the device ID and the User ID. See information about this type here: https://learn.microsoft.com/graph/api/resources/identityset?view=graph-rest-1.0. Read-only. This property is read-only.
approver	identitySet	The identity of the approver as an Identity Set. Optionally contains the application ID, the device ID and the User ID. See information about this type here: https://learn.microsoft.com/graph/api/resources/identityset?view=graph-rest-1.0. Read-only. This property is read-only.
status	operationApprovalRequestStatus	The current approval status of the request. Possible values are: `unknown`, `needsApproval`, `approved`, `rejected`, `cancelled`, `completed`, `expired`. Default value is `unknown`. Read-only. This property is read-only. Possible values are: `unknown`, `needsApproval`, `approved`, `rejected`, `cancelled`, `completed`, `expired`, `unknownFutureValue`.
requestJustification	String	Indicates the justification for creating the request. Maximum length of justification is 1024 characters. For example: 'Needed for Feb 2023 application baseline updates.' Read-only. This property is read-only.
approvalJustification	String	Indicates the justification for approving or rejecting the request. Maximum length of justification is 1024 characters. For example: 'Approved per Change 23423 - needed for Feb 2023 application baseline updates.' Read-only. This property is read-only.
requiredOperationApprovalPolicyTypes	operationApprovalPolicyType collection	Indicates the approval policy types required by the request in order for the request to be approved or rejected. Read-only. This property is read-only.

Graph reference: operationApprovalRequestEntityStatus

Property	Type	Description
requestId	String	The unique identifier of the OperationApprovalRequest. This property cannot be modified and is required when the entity status is created. Read-only. This property is read-only.
requestExpirationDateTime	DateTimeOffset	Indicates the DateTime when any action on the OperationApprovalRequest is no longer permitted. The value cannot be modified and is automatically populated when the request is created using expiration offset values defined in the service controllers. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only.
requestStatus	operationApprovalRequestStatus	The current approval status of the OperationApprovalRequest. Possible values are: `unknown`, `needsApproval`, `approved`, `rejected`, `cancelled`, `completed`, `expired`. Default value is `unknown`. Read-only. This property is read-only. Possible values are: `unknown`, `needsApproval`, `approved`, `rejected`, `cancelled`, `completed`, `expired`, `unknownFutureValue`.
entityLocked	Boolean	The status of the Entity connected to the OperationApprovalRequest in regard to changes, whether further requests are allowed or if the Entity is locked. When `true`, a lock is present on the Entity and no approval requests can be currently made for it. When `false`, the Entity is not locked and approval requests are allowed. Default value is `false`. Read-only. This property is read-only.

Graph reference: resourceOperation

Property	Type	Description
id	String	Key of the Resource Operation. Read-only, automatically generated.
resourceName	String	Name of the Resource this operation is performed on.
actionName	String	Type of action this operation is going to perform. The actionName should be concise and limited to as few words as possible.
description	String	Description of the resource operation. The description is used in mouse-over text for the operation when shown in the Azure Portal.

Graph reference: roleAssignment

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated.
displayName	String	The display or friendly name of the role Assignment.
description	String	Description of the Role Assignment.
resourceScopes	String collection	List of ids of role scope member security groups. These are IDs from Azure Active Directory.

Graph reference: roleDefinition

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated.
displayName	String	Display Name of the Role definition.
description	String	Description of the Role definition.
rolePermissions	rolePermission collection	List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission.
isBuiltIn	Boolean	Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition.

Property	Type	Description
id	String

Property	Type	Description
resourceActions	resourceAction collection	Resource Actions each containing a set of allowed and not allowed permissions.

Graph reference: roleScopeTag

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated. This property is read-only.
displayName	String	The display or friendly name of the Role Scope Tag.
description	String	Description of the Role Scope Tag.
isBuiltIn	Boolean	Description of the Role Scope Tag. This property is read-only.

Graph reference: roleScopeTagAutoAssignment

Property	Type	Description
id	String	Key of the entity. This property is read-only.
target	deviceAndAppManagementAssignmentTarget	The auto-assignment target for the specific Role Scope Tag.

Graph reference: unifiedRoleAssignment

Property	Type	Description
appScopeId	String	Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, `/AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997`. Supports `$filter` (`eq`, `in`). For example, `/roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'`.
directoryScopeId	String	Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports `$filter` (`eq`, `in`).
id	String	The unique identifier for the unifiedRoleAssignment. Key, not nullable, Read-only.
principalId	String	Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports `$filter` (`eq`, `in`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports `$filter` (`eq`, `in`).

Graph reference: unifiedRoleAssignmentMultiple

Property	Type	Description
appScopeIds	String collection	Ids of the app specific scopes when the assignment scopes are app specific. The scopes of an assignment determine the set of resources for which the principal has access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. App scopes are scopes that are defined and understood by this application only.
description	String	Description of the role assignment.
directoryScopeIds	String collection	Ids of the directory objects that represent the scopes of the assignment. The scopes of an assignment determine the set of resources for which the principals have been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. App scopes are scopes that are defined and understood by this application only.
displayName	String	Name of the role assignment. Required.
id	String	The unique identifier for the unifiedRoleAssignmentMultiple object. Key, not nullable, Read-only.
principalIds	String collection	Identifiers of the principals to which the assignment is granted. Supports `$filter` (`any` operator only).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition the assignment is for.

Graph reference: unifiedRoleDefinition

Property	Type	Description
description	String	The description for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`.
displayName	String	The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`. Required. Supports $filter (`eq`, `in`).
id	String	The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (`eq`, `in`).
isBuiltIn	Boolean	Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (`eq`, `in`).
isEnabled	Boolean	Flag indicating whether the role is enabled for assignment. If `false` the role is not available for assignment. Read-only when isBuiltIn is true.
resourceScopes	String collection	List of the scopes or permissions the role definition applies to. Currently only `/` is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.
rolePermissions	unifiedRolePermission collection	List of permissions included in the role. Read-only when isBuiltIn is `true`. Required.
templateId	String	Custom template identifier that can be set when isBuiltIn is `false` but is read-only when isBuiltIn is `true`. This identifier is typically used if one needs an identifier to be the same across different directories.
version	String	Indicates version of the role definition. Read-only when **i

Table of Contents

DeviceManagementRBAC.Read.All

Graph Methods

Resources