DeviceManagementRBAC.ReadWrite.All

Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the DeviceManagementRBAC.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	e330c4f0-4170-414e-a55a-2f022ec2b57b	0c5e8a55-87a6-4556-93ab-adc52c4d862d
DisplayText	Read and write Microsoft Intune RBAC settings	Read and write Microsoft Intune RBAC settings
Description	Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.	Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /deviceManagement/resourceOperations/{resourceOperationId}
	DELETE /deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}
	DELETE /deviceManagement/roleDefinitions/{roleDefinitionId}
	DELETE /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}
	DELETE /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition
	GET /deviceManagement
	GET /deviceManagement/getEffectivePermissions
	GET /deviceManagement/resourceOperations
	GET /deviceManagement/resourceOperations/{resourceOperationId}
	GET /deviceManagement/roleAssignments
	GET /deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}
	GET /deviceManagement/roleDefinitions
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition
	PATCH /deviceManagement
	PATCH /deviceManagement/resourceOperations/{resourceOperationId}
	PATCH /deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}
	PATCH /deviceManagement/roleDefinitions/{roleDefinitionId}
	PATCH /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}
	PATCH /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition
	POST /deviceManagement/resourceOperations
	POST /deviceManagement/roleAssignments
	POST /deviceManagement/roleDefinitions
	POST /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /deviceManagement/operationApprovalPolicies/{operationApprovalPolicyId}
	DELETE /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}
	DELETE /deviceManagement/resourceOperations/{resourceOperationId}
	DELETE /deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}
	DELETE /deviceManagement/roleDefinitions/{roleDefinitionId}
	DELETE /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}
	DELETE /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}
	DELETE /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments/{roleScopeTagAutoAssignmentId}
	DELETE /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition
	DELETE /deviceManagement/roleScopeTags/{roleScopeTagId}
	DELETE /roleManagement/cloudPC/roleAssignments/{id}
	DELETE /roleManagement/deviceManagement/roleDefinitions/{id}
	GET /deviceManagement
	GET /deviceManagement/getAssignedRoleDetails
	GET /deviceManagement/getAssignedRoleIdsForLoggedInUser
	GET /deviceManagement/getEffectivePermissions
	GET /deviceManagement/getRoleScopeTagsByIds
	GET /deviceManagement/getRoleScopeTagsByResource
	GET /deviceManagement/operationApprovalPolicies
	GET /deviceManagement/operationApprovalPolicies/{operationApprovalPolicyId}
	GET /deviceManagement/operationApprovalPolicies/getApprovableOperations
	GET /deviceManagement/operationApprovalPolicies/getOperationsRequiringApproval
	GET /deviceManagement/operationApprovalRequests
	GET /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}
	GET /deviceManagement/resourceOperations
	GET /deviceManagement/resourceOperations/{resourceOperationId}
	GET /deviceManagement/resourceOperations/{resourceOperationId}/getScopesForUser
	GET /deviceManagement/roleAssignments
	GET /deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}
	GET /deviceManagement/roleDefinitions
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments/{roleScopeTagAutoAssignmentId}
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/hasCustomRoleScopeTag
	GET /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition
	GET /deviceManagement/roleScopeTags
	GET /deviceManagement/roleScopeTags/{roleScopeTagId}
	GET /deviceManagement/roleScopeTags/hasCustomRoleScopeTag
	GET /deviceManagement/scopedForResource
	GET /roleManagement
	GET /roleManagement/cloudPc/roleAssignments
	GET /roleManagement/cloudPC/roleAssignments/{id}
	GET /roleManagement/cloudPC/roleDefinitions
	GET /roleManagement/cloudPC/roleDefinitions/{id}
	GET /roleManagement/deviceManagement
	PATCH /deviceManagement
	PATCH /deviceManagement/operationApprovalPolicies/{operationApprovalPolicyId}
	PATCH /deviceManagement/operationApprovalRequests/{operationApprovalRequestId}
	PATCH /deviceManagement/resourceOperations/{resourceOperationId}
	PATCH /deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}
	PATCH /deviceManagement/roleDefinitions/{roleDefinitionId}
	PATCH /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}
	PATCH /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}
	PATCH /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments/{roleScopeTagAutoAssignmentId}
	PATCH /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition
	PATCH /deviceManagement/roleScopeTags/{roleScopeTagId}
	PATCH /roleManagement
	PATCH /roleManagement/cloudPC/roleAssignments/{id}
	PATCH /roleManagement/deviceManagement
	PATCH /roleManagement/deviceManagement/roleDefinitions/{id}
	POST /deviceManagement/operationApprovalPolicies
	POST /deviceManagement/operationApprovalRequests
	POST /deviceManagement/resourceOperations
	POST /deviceManagement/roleAssignments
	POST /deviceManagement/roleDefinitions
	POST /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments
	POST /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags
	POST /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assign
	POST /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments
	POST /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/getRoleScopeTagsById
	POST /deviceManagement/roleScopeTags
	POST /deviceManagement/roleScopeTags/{roleScopeTagId}/assign
	POST /deviceManagement/roleScopeTags/getRoleScopeTagsById
	POST /roleManagement/cloudPC/roleAssignments
	POST /roleManagement/deviceManagement/roleDefinitions

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgDeviceManagement
	Get-MgDeviceManagementEffectivePermission
	Get-MgDeviceManagementResourceOperation
	Get-MgDeviceManagementRoleAssignment
	Get-MgDeviceManagementRoleDefinition
	Get-MgDeviceManagementRoleDefinitionRoleAssignment
	New-MgDeviceManagementResourceOperation
	New-MgDeviceManagementRoleAssignment
	New-MgDeviceManagementRoleDefinition
	New-MgDeviceManagementRoleDefinitionRoleAssignment
	Remove-MgDeviceManagementResourceOperation
	Remove-MgDeviceManagementRoleAssignment
	Remove-MgDeviceManagementRoleDefinition
	Remove-MgDeviceManagementRoleDefinitionRoleAssignment
	Update-MgDeviceManagement
	Update-MgDeviceManagementResourceOperation
	Update-MgDeviceManagementRoleAssignment
	Update-MgDeviceManagementRoleDefinition
	Update-MgDeviceManagementRoleDefinitionRoleAssignment

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaDeviceManagement
	Get-MgBetaDeviceManagementAssignedRoleDetail
	Get-MgBetaDeviceManagementEffectivePermission
	Get-MgBetaDeviceManagementResourceOperation
	Get-MgBetaDeviceManagementRoleAssignment
	Get-MgBetaDeviceManagementRoleDefinition
	Get-MgBetaDeviceManagementRoleDefinitionRoleAssignment
	Get-MgBetaDeviceManagementRoleDefinitionRoleAssignmentRoleDefinition
	Get-MgBetaDeviceManagementRoleScopeTag
	Get-MgBetaDeviceManagementRoleScopeTagRoleScopeTagById
	Get-MgBetaRoleManagement
	Get-MgBetaRoleManagementCloudPcRoleAssignment
	Get-MgBetaRoleManagementDeviceManagement
	Get-MgBetaRoleManagementDirectoryRoleDefinition
	Get-MgBetaRoleManagementExchangeRoleDefinition
	Invoke-MgBetaCustomDeviceManagementRoleScopeTag
	New-MgBetaDeviceManagementResourceOperation
	New-MgBetaDeviceManagementRoleAssignment
	New-MgBetaDeviceManagementRoleDefinition
	New-MgBetaDeviceManagementRoleDefinitionRoleAssignment
	New-MgBetaDeviceManagementRoleScopeTag
	New-MgBetaRoleManagementCloudPcRoleAssignment
	New-MgBetaRoleManagementCloudPcRoleDefinition
	Remove-MgBetaDeviceManagementResourceOperation
	Remove-MgBetaDeviceManagementRoleAssignment
	Remove-MgBetaDeviceManagementRoleDefinition
	Remove-MgBetaDeviceManagementRoleDefinitionRoleAssignment
	Remove-MgBetaDeviceManagementRoleScopeTag
	Remove-MgBetaRoleManagementCloudPcRoleAssignment
	Remove-MgBetaRoleManagementCloudPcRoleDefinition
	Set-MgBetaDeviceManagementRoleScopeTag
	Update-MgBetaDeviceManagement
	Update-MgBetaDeviceManagementResourceOperation
	Update-MgBetaDeviceManagementRoleAssignment
	Update-MgBetaDeviceManagementRoleDefinition
	Update-MgBetaDeviceManagementRoleDefinitionRoleAssignment
	Update-MgBetaDeviceManagementRoleScopeTag
	Update-MgBetaRoleManagement
	Update-MgBetaRoleManagementCloudPcRoleAssignment
	Update-MgBetaRoleManagementCloudPcRoleDefinition
	Update-MgBetaRoleManagementDeviceManagement

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: deviceAndAppManagementAssignedRoleDetails

Property	Type	Description
roleDefinitionIds	String collection	Role Definition IDs for the specifc Role Definitions assigned to a user. This property is read-only.
roleAssignmentIds	String collection	Role Assignment IDs for the specifc Role Assignments assigned to a user. This property is read-only.

Graph reference: deviceAndAppManagementRoleAssignment

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated. Inherited from roleAssignment
displayName	String	The display or friendly name of the role Assignment. Inherited from roleAssignment
description	String	Description of the Role Assignment. Inherited from roleAssignment
resourceScopes	String collection	List of ids of role scope member security groups. These are IDs from Azure Active Directory. Inherited from roleAssignment
members	String collection	The list of ids of role member security groups. These are IDs from Azure Active Directory.

Graph reference: deviceAndAppManagementRoleDefinition

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated. Inherited from roleDefinition
displayName	String	Display Name of the Role definition. Inherited from roleDefinition
description	String	Description of the Role definition. Inherited from roleDefinition
rolePermissions	rolePermission collection	List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission. Inherited from roleDefinition
isBuiltIn	Boolean	Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition. Inherited from roleDefinition

Property	Type	Description
id	String	Not yet documented

Graph reference: identitySet

Property	Type	Description
application	identity	The Identity of the Application. This property is read-only.
device	identity	The Identity of the Device. This property is read-only.
user	identity	The Identity of the User. This property is read-only.

Graph reference: operationApprovalPolicy

Property	Type	Description
id	String	The unique identifier of the policy. This ID is assigned at when the policy is created. Read-only. This property is read-only.
displayName	String	Indicates the display name of the policy. Maximum length of the display name is 128 characters. This property is required when the policy is created, and is defined by the IT Admins to identify the policy.
description	String	Indicates the description of the policy. Maximum length of the description is 1024 characters. This property is not required, but can be used by the IT Admin to describe the policy.
lastModifiedDateTime	DateTimeOffset	Indicates the last DateTime that the policy was modified. The value cannot be modified and is automatically populated whenever values in the request are updated. For example, when the 'policyType' property changes from `apps` to `scripts`. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only.
policyType	operationApprovalPolicyType	The policy type for the OperationApprovalPolicy. Possible values are: `unknown`, `app`, `script`, `operationApprovalPolicy`. Possible values are: `unknown`, `deviceAction`, `deviceWipe`, `deviceRetire`, `deviceRetireNonCompliant`, `deviceDelete`, `deviceLock`, `deviceErase`, `deviceDisableActivationLock`, `windowsEnrollment`, `compliancePolicy`, `configurationPolicy`, `appProtectionPolicy`, `policySet`, `filter`, `endpointSecurityPolicy`, `app`, `script`, `role`, `deviceResetPasscode`, `customOrganizationalMessage`, `unknownFutureValue`, `operationApprovalPolicy`.
policyPlatform	operationApprovalPolicyPlatform	Indicates the applicable platform for the policy. Possible values are: `notApplicable`, `androidDeviceAdministrator`, `androidEnterprise`, `iOSiPadOS`, `macOS`, `windows10AndLater`, `windows81AndLater`, `windows10X`. Default value is `notApplicable`. Possible values are: `notApplicable`, `androidDeviceAdministrator`, `androidEnterprise`, `iOSiPadOS`, `macOS`, `windows10AndLater`, `windows81AndLater`, `windows10X`, `unknownFutureValue`.
policySet	operationApprovalPolicySet	Indicates areas of the Intune UX that could support MAA UX for the current logged in IT Admin. This property is required, and is defined by the IT Admins in order to correctly show the expected experience.
approverGroupIds	String collection	The Microsoft Entra ID (Azure AD) security group IDs for the approvers for the policy. This property is required when the policy is created, and is defined by the IT Admins to define the possible approvers for the policy.

Graph reference: operationApprovalPolicySet

Property	Type	Description
policyType	operationApprovalPolicyType	The policy type for the OperationApprovalPolicy. This property is required when the policy set is created, and uniquely identifies areas of the Intune UX that could support MAA when used in conjection with the `policyPlatform` property. Possible values are: `unknown`, `app`, `script`, `operationApprovalPolicy`. Read-only. This property is read-only. Possible values are: `unknown`, `deviceAction`, `deviceWipe`, `deviceRetire`, `deviceRetireNonCompliant`, `deviceDelete`, `deviceLock`, `deviceErase`, `deviceDisableActivationLock`, `windowsEnrollment`, `compliancePolicy`, `configurationPolicy`, `appProtectionPolicy`, `policySet`, `filter`, `endpointSecurityPolicy`, `app`, `script`, `role`, `deviceResetPasscode`, `customOrganizationalMessage`, `unknownFutureValue`, `operationApprovalPolicy`.
policyPlatform	operationApprovalPolicyPlatform	The applicable platform(s) for the OperationApprovalPolicy. This property is required when the policy set is created, and uniquely identifies the platform(s) that could support MAA when used in conjection with the `policyType` property. Possible values are: `notApplicable`, `androidDeviceAdministrator`, `androidEnterprise`, `iOSiPadOS`, `macOS`, `windows10AndLater`, `windows81AndLater`, `windows10X`. Read-only. This property is read-only. Possible values are: `notApplicable`, `androidDeviceAdministrator`, `androidEnterprise`, `iOSiPadOS`, `macOS`, `windows10AndLater`, `windows81AndLater`, `windows10X`, `unknownFutureValue`.

Graph reference: operationApprovalRequest

Property	Type	Description
id	String	The unique identifier of the request. This ID is assigned at when the request is created. Read-only.
requestDateTime	DateTimeOffset	Indicates the DateTime that the request was made. The value cannot be modified and is automatically populated when the request is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only.
expirationDateTime	DateTimeOffset	Indicates the DateTime when any action on the approval request is no longer permitted. The value cannot be modified and is automatically populated when the request is created using expiration offset values defined in the service controllers. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only.
lastModifiedDateTime	DateTimeOffset	Indicates the last DateTime that the request was modified. The value cannot be modified and is automatically populated whenever values in the request are updated. For example, when the 'status' property changes from `needsApproval` to `approved`. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'. Returned by default. Read-only. This property is read-only.
requestor	identitySet	The identity of the requestor as an Identity Set. Optionally contains the application ID, the device ID and the User ID. See information about this type here: https://learn.microsoft.com/graph/api/resources/identityset?view=graph-rest-1.0. Read-only. This property is read-only.
approver	identitySet	The identity of the approver as an Identity Set. Optionally contains the application ID, the device ID and the User ID. See information about this type here: https://learn.microsoft.com/graph/api/resources/identityset?view=graph-rest-1.0. Read-only. This property is read-only.
status	operationApprovalRequestStatus	The current approval status of the request. Possible values are: `unknown`, `needsApproval`, `approved`, `rejected`, `cancelled`, `completed`, `expired`. Default value is `unknown`. Read-only. This property is read-only. Possible values are: `unknown`, `needsApproval`, `approved`, `rejected`, `cancelled`, `completed`, `expired`, `unknownFutureValue`.
requestJustification	String	Indicates the justification for creating the request. Maximum length of justification is 1024 characters. For example: 'Needed for Feb 2023 application baseline updates.' Read-only. This property is read-only.
approvalJustification	String	Indicates the justification for approving or rejecting the request. Maximum length of justification is 1024 characters. For example: 'Approved per Change 23423 - needed for Feb 2023 application baseline updates.' Read-only. This property is read-only.
requiredOperationApprovalPolicyTypes	operationApprovalPolicyType collection	Indicates the approval policy types required by the request in order for the request to be approved or rejected. Read-only. This property is read-only.

Graph reference: resourceOperation

Property	Type	Description
id	String	Key of the Resource Operation. Read-only, automatically generated.
resourceName	String	Name of the Resource this operation is performed on.
actionName	String	Type of action this operation is going to perform. The actionName should be concise and limited to as few words as possible.
description	String	Description of the resource operation. The description is used in mouse-over text for the operation when shown in the Azure Portal.

Graph reference: roleAssignment

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated.
displayName	String	The display or friendly name of the role Assignment.
description	String	Description of the Role Assignment.
resourceScopes	String collection	List of ids of role scope member security groups. These are IDs from Azure Active Directory.

Graph reference: roleDefinition

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated.
displayName	String	Display Name of the Role definition.
description	String	Description of the Role definition.
rolePermissions	rolePermission collection	List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission.
isBuiltIn	Boolean	Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition.

Property	Type	Description
id	String

Property	Type	Description
resourceActions	resourceAction collection	Resource Actions each containing a set of allowed and not allowed permissions.

Graph reference: roleScopeTag

Property	Type	Description
id	String	Key of the entity. This is read-only and automatically generated. This property is read-only.
displayName	String	The display or friendly name of the Role Scope Tag.
description	String	Description of the Role Scope Tag.
isBuiltIn	Boolean	Description of the Role Scope Tag. This property is read-only.

Graph reference: roleScopeTagAutoAssignment

Property	Type	Description
id	String	Key of the entity. This property is read-only.
target	deviceAndAppManagementAssignmentTarget	The auto-assignment target for the specific Role Scope Tag.

Graph reference: unifiedRoleAssignment

Property	Type	Description
appScopeId	String	Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, `/AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997`. Supports `$filter` (`eq`, `in`). For example, `/roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'`.
directoryScopeId	String	Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports `$filter` (`eq`, `in`).
id	String	The unique identifier for the unifiedRoleAssignment. Key, not nullable, Read-only.
principalId	String	Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports `$filter` (`eq`, `in`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports `$filter` (`eq`, `in`).

Graph reference: unifiedRoleAssignmentMultiple

Property	Type	Description
appScopeIds	String collection	Ids of the app specific scopes when the assignment scopes are app specific. The scopes of an assignment determine the set of resources for which the principal has access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. App scopes are scopes that are defined and understood by this application only.
description	String	Description of the role assignment.
directoryScopeIds	String collection	Ids of the directory objects that represent the scopes of the assignment. The scopes of an assignment determine the set of resources for which the principals have been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. App scopes are scopes that are defined and understood by this application only.
displayName	String	Name of the role assignment. Required.
id	String	The unique identifier for the unifiedRoleAssignmentMultiple object. Key, not nullable, Read-only.
principalIds	String collection	Identifiers of the principals to which the assignment is granted. Supports `$filter` (`any` operator only).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition the assignment is for.

Graph reference: unifiedRoleDefinition

Property	Type	Description
description	String	The description for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`.
displayName	String	The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`. Required. Supports $filter (`eq`, `in`).
id	String	The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (`eq`, `in`).
isBuiltIn	Boolean	Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (`eq`, `in`).
isEnabled	Boolean	Flag indicating whether the role is enabled for assignment. If `false` the role is not available for assignment. Read-only when isBuiltIn is true.
resourceScopes	String collection	List of the scopes or permissions the role definition applies to. Currently only `/` is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.
rolePermissions	unifiedRolePermission collection	List of permissions included in the role. Read-only when isBuiltIn is `true`. Required.
templateId	String	Custom template identifier that can be set when isBuiltIn is `false` but is read-only when isBuiltIn is `true`. This identifier is typically used if one needs an identifier to be the same across different directories.
version	String	Indicates version of the role definition. Read-only when **i

Graph reference: unifiedRolePermission

Property	Type	Description
allowedResourceActions	String collection	Set of tasks that can be performed on a resource. Required.
condition	String	Optional constraints that must be met for the permission to be effective. Not supported for custom roles.
excludedResourceActions	String collection	Set of tasks that may not be performed on a resource. Not yet supported.

Table of Contents

DeviceManagementRBAC.ReadWrite.All

Graph Methods

Resources