Table of Contents

EntitlementManagement.ReadWrite.All

Allows the app to request access to and management of access packages and related entitlement management resources on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the EntitlementManagement.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category Application Delegated
Identifier 9acd699f-1e81-4958-b001-93b1d2506e19 ae7a573d-81d7-432b-ad44-4ed5c9d89038
DisplayText Read and write all entitlement management resources Read and write entitlement management resources
Description Allows the app to read and write access packages and related entitlement management resources without a signed-in user. Allows the app to request access to and management of access packages and related entitlement management resources on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods
DELETE /identityGovernance/entitlementManagement/accessPackages/{accessPackageId}
DELETE /identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages/{id}/$ref
DELETE /identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups/{id}/$ref
DELETE /identityGovernance/entitlementManagement/accessPackages/{id}/resourceRoleScopes/{id}
DELETE /identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicyId}
DELETE /identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}
DELETE /identityGovernance/entitlementManagement/catalogs/{accessPackageCatalogId}
DELETE /identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions/{customAccessPackageWorkflowExtensionId}
DELETE /identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}
DELETE /identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}/externalSponsors/{id}/$ref
DELETE /identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}/internalSponsors/{id}/$ref
DELETE /roleManagement/directory/roleAssignments/{id}
GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}
GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages
GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages/{approvalStageId}
GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/filterByCurrentUser(on='approver')
GET /identityGovernance/entitlementManagement/accessPackages
GET /identityGovernance/entitlementManagement/accessPackages/{accessPackageId}
GET /identityGovernance/entitlementManagement/accessPackages/{id}?$expand=resourceRoleScopes($expand=role,scope)
GET /identityGovernance/entitlementManagement/accessPackages/{id}/accessPackagesIncompatibleWith
GET /identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages
GET /identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups
GET /identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser(on='allowedRequestor')
GET /identityGovernance/entitlementManagement/assignmentPolicies
GET /identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicyId}
GET /identityGovernance/entitlementManagement/assignmentRequests
GET /identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}
GET /identityGovernance/entitlementManagement/assignmentRequests/filterByCurrentUser(on='parameterValue')
GET /identityGovernance/entitlementManagement/assignments
GET /identityGovernance/entitlementManagement/assignments/{accessPackageAssignmentId}
GET /identityGovernance/entitlementManagement/assignments/additionalAccess(accessPackageId='parameterValue',incompatibleAccessPackageId='parameterValue')
GET /identityGovernance/entitlementManagement/assignments/filterByCurrentUser(on='parameterValue')
GET /identityGovernance/entitlementManagement/catalogs
GET /identityGovernance/entitlementManagement/catalogs/{accessPackageCatalogId}
GET /identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions
GET /identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions/{accessPackageCustomWorkflowExtensionId}
GET /identityGovernance/entitlementManagement/catalogs/{catalogId}/resourceRoles?$filter=(originSystem+eq+%27{originSystemType}%27+and+resource/id+eq+%27{resourceId}%27)&$expand=resource
GET /identityGovernance/entitlementManagement/catalogs/{id}/resources
GET /identityGovernance/entitlementManagement/connectedOrganizations
GET /identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}
GET /identityGovernance/entitlementManagement/connectedOrganizations/{id}/externalSponsors
GET /identityGovernance/entitlementManagement/connectedOrganizations/{id}/internalSponsors
GET /identityGovernance/entitlementManagement/resourceRequests
GET /identityGovernance/entitlementManagement/settings
GET /roleManagement/directory/roleAssignments
GET /roleManagement/directory/roleAssignments/{id}
GET /roleManagement/directory/roleDefinitions
GET /roleManagement/directory/roleDefinitions/{id}
GET identityGovernance/entitlementManagement/resourceEnvironments?$filter=originSystem eq 'SharePointOnline'
PATCH /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages/{approvalStageId}
PATCH /identityGovernance/entitlementManagement/accessPackages/{accessPackageId}
PATCH /identityGovernance/entitlementManagement/catalogs/{accessPackageCatalogId}
PATCH /identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}
PATCH /identityGovernance/entitlementManagement/settings
POST /identityGovernance/entitlementManagement/accessPackageCatalogs/{accessPackageCatalogId}/accessPackageResources/{accessPackageResourceId}/refresh
POST /identityGovernance/entitlementManagement/accessPackages
POST /identityGovernance/entitlementManagement/accessPackages/{accessPackageId}/getApplicablePolicyRequirements
POST /identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages/$ref
POST /identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups/$ref
POST /identityGovernance/entitlementManagement/accessPackages/{id}/resourceRoleScopes
POST /identityGovernance/entitlementManagement/assignmentPolicies
POST /identityGovernance/entitlementManagement/assignmentRequests
POST /identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}/cancel
POST /identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}/resume
POST /identityGovernance/entitlementManagement/assignmentRequests/{id}/reprocess
POST /identityGovernance/entitlementManagement/assignments/{id}/reprocess
POST /identityGovernance/entitlementManagement/catalogs
POST /identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions
POST /identityGovernance/entitlementManagement/connectedOrganizations
POST /identityGovernance/entitlementManagement/connectedOrganizations/{id}/externalSponsors/$ref
POST /identityGovernance/entitlementManagement/connectedOrganizations/{id}/internalSponsors/$ref
POST /identityGovernance/entitlementManagement/resourceRequests
POST /roleManagement/directory/roleAssignments
PUT /identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicyId}
PUT /identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions/{customAccessPackageWorkflowExtensionId}

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: accessPackage

Property Type Description
createdDateTime DateTimeOffset The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.
description String The description of the access package.
displayName String Required. The display name of the access package. Supports $filter (eq, contains).
id String Read-only.
isHidden Boolean Indicates whether the access package is hidden from the requestor.
modifiedDateTime DateTimeOffset The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.