PrivilegedAccess.Read.AzureAD
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on behalf of the signed-in user.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Delegate Permission
|
|
| Id |
b3a539c9-59cb-4ad5-825a-041ddbdc2bdb |
| Consent Type |
Admin |
| Display String |
Read privileged access to Azure AD |
| Description |
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on behalf of the signed-in user. |
Application Permission
|
|
| Id |
4cdc2547-9148-4295-8d11-be0db1391d6b |
| Display String |
Read privileged access to Azure AD roles |
| Description |
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. |
Resources
| Property |
Type |
Description |
| id |
String |
The id of the resource. It is in GUID format. |
| externalId |
String |
The external id of the resource, representing its original id in the external system. For example, a subscription resource's external id can be "/subscriptions/c14ae696-5e0c-4e5d-88cc-bef6637737ac". |
| type |
String |
Required. Resource type. For example, for Azure resources, the type could be "Subscription", "ResourceGroup", "Microsoft.Sql/server", etc. |
| displayName |
String |
The display name of the resource. |
| status |
String |
The status of a given resource. For example, it could represent whether the resource is locked or not (values: Active/Locked). Note: This property may be extended in the future to support more scenarios. |
| registeredDateTime |
DateTimeOffset |
Represents the date time when the resource is registered in PIM. |
| registeredRoot |
String |
The externalId of the resource's root scope that is registered in PIM. The root scope can be the parent, grandparent, or higher ancestor resources. |
| roleAssignmentCount |
Int32 |
Optional. The number of role assignments for the given resource. To get the property, please explictly use $select=roleAssignmentCount in the query. |
| roleDefinitionCount |
Int32 |
Optional. The number of role definitions for the given resource. To get the property, please explictly use $select=roleDefinitionCount in the query. |
| permissions |
governancePermission |
Optional. It represents the status of the requestor's access to the resource.To get the property, please explictly use $select=permissions in the query. |
| Property |
Type |
Description |
| id |
String |
The ID of the role assignment. It is in GUID format. |
| resourceId |
String |
Required. The ID of the resource which the role assignment is associated with. |
| roleDefinitionId |
String |
Required. The ID of the role definition which the role assignment is associated with. |
| subjectId |
String |
Required. The ID of the subject which the role assignment is associated with. |
| linkedEligibleRoleAssignmentId |
String |
If this is an active assignment and created due to activation on an eligible assignment, it represents the ID of that eligible assignment; Otherwise, the value is null. |
| externalId |
String |
The external ID the resource that is used to identify the role assignment in the provider. |
| startDateTime |
DateTimeOffset |
The start time of the role assignment. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| endDateTime |
DateTimeOffset |
For a non-permanent role assignment, this is the time when the role assignment will be expired. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| assignmentState |
String |
The state of the assignment. The value can be Eligible for eligible assignment or Active if it is directly assigned Active by administrators, or activated on an eligible assignment by the users. |
| memberType |
String |
The type of member. The value can be: Inherited (if the role assignment is inherited from a parent resource scope), Group (if the role assignment is not inherited, but comes from the membership of a group assignment), or User (if the role assignment is neither inherited nor from a group assignment). |
| Property |
Type |
Description |
| id |
String |
The identifier of the role assignment request. |
| resourceId |
String |
Required. The unique identifier of the Azure resource that is associated with the role assignment request. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases. |
| roleDefinitionId |
String |
Required. The identifier of the Azure role definition that the role assignment request is associated with. |
| subjectId |
String |
Required. The unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals. |
| type |
String |
Required. Representing the type of the operation on the role assignment. The possible values are: AdminAdd , UserAdd , AdminUpdate , AdminRemove , UserRemove , UserExtend , AdminExtend , UserRenew , AdminRenew. |
| assignmentState |
String |
Required. The state of the assignment. The possible values are: Eligible (for eligible assignment), Active (if it is directly assigned), Active (by administrators, or activated on an eligible assignment by the users). |
| requestedDateTime |
DateTimeOffset |
Read-only. The request create time. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| schedule |
governanceSchedule |
The schedule object of the role assignment request. |
| reason |
String |
A message provided by users and administrators when create the request about why it is needed. |
| status |
governanceRoleAssignmentRequestStatus |
The status of the role assignment request. |
| linkedEligibleRoleAssignmentId |
String |
If this is a request for role activation, it represents the id of the eligible assignment being referred; Otherwise, the value is null. |
| Property |
Type |
Description |
| id |
String |
The id of the role definition. |
| resourceId |
String |
Required. The id of the resource associated with the role definition. |
| externalId |
String |
The external id of the role definition. |
| displayName |
String |
The display name of the role definition. |
| templateId |
String |
|
| Property |
Type |
Description |
| id |
String |
The id of the roleSetting. |
| resourceId |
String |
Required. The id of the resource that the role setting is associated with. |
| roleDefinitionId |
String |
Required. The id of the role definition that the role setting is associated with. |
| isDefault |
Boolean |
Read-only. Indicate if the roleSetting is a default roleSetting |
| lastUpdatedDateTime |
DateTimeOffset |
Read-only. The time when the role setting was last updated. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
| lastUpdatedBy |
String |
Read-only. The display name of the administrator who last updated the roleSetting. |
| adminEligibleSettings |
governanceRuleSetting collection |
The rule settings that are evaluated when an administrator tries to add an eligible role assignment. |
| adminMemberSettings |
governanceRuleSetting collection |
The rule settings that are evaluated when an administrator tries to add a direct member role assignment. |
| userEligibleSettings |
governanceRuleSetting collection |
The rule settings that are evaluated when a user tries to add an eligible role assignment. The setting is not supported for now. |
| userMemberSettings |
governanceRuleSetting collection |
The rule settings that are evaluated when a user tries to activate his role assignment. |
| Property |
Type |
Description |
| appScopeId |
String |
Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. |
| createdDateTime |
DateTimeOffset |
When the schedule was created. |
| createdUsing |
String |
Identifier of the object through which this schedule was created. |
| directoryScopeId |
String |
Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. |
| id |
String |
The unique identifier for the schedule object. Inherited from entity. |
| modifiedDateTime |
DateTimeOffset |
When the schedule was last modified. |
| principalId |
String |
Identifier of the principal that has been granted the role assignment or eligibility. |
| roleDefinitionId |
String |
Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for. |
| status |
String |
The status of the role assignment or eligibility request. |
| Property |
Type |
Description |
| appScopeId |
String |
Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. |
| directoryScopeId |
String |
Identifier of the directory object representing the scope of the assignment or role eligibility. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. |
| id |
String |
The unique identifier for the schedule object. Inherited from entity. |
| principalId |
String |
Identifier of the principal that has been granted the role assignment or that's eligible for a role. |
| roleDefinitionId |
String |
Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for. |