
PrivilegedAccess.Read.AzureAD

Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on behalf of the signed-in user.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

| Ver | Type | Method |
|---|---|---|
| V1 | A | GET /privilegedAccess/azureResources/resources |
| V1 | A | GET /privilegedAccess/azureResources/resources/{id} |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignmentRequests |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignments |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignments/{id} |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleDefinitions |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleDefinitions/{id} |
| V1 | A | GET /privilegedAccess/azureResources/resources//roleSettings |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignmentRequests?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignmentRequests/{id} |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignments?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignments/{id}?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignments/export?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleDefinitions?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleDefinitions/{id}?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleSettings?$filter=resourceId+eq+'' |
| V1 | A | GET /privilegedAccess/azureResources/roleSettings/{id} |
| V1 | A | GET /roleManagement/directory/roleScheduleInstances |
| V1 | A | GET /roleManagement/directory/roleSchedules |

Delegate Permission

| Field | Value |
|---|---|
| Id | b3a539c9-59cb-4ad5-825a-041ddbdc2bdb |
| Consent Type | Admin |
| Display String | Read privileged access to Azure AD |
| Description | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on behalf of the signed-in user. |

Application Permission

| Field | Value |
|---|---|
| Id | 4cdc2547-9148-4295-8d11-be0db1391d6b |
| Display String | Read privileged access to Azure AD roles |
| Description | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. |

Resources

governanceResource

| Property | Type | Description |
|---|---|---|
| id | String | The id of the resource. It is in GUID format. |
| externalId | String | The external id of the resource, representing its original id in the external system. For example, a subscription resource's external id can be "/subscriptions/c14ae696-5e0c-4e5d-88cc-bef6637737ac". |
| type | String | Required. Resource type. For example, for Azure resources, the type could be "Subscription", "ResourceGroup", "Microsoft.Sql/server", etc. |
| displayName | String | The display name of the resource. |
| status | String | The status of a given resource. For example, it could represent whether the resource is locked or not (values: Active/Locked). Note: This property may be extended in the future to support more scenarios. |
| registeredDateTime | DateTimeOffset | Represents the date and time when the resource was registered in PIM. |
| registeredRoot | String | The externalId of the resource's root scope that is registered in PIM. The root scope can be the parent, grandparent, or higher ancestor resource. |
| roleAssignmentCount | Int32 | Optional. The number of role assignments for the given resource. To get the property, explicitly use $select=roleAssignmentCount in the query. |
| roleDefinitionCount | Int32 | Optional. The number of role definitions for the given resource. To get the property, explicitly use $select=roleDefinitionCount in the query. |
| permissions | governancePermission | Optional. Represents the status of the requestor's access to the resource. To get the property, explicitly use $select=permissions in the query. |

governanceRoleAssignment

| Property | Type | Description |
|---|---|---|
| id | String | The ID of the role assignment. It is in GUID format. |
| resourceId | String | Required. The ID of the resource which the role assignment is associated with. |
| roleDefinitionId | String | Required. The ID of the role definition which the role assignment is associated with. |
| subjectId | String | Required. The ID of the subject which the role assignment is associated with. |
| linkedEligibleRoleAssignmentId | String | If this is an active assignment created by activating an eligible assignment, it represents the ID of that eligible assignment; otherwise, the value is null. |
| externalId | String | The external ID of the resource that is used to identify the role assignment in the provider. |
| startDateTime | DateTimeOffset | The start time of the role assignment. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| endDateTime | DateTimeOffset | For a non-permanent role assignment, this is the time when the role assignment will expire. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| assignmentState | String | The state of the assignment. The value can be Eligible for an eligible assignment, or Active if it is directly assigned as Active by administrators or activated on an eligible assignment by the user. |
| memberType | String | The type of member. The value can be: Inherited (if the role assignment is inherited from a parent resource scope), Group (if the role assignment is not inherited, but comes from the membership of a group assignment), or User (if the role assignment is neither inherited nor from a group assignment). |

governanceRoleAssignmentRequest

| Property | Type | Description |
|---|---|---|
| id | String | The identifier of the role assignment request. |
| resourceId | String | Required. The unique identifier of the Azure resource that is associated with the role assignment request. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases. |
| roleDefinitionId | String | Required. The identifier of the Azure role definition that the role assignment request is associated with. |
| subjectId | String | Required. The unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals. |
| type | String | Required. Represents the type of operation on the role assignment. The possible values are: AdminAdd, UserAdd, AdminUpdate, AdminRemove, UserRemove, UserExtend, AdminExtend, UserRenew, AdminRenew. |
| assignmentState | String | Required. The state of the assignment. The possible values are: Eligible (for an eligible assignment) or Active (if it is directly assigned by administrators, or activated on an eligible assignment by the user). |
| requestedDateTime | DateTimeOffset | Read-only. The request creation time. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| schedule | governanceSchedule | The schedule object of the role assignment request. |
| reason | String | A message provided by users and administrators when creating the request about why it is needed. |
| status | governanceRoleAssignmentRequestStatus | The status of the role assignment request. |
| linkedEligibleRoleAssignmentId | String | If this is a request for role activation, it represents the id of the eligible assignment being referred to; otherwise, the value is null. |

governanceRoleDefinition

| Property | Type | Description |
|---|---|---|
| id | String | The id of the role definition. |
| resourceId | String | Required. The id of the resource associated with the role definition. |
| externalId | String | The external id of the role definition. |
| displayName | String | The display name of the role definition. |
| templateId | String | |

governanceRoleSetting

| Property | Type | Description |
|---|---|---|
| id | String | The id of the roleSetting. |
| resourceId | String | Required. The id of the resource that the role setting is associated with. |
| roleDefinitionId | String | Required. The id of the role definition that the role setting is associated with. |
| isDefault | Boolean | Read-only. Indicates whether the roleSetting is a default roleSetting. |
| lastUpdatedDateTime | DateTimeOffset | Read-only. The time when the role setting was last updated. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| lastUpdatedBy | String | Read-only. The display name of the administrator who last updated the roleSetting. |
| adminEligibleSettings | governanceRuleSetting collection | The rule settings that are evaluated when an administrator tries to add an eligible role assignment. |
| adminMemberSettings | governanceRuleSetting collection | The rule settings that are evaluated when an administrator tries to add a direct member role assignment. |
| userEligibleSettings | governanceRuleSetting collection | The rule settings that are evaluated when a user tries to add an eligible role assignment. This setting is not supported for now. |
| userMemberSettings | governanceRuleSetting collection | The rule settings that are evaluated when a user tries to activate their role assignment. |

unifiedRoleScheduleBase

| Property | Type | Description |
|---|---|---|
| appScopeId | String | Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. |
| createdDateTime | DateTimeOffset | When the schedule was created. |
| createdUsing | String | Identifier of the object through which this schedule was created. |
| directoryScopeId | String | Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. |
| id | String | The unique identifier for the schedule object. Inherited from entity. |
| modifiedDateTime | DateTimeOffset | When the schedule was last modified. |
| principalId | String | Identifier of the principal that has been granted the role assignment or eligibility. |
| roleDefinitionId | String | Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for. |
| status | String | The status of the role assignment or eligibility request. |

unifiedRoleScheduleInstanceBase

| Property | Type | Description |
|---|---|---|
| appScopeId | String | Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. |
| directoryScopeId | String | Identifier of the directory object representing the scope of the assignment or role eligibility. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. |
| id | String | The unique identifier for the schedule object. Inherited from entity. |
| principalId | String | Identifier of the principal that has been granted the role assignment or that is eligible for a role. |
| roleDefinitionId | String | Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for. |

Created by merill