
PrivilegedAccess.Read.AzureADGroup

Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

| Ver | Type | Method |
|---|---|---|
| V1 | A | GET /privilegedAccess/azureResources/resources |
| V1 | A | GET /privilegedAccess/azureResources/resources/{id} |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignmentRequests |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignments |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignments/{id} |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleDefinitions |
| V1 | A | GET /privilegedAccess/azureResources/resources/{resourceId}/roleDefinitions/{id} |
| V1 | A | GET /privilegedAccess/azureResources/resources//roleSettings |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignmentRequests?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignmentRequests/{id} |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignments?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignments/{id}?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleAssignments/export?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleDefinitions?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleDefinitions/{id}?$filter=resourceId+eq+'{resourceId}' |
| V1 | A | GET /privilegedAccess/azureResources/roleSettings?$filter=resourceId+eq+'' |
| V1 | A | GET /privilegedAccess/azureResources/roleSettings/{id} |

Delegate Permission

| | |
|---|---|
| Id | d329c81c-20ad-4772-abf9-3f6fdb7e5988 |
| Consent Type | Admin |
| Display String | Read privileged access to Azure AD groups |
| Description | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user. |

Application Permission

| | |
|---|---|
| Id | 01e37dc9-c035-40bd-b438-b2879c4870a6 |
| Display String | Read privileged access to Azure AD groups |
| Description | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user. |

Resources

governanceResource

| Property | Type | Description |
|---|---|---|
| id | String | The id of the resource. It is in GUID format. |
| externalId | String | The external id of the resource, representing its original id in the external system. For example, a subscription resource's external id can be "/subscriptions/c14ae696-5e0c-4e5d-88cc-bef6637737ac". |
| type | String | Required. Resource type. For example, for Azure resources, the type could be "Subscription", "ResourceGroup", "Microsoft.Sql/server", etc. |
| displayName | String | The display name of the resource. |
| status | String | The status of a given resource. For example, it could represent whether the resource is locked or not (values: Active/Locked). Note: This property may be extended in the future to support more scenarios. |
| registeredDateTime | DateTimeOffset | Represents the date time when the resource was registered in PIM. |
| registeredRoot | String | The externalId of the resource's root scope that is registered in PIM. The root scope can be the parent, grandparent, or higher ancestor resource. |
| roleAssignmentCount | Int32 | Optional. The number of role assignments for the given resource. To get the property, explicitly use $select=roleAssignmentCount in the query. |
| roleDefinitionCount | Int32 | Optional. The number of role definitions for the given resource. To get the property, explicitly use $select=roleDefinitionCount in the query. |
| permissions | governancePermission | Optional. It represents the status of the requestor's access to the resource. To get the property, explicitly use $select=permissions in the query. |

governanceRoleAssignment

| Property | Type | Description |
|---|---|---|
| id | String | The ID of the role assignment. It is in GUID format. |
| resourceId | String | Required. The ID of the resource which the role assignment is associated with. |
| roleDefinitionId | String | Required. The ID of the role definition which the role assignment is associated with. |
| subjectId | String | Required. The ID of the subject which the role assignment is associated with. |
| linkedEligibleRoleAssignmentId | String | If this is an active assignment created by activating an eligible assignment, it holds the ID of that eligible assignment; otherwise, the value is null. |
| externalId | String | The external ID of the resource that is used to identify the role assignment in the provider. |
| startDateTime | DateTimeOffset | The start time of the role assignment. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| endDateTime | DateTimeOffset | For a non-permanent role assignment, this is the time when the role assignment expires. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| assignmentState | String | The state of the assignment. The value can be Eligible for an eligible assignment, or Active if it is directly assigned Active by administrators or activated on an eligible assignment by the user. |
| memberType | String | The type of member. The value can be: Inherited (if the role assignment is inherited from a parent resource scope), Group (if the role assignment is not inherited, but comes from the membership of a group assignment), or User (if the role assignment is neither inherited nor from a group assignment). |
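Added example (not from the original page): a small audit helper that builds the filtered roleAssignments query from the method table and classifies governanceRoleAssignment records by the fields above, so a reviewer can spot standing Active assignments, JIT activations, inherited grants and assignments about to expire. The sample response is constructed here; the ids and resource values are placeholders, not real tenant data.

```python
from datetime import datetime, timedelta, timezone


def role_assignments_path(resource_id: str) -> str:
    """Relative Graph path from the method table: role assignments for one resource."""
    return f"/privilegedAccess/azureResources/roleAssignments?$filter=resourceId+eq+'{resource_id}'"


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps the schema uses (e.g. 2014-01-01T00:00:00Z)."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_assignments(assignments, now, expiry_window=timedelta(hours=24)):
    """Group governanceRoleAssignment objects by the conditions a PIM reviewer looks for."""
    findings = {"permanent_active": [], "activated_from_eligible": [], "inherited": [], "expiring_soon": []}
    for a in assignments:
        aid, end = a["id"], parse_ts(a.get("endDateTime"))
        linked = a.get("linkedEligibleRoleAssignmentId")
        # Active, no end time, and not an activation: a standing direct assignment.
        if a.get("assignmentState") == "Active" and end is None and not linked:
            findings["permanent_active"].append(aid)
        # Active because a user activated an eligible assignment (just-in-time elevation).
        if linked:
            findings["activated_from_eligible"].append(aid)
        # Granted at a parent scope; it has to be reviewed where it was granted.
        if a.get("memberType") == "Inherited":
            findings["inherited"].append(aid)
        if end is not None and now <= end <= now + expiry_window:
            findings["expiring_soon"].append(aid)
    return findings


def make_row(aid, state, member, end, linked=None):
    """Constructed governanceRoleAssignment-shaped record (sample data, not a real response)."""
    return {"id": aid, "resourceId": "res-placeholder", "roleDefinitionId": "role-placeholder",
            "subjectId": "subject-placeholder", "assignmentState": state, "memberType": member,
            "startDateTime": "2024-05-01T00:00:00Z", "endDateTime": end,
            "linkedEligibleRoleAssignmentId": linked}


SAMPLE_RESPONSE = {"value": [
    make_row("a-standing", "Active", "User", None),
    make_row("a-jit", "Active", "User", "2024-05-01T08:00:00Z", linked="e-owner"),
    make_row("e-owner", "Eligible", "Group", "2025-05-01T00:00:00Z"),
    make_row("a-inherited", "Active", "Inherited", None),
]}


def sample_audit():
    """Run the audit over the constructed response at a fixed 'now' of 2024-05-01T02:00:00Z."""
    return audit_assignments(SAMPLE_RESPONSE["value"], datetime(2024, 5, 1, 2, tzinfo=timezone.utc))


if __name__ == "__main__":
    for finding, ids in sample_audit().items():
        print(f"{finding}: {ids}")
```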

governanceRoleAssignmentRequest

| Property | Type | Description |
|---|---|---|
| id | String | The identifier of the role assignment request. |
| resourceId | String | Required. The unique identifier of the Azure resource that is associated with the role assignment request. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases. |
| roleDefinitionId | String | Required. The identifier of the Azure role definition that the role assignment request is associated with. |
| subjectId | String | Required. The unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals. |
| type | String | Required. Represents the type of operation on the role assignment. The possible values are: AdminAdd, UserAdd, AdminUpdate, AdminRemove, UserRemove, UserExtend, AdminExtend, UserRenew, AdminRenew. |
| assignmentState | String | Required. The state of the assignment. The possible values are: Eligible (for an eligible assignment) or Active (if it is directly assigned Active by administrators, or activated on an eligible assignment by the user). |
| requestedDateTime | DateTimeOffset | Read-only. The request creation time. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| schedule | governanceSchedule | The schedule object of the role assignment request. |
| reason | String | A message provided by users and administrators when creating the request about why it is needed. |
| status | governanceRoleAssignmentRequestStatus | The status of the role assignment request. |
| linkedEligibleRoleAssignmentId | String | If this is a request for role activation, it holds the id of the eligible assignment being referred to; otherwise, the value is null. |

governanceRoleDefinition

| Property | Type | Description |
|---|---|---|
| id | String | The id of the role definition. |
| resourceId | String | Required. The id of the resource associated with the role definition. |
| externalId | String | The external id of the role definition. |
| displayName | String | The display name of the role definition. |
| templateId | String | |

governanceRoleSetting

| Property | Type | Description |
|---|---|---|
| id | String | The id of the roleSetting. |
| resourceId | String | Required. The id of the resource that the role setting is associated with. |
| roleDefinitionId | String | Required. The id of the role definition that the role setting is associated with. |
| isDefault | Boolean | Read-only. Indicates whether the roleSetting is a default roleSetting. |
| lastUpdatedDateTime | DateTimeOffset | Read-only. The time when the role setting was last updated. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| lastUpdatedBy | String | Read-only. The display name of the administrator who last updated the roleSetting. |
| adminEligibleSettings | governanceRuleSetting collection | The rule settings that are evaluated when an administrator tries to add an eligible role assignment. |
| adminMemberSettings | governanceRuleSetting collection | The rule settings that are evaluated when an administrator tries to add a direct member role assignment. |
| userEligibleSettings | governanceRuleSetting collection | The rule settings that are evaluated when a user tries to add an eligible role assignment. This setting is not supported for now. |
| userMemberSettings | governanceRuleSetting collection | The rule settings that are evaluated when a user tries to activate their role assignment. |

Created by merill