PrivilegedAccess.ReadWrite.AzureAD

Allows the app to request and manage just-in-time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the PrivilegedAccess.ReadWrite.AzureAD permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant
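The following script is an added example, not part of this page and not the code behind Export-MsIdAppConsentGrantReport. It shows what such an audit checks for this specific permission: delegated consent appears in the space-separated `scope` string of an oauth2PermissionGrant, and application consent appears as an appRoleAssignment whose `appRoleId` is the application permission identifier listed below. It assumes you have already fetched `GET /oauth2PermissionGrants` and `GET /servicePrincipals/{graphSpId}/appRoleAssignedTo` for the Microsoft Graph service principal; the records embedded here are constructed sample data with placeholder service principal ids.

```python
"""Flag consent grants of PrivilegedAccess.ReadWrite.AzureAD in Graph consent data.

Added example (not from the page or the MSIdentityTools module). Record shapes
follow the Graph oauth2PermissionGrant and appRoleAssignment resources; the
sample records are constructed and the "sp-*" / "user-*" ids are placeholders.
"""
from __future__ import annotations

import json
from typing import Any

# Permission identifiers as listed on the page.
DELEGATED_SCOPE = "PrivilegedAccess.ReadWrite.AzureAD"
APPLICATION_ROLE_ID = "854d9ab1-6657-4ec8-be45-823027bcd009"

# Constructed sample of GET /oauth2PermissionGrants (delegated consents).
SAMPLE_OAUTH2_GRANTS = json.loads("""
{"value": [
  {"id": "grant-1", "clientId": "sp-contoso-helpdesk", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph",
   "scope": "User.Read PrivilegedAccess.ReadWrite.AzureAD Directory.Read.All"},
  {"id": "grant-2", "clientId": "sp-timesheet", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph", "scope": "User.Read openid profile"},
  {"id": "grant-3", "clientId": "sp-pim-dashboard", "consentType": "Principal",
   "principalId": "user-alice", "resourceId": "sp-graph",
   "scope": " PrivilegedAccess.ReadWrite.AzureAD "}
]}
""")

# Constructed sample of GET /servicePrincipals/{graphSpId}/appRoleAssignedTo
# (application permissions granted to client service principals via admin consent).
SAMPLE_APP_ROLE_ASSIGNMENTS = json.loads("""
{"value": [
  {"id": "assign-1", "appRoleId": "854d9ab1-6657-4ec8-be45-823027bcd009",
   "principalId": "sp-backup-automation", "principalDisplayName": "Backup Automation",
   "principalType": "ServicePrincipal", "resourceId": "sp-graph"},
  {"id": "assign-2", "appRoleId": "00000000-0000-0000-0000-000000000000",
   "principalId": "sp-timesheet", "principalDisplayName": "Timesheet",
   "principalType": "ServicePrincipal", "resourceId": "sp-graph"}
]}
""")


def find_delegated_grants(grants: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return grants whose scope string contains the delegated permission.

    Graph stores delegated scopes as one space-separated string, so split it
    rather than substring-match; that also tolerates stray surrounding spaces.
    consentType "AllPrincipals" means the consent covers every user in the tenant.
    """
    findings = []
    for grant in grants:
        scopes = set(grant.get("scope", "").split())
        if DELEGATED_SCOPE in scopes:
            tenant_wide = grant.get("consentType") == "AllPrincipals"
            findings.append({
                "kind": "delegated",
                "clientId": grant["clientId"],
                "tenantWide": tenant_wide,
                "principalId": None if tenant_wide else grant.get("principalId"),
            })
    return findings


def find_application_grants(assignments: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return app role assignments for the application permission id."""
    return [
        {
            "kind": "application",
            "clientId": a["principalId"],
            "clientName": a.get("principalDisplayName"),
            "tenantWide": True,  # application permissions always act without a user
            "principalId": None,
        }
        for a in assignments
        if a.get("appRoleId") == APPLICATION_ROLE_ID
    ]


def audit(grants_payload: dict[str, Any], assignments_payload: dict[str, Any]) -> list[dict[str, Any]]:
    """Combine both consent types, application grants first."""
    return (find_application_grants(assignments_payload["value"])
            + find_delegated_grants(grants_payload["value"]))


def summarize(findings: list[dict[str, Any]]) -> dict[str, int]:
    """Count findings by the scope of access each grant confers."""
    return {
        "application": sum(f["kind"] == "application" for f in findings),
        "delegatedTenantWide": sum(f["kind"] == "delegated" and f["tenantWide"] for f in findings),
        "delegatedPerUser": sum(f["kind"] == "delegated" and not f["tenantWide"] for f in findings),
    }


if __name__ == "__main__":
    results = audit(SAMPLE_OAUTH2_GRANTS, SAMPLE_APP_ROLE_ASSIGNMENTS)
    for f in results:
        who = "tenant-wide" if f["tenantWide"] else f"user {f['principalId']}"
        print(f"{f['kind']:<11} {f['clientId']:<24} {who}")
    print(summarize(results))
```

Run against real exports, the two tenant-wide findings (the application grant and the AllPrincipals delegated grant) are the ones to review first, since both let the app act on PIM role assignments for any user; the per-user grant is limited to that one signed-in user.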

| Category | Application | Delegated |
|---|---|---|
| Identifier | 854d9ab1-6657-4ec8-be45-823027bcd009 | 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37 |
| DisplayText | Read and write privileged access to Azure AD roles | Read and write privileged access to Azure AD |
| Description | Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. | Allows the app to request and manage just-in-time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users. |
| AdminConsentRequired | Yes | Yes |

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: governanceResource

| Property | Type | Description |
|---|---|---|
| id | String | The id of the resource. It is in GUID format. |
| externalId | String | The external id of the resource, representing its original id in the external system. For example, a subscription resource's external id can be "/subscriptions/c14ae696-5e0c-4e5d-88cc-bef6637737ac". |
| type | String | Required. Resource type. For example, for Azure resources, the type could be "Subscription", "ResourceGroup", "Microsoft.Sql/server", etc. |
| displayName | String | The display name of the resource. |
| status | String | The status of a given resource. For example, it could represent whether the resource is locked or not (values: Active/Locked). Note: This property may be extended in the future to support more scenarios. |
| registeredDateTime | DateTimeOffset | Represents the date time when the resource is registered in PIM. |
| registeredRoot | String | The externalId of the resource's root scope that is registered in PIM. The root scope can be the parent, grandparent, or higher ancestor resources. |
| roleAssignmentCount | Int32 | Optional. The number of role assignments for the given resource. To get the property, explicitly use $select=roleAssignmentCount in the query. |
| roleDefinitionCount | Int32 | Optional. The number of role definitions for the given resource. To get the property, explicitly use $select=roleDefinitionCount in the query. |
| permissions | governancePermission | Optional. It represents the status of the requestor's access to the resource. To get the property, explicitly use $select=permissions in the query. |