PrivilegedAccess.ReadWrite.AzureAD
Allows the app to request and manage just in time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and the tenant data that an application (vendor/developer) can access if you consent to the PrivilegedAccess.ReadWrite.AzureAD permission. If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant.
Category | Application | Delegated |
---|---|---|
Identifier | 854d9ab1-6657-4ec8-be45-823027bcd009 | 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37 |
DisplayText | Read and write privileged access to Azure AD roles | Read and write privileged access to Azure AD |
Description | Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. | Allows the app to request and manage just in time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users. |
AdminConsentRequired | Yes | Yes |
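As an added audit example (not part of the original page, and not the Export-MsIdAppConsentGrantReport cmdlet itself), the following Microsoft Graph PowerShell script lists every client that has been granted this permission, using the application permission identifier from the table above for app-only grants and the permission name for delegated grants. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read application, directory and delegated-grant data; the Graph service principal is located by its well-known appId.

```powershell
# Added example: find which clients in the tenant hold PrivilegedAccess.ReadWrite.AzureAD.
# Assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Get-Mg* cmdlets) is installed.
Connect-MgGraph -Scopes 'Application.Read.All','DelegatedPermissionGrant.Read.All','Directory.Read.All'

# Identifiers taken from the permission table on this page.
$appRoleId      = '854d9ab1-6657-4ec8-be45-823027bcd009'   # application (app-only) permission id
$delegatedScope = 'PrivilegedAccess.ReadWrite.AzureAD'      # delegated grants store the scope *name*, not the GUID

# Every grant for a Graph permission points at the Microsoft Graph service principal as its resource.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# 1. Application permission: app role assignments whose resource is the Graph service principal.
#    These always come from admin consent and work without any signed-in user.
$appGrants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $appRoleId } |
    ForEach-Object {
        [pscustomobject]@{
            Client      = $_.PrincipalDisplayName
            ClientId    = $_.PrincipalId
            GrantType   = 'Application (app-only)'
            ConsentType = 'Admin'
        }
    }

# 2. Delegated permission: OAuth2 permission grants whose space-separated Scope contains the name.
#    ConsentType 'AllPrincipals' is tenant-wide admin consent; 'Principal' is consent for one user.
$delegatedGrants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id -and (($_.Scope -split ' ') -contains $delegatedScope) } |
    ForEach-Object {
        $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            Client      = $client.DisplayName
            ClientId    = $_.ClientId
            GrantType   = 'Delegated'
            ConsentType = if ($_.ConsentType -eq 'AllPrincipals') { 'Admin (all users)' } else { "User $($_.PrincipalId)" }
        }
    }

# Combine both lists (wrapping in @() so empty results do not break the concatenation) and review.
@($appGrants) + @($delegatedGrants) | Sort-Object GrantType, Client | Format-Table -AutoSize
```

Any client appearing in the output can create, extend or activate Azure AD role assignments through PIM, so each entry should have a known owner and a documented reason.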
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
Methods |
---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
Commands |
---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- governanceResource
- governanceRoleAssignment
- governanceRoleAssignmentRequest
- governanceRoleDefinition
- governanceRoleSetting
- governanceRuleSetting
- governanceSchedule
- group
- unifiedRoleScheduleBase
- unifiedRoleScheduleInstanceBase
Graph reference: governanceResource
Property | Type | Description |
---|---|---|
id | String | The id of the resource. It is in GUID format. |
externalId | String | The external id of the resource, representing its original id in the external system. For example, a subscription resource's external id can be "/subscriptions/c14ae696-5e0c-4e5d-88cc-bef6637737ac". |
type | String | Required. Resource type. For example, for Azure resources, the type could be "Subscription", "ResourceGroup", "Microsoft.Sql/server", etc. |
displayName | String | The display name of the resource. |
status | String | The status of a given resource. For example, it could represent whether the resource is locked or not (values: Active/Locked). Note: This property may be extended in the future to support more scenarios. |
registeredDateTime | DateTimeOffset | Represents the date time when the resource is registered in PIM. |
registeredRoot | String | The externalId of the resource's root scope that is registered in PIM. The root scope can be the parent, grandparent, or higher ancestor resources. |
roleAssignmentCount | Int32 | Optional. The number of role assignments for the given resource. To get the property, explicitly use $select=roleAssignmentCount in the query. |
roleDefinitionCount | Int32 | Optional. The number of role definitions for the given resource. To get the property, explicitly use $select=roleDefinitionCount in the query. |
permissions | governancePermission | Optional. It represents the status of the requestor's access to the resource. To get the property, explicitly use $select=permissions in the query. |
Graph reference: governanceRoleAssignment
Property | Type | Description |
---|---|---|
id | String | The ID of the role assignment. It is in GUID format. |
resourceId | String | Required. The ID of the resource that the role assignment is associated with. |
roleDefinitionId | String | Required. The ID of the role definition that the role assignment is associated with. |
subjectId | String | Required. The ID of the subject that the role assignment is associated with. |
linkedEligibleRoleAssignmentId | String | If this is an active assignment that was created by activating an eligible assignment, it represents the ID of that eligible assignment; otherwise, the value is null. |
externalId | String | The external ID the resource that is used to identify the role assignment in the provider. |
startDateTime | DateTimeOffset | The start time of the role assignment. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
endDateTime | DateTimeOffset | For a non-permanent role assignment, this is the time when the role assignment is expired. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
assignmentState | String | The state of the assignment. The value can be Eligible for eligible assignment or Active if it's directly assigned Active by administrators, or activated on an eligible assignment by the users. |
memberType | String | The type of member. The value can be: Inherited (if the role assignment is inherited from a parent resource scope), Group (if the role assignment isn't inherited, but comes from the membership of a group assignment), or User (if the role assignment isn't inherited or from a group assignment). |
Graph reference: governanceRoleAssignmentRequest
Property | Type | Description |
---|---|---|
id | String | The identifier of the role assignment request. |
resourceId | String | Required. The unique identifier of the Azure resource that is associated with the role assignment request. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases. |
roleDefinitionId | String | Required. The identifier of the Azure role definition that the role assignment request is associated with. |
subjectId | String | Required. The unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals. |
type | String | Required. Represents the type of operation on the role assignment. The possible values are: AdminAdd, UserAdd, AdminUpdate, AdminRemove, UserRemove, UserExtend, AdminExtend, UserRenew, AdminRenew. |
assignmentState | String | Required. The state of the assignment. The possible values are: Eligible (for an eligible assignment) or Active (directly assigned by administrators, or activated on an eligible assignment by the user). |
requestedDateTime | DateTimeOffset | Read-only. The request create time. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
schedule | governanceSchedule | The schedule object of the role assignment request. |
reason | String | A message provided by users and administrators when creating the request, explaining why it is needed. |
status | governanceRoleAssignmentRequestStatus | The status of the role assignment request. |
linkedEligibleRoleAssignmentId | String | If this is a request for role activation, it represents the id of the eligible assignment being referred to; otherwise, the value is null. |
Graph reference: governanceRoleDefinition
Property | Type | Description |
---|---|---|
id | String | The ID of the role definition. |
resourceId | String | Required. The ID of the resource associated with the role definition. |
externalId | String | The external ID of the role definition. |
displayName | String | The display name of the role definition. |
templateId | String | The unique identifier for the template. |
Graph reference: governanceRoleSetting
Property | Type | Description |
---|---|---|
id | String | The id of the roleSetting. |
resourceId | String | Required. The id of the resource that the role setting is associated with. |
roleDefinitionId | String | Required. The id of the role definition that the role setting is associated with. |
isDefault | Boolean | Read-only. Indicates whether the roleSetting is a default roleSetting. |
lastUpdatedDateTime | DateTimeOffset | Read-only. The time when the role setting was last updated. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
lastUpdatedBy | String | Read-only. The display name of the administrator who last updated the roleSetting. |
adminEligibleSettings | governanceRuleSetting collection | The rule settings that are evaluated when an administrator tries to add an eligible role assignment. |
adminMemberSettings | governanceRuleSetting collection | The rule settings that are evaluated when an administrator tries to add a direct member role assignment. |
userEligibleSettings | governanceRuleSetting collection | The rule settings that are evaluated when a user tries to add an eligible role assignment. The setting is not supported for now. |
userMemberSettings | governanceRuleSetting collection | The rule settings that are evaluated when a user tries to activate his role assignment. |
Graph reference: governanceRuleSetting
Property | Type | Description |
---|---|---|
ruleIdentifier | String | The id of the rule. For example, ExpirationRule and MfaRule. |
setting | String | The settings of the rule. The value is a JSON string with a list of pairs in the format of Parameter_Name:Parameter_Value. For example, {"permanentAssignment":false,"maximumGrantPeriodInMinutes":129600} |
Graph reference: governanceSchedule
Property | Type | Description |
---|---|---|
startDateTime | DateTimeOffset | The start time of the role assignment. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z |
endDateTime | DateTimeOffset | The end time of the role assignment. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Note: if the value is null, it indicates a permanent assignment. |
type | String | The role assignment schedule type. Only Once is supported for now. |
duration | Duration | The duration of a role assignment. It is in format of a TimeSpan. |
Graph reference: group
Property | Type | Description |
---|---|---|
allowExternalSenders | Boolean | Indicates if people external to the organization can send messages to the group. The default value is false. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
assignedLabels | assignedLabel collection | The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. Returned only on $select. This property can be updated only in delegated scenarios where the caller requires both the Microsoft Graph permission and a supported administrator role. |
assignedLicenses | assignedLicense collection | The licenses that are assigned to the group. Returned only on $select. Supports $filter (eq). Read-only. |
autoSubscribeNewMembers | Boolean | Indicates if new members added to the group are autosubscribed to receive email notifications. You can set this property in a PATCH request for the group; don't set it in the initial POST request that creates the group. Default value is false. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
classification | String | Describes a classification for the group (such as low, medium, or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition. Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith). |
createdDateTime | DateTimeOffset | Timestamp of when the group was created. The value can't be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. Returned by default. Read-only. |
deletedDateTime | DateTimeOffset | For some Microsoft Entra objects (user, group, application), if the object is deleted, it's first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null. Inherited from directoryObject. |
description | String | An optional description for the group. Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith) and $search. |
displayName | String | The display name for the group. This property is required when a group is created and can't be cleared during updates. Maximum length is 256 characters. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby. |
expirationDateTime | DateTimeOffset | Timestamp of when the group is set to expire. It's null for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. Returned by default. Supports $filter (eq, ne, not, ge, le, in). Read-only. |
groupTypes | String collection | Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview. If the collection includes DynamicMembership, the group has dynamic membership; otherwise, membership is static. Returned by default. Supports $filter (eq, not). |
hasMembersWithLicenseErrors | Boolean | Indicates whether there are members in this group that have license errors from its group-based license assignment. This property is never returned on a GET operation. You can use it as a $filter argument to get groups that have members with license errors (that is, filter for this property being true). See an example. Supports $filter (eq). |
hideFromAddressLists | Boolean | True if the group isn't displayed in certain parts of the Outlook UI: the Address Book, address lists for selecting message recipients, and the Browse Groups dialog for searching groups; otherwise, false. The default value is false. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
hideFromOutlookClients | Boolean | True if the group isn't displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. The default value is false. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
id | String | The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq, ne, not, in). |
isArchived | Boolean | When a group is associated with a team, this property determines whether the team is in read-only mode. To read this property, use the /group/{groupId}/team endpoint or the Get team API. To update this property, use the archiveTeam and unarchiveTeam APIs. |
isAssignableToRole | Boolean | Indicates whether this group can be assigned to a Microsoft Entra role. Optional. This property can only be set while creating the group and is immutable. If set to true, the securityEnabled property must also be set to true, visibility must be Hidden, and the group can't be a dynamic group (that is, groupTypes can't contain DynamicMembership). Only callers with at least the Privileged Role Administrator role can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. For more, see Using a group to manage Microsoft Entra role assignments. Using this feature requires a Microsoft Entra ID P1 license. Returned by default. Supports $filter (eq, ne, not). |
isSubscribedByMail | Boolean | Indicates whether the signed-in user is subscribed to receive email conversations. The default value is true. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
licenseProcessingState | String | Indicates the status of the group license assignment to all group members. The default value is false. Possible values: QueuedForProcessing, ProcessingInProgress, and ProcessingComplete. Returned only on $select. Read-only. |
mail | String | The SMTP address for the group, for example, "[email protected]". Returned by default. Read-only. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
mailEnabled | Boolean | Specifies whether the group is mail-enabled. Required. Returned by default. Supports $filter (eq, ne, not). |
mailNickname | String | The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following characters: @ () \ [] " ; : <> , SPACE. Required. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
membershipRule | String | The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership). For more information about the syntax of the membership rule, see Membership Rules syntax. Returned by default. Supports $filter (eq, ne, not, ge, le, startsWith). |
membershipRuleProcessingState | String | Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused. Returned by default. Supports $filter (eq, ne, not, in). |
onPremisesDomainName | String | Contains the on-premises domain FQDN, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Read-only. |
onPremisesLastSyncDateTime | DateTimeOffset | Indicates the last time at which the group was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. Returned by default. Read-only. Supports $filter (eq, ne, not, ge, le, in). |
onPremisesNetBiosName | String | Contains the on-premises netBios name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Read-only. |
onPremisesProvisioningErrors | onPremisesProvisioningError collection | Errors when using Microsoft synchronization product during provisioning. Returned by default. Supports $filter (eq, not). |
onPremisesSamAccountName | String | Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith). Read-only. |
onPremisesSecurityIdentifier | String | Contains the on-premises security identifier (SID) for the group synchronized from on-premises to the cloud. Read-only. Returned by default. Supports $filter (eq including on null values). |
onPremisesSyncEnabled | Boolean | true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never synced from an on-premises directory (default). Returned by default. Read-only. Supports $filter (eq, ne, not, in, and eq on null values). |
preferredDataLocation | String | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. To set this property, the calling app must be granted the Directory.ReadWrite.All permission and the user must be assigned at least one of the required Microsoft Entra roles. For more information about this property, see OneDrive Online Multi-Geo. Nullable. Returned by default. |
preferredLanguage | String | The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example, en-US. Returned by default. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values). |
proxyAddresses | String collection | Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: [email protected]", "smtp: [email protected]"]. The any operator is required to filter expressions on multi-valued properties. Returned by default. Read-only. Not nullable. Supports $filter (eq, not, ge, le, startsWith, endsWith, /$count eq 0, /$count ne 0). |
renewedDateTime | DateTimeOffset | Timestamp of when the group was last renewed. This value can't be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on January 1, 2014 is 2014-01-01T00:00:00Z. Returned by default. Supports $filter (eq, ne, not, ge, le, in). Read-only. |
securityEnabled | Boolean | Specifies whether the group is a security group. Required. Returned by default. Supports $filter (eq, ne, not, in). |
securityIdentifier | String | Security identifier of the group, used in Windows scenarios. Read-only. Returned by default. |
serviceProvisioningErrors | serviceProvisioningError collection | Errors published by a federated service describing a nontransient, service-specific error regarding the properties or link from a group object. Supports $filter (eq, not, for isResolved and serviceInstance). |
theme | String | Specifies a Microsoft 365 group's color theme. Possible values are Teal, Purple, Green, Blue, Pink, Orange, or Red. Returned by default. |
uniqueName | String | The unique identifier that can be assigned to a group and used as an alternate key. Immutable. Read-only. |
unseenCount | Int32 | Count of conversations that received new posts since the signed-in user last visited the group. Returned only on $select. Supported only on the Get group API (GET /groups/{ID}). |
visibility | String | Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or HiddenMembership. HiddenMembership can be set only for Microsoft 365 groups when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation. If the visibility value isn't specified during group creation on Microsoft Graph, a security group is created as Private by default, and a Microsoft 365 group is Public. Groups assignable to roles are always Private. To learn more, see group visibility options. Returned by default. Nullable. |
Graph reference: unifiedRoleScheduleBase
Property | Type | Description |
---|---|---|
appScopeId | String | Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. |
createdDateTime | DateTimeOffset | When the schedule was created. |
createdUsing | String | Identifier of the object through which this schedule was created. |
directoryScopeId | String | Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. |
id | String | The unique identifier for the schedule object. Inherited from entity. |
modifiedDateTime | DateTimeOffset | When the schedule was last modified. |
principalId | String | Identifier of the principal that has been granted the role assignment or eligibility. |
roleDefinitionId | String | Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for. |
status | String | The status of the role assignment or eligibility request. |
Graph reference: unifiedRoleScheduleInstanceBase
Property | Type | Description |
---|---|---|
appScopeId | String | Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. |
directoryScopeId | String | Identifier of the directory object representing the scope of the assignment or role eligibility. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. |
id | String | The unique identifier for the schedule object. Inherited from entity. |
principalId | String | Identifier of the principal that has been granted the role assignment or that's eligible for a role. |
roleDefinitionId | String | Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for. |