PrivilegedAccess.ReadWrite.AzureResources

Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage Azure resources (like subscriptions, resource groups, storage, compute) on behalf of the signed-in users.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the PrivilegedAccess.ReadWrite.AzureResources permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	6f9d5abc-2db6-400b-a267-7de22a40fb87	a84a9652-ffd3-496e-a991-22ba5529156a
DisplayText	Read and write privileged access to Azure resources	Read and write privileged access to Azure resources
Description	Allows the app to request and manage time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) in your organization, without a signed-in user.	Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage Azure resources (like subscriptions, resource groups, storage, compute) on behalf of the signed-in users.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /privilegedAccess/azureResources/resources
	GET /privilegedAccess/azureResources/resources/{id}
	GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignmentRequests
	GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignments
	GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignments/{id}
	GET /privilegedAccess/azureResources/resources/{resourceId}/roleDefinitions
	GET /privilegedAccess/azureResources/resources/{resourceId}/roleDefinitions/{id}
	GET /privilegedAccess/azureResources/resources/{resourceId}/roleSettings
	GET /privilegedAccess/azureResources/roleAssignmentRequests?$filter=resourceId+eq+'{resourceId}'
	GET /privilegedAccess/azureResources/roleAssignmentRequests/{id}
	GET /privilegedAccess/azureResources/roleAssignments?$filter=resourceId+eq+'{resourceId}'
	GET /privilegedAccess/azureResources/roleAssignments/{id}?$filter=resourceId+eq+'{resourceId}'
	GET /privilegedAccess/azureResources/roleAssignments/export?$filter=resourceId+eq+'{resourceId}'
	GET /privilegedAccess/azureResources/roleDefinitions?$filter=resourceId+eq+'{resourceId}'
	GET /privilegedAccess/azureResources/roleDefinitions/{id}?$filter=resourceId+eq+'{resourceId}'
	GET /privilegedAccess/azureResources/roleSettings?$filter=resourceId+eq+''
	GET /privilegedAccess/azureResources/roleSettings/{id}
	PATCH /privilegedAccess/azureResources/roleSettings/{id}
	POST /privilegedAccess/azureResources/resources/register
	POST /privilegedAccess/azureResources/roleAssignmentRequests
	POST /privilegedAccess/azureResources/roleAssignmentRequests/{id}/cancel
	POST /privilegedAccess/azureResources/roleAssignmentRequests/{id}/updateRequest

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaPrivilegedAccessResource
	Get-MgBetaPrivilegedAccessRoleSetting
	New-MgBetaPrivilegedAccessRoleAssignmentRequest
	Stop-MgBetaPrivilegedAccessRoleAssignmentRequest
	Update-MgBetaPrivilegedAccessRoleSetting

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: governanceResource

Property	Type	Description
id	String	The id of the resource. It is in GUID format.
externalId	String	The external id of the resource, representing its original id in the external system. For example, a subscription resource's external id can be "/subscriptions/c14ae696-5e0c-4e5d-88cc-bef6637737ac".
type	String	Required. Resource type. For example, for Azure resources, the type could be "Subscription", "ResourceGroup", "Microsoft.Sql/server", etc.
displayName	String	The display name of the resource.
status	String	The status of a given resource. For example, it could represent whether the resource is locked or not (values: `Active`/`Locked`). Note: This property may be extended in the future to support more scenarios.
registeredDateTime	DateTimeOffset	Represents the date time when the resource is registered in PIM.
registeredRoot	String	The externalId of the resource's root scope that is registered in PIM. The root scope can be the parent, grandparent, or higher ancestor resources.
roleAssignmentCount	Int32	Optional. The number of role assignments for the given resource. To get the property, explicitly use `$select=roleAssignmentCount` in the query.
roleDefinitionCount	Int32	Optional. The number of role definitions for the given resource. To get the property, explicitly use `$select=roleDefinitionCount` in the query.
permissions	governancePermission	Optional. It represents the status of the requestor's access to the resource. To get the property, explicitly use `$select=permissions` in the query.

Graph reference: governanceRoleAssignment

Property	Type	Description
id	String	The ID of the role assignment. It is in GUID format.
resourceId	String	Required. The ID of the resource that the role assignment is associated with.
roleDefinitionId	String	Required. The ID of the role definition that the role assignment is associated with.
subjectId	String	Required. The ID of the subject that the role assignment is associated with.
linkedEligibleRoleAssignmentId	String	If this is an `active assignment` and created due to activation on an `eligible assignment`, it represents the ID of that `eligible assignment`; Otherwise, the value is `null`.
externalId	String	The external ID the resource that is used to identify the role assignment in the provider.
startDateTime	DateTimeOffset	The start time of the role assignment. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`
endDateTime	DateTimeOffset	For a non-permanent role assignment, this is the time when the role assignment is expired. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`
assignmentState	String	The state of the assignment. The value can be `Eligible` for eligible assignment or `Active` if it's directly assigned `Active` by administrators, or activated on an eligible assignment by the users.
memberType	String	The type of member. The value can be: `Inherited` (if the role assignment is inherited from a parent resource scope), `Group` (if the role assignment isn't inherited, but comes from the membership of a group assignment), or `User` (if the role assignment isn't inherited or from a group assignment).

Graph reference: governanceRoleAssignmentRequest

Property	Type	Description
id	String	The identifier of the role assignment request.
resourceId	String	Required. The unique identifier of the Azure resource that is associated with the role assignment request. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases.
roleDefinitionId	String	Required. The identifier of the Azure role definition that the role assignment request is associated with.
subjectId	String	Required. The unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals.
type	String	Required. Representing the type of the operation on the role assignment. The possible values are: `AdminAdd` , `UserAdd` , `AdminUpdate` , `AdminRemove` , `UserRemove` , `UserExtend` , `AdminExtend` , `UserRenew` , `AdminRenew`.
assignmentState	String	Required. The state of the assignment. The possible values are: `Eligible` (for eligible assignment), `Active` (if it is directly assigned), `Active` (by administrators, or activated on an eligible assignment by the users).
requestedDateTime	DateTimeOffset	Read-only. The request create time. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`
schedule	governanceSchedule	The schedule object of the role assignment request.
reason	String	A message provided by users and administrators when create the request about why it is needed.
status	governanceRoleAssignmentRequestStatus	The status of the role assignment request.
linkedEligibleRoleAssignmentId	String	If this is a request for role activation, it represents the id of the `eligible assignment` being referred; Otherwise, the value is `null`.

Graph reference: governanceRoleDefinition

Property	Type	Description
id	String	The ID of the role definition.
resourceId	String	Required. The ID of the resource associated with the role definition.
externalId	String	The external ID of the role definition.
displayName	String	The display name of the role definition.
templateId	String	The unique identifier for the template.

Graph reference: governanceRoleSetting

Property	Type	Description
id	String	The id of the roleSetting.
resourceId	String	Required. The id of the resource that the role setting is associated with.
roleDefinitionId	String	Required. The id of the role definition that the role setting is associated with.
isDefault	Boolean	Read-only. Indicate if the roleSetting is a default roleSetting
lastUpdatedDateTime	DateTimeOffset	Read-only. The time when the role setting was last updated. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`
lastUpdatedBy	String	Read-only. The display name of the administrator who last updated the roleSetting.
adminEligibleSettings	governanceRuleSetting collection	The rule settings that are evaluated when an administrator tries to add an eligible role assignment.
adminMemberSettings	governanceRuleSetting collection	The rule settings that are evaluated when an administrator tries to add a direct member role assignment.
userEligibleSettings	governanceRuleSetting collection	The rule settings that are evaluated when a user tries to add an eligible role assignment. The setting is not supported for now.
userMemberSettings	governanceRuleSetting collection	The rule settings that are evaluated when a user tries to activate his role assignment.

Graph reference: governanceRuleSetting

Property	Type	Description
ruleIdentifier	String	The id of the rule. For example, `ExpirationRule` and `MfaRule`.
setting	String	The settings of the rule. The value is a JSON string with a list of pairs in the format of Parameter_Name:Parameter_Value. For example, `{"permanentAssignment":false,"maximumGrantPeriodInMinutes":129600}`

Graph reference: governanceSchedule

Property	Type	Description
startDateTime	DateTimeOffset	The start time of the role assignment. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`
endDateTime	DateTimeOffset	The end time of the role assignment. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Note: if the value is `null`, it indicates a permanent assignment.
type	String	The role assignment schedule type. Only `Once` is supported for now.
duration	Duration	The duration of a role assignment. It is in format of a TimeSpan.

Graph reference: group

Property	Type	Description
allowExternalSenders	Boolean	Indicates if people external to the organization can send messages to the group. The default value is `false`. Returned only on `$select`. Supported only on the Get group API (`GET /groups/{ID}`).
assignedLabels	assignedLabel collection	The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. Returned only on `$select`. This property can be updated only in delegated scenarios where the caller requires both the Microsoft Graph permission and a supported administrator role.
assignedLicenses	assignedLicense collection	The licenses that are assigned to the group. Returned only on `$select`. Supports `$filter` (`eq`).Read-only.
autoSubscribeNewMembers	Boolean	Indicates if new members added to the group are autosubscribed to receive email notifications. You can set this property in a PATCH request for the group; don't set it in the initial POST request that creates the group. Default value is `false`. Returned only on `$select`. Supported only on the Get group API (`GET /groups/{ID}`).
classification	String	Describes a classification for the group (such as low, medium, or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `startsWith`).
createdDateTime	DateTimeOffset	Timestamp of when the group was created. The value can't be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on January 1, 2014 is `2014-01-01T00:00:00Z`. Returned by default. Read-only.
deletedDateTime	DateTimeOffset	For some Microsoft Entra objects (user, group, application), if the object is deleted, it's first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is `null`. If the object is restored, this property is updated to `null`. Inherited from directoryObject.
description	String	An optional description for the group. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `startsWith`) and `$search`.
displayName	String	The display name for the group. This property is required when a group is created and can't be cleared during updates. Maximum length is 256 characters. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values), `$search`, and `$orderby`.
expirationDateTime	DateTimeOffset	Timestamp of when the group is set to expire. It's `null` for security groups, but for Microsoft 365 groups, it represents when the group is set to expire as defined in the groupLifecyclePolicy. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on January 1, 2014 is `2014-01-01T00:00:00Z`. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`). Read-only.
groupTypes	String collection	Specifies the group type and its membership. If the collection contains `Unified`, the group is a Microsoft 365 group; otherwise, it's either a security group or a distribution group. For details, see groups overview. If the collection includes `DynamicMembership`, the group has dynamic membership; otherwise, membership is static. Returned by default. Supports `$filter` (`eq`, `not`).
hasMembersWithLicenseErrors	Boolean	Indicates whether there are members in this group that have license errors from its group-based license assignment. This property is never returned on a GET operation. You can use it as a $filter argument to get groups that have members with license errors (that is, filter for this property being true). See an example. Supports `$filter` (`eq`).
hideFromAddressLists	Boolean	True if the group isn't displayed in certain parts of the Outlook UI: the Address Book, address lists for selecting message recipients, and the Browse Groups dialog for searching groups; otherwise, false. The default value is `false`. Returned only on `$select`. Supported only on the Get group API (`GET /groups/{ID}`).
hideFromOutlookClients	Boolean	True if the group isn't displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. The default value is `false`. Returned only on `$select`. Supported only on the Get group API (`GET /groups/{ID}`).
id	String	The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable. Read-only. Supports `$filter` (`eq`, `ne`, `not`, `in`).
isArchived	Boolean	When a group is associated with a team, this property determines whether the team is in read-only mode. To read this property, use the `/group/{groupId}/team` endpoint or the Get team API. To update this property, use the archiveTeam and unarchiveTeam APIs.
isAssignableToRole	Boolean	Indicates whether this group can be assigned to a Microsoft Entra role. Optional. This property can only be set while creating the group and is immutable. If set to `true`, the securityEnabled property must also be set to `true`, visibility must be `Hidden`, and the group can't be a dynamic group (that is, groupTypes can't contain `DynamicMembership`). Only callers with at least the Privileged Role Administrator role can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. For more, see Using a group to manage Microsoft Entra role assignments Using this feature requires a Microsoft Entra ID P1 license. Returned by default. Supports `$filter` (`eq`, `ne`, `not`).
isSubscribedByMail	Boolean	Indicates whether the signed-in user is subscribed to receive email conversations. The default value is `true`. Returned only on `$select`. Supported only on the Get group API (`GET /groups/{ID}`).
licenseProcessingState	String	Indicates the status of the group license assignment to all group members. The default value is `false`. Read-only. Possible values: `QueuedForProcessing`, `ProcessingInProgress`, and `ProcessingComplete`. Returned only on `$select`. Read-only.
mail	String	The SMTP address for the group, for example, "[email protected]". Returned by default. Read-only. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).
mailEnabled	Boolean	Specifies whether the group is mail-enabled. Required. Returned by default. Supports `$filter` (`eq`, `ne`, `not`).
mailNickname	String	The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following characters: `@ () \ [] " ; : <> , SPACE`. Required. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).
membershipRule	String	The rule that determines members for this group if the group is a dynamic group (groupTypes contains `DynamicMembership`). For more information about the syntax of the membership rule, see Membership Rules syntax. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `startsWith`).
membershipRuleProcessingState	String	Indicates whether the dynamic membership processing is on or paused. Possible values are `On` or `Paused`. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `in`).
onPremisesDomainName	String	Contains the on-premises domain FQDN, also called dnsDomainName synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Read-only.
onPremisesLastSyncDateTime	DateTimeOffset	Indicates the last time at which the group was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on January 1, 2014 is `2014-01-01T00:00:00Z`. Returned by default. Read-only. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`).
onPremisesNetBiosName	String	Contains the on-premises netBios name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Read-only.
onPremisesProvisioningErrors	onPremisesProvisioningError collection	Errors when using Microsoft synchronization product during provisioning. Returned by default. Supports `$filter` (`eq`, `not`).
onPremisesSamAccountName	String	Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers synchronizing their on-premises directory to Microsoft Entra ID via Microsoft Entra Connect. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`). Read-only.
onPremisesSecurityIdentifier	String	Contains the on-premises security identifier (SID) for the group synchronized from on-premises to the cloud. Read-only. Returned by default. Supports `$filter` (`eq` including on `null` values).
onPremisesSyncEnabled	Boolean	`true` if this group is synced from an on-premises directory; `false` if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never synced from an on-premises directory (default). Returned by default. Read-only. Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values).
preferredDataLocation	String	The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. To set this property, the calling app must be granted the Directory.ReadWrite.All permission and the user be assigned at least one of the following Microsoft Entra roles: User Account Administrator Directory Writer Exchange Administrator SharePoint Administrator For more information about this property, see OneDrive Online Multi-Geo. Nullable. Returned by default.
preferredLanguage	String	The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example, `en-US`. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values).
proxyAddresses	String collection	Email addresses for the group that direct to the same group mailbox. For example: `["SMTP: [email protected]", "smtp: [email protected]"]`. The any operator is required to filter expressions on multi-valued properties. Returned by default. Read-only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`, `endsWith`, `/$count eq 0`, `/$count ne 0`).
renewedDateTime	DateTimeOffset	Timestamp of when the group was last renewed. This value can't be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on January 1, 2014 is `2014-01-01T00:00:00Z`. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`). Read-only.
securityEnabled	Boolean	Specifies whether the group is a security group. Required. Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `in`).
securityIdentifier	String	Security identifier of the group, used in Windows scenarios. Read-only. Returned by default.
serviceProvisioningErrors	serviceProvisioningError collection	Errors published by a federated service describing a nontransient, service-specific error regarding the properties or link from a group object. Supports `$filter` (`eq`, `not`, for isResolved and serviceInstance).
theme	string	Specifies a Microsoft 365 group's color theme. Possible values are `Teal`, `Purple`, `Green`, `Blue`, `Pink`, `Orange`, or `Red`. Returned by default.
uniqueName	String	The unique identifier that can be assigned to a group and used as an alternate key. Immutable. Read-only.
unseenCount	Int32	Count of conversations that received new posts since the signed-in user last visited the group. Returned only on `$select`. Supported only on the Get group API (`GET /groups/{ID}`).
visibility	String	Specifies the group join policy and group content visibility for groups. Possible values are: `Private`, `Public`, or `HiddenMembership`. `HiddenMembership` can be set only for Microsoft 365 groups when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation. If visibility value isn't specified during group creation on Microsoft Graph, a security group is created as `Private` by default, and the Microsoft 365 group is `Public`. Groups assignable to roles are always `Private`. To learn more, see group visibility options. Returned by default. Nullable.

Table of Contents

PrivilegedAccess.ReadWrite.AzureResources

Graph Methods

Resources