PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup

Allows the app to read, create, and delete time-based assignment schedules for access to Azure AD groups, on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	41202f2c-f7ab-45be-b001-85c9728b9d69	06dbc45d-6708-4ef0-a797-f797ee68bf4b
DisplayText	Read, create, and delete assignment schedules for access to Azure AD groups	Read, create, and delete assignment schedules for access to Azure AD groups
Description	Allows the app to read, create, and delete time-based assignment schedules for access to Azure AD groups, without a signed-in user.	Allows the app to read, create, and delete time-based assignment schedules for access to Azure AD groups, on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}
	GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages
	GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages/{approvalStageId}
	GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/filterByCurrentUser(on='approver')
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleInstances?$filter=groupId eq '{groupId}'
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleInstances?$filter=principalId eq '{principalId}'
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleInstances/{privilegedAccessGroupAssignmentScheduleInstanceId}
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleInstances/filterByCurrentUser(on=parameterValue)
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleRequests?$filter=groupId eq '{groupId}'
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleRequests?$filter=principalId eq '{principalId}'
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleRequests/{privilegedAccessGroupAssignmentScheduleRequestId}
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleRequests/filterByCurrentUser(on='parameterValue')
	GET /identityGovernance/privilegedAccess/group/assignmentSchedules?$filter=groupId eq '{groupId}'
	GET /identityGovernance/privilegedAccess/group/assignmentSchedules?$filter=principalId eq '{principalId}'
	GET /identityGovernance/privilegedAccess/group/assignmentSchedules/{privilegedAccessGroupAssignmentScheduleId}
	GET /identityGovernance/privilegedAccess/group/assignmentSchedules/filterByCurrentUser(on='parameterValue')
	PATCH /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages/{approvalStageId}
	POST /identityGovernance/privilegedAccess/group/assignmentScheduleRequests
	POST /identityGovernance/privilegedAccess/group/assignmentScheduleRequests/{privilegedAccessGroupAssignmentScheduleRequestId}/cancel

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}
	GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}/steps
	GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}/steps/{id}
	GET /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/filterByCurrentUser(on='approver')
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleInstances?$filter=groupId eq '{groupId}'
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleInstances?$filter=principalId eq '{principalId}'
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleInstances/{privilegedAccessGroupAssignmentScheduleInstanceId}
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleInstances/filterByCurrentUser(on=parameterValue)
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleRequests?$filter=groupId eq '{groupId}'
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleRequests?$filter=principalId eq '{principalId}'
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleRequests/{privilegedAccessGroupAssignmentScheduleRequestId}
	GET /identityGovernance/privilegedAccess/group/assignmentScheduleRequests/filterByCurrentUser(on='parameterValue')
	GET /identityGovernance/privilegedAccess/group/assignmentSchedules?$filter=groupId eq '{groupId}'
	GET /identityGovernance/privilegedAccess/group/assignmentSchedules?$filter=principalId eq '{principalId}'
	GET /identityGovernance/privilegedAccess/group/assignmentSchedules/{privilegedAccessGroupAssignmentScheduleId}
	GET /identityGovernance/privilegedAccess/group/assignmentSchedules/filterByCurrentUser(on='parameterValue')
	PATCH /identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}/steps/{id}
	POST /identityGovernance/privilegedAccess/group/assignmentScheduleRequests
	POST /identityGovernance/privilegedAccess/group/assignmentScheduleRequests/{privilegedAccessGroupAssignmentScheduleRequestId}/cancel

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgEntitlementManagementAccessPackageAssignmentApprovalStage
	Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentSchedule
	Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance
	Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest
	Invoke-MgFilterIdentityGovernancePrivilegedAccessGroupAssignmentApprovalByCurrentUser
	Invoke-MgFilterIdentityGovernancePrivilegedAccessGroupAssignmentScheduleByCurrentUser
	Invoke-MgFilterIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstanceByCurrentUser
	Invoke-MgFilterIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequestByCurrentUser
	New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest
	Stop-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest
	Update-MgEntitlementManagementAccessPackageAssignmentApprovalStage

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentSchedule
	Get-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance
	Get-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest
	Invoke-MgBetaFilterIdentityGovernancePrivilegedAccessGroupAssignmentApprovalByCurrentUser
	Invoke-MgBetaFilterIdentityGovernancePrivilegedAccessGroupAssignmentScheduleByCurrentUser
	Invoke-MgBetaFilterIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstanceByCurrentUser
	Invoke-MgBetaFilterIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequestByCurrentUser
	New-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest
	Stop-MgBetaIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest
	Update-MgBetaEntitlementManagementAccessPackageAssignmentApprovalStep

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: accessPackageAssignmentRequest

Property	Type	Description
answers	accessPackageAnswer collection	Answers provided by the requestor to accessPackageQuestions asked of them at the time of request.
completedDateTime	DateTimeOffset	The date of the end of processing, either successful or failure, of a request. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.
customExtensionCalloutInstances	customExtensionCalloutInstance collection	Information about all the custom extension calls that were made during the access package assignment workflow.
createdDateTime	DateTimeOffset	The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Supports `$filter`.
id	String	Read-only.
requestType	accessPackageRequestType	The type of the request. The possible values are: `notSpecified`, `userAdd`, `UserExtend`, `userUpdate`, `userRemove`, `adminAdd`, `adminUpdate`, `adminRemove`, `systemAdd`, `systemUpdate`, `systemRemove`, `onBehalfAdd` (not supported), `unknownFutureValue`. Requests from the user have a requestType of `userAdd`, `userUpdate`, or `userRemove`. This property can't be changed once set.
schedule	entitlementManagementSchedule	The range of dates that access is to be assigned to the requestor. This property can't be changed once set, but a new schedule for an assignment can be included in another `userUpdate` or `UserExtend` or `adminUpdate` assignment request.
state	accessPackageRequestState	The state of the request. The possible values are: `submitted`, `pendingApproval`, `delivering`, `delivered`, `deliveryFailed`, `denied`, `scheduled`, `canceled`, `partiallyDelivered`, `unknownFutureValue`. Read-only. Supports `$filter` (`eq`).
status	String	More information on the request processing status. Read-only.

Graph reference: approval

Property	Type	Description
id	String	Identifier of the approval decision. In PIM for groups, it's the same identifier as the identifier of the assignment schedule request.

Graph reference: approvalStage

Property	Type	Description
assignedToMe	Boolean	Indicates whether the stage is assigned to the calling user to review. Read-only.
displayName	String	The label provided by the policy creator to identify an approval stage. Read-only.
id	String	The identifier of the stage associated with an approval object. Read-only.
justification	String	The justification associated with the approval stage decision.
reviewResult	String	The result of this approval record. Possible values include: `NotReviewed`, `Approved`, `Denied`.
reviewedBy	identity	The identifier of the reviewer. `00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't reviewed. Read-only.
reviewedDateTime	DateTimeOffset	The date and time when a decision was recorded. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.
status	String	The stage status. Possible values: `InProgress`, `Initializing`, `Completed`, `Expired`. Read-only.

Graph reference: approvalStep

Property	Type	Description
assignedToMe	Boolean	Indicates whether the step is assigned to the calling user to review. Read-only.
displayName	String	The label provided by the policy creator to identify an approval step. Read-only.
id	String	The identifier of the step associated with an approval object. Read-only.
justification	String	The justification associated with the approval step decision.
reviewResult	String	The result of this approval record. Possible values include: `NotReviewed`, `Approved`, `Denied`.
reviewedBy	userIdentity collection	The identifier of the reviewer. `00000000-0000-0000-0000-000000000000` if the assigned reviewer hasn't reviewed. Read-only.
reviewedDateTime	DateTimeOffset	The date and time when a decision was recorded. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.
status	String	The step status. Possible values: `InProgress`, `Initializing`, `Completed`, `Expired`. Read-only.

Graph reference: privilegedAccessGroupAssignmentSchedule

Property	Type	Description
accessId	privilegedAccessGroupRelationships	The identifier of the membership or ownership assignment to the group that is governed through PIM. Required. The possible values are: `owner`, `member`, `unknownFutureValue`. Supports `$filter` (`eq`).
assignmentType	privilegedAccessGroupAssignmentType	Indicates whether the membership or ownership assignment for the principal is granted through activation or direct assignment. Required. The possible values are: `assigned`, `activated`, `unknownFutureValue`. Supports `$filter` (`eq`).
createdDateTime	DateTimeOffset	When the schedule was created. Optional.
createdUsing	String	The identifier of the access assignment or eligibility request that created this schedule. Optional. Supports `$filter` (`eq`, `ne`, and on `null` values).
groupId	String	The identifier of the group representing the scope of the membership or ownership assignment through PIM for groups. Required. Supports `$filter` (`eq`).
id	String	The identifier of the schedule. Required. Inherited from entity. Supports `$filter` (`eq`, `ne`).
memberType	privilegedAccessGroupMemberType	Indicates whether the assignment is derived from a direct group assignment or through a transitive assignment. The possible values are: `direct`, `group`, `unknownFutureValue`. Supports `$filter` (`eq`).
modifiedDateTime	DateTimeOffset	When the schedule was last modified. Optional.
principalId	String	The identifier of the principal whose membership or ownership assignment is granted through PIM for groups. Required. Supports `$filter` (`eq`).
scheduleInfo	requestSchedule	Represents the period of the access assignment or eligibility. The scheduleInfo can represent a single occurrence or multiple recurring instances. Required.
status	String	The status of the access assignment or eligibility request. The possible values are: `Canceled`, `Denied`, `Failed`, `Granted`, `PendingAdminDecision`, `PendingApproval`, `PendingProvisioning`, `PendingScheduleCreation`, `Provisioned`, `Revoked`, and `ScheduleCreated`. Not nullable. Optional. Supports `$filter` (`eq`, `ne`).

Graph reference: privilegedAccessGroupAssignmentScheduleInstance

Property	Type	Description
accessId	privilegedAccessGroupRelationships	The identifier of the membership or ownership assignment relationship to the group. Required. The possible values are: `owner`, `member`, `unknownFutureValue`. Supports `$filter` (`eq`).
assignmentScheduleId	String	The identifier of the privilegedAccessGroupAssignmentSchedule from which this instance was created. Required. Supports `$filter` (`eq`, `ne`).
assignmentType	privilegedAccessGroupAssignmentType	Indicates whether the membership or ownership assignment is granted through activation of an eligibility or through direct assignment. Required. The possible values are: `assigned`, `activated`, `unknownFutureValue`. Supports `$filter` (`eq`).
endDateTime	DateTimeOffset	When the schedule instance ends. Required.
groupId	String	The identifier of the group representing the scope of the membership or ownership assignment through PIM for groups. Optional. Supports `$filter` (`eq`).
id	String	The identifier of the access assignment schedule instance. Required. Inherited from entity. Supports `$filter` (`eq`, `ne`).
memberType	privilegedAccessGroupMemberType	Indicates whether the assignment is derived from a group assignment. It can further imply whether the caller can manage the assignment schedule. Required. The possible values are: `direct`, `group`, `unknownFutureValue`. Supports `$filter` (`eq`).
principalId	String	The identifier of the principal whose membership or ownership assignment to the group is managed through PIM for groups. Required. Supports `$filter` (`eq`).
startDateTime	DateTimeOffset	When this instance starts. Required.

Graph reference: privilegedAccessGroupAssignmentScheduleRequest

Property	Type	Description
accessId	privilegedAccessGroupRelationships	The identifier of a membership or ownership assignment relationship to the group. Required. The possible values are: `owner`, `member`, `unknownFutureValue`.
action	String	Represents the type of operation on the group membership or ownership assignment request. The possible values are: `adminAssign`, `adminUpdate`, `adminRemove`, `selfActivate`, `selfDeactivate`, `adminExtend`, `adminRenew`. `adminAssign`: For administrators to assign group membership or ownership to principals. `adminRemove`: For administrators to remove principals from group membership or ownership. `adminUpdate`: For administrators to change existing group membership or ownership assignments. `adminExtend`: For administrators to extend expiring assignments. `adminRenew`: For administrators to renew expired assignments. `selfActivate`: For principals to activate their assignments. `selfDeactivate`: For principals to deactivate their active assignments.
approvalId	String	The identifier of the approval of the request. Inherited from request.
completedDateTime	DateTimeOffset	The request completion date time. Inherited from request.
createdBy	identitySet	The principal that created this request. Inherited from request. Read-only. Supports `$filter` (`eq`, `ne`, and on `null` values).
createdDateTime	DateTimeOffset	The request creation date time. Inherited from request. Read-only.
customData	String	Free text field to define any custom data for the request. Not used. Inherited from request.
groupId	String	The identifier of the group representing the scope of the membership or ownership assignment through PIM for groups. Required.
id	String	The unique identifier for the privilegedAccessGroupAssignmentScheduleRequest object. Key, not nullable, Read-only. Inherited from entity. Supports `$filter` (`eq`, `ne`).
isValidationOnly	Boolean	Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.
justification	String	A message provided by users and administrators when they create the privilegedAccessGroupAssignmentScheduleRequest object.
principalId	String	The identifier of the principal whose membership or ownership assignment to the group is managed through PIM for groups. Supports `$filter` (`eq`, `ne`).
scheduleInfo	requestSchedule	The period of the group membership or ownership assignment. Recurring schedules are currently unsupported.
status	String	The status of the group membership or ownership assignment request. Inherited from request. Read-only. Supports `$filter` (`eq`, `ne`).
targetScheduleId	String	The identifier of the schedule that's created from the membership or ownership assignment request. Supports `$filter` (`eq`, `ne`).
ticketInfo	ticketInfo	Ticket details linked to the group membership or ownership assignment request including details of the ticket number and ticket system.

Graph reference: requestSchedule

Property	Type	Description
expiration	expirationPattern	When the eligible or active assignment expires.
recurrence	patternedRecurrence	The frequency of the eligible or active assignment. This property is currently unsupported in PIM.
startDateTime	DateTimeOffset	When the eligible or active assignment becomes active.

Property	Type	Description
ticketNumber	String	The ticket number.
ticketSystem	String	The description of the ticket system.

Graph reference: unifiedRoleAssignmentScheduleRequest

Property	Type	Description
action	String	Represents the type of the operation on the role assignment request. The possible values are: `adminAssign`, `adminUpdate`, `adminRemove`, `selfActivate`, `selfDeactivate`, `adminExtend`, `adminRenew`, `selfExtend`, `selfRenew`, `unknownFutureValue`. `adminAssign`: For administrators to assign roles to principals. `adminRemove`: For administrators to remove principals from roles. `adminUpdate`: For administrators to change existing role assignments. `adminExtend`: For administrators to extend expiring assignments. `adminRenew`: For administrators to renew expired assignments. `selfActivate`: For principals to activate their assignments. `selfDeactivate`: For principals to deactivate their active assignments. `selfExtend`: For principals to request to extend their expiring assignments. `selfRenew`: For principals to request to renew their expired assignments.
approvalId	String	The identifier of the approval of the request. Inherited from request.
appScopeId	String	Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values).
completedDateTime	DateTimeOffset	The request completion date time. Inherited from request.
createdBy	identitySet	The principal that created this request. Inherited from request. Read-only. Supports `$filter` (`eq`, `ne`, and on `null` values).
createdDateTime	DateTimeOffset	The request creation date time. Inherited from request. Read-only.
customData	String	Free text field to define any custom data for the request. Not used. Inherited from request.
directoryScopeId	String	Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values).
id	String	The unique identifier for the unifiedRoleAssignmentScheduleRequest object. Key, not nullable, Read-only. Inherited from entity. Supports `$filter` (`eq`, `ne`).
isValidationOnly	Boolean	Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.
justification	String	A message provided by users and administrators when create they create the unifiedRoleAssignmentScheduleRequest object.
principalId	String	Identifier of the principal that has been granted the assignment. Can be a user, role-assignable group, or a service principal. Supports `$filter` (`eq`, `ne`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports `$filter` (`eq`, `ne`).
scheduleInfo	requestSchedule	The period of the role assignment. Recurring schedules are currently unsupported.
status	String	The status of the role assignment request. Inherited from request. Read-only. Supports `$filter` (`eq`, `ne`).
targetScheduleId	String	Identifier of the schedule object that's linked to the assignment request. Supports `$filter` (`eq`, `ne`).
ticketInfo	ticketInfo	Ticket details linked to the role assignment request including details of the ticket number and ticket system.

Table of Contents

PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup

Graph Methods

Resources