PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup
Allows the app to read, create, and delete time-based eligibility schedules for access to Azure AD groups, on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
PrivilegedEligibilitySchedule.ReadWrite.AzureADGrouppermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | 618b6020-bca8-4de6-99f6-ef445fa4d857 | ba974594-d163-484e-ba39-c330d5897667 |
| DisplayText | Read, create, and delete eligibility schedules for access to Azure AD groups | Read, create, and delete eligibility schedules for access to Azure AD groups |
| Description | Allows the app to read, create, and delete time-based eligibility schedules for access to Azure AD groups, without a signed-in user. | Allows the app to read, create, and delete time-based eligibility schedules for access to Azure AD groups, on behalf of the signed-in user. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- privilegedAccessGroupEligibilitySchedule
- privilegedAccessGroupEligibilityScheduleInstance
- privilegedAccessGroupEligibilityScheduleRequest
- requestSchedule
- ticketInfo
Graph reference: privilegedAccessGroupEligibilitySchedule
| Property | Type | Description |
|---|---|---|
| accessId | privilegedAccessGroupRelationships | The identifier of the membership or ownership eligibility to the group that is governed by PIM. Required. The possible values are: owner, member. Supports $filter (eq). |
| createdDateTime | DateTimeOffset | When the schedule was created. Optional. Inherited from privilegedAccessSchedule. |
| createdUsing | String | The identifier of the access assignment or eligibility request that creates this schedule. Optional. Inherited from privilegedAccessSchedule. Supports $filter (eq, ne, and on null values). |
| groupId | String | The identifier of the group representing the scope of the membership or ownership eligibility through PIM for groups. Required. Supports $filter (eq). |
| id | String | The identifier of the schedule. Required. Inherited from entity. Supports $filter (eq, ne). |
| memberType | privilegedAccessGroupMemberType | Indicates whether the assignment is derived from a group assignment. It can further imply whether the caller can manage the schedule. Required. The possible values are: direct, group, unknownFutureValue. Supports $filter (eq). |
| modifiedDateTime | DateTimeOffset | When the schedule was last modified. Optional. Inherited from privilegedAccessSchedule. |
| principalId | String | The identifier of the principal whose membership or ownership eligibility is granted through PIM for groups. Required. Supports $filter (eq). |
| scheduleInfo | requestSchedule | Represents the period of the access assignment or eligibility. The scheduleInfo can represent a single occurrence or multiple recurring instances. Required. Inherited from privilegedAccessSchedule. |
| status | String | The status of the access assignment or eligibility request. The possible values are: Canceled, Denied, Failed, Granted, PendingAdminDecision, PendingApproval, PendingProvisioning, PendingScheduleCreation, Provisioned, Revoked, and ScheduleCreated. Not nullable. Optional. Inherited from privilegedAccessSchedule. Supports $filter (eq, ne). |