RecordsManagement.ReadWrite.All

Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the RecordsManagement.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	eb158f57-df43-4751-8b21-b8932adb3d34	f2833d75-a4e6-40ab-86d4-6dfe73c97605
DisplayText	Read and write Records Management configuration, labels and policies	Read and write Records Management configuration, labels, and policies
Description	Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies without the signed in user.	Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /security/labels/authorities/{authorityTemplateId}/$ref
	DELETE /security/labels/categories/{categoryTemplateId}/$ref
	DELETE /security/labels/categories/{categoryTemplateId}/subcategories/{subcategoryTemplateId}/$ref
	DELETE /security/labels/citations/{citationTemplateId}/$ref
	DELETE /security/labels/departments/{departmentTemplateId}/$ref
	DELETE /security/labels/filePlanReferences/{filePlanReferenceTemplateId}/$ref
	DELETE /security/labels/retentionLabels/{retentionLabelId}
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/authorityTemplate/$ref
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/categoryTemplate/$ref
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/citationTemplate/$ref
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/departmentTemplate/$ref
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/filePlanReferenceTemplate/$ref
	DELETE /security/labels/retentionLabels/{retentionLabelId}/eventType/$ref
	DELETE /security/triggers/retentionEvents/{retentionEventId}
	DELETE /security/triggers/retentionEvents/{retentionEventId}/retentionEventType/$ref
	DELETE /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}/$ref
	GET /security/labels/authorities
	GET /security/labels/authorities/{authorityTemplateId}
	GET /security/labels/categories
	GET /security/labels/categories/{categoryTemplateId}
	GET /security/labels/categories/{categoryTemplateId}/subcategories
	GET /security/labels/categories/{categoryTemplateId}/subcategories/{subcategoryTemplateId}
	GET /security/labels/citations
	GET /security/labels/citations/{citationTemplateId}
	GET /security/labels/departments
	GET /security/labels/departments/{departmentTemplateId}
	GET /security/labels/filePlanReferences
	GET /security/labels/filePlanReferences/{filePlanReferenceTemplateId}
	GET /security/labels/retentionLabels
	GET /security/labels/retentionLabels/{retentionLabelId}
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/authorityTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/categoryTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/citationTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/departmentTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/filePlanReferenceTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/eventType
	GET /security/triggers/retentionEvents
	GET /security/triggers/retentionEvents/{retentionEventId}
	GET /security/triggers/retentionEvents/{retentionEventId}/labels/{retentionLabelId}
	GET /security/triggers/retentionEvents/{retentionEventId}/retentionEventType
	GET /security/triggerTypes/retentionEventTypes
	GET /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}
	PATCH /security/labels/retentionLabels/{retentionLabelId}
	PATCH /security/labels/retentionLabels/{retentionLabelId}/eventType
	PATCH /security/triggers/retentionEvents/{retentionEventId}/retentionEventType
	PATCH /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}
	POST /security/labels/authorities
	POST /security/labels/categories
	POST /security/labels/categories/{categoryTemplateId}/subcategories
	POST /security/labels/citations
	POST /security/labels/departments
	POST /security/labels/filePlanReferences
	POST /security/labels/retentionLabels
	POST /security/triggers/retentionEvents
	POST /security/triggerTypes/retentionEventTypes

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /security/labels/authorities/{authorityTemplateId}
	DELETE /security/labels/categories/{categoryTemplateId}
	DELETE /security/labels/categories/{categoryTemplateId}/subcategories/{subcategoryTemplateId}/$ref
	DELETE /security/labels/citations/{citationTemplateId}
	DELETE /security/labels/departments/{departmentTemplateId}
	DELETE /security/labels/filePlanReferences/{filePlanReferenceTemplateId}
	DELETE /security/labels/retentionLabels/{retentionLabelId}
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/authorityTemplate
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/categoryTemplate
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/citationTemplate
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/departmentTemplate
	DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/filePlanReferenceTemplate
	DELETE /security/labels/retentionLabels/{retentionLabelId}/eventType/$ref
	DELETE /security/triggers/retentionEvents/{retentionEventId}
	DELETE /security/triggers/retentionEvents/{retentionEventId}/retentionEventType/$ref
	DELETE /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}/$ref
	GET /security/labels/authorities
	GET /security/labels/authorities/{authorityTemplateId}
	GET /security/labels/categories
	GET /security/labels/categories/{categoryTemplateId}
	GET /security/labels/categories/{categoryTemplateId}/subcategories
	GET /security/labels/categories/{categoryTemplateId}/subcategories/{subcategoryTemplateId}
	GET /security/labels/citations
	GET /security/labels/citations/{citationTemplateId}
	GET /security/labels/departments
	GET /security/labels/departments/{departmentTemplateId}
	GET /security/labels/filePlanReferences
	GET /security/labels/filePlanReferences/{filePlanReferenceTemplateId}
	GET /security/labels/retentionLabels
	GET /security/labels/retentionLabels/{retentionLabelId}
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/authorityTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/categoryTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/citationTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/departmentTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/filePlanReferenceTemplate
	GET /security/labels/retentionLabels/{retentionLabelId}/eventType
	GET /security/triggers/retentionEvents
	GET /security/triggers/retentionEvents/{retentionEventId}
	GET /security/triggers/retentionEvents/{retentionEventId}/labels/{retentionLabelId}
	GET /security/triggers/retentionEvents/{retentionEventId}/retentionEventType
	GET /security/triggerTypes/retentionEventTypes
	GET /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}
	PATCH /security/labels/retentionLabels/{retentionLabelId}
	PATCH /security/labels/retentionLabels/{retentionLabelId}/eventType
	PATCH /security/triggers/retentionEvents/{retentionEventId}/retentionEventType
	PATCH /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}
	POST /security/labels/authorities
	POST /security/labels/categories
	POST /security/labels/categories/{categoryTemplateId}/subcategories
	POST /security/labels/citations
	POST /security/labels/departments
	POST /security/labels/filePlanReferences
	POST /security/labels/retentionLabels
	POST /security/triggers/retentionEvents
	POST /security/triggerTypes/retentionEventTypes

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgSecurityLabelAuthority
	Get-MgSecurityLabelCategory
	Get-MgSecurityLabelCategorySubcategory
	Get-MgSecurityLabelCitation
	Get-MgSecurityLabelDepartment
	Get-MgSecurityLabelFilePlanReference
	Get-MgSecurityLabelRetentionLabel
	Get-MgSecurityTriggerRetentionEvent
	Get-MgSecurityTriggerTypeRetentionEventType
	New-MgSecurityLabelAuthority
	New-MgSecurityLabelCategory
	New-MgSecurityLabelCategorySubcategory
	New-MgSecurityLabelCitation
	New-MgSecurityLabelDepartment
	New-MgSecurityLabelFilePlanReference
	New-MgSecurityLabelRetentionLabel
	New-MgSecurityTriggerRetentionEvent
	New-MgSecurityTriggerTypeRetentionEventType
	Remove-MgSecurityLabelAuthority
	Remove-MgSecurityLabelCategory
	Remove-MgSecurityLabelCategorySubcategory
	Remove-MgSecurityLabelCitation
	Remove-MgSecurityLabelDepartment
	Remove-MgSecurityLabelFilePlanReference
	Remove-MgSecurityLabelRetentionLabel
	Remove-MgSecurityTriggerRetentionEvent
	Remove-MgSecurityTriggerTypeRetentionEventType
	Update-MgBetaSecurityLabelRetentionLabel
	Update-MgSecurityTriggerTypeRetentionEventType

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaSecurityLabelAuthority
	Get-MgBetaSecurityLabelCategory
	Get-MgBetaSecurityLabelCategorySubcategory
	Get-MgBetaSecurityLabelCitation
	Get-MgBetaSecurityLabelDepartment
	Get-MgBetaSecurityLabelFilePlanReference
	Get-MgBetaSecurityLabelRetentionLabel
	Get-MgBetaSecurityTriggerRetentionEvent
	Get-MgBetaSecurityTriggerTypeRetentionEventType
	New-MgBetaSecurityLabelAuthority
	New-MgBetaSecurityLabelCategory
	New-MgBetaSecurityLabelCategorySubcategory
	New-MgBetaSecurityLabelCitation
	New-MgBetaSecurityLabelDepartment
	New-MgBetaSecurityLabelFilePlanReference
	New-MgBetaSecurityLabelRetentionLabel
	New-MgBetaSecurityTriggerRetentionEvent
	New-MgBetaSecurityTriggerTypeRetentionEventType
	Remove-MgBetaSecurityLabelAuthority
	Remove-MgBetaSecurityLabelCategory
	Remove-MgBetaSecurityLabelCategorySubcategory
	Remove-MgBetaSecurityLabelCitation
	Remove-MgBetaSecurityLabelDepartment
	Remove-MgBetaSecurityLabelFilePlanReference
	Remove-MgBetaSecurityLabelRetentionLabel
	Remove-MgBetaSecurityTriggerRetentionEvent
	Remove-MgBetaSecurityTriggerTypeRetentionEventType
	Update-MgBetaSecurityLabelRetentionLabel
	Update-MgBetaSecurityTriggerTypeRetentionEventType

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: authorityTemplate

Property	Type	Description
createdBy	microsoft.graph.identitySet	Represents the user who created the authority descriptor. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
createdDateTime	DateTimeOffset	Represents the date and time in which the authority descriptor is created. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
displayName	String	Unique string that defines an authority name. Inherited from microsoft.graph.security.filePlanDescriptorTemplate.
id	String	Unique ID of the authority. Inherited from microsoft.graph.entity. Read-only.

Graph reference: categoryTemplate

Property	Type	Description
createdBy	microsoft.graph.identitySet	Represents the user who created the category descriptor. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
createdDateTime	DateTimeOffset	Represents the date and time in which the category descriptor is created. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
displayName	String	Unique string that defines a category name. Inherited from microsoft.graph.security.filePlanDescriptorTemplate.
id	String	Unique ID of the category. Inherited from microsoft.graph.entity. Read-only.

Graph reference: citationTemplate

Property	Type	Description
citationJurisdiction	String	Represents the jurisdiction or agency that published the citation.
citationUrl	String	Represents the URL to the published citation.
createdBy	microsoft.graph.identitySet	Represents the user who created the citation descriptor. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
createdDateTime	DateTimeOffset	Represents the date and time in which the citation descriptor is created. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
displayName	String	Unique string that defines a citation name. Inherited from microsoft.graph.security.filePlanDescriptorTemplate.
id	String	Unique ID of the citation. Inherited from microsoft.graph.entity. Read-only.

Graph reference: departmentTemplate

Property	Type	Description
createdBy	microsoft.graph.identitySet	Represents the user who created the department descriptor. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
createdDateTime	DateTimeOffset	Represents the date and time in which the department descriptor is created. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
displayName	String	Unique string that defines a department name. Inherited from microsoft.graph.security.filePlanDescriptorTemplate.
id	String	Unique ID of the department. Inherited from microsoft.graph.entity. Read-only.

Graph reference: dispositionReviewStage

Property	Type	Description
id	String	Unique ID for each stage.
name	String	Name representing each stage within a collection.
reviewersEmailAddresses	String collection	A collection of reviewers at each stage.
stageNumber	String	The unique sequence number for each stage of the disposition review.

Graph reference: eventQuery

Property	Type	Description
queryType	microsoft.graph.security.queryType	Represents the type of query associated with an event. 'files' for SPO and ODB and 'messages' for EXO.The possible values are: `files`, `messages`, `unknownFutureValue`.
query	String	Represents unique identification for the query. 'Asset ID' for SharePoint Online and OneDrive for Business, 'keywords' for Exchange Online.

Graph reference: filePlanDescriptor

Property	Type	Description
authority	microsoft.graph.security.filePlanAuthority	Represents the file plan descriptor of type authority applied to a particular retention label.
appliedCategory	microsoft.graph.security.filePlanAppliedCategory	Represents the file plan descriptor of type category applied to a particular retention label.
citation	microsoft.graph.security.filePlanCitation	Represents the file plan descriptor of type citation applied to a particular retention label.
department	microsoft.graph.security.filePlanDepartment	Represents the file plan descriptor of type department applied to a particular retention label.
filePlanReference	microsoft.graph.security.filePlanReference	Represents the file plan descriptor of type filePlanReference applied to a particular retention label.

Graph reference: filePlanReferenceTemplate

Property	Type	Description
createdBy	microsoft.graph.identitySet	Represents the user who created the file plan reference descriptor. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
createdDateTime	DateTimeOffset	Represents the date and time in which the filePlanReference descriptor is created. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
displayName	String	Unique string that defines a filePlanReference name. Inherited from microsoft.graph.security.filePlanDescriptorTemplate.
id	String	Unique ID of the filePlanReference. Inherited from microsoft.graph.entity. Read-only.

Graph reference: retentionEvent

Property	Type	Description
createdBy	microsoft.graph.identitySet	The user who created the retentionEvent.
createdDateTime	DateTimeOffset	The date time when the retentionEvent was created.
description	String	Optional information about the event.
displayName	String	Name of the event.
eventPropagationResults	microsoft.graph.security.eventPropagationResult collection	Represents the success status of a created event and additional information.
eventQueries	microsoft.graph.security.eventQuery collection	Represents the workload (SharePoint Online, OneDrive for Business, Exchange Online) and identification information associated with a retention event.
eventStatus	microsoft.graph.security.retentionEventStatus	Status of event propogation to the scoped locations after the event has been created.
eventTriggerDateTime	DateTimeOffset	Optional time when the event should be triggered.
id	String	Represents the unique ID of the user who created the retentionEvent. entity.
lastModifiedBy	microsoft.graph.identitySet	The user who last modified the retentionEvent.
lastModifiedDateTime	DateTimeOffset	The latest date time when the retentionEvent was modified.
lastStatusUpdateDateTime	DateTimeOffset	Last time the status of the event was updated.

Graph reference: retentionEventType

Property	Type	Description
createdBy	microsoft.graph.identitySet	The user who created the retentionEventType.
createdDateTime	DateTimeOffset	The date time when the retentionEventType was created.
description	String	Optional information about the event type.
displayName	String	Name of the event type.
id	String	Represents the unique ID of the user who created the retentionEventType. entity.
lastModifiedBy	microsoft.graph.identitySet	The user who last modified the retentionEventType.
lastModifiedDateTime	DateTimeOffset	The latest date time when the retentionEventType was modified.

Graph reference: retentionLabel

Property	Type	Description
actionAfterRetentionPeriod	microsoft.graph.security.actionAfterRetentionPeriod	Specifies the action to take on the labeled document after the period specified by the retentionDuration property expires. The possible values are: `none`, `delete`, `startDispositionReview`, `unknownFutureValue`.
behaviorDuringRetentionPeriod	microsoft.graph.security.behaviorDuringRetentionPeriod	Specifies how the behavior of a document with this label should be during the retention period. The possible values are: `doNotRetain`, `retain`, `retainAsRecord`, `retainAsRegulatoryRecord`, `unknownFutureValue`.
createdBy	microsoft.graph.identitySet	Represents the user who created the retentionLabel.
createdDateTime	DateTimeOffset	Represents the date and time in which the retentionLabel is created.
descriptionForAdmins	String	Provides label information for the admin. Optional.
descriptionForUsers	String	Provides the label information for the user. Optional.
displayName	String	Unique string that defines a label name.
id	String	Unique ID of the retentionLabel.
isInUse	Boolean	Specifies whether the label is currently being used.
lastModifiedBy	microsoft.graph.identitySet	The user who last modified the retentionLabel.
lastModifiedDateTime	DateTimeOffset	The latest date time when the retentionLabel was modified.
retentionDuration	microsoft.graph.security.retentionDuration	Specifies the number of days to retain the content.
retentionTrigger	microsoft.graph.security.retentionTrigger	Specifies whether the retention duration is calculated from the content creation date, labeled date, or last modification date. The possible values are: `dateLabeled`, `dateCreated`, `dateModified`, `dateOfEvent`, `unknownFutureValue`.
defaultRecordBehavior	microsoft.graph.security.defaultRecordBehavior	Specifies the locked or unlocked state of a record label when it is created.The possible values are: `startLocked`, `startUnlocked`, `unknownFutureValue`.
labelToBeApplied	String	Specifies the replacement label to be applied automatically after the retention period of the current label ends.

Graph reference: subcategoryTemplate

Property	Type	Description
createdBy	microsoft.graph.identitySet	Represents the user who created the subcategory descriptor. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
createdDateTime	DateTimeOffset	Represents the date and time in which the subcategory descriptor is created. Inherited from microsoft.graph.security.filePlanDescriptorTemplate. Read-only.
displayName	String	Unique string that defines a subcategory name. Inherited from microsoft.graph.security.filePlanDescriptorTemplate.
id	String	Unique ID of the subcategory. Inherited from microsoft.graph.entity. Read-only.

Table of Contents

RecordsManagement.ReadWrite.All

Graph Methods

Resources