RoleAssignmentSchedule.Remove.Directory

Allows the app to delete the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the RoleAssignmentSchedule.Remove.Directory permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	d3495511-98b7-4df3-b317-4e35c19f6129	f71cd05c-3fdb-4568-aef2-e1cf62ee20d4
DisplayText	Delete all active role assignments of your company's directory	Delete all active role assignments for your company's directory
Description	Delete all active privileged role-based access control (RBAC) assignments of your company's directory, without a signed-in user.	Allows the app to delete the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	POST /roleManagement/directory/roleAssignmentScheduleRequests

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	POST /roleManagement/directory/roleAssignmentScheduleRequests

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	New-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: requestSchedule

Property	Type	Description
expiration	expirationPattern	When the eligible or active assignment expires.
recurrence	patternedRecurrence	The frequency of the eligible or active assignment. This property is currently unsupported in PIM.
startDateTime	DateTimeOffset	When the eligible or active assignment becomes active.

Property	Type	Description
ticketNumber	String	The ticket number.
ticketSystem	String	The description of the ticket system.

Graph reference: unifiedRoleAssignmentScheduleRequest

Property	Type	Description
action	String	Represents the type of the operation on the role assignment request. The possible values are: `adminAssign`, `adminUpdate`, `adminRemove`, `selfActivate`, `selfDeactivate`, `adminExtend`, `adminRenew`, `selfExtend`, `selfRenew`, `unknownFutureValue`. `adminAssign`: For administrators to assign roles to principals. `adminRemove`: For administrators to remove principals from roles. `adminUpdate`: For administrators to change existing role assignments. `adminExtend`: For administrators to extend expiring assignments. `adminRenew`: For administrators to renew expired assignments. `selfActivate`: For principals to activate their assignments. `selfDeactivate`: For principals to deactivate their active assignments. `selfExtend`: For principals to request to extend their expiring assignments. `selfRenew`: For principals to request to renew their expired assignments.
approvalId	String	The identifier of the approval of the request. Inherited from request.
appScopeId	String	Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values).
completedDateTime	DateTimeOffset	The request completion date time. Inherited from request.
createdBy	identitySet	The principal that created this request. Inherited from request. Read-only. Supports `$filter` (`eq`, `ne`, and on `null` values).
createdDateTime	DateTimeOffset	The request creation date time. Inherited from request. Read-only.
customData	String	Free text field to define any custom data for the request. Not used. Inherited from request.
directoryScopeId	String	Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values).
id	String	The unique identifier for the unifiedRoleAssignmentScheduleRequest object. Key, not nullable, Read-only. Inherited from entity. Supports `$filter` (`eq`, `ne`).
isValidationOnly	Boolean	Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.
justification	String	A message provided by users and administrators when create they create the unifiedRoleAssignmentScheduleRequest object.
principalId	String	Identifier of the principal that has been granted the assignment. Can be a user, role-assignable group, or a service principal. Supports `$filter` (`eq`, `ne`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports `$filter` (`eq`, `ne`).
scheduleInfo	requestSchedule	The period of the role assignment. Recurring schedules are currently unsupported.
status	String	The status of the role assignment request. Inherited from request. Read-only. Supports `$filter` (`eq`, `ne`).
targetScheduleId	String	Identifier of the schedule object that's linked to the assignment request. Supports `$filter` (`eq`, `ne`).
ticketInfo	ticketInfo	Ticket details linked to the role assignment request including details of the ticket number and ticket system.

Graph reference: unifiedRoleDefinition

Property	Type	Description
description	String	The description for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`.
displayName	String	The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`. Required. Supports $filter (`eq`, `in`).
id	String	The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (`eq`, `in`).
isBuiltIn	Boolean	Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (`eq`, `in`).
isEnabled	Boolean	Flag indicating whether the role is enabled for assignment. If `false` the role is not available for assignment. Read-only when isBuiltIn is true.
resourceScopes	String collection	List of the scopes or permissions the role definition applies to. Currently only `/` is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.
rolePermissions	unifiedRolePermission collection	List of permissions included in the role. Read-only when isBuiltIn is `true`. Required.
templateId	String	Custom template identifier that can be set when isBuiltIn is `false` but is read-only when isBuiltIn is `true`. This identifier is typically used if one needs an identifier to be the same across different directories.
version	String	Indicates version of the role definition. Read-only when **i

Table of Contents

RoleAssignmentSchedule.Remove.Directory

Graph Methods

Resources