RoleManagement.Read.All
Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
| Ver |
Type |
Method |
| V1 |
A,D |
GET /policies/roleManagementPolicies?$filter=scopeId eq 'scopeId' and scopeType eq 'scopeType' |
| V1 |
A,D |
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId} |
| V1 |
A,D |
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/effectiveRules |
| V1 |
A,D |
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules |
| V1 |
A,D |
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId} |
| V1 |
A,D |
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq 'scopeId' and scopeType eq 'scopeType' |
| V1 |
A,D |
GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId} |
| V1 |
A,D |
GET /roleManagement/cloudPC/roleDefinitions |
| V1 |
A,D |
GET /roleManagement/cloudPC/roleDefinitions/{id} |
| V1 |
A,D |
GET /roleManagement/directory/resourceNamespaces |
| V1 |
A,D |
GET /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId} |
| V1 |
A,D |
GET /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}/resourceActions |
| V1 |
A,D |
GET /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}/resourceActions/{unifiedRbacResourceActionId} |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentScheduleInstances |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentScheduleInstances/{unifiedRoleAssignmentScheduleInstanceId} |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentScheduleInstances/{unifiedRoleAssignmentScheduleInstancesId} |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on='principal') |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on=parameterValue) |
| V1 |
D |
GET /roleManagement/directory/roleAssignmentScheduleRequests |
| V1 |
D |
GET /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestId} |
| V1 |
D |
GET /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestsId} |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='parameterValue') |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='principal') |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentSchedules |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentSchedules/{unifiedRoleAssignmentScheduleId} |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentSchedules/{unifiedRoleAssignmentSchedulesId} |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='parameterValue') |
| V1 |
A,D |
GET /roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='principal') |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilityScheduleInstances |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilityScheduleInstances/{unifiedRoleEligibilityScheduleInstanceId} |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilityScheduleInstances/{unifiedRoleEligibilityScheduleInstancesId} |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='parameterValue') |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='principal') |
| V1 |
D |
GET /roleManagement/directory/roleEligibilityScheduleRequests |
| V1 |
D |
GET /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestId} |
| V1 |
D |
GET /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestsId} |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilityScheduleRequests/filterByCurrentUser(on='parameterValue') |
| V1 |
A,D |
GET /roleManagement/directory/RoleEligibilityScheduleRequests/filterByCurrentUser(on='principal') |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilitySchedules |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilitySchedules/{unifiedRoleEligibilityScheduleId} |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilitySchedules/{unifiedRoleEligibilitySchedulesId} |
| V1 |
A,D |
GET /roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='parameterValue') |
| V1 |
A,D |
GET roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal') |
Delegate Permission
|
|
| Id |
48fec646-b2ba-4019-8681-8eb31435aded |
| Consent Type |
Admin |
| Display String |
Read role management data for all RBAC providers |
| Description |
Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments. |
Application Permission
|
|
| Id |
c7fbd983-d9aa-4fa7-84b8-17382c103bc4 |
| Display String |
Read role management data for all RBAC providers |
| Description |
Allows the app to read role-based access control (RBAC) settings for all RBAC providers without a signed-in user. This includes reading role definitions and role assignments. |
Resources
| Property |
Type |
Description |
| actionVerb |
String |
HTTP method for the action, such as DELETE, GET, PATCH, POST, PUT, or null. Supports $filter (eq) but not for null values. |
| description |
String |
Description for the action. Supports $filter (eq). |
| id |
String |
Unique identifier for an action within the resource namespace, such as microsoft.insights-programs-update-patch. Cannot include slash character (/). Case insensitive. Required. Supports $filter (eq). |
| name |
String |
Name for the action within the resource namespace, such as microsoft.insights/programs/update. Can include slash character (/). Case insensitive. Required. Supports $filter (eq). |
| resourceScopeId |
String |
Not implemented. |
| Property |
Type |
Description |
| id |
String |
Unique identifier of the resource namespace that defines permissions, such as microsoft.aad.b2c. Required. |
| name |
String |
Name of the resource namespace. Typically, the same name as the **i |
| Property |
Type |
Description |
| appScopeId |
String |
Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or directoryScopeId is required. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, in). |
| directoryScopeId |
String |
Identifier of the directory object representing the scope of the assignment. Either this property or appScopeId is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, in). |
| id |
String |
The unique identifier for the role assignment. Key, not nullable, Read-only. Inherited from entity. |
| roleDefinitionId |
String |
Identifier of the role definition the assignment is for. Read only. Supports $filter (eq, in). |
| principalId |
String |
Identifier of the principal to which the assignment is granted. Supports $filter (eq, in). |
| Property |
Type |
Description |
| appScopeId |
String |
Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, ne, and on null values). Inherited from unifiedRoleScheduleBase. |
| assignmentType |
String |
Type of the assignment which can either be Assigned or Activated. Supports $filter (eq, ne). |
| createdDateTime |
DateTimeOffset |
When the schedule was created. Inherited from unifiedRoleScheduleBase. |
| createdUsing |
String |
Identifier of the unifiedRoleAssignmentScheduleRequest object through which this schedule was created. Nullable. Inherited from unifiedRoleScheduleBase. Supports $filter (eq, ne, and on null values). |
| directoryScopeId |
String |
Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, ne, and on null values). Inherited from unifiedRoleScheduleBase. |
| id |
String |
The unique identifier for the unifiedRoleAssignmentScheduleRequest object. Supports $filter (eq). Inherited from entity. |
| memberType |
String |
How the assignments is inherited. It can either be Inherited, Direct, or Group. It can further imply whether the unifiedRoleAssignmentSchedule can be managed by the caller. Supports $filter (eq, ne). |
| modifiedDateTime |
DateTimeOffset |
When the schedule was last modified. Inherited from unifiedRoleScheduleBase. |
| principalId |
String |
Identifier of the principal that has been granted the role assignment. Inherited from unifiedRoleScheduleBase. Supports $filter (eq, ne). |
| roleDefinitionId |
String |
Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Inherited from unifiedRoleScheduleBase. Supports $filter (eq, ne). |
| scheduleInfo |
requestSchedule |
The period of the role assignment. It can represent a single occurrence or multiple recurrences. |
| status |
String |
The status of the **u |
| Property |
Type |
Description |
| appScopeId |
String |
Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, ne, and on null values). Inherited from unifiedRoleScheduleInstanceBase. |
| assignmentType |
String |
Type of the assignment which can either be Assigned or Activated. Supports $filter (eq, ne). |
| directoryScopeId |
String |
Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, ne, and on null values). Inherited from unifiedRoleScheduleInstanceBase. |
| endDateTime |
DateTimeOffset |
The end date of the schedule instance. |
| id |
String |
The unique identifier for the unifiedRoleAssignmentScheduleInstance object. Inherited from entity. |
| memberType |
String |
How the assignments is inherited. It can either be Inherited, Direct, or Group. It can further imply whether the unifiedRoleAssignmentSchedule can be managed by the caller. Supports $filter (eq, ne). |
| principalId |
String |
Identifier of the principal that has been granted the role assignment. Inherited from unifiedRoleScheduleInstanceBase. Supports $filter (eq, ne). |
| roleAssignmentOriginId |
String |
The identifier of the role assignment in Azure AD. Supports $filter (eq, ne). |
| roleAssignmentScheduleId |
String |
The identifier of the unifiedRoleAssignmentSchedule object from which this instance was created. Supports $filter (eq, ne). |
| roleDefinitionId |
String |
The identifier of the unifiedRoleDefinition object that is being assigned to the principal. Inherited from unifiedRoleScheduleInstanceBase. Supports $filter (eq, ne). |
| startDateTime |
DateTimeOffset |
When this instance starts. |
| Property |
Type |
Description |
| action |
String |
Represents the type of the operation on the role assignment request. The possible values are: adminAssign, adminUpdate, adminRemove, selfActivate, selfDeactivate, adminExtend, adminRenew, selfExtend, selfRenew, unknownFutureValue.
adminAssign: For administrators to assign roles to principals.adminRemove: For administrators to remove principals from roles.-
adminUpdate: For administrators to change existing role assignments. adminExtend: For administrators to extend expiring assignments.adminRenew: For administrators to renew expired assignments.selfActivate: For principals to activate their assignments.selfDeactivate: For principals to deactivate their active assignments.selfExtend: For principals to request to extend their expiring assignments.selfRenew: For principals to request to renew their expired assignments.
|
| approvalId |
String |
The identifier of the approval of the request. Inherited from request. |
| appScopeId |
String |
Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, ne, and on null values). |
| completedDateTime |
DateTimeOffset |
The request completion date time. Inherited from request. |
| createdBy |
identitySet |
The principal that created this request. Inherited from request. Read-only. Supports $filter (eq, ne, and on null values). |
| createdDateTime |
DateTimeOffset |
The request creation date time. Inherited from request. Read-only. |
| customData |
String |
Free text field to define any custom data for the request. Not used. Inherited from request. |
| directoryScopeId |
String |
Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, ne, and on null values). |
| id |
String |
The unique identifier for the unifiedRoleAssignmentScheduleRequest object. Key, not nullable, Read-only. Inherited from entity. Supports $filter (eq, ne). |
| isValidationOnly |
Boolean |
Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request. |
| justification |
String |
A message provided by users and administrators when create they create the unifiedRoleAssignmentScheduleRequest object. |
| principalId |
String |
Identifier of the principal that has been granted the assignment. Can be a user, role-assignable group, or a service principal. Supports $filter (eq, ne). |
| roleDefinitionId |
String |
Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports $filter (eq, ne). |
| scheduleInfo |
requestSchedule |
The period of the role assignment. Recurring schedules are currently unsupported. |
| status |
String |
The status of the role assignment request. Inherited from request. Read-only. Supports $filter (eq, ne). |
| targetScheduleId |
String |
Identifier of the schedule object that's linked to the assignment request. Supports $filter (eq, ne). |
| ticketInfo |
ticketInfo |
Ticket details linked to the role assignment request including details of the ticket number and ticket system. |
| Property |
Type |
Description |
| description |
String |
The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true. |
| displayName |
String |
The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq, in). |
| id |
String |
The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (eq, in). |
| isBuiltIn |
Boolean |
Flag indicating whether the role definition is part of the default set included in Azure Active Directory (Azure AD) or a custom definition. Read-only. Supports $filter (eq, in). |
| isEnabled |
Boolean |
Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true. |
| resourceScopes |
String collection |
List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment. |
| rolePermissions |
unifiedRolePermission collection |
List of permissions included in the role. Read-only when isBuiltIn is true. Required. |
| templateId |
String |
Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories. |
| version |
String |
Indicates version of the role definition. Read-only when **i |
| Property |
Type |
Description |
| appScopeId |
String |
Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Inherited from unifiedRoleScheduleBase. Supports $filter (eq, ne, and on null values). |
| createdDateTime |
DateTimeOffset |
When the schedule was created. Inherited from unifiedRoleScheduleBase. |
| createdUsing |
String |
Identifier of the object through which this schedule was created. Inherited from unifiedRoleScheduleBase. Supports $filter (eq, ne, and on null values). |
| directoryScopeId |
String |
Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Inherited from unifiedRoleScheduleBase. Supports $filter (eq, ne, and on null values). |
| id |
String |
The unique identifier for the schedule object. Inherited from entity. Supports $filter (eq). |
| memberType |
String |
How the role eligibility is inherited. It can either be Inherited, Direct, or Group. It can further imply whether the unifiedRoleEligibilitySchedule can be managed by the caller. Supports $filter (eq, ne). |
| modifiedDateTime |
DateTimeOffset |
When the schedule was last modified. Inherited from unifiedRoleScheduleBase. |
| principalId |
String |
Identifier of the principal that is eligible for a role.Inherited from unifiedRoleScheduleBase. Supports $filter (eq, ne). |
| roleDefinitionId |
String |
Identifier of the unifiedRoleDefinition object that a principal is eligible for. Inherited from unifiedRoleScheduleBase. |
| scheduleInfo |
requestSchedule |
The period of the role eligibility. |
| status |
String |
The status of the role eligibility request. Inherited from unifiedRoleScheduleBase. The possible values are: Canceled, Denied, Failed, Granted, PendingAdminDecision, PendingApproval, PendingProvisioning, PendingScheduleCreation, Provisioned, Revoked, and ScheduleCreated. Not nullable. Supports $filter (eq, ne). |
| Property |
Type |
Description |
| appScopeId |
String |
Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of the role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Inherited from unifiedRoleScheduleInstanceBase. Supports $filter (eq, ne, and on null values). |
| directoryScopeId |
String |
Identifier of the directory object representing the scope of the role eligibility. The scope of the role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Inherited from unifiedRoleScheduleInstanceBase. Supports $filter (eq, ne, and on null values). |
| endDateTime |
DateTimeOffset |
The end date of the schedule instance. |
| id |
String |
The unique identifier for the schedule object. Inherited from entity. |
| memberType |
String |
How the role eligibility is inherited. It can either be Inherited, Direct, or Group. It can further imply whether the unifiedRoleEligibilitySchedule can be managed by the caller. Supports $filter (eq, ne). |
| principalId |
String |
Identifier of the principal that's eligible for a role. Inherited from unifiedRoleScheduleInstanceBase. Supports $filter (eq, ne). |
| roleDefinitionId |
String |
Identifier of the unifiedRoleDefinition object that the principal is eligible for. Inherited from unifiedRoleScheduleInstanceBase. Supports $filter (eq, ne). |
| roleEligibilityScheduleId |
String |
The identifier of the unifiedRoleEligibilitySchedule object from which this instance was created. Supports $filter (eq, ne). |
| startDateTime |
DateTimeOffset |
When this instance starts. |
| Property |
Type |
Description |
| action |
unifiedRoleScheduleRequestActions |
Represents the type of operation on the role eligibility request. The possible values are: adminAssign, adminUpdate, adminRemove, selfActivate, selfDeactivate, adminExtend, adminRenew, selfExtend, selfRenew, unknownFutureValue.
adminAssign: For administrators to assign eligible roles to principals.adminRemove: For administrators to remove eligible roles from principals.-
adminUpdate: For administrators to change existing role eligibilities. adminExtend: For administrators to extend expiring role eligibilities.adminRenew: For administrators to renew expired eligibilities.selfActivate: For users to activate their assignments.selfDeactivate: For users to deactivate their active assignments.selfExtend: For users to request to extend their expiring assignments.selfRenew: For users to request to renew their expired assignments.
|
| approvalId |
String |
The identifier of the approval of the request. Inherited from request. |
| appScopeId |
String |
Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, ne, and on null values). |
| completedDateTime |
DateTimeOffset |
The request completion date time. Inherited from request. |
| createdBy |
identitySet |
The principal that created this request. Inherited from request. |
| createdDateTime |
DateTimeOffset |
The request creation date time. Inherited from request. |
| customData |
String |
Free text field to define any custom data for the request. Not used. Inherited from request. |
| directoryScopeId |
String |
Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, ne, and on null values). |
| id |
String |
The unique identifier for the unifiedRoleEligibilityScheduleRequest object. Key, not nullable, Read-only. Inherited from entity. |
| isValidationOnly |
Boolean |
Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request. |
| justification |
String |
A message provided by users and administrators when create they create the unifiedRoleEligibilityScheduleRequest object. |
| principalId |
String |
Identifier of the principal that has been granted the role eligibility. Can be a user or a role-assignable group. You can grant only active assignments service principals.Supports $filter (eq, ne). |
| roleDefinitionId |
String |
Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports $filter (eq, ne). |
| scheduleInfo |
requestSchedule |
The period of the role eligibility. Recurring schedules are currently unsupported. |
| status |
String |
The status of the role eligibility request. Inherited from request. Read-only. Supports $filter (eq, ne). |
| targetScheduleId |
String |
Identifier of the schedule object that's linked to the eligibility request. Supports $filter (eq, ne). |
| ticketInfo |
ticketInfo |
Ticket details linked to the role eligibility request including details of the ticket number and ticket system. Optional. |
| Property |
Type |
Description |
| description |
String |
Description for the policy. |
| displayName |
String |
Display name for the policy. |
| id |
String |
Unique identifier for the policy. |
| isOrganizationDefault |
Boolean |
This can only be set to true for a single tenant-wide policy which will apply to all scopes and roles. Set the scopeId to / and scopeType to Directory. Supports $filter (eq, ne). |
| lastModifiedBy |
identity |
The identity who last modified the role setting. |
| lastModifiedDateTime |
DateTimeOffset |
The time when the role setting was last modified. |
| scopeId |
String |
The identifier of the scope where the policy is created. Can be / for the tenant or a group ID. Required. |
| scopeType |
String |
The type of the scope where the policy is created. One of Directory, DirectoryRole. Required. |
| Property |
Type |
Description |
| id |
String |
Identifier for the rule. Inherited from entity. |
| setting |
approvalSettings |
The settings for approval of the role assignment. |
| target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that's targeted by the approval rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq, ne). |
| Property |
Type |
Description |
| id |
String |
Unique identifier for the policy assignment. The ID is typically a concatenation of the unifiedRoleManagementPolicy ID and the roleDefinitionId separated by an underscore. |
| policyId |
String |
The id of the policy. Inherited from entity. |
| roleDefinitionId |
String |
The identifier of the role definition object where the policy applies. If not specified, the policy applies to all roles. Supports $filter (eq). |
| scopeId |
String |
The identifier of the scope where the policy is assigned. Can be / for the tenant or a group ID. Required. |
| scopeType |
String |
The type of the scope where the policy is assigned. One of Directory, DirectoryRole. Required. |
| Property |
Type |
Description |
| claimValue |
String |
The value of the authentication context claim. |
| id |
String |
Identifier for the rule. Inherited from entity. |
| isEnabled |
Boolean |
Whether this rule is enabled. |
| target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq, ne). |
| Property |
Type |
Description |
| enabledRules |
String collection |
The collection of rules that are enabled for this policy rule. For example, MultiFactorAuthentication, Ticketing, and Justification. |
| id |
String |
Identifier for the rule. Inherited from entity. |
| target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq, ne). |
| Property |
Type |
Description |
| id |
String |
Identifier for the rule. Inherited from entity. |
| isExpirationRequired |
Boolean |
Indicates whether expiration is required or if it's a permanently active assignment or eligibility. |
| maximumDuration |
Duration |
The maximum duration allowed for eligibility or assignment which is not permanent. Required when isExpirationRequired is true. |
| target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that's targeted by the expiration rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq, ne). |
| Property |
Type |
Description |
| id |
String |
Identifier for the rule. Inherited from entity. |
| isDefaultRecipientsEnabled |
Boolean |
Indicates whether a default recipient will receive the notification email. |
| notificationLevel |
String |
The level of notification. The possible values are None, Critical, All. |
| notificationRecipients |
String collection |
The list of recipients of the email notifications. |
| notificationType |
String |
The type of notification. Only Email is supported. |
| recipientType |
String |
The type of recipient of the notification. The possible values are Requestor, Approver, Admin. |
| target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that's targeted by the notification rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq, ne). |
| Property |
Type |
Description |
| id |
String |
Identifier for the rule. Inherited from entity. Read-only. |
| target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role. Supports $filter (eq, ne). |