RoleManagement.Read.All

Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the RoleManagement.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	c7fbd983-d9aa-4fa7-84b8-17382c103bc4	48fec646-b2ba-4019-8681-8eb31435aded
DisplayText	Read role management data for all RBAC providers	Read role management data for all RBAC providers
Description	Allows the app to read role-based access control (RBAC) settings for all RBAC providers without a signed-in user. This includes reading role definitions and role assignments.	Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
	GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
	GET /roleManagement/directory/roleAssignments
	GET /roleManagement/directory/roleAssignments/{id}
	GET /roleManagement/directory/roleAssignmentScheduleInstances
	GET /roleManagement/directory/roleAssignmentScheduleInstances/{unifiedRoleAssignmentScheduleInstanceId}
	GET /roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on=parameterValue)
	GET /roleManagement/directory/roleAssignmentScheduleRequests
	GET /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestId}
	GET /roleManagement/directory/roleAssignmentSchedules
	GET /roleManagement/directory/roleAssignmentSchedules/{unifiedRoleAssignmentScheduleId}
	GET /roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='parameterValue')
	GET /roleManagement/directory/roleEligibilityScheduleInstances
	GET /roleManagement/directory/roleEligibilityScheduleInstances/{unifiedRoleEligibilityScheduleInstanceId}
	GET /roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='parameterValue')
	GET /roleManagement/directory/roleEligibilityScheduleRequests
	GET /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestId}
	GET /roleManagement/directory/roleEligibilitySchedules
	GET /roleManagement/directory/roleEligibilitySchedules/{unifiedRoleEligibilityScheduleId}
	GET /roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='parameterValue')

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/effectiveRules
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
	GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
	GET /roleManagement/cloudPC/roleDefinitions
	GET /roleManagement/cloudPC/roleDefinitions/{id}
	GET /roleManagement/directory/resourceNamespaces
	GET /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}
	GET /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}/resourceActions
	GET /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}/resourceActions/{unifiedRbacResourceActionId}
	GET /roleManagement/directory/roleAssignments
	GET /roleManagement/directory/roleAssignments/{id}
	GET /roleManagement/directory/roleAssignmentScheduleInstances
	GET /roleManagement/directory/roleAssignmentScheduleInstances/{unifiedRoleAssignmentScheduleInstancesId}
	GET /roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on='principal')
	GET /roleManagement/directory/roleAssignmentScheduleRequests
	GET /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestsId}
	GET /roleManagement/directory/roleAssignmentSchedules
	GET /roleManagement/directory/roleAssignmentSchedules/{unifiedRoleAssignmentSchedulesId}
	GET /roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='principal')
	GET /roleManagement/directory/roleEligibilityScheduleInstances
	GET /roleManagement/directory/roleEligibilityScheduleInstances/{unifiedRoleEligibilityScheduleInstancesId}
	GET /roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='principal')
	GET /roleManagement/directory/roleEligibilityScheduleRequests
	GET /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestsId}
	GET /roleManagement/directory/roleEligibilitySchedules
	GET /roleManagement/directory/roleEligibilitySchedules/{unifiedRoleEligibilitySchedulesId}
	GET /roleManagement/exchange/customAppScopes
	GET /roleManagement/exchange/customAppScopes/{id}
	GET roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaPolicyRoleManagementPolicyAssignment
	Get-MgPolicyRoleManagementPolicy
	Get-MgPolicyRoleManagementPolicyAssignment
	Get-MgPolicyRoleManagementPolicyRule
	Get-MgRoleManagementDirectoryRoleAssignment
	Get-MgRoleManagementDirectoryRoleAssignmentSchedule
	Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance
	Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest
	Get-MgRoleManagementDirectoryRoleEligibilitySchedule
	Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance
	Get-MgRoleManagementDirectoryRoleEligibilityScheduleRequest
	Get-MgRoleManagementEntitlementManagementRoleAssignment
	Invoke-MgFilterRoleManagementDirectoryRoleAssignmentScheduleByCurrentUser
	Invoke-MgFilterRoleManagementDirectoryRoleAssignmentScheduleInstanceByCurrentUser
	Invoke-MgFilterRoleManagementDirectoryRoleEligibilityScheduleByCurrentUser
	Invoke-MgFilterRoleManagementDirectoryRoleEligibilityScheduleInstanceByCurrentUser

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaPolicyRoleManagementPolicy
	Get-MgBetaPolicyRoleManagementPolicyAssignment
	Get-MgBetaPolicyRoleManagementPolicyEffectiveRule
	Get-MgBetaPolicyRoleManagementPolicyRule
	Get-MgBetaRoleManagementDirectoryResourceNamespace
	Get-MgBetaRoleManagementDirectoryResourceNamespaceResourceAction
	Get-MgBetaRoleManagementDirectoryRoleAssignment
	Get-MgBetaRoleManagementDirectoryRoleAssignmentSchedule
	Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleInstance
	Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest
	Get-MgBetaRoleManagementDirectoryRoleDefinition
	Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule
	Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance
	Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest
	Get-MgBetaRoleManagementExchangeCustomAppScope
	Get-MgBetaRoleManagementExchangeRoleAssignment
	Get-MgBetaRoleManagementExchangeRoleDefinition
	Invoke-MgBetaFilterRoleManagementDirectoryRoleAssignmentScheduleByCurrentUser
	Invoke-MgBetaFilterRoleManagementDirectoryRoleAssignmentScheduleInstanceByCurrentUser
	Invoke-MgBetaFilterRoleManagementDirectoryRoleEligibilityScheduleByCurrentUser
	Invoke-MgBetaFilterRoleManagementDirectoryRoleEligibilityScheduleInstanceByCurrentUser

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: customAppScope

Property	Type	Description
customAttributes	customAppScopeAttributesDictionary	An open dictionary type that holds workload-specific properties for the scope object.
displayName	String	The display name of the app-specific resource represented by the app scope. Provided for display purposes since the appScopeId is often an immutable, non-human-readable ID. Read-only. Inherited from appScope.
id	String	The unique identifier of an app-specific container or resource that represents the scope of the assignment. Usually the immutable ID of the resource. The scope of an assignment determines the set of resources for which the principal has been granted access. Required. Inherited from appScope.
type	String	The type of app-specific resource represented by the app scope. Provided for display purposes, so a user interface can convey to the user the kind of app-specific resource represented by the app scope. Read-only. Inherited from appScope.

Graph reference: unifiedRbacResourceAction

Property	Type	Description
actionVerb	String	HTTP method for the action, such as `DELETE`, `GET`, `PATCH`, `POST`, `PUT`, or `null`. Supports `$filter` (`eq`) but not for `null` values.
description	String	Description for the action. Supports `$filter` (`eq`).
id	String	Unique identifier for an action within the resource namespace, such as `microsoft.insights-programs-update-patch`. can't include slash character (`/`). Case insensitive. Required. Supports `$filter` (`eq`).
isPrivileged	Boolean	Flag indicating if the action is a sensitive resource action. Applies only for actions in the `microsoft.directory` resource namespace. Read-only. Supports `$filter` (`eq`).
name	String	Name for the action within the resource namespace, such as `microsoft.insights/programs/update`. Can include slash character (`/`). Case insensitive. Required. Supports `$filter` (`eq`).
resourceScopeId	String	Not implemented.

Graph reference: unifiedRbacResourceNamespace

Property	Type	Description
id	String	Unique identifier of the resource namespace that defines permissions, such as `microsoft.aad.b2c`. Required.
name	String	Name of the resource namespace. Typically, the same name as the **i

Graph reference: unifiedRoleAssignment

Property	Type	Description
appScopeId	String	Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, `/AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997`. Supports `$filter` (`eq`, `in`). For example, `/roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'`.
directoryScopeId	String	Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports `$filter` (`eq`, `in`).
id	String	The unique identifier for the unifiedRoleAssignment. Key, not nullable, Read-only.
principalId	String	Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports `$filter` (`eq`, `in`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports `$filter` (`eq`, `in`).

Graph reference: unifiedRoleAssignmentSchedule

Property	Type	Description
appScopeId	String	Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values). Inherited from unifiedRoleScheduleBase.
assignmentType	String	The type of the assignment that can either be `Assigned` or `Activated`. Supports `$filter` (`eq`, `ne`).
createdDateTime	DateTimeOffset	When the schedule was created. Inherited from unifiedRoleScheduleBase.
createdUsing	String	Identifier of the unifiedRoleAssignmentScheduleRequest object through which this schedule was created. Nullable. Inherited from unifiedRoleScheduleBase. Supports `$filter` (`eq`, `ne`, and on `null` values).
directoryScopeId	String	Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values). Inherited from unifiedRoleScheduleBase.
id	String	The unique identifier for the unifiedRoleAssignmentScheduleRequest object. Supports `$filter` (`eq`). Inherited from entity.
memberType	String	How the assignment is inherited. It can either be `Inherited`, `Direct`, or `Group`. It can further imply whether the unifiedRoleAssignmentSchedule can be managed by the caller. Supports `$filter` (`eq`, `ne`).
modifiedDateTime	DateTimeOffset	When the schedule was last modified. Inherited from unifiedRoleScheduleBase.
principalId	String	Identifier of the principal that has been granted the role assignment. Inherited from unifiedRoleScheduleBase. Supports `$filter` (`eq`, `ne`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Inherited from unifiedRoleScheduleBase. Supports `$filter` (`eq`, `ne`).
scheduleInfo	requestSchedule	The period of the role assignment. It can represent a single occurrence or multiple recurrences.
status	String	The status of the **u

Graph reference: unifiedRoleAssignmentScheduleInstance

Property	Type	Description
appScopeId	String	Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values). Inherited from unifiedRoleScheduleInstanceBase.
assignmentType	String	The type of the assignment that can either be `Assigned` or `Activated`. Supports `$filter` (`eq`, `ne`).
directoryScopeId	String	Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values). Inherited from unifiedRoleScheduleInstanceBase.
endDateTime	DateTimeOffset	The end date of the schedule instance.
id	String	The unique identifier for the unifiedRoleAssignmentScheduleInstance object. Inherited from entity.
memberType	String	How the assignment is inherited. It can either be `Inherited`, `Direct`, or `Group`. It can further imply whether the unifiedRoleAssignmentSchedule can be managed by the caller. Supports `$filter` (`eq`, `ne`).
principalId	String	Identifier of the principal that has been granted the role assignment. Inherited from unifiedRoleScheduleInstanceBase. Supports `$filter` (`eq`, `ne`).
roleAssignmentOriginId	String	The identifier of the role assignment in Microsoft Entra. Supports `$filter` (`eq`, `ne`).
roleAssignmentScheduleId	String	The identifier of the unifiedRoleAssignmentSchedule object from which this instance was created. Supports `$filter` (`eq`, `ne`).
roleDefinitionId	String	The identifier of the unifiedRoleDefinition object that is being assigned to the principal. Inherited from unifiedRoleScheduleInstanceBase. Supports `$filter` (`eq`, `ne`).
startDateTime	DateTimeOffset	When this instance starts.

Graph reference: unifiedRoleAssignmentScheduleRequest

Property	Type	Description
action	String	Represents the type of the operation on the role assignment request. The possible values are: `adminAssign`, `adminUpdate`, `adminRemove`, `selfActivate`, `selfDeactivate`, `adminExtend`, `adminRenew`, `selfExtend`, `selfRenew`, `unknownFutureValue`. `adminAssign`: For administrators to assign roles to principals. `adminRemove`: For administrators to remove principals from roles. `adminUpdate`: For administrators to change existing role assignments. `adminExtend`: For administrators to extend expiring assignments. `adminRenew`: For administrators to renew expired assignments. `selfActivate`: For principals to activate their assignments. `selfDeactivate`: For principals to deactivate their active assignments. `selfExtend`: For principals to request to extend their expiring assignments. `selfRenew`: For principals to request to renew their expired assignments.
approvalId	String	The identifier of the approval of the request. Inherited from request.
appScopeId	String	Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values).
completedDateTime	DateTimeOffset	The request completion date time. Inherited from request.
createdBy	identitySet	The principal that created this request. Inherited from request. Read-only. Supports `$filter` (`eq`, `ne`, and on `null` values).
createdDateTime	DateTimeOffset	The request creation date time. Inherited from request. Read-only.
customData	String	Free text field to define any custom data for the request. Not used. Inherited from request.
directoryScopeId	String	Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values).
id	String	The unique identifier for the unifiedRoleAssignmentScheduleRequest object. Key, not nullable, Read-only. Inherited from entity. Supports `$filter` (`eq`, `ne`).
isValidationOnly	Boolean	Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.
justification	String	A message provided by users and administrators when create they create the unifiedRoleAssignmentScheduleRequest object.
principalId	String	Identifier of the principal that has been granted the assignment. Can be a user, role-assignable group, or a service principal. Supports `$filter` (`eq`, `ne`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports `$filter` (`eq`, `ne`).
scheduleInfo	requestSchedule	The period of the role assignment. Recurring schedules are currently unsupported.
status	String	The status of the role assignment request. Inherited from request. Read-only. Supports `$filter` (`eq`, `ne`).
targetScheduleId	String	Identifier of the schedule object that's linked to the assignment request. Supports `$filter` (`eq`, `ne`).
ticketInfo	ticketInfo	Ticket details linked to the role assignment request including details of the ticket number and ticket system.

Graph reference: unifiedRoleDefinition

Property	Type	Description
description	String	The description for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`.
displayName	String	The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`. Required. Supports $filter (`eq`, `in`).
id	String	The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (`eq`, `in`).
isBuiltIn	Boolean	Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (`eq`, `in`).
isEnabled	Boolean	Flag indicating whether the role is enabled for assignment. If `false` the role is not available for assignment. Read-only when isBuiltIn is true.
resourceScopes	String collection	List of the scopes or permissions the role definition applies to. Currently only `/` is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.
rolePermissions	unifiedRolePermission collection	List of permissions included in the role. Read-only when isBuiltIn is `true`. Required.
templateId	String	Custom template identifier that can be set when isBuiltIn is `false` but is read-only when isBuiltIn is `true`. This identifier is typically used if one needs an identifier to be the same across different directories.
version	String	Indicates version of the role definition. Read-only when **i

Graph reference: unifiedRoleEligibilitySchedule

Property	Type	Description
appScopeId	String	Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Inherited from unifiedRoleScheduleBase. Supports `$filter` (`eq`, `ne`, and on `null` values).
createdDateTime	DateTimeOffset	When the schedule was created. Inherited from unifiedRoleScheduleBase.
createdUsing	String	Identifier of the object through which this schedule was created. Inherited from unifiedRoleScheduleBase. Supports `$filter` (`eq`, `ne`, and on `null` values).
directoryScopeId	String	Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use appScopeId to limit the scope to an application only. Inherited from unifiedRoleScheduleBase. Supports `$filter` (`eq`, `ne`, and on `null` values).
id	String	The unique identifier for the schedule object. Inherited from entity. Supports `$filter` (`eq`).
memberType	String	How the role eligibility is inherited. It can either be `Inherited`, `Direct`, or `Group`. It can further imply whether the unifiedRoleEligibilitySchedule can be managed by the caller. Supports `$filter` (`eq`, `ne`).
modifiedDateTime	DateTimeOffset	When the schedule was last modified. Inherited from unifiedRoleScheduleBase.
principalId	String	Identifier of the principal that is eligible for a role.Inherited from unifiedRoleScheduleBase. Supports `$filter` (`eq`, `ne`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition object that a principal is eligible for. Inherited from unifiedRoleScheduleBase.
scheduleInfo	requestSchedule	The period of the role eligibility.
status	String	The status of the role eligibility request. Inherited from unifiedRoleScheduleBase. The possible values are: `Canceled`, `Denied`, `Failed`, `Granted`, `PendingAdminDecision`, `PendingApproval`, `PendingProvisioning`, `PendingScheduleCreation`, `Provisioned`, `Revoked`, and `ScheduleCreated`. Not nullable. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleEligibilityScheduleInstance

Property	Type	Description
appScopeId	String	Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of the role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Inherited from unifiedRoleScheduleInstanceBase. Supports `$filter` (`eq`, `ne`, and on `null` values).
directoryScopeId	String	Identifier of the directory object representing the scope of the role eligibility. The scope of the role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use appScopeId to limit the scope to an application only. Inherited from unifiedRoleScheduleInstanceBase. Supports `$filter` (`eq`, `ne`, and on `null` values).
endDateTime	DateTimeOffset	The end date of the schedule instance.
id	String	The unique identifier for the schedule object. Inherited from entity.
memberType	String	How the role eligibility is inherited. It can either be `Inherited`, `Direct`, or `Group`. It can further imply whether the unifiedRoleEligibilitySchedule can be managed by the caller. Supports `$filter` (`eq`, `ne`).
principalId	String	Identifier of the principal that's eligible for a role. Inherited from unifiedRoleScheduleInstanceBase. Supports `$filter` (`eq`, `ne`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition object that the principal is eligible for. Inherited from unifiedRoleScheduleInstanceBase. Supports `$filter` (`eq`, `ne`).
roleEligibilityScheduleId	String	The identifier of the unifiedRoleEligibilitySchedule object from which this instance was created. Supports `$filter` (`eq`, `ne`).
startDateTime	DateTimeOffset	When this instance starts.

Graph reference: unifiedRoleEligibilityScheduleRequest

Property	Type	Description
action	unifiedRoleScheduleRequestActions	Represents the type of operation on the role eligibility request. The possible values are: `adminAssign`, `adminUpdate`, `adminRemove`, `selfActivate`, `selfDeactivate`, `adminExtend`, `adminRenew`, `selfExtend`, `selfRenew`, `unknownFutureValue`. `adminAssign`: For administrators to assign eligible roles to principals. `adminRemove`: For administrators to remove eligible roles from principals. `adminUpdate`: For administrators to change existing role eligibilities. `adminExtend`: For administrators to extend expiring role eligibilities. `adminRenew`: For administrators to renew expired eligibilities. `selfActivate`: For users to activate their assignments. `selfDeactivate`: For users to deactivate their active assignments. `selfExtend`: For users to request to extend their expiring assignments. `selfRenew`: For users to request to renew their expired assignments.
approvalId	String	The identifier of the approval of the request. Inherited from request.
appScopeId	String	Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values).
completedDateTime	DateTimeOffset	The request completion date time. Inherited from request.
createdBy	identitySet	The principal that created this request. Inherited from request.
createdDateTime	DateTimeOffset	The request creation date time. Inherited from request.
customData	String	Free text field to define any custom data for the request. Not used. Inherited from request.
directoryScopeId	String	Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values).
id	String	The unique identifier for the unifiedRoleEligibilityScheduleRequest object. Key, not nullable, Read-only. Inherited from entity.
isValidationOnly	Boolean	Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.
justification	String	A message provided by users and administrators when create they create the unifiedRoleEligibilityScheduleRequest object.
principalId	String	Identifier of the principal that has been granted the role eligibility. Can be a user or a role-assignable group. You can grant only active assignments service principals.Supports `$filter` (`eq`, `ne`).
roleDefinitionId	String	Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports `$filter` (`eq`, `ne`).
scheduleInfo	requestSchedule	The period of the role eligibility. Recurring schedules are currently unsupported.
status	String	The status of the role eligibility request. Inherited from request. Read-only. Supports `$filter` (`eq`, `ne`).
targetScheduleId	String	Identifier of the schedule object that's linked to the eligibility request. Supports `$filter` (`eq`, `ne`).
ticketInfo	ticketInfo	Ticket details linked to the role eligibility request including details of the ticket number and ticket system. Optional.

Graph reference: unifiedRoleManagementPolicy

Property	Type	Description
description	String	Description for the policy.
displayName	String	Display name for the policy.
id	String	Unique identifier for the policy.
isOrganizationDefault	Boolean	This can only be set to `true` for a single tenant-wide policy which will apply to all scopes and roles. Set the scopeId to `/` and scopeType to `Directory`. Supports `$filter` (`eq`, `ne`).
lastModifiedBy	identity	The identity who last modified the role setting.
lastModifiedDateTime	DateTimeOffset	The time when the role setting was last modified.
scopeId	String	The identifier of the scope where the policy is created. Can be `/` for the tenant or a group ID. Required.
scopeType	String	The type of the scope where the policy is created. One of `Directory`, `DirectoryRole`, `Group`. Required.

Graph reference: unifiedRoleManagementPolicyApprovalRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
setting	approvalSettings	The settings for approval of the role assignment.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the approval rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyAssignment

Property	Type	Description
id	String	Unique identifier for the policy assignment. The ID is typically a concatenation of the unifiedRoleManagementPolicy ID and the roleDefinitionId separated by an underscore.
policyId	String	The id of the policy. Inherited from entity.
roleDefinitionId	String	For Microsoft Entra roles policy, it's the identifier of the role definition object where the policy applies. For PIM for groups membership and ownership, it's either `member` or `owner`. Supports $filter (`eq`).
scopeId	String	The identifier of the scope where the policy is assigned. Can be `/` for the tenant or a group ID. Required.
scopeType	String	The type of the scope where the policy is assigned. One of `Directory`, `DirectoryRole`, `Group`. Required.

Graph reference: unifiedRoleManagementPolicyAuthenticationContextRule

Property	Type	Description
claimValue	String	The value of the authentication context claim.
id	String	Identifier for the rule. Inherited from entity.
isEnabled	Boolean	Determines whether this rule is enabled.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that the enablement rule targets. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyEnablementRule

Property	Type	Description
enabledRules	String collection	The collection of rules that are enabled for this policy rule. For example, `MultiFactorAuthentication`, `Ticketing`, and `Justification`.
id	String	Identifier for the rule. Inherited from entity.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyExpirationRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
isExpirationRequired	Boolean	Indicates whether expiration is required or if it's a permanently active assignment or eligibility.
maximumDuration	Duration	The maximum duration allowed for eligibility or assignment that isn't permanent. Required when isExpirationRequired is `true`.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the expiration rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyNotificationRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
isDefaultRecipientsEnabled	Boolean	Indicates whether a default recipient will receive the notification email.
notificationLevel	String	The level of notification. The possible values are `None`, `Critical`, `All`.
notificationRecipients	String collection	The list of recipients of the email notifications.
notificationType	String	The type of notification. Only `Email` is supported.
recipientType	String	The type of recipient of the notification. The possible values are `Requestor`, `Approver`, `Admin`.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the notification rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity. Read-only.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role. Supports `$filter` (`eq`, `ne`).

Table of Contents

RoleManagement.Read.All

Graph Methods

Resources