Allows the app to read the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes reading M365 Defender role definitions and role assignments.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the RoleManagement.Read.Defender permission.
If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant
Category
Application
Delegated
Identifier
4d6e30d1-e64e-4ae7-bf9d-c706cc928cef
dd689728-6eb8-4deb-bd38-2924a935f3de
DisplayText
Read M365 Defender RBAC configuration
Read M365 Defender RBAC configuration
Description
Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user.
Allows the app to read the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes reading M365 Defender role definitions and role assignments.
An open dictionary type that holds workload-specific properties for the scope object.
displayName
String
The display name of the app-specific resource represented by the app scope. Provided for display purposes since the appScopeId is often an immutable, non-human-readable ID. Read-only. Inherited from appScope.
id
String
The unique identifier of an app-specific container or resource that represents the scope of the assignment. Usually the immutable ID of the resource. The scope of an assignment determines the set of resources for which the principal has been granted access. Required. Inherited from appScope.
type
String
The type of app-specific resource represented by the app scope. Provided for display purposes, so a user interface can convey to the user the kind of app-specific resource represented by the app scope. Read-only. Inherited from appScope.
Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997. Supports $filter (eq, in). For example, /roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'.
directoryScopeId
String
Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports $filter (eq, in).
id
String
The unique identifier for the unifiedRoleAssignment. Key, not nullable, Read-only.
principalId
String
Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports $filter (eq, in).
roleDefinitionId
String
Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports $filter (eq, in).
Ids of the app specific scopes when the assignment scopes are app specific. The scopes of an assignment determine the set of resources for which the principal has access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. App scopes are scopes that are defined and understood by this application only.
description
String
Description of the role assignment.
directoryScopeIds
String collection
Ids of the directory objects that represent the scopes of the assignment. The scopes of an assignment determine the set of resources for which the principals have been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. App scopes are scopes that are defined and understood by this application only.
displayName
String
Name of the role assignment. Required.
id
String
The unique identifier for the unifiedRoleAssignmentMultiple object. Key, not nullable, Read-only.
principalIds
String collection
Identifiers of the principals to which the assignment is granted. Supports $filter (any operator only).
roleDefinitionId
String
Identifier of the unifiedRoleDefinition the assignment is for.
The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.
displayName
String
The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq, in).
id
String
The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (eq, in).
isBuiltIn
Boolean
Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (eq, in).
isEnabled
Boolean
Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.
resourceScopes
String collection
List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.
rolePermissions
unifiedRolePermission collection
List of permissions included in the role. Read-only when isBuiltIn is true. Required.
templateId
String
Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories.
version
String
Indicates version of the role definition. Read-only when **i