Show / Hide Table of Contents

RoleManagement.Read.Exchange

Allows the app to read the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

Ver Type Method
V1 D GET /roleManagement/cloudPC/roleDefinitions
V1 D GET /roleManagement/cloudPC/roleDefinitions/{id}
V1 D GET /roleManagement/directory/roleAssignments?$filter=principalId eq '{principal id}'
V1 D GET /roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '{roleDefinition id}'
V1 D GET /roleManagement/directory/roleAssignments/{id}

Delegate Permission

Id 3bc15058-7858-4141-b24f-ae43b4e80b52
Consent Type Admin
Display String Read Exchange Online RBAC configuration
Description Allows the app to read the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.

Application Permission

Id c769435f-f061-4d0b-8ff1-3d39870e5f85
Display String Read Exchange Online RBAC configuration
Description Allows the app to read the role-based access control (RBAC) configuration for your organization's Exchange Online service, without a signed-in user. This includes reading Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.

Resources

unifiedRoleAssignment

Property Type Description
appScopeId String Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or directoryScopeId is required. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, in).
directoryScopeId String Identifier of the directory object representing the scope of the assignment. Either this property or appScopeId is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, in).
id String The unique identifier for the role assignment. Key, not nullable, Read-only. Inherited from entity.
roleDefinitionId String Identifier of the role definition the assignment is for. Read only. Supports $filter (eq, in).
principalId String Identifier of the principal to which the assignment is granted. Supports $filter (eq, in).

unifiedRoleDefinition

Property Type Description
description String The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.
displayName String The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq, in).
id String The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (eq, in).
isBuiltIn Boolean Flag indicating whether the role definition is part of the default set included in Azure Active Directory (Azure AD) or a custom definition. Read-only. Supports $filter (eq, in).
isEnabled Boolean Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.
resourceScopes String collection List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.
rolePermissions unifiedRolePermission collection List of permissions included in the role. Read-only when isBuiltIn is true. Required.
templateId String Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories.
version String Indicates version of the role definition. Read-only when **i
In This Article
Back to top Created by merill | Submit feedback