RoleManagement.ReadWrite.Directory
Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Ver |
Type |
Method |
V1 |
A,D |
DELETE /roleManagement/directory/roleAssignments/{id} |
V1 |
A,D |
GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' |
V1 |
A,D |
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId} |
V1 |
A,D |
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules |
V1 |
A,D |
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId} |
V1 |
A,D |
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' |
V1 |
A,D |
GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId} |
V1 |
A,D |
GET /roleManagement/cloudPC/roleDefinitions |
V1 |
A,D |
GET /roleManagement/cloudPC/roleDefinitions/{id} |
V1 |
A,D |
GET /roleManagement/directory/roleAssignments |
V1 |
A,D |
GET /roleManagement/directory/roleAssignments/{id} |
V1 |
A,D |
GET /roleManagement/directory/roleDefinitions |
V1 |
A,D |
GET /roleManagement/directory/roleDefinitions/{id} |
V1 |
A,D |
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId} |
V1 |
A,D |
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId} |
V1 |
A,D |
POST /roleManagement/directory/roleAssignments |
Delegate Permission
|
|
Id |
d01b97e9-cbc0-49fe-810a-750afd5527a3 |
Consent Type |
Admin |
Display String |
Read and write directory RBAC settings |
Description |
Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. |
Application Permission
|
|
Id |
9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 |
Display String |
Read and write all directory RBAC settings |
Description |
Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. |
Resources
Property |
Type |
Description |
approvalMode |
String |
One of SingleStage , Serial , Parallel , NoApproval (default). NoApproval is used when isApprovalRequired is false . |
approvalStages |
unifiedApprovalStage collection |
If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required. |
isApprovalRequired |
Boolean |
Indicates whether approval is required for requests in this policy. |
isApprovalRequiredForExtension |
Boolean |
Indicates whether approval is required for a user to extend their assignment. |
isRequestorJustificationRequired |
Boolean |
Indicates whether the requestor is required to supply a justification in their request. |
Property |
Type |
Description |
deletedDateTime |
DateTimeOffset |
Date and time when this object was deleted. Always null when the object hasn't been deleted. |
id |
String |
The unique identifier for the object. For example, 12345678-9abc-def0-1234-56789abcde . The value of the **i |
Property |
Type |
Description |
appScopeId |
String |
Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog, for example /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997 . Supports $filter (eq , in ). For example /roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}' . |
directoryScopeId |
String |
Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports $filter (eq , in ). |
id |
String |
The unique identifier for the unifiedRoleAssignment. Key, not nullable, Read-only. |
principalId |
String |
Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports $filter (eq , in ). |
roleDefinitionId |
String |
Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports $filter (eq , in ). |
Property |
Type |
Description |
description |
String |
The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true . |
displayName |
String |
The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true . Required. Supports $filter (eq , in ). |
id |
String |
The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (eq , in ). |
isBuiltIn |
Boolean |
Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (eq , in ). |
isEnabled |
Boolean |
Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true. |
resourceScopes |
String collection |
List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment. |
rolePermissions |
unifiedRolePermission collection |
List of permissions included in the role. Read-only when isBuiltIn is true . Required. |
templateId |
String |
Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true . This identifier is typically used if one needs an identifier to be the same across different directories. |
version |
String |
Indicates version of the role definition. Read-only when **i |
Property |
Type |
Description |
description |
String |
Description for the policy. |
displayName |
String |
Display name for the policy. |
id |
String |
Unique identifier for the policy. |
isOrganizationDefault |
Boolean |
This can only be set to true for a single tenant-wide policy which will apply to all scopes and roles. Set the scopeId to / and scopeType to Directory . Supports $filter (eq , ne ). |
lastModifiedBy |
identity |
The identity who last modified the role setting. |
lastModifiedDateTime |
DateTimeOffset |
The time when the role setting was last modified. |
scopeId |
String |
The identifier of the scope where the policy is created. Can be / for the tenant or a group ID. Required. |
scopeType |
String |
The type of the scope where the policy is created. One of Directory , DirectoryRole , Group . Required. |
Property |
Type |
Description |
id |
String |
Identifier for the rule. Inherited from entity. |
setting |
approvalSettings |
The settings for approval of the role assignment. |
target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that's targeted by the approval rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq , ne ). |
Property |
Type |
Description |
id |
String |
Unique identifier for the policy assignment. The ID is typically a concatenation of the unifiedRoleManagementPolicy ID and the roleDefinitionId separated by an underscore. |
policyId |
String |
The id of the policy. Inherited from entity. |
roleDefinitionId |
String |
For Microsoft Entra roles policy, it's the identifier of the role definition object where the policy applies. For PIM for groups membership and ownership, it's either member or owner . Supports $filter (eq ). |
scopeId |
String |
The identifier of the scope where the policy is assigned. Can be / for the tenant or a group ID. Required. |
scopeType |
String |
The type of the scope where the policy is assigned. One of Directory , DirectoryRole , Group . Required. |
Property |
Type |
Description |
claimValue |
String |
The value of the authentication context claim. |
id |
String |
Identifier for the rule. Inherited from entity. |
isEnabled |
Boolean |
Determines whether this rule is enabled. |
target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that the enablement rule targets. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq , ne ). |
Property |
Type |
Description |
enabledRules |
String collection |
The collection of rules that are enabled for this policy rule. For example, MultiFactorAuthentication , Ticketing , and Justification . |
id |
String |
Identifier for the rule. Inherited from entity. |
target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq , ne ). |
Property |
Type |
Description |
id |
String |
Identifier for the rule. Inherited from entity. |
isExpirationRequired |
Boolean |
Indicates whether expiration is required or if it's a permanently active assignment or eligibility. |
maximumDuration |
Duration |
The maximum duration allowed for eligibility or assignment that isn't permanent. Required when isExpirationRequired is true . |
target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that's targeted by the expiration rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq , ne ). |
Property |
Type |
Description |
id |
String |
Identifier for the rule. Inherited from entity. |
isDefaultRecipientsEnabled |
Boolean |
Indicates whether a default recipient will receive the notification email. |
notificationLevel |
String |
The level of notification. The possible values are None , Critical , All . |
notificationRecipients |
String collection |
The list of recipients of the email notifications. |
notificationType |
String |
The type of notification. Only Email is supported. |
recipientType |
String |
The type of recipient of the notification. The possible values are Requestor , Approver , Admin . |
target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of the scope that's targeted by the notification rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports $filter (eq , ne ). |
Property |
Type |
Description |
id |
String |
Identifier for the rule. Inherited from entity. Read-only. |
target |
unifiedRoleManagementPolicyRuleTarget |
Defines details of scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role. Supports $filter (eq , ne ). |
Property |
Type |
Description |
caller |
String |
The type of caller that's the target of the policy rule. Allowed values are: None , Admin , EndUser . |
enforcedSettings |
String collection |
The list of role settings that are enforced and cannot be overridden by child scopes. Use All for all settings. |
inheritableSettings |
String collection |
The list of role settings that can be inherited by child scopes. Use All for all settings. |
level |
String |
The role assignment type that's the target of policy rule. Allowed values are: Eligibility , Assignment . |
operations |
String collection |
The role management operations that are the target of the policy rule. Allowed values are: All , Activate , Deactivate , Assign , Update , Remove , Extend , Renew . |