RoleManagement.ReadWrite.Exchange

Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

Ver	Type	Method
V1	D	DELETE /roleManagement/directory/roleAssignments/{id}
V1	D	GET /roleManagement/cloudPC/roleDefinitions
V1	D	GET /roleManagement/cloudPC/roleDefinitions/{id}
V1	D	GET /roleManagement/directory/roleAssignments?$filter=principalId eq '{principal id}'
V1	D	GET /roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '{roleDefinition id}'
V1	D	GET /roleManagement/directory/roleAssignments/{id}
V1	D	POST /roleManagement/directory/roleAssignments

Delegate Permission


Id	c1499fe0-52b1-4b22-bed2-7a244e0e879f
Consent Type	Admin
Display String	Read and write Exchange Online RBAC configuration
Description	Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.

Application Permission


Id	025d3225-3f02-4882-b4c0-cd5b541a4e80
Display String	Read and write Exchange Online RBAC configuration
Description	Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, without a signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.

Resources

appScope

Property	Type	Description
displayName	string	Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable id. Read-only.
id	string	Identifier of an app-specific container or resource representing the scope of the assignment. Usually the immutable id of the resource. The scope of an assignment determines the set of resources for which the principal has been granted access. Required.
type	String	Describes the type of app-specific resource represented by the app scope. Provided for display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read-only.

unifiedRoleAssignment

Property	Type	Description
appScopeId	String	Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or directoryScopeId is required. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (`eq`, `in`).
directoryScopeId	String	Identifier of the directory object representing the scope of the assignment. Either this property or appScopeId is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (`eq`, `in`).
id	String	The unique identifier for the role assignment. Key, not nullable, Read-only. Inherited from entity.
roleDefinitionId	String	Identifier of the role definition the assignment is for. Read only. Supports $filter (`eq`, `in`).
principalId	String	Identifier of the principal to which the assignment is granted. Supports $filter (`eq`, `in`).

unifiedRoleDefinition

Property	Type	Description
description	String	The description for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`.
displayName	String	The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is `true`. Required. Supports $filter (`eq`, `in`).
id	String	The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from entity. Supports $filter (`eq`, `in`).
isBuiltIn	Boolean	Flag indicating whether the role definition is part of the default set included in Azure Active Directory (Azure AD) or a custom definition. Read-only. Supports $filter (`eq`, `in`).
isEnabled	Boolean	Flag indicating whether the role is enabled for assignment. If `false` the role is not available for assignment. Read-only when isBuiltIn is true.
resourceScopes	String collection	List of the scopes or permissions the role definition applies to. Currently only `/` is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.
rolePermissions	unifiedRolePermission collection	List of permissions included in the role. Read-only when isBuiltIn is `true`. Required.
templateId	String	Custom template identifier that can be set when isBuiltIn is `false` but is read-only when isBuiltIn is `true`. This identifier is typically used if one needs an identifier to be the same across different directories.
version	String	Indicates version of the role definition. Read-only when **i