RoleManagement.ReadWrite.Exchange
Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
RoleManagement.ReadWrite.Exchange
permission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReport
command. See How To: Run a quick OAuth app audit of your tenant
Category | Application | Delegated |
---|---|---|
Identifier | 025d3225-3f02-4882-b4c0-cd5b541a4e80 | c1499fe0-52b1-4b22-bed2-7a244e0e879f |
DisplayText | Read and write Exchange Online RBAC configuration | Read and write Exchange Online RBAC configuration |
Description | Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, without a signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies. | Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies. |
AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
Methods |
---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: customAppScope
Property | Type | Description |
---|---|---|
customAttributes | customAppScopeAttributesDictionary | An open dictionary type that holds workload-specific properties for the scope object. |
displayName | String | The display name of the app-specific resource represented by the app scope. Provided for display purposes since the appScopeId is often an immutable, non-human-readable ID. Read-only. Inherited from appScope. |
id | String | The unique identifier of an app-specific container or resource that represents the scope of the assignment. Usually the immutable ID of the resource. The scope of an assignment determines the set of resources for which the principal has been granted access. Required. Inherited from appScope. |
type | String | The type of app-specific resource represented by the app scope. Provided for display purposes, so a user interface can convey to the user the kind of app-specific resource represented by the app scope. Read-only. Inherited from appScope. |