RoleManagementAlert.ReadWrite.Directory

Allows the app to read and manage the role-based access control (RBAC) alerts for your company's directory, on behalf of the signed-in user. This includes managing alert settings, initiating alert scans, dismissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the RoleManagementAlert.ReadWrite.Directory permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See "How To: Run a quick OAuth app audit of your tenant".

| Category | Application | Delegated |
| --- | --- | --- |
| Identifier | 11059518-d6a6-4851-98ed-509268489c4a | 435644c6-a5b1-40bf-8f52-fe8e5b53e19c |
| DisplayText | Read all alert data, configure alerts, and take actions on all alerts for your company's directory | Read all alert data, configure alerts, and take actions on all alerts for your company's directory |
| Description | Allows the app to read and manage all role-based access control (RBAC) alerts for your company's directory, without a signed-in user. This includes managing alert settings, initiating alert scans, dismissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. | Allows the app to read and manage the role-based access control (RBAC) alerts for your company's directory, on behalf of the signed-in user. This includes managing alert settings, initiating alert scans, dismissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. |
| AdminConsentRequired | Yes | Yes |
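
To see who already holds this permission, the check below is an added example (not code from this page or from the author's tooling). It scans exported Graph JSON, matching the Application identifier listed above against appRoleAssignment.appRoleId and the permission name against oauth2PermissionGrant.scope. The function names and sample records are constructed for illustration, and the input is assumed to be an export of the Microsoft Graph service principal's app role assignments and the tenant's delegated grants.

```python
# Added example: flag principals holding RoleManagementAlert.ReadWrite.Directory.
PERMISSION = "RoleManagementAlert.ReadWrite.Directory"
APP_ROLE_ID = "11059518-d6a6-4851-98ed-509268489c4a"  # Application identifier from the table

def app_only_holders(app_role_assignments):
    """Match appRoleAssignment.appRoleId (assignments on the Microsoft Graph service principal)."""
    return [a.get("principalDisplayName") or a["principalId"]
            for a in app_role_assignments
            if (a.get("appRoleId") or "").lower() == APP_ROLE_ID]

def delegated_holders(oauth2_permission_grants):
    """Match the permission name inside oauth2PermissionGrant.scope."""
    hits = []
    for g in oauth2_permission_grants:
        # scope is space-separated; compare whole tokens so the read-only
        # RoleManagementAlert.Read.Directory grant is not reported.
        if PERMISSION.lower() not in {s.lower() for s in (g.get("scope") or "").split()}:
            continue
        # AllPrincipals = consented for every user; Principal = one user.
        who = "all users" if g.get("consentType") == "AllPrincipals" else g.get("principalId")
        hits.append((g["clientId"], who))
    return hits

# Constructed sample export; every GUID except APP_ROLE_ID is a placeholder.
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "pim-alert-automation",
     "principalId": "00000000-0000-0000-0000-0000000000a1",
     "appRoleId": "11059518-D6A6-4851-98ED-509268489C4A"},
    {"principalDisplayName": "reporting-app",
     "principalId": "00000000-0000-0000-0000-0000000000a2",
     "appRoleId": "00000000-0000-0000-0000-0000000000ff"},
]
SAMPLE_GRANTS = [
    {"clientId": "00000000-0000-0000-0000-0000000000b1", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read RoleManagementAlert.ReadWrite.Directory"},
    {"clientId": "00000000-0000-0000-0000-0000000000b2", "consentType": "Principal",
     "principalId": "00000000-0000-0000-0000-0000000000c1",
     "scope": "User.Read RoleManagementAlert.Read.Directory"},
]

if __name__ == "__main__":
    for name in app_only_holders(SAMPLE_ASSIGNMENTS):
        print("app-only :", name)
    for client, who in delegated_holders(SAMPLE_GRANTS):
        print("delegated:", client, "on behalf of", who)
```

Any principal reported here can dismiss alerts and change alert settings, so review each one against the list of apps that are expected to manage PIM alerts.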

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: invalidLicenseAlertConfiguration

| Property | Type | Description |
| --- | --- | --- |
| alertDefinitionId | String | The identifier of an alert definition. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne). |
| id | String | The identifier of the alert configuration. Inherited from entity. |
| isEnabled | Boolean | true if the alert is enabled. Setting it to false disables PIM scanning the tenant to identify instances that trigger this alert. Inherited from unifiedRoleManagementAlertConfiguration. |
| scopeId | String | The identifier of the scope to which the alert is related. Only / is supported to represent the tenant scope. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne). |
| scopeType | String | The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles. Inherited from unifiedRoleManagementAlertConfiguration. |