Allows the app to read and manage the role-based access control (RBAC) alerts for your company's directory, on behalf of the signed-in user. This includes managing alert settings, initiating alert scans, dismissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the RoleManagementAlert.ReadWrite.Directory permission.
If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant.

| Category | Application | Delegated |
| --- | --- | --- |
| Identifier | 11059518-d6a6-4851-98ed-509268489c4a | 435644c6-a5b1-40bf-8f52-fe8e5b53e19c |
| DisplayText | Read all alert data, configure alerts, and take actions on all alerts for your company's directory | Read all alert data, configure alerts, and take actions on all alerts for your company's directory |
| Description | Allows the app to read and manage all role-based access control (RBAC) alerts for your company's directory, without a signed-in user. This includes managing alert settings, initiating alert scans, dismissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. | Allows the app to read and manage the role-based access control (RBAC) alerts for your company's directory, on behalf of the signed-in user. This includes managing alert settings, initiating alert scans, dismissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. |

The identifier of an alert definition. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne).

| Property | Type | Description |
| --- | --- | --- |
| id | String | The identifier of the alert configuration. Inherited from entity. |
| isEnabled | Boolean | true if the alert is enabled. Setting it to false disables PIM scanning the tenant to identify instances that trigger this alert. Inherited from unifiedRoleManagementAlertConfiguration. |
| scopeId | String | The identifier of the scope to which the alert is related. Only / is supported to represent the tenant scope. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne). |
| scopeType | String | The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles. Inherited from unifiedRoleManagementAlertConfiguration. |

The identifier for the alert incident. For example, it could be a role assignment ID if the incident represents a role assignment. Inherited from entity. Supports $filter (eq, ne).

| Property | Type | Description |
| --- | --- | --- |
| tenantLicenseStatus | String | Status of the tenant's Microsoft Entra ID P2 license. |

The start time of the operation. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.

| Property | Type | Description |
| --- | --- | --- |
| id | String | The unique identifier of the operation. |
| lastActionDateTime | DateTimeOffset | The time of the last action in the operation. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| resourceLocation | String | URI of the resource that the operation is performed on. |
| status | longRunningOperationStatus | The status of the operation. The possible values are: notStarted, running, succeeded, failed, unknownFutureValue. |

The identifier of an alert definition. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne).

| Property | Type | Description |
| --- | --- | --- |
| id | String | The identifier of the alert configuration. Inherited from entity. |
| isEnabled | Boolean | true if the alert is enabled. Setting it to false disables PIM scanning the tenant to identify instances that trigger this alert. Inherited from unifiedRoleManagementAlertConfiguration. |
| scopeId | String | The identifier of the scope to which the alert is related. Only / is supported to represent the tenant scope. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne). |
| scopeType | String | The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles. Inherited from unifiedRoleManagementAlertConfiguration. |

The identifier for an alert incident. For example, it could be a role assignment ID if the incident represents a role assignment. Inherited from entity. Supports $filter (eq, ne).

| Property | Type | Description |
| --- | --- | --- |
| roleDisplayName | String | The name of the Microsoft Entra ID directory role. |
| roleTemplateId | String | The globally unique identifier for a directory role. |

The identifier of an alert definition. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne).

| Property | Type | Description |
| --- | --- | --- |
| duration | Duration | The number of days without activation to look back on from current timestamp. |
| id | String | The identifier of the alert configuration. Inherited from entity. |
| isEnabled | Boolean | true if the alert is enabled. Setting it to false disables PIM scanning the tenant to identify instances that trigger this alert. Inherited from unifiedRoleManagementAlertConfiguration. |
| scopeId | String | The identifier of the scope to which the alert is related. Only / is supported to represent the tenant scope. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne). |
| scopeType | String | The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles. Inherited from unifiedRoleManagementAlertConfiguration. |

Display name of the subject that the incident applies to.

| Property | Type | Description |
| --- | --- | --- |
| assigneeId | String | The identifier of the subject that the incident applies to. |
| assigneeUserPrincipalName | String | User principal name of the subject that the incident applies to. Applies to user principals only. |
| id | String | The identifier for an alert incident. For example, it could be a role assignment ID if the incident represents a role assignment. Inherited from entity. Supports $filter (eq, ne). |
| lastActivationDateTime | DateTimeOffset | Date and time of the last activation of the eligible assignment. |
| roleDefinitionId | String | The identifier for the directory role definition that's in scope of this incident. |
| roleDisplayName | String | The display name for the directory role. |
| roleTemplateId | String | The globally unique identifier for the directory role. |

The identifier of an alert definition. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne).

| Property | Type | Description |
| --- | --- | --- |
| id | String | The identifier of the alert configuration. Inherited from entity. |
| isEnabled | Boolean | true if the alert is enabled. Setting it to false disables PIM scanning the tenant to identify instances that trigger this alert. Inherited from unifiedRoleManagementAlertConfiguration. |
| scopeId | String | The identifier of the scope to which the alert is related. Only / is supported to represent the tenant scope. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne). |
| scopeType | String | The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles. Inherited from unifiedRoleManagementAlertConfiguration. |

The identifier of an alert definition. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne).

| Property | Type | Description |
| --- | --- | --- |
| id | String | The identifier of the alert configuration. Inherited from entity. |
| isEnabled | Boolean | true if the alert is enabled. Setting it to false disables PIM scanning the tenant to identify instances that trigger this alert. Inherited from unifiedRoleManagementAlertConfiguration. |
| scopeId | String | The identifier of the scope to which the alert is related. Only / is supported to represent the tenant scope. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne). |
| scopeType | String | The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles. Inherited from unifiedRoleManagementAlertConfiguration. |
| sequentialActivationCounterThreshold | Int32 | The minimum number of activations within the timeIntervalBetweenActivations period to trigger an alert. |
| timeIntervalBetweenActivations | Duration | Time interval between activations to trigger an alert. |

The length of sequential activation of the same role.

| Property | Type | Description |
| --- | --- | --- |
| assigneeDisplayName | String | Display name of the subject that the incident applies to. |
| assigneeId | String | The identifier of the subject that the incident applies to. |
| assigneeUserPrincipalName | String | User principal name of the subject that the incident applies to. Applies to user principals. |
| id | String | The identifier for an alert incident. For example, it could be a role assignment ID if the incident represents a role assignment. Inherited from entity. Supports $filter (eq, ne). |
| roleDefinitionId | String | The identifier for the directory role definition that's in scope of this incident. |
| roleDisplayName | String | The display name for the directory role. |
| roleTemplateId | String | The globally unique identifier for the directory role. |
| sequenceEndDateTime | DateTimeOffset | End date time of the sequential activation event. |
| sequenceStartDateTime | DateTimeOffset | Start date time of the sequential activation event. |

The identifier of an alert definition. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne).

| Property | Type | Description |
| --- | --- | --- |
| duration | Duration | The number of days to look back from current timestamp within which the account hasn't signed in. |
| id | String | The identifier of the alert configuration. Inherited from entity. |
| isEnabled | Boolean | true if the alert is enabled. Setting it to false disables PIM scanning the tenant to identify instances that trigger this alert. Inherited from unifiedRoleManagementAlertConfiguration. |
| scopeId | String | The identifier of the scope to which the alert is related. Only / is supported to represent the tenant scope. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne). |
| scopeType | String | The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles. Inherited from unifiedRoleManagementAlertConfiguration. |

Display name of the subject that the incident applies to.

| Property | Type | Description |
| --- | --- | --- |
| assigneeId | String | The identifier of the subject that the incident applies to. |
| assigneeUserPrincipalName | String | User principal name of the subject that the incident applies to. Applies to user principals. |
| assignmentCreatedDateTime | DateTimeOffset | Date and time of assignment creation. |
| id | String | The identifier for an alert incident. For example, it could be a role assignment ID if the incident represents a role assignment. Inherited from entity. Supports $filter (eq, ne). |
| lastSignInDateTime | DateTimeOffset | Date and time of last sign in. |
| roleDefinitionId | String | The identifier for the directory role definition that's in scope of this incident. |
| roleDisplayName | String | The display name for the directory role. |
| roleTemplateId | String | The globally unique identifier for the directory role. |

The identifier of an alert definition. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne).

| Property | Type | Description |
| --- | --- | --- |
| globalAdminCountThreshold | Int32 | The threshold for the number of accounts assigned the Global Administrator role in the tenant. Triggers an alert if the number of global administrators in the tenant reaches or crosses this threshold value. |
| id | String | The identifier of the alert configuration. Inherited from entity. |
| isEnabled | Boolean | true if the alert is enabled. Setting it to false disables PIM scanning the tenant to identify instances that trigger this alert. Inherited from unifiedRoleManagementAlertConfiguration. |
| percentageOfGlobalAdminsOutOfRolesThreshold | Int32 | Threshold of the percentage of global administrators out of all the role assignments in the tenant. Triggers an alert if the percentage in the tenant reaches or crosses this threshold value. |
| scopeId | String | The identifier of the scope to which the alert is related. Only / is supported to represent the tenant scope. Inherited from unifiedRoleManagementAlertConfiguration. Supports $filter (eq, ne). |
| scopeType | String | The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles. Inherited from unifiedRoleManagementAlertConfiguration. |

Display name of the subject that the incident applies to.

| Property | Type | Description |
| --- | --- | --- |
| assigneeId | String | The identifier of the subject that the incident applies to. |
| assigneeUserPrincipalName | String | User principal name of the subject that the incident applies to. Applies to user principals. |
| id | String | The identifier for the alert incident. For example, it could be a role assignment ID if the incident represents a role assignment. Inherited from entity. Supports $filter (eq, ne). |

The friendly display name that renders in Privileged Identity Management (PIM) alerts in the Microsoft Entra admin center.

| Property | Type | Description |
| --- | --- | --- |
| howToPrevent | String | Long-form text that indicates the ways to prevent the alert from being triggered in your tenant. |
| id | String | The identifier of the alert definition. Inherited from entity. |
| isConfigurable | Boolean | true if the alert configuration can be customized in the tenant, and false otherwise. For example, the number and percentage thresholds of the 'There are too many global administrators' alert can be configured by users, while the 'This organization doesn't have Microsoft Entra ID P2' alert can't be configured, because the criteria are restricted. |
| isRemediatable | Boolean | true if the alert can be remediated, and false otherwise. |
| mitigationSteps | String | The methods to mitigate the alert when it's triggered in the tenant. For example, to mitigate the 'There are too many global administrators' alert, you could remove redundant privileged role assignments. |
| scopeId | String | The identifier of the scope to which the alert is related. / is the only supported one for the tenant. Supports $filter (eq, ne). |
| scopeType | String | The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles. |
| securityImpact | String | Security impact of the alert. For example, it could be information leaks or unauthorized access. |
| severityLevel | alertSeverity | Severity level of the alert. The possible values are: unknown, informational, low, medium, high, unknownFutureValue. |