RoleManagementPolicy.Read.AzureADGroup

Allows the app to read policies in Privileged Identity Management for Groups, on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the RoleManagementPolicy.Read.AzureADGroup permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	69e67828-780e-47fd-b28c-7b27d14864e6	7e26fdff-9cb1-4e56-bede-211fe0e420e8
DisplayText	Read all policies in PIM for Groups	Read all policies in PIM for Groups
Description	Allows the app to read policies in Privileged Identity Management for Groups, without a signed-in user.	Allows the app to read policies in Privileged Identity Management for Groups, on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
	GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
	GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaPolicyRoleManagementPolicyAssignment
	Get-MgPolicyRoleManagementPolicy
	Get-MgPolicyRoleManagementPolicyAssignment
	Get-MgPolicyRoleManagementPolicyRule

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaPolicyRoleManagementPolicy
	Get-MgBetaPolicyRoleManagementPolicyAssignment
	Get-MgBetaPolicyRoleManagementPolicyRule

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: unifiedRoleManagementPolicy

Property	Type	Description
description	String	Description for the policy.
displayName	String	Display name for the policy.
id	String	Unique identifier for the policy.
isOrganizationDefault	Boolean	This can only be set to `true` for a single tenant-wide policy which will apply to all scopes and roles. Set the scopeId to `/` and scopeType to `Directory`. Supports `$filter` (`eq`, `ne`).
lastModifiedBy	identity	The identity who last modified the role setting.
lastModifiedDateTime	DateTimeOffset	The time when the role setting was last modified.
scopeId	String	The identifier of the scope where the policy is created. Can be `/` for the tenant or a group ID. Required.
scopeType	String	The type of the scope where the policy is created. One of `Directory`, `DirectoryRole`, `Group`. Required.

Graph reference: unifiedRoleManagementPolicyApprovalRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
setting	approvalSettings	The settings for approval of the role assignment.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the approval rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyAssignment

Property	Type	Description
id	String	Unique identifier for the policy assignment. The ID is typically a concatenation of the unifiedRoleManagementPolicy ID and the roleDefinitionId separated by an underscore.
policyId	String	The id of the policy. Inherited from entity.
roleDefinitionId	String	For Microsoft Entra roles policy, it's the identifier of the role definition object where the policy applies. For PIM for groups membership and ownership, it's either `member` or `owner`. Supports $filter (`eq`).
scopeId	String	The identifier of the scope where the policy is assigned. Can be `/` for the tenant or a group ID. Required.
scopeType	String	The type of the scope where the policy is assigned. One of `Directory`, `DirectoryRole`, `Group`. Required.

Graph reference: unifiedRoleManagementPolicyAuthenticationContextRule

Property	Type	Description
claimValue	String	The value of the authentication context claim.
id	String	Identifier for the rule. Inherited from entity.
isEnabled	Boolean	Determines whether this rule is enabled.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that the enablement rule targets. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyEnablementRule

Property	Type	Description
enabledRules	String collection	The collection of rules that are enabled for this policy rule. For example, `MultiFactorAuthentication`, `Ticketing`, and `Justification`.
id	String	Identifier for the rule. Inherited from entity.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyExpirationRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
isExpirationRequired	Boolean	Indicates whether expiration is required or if it's a permanently active assignment or eligibility.
maximumDuration	Duration	The maximum duration allowed for eligibility or assignment that isn't permanent. Required when isExpirationRequired is `true`.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the expiration rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyNotificationRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
isDefaultRecipientsEnabled	Boolean	Indicates whether a default recipient will receive the notification email.
notificationLevel	String	The level of notification. The possible values are `None`, `Critical`, `All`.
notificationRecipients	String collection	The list of recipients of the email notifications.
notificationType	String	The type of notification. Only `Email` is supported.
recipientType	String	The type of recipient of the notification. The possible values are `Requestor`, `Approver`, `Admin`.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the notification rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity. Read-only.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role. Supports `$filter` (`eq`, `ne`).

Table of Contents

RoleManagementPolicy.Read.AzureADGroup

Graph Methods

Resources