Show / Hide Table of Contents

RoleManagementPolicy.ReadWrite.AzureADGroup

Allows the app to read, update, and delete policies in Privileged Identity Management for Groups, on behalf of the signed-in user.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

Ver	Type	Method
V1	A,D	GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
V1	A,D	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
V1	A,D	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
V1	A,D	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
V1	A,D	GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
V1	A,D	GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
V1	A,D	PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
V1	A,D	PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}

Delegate Permission


Id	0da165c7-3f15-4236-b733-c0b0f6abe41d
Consent Type	Admin
Display String	Read, update, and delete all policies in PIM for Groups
Description	Allows the app to read, update, and delete policies in Privileged Identity Management for Groups, on behalf of the signed-in user.

Application Permission


Id	b38dcc4d-a239-4ed6-aa84-6c65b284f97c
Display String	Read, update, and delete all policies in PIM for Groups
Description	Allows the app to read, update, and delete policies in Privileged Identity Management for Groups, without a signed-in user.

Resources

approvalSettings

Property	Type	Description
approvalMode	String	One of `SingleStage`, `Serial`, `Parallel`, `NoApproval` (default). `NoApproval` is used when `isApprovalRequired` is `false`.
approvalStages	unifiedApprovalStage collection	If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required.
isApprovalRequired	Boolean	Indicates whether approval is required for requests in this policy.
isApprovalRequiredForExtension	Boolean	Indicates whether approval is required for a user to extend their assignment.
isRequestorJustificationRequired	Boolean	Indicates whether the requestor is required to supply a justification in their request.

unifiedRoleManagementPolicy

Property	Type	Description
description	String	Description for the policy.
displayName	String	Display name for the policy.
id	String	Unique identifier for the policy.
isOrganizationDefault	Boolean	This can only be set to `true` for a single tenant-wide policy which will apply to all scopes and roles. Set the scopeId to `/` and scopeType to `Directory`. Supports `$filter` (`eq`, `ne`).
lastModifiedBy	identity	The identity who last modified the role setting.
lastModifiedDateTime	DateTimeOffset	The time when the role setting was last modified.
scopeId	String	The identifier of the scope where the policy is created. Can be `/` for the tenant or a group ID. Required.
scopeType	String	The type of the scope where the policy is created. One of `Directory`, `DirectoryRole`. Required.

unifiedRoleManagementPolicyApprovalRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
setting	approvalSettings	The settings for approval of the role assignment.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the approval rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

unifiedRoleManagementPolicyAssignment

Property	Type	Description
id	String	Unique identifier for the policy assignment. The ID is typically a concatenation of the unifiedRoleManagementPolicy ID and the roleDefinitionId separated by an underscore.
policyId	String	The id of the policy. Inherited from entity.
roleDefinitionId	String	The identifier of the role definition object where the policy applies. If not specified, the policy applies to all roles. Supports $filter (`eq`).
scopeId	String	The identifier of the scope where the policy is assigned. Can be `/` for the tenant or a group ID. Required.
scopeType	String	The type of the scope where the policy is assigned. One of `Directory`, `DirectoryRole`. Required.

unifiedRoleManagementPolicyAuthenticationContextRule

Property	Type	Description
claimValue	String	The value of the authentication context claim.
id	String	Identifier for the rule. Inherited from entity.
isEnabled	Boolean	Whether this rule is enabled.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

unifiedRoleManagementPolicyEnablementRule

Property	Type	Description
enabledRules	String collection	The collection of rules that are enabled for this policy rule. For example, `MultiFactorAuthentication`, `Ticketing`, and `Justification`.
id	String	Identifier for the rule. Inherited from entity.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

unifiedRoleManagementPolicyExpirationRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
isExpirationRequired	Boolean	Indicates whether expiration is required or if it's a permanently active assignment or eligibility.
maximumDuration	Duration	The maximum duration allowed for eligibility or assignment which is not permanent. Required when isExpirationRequired is `true`.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the expiration rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

unifiedRoleManagementPolicyNotificationRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
isDefaultRecipientsEnabled	Boolean	Indicates whether a default recipient will receive the notification email.
notificationLevel	String	The level of notification. The possible values are `None`, `Critical`, `All`.
notificationRecipients	String collection	The list of recipients of the email notifications.
notificationType	String	The type of notification. Only `Email` is supported.
recipientType	String	The type of recipient of the notification. The possible values are `Requestor`, `Approver`, `Admin`.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the notification rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

unifiedRoleManagementPolicyRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity. Read-only.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role. Supports `$filter` (`eq`, `ne`).

unifiedRoleManagementPolicyRuleTarget

Property	Type	Description
caller	String	The type of caller that's the target of the policy rule. Allowed values are: `None`, `Admin`, `EndUser`.
enforcedSettings	String collection	The list of role settings that are enforced and cannot be overridden by child scopes. Use `All` for all settings.
inheritableSettings	String collection	The list of role settings that can be inherited by child scopes. Use `All` for all settings.
level	String	The role assignment type that's the target of policy rule. Allowed values are: `Eligibility`, `Assignment`.
operations	String collection	The role management operations that are the target of the policy rule. Allowed values are: `All`, `Activate`, `Deactivate`, `Assign`, `Update`, `Remove`, `Extend`, `Renew`.