RoleManagementPolicy.ReadWrite.AzureADGroup

Allows the app to read, update, and delete policies in Privileged Identity Management for Groups, on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the RoleManagementPolicy.ReadWrite.AzureADGroup permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	b38dcc4d-a239-4ed6-aa84-6c65b284f97c	0da165c7-3f15-4236-b733-c0b0f6abe41d
DisplayText	Read, update, and delete all policies in PIM for Groups	Read, update, and delete all policies in PIM for Groups
Description	Allows the app to read, update, and delete policies in Privileged Identity Management for Groups, without a signed-in user.	Allows the app to read, update, and delete policies in Privileged Identity Management for Groups, on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
	GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
	PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
	PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
	GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
	GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
	GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
	PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
	PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaPolicyRoleManagementPolicyAssignment
	Get-MgPolicyRoleManagementPolicy
	Get-MgPolicyRoleManagementPolicyAssignment
	Get-MgPolicyRoleManagementPolicyRule
	Update-MgPolicyRoleManagementPolicy
	Update-MgPolicyRoleManagementPolicyRule

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaPolicyRoleManagementPolicy
	Get-MgBetaPolicyRoleManagementPolicyAssignment
	Get-MgBetaPolicyRoleManagementPolicyRule
	Update-MgBetaPolicyRoleManagementPolicy
	Update-MgBetaPolicyRoleManagementPolicyRule

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: approvalSettings

Property	Type	Description
approvalMode	String	One of `SingleStage`, `Serial`, `Parallel`, `NoApproval` (default). `NoApproval` is used when `isApprovalRequired` is `false`.
approvalStages	unifiedApprovalStage collection	If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required.
isApprovalRequired	Boolean	Indicates whether approval is required for requests in this policy.
isApprovalRequiredForExtension	Boolean	Indicates whether approval is required for a user to extend their assignment.
isRequestorJustificationRequired	Boolean	Indicates whether the requestor is required to supply a justification in their request.

Graph reference: unifiedRoleManagementPolicy

Property	Type	Description
description	String	Description for the policy.
displayName	String	Display name for the policy.
id	String	Unique identifier for the policy.
isOrganizationDefault	Boolean	This can only be set to `true` for a single tenant-wide policy which will apply to all scopes and roles. Set the scopeId to `/` and scopeType to `Directory`. Supports `$filter` (`eq`, `ne`).
lastModifiedBy	identity	The identity who last modified the role setting.
lastModifiedDateTime	DateTimeOffset	The time when the role setting was last modified.
scopeId	String	The identifier of the scope where the policy is created. Can be `/` for the tenant or a group ID. Required.
scopeType	String	The type of the scope where the policy is created. One of `Directory`, `DirectoryRole`, `Group`. Required.

Graph reference: unifiedRoleManagementPolicyApprovalRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
setting	approvalSettings	The settings for approval of the role assignment.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the approval rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyAssignment

Property	Type	Description
id	String	Unique identifier for the policy assignment. The ID is typically a concatenation of the unifiedRoleManagementPolicy ID and the roleDefinitionId separated by an underscore.
policyId	String	The id of the policy. Inherited from entity.
roleDefinitionId	String	For Microsoft Entra roles policy, it's the identifier of the role definition object where the policy applies. For PIM for groups membership and ownership, it's either `member` or `owner`. Supports $filter (`eq`).
scopeId	String	The identifier of the scope where the policy is assigned. Can be `/` for the tenant or a group ID. Required.
scopeType	String	The type of the scope where the policy is assigned. One of `Directory`, `DirectoryRole`, `Group`. Required.

Graph reference: unifiedRoleManagementPolicyAuthenticationContextRule

Property	Type	Description
claimValue	String	The value of the authentication context claim.
id	String	Identifier for the rule. Inherited from entity.
isEnabled	Boolean	Determines whether this rule is enabled.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that the enablement rule targets. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyEnablementRule

Property	Type	Description
enabledRules	String collection	The collection of rules that are enabled for this policy rule. For example, `MultiFactorAuthentication`, `Ticketing`, and `Justification`.
id	String	Identifier for the rule. Inherited from entity.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyExpirationRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
isExpirationRequired	Boolean	Indicates whether expiration is required or if it's a permanently active assignment or eligibility.
maximumDuration	Duration	The maximum duration allowed for eligibility or assignment that isn't permanent. Required when isExpirationRequired is `true`.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the expiration rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyNotificationRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity.
isDefaultRecipientsEnabled	Boolean	Indicates whether a default recipient will receive the notification email.
notificationLevel	String	The level of notification. The possible values are `None`, `Critical`, `All`.
notificationRecipients	String collection	The list of recipients of the email notifications.
notificationType	String	The type of notification. Only `Email` is supported.
recipientType	String	The type of recipient of the notification. The possible values are `Requestor`, `Approver`, `Admin`.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of the scope that's targeted by the notification rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from unifiedRoleManagementPolicyRule. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyRule

Property	Type	Description
id	String	Identifier for the rule. Inherited from entity. Read-only.
target	unifiedRoleManagementPolicyRuleTarget	Defines details of scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role. Supports `$filter` (`eq`, `ne`).

Graph reference: unifiedRoleManagementPolicyRuleTarget

Property	Type	Description
caller	String	The type of caller that's the target of the policy rule. Allowed values are: `None`, `Admin`, `EndUser`.
enforcedSettings	String collection	The list of role settings that are enforced and cannot be overridden by child scopes. Use `All` for all settings.
inheritableSettings	String collection	The list of role settings that can be inherited by child scopes. Use `All` for all settings.
level	String	The role assignment type that's the target of policy rule. Allowed values are: `Eligibility`, `Assignment`.
operations	String collection	The role management operations that are the target of the policy rule. Allowed values are: `All`, `Activate`, `Deactivate`, `Assign`, `Update`, `Remove`, `Extend`, `Renew`.

Table of Contents

RoleManagementPolicy.ReadWrite.AzureADGroup

Graph Methods

Resources