Table of Contents

RoleManagementPolicy.ReadWrite.Directory

Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the RoleManagementPolicy.ReadWrite.Directory permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category Application Delegated
Identifier 31e08e0a-d3f7-4ca2-ac39-7343fb83e8ad 1ff1be21-34eb-448c-9ac9-ce1f506b2a68
DisplayText Read, update, and delete all policies for privileged role assignments of your company's directory Read, update, and delete all policies for privileged role assignments of your company's directory
Description Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, without a signed-in user. Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: approvalSettings

Property Type Description
approvalMode String One of SingleStage, Serial, Parallel, NoApproval (default). NoApproval is used when isApprovalRequired is false.
approvalStages unifiedApprovalStage collection If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required.
isApprovalRequired Boolean Indicates whether approval is required for requests in this policy.
isApprovalRequiredForExtension Boolean Indicates whether approval is required for a user to extend their assignment.
isRequestorJustificationRequired Boolean Indicates whether the requestor is required to supply a justification in their request.