Updates from: 04/30/2022 01:24:54
Service Microsoft Docs article Related commit history on GitHub Change details
v1.0 Accesspackageassignment Additionalaccess https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/accesspackageassignment-additionalaccess.md
+
+ Title: "accessPackageAssignment: additionalAccess"
+description: "Retrieve a list of accessPackageAssignment objects indicating potential separation of duties conflicts or access to incompatible access packages."
+ms.localizationpriority: medium
+++
+# accessPackageAssignment: additionalAccess
+Namespace: microsoft.graph
++
+In [Azure AD Entitlement Management](../resources/entitlementmanagement-overview.md), retrieve a collection of [accessPackageAssignment](../resources/accesspackageassignment.md) objects that indicate a target user has an assignment to a specified access package and also an assignment to another, potentially incompatible, access package. This can be used to prepare to configure the incompatible access packages for a specific access package.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|Not supported.|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/entitlementManagement/accessPackageAssignments/additionalAccess(accessPackageId='parameterValue',incompatibleAccessPackageId='parameterValue')
+```
+
+## Function parameters
+The following table shows the parameters that must be supplied with this function. The two access package IDs must be distinct.
+
+|Parameter|Type|Description|
+|:|:|:|
+| accessPackageId | String | Indicates the ID of an access package for which the caller would like to retrieve the assignments. Required. |
+| incompatibleAccessPackageId | String | The specific incompatible access package for which the caller would like to retrieve only those assignments where the user also has an assignment to this incompatible access package. Required. |
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [accessPackageAssignment](../resources/accesspackageassignment.md) objects in the response body.
+
+When a result set spans multiple pages, Microsoft Graph returns that page with an `@odata.nextLink` property in the response that contains a URL to the next page of results. If that property is present, continue making additional requests with the `@odata.nextLink` URL in each response, until all the results are returned. For more information, see [paging Microsoft Graph data in your app](/graph/paging).
+
+## Examples
+
+The following example gets the access package assignments for users who have assignments to both access packages.
+
+### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "accesspackageassignment_additionalaccess"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignments/additionalAccess(accessPackageId='2506aef1-3929-4d24-a61e-7c8b83d95e6f',incompatibleAccessPackageId='d5d99728-8c0b-4ede-83d2-cf9b0e8dabfb')?$expand=target
+```
+
+### Response
+> **Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.accessPackageAssignment)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.accessPackageAssignment",
+ "id": "a61f7889-ae61-4e97-a4dc-e4fa525f5b33",
+ "catalogId": "beedadfe-01d5-4025-910b-84abb9369997",
+ "accessPackageId": "2506aef1-3929-4d24-a61e-7c8b83d95e6f",
+ "assignmentPolicyId": "07c7c99d-6cf3-4527-bd05-5fc2ac8e96e7",
+ "targetId": "cdbdf152-82ce-479c-b5b8-df90f561d5c7",
+ "target": {
+ "id": "ebaf071e-c647-42c6-b86f-fbe3625b4b63",
+ "objectId": "cdbdf152-82ce-479c-b5b8-df90f561d5c7",
+ "displayName": "user1"
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.accessPackageAssignment",
+ "id": "a7284263-8233-44de-8095-0ee3ff5a1716",
+ "catalogId": "beedadfe-01d5-4025-910b-84abb9369997",
+ "accessPackageId": "2506aef1-3929-4d24-a61e-7c8b83d95e6f",
+ "assignmentPolicyId": "07c7c99d-6cf3-4527-bd05-5fc2ac8e96e7",
+ "targetId": "79a8f0b6-61dc-41db-b49e-470c278e05b6",
+ "target": {
+ "id": "9865b0f8-868f-42c6-a49b-3067eb4b2da1",
+ "objectId": "79a8f0b6-61dc-41db-b49e-470c278e05b6",
+ "displayName": "user2"
+ }
+ }
+ ]
+}
+
+```
+
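Review bot: the new beta page goes from `Namespace: microsoft.graph` straight into the description, with no `[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]` line in the visible hunk, although the file lives under `api-reference/beta` and the example request targets `/beta`. Add the include after the Namespace line, as application-list-extensionproperty.md does. Separately, Function parameters states that the two access package IDs must be distinct, but the Response section documents only `200 OK`; say what the caller gets back when both IDs are the same.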
v1.0 Application List Extensionproperty https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/application-list-extensionproperty.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Retrieve the list of [extensionProperty](../resources/extensionproperty.md) objects on an application.
+Retrieve the list of [extensionProperty](../resources/extensionproperty.md) objects on an [application](../resources/application.md).
## Permissions
v1.0 Externalconnectors Connectionoperation Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-connectionoperation-get.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+| Application | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All |
## HTTP request
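Review bot: the column header promises permissions from least to most privileged, yet both changed rows put `ExternalConnection.ReadWrite.OwnedBy` ahead of `ExternalConnection.Read.All` for what is a read-only GET. A reader following least-privilege guidance will take the first entry and consent to a write scope for a read; either move the read-only permission to the front or confirm that the current order is intentional and say why.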
v1.0 Externalconnectors External Post Connections https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-external-post-connections.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+| Application | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalconnection Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalconnection-delete.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+| Application | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
## HTTP request
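Review bot: the Delegated row now offers `ExternalConnection.ReadWrite.OwnedBy` for a delete operation without saying what "owned by" means once a signed-in user is involved. State whether ownership is judged per calling app, per user, or both in the delegated case, so an admin can tell which connections this scope allows to be deleted before consenting to it.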
v1.0 Externalconnectors Externalconnection Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalconnection-get.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+| Application | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalconnection List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalconnection-list.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+| Application | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalconnection Post Groups https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalconnection-post-groups.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
-| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalconnection Post Schema https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalconnection-post-schema.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+| Application | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalconnection Put Items https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalconnection-put-items.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | | Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
v1.0 Externalconnectors Externalconnection Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalconnection-update.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+| Application | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalgroup Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalgroup-delete.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
-| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalgroup Post Members https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalgroup-post-members.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
-| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalgroupmember Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalgroupmember-delete.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
-| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalitem Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalitem-delete.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | | Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
v1.0 Externalconnectors Externalitem Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalitem-get.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.Read.All, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.Read.All, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalitem Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-externalitem-update.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | | Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
v1.0 Externalconnectors Schema Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-schema-get.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+| Application | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Schema Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/externalconnectors-schema-update.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
+| Delegated (work or school account) | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+| Application | ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All |
## HTTP request
v1.0 Participant Invite https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/participant-invite.md
Content-Type: application/json
>**Note:** With a "completed" status, you can expect to receive notifications on how your original peer-to-peer call has been terminated and deleted.
-### Example 4: Invite one PSTN participant to an existing group call
+### Example 4: Invite one PSTN participant to an existing call
This call requires an application instance with a PSTN number assigned. For details, see [Assign a phone number to your bot](/graph/cloud-communications-phone-number#assign-a-phone-number-to-your-bot). > **Note:** Phone ID is the phone number in E.164 format.
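Review bot: renaming the Example 4 heading from "existing group call" to "existing call" changes the anchor generated for that heading, so any link that targets the old heading will stop resolving. Search the docs for references to the old anchor before merging and update them in the same change.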
v1.0 Serviceprincipal Post Serviceprincipals https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/serviceprincipal-post-serviceprincipals.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.ReadWrite.All |
+> [!IMPORTANT]
+> The following additional requirements must be met for an app to create a service principal:
+> + If the backing application is registered in the calling app's home tenant, the calling app must be the owner of the backing application.
+> + If the backing application is registered in another Azure AD tenant, the calling app must be assigned the `Cloud Application Administrator` or `Application Administrator` role.
+ ## HTTP request <!-- { "blockType": "ignored" } --> ```http
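Review bot: the added IMPORTANT note says what "an app" needs but not which rows of the permissions table it constrains. As written it is unclear whether the ownership and role requirements apply only to the Application permissions listed just above (`Application.ReadWrite.OwnedBy`, `Application.ReadWrite.All`, `Directory.ReadWrite.All`) or to delegated calls too, and whether holding one of those permissions is sufficient on its own in the cross-tenant case. Spell that out, since the second bullet effectively requires a directory role in addition to the listed permission.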
v1.0 Accesspackageassignment https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/accesspackageassignment.md
In [Azure AD Entitlement Management](entitlementmanagement-overview.md), an acce
| [List accessPackageAssignments](../api/entitlementmanagement-list-accesspackageassignments.md) | [accessPackageAssignment](accesspackageassignment.md) collection | Retrieve a list of **accessPackageAssignment** objects. | |[filterByCurrentUser](../api/accesspackageassignment-filterbycurrentuser.md)|[accessPackageAssignment](../resources/accesspackageassignment.md) collection|Retrieve the list of **accessPackageAssignment** objects filtered on the signed-in user.| | [reprocess](../api/accesspackageassignment-reprocess.md) | None | Automatically reevaluate and enforce a userΓÇÖs assignments for a specific access package.|
+| [additionalAccess](../api/accesspackageassignment-additionalaccess.md) [accessPackageAssignment](../resources/accesspackageassignment.md) collection|Retrieve the list of **accessPackageAssignment** objects for users who have assignments to incompatible access packages.|
> [!NOTE] > To create or remove an access package assignment for a user, use the [create an accessPackageAssignmentRequest](../api/entitlementmanagement-post-accesspackageassignmentrequests.md)
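Review bot: the added `additionalAccess` row is missing the `|` between its first two cells, so the method link and `[accessPackageAssignment](../resources/accesspackageassignment.md) collection` land in one cell and the row has two columns where the rows above it have three. Insert the separator after `[additionalAccess](../api/accesspackageassignment-additionalaccess.md)`.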
v1.0 Entitlementmanagement Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/entitlementmanagement-overview.md
The following table lists the methods that you can use to interact with entitlem
|[cancel](../api/accesspackageassignmentrequest-cancel.md)|[accessPackageAssignmentRequest](../resources/accesspackageassignmentrequest.md) collection|Cancel an **accessPackageAssignmentRequest** object that is in a cancellable state: `accepted`, `pendingApproval`, `pendingNotBefore`, `pendingApprovalEscalated`.| | [List accessPackageAssignments](../api/entitlementmanagement-list-accesspackageassignments.md) | [accessPackageAssignment](accesspackageassignment.md) collection | Retrieve a list of **accessPackageAssignment** objects. | |[FilterByCurrentUser](../api/accesspackageassignment-filterbycurrentuser.md)|[accessPackageAssignment](../resources/accesspackageassignment.md) collection|Retrieve the list of **accessPackageAssignment** objects filtered on the signed-in user.|
+| [reprocess](../api/accesspackageassignment-reprocess.md) | None | Automatically reevaluate and enforce a userΓÇÖs assignments for a specific access package.|
+| [additionalAccess](../api/accesspackageassignment-additionalaccess.md) [accessPackageAssignment](../resources/accesspackageassignment.md) collection|Retrieve the list of **accessPackageAssignment** objects for users who have assignments to incompatible access packages.|
| [List accessPackageAssignmentResourceRoles](../api/entitlementmanagement-list-accesspackageassignmentresourceroles.md) | [accessPackageAssignmentResourceRole](accesspackageassignmentresourcerole.md) collection | Retrieve a list of **accessPackageAssignmentResourceRole** objects. | | [Get accessPackageAssignmentResourceRole](../api/accesspackageassignmentresourcerole-get.md) | [accessPackageAssignmentResourceRole](accesspackageassignmentresourcerole.md) | Retrieve a **accessPackageAssignmentResourceRole** object. | | [List accessPackageCatalogs](../api/entitlementmanagement-list-accesspackagecatalogs.md) | [accessPackageCatalog](accesspackagecatalog.md) collection | Retrieve a list of **accessPackageCatalogs** objects. |
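Review bot: the `additionalAccess` row has no `|` between the method link and the return type, unlike the `reprocess` row added directly above it, so it will render with two cells instead of three and push the description into the return-type column. Add the missing separator so both new rows match the table's Method, Return type, Description layout.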
v1.0 Report https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/report.md
The following table shows the availability for each API across all cloud deploym
| [Microsoft 365 apps usage](/graph/api/resources/microsoft-365-apps-usage-report?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ₧û | Γ₧û | Γ₧û | | [Microsoft 365 browser usage](/graph/api/resources/microsoft-365-browser-usage-report?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ₧û | Γ₧û | Γ₧û | | [Microsoft 365 groups activity](/graph/api/resources/office-365-groups-activity-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ₧û | Γ£ö | Γ₧û |
-| [Microsoft Teams device usage](/graph/api/resources/microsoft-teams-device-usage-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ₧û | Γ₧û | Γ₧û |
-| [Microsoft Teams team usage](/graph/api/resources/microsoft-teams-team-usage-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ₧û | Γ₧û | Γ₧û |
-| [Microsoft Teams user activity](/graph/api/resources/microsoft-teams-user-activity-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ₧û | Γ₧û | Γ₧û |
+| [Microsoft Teams device usage](/graph/api/resources/microsoft-teams-device-usage-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ£ö | Γ₧û | Γ₧û |
+| [Microsoft Teams team usage](/graph/api/resources/microsoft-teams-team-usage-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ£ö | Γ₧û | Γ₧û |
+| [Microsoft Teams user activity](/graph/api/resources/microsoft-teams-user-activity-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ£ö | Γ₧û | Γ₧û |
| [Outlook activity](/graph/api/resources/email-activity-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ£ö | Γ£ö | Γ₧û | | [Outlook app usage](/graph/api/resources/email-app-usage-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ£ö | Γ£ö | Γ₧û | | [Outlook mailbox usage](/graph/api/resources/mailbox-usage-reports?view=graph-rest-beta&preserve-view=true) | Γ£ö | Γ£ö | Γ£ö | Γ₧û |
v1.0 Application List Extensionproperty https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/application-list-extensionproperty.md
doc_type: "apiPageType"
Namespace: microsoft.graph
-Retrieve the list of [extensionProperty](../resources/extensionproperty.md) objects on an application.
+Retrieve the list of [extensionProperty](../resources/extensionproperty.md) objects on an [application](../resources/application.md).
## Permissions
v1.0 Externalconnectors Connectionoperation Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-connectionoperation-get.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
+|Delegated (work or school account)|ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All|
|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalConnection.ReadWrite.OwnedBy |
+|Application| ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All|
## HTTP request
v1.0 Externalconnectors External Post Connections https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-external-post-connections.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
+|Delegated (work or school account)|ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All|
|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalConnection.ReadWrite.OwnedBy|
+|Application| ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All|
## HTTP request
v1.0 Externalconnectors Externalconnection Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalconnection-delete.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
+|Delegated (work or school account)|ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All|
|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalConnection.ReadWrite.OwnedBy|
+|Application| ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All|
## HTTP request
v1.0 Externalconnectors Externalconnection Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalconnection-get.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
+|Delegated (work or school account)|ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All|
|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalConnection.ReadWrite.OwnedBy|
+|Application| ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All|
## HTTP request
v1.0 Externalconnectors Externalconnection List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalconnection-list.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
+|Delegated (work or school account)|ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All|
|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalConnection.ReadWrite.OwnedBy|
+|Application| ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All|
## HTTP request
v1.0 Externalconnectors Externalconnection Post Groups https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalconnection-post-groups.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalconnection Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalconnection-update.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported. |
-| Delegated (personal Microsoft account) | Not supported. |
-| Application | ExternalConnection.ReadWrite.OwnedBy |
+|Delegated (work or school account)|ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not applicable|
+|Application| ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All|
## HTTP request
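Review bot: the personal Microsoft account row changes from "Not supported." to "Not applicable", a wording change unrelated to the permission update, and the whole table also loses its cell padding. Other v1.0 pages in this same update keep "Not supported" for that row (externalconnection-post-groups, for example), so pick one term and apply it across the set rather than switching it here in passing.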
v1.0 Externalconnectors Externalgroup Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalgroup-delete.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All|
-
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalgroup Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalgroup-get.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.Read.All, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All|
-
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.Read.All, ExternalItem.ReadWrite.All |
## HTTP request
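Review bot: Both added rows list `ExternalItem.ReadWrite.OwnedBy, ExternalItem.Read.All, ExternalItem.ReadWrite.All` under a column headed "from least to most privileged", which puts a read-write scope ahead of the read-only one. Please confirm that order is intended for a GET operation, or move ExternalItem.Read.All first so that a reader who takes the left-most entry ends up with a read-only grant. The externalitem-get and schema-get hunks use the same ordering and should follow whatever is decided here.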
v1.0 Externalconnectors Externalgroup Post Members https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalgroup-post-members.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalgroup Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalgroup-update.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalitem Create https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalitem-create.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
-|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalitem Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalitem-delete.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
-|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All|
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalitem Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalitem-get.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
-|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.Read.All, ExternalItem.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.Read.All, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Externalitem Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-externalitem-update.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
-|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All|
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Delegated (personal Microsoft account) | Not supported |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Identity Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-identity-delete.md
One of the following permissions is required to call this API. To learn more, in
| Permission type | Permissions (from least to most privileged) | |:|:--|
-| Delegated (work or school account) | Not supported |
+| Delegated (work or school account) | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported |
-| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
+| Application | ExternalItem.ReadWrite.OwnedBy, ExternalItem.ReadWrite.All |
## HTTP request
v1.0 Externalconnectors Schema Create https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-schema-create.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
+|Delegated (work or school account)|ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All|
|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalConnection.ReadWrite.OwnedBy|
+|Application| ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.ReadWrite.All|
## HTTP request
v1.0 Externalconnectors Schema Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/externalconnectors-schema-get.md
One of the following permissions is required to call this API. To learn more, in
|Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|Not applicable|
+|Delegated (work or school account)|ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All|
|Delegated (personal Microsoft account)|Not applicable|
-|Application| ExternalConnection.ReadWrite.OwnedBy|
+|Application| ExternalConnection.ReadWrite.OwnedBy, ExternalConnection.Read.All, ExternalConnection.ReadWrite.All|
## HTTP request
v1.0 Participant Invite https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/participant-invite.md
Content-Type: application/json
>**Note:** With a "completed" status, you can expect to receive notifications on how your original peer-to-peer call has been terminated and deleted.
-### Example 4: Invite one PSTN participant to an existing group call
+### Example 4: Invite one PSTN participant to an existing call
This call requires an application instance with a PSTN number assigned. For details, see [Assign a phone number to your bot](/graph/cloud-communications-phone-number#assign-a-phone-number-to-your-bot). > **Note:** Phone ID is the phone number in E.164 format.
v1.0 Policyroot List Rolemanagementpolicies https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/policyroot-list-rolemanagementpolicies.md
+
+ Title: "List roleManagementPolicies"
+description: "Get role management policies and their details."
+
+ms.localizationpriority: medium
++
+# List roleManagementPolicies
+Namespace: microsoft.graph
+
+Get role management policies and their details.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /policies/roleManagementPolicies?$filter=scopeId eq 'scopeId' and scopeType eq 'scopeType'
+```
+
+## Query parameters
+This method requires the `$filter` (`eq`) query parameter to scope the request to a **scopeId** and a **scopeType**. You can also use the `$select` and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) objects in the response body.
+
+## Examples
+
+### Example 1: Retrieve the role management policies that apply to Azure AD roles
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedrolemanagementpolicy"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleManagementPolicy)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicies",
+ "value": [
+ {
+ "id": "DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448",
+ "displayName": "DirectoryRole",
+ "description": "DirectoryRole",
+ "isOrganizationDefault": false,
+ "scopeId": "/",
+ "scopeType": "DirectoryRole",
+ "lastModifiedDateTime": null,
+ "lastModifiedBy": {
+ "displayName": null,
+ "id": null
+ }
+ },
+ {
+ "id": "DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_23b16f1a-1f8d-4891-93b1-21244cdf6115",
+ "displayName": "DirectoryRole",
+ "description": "DirectoryRole",
+ "isOrganizationDefault": false,
+ "scopeId": "/",
+ "scopeType": "DirectoryRole",
+ "lastModifiedDateTime": null,
+ "lastModifiedBy": {
+ "displayName": null,
+ "id": null
+ }
+ }
+ ]
+}
+```
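Review bot: The Query parameters section says `$filter` is required to scope the request to a scopeId and a scopeType, but the page never lists the accepted values for either property; the only hint is the example's `scopeId eq '/'` and `scopeType eq 'DirectoryRole'`. Add the allowed scopeType values and what scopeId means for each, and state what the method returns when the filter is omitted, so callers do not have to infer the contract from a single example.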
v1.0 Policyroot List Rolemanagementpolicyassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/policyroot-list-rolemanagementpolicyassignments.md
+
+ Title: "List roleManagementPolicyAssignments"
+description: "Get the details of all role management policy assignments."
+
+ms.localizationpriority: medium
++
+# List roleManagementPolicyAssignments
+Namespace: microsoft.graph
+
+Get the details of all role management policy assignments.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq 'scopeId' and scopeType eq 'scopeType'
+```
+
+## Optional query parameters
+This method requires the `$filter` (`eq`) query parameter to scope the request to a **scopeId** and a **scopeType**. You can also filter by the **roleDefinitionId** or use the `$select` and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) objects in the response body.
+
+## Examples
+
+### Example 1: Retrieve the role management policy assignments
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedrolemanagementpolicyassignment"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'Directory'
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleManagementPolicyAssignment)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicyAssignments",
+ "value": [
+ {
+ "id": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448_62e90394-69f5-4237-9190-012177145e10",
+ "policyId": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448",
+ "scopeId": "/",
+ "scopeType": "Directory",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"
+ },
+ {
+ "id": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_23b16f1a-1f8d-4891-93b1-21244cdf6115_2af84b1e-32c8-42b7-82bc-daa82404023b",
+ "policyId": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_23b16f1a-1f8d-4891-93b1-21244cdf6115",
+ "scopeId": "/",
+ "scopeType": "Directory",
+ "roleDefinitionId": "2af84b1e-32c8-42b7-82bc-daa82404023b"
+ }
+ ]
+}
+```
++
+### Example 2: Retrieve the role management policy assignments for an Azure AD role and expand the policy and its associated rules
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedrolemanagementpolicyassignment_expand_all_relationships"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'&$expand=policy($expand=rules)
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleManagementPolicy)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicyAssignments(policy(rules()))",
+ "value": [
+ {
+ "id": "DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448_62e90394-69f5-4237-9190-012177145e10",
+ "policyId": "DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448",
+ "scopeId": "/",
+ "scopeType": "DirectoryRole",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "policy": {
+ "id": "DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448",
+ "displayName": "DirectoryRole",
+ "description": "DirectoryRole",
+ "isOrganizationDefault": false,
+ "scopeId": "/",
+ "scopeType": "DirectoryRole",
+ "lastModifiedDateTime": null,
+ "lastModifiedBy": {
+ "displayName": null,
+ "id": null
+ },
+ "rules": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Eligibility",
+ "isExpirationRequired": false,
+ "maximumDuration": "P365D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Eligibility",
+ "enabledRules": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Assignment",
+ "isExpirationRequired": false,
+ "maximumDuration": "P180D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Assignment",
+ "enabledRules": [
+ "Justification"
+ ],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_EndUser_Assignment",
+ "isExpirationRequired": true,
+ "maximumDuration": "PT8H",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_EndUser_Assignment",
+ "enabledRules": [
+ "MultiFactorAuthentication",
+ "Justification"
+ ],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
+ "id": "Approval_EndUser_Assignment",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ },
+ "setting": {
+ "isApprovalRequired": false,
+ "isApprovalRequiredForExtension": false,
+ "isRequestorJustificationRequired": true,
+ "approvalMode": "SingleStage",
+ "approvalStages": [
+ {
+ "approvalStageTimeOutInDays": 1,
+ "isApproverJustificationRequired": true,
+ "escalationTimeInMinutes": 0,
+ "isEscalationEnabled": false,
+ "primaryApprovers": [],
+ "escalationApprovers": []
+ }
+ ]
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
+ "id": "AuthenticationContext_EndUser_Assignment",
+ "isEnabled": false,
+ "claimValue": null,
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
+```
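Review bot: The section is headed "## Optional query parameters" but its first sentence says the method requires `$filter`; the sibling List roleManagementPolicies page uses "## Query parameters" for the same text, and this page should match. Example 1 filters on `scopeType eq 'Directory'` and returns ids prefixed `Directory_`, while Example 2 and the sibling page use `'DirectoryRole'` with ids prefixed `DirectoryRole_`; if both values are valid the page should say so, otherwise Example 1 needs correcting. The Example 2 response metadata declares `"@odata.type": "Collection(microsoft.graph.unifiedRoleManagementPolicy)"` although the body is a collection of policy assignments, as Example 1's metadata correctly states.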
v1.0 Rbacapplication List Roleassignmentscheduleinstances https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-list-roleassignmentscheduleinstances.md
+
+ Title: "List roleAssignmentScheduleInstances"
+description: "Get the instances of active role assignments in your tenant."
+
+ms.localizationpriority: medium
++
+# List roleAssignmentScheduleInstances
+Namespace: microsoft.graph
+
+Get the instances of active role assignments in your tenant. The active assignments include those made through [assignments and activation requests](rbacapplication-post-roleassignmentschedulerequests.md), and directly through the [role assignments API](../resources/unifiedroleassignment.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentScheduleInstances
+```
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) objects in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleassignmentscheduleinstance"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleInstances
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentScheduleInstance)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleInstances",
+ "value": [
+ {
+ "id": "lAPpYvVpN0KRkAEhdxReEAWz5Gtet_xOv8wxvTtTpfg-1",
+ "principalId": "6be4b305-b75e-4efc-bfcc-31bd3b53a5f8",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": null,
+ "endDateTime": null,
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "roleAssignmentOriginId": "lAPpYvVpN0KRkAEhdxReEAWz5Gtet_xOv8wxvTtTpfg-1",
+ "roleAssignmentScheduleId": "lAPpYvVpN0KRkAEhdxReEAWz5Gtet_xOv8wxvTtTpfg-1"
+ },
+ {
+ "id": "lAPpYvVpN0KRkAEhdxReEBLS8lac5ONCgpgBiOW-8JQ-1",
+ "principalId": "56f2d212-e49c-42e3-8298-0188e5bef094",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": null,
+ "endDateTime": null,
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "roleAssignmentOriginId": "lAPpYvVpN0KRkAEhdxReEBLS8lac5ONCgpgBiOW-8JQ-1",
+ "roleAssignmentScheduleId": "lAPpYvVpN0KRkAEhdxReEBLS8lac5ONCgpgBiOW-8JQ-1"
+ }
+ ]
+}
+```
+
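Review bot: Under "## Examples" this page goes straight to "### Request" and "### Response" and fences the request as ` http`, whereas the other new pages in this batch use "### Example 1: ..." with "#### Request" / "#### Response" and a `msgraph-interactive` fence for the request. Align the heading levels and fence tag with the sibling pages. Since the Optional query parameters section advertises `$filter`, a second example that filters by principalId or roleDefinitionId would be more useful to someone auditing a specific role than the unfiltered tenant-wide listing alone.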
v1.0 Rbacapplication List Roleassignmentschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-list-roleassignmentschedulerequests.md
+
+ Title: "List roleAssignmentScheduleRequests"
+description: "In PIM, retrieve the requests for active role assignments to principals made through the unifiedRoleAssignmentScheduleRequest object."
+
+ms.localizationpriority: medium
++
+# List roleAssignmentScheduleRequests
+Namespace: microsoft.graph
+
+In PIM, retrieve the requests for active role assignments to principals. The active assignments include those made through [assignments and activation requests](rbacapplication-post-roleassignmentschedulerequests.md), and directly through the [role assignments API](../resources/unifiedroleassignment.md). The role assignments can be permanently active with or without an expiry date, or temporarily active after user activation of eligible assignments.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+| :- | : |
+| Delegated (work or school account) | RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+| Delegated (personal Microsoft account) | Not supported |
+| Application | RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentScheduleRequests
+```
+
+## Optional query parameters
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) objects in the response body.
+
+## Examples
+
+### Example 1: Retrieve role assignment requests
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleassignmentschedulerequest"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentScheduleRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleRequests",
+ "value": [
+ {
+ "id": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "status": "Provisioned",
+ "createdDateTime": "2022-04-11T11:50:05.95Z",
+ "completedDateTime": "2022-04-11T11:50:06Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "adminAssign",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "justification": "Assign Groups Admin to IT Helpdesk group",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T11:50:05.9999343Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+ }
+ ]
+}
+```
++
+### Example 2: Retrieve specified properties of role assignment requests and expand the relationships
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleassignmentschedulerequest_expand_relationships"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests?$select=principalId,action,roleDefinitionId&$expand=roleDefinition,activatedUsing,principal,targetSchedule
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentScheduleRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleRequests(principalId,action,roleDefinitionId,roleDefinition(),activatedUsing(),principal(),targetSchedule())",
+ "value": [
+ {
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "action": "adminAssign",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "roleDefinition": {
+ "id": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "description": "",
+ "displayName": "Groups Administrator",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "templateId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "version": null,
+ "resourceScopes": [],
+ "rolePermissions": []
+ },
+ "activatedUsing": null,
+ "principal": {
+ "@odata.type": "#microsoft.graph.user",
+ "id": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "displayName": "Conf Room Adams",
+ "userPrincipalName": "Adams@Contoso.com",
+ "mail": "Adams@Contoso.com",
+ "businessPhones": [],
+ "givenName": null,
+ "jobTitle": null,
+ "mobilePhone": null,
+ "officeLocation": null,
+ "preferredLanguage": null,
+ "surname": null
+ },
+ "targetSchedule": {
+ "id": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "createdDateTime": "2022-04-11T11:50:05.95Z",
+ "modifiedDateTime": "2022-04-11T11:50:05.95Z",
+ "status": "Provisioned",
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T11:50:05.9999343Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ }
+ }
+ }
+ ]
+}
+```
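Review bot: The Example 2 response expands `principal` to a `#microsoft.graph.user` named "Conf Room Adams", but the first response in this hunk records the same request (same `principalId` and `targetScheduleId`) with the justification "Assign Groups Admin to IT Helpdesk group". Align the sample data, either by changing the justification or by using a group principal, so readers are not misled about what kind of object received the Groups Administrator role. The expanded `roleDefinition` also shows an empty `description` and empty `rolePermissions` for a built-in role; if that is only truncation, drop those keys instead of showing them empty.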
v1.0 Rbacapplication List Roleassignmentschedules https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-list-roleassignmentschedules.md
+
+ Title: "List roleAssignmentSchedules"
+description: "Get the schedules for active role assignment operations."
+
+ms.localizationpriority: medium
++
+# List roleAssignmentSchedules
+Namespace: microsoft.graph
+
+Get the schedules for active role assignment operations.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentSchedules
+```
+
+## Optional query parameters
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) objects in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleassignmentschedule"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentSchedules
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentSchedule)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentSchedules",
+ "value": [
+ {
+ "id": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "createdDateTime": "2022-04-11T11:50:06.343Z",
+ "modifiedDateTime": null,
+ "status": "Provisioned",
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T11:50:06.343Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ }
+ },
+ {
+ "id": "lAPpYvVpN0KRkAEhdxReEAWz5Gtet_xOv8wxvTtTpfg-1",
+ "principalId": "6be4b305-b75e-4efc-bfcc-31bd3b53a5f8",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": null,
+ "createdDateTime": null,
+ "modifiedDateTime": null,
+ "status": "Provisioned",
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T17:11:50.8825697Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ }
+ }
+ ]
+}
+```
+
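Review bot: In the Permissions table, the delegated row stops at `RoleAssignmentSchedule.ReadWrite.Directory` and omits `RoleManagement.ReadWrite.Directory`, while the application row of the same table includes it. Please confirm whether the omission is intended and, if not, add it so the two rows agree. The second item in the sample response has `createdUsing` and `createdDateTime` set to null and an `id` in a different format from the first; a sentence explaining when a schedule has no originating request would help anyone using this list to audit standing assignments.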
v1.0 Rbacapplication List Roleeligibilityscheduleinstances https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-list-roleeligibilityscheduleinstances.md
+
+ Title: "List roleEligibilityScheduleInstances"
+description: "Get the instances of role eligibilities."
+
+ms.localizationpriority: medium
++
+# List roleEligibilityScheduleInstances
+Namespace: microsoft.graph
+
+Get the instances of role eligibilities.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilityScheduleInstances
+```
+
+## Optional query parameters
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) objects in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleeligibilityscheduleinstance"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleInstances
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleEligibilityScheduleInstance)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleInstances",
+ "value": [
+ {
+ "id": "8MYkhImhnkm70CbBdTyW1BbHHAdHgZdDpbqyEFlRzAs-1-e",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": "2022-04-12T14:44:50.287Z",
+ "endDateTime": "2024-04-10T00:00:00Z",
+ "memberType": "Direct",
+ "roleEligibilityScheduleId": "77f71919-62f3-4d0c-9f88-0a0391b665cd"
+ }
+ ]
+}
+```
+
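Review bot: The application row of the Permissions table lists `RoleManagement.Read.All` before `RoleManagement.Read.Directory`, the reverse of the delegated row, although the column header promises "from least to most privileged". Reorder the row so callers choosing the least-privileged application permission are not pointed at the broader one first. The request sample is also fenced as `http` where the roleAssignmentSchedules page uses `msgraph-interactive`; pick one convention for the list pages.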
v1.0 Rbacapplication List Roleeligibilityschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-list-roleeligibilityschedulerequests.md
+
+ Title: "List roleEligibilityScheduleRequests"
+description: "In PIM, retrieve the requests for role eligibilities for principals made through the unifiedRoleEligibilityScheduleRequest object."
+
+ms.localizationpriority: medium
++
+# List roleEligibilityScheduleRequests
+Namespace: microsoft.graph
+
+In PIM, retrieve the requests for role eligibilities for principals made through the unifiedRoleEligibilityScheduleRequest object.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilityScheduleRequests
+```
+
+## Optional query parameters
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) objects in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleeligibilityschedulerequest"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleEligibilityScheduleRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests",
+ "value": [
+ {
+ "id": "50877283-9d40-433c-bab8-7986dc10458a",
+ "status": "Provisioned",
+ "createdDateTime": "2022-04-12T09:05:41.807Z",
+ "completedDateTime": "2022-04-12T09:05:41.853Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "adminAssign",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "50877283-9d40-433c-bab8-7986dc10458a",
+ "justification": "Assign Attribute Assignment Admin eligibility to restricted user",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2022-04-12T09:05:41.8532931Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDateTime",
+ "endDateTime": "2024-04-10T00:00:00Z",
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+ },
+ {
+ "id": "f341269e-c926-41fa-a905-cef3b01b2a67",
+ "status": "Revoked",
+ "createdDateTime": "2022-04-12T09:12:18.187Z",
+ "completedDateTime": null,
+ "approvalId": null,
+ "customData": null,
+ "action": "adminRemove",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": null,
+ "justification": null,
+ "scheduleInfo": null,
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+ }
+ ]
+}
+```
+
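Review bot: The description and the opening sentence use "PIM" without expanding it or linking to an overview, so the page does not stand on its own for a reader who lands here from search. Spell it out on first use and link the overview topic. In the sample response, the second request has `"status": "Revoked"` with `"completedDateTime": null` and `"scheduleInfo": null`; add a short note on how to read a revoked `adminRemove` request, since these records are what reviewers will look at when tracing who removed an eligibility.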
v1.0 Rbacapplication List Roleeligibilityschedules https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-list-roleeligibilityschedules.md
+
+ Title: "List roleEligibilitySchedules"
+description: "Get the schedules for role eligibility operations."
+
+ms.localizationpriority: medium
++
+# List roleEligibilitySchedules
+Namespace: microsoft.graph
+++
+Get the unifiedRoleEligibilitySchedule resources from the roleEligibilitySchedules navigation property.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilitySchedules
+```
+
+## Optional query parameters
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) objects in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleeligibilityschedule"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleEligibilitySchedule)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilitySchedules",
+ "value": [
+ {
+ "id": "77f71919-62f3-4d0c-9f88-0a0391b665cd",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": "77f71919-62f3-4d0c-9f88-0a0391b665cd",
+ "createdDateTime": "2022-04-12T14:44:50.287Z",
+ "modifiedDateTime": "0001-01-01T08:00:00Z",
+ "status": "Provisioned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-12T14:44:50.287Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDateTime",
+ "endDateTime": "2024-04-10T00:00:00Z",
+ "duration": null
+ }
+ }
+ }
+ ]
+}
+```
+
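Review bot: The body sentence "Get the unifiedRoleEligibilitySchedule resources from the roleEligibilitySchedules navigation property." reads like generated placeholder text and does not match the front-matter description "Get the schedules for role eligibility operations."; use one human-written sentence in both places. The sample response also carries `"modifiedDateTime": "0001-01-01T08:00:00Z"`, which looks like a default value; show null or a realistic timestamp so consumers do not treat it as a real modification time.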
v1.0 Rbacapplication Post Roleassignmentschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-post-roleassignmentschedulerequests.md
+
+ Title: "Create unifiedRoleAssignmentScheduleRequest"
+description: "In PIM, request for an active and persistent role assignment through the unifiedRoleAssignmentScheduleRequest object. Use this API to activate eligible roles."
+
+ms.localizationpriority: medium
++
+# Create unifiedRoleAssignmentScheduleRequest
+Namespace: microsoft.graph
+
+In PIM, carry out the following operations through the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object:
++ Request active and persistent role assignments for a principal, with or without expiry dates.++ Activate, deactivate, extend, or renew an eligible role assignment for a principal.+
+To call this API to update, renew, and extend assignments for yourself, you must have multi-factor authentication (MFA) enforced, and running the query in a session in which they were challenged for MFA. See [Enable per-user Azure AD Multi-Factor Authentication to secure sign-in events](/azure/active-directory/authentication/howto-mfa-userstates).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleAssignmentSchedule.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+POST /roleManagement/directory/roleAssignmentScheduleRequests
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
+In the request body, supply a JSON representation of the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object.
+
+You can specify the following properties when creating an **unifiedRoleAssignmentScheduleRequest**.
+
+|Property|Type|Description|
+|:|:|:|
+|action|unifiedRoleScheduleRequestActions|Represents the type of the operation on the role assignment request. The possible values are: `adminAssign`, `adminUpdate`, `adminRemove`, `selfActivate`, `selfDeactivate`, `adminExtend`, `adminRenew`, `selfExtend`, `selfRenew`, `unknownFutureValue`. <br/><ul><li>`adminAssign`: For administrators to assign roles to users or groups.</li><li>`adminRemove`: For administrators to remove users or groups from roles.</li><li> `adminUpdate`: For administrators to change existing role assignments.</li><li>`adminExtend`: For administrators to extend expiring assignments.</li><li>`adminRenew`: For administrators to renew expired assignments.</li><li>`selfActivate`: For users to activate their assignments.</li><li>`selfDeactivate`: For users to deactivate their active assignments.</li><li>`selfExtend`: For users to request to extend their expiring assignments.</li><li>`selfRenew`: For users to request to renew their expired assignments.</li></ul>|
+|customData|String|Free text field to define any custom data for the request. Optional.|
+|principalId|String|Identifier of the principal that has been granted the assignment. Required.|
+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object that is being assigned. Required.|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Either **directoryScopeId** or **appScopeId** is required.|
+|appScopeId|String|Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Either **directoryScopeId** or **appScopeId** is required.|
+|justification|String|A message provided by users and administrators when create they create the **unifiedRoleAssignmentScheduleRequest** object. Optional.|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role assignment request. Recurring schedules are currently unsupported. Required.|
+|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|Ticket details linked to the role assignment request including details of the ticket number and ticket system. Optional.|
+++
+## Response
+
+If successful, this method returns a `201 Created` response code and an [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object in the response body.
+
+## Examples
+
+### Example 1: Admin assigning a directory role to a principal
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleassignmentschedulerequest_from_"
+}
+-->
+```msgraph-interactive
+POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
+Content-Type: application/json
+
+{
+ "action": "adminAssign",
+ "justification": "Assign Groups Admin to IT Helpdesk group",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-10T00:00:00Z",
+ "expiration": {
+ "type": "NoExpiration"
+ }
+ }
+}
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentScheduleRequest"
+}
+-->
+```http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleRequests/$entity",
+ "id": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "status": "Provisioned",
+ "createdDateTime": "2022-04-11T11:50:03.9014347Z",
+ "completedDateTime": "2022-04-11T11:50:05.9999343Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "adminAssign",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "justification": "Assign Groups Admin to IT Helpdesk group",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T11:50:05.9999343Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+}
+```
+
+### Example 2: User activating their eligible role
+
+#### Request
+
+In the following request, a user identified by **principalId** `071cc716-8147-4397-a5ba-b2105951cc0b` activates their own *eligible role* to an Azure AD role identified by ID `8424c6f0-a189-499e-bbd0-26c1753c96d4`. The scope of their role is all directory objects in the tenant and the assignment is for five hours. To run this request, the calling user must have multi-factor authentication (MFA) enforced, and running the query in a session in which they were challenged for MFA.
+
+To retrieve the details of their eligibility requests and identify the eligibility to activate, the user will call the [unifiedRoleEligibilitySchedule: filterByCurrentUser](unifiedroleeligibilityschedule-filterbycurrentuser.md) API.
+
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleassignmentschedulerequest_from_unifiedroleassignmentschedulerequests_selfActivate"
+}
+-->
+```msgraph-interactive
+POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests/
+Content-Type: application/json
+
+{
+ "action": "selfActivate",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "justification": "I need access to the Attribute Administrator role to manage attributes to be assigned to restricted AUs",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-14T00:00:00.000Z",
+ "expiration": {
+ "type": "AfterDuration",
+ "duration": "PT5H"
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": "CONTOSO:Normal-67890",
+ "ticketSystem": "MS Project"
+ }
+}
+```
+++
+#### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleRequests/$entity",
+ "id": "911bab8a-6912-4de2-9dc0-2648ede7dd6d",
+ "status": "Granted",
+ "createdDateTime": "2022-04-13T08:52:32.6485851Z",
+ "completedDateTime": "2022-04-14T00:00:00Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "selfActivate",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "911bab8a-6912-4de2-9dc0-2648ede7dd6d",
+ "justification": "I need access to the Attribute Administrator role to manage attributes to be assigned to restricted AUs",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "071cc716-8147-4397-a5ba-b2105951cc0b"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2022-04-14T00:00:00Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDuration",
+ "endDateTime": null,
+ "duration": "PT5H"
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": "CONTOSO:Normal-67890",
+ "ticketSystem": "MS Project"
+ }
+}
+```
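Review bot: The MFA requirement sentence near the top ("you must have multi-factor authentication (MFA) enforced, and running the query in a session in which they were challenged for MFA") switches from "you" to "they" and does not parse, and the same wording is repeated in Example 2; since this is the security precondition for self-service activation, rewrite it as one clear statement of what the caller needs. The property table omits `isValidationOnly` even though both sample responses return it. The request samples send `"type": "NoExpiration"` and `"type": "AfterDuration"` while the responses return `noExpiration` and `afterDuration`; use the casing the API returns. The justification row also has a typo ("when create they create").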
v1.0 Rbacapplication Post Roleeligibilityschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-post-roleeligibilityschedulerequests.md
+
+ Title: "Create unifiedRoleEligibilityScheduleRequest"
+description: "In PIM, request for a role eligibility for a principal through the unifiedRoleEligibilityScheduleRequest object."
+
+ms.localizationpriority: medium
++
+# Create unifiedRoleEligibilityScheduleRequest
+Namespace: microsoft.graph
+
+In PIM, request for a role eligibility for a principal through the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object. This operation allows both admins and eligible users to add, revoke, or extend eligible assignments.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleAssignmentSchedule.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+POST /roleManagement/directory/roleEligibilityScheduleRequests
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
+In the request body, supply a JSON representation of the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object.
+
+You can specify the following properties when creating an **unifiedRoleEligibilityScheduleRequest**.
+
+|Property|Type|Description|
+|:|:|:|
+|action|unifiedRoleScheduleRequestActions|Represents the type of operation on the role eligibility request.The possible values are: `adminAssign`, `adminUpdate`, `adminRemove`, `selfActivate`, `selfDeactivate`, `adminExtend`, `adminRenew`, `selfExtend`, `selfRenew`, `unknownFutureValue`. <br/><ul><li>`adminAssign`: For administrators to assign eligible roles to principals.</li><li>`adminRemove`: For administrators to remove eligible roles from principals.</li><li> `adminUpdate`: For administrators to change existing role eligibilities.</li><li>`adminExtend`: For administrators to extend expiring role eligibilities.</li><li>`adminRenew`: For administrators to renew expired eligibilities.</li><li>`selfActivate`: For users to activate their assignments.</li><li>`selfDeactivate`: For users to deactivate their active assignments.</li><li>`selfExtend`: For users to request to extend their expiring assignments.</li><li>`SelfRenew`: For users to request to renew their expired assignments.</li></ul>|
+|appScopeId|String|Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Either **directoryScopeId** or **appScopeId** is required.|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the role eligibility. The scope of an role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Either **directoryScopeId** or **appScopeId** is required.|
+|isValidationOnly|Boolean|Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request. Optional.|
+|justification|String|A message provided by users and administrators when create they create the **unifiedRoleEligibilityScheduleRequest** object. Optional when **action** is `adminRemove`.|
+|principalId|String|Identifier of the principal that has been granted the role eligibility. Required.|
+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object that is being assigned to the principal. Required.|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role eligibility. Recurring schedules are currently unsupported. Optional when **action** is `adminRemove`.|
+|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|Ticket details linked to the role eligibility request including details of the ticket number and ticket system. Optional|
++
+## Response
+
+If successful, this method returns a `201 Created` response code and an [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object in the response body.
+
+## Examples
+
+### Example 1: Admin to assign a role eligibility schedule request
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleeligibilityschedulerequest_from_"
+}
+-->
+``` http
+POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests
+Content-Type: application/json
+
+{
+ "action": "adminAssign",
+ "justification": "Assign Attribute Assignment Admin eligibility to restricted user",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-10T00:00:00Z",
+ "expiration": {
+ "type": "afterDateTime",
+ "endDateTime": "2024-04-10T00:00:00Z"
+ }
+ }
+}
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilityScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
+ "id": "50877283-9d40-433c-bab8-7986dc10458a",
+ "status": "Provisioned",
+ "createdDateTime": "2022-04-12T09:05:39.7594064Z",
+ "completedDateTime": "2022-04-12T09:05:41.8532931Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "adminAssign",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "50877283-9d40-433c-bab8-7986dc10458a",
+ "justification": "Assign Attribute Assignment Admin eligibility to restricted user",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2022-04-12T09:05:41.8532931Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDateTime",
+ "endDateTime": "2024-04-10T00:00:00Z",
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+}
+```
+
+### Example 2: Admin to remove an existing role eligibility schedule request
+
+In the following request, the admin creates a request to revoke the eligibility of a principal with ID `071cc716-8147-4397-a5ba-b2105951cc0b` to a role with ID `8424c6f0-a189-499e-bbd0-26c1753c96d4`.
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleeligibilityschedulerequest_from_unifiedroleeligibilityschedulerequests_adminRemove"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests
+Content-Type: application/json
+
+{
+ "action": "adminRemove",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b"
+}
+```
++
+#### Response
+
+The following is an example of the response. The response object shows a previous role eligibility for a principal is `Revoked`. The principal will no longer see their previously eligible role.
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilityScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
+ "id": "f341269e-c926-41fa-a905-cef3b01b2a67",
+ "status": "Revoked",
+ "createdDateTime": "2022-04-12T09:12:15.6859992Z",
+ "completedDateTime": null,
+ "approvalId": null,
+ "customData": null,
+ "action": "adminRemove",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": null,
+ "justification": null,
+ "scheduleInfo": null,
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+}
+```
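Review bot: The Example 2 request posts to `https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests`, while the Example 1 request and both responses' `@odata.context` use `v1.0`; change the Example 2 URL to `/v1.0/` so the sample matches the endpoint this article documents. In the same hunk, the Example 1 request block name `create_unifiedroleeligibilityschedulerequest_from_` looks cut off next to the full Example 2 name, Example 1 puts `### Response` under a `#### Request` heading, and the property table has "when create they create" (justification), "an role eligibility" (directoryScopeId) and a missing period after "Optional" (ticketInfo).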
v1.0 Serviceprincipal Post Serviceprincipals https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/serviceprincipal-post-serviceprincipals.md
One of the following permissions is required to call this API. To learn more, in
|Delegated (personal Microsoft account) | Not supported. | |Application | Application.ReadWrite.OwnedBy, Application.ReadWrite.All |
+> [!IMPORTANT]
+> The following additional requirements must be met for an app to create a service principal:
+> + If the backing application is registered in the calling app's home tenant, the calling app must be the owner of the backing application.
+> + If the backing application is registered in another Azure AD tenant, the calling app must be assigned the `Cloud Application Administrator` or `Application Administrator` role.
+ ## HTTP request <!-- { "blockType": "ignored" } --> ```http
POST /servicePrincipals
| Content-Type | application/json. Required. | ## Request body
-In the request body, supply a JSON representation of a [servicePrincipal](../resources/serviceprincipal.md) object. The request body must contain **appId**.
+In the request body, supply a JSON representation of a [servicePrincipal](../resources/serviceprincipal.md) object. The request body must contain **appId**.
## Response
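Review bot: The new IMPORTANT note does not say which of the two application permissions listed directly above it (`Application.ReadWrite.OwnedBy`, `Application.ReadWrite.All`) each requirement applies to. The ownership condition in the first bullet reads like the `OwnedBy` case; state explicitly whether an app holding `Application.ReadWrite.All` must also be an owner of the backing application, so that readers can pick the least-privileged permission without guessing. The `-`/`+` pair on the "In the request body, supply a JSON representation" sentence shows no visible text change; if it is whitespace only, consider leaving it out of this change.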
v1.0 Unifiedroleassignmentschedule Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleassignmentschedule-filterbycurrentuser.md
+
+ Title: "unifiedRoleAssignmentSchedule: filterByCurrentUser"
+description: "Retrieve the schedules for active role assignment operations for which the signed-in user is the principal."
+
+ms.localizationpriority: medium
++
+# unifiedRoleAssignmentSchedule: filterByCurrentUser
+Namespace: microsoft.graph
+
+Retrieve the schedules for active role assignment operations for which the signed-in user is the principal.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='parameterValue')
+```
+
+## Function parameters
+In the request URL, provide the following query parameters with values.
+The following table shows the parameters that can be used with this function.
+
+|Parameter|Type|Description|
+|:|:|:|
+|on|roleAssignmentScheduleFilterByCurrentUserOptions| The possible values are `principal`, `unknownFutureValue`.|
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
++
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this function returns a `200 OK` response code and a [unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) collection in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "unifiedroleassignmentschedulethis.filterbycurrentuser"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='principal')
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentSchedule)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(unifiedRoleAssignmentSchedule)",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignmentSchedule",
+ "id": "lAPpYvVpN0KRkAEhdxReEJ2SvT9WjGJEhR4OuaezoqU-1",
+ "principalId": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": null,
+ "createdDateTime": null,
+ "modifiedDateTime": null,
+ "status": "Provisioned",
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T19:31:50.5613964Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ }
+ }
+ ]
+}
+```
+
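Review bot: In the Permissions table, the Delegated row ends at `RoleAssignmentSchedule.ReadWrite.Directory` and omits `RoleManagement.ReadWrite.Directory`, although the Application row lists it and the Delegated rows of the unifiedRoleAssignmentScheduleInstance articles in this same change include it; confirm the omission is intended or add the permission. Under "Function parameters", the sentence "In the request URL, provide the following query parameters with values" describes `on`, which the request line shows as a function parameter inside `filterByCurrentUser(...)`, not as a query parameter; reword it so it is not confused with the `$select`/`$filter`/`$expand` section that follows.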
v1.0 Unifiedroleassignmentschedule Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleassignmentschedule-get.md
+
+ Title: "Get unifiedRoleAssignmentSchedule"
+description: "Retrieve the schedule for an active role assignment operation."
+
+ms.localizationpriority: medium
++
+# Get unifiedRoleAssignmentSchedule
+Namespace: microsoft.graph
+
+Retrieve the schedule for an active role assignment operation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentSchedules/{unifiedRoleAssignmentScheduleId}
+```
+
+## Optional query parameters
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedroleassignmentschedule"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentSchedules/95c690fb-3eb3-4942-a03f-4524aed6f31e
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentSchedule"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentSchedules/$entity",
+ "id": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "createdDateTime": "2022-04-11T11:50:06.343Z",
+ "modifiedDateTime": null,
+ "status": "Provisioned",
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T11:50:06.343Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ }
+}
+```
+
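Review bot: The Permissions table is headed "from least to most privileged", but the Delegated row lists `RoleManagement.Read.Directory` before `RoleManagement.Read.All` while the Application row lists `RoleManagement.Read.All` before `RoleManagement.Read.Directory`. Pick one ordering for both rows, since readers use this column to choose the least-privileged permission. Minor: "an [unifiedRoleAssignmentSchedule]" in the Response section should read "a".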
v1.0 Unifiedroleassignmentscheduleinstance Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleassignmentscheduleinstance-filterbycurrentuser.md
+
+ Title: "unifiedRoleAssignmentScheduleInstance: filterByCurrentUser"
+description: "Get the instances of active role assignments for the calling principal."
+
+ms.localizationpriority: medium
++
+# unifiedRoleAssignmentScheduleInstance: filterByCurrentUser
+Namespace: microsoft.graph
+
+Get the instances of active role assignments for the calling principal.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on=parameterValue)
+```
+
+## Function parameters
+In the request URL, provide the following query parameters with values.
+The following table shows the parameters that can be used with this function.
+
+|Parameter|Type|Description|
+|:|:|:|
+|on|roleAssignmentScheduleInstanceFilterByCurrentUserOptions|The possible values are `principal`, `unknownFutureValue`.|
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this function returns a `200 OK` response code and a [unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) collection in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "unifiedroleassignmentscheduleinstancethis.filterbycurrentuser"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on='principal')
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentScheduleInstance)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(unifiedRoleAssignmentScheduleInstance)",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignmentScheduleInstance",
+ "id": "lAPpYvVpN0KRkAEhdxReEJ2SvT9WjGJEhR4OuaezoqU-1",
+ "principalId": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": null,
+ "endDateTime": null,
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "roleAssignmentOriginId": "lAPpYvVpN0KRkAEhdxReEJ2SvT9WjGJEhR4OuaezoqU-1",
+ "roleAssignmentScheduleId": "lAPpYvVpN0KRkAEhdxReEJ2SvT9WjGJEhR4OuaezoqU-1"
+ }
+ ]
+}
+```
+
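Review bot: The HTTP request line uses `filterByCurrentUser(on=parameterValue)` without quotes, while the example request in this same hunk uses `on='principal'` and the sibling filterByCurrentUser articles in this change use `on='parameterValue'`. Quote the placeholder so a copied request line has the same shape as the working example.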
v1.0 Unifiedroleassignmentscheduleinstance Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleassignmentscheduleinstance-get.md
+
+ Title: "Get unifiedRoleAssignmentScheduleInstance"
+description: "Get the instance of an active role assignment."
+
+ms.localizationpriority: medium
++
+# Get unifiedRoleAssignmentScheduleInstance
+Namespace: microsoft.graph
+
+Get the instance of an active role assignment.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentScheduleInstances/{unifiedRoleAssignmentScheduleInstanceId}
+```
+
+## Optional query parameters
+
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedroleassignmentscheduleinstance"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleInstances/lAPpYvVpN0KRkAEhdxReEJ2SvT9WjGJEhR4OuaezoqU-1
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentScheduleInstance"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleInstances/$entity",
+ "id": "lAPpYvVpN0KRkAEhdxReEJ2SvT9WjGJEhR4OuaezoqU-1",
+ "principalId": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": null,
+ "endDateTime": null,
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "roleAssignmentOriginId": "lAPpYvVpN0KRkAEhdxReEJ2SvT9WjGJEhR4OuaezoqU-1",
+ "roleAssignmentScheduleId": "lAPpYvVpN0KRkAEhdxReEJ2SvT9WjGJEhR4OuaezoqU-1"
+}
+```
+
v1.0 Unifiedroleassignmentschedulerequest Cancel https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleassignmentschedulerequest-cancel.md
+
+ Title: "unifiedRoleAssignmentScheduleRequest: cancel"
+description: "Immediately cancel a unifiedRoleAssignmentScheduleRequest object whose status is Granted."
+
+ms.localizationpriority: medium
++
+# unifiedRoleAssignmentScheduleRequest: cancel
+Namespace: microsoft.graph
+
+Immediately cancel a [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object that is in a `Granted` status, and have the system automatically delete the canceled request after 30 days. After calling this action, the **status** of the canceled **unifiedRoleAssignmentScheduleRequest** changes to `Canceled`.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+POST /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestId}/cancel
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this action returns a `204 No Content` response code. Attempting to cancel a request that is not in a cancelable state, for example, a **unifiedRoleAssignmentScheduleRequest** object whose **status** is `Provisioned` or `Failed`, returns a `400 Bad Request` error code.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "unifiedroleassignmentschedulerequestthis.cancel"
+}
+-->
+```msgraph-interactive
+POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests/95c690fb-3eb3-4942-a03f-4524aed6f31e/cancel
+```
++
+### Response
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+```
+
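Review bot: The example cancels request `95c690fb-3eb3-4942-a03f-4524aed6f31e` and shows `204 No Content`, but the Get and filterByCurrentUser examples added in this same change show that request with `"status": "Provisioned"`, which the Response section here says returns `400 Bad Request`. Use an ID that is not shown elsewhere as `Provisioned`, or add a sentence stating that the sample request is in the `Granted` state. The response metadata also sets `"truncated": true` for a response that has no body.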
v1.0 Unifiedroleassignmentschedulerequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleassignmentschedulerequest-filterbycurrentuser.md
+
+ Title: "unifiedRoleAssignmentScheduleRequest: filterByCurrentUser"
+description: "In PIM, retrieve the requests for active role assignments for a particular principal. The principal can be the creator or approver of the unifiedRoleAssignmentScheduleRequest object, or they can be the target of the assignment."
+
+ms.localizationpriority: medium
++
+# unifiedRoleAssignmentScheduleRequest: filterByCurrentUser
+Namespace: microsoft.graph
+
+In PIM, retrieve the requests for active role assignments for a particular principal. The principal can be the creator or approver of the **unifiedRoleAssignmentScheduleRequest** object, or they can be the target of the assignment.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='parameterValue')
+```
+
+## Function parameters
+In the request URL, provide the following query parameters with values.
+The following table shows the parameters that are required with this function.
+
+|Parameter|Type|Description|
+|:|:|:|
+|on|roleAssignmentScheduleRequestFilterByCurrentUserOptions| The possible values are `principal`, `createdBy`, `approver`, `unknownFutureValue`. Only `principal` and `approver` are currently supported.|
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
++
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this function returns a `200 OK` response code and a [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) collection in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "unifiedroleassignmentschedulerequestthis.filterbycurrentuser"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='principal')
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentScheduleRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleRequests",
+ "value": [
+ {
+ "id": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "status": "Provisioned",
+ "createdDateTime": "2022-04-11T11:50:05.95Z",
+ "completedDateTime": "2022-04-11T11:50:06Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "adminAssign",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "justification": "Assign Groups Admin to IT Helpdesk group",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T11:50:05.9999343Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+ }
+ ]
+}
+```
+
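Review bot: The introduction says the principal "can be the creator or approver" of the request or the target of the assignment, but the `on` parameter row says only `principal` and `approver` are currently supported, so filtering by creator (`createdBy`) is listed yet not usable. Either qualify the introduction and description or state in the parameter row what a caller gets back when passing `createdBy`. The table is also introduced as listing parameters "that are required" right after a sentence calling them "query parameters"; `on` is a function parameter in the request line.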
v1.0 Unifiedroleassignmentschedulerequest Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleassignmentschedulerequest-get.md
+
+ Title: "Get unifiedRoleAssignmentScheduleRequest"
+description: "In PIM, read the details of a request for an active and persistent role assignment made through the unifiedRoleAssignmentScheduleRequest object."
+
+ms.localizationpriority: medium
++
+# Get unifiedRoleAssignmentScheduleRequest
+Namespace: microsoft.graph
+
+In PIM, read the details of a request for an active and persistent role assignment made through the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestId}
+```
+
+## Optional query parameters
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedroleassignmentschedulerequest"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests/95c690fb-3eb3-4942-a03f-4524aed6f31e
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleRequests/$entity",
+ "id": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "status": "Provisioned",
+ "createdDateTime": "2022-04-11T11:50:05.95Z",
+ "completedDateTime": "2022-04-11T11:50:06Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "adminAssign",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "justification": "Assign Groups Admin to IT Helpdesk group",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T11:50:05.9999343Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+}
+```
+
+### Example 2: Retrieve specified properties of a role assignment request and expand the relationships
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedroleassignmentschedulerequest_expand_relationships"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests/95c690fb-3eb3-4942-a03f-4524aed6f31e?$select=principalId,action,roleDefinitionId&$expand=roleDefinition,activatedUsing,principal,targetSchedule
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleRequests(principalId,action,roleDefinitionId,roleDefinition(),activatedUsing(),principal(),targetSchedule())/$entity",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "action": "adminAssign",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "roleDefinition": {
+ "id": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "description": "",
+ "displayName": "Groups Administrator",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "templateId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "version": null,
+ "resourceScopes": [],
+ "rolePermissions": []
+ },
+ "activatedUsing": null,
+ "principal": {
+ "@odata.type": "#microsoft.graph.user",
+ "id": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "displayName": "Conf Room Adams",
+ "userPrincipalName": "Adams@Contoso.com",
+ "mail": "Adams@Contoso.com",
+ "businessPhones": [],
+ "givenName": null,
+ "jobTitle": null,
+ "mobilePhone": null,
+ "officeLocation": null,
+ "preferredLanguage": null,
+ "surname": null
+ },
+ "targetSchedule": {
+ "id": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": "95c690fb-3eb3-4942-a03f-4524aed6f31e",
+ "createdDateTime": "2022-04-11T11:50:05.95Z",
+ "modifiedDateTime": "2022-04-11T11:50:05.95Z",
+ "status": "Provisioned",
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-11T11:50:05.9999343Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ }
+ }
+}
+```
v1.0 Unifiedroleeligibilityschedule Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleeligibilityschedule-filterbycurrentuser.md
+
+ Title: "unifiedRoleEligibilitySchedule: filterByCurrentUser"
+description: "Retrieve the schedules for role eligibilities for which the signed-in user is the principal."
+
+ms.localizationpriority: medium
++
+# unifiedRoleEligibilitySchedule: filterByCurrentUser
+Namespace: microsoft.graph
+
+Retrieve the schedules for role eligibilities for which the signed-in user is the principal.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='parameterValue')
+```
+
+## Function parameters
+In the request URL, provide the following query parameters with values.
+The following table shows the parameters that can be used with this function.
+
+|Parameter|Type|Description|
+|:|:|:|
+|on|roleAssignmentScheduleFilterByCurrentUserOptions| The possible values are `principal`, `unknownFutureValue`.|
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
++
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this function returns a `200 OK` response code and a [unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) collection in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "unifiedroleeligibilityschedulethis.filterbycurrentuser"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleEligibilitySchedule)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(unifiedRoleEligibilitySchedule)",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleEligibilitySchedule",
+ "id": "77f71919-62f3-4d0c-9f88-0a0391b665cd",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": "77f71919-62f3-4d0c-9f88-0a0391b665cd",
+ "createdDateTime": "2022-04-12T14:44:50.287Z",
+ "modifiedDateTime": "0001-01-01T08:00:00Z",
+ "status": "Provisioned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2022-04-12T14:44:50.287Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDateTime",
+ "endDateTime": "2024-04-10T00:00:00Z",
+ "duration": null
+ }
+ }
+ }
+ ]
+}
+```
+
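Review bot: In the Function parameters table, the type of `on` is given as `roleAssignmentScheduleFilterByCurrentUserOptions`, an assignment-schedule enum name on a page that documents unifiedRoleEligibilitySchedule. This looks like a carry-over from the role assignment page; confirm the enum name against the API metadata and correct it. The sentence above the table also calls `on` a query parameter, but the request line passes it as a function parameter inside the path, `filterByCurrentUser(on='parameterValue')`, so the line "In the request URL, provide the following query parameters with values." should be reworded or dropped.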
v1.0 Unifiedroleeligibilityschedule Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleeligibilityschedule-get.md
+
+ Title: "Get unifiedRoleEligibilitySchedule"
+description: "Retrieve the schedule for a role eligibility operation."
+
+ms.localizationpriority: medium
++
+# Get unifiedRoleEligibilitySchedule
+Namespace: microsoft.graph
+
+Retrieve the schedule for a role eligibility operation.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilitySchedules/{unifiedRoleEligibilityScheduleId}
+```
+
+## Optional query parameters
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedroleeligibilityschedule"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules/1f06eafc-7532-429b-abf1-ab5a5f4a7052
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilitySchedule"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilitySchedules/$entity",
+ "id": "1f06eafc-7532-429b-abf1-ab5a5f4a7052",
+ "principalId": "b2af90c6-279b-41f7-8e79-2f55d07af928",
+ "roleDefinitionId": "75934031-6c7e-415a-99d7-48dbd49e875e",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": "1f06eafc-7532-429b-abf1-ab5a5f4a7052",
+ "createdDateTime": "2022-02-18T20:41:37.163Z",
+ "modifiedDateTime": null,
+ "status": "Provisioned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2022-02-18T20:41:37.163Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ }
+}
+```
+
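Review bot: The Permissions table is headed "from least to most privileged", but its rows disagree on the order: the Delegated row lists RoleManagement.Read.Directory before RoleManagement.Read.All, while the Application row lists RoleManagement.Read.All before RoleManagement.Read.Directory. Readers pick the least-privileged permission from this order, so make the two rows consistent. Minor: in the Response section, "an [unifiedRoleEligibilitySchedule]" should read "a [unifiedRoleEligibilitySchedule]".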
v1.0 Unifiedroleeligibilityscheduleinstance Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleeligibilityscheduleinstance-filterbycurrentuser.md
+
+ Title: "unifiedRoleEligibilityScheduleInstance: filterByCurrentUser"
+description: "Get the instances of eligible roles for the calling principal."
+
+ms.localizationpriority: medium
++
+# unifiedRoleEligibilityScheduleInstance: filterByCurrentUser
+Namespace: microsoft.graph
+
+Get the instances of eligible roles for the calling principal.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='parameterValue')
+```
+
+## Function parameters
+In the request URL, provide the following query parameters with values.
+The following table shows the parameters that can be used with this function.
+
+|Parameter|Type|Description|
+|:|:|:|
+|on|roleEligibilityScheduleInstanceFilterByCurrentUserOptions|The possible values are `principal`, `unknownFutureValue`.|
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this function returns a `200 OK` response code and a [unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) collection in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "unifiedroleeligibilityscheduleinstancethis.filterbycurrentuser"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='principal')
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleEligibilityScheduleInstance)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(unifiedRoleEligibilityScheduleInstance)",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleEligibilityScheduleInstance",
+ "id": "8MYkhImhnkm70CbBdTyW1BbHHAdHgZdDpbqyEFlRzAs-1-e",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": "2022-04-12T14:44:50.287Z",
+ "endDateTime": "2024-04-10T00:00:00Z",
+ "memberType": "Direct",
+ "roleEligibilityScheduleId": "77f71919-62f3-4d0c-9f88-0a0391b665cd"
+ }
+ ]
+}
+```
+
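Review bot: The description of `on` in the Function parameters table lists `unknownFutureValue` next to `principal` as a possible value without saying that it is an enum sentinel, so a reader could take it for a usable filter. Suggest stating which value callers are expected to pass, as the unifiedRoleEligibilityScheduleRequest page does with "Only `principal` and `approver` are currently supported."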
v1.0 Unifiedroleeligibilityscheduleinstance Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleeligibilityscheduleinstance-get.md
+
+ Title: "Get unifiedRoleEligibilityScheduleInstance"
+description: "Get the instance of a role eligibility."
+
+ms.localizationpriority: medium
++
+# Get unifiedRoleEligibilityScheduleInstance
+Namespace: microsoft.graph
+
+Get the instance of a role eligibility.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilityScheduleInstances/{unifiedRoleEligibilityScheduleInstanceId}
+```
+
+## Optional query parameters
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedroleeligibilityscheduleinstance"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleInstances/8MYkhImhnkm70CbBdTyW1BbHHAdHgZdDpbqyEFlRzAs-1-e
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilityScheduleInstance"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleInstances/$entity",
+ "id": "8MYkhImhnkm70CbBdTyW1BbHHAdHgZdDpbqyEFlRzAs-1-e",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": "2022-04-12T14:44:50.287Z",
+ "endDateTime": "2024-04-10T00:00:00Z",
+ "memberType": "Direct",
+ "roleEligibilityScheduleId": "77f71919-62f3-4d0c-9f88-0a0391b665cd"
+}
+```
+
v1.0 Unifiedroleeligibilityschedulerequest Cancel https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleeligibilityschedulerequest-cancel.md
+
+ Title: "unifiedRoleEligibilityScheduleRequest: cancel"
+description: "Immediately cancel a unifiedRoleEligibilityScheduleRequest object whose status is Granted."
+
+ms.localizationpriority: medium
++
+# unifiedRoleEligibilityScheduleRequest: cancel
+Namespace: microsoft.graph
+
+Immediately cancel a unifiedRoleEligibilityScheduleRequest object whose status is `Granted` and have the system automatically delete the cancelled request after 30 days. After calling this action, the **status** of the cancelled **unifiedRoleEligibilityScheduleRequest** changes to `Revoked`.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+POST /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestId}/cancel
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this action returns a `204 No Content` response code. Attempting to cancel a request that is not in a cancelable state, for example, a unifiedRoleEligibilityScheduleRequest object whose **status** is `Provisioned` or `Failed`, returns a `400 Bad Request` error code.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "unifiedroleeligibilityschedulerequestthis.cancel"
+}
+-->
+``` http
+POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests/532bef1f-c677-4564-aa6f-811444a4f018/cancel
+```
++
+### Response
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+```
+
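Review bot: The set of cancelable states is only partly specified. The introduction says the action applies to a request whose status is `Granted`, and the Response section gives `Provisioned` and `Failed` as examples that return `400 Bad Request`, but nothing says whether `Granted` is the only cancelable status. Suggest listing the cancelable statuses explicitly in one place. Also, the response metadata block sets "truncated": true for a `204 No Content` response that has no body to truncate, and the Request body section says "method" where the rest of the page says "action".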
v1.0 Unifiedroleeligibilityschedulerequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleeligibilityschedulerequest-filterbycurrentuser.md
+
+ Title: "unifiedRoleEligibilityScheduleRequest: filterByCurrentUser"
+description: "In PIM, retrieve the requests for role eligibilities for a particular principal. The principal can be the creator or approver of the unifiedRoleEligibilityScheduleRequest object, or they can be the target of the role eligibility."
+
+ms.localizationpriority: medium
++
+# unifiedRoleEligibilityScheduleRequest: filterByCurrentUser
+Namespace: microsoft.graph
+
+In PIM, retrieve the requests for role eligibilities for a particular principal. The principal can be the creator or approver of the **unifiedRoleEligibilityScheduleRequest** object, or they can be the target of the role eligibility.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilityScheduleRequests/filterByCurrentUser(on='parameterValue')
+```
+
+## Function parameters
+In the request URL, provide the following query parameters with values.
+The following table shows the parameters that can be used with this function.
+
+|Parameter|Type|Description|
+|:|:|:|
+|on|roleEligibilityScheduleRequestFilterByCurrentUserOptions|The possible values are `principal`, `createdBy`, `approver`, `unknownFutureValue`. Only `principal` and `approver` are currently supported.|
+
+## Optional query parameters
+
+This method supports the `$select`, `$filter`, and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this function returns a `200 OK` response code and a [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) collection in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "unifiedroleeligibilityschedulerequestthis.filterbycurrentuser"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests/filterByCurrentUser(on='principal')
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleEligibilityScheduleRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(unifiedRoleEligibilityScheduleRequest)",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleEligibilityScheduleRequest",
+ "id": "50877283-9d40-433c-bab8-7986dc10458a",
+ "status": "Provisioned",
+ "createdDateTime": "2022-04-12T09:05:41.807Z",
+ "completedDateTime": "2022-04-12T09:05:41.853Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "adminAssign",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "50877283-9d40-433c-bab8-7986dc10458a",
+ "justification": "Assign Attribute Assignment Admin eligibility to restricted user",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2022-04-12T09:05:41.8532931Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDateTime",
+ "endDateTime": "2024-04-10T00:00:00Z",
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleEligibilityScheduleRequest",
+ "id": "f341269e-c926-41fa-a905-cef3b01b2a67",
+ "status": "Revoked",
+ "createdDateTime": "2022-04-12T09:12:18.187Z",
+ "completedDateTime": null,
+ "approvalId": null,
+ "customData": null,
+ "action": "adminRemove",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": null,
+ "justification": null,
+ "scheduleInfo": null,
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+ }
+ ]
+}
+```
+
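Review bot: The introduction and the `on` parameter description contradict each other. The introduction says the principal "can be the creator or approver" of the request or the target of the eligibility, but the Function parameters table says "Only `principal` and `approver` are currently supported", which excludes `createdBy`. Either drop the creator case from the introduction and the description metadata, or state there that filtering by creator is not yet available. As on the sibling pages, `on` is a function parameter in the path, not a query parameter as the sentence above the table says.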
v1.0 Unifiedroleeligibilityschedulerequest Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleeligibilityschedulerequest-get.md
+
+ Title: "Get unifiedRoleEligibilityScheduleRequest"
+description: "In PIM, read the details of a request for a role eligibility request made through the unifiedRoleEligibilityScheduleRequest object."
+
+ms.localizationpriority: medium
++
+# Get unifiedRoleEligibilityScheduleRequest
+Namespace: microsoft.graph
+
+In PIM, read the details of a request for for a role eligibility request made through the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestId}
+```
+
+## Optional query parameters
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. All supported relationships can be expanded. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedroleeligibilityschedulerequest"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests/f341269e-c926-41fa-a905-cef3b01b2a67
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilityScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
+ "id": "f341269e-c926-41fa-a905-cef3b01b2a67",
+ "status": "Revoked",
+ "createdDateTime": "2022-04-12T09:12:18.187Z",
+ "completedDateTime": null,
+ "approvalId": null,
+ "customData": null,
+ "action": "adminRemove",
+ "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
+ "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": null,
+ "justification": null,
+ "scheduleInfo": null,
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+}
+```
+
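Review bot: The introductory sentence has a doubled word, "read the details of a request for for a role eligibility request", and both it and the description metadata are circular ("a request for a role eligibility request"). Suggest something like "read the details of a role eligibility request made through the unifiedRoleEligibilityScheduleRequest object". In the Response section, "an [unifiedRoleEligibilityScheduleRequest]" should read "a [unifiedRoleEligibilityScheduleRequest]".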
v1.0 Unifiedrolemanagementpolicy Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedrolemanagementpolicy-get.md
+
+ Title: "Get unifiedRoleManagementPolicy"
+description: "Retrieve the details of a role management policy."
+
+ms.localizationpriority: medium
++
+# Get unifiedRoleManagementPolicy
+Namespace: microsoft.graph
+
+Retrieve the details of a role management policy.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
+```
+
+## Optional query parameters
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. You can also specify the wildcard value `*` to expand all supported relationships, that is, `?$expand=*`. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) object in the response body.
+
+## Examples
+
+### Example 1: Retrieve the details of a role management policy
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedrolemanagementpolicy"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicy"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicies/$entity",
+ "id": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448",
+ "displayName": "Directory",
+ "description": "Directory",
+ "isOrganizationDefault": false,
+ "scopeId": "/",
+ "scopeType": "Directory",
+ "lastModifiedDateTime": null,
+ "lastModifiedBy": {
+ "displayName": null,
+ "id": null
+ }
+}
+```
++
+### Example 2: Retrieve the details of a role management policy and expand the relationships
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedrolemanagementpolicy_expandrelationships"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448?$expand=effectiveRules,rules
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicy"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicies(effectiveRules(),rules())/$entity",
+ "id": "DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448",
+ "displayName": "DirectoryRole",
+ "description": "DirectoryRole",
+ "isOrganizationDefault": false,
+ "scopeId": "/",
+ "scopeType": "DirectoryRole",
+ "lastModifiedDateTime": null,
+ "lastModifiedBy": {
+ "displayName": null,
+ "id": null
+ },
+ "effectiveRules@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicies('DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448')/effectiveRules",
+ "effectiveRules": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Eligibility",
+ "isExpirationRequired": false,
+ "maximumDuration": "P365D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Eligibility",
+ "enabledRules": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Assignment",
+ "isExpirationRequired": false,
+ "maximumDuration": "P180D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Assignment",
+ "enabledRules": [
+ "Justification"
+ ],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_EndUser_Assignment",
+ "isExpirationRequired": true,
+ "maximumDuration": "PT8H",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_EndUser_Assignment",
+ "enabledRules": [
+ "MultiFactorAuthentication",
+ "Justification"
+ ],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
+ "id": "Approval_EndUser_Assignment",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ },
+ "setting": {
+ "isApprovalRequired": false,
+ "isApprovalRequiredForExtension": false,
+ "isRequestorJustificationRequired": true,
+ "approvalMode": "SingleStage",
+ "approvalStages": [
+ {
+ "approvalStageTimeOutInDays": 1,
+ "isApproverJustificationRequired": true,
+ "escalationTimeInMinutes": 0,
+ "isEscalationEnabled": false,
+ "primaryApprovers": [],
+ "escalationApprovers": []
+ }
+ ]
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
+ "id": "AuthenticationContext_EndUser_Assignment",
+ "isEnabled": false,
+ "claimValue": null,
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ }
+ ],
+ "rules@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicies('DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448')/rules",
+ "rules": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Eligibility",
+ "isExpirationRequired": false,
+ "maximumDuration": "P365D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Eligibility",
+ "enabledRules": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Assignment",
+ "isExpirationRequired": false,
+ "maximumDuration": "P180D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Assignment",
+ "enabledRules": [
+ "Justification"
+ ],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_EndUser_Assignment",
+ "isExpirationRequired": true,
+ "maximumDuration": "PT8H",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_EndUser_Assignment",
+ "enabledRules": [
+ "MultiFactorAuthentication",
+ "Justification"
+ ],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
+ "id": "Approval_EndUser_Assignment",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ },
+ "setting": {
+ "isApprovalRequired": false,
+ "isApprovalRequiredForExtension": false,
+ "isRequestorJustificationRequired": true,
+ "approvalMode": "SingleStage",
+ "approvalStages": [
+ {
+ "approvalStageTimeOutInDays": 1,
+ "isApproverJustificationRequired": true,
+ "escalationTimeInMinutes": 0,
+ "isEscalationEnabled": false,
+ "primaryApprovers": [],
+ "escalationApprovers": []
+ }
+ ]
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
+ "id": "AuthenticationContext_EndUser_Assignment",
+ "isEnabled": false,
+ "claimValue": null,
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ }
+ ]
+}
+```
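Review bot: The example response repeats its rule set. The array that closes just before `"rules@odata.context"` holds the same objects, with the same ids and values as far as they are visible here (`Notification_Admin_Admin_Eligibility` through `Notification_Approver_EndUser_Assignment`), as the `"rules"` array that follows. Consider keeping one representative rule of each `@odata.type` in one of the two arrays and eliding the rest, so that the difference between the two properties is what the reader sees. Separately, `Approval_EndUser_Assignment` shows `"isApprovalRequired": false` together with a populated `approvalStages` entry whose `primaryApprovers` is empty; a sentence saying how that stage is treated when approval is not required would keep readers from taking the sample for an approval-gated policy.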
v1.0 Unifiedrolemanagementpolicy List Rules https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedrolemanagementpolicy-list-rules.md
+
+ Title: "List rules (for a role management policy)"
+description: "Get the rules defined for a role management policy."
+
+ms.localizationpriority: medium
++
+# List rules (for a role management policy)
+Namespace: microsoft.graph
+
+Get the rules defined for a role management policy. The rules are a collection of following types that are derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object:
++ [unifiedRoleManagementPolicyApprovalRule](../resources/unifiedrolemanagementpolicyapprovalrule.md)++ [unifiedRoleManagementPolicyAuthenticationContextRule](../resources/unifiedrolemanagementpolicyauthenticationcontextrule.md)++ [unifiedRoleManagementPolicyEnablementRule](../resources/unifiedrolemanagementpolicyenablementrule.md)++ [unifiedRoleManagementPolicyExpirationRule](../resources/unifiedrolemanagementpolicyexpirationrule.md)++ [unifiedRoleManagementPolicyNotificationRule](../resources/unifiedrolemanagementpolicynotificationrule.md)+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
+```
+
+## Optional query parameters
+This method supports the `$select` and `$filter` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) objects in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedrolemanagementpolicyrule"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448/rules
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleManagementPolicyRule)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicies('DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448')/rules",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Eligibility",
+ "isExpirationRequired": false,
+ "maximumDuration": "P365D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Eligibility",
+ "enabledRules": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Assignment",
+ "isExpirationRequired": false,
+ "maximumDuration": "P180D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Assignment",
+ "enabledRules": [
+ "Justification"
+ ],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_EndUser_Assignment",
+ "isExpirationRequired": true,
+ "maximumDuration": "PT8H",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_EndUser_Assignment",
+ "enabledRules": [
+ "MultiFactorAuthentication",
+ "Justification"
+ ],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
+ "id": "Approval_EndUser_Assignment",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ },
+ "setting": {
+ "isApprovalRequired": false,
+ "isApprovalRequiredForExtension": false,
+ "isRequestorJustificationRequired": true,
+ "approvalMode": "SingleStage",
+ "approvalStages": [
+ {
+ "approvalStageTimeOutInDays": 1,
+ "isApproverJustificationRequired": true,
+ "escalationTimeInMinutes": 0,
+ "isEscalationEnabled": false,
+ "primaryApprovers": [],
+ "escalationApprovers": []
+ }
+ ]
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
+ "id": "AuthenticationContext_EndUser_Assignment",
+ "isEnabled": false,
+ "claimValue": null,
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ }
+ ]
+}
+```
+
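Review bot: In the Permissions table the Application row lists `RoleManagement.Read.Directory` before `RoleManagement.Read.All`, while the Get unifiedRoleManagementPolicyAssignment page added in the same update lists the two the other way round under the same "from least to most privileged" column heading, so one of the rows is out of order; please settle the order and use it on both pages, since readers pick the least-privileged permission from this column. In the introduction, the five derived rule types are run together on one line after "The rules are a collection of following types"; put each link on its own bullet and change the wording to "the following types". The Optional query parameters section says `$filter` is supported, but the example only shows the unfiltered call; a second request that filters the collection would show the supported syntax.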
v1.0 Unifiedrolemanagementpolicyassignment Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedrolemanagementpolicyassignment-get.md
+
+ Title: "Get unifiedRoleManagementPolicyAssignment"
+description: "Get the details of a role management policy assignment and the associated policy."
+
+ms.localizationpriority: medium
++
+# Get unifiedRoleManagementPolicyAssignment
+Namespace: microsoft.graph
+
+Get the details of a role management policy assignment and the associated policy.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
+```
+
+## Optional query parameters
+This method supports the `$select` and `$expand` OData query parameters to help customize the response. You can also specify the wildcard value `*` to expand all supported relationships, that is, `?$expand=*`. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) object in the response body.
+
+## Examples
+
+### Example 1: Retrieve a role management policy assignment
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedrolemanagementpolicyassignment"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments/Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448_62e90394-69f5-4237-9190-012177145e10
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyAssignment"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicyAssignments/$entity",
+ "id": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448_62e90394-69f5-4237-9190-012177145e10",
+ "policyId": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448",
+ "scopeId": "/",
+ "scopeType": "Directory",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"
+}
+```
++
+### Example 2: Retrieve a role management policy assignment and expand the policy and its associated rules
+
+#### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedrolemanagementpolicyassignment_expand_all_relationships"
+}
+-->
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments/Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448_62e90394-69f5-4237-9190-012177145e10?$expand=policy($expand=rules)
+```
++
+#### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyAssignment"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicyAssignments(policy(rules()))/$entity",
+ "id": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448_62e90394-69f5-4237-9190-012177145e10",
+ "policyId": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448",
+ "scopeId": "/",
+ "scopeType": "Directory",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "policy": {
+ "id": "Directory_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448",
+ "displayName": "Directory",
+ "description": "Directory",
+ "isOrganizationDefault": false,
+ "scopeId": "/",
+ "scopeType": "Directory",
+ "lastModifiedDateTime": null,
+ "lastModifiedBy": {
+ "displayName": null,
+ "id": null
+ },
+ "rules": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Eligibility",
+ "isExpirationRequired": false,
+ "maximumDuration": "P365D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Eligibility",
+ "enabledRules": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Eligibility",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Assignment",
+ "isExpirationRequired": false,
+ "maximumDuration": "P180D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_Admin_Assignment",
+ "enabledRules": [
+ "Justification"
+ ],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_Admin_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_EndUser_Assignment",
+ "isExpirationRequired": true,
+ "maximumDuration": "PT8H",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "Enablement_EndUser_Assignment",
+ "enabledRules": [
+ "MultiFactorAuthentication",
+ "Justification"
+ ],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
+ "id": "Approval_EndUser_Assignment",
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ },
+ "setting": {
+ "isApprovalRequired": false,
+ "isApprovalRequiredForExtension": false,
+ "isRequestorJustificationRequired": true,
+ "approvalMode": "SingleStage",
+ "approvalStages": [
+ {
+ "approvalStageTimeOutInDays": 1,
+ "isApproverJustificationRequired": true,
+ "escalationTimeInMinutes": 0,
+ "isEscalationEnabled": false,
+ "primaryApprovers": [],
+ "escalationApprovers": []
+ }
+ ]
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
+ "id": "AuthenticationContext_EndUser_Assignment",
+ "isEnabled": false,
+ "claimValue": null,
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Admin_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Admin",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Requestor_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Requestor",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "Notification_Approver_EndUser_Assignment",
+ "notificationType": "Email",
+ "recipientType": "Approver",
+ "notificationLevel": "All",
+ "isDefaultRecipientsEnabled": true,
+ "notificationRecipients": [],
+ "target": {
+ "caller": "EndUser",
+ "operations": [
+ "all"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+ }
+ ]
+ }
+}
+```
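Review bot: In the `Approval_EndUser_Assignment` rule of this response example, `"isApprovalRequired": false` appears together with `"approvalMode": "SingleStage"` and a populated `approvalStages` entry, while the approvalSettings reference added in the same change says `NoApproval` is used when `isApprovalRequired` is `false` and that `approvalStages` is an empty array when no approval is required. Confirm which of the two matches the service output and align the example or the property descriptions, since readers auditing activation policies will take this response as the reference shape for a role that needs no approval.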
v1.0 Unifiedrolemanagementpolicyrule Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedrolemanagementpolicyrule-get.md
+
+ Title: "Get unifiedRoleManagementPolicyRule"
+description: "Retrieve a rule defined for a role management policy."
+
+ms.localizationpriority: medium
++
+# Get unifiedRoleManagementPolicyRule
+Namespace: microsoft.graph
+
+Retrieve a rule defined for a role management policy. The rule can be one of the following types that are derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object:
++ [unifiedRoleManagementPolicyApprovalRule](../resources/unifiedrolemanagementpolicyapprovalrule.md)++ [unifiedRoleManagementPolicyAuthenticationContextRule](../resources/unifiedrolemanagementpolicyauthenticationcontextrule.md)++ [unifiedRoleManagementPolicyEnablementRule](../resources/unifiedrolemanagementpolicyenablementrule.md)++ [unifiedRoleManagementPolicyExpirationRule](../resources/unifiedrolemanagementpolicyexpirationrule.md)++ [unifiedRoleManagementPolicyNotificationRule](../resources/unifiedrolemanagementpolicynotificationrule.md)+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
+```
+
+## Optional query parameters
+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedrolemanagementpolicyrule"
+}
+-->
+``` http
+GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448/rules/Expiration_Admin_Eligibility
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRule"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicies('DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448')/rules/$entity",
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_Admin_Eligibility",
+ "isExpirationRequired": false,
+ "maximumDuration": "P365D",
+ "target": {
+ "caller": "Admin",
+ "operations": [
+ "all"
+ ],
+ "level": "Eligibility",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+}
+```
+
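Review bot: The "Optional query parameters" section says the method supports "some of the OData query parameters" without naming any, so a caller cannot tell whether `$select` or `$expand` is honoured when reading a single rule; list the supported parameters or state that none apply. A smaller point: "an [unifiedRoleManagementPolicyRule]" in the Response section should read "a".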
v1.0 Unifiedrolemanagementpolicyrule Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedrolemanagementpolicyrule-update.md
+
+ Title: "Update unifiedRoleManagementPolicyRule"
+description: "Update a rule defined for a role management policy."
+
+ms.localizationpriority: medium
++
+# Update unifiedRoleManagementPolicyRule
+Namespace: microsoft.graph
+
+Update a rule defined for a role management policy. The rule can be one of the following types that are derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object:
++ [unifiedRoleManagementPolicyApprovalRule](../resources/unifiedrolemanagementpolicyapprovalrule.md)++ [unifiedRoleManagementPolicyAuthenticationContextRule](../resources/unifiedrolemanagementpolicyauthenticationcontextrule.md)++ [unifiedRoleManagementPolicyEnablementRule](../resources/unifiedrolemanagementpolicyenablementrule.md)++ [unifiedRoleManagementPolicyExpirationRule](../resources/unifiedrolemanagementpolicyexpirationrule.md)++ [unifiedRoleManagementPolicyNotificationRule](../resources/unifiedrolemanagementpolicynotificationrule.md)+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|Not supported.|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
++
+|Property|Type|Description|
+|:|:|:|
+|claimValue|String|The value of the authentication context claim. <br/><br/>Can be updated for the **unifiedRoleManagementPolicyAuthenticationContextRule** rule type.|
+|enabledRules|String collection|The collection of rules that are enabled for this policy rule. For example, `MultiFactorAuthentication`, `Ticketing`, and `Justification`.<br/><br/>Can be updated for the **unifiedRoleManagementPolicyEnablementRule** rule type.|
+|isDefaultRecipientsEnabled|Boolean|Indicates whether a default recipient will receive the notification email.<br/><br/>Can be updated for the **unifiedRoleManagementPolicyNotificationRule** rule type.|
+|isEnabled|Boolean| Whether this rule is enabled. <br/><br/>Can be updated for the **unifiedRoleManagementPolicyAuthenticationContextRule** rule type.|
+|isExpirationRequired|Boolean|Indicates whether expiration is required or if it's a permanently active assignment or eligibility. <br/><br/>Can be updated for the **unifiedRoleManagementPolicyExpirationRule** rule type.|
+|maximumDuration|Duration| The maximum duration allowed for eligibility or assignment which is not permanent. Required when **isExpirationRequired** is `true`. <br/><br/>Can be updated for the **unifiedRoleManagementPolicyExpirationRule** rule type. |
+|notificationLevel|String|The level of notification. The possible values are `None`, `Critical`, `All`.<br/><br/>Can be updated for the **unifiedRoleManagementPolicyNotificationRule** rule type.|
+|notificationRecipients|String collection|The list of recipients of the email notifications.<br/><br/>Can be updated for the **unifiedRoleManagementPolicyNotificationRule** rule type.|
+|notificationType|String|The type of notification. Only `Email` is supported.<br/><br/>Can be updated for the **unifiedRoleManagementPolicyNotificationRule** rule type.|
+|recipientType|String|The type of recipient of the notification. The possible values are `Requestor`, `Approver`, `Admin`.<br/>Can be updated for the **unifiedRoleManagementPolicyNotificationRule** rule type.|
+|setting|[approvalSettings](../resources/approvalsettings.md)|The settings for approval of the role assignment. <br/><br/>Can be updated for the **unifiedRoleManagementPolicyApprovalRule** rule type.|
+|target|[unifiedRoleManagementPolicyRuleTarget](../resources/unifiedrolemanagementpolicyruletarget.md)|Defines details of the scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role. <br/><br/> Can be updated for all rule types.|
+
+>**Note:** The `@odata.type` property with a value of the specific rule type must be included in the body. For example, `"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"`.
+
+## Response
+
+If successful, this method returns a `204 No Content` response code.
+
+## Examples
+
+### Request
+
+The following example updates a role management policy rule of type **unifiedRoleManagementPolicyExpirationRule** and with ID is `Expiration_EndUser_Assignment`.
+<!-- {
+ "blockType": "request",
+ "name": "update_unifiedrolemanagementpolicyrule"
+}
+-->
+``` http
+PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_84841066-274d-4ec0-a5c1-276be684bdd3_200ec19a-09e7-4e7a-9515-cf1ee64b96f9/rules/Expiration_EndUser_Assignment
+Content-Type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "Expiration_EndUser_Assignment",
+ "isExpirationRequired": true,
+ "maximumDuration": "PT1H45M",
+ "target": {
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget",
+ "caller": "EndUser",
+ "operations": [
+ "All"
+ ],
+ "level": "Assignment",
+ "inheritableSettings": [],
+ "enforcedSettings": []
+ }
+}
+```
++
+### Response
+<!-- {
+ "blockType": "response",
+ "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+```
+
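Review bot: The request example sends `"operations": ["All"]` and a target `"@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"` without the leading `#`, whereas the enum table in this change lists the member as `all`, the response examples use `all`, and the note above the Response section shows the `#microsoft.graph.` form. Make the example match, or state that both spellings are accepted. The property table should also say whether a PATCH that supplies `enabledRules` replaces the whole collection, because that decides whether an update listing only `Justification` would remove an existing `MultiFactorAuthentication` requirement. In the example intro, "with ID is" should read "with ID".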
v1.0 Link Validation Config.Json https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/config/link-validation-config.json a/api-reference/v1.0/config/link-validation-config.json
"/openspecs", "/powershell", "/previous-versions",
+ "/rest",
+ "/security",
"/skypeforbusiness", "/sharepoint", "/universal-print",
v1.0 Approvalsettings https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/approvalsettings.md
+
+ Title: "approvalSettings resource type"
+description: "The settings for approval as defined in a role management policy rule."
+
+ms.localizationpriority: medium
++
+# approvalSettings resource type
+
+Namespace: microsoft.graph
+
+The settings for approval as defined in a role management policy rule.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|approvalMode|String|One of `SingleStage`, `Serial`, `Parallel`, `NoApproval` (default). `NoApproval` is used when `isApprovalRequired` is `false`.|
+|approvalStages|[unifiedApprovalStage](../resources/unifiedapprovalstage.md) collection|If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required.|
+|isApprovalRequired|Boolean|Indicates whether approval is required for requests in this policy.|
+|isApprovalRequiredForExtension|Boolean|Indicates whether approval is required for a user to extend their assignment.|
+|isRequestorJustificationRequired|Boolean|Indicates whether the requestor is required to supply a justification in their request.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.approvalSettings"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.approvalSettings",
+ "isApprovalRequired": "Boolean",
+ "isApprovalRequiredForExtension": "Boolean",
+ "isRequestorJustificationRequired": "Boolean",
+ "approvalMode": "String",
+ "approvalStages": [
+ {
+ "@odata.type": "microsoft.graph.unifiedApprovalStage"
+ }
+ ]
+}
+```
+
v1.0 Enums https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/enums.md
doc_type: enumPageType
Namespace: microsoft.graph
+### expirationPatternType values
+
+|Member|
+|:|
+|notSpecified|
+|noExpiration|
+|afterDateTime|
+|afterDuration|
+
+### recurrencePatternType values
+
+|Member|
+|:|
+|daily|
+|weekly|
+|absoluteMonthly|
+|relativeMonthly|
+|absoluteYearly|
+|relativeYearly|
+
+### roleAssignmentScheduleFilterByCurrentUserOptions values
+
+|Member|
+|:|
+|principal|
+|unknownFutureValue|
+
+### roleAssignmentScheduleInstanceFilterByCurrentUserOptions values
+
+|Member|
+|:|
+|principal|
+|unknownFutureValue|
+
+### roleAssignmentScheduleRequestFilterByCurrentUserOptions values
+
+|Member|
+|:|
+|principal|
+|createdBy|
+|approver|
+|unknownFutureValue|
+
+### roleEligibilityScheduleFilterByCurrentUserOptions values
+
+|Member|
+|:|
+|principal|
+|unknownFutureValue|
+
+### roleEligibilityScheduleInstanceFilterByCurrentUserOptions values
+
+|Member|
+|:|
+|principal|
+|unknownFutureValue|
+
+### roleEligibilityScheduleRequestFilterByCurrentUserOptions values
+
+|Member|
+|:|
+|principal|
+|createdBy|
+|approver|
+|unknownFutureValue|
+
+### unifiedRoleManagementPolicyRuleTargetOperations values
+
+|Member|
+|:|
+|all|
+|activate|
+|deactivate|
+|assign|
+|update|
+|remove|
+|extend|
+|renew|
+|unknownFutureValue|
+
+### unifiedRoleScheduleRequestActions values
+
+|Member|
+|:|
+|adminAssign|
+|adminUpdate|
+|adminRemove|
+|selfActivate|
+|selfDeactivate|
+|adminExtend|
+|adminRenew|
+|selfExtend|
+|selfRenew|
+|unknownFutureValue|
+
+### approvalFilterByCurrentUserOptions values
+
+|Member|
+|:|
+|target|
+|createdBy|
+|approver|
+|unknownFutureValue|
+ ### accessReviewExpirationBehavior values |Member|
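Review bot: The new enum tables list member names only, with no description column, which leaves the ones that drive privileged-access behaviour ambiguous: for `unifiedRoleScheduleRequestActions` nothing says how `adminExtend` differs from `adminRenew`, and for `unifiedRoleManagementPolicyRuleTargetOperations` nothing says which requests each of `activate`, `assign`, `extend` and `renew` covers. Add a Description column for at least those two enums, or link each heading to the resource page that defines the values.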
v1.0 Expirationpattern https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/expirationpattern.md
Title: "expirationPattern resource type"
-description: "The expiration pattern in a request schedule can be included in an access package assignment request and is present in an access package assignment."
+description: "The expiration pattern defines when a request or assignment expires."
ms.localizationpriority: medium ms.prod: "governance"
doc_type: resourcePageType
Namespace: microsoft.graph
-In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule. The expiration field of an [entitlementManagementSchedule](entitlementmanagementschedule.md) indicates when the access package assignment should expire.
+In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule. The expiration field of an [entitlementManagementSchedule](entitlementmanagementschedule.md) indicates when the access package assignment should expire.
+
+In PIM, use this resource to define when a [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) or [unifiedRoleEligibilityScheduleRequest](unifiedroleeligibilityschedulerequest.md) object expires.
## Properties |Property|Type|Description|
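Review bot: The added paragraph opens with "In PIM," but this page never expands the acronym; write "In Privileged Identity Management (PIM)," and link it to the PIM overview added in this change, the way the entitlement management paragraph above links its own feature. Also, the removed and added versions of the entitlement management paragraph read identically here, so if that is a whitespace-only change, consider leaving the line untouched.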
v1.0 Patternedrecurrence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/patternedrecurrence.md
doc_type: resourcePageType
Namespace: microsoft.graph
-The recurrence pattern and range. This shared object is used to define the recurrence of [access reviews](accessreviewscheduledefinition.md), [calendar events](event.md), and [access package assignments](accesspackageassignment.md) in Azure AD.
+The recurrence pattern and range. This shared object is used to define the recurrence of the following objects:
++ [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) objects in Azure AD access reviews APIs++ [event](event.md) objects in the calendar API++ [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) and [unifiedRoleEligibilityScheduleRequest](unifiedroleeligibilityschedulerequest.md) objects in PIM++ [accessPackageAssignment](accesspackageassignment.md) objects in Azure AD entitlement management. ## Properties | Property | Type |Description|
v1.0 Policyroot https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/policyroot.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Resource type exposing navigation properties for the policies singleton.
+Resource type exposing navigation properties for the policies singleton. Inherits from [entity](../resources/entity.md).
## Methods None ## Properties
-None
+|Property|Type|Description|
+|:|:|:|
+|id|String|Unique identifier of the policy. Inherited from [entity](../resources/entity.md).|
## Relationships | Relationship | Type | Description | |:|:-|:|
-| authenticationMethodsPolicy | [authenticationMethodsPolicy](authenticationmethodspolicy.md) | The authentication methods and the users that are allowed to use them to sign in and perform multi-factor authentication (MFA) in Azure Active Directory (Azure AD). |
-| authenticationFlowsPolicy | [authenticationFlowsPolicy](authenticationflowspolicy.md) | The policy configuration of the self-service sign-up experience of external users. |
| activityBasedTimeoutPolicies | [activityBasedTimeoutPolicy](activitybasedtimeoutpolicy.md) collection | The policy that controls the idle time out for web sessions for applications. |
+| adminConsentRequestPolicy | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) | The policy by which consent requests are created and managed for the entire tenant. |
+| authenticationFlowsPolicy | [authenticationFlowsPolicy](authenticationflowspolicy.md) | The policy configuration of the self-service sign-up experience of external users. |
+| authenticationMethodsPolicy | [authenticationMethodsPolicy](authenticationmethodspolicy.md) | The authentication methods and the users that are allowed to use them to sign in and perform multi-factor authentication (MFA) in Azure Active Directory (Azure AD). |
| authorizationPolicy | [authorizationPolicy](authorizationpolicy.md) collection | The policy that controls Azure AD authorization settings. | | claimsMappingPolicies | [claimsMappingPolicy](claimsmappingpolicy.md) collection | The claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. |
+| conditionalAccessPolicies | [conditionalAccessPolicy](conditionalaccesspolicy.md) | The custom rules that define an access scenario. |
+| featureRolloutPolicies | [featureRolloutPolicy](featurerolloutpolicy.md) collection | The feature rollout policy associated with a directory object. |
| homeRealmDiscoveryPolicies | [homeRealmDiscoveryPolicy](homerealmdiscoverypolicy.md) collection | The policy to control Azure AD authentication behavior for federated users. |
+| identitySecurityDefaultsEnforcementPolicy | [identitySecurityDefaultsEnforcementPolicy](identitysecuritydefaultsenforcementpolicy.md) | The policy that represents the security defaults that protect against common attacks. |
| permissionGrantPolicies | [permissionGrantPolicy](permissiongrantpolicy.md) collection | The policy that specifies the conditions under which consent can be granted. |
+|roleManagementPolicies|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) collection| Specifies the various policies associated with scopes and roles. |
+|roleManagementPolicyAssignments|[unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) collection| The assignment of a role management policy to a role definition object. |
| tokenIssuancePolicies | [tokenIssuancePolicy](tokenissuancepolicy.md) collection | The policy that specifies the characteristics of SAML tokens issued by Azure AD. | | tokenLifetimePolicies | [tokenLifetimePolicy](tokenlifetimepolicy.md) collection | The policy that controls the lifetime of a JWT access token, an ID token, or a SAML 1.1/2.0 token issued by Azure AD. |
-| featureRolloutPolicies | [featureRolloutPolicy](featurerolloutpolicy.md) collection | The feature rollout policy associated with a directory object. |
-| adminConsentRequestPolicy | [adminConsentRequestPolicy](adminconsentrequestpolicy.md) | The policy by which consent requests are created and managed for the entire tenant. |
-| conditionalAccessPolicies | [conditionalAccessPolicy](conditionalaccesspolicy.md) | The custom rules that define an access scenario. |
-| identitySecurityDefaultsEnforcementPolicy | [identitySecurityDefaultsEnforcementPolicy](identitysecuritydefaultsenforcementpolicy.md) | The policy that represents the security defaults that protect against common attacks. |
## JSON representation
The following is a JSON representation of the resource.
--> ``` json {
- "@odata.type": "#microsoft.graph.policyRoot"
+ "@odata.type": "#microsoft.graph.policyRoot",
+ "id": "String (identifier)"
} ```
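Review bot: In the Relationships table, the re-added `conditionalAccessPolicies` row gives the type as `conditionalAccessPolicy` with no "collection", unlike the other plural relationships in the table (`featureRolloutPolicies`, `roleManagementPolicies`); since the row is being moved anyway, verify the cardinality and add "collection" if it applies. The new `id` description, "Unique identifier of the policy", also reads oddly for the policies singleton; "Unique identifier of the object", as used on the rbacApplication page in this change, would fit better.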
v1.0 Privilegedidentitymanagementv3 Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/privilegedidentitymanagementv3-overview.md
+
+ Title: "Overview of role management through the privileged identity management (PIM) API"
+description: "Privileged Identity Management (PIM) is a feature of Azure AD Identity Governance that enables you to manage, control, and monitor access to important resources in your organization."
+
+ms.localizationpriority: medium
++
+# Overview of role management through the privileged identity management (PIM) API
+
+Namespace: microsoft.graph
+
+Privileged Identity Management (PIM) is a feature of [Azure AD Identity Governance](/azure/active-directory/governance/identity-governance-overview) that enables you to manage, control, and monitor access to important resources in your organization. This access is enabled through privileged roles and role-based access control (RBAC) and can be granted to users, groups, or service principals. The resources can be in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.
+
+The Microsoft Graph PIM API for role management allows you to govern privileged access and limit excessive access. This article introduces the governance capabilities of PIM APIs in Microsoft Graph.
+
+> [!NOTE]
+> To manage Azure resource roles use the [Azure Resource Manager (ARM) APIs for PIM](/rest/api/authorization/privileged-role-eligibility-rest-sample).
+
+## PIM API for managing role assignments
+
+PIM allows you to manage active role assignments by creating permanent assignments or temporary assignments. Use the [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) resource type and it's related methods to manage role assignments.
+
+The following table lists scenarios for using PIM to manage role assignments and the APIs to call:
+
+|Scenarios |API |
+|||
+|An administrator creates and assigns to a principal a permanent role assignment <br/> An administrator assigns to a principal a temporary role | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+|An administrator renews, updates, extends, or removes role assignments | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+|An administrator queries all role assignments and their details | [List roleAssignmentScheduleRequests](../api/rbacapplication-list-roleassignmentschedulerequests.md) |
+|An administrator queries a role assignment and its details | [Get unifiedRoleAssignmentScheduleRequest](../api/unifiedroleassignmentschedulerequest-get.md) |
+|A principal queries their role assignments and the details | [unifiedRoleAssignmentScheduleRequest: filterByCurrentUser](../api/unifiedroleassignmentschedulerequest-filterbycurrentuser.md) |
+|A principal performs just-in-time and time-bound activation of their *eligible* role assignment | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+|A principal cancels a role assignment request they created | [unifiedRoleAssignmentScheduleRequest: cancel](../api/unifiedroleassignmentschedulerequest-cancel.md) |
+|A principal that has activated their eligible role assignment deactivates it when they no longer need access | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+|A principal deactivates, extends, or renews their role assignment. | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+
+## PIM API for managing role eligibilities
+
+Your principals may not require permanent role assignments because they may not require the privileges granted through the privileged role all the time. In this case, PIM also allows you to create role eligibilities and assign them to the principals. With role eligibilities, the principal activates the role when they need to perform privileged tasks. The activation is always time-bound for a maximum of 8 hours. The role eligibility can also be a permanent eligibility or a temporary eligibility.
+
+Use the [unifiedRoleEligibilityScheduleRequest](unifiedroleeligibilityschedulerequest.md) resource type and it's related methods to manage role eligibilities.
+
+The following table lists scenarios for using PIM to manage role eligibilities and the APIs to call:
+
+|Scenarios |API |
+|||
+|An administrator creates and assigns to a principal an eligible role <br/> An administrator assigns a temporary role eligibility to a principal | [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) |
+|An administrator renews, updates, extends, or removes role eligibilities | [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) |
+|An administrator queries all role eligibilities and their details | [List roleEligibilityScheduleRequests](../api/rbacapplication-list-roleeligibilityschedulerequests.md) |
+|An administrator queries a role eligibility and its details | [Get unifiedRoleEligibilityScheduleRequest](../api/unifiedroleeligibilityschedulerequest-get.md) |
+|An administrator cancels a role eligibility request they created | [unifiedRoleEligibilityScheduleRequest: cancel](../api/unifiedroleeligibilityschedulerequest-cancel.md) |
+|A principal queries their role eligibilities and the details | [unifiedRoleEligibilityScheduleRequest: filterByCurrentUser](../api/unifiedroleeligibilityschedulerequest-filterbycurrentuser.md) |
+|A principal deactivates, extends, or renews their role eligibility. | [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) |
++
+## Role settings and PIM
+
+Each Azure AD role defines settings or rules. Such settings include whether multifactor authentication (MFA), justification, or approval is required to activate an eligible role. Or whether you can create permanent assignments or eligibilities for principals to the role. These role-specific settings will determine the settings you can apply while creating or managing role assignments and eligibilities through PIM. In Microsoft Graph, these role settings are exposed through the [unifiedRoleManagementPolicy resource type](unifiedrolemanagementpolicy.md) and related methods.
+
+For example, assume that by default, a role doesn't allow permanent active assignments and defines a maximum of 15 days for active assignments. Attempting to create a [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) object without expiry date will return a `400 Bad Request` response code for violation of the expiration rule.
+
+Use the [unifiedRoleManagementPolicyAssignment](unifiedrolemanagementpolicyassignment.md) resource type and its related methods to retrieve the rules that apply to each Azure AD role. Then use the [Update unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-update.md) API to update the default rules or settings that are applied to a policy that's assigned to a specific Azure AD role.
+
+For more information about role settings, see [Configure Azure AD role settings in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings).
+
+## PIM and identity security with Zero Trust
+
+PIM APIs support organizations to adopt a Zero Trust approach to secure the identities in their organization. For more information about Zero Trust, see [Securing identity with Zero Trust](/security/zero-trust/deploy/identity).
+
+## Permissions and privileges
+
+To call the [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) and [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) APIs with admin actions, the calling user must:
++ Have a *Global Administrator* or *Privileged Role Administrator* role++ Be granted one of the following permissions:
+ + RoleAssignmentSchedule.ReadWrite.Directory
+ + RoleEligibilitySchedule.ReadWrite.Directory
+ + RoleManagement.ReadWrite.Directory
+
+The principal must also be assigned the appropriate permissions to retrieve their role assignments and eligibilities, or call the [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) and [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) APIs with user actions.
+
+For more information about permissions to call PIM APIs, see the [Microsoft Graph permissions reference: Role management permissions](/graph/permissions-reference#role-management-permissions).
+
+## Licensing
+
+The PIM API requires an Azure AD Premium P2 license. For more information, see [License requirements to use Privileged Identity Management](/azure/active-directory/privileged-identity-management/subscription-requirements).
+
+## Next Steps
+++ [unifiedRoleAssignmentScheduleRequest resource type](unifiedroleassignmentschedulerequest.md)++ [unifiedRoleEligibilityScheduleRequest resource type](unifiedroleeligibilityschedulerequest.md)++ You can also set up access reviews of role assignments and eligibilities that are managed through PIM. For more information, see [Tutorial: Use the Privileged Identity Management (PIM) API to assign Azure AD roles](/graph/tutorial-assign-azureadroles)+
+## See also
+++ [What is Azure AD Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)++ [Tutorial: Use the Privileged Identity Management (PIM) API to assign Azure AD roles](/graph/tutorial-assign-azureadroles)
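Review bot: In "Next Steps", the access reviews bullet sends readers to "Tutorial: Use the Privileged Identity Management (PIM) API to assign Azure AD roles" (/graph/tutorial-assign-azureadroles), whose title is about assigning roles, not access reviews, and the same link is repeated under "See also". Point the access reviews sentence at an access reviews article or drop it, and keep the tutorial in one list only. Under "Permissions and privileges", the sentence about user actions says "the appropriate permissions" without naming them; list them the way the admin-action permissions are listed. "Next Steps" should be "Next steps" to match the sentence-case headings used elsewhere in this file.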
v1.0 Rbacapplication https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/rbacapplication.md
Namespace: microsoft.graph
Role management container for unified role definitions and role assignments for Microsoft 365 role-based access control (RBAC) providers. The role assignments support only a single principal and a single scope. Currently **directory** and **entitlementManagement** are the two RBAC providers supported.
+Inherits from [entity](../resources/entity.md).
+ ## Methods None ## Properties
-None
+|Property|Type|Description|
+|:|:|:|
+|id|String|Unique identifier of the object. Inherited from [entity](../resources/entity.md).|
## Relationships |Relationship|Type|Description| |:|:|:| |roleAssignments|[unifiedRoleAssignment](../resources/unifiedroleassignment.md) collection| Resource to grant access to users or groups. |
+|roleAssignmentScheduleInstances|[unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) collection| Instances for active role assignments. |
+|roleAssignmentScheduleRequests|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) collection| Requests for active role assignments to principals through PIM. |
+|roleAssignmentSchedules|[unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) collection|Schedules for active role assignment operations.|
|roleDefinitions|[unifiedRoleDefinition](../resources/unifiedroledefinition.md) collection| Resource representing the roles allowed by RBAC providers and the permissions assigned to the roles. |
+|roleEligibilityScheduleInstances|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) collection|Instances for role eligibility requests.|
+|roleEligibilityScheduleRequests|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) collection| Requests for role eligibilities for principals through PIM.|
+|roleEligibilitySchedules|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) collection|Schedules for role eligibility operations. |
## JSON representation The following is a JSON representation of the resource. <!-- { "blockType": "resource",
+ "keyProperty": "id",
"@odata.type": "microsoft.graph.rbacApplication",
+ "baseType": "microsoft.graph.entity",
"openType": false } --> ``` json {
- "@odata.type": "#microsoft.graph.rbacApplication"
+ "@odata.type": "#microsoft.graph.rbacApplication",
+ "id": "String (identifier)"
} ```
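Review bot: The new roleEligibilityScheduleInstances row describes the collection as "Instances for role eligibility requests", which blurs it with roleEligibilityScheduleRequests on the following row. Suggest "Instances for role eligibilities." to parallel "Instances for active role assignments." on the roleAssignmentScheduleInstances row. The added rows also mix trailing spaces and leading spaces inside the description cells; normalize them while you are here.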
v1.0 Request https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/request.md
+
+ Title: "request resource type"
+description: "Represents the details of a request in PIM or userConsentRequests"
+
+ms.localizationpriority: medium
++
+# request resource type
+
+Namespace: microsoft.graph
+
+Represents the details of a request in [PIM](privilegedidentitymanagementv3-overview.md) or [user consent request](userconsentrequest.md) APIs.
+
+Inherits from [entity](../resources/entity.md).
+
+## Methods
+
+None.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|approvalId|String| The identifier of the approval of the request. |
+|completedDateTime|DateTimeOffset| The request completion date time. |
+|createdBy|[identitySet](../resources/identityset.md)|The principal that created the request.|
+|createdDateTime|DateTimeOffset|The request creation date time.|
+|customData|String|Free text field to define any custom data for the request. Not used.|
+|id|String|The unique identifier for the request object. Inherited from [entity](../resources/entity.md).|
+|status|String| The status of the request. Not nullable. The possible values are: `Canceled`, `Denied`, `Failed`, `Granted`, `PendingAdminDecision`, `PendingApproval`, `PendingProvisioning`, `PendingScheduleCreation`, `Provisioned`, `Revoked`, and `ScheduleCreated`. Not nullable. |
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.request",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.request",
+ "id": "String (identifier)",
+ "status": "String",
+ "completedDateTime": "String (timestamp)",
+ "createdDateTime": "String (timestamp)",
+ "approvalId": "String",
+ "customData": "String",
+ "createdBy": {
+ "@odata.type": "microsoft.graph.identitySet"
+ }
+}
+```
+
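Review bot: The status row in the Properties table states "Not nullable." twice, once before and once after the list of possible values; keep one. The customData row says "Not used." without saying whether a supplied value is stored, ignored, or rejected, which matters to callers who might put sensitive text there; please state the behavior. The front-matter description says "userConsentRequests" while the body says "user consent request"; use one form.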
v1.0 Requestschedule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/requestschedule.md
+
+ Title: "requestSchedule resource type"
+description: "In PIM, use this resource to define the schedule for when the principal will have an eligible or active role."
+
+ms.localizationpriority: medium
++
+# requestSchedule resource type
+
+Namespace: microsoft.graph
+
+In PIM, use this resource to define the schedule for when the principal will have an eligible or active role assignment.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|expiration|[expirationPattern](../resources/expirationpattern.md)|When the eligible or active assignment expires.|
+|recurrence|[patternedRecurrence](../resources/patternedrecurrence.md)|The frequency of the eligible or active assignment. This property is currently unsupported in PIM.|
+|startDateTime|DateTimeOffset|When the eligible or active assignment becomes active.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.requestSchedule"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.requestSchedule",
+ "startDateTime": "String (timestamp)",
+ "expiration": {
+ "@odata.type": "microsoft.graph.expirationPattern"
+ },
+ "recurrence": {
+ "@odata.type": "microsoft.graph.patternedRecurrence"
+ }
+}
+```
+
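Review bot: The front-matter description ends at "eligible or active role." while the body sentence says "eligible or active role assignment."; the description looks truncated and should match. The recurrence row says the property is currently unsupported in PIM, but the JSON representation lists it with no qualifier; say in the table what happens if a caller sets it (ignored or rejected), so that clients do not assume a recurring schedule was applied.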
v1.0 Subjectset https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/subjectset.md
doc_type: resourcePageType
Namespace: microsoft.graph
+A shared object that is used in entitlement management access package assignment policies and role management policies.
+++ In entitlement management, used in the request, approval, and assignment review settings of an access package assignment policy.++ In role management policies, used in the approval settings that are defined in rules for role management policies.+
+This is an abstract base type that's inherited by the following derived types:
++ [singleUser](singleuser.md)++ [singleServicePrincipal](singleserviceprincipal.md)++ [groupMembers](groupmembers.md)++ [connectedOrganizationMembers](connectedorganizationmembers.md)++ [requestorManager](requestormanager.md)++ [internalSponsors](internalsponsors.md)++ [externalSponsors](externalsponsors.md)++ [targetManager](targetmanager.md)++ [targetApplicationOwners](targetapplicationowners.md)+
-Used in the request, approval, and assignment review settings of an access package assignment policy. The abstract base type for the [singleUser](singleuser.md), [singleServicePrincipal](singleserviceprincipal.md), [groupMembers](groupmembers.md), [connectedOrganizationMembers](connectedorganizationmembers.md), [requestorManager](requestormanager.md), [internalSponsors](internalsponsors.md), [externalSponsors](externalsponsors.md), [targetManager](targetmanager.md) and [targetApplicationOwners](targetapplicationowners.md) types.
## Properties None.
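Review bot: The new intro says subjectSet is used in both entitlement management and role management policies, but the derived-type list that follows does not say which types are valid in each context. Types such as connectedOrganizationMembers, internalSponsors and externalSponsors read as entitlement management concepts; if role management policy approval rules accept only a subset, state that here so policy authors do not configure an approver type that will not resolve.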
v1.0 Ticketinfo https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/ticketinfo.md
+
+ Title: "ticketInfo resource type"
+description: "Represents ticket information related to role assignment and eligibility requests."
+
+ms.localizationpriority: medium
++
+# ticketInfo resource type
+
+Namespace: microsoft.graph
+
+Represents ticket information related to role assignment and eligibility requests. Use this object to define ticket parameters for a role assignment or eligibility request is initiated by another request made in an external system.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|ticketNumber|String|The ticket number.|
+|ticketSystem|String|The description of the ticket system.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.ticketInfo"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.ticketInfo",
+ "ticketNumber": "String",
+ "ticketSystem": "String"
+}
+```
+
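Review bot: The second sentence of the intro is ungrammatical: "for a role assignment or eligibility request is initiated by another request made in an external system" is missing "that" after "request". Suggest "Use this object to define ticket parameters for a role assignment or eligibility request that is initiated by another request made in an external system." The ticketSystem row says "The description of the ticket system"; clarify whether this is a free-text name or an identifier.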
v1.0 Unifiedapprovalstage https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedapprovalstage.md
+
+ Title: "unifiedApprovalStage resource type"
+description: "Defines the settings of the approval stages in a unifiedRoleManagementPolicyApprovalRule object."
+
+ms.localizationpriority: medium
++
+# unifiedApprovalStage resource type
+
+Namespace: microsoft.graph
+
+Defines the settings of the approval stages in a [unifiedRoleManagementPolicyApprovalRule](unifiedrolemanagementpolicyapprovalrule.md) object. Specifies the primary and escalation approvers of each stage and whether approvals and escalations are required.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|approvalStageTimeOutInDays|Int32| The number of days that a request can be pending a response before it is automatically denied. |
+|escalationApprovers|[subjectSet](../resources/subjectset.md) collection| The escalation approvers for this stage when the primary approvers don't respond.|
+|escalationTimeInMinutes|Int32|The time a request can be pending a response from a primary approver before it can be escalated to the escalation approvers.|
+|isApproverJustificationRequired|Boolean| Indicates whether the approver must provide justification for their reponse.|
+|isEscalationEnabled|Boolean| Indicates whether escalation if enabled.|
+|primaryApprovers|[subjectSet](../resources/subjectset.md) collection| The primary approvers of this stage.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.unifiedApprovalStage"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedApprovalStage",
+ "approvalStageTimeOutInDays": "Integer",
+ "isApproverJustificationRequired": "Boolean",
+ "escalationTimeInMinutes": "Integer",
+ "primaryApprovers": [
+ {
+ "@odata.type": "microsoft.graph.singleUser"
+ }
+ ],
+ "isEscalationEnabled": "Boolean",
+ "escalationApprovers": [
+ {
+ "@odata.type": "microsoft.graph.singleUser"
+ }
+ ]
+}
+```
+
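Review bot: Two typos in the Properties table: "reponse" in the isApproverJustificationRequired row should be "response", and "whether escalation if enabled" in the isEscalationEnabled row should be "whether escalation is enabled". The escalationTimeInMinutes description says "The time a request can be pending" without naming the unit, while approvalStageTimeOutInDays says "The number of days"; phrase it as "The number of minutes" so the two timeouts are not confused when setting approval policy.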
v1.0 Unifiedroleassignmentschedule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedroleassignmentschedule.md
+
+ Title: "unifiedRoleAssignmentSchedule resource type"
+description: "Represents a schedule for an active role assignment in your tenant."
+
+ms.localizationpriority: medium
++
+# unifiedRoleAssignmentSchedule resource type
+
+Namespace: microsoft.graph
+
+Represents a schedule for an active role assignment in your tenant and is used to instantiate a [unifiedRoleAssignmentScheduleInstance](unifiedroleassignmentscheduleinstance.md). The active assignment may have been made through [PIM assignments and activation requests](../api/rbacapplication-post-roleassignmentschedulerequests.md), or directly through the [role assignments API](../resources/unifiedroleassignment.md).
+
+Inherits from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md).
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleAssignmentSchedules](../api/rbacapplication-list-roleassignmentschedules.md)|[unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) collection|Get the schedules for active role assignment operations.|
+|[Get unifiedRoleAssignmentSchedule](../api/unifiedroleassignmentschedule-get.md)|[unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md)|Retrieve the schedule for an active role assignment operation.|
+|[filterByCurrentUser](../api/unifiedroleassignmentschedule-filterbycurrentuser.md)|[unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) collection|Retrieve the schedules for active role assignment operations for which the signed-in user is the principal.|
++
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|appScopeId|String|Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values). Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md).|
+|assignmentType|String|Type of the assignment which can either be `Assigned` or `Activated`. Supports `$filter` (`eq`, `ne`).|
+|createdDateTime|DateTimeOffset|When the schedule was created. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md).|
+|createdUsing|String|Identifier of the **unifiedRoleAssignmentScheduleRequest** object through which this schedule was created. Nullable. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values). Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md).|
+|id|String|The unique identifier for the **unifiedRoleAssignmentScheduleRequest** object. Supports `$filter` (`eq`). Inherited from [entity](../resources/entity.md).|
+|memberType|String|How the assignments is inherited. It can either be `Inherited`, `Direct`, or `Group`. It can further imply whether the **unifiedRoleAssignmentSchedule** can be managed by the caller. Supports `$filter` (`eq`, `ne`).|
+|modifiedDateTime|DateTimeOffset|When the schedule was last modified. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md).|
+|principalId|String|Identifier of the principal that has been granted the role assignment. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`).|
+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](unifiedroledefinition.md) object that is being assigned to the principal. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`).|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role assignment. It can represent a single occurrence or multiple recurrences.|
+|status|String|The status of the **unifiedRoleAssignmentScheduleRequest** object. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). The possible values are: `Canceled`, `Denied`, `Failed`, `Granted`, `PendingAdminDecision`, `PendingApproval`, `PendingProvisioning`, `PendingScheduleCreation`, `Provisioned`, `Revoked`, and `ScheduleCreated`. Not nullable. Supports `$filter` (`eq`, `ne`).|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|activatedUsing|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md)|If the request is from an eligible administrator to activate a role, this parameter will show the related eligible assignment for that activation. Otherwise, it is `null`. Supports `$expand`.|
+|appScope|[appScope](../resources/appscope.md)|Read-only property with details of the app-specific scope when the assignment is scoped to an app. Nullable. Supports `$expand`.|
+|directoryScope|[directoryObject](../resources/directoryobject.md)|The directory object that is the scope of the assignment. Read-only. Supports `$expand`.|
+|principal|[directoryObject](../resources/directoryobject.md)|The principal that's getting a role assignment through the request. Supports `$expand`.|
+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Detailed information for the roleDefinition object that is referenced through the **roleDefinitionId** property. Supports `$expand`.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentSchedule",
+ "baseType": "microsoft.graph.unifiedRoleScheduleBase",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignmentSchedule",
+ "id": "String (identifier)",
+ "principalId": "String",
+ "roleDefinitionId": "String",
+ "directoryScopeId": "String",
+ "appScopeId": "String",
+ "createdUsing": "String",
+ "createdDateTime": "String (timestamp)",
+ "modifiedDateTime": "String (timestamp)",
+ "status": "String",
+ "scheduleInfo": {
+ "@odata.type": "microsoft.graph.requestSchedule"
+ },
+ "assignmentType": "String",
+ "memberType": "String"
+}
+```
+
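Review bot: The id and status rows in the Properties table describe the wrong resource: both say "the **unifiedRoleAssignmentScheduleRequest** object" on a page for unifiedRoleAssignmentSchedule, and status lists the request status values. Correct the object name and confirm the value list applies to schedules. The scheduleInfo row says it "can represent a single occurrence or multiple recurrences", which conflicts with the requestSchedule page in this same change stating that recurrence is currently unsupported in PIM. Also fix "How the assignments is inherited" in the memberType row and remove the stray "++" line after the Methods table.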
v1.0 Unifiedroleassignmentscheduleinstance https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedroleassignmentscheduleinstance.md
+
+ Title: "unifiedRoleAssignmentScheduleInstance resource type"
+description: "Represents the instance for an active role assignment in your tenant."
+
+ms.localizationpriority: medium
++
+# unifiedRoleAssignmentScheduleInstance resource type
+
+Namespace: microsoft.graph
+
+Represents the instance for an active role assignment in your tenant. The active assignment may have been made through [PIM assignments and activation requests](../api/rbacapplication-post-roleassignmentschedulerequests.md), or directly through the [role assignments API](../resources/unifiedroleassignment.md).
+
+Inherits from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md).
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleAssignmentScheduleInstances](../api/rbacapplication-list-roleassignmentscheduleinstances.md)|[unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) collection|Get the instances of active role assignments.|
+|[Get unifiedRoleAssignmentScheduleInstance](../api/unifiedroleassignmentscheduleinstance-get.md)|[unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md)|Get the instance of an active role assignment.|
+|[filterByCurrentUser](../api/unifiedroleassignmentscheduleinstance-filterbycurrentuser.md)|[unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) collection|Get the instances of active role assignments for the calling principal.|
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|appScopeId|String|Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values). Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md).|
+|assignmentType|String|Type of the assignment which can either be `Assigned` or `Activated`. Supports `$filter` (`eq`, `ne`).|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values). Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md).|
+|endDateTime|DateTimeOffset| The end date of the schedule instance.|
+|id|String|The unique identifier for the **unifiedRoleAssignmentScheduleInstance** object. Inherited from [entity](../resources/entity.md).|
+|memberType|String|How the assignments is inherited. It can either be `Inherited`, `Direct`, or `Group`. It can further imply whether the **unifiedRoleAssignmentSchedule** can be managed by the caller. Supports `$filter` (`eq`, `ne`).|
+|principalId|String|Identifier of the principal that has been granted the role assignment. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$filter` (`eq`, `ne`). |
+|roleAssignmentOriginId|String|The identifier of the role assignment in Azure AD.|
+|roleAssignmentScheduleId|String|The identifier of the **unifiedRoleAssignmentSchedule** object from which this instance was created.|
+|roleDefinitionId|String|The identifier of the [unifiedRoleDefinition](unifiedroledefinition.md) object that is being assigned to the principal. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$filter` (`eq`, `ne`).|
+|startDateTime|DateTimeOffset|When this instance starts.|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|activatedUsing|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md)|If the request is from an eligible administrator to activate a role, this parameter will show the related eligible assignment for that activation. Otherwise, it is `null`. Supports `$expand`.|
+|appScope|[appScope](../resources/appscope.md)|Read-only property with details of the app-specific scope when the assignment is scoped to an app. Nullable. Supports `$expand`.|
+|directoryScope|[directoryObject](../resources/directoryobject.md)|The directory object that is the scope of the assignment. Read-only. Supports `$expand`.|
+|principal|[directoryObject](../resources/directoryobject.md)|The principal that's getting a role assignment through the request. Supports `$expand`.|
+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Detailed information for the roleDefinition object that is referenced through the **roleDefinitionId** property. Supports `$expand`.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentScheduleInstance",
+ "baseType": "microsoft.graph.unifiedRoleScheduleInstanceBase",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignmentScheduleInstance",
+ "id": "String (identifier)",
+ "principalId": "String",
+ "roleDefinitionId": "String",
+ "directoryScopeId": "String",
+ "appScopeId": "String",
+ "startDateTime": "String (timestamp)",
+ "endDateTime": "String (timestamp)",
+ "assignmentType": "String",
+ "memberType": "String",
+ "roleAssignmentOriginId": "String",
+ "roleAssignmentScheduleId": "String"
+}
+```
+
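Review bot: Several descriptions on this instance page are carried over from the schedule and request pages without adjustment. The memberType row says it implies whether "the **unifiedRoleAssignmentSchedule** can be managed by the caller" and has the grammar slip "How the assignments is inherited"; the principal and activatedUsing relationship rows refer to "the request" although an instance is not a request. Reword these for the instance resource. The endDateTime row should also say what value is returned for an assignment with no expiry, since reviewers use this field to find standing access.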
v1.0 Unifiedroleassignmentschedulerequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedroleassignmentschedulerequest.md
+
+ Title: "unifiedRoleAssignmentScheduleRequest resource type"
+description: "Represents a request for an active role assignment to a principal through PIM. The role assignment can be permanently active with or without an expiry date, or temporarily active after activation of an eligible assignment."
+
+ms.localizationpriority: medium
++
+# unifiedRoleAssignmentScheduleRequest resource type
+
+Namespace: microsoft.graph
+
+Represents a request for an active role assignment to a principal through PIM. The role assignment can be permanently active with or without an expiry date, or temporarily active after activation of an eligible assignment. Inherits from [request](../resources/request.md).
+
+For more information about PIM scenarios you can define through the **unifiedRoleAssignmentScheduleRequest** resource type, see [Overview of role management through the privileged identity management (PIM) API](privilegedidentitymanagementv3-overview.md).
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleAssignmentScheduleRequests](../api/rbacapplication-list-roleassignmentschedulerequests.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) collection| Retrieve the requests for active role assignments made through the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object.|
+|[Create unifiedRoleAssignmentScheduleRequest](../api/rbacapplication-post-roleassignmentschedulerequests.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md)|Create a request for an active and persistent role assignment or activate, deactivate, extend, or renew an eligible role assignment.|
+|[Get unifiedRoleAssignmentScheduleRequest](../api/unifiedroleassignmentschedulerequest-get.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md)|Retrieve a request for an active role assignment made through the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object.|
+|[cancel](../api/unifiedroleassignmentschedulerequest-cancel.md)|None| Cancel a request for an active role assignment. |
+|[filterByCurrentUser](../api/unifiedroleassignmentschedulerequest-filterbycurrentuser.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) collection| Retrieve the requests for active role assignments for a particular principal.|
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|action|unifiedRoleScheduleRequestActions|Represents the type of the operation on the role assignment request. The possible values are: `adminAssign`, `adminUpdate`, `adminRemove`, `selfActivate`, `selfDeactivate`, `adminExtend`, `adminRenew`, `selfExtend`, `selfRenew`, `unknownFutureValue`. <br/><ul><li>`adminAssign`: For administrators to assign roles to principals.</li><li>`adminRemove`: For administrators to remove principals from roles.</li><li> `adminUpdate`: For administrators to change existing role assignments.</li><li>`adminExtend`: For administrators to extend expiring assignments.</li><li>`adminRenew`: For administrators to renew expired assignments.</li><li>`selfActivate`: For principals to activate their assignments.</li><li>`selfDeactivate`: For principals to deactivate their active assignments.</li><li>`selfExtend`: For principals to request to extend their expiring assignments.</li><li>`selfRenew`: For principals to request to renew their expired assignments.</li></ul>|
+|approvalId|String|The identifier of the approval of the request. Inherited from [request](../resources/request.md).|
+|appScopeId|String|Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|completedDateTime|DateTimeOffset|The request completion date time. Inherited from [request](../resources/request.md).|
+|createdBy|[identitySet](../resources/identityset.md)|The principal that created this request. Inherited from [request](../resources/request.md). Read-only. Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|createdDateTime|DateTimeOffset|The request creation date time. Inherited from [request](../resources/request.md). Read-only.|
+|customData|String|Free text field to define any custom data for the request. Not used. Inherited from [request](../resources/request.md).|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|id|String|The unique identifier for the **unifiedRoleAssignmentScheduleRequest** object. Key, not nullable, Read-only. Inherited from [entity](../resources/entity.md). Supports `$filter` (`eq`, `ne`).|
+|isValidationOnly|Boolean|Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.|
+|justification|String|A message provided by users and administrators when create they create the **unifiedRoleAssignmentScheduleRequest** object.|
+|principalId|String|Identifier of the principal that has been granted the assignment. Supports `$filter` (`eq`, `ne`).|
+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](unifiedroledefinition.md) object that is being assigned to the principal. Supports `$filter` (`eq`, `ne`).|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role assignment. Recurring schedules are currently unsupported.|
+|status|String|The status of the role assignment request. Inherited from [request](../resources/request.md). Read-only. Supports `$filter` (`eq`, `ne`).|
+|targetScheduleId|String|Identifier of the schedule object that's linked to the assignment request. Supports `$filter` (`eq`, `ne`).|
+|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|Ticket details linked to the role assignment request including details of the ticket number and ticket system.|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|activatedUsing|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md)|If the request is from an eligible administrator to activate a role, this parameter will show the related eligible assignment for that activation. Otherwise, it's `null`. Supports `$expand`.|
+|appScope|[appScope](../resources/appscope.md)| Read-only property with details of the app-specific scope when the assignment is scoped to an app. Nullable. Supports `$expand`.|
+|directoryScope|[directoryObject](../resources/directoryobject.md)|The directory object that is the scope of the assignment. Read-only. Supports `$expand`.|
+|principal|[directoryObject](../resources/directoryobject.md)|The principal that's getting a role assignment through the request. Supports `$expand`.|
+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)| Detailed information for the [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object that is referenced through the **roleDefinitionId** property. Supports `$expand`.|
+|targetSchedule|[unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md)|The schedule for an eligible role assignment that is referenced through the **targetScheduleId** property. Supports `$expand`.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentScheduleRequest",
+ "baseType": "microsoft.graph.request",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignmentScheduleRequest",
+ "id": "String (identifier)",
+ "status": "String",
+ "completedDateTime": "String (timestamp)",
+ "createdDateTime": "String (timestamp)",
+ "approvalId": "String",
+ "customData": "String",
+ "createdBy": {
+ "@odata.type": "microsoft.graph.identitySet"
+ },
+ "action": "String",
+ "principalId": "String",
+ "roleDefinitionId": "String",
+ "directoryScopeId": "String",
+ "appScopeId": "String",
+ "isValidationOnly": "Boolean",
+ "targetScheduleId": "String",
+ "justification": "String",
+ "scheduleInfo": {
+ "@odata.type": "microsoft.graph.requestSchedule"
+ },
+ "ticketInfo": {
+ "@odata.type": "microsoft.graph.ticketInfo"
+ }
+}
+```
+
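Review bot: In the Properties table, the `justification` row reads "when create they create the **unifiedRoleAssignmentScheduleRequest** object"; drop the stray "create" so it reads "when they create". In the Relationships table, `activatedUsing` is described as "this parameter" where "this relationship" is meant, and the `targetSchedule` row calls a unifiedRoleAssignmentSchedule "the schedule for an eligible role assignment", which blurs the assignment and eligibility resources; please confirm the intended wording.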
v1.0 Unifiedroleeligibilityschedule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedroleeligibilityschedule.md
+
+ Title: "unifiedRoleEligibilitySchedule resource type"
+description: "Represents a schedule for a role eligibility in your tenant."
+
+ms.localizationpriority: medium
++
+# unifiedRoleEligibilitySchedule resource type
+
+Namespace: microsoft.graph
+
+Represents a schedule for a role eligibility in your tenant and is used to instantiate a [unifiedRoleEligibilityScheduleInstance](unifiedroleeligibilityscheduleinstance.md).
++
+Inherits from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md).
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleEligibilitySchedules](../api/rbacapplication-list-roleeligibilityschedules.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) collection|Get the schedules for role eligibility operations.|
+|[Get unifiedRoleEligibilitySchedule](../api/unifiedroleeligibilityschedule-get.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md)|Retrieve the schedule for a role eligibility operation.|
+|[filterByCurrentUser](../api/unifiedroleeligibilityschedule-filterbycurrentuser.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) collection|Retrieve the schedules for role eligibilities for which the signed-in user is the principal.|
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|appScopeId|String|Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|createdDateTime|DateTimeOffset|When the schedule was created. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md).|
+|createdUsing|String|Identifier of the object through which this schedule was created. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|id|String|The unique identifier for the schedule object. Inherited from [entity](../resources/entity.md). Supports `$filter` (`eq`).|
+|memberType|String|How the role eligibility is inherited. It can either be `Inherited`, `Direct`, or `Group`. It can further imply whether the **unifiedRoleEligibilitySchedule** can be managed by the caller. Supports `$filter` (`eq`, `ne`).|
+|modifiedDateTime|DateTimeOffset|When the schedule was last modified. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md).|
+|principalId|String|Identifier of the principal that is eligible for a role.Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`).|
+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](unifiedroledefinition.md) object that a principal is eligible for. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md).|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role eligibility.|
+|status|String|The status of the role eligibility request. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). The possible values are: `Canceled`, `Denied`, `Failed`, `Granted`, `PendingAdminDecision`, `PendingApproval`, `PendingProvisioning`, `PendingScheduleCreation`, `Provisioned`, `Revoked`, and `ScheduleCreated`. Not nullable. Supports `$filter` (`eq`, `ne`).|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|appScope|[appScope](../resources/appscope.md)|Read-only property with details of the app-specific scope when the role eligibility is scoped to an app. Nullable. Supports `$expand`.|
+|directoryScope|[directoryObject](../resources/directoryobject.md)|The directory object that is the scope of the role eligibility. Read-only. Supports `$expand`.|
+|principal|[directoryObject](../resources/directoryobject.md)|The principal that's eligible for a role through the request. Supports `$expand`.|
+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Detailed information for the roleDefinition object that is referenced through the **roleDefinitionId** property. Supports `$expand`.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilitySchedule",
+ "baseType": "microsoft.graph.unifiedRoleScheduleBase",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleEligibilitySchedule",
+ "id": "String (identifier)",
+ "principalId": "String",
+ "roleDefinitionId": "String",
+ "directoryScopeId": "String",
+ "appScopeId": "String",
+ "createdUsing": "String",
+ "createdDateTime": "String (timestamp)",
+ "modifiedDateTime": "String (timestamp)",
+ "status": "String",
+ "scheduleInfo": {
+ "@odata.type": "microsoft.graph.requestSchedule"
+ },
+ "memberType": "String"
+}
+```
+
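Review bot: The `status` row in the Properties table describes "the status of the role eligibility request" and lists request states such as `PendingApproval` and `Denied`, but this page documents the schedule, not the request; either say which of those values a schedule can hold or reword the row to refer to the schedule. The `principalId` row is also missing a space in "role.Inherited", and `roleDefinitionId` is the only ID row without a `$filter` statement, so state explicitly whether filtering on it is supported, since filtering by role is the obvious way to list who is eligible for a given privileged role.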
v1.0 Unifiedroleeligibilityscheduleinstance https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedroleeligibilityscheduleinstance.md
+
+ Title: "unifiedRoleEligibilityScheduleInstance resource type"
+description: "Represents the instance for a role eligibility in your tenant."
+
+ms.localizationpriority: medium
++
+# unifiedRoleEligibilityScheduleInstance resource type
+
+Namespace: microsoft.graph
+
+Represents the instance for a role eligibility in your tenant.
+
+Inherits from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md).
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleEligibilityScheduleInstances](../api/rbacapplication-list-roleeligibilityscheduleinstances.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) collection|Get the instances of role eligibilities.|
+|[Get unifiedRoleEligibilityScheduleInstance](../api/unifiedroleeligibilityscheduleinstance-get.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md)|Get the instance of a role eligibility.|
+|[filterByCurrentUser](../api/unifiedroleeligibilityscheduleinstance-filterbycurrentuser.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) collection|Get the instances of eligible roles for the calling principal.|
++
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|appScopeId|String|Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of the role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the role eligibility. The scope of the role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|endDateTime|DateTimeOffset|The end date of the schedule instance.|
+|id|String|The unique identifier for the schedule object. Inherited from [entity](../resources/entity.md).|
+|memberType|String|How the role eligibility is inherited. It can either be `Inherited`, `Direct`, or `Group`. It can further imply whether the **unifiedRoleEligibilitySchedule** can be managed by the caller. Supports `$filter` (`eq`, `ne`).|
+|principalId|String|Identifier of the principal that's eligible for a role. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$filter` (`eq`, `ne`). |
+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](unifiedroledefinition.md) object that the principal is eligible for. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$filter` (`eq`, `ne`).|
+|roleEligibilityScheduleId|String|The identifier of the **unifiedRoleEligibilitySchedule** object from which this instance was created.|
+|startDateTime|DateTimeOffset|When this instance starts.|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|appScope|[appScope](../resources/appscope.md)|Read-only property with details of the app-specific scope when the role eligibility is scoped to an app. Nullable. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$expand`.|
+|directoryScope|[directoryObject](../resources/directoryobject.md)|The directory object that is the scope of the role eligibility. Read-only. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$expand`.|
+|principal|[directoryObject](../resources/directoryobject.md)|The principal that's getting a role eligibility through the request. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$expand`.|
+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Detailed information for the roleDefinition object that is referenced through the **roleDefinitionId** property. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$expand`.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilityScheduleInstance",
+ "baseType": "microsoft.graph.unifiedRoleScheduleInstanceBase",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleEligibilityScheduleInstance",
+ "id": "String (identifier)",
+ "principalId": "String",
+ "roleDefinitionId": "String",
+ "directoryScopeId": "String",
+ "appScopeId": "String",
+ "startDateTime": "String (timestamp)",
+ "endDateTime": "String (timestamp)",
+ "memberType": "String",
+ "roleEligibilityScheduleId": "String"
+}
+```
+
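Review bot: The `memberType` row in the Properties table says it can imply whether the **unifiedRoleEligibilitySchedule** can be managed by the caller, and the `id` row calls this "the schedule object"; both look copied from the schedule page and should name the unifiedRoleEligibilityScheduleInstance. The `startDateTime`, `endDateTime` and `roleEligibilityScheduleId` rows carry no `$filter` statement while the neighbouring rows do, so it would help to say whether they can be filtered, for example to find eligibilities that are about to expire.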
v1.0 Unifiedroleeligibilityschedulerequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedroleeligibilityschedulerequest.md
+
+ Title: "unifiedRoleEligibilityScheduleRequest resource type"
+description: "Represents a request for a role eligibility for a principal through PIM. The role eligibility can be permanently eligible without an expiry date or temporarily eligible with an expiry date."
+
+ms.localizationpriority: medium
++
+# unifiedRoleEligibilityScheduleRequest resource type
+
+Namespace: microsoft.graph
+
+Represents a request for a role eligibility for a principal through PIM. The role eligibility can be permanently eligible without an expiry date or temporarily eligible with an expiry date. Inherits from [request](../resources/request.md).
+
+For more information about PIM scenarios you can define through the **unifiedRoleEligibilityScheduleRequest** resource type, see [Overview of role management through the privileged identity management (PIM) API](privilegedidentitymanagementv3-overview.md).
+
+> [!NOTE]
+> To activate an eligible role assignment, use the [Create unifiedRoleAssignmentScheduleRequest](../api/rbacapplication-post-roleassignmentschedulerequests.md) API.
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleEligibilityScheduleRequests](../api/rbacapplication-list-roleeligibilityschedulerequests.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) collection|Retrieve the requests for role eligibilities for principals made through the unifiedRoleEligibilityScheduleRequest object.|
+|[Create unifiedRoleEligibilityScheduleRequest](../api/rbacapplication-post-roleeligibilityschedulerequests.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md)|Request for a role eligibility for a principal through the unifiedRoleEligibilityScheduleRequest object.|
+|[Get unifiedRoleEligibilityScheduleRequest](../api/unifiedroleeligibilityschedulerequest-get.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md)|Read the details of a request for a role eligibility request made through the unifiedRoleEligibilityScheduleRequest object.|
+|[filterByCurrentUser](../api/unifiedroleeligibilityschedulerequest-filterbycurrentuser.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) collection|In PIM, retrieve the requests for role eligibilities for a particular principal. The principal can be the creator or approver of the unifiedRoleEligibilityScheduleRequest object, or they can be the target of the role eligibility.|
+|[cancel](../api/unifiedroleeligibilityschedulerequest-cancel.md)|None|Immediately cancel a **unifiedRoleEligibilityScheduleRequest** object whose status is `Granted` and have the system automatically delete the canceled request after 30 days.|
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|action|unifiedRoleScheduleRequestActions|Represents the type of operation on the role eligibility request. The possible values are: `adminAssign`, `adminUpdate`, `adminRemove`, `selfActivate`, `selfDeactivate`, `adminExtend`, `adminRenew`, `selfExtend`, `selfRenew`, `unknownFutureValue`. <br/><ul><li>`adminAssign`: For administrators to assign eligible roles to principals.</li><li>`adminRemove`: For administrators to remove eligible roles from principals.</li><li> `adminUpdate`: For administrators to change existing role eligibilities.</li><li>`adminExtend`: For administrators to extend expiring role eligibilities.</li><li>`adminRenew`: For administrators to renew expired eligibilities.</li><li>`selfActivate`: For users to activate their assignments.</li><li>`selfDeactivate`: For users to deactivate their active assignments.</li><li>`selfExtend`: For users to request to extend their expiring assignments.</li><li>`selfRenew`: For users to request to renew their expired assignments.</li></ul>|
+|approvalId|String|The identifier of the approval of the request. Inherited from [request](../resources/request.md).|
+|appScopeId|String|Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|completedDateTime|DateTimeOffset|The request completion date time. Inherited from [request](../resources/request.md).|
+|createdBy|[identitySet](../resources/identityset.md)|The principal that created this request. Inherited from [request](../resources/request.md).|
+|createdDateTime|DateTimeOffset|The request creation date time. Inherited from [request](../resources/request.md).|
+|customData|String|Free text field to define any custom data for the request. Not used. Inherited from [request](../resources/request.md).|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values).|
+|id|String|The unique identifier for the **unifiedRoleEligibilityScheduleRequest** object. Key, not nullable, Read-only. Inherited from [entity](../resources/entity.md).|
+|isValidationOnly|Boolean|Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.|
+|justification|String|A message provided by users and administrators when create they create the **unifiedRoleEligibilityScheduleRequest** object.|
+|principalId|String|Identifier of the principal that has been granted the role eligibility. Supports `$filter` (`eq`, `ne`).|
+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](unifiedroledefinition.md) object that is being assigned to the principal. Supports `$filter` (`eq`, `ne`).|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role eligibility. Recurring schedules are currently unsupported.|
+|status|String|The status of the role eligibility request. Inherited from [request](../resources/request.md). Read-only. Supports `$filter` (`eq`, `ne`).|
+|targetScheduleId|String|Identifier of the schedule object that's linked to the eligibility request. Supports `$filter` (`eq`, `ne`).|
+|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|Ticket details linked to the role eligibility request including details of the ticket number and ticket system. Optional.|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|appScope|[appScope](../resources/appscope.md)| Read-only property with details of the app-specific scope when the role eligibility is scoped to an app. Nullable. Supports `$expand`.|
+|directoryScope|[directoryObject](../resources/directoryobject.md)|The directory object that is the scope of the role eligibility. Read-only. Supports `$expand`.|
+|principal|[directoryObject](../resources/directoryobject.md)|The principal that's getting a role eligibility through the request. Supports `$expand`.|
+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)| Detailed information for the [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object that is referenced through the **roleDefinitionId** property. Supports `$expand`.|
+|targetSchedule|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md)|The schedule for a role eligibility that is referenced through the **targetScheduleId** property. Supports `$expand`.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilityScheduleRequest",
+ "baseType": "microsoft.graph.request",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleEligibilityScheduleRequest",
+ "id": "String (identifier)",
+ "status": "String",
+ "completedDateTime": "String (timestamp)",
+ "createdDateTime": "String (timestamp)",
+ "approvalId": "String",
+ "customData": "String",
+ "createdBy": {
+ "@odata.type": "microsoft.graph.identitySet"
+ },
+ "action": "String",
+ "principalId": "String",
+ "roleDefinitionId": "String",
+ "directoryScopeId": "String",
+ "appScopeId": "String",
+ "isValidationOnly": "Boolean",
+ "targetScheduleId": "String",
+ "justification": "String",
+ "scheduleInfo": {
+ "@odata.type": "microsoft.graph.requestSchedule"
+ },
+ "ticketInfo": {
+ "@odata.type": "microsoft.graph.ticketInfo"
+ }
+}
+```
+
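Review bot: The `action` row lists `selfActivate` and `selfDeactivate` as "For users to activate their assignments" and "deactivate their active assignments", yet the NOTE near the top of this page says activation goes through Create unifiedRoleAssignmentScheduleRequest; state which action values are actually accepted on an eligibility request so readers do not send activation calls to the wrong resource. The `isValidationOnly` row has the same problem ("whether an activation is subject to additional rules like MFA"), and the `justification` row repeats the "when create they create" typo.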
v1.0 Unifiedrolemanagementpolicy https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicy.md
+
+ Title: "unifiedRoleManagementPolicy resource type"
+description: "Specifies the various policies associated with scopes and roles."
+
+ms.localizationpriority: medium
++
+# unifiedRoleManagementPolicy resource type
+
+Namespace: microsoft.graph
+
+Specifies the various policies associated with scopes and roles. For policies that apply to Azure RBAC, use the [Azure REST PIM API for role management policies](/rest/api/authorization/role-management-policies).
+
+Currently, all policies and associated rules are read-only.
+
+Inherits from [entity](../resources/entity.md).
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleManagementPolicies](../api/policyroot-list-rolemanagementpolicies.md)|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) collection|Get role management policies and their details.|
+|[Get unifiedRoleManagementPolicy](../api/unifiedrolemanagementpolicy-get.md)|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md)|Retrieve the details of a role management policy.|
+|[List rules](../api/unifiedrolemanagementpolicy-list-rules.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) collection|Get the rules defined for a role management policy.|
+|[Get unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-get.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md)|Retrieve a rule defined for a role management policy.|
++
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+|description|String|Description for the policy.|
+|displayName|String|Display name for the policy.|
+|id|String|Unique identifier for the policy.|
+|isOrganizationDefault|Boolean|This can only be set to `true` for a single tenant-wide policy which will apply to all scopes and roles. Set the scopeId to `/` and scopeType to `Directory`. Supports `$filter` (`eq`, `ne`).|
+|lastModifiedBy|[identity](../resources/identity.md)|The identity who last modified the role setting.|
+|lastModifiedDateTime|DateTimeOffset|The time when the role setting was last modified.|
+|scopeId|String|The identifier of the scope where the policy is created. Can be `/` for the tenant or a group ID. Required.|
+|scopeType|String|The type of the scope where the policy is created. One of `Directory`, `DirectoryRole`. Required.|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|effectiveRules|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) collection| The list of effective rules like approval rules and expiration rules evaluated based on inherited referenced rules. For example, if there is a tenant-wide policy to enforce enabling an approval rule, the effective rule will be to enable approval even if the policy has a rule to disable approval. Supports `$expand`.|
+|rules|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) collection|The collection of rules like approval rules and expiration rules. Supports `$expand`.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicy",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicy",
+ "id": "String (identifier)",
+ "displayName": "String",
+ "description": "String",
+ "isOrganizationDefault": "Boolean",
+ "scopeId": "String",
+ "scopeType": "String",
+ "lastModifiedDateTime": "String (timestamp)",
+ "lastModifiedBy": {
+ "@odata.type": "microsoft.graph.identity"
+ }
+}
+```
+
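Review bot: The introduction states "Currently, all policies and associated rules are read-only", but the Properties table says `isOrganizationDefault` "can only be set to `true` for a single tenant-wide policy" and marks `scopeId` and `scopeType` as "Required", which only makes sense for a writable resource; reconcile the two, or mark the properties read-only. The `scopeId` row also allows "a group ID" while `scopeType` is limited to `Directory` and `DirectoryRole`, so it is unclear which scope type a group ID would pair with.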
v1.0 Unifiedrolemanagementpolicyapprovalrule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicyapprovalrule.md
+
+ Title: "unifiedRoleManagementPolicyApprovalRule resource type"
+description: "A type derived from the unifiedRoleManagementPolicyRule resource type that defines rules for approving a role assignment."
+
+ms.localizationpriority: medium
++
+# unifiedRoleManagementPolicyApprovalRule resource type
+
+Namespace: microsoft.graph
+
+A type derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) resource type that defines rules for approving a role assignment.
+
+## Methods
+
+None.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|id|String|Identifier for the rule. Inherited from [entity](../resources/entity.md).|
+|setting|[approvalSettings](../resources/approvalsettings.md)|The settings for approval of the role assignment.|
+|target|[unifiedRoleManagementPolicyRuleTarget](../resources/unifiedrolemanagementpolicyruletarget.md)|Defines details of the scope that's targeted by the approval rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md). Supports `$filter` (`eq`, `ne`).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
+ "baseType": "microsoft.graph.unifiedRoleManagementPolicyRule",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
+ "id": "String (identifier)",
+ "target": {
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
+ },
+ "setting": {
+ "@odata.type": "microsoft.graph.approvalSettings"
+ }
+}
+```
+
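Review bot: "Methods: None" leaves no pointer to how this rule is read, although the unifiedRoleManagementPolicy page in the same change lists "List rules" and "Get unifiedRoleManagementPolicyRule"; add a sentence linking to those so readers can find where approval requirements are retrieved. The `setting` row ("The settings for approval of the role assignment") would also benefit from one clause on what approvalSettings controls, since this is the rule that decides whether an activation needs an approver.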
v1.0 Unifiedrolemanagementpolicyassignment https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicyassignment.md
+
+ Title: "unifiedRoleManagementPolicyAssignment resource type"
+description: "The assignment of a role management policy to a role definition object."
+
+ms.localizationpriority: medium
++
+# unifiedRoleManagementPolicyAssignment resource type
+
+Namespace: microsoft.graph
+
+The assignment of a role management policy to a [role definition](../resources/unifiedroledefinition.md) object.
+
+Inherits from [entity](../resources/entity.md).
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleManagementPolicyAssignments](../api/policyroot-list-rolemanagementpolicyassignments.md)|[unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) collection|Get a list of the [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) objects and their properties.|
+|[Get unifiedRoleManagementPolicyAssignment](../api/unifiedrolemanagementpolicyassignment-get.md)|[unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md)|Read the properties and relationships of an [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) object.|
+
+<!--
+|[Create unifiedRoleManagementPolicyAssignment](../api/policyroot-post-rolemanagementpolicyassignments.md)|[unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md)|Create a new [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) object.|
+|[Update unifiedRoleManagementPolicyAssignment](../api/unifiedrolemanagementpolicyassignment-update.md)|[unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md)|Update the properties of an [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) object.|
+|[Delete unifiedRoleManagementPolicyAssignment](../api/unifiedrolemanagementpolicyassignment-delete.md)|None|Deletes an [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) object.|
+|[List unifiedRoleManagementPolicy](../api/unifiedrolemanagementpolicyassignment-list-policy.md)|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) collection|Get the unifiedRoleManagementPolicy resources from the policy navigation property.|
+|[Add unifiedRoleManagementPolicy](../api/unifiedrolemanagementpolicyassignment-post-policy.md)|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md)|Add policy by posting to the policy collection.|
+-->
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+|id|String|Unique identifier for the policy assignment. The ID is typically a concatenation of the **unifiedRoleManagementPolicy** ID and the **roleDefinitionId** separated by an underscore.|
+|policyId|String|The id of the policy. Inherited from [entity](../resources/entity.md).|
+|roleDefinitionId|String|The identifier of the [role definition](unifiedroledefinition.md) object where the policy applies. If not specified, the policy applies to all roles. Supports $filter (`eq`).|
+|scopeId|String|The identifier of the scope where the policy is assigned. Can be `/` for the tenant or a group ID. Required.|
+|scopeType|String|The type of the scope where the policy is assigned. One of `Directory`, `DirectoryRole`. Required.|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|policy|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md)| The policy that's associated with a policy assignment. Supports `$expand` and a nested `$expand` of the **rules** and **effectiveRules** relationships for the policy.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyAssignment",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAssignment",
+ "id": "String (identifier)",
+ "policyId": "String",
+ "scopeId": "String",
+ "scopeType": "String",
+ "roleDefinitionId": "String"
+}
+```
+
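Review bot: In the Properties table, the `policyId` row carries "Inherited from [entity]" while the `id` row does not, which looks swapped. The resource block declares `"baseType": "microsoft.graph.entity"`, and the other resource pages in this change attach the inherited note to `id`. Suggest moving that sentence to the `id` row and describing `policyId` as the ID of the linked **unifiedRoleManagementPolicy**.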
v1.0 Unifiedrolemanagementpolicyauthenticationcontextrule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicyauthenticationcontextrule.md
+
+ Title: "unifiedRoleManagementPolicyAuthenticationContextRule resource type"
+description: "A type derived from the unifiedRoleManagementPolicyRule resource type that defines the authentication context rule for the conditional access policy associated with a role management policy."
+
+ms.localizationpriority: medium
++
+# unifiedRoleManagementPolicyAuthenticationContextRule resource type
+
+Namespace: microsoft.graph
+
+A type derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) resource type that defines the authentication context rule for the conditional access policy associated with a role management policy.
+
+## Methods
+
+None.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|claimValue|String|The value of the authentication context claim.|
+|id|String|Identifier for the rule. Inherited from [entity](../resources/entity.md).|
+|isEnabled|Boolean| Whether this rule is enabled.|
+|target|[unifiedRoleManagementPolicyRuleTarget](../resources/unifiedrolemanagementpolicyruletarget.md)|Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md). Supports `$filter` (`eq`, `ne`).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
+ "baseType": "microsoft.graph.unifiedRoleManagementPolicyRule",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
+ "id": "String (identifier)",
+ "target": {
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
+ },
+ "isEnabled": "Boolean",
+ "claimValue": "String"
+}
+```
+
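Review bot: The `target` row in the Properties table says "targeted by the enablement rule", which reads as copied from the enablement rule page. On this resource it should say "targeted by the authentication context rule". The page also omits the "Inherits from unifiedRoleManagementPolicyRule" line that the notification rule page includes; adding it would keep the derived types consistent.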
v1.0 Unifiedrolemanagementpolicyenablementrule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicyenablementrule.md
+
+ Title: "unifiedRoleManagementPolicyEnablementRule resource type"
+description: "A type derived from the unifiedRoleManagementPolicyRule resource type that defines the rules to enable the assignment, for example, enable MFA, justification on assignments or ticketing information."
+
+ms.localizationpriority: medium
++
+# unifiedRoleManagementPolicyEnablementRule resource type
+
+Namespace: microsoft.graph
+
+A type derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) resource type that defines the rules to enable the assignment, for example, enable MFA, justification on assignments or ticketing information.
+
+## Methods
+
+None.
++
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|enabledRules|String collection|The collection of rules that are enabled for this policy rule. For example, `MultiFactorAuthentication`, `Ticketing`, and `Justification`.|
+|id|String|Identifier for the rule. Inherited from [entity](../resources/entity.md).|
+|target|[unifiedRoleManagementPolicyRuleTarget](../resources/unifiedrolemanagementpolicyruletarget.md)|Defines details of the scope that's targeted by the enablement rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md). Supports `$filter` (`eq`, `ne`).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "baseType": "microsoft.graph.unifiedRoleManagementPolicyRule",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
+ "id": "String (identifier)",
+ "target": {
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
+ },
+ "enabledRules": [
+ "String"
+ ]
+}
+```
+
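Review bot: The `enabledRules` row introduces its values with "For example", so a reader cannot tell whether `MultiFactorAuthentication`, `Ticketing`, and `Justification` are the complete set. Since this collection decides whether MFA or a justification is required, suggest stating the full list of allowed values and what an empty collection means for the targeted operation.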
v1.0 Unifiedrolemanagementpolicyexpirationrule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicyexpirationrule.md
+
+ Title: "unifiedRoleManagementPolicyExpirationRule resource type"
+description: "A type derived from the unifiedRoleManagementPolicyRule resource type that defines the maximum duration a role can be assigned to a principal (either through direct assignment or through activation of eligibility).."
+
+ms.localizationpriority: medium
++
+# unifiedRoleManagementPolicyExpirationRule resource type
+
+Namespace: microsoft.graph
+
+A type derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) resource type that defines the maximum duration a role can be assigned to a principal (either through direct assignment or through activation of eligibility).
+
+## Methods
+
+None.
++
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|id|String|Identifier for the rule. Inherited from [entity](../resources/entity.md).|
+|isExpirationRequired|Boolean|Indicates whether expiration is required or if it's a permanently active assignment or eligibility. |
+|maximumDuration|Duration| The maximum duration allowed for eligibility or assignment which is not permanent. Required when **isExpirationRequired** is `true`. |
+|target|[unifiedRoleManagementPolicyRuleTarget](../resources/unifiedrolemanagementpolicyruletarget.md)|Defines details of the scope that's targeted by the expiration rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md). Supports `$filter` (`eq`, `ne`).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "baseType": "microsoft.graph.unifiedRoleManagementPolicyRule",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
+ "id": "String (identifier)",
+ "target": {
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
+ },
+ "isExpirationRequired": "Boolean",
+ "maximumDuration": "String (duration)"
+}
+```
+
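Review bot: The front-matter `description` ends with a doubled period ("activation of eligibility).."), which will show up in search snippets; drop one. In the Properties table, `maximumDuration` is typed as Duration with no format or sample value, and the row does not say how the value is treated when **isExpirationRequired** is `false`. A short example value and that one sentence would remove the guesswork.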
v1.0 Unifiedrolemanagementpolicynotificationrule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicynotificationrule.md
+
+ Title: "unifiedRoleManagementPolicyNotificationRule resource type"
+description: "A type derived from the unifiedRoleManagementPolicyRule resource type that defines the email notification rules for role assignments, activations, and approvals."
+
+ms.localizationpriority: medium
++
+# unifiedRoleManagementPolicyNotificationRule resource type
+
+Namespace: microsoft.graph
+
+A type derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) resource type that defines the email notification rules for role assignments, activations, and approvals.
+
+Inherits from [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md).
+
+## Methods
+
+None.
++
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|id|String|Identifier for the rule. Inherited from [entity](../resources/entity.md).|
+|isDefaultRecipientsEnabled|Boolean|Indicates whether a default recipient will receive the notification email.|
+|notificationLevel|String|The level of notification. The possible values are `None`, `Critical`, `All`.|
+|notificationRecipients|String collection|The list of recipients of the email notifications.|
+|notificationType|String|The type of notification. Only `Email` is supported.|
+|recipientType|String|The type of recipient of the notification. The possible values are `Requestor`, `Approver`, `Admin`.|
+|target|[unifiedRoleManagementPolicyRuleTarget](../resources/unifiedrolemanagementpolicyruletarget.md)|Defines details of the scope that's targeted by the notification rule. The details can include the principal type, the role assignment type, and actions affecting a role. Inherited from [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md). Supports `$filter` (`eq`, `ne`).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "baseType": "microsoft.graph.unifiedRoleManagementPolicyRule",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
+ "id": "String (identifier)",
+ "target": {
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
+ },
+ "notificationType": "String",
+ "recipientType": "String",
+ "notificationLevel": "String",
+ "isDefaultRecipientsEnabled": "Boolean",
+ "notificationRecipients": [
+ "String"
+ ]
+}
+```
+
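Review bot: In the Properties table, `notificationRecipients` is described only as "The list of recipients" without saying what each string holds, and its relationship to `isDefaultRecipientsEnabled` is not stated. Suggest documenting the expected entry format and whether the listed recipients are notified in addition to, or instead of, the default recipient when that flag is `true`.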
v1.0 Unifiedrolemanagementpolicyrule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicyrule.md
+
+ Title: "unifiedRoleManagementPolicyRule resource type"
+description: "An abstract type that defines the rules associated with role management policies."
+
+ms.localizationpriority: medium
++
+# unifiedRoleManagementPolicyRule resource type
+
+Namespace: microsoft.graph
++
+An abstract type that defines the rules associated with role management policies. This abstract type is inherited by the following resources that define the various types of rules and their settings associated with role management policies.
++ [unifiedRoleManagementPolicyApprovalRule](unifiedrolemanagementpolicyapprovalrule.md)++ [unifiedRoleManagementPolicyAuthenticationContextRule](unifiedrolemanagementpolicyauthenticationcontextrule.md)++ [unifiedRoleManagementPolicyEnablementRule](unifiedrolemanagementpolicyenablementrule.md)++ [unifiedRoleManagementPolicyExpirationRule](unifiedrolemanagementpolicyexpirationrule.md)++ [unifiedRoleManagementPolicyNotificationRule](unifiedrolemanagementpolicynotificationrule.md)++
+Inherits from [entity](../resources/entity.md).
+
+## Methods
+
+None.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|id|String|Identifier for the rule. Inherited from [entity](../resources/entity.md). Read-only.|
+|target|[unifiedRoleManagementPolicyRuleTarget](../resources/unifiedrolemanagementpolicyruletarget.md)| **Not implemented.** Defines details of scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role. Supports `$filter` (`eq`, `ne`).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRule",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyRule",
+ "id": "String (identifier)",
+ "target": {
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
+ }
+}
+```
+
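Review bot: The `target` row here is marked "**Not implemented.**", but the derived rule pages in this same change document `target` as inherited from this type and filterable, with no such caveat. Suggest either repeating the "Not implemented" note on the derived types or removing it here, so readers do not rely on a scope restriction that has no effect.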
v1.0 Unifiedrolemanagementpolicyruletarget https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicyruletarget.md
+
+ Title: "unifiedRoleManagementPolicyRuleTarget resource type"
+description: "Defines details of the scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role."
+
+ms.localizationpriority: medium
++
+# unifiedRoleManagementPolicyRuleTarget resource type
+
+Namespace: microsoft.graph
+
+Defines details of the scope that's targeted by role management policy rule. The details can include the principal type, the role assignment type, and actions affecting a role.
+
+## Properties
+
+|Property|Type|Description|
+|:|:|:|
+|caller|String|The type of caller that's the target of the policy rule. Allowed values are: `None`, `Admin`, `EndUser`.|
+|enforcedSettings|String collection|The list of role settings that are enforced and cannot be overridden by child scopes. Use `All` for all settings.|
+|inheritableSettings|String collection|The list of role settings that can be inherited by child scopes. Use `All` for all settings.|
+|level|String|The role assignment type that's the target of policy rule. Allowed values are: `Eligibility`, `Assignment`. |
+|operations|String collection|The role management operations that are the target of the policy rule. Allowed values are: `All`, `Activate`, `Deactivate`, `Assign`, `Update`, `Remove`, `Extend`, `Renew`.|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|targetObjects|[directoryObject](../resources/directoryobject.md) collection| The collection of users, groups, and service principals that are in scope of the policy. If not specified, all objects are in scope of the policy.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyRuleTarget",
+ "caller": "String",
+ "operations": [
+ "String"
+ ],
+ "level": "String",
+ "inheritableSettings": [
+ "String"
+ ],
+ "enforcedSettings": [
+ "String"
+ ]
+}
+```
+
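Review bot: The `enforcedSettings` and `inheritableSettings` rows only say "Use `All` for all settings" and never name the individual setting values that are accepted, unlike `caller`, `level`, and `operations`, which list theirs. Suggest listing the allowed values or linking to where they are defined, since these two properties control what child scopes can override.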
v1.0 Unifiedroleschedulebase https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedroleschedulebase.md
+
+ Title: "unifiedRoleScheduleBase resource type"
+description: "A template that exposes properties and relationships used in unifiedRoleAssignmentSchedule and unifiedRoleEligibilitySchedule resource types."
+
+ms.localizationpriority: medium
++
+# unifiedRoleScheduleBase resource type
+
+Namespace: microsoft.graph
+
+A template that exposes properties and relationships used in [unifiedRoleAssignmentSchedule](unifiedroleassignmentschedule.md) and [unifiedRoleEligibilitySchedule](unifiedroleeligibilityschedule.md) resource types.
++
+Inherits from [entity](../resources/entity.md).
+
+## Methods
+
+None.
+
+<!--
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleScheduleBases](../api/unifiedroleschedulebase-list.md)|[unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md) collection|Get a list of the [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md) objects and their properties.|
+|[Get unifiedRoleScheduleBase](../api/unifiedroleschedulebase-get.md)|[unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md)|Read the properties and relationships of an [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md) object.|
+|[Update unifiedRoleScheduleBase](../api/unifiedroleschedulebase-update.md)|[unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md)|Update the properties of an [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md) object.|
+|[Delete unifiedRoleScheduleBase](../api/unifiedroleschedulebase-delete.md)|None|Deletes an [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md) object.|
+|[List appScope](../api/unifiedroleschedulebase-list-appscope.md)|[appScope](../resources/appscope.md) collection|Get the appScope resources from the appScope navigation property.|
+|[Add appScope](../api/unifiedroleschedulebase-post-appscope.md)|[appScope](../resources/appscope.md)|Add appScope by posting to the appScope collection.|
+|[List directoryScope](../api/unifiedroleschedulebase-list-directoryscope.md)|[directoryObject](../resources/directoryobject.md) collection|Get the directoryObject resources from the directoryScope navigation property.|
+|[Add directoryScope](../api/unifiedroleschedulebase-post-directoryscope.md)|[directoryObject](../resources/directoryobject.md)|Add directoryScope by posting to the directoryScope collection.|
+|[List principal](../api/unifiedroleschedulebase-list-principal.md)|[directoryObject](../resources/directoryobject.md) collection|Get the directoryObject resources from the principal navigation property.|
+|[Add principal](../api/unifiedroleschedulebase-post-principal.md)|[directoryObject](../resources/directoryobject.md)|Add principal by posting to the principal collection.|
+|[List unifiedRoleDefinition](../api/unifiedroleschedulebase-list-roledefinition.md)|[unifiedRoleDefinition](../resources/unifiedroledefinition.md) collection|Get the unifiedRoleDefinition resources from the roleDefinition navigation property.|
+|[Add unifiedRoleDefinition](../api/unifiedroleschedulebase-post-roledefinition.md)|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Add roleDefinition by posting to the roleDefinition collection.|
+
+-->
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|appScopeId|String|Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units.|
+|createdDateTime|DateTimeOffset|When the schedule was created.|
+|createdUsing|String|Identifier of the object through which this schedule was created.|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only.|
+|id|String|The unique identifier for the schedule object. Inherited from [entity](../resources/entity.md).|
+|modifiedDateTime|DateTimeOffset|When the schedule was last modified.|
+|principalId|String|Identifier of the principal that has been granted the role assignment or eligibility.|
+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](unifiedroledefinition.md) object that is being assigned to the principal or that a principal is eligible for.|
+|status|String|The status of the role assignment or eligibility request.|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|appScope|[appScope](../resources/appscope.md)|Read-only property with details of the app-specific scope when the role eligibility or assignment is scoped to an app. Nullable.|
+|directoryScope|[directoryObject](../resources/directoryobject.md)|The directory object that is the scope of the role eligibility or assignment. Read-only.|
+|principal|[directoryObject](../resources/directoryobject.md)|The principal that's getting a role assignment or that's eligible for a role through the request.|
+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Detailed information for the roleDefinition object that is referenced through the **roleDefinitionId** property.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleScheduleBase",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleScheduleBase",
+ "id": "String (identifier)",
+ "principalId": "String",
+ "roleDefinitionId": "String",
+ "directoryScopeId": "String",
+ "appScopeId": "String",
+ "createdUsing": "String",
+ "createdDateTime": "String (timestamp)",
+ "modifiedDateTime": "String (timestamp)",
+ "status": "String"
+}
+```
+
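Review bot: The `status` row in the Properties table gives no possible values, so a consumer cannot tell an active schedule from a pending or revoked one by reading this page. Suggest listing the values the property can take. In the `appScopeId` row, "understood by this application only" is also ambiguous about which application is meant; "the resource application that defines the scope" or similar wording would be clearer.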
v1.0 Unifiedrolescheduleinstancebase https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolescheduleinstancebase.md
+
+ Title: "unifiedRoleScheduleInstanceBase resource type"
+description: "A template that exposes properties and relationships used in unifiedRoleAssignmentScheduleInstance and unifiedRoleEligibilityScheduleInstance resource types."
+
+ms.localizationpriority: medium
++
+# unifiedRoleScheduleInstanceBase resource type
+
+Namespace: microsoft.graph
+
+A template that exposes properties and relationships used in [unifiedRoleAssignmentScheduleInstance](unifiedroleassignmentscheduleinstance.md) and [unifiedRoleEligibilityScheduleInstance](unifiedroleeligibilityscheduleinstance.md) resource types.
++
+Inherits from [entity](../resources/entity.md).
+
+## Methods
+
+None.
+
+<!--
+|Method|Return type|Description|
+|:|:|:|
+|[List unifiedRoleScheduleInstanceBases](../api/unifiedrolescheduleinstancebase-list.md)|[unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md) collection|Get a list of the [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md) objects and their properties.|
+|[Get unifiedRoleScheduleInstanceBase](../api/unifiedrolescheduleinstancebase-get.md)|[unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md)|Read the properties and relationships of an [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md) object.|
+|[Update unifiedRoleScheduleInstanceBase](../api/unifiedrolescheduleinstancebase-update.md)|[unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md)|Update the properties of an [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md) object.|
+|[Delete unifiedRoleScheduleInstanceBase](../api/unifiedrolescheduleinstancebase-delete.md)|None|Deletes an [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md) object.|
+|[List appScope](../api/unifiedrolescheduleinstancebase-list-appscope.md)|[appScope](../resources/appscope.md) collection|Get the appScope resources from the appScope navigation property.|
+|[Add appScope](../api/unifiedrolescheduleinstancebase-post-appscope.md)|[appScope](../resources/appscope.md)|Add appScope by posting to the appScope collection.|
+|[List directoryScope](../api/unifiedrolescheduleinstancebase-list-directoryscope.md)|[directoryObject](../resources/directoryobject.md) collection|Get the directoryObject resources from the directoryScope navigation property.|
+|[Add directoryScope](../api/unifiedrolescheduleinstancebase-post-directoryscope.md)|[directoryObject](../resources/directoryobject.md)|Add directoryScope by posting to the directoryScope collection.|
+|[List principal](../api/unifiedrolescheduleinstancebase-list-principal.md)|[directoryObject](../resources/directoryobject.md) collection|Get the directoryObject resources from the principal navigation property.|
+|[Add principal](../api/unifiedrolescheduleinstancebase-post-principal.md)|[directoryObject](../resources/directoryobject.md)|Add principal by posting to the principal collection.|
+|[List unifiedRoleDefinition](../api/unifiedrolescheduleinstancebase-list-roledefinition.md)|[unifiedRoleDefinition](../resources/unifiedroledefinition.md) collection|Get the unifiedRoleDefinition resources from the roleDefinition navigation property.|
+|[Add unifiedRoleDefinition](../api/unifiedrolescheduleinstancebase-post-roledefinition.md)|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Add roleDefinition by posting to the roleDefinition collection.|
+-->
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|appScopeId|String|Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units.|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment or role eligibility. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only.|
+|id|String|The unique identifier for the schedule object. Inherited from [entity](../resources/entity.md).|
+|principalId|String|Identifier of the principal that has been granted the role assignment or that's eligible for a role.|
+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](unifiedroledefinition.md) object that is being assigned to the principal or that the principal is eligible for.|
+
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|appScope|[appScope](../resources/appscope.md)|Read-only property with details of the app-specific scope when the assignment or role eligibility is scoped to an app. Nullable.|
+|directoryScope|[directoryObject](../resources/directoryobject.md)|The directory object that is the scope of the assignment or role eligibility. Read-only.|
+|principal|[directoryObject](../resources/directoryobject.md)|The principal that's getting a role assignment or role eligibility through the request.|
+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Detailed information for the roleDefinition object that is referenced through the **roleDefinitionId** property.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleScheduleInstanceBase",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleScheduleInstanceBase",
+ "id": "String (identifier)",
+ "principalId": "String",
+ "roleDefinitionId": "String",
+ "directoryScopeId": "String",
+ "appScopeId": "String"
+}
+```
+
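Review bot: The `id` row in the Properties table says "The unique identifier for the schedule object", the same wording as on the unifiedRoleScheduleBase page. This resource is the instance base, so the description should say "schedule instance object" to avoid implying that the instance and its parent schedule share an identifier.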
v1.0 Toc.Yml https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/toc.yml a/api-reference/v1.0/toc.yml
items:
- name: Get href: api/unifiedroleassignment-get.md - name: Delete
- href: api/unifiedroleassignment-delete.md
+ href: api/unifiedroleassignment-delete.md
+ - name: Privileged identity management
+ items:
+ - name: Overview
+ displayName: Privileged identity management, PIM
+ href: resources/privilegedidentitymanagementv3-overview.md
+ - name: Role assignments
+ items:
+ - name: Schedule requests
+ href: resources/unifiedroleassignmentschedulerequest.md
+ items:
+ - name: List
+ href: api/rbacapplication-list-roleassignmentschedulerequests.md
+ - name: Create
+ href: api/rbacapplication-post-roleassignmentschedulerequests.md
+ - name: Get
+ href: api/unifiedroleassignmentschedulerequest-get.md
+ - name: Cancel
+ href: api/unifiedroleassignmentschedulerequest-cancel.md
+ - name: Filter by current user
+ href: api/unifiedroleassignmentschedulerequest-filterbycurrentuser.md
+ - name: Schedules
+ href: resources/unifiedroleassignmentschedule.md
+ items:
+ - name: List
+ href: api/rbacapplication-list-roleassignmentschedules.md
+ - name: Get
+ href: api/unifiedroleassignmentschedule-get.md
+ - name: Filter by current user
+ href: api/unifiedroleassignmentschedule-filterbycurrentuser.md
+ - name: Schedule instances
+ href: resources/unifiedroleassignmentscheduleinstance.md
+ items:
+ - name: List
+ href: api/rbacapplication-list-roleassignmentscheduleinstances.md
+ - name: Get
+ href: api/unifiedroleassignmentscheduleinstance-get.md
+ - name: Filter by current user
+ href: api/unifiedroleassignmentscheduleinstance-filterbycurrentuser.md
+ - name: Role eligibility
+ items:
+ - name: Schedule requests
+ href: resources/unifiedroleeligibilityschedulerequest.md
+ items:
+ - name: List
+ href: api/rbacapplication-list-roleeligibilityschedulerequests.md
+ - name: Create
+ href: api/rbacapplication-post-roleeligibilityschedulerequests.md
+ - name: Get
+ href: api/unifiedroleeligibilityschedulerequest-get.md
+ - name: Cancel
+ href: api/unifiedroleeligibilityschedulerequest-cancel.md
+ - name: Filter by current user
+ href: api/unifiedroleeligibilityschedulerequest-filterbycurrentuser.md
+ - name: Schedules
+ href: resources/unifiedroleeligibilityschedule.md
+ items:
+ - name: List
+ href: api/rbacapplication-list-roleeligibilityschedules.md
+ - name: Get
+ href: api/unifiedroleeligibilityschedule-get.md
+ - name: Filter by current user
+ href: api/unifiedroleeligibilityschedule-filterbycurrentuser.md
+ - name: Schedule instances
+ href: resources/unifiedroleeligibilityscheduleinstance.md
+ items:
+ - name: List
+ href: api/rbacapplication-list-roleeligibilityscheduleinstances.md
+ - name: Get
+ href: api/unifiedroleeligibilityscheduleinstance-get.md
+ - name: Filter by current user
+ href: api/unifiedroleeligibilityscheduleinstance-filterbycurrentuser.md
+ - name: Role management policies
+ items:
+ - name: Policies and rules
+ displayName: role management policies, Azure AD role settings
+ href: resources/unifiedrolemanagementpolicy.md
+ items:
+ - name: List
+ href: api/policyroot-list-rolemanagementpolicies.md
+ - name: Get
+ href: api/unifiedrolemanagementpolicy-get.md
+ - name: List rules
+ href: api/unifiedrolemanagementpolicy-list-rules.md
+ - name: Get rule
+ href: api/unifiedrolemanagementpolicyrule-get.md
+ - name: Update rule
+ href: api/unifiedrolemanagementpolicyrule-update.md
+ - name: Policy assignments
+ displayName: role managemement policy assignments
+ href: resources/unifiedrolemanagementpolicyassignment.md
+ items:
+ - name: List
+ href: api/policyroot-list-rolemanagementpolicyassignments.md
+ - name: Get
+ href: api/unifiedrolemanagementpolicyassignment-get.md
- name: Identity and sign-in items: - name: Authentication methods
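Review bot: The `displayName` under "Policy assignments" is misspelled: `role managemement policy assignments` has an extra "me". Because `displayName` supplies the search terms for the TOC entry, the typo keeps the node from matching "role management policy assignments"; please correct it to `role management policy assignments`.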