Updates from: 05/18/2022 01:19:34
Service Microsoft Docs article Related commit history on GitHub Change details
v1.0 Policyroot List Rolemanagementpolicies https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/policyroot-list-rolemanagementpolicies.md
Title: "List roleManagementPolicies"
-description: "Get the unifiedRoleManagementPolicy resources from the roleManagementPolicies navigation property."
+ Title: "List unifiedRoleManagementPolicies"
+description: "Get a list of the unifiedRoleManagementPolicy objects and their properties."
ms.localizationpriority: medium ms.prod: "governance" doc_type: apiPageType
-# List roleManagementPolicies
+# List unifiedRoleManagementPolicies
Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] -
-Get the unifiedRoleManagementPolicy resources from the roleManagementPolicies navigation property.
-
+Get a list of the [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) objects and their properties. This API only applies to Azure AD roles. To retrieve policies that apply to Azure RBAC, use the [Azure REST PIM API for role management policies](/rest/api/authorization/role-management-policies/list-for-scope).
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). |Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|PrivilegedAccess.ReadWrite.AzureAD|
+|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
|Delegated (personal Microsoft account)|Not supported|
-|Application|PrivilegedAccess.Read.AzureAD|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
## HTTP request
One of the following permissions is required to call this API. To learn more, in
} --> ``` http
-GET /policies/roleManagementPolicies
+GET /policies/roleManagementPolicies?$filter=scopeId eq 'scopeId' and scopeType eq 'scopeType'
``` ## Optional query parameters
If successful, this method returns a `200 OK` response code and a collection of
### Request
+The following example retrieves policies that are scoped to the tenant and apply to directory roles.
+ # [HTTP](#tab/http) <!-- { "blockType": "request",
If successful, this method returns a `200 OK` response code and a collection of
} --> ``` http
-GET https://graph.microsoft.com/beta/policies/roleManagementPolicies
+GET https://graph.microsoft.com/beta/policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
``` # [C#](#tab/csharp) [!INCLUDE [sample-code](../includes/snippets/csharp/list-unifiedrolemanagementpolicy-csharp-snippets.md)]
HTTP/1.1 200 OK
Content-Type: application/json {
- "value": [
- {
- "id": "f93a5c37-5c37-f93a-375c-3af9375c3af9",
- "displayName": "Policy1",
- "description": "A policy for all privileged administrators",
- "isOrganizationDefault": true,
- "scopeId": "f93a5c37-5c37-f93a-375c-3af9375c3af9",
- "scopeType": "subscriptions",
- "lastModifiedDateTime": "2021-03-17T02:54:27.167+00:00",
- "lastModifiedBy": {
- "@odata.type": "microsoft.graph.identity"
- }
- }
- ]
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/roleManagementPolicies",
+ "value": [
+ {
+ "id": "DirectoryRole_84841066-274d-4ec0-a5c1-276be684bdd3_200ec19a-09e7-4e7a-9515-cf1ee64b96f9",
+ "displayName": "DirectoryRole",
+ "description": "DirectoryRole",
+ "isOrganizationDefault": false,
+ "scopeId": "/",
+ "scopeType": "DirectoryRole",
+ "lastModifiedDateTime": null,
+ "lastModifiedBy": {
+ "displayName": null,
+ "id": null
+ }
+ },
+ {
+ "id": "DirectoryRole_84841066-274d-4ec0-a5c1-276be684bdd3_da83a66c-eb51-44ae-98d8-3da5f924f90a",
+ "displayName": "DirectoryRole",
+ "description": "DirectoryRole",
+ "isOrganizationDefault": false,
+ "scopeId": "/",
+ "scopeType": "DirectoryRole",
+ "lastModifiedDateTime": null,
+ "lastModifiedBy": {
+ "displayName": null,
+ "id": null
+ }
+ }
+ ]
} ```
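Review bot: The example request and response use `scopeType` 'DirectoryRole' with policy ids prefixed `DirectoryRole_`, but the roleManagementPolicyAssignments example on this page filters on `scopeType eq 'Directory'` and returns `policyId` values prefixed `Directory_` for the same GUIDs, so the two samples do not line up. Confirm which value the service returns and use it in both pages. The syntax line `?$filter=scopeId eq 'scopeId' and scopeType eq 'scopeType'` also gives no hint of the accepted values; list them in the Optional query parameters section and state whether the filter is required.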
v1.0 Policyroot List Rolemanagementpolicyassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/policyroot-list-rolemanagementpolicyassignments.md
Title: "List roleManagementPolicyAssignments"
-description: "Get the unifiedRoleManagementPolicyAssignment resources from the roleManagementPolicyAssignments navigation property."
+description: "Get a list of the unifiedRoleManagementPolicyAssignment objects and their properties."
ms.localizationpriority: medium ms.prod: "governance"
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Get the unifiedRoleManagementPolicyAssignment resources from the roleManagementPolicyAssignments navigation property.
+Get a list of the [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) objects and their properties.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). |Permission type|Permissions (from least to most privileged)| |:|:|
-|Delegated (work or school account)|PrivilegedAccess.ReadWrite.AzureAD|
+|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
|Delegated (personal Microsoft account)|Not supported|
-|Application|PrivilegedAccess.Read.AzureAD|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
## HTTP request
One of the following permissions is required to call this API. To learn more, in
} --> ``` http
-GET /policies/roleManagementPolicyAssignments
+GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq 'scopeId' and scopeType eq 'scopeType'
``` ## Optional query parameters
If successful, this method returns a `200 OK` response code and a collection of
} --> ``` http
-GET https://graph.microsoft.com/beta/policies/roleManagementPolicyAssignments
+GET https://graph.microsoft.com/beta/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'Directory'
``` # [C#](#tab/csharp) [!INCLUDE [sample-code](../includes/snippets/csharp/list-unifiedrolemanagementpolicyassignment-csharp-snippets.md)]
GET https://graph.microsoft.com/beta/policies/roleManagementPolicyAssignments
<!-- { "blockType": "response", "truncated": true,
- "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyAssignment"
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleManagementPolicyAssignment)"
} --> ``` http
HTTP/1.1 200 OK
Content-Type: application/json {
- "value": [
- {
- "id": "d6e4112f-112f-d6e4-2f11-e4d62f11e4d6",
- "policyId": "d6e4112f-112f-d6e4-2f11-e4d62f11e4d6",
- "scopeId": "d6e4112f-112f-d6e4-2f11-e4d62f11e4d6",
- "scopeType": "subscription",
- "roleDefinitionId": "d6e4112f-112f-d6e4-2f11-e4d62f11e4d6"
- }
- ]
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/roleManagementPolicyAssignments",
+ "value": [
+ {
+ "id": "Directory_84841066-274d-4ec0-a5c1-276be684bdd3_200ec19a-09e7-4e7a-9515-cf1ee64b96f9_fe930be7-5e62-47db-91af-98c3a49a38b1",
+ "policyId": "Directory_84841066-274d-4ec0-a5c1-276be684bdd3_200ec19a-09e7-4e7a-9515-cf1ee64b96f9",
+ "scopeId": "/",
+ "scopeType": "Directory",
+ "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1"
+ },
+ {
+ "id": "Directory_84841066-274d-4ec0-a5c1-276be684bdd3_da83a66c-eb51-44ae-98d8-3da5f924f90a_0526716b-113d-4c15-b2c8-68e3c22b9f80",
+ "policyId": "Directory_84841066-274d-4ec0-a5c1-276be684bdd3_da83a66c-eb51-44ae-98d8-3da5f924f90a",
+ "scopeId": "/",
+ "scopeType": "Directory",
+ "roleDefinitionId": "0526716b-113d-4c15-b2c8-68e3c22b9f80"
+ }
+ ]
} ```
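Review bot: An unfiltered `GET https://graph.microsoft.com/beta/policies/roleManagementPolicyAssignments` remains as an unchanged line further down the file, while the HTTP tab now sends `$filter=scopeId eq '/' and scopeType eq 'Directory'`. If the filter is required, update the remaining request as well; if it is optional, the syntax line under HTTP request should not present it as part of the path. The Application row also lists RoleManagement.Read.All before RoleManagement.Read.Directory, the reverse of the Delegated row's order under the same "least to most privileged" heading.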
v1.0 Rbacapplication List Roleassignmentscheduleinstances https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/rbacapplication-list-roleassignmentscheduleinstances.md
+
+ Title: "List roleAssignmentScheduleInstances"
+description: "Get a list of the unifiedRoleAssignmentScheduleInstance objects and their properties."
+
+ms.localizationpriority: medium
++
+# List roleAssignmentScheduleInstances
+Namespace: microsoft.graph
++
+Get a list of the [unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) objects and their properties.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentScheduleInstances
+```
+
+## Optional query parameters
+This method supports the `$select` and `$filter` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) objects in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleassignmentscheduleinstance"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleInstances
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+++++
+### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentScheduleInstance)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentScheduleInstances",
+ "value": [
+ {
+ "id": "4-PYiFWPHkqVOpuYmLiHa_8KmpPnrkhHmG41_UYRbUY-1",
+ "principalId": "939a0aff-aee7-4748-986e-35fd46116d46",
+ "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": null,
+ "endDateTime": null,
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "roleAssignmentOriginId": "4-PYiFWPHkqVOpuYmLiHa_8KmpPnrkhHmG41_UYRbUY-1",
+ "roleAssignmentScheduleId": "4-PYiFWPHkqVOpuYmLiHa_8KmpPnrkhHmG41_UYRbUY-1"
+ },
+ {
+ "id": "4-PYiFWPHkqVOpuYmLiHa0VbFrscFfZMmRHNcYiRKEg-1",
+ "principalId": "bb165b45-151c-4cf6-9911-cd7188912848",
+ "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": null,
+ "endDateTime": null,
+ "assignmentType": "Assigned",
+ "memberType": "Direct",
+ "roleAssignmentOriginId": "4-PYiFWPHkqVOpuYmLiHa0VbFrscFfZMmRHNcYiRKEg-1",
+ "roleAssignmentScheduleId": "4-PYiFWPHkqVOpuYmLiHa0VbFrscFfZMmRHNcYiRKEg-1"
+ }
+ ]
+}
+```
+
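Review bot: The Application row of the permissions table lists RoleManagement.Read.All before RoleManagement.Read.Directory, while the column is headed "from least to most privileged" and the Delegated row in the same table puts RoleManagement.Read.Directory first. Use one order in both rows so a reader choosing the least-privileged permission for an app gets the same answer as for a delegated call.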
v1.0 Rbacapplication List Roleassignmentschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/rbacapplication-list-roleassignmentschedulerequests.md
+
+ Title: "List roleAssignmentScheduleRequests"
+description: "Get a list of the unifiedRoleAssignmentScheduleRequest objects and their properties."
+
+ms.localizationpriority: medium
++
+# List roleAssignmentScheduleRequests
+
+Namespace: microsoft.graph
++
+Get a list of the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) objects and their properties.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+| :- | : |
+| Delegated (work or school account) | RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+| Delegated (personal Microsoft account) | Not supported |
+| Application | RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+
+```http
+GET /roleManagement/directory/roleAssignmentScheduleRequests
+```
+
+## Optional query parameters
+
+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name | Description |
+| : | : |
+| Authorization | Bearer {token}. Required. |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) objects in the response body.
+
+## Examples
+
+### Request
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleassignmentschedulerequest"
+}
+-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
++++
+### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentScheduleRequest)"
+}
+-->
+
+```http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentScheduleRequests",
+ "value": [
+ {
+ "id": "b5a22921-656a-4429-9c4e-59a5f576614d",
+ "status": "Provisioned",
+ "createdDateTime": "2021-07-27T09:18:42.737Z",
+ "completedDateTime": "2021-07-27T09:18:42.78Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "AdminAssign",
+ "principalId": "5659e4d9-9ab6-4678-9f1b-72322d469e9b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "b5a22921-656a-4429-9c4e-59a5f576614d",
+ "justification": "Assign User Admin to IT Helpdesk (User) group",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2021-07-27T09:18:42.7811184Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+ }
+ ]
+}
+```
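Review bot: "This method supports some of the OData query parameters" in the Optional query parameters section does not say which ones; the roleAssignmentScheduleInstances and roleAssignmentSchedules pages in this change name `$select` and `$filter`. List the parameters this endpoint accepts. The request example is also fenced as `msgraph-interactive` where the sibling pages use `http`; confirm that difference is intended.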
v1.0 Rbacapplication List Roleassignmentschedules https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/rbacapplication-list-roleassignmentschedules.md
+
+ Title: "List roleAssignmentSchedules"
+description: "Get a list of the unifiedRoleAssignmentSchedule objects and their properties."
+
+ms.localizationpriority: medium
++
+# List roleAssignmentSchedules
+Namespace: microsoft.graph
++
+Get a list of the [unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) objects and their properties.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleAssignmentSchedule.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleAssignmentSchedules
+```
+
+## Optional query parameters
+This method supports the `$select` and `$filter` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) objects in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleassignmentschedule"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentSchedules
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+++++
+### Response
+
+The following is an example of the response.
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleAssignmentSchedule)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(unifiedRoleEligibilitySchedule)",
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.unifiedRoleEligibilitySchedule",
+ "id": "3dc04956-5e79-4e84-a2fc-4c168bb30a5f",
+ "principalId": "fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/administrativeUnits/dc626e71-4837-40eb-be4a-bc29d88a1178",
+ "appScopeId": null,
+ "createdUsing": "3dc04956-5e79-4e84-a2fc-4c168bb30a5f",
+ "createdDateTime": "2021-07-27T14:03:04.4Z",
+ "modifiedDateTime": "0001-01-01T08:00:00Z",
+ "status": "Provisioned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2021-07-27T14:03:04.4Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ }
+ }
+ ]
+}
+```
+
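Review bot: The response example is for a different resource than the page documents: `@odata.context` ends in `#Collection(unifiedRoleEligibilitySchedule)` and the item carries `"@odata.type": "#microsoft.graph.unifiedRoleEligibilitySchedule"`, while the preceding metadata comment declares `Collection(microsoft.graph.unifiedRoleAssignmentSchedule)`. Replace it with a response captured from roleAssignmentSchedules. The Delegated row also omits RoleManagement.ReadWrite.Directory, which the other list pages in this change include; confirm whether that is deliberate.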
v1.0 Rbacapplication List Roleeligibilityscheduleinstances https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/rbacapplication-list-roleeligibilityscheduleinstances.md
+
+ Title: "List roleEligibilityScheduleInstances"
+description: "Get a list of the unifiedRoleEligibilityScheduleInstance objects and their properties."
+
+ms.localizationpriority: medium
++
+# List roleEligibilityScheduleInstancess
+Namespace: microsoft.graph
++
+Get a list of the [unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) objects and their properties.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilityScheduleInstances
+```
+
+## Optional query parameters
+This method supports the `$select` and `$filter` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) objects in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleeligibilityscheduleinstance"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleInstances
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+++++
+### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleEligibilityScheduleInstance)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleEligibilityScheduleInstances",
+ "value": [
+ {
+ "id": "UafX_Qu2SkSYTAJlL-j6HCssmvzcHW1IohFf6Mp3-h9xbmLcN0jrQL5KvCnYihF4-2-e",
+ "principalId": "fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/administrativeUnits/dc626e71-4837-40eb-be4a-bc29d88a1178",
+ "appScopeId": null,
+ "startDateTime": "2021-07-27T14:03:04.4Z",
+ "endDateTime": null,
+ "memberType": "Direct",
+ "roleEligibilityScheduleId": "3dc04956-5e79-4e84-a2fc-4c168bb30a5f"
+ },
+ {
+ "id": "UafX_Qu2SkSYTAJlL-j6HLFkgTmWUd1JraI2S0n5myc-1-e",
+ "principalId": "398164b1-5196-49dd-ada2-364b49f99b27",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "startDateTime": "2021-07-27T13:51:08.43Z",
+ "endDateTime": null,
+ "memberType": "Direct",
+ "roleEligibilityScheduleId": "313af44a-07c9-43a7-9970-5072a6b5591f"
+ }
+ ]
+}
+```
+
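Review bot: The H1 reads `# List roleEligibilityScheduleInstancess` with a doubled trailing "s", while the Title metadata above it has "List roleEligibilityScheduleInstances". Correct the heading so it matches the title and the endpoint name.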
v1.0 Rbacapplication List Roleeligibilityschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/rbacapplication-list-roleeligibilityschedulerequests.md
+
+ Title: "List roleEligibilityScheduleRequests"
+description: "Get a list of the unifiedRoleEligibilityScheduleRequest objects and their properties."
+
+ms.localizationpriority: medium
++
+# List roleEligibilityScheduleRequests
+Namespace: microsoft.graph
++
+Get a list of the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) objects and their properties.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilityScheduleRequests
+```
+
+## Optional query parameters
+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) objects in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleeligibilityschedulerequest"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+++++
+### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleEligibilityScheduleRequest)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleEligibilityScheduleRequests",
+ "value": [
+ {
+ "id": "19757c21-7844-4478-b4b6-68aed0cd2d52",
+ "status": "Provisioned",
+ "createdDateTime": "2021-07-13T19:17:33.373Z",
+ "completedDateTime": "2021-07-13T19:17:33.427Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "AdminAssign",
+ "principalId": "5659e4d9-9ab6-4678-9f1b-72322d469e9b",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "19757c21-7844-4478-b4b6-68aed0cd2d52",
+ "justification": null,
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2021-07-13T19:17:33.4258055Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDateTime",
+ "endDateTime": "2022-07-13T19:16:02.506Z",
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+ }
+ ]
+}
+
+```
+
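Review bot: The Optional query parameters section leaves the supported set unnamed ("supports some of the OData query parameters"); state which parameters roleEligibilityScheduleRequests accepts, as the roleEligibilitySchedules page does with `$select` and `$filter`. There is also an empty added line between the closing `}` of the JSON response and the closing fence that can be dropped.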
v1.0 Rbacapplication List Roleeligibilityschedules https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/rbacapplication-list-roleeligibilityschedules.md
+
+ Title: "List roleEligibilitySchedules"
+description: "Get a list of the unifiedRoleEligibilitySchedule objects and their properties."
+
+ms.localizationpriority: medium
++
+# List roleEligibilitySchedules
+Namespace: microsoft.graph
++
+Get a list of the [unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) objects and their properties.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.ReadWrite.Directory |
+|Delegated (personal Microsoft account)|Not supported|
+|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /roleManagement/directory/roleEligibilitySchedules
+```
+
+## Optional query parameters
+This method supports the `$select` and `$filter` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) objects in the response body.
+
+## Examples
+
+### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "list_unifiedroleeligibilityschedule"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilitySchedules
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+++++
+### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "Collection(microsoft.graph.unifiedRoleEligibilitySchedule)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleEligibilitySchedules",
+ "value": [
+ {
+ "id": "313af44a-07c9-43a7-9970-5072a6b5591f",
+ "principalId": "398164b1-5196-49dd-ada2-364b49f99b27",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "createdUsing": "313af44a-07c9-43a7-9970-5072a6b5591f",
+ "createdDateTime": "2021-07-27T13:51:08.43Z",
+ "modifiedDateTime": "0001-01-01T08:00:00Z",
+ "status": "Provisioned",
+ "memberType": "Direct",
+ "scheduleInfo": {
+ "startDateTime": "2021-07-27T13:51:08.43Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ }
+ }
+ ]
+}
+```
+
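Review bot: The sample response shows `"modifiedDateTime": "0001-01-01T08:00:00Z"` next to `"createdDateTime": "2021-07-27T13:51:08.43Z"`, which reads as an unset default rather than a real modification time. Either replace it with a representative value or add a sentence saying what this value means, so consumers who parse the field for change tracking know how to treat it.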
v1.0 Rbacapplication Post Roleassignmentschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/rbacapplication-post-roleassignmentschedulerequests.md
+
+ Title: "Create roleAssignmentScheduleRequests"
+description: "Create a new unifiedRoleAssignmentScheduleRequest object."
+
+ms.localizationpriority: medium
++
+# Create roleAssignmentScheduleRequests
+Namespace: microsoft.graph
++
+Create a new [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object. This operation allows both admins and users to add, remove, extend, or renew assignments. To run this request, the calling user must have multi-factor authentication (MFA) enforced, and running the query in a session in which they were challenged for MFA. See [Enable per-user Azure AD Multi-Factor Authentication to secure sign-in events](/azure/active-directory/authentication/howto-mfa-userstates).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleAssignmentSchedule.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|Not supported|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+POST /roleManagement/directory/roleAssignmentScheduleRequests
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
+In the request body, supply a JSON representation of the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object.
+
+The following table shows the properties that are required when you create the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md).
+
+|Property|Type|Description|
+|:|:|:|
+|id|String|The unique identifier for the unifiedRoleAssignmentScheduleRequest. Key, not nullable, Read-only.|
+|action|String|Represents the type of the operation on the role assignment. The possible values are: <ul><li>`AdminAssign`: For administrators to assign roles to users or groups.</li><li>`AdminRemove`: For administrators to remove users or groups from roles.</li><li> `AdminUpdate`: For administrators to change existing role assignments.</li><li>`AdminExtend`: For administrators to extend expiring assignments.</li><li>`AdminRenew`: For administrators to renew expired assignments.</li><li>`SelfActivate`: For users to activate their assignments.</li><li>`SelfDeactivate`: For users to deactivate their active assignments.</li><li>`SelfExtend`: For users to request to extend their expiring assignments.</li><li>`SelfRenew`: For users to request to renew their expired assignments.</li></ul>
+|principalId|String|Identifier of the principal to which the assignment is being granted to.|
+|roleDefinitionId|String|Identifier of the unifiedRoleDefinition the assignment is for. Read only.|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. |
+|appScopeId|String|Identifier of the app-specific scope when the assignment scope is app-specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units.|
+|isValidationOnly|Boolean|Specifies whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.|
+|targetScheduleId|String|ID of the schedule object attached to the assignment.|
+|justification|String|A message provided by users and administrators when create the request about why it is needed.|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The schedule object of the role assignment request.|
+|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|The ticketInfo object attached to the role assignment request which includes details of the ticket number and ticket system.|
+
+## Response
+
+If successful, this method returns a `201 Created` response code and an [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object in the response body.
+
+When the calling user was not challenged for multi-factor authentication during their sign in session, a request with the SelfActivate action fails and returns a `400 Bad request` response code.
+
+## Examples
+
+### Example 1: Admin assigning a directory role to a principal
+
+#### Request
+
+In the following request, the admin creates a request to assign a role identified by `fdd7a751-b60b-444a-984c-02652fe8fa1c` to a principal identified by **id** `07706ff1-46c7-4847-ae33-3003830675a1`. The scope of their role is all directory objects in the tenant and the assignment is permanent, that is, it doesn't expire.
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleassignmentschedulerequest_from_unifiedroleassignmentschedulerequests"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests/
+Content-Type: application/json
+
+{
+ "action": "AdminAssign",
+ "justification": "Assign User Admin to IT Helpdesk (User) group",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "principalId": "07706ff1-46c7-4847-ae33-3003830675a1",
+ "scheduleInfo": {
+ "startDateTime": "2021-07-01T00:00:00Z",
+ "expiration": {
+ "type": "NoExpiration"
+ }
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+++++
+#### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentScheduleRequests/$entity",
+ "id": "b5a22921-656a-4429-9c4e-59a5f576614d",
+ "status": "Provisioned",
+ "createdDateTime": "2021-07-27T09:18:40.2029365Z",
+ "completedDateTime": "2021-07-27T09:18:42.7811184Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "AdminAssign",
+ "principalId": "07706ff1-46c7-4847-ae33-3003830675a1",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "b5a22921-656a-4429-9c4e-59a5f576614d",
+ "justification": "Assign User Admin to IT Helpdesk (User) group",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2021-07-27T09:18:42.7811184Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "noExpiration",
+ "endDateTime": null,
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+}
+```
+
+### Example 2: User activating their eligible role
+
+#### Request
+
+In the following request, a user identified by **principalId** `c6ad1942-4afa-47f8-8d48-afb5d8d69d2f` activates their own eligible role identified by `9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3`. The scope of their role is all directory objects in the tenant and the assignment is for five hours. To run this request, the calling user must have multi-factor authentication (MFA) enforced, and running the query in a session in which they were challenged for MFA.
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleassignmentschedulerequest_from_unifiedroleassignmentschedulerequests_SelfActivate"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests/
+Content-Type: application/json
+
+{
+ "action": "SelfActivate",
+ "principalId": "c6ad1942-4afa-47f8-8d48-afb5d8d69d2f",
+ "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
+ "directoryScopeId": "/",
+ "justification": "Need to update app roles for selected apps.",
+ "scheduleInfo": {
+ "startDateTime": "2021-08-17T17:40:00.000Z",
+ "expiration": {
+ "type": "AfterDuration",
+ "duration": "PT5H"
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": "CONTOSO:Normal-67890",
+ "ticketSystem": "MS Project"
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+++++
+#### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignmentScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentScheduleRequests/$entity",
+ "id": "163daf73-8746-4996-87de-ab71dc624bf9",
+ "status": "Granted",
+ "createdDateTime": "2021-08-17T17:39:36.7040696Z",
+ "completedDateTime": "2021-08-17T17:40:00Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "SelfActivate",
+ "principalId": "c6ad1942-4afa-47f8-8d48-afb5d8d69d2f",
+ "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "163daf73-8746-4996-87de-ab71dc624bf9",
+ "justification": "Need to update app roles for selected apps.",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "c6ad1942-4afa-47f8-8d48-afb5d8d69d2f"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2021-08-17T17:40:00Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDuration",
+ "endDateTime": null,
+ "duration": "PT5H"
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": "CONTOSO:Normal-67890",
+ "ticketSystem": "MS Project"
+ }
+}
+```
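Review bot: the request-body table is introduced as "the properties that are required when you create" the request, yet its `id` row is marked "Key, not nullable, Read-only" and its `roleDefinitionId` row is marked "Read only", and neither example request sends `id`. Mark each row Required or Optional and move read-only properties out of the request table; the `action` row is also missing its closing `|`. The MFA sentence used in the introduction and again in Example 2 ("must have multi-factor authentication (MFA) enforced, and running the query in a session in which they were challenged for MFA") is ungrammatical and does not say which actions it applies to, while the Response section ties the failure only to `SelfActivate`; state the condition once, per action, and use the standard reason phrase `400 Bad Request`. Example 1 creates a tenant-wide (`"directoryScopeId": "/"`) active assignment with `"type": "NoExpiration"`; since the page also documents time-bound expirations and `isValidationOnly`, a sentence telling admins when a permanent active assignment is appropriate would help. The expiration enum casing also differs between requests (`NoExpiration`, `AfterDuration`) and responses (`noExpiration`, `afterDuration`); use one form or say that the value is case-insensitive.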
v1.0 Rbacapplication Post Roleeligibilityschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/rbacapplication-post-roleeligibilityschedulerequests.md
+
+ Title: "Create roleEligibilityScheduleRequests"
+description: "Create a new unifiedRoleEligibilityScheduleRequest object."
+
+ms.localizationpriority: medium
++
+# Create roleEligibilityScheduleRequests
+Namespace: microsoft.graph
++
+Create a new [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object. This operation allows both admins and eligible users to add, revoke, or extend eligible assignments.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|RoleEligibilitySchedule.ReadWrite.Directory|
+|Delegated (personal Microsoft account)|Not supported|
+|Application|Not supported|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+POST /roleManagement/directory/roleEligibilityScheduleRequests
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
+In the request body, supply a JSON representation of the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object.
+
+The following table shows the optional and required properties when you create the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md).
+
+|Property|Type|Description|
+|:|:|:|
+|action|String|Represents the type of the operation on the role eligibility assignment. The possible values are: <ul><li>`AdminAssign`: For administrators to assign role eligibility to users or groups to roles.</li><li>`AdminExtend`: For administrators to extend expiring assignments.</li><li>`AdminUpdate`: For administrators to change existing role assignments.</li><li>`AdminRenew`: For administrators to renew expired assignments.</li><li>`AdminRemove`: For administrators to remove users or groups from eligible roles.</li><li>`UserAdd`: For users to activate their eligible assignments.</li><li>`UserExtend`: For users to request to extend their expiring eligible assignments.</li><li>`UserRemove`: For users to deactivate their active eligible assignments.</li><li>`UserRenew`: For users to request to renew their expired eligible assignments.</li></ul>|
+|appScopeId|String|Identifier of the app-specific scope when the assignment scope is app-specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units or all users.|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only.|
+|isValidationOnly|Boolean|A boolean that determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.|
+|justification|String|A message provided by users and administrators when create the request about why it is needed. Optional when **action** is `AdminRemove`.|
+|principalId|String|Identifier of the principal to which the assignment is being granted to. For example, a user or a group. For groups, they must be assignable to roles, that is, the **isAssignableToRole** of the group property set to `true`.|
+|roleDefinitionId|String|Identifier of the unifiedRoleDefinition the assignment is for. Required. Read only.|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The schedule object of the role assignment request. This property is not required when the **action** is `AdminRemove`.|
+|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|The ticketInfo object attached to the role assignment request which includes details of the ticket number and ticket system. Optional.|
+++
+## Response
+
+If successful, this method returns a `201 Created` response code and an [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object in the response body.
+
+## Examples
+
+### Example 1: Admin to assign a role eligibility schedule request
+
+In the following request, the admin creates a request to assign eligibility of a role identified by `fdd7a751-b60b-444a-984c-02652fe8fa1c` to a principal identified by **id** `07706ff1-46c7-4847-ae33-3003830675a1`. The scope of the eligibility is all directory objects in the tenant until June 30, 2022 at midnight UTC time.
+
+#### Request
+
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleeligibilityschedulerequest_from_unifiedroleeligibilityschedulerequests"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests
+Content-Type: application/json
+
+{
+ "action": "AdminAssign",
+ "justification": "Assign User Admin eligibility to IT Helpdesk (User) group",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "principalId": "07706ff1-46c7-4847-ae33-3003830675a1",
+ "scheduleInfo": {
+ "startDateTime": "2021-07-01T00:00:00Z",
+ "expiration": {
+ "endDateTime": "2022-06-30T00:00:00Z",
+ "type": "AfterDateTime"
+ }
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+++++
+#### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilityScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
+ "id": "672c03bf-226a-42ec-a8b7-3bfab96064a1",
+ "status": "Provisioned",
+ "createdDateTime": "2021-07-26T18:08:03.1299669Z",
+ "completedDateTime": "2021-07-26T18:08:06.2081758Z",
+ "approvalId": null,
+ "customData": null,
+ "action": "AdminAssign",
+ "principalId": "07706ff1-46c7-4847-ae33-3003830675a1",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": "672c03bf-226a-42ec-a8b7-3bfab96064a1",
+ "justification": "Assign User Admin eligibility to IT Helpdesk (User) group",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2021-07-26T18:08:06.2081758Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDateTime",
+ "endDateTime": "2022-06-30T00:00:00Z",
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+}
+```
+
+### Example 2: Admin to remove an existing role eligibility schedule request
+
+In the following request, the admin creates a request to revoke the eligibility of a role identified by `fdd7a751-b60b-444a-984c-02652fe8fa1c` to a principal identified by **id** `07706ff1-46c7-4847-ae33-3003830675a1`.
+
+#### Request
++
+# [HTTP](#tab/http)
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleeligibilityschedulerequest_from_unifiedroleeligibilityschedulerequests_AdminRemove"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests
+Content-Type: application/json
+
+{
+ "action": "AdminRemove",
+ "justification": "Assign User Admin eligibility to IT Helpdesk (User) group",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "principalId": "07706ff1-46c7-4847-ae33-3003830675a1",
+ "scheduleInfo": {
+ "startDateTime": "2021-07-26T18:08:06.2081758Z",
+ "expiration": {
+ "endDateTime": "2022-06-30T00:00:00Z",
+ "type": "AfterDateTime"
+ }
+ }
+}
+```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Objective-C](#tab/objc)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
++++++
+#### Response
+
+The following is an example of the response. The request returns a response object that shows the status of previously eligible assignment changes as `Revoked`. The principal will no longer see their previously eligible role.
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleEligibilityScheduleRequest"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
+ "id": "7f88a144-f9a9-4f8c-9623-39c321ae93c2",
+ "status": "Revoked",
+ "createdDateTime": "2021-08-06T17:59:12.4263499Z",
+ "completedDateTime": null,
+ "approvalId": null,
+ "customData": null,
+ "action": "AdminRemove",
+ "principalId": "07706ff1-46c7-4847-ae33-3003830675a1",
+ "roleDefinitionId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "directoryScopeId": "/",
+ "appScopeId": null,
+ "isValidationOnly": false,
+ "targetScheduleId": null,
+ "justification": "Assign User Admin eligibility to IT Helpdesk (User) group",
+ "createdBy": {
+ "application": null,
+ "device": null,
+ "user": {
+ "displayName": null,
+ "id": "fc9a2c2b-1ddc-486d-a211-5fe8ca77fa1f"
+ }
+ },
+ "scheduleInfo": {
+ "startDateTime": "2021-07-26T18:08:06.2081758Z",
+ "recurrence": null,
+ "expiration": {
+ "type": "afterDateTime",
+ "endDateTime": "2022-06-30T00:00:00Z",
+ "duration": null
+ }
+ },
+ "ticketInfo": {
+ "ticketNumber": null,
+ "ticketSystem": null
+ }
+}
+```
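Review bot: Example 2 (`AdminRemove`) reuses the justification from Example 1, "Assign User Admin eligibility to IT Helpdesk (User) group", for a request that revokes eligibility, and it sends a full `scheduleInfo` although the property table says `scheduleInfo` is not required when **action** is `AdminRemove`. Use a removal justification and drop `scheduleInfo` so the sample shows the minimal revoke request and the recorded justification matches the operation. In the `action` row, the user-side values (`UserAdd`, `UserExtend`, `UserRemove`, `UserRenew`) are described in terms of activating and deactivating assignments, which the sibling roleAssignmentScheduleRequests page covers with `SelfActivate` and `SelfDeactivate`; say what each value does to an eligibility, or cross-reference that page. `roleDefinitionId` is marked both "Required" and "Read only", and most other rows do not say whether they are required, although the table is introduced as showing "optional and required properties".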
v1.0 Unifiedrolemanagementpolicy List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/unifiedrolemanagementpolicy-list.md
- Title: "List unifiedRoleManagementPolicies"
-description: "Get a list of the unifiedRoleManagementPolicy objects and their properties."
-
-doc_type: apiPageType
--
-# List unifiedRoleManagementPolicies
-Namespace: microsoft.graph
--
-Get a list of the [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) objects and their properties. This API only applies to Azure AD roles. To retrieve policies that apply to Azure RBAC, use the [Azure REST PIM API for role management policies](/rest/api/authorization/role-management-policies/list-for-scope).
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
-
-|Permission type|Permissions (from least to most privileged)|
-|:|:|
-|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
-|Delegated (personal Microsoft account)|Not supported|
-|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
-
-## HTTP request
-
-<!-- {
- "blockType": "ignored"
-}
>
-``` http
-GET /policies/roleManagementPolicies?$filter=scopeId eq 'scopeId' and scopeType eq 'scopeType'
-```
-
-## Optional query parameters
-This method supports all of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
-
-## Request headers
-|Name|Description|
-|:|:|
-|Authorization|Bearer {token}. Required.|
-
-## Request body
-Do not supply a request body for this method.
-
-## Response
-
-If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) objects in the response body.
-
-## Examples
-
-### Request
-
-The following example retrieves policies that are scoped to the tenant and apply to directory roles.
-
-# [HTTP](#tab/http)
-<!-- {
- "blockType": "request",
- "name": "list_unifiedrolemanagementpolicy"
-}
>
-``` http
-GET https://graph.microsoft.com/beta/policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
-```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
-
-# [Go](#tab/go)
-
-# [PowerShell](#tab/powershell)
-----
-### Response
-**Note:** The response object shown here might be shortened for readability.
-<!-- {
- "blockType": "response",
- "truncated": true,
- "@odata.type": "Collection(microsoft.graph.unifiedRoleManagementPolicy)"
-}
>
-``` http
-HTTP/1.1 200 OK
-Content-Type: application/json
-
-{
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/roleManagementPolicies",
- "value": [
- {
- "id": "DirectoryRole_84841066-274d-4ec0-a5c1-276be684bdd3_200ec19a-09e7-4e7a-9515-cf1ee64b96f9",
- "displayName": "DirectoryRole",
- "description": "DirectoryRole",
- "isOrganizationDefault": false,
- "scopeId": "/",
- "scopeType": "DirectoryRole",
- "lastModifiedDateTime": null,
- "lastModifiedBy": {
- "displayName": null,
- "id": null
- }
- },
- {
- "id": "DirectoryRole_84841066-274d-4ec0-a5c1-276be684bdd3_da83a66c-eb51-44ae-98d8-3da5f924f90a",
- "displayName": "DirectoryRole",
- "description": "DirectoryRole",
- "isOrganizationDefault": false,
- "scopeId": "/",
- "scopeType": "DirectoryRole",
- "lastModifiedDateTime": null,
- "lastModifiedBy": {
- "displayName": null,
- "id": null
- }
- }
- ]
-}
-```
-
v1.0 Unifiedrolemanagementpolicyassignment List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/unifiedrolemanagementpolicyassignment-list.md
- Title: "List unifiedRoleManagementPolicyAssignments"
-description: "Get a list of the unifiedRoleManagementPolicyAssignment objects and their properties."
-
-doc_type: apiPageType
--
-# List unifiedRoleManagementPolicyAssignments
-Namespace: microsoft.graph
--
-Get a list of the [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) objects and their properties.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
-
-|Permission type|Permissions (from least to most privileged)|
-|:|:|
-|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
-|Delegated (personal Microsoft account)|Not supported|
-|Application|RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory|
-
-## HTTP request
-
-<!-- {
- "blockType": "ignored"
-}
>
-``` http
-GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq 'scopeId' and scopeType eq 'scopeType'
-```
-
-## Optional query parameters
-This method supports all of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
-
-## Request headers
-|Name|Description|
-|:|:|
-|Authorization|Bearer {token}. Required.|
-
-## Request body
-Do not supply a request body for this method.
-
-## Response
-
-If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) objects in the response body.
-
-## Examples
-
-### Request
-
-# [HTTP](#tab/http)
-<!-- {
- "blockType": "request",
- "name": "list_unifiedrolemanagementpolicyassignment"
-}
>
-``` http
-GET https://graph.microsoft.com/beta/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'Directory'
-```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
-
-# [Go](#tab/go)
-
-# [PowerShell](#tab/powershell)
-----
-### Response
-**Note:** The response object shown here might be shortened for readability.
-<!-- {
- "blockType": "response",
- "truncated": true,
- "@odata.type": "Collection(microsoft.graph.unifiedRoleManagementPolicyAssignment)"
-}
>
-``` http
-HTTP/1.1 200 OK
-Content-Type: application/json
-
-{
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/roleManagementPolicyAssignments",
- "value": [
- {
- "id": "Directory_84841066-274d-4ec0-a5c1-276be684bdd3_200ec19a-09e7-4e7a-9515-cf1ee64b96f9_fe930be7-5e62-47db-91af-98c3a49a38b1",
- "policyId": "Directory_84841066-274d-4ec0-a5c1-276be684bdd3_200ec19a-09e7-4e7a-9515-cf1ee64b96f9",
- "scopeId": "/",
- "scopeType": "Directory",
- "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1"
- },
- {
- "id": "Directory_84841066-274d-4ec0-a5c1-276be684bdd3_da83a66c-eb51-44ae-98d8-3da5f924f90a_0526716b-113d-4c15-b2c8-68e3c22b9f80",
- "policyId": "Directory_84841066-274d-4ec0-a5c1-276be684bdd3_da83a66c-eb51-44ae-98d8-3da5f924f90a",
- "scopeId": "/",
- "scopeType": "Directory",
- "roleDefinitionId": "0526716b-113d-4c15-b2c8-68e3c22b9f80"
- }
- ]
-}
-```
-
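Review bot: the example filter in this removed page uses `scopeType eq 'Directory'` with ids prefixed `Directory_`, while the policy list page removed just above uses `scopeType eq 'DirectoryRole'` with ids prefixed `DirectoryRole_` for the same two policy GUIDs (`200ec19a-09e7-4e7a-9515-cf1ee64b96f9` and `da83a66c-eb51-44ae-98d8-3da5f924f90a`). If these examples are being relocated rather than dropped, check that the replacement pages agree on one `scopeType` value; otherwise a `policyId` copied from one sample will not match an `id` in the other.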
v1.0 Unifiedrolemanagementpolicyrule List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/unifiedrolemanagementpolicyrule-list.md
- Title: "List unifiedRoleManagementPolicyRules"
-description: "Get a list of the unifiedRoleManagementPolicyRule objects and their properties."
-
-doc_type: apiPageType
--
-# List unifiedRoleManagementPolicyRules
-Namespace: microsoft.graph
-
-Get a list of the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) objects and their properties.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
-
-|Permission type|Permissions (from least to most privileged)|
-|:|:|
-|Delegated (work or school account)|RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory|
-|Delegated (personal Microsoft account)|Not supported|
-|Application|RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagement.ReadWrite.Directory|
-
-## HTTP request
-
-<!-- {
- "blockType": "ignored"
-}
>
-``` http
-GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
-GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/effectiveRules
-```
-
-## Optional query parameters
-This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
-
-## Request headers
-|Name|Description|
-|:|:|
-|Authorization|Bearer {token}. Required.|
-
-## Request body
-Do not supply a request body for this method.
-
-## Response
-
-If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) objects in the response body.
-
-## Examples
-
-### Request
-
-# [HTTP](#tab/http)
-<!-- {
- "blockType": "request",
- "name": "list_unifiedrolemanagementpolicyrule"
-}
>
-``` http
-GET https://graph.microsoft.com/beta/policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
-```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
-
-# [Go](#tab/go)
-
-# [PowerShell](#tab/powershell)
-----
-### Response
-**Note:** The response object shown here might be shortened for readability.
-<!-- {
- "blockType": "response",
- "truncated": true,
- "@odata.type": "Collection(microsoft.graph.unifiedRoleManagementPolicyRule)"
-}
>
-``` http
-HTTP/1.1 200 OK
-Content-Type: application/json
-
-{
- "value": [
- {
- "id": "ba9cc2d6-c2d6-ba9c-d6c2-9cbad6c29cba",
- "target": {
- "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
- }
- }
- ]
-}
-```
-
v1.0 User Post Messages https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/user-post-messages.md
When using JSON format, you can:
When using MIME format: - Provide the applicable [Internet message headers](https://tools.ietf.org/html/rfc2076) and the [MIME content](https://tools.ietf.org/html/rfc2045), all encoded in **base64** format in the request body.-- Add any attachments and S/MIME properties to the MIME content.
+- \* Add any attachments and S/MIME properties to the MIME content.
By default, this operation saves the draft in the Drafts folder.
By default, this operation saves the draft in the Drafts folder.
Alternatively, [send a new message](../api/user-sendmail.md) in a single action, or create a draft [to forward](../api/message-createforward.md), [to reply](../api/message-createreply.md) or [to reply-all](../api/message-createreplyall.md) to an existing message.
+>\* **Note:** S/MIME message payloads are currently limited to 4 MB. Submission attempts that exceed this limit will result in an`HTTP 413 Request Entity Too Large` error response.
+ ## Permissions One of the following permissions are required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
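Review bot: the added note has no space between "an" and the code span that follows it, so the text renders run together; it should read "an `HTTP 413 Request Entity Too Large` error response". The footnote marker in `- \* Add any attachments and S/MIME properties to the MIME content.` comes out as a literal asterisk at the start of the bullet and is easy to miss; place it after "S/MIME properties", or fold the 4 MB limit into the bullet itself. It would also help callers to state whether the 4 MB limit is measured before or after the base64 encoding that the MIME bullet requires.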
v1.0 Application https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/application.md
This resource supports using [delta query](/graph/delta-query-overview) to track
|calls |[call](call.md) collection |Read-only. Nullable.| |connectorGroup|[connectorGroup](connectorgroup.md)| The connectorGroup the application is using with Azure AD Application Proxy. Nullable.| |createdOnBehalfOf|[directoryObject](directoryobject.md)| Read-only.|
-|extensionProperties|[extensionProperty](extensionproperty.md) collection| Read-only. Nullable.|
-|federatedIdentityCredentials|[federatedIdentityCredential](federatedidentitycredential.md) collection |Federated identities for applications. This object can only be retrieved on a single GET request (`GET /applications/{id}/federatedIdentityCredentials`).|
+|extensionProperties|[extensionProperty](extensionproperty.md) collection| Read-only. Nullable. Supports `$expand` and `$filter` (`eq` when counting empty collections).|
+|federatedIdentityCredentials|[federatedIdentityCredential](federatedidentitycredential.md) collection |Federated identities for applications. Supports `$expand` and `$filter` (`eq` when counting empty collections).|
|onlineMeetings |[onlineMeeting](onlinemeeting.md) collection|Read-only. Nullable.| |owners|[directoryObject](directoryobject.md) collection|Directory objects that are owners of the application. Read-only. Nullable. Supports `$expand`.| |tokenLifetimePolicies|[tokenLifetimePolicy](tokenLifetimePolicy.md) collection|The tokenLifetimePolicies assigned to this application. Supports `$expand`.|
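Review bot: The federatedIdentityCredentials row drops the sentence "This object can only be retrieved on a single GET request (`GET /applications/{id}/federatedIdentityCredentials`)" and in the same edit starts advertising `$expand`. If the restriction has been lifted, that is fine, but it is worth confirming before removing it; if it still applies to list calls, keep the sentence and scope the `$expand` claim. The phrase "`eq` when counting empty collections" is terse in both rows, and a link to where the syntax is documented would help.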
v1.0 Device https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/device.md
This resource lets you add your own data to custom properties using [extensions]
|onPremisesSyncEnabled|Boolean|`true` if this object is synced from an on-premises directory; `false` if this object was originally synced from an on-premises directory but is no longer synced; `null` if this object has never been synced from an on-premises directory (default). Read-only. Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). | |operatingSystem|String| The type of operating system on the device. Required. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `startsWith`, and `eq` on `null` values). | |operatingSystemVersion|String| Operating system version of the device. Required. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `startsWith`, and `eq` on `null` values). |
-|physicalIds|String collection| For internal use only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`). |
+|physicalIds|String collection| For internal use only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`, and counting empty collections). |
|profileType|String|The profile type of the device. Possible values: `RegisteredDevice` (default), `SecureVM`, `Printer`, `Shared`, `IoT`.| |registrationDateTime|DateTimeOffset|Date and time of when the device was registered. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.|
-|systemLabels|String collection| List of labels applied to the device by the system. |
+|systemLabels|String collection| List of labels applied to the device by the system. Supports `$filter` (`eq` when counting empty collections). |
|hostnames|String collection| List of hostNames for the device.| |trustType|String| Type of trust for the joined device. Read-only. Possible values: `Workplace` (indicates *bring your own personal devices*), `AzureAd` (Cloud only joined devices), `ServerAd` (on-premises domain joined devices joined to Azure AD). For more details, see [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction) | |name| String | Friendly name of a device. Only returned if user signs in with a Microsoft account as part of Project Rome. |
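Review bot: The two added rows describe the same capability in two different ways: physicalIds appends "and counting empty collections" to the operator list, while systemLabels says "`eq` when counting empty collections". Pick one wording and use it in both. For systemLabels, which previously listed no `$filter` support, it would also help to state that the empty-collection count is the only supported filter, if that is the intent.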
v1.0 Group https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/group.md
This resource supports:
| onPremisesSyncEnabled | Boolean | `true` if this group is synced from an on-premises directory; `false` if this group was originally synced from an on-premises directory but is no longer synced; **null** if this object has never been synced from an on-premises directory (default). <br><br>Returned by default. Read-only. Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). | | preferredDataLocation | String | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. To set this property, the calling user must be assigned one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference): <br><ul><li> Global Administrator <li> User Account Administrator <li>Directory Writer <li> Exchange Administrator <li> SharePoint Administrator </ul><br/> For more information about this property, see [OneDrive Online Multi-Geo](/sharepoint/dev/solution-guidance/multigeo-introduction). <br><br>Nullable. Returned by default. | | preferredLanguage | String | The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example `en-US`. <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values). |
-| proxyAddresses | String collection | Email addresses for the group that direct to the same group mailbox. For example: `["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]`. The **any** operator is required for filter expressions on multi-valued properties. <br><br>Returned by default. Read-only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`). |
+| proxyAddresses | String collection | Email addresses for the group that direct to the same group mailbox. For example: `["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]`. The **any** operator is required for filter expressions on multi-valued properties. <br><br>Returned by default. Read-only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`, `endsWith`, and counting empty collections). |
| renewedDateTime | DateTimeOffset | Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the [renew service action](../api/grouplifecyclepolicy-renewgroup.md). The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`). Read-only. | | resourceBehaviorOptions | String collection | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeNewGroupMembers`, `WelcomeEmailDisabled`. For more information, see [Set Microsoft 365 group behaviors and provisioning options](/graph/group-set-options). | | resourceProvisioningOptions | String collection | Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. Possible value is `Team`. For more information, see [Set Microsoft 365 group behaviors and provisioning options](/graph/group-set-options). <br><br>Returned by default. Supports `$filter` (`eq`, `not`, `startsWith`. |
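Review bot: The proxyAddresses row now lists `endsWith` and counting empty collections but does not say whether they need anything beyond a plain `$filter`. The row already calls out that the **any** operator is required, so any further requirement for the new operators belongs next to that sentence or behind a link. While this table is being edited, the resourceProvisioningOptions row in the trailing context ends with an unclosed parenthesis, "(`eq`, `not`, `startsWith`.", which could be fixed in the same change.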
v1.0 Opentypeextension https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/opentypeextension.md
Open extensions (formerly known as Office 365 data extensions) provide an easy w
Open extensions are represented by the **openTypeExtension** resource. Any open extension added to a resource shows up in the **extensions** navigation property, which is derived from the [extension](extension.md) abstract type. Each extension has an **extensionName** property which is the only pre-defined, writable property for all extensions, along with your custom data. One way to help make sure extension names are unique is to use a reverse domain name system (DNS)
-format that is dependent on _your own domain_, for example, `Com.Contoso.ContactInfo`. Do not use the Microsoft domain (`Com.Microsoft` or `Com.OnMicrosoft`) in an extension name.
+format that is dependent on _your own domain_, for example, `com.contoso.ContactInfo`. **Do not use** the Microsoft domain (`com.microsoft` or `com.onmicrosoft`) in an extension name.
Open extension example: [Add custom data to users using open extensions](/graph/extensibility-open-users)
-Open extensions are supported by the following resources in the corresponding versions - general availability (GA: /v1.0 and /beta) or preview (/beta).
+Open extensions are supported by the following resources in the corresponding versions - general availability (/v1.0) or preview (/beta).
| Resource | Version | ||-|
-| [Administrative unit](administrativeunit.md) | GA |
-| [Calendar event](event.md) | GA |
+| [Administrative unit](administrativeunit.md) | GA |
+| [Calendar event](event.md) \* | GA |
| Group [calendar event](event.md) | GA | | Group conversation thread [post](post.md) | GA | | [Device](device.md) | GA |
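Review bot: The legend change from "GA: /v1.0 and /beta" to "general availability (/v1.0)" makes the table read as if GA resources are available only on /v1.0, which is confusing in a file that lives under api-reference/beta. Consider keeping "and /beta" or rewording so it is clear that GA resources remain available on both endpoints. The `\*` marker is added to the Calendar event row only; confirm that the Group calendar event row is meant to stay unmarked.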
Open extensions are supported by the following resources in the corresponding ve
| [Organization](organization.md) | GA | | [Personal contact](contact.md) | GA | | [User](user.md) | GA |
-| [Task](basetask.md) | GA |
-| [Task list](basetasklist.md) | GA |
+| [Task](basetask.md) | GA |
+| [Task list](basetasklist.md) | GA |
+
+>\* **Note:** Due to an existing service limitation, delegates cannot create open extension-appended events in shared mailbox calendars. Attempts to do so will result in an `ErrorAccessDenied` response.
## Outlook-specific considerations
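Review bot: In the added note, "open extension-appended events" is hard to parse; "events that include open extensions" says the same thing more plainly. The Task and Task list rows are removed and re-added with no visible difference, so if that is a whitespace-only change it may be worth dropping it from this update to keep the diff to the footnote.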
v1.0 Orgcontact https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/orgcontact.md
This resource supports using [delta query](/graph/delta-query-overview) to track
| onPremisesProvisioningErrors | [onPremisesProvisioningError](onpremisesprovisioningerror.md) collection | List of any synchronization provisioning errors for this organizational contact. Supports `$filter` (`eq`, `not`). | | onPremisesSyncEnabled | Boolean | **true** if this object is synced from an on-premises directory; **false** if this object was originally synced from an on-premises directory but is no longer synced and now mastered in Exchange; **null** if this object has never been synced from an on-premises directory (default). <br/> <br/>Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). | | phones | [phone](phone.md) collection | List of phones for this organizational contact. Phone types can be mobile, business, and businessFax. Only one of each type can ever be present in the collection. Supports `$filter` (`eq`, `ne`, `not`, `in`). |
-| proxyAddresses | String collection | For example: "SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com". The **any** operator is required for filter expressions on multi-valued properties. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`). |
+| proxyAddresses | String collection | For example: "SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com". The **any** operator is required for filter expressions on multi-valued properties. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`, and counting empty collections). |
| surname | String | Last name for this organizational contact. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values) | ## Relationships
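Review bot: This proxyAddresses row gains "counting empty collections" but not `endsWith`, while the proxyAddresses row in group.md gets both in the same update. Confirm the omission is intentional and not an oversight between the two files. The example addresses here are also bare quoted strings, where the group row formats them as a code-formatted array; aligning the two would help.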
v1.0 Privilegedidentitymanagement Root https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/privilegedidentitymanagement-root.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)] >[!CAUTION]
->The Privileged Identity Management (PIM) API for **Azure AD roles** is deprecated and stopped returning data on May 31, 2021. Use the [role management](/graph/api/resources/rolemanagement?view=graph-rest-beta&preserve-view=true) API and see the [migration guidance below](#migrate-from-pim-v2-to-pim-v3-apis).
+>The Privileged Identity Management (PIM) API for **Azure AD roles** is deprecated and stopped returning data on May 31, 2021. Use the [role management](/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-beta&preserve-view=true) API and see the [migration guidance below](#migrate-from-pim-v2-to-pim-v3-apis).
> >The Privileged Identity Management (PIM) API for **Azure resources** will be deprecated soon. Use the new [Azure REST PIM API for Azure resources](/rest/api/authorization/role-eligibility-schedule-requests). To migrate, see the migration guidance below.
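Review bot: The link target changes to `privilegedidentitymanagementv3-overview`, but the link text still reads "role management", so the caution now sends readers to a page whose title is about the PIM API rather than the role management resource. Update the link text to match the new target, for example "PIM API for role management".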
v1.0 Privilegedidentitymanagementv3 Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/privilegedidentitymanagementv3-overview.md
+
+ Title: "Overview of role management through the privileged identity management (PIM) API"
+description: "Privileged Identity Management (PIM) is a feature of Azure AD Identity Governance that enables you to manage, control, and monitor access to important resources in your organization."
+
+ms.localizationpriority: medium
++
+# Overview of role management through the privileged identity management (PIM) API
+
+Privileged Identity Management (PIM) is a feature of [Azure AD Identity Governance](/azure/active-directory/governance/identity-governance-overview) that enables you to manage, control, and monitor access to important resources in your organization. This access is enabled through privileged roles and role-based access control (RBAC) and can be granted to users, groups, or service principals. The resources can be in Azure AD, Azure, and other Microsoft cloud services such as Microsoft 365 or Microsoft Intune.
+
+The Microsoft Graph PIM API for role management allows you to govern privileged access and limit excessive access. This article introduces the governance capabilities of PIM APIs in Microsoft Graph.
+
+> [!NOTE]
+> To manage Azure resource roles use the [Azure Resource Manager (ARM) APIs for PIM](/rest/api/authorization/privileged-role-eligibility-rest-sample).
+
+## PIM API for managing role assignments
+
+PIM allows you to manage active role assignments by creating permanent assignments or temporary assignments. Use the [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) resource type and its related methods to manage role assignments.
+
+The following table lists scenarios for using PIM to manage role assignments and the APIs to call.
+
+|Scenarios |API |
+|||
+|An administrator creates and assigns to a principal a permanent role assignment <br/> An administrator assigns to a principal a temporary role | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+|An administrator renews, updates, extends, or removes role assignments | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+|An administrator queries all role assignments and their details | [List roleAssignmentScheduleRequests](../api/rbacapplication-list-roleassignmentschedulerequests.md) |
+|An administrator queries a role assignment and its details | [Get unifiedRoleAssignmentScheduleRequest](../api/unifiedroleassignmentschedulerequest-get.md) |
+|A principal queries their role assignments and the details | [unifiedRoleAssignmentScheduleRequest: filterByCurrentUser](../api/unifiedroleassignmentschedulerequest-filterbycurrentuser.md) |
+|A principal performs just-in-time and time-bound activation of their *eligible* role assignment | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+|A principal cancels a role assignment request they created | [unifiedRoleAssignmentScheduleRequest: cancel](../api/unifiedroleassignmentschedulerequest-cancel.md) |
+|A principal that has activated their eligible role assignment deactivates it when they no longer need access | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+|A principal deactivates, extends, or renews their own role assignment. | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+
+## PIM API for managing role eligibilities
+
+Your principals may not require permanent role assignments because they may not require the privileges granted through the privileged role all the time. In this case, PIM also allows you to create role eligibilities and assign them to the principals. With role eligibilities, the principal activates the role when they need to perform privileged tasks. The activation is always time-bound for a maximum of 8 hours. The role eligibility can also be a permanent eligibility or a temporary eligibility.
+
+Use the [unifiedRoleEligibilityScheduleRequest](unifiedroleeligibilityschedulerequest.md) resource type and its related methods to manage role eligibilities.
+
+The following table lists scenarios for using PIM to manage role eligibilities and the APIs to call.
+
+|Scenarios |API |
+|||
+|An administrator creates and assigns to a principal an eligible role <br/> An administrator assigns a temporary role eligibility to a principal | [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) |
+|An administrator renews, updates, extends, or removes role eligibilities | [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) |
+|An administrator queries all role eligibilities and their details | [List roleEligibilityScheduleRequests](../api/rbacapplication-list-roleeligibilityschedulerequests.md) |
+|An administrator queries a role eligibility and its details | [Get unifiedRoleEligibilityScheduleRequest](../api/unifiedroleeligibilityschedulerequest-get.md) |
+|An administrator cancels a role eligibility request they created | [unifiedRoleEligibilityScheduleRequest: cancel](../api/unifiedroleeligibilityschedulerequest-cancel.md) |
+|A principal queries their role eligibilities and the details | [unifiedRoleEligibilityScheduleRequest: filterByCurrentUser](../api/unifiedroleeligibilityschedulerequest-filterbycurrentuser.md) |
+|A principal deactivates, extends, or renews their own role eligibility. | [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) |
++
+## Role settings and PIM
+
+Each Azure AD role defines settings or rules. Such settings include whether multifactor authentication (MFA), justification, or approval is required to activate an eligible role, or whether you can create permanent assignments or eligibilities for principals to the role. These role-specific settings will determine the settings you can apply while creating or managing role assignments and eligibilities through PIM. In Microsoft Graph, these role settings are managed through the [unifiedRoleManagementPolicy](unifiedrolemanagementpolicy.md) and the [unifiedRoleManagementPolicyAssignment](unifiedrolemanagementpolicyassignment.md) resource types and their related methods.
+
+For example, assume that by default, a role doesn't allow permanent active assignments and defines a maximum of 15 days for active assignments. Attempting to create a [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) object without expiry date will return a `400 Bad Request` response code for violation of the expiration rule.
+
+The following table lists scenarios for using PIM to manage Azure AD role settings or rules and the APIs to call.
+
+|Scenarios |API |
+|||
+|Retrieve role management policies and associated rules or settings | [List unifiedRoleManagementPolicies](../api/policyroot-list-rolemanagementpolicies.md) |
+|Retrieve a role management policy and its associated rules or settings | [Get unifiedRoleManagementPolicy](../api/unifiedrolemanagementpolicy-get.md) |
+|Retrieve the rules or settings defined for role management policy | [List rules](../api/unifiedrolemanagementpolicy-list-rules.md) |
+|Retrieve a rule or settings defined for a role management policy | [Get unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-get.md) |
+|Update a rule or setting defined for a role management policy|[Update unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-get.md)|
+|Get the details of all role management policy assignments including the policies and rules or settings associated with the Azure AD roles | [List unifiedRoleManagementPolicyAssignments](../api/policyroot-list-rolemanagementpolicyassignments.md) |
+|Get the details of a role management policy assignment including the policy and rules or settings associated with the Azure AD role | [Get unifiedRoleManagementPolicyAssignment](../api/unifiedrolemanagementpolicyassignment-get.md) |
+
+For more information about role settings, see [Configure Azure AD role settings in Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings).
+
+## PIM and identity security with Zero Trust
+
+PIM APIs support organizations to adopt a Zero Trust approach to secure the identities in their organization. For more information about Zero Trust, see [Securing identity with Zero Trust](/security/zero-trust/deploy/identity).
+
+## Permissions and privileges
+
+To call the [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) and [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) APIs with admin actions, the calling user must:
++ Have a *Global Administrator* or *Privileged Role Administrator* role++ Be granted one of the following permissions:
+ + RoleAssignmentSchedule.ReadWrite.Directory
+ + RoleEligibilitySchedule.ReadWrite.Directory
+ + RoleManagement.ReadWrite.Directory
+
+The principal must also be assigned the appropriate permissions to retrieve their role assignments and eligibilities, or call the [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) and [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) APIs with user actions.
+
+For more information about permissions to call PIM APIs, see the [Microsoft Graph permissions reference: Role management permissions](/graph/permissions-reference#role-management-permissions).
+
+## Licensing
+
+The PIM API requires an Azure AD Premium P2 license. For more information, see [License requirements to use Privileged Identity Management](/azure/active-directory/privileged-identity-management/subscription-requirements).
+
+## See also
+++ [What is Azure AD Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)++ [Tutorial: Use the Privileged Identity Management (PIM) API to assign Azure AD roles](/graph/tutorial-assign-azureadroles)++ You can also set up access reviews of role assignments and eligibilities that are managed through PIM. For more information, see [Tutorial: Use the Privileged Identity Management (PIM) API to assign Azure AD roles](/graph/tutorial-assign-azureadroles).
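Review bot: In the "Role settings and PIM" table, the "Update unifiedRoleManagementPolicyRule" row links to `../api/unifiedrolemanagementpolicyrule-get.md`, the same target as the Get row above it; it should point to the update page. Under "See also", the access reviews bullet links to `/graph/tutorial-assign-azureadroles`, which is the same tutorial as the bullet before it and is not about access reviews. In the role assignments table, the last row ("deactivates, extends, or renews their own role assignment") repeats the deactivation scenario from the row above; merge the two or drop "deactivates" from one of them.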
v1.0 Unifiedroleassignmentschedule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/unifiedroleassignmentschedule.md
Inherits from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md)
## Methods |Method|Return type|Description| |:|:|:|
-|[List unifiedRoleAssignmentSchedules](../api/unifiedroleassignmentschedule-list.md)|[unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) collection|Get a list of the [unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) objects and their properties.|
+|[List unifiedRoleAssignmentSchedules](../api/rbacapplication-list-roleassignmentschedules.md)|[unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) collection|Get a list of the [unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) objects and their properties.|
|[Get unifiedRoleAssignmentSchedule](../api/unifiedroleassignmentschedule-get.md)|[unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md)|Read the properties and relationships of an [unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) object.| |[filterByCurrentUser](../api/unifiedroleassignmentschedule-filterbycurrentuser.md)|[unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) collection|Get a list of the [unifiedRoleAssignmentSchedule](../resources/unifiedroleassignmentschedule.md) objects and their properties granted to a particular user.|
v1.0 Unifiedroleassignmentscheduleinstance https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/unifiedroleassignmentscheduleinstance.md
Inherits from [unifiedRoleScheduleInstanceBase](../resources/unifiedroleschedule
## Methods |Method|Return type|Description| |:|:|:|
-|[List unifiedRoleAssignmentScheduleInstances](../api/unifiedroleassignmentscheduleinstance-list.md)|[unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) collection|Get a list of the [unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) objects and their properties.|
+|[List unifiedRoleAssignmentScheduleInstances](../api/rbacapplication-list-roleassignmentscheduleinstances.md)|[unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) collection|Get a list of the [unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) objects and their properties.|
|[Get unifiedRoleAssignmentScheduleInstance](../api/unifiedroleassignmentscheduleinstance-get.md)|[unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md)|Read the properties and relationships of an [unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) object.| |[filterByCurrentUser](../api/unifiedroleassignmentscheduleinstance-filterbycurrentuser.md)|[unifiedRoleAssignmentScheduleInstance](../resources/unifiedroleassignmentscheduleinstance.md) collection|Get a list of the [unifiedRoleAssignmentScheduleInstance](../resources/unifiedRoleAssignmentScheduleInstance.md) objects and their properties granted to a particular user.|
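Review bot: The filterByCurrentUser row in the trailing context links to `../resources/unifiedRoleAssignmentScheduleInstance.md` in mixed case, while every other link in this table uses the lowercase file name. Since this change is already correcting link targets in the table, lowercase that one as well so it does not depend on case-insensitive path resolution.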
v1.0 Unifiedroleassignmentschedulerequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/unifiedroleassignmentschedulerequest.md
Inherits from [request](request.md).
## Methods |Method|Return type|Description| |:|:|:|
-|[List unifiedRoleAssignmentScheduleRequests](../api/unifiedroleassignmentschedulerequest-list.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) collection|Get a list of the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) objects and their properties.|
-|[Create unifiedRoleAssignmentScheduleRequest](../api/unifiedroleassignmentschedulerequest-post-unifiedroleassignmentschedulerequests.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md)|Create a new [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object.|
+|[List unifiedRoleAssignmentScheduleRequests](../api/rbacapplication-list-roleassignmentschedulerequests.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) collection|Get a list of the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) objects and their properties.|
+|[Create unifiedRoleAssignmentScheduleRequest](../api/rbacapplication-post-roleassignmentschedulerequests.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md)|Create a new [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object.|
|[Get unifiedRoleAssignmentScheduleRequest](../api/unifiedroleassignmentschedulerequest-get.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md)|Read the properties and relationships of an [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object.| |[filterByCurrentUser](../api/unifiedroleassignmentschedulerequest-filterbycurrentuser.md)|[unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) collection|Get a list of the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) objects and their properties that are related to a particular user.| |[cancel](../api/unifiedroleassignmentschedulerequest-cancel.md)|None|Cancels a [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) immediately and marks it for deletion in 30 days|
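Review bot: The retargeted rows keep the link text "List unifiedRoleAssignmentScheduleRequests" and "Create unifiedRoleAssignmentScheduleRequest", but the PIM overview added in this same update refers to those pages as "List roleAssignmentScheduleRequests" and "Create roleAssignmentScheduleRequests". Use one name for each page across the set; the same applies to the matching rows in the eligibility schedule request table.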
v1.0 Unifiedroleeligibilityschedule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/unifiedroleeligibilityschedule.md
Inherits from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md)
## Methods |Method|Return type|Description| |:|:|:|
-|[List unifiedRoleEligibilitySchedules](../api/unifiedroleeligibilityschedule-list.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) collection|Get a list of the [unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) objects and their properties.|
+|[List unifiedRoleEligibilitySchedules](../api/rbacapplication-list-roleeligibilityschedules.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) collection|Get a list of the [unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) objects and their properties.|
|[Get unifiedRoleEligibilitySchedule](../api/unifiedroleeligibilityschedule-get.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md)|Read the properties and relationships of an [unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) object.| |[filterByCurrentUser](../api/unifiedroleeligibilityschedule-filterbycurrentuser.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) collection|Get a list of the [unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) objects and their properties granted to a particular user.|
v1.0 Unifiedroleeligibilityscheduleinstance https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/unifiedroleeligibilityscheduleinstance.md
Inherits from [unifiedRoleScheduleInstanceBase](../resources/unifiedroleschedule
## Methods |Method|Return type|Description| |:|:|:|
-|[List unifiedRoleEligibilityScheduleInstances](../api/unifiedroleeligibilityscheduleinstance-list.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) collection|Get a list of the [unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) objects and their properties.|
+|[List unifiedRoleEligibilityScheduleInstances](../api/rbacapplication-list-roleeligibilityscheduleinstances.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) collection|Get a list of the [unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) objects and their properties.|
|[Get unifiedRoleEligibilityScheduleInstance](../api/unifiedroleeligibilityscheduleinstance-get.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md)|Read the properties and relationships of an [unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) object.| |[filterByCurrentUser](../api/unifiedroleeligibilityscheduleinstance-filterbycurrentuser.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) collection|Get a list of the [unifiedRoleEligibilityInstance](../resources/unifiedroleeligibilityscheduleinstance.md) objects and their properties granted to a particular user.|
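Review bot: The filterByCurrentUser row in the trailing context has the link text "unifiedRoleEligibilityInstance", which is missing "Schedule"; the target file and every other mention use unifiedRoleEligibilityScheduleInstance. It is outside the changed line but in the same table, so it is worth fixing in this change.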
v1.0 Unifiedroleeligibilityschedulerequest https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/unifiedroleeligibilityschedulerequest.md
Inherits from [request](request.md).
## Methods |Method|Return type|Description| |:|:|:|
-|[List unifiedRoleEligibilityScheduleRequests](../api/unifiedroleeligibilityschedulerequest-list.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) collection|Get a list of the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) objects and their properties.|
-|[Create unifiedRoleEligibilityScheduleRequest](../api/unifiedroleeligibilityschedulerequest-post-unifiedroleeligibilityschedulerequests.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md)|Create a new [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object.|
+|[List unifiedRoleEligibilityScheduleRequests](../api/rbacapplication-list-roleeligibilityschedulerequests.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) collection|Get a list of the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) objects and their properties.|
+|[Create unifiedRoleEligibilityScheduleRequest](../api/rbacapplication-post-roleeligibilityschedulerequests.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md)|Create a new [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object.|
|[Get unifiedRoleEligibilityScheduleRequest](../api/unifiedroleeligibilityschedulerequest-get.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md)|Read the properties and relationships of an [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object.| |[filterByCurrentUser](../api/unifiedroleeligibilityschedulerequest-filterbycurrentuser.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) collection|Get a list of the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) objects and their properties that are related to a particular user.| |[cancel](../api/unifiedroleeligibilityschedulerequest-cancel.md)|None|Cancels a [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) immediately and marks it for deletion in 30 days|
v1.0 Unifiedrolemanagementpolicy https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/unifiedrolemanagementpolicy.md
A unifiedRoleManagementPolicy specifies the various policies associated with a A
## Methods |Method|Return type|Description| |:|:|:|
-|[List unifiedRoleManagementPolicies](../api/unifiedrolemanagementpolicy-list.md)|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) collection|Get a list of the [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) objects and their properties.|
+|[List unifiedRoleManagementPolicies](../api/policyroot-list-rolemanagementpolicies.md)|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) collection|Get a list of the [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) objects and their properties.|
|[Get unifiedRoleManagementPolicy](../api/unifiedrolemanagementpolicy-get.md)|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md)|Read the properties and relationships of an [unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md) object given the scope.| |[List rules](../api/unifiedrolemanagementpolicy-list-rules.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) collection|Get the unifiedRoleManagementPolicyRule resources from the rules navigation property.| |[Get rules](../api/unifiedrolemanagementpolicyrule-get.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) collection|Get the rules for a unifiedRoleManagementPolicyRule object.|
v1.0 Unifiedrolemanagementpolicyassignment https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/unifiedrolemanagementpolicyassignment.md
A unifiedRoleManagementPolicyAssignment assigns the policy to a specific scope a
## Methods |Method|Return type|Description| |:|:|:|
-|[List unifiedRoleManagementPolicyAssignments](../api/unifiedrolemanagementpolicyassignment-list.md)|[unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) collection|Get a list of the [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) objects and their properties.|
+|[List unifiedRoleManagementPolicyAssignments](../api/policyroot-list-rolemanagementpolicyassignments.md)|[unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) collection|Get a list of the [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) objects and their properties.|
|[Get unifiedRoleManagementPolicyAssignment](../api/unifiedrolemanagementpolicyassignment-get.md)|[unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md)|Read the properties and relationships of an [unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) object.| ## Properties
v1.0 Unifiedrolemanagementpolicyrule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/unifiedrolemanagementpolicyrule.md
A unifiedRoleManagementPolicyRule specifies the rule associated with a role mana
## Methods |Method|Return type|Description| |:|:|:|
-|[List unifiedRoleManagementPolicyRules](../api/unifiedrolemanagementpolicyrule-list.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) collection|Get a list of the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) objects and their properties.|
+|[List unifiedRoleManagementPolicyRules](../api/unifiedrolemanagementpolicy-list-rules.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) collection|Get a list of the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) objects and their properties.|
|[Get unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-get.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md)|Read the properties and relationships of an [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object.| |[Update unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-update.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md)|Update the properties of an [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object.|
v1.0 User https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/user.md
This resource supports:
| aboutMe | String | A freeform text entry field for the user to describe themselves. <br><br>Returned only on `$select`. | | accountEnabled | Boolean | `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. <br><br>Supports `$filter` (`eq`, `ne`, `not`, and `in`). | | ageGroup | [ageGroup](#agegroup-values) | Sets the age group of the user. Allowed values: `null`, `Minor`, `NotAdult` and `Adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Supports `$filter` (`eq`, `ne`, `not`, and `in`). |
-| assignedLicenses | [assignedLicense](assignedlicense.md) collection | The licenses that are assigned to the user, including inherited (group-based) licenses. <br><br>Not nullable. Supports `$filter` (`eq` and `not`). |
+| assignedLicenses | [assignedLicense](assignedlicense.md) collection | The licenses that are assigned to the user, including inherited (group-based) licenses. <br><br>Not nullable. Supports `$filter` (`eq`, `not`, and counting empty collections). |
| assignedPlans | [assignedPlan](assignedplan.md) collection | The plans that are assigned to the user. Read-only. Not nullable.<br><br>Supports `$filter` (`eq` and `not`). | | birthday | DateTimeOffset | The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z` <br><br>Returned only on `$select`. | | businessPhones | String collection | The telephone numbers for the user. Only one number can be set for this property. <br><br>Read-only for users synced from on-premises directory. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`).|
This resource supports:
| onPremisesSecurityIdentifier | String | Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. Read-only. Supports `$filter` (`eq` including on `null` values). | | onPremisesSyncEnabled | Boolean | `true` if this object is synced from an on-premises directory; `false` if this object was originally synced from an on-premises directory but is no longer synced; `null` if this object has never been synced from an on-premises directory (default). Read-only. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). | | onPremisesUserPrincipalName | String | Contains the on-premises `userPrincipalName` synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. Read-only. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`). |
-| otherMails | String collection | A list of additional email addresses for the user; for example: `["bob@contoso.com", "Robert@fabrikam.com"]`.<br>NOTE: This property cannot contain accent characters.<br><br>Supports `$filter` (`eq`, `not`, `ge`, `le`, `in`, `startsWith`). |
+| otherMails | String collection | A list of additional email addresses for the user; for example: `["bob@contoso.com", "Robert@fabrikam.com"]`.<br>NOTE: This property cannot contain accent characters.<br><br>Supports `$filter` (`eq`, `not`, `ge`, `le`, `in`, `startsWith`, and counting empty collections). |
| passwordPolicies | String | Specifies password policies for the user. This value is an enumeration with one possible value being `DisableStrongPassword`, which allows weaker passwords than the default policy to be specified. `DisablePasswordExpiration` can also be specified. The two may be specified together; for example: `DisablePasswordExpiration, DisableStrongPassword`. For more information on the default password policies, see [Azure AD pasword policies](/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts). <br><br>Supports `$filter` (`ne`, `not`, and `eq` on `null` values).| | passwordProfile | [passwordProfile](passwordprofile.md) | Specifies the password profile for the user. The profile contains the user's password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the **passwordPolicies** property. By default, a strong password is required. **NOTE:** For Azure B2C tenants, the **forceChangePasswordNextSignIn** property should be set to `false` and instead use custom policies and user flows to force password reset at first logon. See [Force password reset at first logon](https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-first-logon). <br><br>Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values).| | pastProjects | String collection | A list for the user to enumerate their past projects. <br><br>Returned only on `$select`. |
This resource supports:
| preferredLanguage | String | The preferred language for the user. Should follow ISO 639-1 Code; for example `en-US`. <br><br>Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values). | | preferredName | String | The preferred name for the user. <br><br>Returned only on `$select`. | | provisionedPlans | [provisionedPlan](provisionedplan.md) collection | The plans that are provisioned for the user. Read-only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`).|
-| proxyAddresses | String collection | For example: `["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]`. Changes to the **mail** property will also update this collection to include the value as an SMTP address. For more information, see [mail and proxyAddresses properties](#mail-and-proxyaddresses-properties). The proxy address prefixed with `SMTP` (capitalized) is the primary proxy address while those prefixed with `smtp` are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of ten unique addresses. Read-only in Microsoft Graph; you can update this property only through the [Microsoft 365 admin center](/exchange/recipients-in-exchange-online/manage-user-mailboxes/add-or-remove-email-addresses). Not nullable. <br><br>Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`). |
+| proxyAddresses | String collection | For example: `["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]`. Changes to the **mail** property will also update this collection to include the value as an SMTP address. For more information, see [mail and proxyAddresses properties](#mail-and-proxyaddresses-properties). The proxy address prefixed with `SMTP` (capitalized) is the primary proxy address while those prefixed with `smtp` are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of ten unique addresses. Read-only in Microsoft Graph; you can update this property only through the [Microsoft 365 admin center](/exchange/recipients-in-exchange-online/manage-user-mailboxes/add-or-remove-email-addresses). Not nullable. <br><br>Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`, `endsWith`, and counting empty collections). |
| refreshTokensValidFromDateTime | DateTimeOffset | Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint. Read-only. Use [invalidateAllRefreshTokens](../api/user-invalidateallrefreshtokens.md) to reset.| | responsibilities | String collection | A list for the user to enumerate their responsibilities. <br><br>Returned only on `$select`. | | schools | String collection | A list for the user to enumerate the schools they have attended. <br><br>Returned only on `$select`. |
v1.0 Rbacapplication Post Roleassignmentschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-post-roleassignmentschedulerequests.md
Title: "Create unifiedRoleAssignmentScheduleRequest"
+ Title: "Create roleAssignmentScheduleRequests"
description: "In PIM, request for an active and persistent role assignment through the unifiedRoleAssignmentScheduleRequest object. Use this API to activate eligible roles." ms.localizationpriority: medium
ms.prod: "governance"
doc_type: apiPageType
-# Create unifiedRoleAssignmentScheduleRequest
+# Create roleAssignmentScheduleRequests
Namespace: microsoft.graph In PIM, carry out the following operations through the [unifiedRoleAssignmentScheduleRequest](../resources/unifiedroleassignmentschedulerequest.md) object:
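Review bot: The new title and H1 use the plural "roleAssignmentScheduleRequests", but the description and the intro sentence both describe creating a single unifiedRoleAssignmentScheduleRequest object. Use the singular in the title and heading, or explain why the navigation property name is used here instead of the resource name.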
You can specify the following properties when creating an **unifiedRoleAssignmen
|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object that is being assigned. Required.| |directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Either **directoryScopeId** or **appScopeId** is required.| |appScopeId|String|Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Either **directoryScopeId** or **appScopeId** is required.|
-|justification|String|A message provided by users and administrators when create they create the **unifiedRoleAssignmentScheduleRequest** object. Optional.|
-|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role assignment request. Recurring schedules are currently unsupported. Required.|
+|justification|String|A message provided by users and administrators when create they create the **unifiedRoleAssignmentScheduleRequest** object. Optional. Whether this property is required or optional is also dependent on the [settings for the Azure AD role](../api/unifiedrolemanagementpolicy-list-rules.md).|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role assignment request. Required. The period of assignment is dependent on the [settings of the Azure AD role](../api/unifiedrolemanagementpolicy-list-rules.md).|
|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|Ticket details linked to the role assignment request including details of the ticket number and ticket system. Optional.|
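Review bot: The rewritten justification row keeps the typo "when create they create"; it should read "when they create". The row also now says "Optional." and then that required or optional depends on the role settings, which reads as a contradiction. Suggest one statement such as "Optional unless the settings for the Azure AD role require a justification."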
If successful, this method returns a `201 Created` response code and an [unified
### Example 1: Admin assigning a directory role to a principal
+In the following request, the admin creates a request to assign a role identified by `fdd7a751-b60b-444a-984c-02652fe8fa1c` to a principal identified by ID `071cc716-8147-4397-a5ba-b2105951cc0b`. The scope of their role is all directory objects in the tenant and the assignment is permanent.
+ #### Request # [HTTP](#tab/http)
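Review bot: The new description for Example 1 says the assignment is tenant-wide and permanent, while the scheduleInfo row changed in this same file says the period of assignment depends on the settings of the Azure AD role. State here whether this request is rejected when the role's settings do not allow permanent assignments, and link to the list-rules page. Minor: "a role identified by" and "a principal identified by ID" should use the same phrasing.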
v1.0 Rbacapplication Post Roleeligibilityschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/rbacapplication-post-roleeligibilityschedulerequests.md
Title: "Create unifiedRoleEligibilityScheduleRequest"
+ Title: "Create roleEligibilityScheduleRequest"
description: "In PIM, request for a role eligibility for a principal through the unifiedRoleEligibilityScheduleRequest object." ms.localizationpriority: medium
ms.prod: "governance"
doc_type: apiPageType
-# Create unifiedRoleEligibilityScheduleRequest
+# Create roleEligibilityScheduleRequest
Namespace: microsoft.graph In PIM, request for a role eligibility for a principal through the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object. This operation allows both admins and eligible users to add, revoke, or extend eligible assignments.
You can specify the following properties when creating an **unifiedRoleEligibili
|appScopeId|String|Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Either **directoryScopeId** or **appScopeId** is required.| |directoryScopeId|String|Identifier of the directory object representing the scope of the role eligibility. The scope of an role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Either **directoryScopeId** or **appScopeId** is required.| |isValidationOnly|Boolean|Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request. Optional.|
-|justification|String|A message provided by users and administrators when create they create the **unifiedRoleEligibilityScheduleRequest** object. Optional when **action** is `adminRemove`.|
+|justification|String|A message provided by users and administrators when create they create the **unifiedRoleEligibilityScheduleRequest** object. Optional when **action** is `adminRemove`. Whether this property is required or optional is also dependent on the [settings for the Azure AD role](../api/unifiedrolemanagementpolicy-list-rules.md).|
|principalId|String|Identifier of the principal that has been granted the role eligibility. Required.| |roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object that is being assigned to the principal. Required.|
-|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role eligibility. Recurring schedules are currently unsupported. Optional when **action** is `adminRemove`.|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role eligibility. Optional when **action** is `adminRemove`. The period of eligibility is dependent on the [settings of the Azure AD role](../api/unifiedrolemanagementpolicy-list-rules.md).|
|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|Ticket details linked to the role eligibility request including details of the ticket number and ticket system. Optional|
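Review bot: In the scheduleInfo row, "Recurring schedules are currently unsupported." is dropped and replaced with a sentence about role settings, which says nothing about recurrence. If recurring schedules are still unsupported, keep that sentence alongside the new one; if they are now supported, the change should say so. The justification row also still reads "when create they create".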
v1.0 Unifiedroleassignmentschedulerequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleassignmentschedulerequest-filterbycurrentuser.md
Namespace: microsoft.graph
In PIM, retrieve the requests for active role assignments for a particular principal. The principal can be the creator or approver of the **unifiedRoleAssignmentScheduleRequest** object, or they can be the target of the assignment.
+> [!NOTE]
+> This API doesn't return active role assignments through group memberships.
+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
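Review bot: The added note says the API doesn't return "active role assignments" through group memberships, but the paragraph above it says this API retrieves requests for active role assignments, not the assignments themselves. Reword the note to name what is actually omitted from the response, so readers do not take it as a statement about a different endpoint.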
v1.0 Unifiedroleeligibilityschedulerequest Filterbycurrentuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedroleeligibilityschedulerequest-filterbycurrentuser.md
Namespace: microsoft.graph
In PIM, retrieve the requests for role eligibilities for a particular principal. The principal can be the creator or approver of the **unifiedRoleEligibilityScheduleRequest** object, or they can be the target of the role eligibility.
+> [!NOTE]
+> This API doesn't return eligible role assignments through group memberships.
+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
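Review bot: The added note uses "eligible role assignments", while the description directly above uses "role eligibilities" for the same concept. Pick one term for this page; mixing them suggests two different object types. The note should also refer to requests, since that is what this API returns.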
v1.0 Unifiedrolemanagementpolicy List Rules https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedrolemanagementpolicy-list-rules.md
Title: "List rules (for a role management policy)"
-description: "Get the rules defined for a role management policy."
+description: "Get the rules or settings defined for a role management policy."
ms.localizationpriority: medium ms.prod: "governance"
doc_type: apiPageType
# List rules (for a role management policy) Namespace: microsoft.graph
-Get the rules defined for a role management policy. The rules are a collection of following types that are derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object:
+Get the rules or settings defined for a role management policy. The rules are a collection of following types that are derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object:
+ [unifiedRoleManagementPolicyApprovalRule](../resources/unifiedrolemanagementpolicyapprovalrule.md) + [unifiedRoleManagementPolicyAuthenticationContextRule](../resources/unifiedrolemanagementpolicyauthenticationcontextrule.md) + [unifiedRoleManagementPolicyEnablementRule](../resources/unifiedrolemanagementpolicyenablementrule.md)
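Review bot: "rules or settings" is introduced in the description and first sentence, but the title, the H1 and the very next sentence ("The rules are a collection of...") still say only "rules", so it is unclear whether "settings" is a synonym or something separate. Say once that the rules are what the portal calls role settings, then use one term. The edited sentence also still reads "a collection of following types"; it needs "the".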
v1.0 Unifiedrolemanagementpolicyrule Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/unifiedrolemanagementpolicyrule-get.md
Title: "Get unifiedRoleManagementPolicyRule"
-description: "Retrieve a rule defined for a role management policy."
+description: "Retrieve a rule or settings defined for a role management policy."
ms.localizationpriority: medium ms.prod: "governance"
doc_type: apiPageType
# Get unifiedRoleManagementPolicyRule Namespace: microsoft.graph
-Retrieve a rule defined for a role management policy. The rule can be one of the following types that are derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object:
+Retrieve a rule or settings defined for a role management policy. The rule can be one of the following types that are derived from the [unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md) object:
+ [unifiedRoleManagementPolicyApprovalRule](../resources/unifiedrolemanagementpolicyapprovalrule.md) + [unifiedRoleManagementPolicyAuthenticationContextRule](../resources/unifiedrolemanagementpolicyauthenticationcontextrule.md) + [unifiedRoleManagementPolicyEnablementRule](../resources/unifiedrolemanagementpolicyenablementrule.md)
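Review bot: "Retrieve a rule or settings" mixes a singular and a plural noun in both the description and the body sentence, and the following sentence continues with "The rule can be one of..." only. Suggest "Retrieve a rule (setting) defined for a role management policy" or a similar form that keeps the number consistent.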
v1.0 User Post Messages https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/user-post-messages.md
When using JSON format, you can:
When using MIME format: - Provide the applicable [Internet message headers](https://tools.ietf.org/html/rfc2076) and the [MIME content](https://tools.ietf.org/html/rfc2045), all encoded in **base64** format in the request body.-- Add any attachments and S/MIME properties to the MIME content.
+- \* Add any attachments and S/MIME properties to the MIME content.
By default, this operation saves the draft in the Drafts folder.
By default, this operation saves the draft in the Drafts folder.
Alternatively, [send a new message](../api/user-sendmail.md) in a single operation, or create a draft to [forward](../api/message-createforward.md), [reply](../api/message-createreply.md) and [reply-all](../api/message-createreplyall.md) to an existing message.
+>\* **Note:** S/MIME message payloads are currently limited to 4 MB. Submission attempts that exceed this limit will result in an`HTTP 413 Request Entity Too Large` error response.
+ ## Permissions One of the following permissions are required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
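Review bot: In the added S/MIME note, "an" runs straight into the code span (an`HTTP 413 Request Entity Too Large`); a space is missing. The footnote pairing also relies on an escaped asterisk at the start of the bullet ("- \* Add any attachments..."), which is easy to misread as a nested list marker. Consider stating the 4 MB limit in the bullet itself or in a standard note block.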
v1.0 Application https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/application.md
This resource supports using [delta query](/graph/delta-query-overview) to track
| Relationship | Type | Description | |:|:--|:-| |createdOnBehalfOf|[directoryObject](directoryobject.md)| Read-only.|
-|extensionProperties|[extensionProperty](extensionproperty.md) collection| Read-only. Nullable.|
+|extensionProperties|[extensionProperty](extensionproperty.md) collection| Read-only. Nullable. Supports `$expand` and `$filter` (`eq` when counting empty collections).|
|owners|[directoryObject](directoryobject.md) collection|Directory objects that are owners of the application. Read-only. Nullable. Supports `$expand`.| ## JSON representation
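Review bot: The extensionProperties row says `$filter` is supported with "`eq` when counting empty collections", while the other property rows changed in this same set of updates say "and counting empty collections" after the operator list. Use one wording across the resource pages and link it to the page that shows the filter syntax, since "counting empty collections" on its own does not tell the reader what to put in the query.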
v1.0 Device https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/device.md
This resource lets you add your own data to custom properties using [extensions]
|onPremisesSyncEnabled|Boolean|`true` if this object is synced from an on-premises directory; `false` if this object was originally synced from an on-premises directory but is no longer synced; `null` if this object has never been synced from an on-premises directory (default). Read-only. Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). | |operatingSystem|String| The type of operating system on the device. Required. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `startsWith`, and `eq` on `null` values). | |operatingSystemVersion|String|The version of the operating system on the device. Required. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `startsWith`, and `eq` on `null` values). |
-|physicalIds|String collection| For internal use only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`). |
+|physicalIds|String collection| For internal use only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`, and counting empty collections). |
|profileType|deviceProfileType|The profile type of the device. Possible values: `RegisteredDevice` (default), `SecureVM`, `Printer`, `Shared`, `IoT`.|
-|systemLabels|String collection| List of labels applied to the device by the system. |
+|systemLabels|String collection| List of labels applied to the device by the system. Supports `$filter` (`eq` when counting empty collections). |
|trustType|String| Type of trust for the joined device. Read-only. Possible values: `Workplace` (indicates *bring your own personal devices*), `AzureAd` (Cloud only joined devices), `ServerAd` (on-premises domain joined devices joined to Azure AD). For more details, see [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction) | ## Relationships
v1.0 Expirationpattern https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/expirationpattern.md
Namespace: microsoft.graph
In [Azure AD entitlement management](entitlementmanagement-overview.md), an access package assignment request is created by a user who wants to obtain an access package assignment. This request can include a schedule for when the user would like to have an assignment. An access package assignment that results from such a request also has a schedule. The expiration field of an [entitlementManagementSchedule](entitlementmanagementschedule.md) indicates when the access package assignment should expire.
-In PIM, use this resource to define when a [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) or [unifiedRoleEligibilityScheduleRequest](unifiedroleeligibilityschedulerequest.md) object expires.
+In PIM, use this resource to define when a [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) or [unifiedRoleEligibilityScheduleRequest](unifiedroleeligibilityschedulerequest.md) object expires. The settings allowed for this object are dependent on the [settings for the Azure AD role](../api/unifiedrolemanagementpolicy-list-rules.md). For example, if the settings of the Azure AD role specifies that permanent eligible assignments aren't allowed, specifying `noExpiration` for the **type** property returns an error.
## Properties |Property|Type|Description|
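Review bot: In the added text, "if the settings of the Azure AD role specifies" has a subject-verb mismatch; it should be "specify". The example also covers only permanent eligible assignments, although the sentence before it names both unifiedRoleAssignmentScheduleRequest and unifiedRoleEligibilityScheduleRequest. Say whether `noExpiration` is handled the same way for active assignments.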
v1.0 Group https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/group.md
This resource supports:
| onPremisesSyncEnabled | Boolean | `true` if this group is synced from an on-premises directory; `false` if this group was originally synced from an on-premises directory but is no longer synced; **null** if this object has never been synced from an on-premises directory (default). <br><br>Returned by default. Read-only. Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). | | preferredDataLocation | String | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. To set this property, the calling user must be assigned one of the following [Azure AD roles](/azure/active-directory/roles/permissions-reference): <br><ul><li> Global Administrator <li> User Account Administrator <li>Directory Writer <li> Exchange Administrator <li> SharePoint Administrator </ul><br/> For more information about this property, see [OneDrive Online Multi-Geo](/sharepoint/dev/solution-guidance/multigeo-introduction). <br><br>Nullable. Returned by default. | | preferredLanguage | String | The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example `en-US`. <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values). |
-| proxyAddresses | String collection | Email addresses for the group that direct to the same group mailbox. For example: `["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]`. The **any** operator is required to filter expressions on multi-valued properties. <br><br>Returned by default. Read-only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`). |
+| proxyAddresses | String collection | Email addresses for the group that direct to the same group mailbox. For example: `["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]`. The **any** operator is required to filter expressions on multi-valued properties. <br><br>Returned by default. Read-only. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`, `endsWith`, and counting empty collections). |
| renewedDateTime | DateTimeOffset | Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the [renew service action](../api/group-renew.md). The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`). Read-only. | | resourceBehaviorOptions | String collection | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeNewGroupMembers`, `WelcomeEmailDisabled`. For more information, see [Set Microsoft 365 group behaviors and provisioning options](/graph/group-set-options). | | resourceProvisioningOptions | String collection | Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. Possible value is `Team`. For more information, see [Set Microsoft 365 group behaviors and provisioning options](/graph/group-set-options). |
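Review bot: In the updated proxyAddresses row, "counting empty collections" is appended to a backticked list of `$filter` operators, but it is not an operator and the row gives no syntax or link for it. Add a short example expression or a link to the filter documentation, and say whether `endsWith` and the count filter need any request options beyond a plain `$filter`.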
v1.0 Opentypeextension https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/opentypeextension.md
Open extensions (formerly known as Office 365 data extensions) provide an easy w
Open extensions are represented by the **openTypeExtension** resource. Any open extension added to a resource shows up in the **extensions** navigation property, which is derived from the [extension](extension.md) abstract type. Each extension has an **extensionName** property which is the only pre-defined, writable property for all extensions, along with your custom data.
-One way to help make sure extension names are unique is to use a reverse domain name system (DNS) format that is dependent on _your own domain_, for example, `Com.Contoso.ContactInfo`. Do not use the Microsoft domain (`Com.Microsoft` or `Com.OnMicrosoft`) in an extension name.
+One way to help make sure extension names are unique is to use a reverse domain name system (DNS) format that is dependent on _your own domain_, for example, `com.contoso.ContactInfo`. **Do not use** the Microsoft domains (`com.microsoft` or `com.onmicrosoft`) in an extension name.
Open extension example: [Add custom data to users using open extensions](/graph/extensibility-open-users)
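Review bot: The example changes from `Com.Contoso.ContactInfo` to `com.contoso.ContactInfo` and the reserved prefixes from `Com.Microsoft` to `com.microsoft`, but the paragraph does not say whether extension names are compared case-sensitively. Readers who followed the earlier capitalized example cannot tell whether the old form is still acceptable or whether the reserved-prefix rule also covers `Com.Microsoft`. One sentence on case handling would settle it.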
-Open extensions are supported by the following resources in the corresponding versions - general availability (GA: /v1.0 and /beta) or preview (/beta).
+Open extensions are supported by the following resources in the corresponding versions - general availability (/v1.0) or preview (/beta).
|Resource |Version | |:|:-| | [Administrative unit](/graph/api/resources/administrativeunit) | GA |
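Review bot: The reworded sentence drops the "GA:" abbreviation ("general availability (/v1.0) or preview (/beta)"), yet the Version column of the table that follows still uses "GA" in every visible row. Keep the abbreviation defined, for example "general availability (GA: /v1.0)", or spell the value out in the table.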
-| [Calendar event](event.md) | GA |
+| [Calendar event](event.md) \* | GA |
| Group [calendar event](event.md) | GA | | Group conversation thread [post](post.md) | GA | | [device](device.md) | GA |
Open extensions are supported by the following resources in the corresponding ve
| [Task](todotask.md) | GA | | [Task list](todotasklist.md) | GA |
+>\* **Note:** Due to an existing service limitation, delegates cannot create open extension-appended events in shared mailbox calendars. Attempts to do so will result in an `ErrorAccessDenied` response.
+ ## Outlook-specific considerations Each open extension present on an Outlook resource (event, message, or personal contact) is stored in a [MAPI named property](/office/client-developer/outlook/mapi/mapi-named-properties). When you create open extensions for Outlook, consider that MAPI named properties are a finite resource in a user's mailbox. When a user's named property quota is exhausted, you can't create any more named properties for that user. This can result in unexpected behavior from clients that rely on named properties to function.
v1.0 Orgcontact https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/orgcontact.md
This resource supports using [delta query](/graph/delta-query-overview) to track
| onPremisesProvisioningErrors | [onPremisesProvisioningError](onpremisesprovisioningerror.md) collection | List of any synchronization provisioning errors for this organizational contact. Supports `$filter` (`eq`, `not`). | | onPremisesSyncEnabled | Boolean | `true` if this object is synced from an on-premises directory; `false` if this object was originally synced from an on-premises directory but is no longer synced and now mastered in Exchange; `null` if this object has never been synced from an on-premises directory (default). <br/> <br/> Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values). | | phones | [phone](phone.md) collection | List of phones for this organizational contact. Phone types can be mobile, business, and businessFax. Only one of each type can ever be present in the collection. |
-| proxyAddresses | String collection | For example: "SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com". The **any** operator is required for filter expressions on multi-valued properties. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`). |
+| proxyAddresses | String collection | For example: "SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com". The **any** operator is required for filter expressions on multi-valued properties. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`, and counting empty collections). |
| surname | String | Last name for this organizational contact. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values). | ## Relationships
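Review bot: The orgContact proxyAddresses row gains "counting empty collections" but not `endsWith`, whereas the group and user proxyAddresses rows in this same update gain both. If the difference is intentional, it is worth a word in the row; if not, add `endsWith` here. The example in this row is also still plain quoted text rather than the backticked array form `["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]` used in the other two resources.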
v1.0 Privilegedidentitymanagementv3 Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/privilegedidentitymanagementv3-overview.md
doc_type: resourcePageType
# Overview of role management through the privileged identity management (PIM) API
-Namespace: microsoft.graph
-
-Privileged Identity Management (PIM) is a feature of [Azure AD Identity Governance](/azure/active-directory/governance/identity-governance-overview) that enables you to manage, control, and monitor access to important resources in your organization. This access is enabled through privileged roles and role-based access control (RBAC) and can be granted to users, groups, or service principals. The resources can be in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.
+Privileged Identity Management (PIM) is a feature of [Azure AD Identity Governance](/azure/active-directory/governance/identity-governance-overview) that enables you to manage, control, and monitor access to important resources in your organization. This access is enabled through privileged roles and role-based access control (RBAC) and can be granted to users, groups, or service principals. The resources can be in Azure AD, Azure, and other Microsoft cloud services such as Microsoft 365 or Microsoft Intune.
The Microsoft Graph PIM API for role management allows you to govern privileged access and limit excessive access. This article introduces the governance capabilities of PIM APIs in Microsoft Graph.
The Microsoft Graph PIM API for role management allows you to govern privileged
## PIM API for managing role assignments
-PIM allows you to manage active role assignments by creating permanent assignments or temporary assignments. Use the [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) resource type and it's related methods to manage role assignments.
+PIM allows you to manage active role assignments by creating permanent assignments or temporary assignments. Use the [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) resource type and its related methods to manage role assignments.
-The following table lists scenarios for using PIM to manage role assignments and the APIs to call:
+The following table lists scenarios for using PIM to manage role assignments and the APIs to call.
|Scenarios |API | |||
The following table lists scenarios for using PIM to manage role assignments and
|A principal performs just-in-time and time-bound activation of their *eligible* role assignment | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) | |A principal cancels a role assignment request they created | [unifiedRoleAssignmentScheduleRequest: cancel](../api/unifiedroleassignmentschedulerequest-cancel.md) | |A principal that has activated their eligible role assignment deactivates it when they no longer need access | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
-|A principal deactivates, extends, or renews their role assignment. | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
+|A principal deactivates, extends, or renews their own role assignment. | [Create roleAssignmentScheduleRequests](../api/rbacapplication-post-roleassignmentschedulerequests.md) |
## PIM API for managing role eligibilities Your principals may not require permanent role assignments because they may not require the privileges granted through the privileged role all the time. In this case, PIM also allows you to create role eligibilities and assign them to the principals. With role eligibilities, the principal activates the role when they need to perform privileged tasks. The activation is always time-bound for a maximum of 8 hours. The role eligibility can also be a permanent eligibility or a temporary eligibility.
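Review bot: The edited row ends its scenario cell with a period ("their own role assignment.") while the other rows of the table have none; drop it for consistency. The row also overlaps the earlier row "A principal that has activated their eligible role assignment deactivates it", which points to the same Create roleAssignmentScheduleRequests API. Consider limiting this row to "extends or renews" so deactivation is listed once.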
-Use the [unifiedRoleEligibilityScheduleRequest](unifiedroleeligibilityschedulerequest.md) resource type and it's related methods to manage role eligibilities.
+Use the [unifiedRoleEligibilityScheduleRequest](unifiedroleeligibilityschedulerequest.md) resource type and its related methods to manage role eligibilities.
-The following table lists scenarios for using PIM to manage role eligibilities and the APIs to call:
+The following table lists scenarios for using PIM to manage role eligibilities and the APIs to call.
|Scenarios |API | |||
The following table lists scenarios for using PIM to manage role eligibilities a
|An administrator queries a role eligibility and its details | [Get unifiedRoleEligibilityScheduleRequest](../api/unifiedroleeligibilityschedulerequest-get.md) | |An administrator cancels a role eligibility request they created | [unifiedRoleEligibilityScheduleRequest: cancel](../api/unifiedroleeligibilityschedulerequest-cancel.md) | |A principal queries their role eligibilities and the details | [unifiedRoleEligibilityScheduleRequest: filterByCurrentUser](../api/unifiedroleeligibilityschedulerequest-filterbycurrentuser.md) |
-|A principal deactivates, extends, or renews their role eligibility. | [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) |
+|A principal deactivates, extends, or renews their own role eligibility. | [Create roleEligibilityScheduleRequests](../api/rbacapplication-post-roleeligibilityschedulerequests.md) |
## Role settings and PIM
-Each Azure AD role defines settings or rules. Such settings include whether multifactor authentication (MFA), justification, or approval is required to activate an eligible role. Or whether you can create permanent assignments or eligibilities for principals to the role. These role-specific settings will determine the settings you can apply while creating or managing role assignments and eligibilities through PIM. In Microsoft Graph, these role settings are managed through the [unifiedRoleManagementPolicy](unifiedrolemanagementpolicy.md) and the [unifiedRoleManagementPolicyAssignment](unifiedrolemanagementpolicyassignment.md) resource types and their related methods.
+Each Azure AD role defines settings or rules. Such settings include whether multifactor authentication (MFA), justification, or approval is required to activate an eligible role, or whether you can create permanent assignments or eligibilities for principals to the role. These role-specific settings will determine the settings you can apply while creating or managing role assignments and eligibilities through PIM. In Microsoft Graph, these role settings are managed through the [unifiedRoleManagementPolicy](unifiedrolemanagementpolicy.md) and the [unifiedRoleManagementPolicyAssignment](unifiedrolemanagementpolicyassignment.md) resource types and their related methods.
For example, assume that by default, a role doesn't allow permanent active assignments and defines a maximum of 15 days for active assignments. Attempting to create a [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) object without expiry date will return a `400 Bad Request` response code for violation of the expiration rule.
-The following table lists scenarios for using PIM to manage Azure AD role settings or rules and the APIs to call:
+The following table lists scenarios for using PIM to manage Azure AD role settings or rules and the APIs to call.
|Scenarios |API | ||| |Retrieve role management policies and associated rules or settings | [List unifiedRoleManagementPolicies](../api/policyroot-list-rolemanagementpolicies.md) |
-|Retrieve a role management policy and it's associated rules or settings | [Get unifiedRoleManagementPolicy](../api/unifiedrolemanagementpolicy-get.md) |
+|Retrieve a role management policy and its associated rules or settings | [Get unifiedRoleManagementPolicy](../api/unifiedrolemanagementpolicy-get.md) |
|Retrieve the rules or settings defined for role management policy | [List rules](../api/unifiedrolemanagementpolicy-list-rules.md) | |Retrieve a rule or settings defined for a role management policy | [Get unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-get.md) | |Update a rule or setting defined for a role management policy|[Update unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-get.md)|
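Review bot: While this table is being touched, the "Update a rule or setting" row links "Update unifiedRoleManagementPolicyRule" to `../api/unifiedrolemanagementpolicyrule-get.md`, the same target as the Get row directly above it. That looks like a copy-paste error; point it at the update method's page. The first rule-related row also reads "defined for role management policy" and is missing "a".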
For more information about permissions to call PIM APIs, see the [Microsoft Grap
The PIM API requires an Azure AD Premium P2 license. For more information, see [License requirements to use Privileged Identity Management](/azure/active-directory/privileged-identity-management/subscription-requirements).
-## Next Steps
-
-+ [unifiedRoleAssignmentScheduleRequest resource type](unifiedroleassignmentschedulerequest.md)
-+ [unifiedRoleEligibilityScheduleRequest resource type](unifiedroleeligibilityschedulerequest.md)
-+ You can also set up access reviews of role assignments and eligibilities that are managed through PIM. For more information, see [Tutorial: Use the Privileged Identity Management (PIM) API to assign Azure AD roles](/graph/tutorial-assign-azureadroles)
- ## See also + [What is Azure AD Privileged Identity Management?](/azure/active-directory/privileged-identity-management/pim-configure)
-+ [Tutorial: Use the Privileged Identity Management (PIM) API to assign Azure AD roles](/graph/tutorial-assign-azureadroles)
++ [Tutorial: Use the Privileged Identity Management (PIM) API to assign Azure AD roles](/graph/tutorial-assign-azureadroles)++ You can also set up access reviews of role assignments and eligibilities that are managed through PIM. For more information, see [Tutorial: Use the Privileged Identity Management (PIM) API to assign Azure AD roles](/graph/tutorial-assign-azureadroles).
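Review bot: The added See also line runs two bullets together ("...assign Azure AD roles](/graph/tutorial-assign-azureadroles)++ You can also set up access reviews..."), so the second item will not render as its own list entry; put it on a separate line. Both items also link to the same tutorial, `/graph/tutorial-assign-azureadroles`, and the second one promises information on access reviews while pointing at the role-assignment tutorial. Either link to the access reviews content or fold the sentence into the first bullet.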
v1.0 Requestschedule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/requestschedule.md
doc_type: resourcePageType
Namespace: microsoft.graph
-In PIM, use this resource to define the schedule for when the principal will have an eligible or active role assignment.
+In PIM when creating or updating a [unifiedRoleAssignmentScheduleRequest](unifiedroleassignmentschedulerequest.md) or [unifiedRoleEligibilityScheduleRequest](unifiedroleeligibilityschedulerequest.md) object, use this resource to define the schedule for when the principal will have an eligible or active role assignment. The settings allowed for this object are dependent on the [settings for the Azure AD role](../api/unifiedrolemanagementpolicy-list-rules.md).
## Properties |Property|Type|Description|
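Review bot: The new opening "In PIM when creating or updating a ..." needs a comma after "In PIM". The added sentence says the allowed settings depend on the role's settings but, unlike the matching expirationPattern change in this update, gives no example of what happens when a schedule violates them. A one-line example would make the constraint concrete for callers.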
v1.0 Unifiedrolemanagementpolicyrule https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/unifiedrolemanagementpolicyrule.md
Title: "unifiedRoleManagementPolicyRule resource type"
-description: "An abstract type that defines the rules associated with role management policies."
+description: "An abstract type that defines the rules or settings associated with role management policies."
ms.localizationpriority: medium ms.prod: "governance"
doc_type: resourcePageType
Namespace: microsoft.graph
-An abstract type that defines the rules associated with role management policies. This abstract type is inherited by the following resources that define the various types of rules and their settings associated with role management policies.
+An abstract type that defines the rules or settings associated with role management policies. This abstract type is inherited by the following resources that define the various types of rules and their settings associated with role management policies.
+ [unifiedRoleManagementPolicyApprovalRule](unifiedrolemanagementpolicyapprovalrule.md) + [unifiedRoleManagementPolicyAuthenticationContextRule](unifiedrolemanagementpolicyauthenticationcontextrule.md) + [unifiedRoleManagementPolicyEnablementRule](unifiedrolemanagementpolicyenablementrule.md)
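Review bot: The revised first sentence and description say "rules or settings", which treats the two words as synonyms, but the next sentence in the same paragraph still says "rules and their settings", which treats settings as something a rule contains. Pick one meaning and use it in both sentences so readers know whether a policy rule is a setting or holds settings.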
v1.0 User https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/user.md
This resource supports:
|aboutMe|String|A freeform text entry field for the user to describe themselves. Returned only on `$select`.| |accountEnabled|Boolean| `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, and `in`). | |ageGroup|[ageGroup](#agegroup-values)|Sets the age group of the user. Allowed values: `null`, `Minor`, `NotAdult` and `Adult`. Refer to the [legal age group property definitions](#legal-age-group-property-definitions) for further information. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, and `in`).|
-|assignedLicenses|[assignedLicense](assignedlicense.md) collection|The licenses that are assigned to the user, including inherited (group-based) licenses. Not nullable. Returned only on `$select`. Supports `$filter` (`eq` and `not`). |
+|assignedLicenses|[assignedLicense](assignedlicense.md) collection|The licenses that are assigned to the user, including inherited (group-based) licenses. Not nullable. Returned only on `$select`. Supports `$filter` (`eq`, `not`, and counting empty collections). |
|assignedPlans|[assignedPlan](assignedplan.md) collection|The plans that are assigned to the user. Read-only. Not nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq` and `not`). | |birthday|DateTimeOffset|The birthday of the user. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. <br><br>Returned only on `$select`.| |businessPhones|String collection|The telephone numbers for the user. NOTE: Although this is a string collection, only one number can be set for this property. Read-only for users synced from on-premises directory. <br><br>Returned by default. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`).|
This resource supports:
|onPremisesSecurityIdentifier|String|Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. Read-only. <br><br>Returned only on `$select`. Supports `$filter` (`eq` including on `null` values). | |onPremisesSyncEnabled|Boolean| `true` if this object is synced from an on-premises directory; `false` if this object was originally synced from an on-premises directory but is no longer synced; `null` if this object has never been synced from an on-premises directory (default). Read-only. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values).| |onPremisesUserPrincipalName|String| Contains the on-premises `userPrincipalName` synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. Read-only. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`).|
-|otherMails|String collection| A list of additional email addresses for the user; for example: `["bob@contoso.com", "Robert@fabrikam.com"]`. <br>NOTE: This property cannot contain accent characters. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `not`, `ge`, `le`, `in`, `startsWith`).|
+|otherMails|String collection| A list of additional email addresses for the user; for example: `["bob@contoso.com", "Robert@fabrikam.com"]`. <br>NOTE: This property cannot contain accent characters. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `not`, `ge`, `le`, `in`, `startsWith`, and counting empty collections).|
|passwordPolicies|String|Specifies password policies for the user. This value is an enumeration with one possible value being `DisableStrongPassword`, which allows weaker passwords than the default policy to be specified. `DisablePasswordExpiration` can also be specified. The two may be specified together; for example: `DisablePasswordExpiration, DisableStrongPassword`. <br><br>Returned only on `$select`. For more information on the default password policies, see [Azure AD pasword policies](/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts). Supports `$filter` (`ne`, `not`, and `eq` on `null` values).| |passwordProfile|[passwordProfile](passwordprofile.md)|Specifies the password profile for the user. The profile contains the userΓÇÖs password. This property is required when a user is created. The password in the profile must satisfy minimum requirements as specified by the **passwordPolicies** property. By default, a strong password is required. **NOTE:** For Azure B2C tenants, the **forceChangePasswordNextSignIn** property should be set to `false` and instead use custom policies and user flows to force password reset at first logon. See [Force password reset at first logon](https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-first-logon).<br><br>Returned only on `$select`. Supports `$filter` (`eq`, `ne`, `not`, `in`, and `eq` on `null` values).| |pastProjects|String collection|A list for the user to enumerate their past projects. <br><br>Returned only on `$select`.|
This resource supports:
|preferredLanguage|String|The preferred language for the user. Should follow ISO 639-1 Code; for example `en-US`. <br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`, `ge`, `le`, `in`, `startsWith`, and `eq` on `null` values)| |preferredName|String|The preferred name for the user. <br><br>Returned only on `$select`.| |provisionedPlans|[provisionedPlan](provisionedplan.md) collection|The plans that are provisioned for the user. Read-only. Not nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `not`, `ge`, `le`).|
-|proxyAddresses|String collection|For example: `["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]`. Changes to the **mail** property will also update this collection to include the value as an SMTP address. For more information, see [mail and proxyAddresses properties](#mail-and-proxyaddresses-properties). The proxy address prefixed with `SMTP` (capitalized) is the primary proxy address while those prefixed with `smtp` are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of ten unique addresses. Read-only in Microsoft Graph; you can update this property only through the [Microsoft 365 admin center](/exchange/recipients-in-exchange-online/manage-user-mailboxes/add-or-remove-email-addresses). Not nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`).|
+|proxyAddresses|String collection|For example: `["SMTP: bob@contoso.com", "smtp: bob@sales.contoso.com"]`. Changes to the **mail** property will also update this collection to include the value as an SMTP address. For more information, see [mail and proxyAddresses properties](#mail-and-proxyaddresses-properties). The proxy address prefixed with `SMTP` (capitalized) is the primary proxy address while those prefixed with `smtp` are the secondary proxy addresses. For Azure AD B2C accounts, this property has a limit of ten unique addresses. Read-only in Microsoft Graph; you can update this property only through the [Microsoft 365 admin center](/exchange/recipients-in-exchange-online/manage-user-mailboxes/add-or-remove-email-addresses). Not nullable. <br><br>Returned only on `$select`. Supports `$filter` (`eq`, `not`, `ge`, `le`, `startsWith`, `endsWith`, and counting empty collections).|
|refreshTokensValidFromDateTime|DateTimeOffset|Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid, and applications will get an error when using an invalid refresh or sessions token to acquire a delegated access token (to access APIs such as Microsoft Graph). If this happens, the application will need to acquire a new refresh token by making a request to the authorize endpoint. <br><br>Returned only on `$select`. Read-only. | |responsibilities|String collection|A list for the user to enumerate their responsibilities. <br><br>Returned only on `$select`.| |schools|String collection|A list for the user to enumerate the schools they have attended. <br><br>Returned only on `$select`.|
v1.0 Toc.Yml https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/toc.yml a/api-reference/v1.0/toc.yml
items:
- name: Delete href: api/unifiedroleassignment-delete.md - name: Privileged identity management
+ displayName: Privileged identity management, PIM
+ href: resources/privilegedidentitymanagementv3-overview.md
items:
- - name: Overview
- displayName: Privileged identity management, PIM
- href: resources/privilegedidentitymanagementv3-overview.md
- name: Role assignments items: - name: Schedule requests