+> [!CAUTION]

+>

+> Assigning the `presenter` or `coorganizer` role to users who are not registered in Azure Active Directory is not currently supported. For details, see [Known issues](/graph/concepts/known-issues.md#presenter-role-assigned-to-non-aad-users) for more details.

+### Request

+The following is an example of a request.

+### Response

+The following is an example of the response.

+ {

+ "name": "NewUnifiedGroupWritebackDefault",

+ "value": "false"

+ },

+ {

+ "name": "NewUnifiedGroupWritebackDefault",

+ "value": "false"

+ },

+Get the details of all role management policy assignments including the policies and rules associated with the Azure AD roles.

+This method requires the `$filter` (`eq`) query parameter to scope the request to a **scopeId** and a **scopeType**. You can also filter by the **roleDefinitionId** or use the `$select` and `$expand` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).

+Get the details of a role management policy assignment including the policy and rules associated with the Azure AD role.

+This method supports the `$select` and `$expand` OData query parameters to help customize the response. You can also specify the wildcard value `*` to expand all supported relationships, that is, `?$expand=*`. For general information, see [OData query parameters](/graph/query-parameters).

+| writebackConfiguration | [groupWritebackConfiguration](groupwritebackconfiguration.md) | Specifies whether or not a group is configured to write back group object properties to on-premise Active Directory. These properties are used when group writeback is configured in the [Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-group-writeback-v2) sync client.| |

+ Title: "groupWritebackConfiguration resource type"

+description: "Indicates whether writeback of cloud groups to on-premise Active Directory is enabled and the target group type for the on-premise group."

+ms.localizationpriority: medium

+# groupWritebackConfiguration resource type

+Namespace: microsoft.graph

+Indicates whether writeback of cloud groups to on-premise Active Directory is enabled and the target group type for the on-premise group.

+ By default, all Azure AD security groups are not writeback enabled. For Microsoft 365 groups, the default settings that are defined by the properties of this resource can be overwritten by the `NewUnifiedgroupWritebackDefault` [directory setting object](directorysetting.md).

+Inherits from [writebackConfiguration](../resources/writebackconfiguration.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|isEnabled|Boolean|Indicates whether writeback of cloud groups to on-premise Active Directory is enabled. Nullable. Default value is `true` for Microsoft 365 groups and `false` for security groups. Inherited from [writebackConfiguration](../resources/writebackconfiguration.md).|

+|onPremisesGroupType|String|Indicates the target on-premise group type the cloud object will be written back as. Nullable. The possible values are: `universalDistributionGroup`, `universalSecurityGroup`, `universalMailEnabledSecurityGroup`. <br>+ If the cloud group is a unified (Microsoft 365) group, this property can be one of the following: `universalDistributionGroup`, `universalSecurityGroup`, `universalMailEnabledSecurityGroup`. <br> + Azure AD security groups can be written back as `universalSecurityGroup`. <br> + If **isEnabled** or the `NewUnifiedGroupWritebackDefault` [group setting](directorysetting.md) is `true` but this property is not explicitly configured: <br> &nbsp; &nbsp; + Microsoft 365 groups will be written back as `universalDistributionGroup` by default <br> &nbsp; &nbsp; + Security groups will be written back as `universalSecurityGroup` by default|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.groupWritebackConfiguration"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.groupWritebackConfiguration",

+ "isEnabled": "Boolean",

+ "onPremisesGroupType": "String"

+}

+```

+>The Privileged Identity Management (PIM) API for **Azure AD roles** is deprecated and stopped returning data on May 31, 2021. Use the [role management API for privileged identity management](/graph/api/resources/privilegedidentitymanagementv3-overview) and see the [migration guidance below](#migrate-from-pim-v2-to-pim-v3-apis).

+Represents a schedule for a role eligibility in your tenant and is used to instantiate a [unifiedRoleEligibilityScheduleInstance](unifiedroleeligibilityscheduleinstance.md).

+|[List unifiedRoleEligibilitySchedules](../api/rbacapplication-list-roleeligibilityschedules.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) collection|Get the schedules for role eligibility operations.|

+|[Get unifiedRoleEligibilitySchedule](../api/unifiedroleeligibilityschedule-get.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md)|Retrieve the schedule for a role eligibility operation.|

+|[filterByCurrentUser](../api/unifiedroleeligibilityschedule-filterbycurrentuser.md)|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md) collection|Retrieve the schedules for role eligibilities for which the signed-in user is the principal.|

+|appScopeId|String|Identifier of the app-specific scope when the assignment scope is app-specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|

+|createdUsing|String|Identifier of the roleEligibilityScheduleRequest that created this schedule. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|

+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|

+|id|String|The unique identifier for the unifiedRoleEligibilitySchedule. Key, not nullable, Read-only. Inherited from [unifiedRoleScheduleBase](../resources/unifiedroleschedulebase.md). Supports `$filter` (`eq`).|

+|memberType|String|Membership type of the eligible assignment. It can either be `Inherited`, `Direct`, or `Group`. Supports `$filter` (`eq`).|

+Represents the instance for a role eligibility in your tenant.

+|[List unifiedRoleEligibilityScheduleInstances](../api/rbacapplication-list-roleeligibilityscheduleinstances.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) collection|GGet the instances of role eligibilities.|

+|[Get unifiedRoleEligibilityScheduleInstance](../api/unifiedroleeligibilityscheduleinstance-get.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md)|Get the instance of a role eligibility.|

+|[filterByCurrentUser](../api/unifiedroleeligibilityscheduleinstance-filterbycurrentuser.md)|[unifiedRoleEligibilityScheduleInstance](../resources/unifiedroleeligibilityscheduleinstance.md) collection|Get the instances of eligible roles for the calling principal.|

+|appScopeId|String|Identifier of the app-specific scope when the assignment scope is app-specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|

+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$filter` (`eq`, `ne`, and on `null` values).|

+|appScope|[appScope](../resources/appscope.md)|Read-only property with details of the app specific scope when the assignment scope is app specific. Containment entity. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$expand`.|

+|directoryScope|[directoryObject](../resources/directoryobject.md)|Property referencing the directory object that is the scope of the assignment. Provided so that callers can get the directory object using `$expand` at the same time as getting the eligible role assignments. Read-only. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$expand`.|

+|principal|[directoryObject](../resources/directoryobject.md)|Property referencing the principal that is getting an eligible role assignment through the request. Provided so that callers can get the principal using `$expand` at the same time as getting the eligible role assignments. Read-only. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$expand`.|

+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Property indicating the roleDefinition the assignment is for. Provided so that callers can get the role definition using `$expand` at the same time as getting the eligible role assignments. roleDefinition.Id will be auto expanded. Inherited from [unifiedRoleScheduleInstanceBase](../resources/unifiedrolescheduleinstancebase.md). Supports `$expand`.|

+Represents a request for a role eligibility for a principal through PIM. The role eligibility can be permanently eligible without an expiry date or temporarily eligible with an expiry date. Inherits from [request](../resources/request.md).

+For more information about PIM scenarios you can define through the **unifiedRoleEligibilityScheduleRequest** resource type, see [Overview of role management through the privileged identity management (PIM) API](privilegedidentitymanagementv3-overview.md).

+|[List unifiedRoleEligibilityScheduleRequests](../api/rbacapplication-list-roleeligibilityschedulerequests.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) collection|Retrieve the requests for role eligibilities for principals made through the unifiedRoleEligibilityScheduleRequest object.|

+|[Create unifiedRoleEligibilityScheduleRequest](../api/rbacapplication-post-roleeligibilityschedulerequests.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md)|Request for a role eligibility for a principal through the unifiedRoleEligibilityScheduleRequest object.|

+|[Get unifiedRoleEligibilityScheduleRequest](../api/unifiedroleeligibilityschedulerequest-get.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md)|Read the details of a request for a role eligibility request made through the unifiedRoleEligibilityScheduleRequest object.|

+|[filterByCurrentUser](../api/unifiedroleeligibilityschedulerequest-filterbycurrentuser.md)|[unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) collection|In PIM, retrieve the requests for role eligibilities for a particular principal. The principal can be the creator or approver of the unifiedRoleEligibilityScheduleRequest object, or they can be the target of the role eligibility.|

+|[cancel](../api/unifiedroleeligibilityschedulerequest-cancel.md)|None|Immediately cancel a **unifiedRoleEligibilityScheduleRequest** object whose status is `Granted` and have the system automatically delete the canceled request after 30 days.|

+|action|String|Represents the type of operation on the role eligibility request. The possible values are: <br/><ul><li>`AdminAssign`: For administrators to assign eligible roles to principals.</li><li>`AdminRemove`: For administrators to remove eligible roles from principals.</li><li> `AdminUpdate`: For administrators to change existing role eligibilities.</li><li>`AdminExtend`: For administrators to extend expiring role eligibilities.</li><li>`AdminRenew`: For administrators to renew expired eligibilities.</li><li>`UserAdd`: For users to activate their eligible assignments.</li><li>`UserRemove`: For users to deactivate their active eligible assignments.</li><li>`UserExtend`: For users to request to extend their expiring eligible assignments.</li><li>`UserRenew`: For users to request to renew their expired eligible assignments.</li></ul>|

+|approvalId|String|The identifier of the approval of the request. Inherited from [request](../resources/request.md).|

+|appScopeId|String|Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Supports `$filter` (`eq`, `ne`, and on `null` values).|

+|completedDateTime|DateTimeOffset|The request completion date time. Inherited from [request](../resources/request.md).|

+|createdBy|[identitySet](../resources/identityset.md)|The principal that created this request. Inherited from [request](../resources/request.md).|

+|createdDateTime|DateTimeOffset|The request creation date time. Inherited from [request](../resources/request.md).|

+|customData|String|Free text field to define any custom data for the request. Not used. Inherited from [request](../resources/request.md).|

+|directoryScopeId|String|Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Supports `$filter` (`eq`, `ne`, and on `null` values).|

+|id|String|The unique identifier for the **unifiedRoleEligibilityScheduleRequest** object. Key, not nullable, Read-only. Inherited from [entity](../resources/entity.md).|

+|isValidationOnly|Boolean|Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.|

+|justification|String|A message provided by users and administrators when create they create the **unifiedRoleEligibilityScheduleRequest** object.|

+|principalId|String|Identifier of the principal that has been granted the role eligibility. Supports `$filter` (`eq`, `ne`).|

+|roleDefinitionId|String|Identifier of the [unifiedRoleDefinition](unifiedroledefinition.md) object that is being assigned to the principal. Supports `$filter` (`eq`, `ne`).|

+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The period of the role eligibility. Recurring schedules are currently unsupported.|

+|status|String|The status of the role eligibility request. Inherited from [request](../resources/request.md). Read-only. Supports `$filter` (`eq`, `ne`).|

+|targetScheduleId|String|Identifier of the schedule object that's linked to the eligibility request. Supports `$filter` (`eq`, `ne`).|

+|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|Ticket details linked to the role eligibility request including details of the ticket number and ticket system. Optional.|

+|appScope|[appScope](../resources/appscope.md)|Read-only property with details of the app-specific scope when the role eligibility is scoped to an app. Nullable. Supports `$expand`.|

+|directoryScope|[directoryObject](../resources/directoryobject.md)|The directory object that is the scope of the role eligibility. Read-only. Supports `$expand`.|

+|principal|[directoryObject](../resources/directoryobject.md)|The principal that's getting a role eligibility through the request. Supports `$expand`.|

+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Detailed information for the [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object that is referenced through the **roleDefinitionId** property. Supports `$expand`.|

+|targetSchedule|[unifiedRoleEligibilitySchedule](../resources/unifiedroleeligibilityschedule.md)|The schedule for a role eligibility that is referenced through the **targetScheduleId** property. Supports `$expand`.|

+|[Update unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-update.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md)|Update a rule defined for a role management policy.|

+Namespace: microsoft.graph

+The assignment of a role management policy to a [role definition](../resources/unifiedroledefinition.md) object.

+Inherits from [entity](../resources/entity.md).

+|[List unifiedRoleManagementPolicyAssignments](../api/policyroot-list-rolemanagementpolicyassignments.md)|[unifiedRoleManagementPolicyAssignment](../resources/unifiedrolemanagementpolicyassignment.md) collection|Get the details of all role management policy assignments including the policies and rules associated with the Azure AD role.|

+|id|String|Unique identifier for the policy assignment. The ID is typically a concatenation of the unifiedRoleManagementPolicy ID and the roleDefinitionId separated by an underscore.|

+|policyId|String|The id of the policy. Inherited from [entity](../resources/entity.md).|

+|roleDefinitionId|String|The identifier of the [role definition](unifiedroledefinition.md) object where the policy applies. If not specified, the policy applies to all roles. Supports $filter (`eq`).|

+|scopeId|String|The identifier of the scope where the policy is assigned. Can be `/` for the tenant or a group ID. Required.|

+|scopeType|String|The type of the scope where the policy is assigned. One of `Directory`, `DirectoryRole`. Required.|

+|policy|[unifiedRoleManagementPolicy](../resources/unifiedrolemanagementpolicy.md)|The policy that's associated with a policy assignment. Supports $expand and a nested $expand of the rules and effectiveRules relationships for the policy.|

+ Title: "writebackConfiguration resource type"

+description: "Represents a writeback state on Azure AD cloud groups (Microsoft 365 and security groups)."

+ms.localizationpriority: medium

+# writebackConfiguration resource type

+Namespace: microsoft.graph

+Represents a writeback state on Azure AD cloud groups (Microsoft 365 and security groups).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|isEnabled|Boolean|Indicates whether writeback of cloud groups to on-premise Active Directory is enabled. Default value is `true` for Microsoft 365 groups and `false` for security groups.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.writebackConfiguration"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.writebackConfiguration",

+ "isEnabled": "Boolean"

+}

+```

+> [!CAUTION]

+>

+> Assigning the `presenter` or `coorganizer` role to users who are not registered in Azure Active Directory is not currently supported. For details, see [Known issues](/graph/concepts/known-issues.md#presenter-role-assigned-to-non-aad-users) for more details.

+### Request

+The following is an example of a request.

+### Response

+The following is an example of the response.

+|appScope|[appScope](../resources/appscope.md)|Read-only property with details of the app-specific scope when the role eligibility is scoped to an app. Nullable. Supports `$expand`.|

+|roleDefinition|[unifiedRoleDefinition](../resources/unifiedroledefinition.md)|Detailed information for the [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object that is referenced through the **roleDefinitionId** property. Supports `$expand`.|

+|[Update unifiedRoleManagementPolicyRule](../api/unifiedrolemanagementpolicyrule-update.md)|[unifiedRoleManagementPolicyRule](../resources/unifiedrolemanagementpolicyrule.md)|Update a rule defined for a role management policy.|