Updates from: 07/08/2021 03:19:52
Service | Microsoft Docs article | Related commit history on GitHub | Change details
beta Rbacapplication List Roleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/rbacapplication-list-roleassignments.md
Namespace: microsoft.graph
Get a list of [unifiedRoleAssignment](../resources/unifiedroleassignment.md) objects for the provider.
+The following RBAC providers are currently supported:
+- directory (Azure AD)
+- entitlement management (Azure AD)
+ ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
-|Permission type | Permissions (from least to most privileged) |
-|:--|:|
-|Delegated (work or school account) | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All |
-|Delegated (personal Microsoft account) | Not supported. |
-|Application | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+Depending on the RBAC provider and the permission type (delegated or application) that is needed, choose from the following table the least privileged permission required to call this API. To learn more, including [taking caution](/graph/auth/auth-concepts#best-practices-for-requesting-permissions) before choosing more privileged permissions, search for the following permissions in [Permissions](/graph/permissions-reference).
+
+|Supported provider | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
+|:--|:|:|:|
+| Directory | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported.| RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+| Entitlement management | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All | Not supported. | Not supported. |
## HTTP request
+To list role assignments for a directory provider:
+ <!-- { "blockType": "ignored" } --> ```http
GET /roleManagement/directory/roleAssignments?$filter=principalId eq '{principal
GET /roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '{roleDefinition id}' ```
+To list role assignments for the entitlement management provider:
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /roleManagement/entitlementManagement/roleAssignments?$filter=principalId eq '{principal id}'
+
+GET /roleManagement/entitlementManagement/roleAssignments?$filter=roleDefinitionId eq '{roleDefinition id}'
+```
+ ## Query parameters This operation requires the `$filter` query parameter. You can filter on the `roleDefinitionId` or `principalId` properties. The `roleDefinitionId` property can be either a role object ID or a role template object ID. The `$expand` query parameter is also supported on **principal**. For general information, see [OData query parameters](/graph/query-parameters).
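Review bot: the delimiter row of the new permissions table, `|:--|:|:|:|`, has three cells with a colon and no dash; GFM requires at least one dash per delimiter cell, so unless the source actually reads `|:---|:---|:---|:---|` the table renders as plain text. The same row is used in the three other permission tables in this change. Two smaller points in the same table: the Directory row writes `Not supported.|` with no space before the pipe, unlike the Entitlement management row, and the unchanged "Query parameters" text states that `roleDefinitionId` may be a role template object ID; confirm that also holds for the entitlement management provider now that the page covers it, or scope that sentence to the directory provider.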
beta Rbacapplication List Roledefinitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/rbacapplication-list-roledefinitions.md
The following RBAC providers are currently supported:
- cloud PC - device management (Intune) - directory (Azure AD)
+- entitlement management (Azure AD)
[!INCLUDE [cloudpc-api-preview](../../includes/cloudpc-api-preview.md)]
Depending on the RBAC provider and the permission type (delegated or application
| Cloud PC | CloudPC.Read.All, CloudPC.ReadWrite.All | Not supported. | CloudPC.Read.All, CloudPC.ReadWrite.All | | Device management | DeviceManagementRBAC.Read.All, DeviceManagementRBAC.ReadWrite.All | Not supported. | DeviceManagementRBAC.Read.All, DeviceManagementRBAC.ReadWrite.All | | Directory | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported.| RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+| Entitlement management | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All | Not supported. | Not supported. |
## HTTP request
To list role definitions for a directory provider:
GET /roleManagement/directory/roleDefinitions ```
+To list role definitions for the entitlement management provider:
+<!-- { "blockType": "ignored" } -->
+```http
+GET /roleManagement/entitlementManagement/roleDefinitions
+```
+ ## Optional query parameters This method supports `$filter` query parameter on `id`, `displayName`, and `isBuiltIn` properties. For general information, see [OData query parameters](/graph/query-parameters).
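Review bot: the entitlement management request block here has no blank line between the intro sentence and the `<!-- { "blockType": "ignored" } -->` comment, whereas the equivalent block added to rbacapplication-list-roleassignments.md does; some Markdown renderers will fold the comment into the paragraph, so add the blank line for consistency. Also "This method supports `$filter` query parameter" is missing "the".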
Content-type: application/json
} ```
+### Example 3: List role definitions for the entitlement management provider
+
+#### Request
+
+The following is an example of the request.
+
+<!-- {
+ "blockType": "request",
+ "name": "get_roledefinitions_entitlementmanagement"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/beta/roleManagement/entitlementManagement/roleDefinitions
+```
+
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "name": "get_roledefinitions_entitlementmanagement",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleDefinition",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/entitlementManagement/roleDefinitions",
+ "value": [
+ {
+ "id": "ae79f266-94d4-4dab-b730-feca7e132178",
+ "displayName": "Catalog owner",
+ "description": "Catalog owner",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "templateId": "ae79f266-94d4-4dab-b730-feca7e132178",
+ "version": "1.0",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.entitlementManagement/allEntities/allTasks"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "44272f93-9762-48e8-af59-1b5351b1d6b3",
+ "displayName": "Catalog reader",
+ "description": "Catalog reader",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "templateId": "44272f93-9762-48e8-af59-1b5351b1d6b3",
+ "version": "1.0",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.entitlementManagement/allEntities/Read"
+ ]
+ }
+ ]
+ }
+ ]
+}
+```
+ <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98 2019-02-04 14:57:30 UTC -->
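Review bot: the action strings in the Example 3 response mix casing, `microsoft.entitlementManagement/allEntities/allTasks` next to `microsoft.entitlementManagement/allEntities/Read`, while Example 5 in unifiedroledefinition-get.md shows `microsoft.entitlementManagement/AccessPackageCatalog/Create`. If these are the literal values the service returns, fine, but please confirm against a real response, because readers copy these strings into `$filter` comparisons and policy checks where case matters. The truncation note also differs from Example 5's ("All the properties will be returned from an actual call."); pick one wording.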
beta Rbacapplication Post Roleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/rbacapplication-post-roleassignments.md
Create a new [unifiedRoleAssignment](../resources/unifiedroleassignment.md) obje
## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+Depending on the RBAC provider and the permission type (delegated or application) that is needed, choose from the following table the least privileged permission required to call this API. To learn more, including [taking caution](/graph/auth/auth-concepts#best-practices-for-requesting-permissions) before choosing more privileged permissions, search for the following permissions in [Permissions](/graph/permissions-reference).
-| Permission type | Permissions (from least to most privileged) |
-|:|:--|
-| Delegated (work or school account) | RoleManagement.ReadWrite.Directory |
-| Delegated (personal Microsoft account) | Not supported. |
-| Application | RoleManagement.ReadWrite.Directory |
+|Supported provider | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
+|:--|:|:|:|
+| Directory | RoleManagement.ReadWrite.Directory | Not supported.| RoleManagement.ReadWrite.Directory |
+| Entitlement management | EntitlementManagement.ReadWrite.All | Not supported. | Not supported. |
## HTTP request
+Create a role assignment for the directory provider:
+ <!-- { "blockType": "ignored" } --> ```http POST /roleManagement/directory/roleAssignments ```
+Create a role assignment for the entitlement management provider:
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /roleManagement/entitlementManagement/roleAssignments
+```
++ ## Request headers | Name | Description |
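Review bot: the intro line "Create a role assignment for the directory provider:" uses "the" where the list, get and delete pages in this change say "a directory provider"; align the wording. Also, the permissions sentence "choose ... the least privileged permission" reads oddly here because each row lists exactly one permission; stating plainly that RoleManagement.ReadWrite.Directory (directory) or EntitlementManagement.ReadWrite.All (entitlement management) is required would be clearer for a write operation that grants privilege.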
beta Unifiedroleassignment Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/unifiedroleassignment-delete.md
Delete a [unifiedRoleAssignment](../resources/unifiedRoleAssignment.md) object.
## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+Depending on the RBAC provider and the permission type (delegated or application) that is needed, choose from the following table the least privileged permission required to call this API. To learn more, including [taking caution](/graph/auth/auth-concepts#best-practices-for-requesting-permissions) before choosing more privileged permissions, search for the following permissions in [Permissions](/graph/permissions-reference).
-| Permission type | Permissions (from least to most privileged) |
-|:|:--|
-| Delegated (work or school account) | RoleManagement.ReadWrite.Directory |
-| Delegated (personal Microsoft account) | Not supported. |
-| Application | RoleManagement.ReadWrite.Directory |
+|Supported provider | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
+|:--|:|:|:|
+| Directory | RoleManagement.ReadWrite.Directory | Not supported.| RoleManagement.ReadWrite.Directory |
+| Entitlement management | EntitlementManagement.ReadWrite.All | Not supported. | Not supported. |
## HTTP request
+Remove a role assignment from a directory provider:
+ <!-- { "blockType": "ignored" } --> ```http DELETE /roleManagement/directory/roleAssignments/{id} ```
+Remove a role assignment from the entitlement management provider:
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+DELETE /roleManagement/entitlementManagement/roleAssignments/{id}
+```
++ ## Request headers | Name | Description |
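Review bot: the unchanged summary line links `../resources/unifiedRoleAssignment.md` in camel case, while rbacapplication-list-roleassignments.md and rbacapplication-post-roleassignments.md link `../resources/unifiedroleassignment.md`; on a case-sensitive build the mixed-case link breaks. Worth normalizing while this page is being edited.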
beta Unifiedroleassignment Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/unifiedroleassignment-get.md
Retrieve the properties and relationships of a [unifiedRoleAssignment](../resour
## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+Depending on the RBAC provider and the permission type (delegated or application) that is needed, choose from the following table the least privileged permission required to call this API. To learn more, including [taking caution](/graph/auth/auth-concepts#best-practices-for-requesting-permissions) before choosing more privileged permissions, search for the following permissions in [Permissions](/graph/permissions-reference).
-|Permission type | Permissions (from least to most privileged) |
-|:--|:|
-|Delegated (work or school account) | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All |
-|Delegated (personal Microsoft account) | Not supported. |
-|Application | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+|Supported provider | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
+|:--|:|:|:|
+| Directory | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported.| RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+| Entitlement management | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All | Not supported. | Not supported. |
## HTTP request
+Get a role assignment for a directory provider:
+ <!-- { "blockType": "ignored" } --> ```http GET /roleManagement/directory/roleAssignments/{id} ```
+Get a role assignment for the entitlement management provider:
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /roleManagement/entitlementManagement/roleAssignments/{id}
+```
+ ## Optional query parameters This method supports OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
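Review bot: "This method supports OData query parameters to help customize the response" is vaguer than the list page in this change, which names `$filter` on `roleDefinitionId`/`principalId` and `$expand` on **principal**. Now that the page covers two providers, say which parameters the single-object get accepts and whether that is the same for both providers.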
beta Unifiedroledefinition Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/unifiedroledefinition-get.md
Get the properties and relationships of a [unifiedRoleDefinition](../resources/u
The following RBAC providers are currently supported: - cloud PC - device management (Intune)-- directory (Azure AD)
+- directory (Azure AD directory roles)
+- entitlement management (Azure AD entitlement management)
[!INCLUDE [cloudpc-api-preview](../../includes/cloudpc-api-preview.md)]
Depending on the RBAC provider and the permission type (delegated or application
| Cloud PC | CloudPC.Read.All, CloudPC.ReadWrite.All | Not supported. | CloudPC.Read.All, CloudPC.ReadWrite.All | | Device management | DeviceManagementRBAC.Read.All, DeviceManagementRBAC.ReadWrite.All | Not supported. | DeviceManagementRBAC.Read.All, DeviceManagementRBAC.ReadWrite.All | | Directory | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All | Not supported.| RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+| Entitlement management | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All | Not supported. | Not supported. |
## HTTP request
Get a role definition for a directory provider:
GET /roleManagement/directory/roleDefinitions/{id} ```
+Get a role definition for the entitlement management provider:
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /roleManagement/entitlementManagement/roleDefinitions/{id}
+```
+ ## Optional query parameters This method supports OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
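Review bot: as rendered, the provider list carries both the old "- directory (Azure AD)" text and the added "- directory (Azure AD directory roles)"; the `--` before the old bullet suggests it is removed in the source, but please confirm so the page does not list directory twice. The new "Get a role definition for the entitlement management provider:" block also omits the blank line after the intro line that the other request blocks in this change have.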
Content-type: application/json
} ```
+## Example 5: Get the definition of a built-in role for the entitlement management provider
+
+#### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "get_built-in_entitlementmanagement_role_unifiedroledefinition"
+}-->
+
+```http
+GET https://graph.microsoft.com/beta/roleManagement/entitlementManagement/roleDefinitions/ba92d953-d8e0-4e39-a797-0cbedb0a89e8
+```
++
+#### Response
+> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleDefinition"
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/entitlementManagement/roleDefinitions/$entity",
+ "id": "ba92d953-d8e0-4e39-a797-0cbedb0a89e8",
+ "displayName": "Catalog creator",
+ "description": "Catalog creator",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "templateId": "ba92d953-d8e0-4e39-a797-0cbedb0a89e8",
+ "version": "1.0",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.entitlementManagement/AccessPackageCatalog/Create"
+ ]
+ }
+ ]
+}
+```
++ <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98 2019-02-04 14:57:30 UTC --> <!-- {
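Review bot: Example 5 uses a level-2 heading (`## Example 5`) while Example 3 in rbacapplication-list-roledefinitions.md uses level-3 (`### Example 3`), and its response metadata comment has no `"name"` key to pair it with the `get_built-in_entitlementmanagement_role_unifiedroledefinition` request, unlike the other response blocks in this change. There is also a stray line containing only `+` between the request fence and the "Response" heading.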
beta Entitlementmanagement Root https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/entitlementmanagement-root.md
The entitlement management resource types include:
- [entitlementManagementSettings](entitlementmanagementsettings.md): Tenant-wide settings for Azure AD entitlement management. - [approval](approval.md): represents the decisions associated with an access package request.
+In addition, role assignments for entitlement management-specific roles can be managed through entitlement management [role definitions](unifiedroledefinition.md).
+ For a tutorial that shows you how to use entitlement management to create a package of resources that internal users can self-service request, see [Create an access package using Microsoft Graph APIs](/graph/tutorial-access-package-api). Note that the entitlement management feature, including the API, is included in Azure AD Premium P2. The tenant where entitlement management is being used must have a valid purchased or trial Azure AD Premium P2 or EMS E5 subscription.
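Review bot: the added sentence says role assignments "can be managed through entitlement management role definitions" but links only unifiedroledefinition.md; the assignment operations added in this change live under `/roleManagement/entitlementManagement/roleAssignments` (unifiedRoleAssignment), so link that resource or rbacApplication as well so readers find the create, get, list and delete calls.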
beta Rbacapplication https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/rbacapplication.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Role management container for unified role definitions and role assignments for Microsoft 365 RBAC providers. Currently "directory" is the only RBAC application supported.
+Role management container for unified role definitions and role assignments for Microsoft 365 RBAC providers. Currently directory and entitlement management are the only RBAC applications supported.
## Methods
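Review bot: "Currently directory and entitlement management are the only RBAC applications supported" is accurate for rbacApplication, but rolemanagement.md in this same change lists cloud PC and device management as providers too (exposed through rbacApplicationMultiple); a short clause noting that distinction would avoid an apparent contradiction between the two pages.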
beta Rolemanagement https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/rolemanagement.md
Represents a Microsoft 365 RBAC role management entity that provides access to r
The unified role management API currently supports the following RBAC providers in Microsoft 365: - cloud PC - device management (Intune)-- directory (Azure AD)
+- directory (Azure AD directory roles)
+- entitlement management (Azure AD entitlement management)
For more information, see: * [Roles in Microsoft 365, including Azure AD, service-specific and cross-service roles](/azure/active-directory/roles/concept-understand-roles#how-azure-ad-roles-are-different-from-other-microsoft-365-roles) * [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles).
+* [Delegation and roles in Azure AD entitlement management](/azure/active-directory/governance/entitlement-management-delegate).
* [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control) [!INCLUDE [cloudpc-api-preview](../../includes/cloudpc-api-preview.md)]
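Review bot: the provider wording differs across files in this change: this page and unifiedroledefinition-get.md say "entitlement management (Azure AD entitlement management)", while rbacapplication-list-roleassignments.md, rbacapplication-list-roledefinitions.md and unifiedroledefinition.md say "entitlement management (Azure AD)". Pick one form. The new link bullet ends with a period but the following Intune bullet does not.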
None.
|cloudPC|[rbacApplicationMultiple](rbacapplicationmultiple.md)|Provides access to role definitions and role assignments of a cloud PC RBAC provider. Read-only. Nullable.| |deviceManagement|[rbacApplicationMultiple](rbacapplicationmultiple.md)| Provides access to role definitions and role assignments of an Intune RBAC provider. Read-only. Nullable.| |directory|[rbacApplication](rbacapplication.md)|Provides access to role definitions and role assignments of an Azure AD RBAC provider. Read-only. Nullable.|-
+|entitlementManagement|[rbacApplication](rbacapplication.md)| Provides access to role definitions and role assignments of Azure AD entitlement management. Read-only. Nullable.|
## JSON representation
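Review bot: the new `entitlementManagement` row's description, "of Azure AD entitlement management", departs from the pattern of the other rows ("of a cloud PC RBAC provider", "of an Azure AD RBAC provider"); "of the Azure AD entitlement management RBAC provider" would keep the table consistent.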
beta Unifiedroledefinition https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/unifiedroledefinition.md
The following RBAC providers are currently supported:
- cloud PC - device management (Intune) - directory (Azure AD)
+- entitlement management (Azure AD)
> [!NOTE]
-> The cloud PC RBAC provider currently supports only the [list](../api/rbacapplication-list-roledefinitions.md) and [get](../api/unifiedroledefinition-get.md) operations.
+> The cloud PC and entitlement management RBAC providers currently support only the [list](../api/rbacapplication-list-roledefinitions.md) and [get](../api/unifiedroledefinition-get.md) operations.
[!INCLUDE [cloudpc-api-preview](../../includes/cloudpc-api-preview.md)]
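Review bot: the updated note is correct for role definitions, where this change adds only list and get for the entitlement management provider, but role assignments for that provider do gain create and delete in the same change; qualify the note with "role definition operations" so it is not read as applying to assignments.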
beta Unifiedrolepermission https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/unifiedrolepermission.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Represents a collection of allowed resource actions and the conditions that must be met for the action to be effective. Resource actions are tasks that can be perfomed on a resource. For example, the application resource supports create, update, delete, and reset password resource actions.
+Represents a collection of allowed resource actions and the conditions that must be met for the action to be effective. Resource actions are tasks that can be performed on a resource. For example, the application resource supports create, update, delete, and reset password resource actions.
## Properties