Updates from: 09/04/2021 03:13:07
Service Microsoft Docs article Related commit history on GitHub Change details
v1.0 Application Addkey https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/application-addkey.md
In the request body, provide the following required properties.
|:|:--|:-| | keyCredential | [keyCredential](../resources/keycredential.md) | The new application key credential to add. The __type__, __usage__ and __key__ are required properties for this usage. Supported key types are:<br><ul><li>`AsymmetricX509Cert`: The usage must be `Verify`.</li><li>`X509CertAndPassword`: The usage must be `Sign`</li></ul>| | passwordCredential | [passwordCredential](../resources/passwordcredential.md) | Only __secretText__ is required to be set which should contain the password for the key. This property is required only for keys of type `X509CertAndPassword`. Set it to `null` otherwise.|
-| proof | String | A self-signed JWT token used as a proof of possession of the existing keys. This JWT token must be signed using the private key of one of the application's existing valid certificates. The token should contain the following claims:<ul><li>`aud` - Audience needs to be `00000002-0000-0000-c000-000000000000`.</li><li>`iss` - Issuer needs to be the __id__ of the application that is making the call.</li><li>`nbf` - Not before time.</li><li>`exp` - Expiration time should be "nbf" + 10 mins.</li></ul><br>Here is a code [sample](/graph/application-rollkey-prooftoken) that can be used to generate this proof of possession token.|
+| proof | String | A self-signed JWT token used as a proof of possession of the existing keys. This JWT token must be signed using the private key of one of the application's existing valid certificates. The token should contain the following claims:<ul><li>`aud` - Audience needs to be `00000002-0000-0000-c000-000000000000`.</li><li>`iss` - Issuer needs to be the __id__ of the application that is making the call.</li><li>`nbf` - Not before time.</li><li>`exp` - Expiration time should be `nbf` + 10 mins.</li></ul><br>For steps to generate this proof of possession token, see [Generating proof of possession tokens for rolling keys](/graph/application-rollkey-prooftoken).|
## Response
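Review bot: In the edited `proof` row, `exp` is described as "Expiration time should be `nbf` + 10 mins", which reads as an exact value rather than a limit. State whether 10 minutes is the maximum lifetime the service accepts and whether a shorter window is valid, since anyone generating this proof-of-possession token needs to know how tightly they can scope it. In the unchanged `keyCredential` row, the `X509CertAndPassword` bullet is also missing its closing period.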
v1.0 Application Removekey https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/application-removekey.md
In the request body, provide the following required properties.
| Property | Type | Description| |:-|:--|:--| | keyId | GUID | The unique identifier for the password.|
-| proof | String | A self-signed JWT token used as a proof of possession of the existing keys. This JWT token must be signed using the private key of one of the application's existing valid certificates. The token should contain the following claims:<ul><li>`aud` - Audience needs to be `00000002-0000-0000-c000-000000000000`.</li><li>`iss` - Issuer needs to be the __id__ of the application that is making the call.</li><li>`nbf` - Not before time.</li><li>`exp` - Expiration time should be "nbf" + 10 mins.</li></ul><br>Here is a code [sample](/graph/application-rollkey-prooftoken) that can be used to generate this proof of possession token.|
+| proof | String | A self-signed JWT token used as a proof of possession of the existing keys. This JWT token must be signed using the private key of one of the application's existing valid certificates. The token should contain the following claims:<ul><li>`aud` - Audience needs to be `00000002-0000-0000-c000-000000000000`.</li><li>`iss` - Issuer needs to be the __id__ of the application that is making the call.</li><li>`nbf` - Not before time.</li><li>`exp` - Expiration time should be `nbf` + 10 mins.</li></ul><br>For steps to generate this proof of possession token, see [Generating proof of possession tokens for rolling keys](/graph/application-rollkey-prooftoken).|
## Response
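Review bot: The unchanged `keyId` row directly above the edited `proof` row describes the value as "The unique identifier for the password", but this is the removeKey page and the `proof` text refers to the application's certificates. Reword the description to name the key credential being removed so it is not read as a passwordCredential identifier.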
v1.0 Conditionalaccessroot Post Namedlocations https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/conditionalaccessroot-post-namedlocations.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Create a new [namedLocation](../resources/namedlocation.md) object.
+Create a new [namedLocation](../resources/namedlocation.md) object. Named locations can be either [ipNamedLocation](../resources/ipnamedlocation.md) or [countryNamedLocation](../resources/countrynamedlocation.md) objects.
## Permissions
POST /identity/conditionalAccess/namedLocations
## Request body
-In the request body, supply a JSON representation of an [ipNamedLocation](../resources/ipnamedlocation.md) or [countryNamedLocation](../resources/countrynamedlocation.md) object.
+In the request body, supply a JSON representation of an [ipNamedLocation](../resources/ipnamedlocation.md) or [countryNamedLocation](../resources/countrynamedlocation.md) object. You must specify the **@odata.type** of the derived type, that is, `#microsoft.graph.ipNamedLocation` for an [ipNamedLocation](../resources/ipnamedlocation.md) object or `#microsoft.graph.countryNamedLocation` for a [countryNamedLocation](../resources/countrynamedlocation.md) object.
+The following table lists the properties that are required to create an [ipNamedLocation](../resources/ipnamedlocation.md) object.
+
+| Property | Type | Description |
+|:-|:|:|
+|displayName|String|Human-readable name of the location. Required.|
+|ipRanges|[ipRange](../resources/iprange.md) collection|List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596. Required. The **@odata.type** of the ipRange is also required.|
+
+The following table lists the properties that are required to create an [countryNamedLocation](../resources/countrynamedlocation.md) object.
+
+| Property | Type | Description |
+|:-|:|:|
+|countriesAndRegions|String collection|List of countries and/or regions in two-letter format specified by ISO 3166-2. Required.|
+|displayName|String|Human-readable name of the location. Required.|
## Response If successful, this method returns a `201 Created`response code and a new [ipNamedLocation](../resources/ipnamedlocation.md) or [countryNamedLocation](../resources/countrynamedlocation.md) object in the response body.
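Review bot: The new `countriesAndRegions` row cites ISO 3166-2 for the two-letter format, but two-letter country codes are defined by ISO 3166-1 alpha-2; ISO 3166-2 covers subdivision codes. In the `ipRanges` row, "IETF RFC596" looks like a truncated RFC number, so confirm the intended reference before it is copied into allow-list tooling. The sentence introducing the second table should also read "a [countryNamedLocation]" rather than "an".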
v1.0 Countrynamedlocation Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/countrynamedlocation-update.md
PATCH /identity/conditionalAccess/namedLocations/{id}
In the request body, supply the values for relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.
+You must specify the **@odata.type** as `#microsoft.graph.countryNamedLocation`.
+ | Property | Type | Description | |:-|:|:| |countriesAndRegions|String collection|List of countries and/or regions in two-letter format specified by ISO 3166-2.|
v1.0 Domain Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-delete.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.AccessAsUser.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
v1.0 Domain Forcedelete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-forcedelete.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.AccessAsUser.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
v1.0 Domain Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-get.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
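Review bot: The new delegated row lists `Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All` under a column headed "from least to most privileged", which places a read-write scope ahead of a read-only one. Confirm the intended ordering, and consider stating that `Domain.Read.All` is sufficient for this read operation so integrators do not request `Domain.ReadWrite.All` by default.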
v1.0 Domain List Domainnamereferences https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-list-domainnamereferences.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Not supported. |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
|Delegated (personal Microsoft account) | Not supported. |
-|Application | Domain.ReadWrite.All |
+|Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
[!INCLUDE [limited-info](../../includes/limited-info.md)] ## HTTP request <!-- { "blockType": "ignored" } --> ```http
-GET /domains/{domain-id}/domainNameReferences
+GET /domains/{id}/domainNameReferences
``` ## Optional query parameters
v1.0 Domain List Serviceconfigurationrecords https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-list-serviceconfigurationrecords.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
|Delegated (personal Microsoft account) | Not supported. |
-|Application | Directory.Read.All, Domain.ReadWrite.All |
+|Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
## HTTP request <!-- { "blockType": "ignored" } -->
v1.0 Domain List Verificationdnsrecords https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-list-verificationdnsrecords.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
|Delegated (personal Microsoft account) | Not supported. |
-|Application | Directory.Read.All, Domain.ReadWrite.All |
+|Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
## HTTP request <!-- { "blockType": "ignored" } -->
v1.0 Domain List https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-list.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
v1.0 Domain Post Domains https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-post-domains.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.AccessAsUser.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
v1.0 Domain Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-update.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.AccessAsUser.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
v1.0 Domain Verify https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/domain-verify.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. |
-|Application | Directory.Read.All, Domain.ReadWrite.All |
+|Application | Domain.ReadWrite.All |
## HTTP request
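Review bot: Both rows drop `Directory.Read.All`, leaving `Domain.ReadWrite.All` as the only documented permission for verify. Requiring a write scope for a state-changing action is the right direction, but the page should say whether apps that were consented with only `Directory.Read.All` stop working, because the removed lines documented that permission as sufficient.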
v1.0 Ediscovery Custodian Post Sitesources https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/ediscovery-custodian-post-sitesources.md
The following table shows the properties that are required when you create the [
|Property|Type|Description| |:|:|:|
-|site@odata.bind|String|ID of the site, which you can get from the [site](../resources/site.md) resource by using the [Get a site resource by path](../api/site-getbypath.md) method. The usage is {hostname}:/{relative-path}. For the site URL `https://contoso.sharepoint.com/sites/HumanResources`, the Microsoft Graph request would be `https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/HumanResources`. The ID is the first GUID listed in the ID field. For the OneDrive for Business site URL `https://contoso-my.sharepoint.com/personal/adelev_contoso_com`, the Microsoft Graph request would be `https://graph.microsoft.com/v1.0/sites/contoso-my.sharepoint.com:/personal/adelev_contoso_com`. |
+|site|String|URL of the site; for example, `https://contoso.sharepoint.com/sites/HumanResources`.|
## Response
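Review bot: The new `site` row gives the type as String and describes a URL, but the request example changed in this same file sends `"site": { "webUrl": "https://contoso.sharepoint.com/sites/HumanResources" }`, which is an object. Align the Type column and description with the example. The removed row also covered OneDrive for Business site URLs; say whether those are still accepted through `webUrl`.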
If successful, this method returns a `201 Created` response code and a [microsof
### Request
-# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "create_sitesource_from__1"
If successful, this method returns a `201 Created` response code and a [microsof
--> ``` http
-POST https://graph.microsoft.com/beta/compliance/ediscovery/cases/4c8f8f70-7785-4bd4-b296-c98376a2c5e1/custodians/2192ca408ea2410eba3bec8ae873be6b/siteSources
+POST https://graph.microsoft.com/beta/compliance/ediscovery/cases/15d80234-8320-4f10-96d0-d98d53ffdfc9/custodians/8904528fef4d4578b44f71a80188f400/siteSources
Content-Type: application/json Content-length: 179 {
- "site@odata.bind": "https://graph.microsoft.com/v1.0/sites/50073f3e-cb22-48e5-95a9-51a3da455181"
+ "site": {
+ "webUrl": "https://contoso.sharepoint.com/sites/HumanResources"
+ }
}
-```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
---
+```
### Response **Note:** The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('4c8f8f70-7785-4bd4-b296-c98376a2c5e1')/custodians('2192ca408ea2410eba3bec8ae873be6b')/siteSources",
- "value": [
- {
- "displayName": "Human resources site",
- "createdDateTime": "2020-10-27T15:14:11.0048392Z",
- "id": "38304445-3741-3333-4233-344238454333",
- "createdBy": {
- "user": {
- "id": "c1db6f13-332a-4d84-b111-914383ff9fc9",
- "displayName": null
- }
- }
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('15d80234-8320-4f10-96d0-d98d53ffdfc9')/custodians('8904528fef4d4578b44f71a80188f400')/siteSources/$entity",
+ "@odata.id": "https://graph.microsoft.com/v1.0/sites/2493b4eb-1a48-4cac-b0d0-aad05e6b9df0",
+ "displayName": "Human resources site",
+ "createdDateTime": "2021-08-10T18:25:48.6441363Z",
+ "id": "42393244-3838-4636-3437-453030334136",
+ "createdBy": {
+ "user": {
+ "id": "798d8d23-2087-4e03-912e-c0d9db5cb5d2",
+ "displayName": null
}
- ]
+ }
} ```
v1.0 Ediscovery Custodian Post Unifiedgroupsources https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/ediscovery-custodian-post-unifiedgroupsources.md
In the request body, supply a JSON representation of the [unifiedGroupSource](..
The following table shows the properties that are required when you create the [unifiedGroupSource](../resources/ediscovery-unifiedgroupsource.md).
+>**Note:** Either **group** or **group@odata.bind** is required in order to create a **unifiedGroupSource**.
+ |Property|Type|Description| |:|:|:| |includedSources|microsoft.graph.ediscovery.sourceType|Specifies which sources are included in this group. Possible values are: `mailbox`, `site`.|
-|group@odata.bind|String|ID of the group. To get the group ID, use the [List groups](../api/group-list.md) operation.|
+|group|String|Specifies the email address for the group. To get the email address of a group, use [List groups](../api/group-list.md) or [Get group](../api/group-get.md). You can then query by the name of the group using `$filter`; for example, `https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'secret group'&$select=mail,id,displayName`.|
+|group@odata.bind|String|ID of the group. You can get this in the same way that you get the group. |
## Response
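Review bot: The rewritten `group@odata.bind` description, "You can get this in the same way that you get the group.", no longer tells the reader what value to supply; the removed row said it is the group ID from List groups, and Example 2 on this page passes a full `https://graph.microsoft.com/v1.0/groups/{id}` URL. Restore a concrete description. The new `group` row is typed String while Example 1 sends `"group": { "mail": "SecretGroup@contoso.com" }`, so the type should be corrected as well.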
If successful, this method returns a `201 Created` response code and a [microsof
## Examples
-### Request
+### Example 1: Create unifiedGroupSource with group SMTP address
+#### Request
-# [HTTP](#tab/http)
<!-- { "blockType": "request",
- "name": "create_unifiedgroupsource_from_"
+ "name": "create_unifiedgroupsource_from_email"
} --> ``` http
-POST https://graph.microsoft.com/beta/compliance/ediscovery/cases/{caseId}/custodians/{custodianId}/unifiedGroupSources
+POST https://graph.microsoft.com/beta/compliance/ediscovery/cases/15d80234-8320-4f10-96d0-d98d53ffdfc9/custodians/8904528fef4d4578b44f71a80188f400/unifiedGroupSources
Content-Type: application/json Content-length: 219 {
- "group@odata.bind": "https://graph.microsoft.com/v1.0/groups/b96f95c5-b1b3-4142-b039-8ac79e7d2c84",
+ "group": {
+ "mail": "SecretGroup@contoso.com"
+ },
"includedSources": "mailbox, site" } ```
-# [C#](#tab/csharp)
-# [JavaScript](#tab/javascript)
+
-# [Objective-C](#tab/objc)
+#### Response
-# [Java](#tab/java)
+> **Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.ediscovery.unifiedGroupSource"
+}
+-->
-
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('15d80234-8320-4f10-96d0-d98d53ffdfc9')/custodians('8904528fef4d4578b44f71a80188f400')/unifiedGroupSources/$entity",
+ "@odata.id": "https://graph.microsoft.com/v1.0/groups/b96f95c5-b1b3-4142-b039-8ac79e7d2c84",
+ "displayName": "Secret Group",
+ "createdDateTime": "2021-03-31T21:22:57.0108027Z",
+ "id": "33434233-3030-3739-3043-393039324633",
+ "includedSources": "mailbox,site",
+ "createdBy": {
+ "user": {
+ "id": "c1db6f13-332a-4d84-b111-914383ff9fc9",
+ "displayName": null
+ }
+ }
+}
+```
+
+### Example 2: Create unifiedGroupSource with group@odata.bind
+
+#### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedgroupsource_from_id"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/compliance/ediscovery/cases/15d80234-8320-4f10-96d0-d98d53ffdfc9/custodians/8904528fef4d4578b44f71a80188f400/unifiedGroupSources
+Content-Type: application/json
+Content-length: 219
+
+{
+ "group@odata.bind": "https://graph.microsoft.com/v1.0/groups/b96f95c5-b1b3-4142-b039-8ac79e7d2c84",
+ "includedSources": "mailbox, site"
+}
+```
++
-### Response
+#### Response
> **Note:** The response object shown here might be shortened for readability. <!-- {
HTTP/1.1 201 Created
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('f4c0e095-d140-4392-bfe7-4e0ae637c566')/custodians('46363131333630303541423141324436')/unifiedGroupSources/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('15d80234-8320-4f10-96d0-d98d53ffdfc9')/custodians('8904528fef4d4578b44f71a80188f400')/unifiedGroupSources/$entity",
"@odata.id": "https://graph.microsoft.com/v1.0/groups/b96f95c5-b1b3-4142-b039-8ac79e7d2c84",
- "displayName": "SFA Videos",
+ "displayName": "Secret Group",
"createdDateTime": "2021-03-31T21:22:57.0108027Z", "id": "33434233-3030-3739-3043-393039324633", "includedSources": "mailbox,site",
v1.0 Ediscovery Legalhold Post Sitesources https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/ediscovery-legalhold-post-sitesources.md
The following table shows the properties that are required when you create the [
|Property|Type|Description| |:|:|:|
-|site@odata.bind|String|ID of the site, which you can get from the [site](../resources/site.md) resource by using the [Get a site resource by path](../api/site-getbypath.md) method. The usage is {hostname}:/{relative-path}. For the site URL `https://contoso.sharepoint.com/sites/HumanResources`, the Microsoft Graph request would be `https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/HumanResources`. The ID is the first GUID listed in the ID field. For the OneDrive for business site URL `https://contoso-my.sharepoint.com/personal/adelev_contoso_com`, the Microsoft Graph request would be `https://graph.microsoft.com/v1.0/sites/contoso-my.sharepoint.com:/personal/adelev_contoso_com` |
+|site|String|URL of the site; for example, `https://contoso.sharepoint.com/sites/HumanResources`.|
## Response
If successful, this method returns a `201 Created` response code and a [microsof
### Request -
-# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "create_sitesource_from__2"
Content-Type: application/json
Content-length: 154 {
- "site@odata.bind": "https://graph.microsoft.com/v1.0/sites/50073f3e-cb22-48e5-95a9-51a3da455181"
+ "site": {
+ "webUrl": "https://contoso.sharepoint.com/sites/SecretSite"
+ }
} ```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
- ### Response **Note:** The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-Type: application/json {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('c816dd6f-5af8-40c5-a760-331361e05c60')/legalHolds('387566cc-38ae-4e85-ab4b-cd2dd34faa07')/siteSources/$entity",
- "displayName": "Adele Vance",
- "createdDateTime": "2020-12-28T20:08:57.857Z",
- "id": "50073f3e-cb22-48e5-95a9-51a3da455181",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('15d80234-8320-4f10-96d0-d98d53ffdfc9')/legalHolds('644db9d3-5a67-4ca0-aa1c-0cca02168875')/siteSources/$entity",
+ "displayName": "Secret Site",
+ "createdDateTime": "2021-08-11T23:17:31.687Z",
+ "id": "32443932-4343-3545-3339-373031353742",
"createdBy": { "user": { "id": null,
- "displayName": "EDiscovery admin"
+ "displayName": "Edisco Admin"
} } }
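Review bot: In the request example, the context line `Content-length: 154` is carried over unchanged although the body was replaced with the `site` / `webUrl` object; recompute it or drop the header from the sample. As on the custodian page, the `site` row is typed String while the example sends an object.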
v1.0 Ediscovery Legalhold Post Usersources https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/ediscovery-legalhold-post-usersources.md
The following table shows the properties that are required when you create the [
|Property|Type|Description| |:|:|:|
-|email|String|SMTP address of the user.|
+|email|String|SMTP address of the user or the SMTP address of the group mailbox. To get the email address of the group, use [List groups](../api/group-list.md) or [Get group](../api/group-get.md). Using get group, you can query by the name of the group using `$filter`; for example, `https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'secret group'&$select=mail,id,displayName`. |
|includedSources|microsoft.graph.ediscovery.sourceType|Specifies which sources are included in this group. This value must be `mailbox`, `site` is not supported for legalHolds at this time.| ## Response
If successful, this method returns a `201 Created` response code and a [microsof
### Request
-# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "create_usersource_from__2"
Content-length: 208
"includedSources": "mailbox" } ```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
- ### Response **Note:** The response object shown here might be shortened for readability.
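Review bot: The new `email` description says "Using get group, you can query by the name of the group using `$filter`", but the example URL that follows, `/groups?$filter=displayName eq 'secret group'`, is a List groups call, not Get group. Reword it to match the other pages in this change ("You can then query by the name of the group..."), and consider noting that the spaces and quotes in the sample URL need encoding when sent.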
v1.0 Ediscovery Noncustodialdatasource Post https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/ediscovery-noncustodialdatasource-post.md
If successful, this method returns a `201 Created` response code and a [noncusto
## Examples
-### Request
+### Example 1: Add a non-custodial data source user or group mailbox with an email
+#### Request
-# [HTTP](#tab/http)
<!-- { "blockType": "request",
- "name": "create_noncustodialdatasource_from_"
+ "name": "create_noncustodialdatasource_from_email"
} -->
Content-length: 206
} } ```
-# [C#](#tab/csharp)
-# [JavaScript](#tab/javascript)
+#### Response
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
----
-### Response
-
-**Note:** The response object shown here might be shortened for readability.
+>**Note:** The response object shown here might be shortened for readability.
<!-- { "blockType": "response", "truncated": true,
Content-Type: application/json
"applyHoldToSource": true } ```+
+### Example 2: Add a non-custodial data source site with a URL
+
+#### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "create_noncustodialdatasource_from_siteurl"
+}
+-->
+
+``` http
+POST https://graph.microsoft.com/beta/compliance/ediscovery/cases/15d80234-8320-4f10-96d0-d98d53ffdfc9/noncustodialdatasources
+Content-Type: application/json
+Content-length: 206
+
+{
+ "applyHoldToSource": false,
+ "dataSource": {
+ "@odata.type": "microsoft.graph.ediscovery.siteSource",
+ "site": {
+ "webUrl": "https://contoso.sharepoint.com/sites/SecretSite"
+ }
+ }
+}
+```
+
+#### Response
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.ediscovery.noncustodialDataSource"
+}
+-->
+
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('15d80234-8320-4f10-96d0-d98d53ffdfc9')/noncustodialDataSources/$entity",
+ "status": "Active",
+ "lastModifiedDateTime": "2021-08-11T22:43:45.1079425Z",
+ "releasedDateTime": "0001-01-01T00:00:00Z",
+ "id": "35393843394546413031353146334134",
+ "displayName": "Secret Site",
+ "createdDateTime": "2021-08-11T22:43:45.0189955Z",
+ "applyHoldToSource": false
+}
+```
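Review bot: In the new Example 2 request, `"@odata.type": "microsoft.graph.ediscovery.siteSource"` has no leading `#`, while the named-location change on this page requires `#microsoft.graph.ipNamedLocation` and the additionalSources response uses `#microsoft.graph.ediscovery.siteSource`. Confirm which form the service accepts and use it consistently. `Content-length: 206` is also copied from Example 1 even though the body differs.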
v1.0 Ediscovery Sourcecollection Post Additionalsources https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/ediscovery-sourcecollection-post-additionalsources.md
In the request body, supply a JSON representation of the [dataSource](../resourc
The following table shows the properties that are required when you create the [dataSource](../resources/ediscovery-datasource.md).
+>**Note:** Either **email** or **site** are required, not both.
+ |Property|Type|Description| |:|:|:|
-|id|String|The ID for [sourceCollection](../resources/ediscovery-sourcecollection.md) case. Read-only. Inherited from [entity](../resources/entity.md)|
-|displayName|String|The name of the [sourceCollection](../resources/ediscovery-sourcecollection.md)|
-|createdDateTime|DateTimeOffset|The date and time when the [sourceCollection](../resources/ediscovery-sourcecollection.md) was created.|
-|createdBy|[identitySet](../resources/identityset.md)|The user who created the [sourceCollection](../resources/ediscovery-sourcecollection.md).|
+|email|string|SMTP address of the mailbox. To get the email address of a group, use [List groups](../api/group-list.md) or [Get group](../api/group-get.md). You can query by the name of the group using `$filter`; for example, `https://graph.microsoft.com/v1.0/groups?$filter=displayName eq 'secret group'&$select=mail,id,displayName`.|
+|site|string|URL of the site; for example, `https://contoso.sharepoint.com/sites/HumanResources`. |
## Response
If successful, this method returns a `201 Created` response code and a [microsof
## Examples
-### Request
+### Example 1: Add a user or group mailbox to the additional sources
+#### Request
-# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "create_datasource_from__1"
If successful, this method returns a `201 Created` response code and a [microsof
--> ``` http
-POST https://graph.microsoft.com/beta/compliance/ediscovery/cases/{caseId}/sourceCollections/{sourceCollectionId}/additionalSources
+POST https://graph.microsoft.com/beta/compliance/ediscovery/cases/15d80234-8320-4f10-96d0-d98d53ffdfc9/sourceCollections/39b0bafd920e4360995c62e18a5e8a49/additionalsources
Content-Type: application/json Content-length: 179 {
- "@odata.type": "#microsoft.graph.ediscovery.userSource",
+ "@odata.type": "microsoft.graph.ediscovery.userSource",
"email": "badguy@contoso.com" } ```
-# [C#](#tab/csharp)
-
-# [JavaScript](#tab/javascript)
-
-# [Objective-C](#tab/objc)
-
-# [Java](#tab/java)
-
-### Response
+#### Response
> **Note:** The response object shown here might be shortened for readability. <!-- {
HTTP/1.1 201 Created
Content-Type: application/json {
- "@odata.type": "#microsoft.graph.ediscovery.dataSource",
+ "@odata.type": "microsoft.graph.ediscovery.dataSource",
"id": "0fb67fc5-7fc5-0fb6-c57f-b60fc57fb60f", "displayName": "String", "createdDateTime": "String (timestamp)",
Content-Type: application/json
} } ```+
+### Example 2: Add a site or group site to additional sources
+
+#### Request
+
+<!-- {
+ "blockType": "request",
+ "name": "create_datasource_from__1"
+}
+-->
+
+``` http
+POST https://graph.microsoft.com/beta/compliance/ediscovery/cases/15d80234-8320-4f10-96d0-d98d53ffdfc9/sourceCollections/39b0bafd920e4360995c62e18a5e8a49/additionalsources
+Content-Type: application/json
+Content-length: 179
+
+{
+ "@odata.type": "microsoft.graph.ediscovery.siteSource",
+ "site": {
+ "webUrl": "https://contoso.sharepoint.com/sites/SecretSite"
+ }
+}
+```
+++
+#### Response
+
+> **Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.ediscovery.dataSource"
+}
+-->
+
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#compliance/ediscovery/cases('15d80234-8320-4f10-96d0-d98d53ffdfc9')/sourceCollections('39b0bafd920e4360995c62e18a5e8a49')/additionalSources/$entity",
+ "@odata.type": "#microsoft.graph.ediscovery.siteSource",
+ "displayName": "Secret Site",
+ "createdDateTime": "2021-08-11T23:35:02.33986Z",
+ "id": "42393244-3838-4636-3437-453030334136",
+ "createdBy": {
+ "user": {
+ "id": "798d8d23-2087-4e03-912e-c0d9db5cb5d2",
+ "displayName": "Edisco Admin",
+ "userPrincipalname": "ediscoadmin@contoso.com"
+ }
+ }
+}
+```
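Review bot: The Example 2 request metadata reuses `"name": "create_datasource_from__1"`, the same name as the Example 1 request, so the two snippets cannot be told apart by tooling that keys on it; give it a distinct name as was done for the `_from_email` and `_from_siteurl` examples elsewhere in this change. The request bodies now drop the `#` from `@odata.type` while the new Example 2 response keeps `#microsoft.graph.ediscovery.siteSource`, and the added note should read "Either **email** or **site** is required".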
v1.0 Educationassignment Setupresourcesfolder https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/educationassignment-setupresourcesfolder.md
The following is an example of a request.
"name": "educationassignment_setupresourcesfolder" }--> ```msgraph-interactive
-POST https://graph.microsoft.com/beta/education/classes/11012/assignments/19002/setUpResourcesFolder
+POST https://graph.microsoft.com/beta/education/classes/955e0bd5-52c2-41ad-b7e8-5b33a18c5e78/assignments/18d17255-3278-49fb-8da7-d095b7f610c4/setUpResourcesFolder
Content-type: application/json {
v1.0 Educationsubmission Setupresourcesfolder https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/educationsubmission-setupResourcesFolder.md
The following is an example of a request.
"name": "educationsubmission_setupresourcesfolder" }--> ```msgraph-interactive
-POST https://graph.microsoft.com/beta/education/classes/11012/assignments/19002/submissions/20302/setUpResourcesFolder
+POST https://graph.microsoft.com/beta/education/classes/b07edbef-7420-4b3d-8f7c-d599cf21e069/assignments/1e5222bd-b7d2-4d64-8a22-74b722ce2fc6/submissions/803fb5dd-3553-455f-3d94-f79fb54a1003/setUpResourcesFolder
Content-type: application/json {
v1.0 Group Delete Approleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/group-delete-approleassignments.md
Title: "Delete an appRoleAssignment from a group"
+ Title: "Delete appRoleAssignment"
description: "Delete an appRoleAssignment that has been granted to a group." ms.localizationpriority: medium doc_type: apiPageType
ms.prod: "groups"
-# Delete an appRoleAssignment granted to a group
+# Delete appRoleAssignment
Namespace: microsoft.graph
DELETE /groups/{id}/appRoleAssignments/{id}
``` > [!NOTE]
-> As a best practice, we recommend deleting app role assignments through the `appRoleAssignedTo` relationship of the _resource_ service principal, instead of the `appRoleAssignments` relationship of the assigned user, group, or service principal.
+> As a best practice, we recommend you delete app role assignments using the [Delete appRoleAssignedTo](serviceprincipal-delete-approleassignedto.md) method which deletes through the **appRoleAssignedTo** relationship of the _resource_ service principal, instead of this method.
## Request headers
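Review bot: the new front-matter title and H1, `Delete appRoleAssignment`, drop the "granted to a group" qualifier even though the description still says "granted to a group", and the same title is given to the servicePrincipal and user pages in this batch. Keep the resource in the title so a reader arriving from search or the table of contents can tell the three methods apart. In the rewritten note, "method which deletes through" needs a comma before "which".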
v1.0 Group List Owners https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/group-list-owners.md
One of the following permissions is required to call this API. To learn more, in
|:--|:| |Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All, Directory.AccessAsUser.All | |Delegated (personal Microsoft account) | Not supported. |
-|Application | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All, Directory.AccessAsUser.All |
+|Application | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
[!INCLUDE [limited-info](../../includes/limited-info.md)]
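Review bot: the `+` Application row drops `Directory.AccessAsUser.All` while the Delegated (work or school account) row above still lists it, and nothing visible here says why. State in the change description whether this is a documentation correction or a change in what the service accepts, because apps that were granted the permission on the strength of the old row need to know which.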
v1.0 Ipnamedlocation Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/ipnamedlocation-update.md
PATCH /identity/conditionalAccess/namedLocations/{id}
In the request body, supply the values for relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.
+You must specify the **@odata.type** as `#microsoft.graph.ipNamedLocation`.
+ | Property | Type | Description | |:-|:|:| |displayName|String|Human-readable name of the location.|
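Review bot: the added sentence requiring **@odata.type** to be `#microsoft.graph.ipNamedLocation` comes directly after the paragraph telling callers not to include existing values that haven't changed, so the two read as contradictory unless the new sentence says this property is the exception and must be sent on every PATCH. If the request example on the page does not already carry `@odata.type`, add it there as well so the requirement is shown and not only stated.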
v1.0 Profilephoto Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/profilephoto-get.md
One of the following permissions is required to call this API. To learn more, in
> **Note:** The GET photo method in beta supports a user's work, school, or personal accounts. The GET photo metadata method, however, supports only the user's work or school accounts and not personal accounts.
+### To retrieve the profile photo of a user
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | User.Read, User.ReadBasic.All, User.Read.All, User.ReadWrite, User.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | User.Read.All, User.ReadWrite.All |
+
+### To retrieve the profile photo of a group
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | Group.Read.All, Group.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Group.Read.All, Group.ReadWrite.All |
+
+### To retrieve the profile photo of a contact
+ |Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | For **user** resource:<br/>User.Read, User.ReadBasic.All, User.Read.All, User.ReadWrite, User.ReadWrite.All<br /><br />For **group** resource:<br />Group.Read.All, Group.ReadWrite.All<br /><br />For **contact** resource:<br />Contacts.Read, Contacts.ReadWrite |
-|Delegated (personal Microsoft account) <br /> **Note**: Metadata operation is not supported. | For **user** resource:<br/>User.Read, User.ReadWrite<br /><br />For **contact** resource:<br />Contacts.Read, Contacts.ReadWrite |
-|Application | For **user** resource:<br/>User.Read.All, User.ReadWrite.All<br /><br />For **group** resource:<br />Group.Read.All, Group.ReadWrite.All<br /><br />For **contact** resource:<br />Contacts.Read, Contacts.ReadWrite |
+|Delegated (work or school account) | Contacts.Read, Contacts.ReadWrite |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Contacts.Read, Contacts.ReadWrite |
> **Note:** There is currently a [known issue](/graph/known-issues#groups) with accessing group photos using application permissions.
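Review bot: all three new tables give `Not supported.` for Delegated (personal Microsoft account), but the removed row listed `User.Read, User.ReadWrite` for the user resource and `Contacts.Read, Contacts.ReadWrite` for the contact resource, and the unchanged note above the tables still says the GET photo method in beta supports personal accounts. Either restore the personal-account permissions in the user and contact tables, keeping the dropped "Metadata operation is not supported" qualifier, or update the note; as written the page contradicts itself on which account types may read a photo.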
v1.0 Profilephoto Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/profilephoto-update.md
Only use PUT for this operation.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+### To update the profile photo of the signed-in user
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | User.ReadWrite, User.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | User.ReadWrite.All |
+
+### To update the profile photo of a group
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | Group.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Group.ReadWrite.All |
+
+### To update the profile photo of a contact
+ |Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Profile photo of the signed-in **user**:<br/>User.ReadWrite, User.ReadWrite.All<br /><br />For **group** resource:<br />Group.ReadWrite.All<br /><br />For **contact** resource:<br />Contacts.ReadWrite |
-|Delegated (personal Microsoft account) | Not supported. |
-|Application | For **user** resource:<br/>User.ReadWrite.All<br /><br />For **group** resource:<br />Group.ReadWrite.All<br /><br />For **contact** resource:<br />Contacts.ReadWrite |
+|Delegated (work or school account) | Contacts.ReadWrite |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Contacts.ReadWrite |
-> **Note** To update the photo of any user in the organization, your app must have the User.ReadWrite.All application permission and call this API under its own identity, not on behalf of a user. To learn more, see [get access without a signed-in user](/graph/auth-v2-service). Updating the photo of the signed-in user only requires User.ReadWrite permission.
-> **Note:** There is currently a [known issue](/graph/known-issues#groups) with accessing group photos using application permissions.
+>**Notes:** To update the photo of any user in the organization, your app must have the **User.ReadWrite.All** application permission and call this API under its own identity, not on behalf of a user. To learn more, see [get access without a signed-in user](/graph/auth-v2-service). Updating the photo of the signed-in user only requires User.ReadWrite permission.
+>
+> There is currently a [known issue](/graph/known-issues#groups) with accessing group photos using application permissions.
## HTTP request <!-- { "blockType": "ignored" } -->
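Review bot: the first new heading scopes its table to the signed-in user, yet the table's Application row lists `User.ReadWrite.All`, and the note below describes app-only calls as the way to update the photo of any user; an application call has no signed-in user. Reword the heading to cover users generally, or split "signed-in user" from "any user", so the least-privileged choice for each case is clear. In the rewritten note, `>**Notes:**` lacks the space after `>` used by the other notes, and only one of the two permission names is bolded.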
v1.0 Serviceprincipal Addkey https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/serviceprincipal-addkey.md
In the request body, provide the following required properties.
|:|:--|:-| | keyCredential | [keyCredential](../resources/keycredential.md) | The new servicePrincipal key credential to add. The __type__, __usage__ and __key__ are required properties for this usage. Supported key types are:<br><ul><li>`AsymmetricX509Cert`: The usage must be `Verify`.</li><li>`X509CertAndPassword`: The usage must be `Sign`</li></ul>| | passwordCredential | [passwordCredential](../resources/passwordcredential.md) | Only __secretText__ is required to be set which should contain the password for the key. This property is required only for keys of type `X509CertAndPassword`. Set it to `null` otherwise.|
-| proof | String | A self-signed JWT token used as a proof of possession of the existing keys. This JWT token must be signed using the private key of one of the servicePrincipal's existing valid certificates. The token should contain the following claims:<ul><li>`aud` - Audience needs to be `00000002-0000-0000-c000-000000000000`.</li><li>`iss` - Issuer needs to be the __id__ of the servicePrincipal that is making the call.</li><li>`nbf` - Not before time.</li><li>`exp` - Expiration time should be "nbf" + 10 mins.</li></ul><br>Here is a code [sample](/graph/application-rollkey-prooftoken) that can be used to generate this proof of possession token.|
+| proof | String | A self-signed JWT token used as a proof of possession of the existing keys. This JWT token must be signed using the private key of one of the servicePrincipal's existing valid certificates. The token should contain the following claims:<ul><li>`aud` - Audience needs to be `00000002-0000-0000-c000-000000000000`.</li><li>`iss` - Issuer needs to be the __id__ of the servicePrincipal that is making the call.</li><li>`nbf` - Not before time.</li><li>`exp` - Expiration time should be `nbf` + 10 mins.</li></ul><br>For steps to generate this proof of possession token, see [Generating proof of possession tokens for rolling keys](/graph/application-rollkey-prooftoken).|
## Response
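Review bot: in the `proof` row the `aud` and `iss` claims are stated as "needs to be" while `exp` is "should be `nbf` + 10 mins", which leaves it unclear whether ten minutes is an exact value, an upper bound the service enforces, or a recommendation. This token is the proof of possession for adding a key, so state the enforced limit explicitly. The new link points at an application-named article (`/graph/application-rollkey-prooftoken`) from a servicePrincipal page; confirm the steps there apply to service principals too.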
v1.0 Serviceprincipal Addtokensigningcertificate https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/serviceprincipal-addtokensigningcertificate.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Creates a self-signed signing certificate and returns a [selfSignedCertificate](../resources/selfsignedcertificate.md), which is the public part of the generated certificate. The self-signed signing certificate is composed of these resources: the private key ([keyCredential](../resources/keycredential.md) with usage = 'Sign'), the public key ([keyCredential](../resources/keycredential.md) with usage = 'verify'), and the [passwordCredential](../resources/passwordcredential.md). All the created resources have the same **customKeyIdentifier**.
+Creates a self-signed signing certificate and returns a [selfSignedCertificate](../resources/selfsignedcertificate.md) object, which is the public part of the generated certificate. The self-signed signing certificate is composed of the following objects which are added to the [servicePrincipal](../resources/serviceprincipal.md):
++ The [keyCredentials](../resources/keycredential.md) object with the following objects:
+ + A private key object with **usage** set to `Sign`.
+ + A public key object with **usage** set to `Verify`.
++ The [passwordCredentials](../resources/passwordcredential.md) object.
-The **passwordCredential** is used to open the pfx/private key. Also, it's associated with the privateKey having the same **keyId**. The subject of the certificate is a constant value. It won't be affected by the optional **displayName** provided in the POST call. The **startDateTime** is set to the same time the certificate is created using the action. The **endDateTime** can be up to three years after the certificate is created.
+All the objects have the same value of **customKeyIdentifier**.
+
+The **passwordCredential** is used to open the PFX file (private key). It and the associated private key object have the same value of **keyId**. Once set during creation through the **displayName** property, the subject of the certificate cannot be updated. The **startDateTime** is set to the same time the certificate is created using the action. The **endDateTime** can be up to three years after the certificate is created.
## Permissions
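Review bot: the rewritten last paragraph reverses the removed statement about the certificate subject: the old text said the subject is a constant value that the optional **displayName** does not affect, while the new text says the subject is set through **displayName** at creation and cannot be updated afterwards. These are not rewordings of each other, so confirm which behaviour the service has before merging. The new list also links `keyCredentials` and `passwordCredentials` (plural) to the singular resource pages and the next paragraph switches back to **passwordCredential**; pick one form.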
In the request body, provide the following required properties.
| Property | Type |Description| |:|:--|:-| | displayName | string | Friendly name for the key. It must start with `CN=`.|
-| endDateTime | DateTimeOffset |The date and time when the credential expires. It can be up to 3 years from the date the certificate is created. If not supplied, the default is three years from the time of creation. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z' .|
+| endDateTime | DateTimeOffset |The date and time when the credential expires. It can be up to 3 years from the date the certificate is created. If not supplied, the default is three years from the time of creation. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
## Response
v1.0 Serviceprincipal Delete Approleassignedto https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/serviceprincipal-delete-approleassignedto.md
Title: "Delete an appRoleAssignment granted for a service principal"
+ Title: "Delete appRoleAssignedTo"
description: "Delete an appRoleAssignment granted for a service principal." ms.localizationpriority: medium doc_type: apiPageType
ms.prod: "applications"
-# Delete an appRoleAssignment granted for a service principal
+# Delete appRoleAssignedTo
Namespace: microsoft.graph
DELETE /servicePrincipals/{resource-SP-id}/appRoleAssignedTo/{appRoleAssignment-
``` > [!NOTE]
-> As a best practice, we recommend deleting app role assignments through the `appRoleAssignedTo` relationship of the _resource_ service principal, instead of the `appRoleAssignments` relationship of the assigned user, group, or service principal.
+> As a best practice, we recommend you use this method to delete app role assignments, instead of the [Delete appRoleAssignments ](serviceprincipal-delete-approleassignments.md) method which deletes through the **appRoleAssignments** relationship of the assigned user, group, or service principal.
## Request headers
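Review bot: the link text in the new note has a stray space before the closing bracket, `[Delete appRoleAssignments ](...)`, and names the other method in the plural while that page's new title in this batch is `Delete appRoleAssignment`. Fix the spacing and match the target's title. The front-matter description also still reads "Delete an appRoleAssignment granted for a service principal" under a title that is now `Delete appRoleAssignedTo`; keep the two aligned.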
v1.0 Serviceprincipal Delete Approleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/serviceprincipal-delete-approleassignments.md
Title: "Delete an appRoleAssignment from a service principal"
+ Title: "Delete appRoleAssignment"
description: "Delete an appRoleAssignment from a service principal." ms.localizationpriority: medium doc_type: apiPageType
ms.prod: "applications"
-# Delete an appRoleAssignment granted to a service principal
+# Delete appRoleAssignment
Namespace: microsoft.graph
DELETE /servicePrincipals/{servicePrincipal-id}/appRoleAssignments/{appRoleAssig
``` > [!NOTE]
-> As a best practice, we recommend deleting app role assignments through the `appRoleAssignedTo` relationship of the _resource_ service principal, instead of the `appRoleAssignments` relationship of the assigned user, group, or service principal.
+> As a best practice, we recommend you delete app role assignments using the [Delete appRoleAssignedTo](serviceprincipal-delete-approleassignedto.md) method which deletes through the **appRoleAssignedTo** relationship of the _resource_ service principal, instead of this method.
## Request headers
v1.0 Serviceprincipal Removekey https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/serviceprincipal-removekey.md
In the request body, provide the following required properties.
| Property | Type | Description| |:-|:--|:--| | keyId | GUID | The unique identifier for the password.|
-| proof | String | A self-signed JWT token used as a proof of possession of the existing keys. This JWT token must be signed using the private key of one of the servicePrincipal's existing valid certificates. The token should contain the following claims:<ul><li>`aud` - Audience needs to be `00000002-0000-0000-c000-000000000000`.</li><li>`iss` - Issuer needs to be the __id__ of the servicePrincipal that is making the call.</li><li>`nbf` - Not before time.</li><li>`exp` - Expiration time should be "nbf" + 10 mins.</li></ul><br>Here is a code [sample](/graph/application-rollkey-prooftoken) that can be used to generate this proof of possession token.|
+| proof | String | A self-signed JWT token used as a proof of possession of the existing keys. This JWT token must be signed using the private key of one of the servicePrincipal's existing valid certificates. The token should contain the following claims:<ul><li>`aud` - Audience needs to be `00000002-0000-0000-c000-000000000000`.</li><li>`iss` - Issuer needs to be the __id__ of the servicePrincipal that is making the call.</li><li>`nbf` - Not before time.</li><li>`exp` - Expiration time should be `nbf` + 10 mins.</li></ul><br>For steps to generate this proof of possession token, see [Generating proof of possession tokens for rolling keys](/graph/application-rollkey-prooftoken).|
## Response
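Review bot: the changed `proof` row is a near-identical copy of the row on the servicePrincipal addKey page, so the same edit had to be made twice. The docs already use `[!INCLUDE ...]` fragments, and moving the claim list into a shared include would stop the copies drifting. In the same table, the unchanged **keyId** row describes the value as "The unique identifier for the password" on a removeKey page; check whether "key" is meant.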
v1.0 Subscription Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/subscription-delete.md
Depending on the resource and the permission type (delegated or application) req
|[chatMessage](../resources/chatmessage.md) (/teams/getAllMessages -- all channel messages in organization) | Not supported | Not supported | ChannelMessage.Read.All | |[chatMessage](../resources/chatmessage.md) (/chats/{id}/messages) | Chat.Read, Chat.ReadWrite | Not supported | Chat.Read.All | |[chatMessage](../resources/chatmessage.md) (/chats/getAllMessages -- all chat messages in organization) | Not supported | Not supported | Chat.Read.All |
+|[chatMessage](../resources/chatmessage.md) (/users/{id}/chats/getAllMessages -- chat messages for all chats a particular user is part of) | Chat.Read, Chat.ReadWrite | Not supported | Chat.Read.All, Chat.ReadWrite.All |
|[contact](../resources/contact.md) | Contacts.Read | Contacts.Read | Contacts.Read | |[conversationMember](../resources/conversationmember.md) (/chats/getAllMembers) | Not supported | Not supported | ChatMember.Read.All, ChatMember.ReadWrite.All, Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All | |[conversationMember](../resources/conversationmember.md) (/chats/{id}/members) | ChatMember.Read, ChatMember.ReadWrite, Chat.ReadBasic, Chat.Read, Chat.ReadWrite | Not supported | ChatMember.Read.Chat*, Chat.Manage.Chat*, ChatMember.Read.All, ChatMember.ReadWrite.All, Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All |
HTTP/1.1 204 No Content
} --> -
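Review bot: the added `/users/{id}/chats/getAllMessages` row lists `Chat.Read.All, Chat.ReadWrite.All` in the application column, while the neighbouring `/chats/{id}/messages` and `/chats/getAllMessages` rows list only `Chat.Read.All`. Confirm that `Chat.ReadWrite.All` is accepted for this resource and not for the others, or align the rows, so readers can pick the least-privileged permission. The row also allows delegated `Chat.Read, Chat.ReadWrite` where the tenant-wide `getAllMessages` row is `Not supported`; add a clause saying whether a delegated caller may subscribe only to their own `{id}`.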
v1.0 Subscription Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/subscription-get.md
Depending on the resource and the permission type (delegated or application) req
|[chatMessage](../resources/chatmessage.md) (/teams/getAllMessages -- all channel messages in organization) | Not supported | Not supported | ChannelMessage.Read.All | |[chatMessage](../resources/chatmessage.md) (/chats/{id}/messages) | Chat.Read, Chat.ReadWrite | Not supported | Chat.Read.All | |[chatMessage](../resources/chatmessage.md) (/chats/getAllMessages -- all chat messages in organization) | Not supported | Not supported | Chat.Read.All |
+|[chatMessage](../resources/chatmessage.md) (/users/{id}/chats/getAllMessages -- chat messages for all chats a particular user is part of) | Chat.Read, Chat.ReadWrite | Not supported | Chat.Read.All, Chat.ReadWrite.All |
|[contact](../resources/contact.md) | Contacts.Read | Contacts.Read | Contacts.Read | |[conversationMember](../resources/conversationmember.md) (/chats/getAllMembers) | Not supported | Not supported | ChatMember.Read.All, ChatMember.ReadWrite.All, Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All | |[conversationMember](../resources/conversationmember.md) (/chats/{id}/members) | ChatMember.Read, ChatMember.ReadWrite, Chat.ReadBasic, Chat.Read, Chat.ReadWrite | Not supported | ChatMember.Read.Chat*, Chat.Manage.Chat*, ChatMember.Read.All, ChatMember.ReadWrite.All, Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All |
Content-length: 252
} --> -
v1.0 Subscription Post Subscriptions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/subscription-post-subscriptions.md
Depending on the resource and the permission type (delegated or application) req
|[chatMessage](../resources/chatmessage.md) (/teams/getAllMessages -- all channel messages in organization) | Not supported | Not supported | ChannelMessage.Read.All | |[chatMessage](../resources/chatmessage.md) (/chats/{id}/messages) | Chat.Read, Chat.ReadWrite | Not supported | Chat.Read.All | |[chatMessage](../resources/chatmessage.md) (/chats/getAllMessages -- all chat messages in organization) | Not supported | Not supported | Chat.Read.All |
+|[chatMessage](../resources/chatmessage.md) (/users/{id}/chats/getAllMessages -- chat messages for all chats a particular user is part of) | Chat.Read, Chat.ReadWrite | Not supported | Chat.Read.All, Chat.ReadWrite.All |
|[contact](../resources/contact.md) | Contacts.Read | Contacts.Read | Contacts.Read | |[conversationMember](../resources/conversationmember.md) (/chats/getAllMembers) | Not supported | Not supported | ChatMember.Read.All, ChatMember.ReadWrite.All, Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All | |[conversationMember](../resources/conversationmember.md) (/chats/{id}/members) | ChatMember.Read, ChatMember.ReadWrite, Chat.ReadBasic, Chat.Read, Chat.ReadWrite | Not supported | ChatMember.Read.Chat*, Chat.Manage.Chat*, ChatMember.Read.All, ChatMember.ReadWrite.All, Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All |
The subscription notification endpoint (specified in the **notificationUrl** pro
} --> -
v1.0 Subscription Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/subscription-update.md
Depending on the resource and the permission type (delegated or application) req
|[chatMessage](../resources/chatmessage.md) (/teams/getAllMessages -- all channel messages in organization) | Not supported | Not supported | ChannelMessage.Read.All | |[chatMessage](../resources/chatmessage.md) (/chats/{id}/messages) | Chat.Read, Chat.ReadWrite | Not supported | Chat.Read.All | |[chatMessage](../resources/chatmessage.md) (/chats/getAllMessages -- all chat messages in organization) | Not supported | Not supported | Chat.Read.All |
+|[chatMessage](../resources/chatmessage.md) (/users/{id}/chats/getAllMessages -- chat messages for all chats a particular user is part of) | Chat.Read, Chat.ReadWrite | Not supported | Chat.Read.All, Chat.ReadWrite.All |
|[contact](../resources/contact.md) | Contacts.Read | Contacts.Read | Contacts.Read | |[conversationMember](../resources/conversationmember.md) (/chats/getAllMembers) | Not supported | Not supported | ChatMember.Read.All, ChatMember.ReadWrite.All, Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All | |[conversationMember](../resources/conversationmember.md) (/chats/{id}/members) | ChatMember.Read, ChatMember.ReadWrite, Chat.ReadBasic, Chat.Read, Chat.ReadWrite | Not supported | ChatMember.Read.Chat*, Chat.Manage.Chat*, ChatMember.Read.All, ChatMember.ReadWrite.All, Chat.ReadBasic.All, Chat.Read.All, Chat.ReadWrite.All |
Content-length: 252
} --> -
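Review bot: this is the fourth verbatim copy of the added `/users/{id}/chats/getAllMessages` row in this batch (subscription delete, get, create and update). A shared `[!INCLUDE ...]` fragment for the permissions table would keep the four pages from diverging on the next permission change.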
v1.0 Tiindicator Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/tiindicator-update.md
In the request body, supply the values for relevant fields that should be update
|confidence|Int32|An integer representing the confidence the data within the indicator accurately identifies malicious behavior. Acceptable values are 0 ΓÇô 100 with 100 being the highest.| |description|String|Brief description (100 characters or less) of the threat represented by the indicator.| |diamondModel|[diamondModel](../resources/tiindicator.md#diamondmodel-values)|The area of the Diamond Model in which this indicator exists. Possible values are: `unknown`, `adversary`, `capability`, `infrastructure`, `victim`.|
-|expirationDateTime|DateTimeOffset| DateTime string indicating when the Indicator expires. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`.|
+|expirationDateTime|DateTimeOffset| DateTime string indicating when the Indicator expires. All indicators must have an expiration date to avoid stale indicators persisting in the system. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|externalId|String|An identification number that ties the indicator back to the indicator providerΓÇÖs system (e.g. a foreign key).| |isActive|Boolean|Used to deactivate indicators within system. By default, any indicator submitted is set as active. However, providers may submit existing indicators with this set to ΓÇÿFalseΓÇÖ to deactivate indicators in the system.| |killChain|[killChain](../resources/tiindicator.md#killchain-values) collection|A JSON array of strings that describes which point or points on the Kill Chain this indicator targets. See "killChain values" below for exact values.| |knownFalsePositives|String|Scenarios in which the indicator may cause false positives. This should be human-readable text.|
-|lastReportedDateTime|DateTimeOffset|The last time the indicator was seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`|
+|lastReportedDateTime|DateTimeOffset|The last time the indicator was seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|malwareFamilyNames|String collection|The malware family name associated with an indicator if it exists. Microsoft prefers the Microsoft malware family name if at all possible which can be found via the Windows Defender Security Intelligence [threat encyclopedia](https://www.microsoft.com/wdsi/threats).| |passiveOnly|Boolean|Determines if the indicator should trigger an event that is visible to an end-user. When set to ΓÇÿtrue,ΓÇÖ security tools will not notify the end user that a ΓÇÿhitΓÇÖ has occurred. This is most often treated as audit or silent mode by security products where they will simply log that a match occurred but will not perform the action. Default value is false.| |severity|Int32|An integer representing the severity of the malicious behavior identified by the data within the indicator. Acceptable values are 0 ΓÇô 5 where 5 is the most severe and zero is not severe at all. Default value is 3.|
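Review bot: the two changed cells keep "The Timestamp type" capitalised, whereas the same sentence in the addTokenSigningCertificate page in this batch was changed to "The timestamp type". Settle on one casing across both pages while the sentence is being touched.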
v1.0 Unifiedroledefinition Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/unifiedroledefinition-update.md
In the request body, supply the values for relevant fields that should be update
## Response
-If successful, this method returns a `200 OK` response code and an updated [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object in the response body.
+If successful, this method returns a `204 No Content` response code.
## Example
The following is an example of the response.
} --> ```http
-HTTP/1.1 204 OK
+HTTP/1.1 204 No Content
Content-type: application/json ```
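Review bot: the response example now reads `HTTP/1.1 204 No Content`, but the unchanged line after it still sends `Content-type: application/json`; a 204 response carries no body, so drop that header from the example. The prose change from `200 OK` with an updated object to `204 No Content` changes what callers can rely on, so it deserves a line in the change description.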
v1.0 Unifiedroleeligibilityschedulerequest Post Unifiedroleeligibilityschedulerequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/unifiedroleeligibilityschedulerequest-post-unifiedroleeligibilityschedulerequests.md
POST /roleManagement/directory/roleEligibilityScheduleRequests
## Request body In the request body, supply a JSON representation of the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md) object.
-The following table shows the properties that are required when you create the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md).
+The following table shows the optional and required properties when you create the [unifiedRoleEligibilityScheduleRequest](../resources/unifiedroleeligibilityschedulerequest.md).
|Property|Type|Description| |:|:|:|
The following table shows the properties that are required when you create the [
|appScopeId|String|Identifier of the app-specific scope when the assignment scope is app-specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units or all users.| |directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only.| |isValidationOnly|Boolean|A boolean that determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.|
-|justification|String|A message provided by users and administrators when create the request about why it is needed.|
+|justification|String|A message provided by users and administrators when create the request about why it is needed. Optional when **action** is `AdminRemove`.|
|principalId|String|Identifier of the principal to which the assignment is being granted to. For example, a user or a group. For groups, they must be assignable to roles, that is, the **isAssignableToRole** of the group property set to `true`.|
-|roleDefinitionId|String|Identifier of the unifiedRoleDefinition the assignment is for. Read only.|
-|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The schedule object of the role assignment request.|
-|targetScheduleId|String|The time period for which the eligibility assignment is valid.|
-|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|The ticketInfo object attached to the role assignment request which includes details of the ticket number and ticket system.|
+|roleDefinitionId|String|Identifier of the unifiedRoleDefinition the assignment is for. Required. Read only.|
+|scheduleInfo|[requestSchedule](../resources/requestschedule.md)|The schedule object of the role assignment request. This property is not required when the **action** is `AdminRemove`.|
+|ticketInfo|[ticketInfo](../resources/ticketinfo.md)|The ticketInfo object attached to the role assignment request which includes details of the ticket number and ticket system. Optional.|
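Review bot: the new `roleDefinitionId` row reads "Required. Read only.", which is contradictory for a request property, since a caller cannot be required to supply a value it is not allowed to write. Say which applies at creation time (for example, required when creating the request and read-only afterwards). The `justification` row also carries over the ungrammatical "when create the request"; "when they create the request" reads correctly. The `targetScheduleId` row is removed with no replacement, so confirm the property is gone from the resource and not only from this table.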
v1.0 User Delete Approleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/user-delete-approleassignments.md
Title: "Delete an appRoleAssignment granted to a user"
+ Title: "Delete appRoleAssignment"
description: "Delete an appRoleAssignment that has been granted to a user." ms.localizationpriority: medium doc_type: apiPageType
ms.prod: "users"
-# Delete an appRoleAssignment granted to a user
+# Delete appRoleAssignment
Namespace: microsoft.graph
DELETE /users/{id}/appRoleAssignments/{id}
``` > [!NOTE]
-> As a best practice, we recommend deleting app role assignments through the `appRoleAssignedTo` relationship of the _resource_ service principal, instead of the `appRoleAssignments` relationship of the assigned user, group, or service principal.
+> As a best practice, we recommend you delete app role assignments using the [Delete appRoleAssignedTo](serviceprincipal-delete-approleassignedto.md) method which deletes through the **appRoleAssignedTo** relationship of the _resource_ service principal, instead of this method.
## Request headers
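Review bot: the new title and H1, "Delete appRoleAssignment", no longer say which principal this page covers, while the description still reads "granted to a user" and the request is `DELETE /users/{id}/appRoleAssignments/{id}`. Keep "granted to a user" in the title, or make the description match, so this page is distinguishable from the group and service principal variants that the removed note text referred to. The rewritten note ends with "instead of this method"; naming the **appRoleAssignments** relationship there, as the old text did, would make the recommendation clearer to readers who land on the note without context.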
v1.0 Conditionalaccessroot https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/conditionalaccessroot.md
Title: "conditionalAccess resource type"
-description: "The **conditionalaccess** resource is the entry point for the Conditinal Access object model. It doesn't contain any usable properties."
+ Title: "conditionalAccessRoot resource type"
+description: "The conditionalAccessRoot resource is the entry point for the Conditional Access (CA) object model. It doesn't contain any usable properties."
ms.localizationpriority: medium ms.prod: "identity-and-sign-in" doc_type: resourcePageType
-# conditionalaccess resource type
+# conditionalAccessRoot resource type
Namespace: microsoft.graph [!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-The **conditionalAccess** resource is the entry point for the Conditional Access object model. It doesn't contain any usable properties.
+The **conditionalAccessRoot** resource is the entry point for the Conditional Access (CA) object model. It doesn't contain any usable properties.
+For more information on Conditional Access in Azure Active Directory, see [What is Conditional Access](/azure/active-directory/conditional-access/overview)?
## Methods
-| Method | Return Type |Description|
-|:|:--|:-|
-|[Create conditionalAccessPolicy](../api/conditionalaccessroot-post-policies.md) |[conditionalAccessPolicy](conditionalaccesspolicy.md)| Create a new **conditionalAccessPolicy** by posting to the conditionalAccessPolicy collection.|
-|[Create namedLocations](../api/conditionalaccessroot-post-namedlocations.md) |[namedLocation](namedlocation.md)| Create a new **namedLocations** by posting to the namedLocations collection.|
-|[Create authenticationContextClassReferences](../api/conditionalaccessroot-post-authenticationcontextclassreferences.md)|[authenticationContextClassReferences](authenticationcontextclassreference.md)|Create a new **authenticationContextClassReferences** by posting to authenticationContextClassReferences collection.|
-
+None.
## Properties
-The conditionalAccess resource is the entry point for the Conditional Access object model and doesn't contain any properties.
+None.
## Relationships+ | Relationship | Type |Description| |:|:--|:-|
-|conditionalAccessPolicy|[conditionalAccessPolicy](conditionalaccesspolicy.md) collection| Read-only. Nullable. Returns a collection of the specified Conditional Access policies.|
-|namedLocations|[namedLocations](namedlocation.md) collection| Read-only. Nullable. Returns a collection of the specified named locations.|
-|authenticationContextClassReferences|[authenticationContextClassReferences](authenticationcontextclassreference.md) collection|Read-only. Nullable. Returns a collection of the specified authentication context class references.|
+|authenticationContextClassReferences|[authenticationContextClassReference](authenticationcontextclassreference.md) collection|Read-only. Nullable. Returns a collection of the specified authentication context class references.|
+|namedLocations|[namedLocation](namedlocation.md) collection| Read-only. Nullable. Returns a collection of the specified named locations.|
+|policies|[conditionalAccessPolicy](conditionalaccesspolicy.md) collection| Read-only. Nullable. Returns a collection of the specified Conditional Access policies.|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.conditionalAccessRoot"
+}-->
+
+```json
+{
+ "@odata.type": "#microsoft.graph.conditionalAccessRoot"
+}
+```
<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79 2015-10-25 14:57:30 UTC -->
The conditionalAccess resource is the entry point for the Conditional Access obj
"tocPath": "", "suppressions": [] }>-
+-->
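Review bot: in the added "For more information" line the question mark sits outside the link text, `[What is Conditional Access](...)?`, whereas the See also sections added elsewhere in this change set use `[What is Conditional Access?](...)`. Move it inside the brackets for consistency. Replacing the Methods table with "None." also removes the only links from this page to the three create operations, and the relationship is renamed from `conditionalAccessPolicy` to `policies`; check that the create pages are still reachable from the resource pages of the derived types, and that the rename matches the actual navigation property name.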
v1.0 Countrynamedlocation https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/countrynamedlocation.md
Inherits from [namedLocation](../resources/namedLocation.md)
| Property | Type | Description | |:-|:|:| |countriesAndRegions|String collection|List of countries and/or regions in two-letter format specified by ISO 3166-2.|
-|countryLookupMethod|countryLookupMethodType|Determines what method is used to decide which country the user is located in. Possible values are `clientIpAddress` and `authenticatorAppGps`. Note: `authenticatorAppGps` is not yet supported in the Microsoft Cloud for US Government.|
+|countryLookupMethod|countryLookupMethodType|Determines what method is used to decide which country the user is located in. Possible values are `clientIpAddress` (default) and `authenticatorAppGps`. Note: `authenticatorAppGps` is not yet supported in the Microsoft Cloud for US Government.|
|createdDateTime|DateTimeOffset|The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).|
-|displayName|String|Human-readable name of the location. Inherited from [namedLocation](../resources/namedLocation.md).|
+|displayName|String|Human-readable name of the location. Required. Inherited from [namedLocation](../resources/namedLocation.md).|
|id|String|Identifier of a namedLocation object. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).|
-|includeUnknownCountriesAndRegions|Boolean|True if IP addresses that don't map to a country or region should be included in the named location.|
+|includeUnknownCountriesAndRegions|Boolean|`true` if IP addresses that don't map to a country or region should be included in the named location. Optional. Default value is `false`.|
|modifiedDateTime|DateTimeOffset|The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).|
The following is a JSON representation of the resource.
} ```
+## See also
+++ [What is Conditional Access?](/azure/active-directory/conditional-access/overview)++ [Using the location condition in a Conditional Access policy](/azure/active-directory/conditional-access/location-condition)++ <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98 2019-02-04 14:57:30 UTC --> <!-- {
v1.0 Identitycontainer https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/identitycontainer.md
None.
|b2xUserFlows|[b2xIdentityUserFlow](b2xIdentityUserFlow.md) collection| Represents entry point for B2X and self-service sign-up identity userflows.| |identityProviders|[identityProviderBase](identityProviderBase.md) collection| Represents entry point for identity provider base.| |userFlowAttributes|[identityUserFlowAttribute](identityUserFlowAttribute.md) collection| Represents entry point for identity userflow attributes.|
+|conditionalAccess|[conditionalAccessRoot](conditionalAccessRoot.md) collection| the entry point for the Conditional Access (CA) object model.|
|continuousAccessEvaluationPolicy|[continuousAccessEvaluationPolicy](continuousAccessEvaluationPolicy.md)| Represents entry point for continuous access evaluation policy.| ## JSON representation
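Review bot: the added `conditionalAccess` row gives the type as "[conditionalAccessRoot] collection", but the conditionalAccessRoot page in this same change set describes a single entry point and the request paths use `/identity/conditionalAccess/...` with no item key. Drop "collection" unless the property really is multi-valued. The description also starts in lower case ("the entry point") where the neighbouring rows use "Represents entry point for ..."; match that wording.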
v1.0 Insights Sharingdetail https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/insights-sharingdetail.md
Here is a JSON representation of the resource
| Property | Type | Description | | - |-- | -|
-| sharedDateTime | DateTimeOffset| The date and time the file was last shared. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`. Read-only. |
+| sharedDateTime | DateTimeOffset| The date and time the file was last shared. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. |
| sharingSubject | String | The subject with which the document was shared. | | sharingType | String | Determines the way the document was shared, can be by a "Link", "Attachment", "Group", "Site". | | sharedBy | [insightIdentity](insights-insightidentity.md) | The user who shared the document. |
v1.0 Insights Usagedetails https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/insights-usagedetails.md
Here is a JSON representation of the resource
| Property | Type | Description | | - || -|
-| lastAccessedDateTime | DateTimeOffset | The date and time the resource was last accessed by the user. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`. Read-only. |
-| lastModifiedDateTime | DateTimeOffset | The date and time the resource was last modified by the user. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`. Read-only. |
+| lastAccessedDateTime | DateTimeOffset | The date and time the resource was last accessed by the user. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. |
+| lastModifiedDateTime | DateTimeOffset | The date and time the resource was last modified by the user. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. |
v1.0 Ipnamedlocation https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/ipnamedlocation.md
Inherits from [namedLocation](../resources/namedLocation.md)
| Property | Type | Description | |:-|:|:| |createdDateTime|DateTimeOffset|The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).|
-|displayName|String|Human-readable name of the location.|
+|displayName|String|Human-readable name of the location. Required.|
|id|String|Identifier of a namedLocation object. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).|
-|ipRanges|[ipRange](iprange.md) collection|List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596.|
-|isTrusted|Boolean|True if this location is explicitly trusted.|
+|ipRanges|[ipRange](iprange.md) collection|List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596. Required.|
+|isTrusted|Boolean|`true` if this location is explicitly trusted. Optional. Default value is `false`.|
|modifiedDateTime|DateTimeOffset|The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).| ## Relationships
The following is a JSON representation of the resource.
} ```
+## See also
+++ [What is Conditional Access?](/azure/active-directory/conditional-access/overview)++ [Using the location condition in a Conditional Access policy](/azure/active-directory/conditional-access/location-condition)++ <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98 2019-02-04 14:57:30 UTC --> <!-- {
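Review bot: the rewritten `ipRanges` row carries "IETF RFC596" over unchanged. Three-digit RFCs predate IPv6, so this looks like a truncated or mistyped RFC number; confirm the intended reference before repeating it in a row that is now marked Required. The `isTrusted` default of `false` is a useful addition, since trusted locations typically relax policy; consider stating next to it what marking a location trusted changes.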
v1.0 Iprange https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/iprange.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-IP range base class for representing IPV4 and IPV6 address ranges.
+An IP range abstract type from which the [iPv4CidrRange](ipv4cidrrange.md) and [iPv6CidrRange](ipv6cidrrange.md) resource types for configuring [ipNamedLocation](ipnamedlocation.md) objects are derived.
+
+The [iPv4CidrRange](ipv4cidrrange.md) derived type is used to configure IPv4 address ranges while the [iPv6CidrRange](ipv6cidrrange.md) derived type is used to configure IPv6 address ranges.
## Properties
The following is a JSON representation of the resource.
```json {
+ "@odata.type": "#microsoft.graph.ipRange"
} ```
v1.0 Ipv4cidrrange https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/ipv4cidrrange.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Represents an IPv4 range using the CIDR notation.
+Represents an IPv4 range using the Classless Inter-Domain Routing (CIDR) notation.
Inherits from [ipRange](../resources/iprange.md)
Inherits from [ipRange](../resources/iprange.md)
| Property | Type | Description | |:-|:|:|
-|cidrAddress|String|IPv4 address in CIDR notation|
+|cidrAddress|String|IPv4 address in CIDR notation. Not nullable.|
## JSON representation
The following is a JSON representation of the resource.
```json {
+ "@odata.type": "#microsoft.graph.iPv4CidrRange",
"cidrAddress": "String" } ```
v1.0 Ipv6cidrrange https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/ipv6cidrrange.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Represents an IPv6 range using the CIDR notation.
+Represents an IPv6 range using the Classless Inter-Domain Routing (CIDR) notation.
Inherits from [ipRange](../resources/iprange.md)
Inherits from [ipRange](../resources/iprange.md)
| Property | Type | Description | |:-|:|:|
-|cidrAddress|String|IPv6 address in CIDR notation|
+|cidrAddress|String|IPv6 address in CIDR notation. Not nullable.|
## JSON representation
The following is a JSON representation of the resource.
```json {
+ "@odata.type": "#microsoft.graph.iPv6CidrRange",
"cidrAddress": "String" } ```
v1.0 Namedlocation https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/namedlocation.md
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-This is the base class that represents an Azure Active Directory named location. Named locations are custom rules that define network locations which can then be used in a Conditional Access policy.
+This is the base class that represents an Azure Active Directory named location. Named locations are custom rules that define network locations which can then be used in a Conditional Access (CA) policy.
## Methods
The following is a JSON representation of the resource.
} ```
+## See also
+++ [What is Conditional Access?](/azure/active-directory/conditional-access/overview)++ [Using the location condition in a Conditional Access policy](/azure/active-directory/conditional-access/location-condition)++ <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98 2019-02-04 14:57:30 UTC --> <!-- {
v1.0 Report https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/report.md
doc_type: conceptualPageType
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-With Microsoft Graph, you can access Microsoft 365 usage reports resources to get the information about how people in your business are using Microsoft 365 services. For example, you can identify who is using a service a lot and reaching quotas, or who may not need a Microsoft 365 license at all.
+With Microsoft Graph, you can access Microsoft 365 usage reports resources to get the information about how people in your business are using Microsoft 365 services. For example, you can identify who is using a service a lot and reaching quotas, or who might not need a Microsoft 365 license at all.
+
+For details about the settings that govern identification/de-identification of information in the Microsoft 365 usage reports data, see [Microsoft 365 Reports in the admin center](/microsoft-365/admin/activity-reports/activity-reports) .
## Authorization
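Review bot: the added sentence about identification/de-identification settings ends with a stray space before the full stop, `...activity-reports) .`; remove it. Since this sentence is the only pointer to the privacy setting, it would help to say in a few words what the setting affects in the report data instead of leaving that entirely to the linked page.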
v1.0 Riskyuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/riskyuser.md
For more information about risk events, see [Azure Active Directory Identity Pro
|id|string|Unique ID of the user at risk.| |isDeleted|boolean|Indicates whether the user is deleted. Possible values are: `true`, `false`.| |isProcessing|boolean|Indicates whether a user's risky state is being processed by the backend.|
-|riskLastUpdatedDateTime|DateTimeOffset|The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`|
+|riskLastUpdatedDateTime|DateTimeOffset|The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|riskLevel|riskLevel| Level of the detected risky user. The possible values are `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`. | |riskState|riskState| State of the user's risk. Possible values are: `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised`, `unknownFutureValue`. | |riskDetail|riskDetail| The possible values are `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `hidden`, `adminConfirmedUserCompromised`, `unknownFutureValue`. |
v1.0 Selfsignedcertificate https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/selfsignedcertificate.md
Property|Type|Description
-|--| |customKeyIdentifier|Binary| Custom key identifier. | | displayName | String | The friendly name for the key. |
-|endDateTime|DateTimeOffset|The date and time at which the credential expires. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: "2014-01-01T00:00:00Z". |
+|endDateTime|DateTimeOffset|The date and time at which the credential expires. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. |
|keyId|Guid|The unique identifier (GUID) for the key.|
-|startDateTime|DateTimeOffset|The date and time at which the credential becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: "2014-01-01T00:00:00Z". |
+|startDateTime|DateTimeOffset|The date and time at which the credential becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. |
|type|String|The type of key credential. "AsymmetricX509Cert".| |usage|String|A string that describes the purpose for which the key can be used. For example, "Verify".| |key|Binary| The value for the key credential. Should be a base-64 encoded value. |
Here is a JSON representation of the resource
```json {
- "customKeyIdentifier": "string (binary)",
- "displayName": "string",
- "endDateTime": "string (timestamp)",
- "key": "string (binary)",
- "keyId": "guid",
- "startDateTime": "String (timestamp)",
- "type": "string",
- "thumbprint":"string",
- "usage": "string"
+ "@odata.type": "#microsoft.graph.selfSignedCertificate",
+ "customKeyIdentifier": "String (Binary)",
+ "displayName": "String",
+ "endDateTime": "String (timestamp)",
+ "key": "String (Binary)",
+ "keyId": "Guid",
+ "startDateTime": "String (timestamp)",
+ "thumbprint": "String",
+ "type": "String",
+ "usage": "String"
} ```
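Review bot: the new JSON block mixes placeholder casing, "String (Binary)" next to "String (timestamp)"; pick one style for the parenthesised type hints. The block lists `thumbprint`, but none of the property rows visible in this hunk describe it, so confirm the table has a row for it. The `type` and `usage` rows still quote their values as "AsymmetricX509Cert" and "Verify" while this change moves the timestamp examples to code formatting; convert those as well.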
v1.0 Usercredentialusagedetails https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/usercredentialusagedetails.md
Represents the self-service password reset usage for a given tenant. Details inc
| Property | Type | Description | |:-|:|:| | authMethod | usageAuthMethod | Represents the authentication method that the user used. Possible values are:`email`, `mobileSMS`, `mobileCall`, `officePhone`, `securityQuestion` (only used for self-service password reset), `appNotification`, `appCode`, `alternateMobileCall` (supported only in registration), `fido`, `appPassword`,`unknownFutureValue` |
-| eventDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`. |
+| eventDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. |
| failureReason | String | Provides the failure reason for the corresponding reset or registration workflow. | | feature | featureType | Possible values are: `registration`, `reset`, `unknownFutureValue`. | | id | String | Read-only. The unique identifier for the activity. Read-only.|
v1.0 Webhooks https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/webhooks.md
Using the Microsoft Graph API, an app can subscribe to changes on the following
| Teams [callRecord][] | Changes to _all_ call records: `/communications/callRecords` | No | | Teams [channel][] | Changes to channels in all teams:<br>`/teams/getAllChannels` <br>Changes to channel in a specific team:<br>`/teams/{id}/channels` | Yes | | Teams [chat][] | Changes to any chat in the tenant:<br>`/chats` <br>Changes to a specific chat:<br>`/chats/{id}` | Yes |
-| Teams [chatMessage][] | Changes to chat messages in all channels in all teams:<br>`/teams/getAllMessages` <br>Changes to chat messages in a specific channel:<br>`/teams/{id}/channels/{id}/messages`<br>Changes to chat messages in all chats:<br>`/chats/getAllMessages` <br>Changes to chat messages in a specific chat:<br>`/chats/{id}/messages` | Yes |
+| Teams [chatmessage][] | Changes to chat messages in all channels in all teams:<br>`/teams/getAllMessages` <br>Changes to chat messages in a specific channel:<br>`/teams/{id}/channels/{id}/messages`<br>Changes to chat messages in all chats:<br>`/chats/getAllMessages` <br>Changes to chat messages in a specific chat:<br>`/chats/{id}/messages`<br>Changes to chat messages in all chats a particular user is part of:<br>`/users/{id}/chats/getAllMessages` | Yes |
| Teams [conversationMember][] | Changes to membership in a specific team:<br>`/teams/{id}/members` <br> Changes to membership in a specific chat:<br>`/chats/{id}/members` <br> Changes to membership in all chats:<br>`/chats/getAllMembers` | Yes | | Teams [presence][] | Changes to a single user's presence: `/communications/presences/{id}` <br> Changes to multiple user presences:<br> `/communications/presences?$filter=id in ({id},{id}...)` | Yes | | Teams [team][] | Changes to any team in the tenant:<br>`/teams` <br>Changes to a specific team:<br>`/teams/{id}` | Yes |
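Review bot: the row label changes from `[chatMessage][]` to `[chatmessage][]`. Reference-style link labels match case-insensitively, so the link still resolves, but the rendered text becomes "chatmessage" while every neighbouring row keeps the camel-case resource name (`[callRecord][]`, `[conversationMember][]`). Keep `[chatMessage][]`. The new `/users/{id}/chats/getAllMessages` path inherits the row's existing "Yes" in the last column; confirm that value holds for the per-user path too.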
v1.0 Conditionalaccessroot Post Namedlocations https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/conditionalaccessroot-post-namedlocations.md
doc_type: apiPageType
Namespace: microsoft.graph
-Create a new [namedLocation](../resources/namedlocation.md) object.
+Create a new [namedLocation](../resources/namedlocation.md) object. Named locations can be either [ipNamedLocation](../resources/ipnamedlocation.md) or [countryNamedLocation](../resources/countrynamedlocation.md) objects.
## Permissions
POST /identity/conditionalAccess/namedLocations
## Request body
-In the request body, supply a JSON representation of an [ipNamedLocation](../resources/ipnamedlocation.md) or [countryNamedLocation](../resources/countrynamedlocation.md) object.
+In the request body, supply a JSON representation of an [ipNamedLocation](../resources/ipnamedlocation.md) or [countryNamedLocation](../resources/countrynamedlocation.md) object. You must specify the **@odata.type** of the derived type, that is, `#microsoft.graph.ipNamedLocation` for an [ipNamedLocation](../resources/ipnamedlocation.md) object or `#microsoft.graph.countryNamedLocation` for a [countryNamedLocation](../resources/countrynamedlocation.md) object.
+
+The following table lists the properties that are required to create an [ipNamedLocation](../resources/ipnamedlocation.md) object.
+
+| Property | Type | Description |
+|:-|:|:|
+|displayName|String|Human-readable name of the location. Required.|
+|ipRanges|[ipRange](../resources/iprange.md) collection|List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596. Required. The **@odata.type** of the ipRange is also required.|
+
+The following table lists the properties that are required to create an [countryNamedLocation](../resources/countrynamedlocation.md) object.
+
+| Property | Type | Description |
+|:-|:|:|
+|countriesAndRegions|String collection|List of countries and/or regions in two-letter format specified by ISO 3166-2. Required.|
+|displayName|String|Human-readable name of the location. Required.|
## Response
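Review bot: the added `countriesAndRegions` row cites ISO 3166-2 for the two-letter format, but two-letter country codes are defined by ISO 3166-1 (alpha-2); ISO 3166-2 covers subdivision codes. Correct the standard here and in the resource tables this row was copied from. In the same hunk, "an [countryNamedLocation]" should be "a", and the `ipRanges` row repeats "IETF RFC596", which should be checked against the intended RFC. The new requirement to send **@odata.type** for both the named location and each ipRange is the part most likely to trip callers, so a request example showing both would be worth adding.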
v1.0 Countrynamedlocation Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/countrynamedlocation-update.md
PATCH /identity/conditionalAccess/namedLocations/{id}
In the request body, supply the values for relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.
+You must specify the **@odata.type** as `#microsoft.graph.countryNamedLocation`.
+ | Property | Type | Description | |:-|:|:| |countriesAndRegions|String collection|List of countries and/or regions in two-letter format specified by ISO 3166-2.|
v1.0 Domain Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-delete.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.AccessAsUser.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
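Review bot: the delegated row drops `Directory.AccessAsUser.All` outright instead of listing `Domain.ReadWrite.All` ahead of it. Pointing readers at the narrower permission is the right direction, but if the API still accepts the broader one, keep it as the most privileged entry so tenants with existing consent know their apps keep working; if it is no longer accepted, say so explicitly, because that is a breaking change for those apps. The same replacement appears in the forceDelete, create and update pages of this change set.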
v1.0 Domain Forcedelete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-forcedelete.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.AccessAsUser.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
v1.0 Domain Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-get.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
|Delegated (personal Microsoft account) | Not supported. |
-|Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
+|Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
## HTTP request
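Review bot: under the column heading "from least to most privileged", the delegated row now lists `Directory.Read.All` after `Domain.ReadWrite.All`. A directory-wide read permission and a domain write permission do not sit on a single scale, so confirm the intended order and make sure `Domain.Read.All` stays first as the recommended choice for a read-only call. The Application row's removed and added lines differ only in whitespace.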
v1.0 Domain List Domainnamereferences https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-list-domainnamereferences.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Not supported. |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. |
-|Application | Domain.ReadWrite.All |
+|Application | Domain.Read.All, Domain.ReadWrite.All |
[!INCLUDE [limited-info](../../includes/limited-info.md)] ## HTTP request <!-- { "blockType": "ignored" } --> ```http
-GET /domains/{domain-id}/domainNameReferences
+GET /domains/{id}/domainNameReferences
``` ## Optional query parameters
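Review bot: this is the only domain read page in the change set that does not list `Directory.Read.All`; the get, list, serviceConfigurationRecords and verificationDnsRecords pages all add or keep it. Confirm the omission is deliberate. The delegated row also moves from "Not supported." to two supported permissions, which is a behaviour claim and not a wording fix, so it should be verified against the service before merging.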
v1.0 Domain List Serviceconfigurationrecords https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-list-serviceconfigurationrecords.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
|Delegated (personal Microsoft account) | Not supported. |
-|Application | Directory.Read.All, Domain.ReadWrite.All |
+|Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
## HTTP request <!-- { "blockType": "ignored" } --> ```http
-GET /domains/contoso.com/serviceConfigurationRecords
+GET /domains/{id}/serviceConfigurationRecords
``` ## Optional query parameters
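Review bot: replacing `GET /domains/contoso.com/serviceConfigurationRecords` with `GET /domains/{id}/serviceConfigurationRecords` removes the only visible hint that the identifier here is a domain name such as `contoso.com`. Keep the `{id}` placeholder for consistency, but add a sentence under the request line stating what `{id}` takes, so readers do not go looking for a GUID.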
v1.0 Domain List Verificationdnsrecords https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-list-verificationdnsrecords.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
|Delegated (personal Microsoft account) | Not supported. |
-|Application | Directory.Read.All, Domain.ReadWrite.All |
+|Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
## HTTP request <!-- { "blockType": "ignored" } -->
v1.0 Domain List https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-list.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.Read.All, Domain.ReadWrite.All, Directory.Read.All |
v1.0 Domain Post Domains https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-post-domains.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.AccessAsUser.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
v1.0 Domain Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-update.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.AccessAsUser.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. | |Application | Domain.ReadWrite.All |
v1.0 Domain Verify https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/domain-verify.md
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | Directory.Read.All |
+|Delegated (work or school account) | Domain.ReadWrite.All |
|Delegated (personal Microsoft account) | Not supported. |
-|Application | Directory.Read.All, Domain.ReadWrite.All |
+|Application | Domain.ReadWrite.All |
## HTTP request
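Review bot: Both rows drop Directory.Read.All, so the page no longer says that a read-only directory scope can call verify, and the delegated row now requires Domain.ReadWrite.All. That is the right direction for least privilege, but the change does not say whether it corrects a documentation error or tracks a change in what the service accepts. If it is the latter, callers that hold only Directory.Read.All will start to see authorization failures, and the page should carry a short note naming the permission they need to request instead.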
v1.0 Educationassignment Setupresourcesfolder https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/educationassignment-setupresourcesfolder.md
One of the following permissions is required to call this API. To learn more, in
<!-- { "blockType": "ignored" } --> ```http
-POST /education/classes/acdefc6b-2dc6-4e71-b1e9-6d9810ab1793/assignments/cf6005fc-9e13-44a2-a6ac-a53322006454/setUpResourcesFolder
+POST /education/classes/{id}/assignments/{id}/setUpResourcesFolder
``` ## Request headers | Header | Value |
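Review bot: The replacement request line uses the same placeholder twice, `/education/classes/{id}/assignments/{id}/setUpResourcesFolder`, so nothing tells the reader that the two segments are different identifiers. Replacing the hard-coded GUIDs with placeholders is correct, but distinct names such as `{class-id}` and `{assignment-id}` would prevent a caller from substituting one value into both positions.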
The following is an example of a request.
"name": "educationassignment_setupresourcesfolder" }--> ```msgraph-interactive
-POST https://graph.microsoft.com/v1.0/education/classes/d38ffdea-da93-46ac-90ba-d568c6073075/assignments/ad8afb28-c138-4ad7-b7f5-a6986c2655a8/setUpResourcesFolder
+POST https://graph.microsoft.com/v1.0/education/classes/955e0bd5-52c2-41ad-b7e8-5b33a18c5e78/assignments/18d17255-3278-49fb-8da7-d095b7f610c4/setUpResourcesFolder
Content-type: application/json {
Content-type: application/json
Content-length: 279 {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#education/classes('955e0bd5-52c2-41ad-b7e8-5b33a18c5e78')/assignments/$entity",
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#education/classes('955e0bd5-52c2-41ad-b7e8-5b33a18c5e78')/assignments/$entity",
"classId": "955e0bd5-52c2-41ad-b7e8-5b33a18c5e78", "displayName": "Unit 3 Essay", "closeDateTime": "2021-04-06T00:00:00Z",
v1.0 Educationsubmission Setupresourcesfolder https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/educationsubmission-setupResourcesFolder.md
One of the following permissions is required to call this API. To learn more, in
## HTTP request <!-- { "blockType": "ignored" } --> ```http
-POST /education/classes/acdefc6b-2dc6-4e71-b1e9-6d9810ab1793/assignments/cf6005fc-9e13-44a2-a6ac-a53322006454/submissions/d1bee293-d8bb-48d4-af3e-c8cb0e3c7fe7/setUpResourcesFolder
+POST /education/classes/{id}/assignments/{id}/submissions/{id}/setUpResourcesFolder
``` ## Request headers
The following is an example of a request.
"name": "educationsubmission_setupresourcesfolder" }--> ```msgraph-interactive
-POST https://graph.microsoft.com/v1.0/education/classes/d38ffdea-da93-46ac-90ba-d568c6073075/assignments/ad8afb28-c138-4ad7-b7f5-a6986c2655a8/submissions/d1bee293-d8bb-48d4-af3e-c8cb0e3c7fe7/setUpResourcesFolder
+POST https://graph.microsoft.com/v1.0/education/classes/b07edbef-7420-4b3d-8f7c-d599cf21e069/assignments/222bd-b7d2-4d64-8a22-74b722ce2fc6/submissions/803fb5dd-3553-455f-3d94-f79fb54a1003/setUpResourcesFolder
Content-type: application/json {
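Review bot: The assignment identifier in the new example URL, `222bd-b7d2-4d64-8a22-74b722ce2fc6`, is not a well-formed GUID: its first group has five characters. The `@odata.context` line in this page's response example uses `1e5222bd-b7d2-4d64-8a22-74b722ce2fc6` for the same assignment, so the leading `1e5` appears to have been lost when the URL was edited. Anyone who copies the request as written gets an invalid path, so the URL should carry the full identifier from the response.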
Content-type: application/json
Content-length: 279 {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#education/classes('b07edbef-7420-4b3d-8f7c-d599cf21e069')/assignments('1e5222bd-b7d2-4d64-8a22-74b722ce2fc6')/submissions/$entity",
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#education/classes('b07edbef-7420-4b3d-8f7c-d599cf21e069')/assignments('1e5222bd-b7d2-4d64-8a22-74b722ce2fc6')/submissions/$entity",
"status": "working", "submittedDateTime": null, "unsubmittedDateTime": null,
v1.0 Group Delete Approleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/group-delete-approleassignments.md
Title: "Delete an appRoleAssignment from a group"
+ Title: "Delete appRoleAssignment"
description: "Delete an appRoleAssignment that has been granted to a group." ms.localizationpriority: medium doc_type: apiPageType
ms.prod: "groups"
-# Delete an appRoleAssignment granted to a group
+# Delete appRoleAssignment
Namespace: microsoft.graph
DELETE /groups/{id}/appRoleAssignments/{id}
``` > [!NOTE]
-> As a best practice, we recommend deleting app role assignments through the `appRoleAssignedTo` relationship of the _resource_ service principal, instead of the `appRoleAssignments` relationship of the assigned user, group, or service principal.
+> As a best practice, we recommend you delete app role assignments using the [Delete appRoleAssignedTo](serviceprincipal-delete-approleassignedto.md) method which deletes through the **appRoleAssignedTo** relationship of the _resource_ service principal, instead of this method.
## Request headers
v1.0 Group List Owners https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/group-list-owners.md
One of the following permissions is required to call this API. To learn more, in
|:--|:| |Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All, Directory.AccessAsUser.All | |Delegated (personal Microsoft account) | Not supported. |
-|Application | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All, Directory.AccessAsUser.All |
+|Application | GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All |
[!INCLUDE [limited-info](../../includes/limited-info.md)]
v1.0 Group Post Groups https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/group-post-groups.md
POST /groups
| Content-Type | application/json | ## Request body
-The following table shows the properties of the [group](../resources/group.md) resource to specify when you create a group.
-| Property | Type | Description|
-|:|:--|:-|
-| displayName | string | The name to display in the address book for the group. Maximum length: 256 characters. Required. |
-| mailEnabled | boolean | Set to `true` for mail-enabled groups. Required. |
-| mailNickname | string | The mail alias for the group. Max. length: 64 characters. This property can contain only characters in the [ASCII character set 0 - 127](/office/vba/language/reference/user-interface-help/character-set-0127) except the following: ` @ () \ [] " ; : . <> , SPACE`. Required. |
-| securityEnabled | boolean | Set to `true` for security-enabled groups, including Microsoft 365 groups. Required. |
-
-> **Note:** Groups created using the Microsoft Azure portal always have **securityEnabled** initially set to `true`.
+In the request body, supply a JSON representation of the [group](../resources/group.md) object.
-Specify other writable properties as necessary for your group. For more information, see the properties of the [group](../resources/group.md) resource.
+The following table shows the properties that are required when you create the [group](../resources/group.md). Specify other writable properties as necessary for your group.
->**Note:** Creating a group using the Group.Create application permission without specifying owners will create the group anonymously and the group will not be modifiable. You can use the `POST` operation and add owners to the group while creating it to specify owners who can modify the group.
-
-> Creating a Microsoft 365 group programmatically with an app-only context and without specifying owners will create the group anonymously. Doing so can result in the associated SharePoint Online site not being created automatically until further manual action is taken.
+| Property | Type | Description|
+|:|:--|:-|
+| displayName | String | The name to display in the address book for the group. Maximum length: 256 characters. Required. |
+| mailEnabled | Boolean | Set to `true` for mail-enabled groups. Required. |
+| mailNickname | String | The mail alias for the group. Max. length: 64 characters. This property can contain only characters in the [ASCII character set 0 - 127](/office/vba/language/reference/user-interface-help/character-set-0127) except the following: ` @ () \ [] " ; : . <> , SPACE`. Required. |
+| securityEnabled | Boolean | Set to `true` for security-enabled groups, including Microsoft 365 groups. Required. **Note:** Groups created using the Microsoft Azure portal always have **securityEnabled** initially set to `true`.|
+
+> [!IMPORTANT]
+> Creating a group using the **Group.Create** application permission without specifying owners will create the group anonymously and the group will not be modifiable. Add owners to the group while creating it to specify owners who can modify the group.
+>
+>Creating a Microsoft 365 group programmatically with an app-only context and without specifying owners will create the group anonymously. Doing so can result in the associated SharePoint Online site not being created automatically until further manual action is taken.
### groupTypes options
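Review bot: The new [!IMPORTANT] block tells the reader to "Add owners to the group while creating it", but the required-properties table above it lists only displayName, mailEnabled, mailNickname and securityEnabled, and the rewrite removed the earlier wording that tied this to the `POST` operation. Because the stated consequence is a group that "will not be modifiable", the note should say which property of the request body carries the owners, or link to the example on this page that shows it, rather than leave the reader to find it in the group resource reference.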
v1.0 Ipnamedlocation Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/ipnamedlocation-update.md
PATCH /identity/conditionalAccess/namedLocations/{id}
In the request body, supply the values for relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.
+You must specify the **@odata.type** as `#microsoft.graph.ipNamedLocation`.
+ | Property | Type | Description | |:-|:|:| |displayName|String|Human-readable name of the location.|
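Review bot: The added sentence requires **@odata.type** on every PATCH, directly after a paragraph that tells the reader not to include existing values that haven't changed. Read together, the two statements conflict for a caller who sends only the fields being updated. State explicitly that `@odata.type` is the exception and must always be present, and add it as a row in the property table so that it is not missed by readers who skip to the table.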
v1.0 Profilephoto Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/profilephoto-get.md
For example, if the user uploads a photo that is 504x504 pixels, all but the 648
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+### To retrieve the profile photo of a user
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | User.Read, User.ReadBasic.All, User.Read.All, User.ReadWrite, User.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | User.Read.All, User.ReadWrite.All |
+
+### To retrieve the profile photo of a group
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | Group.Read.All, Group.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Group.Read.All, Group.ReadWrite.All |
+
+### To retrieve the profile photo of a contact
+ |Permission type | Permissions (from least to most privileged) | |:--|:|
-|Delegated (work or school account) | For **user** resource:<br/>User.Read, User.ReadBasic.All, User.Read.All, User.ReadWrite, User.ReadWrite.All<br /><br />For **group** resource:<br />Group.Read.All, Group.ReadWrite.All<br /><br />For **contact** resource:<br />Contacts.Read, Contacts.ReadWrite |
-|Delegated (personal Microsoft account) | Not supported |
-|Application | For **user** resource:<br/>User.Read.All, User.ReadWrite.All<br /><br />For **group** resource:<br />Group.Read.All, Group.ReadWrite.All<br /><br />For **contact** resource:<br />Contacts.Read, Contacts.ReadWrite |
+|Delegated (work or school account) | Contacts.Read, Contacts.ReadWrite |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Contacts.Read, Contacts.ReadWrite |
> **Note:** There is currently a [known issue](/graph/known-issues#groups) with accessing group photos using application permissions.
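Review bot: After the split into three tables, the unchanged known-issue note about "accessing group photos using application permissions" now sits directly under the contact table, while the group table lists Application permissions Group.Read.All, Group.ReadWrite.All with no caveat next to it. Move the note under the "To retrieve the profile photo of a group" table so that the limitation is read together with the row it qualifies.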
v1.0 Profilephoto Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/profilephoto-update.md
You can use either PATCH or PUT for this operation in version 1.0.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference). -- Profile photo of the signed-in **user** - User.ReadWrite, User.ReadWrite.All-- Profile photo of a **group** - Group.ReadWrite.All-- Photo of a **contact** - Contacts.ReadWrite
+### To update the profile photo of the signed-in user
-> **Note** To update the photo of any user in the organization, your app must have the User.ReadWrite.All application permission and call this API under its own identity, not on behalf of a user. To learn more, see [get access without a signed-in user](/graph/auth-v2-service).
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | User.ReadWrite, User.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | User.ReadWrite.All |
-> **Note:** There is currently a [known issue](/graph/known-issues#groups) with accessing group photos using application permissions.
+### To update the profile photo of a group
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | Group.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Group.ReadWrite.All |
+
+### To update the profile photo of a contact
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | Contacts.ReadWrite |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | Contacts.ReadWrite |
+
+> **Notes:** To update the photo of any user in the organization, your app must have the User.ReadWrite.All application permission and call this API under its own identity, not on behalf of a user. To learn more, see [get access without a signed-in user](/graph/auth-v2-service).
+>
+> There is currently a [known issue](/graph/known-issues#groups) with accessing group photos using application permissions.
## HTTP request <!-- { "blockType": "ignored" } -->
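Review bot: The first new heading reads "To update the profile photo of the signed-in user", but its table includes an Application row (User.ReadWrite.All), and an app-only call has no signed-in user. The trailing note confirms that the application permission is what lets an app update the photo of any user in the organization. Either rename the heading to cover both cases ("of a user") or move the any-user statement next to the Application row, so that the table does not read as if application permission were scoped to a single signed-in user.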
v1.0 Rbacapplication List Roleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/rbacapplication-list-roleassignments.md
+
+ Title: "List unifiedRoleAssignments"
+description: "Get a list of unifiedRoleAssignment objects."
+ms.localizationpriority: medium
+++
+# List unifiedRoleAssignments
+
+Namespace: microsoft.graph
+
+Get a list of [unifiedRoleAssignment](../resources/unifiedroleassignment.md) objects for the provider.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /roleManagement/directory/roleAssignments?$filter=roleDefinitionId {eq roleDefinitionId}
+GET /roleManagement/directory/roleAssignments?$filter=principalId {eq principalId}
+```
+
+## Query parameters
+
+This operation requires the `$filter` query parameter to query specific instances of role assignments. You can filter on the `roleDefinitionId` or `principalId` properties. The `roleDefinitionId` property can be either a role object ID or a **templateId**. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer {token} |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleAssignment](../resources/unifiedroleassignment.md) objects in the response body.
+
+## Examples
+
+### Example 1: Request using a filter on roleDefinitionId and expand the principal object
+
+#### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_roleAssignments_1"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'&$expand=principal
+```
+++
+#### Response
+
+The following is an example of the response.
+
+>**Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignment",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments(principal())",
+ "value": [
+ {
+ "id": "lAPpYvVpN0KRkAEhdxReEMmO4KwRqtpKkUWt3wOYIz4-1",
+ "principalId": "ace08ec9-aa11-4ada-9145-addf0398233e",
+ "resourceScope": "/",
+ "directoryScopeId": "/",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "principal": {
+ "@odata.type": "#microsoft.graph.user",
+ "id": "ace08ec9-aa11-4ada-9145-addf0398233e",
+ "accountEnabled": true,
+ "displayName": "Joey Cruz",
+ "imAddresses": [
+ "joeyc@contoso.com"
+ ],
+ "mail": "joeyc@contoso.com",
+ "mailNickname": "joeyc",
+ "userType": "Member",
+
+ }
+ },
+ {
+ "id": "lAPpYvVpN0KRkAEhdxReEC6Xh29-LklLmYDrOIi9z-E-1",
+ "principalId": "6f87972e-2e7e-4b49-9980-eb3888bdcfe1",
+ "resourceScope": "/",
+ "directoryScopeId": "/",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "principal": {
+ "@odata.type": "#microsoft.graph.user",
+ "id": "6f87972e-2e7e-4b49-9980-eb3888bdcfe1",
+ "accountEnabled": true,
+ "displayName": "Kalyan Krishna",
+ "imAddresses": [],
+ "userType": "Guest",
+
+ }
+ },
+ {
+ "id": "lAPpYvVpN0KRkAEhdxReEMgc_BA2rIZBuZsM-BSqLdU-1",
+ "principalId": "10fc1cc8-ac36-4186-b99b-0cf814aa2dd5",
+ "resourceScope": "/",
+ "directoryScopeId": "/",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "principal": {
+ "@odata.type": "#microsoft.graph.user",
+ "id": "10fc1cc8-ac36-4186-b99b-0cf814aa2dd5",
+ "accountEnabled": true,
+ "displayName": "Markie Downing",
+ "imAddresses": [],
+ "userType": "Guest",
+
+ }
+ }
+ ]
+}
+```
+
+### Example 2: Request using a filter on principalId
+
+#### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_roleAssignments_2"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter = principalId eq 'f1847572-48aa-47aa-96a3-2ec61904f41f'
+```
+++
+#### Response
+
+The following is an example of the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignment",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments",
+ "value": [
+ {
+ "id": "lAPpYvVpN0KRkAEhdxReEHJ1hPGqSKpHlqMuxhkE9B8-1",
+ "principalId": "f1847572-48aa-47aa-96a3-2ec61904f41f",
+ "resourceScope": "/",
+ "directoryScopeId": "/",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"
+ },
+ {
+ "id": "LJnv8vs6uUa3z6Em7nTEUXJ1hPGqSKpHlqMuxhkE9B8-1",
+ "principalId": "f1847572-48aa-47aa-96a3-2ec61904f41f",
+ "resourceScope": "/",
+ "directoryScopeId": "/",
+ "roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List roleAssignments",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
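Review bot: The two templates under "HTTP request" put the braces in the wrong place: `$filter=roleDefinitionId {eq roleDefinitionId}` wraps the operator inside the placeholder, so it is not clear that `eq` is literal and that the value is a quoted string, as Example 1 shows. Writing them as `$filter=roleDefinitionId eq '{roleDefinitionId}'` and `$filter=principalId eq '{principalId}'` would match the examples. Two smaller points in the same file: the Example 2 URL has spaces around the equals sign (`$filter = principalId eq ...`), unlike Example 1, and the Example 1 response leaves a trailing comma after each `"userType"` line, which makes the sample invalid JSON even allowing for shortening.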
v1.0 Rbacapplication List Roledefinitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/rbacapplication-list-roledefinitions.md
+
+ Title: "List unifiedRoleDefinitions"
+description: "Get a list of unifiedRoleDefinition objects."
+ms.localizationpriority: medium
+++
+# List unifiedRoleDefinitions
+
+Namespace: microsoft.graph
+
+Get a list of [unifiedRoleDefinition](../resources/unifiedroledefinition.md) objects for the provider.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /roleManagement/directory/roleDefinitions
+```
+
+## Optional query parameters
+This method supports the `$filter` (`eq` and `in` operators) OData query parameter on `id`, `displayName`, and `isBuiltIn` properties. It also supports `$expand` on the relationships. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer {token} |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [unifiedRoleDefinition](../resources/unifiedroledefinition.md) objects in the response body.
+
+## Example
+
+### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_roledefinitions"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
+```
++
+### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleDefinition",
+ "isCollection": true
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions",
+ "value": [
+ {
+ "id": "729827e3-9c14-49f7-bb1b-9608f156bbb8",
+ "description": "Can reset passwords for non-administrators and Helpdesk Administrators.",
+ "displayName": "Helpdesk Administrator",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "templateId": "729827e3-9c14-49f7-bb1b-9608f156bbb8",
+ "version": "1",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.directory/users/invalidateAllRefreshTokens",
+ "microsoft.directory/users/bitLockerRecoveryKeys/read",
+ "microsoft.directory/users/password/update",
+ "microsoft.azure.serviceHealth/allEntities/allTasks",
+ "microsoft.azure.supportTickets/allEntities/allTasks",
+ "microsoft.office365.webPortal/allEntities/standard/read",
+ "microsoft.office365.serviceHealth/allEntities/allTasks",
+ "microsoft.office365.supportTickets/allEntities/allTasks"
+ ],
+ "condition": null
+ }
+ ],
+ "inheritsPermissionsFrom@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions('729827e3-9c14-49f7-bb1b-9608f156bbb8')/inheritsPermissionsFrom",
+ "inheritsPermissionsFrom": [
+ {
+ "id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
+ }
+ ]
+ },
+ {
+ "id": "f023fd81-a637-4b56-95fd-791ac0226033",
+ "description": "Can read service health information and manage support tickets.",
+ "displayName": "Service Support Administrator",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "templateId": "f023fd81-a637-4b56-95fd-791ac0226033",
+ "version": "1",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.azure.serviceHealth/allEntities/allTasks",
+ "microsoft.azure.supportTickets/allEntities/allTasks",
+ "microsoft.office365.webPortal/allEntities/standard/read",
+ "microsoft.office365.serviceHealth/allEntities/allTasks",
+ "microsoft.office365.supportTickets/allEntities/allTasks"
+ ],
+ "condition": null
+ }
+ ],
+ "inheritsPermissionsFrom@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions('f023fd81-a637-4b56-95fd-791ac0226033')/inheritsPermissionsFrom",
+ "inheritsPermissionsFrom": [
+ {
+ "id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
+ }
+ ]
+ },
+ {
+ "id": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
+ "description": "Can perform common billing related tasks like updating payment information.",
+ "displayName": "Billing Administrator",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "templateId": "b0f54661-2d74-4c50-afa3-1ec803f12efe",
+ "version": "1",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.directory/organization/basic/update",
+ "microsoft.azure.serviceHealth/allEntities/allTasks",
+ "microsoft.azure.supportTickets/allEntities/allTasks",
+ "microsoft.commerce.billing/allEntities/allTasks",
+ "microsoft.office365.webPortal/allEntities/standard/read",
+ "microsoft.office365.serviceHealth/allEntities/allTasks",
+ "microsoft.office365.supportTickets/allEntities/allTasks"
+ ],
+ "condition": null
+ }
+ ],
+ "inheritsPermissionsFrom@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions('b0f54661-2d74-4c50-afa3-1ec803f12efe')/inheritsPermissionsFrom",
+ "inheritsPermissionsFrom": [
+ {
+ "id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
+ }
+ ]
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "List roleDefinitions",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
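Review bot: The closing annotation carries the same `uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98` and the same 2019-02-04 timestamp as the List unifiedRoleAssignments page added alongside it, which points to a copied footer. If the value is meant to identify the page it should be unique per file; if it is unused, drop it from both files. Separately, the "Optional query parameters" paragraph says `$expand` is supported "on the relationships" without naming any, although the response example shows `inheritsPermissionsFrom`; naming the expandable relationship would save the reader a trip to the resource page.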
v1.0 Rbacapplication Post Roleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/rbacapplication-post-roleassignments.md
+
+ Title: "Create unifiedRoleAssignment"
+description: "Create a new unifiedRoleAssignment object."
+ms.localizationpriority: medium
+++
+# Create unifiedRoleAssignment
+
+Namespace: microsoft.graph
+
+Create a new [unifiedRoleAssignment](../resources/unifiedroleassignment.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | RoleManagement.ReadWrite.Directory |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /roleManagement/directory/roleAssignments
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer {token} |
+
+## Request body
+
+In the request body, supply a JSON representation of [unifiedRoleAssignment](../resources/unifiedroleassignment.md) object. The request must have either a scope defined in Azure Active Directory (Azure AD) specified by **directoryScopeId**, or an application-specific scope specified by the **appScopeId**. Examples of Azure AD scopes are tenant (`/`), administrative units, or applications. For more information on appScope, see [appScope](../resources/appscope.md).
+
+The following table shows the properties that are required when you create a [unifiedRoleAssignment](../resources/unifiedroleassignment.md) object.
+
+| Parameter | Type | Description|
+|:|:--|:-|
+|roleDefinitionId|String| Identifier of the role definition the assignment is for.|
+|principalId|String| The identifier of the principal to which the assignment is granted. |
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. Either this property or **appScopeId** is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only.|
+|appScopeId|String|Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or **directoryScopeId** is required. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units.|
+
+## Response
+
+If successful, this method returns a `201 Created` response code and a new [unifiedRoleAssignment](../resources/unifiedroleassignment.md) object in the response body.
+
+## Examples
+
+### Example 1: Create a role assignment with a tenant-wide scope
+
+#### Request
+
+The following is an example of the request. Note the use of the roleTemplateId for roleDefinitionId. roleDefinitionId can be either the service-wide template Id or the directory-specific roleDefinitionId.
++
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleassignment_from_rbacapplication"
+}-->
+
+```http
+POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
+Content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
+ "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
+ "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
+ "directoryScopeId": "/"
+}
+```
++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignment"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments/$entity",
+ "id": "YUb1sHQtUEyvox7IA_Eu_mm3jqnUe4lEhvatluHVi2I-1",
+ "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
+ "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
+ "directoryScopeId": "/"
+}
+```
+
+### Example 2 : Create a role assignment with an administrative unit scope
+
+#### Request
+
+The following example assigns a principal the User Administrator role over an administrative unit.
++
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleassignment_over_administrativeunit"
+}-->
+
+```http
+POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
+Content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
+ "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
+ "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
+ "directoryScopeId": "/administrativeUnits/5d107bba-d8e2-4e13-b6ae-884be90e5d1a"
+}
+```
++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignment"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments/$entity",
+ "id": "BH21sHQtUEyvox7IA_Eu_mm3jqnUe4lEhvatluHIWb7-1",
+ "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
+ "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
+ "directoryScopeId": "/administrativeUnits/5d107bba-d8e2-4e13-b6ae-884be90e5d1a"
+}
+```
+
+### Example 3 : Create a role assignment with an application scope
+
+#### Request
+
+The following example assigns a principal the Application Administrator role at application scope. The object ID of the application registration is 661e1310-bd76-4795-89a7-8f3c8f855bfc.
++
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroleassignment_over_application"
+}-->
+
+```http
+POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
+Content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
+ "principalId": "6b937a9d-c731-465b-a844-2d5b5368c161",
+ "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
+ "directoryScopeId": "/661e1310-bd76-4795-89a7-8f3c8f855bfc"
+}
+```
++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignment"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignments/$entity",
+ "@odata.id": "https://graph.microsoft.com/v2/22350cac-d84b-466b-8c2c-f9326746709r2VR4mnjzyPhVv8-1",
+ "id": "kl2Jm9Msx0SdAqasLV6lw516k2sxx1tGqEQtW1NowWEQEx5mdr2VR4mnjzyPhVv8-1",
+ "principalId": "6b937a9d-c731-465b-a844-2d5b5368c161",
+ "principalOrganizationId": "22350cac-d84b-466b-8c2c-f9326746709a",
+ "resourceScope": "/661e1310-bd76-4795-89a7-8f3c8f855bfc",
+ "directoryScopeId": "/661e1310-bd76-4795-89a7-8f3c8f855bfc",
+ "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Create unifiedRoleAssignment",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
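Review bot: In the Example 3 response, `@odata.context` points at `https://graph.microsoft.com/beta/$metadata#...` although the request is a v1.0 call, and the body carries `@odata.id`, `principalOrganizationId` and `resourceScope`, which appear in neither the other two responses nor the property table. Regenerate the sample against v1.0 or trim it to the documented properties. Example 3 also puts the application's object ID in `directoryScopeId`, while the property table says to use **appScopeId** to limit the scope to an application only; because the scope decides how far the granted role reaches, state explicitly which property readers should set. Minor: the headings `Example 2 :` and `Example 3 :` have a space before the colon that `Example 1:` does not.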
v1.0 Rbacapplication Post Roledefinitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/rbacapplication-post-roledefinitions.md
+
+ Title: "Create unifiedRoleDefinition"
+description: "Create a new unifiedRoleDefinition object."
+ms.localizationpriority: medium
+++
+# Create unifiedRoleDefinition
+
+Namespace: microsoft.graph
+
+Create a new custom [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | RoleManagement.ReadWrite.Directory |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+POST /roleManagement/directory/roleDefinitions
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer {token} |
+| Content-Type | application/json. Required. |
+
+## Request body
+
+In the request body, supply a JSON representation of [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object.
+
+The following table shows the properties that are required when you create a roleDefinition.
+
+| Parameter | Type | Description|
+|:|:--|:-|
+|displayName |string |The display name for the role definition.|
+|isEnabled |Boolean |Flag indicating if the role is enabled for assignment. If `false`, the role is not available for assignment.|
+|rolePermissions |[unifiedRolePermission](../resources/unifiedrolepermission.md) collection |List of permissions included in the role.|
+
+## Response
+
+If successful, this method returns `201 Created` response code and a new [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object in the response body.
+
+## Example
+
+### Request
+
+The following is an example of creating a custom role.
++
+<!-- {
+ "blockType": "request",
+ "name": "create_unifiedroledefinition_from_rbacapplication"
+}-->
+
+```http
+POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
+Content-type: application/json
+
+{
+ "description": "Update basic properties of application registrations",
+ "displayName": "Application Registration Support Administrator",
+ "rolePermissions":
+ [
+ {
+ "allowedResourceActions":
+ [
+ "microsoft.directory/applications/basic/read"
+ ]
+ }
+ ],
+ "isEnabled" : true
+}
+```
++
+### Response
+
+The following is an example of the response.
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleDefinition"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions/$entity",
+ "id": "d5eec5e0-6992-4c6b-b430-0f833f1a815a",
+ "description": "Update basic properties of application registrations",
+ "displayName": "Application Registration Support Administrator",
+ "isBuiltIn": false,
+ "isEnabled": true,
+ "templateId": "c2cb59a3-2d01-4176-a458-95b0e674966f",
+ "version": null,
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.directory/applications/standard/read",
+ "microsoft.directory/applications/basic/update"
+ ],
+ "condition": null
+ }
+ ],
+ "inheritsPermissionsFrom@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions('c2cb59a3-2d01-4176-a458-95b0e674966f')/inheritsPermissionsFrom"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Create unifiedRoleDefinition",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
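Review bot: The request and response samples disagree on what the role grants: the request body sends `microsoft.directory/applications/basic/read`, but the response lists `microsoft.directory/applications/standard/read` and `microsoft.directory/applications/basic/update`. Make the response show the same `allowedResourceActions` that were submitted, and pick actions that match the description "Update basic properties of application registrations", so a reader can see exactly which permissions the custom role ends up with. Smaller points: the request body table is introduced as listing required properties but marks none as required, the type column mixes `string` with `Boolean`, and the Authorization header row lacks the "Required." that the Content-Type row has.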
v1.0 Serviceprincipal Delete Approleassignedto https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/serviceprincipal-delete-approleassignedto.md
Title: "Delete an appRoleAssignment granted for a service principal"
+ Title: "Delete appRoleAssignedTo"
description: "Delete an appRoleAssignment granted for a service principal." ms.localizationpriority: medium doc_type: apiPageType
ms.prod: "applications"
-# Delete an appRoleAssignment granted for a service principal
+# Delete appRoleAssignedTo
Namespace: microsoft.graph
DELETE /servicePrincipals/{resource-SP-id}/appRoleAssignedTo/{appRoleAssignment-
``` > [!NOTE]
-> As a best practice, we recommend deleting app role assignments through the `appRoleAssignedTo` relationship of the _resource_ service principal, instead of the `appRoleAssignments` relationship of the assigned user, group, or service principal.
+> As a best practice, we recommend you use this method to delete app role assignments, instead of the [Delete appRoleAssignments ](serviceprincipal-delete-approleassignments.md) method which deletes through the **appRoleAssignments** relationship of the assigned user, group, or service principal.
## Request headers
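Review bot: The link text in the new note, `[Delete appRoleAssignments ](serviceprincipal-delete-approleassignments.md)`, has a trailing space inside the brackets and uses the plural, while the target page is retitled "Delete appRoleAssignment" in this same change. Use the target's exact title as the link text. The `description` front matter still reads "Delete an appRoleAssignment granted for a service principal." and should be checked against the new title.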
v1.0 Serviceprincipal Delete Approleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/serviceprincipal-delete-approleassignments.md
Title: "Delete an appRoleAssignment from a service principal"
+ Title: "Delete appRoleAssignment"
description: "Delete an appRoleAssignment from a service principal." ms.localizationpriority: medium doc_type: apiPageType
ms.prod: "applications"
-# Delete an appRoleAssignment granted to a service principal
+# Delete appRoleAssignment
Namespace: microsoft.graph
DELETE /servicePrincipals/{servicePrincipal-id}/appRoleAssignments/{appRoleAssig
``` > [!NOTE]
-> As a best practice, we recommend deleting app role assignments through the `appRoleAssignedTo` relationship of the _resource_ service principal, instead of the `appRoleAssignments` relationship of the assigned user, group, or service principal.
+> As a best practice, we recommend you delete app role assignments using the [Delete appRoleAssignedTo](serviceprincipal-delete-approleassignedto.md) method which deletes through the **appRoleAssignedTo** relationship of the _resource_ service principal, instead of this method.
## Request headers
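Review bot: The new title and H1 "Delete appRoleAssignment" no longer say that this page is the service principal variant, although the text being replaced here makes clear that app role assignments can also belong to a user or group. Keep a qualifier in the title or H1 so the page is distinguishable in search results and the table of contents. In the rewritten note, "method which deletes through" needs a comma before "which".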
v1.0 Unifiedroleassignment Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/unifiedroleassignment-delete.md
+
+ Title: "Delete unifiedRoleAssignment"
+description: "Delete a unifiedRoleAssignment object."
+ms.localizationpriority: medium
+++
+# Delete unifiedRoleAssignment
+
+Namespace: microsoft.graph
+
+Delete a [unifiedRoleAssignment](../resources/unifiedRoleAssignment.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | RoleManagement.ReadWrite.Directory |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+DELETE /roleManagement/directory/roleAssignments/{id}
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer {token} |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns `204 No Content` response code. It does not return anything in the response body.
+
+## Example
+
+### Request
+
+The following is an example of the request.
+
+<!-- {
+ "blockType": "request",
+ "name": "delete_unifiedroleassignment"
+}-->
+
+```http
+DELETE https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/lAPpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1
+```
++
+### Response
+
+The following is an example of the response.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true
+} -->
+
+```http
+HTTP/1.1 204 No Content
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Delete unifiedRoleAssignment",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
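Review bot: The resource link in the opening sentence uses `../resources/unifiedRoleAssignment.md` with mixed case, while the other pages in this change link to `../resources/unifiedroleassignment.md`; on a case-sensitive file system one of the two will not resolve, so use the lowercase form throughout. The response annotation sets `"truncated": true` for a `204 No Content` sample that has no body to truncate, and the Authorization header row does not say whether the header is required.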
v1.0 Unifiedroleassignment Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/unifiedroleassignment-get.md
+
+ Title: "Get unifiedRoleAssignment"
+description: "Read the properties and relationships of a unifiedRoleAssignment object."
+ms.localizationpriority: medium
+++
+# Get unifiedRoleAssignment
+
+Namespace: microsoft.graph
+
+Retrieve the properties and relationships of a [unifiedRoleAssignment](../resources/unifiedroleassignment.md) object.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /roleManagement/directory/roleAssignments/{id}
+```
+
+## Optional query parameters
+
+This method supports the `$select` OData query parameter to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer {token} |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and the requested [unifiedRoleAssignment](../resources/unifiedroleassignment.md) object in the response body.
+
+## Examples
+
+### Example 1 : Get the details of a role assignment
+
+#### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedroleassignment"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/lAPpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1
+```
++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignment"
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments/$entity",
+ "id": "lAPpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1",
+ "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
+ "principalId": "4ab0b690-479b-47ff-af8f-2576cf521872",
+ "directoryScopeId": "28ca5a85-489a-49a0-b555-0a6d81e56f0"
+}
+```
+
+### Example 2: Get the details of a role assignment and expand the relationships
+
+#### Request
+
+The following is an example of the request with the `$expand` query parameter.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_unifiedroleassignment"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments/lAPpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1?$expand=roleDefinition,principal,directoryScope
+```
++
+#### Response
+
+The following is an example of the response.
+> **Note:** The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleAssignment"
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignments/$entity",
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
+ "id": "lAPpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1",
+ "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
+ "roleDefinition": {
+ "id": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
+ "displayName": "Billing Administrator",
+ "description": "Can perform common billing related tasks like updating payment information.",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.commerce.billing/allEntities/allTasks",
+ "microsoft.directory/organization/basic/update",
+ ],
+ "excludedResourceActions": []
+ }],
+ "isEnabled": true,
+ },
+ "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
+ "principal": {
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
+ "id": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d ",
+ "userPrincipalName": "alice@contoso.com",
+ "displayName": "Alice Smith"
+ },
+ "directoryScopeId": "28ca5a85-489a-49a0-b555-0a6d81e56f0d",
+ "directoryScope": {
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization/$entity",
+ "id": "28ca5a85-489a-49a0-b555-0a6d81e56f0d",
+ "displayName": "Contoso_Seattle_Admins"
+ }
+}
+```
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Get unifiedRoleAssignment",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
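Review bot: Example 2 relies on `$expand=roleDefinition,principal,directoryScope`, but the "Optional query parameters" section documents only `$select`; add `$expand` there with the relationships that can be expanded. Both request annotations use the name `get_unifiedroleassignment`, so the second needs its own name. The samples also need cleanup: in Example 1 the `directoryScopeId` value `28ca5a85-489a-49a0-b555-0a6d81e56f0` is one character short of a GUID, and in Example 2 the JSON has trailing commas after `"microsoft.directory/organization/basic/update"` and `"isEnabled": true`, plus a trailing space inside the principal `id` string. Neither example writes the scope as `/` or a `/`-prefixed path as the create page does, so confirm which format the API actually returns. The heading `Example 1 :` has a stray space before the colon.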
v1.0 Unifiedroledefinition Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/unifiedroledefinition-delete.md
+
+ Title: "Delete unifiedRoleDefinition"
+description: "Delete a unifiedRoleDefinition object."
+ms.localizationpriority: medium
+++
+# Delete unifiedRoleDefinition
+
+Namespace: microsoft.graph
+
+Delete a [unifiedRoleDefinition](../resources/unifiedRoleDefinition.md) object. You cannot delete built-in roles.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | RoleManagement.ReadWrite.Directory |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+DELETE /roleManagement/directory/roleDefinitions/{id}
+
+```
+
+## Request headers
+
+| Name | Description |
+|:--|:--|
+| Authorization | Bearer {token} |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns `204 No Content` response code. It does not return anything in the response body.
+
+## Example
+
+### Request
+
+The following is an example of the request.
+
+<!-- {
+ "blockType": "request",
+ "name": "delete_unifiedroledefinition"
+}-->
+
+```http
+DELETE https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/f189965f-f560-4c59-9101-933d4c87a91a
+```
++
+### Response
+
+The following is an example of the response.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true
+} -->
+
+```http
+HTTP/1.1 204 No Content
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Delete unifiedRoleDefinition",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
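Review bot: The resource link in the opening sentence uses `../resources/unifiedRoleDefinition.md` with mixed case, while the create and update pages in this change link to `../resources/unifiedroledefinition.md`; use the lowercase path so the link resolves on case-sensitive hosts. The `DELETE /roleManagement/directory/roleDefinitions/{id}` block contains an empty line before the closing fence, and the response annotation sets `"truncated": true` for a `204 No Content` sample with no body. Since the page states that built-in roles cannot be deleted, it would help to document what the call returns when that is attempted.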
v1.0 Unifiedroledefinition Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/unifiedroledefinition-get.md
+
+ Title: "Get unifiedRoleDefinition"
+description: "Read the properties and relationships of an unifiedRoleDefinition object."
+ms.localizationpriority: medium
+++
+# Get unifiedRoleDefinition
+
+Namespace: microsoft.graph
+
+Read the properties and relationships of a [unifiedRoleDefinition](../resources/unifiedRoleDefinition.md) object. Currently **directory** is the only role-based access control (RBAC) provider supported.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type | Permissions (from least to most privileged) |
+|:--|:|
+|Delegated (work or school account) | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All, Directory.AccessAsUser.All |
+|Delegated (personal Microsoft account) | Not supported. |
+|Application | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+GET /roleManagement/directory/roleDefinitions/{id}
+```
+
+## Optional query parameters
+
+This method supports the `$select` OData query parameter to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+| Name |Description|
+|:-|:-|
+| Authorization | Bearer {token} |
+
+## Request body
+
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and the requested [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object in the response body.
+
+## Examples
+
+### Example 1: Get the definition of a custom role
+
+#### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_custom_role_unifiedroledefinition"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/f189965f-f560-4c59-9101-933d4c87a91a
+```
++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleDefinition"
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
++
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions/$entity",
+ "id": "429c3819-053d-4250-9926-4c7dcb18ae17",
+ "description": "Allows reading Application Registrations",
+ "displayName": "Application Registration Reader",
+ "isBuiltIn": false,
+ "isEnabled": true,
+ "templateId": "f189965f-f560-4c59-9101-933d4c87a91a",
+ "version": null,
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.directory/applications/allProperties/read"
+ ],
+ "condition": null
+ }
+ ],
+ "inheritsPermissionsFrom@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions('f189965f-f560-4c59-9101-933d4c87a91a')/inheritsPermissionsFrom",
+ "inheritsPermissionsFrom": []
+}
+```
+
+### Example 2: Get the definition of a built-in role
+
+#### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_built_in_role_unifiedroledefinition"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/fdd7a751-b60b-444a-984c-02652fe8fa1c
+```
++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleDefinition"
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions/$entity",
+ "id": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "description": "Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports.",
+ "displayName": "Groups Administrator",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "resourceScopes": [
+ "/"
+ ],
+ "templateId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "version": "1",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.directory/groups/assignLicense",
+ "microsoft.directory/groups/create",
+ "microsoft.directory/groups/delete",
+ "microsoft.directory/groups/hiddenMembers/read",
+ "microsoft.directory/groups/reprocessLicenseAssignment",
+ "microsoft.directory/groups/restore",
+ "microsoft.directory/groups/basic/update",
+ "microsoft.directory/groups/classification/update",
+ "microsoft.directory/groups/dynamicMembershipRule/update",
+ "microsoft.directory/groups/groupType/update",
+ "microsoft.directory/groups/members/update",
+ "microsoft.directory/groups/owners/update",
+ "microsoft.directory/groups/settings/update",
+ "microsoft.directory/groups/visibility/update",
+ "microsoft.azure.serviceHealth/allEntities/allTasks",
+ "microsoft.azure.supportTickets/allEntities/allTasks",
+ "microsoft.office365.serviceHealth/allEntities/allTasks",
+ "microsoft.office365.supportTickets/allEntities/allTasks",
+ "microsoft.office365.webPortal/allEntities/standard/read"
+ ],
+ "condition": null
+ }
+ ],
+ "inheritsPermissionsFrom@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions('fdd7a751-b60b-444a-984c-02652fe8fa1c')/inheritsPermissionsFrom",
+ "inheritsPermissionsFrom": [
+ {
+ "id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"
+ }
+ ]
+}
+```
+### Example 3: Get the definition of an Azure AD built-in role and $expand on the role it inherits from
+
+#### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "get_inheritsFrom_unifiedroledefinition"
+}-->
+
+```msgraph-interactive
+GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/fdd7a751-b60b-444a-984c-02652fe8fa1c?$expand=inheritsPermissionsFrom
+```
++
+#### Response
+
+The following is an example of the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.unifiedRoleDefinition"
+} -->
+
+```http
+HTTP/1.1 200 OK
+Content-type: application/json
++
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions(inheritsPermissionsFrom())/$entity",
+ "id": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "description": "Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports.",
+ "displayName": "Groups Administrator",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "resourceScopes": [
+ "/"
+ ],
+ "templateId": "fdd7a751-b60b-444a-984c-02652fe8fa1c",
+ "version": "1",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.directory/groups/assignLicense",
+ "microsoft.directory/groups/create",
+ "microsoft.directory/groups/delete",
+ "microsoft.directory/groups/hiddenMembers/read",
+ "microsoft.directory/groups/reprocessLicenseAssignment",
+ "microsoft.directory/groups/restore",
+ "microsoft.directory/groups/basic/update",
+ "microsoft.directory/groups/classification/update",
+ "microsoft.directory/groups/dynamicMembershipRule/update",
+ "microsoft.directory/groups/groupType/update",
+ "microsoft.directory/groups/members/update",
+ "microsoft.directory/groups/owners/update",
+ "microsoft.directory/groups/settings/update",
+ "microsoft.directory/groups/visibility/update",
+ "microsoft.azure.serviceHealth/allEntities/allTasks",
+ "microsoft.azure.supportTickets/allEntities/allTasks",
+ "microsoft.office365.serviceHealth/allEntities/allTasks",
+ "microsoft.office365.supportTickets/allEntities/allTasks",
+ "microsoft.office365.webPortal/allEntities/standard/read"
+ ],
+ "condition": null
+ }
+ ],
+ "inheritsPermissionsFrom@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleDefinitions('fdd7a751-b60b-444a-984c-02652fe8fa1c')/inheritsPermissionsFrom",
+ "inheritsPermissionsFrom": [
+ {
+ "id": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
+ "description": "Can read basic directory information. Commonly used to grant directory read access to applications and guests.",
+ "displayName": "Directory Readers",
+ "isBuiltIn": true,
+ "isEnabled": true,
+ "resourceScopes": [
+ "/"
+ ],
+ "templateId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b",
+ "version": "1",
+ "rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.directory/administrativeUnits/standard/read",
+ "microsoft.directory/administrativeUnits/members/read",
+ "microsoft.directory/applications/standard/read",
+ "microsoft.directory/applications/owners/read",
+ "microsoft.directory/applications/policies/read",
+ "microsoft.directory/contacts/standard/read",
+ "microsoft.directory/contacts/memberOf/read",
+ "microsoft.directory/contracts/standard/read",
+ "microsoft.directory/devices/standard/read",
+ "microsoft.directory/devices/memberOf/read",
+ "microsoft.directory/devices/registeredOwners/read",
+ "microsoft.directory/devices/registeredUsers/read",
+ "microsoft.directory/directoryRoles/standard/read",
+ "microsoft.directory/directoryRoles/eligibleMembers/read",
+ "microsoft.directory/directoryRoles/members/read",
+ "microsoft.directory/domains/standard/read",
+ "microsoft.directory/groups/standard/read",
+ "microsoft.directory/groups/appRoleAssignments/read",
+ "microsoft.directory/groups/memberOf/read",
+ "microsoft.directory/groups/members/read",
+ "microsoft.directory/groups/owners/read",
+ "microsoft.directory/groups/settings/read",
+ "microsoft.directory/groupSettings/standard/read",
+ "microsoft.directory/groupSettingTemplates/standard/read",
+ "microsoft.directory/oAuth2PermissionGrants/standard/read",
+ "microsoft.directory/organization/standard/read",
+ "microsoft.directory/organization/trustedCAsForPasswordlessAuth/read",
+ "microsoft.directory/applicationPolicies/standard/read",
+ "microsoft.directory/roleAssignments/standard/read",
+ "microsoft.directory/roleDefinitions/standard/read",
+ "microsoft.directory/servicePrincipals/appRoleAssignedTo/read",
+ "microsoft.directory/servicePrincipals/appRoleAssignments/read",
+ "microsoft.directory/servicePrincipals/standard/read",
+ "microsoft.directory/servicePrincipals/memberOf/read",
+ "microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read",
+ "microsoft.directory/servicePrincipals/owners/read",
+ "microsoft.directory/servicePrincipals/ownedObjects/read",
+ "microsoft.directory/servicePrincipals/policies/read",
+ "microsoft.directory/subscribedSkus/standard/read",
+ "microsoft.directory/users/standard/read",
+ "microsoft.directory/users/appRoleAssignments/read",
+ "microsoft.directory/users/directReports/read",
+ "microsoft.directory/users/manager/read",
+ "microsoft.directory/users/memberOf/read",
+ "microsoft.directory/users/oAuth2PermissionGrants/read",
+ "microsoft.directory/users/ownedDevices/read",
+ "microsoft.directory/users/ownedObjects/read",
+ "microsoft.directory/users/registeredDevices/read"
+ ],
+ "condition": null
+ }
+ ]
+ }
+ ]
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Get unifiedRoleDefinition",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
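Review bot: In Example 1 the request asks for role definition `f189965f-f560-4c59-9101-933d4c87a91a`, but the response returns `"id": "429c3819-053d-4250-9926-4c7dcb18ae17"` with the requested value appearing only as `templateId`; either request the `id` shown or explain that the lookup accepts a template ID. Example 3 uses `$expand=inheritsPermissionsFrom`, which the "Optional query parameters" section does not mention, since it lists only `$select`. Smaller points: the `description` front matter says "an unifiedRoleDefinition", the opening link uses `../resources/unifiedRoleDefinition.md` while the Response section uses the lowercase path, the Example 1 and Example 3 response blocks have a `+` where the blank line between headers and body should be, and `### Example 3` follows the closing fence without a blank line.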
v1.0 Unifiedroledefinition Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/unifiedroledefinition-update.md
+
+ Title: "Update unifiedRoleDefinition"
+description: "Update the properties of a unifiedRoleDefinition object."
+ms.localizationpriority: medium
+++
+# Update unifiedRoleDefinition
+
+Namespace: microsoft.graph
+
+Update the properties of a [unifiedRoleDefinition](../resources/unifiedroledefinition.md) object. You cannot update built-in roles.
+
+## Permissions
+
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+| Permission type | Permissions (from least to most privileged) |
+|:|:--|
+| Delegated (work or school account) | RoleManagement.ReadWrite.Directory |
+| Delegated (personal Microsoft account) | Not supported. |
+| Application | RoleManagement.ReadWrite.Directory |
+
+## HTTP request
+
+<!-- { "blockType": "ignored" } -->
+
+```http
+PATCH /roleManagement/directory/roleDefinitions/{id}
+```
+
+## Request headers
+
+| Name | Description|
+|:--|:--|
+| Authorization | Bearer {token} |
+| Content-Type | application/json. Required. |
+
+## Request body
+
+In the request body, supply the values for relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For the best performance, don't include existing values that haven't changed.
+
+The following table shows the properties that are required when you update the [unifiedRoleDefinition](../resources/unifiedroledefinition.md).
+
+| Property | Type | Description |
+|:-|:|:|
+|description|String| The description for the role definition. Read-only when **isBuiltIn** is `true`. |
+|displayName|String| The display name for the role definition. Read-only when **isBuiltIn** is `true`. Required.|
+|isEnabled|Boolean| Flag indicating if the role is enabled for assignment. If `false`, the role is not available for assignment. Read-only when **isBuiltIn** is true. |
+|resourceScopes|String collection| List of scopes and permissions the role definition applies to. Currently only `/` is supported. Read-only when **isBuiltIn** is true. **DO NOT USE. This property will be deprecated soon. Attach scope to role assignment.**|
+|rolePermissions|[unifiedRolePermission](../resources/unifiedrolepermission.md) collection| List of permissions included in the role. Read-only when **isBuiltIn** is `true`. Required. |
+|templateId|String| Custom template identifier that can be set when **isBuiltIn** is `false`. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when **isBuiltIn** is `true`. |
+|version|String| Indicates version of the role definition. Read-only when **isBuiltIn** is `true`.|
+
+## Response
+
+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.
+
+## Example
+
+### Request
+
+The following is an example of the request.
++
+<!-- {
+ "blockType": "request",
+ "name": "update_unifiedroledefinition"
+}-->
+
+```http
+PATCH https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/0d55728d-3e24-4309-9b1b-5ac09921475a
+Content-type: application/json
+
+{
+ "description": "Update basic properties of application registrations",
+ "displayName": "Application Registration Support Administrator",
+ "rolePermissions":
+ [
+ {
+ "allowedResourceActions":
+ [
+ "microsoft.directory/applications/basic/read"
+ ]
+ }
+ ]
+}
+```
++
+### Response
+
+The following is an example of the response.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true
+} -->
+
+```http
+HTTP/1.1 204 OK
+Content-type: application/json
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "Update unifiedroledefinition",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
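Review bot: The response example's status line reads `HTTP/1.1 204 OK`, which contradicts the Response section's `204 No Content`; change it to `HTTP/1.1 204 No Content` and drop the `Content-type: application/json` header, since the method returns no body. In the Request body section, the sentence introducing the table calls the listed properties "required", but only **displayName** and **rolePermissions** are marked Required, and that conflicts with the preceding advice to send only changed fields; reword it to "properties that can be updated". Because **rolePermissions** determines what the role grants, the page should also state whether a supplied collection replaces the existing permissions or is merged with them.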
v1.0 User Delete Approleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/user-delete-approleassignments.md
Title: "Delete an appRoleAssignment granted to a user"
+ Title: "Delete appRoleAssignment"
description: "Delete an appRoleAssignment that has been granted to a user." ms.localizationpriority: medium doc_type: apiPageType
ms.prod: "users"
-# Delete an appRoleAssignment granted to a user
+# Delete appRoleAssignment
Namespace: microsoft.graph
DELETE /users/{id}/appRoleAssignments/{id}
``` > [!NOTE]
-> As a best practice, we recommend deleting app role assignments through the `appRoleAssignedTo` relationship of the _resource_ service principal, instead of the `appRoleAssignments` relationship of the assigned user, group, or service principal.
+> As a best practice, we recommend you delete app role assignments using the [Delete appRoleAssignedTo](serviceprincipal-delete-approleassignedto.md) method which deletes through the **appRoleAssignedTo** relationship of the _resource_ service principal, instead of this method.
## Request headers
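Review bot: The new title and H1 `Delete appRoleAssignment` drop the "granted to a user" qualifier while the description line still carries it, so the heading no longer says which principal type this page covers; keep the qualifier in one consistent form across title, heading and description.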
v1.0 Agreementacceptance https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreementacceptance.md
Represents the current status of a user within scope of a company's customizable
|deviceId|String|The unique identifier of the device used for accepting the agreement.| |deviceOSType|String|The operating system used to accept the agreement.| |deviceOSVersion|String|The operating system version of the device used to accept the agreement. |
-|expirationDateTime|DateTimeOffset|The expiration date time of the acceptance. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `'2014-01-01T00:00:00Z'`|
+|expirationDateTime|DateTimeOffset|The expiration date time of the acceptance. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|id|String| The identifier of the agreement acceptance. Read-only.|
-|recordedDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `'2014-01-01T00:00:00Z'`|
+|recordedDateTime|DateTimeOffset|The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|state|string| The state of the agreement acceptance. Possible values are: `accepted`, `declined`.| |userDisplayName|String|Display name of the user when the acceptance was recorded.| |userEmail|String|Email of the user when the acceptance was recorded.|
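Review bot: The **recordedDateTime** row still does not say what the property holds; its text only explains the timestamp format, unlike **expirationDateTime**, which opens with "The expiration date time of the acceptance." Add a leading sentence stating what is recorded, and name the type consistently, since the Type column says DateTimeOffset while the text says "The Timestamp type".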
v1.0 Agreementfile https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreementfile.md
Represents a customizable terms of use agreement file that a tenant manages with
|isDefault|Boolean|If none of the languages matches the client preference, indicates that this is the default agreement file. If none of the files are marked as default, the first one is treated as the default. Read-only.| |language|String|The language of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US). Read-only.| |isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. |
-|createdDateTime|DateTimeOffset|The date time representing when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'.|
+|createdDateTime|DateTimeOffset|The date time representing when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement. <!--
v1.0 Agreementfilelocalization https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreementfilelocalization.md
Represents a customizable terms of use agreement file that a tenant manages with
|isDefault|Boolean| If none of the languages matches the client preference, indicates that this is the default agreement file. If none of the files are marked as default, the first one is treated as the default. Read-only.| |language|String|The language of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US). Read-only.| |isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. |
-|createdDateTime|DateTimeOffset|The date time representing when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'.|
+|createdDateTime|DateTimeOffset|The date time representing when the file was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time.For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement. ## JSON representation
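Review bot: The replacement **createdDateTime** line loses the space after "UTC time." ("UTC time.For example"), which the removed line had; restore it.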
v1.0 Agreementfileversion https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/agreementfileversion.md
Represents a customized version of terms of use agreement file that a tenant man
|isDefault|Boolean|If none of the languages matches the client preference, indicates whether this is the default agreement file . If none of the files are marked as default, the first one is treated as the default. Read-only.| |language|String|The language of the agreement file in the format languagecode2-country/regioncode2. languagecode2 is a lowercase two-letter code derived from ISO 639-1. country/regioncode2 is derived from ISO 3166 and usually consists of two uppercase letters, or a BCP-47 language tag (for example, en-US). Read-only.| |isMajorVersion|Boolean|Indicates whether the agreement file is a major version update. Major version updates invalidate the agreement's acceptances on the corresponding language. |
-|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'.|
+|createdDateTime|DateTimeOffset|The date time representing when the file was created.The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|displayName|String|Localized display name of the policy file of an agreement. The localized display name is shown to end users who view the agreement. ## JSON representation
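Review bot: The replacement **createdDateTime** line carries over the missing space in "was created.The Timestamp type" from the removed line; fix it in the same edit.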
v1.0 Appscope https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/appscope.md
+
+ Title: "appScope resource type"
+description: "An app scope is a scope defined and understood by a specific application."
+ms.localizationpriority: medium
+++
+# appScope resource type
+
+The scope of a role assignment determines the set of resources for which the principal has been granted access. An app scope is a scope defined and understood by a specific application, unlike directory scopes which are shared scopes stored in the directory and understood by multiple applications.
+
+This may be in both the following principal and scope scenarios:
++ A single principal and a single scope++ Multiple principals and multiple scopes.
+
+Inherits from [entity](entity.md).
+
+## Methods
+None
+
+## Properties
+
+| Property | Type | Description |
+|:-- |:- |:-- |
+| displayName | string | Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable id. Read-only. |
+| id | string | Identifier of an app-specific container or resource representing the scope of the assignment. Usually the immutable id of the resource. The scope of an assignment determines the set of resources for which the principal has been granted access. Required. |
+| type | String | Describes the type of app-specific resource represented by the app scope. Provided for display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read-only. |
+
+## Relationships
+
+None
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.appScope"
+}-->
+
+```json
+{
+ "id": "String (identifier)",
+ "type": "String",
+ "displayName": "String"
+}
+```
+
+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79
+2015-10-25 14:57:30 UTC -->
+<!--
+{
+ "type": "#page.annotation",
+ "description": "appScope resource",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": "",
+ "suppressions": []
+}
+-->
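Review bot: The **displayName** description refers to `appScopeId`, which is not a property of this resource (the identifier here is **id**); reword it to reference **id**. The Type column mixes `string` and `String` across the three rows, and the page lacks the `Namespace: microsoft.graph` line that the other new resource pages in this change carry.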
v1.0 Conditionalaccessroot https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/conditionalaccessroot.md
+
+ Title: "conditionalAccessRoot resource type"
+description: "The conditionalAccessRoot resource is the entry point for the Conditional Access (CA) object model. It doesn't contain any usable properties."
+ms.localizationpriority: medium
+++
+# conditionalAccessRoot resource type
+
+Namespace: microsoft.graph
+
+The **conditionalAccessRoot** resource is the entry point for the Conditional Access (CA) object model. It doesn't contain any usable properties.
+
+For more information on Conditional Access in Azure Active Directory, see [What is Conditional Access](/azure/active-directory/conditional-access/overview)?
+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+| Relationship | Type |Description|
+|:|:--|:-|
+|namedLocations|[namedLocation](namedlocation.md) collection| Read-only. Nullable. Returns a collection of the specified named locations.|
+|policies|[conditionalAccessPolicy](conditionalaccesspolicy.md) collection| Read-only. Nullable. Returns a collection of the specified Conditional Access (CA) policies.|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.conditionalAccessRoot"
+}-->
+
+```json
+{
+ "@odata.type": "#microsoft.graph.conditionalAccessRoot"
+}
+```
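Review bot: In the "For more information" sentence the question mark sits outside the link text, `[What is Conditional Access](...)?`, so the sentence itself ends as a question; move it inside the link text, as the See also entries on the named location pages do, and close the sentence with a period. In the Relationships table, "Returns a collection of the specified named locations" and "the specified Conditional Access (CA) policies" are unclear, since nothing is specified at the root; say "the named locations defined in the tenant" or similar.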
v1.0 Countrynamedlocation https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/countrynamedlocation.md
Inherits from [namedLocation](../resources/namedLocation.md)
| Property | Type | Description | |:-|:|:|
-|countriesAndRegions|String collection|List of countries and/or regions in two-letter format specified by ISO 3166-2.|
-|countryLookupMethod|countryLookupMethodType|Determines what method is used to decide which country the user is located in. Possible values are `clientIpAddress` and `authenticatorAppGps`. Note: `authenticatorAppGps` is not yet supported in the Microsoft Cloud for US Government.|
+|countriesAndRegions|String collection|List of countries and/or regions in two-letter format specified by ISO 3166-2. Required.|
+|countryLookupMethod|countryLookupMethodType|Determines what method is used to decide which country the user is located in. Possible values are `clientIpAddress`(default) and `authenticatorAppGps`. Note: `authenticatorAppGps` is not yet supported in the Microsoft Cloud for US Government.|
|createdDateTime|DateTimeOffset|The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).|
-|displayName|String|Human-readable name of the location. Inherited from [namedLocation](../resources/namedLocation.md).|
+|displayName|String|Human-readable name of the location. Required. Inherited from [namedLocation](../resources/namedLocation.md).|
|id|String|Identifier of a namedLocation object. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).|
-|includeUnknownCountriesAndRegions|Boolean|True if IP addresses that don't map to a country or region should be included in the named location.|
+|includeUnknownCountriesAndRegions|Boolean|`true` if IP addresses that don't map to a country or region should be included in the named location. Optional. Default value is `false`.|
|modifiedDateTime|DateTimeOffset|The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).| ## Relationships
The following is a JSON representation of the resource.
} ```
+## See also
+++ [What is Conditional Access?](/azure/active-directory/conditional-access/overview)++ [Using the location condition in a Conditional Access policy](/azure/active-directory/conditional-access/location-condition)++ <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98 2019-02-04 14:57:30 UTC --> <!-- {
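Review bot: The **countriesAndRegions** row cites ISO 3166-2 for the two-letter format, but two-letter country codes are defined by ISO 3166-1 alpha-2 (ISO 3166-2 covers subdivision codes); correct the reference while this row is being edited. In the **countryLookupMethod** row, add a space in "`clientIpAddress`(default)".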
v1.0 Identitycontainer https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/identitycontainer.md
None.
|:-|:|:| |apiConnectors|[identityApiConnector](identityApiConnector.md) collection|Represents entry point for API connectors.| |b2xUserFlows|[b2xIdentityUserFlow](b2xIdentityUserFlow.md) collection| Represents entry point for B2X/self-service sign-up identity userflows.|
+|conditionalAccess|[conditionalAccessRoot](conditionalAccessRoot.md) collection| the entry point for the Conditional Access (CA) object model.|
|identityProvider|[identityProviderBase](identityProviderBase.md) collection| Represents entry point for identity provider base.| |userFlowAttributes|[identityUserFlowAttribute](identityUserFlowAttribute.md) collection| Represents entry point for identity userflow attributes.|
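Review bot: The added **conditionalAccess** row types the relationship as a conditionalAccessRoot "collection", yet the conditionalAccessRoot page in this same change describes that resource as the single entry point for the Conditional Access object model; confirm whether this is a single-valued navigation property and drop "collection" if so. The description also starts lowercase ("the entry point") where the neighbouring rows start with a capital.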
v1.0 Insights Sharingdetail https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/insights-sharingdetail.md
Here is a JSON representation of the resource
| Property | Type | Description | | - |-- | -|
-| sharedDateTime | DateTimeOffset| The date and time the file was last shared. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`. Read-only. |
+| sharedDateTime | DateTimeOffset| The date and time the file was last shared. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. |
| sharingSubject | String | The subject with which the document was shared. | | sharingType | String | Determines the way the document was shared, can be by a "Link", "Attachment", "Group", "Site". | | sharedBy | [insightIdentity](insights-insightidentity.md) | The user who shared the document. |
v1.0 Insights Usagedetails https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/insights-usagedetails.md
Here is a JSON representation of the resource
| Property | Type | Description | | - || -|
-| lastAccessedDateTime | DateTimeOffset | The date and time the resource was last accessed by the user. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`. Read-only. |
-| lastModifiedDateTime | DateTimeOffset | The date and time the resource was last modified by the user. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`. Read-only. |
+| lastAccessedDateTime | DateTimeOffset | The date and time the resource was last accessed by the user. The timestamp represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. |
+| lastModifiedDateTime | DateTimeOffset | The date and time the resource was last modified by the user. The timestamp represents date and time information using ISO 8601 format and is always in UTC time.For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. |
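Review bot: The new **lastModifiedDateTime** row drops the space in "UTC time.For example", while the **lastAccessedDateTime** row above it is correct; restore the space.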
v1.0 Ipnamedlocation https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/ipnamedlocation.md
Inherits from [namedLocation](../resources/namedLocation.md)
| Property | Type | Description | |:-|:|:| |createdDateTime|DateTimeOffset|The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).|
-|displayName|String|Human-readable name of the location.|
+|displayName|String|Human-readable name of the location. Required.|
|id|String|Identifier of a namedLocation object. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).|
-|ipRanges|[ipRange](iprange.md) collection|List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596.|
-|isTrusted|Boolean|True if this location is explicitly trusted.|
+|ipRanges|[ipRange](iprange.md) collection|List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596. Required.|
+|isTrusted|Boolean|`true` if this location is explicitly trusted. Optional. Default value is `false`.|
|modifiedDateTime|DateTimeOffset|The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from [namedLocation](../resources/namedLocation.md).| ## Relationships
The following is a JSON representation of the resource.
} ```
+## See also
+++ [What is Conditional Access?](/azure/active-directory/conditional-access/overview)++ [Using the location condition in a Conditional Access policy](/azure/active-directory/conditional-access/location-condition)++ <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98 2019-02-04 14:57:30 UTC --> <!-- {
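Review bot: The **ipRanges** row keeps the reference "IETF RFC596", which does not look like an IPv6 addressing specification; verify the intended RFC number rather than only appending "Required." to the sentence. Since **isTrusted** feeds location conditions in Conditional Access policies, the row could also say what "explicitly trusted" changes in policy evaluation, or link to the location condition article listed under See also.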
v1.0 Iprange https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/iprange.md
doc_type: resourcePageType
Namespace: microsoft.graph
-IP range base class for representing IPV4 and IPV6 address ranges.
+An IP range abstract type from which the [iPv4CidrRange](ipv4cidrrange.md) and [iPv6CidrRange](ipv6cidrrange.md) resource types for configuring [ipNamedLocation](ipnamedlocation.md) objects are derived.
+
+The [iPv4CidrRange](ipv4cidrrange.md) derived type is used to configure IPv4 address ranges while the [iPv6CidrRange](ipv6cidrrange.md) derived type is used to configure IPv6 address ranges.
## Properties
The following is a JSON representation of the resource.
```json {
+ "@odata.type": "#microsoft.graph.ipRange"
} ```
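Review bot: The JSON representation now shows `"@odata.type": "#microsoft.graph.ipRange"` although the new description calls ipRange an abstract type; add a sentence that instances carry the derived type's value (`#microsoft.graph.iPv4CidrRange` or `#microsoft.graph.iPv6CidrRange`), so readers do not copy the abstract value into an ipNamedLocation request.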
v1.0 Ipv4cidrrange https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/ipv4cidrrange.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Represents an IPv4 range using the CIDR notation.
+Represents an IPv4 range using the Classless inter-domain routing (CIDR) notation.
Inherits from [ipRange](../resources/iprange.md)
Inherits from [ipRange](../resources/iprange.md)
| Property | Type | Description | |:-|:|:|
-|cidrAddress|String|IPv4 address in CIDR notation|
+|cidrAddress|String|IPv4 address in CIDR notation. Not nullable.|
## JSON representation
The following is a JSON representation of the resource.
```json {
+ "@odata.type": "#microsoft.graph.iPv4CidrRange",
"cidrAddress": "String" } ```
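Review bot: "Classless inter-domain routing" in the new description is capitalised inconsistently; use "Classless Inter-Domain Routing (CIDR)" or write it fully lowercase. The same wording is added on the iPv6CidrRange page. The **cidrAddress** row would also benefit from an example value, as the ipNamedLocation page gives one (1.2.3.4/32).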
v1.0 Ipv6cidrrange https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/ipv6cidrrange.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Represents an IPv6 range using the CIDR notation.
+Represents an IPv6 range using the Classless inter-domain routing (CIDR) notation.
Inherits from [ipRange](../resources/iprange.md)
Inherits from [ipRange](../resources/iprange.md)
| Property | Type | Description | |:-|:|:|
-|cidrAddress|String|IPv6 address in CIDR notation|
+|cidrAddress|String|IPv6 address in CIDR notation. Not nullable.|
## JSON representation
The following is a JSON representation of the resource.
```json {
+ "@odata.type": "#microsoft.graph.iPv6CidrRange",
"cidrAddress": "String" } ```
v1.0 Namedlocation https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/namedlocation.md
The following is a JSON representation of the resource.
} ```
+## See also
+++ [What is Conditional Access?](/azure/active-directory/conditional-access/overview)++ [Using the location condition in a Conditional Access policy](/azure/active-directory/conditional-access/location-condition)+ <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98 2019-02-04 14:57:30 UTC --> <!-- {
v1.0 Rbacapplication https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/rbacapplication.md
+
+ Title: "rbacApplication resource type"
+description: "Container for role definitions and role assignments for Microsoft 365 role-based access control (RBAC) providers"
+ms.localizationpriority: medium
+++
+# rbacApplication resource type
+
+Namespace: microsoft.graph
+
+Role management container for unified role definitions and role assignments for Microsoft 365 role-based access control (RBAC) providers. The role assignments support only a single principal and a single scope. Currently **directory** is the only RBAC provider supported.
+
+## Methods
+
+None
+
+## Properties
+
+None
+
+## Relationships
+
+|Relationship|Type|Description|
+|:|:|:|
+|roleAssignments|[unifiedRoleAssignment](../resources/unifiedroleassignment.md) collection| Resource to grant access to users or groups. |
+|roleDefinitions|[unifiedRoleDefinition](../resources/unifiedroledefinition.md) collection| Resource representing the roles allowed by RBAC providers and the permissions assigned to the roles. |
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.rbacApplication",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.rbacApplication"
+}
+```
v1.0 Report https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/report.md
doc_type: conceptualPageType
# Working with Microsoft 365 usage reports in Microsoft Graph
-With Microsoft Graph, you can access Microsoft 365 usage reports resources to get the information about how people in your business are using Microsoft 365 services. For example, you can identify who is using a service a lot and reaching quotas, or who may not need a Microsoft 365 license at all.
+With Microsoft Graph, you can access Microsoft 365 usage reports resources to get the information about how people in your business are using Microsoft 365 services. For example, you can identify who is using a service a lot and reaching quotas, or who mght not need a Microsoft 365 license at all.
+
+For details about the settings that govern identification/de-identification of information in the Microsoft 365 usage reports data, see [Microsoft 365 Reports in the admin center](/microsoft-365/admin/activity-reports/activity-reports) .
## Authorization
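Review bot: The rewritten introductory sentence introduces a typo, "mght" for "might", and the added paragraph has a stray space before the final period after the link; fix both before merging.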
v1.0 Riskyuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/riskyuser.md
For more information about risk events, see [Azure Active Directory Identity Pro
|isDeleted|Boolean|Indicates whether the user is deleted. Possible values are: `true`, `false`.| |isProcessing|Boolean|Indicates whether a user's risky state is being processed by the backend.| |riskDetail|riskDetail|Details of the detected risk. Possible values are: `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `hidden`, `adminConfirmedUserCompromised`, `unknownFutureValue`.|
-|riskLastUpdatedDateTime|DateTimeOffset|The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: `2014-01-01T00:00:00Z`|
+|riskLastUpdatedDateTime|DateTimeOffset|The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
|riskLevel|riskLevel|Level of the detected risky user. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.| |riskState|riskState|State of the user's risk. Possible values are: `none`, `confirmedSafe`, `remediated`, `dismissed`, `atRisk`, `confirmedCompromised`, `unknownFutureValue`.| |userDisplayName|String|Risky user display name.|
v1.0 Rolemanagement https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/rolemanagement.md
+
+ Title: "roleManagement resource type"
+description: "Microsoft 365 role-based access control (RBAC) resource."
+ms.localizationpriority: medium
+++
+# roleManagement resource type
+
+Namespace: microsoft.graph
+
+Represents a Microsoft 365 role-based access control (RBAC) role management entity. This resource provides access to role definitions and role assignments surfaced from RBAC providers. **directory** (Azure Active Directory) and **deviceManagement** (Intune) providers are currently supported.
+
+For more information, see:
+* [Administrator role permissions in Azure Active Directory](/azure/active-directory/roles/custom-overview).
+* [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control)
+
+## Methods
+
+None.
+
+## Properties
+
+None.
+
+## Relationships
+
+| Relationship | Type | Description |
+|:-|:|:|
+|directory|[rbacApplication](rbacapplication.md)| Read-only. Nullable.|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.roleManagement",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.roleManagement"
+}
+```
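Review bot: The description says both **directory** and **deviceManagement** providers are supported, but the Relationships table lists only **directory**, and the rbacApplication page added in this same change states that directory is the only RBAC provider supported; align these statements for v1.0. The **directory** row also has no description beyond "Read-only. Nullable."; say what the relationship exposes. The fence is written "``` json" with a space, where other pages in this change use "```json".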
v1.0 Termsexpiration https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/termsexpiration.md
Provides additional settings for the scheduled expiration of the agreement.
| Property | Type | Description | | : | : | :- |
-| startDateTime|DateTimeOffset | The DateTime when the agreement is set to expire for all users. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'.|
+| startDateTime|DateTimeOffset | The DateTime when the agreement is set to expire for all users. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.|
| frequency| Duration | Represents the frequency at which the terms will expire, after its first expiration as set in **startDateTime**. The value is represented in ISO 8601 format for durations. For example, `PT1M` represents a time period of 1 month.| ## JSON representation
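Review bot: In the **frequency** row directly below the changed line, `PT1M` is described as "a time period of 1 month", but in ISO 8601 duration syntax `PT1M` is one minute and one month is written `P1M`. Since this change already tidies the neighbouring example, correct the value or the description here as well. In the changed **startDateTime** row, the type column says DateTimeOffset while the text refers to "The DateTime" and "The Timestamp type"; using one term would avoid confusion.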
v1.0 Unifiedroleassignment https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/unifiedroleassignment.md
+
+ Title: "unifiedRoleAssignment resource type"
+description: "A role assignment is the link between a role definition and a principal at a particular scope for the purpose of granting access."
+ms.localizationpriority: medium
+++
+# unifiedRoleAssignment resource type
+
+Namespace: microsoft.graph
+
+A role assignment is used to grant access to resources. It represents a role definition assigned to a principal (for example, a user or a role-assignable group) at a particular scope.
+
+Inherits from [entity](entity.md).
+
+## Methods
+
+| Method | Return Type | Description |
+|:-|:|:|
+|[List unifiedRoleAssignments](../api/rbacapplication-list-roleassignments.md)|[unifiedRoleAssignment](../resources/unifiedroleassignment.md) collection| Get a list of the [unifiedRoleAssignment](../resources/unifiedroleassignment.md) objects and their properties.|
+|[Create unifiedRoleAssignment](../api/rbacapplication-post-roleassignments.md)|[unifiedRoleAssignment](../resources/unifiedroleassignment.md)|Create a new [unifiedRoleAssignment](../resources/unifiedroleassignment.md) object.|
+|[Get unifiedRoleAssignment](../api/unifiedroleassignment-get.md)|[unifiedRoleAssignment](../resources/unifiedroleassignment.md)|Read the properties and relationships of an [unifiedRoleAssignment](../resources/unifiedroleassignment.md) object.|
+|[Delete unifiedRoleAssignment](../api/unifiedroleassignment-delete.md)|None|Deletes an [unifiedRoleAssignment](../resources/unifiedroleassignment.md) object.|
+
+## Properties
+
+| Property | Type | Description |
+|:-|:|:|
+|id|String| The unique identifier for the role assignment. Key, not nullable, Read-only. Inherited from [entity](entity.md).|
+|roleDefinitionId|String| Identifier of the role definition the assignment is for. Read only. Supports $filter (`eq`, `in`).|
+|principalId|String| Identifier of the principal to which the assignment is granted. Supports $filter (`eq`, `in`).|
+|directoryScopeId|String|Identifier of the directory object representing the scope of the assignment. Either this property or **appScopeId** is required. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use `/` for tenant-wide scope. Use **appScopeId** to limit the scope to an application only. Supports $filter (`eq`, `in`).|
+|appScopeId|String|Identifier of the app-specific scope when the assignment scope is app-specific. Either this property or **directoryScopeId** is required. App scopes are scopes that are defined and understood by this application only. Use `/` for tenant-wide app scopes. Use **directoryScopeId** to limit the scope to particular directory objects, for example, administrative units. Supports $filter (`eq`, `in`).|
+
+## Relationships
+
+| Relationship | Type | Description |
+|:-|:|:|
+|principal|[directoryObject](directoryobject.md)| Referencing the assigned principal. Read-only. Supports `$expand`.|
+|roleDefinition|[unifiedRoleDefinition](unifiedroledefinition.md)|The roleDefinition the assignment is for. Supports `$expand`. roleDefinition.Id will be auto expanded.
+|directoryScope|[directoryObject](directoryobject.md)|The directory object that is the scope of the assignment. Read-only. Supports `$expand`.|
+|appScope|[appScope](appscope.md)|Read-only property with details of the app specific scope when the assignment scope is app specific. Containment entity. Supports `$expand`.|
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleAssignment",
+ "openType": false
+}
+-->
+
+```json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
+ "id": "String (identifier)",
+ "appScopeId": "String",
+ "condition": "String",
+ "directoryScopeId": "String",
+ "principalId": "String",
+ "roleDefinitionId": "String"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "unifiedRoleAssignment resource",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
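Review bot: The JSON representation includes `"condition": "String"`, but the Properties table has no **condition** row, so a reader cannot tell what the property does or whether it is supported; document it in the table or remove it from the JSON block. In the Relationships table, the **roleDefinition** row is missing its closing `|`, which can break rendering of the rows that follow. Smaller points: **roleDefinitionId** says "Read only" where the other rows use "Read-only", the Get and Delete method descriptions read "an [unifiedRoleAssignment]" where "a" is expected, and the trailing `uuid` comment dated 2019-02-04 is identical to the one in the unifiedRoleDefinition and unifiedRolePermission pages, which suggests it was copied rather than generated for this page.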
v1.0 Unifiedroledefinition https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/unifiedroledefinition.md
+
+ Title: "unifiedRoleDefinition resource type"
+description: "A role definition is a collection of permissions in Azure Active Directory (Azure AD)."
+ms.localizationpriority: medium
+++
+# unifiedRoleDefinition resource type
+
+Namespace: microsoft.graph
+
+A role definition is a collection of permissions in Azure Active Directory (Azure AD) listing the operations that can be performed and the resources against which they can performed.
+
+## Methods
+
+| Method | Return Type | Description |
+|:-|:|:|
+| [List unifiedRoleDefinition](../api/rbacapplication-list-roledefinitions.md) | [unifiedRoleDefinition](unifiedroledefinition.md) collection | Read a list of unifiedRoleDefinition objects, and their properties. |
+| [Get unifiedRoleDefinition](../api/unifiedroledefinition-get.md) | [unifiedRoleDefinition](unifiedroledefinition.md) | Read the properties of a unifiedRoleDefinition object. |
+| [Create unifiedRoleDefinition](../api/rbacapplication-post-roledefinitions.md) | [unifiedRoleDefinition](unifiedroledefinition.md) | Create a unifiedRoleDefinition object. |
+| [Update unifiedRoleDefinition](../api/unifiedroledefinition-update.md) | [unifiedRoleDefinition](unifiedroledefinition.md) | Update a unifiedRoleDefinition object. |
+| [Delete unifiedRoleDefinition](../api/unifiedroledefinition-delete.md) | None | Delete a unifiedRoleDefinition object. |
+
+## Properties
+
+| Property | Type | Description |
+|:-|:|:|
+|description|String| The description for the unifiedRoleDefinition. Read-only when **isBuiltIn** is `true`. |
+|displayName|String| The display name for the unifiedRoleDefinition. Read-only when **isBuiltIn** is `true`. Required. Supports $filter (`eq`, `in`).|
+|id|String| The unique identifier for the role definition. Key, not nullable, Read-only. Inherited from [entity](../resources/entity.md). Supports $filter (`eq`, `in`). |
+|isBuiltIn|Boolean| Flag indicating whether the role definition is part of the default set included in Azure Active Directory (Azure AD) or a custom definition. Read-only. Supports $filter (`eq`, `in`). |
+|isEnabled|Boolean| Flag indicating whether the role is enabled for assignment. If `false` the role is not available for assignment. Read-only when **isBuiltIn** is true. |
+|resourceScopes|String collection| List of the scopes or permissions the role definition applies to. Currently only `/` is supported. Read-only when **isBuiltIn** is true. **DO NOT USE. This will be deprecated soon. Attach scope to role assignment.** |
+|rolePermissions|[unifiedRolePermission](unifiedrolepermission.md) collection| List of permissions included in the role. Read-only when **isBuiltIn** is `true`. Required. |
+|templateId|String| Custom template identifier that can be set when **isBuiltIn** is `false` but is read-only when **isBuiltIn** is `true`. This identifier is typically used if one needs an identifier to be the same across different directories. |
+|version|String| Indicates version of the role definition. Read-only when **isBuiltIn** is `true`.|
+
+## Relationships
+
+| Relationship | Type | Description |
+|:-|:|:|
+|inheritsPermissionsFrom| [unifiedRoleDefinition](unifiedroledefinition.md) collection| Read-only collection of role definitions that the given role definition inherits from. Only Azure AD built-in roles (**isBuiltIn** is `true`) support this attribute. Supports `$expand`. |
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.unifiedRoleDefinition",
+ "openType": false
+}
+-->
+
+```json
+{
+ "@odata.type": "#microsoft.graph.unifiedRoleDefinition",
+ "description": "String",
+ "displayName": "String",
+ "id": "String (identifier)",
+ "isBuiltIn": "Boolean",
+ "isEnabled": "Boolean",
+ "resourceScopes": [
+ "String"
+ ],
+ "rolePermissions": [
+ {
+ "@odata.type": "microsoft.graph.unifiedRolePermission"
+ }
+ ],
+ "templateId": "String",
+ "version": "String"
+}
+```
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "unifiedRoleDefinition resource",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
+
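Review bot: The **resourceScopes** row says "DO NOT USE. This will be deprecated soon. Attach scope to role assignment.", yet the property is introduced here in a new v1.0 page and still appears in the JSON representation. If it has to be listed, replace the bold capitals with a plain deprecation note that names the replacement explicitly (**directoryScopeId** or **appScopeId** on unifiedRoleAssignment); otherwise leave it out of this page. In the introduction, "the resources against which they can performed" is missing "be". The **isEnabled** and **resourceScopes** rows write "**isBuiltIn** is true" without code formatting, unlike the other rows.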
v1.0 Unifiedrolepermission https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/resources/unifiedrolepermission.md
+
+ Title: "unifiedRolePermission resource type"
+description: "A directory role permission is a collection of allowed resource actions and conditions."
+ms.localizationpriority: medium
+++
+# unifiedRolePermission resource type
+
+Namespace: microsoft.graph
+
+Represents a collection of allowed resource actions and the conditions that must be met for the action to be allowed. Resource actions are tasks that can be performed on a resource. For example, an application resource may support create, update, delete, and reset password actions.
+
+## Properties
+
+| Property | Type | Description |
+|:-|:|:|
+|allowedResourceActions|String collection| Set of tasks that can be performed on a resource. Required. |
+|condition|String| Optional constraints that must be met for the permission to be effective. |
+|excludedResourceActions|String collection| Set of tasks that may not be performed on a resource. Not yet supported. |
+
+### allowedResourceActions property
+
+The following is the schema for resource actions:
+
+```
+<Namespace>/<Entity>/<PropertySet>/<Action>
+```
+For example: `microsoft.directory/applications/credentials/update`.
+
+- Namespace - The services that exposes the task. For example, all tasks in Azure Active Directory use the namespace microsoft.directory.
+- Entity - The logical features or components exposed by the service in Microsoft Graph. For example, applications, servicePrincipals, or groups.
+- PropertySet - The specific properties or aspects of the entity for which access is being granted. For example,
+`microsoft.directory/applications/authentication/read` grants the ability to read the reply URL, logout URL, and implicit flow property on the **application** object in Azure AD. The following are reserved names for common property sets:
+ - allProperties - Designates all properties of the entity, including privileged properties. Examples include `microsoft.directory/applications/allProperties/read` and `microsoft.directory/applications/allProperties/update`.
+ - basic - Designates common read properties but excludes privileged ones. For example, `microsoft.directory/applications/basic/update` includes the ability to update standard properties like display name.
+ - standard - Designates common update properties but excludes privileged ones. For example, `microsoft.directory/applications/standard/read`.
+- Actions - The operations being granted. In most circumstances, permissions should be expressed in terms of CRUD or allTasks. Actions include:
+ - Create - The ability to create a new instance of the entity.
+ - Read - The ability to read a given property set (including allProperties).
+ - Update - The ability to update a given property set (including allProperties).
+ - Delete - The ability to delete a given entity.
+ - AllTasks - Represents all CRUD operations (create, read, update, and delete).
+
+### condition property
+Conditions define constraints that must be met. For example, a requirement that the principal be an owner of the target resource. The following are the supported conditions:
+
+- `Self`: "@Subject.objectId == @Resource.objectId"
+- `Owner`: "@Subject.objectId Any_of @Resource.owners"
+
+The following is an example of a role permission with a condition that the principal be the owner of the target resource.
+
+```json
+"rolePermissions": [
+ {
+ "allowedResourceActions": [
+ "microsoft.directory/applications/basic/update",
+ "microsoft.directory/applications/credentials/update"
+ ],
+ "condition": "@Subject.objectId Any_of @Resource.owners"
+ }
+ ]
+
+```
+
+## JSON representation
+
+The following is a JSON representation of the resource.
+
+<!-- {
+ "blockType": "resource",
+ "optionalProperties": [
+
+ ],
+ "@odata.type": "microsoft.graph.unifiedRolePermission",
+ "baseType": null
+}-->
+
+```json
+{
+ "@odata.type": "#microsoft.graph.unifiedRolePermission",
+ "allowedResourceActions": ["String"],
+ "excludedResourceActions": ["String"],
+ "condition": "String"
+}
+```
+## See also
+
+- [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles) - For information about permissions for built-in directory roles.
+- [Application registration subtypes and permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/roles-custom-available-permissions) - For information about permissions that are available for custom directory roles.
+
+<!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
+2019-02-04 14:57:30 UTC -->
+<!-- {
+ "type": "#page.annotation",
+ "description": "unifiedRolePermission resource",
+ "keywords": "",
+ "section": "documentation",
+ "tocPath": ""
+}-->
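Review bot: In the reserved property set list, the descriptions of `basic` and `standard` contradict their own examples: `basic` is described as "common read properties" but illustrated with `microsoft.directory/applications/basic/update`, and `standard` as "common update properties" but illustrated with `microsoft.directory/applications/standard/read`. Confirm which meaning is intended and make each description agree with its example, because role authors will rely on this list to decide what a custom role can change. Smaller points: "The services that exposes the task" should read "The service that exposes the task"; the schema placeholder is `<Action>` while the list item is "Actions" and its values are capitalized (Create, Read) although the action strings use lowercase; the PropertySet bullet is split across two lines mid-sentence; and the `rolePermissions` example is fenced as json but is a bare member without enclosing braces.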
v1.0 Toc.Yml https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/toc.yml a/api-reference/v1.0/toc.yml
items:
displayname: Migration, Azure AD Graph items: - name: Overview
- href: /graph/migrate-azure-ad-graph-planning-checklist?context=graph%252fapi%252f1.0
+ href: /graph/migrate-azure-ad-graph-overview
- name: Checklist to migrate apps href: /graph/migrate-azure-ad-graph-planning-checklist?context=graph/api/1.0 - name: "1: Review differences"
items:
href: api/subscribedsku-list.md - name: Get subscribedSku href: api/subscribedsku-get.md
+ - name: Role management
+ href: resources/rolemanagement.md
+ items:
+ - name: Role definition
+ href: resources/unifiedroledefinition.md
+ items:
+ - name: List
+ href: api/rbacapplication-list-roledefinitions.md
+ - name: Create
+ href: api/rbacapplication-post-roledefinitions.md
+ - name: Get
+ href: api/unifiedroledefinition-get.md
+ - name: Update
+ href: api/unifiedroledefinition-update.md
+ - name: Delete
+ href: api/unifiedroledefinition-delete.md
+ - name: Role assignment
+ href: resources/unifiedroleassignment.md
+ items:
+ - name: List
+ href: api/rbacapplication-list-roleassignments.md
+ - name: Create
+ href: api/rbacapplication-post-roleassignments.md
+ - name: Get
+ href: api/unifiedroleassignment-get.md
+ - name: Delete
+ href: api/unifiedroleassignment-delete.md
- name: Identity and sign-in items: - name: Authentication flows policy
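Review bot: In the "Migration, Azure AD Graph" block, the Overview entry's new href `/graph/migrate-azure-ad-graph-overview` drops the `?context=graph/api/1.0` query that the sibling "Checklist to migrate apps" entry keeps, so the two links may open under different tables of contents. Add the context parameter if the overview is meant to stay inside the API reference navigation. The removed value carried a double-encoded `%252f`, so it is worth checking the remaining entries in this file for the same encoding problem.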