unifiedRolePermission resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents a collection of allowed resource actions and the conditions that must be met for the action to be effective. Resource actions are tasks that can be performed on a resource. For example, the application resource supports create, update, delete, and reset password resource actions.

Properties

Property               | Type              | Description
allowedResourceActions | String collection | Set of tasks that can be performed on a resource.
condition              | String            | Optional constraints that must be met for the permission to be effective. Not supported for custom roles.

allowedResourceActions property

The following is the schema for resource actions:

{Namespace}/{Entity}/{PropertySet}/{Action}  

For example: microsoft.directory/applications/credentials/update.

  • {Namespace} - The service that exposes the task. For example, all tasks in Microsoft Entra ID use the namespace microsoft.directory.
  • {Entity} - The logical features or components exposed by the service in Microsoft Graph. For example, applications, servicePrincipals, or groups.
  • {PropertySet} - Optional. The specific properties or aspects of the entity for which access is being granted. For example, microsoft.directory/applications/authentication/read grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Microsoft Entra ID. The following are reserved names for common property sets:
    • allProperties - Designates all properties of the entity, including privileged properties. Examples include microsoft.directory/applications/allProperties/read and microsoft.directory/applications/allProperties/update.
    • basic - Designates common read properties but excludes privileged ones. For example, microsoft.directory/applications/basic/update includes the ability to update standard properties like display name.
    • standard - Designates common update properties but excludes privileged ones. For example, microsoft.directory/applications/standard/read.
  • {Action} - The operation being granted. In most circumstances, permissions should be expressed in terms of CRUD operations or allTasks. Actions include:
    • create - The ability to create a new instance of the entity.
    • read - The ability to read a given property set (including allProperties).
    • update - The ability to update a given property set (including allProperties).
    • delete - The ability to delete a given entity.
    • allTasks - Represents all CRUD operations (create, read, update, and delete).

condition property

Conditions define constraints that must be met. For example, a requirement that the principal be an "owner" of the target. The following are the supported conditions:

  • Self: "$ResourceIsSelf"
  • Owner: "$SubjectIsOwner"

The following is an example of a role permission with a condition.

"rolePermissions": [
    {
        "allowedResourceActions": [
            "microsoft.directory/applications/basic/update",
            "microsoft.directory/applications/credentials/update"
        ],
        "condition": "$SubjectIsOwner"
    }
]

Conditions aren't supported for custom roles.
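As an added example (not Microsoft's code and not part of this documentation page), the following Python parses resource action strings against the {Namespace}/{Entity}/{PropertySet}/{Action} schema described above, evaluates a rolePermissions entry together with its condition, and lists what a reviewer of a role definition would flag. The matching rules for allProperties and allTasks, the subject_is_owner/resource_is_self flags and the sample permission are assumptions drawn from the descriptions on this page.

```python
import re
# Added example, not Microsoft's code; the coverage and condition semantics are assumptions from this page.
ACTIONS = {"create", "read", "update", "delete", "allTasks"}
SUPPORTED_CONDITIONS = {"$ResourceIsSelf", "$SubjectIsOwner"}
SEGMENT = re.compile(r"^[A-Za-z][A-Za-z0-9.]*$")  # assumed syntax for one path segment

def parse_action(action: str) -> dict:
    """Split {Namespace}/{Entity}/{PropertySet}/{Action}; {PropertySet} is optional."""
    parts = action.split("/")
    if len(parts) == 3:
        parts.insert(2, None)  # no property set, e.g. microsoft.directory/applications/create
    if len(parts) != 4 or not all(SEGMENT.match(p) for p in parts if p is not None):
        raise ValueError(f"malformed resource action: {action!r}")
    namespace, entity, prop_set, act = parts
    if act not in ACTIONS:
        raise ValueError(f"unknown action {act!r} in {action!r}")
    return {"namespace": namespace, "entity": entity, "propertySet": prop_set, "action": act}

def action_covers(granted: str, requested: str) -> bool:
    """Assumed rule: namespace and entity match exactly; allTasks covers every CRUD action
    and allProperties covers every property set, privileged ones included."""
    g, r = parse_action(granted), parse_action(requested)
    if (g["namespace"], g["entity"]) != (r["namespace"], r["entity"]) or g["action"] not in ("allTasks", r["action"]):
        return False
    return g["propertySet"] in (r["propertySet"], "allProperties")

def permission_grants(perm: dict, requested: str, subject_is_owner=False, resource_is_self=False) -> bool:
    """Evaluate one rolePermissions entry; its condition must hold for the grant to apply."""
    cond = perm.get("condition")
    if (cond == "$SubjectIsOwner" and not subject_is_owner) or (cond == "$ResourceIsSelf" and not resource_is_self):
        return False
    return any(action_covers(a, requested) for a in perm["allowedResourceActions"])

def review_role_permissions(perms: list, is_custom_role: bool) -> list:
    """Reviewer findings: unknown conditions, conditions on custom roles, and broad grants."""
    findings = []
    for i, perm in enumerate(perms):
        cond = perm.get("condition")
        if cond is not None and cond not in SUPPORTED_CONDITIONS:
            findings.append(f"rolePermissions[{i}]: unsupported condition {cond!r}")
        elif cond is not None and is_custom_role:
            findings.append(f"rolePermissions[{i}]: conditions aren't supported for custom roles")
        for a in perm["allowedResourceActions"]:
            p = parse_action(a)
            if p["propertySet"] == "allProperties" or p["action"] == "allTasks":
                findings.append(f"rolePermissions[{i}]: broad grant {a}")
    return findings
# Constructed sample: the conditioned permission shown on this page.
SAMPLE = [{"allowedResourceActions": ["microsoft.directory/applications/basic/update",
           "microsoft.directory/applications/credentials/update"], "condition": "$SubjectIsOwner"}]
```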

Relationships

None.

JSON representation

The following JSON representation shows the resource type.

{
  "allowedResourceActions": ["String"],
  "condition": "String"
}