Update-MgBetaRoleManagementEnterpriseApp
Update the navigation property enterpriseApps in roleManagement
Syntax
Update-MgBetaRoleManagementEnterpriseApp
-RbacApplicationId <String>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-Id <String>]
[-ResourceNamespaces <IMicrosoftGraphUnifiedRbacResourceNamespace[]>]
[-RoleAssignmentApprovals <IMicrosoftGraphApproval[]>]
[-RoleAssignmentScheduleInstances <IMicrosoftGraphUnifiedRoleAssignmentScheduleInstance[]>]
[-RoleAssignmentScheduleRequests <IMicrosoftGraphUnifiedRoleAssignmentScheduleRequest[]>]
[-RoleAssignmentSchedules <IMicrosoftGraphUnifiedRoleAssignmentSchedule[]>]
[-RoleAssignments <IMicrosoftGraphUnifiedRoleAssignment[]>]
[-RoleDefinitions <IMicrosoftGraphUnifiedRoleDefinition[]>]
[-RoleEligibilityScheduleInstances <IMicrosoftGraphUnifiedRoleEligibilityScheduleInstance[]>]
[-RoleEligibilityScheduleRequests <IMicrosoftGraphUnifiedRoleEligibilityScheduleRequest[]>]
[-RoleEligibilitySchedules <IMicrosoftGraphUnifiedRoleEligibilitySchedule[]>]
[-TransitiveRoleAssignments <IMicrosoftGraphUnifiedRoleAssignment[]>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-MgBetaRoleManagementEnterpriseApp
-RbacApplicationId <String>
-BodyParameter <IMicrosoftGraphRbacApplication>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-MgBetaRoleManagementEnterpriseApp
-InputObject <IIdentityGovernanceIdentity>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-Id <String>]
[-ResourceNamespaces <IMicrosoftGraphUnifiedRbacResourceNamespace[]>]
[-RoleAssignmentApprovals <IMicrosoftGraphApproval[]>]
[-RoleAssignmentScheduleInstances <IMicrosoftGraphUnifiedRoleAssignmentScheduleInstance[]>]
[-RoleAssignmentScheduleRequests <IMicrosoftGraphUnifiedRoleAssignmentScheduleRequest[]>]
[-RoleAssignmentSchedules <IMicrosoftGraphUnifiedRoleAssignmentSchedule[]>]
[-RoleAssignments <IMicrosoftGraphUnifiedRoleAssignment[]>]
[-RoleDefinitions <IMicrosoftGraphUnifiedRoleDefinition[]>]
[-RoleEligibilityScheduleInstances <IMicrosoftGraphUnifiedRoleEligibilityScheduleInstance[]>]
[-RoleEligibilityScheduleRequests <IMicrosoftGraphUnifiedRoleEligibilityScheduleRequest[]>]
[-RoleEligibilitySchedules <IMicrosoftGraphUnifiedRoleEligibilitySchedule[]>]
[-TransitiveRoleAssignments <IMicrosoftGraphUnifiedRoleAssignment[]>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-MgBetaRoleManagementEnterpriseApp
-InputObject <IIdentityGovernanceIdentity>
-BodyParameter <IMicrosoftGraphRbacApplication>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Update the navigation property enterpriseApps in roleManagement
Parameters
-AdditionalProperties
Additional Parameters
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-BodyParameter
rbacApplication To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
Type: | IMicrosoftGraphRbacApplication |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
Type: | IDictionary |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Id
The unique identifier for an entity. Read-only.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
Type: | IIdentityGovernanceIdentity |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
Type: | ActionPreference |
Aliases: | proga |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RbacApplicationId
The unique identifier of rbacApplication
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceNamespaces
. To construct, see NOTES section for RESOURCENAMESPACES properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRbacResourceNamespace[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
Type: | String |
Aliases: | RHV |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleAssignmentApprovals
. To construct, see NOTES section for ROLEASSIGNMENTAPPROVALS properties and create a hash table.
Type: | IMicrosoftGraphApproval[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleAssignments
. To construct, see NOTES section for ROLEASSIGNMENTS properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleAssignment[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleAssignmentScheduleInstances
. To construct, see NOTES section for ROLEASSIGNMENTSCHEDULEINSTANCES properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleAssignmentScheduleInstance[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleAssignmentScheduleRequests
. To construct, see NOTES section for ROLEASSIGNMENTSCHEDULEREQUESTS properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleAssignmentScheduleRequest[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleAssignmentSchedules
. To construct, see NOTES section for ROLEASSIGNMENTSCHEDULES properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleAssignmentSchedule[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleDefinitions
. To construct, see NOTES section for ROLEDEFINITIONS properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleDefinition[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleEligibilityScheduleInstances
. To construct, see NOTES section for ROLEELIGIBILITYSCHEDULEINSTANCES properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleEligibilityScheduleInstance[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleEligibilityScheduleRequests
. To construct, see NOTES section for ROLEELIGIBILITYSCHEDULEREQUESTS properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleEligibilityScheduleRequest[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RoleEligibilitySchedules
. To construct, see NOTES section for ROLEELIGIBILITYSCHEDULES properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleEligibilitySchedule[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TransitiveRoleAssignments
. To construct, see NOTES section for TRANSITIVEROLEASSIGNMENTS properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleAssignment[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Microsoft.Graph.Beta.PowerShell.Models.IIdentityGovernanceIdentity
Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphRbacApplication
System.Collections.IDictionary
Outputs
Microsoft.Graph.Beta.PowerShell.Models.IMicrosoftGraphRbacApplication
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
BODYPARAMETER <IMicrosoftGraphRbacApplication>
: rbacApplication
[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[ResourceNamespaces <IMicrosoftGraphUnifiedRbacResourceNamespace-
[]>]
:[Id <String>]
: The unique identifier for an entity. Read-only.[Name <String>]
: Name of the resource namespace. Typically, the same name as the id property, such as microsoft.aad.b2c. Required. Supports $filter (eq, startsWith).[ResourceActions <IMicrosoftGraphUnifiedRbacResourceAction-
[]>]
: Operations that an authorized principal is allowed to perform.[Id <String>]
: The unique identifier for an entity. Read-only.[ActionVerb <String>]
: HTTP method for the action, such as DELETE, GET, PATCH, POST, PUT, or null. Supports $filter (eq) but not for null values.[AuthenticationContext <IMicrosoftGraphAuthenticationContextClassReference>]
: authenticationContextClassReference[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[Description <String>]
: A short explanation of the policies that are enforced by authenticationContextClassReference. This value should be used to provide secondary text to describe the authentication context class reference when building user facing admin experiences. For example, selection UX.[DisplayName <String>]
: A friendly name that identifies the authenticationContextClassReference object when building user-facing admin experiences. For example, a selection UX.[IsAvailable <Boolean?>]
: Indicates whether the authenticationContextClassReference has been published by the security admin and is ready for use by apps. When it's set to false, it shouldn't be shown in selection UX used to tag resources with authentication context class values. It will still be shown in the Conditional Access policy authoring experience. Supports $filter (eq).
[AuthenticationContextId <String>]
:[Description <String>]
: Description for the action. Supports $filter (eq).[IsAuthenticationContextSettable <Boolean?>]
:[IsPrivileged <Boolean?>]
: Flag indicating if the action is a sensitive resource action. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[Name <String>]
: Name for the action within the resource namespace, such as microsoft.insights/programs/update. Can include slash character (/). Case insensitive. Required. Supports $filter (eq).[ResourceScope <IMicrosoftGraphUnifiedRbacResourceScope>]
: unifiedRbacResourceScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
:[Scope <String>]
:[Type <String>]
:
[ResourceScopeId <String>]
: Not implemented.
[RoleAssignmentApprovals <IMicrosoftGraphApproval-
[]>]
:[Id <String>]
: The unique identifier for an entity. Read-only.[Steps <IMicrosoftGraphApprovalStep-
[]>]
: Used to represent the decision associated with a single step in the approval process configured in approvalStage.[Id <String>]
: The unique identifier for an entity. Read-only.[AssignedToMe <Boolean?>]
: Indicates whether the step is assigned to the calling user to review. Read-only.[DisplayName <String>]
: The label provided by the policy creator to identify an approval step. Read-only.[Justification <String>]
: The justification associated with the approval step decision.[ReviewResult <String>]
: The result of this approval record. Possible values include: NotReviewed, Approved, Denied.[ReviewedBy <IMicrosoftGraphIdentity>]
: identity[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.[Id <String>]
: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
[ReviewedDateTime <DateTime?>]
: The date and time when a decision was recorded. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.[Status <String>]
: The step status. Possible values: InProgress, Initializing, Completed, Expired. Read-only.
[RoleAssignmentScheduleInstances <IMicrosoftGraphUnifiedRoleAssignmentScheduleInstance-
[]>]
:[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or role eligibility. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or that's eligible for a role.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for.[Id <String>]
: The unique identifier for an entity. Read-only.[ActivatedUsing <IMicrosoftGraphUnifiedRoleEligibilityScheduleInstance>]
: unifiedRoleEligibilityScheduleInstance[(Any) <Object>]
: This indicates any property can be added to this object.[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or role eligibility. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or that's eligible for a role.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for.[Id <String>]
: The unique identifier for an entity. Read-only.[EndDateTime <DateTime?>]
: Time that the roleEligibilityScheduleInstance will expire.[MemberType <String>]
: Membership type of the assignment. It can either be Inherited, Direct, or Group.[RoleEligibilityScheduleId <String>]
: Identifier of the parent roleEligibilitySchedule for this instance.[StartDateTime <DateTime?>]
: Time that the roleEligibilityScheduleInstance will start.
[AssignmentType <String>]
: The type of the assignment that can either be Assigned or Activated. Supports $filter (eq, ne).[EndDateTime <DateTime?>]
: The end date of the schedule instance.[MemberType <String>]
: How the assignment is inherited. It can either be Inherited, Direct, or Group. It can further imply whether the unifiedRoleAssignmentSchedule can be managed by the caller. Supports $filter (eq, ne).[RoleAssignmentOriginId <String>]
: The identifier of the role assignment in Microsoft Entra ID.[RoleAssignmentScheduleId <String>]
: The identifier of the unifiedRoleAssignmentSchedule object from which this instance was created.[StartDateTime <DateTime?>]
: When this instance starts.
[RoleAssignmentScheduleRequests <IMicrosoftGraphUnifiedRoleAssignmentScheduleRequest-
[]>]
:[ApprovalId <String>]
: The identifier of the approval of the request.[CompletedDateTime <DateTime?>]
: The request completion date time.[CreatedBy <IMicrosoftGraphIdentitySet>]
: identitySet[(Any) <Object>]
: This indicates any property can be added to this object.[Application <IMicrosoftGraphIdentity>]
: identity[Device <IMicrosoftGraphIdentity>]
: identity[User <IMicrosoftGraphIdentity>]
: identity
[CreatedDateTime <DateTime?>]
: The request creation date time.[CustomData <String>]
: Free text field to define any custom data for the request. Not used.[Status <String>]
: The status of the request. Not nullable. The possible values are: Canceled, Denied, Failed, Granted, PendingAdminDecision, PendingApproval, PendingProvisioning, PendingScheduleCreation, Provisioned, Revoked, and ScheduleCreated. Not nullable.[Id <String>]
: The unique identifier for an entity. Read-only.[Action <String>]
: Represents the type of the operation on the role assignment request. The possible values are: adminAssign, adminUpdate, adminRemove, selfActivate, selfDeactivate, adminExtend, adminRenew, selfExtend, selfRenew, unknownFutureValue. adminAssign: For administrators to assign roles to principals.adminRemove: For administrators to remove principals from roles. adminUpdate: For administrators to change existing role assignments.adminExtend: For administrators to extend expiring assignments.adminRenew: For administrators to renew expired assignments.selfActivate: For principals to activate their assignments.selfDeactivate: For principals to deactivate their active assignments.selfExtend: For principals to request to extend their expiring assignments.selfRenew: For principals to request to renew their expired assignments.[ActivatedUsing <IMicrosoftGraphUnifiedRoleEligibilitySchedule>]
: unifiedRoleEligibilitySchedule[(Any) <Object>]
: This indicates any property can be added to this object.[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[CreatedDateTime <DateTime?>]
: When the schedule was created.[CreatedUsing <String>]
: Identifier of the object through which this schedule was created.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[ModifiedDateTime <DateTime?>]
: When the schedule was last modified.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or eligibility.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for.[Status <String>]
: The status of the role assignment or eligibility request.[Id <String>]
: The unique identifier for an entity. Read-only.[MemberType <String>]
: Membership type of the eligible assignment. It can either be Inherited, Direct, or Group. Supports $filter (eq).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule[(Any) <Object>]
: This indicates any property can be added to this object.[Expiration <IMicrosoftGraphExpirationPattern>]
: expirationPattern[(Any) <Object>]
: This indicates any property can be added to this object.[Duration <TimeSpan?>]
: The requestor's desired duration of access represented in ISO 8601 format for durations. For example, PT3H refers to three hours. If specified in a request, endDateTime should not be present and the type property should be set to afterDuration.[EndDateTime <DateTime?>]
: Timestamp of date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.[Type <String>]
: expirationPatternType
[Recurrence <IMicrosoftGraphPatternedRecurrence>]
: patternedRecurrence[(Any) <Object>]
: This indicates any property can be added to this object.[Pattern <IMicrosoftGraphRecurrencePattern>]
: recurrencePattern[(Any) <Object>]
: This indicates any property can be added to this object.[DayOfMonth <Int32?>]
: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.[DaysOfWeek <String-
[]>]
: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.[FirstDayOfWeek <String>]
: dayOfWeek[Index <String>]
: weekIndex[Interval <Int32?>]
: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.[Month <Int32?>]
: The month in which the event occurs. This is a number from 1 to 12.[Type <String>]
: recurrencePatternType
[Range <IMicrosoftGraphRecurrenceRange>]
: recurrenceRange[(Any) <Object>]
: This indicates any property can be added to this object.[EndDate <DateTime?>]
: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.[NumberOfOccurrences <Int32?>]
: The number of times to repeat the event. Required and must be positive if type is numbered.[RecurrenceTimeZone <String>]
: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.[StartDate <DateTime?>]
: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.[Type <String>]
: recurrenceRangeType
[StartDateTime <DateTime?>]
: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. In PIM, when the eligible or active assignment becomes active.
[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, ne, and on null values).[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, ne, and on null values).[IsValidationOnly <Boolean?>]
: Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.[Justification <String>]
: A message provided by users and administrators when create they create the unifiedRoleAssignmentScheduleRequest object.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the assignment. Can be a user, role-assignable group, or a service principal. Supports $filter (eq, ne).[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports $filter (eq, ne).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule[TargetSchedule <IMicrosoftGraphUnifiedRoleAssignmentSchedule>]
: unifiedRoleAssignmentSchedule[(Any) <Object>]
: This indicates any property can be added to this object.[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[CreatedDateTime <DateTime?>]
: When the schedule was created.[CreatedUsing <String>]
: Identifier of the object through which this schedule was created.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[ModifiedDateTime <DateTime?>]
: When the schedule was last modified.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or eligibility.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for.[Status <String>]
: The status of the role assignment or eligibility request.[Id <String>]
: The unique identifier for an entity. Read-only.[ActivatedUsing <IMicrosoftGraphUnifiedRoleEligibilitySchedule>]
: unifiedRoleEligibilitySchedule[AssignmentType <String>]
: The type of the assignment that can either be Assigned or Activated. Supports $filter (eq, ne).[MemberType <String>]
: How the assignment is inherited. It can either be Inherited, Direct, or Group. It can further imply whether the unifiedRoleAssignmentSchedule can be managed by the caller. Supports $filter (eq, ne).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule
[TargetScheduleId <String>]
: Identifier of the schedule object that's linked to the assignment request. Supports $filter (eq, ne).[TicketInfo <IMicrosoftGraphTicketInfo>]
: ticketInfo[(Any) <Object>]
: This indicates any property can be added to this object.[TicketApproverIdentityId <String>]
: ID for the request approver.[TicketNumber <String>]
: The ticket number.[TicketSubmitterIdentityId <String>]
: ID for the request submitter.[TicketSystem <String>]
: The description of the ticket system.
[RoleAssignmentSchedules <IMicrosoftGraphUnifiedRoleAssignmentSchedule-
[]>]
:[RoleAssignments <IMicrosoftGraphUnifiedRoleAssignment-
[]>]
:[Id <String>]
: The unique identifier for an entity. Read-only.[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997. Supports $filter (eq, in). For example /roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'.[Condition <String>]
:[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports $filter (eq, in).[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports $filter (eq, in).[PrincipalOrganizationId <String>]
: Identifier of the home tenant for the principal to which the assignment is granted.[ResourceScope <String>]
: The scope at which the unifiedRoleAssignment applies. This is / for service-wide. DO NOT USE. This property will be deprecated soon.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports $filter (eq, in).
[RoleDefinitions <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
:[RoleEligibilityScheduleInstances <IMicrosoftGraphUnifiedRoleEligibilityScheduleInstance-
[]>]
:[RoleEligibilityScheduleRequests <IMicrosoftGraphUnifiedRoleEligibilityScheduleRequest-
[]>]
:[ApprovalId <String>]
: The identifier of the approval of the request.[CompletedDateTime <DateTime?>]
: The request completion date time.[CreatedBy <IMicrosoftGraphIdentitySet>]
: identitySet[CreatedDateTime <DateTime?>]
: The request creation date time.[CustomData <String>]
: Free text field to define any custom data for the request. Not used.[Status <String>]
: The status of the request. Not nullable. The possible values are: Canceled, Denied, Failed, Granted, PendingAdminDecision, PendingApproval, PendingProvisioning, PendingScheduleCreation, Provisioned, Revoked, and ScheduleCreated. Not nullable.[Id <String>]
: The unique identifier for an entity. Read-only.[Action <String>]
: Represents the type of operation on the role eligibility request. The possible values are: AdminAssign: For administrators to assign eligible roles to principals.AdminRemove: For administrators to remove eligible roles from principals. AdminUpdate: For administrators to change existing role eligibilities.AdminExtend: For administrators to extend expiring role eligibilities.AdminRenew: For administrators to renew expired eligibilities.UserAdd: For users to activate their eligible assignments.UserRemove: For users to deactivate their active eligible assignments.UserExtend: For users to request to extend their expiring eligible assignments.UserRenew: For users to request to renew their expired eligible assignments.[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, ne, and on null values).[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, ne, and on null values).[IsValidationOnly <Boolean?>]
: Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.[Justification <String>]
: A message provided by users and administrators when create they create the unifiedRoleEligibilityScheduleRequest object.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role eligibility. Can be a user or a role-assignable group. You can grant only active assignments service principals. Supports $filter (eq, ne).[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports $filter (eq, ne).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule[TargetSchedule <IMicrosoftGraphUnifiedRoleEligibilitySchedule>]
: unifiedRoleEligibilitySchedule[TargetScheduleId <String>]
: Identifier of the schedule object that's linked to the eligibility request. Supports $filter (eq, ne).[TicketInfo <IMicrosoftGraphTicketInfo>]
: ticketInfo
[RoleEligibilitySchedules <IMicrosoftGraphUnifiedRoleEligibilitySchedule-
[]>]
:[TransitiveRoleAssignments <IMicrosoftGraphUnifiedRoleAssignment-
[]>]
:
INPUTOBJECT <IIdentityGovernanceIdentity>
: Identity Parameter
[AccessPackageAssignmentId <String>]
: The unique identifier of accessPackageAssignment[AccessPackageAssignmentPolicyId <String>]
: The unique identifier of accessPackageAssignmentPolicy[AccessPackageAssignmentRequestId <String>]
: The unique identifier of accessPackageAssignmentRequest[AccessPackageAssignmentResourceRoleId <String>]
: The unique identifier of accessPackageAssignmentResourceRole[AccessPackageCatalogId <String>]
: The unique identifier of accessPackageCatalog[AccessPackageId <String>]
: The unique identifier of accessPackage[AccessPackageId1 <String>]
: The unique identifier of accessPackage[AccessPackageResourceEnvironmentId <String>]
: The unique identifier of accessPackageResourceEnvironment[AccessPackageResourceId <String>]
: The unique identifier of accessPackageResource[AccessPackageResourceRequestId <String>]
: The unique identifier of accessPackageResourceRequest[AccessPackageResourceRoleId <String>]
: The unique identifier of accessPackageResourceRole[AccessPackageResourceRoleScopeId <String>]
: The unique identifier of accessPackageResourceRoleScope[AccessPackageResourceScopeId <String>]
: The unique identifier of accessPackageResourceScope[AccessPackageSubjectId <String>]
: The unique identifier of accessPackageSubject[AccessReviewDecisionId <String>]
: The unique identifier of accessReviewDecision[AccessReviewHistoryDefinitionId <String>]
: The unique identifier of accessReviewHistoryDefinition[AccessReviewHistoryInstanceId <String>]
: The unique identifier of accessReviewHistoryInstance[AccessReviewId <String>]
: The unique identifier of accessReview[AccessReviewId1 <String>]
: The unique identifier of accessReview[AccessReviewInstanceDecisionItemId <String>]
: The unique identifier of accessReviewInstanceDecisionItem[AccessReviewInstanceDecisionItemId1 <String>]
: The unique identifier of accessReviewInstanceDecisionItem[AccessReviewInstanceId <String>]
: The unique identifier of accessReviewInstance[AccessReviewReviewerId <String>]
: The unique identifier of accessReviewReviewer[AccessReviewScheduleDefinitionId <String>]
: The unique identifier of accessReviewScheduleDefinition[AccessReviewStageId <String>]
: The unique identifier of accessReviewStage[AgreementAcceptanceId <String>]
: The unique identifier of agreementAcceptance[AgreementFileLocalizationId <String>]
: The unique identifier of agreementFileLocalization[AgreementFileVersionId <String>]
: The unique identifier of agreementFileVersion[AgreementId <String>]
: The unique identifier of agreement[AppConsentRequestId <String>]
: The unique identifier of appConsentRequest[ApprovalId <String>]
: The unique identifier of approval[ApprovalStepId <String>]
: The unique identifier of approvalStep[BusinessFlowTemplateId <String>]
: The unique identifier of businessFlowTemplate[ConnectedOrganizationId <String>]
: The unique identifier of connectedOrganization[CustomAccessPackageWorkflowExtensionId <String>]
: The unique identifier of customAccessPackageWorkflowExtension[CustomCalloutExtensionId <String>]
: The unique identifier of customCalloutExtension[CustomExtensionHandlerId <String>]
: The unique identifier of customExtensionHandler[CustomExtensionStageSettingId <String>]
: The unique identifier of customExtensionStageSetting[CustomTaskExtensionId <String>]
: The unique identifier of customTaskExtension[DirectoryObjectId <String>]
: The unique identifier of directoryObject[EndDateTime <DateTime?>]
: Usage: endDateTime={endDateTime}[FindingId <String>]
: The unique identifier of finding[GovernanceInsightId <String>]
: The unique identifier of governanceInsight[GovernanceResourceId <String>]
: The unique identifier of governanceResource[GovernanceRoleAssignmentId <String>]
: The unique identifier of governanceRoleAssignment[GovernanceRoleAssignmentRequestId <String>]
: The unique identifier of governanceRoleAssignmentRequest[GovernanceRoleDefinitionId <String>]
: The unique identifier of governanceRoleDefinition[GovernanceRoleSettingId <String>]
: The unique identifier of governanceRoleSetting[IncompatibleAccessPackageId <String>]
: Usage: incompatibleAccessPackageId='{incompatibleAccessPackageId}'[LongRunningOperationId <String>]
: The unique identifier of longRunningOperation[ObjectId <String>]
: Alternate key of accessPackageSubject[On <String>]
: Usage: on='{on}'[PermissionsCreepIndexDistributionId <String>]
: The unique identifier of permissionsCreepIndexDistribution[PermissionsRequestChangeId <String>]
: The unique identifier of permissionsRequestChange[PrivilegedAccessGroupAssignmentScheduleId <String>]
: The unique identifier of privilegedAccessGroupAssignmentSchedule[PrivilegedAccessGroupAssignmentScheduleInstanceId <String>]
: The unique identifier of privilegedAccessGroupAssignmentScheduleInstance[PrivilegedAccessGroupAssignmentScheduleRequestId <String>]
: The unique identifier of privilegedAccessGroupAssignmentScheduleRequest[PrivilegedAccessGroupEligibilityScheduleId <String>]
: The unique identifier of privilegedAccessGroupEligibilitySchedule[PrivilegedAccessGroupEligibilityScheduleInstanceId <String>]
: The unique identifier of privilegedAccessGroupEligibilityScheduleInstance[PrivilegedAccessGroupEligibilityScheduleRequestId <String>]
: The unique identifier of privilegedAccessGroupEligibilityScheduleRequest[PrivilegedAccessId <String>]
: The unique identifier of privilegedAccess[PrivilegedApprovalId <String>]
: The unique identifier of privilegedApproval[PrivilegedOperationEventId <String>]
: The unique identifier of privilegedOperationEvent[PrivilegedRoleAssignmentId <String>]
: The unique identifier of privilegedRoleAssignment[PrivilegedRoleAssignmentId1 <String>]
: The unique identifier of privilegedRoleAssignment[PrivilegedRoleAssignmentRequestId <String>]
: The unique identifier of privilegedRoleAssignmentRequest[PrivilegedRoleId <String>]
: The unique identifier of privilegedRole[ProgramControlId <String>]
: The unique identifier of programControl[ProgramControlId1 <String>]
: The unique identifier of programControl[ProgramControlTypeId <String>]
: The unique identifier of programControlType[ProgramId <String>]
: The unique identifier of program[RbacApplicationId <String>]
: The unique identifier of rbacApplication[RunId <String>]
: The unique identifier of run[StartDateTime <DateTime?>]
: Usage: startDateTime={startDateTime}[TaskDefinitionId <String>]
: The unique identifier of taskDefinition[TaskId <String>]
: The unique identifier of task[TaskProcessingResultId <String>]
: The unique identifier of taskProcessingResult[TaskReportId <String>]
: The unique identifier of taskReport[UnifiedRbacResourceActionId <String>]
: The unique identifier of unifiedRbacResourceAction[UnifiedRbacResourceNamespaceId <String>]
: The unique identifier of unifiedRbacResourceNamespace[UnifiedRoleAssignmentId <String>]
: The unique identifier of unifiedRoleAssignment[UnifiedRoleAssignmentScheduleId <String>]
: The unique identifier of unifiedRoleAssignmentSchedule[UnifiedRoleAssignmentScheduleInstanceId <String>]
: The unique identifier of unifiedRoleAssignmentScheduleInstance[UnifiedRoleAssignmentScheduleRequestId <String>]
: The unique identifier of unifiedRoleAssignmentScheduleRequest[UnifiedRoleDefinitionId <String>]
: The unique identifier of unifiedRoleDefinition[UnifiedRoleDefinitionId1 <String>]
: The unique identifier of unifiedRoleDefinition[UnifiedRoleEligibilityScheduleId <String>]
: The unique identifier of unifiedRoleEligibilitySchedule[UnifiedRoleEligibilityScheduleInstanceId <String>]
: The unique identifier of unifiedRoleEligibilityScheduleInstance[UnifiedRoleEligibilityScheduleRequestId <String>]
: The unique identifier of unifiedRoleEligibilityScheduleRequest[UnifiedRoleManagementAlertConfigurationId <String>]
: The unique identifier of unifiedRoleManagementAlertConfiguration[UnifiedRoleManagementAlertDefinitionId <String>]
: The unique identifier of unifiedRoleManagementAlertDefinition[UnifiedRoleManagementAlertId <String>]
: The unique identifier of unifiedRoleManagementAlert[UnifiedRoleManagementAlertIncidentId <String>]
: The unique identifier of unifiedRoleManagementAlertIncident[UniqueName <String>]
: Alternate key of accessPackageCatalog[UserConsentRequestId <String>]
: The unique identifier of userConsentRequest[UserId <String>]
: The unique identifier of user[UserProcessingResultId <String>]
: The unique identifier of userProcessingResult[WorkflowId <String>]
: The unique identifier of workflow[WorkflowTemplateId <String>]
: The unique identifier of workflowTemplate[WorkflowVersionNumber <Int32?>]
: The unique identifier of workflowVersion
RESOURCENAMESPACES <IMicrosoftGraphUnifiedRbacResourceNamespace- []
>: .
[Id <String>]
: The unique identifier for an entity. Read-only.[Name <String>]
: Name of the resource namespace. Typically, the same name as the id property, such as microsoft.aad.b2c. Required. Supports $filter (eq, startsWith).[ResourceActions <IMicrosoftGraphUnifiedRbacResourceAction-
[]>]
: Operations that an authorized principal is allowed to perform.[Id <String>]
: The unique identifier for an entity. Read-only.[ActionVerb <String>]
: HTTP method for the action, such as DELETE, GET, PATCH, POST, PUT, or null. Supports $filter (eq) but not for null values.[AuthenticationContext <IMicrosoftGraphAuthenticationContextClassReference>]
: authenticationContextClassReference[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[Description <String>]
: A short explanation of the policies that are enforced by authenticationContextClassReference. This value should be used to provide secondary text to describe the authentication context class reference when building user facing admin experiences. For example, selection UX.[DisplayName <String>]
: A friendly name that identifies the authenticationContextClassReference object when building user-facing admin experiences. For example, a selection UX.[IsAvailable <Boolean?>]
: Indicates whether the authenticationContextClassReference has been published by the security admin and is ready for use by apps. When it's set to false, it shouldn't be shown in selection UX used to tag resources with authentication context class values. It will still be shown in the Conditional Access policy authoring experience. Supports $filter (eq).
[AuthenticationContextId <String>]
:[Description <String>]
: Description for the action. Supports $filter (eq).[IsAuthenticationContextSettable <Boolean?>]
:[IsPrivileged <Boolean?>]
: Flag indicating if the action is a sensitive resource action. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[Name <String>]
: Name for the action within the resource namespace, such as microsoft.insights/programs/update. Can include slash character (/). Case insensitive. Required. Supports $filter (eq).[ResourceScope <IMicrosoftGraphUnifiedRbacResourceScope>]
: unifiedRbacResourceScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
:[Scope <String>]
:[Type <String>]
:
[ResourceScopeId <String>]
: Not implemented.
ROLEASSIGNMENTAPPROVALS <IMicrosoftGraphApproval- []
>: .
[Id <String>]
: The unique identifier for an entity. Read-only.[Steps <IMicrosoftGraphApprovalStep-
[]>]
: Used to represent the decision associated with a single step in the approval process configured in approvalStage.[Id <String>]
: The unique identifier for an entity. Read-only.[AssignedToMe <Boolean?>]
: Indicates whether the step is assigned to the calling user to review. Read-only.[DisplayName <String>]
: The label provided by the policy creator to identify an approval step. Read-only.[Justification <String>]
: The justification associated with the approval step decision.[ReviewResult <String>]
: The result of this approval record. Possible values include: NotReviewed, Approved, Denied.[ReviewedBy <IMicrosoftGraphIdentity>]
: identity[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.[Id <String>]
: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
[ReviewedDateTime <DateTime?>]
: The date and time when a decision was recorded. The date and time information uses ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.[Status <String>]
: The step status. Possible values: InProgress, Initializing, Completed, Expired. Read-only.
ROLEASSIGNMENTS <IMicrosoftGraphUnifiedRoleAssignment- []
>: .
[Id <String>]
: The unique identifier for an entity. Read-only.[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997. Supports $filter (eq, in). For example /roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'.[Condition <String>]
:[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports $filter (eq, in).[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports $filter (eq, in).[PrincipalOrganizationId <String>]
: Identifier of the home tenant for the principal to which the assignment is granted.[ResourceScope <String>]
: The scope at which the unifiedRoleAssignment applies. This is / for service-wide. DO NOT USE. This property will be deprecated soon.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports $filter (eq, in).
ROLEASSIGNMENTSCHEDULEINSTANCES <IMicrosoftGraphUnifiedRoleAssignmentScheduleInstance- []
>: .
[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or role eligibility. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or that's eligible for a role.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for.[Id <String>]
: The unique identifier for an entity. Read-only.[ActivatedUsing <IMicrosoftGraphUnifiedRoleEligibilityScheduleInstance>]
: unifiedRoleEligibilityScheduleInstance[(Any) <Object>]
: This indicates any property can be added to this object.[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or role eligibility. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or that's eligible for a role.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for.[Id <String>]
: The unique identifier for an entity. Read-only.[EndDateTime <DateTime?>]
: Time that the roleEligibilityScheduleInstance will expire.[MemberType <String>]
: Membership type of the assignment. It can either be Inherited, Direct, or Group.[RoleEligibilityScheduleId <String>]
: Identifier of the parent roleEligibilitySchedule for this instance.[StartDateTime <DateTime?>]
: Time that the roleEligibilityScheduleInstance will start.
[AssignmentType <String>]
: The type of the assignment that can either be Assigned or Activated. Supports $filter (eq, ne).[EndDateTime <DateTime?>]
: The end date of the schedule instance.[MemberType <String>]
: How the assignment is inherited. It can either be Inherited, Direct, or Group. It can further imply whether the unifiedRoleAssignmentSchedule can be managed by the caller. Supports $filter (eq, ne).[RoleAssignmentOriginId <String>]
: The identifier of the role assignment in Microsoft Entra ID.[RoleAssignmentScheduleId <String>]
: The identifier of the unifiedRoleAssignmentSchedule object from which this instance was created.[StartDateTime <DateTime?>]
: When this instance starts.
ROLEASSIGNMENTSCHEDULEREQUESTS <IMicrosoftGraphUnifiedRoleAssignmentScheduleRequest- []
>: .
[ApprovalId <String>]
: The identifier of the approval of the request.[CompletedDateTime <DateTime?>]
: The request completion date time.[CreatedBy <IMicrosoftGraphIdentitySet>]
: identitySet[(Any) <Object>]
: This indicates any property can be added to this object.[Application <IMicrosoftGraphIdentity>]
: identity[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.[Id <String>]
: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
[Device <IMicrosoftGraphIdentity>]
: identity[User <IMicrosoftGraphIdentity>]
: identity
[CreatedDateTime <DateTime?>]
: The request creation date time.[CustomData <String>]
: Free text field to define any custom data for the request. Not used.[Status <String>]
: The status of the request. Not nullable. The possible values are: Canceled, Denied, Failed, Granted, PendingAdminDecision, PendingApproval, PendingProvisioning, PendingScheduleCreation, Provisioned, Revoked, and ScheduleCreated. Not nullable.[Id <String>]
: The unique identifier for an entity. Read-only.[Action <String>]
: Represents the type of the operation on the role assignment request. The possible values are: adminAssign, adminUpdate, adminRemove, selfActivate, selfDeactivate, adminExtend, adminRenew, selfExtend, selfRenew, unknownFutureValue. adminAssign: For administrators to assign roles to principals.adminRemove: For administrators to remove principals from roles. adminUpdate: For administrators to change existing role assignments.adminExtend: For administrators to extend expiring assignments.adminRenew: For administrators to renew expired assignments.selfActivate: For principals to activate their assignments.selfDeactivate: For principals to deactivate their active assignments.selfExtend: For principals to request to extend their expiring assignments.selfRenew: For principals to request to renew their expired assignments.[ActivatedUsing <IMicrosoftGraphUnifiedRoleEligibilitySchedule>]
: unifiedRoleEligibilitySchedule[(Any) <Object>]
: This indicates any property can be added to this object.[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[CreatedDateTime <DateTime?>]
: When the schedule was created.[CreatedUsing <String>]
: Identifier of the object through which this schedule was created.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[ModifiedDateTime <DateTime?>]
: When the schedule was last modified.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or eligibility.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for.[Status <String>]
: The status of the role assignment or eligibility request.[Id <String>]
: The unique identifier for an entity. Read-only.[MemberType <String>]
: Membership type of the eligible assignment. It can either be Inherited, Direct, or Group. Supports $filter (eq).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule[(Any) <Object>]
: This indicates any property can be added to this object.[Expiration <IMicrosoftGraphExpirationPattern>]
: expirationPattern[(Any) <Object>]
: This indicates any property can be added to this object.[Duration <TimeSpan?>]
: The requestor's desired duration of access represented in ISO 8601 format for durations. For example, PT3H refers to three hours. If specified in a request, endDateTime should not be present and the type property should be set to afterDuration.[EndDateTime <DateTime?>]
: Timestamp of date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.[Type <String>]
: expirationPatternType
[Recurrence <IMicrosoftGraphPatternedRecurrence>]
: patternedRecurrence[(Any) <Object>]
: This indicates any property can be added to this object.[Pattern <IMicrosoftGraphRecurrencePattern>]
: recurrencePattern[(Any) <Object>]
: This indicates any property can be added to this object.[DayOfMonth <Int32?>]
: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.[DaysOfWeek <String-
[]>]
: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.[FirstDayOfWeek <String>]
: dayOfWeek[Index <String>]
: weekIndex[Interval <Int32?>]
: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.[Month <Int32?>]
: The month in which the event occurs. This is a number from 1 to 12.[Type <String>]
: recurrencePatternType
[Range <IMicrosoftGraphRecurrenceRange>]
: recurrenceRange[(Any) <Object>]
: This indicates any property can be added to this object.[EndDate <DateTime?>]
: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.[NumberOfOccurrences <Int32?>]
: The number of times to repeat the event. Required and must be positive if type is numbered.[RecurrenceTimeZone <String>]
: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.[StartDate <DateTime?>]
: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.[Type <String>]
: recurrenceRangeType
[StartDateTime <DateTime?>]
: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. In PIM, when the eligible or active assignment becomes active.
[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment is scoped to an app. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, ne, and on null values).[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, ne, and on null values).[IsValidationOnly <Boolean?>]
: Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.[Justification <String>]
: A message provided by users and administrators when create they create the unifiedRoleAssignmentScheduleRequest object.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the assignment. Can be a user, role-assignable group, or a service principal. Supports $filter (eq, ne).[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports $filter (eq, ne).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule[TargetSchedule <IMicrosoftGraphUnifiedRoleAssignmentSchedule>]
: unifiedRoleAssignmentSchedule[(Any) <Object>]
: This indicates any property can be added to this object.[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[CreatedDateTime <DateTime?>]
: When the schedule was created.[CreatedUsing <String>]
: Identifier of the object through which this schedule was created.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[ModifiedDateTime <DateTime?>]
: When the schedule was last modified.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or eligibility.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for.[Status <String>]
: The status of the role assignment or eligibility request.[Id <String>]
: The unique identifier for an entity. Read-only.[ActivatedUsing <IMicrosoftGraphUnifiedRoleEligibilitySchedule>]
: unifiedRoleEligibilitySchedule[AssignmentType <String>]
: The type of the assignment that can either be Assigned or Activated. Supports $filter (eq, ne).[MemberType <String>]
: How the assignment is inherited. It can either be Inherited, Direct, or Group. It can further imply whether the unifiedRoleAssignmentSchedule can be managed by the caller. Supports $filter (eq, ne).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule
[TargetScheduleId <String>]
: Identifier of the schedule object that's linked to the assignment request. Supports $filter (eq, ne).[TicketInfo <IMicrosoftGraphTicketInfo>]
: ticketInfo[(Any) <Object>]
: This indicates any property can be added to this object.[TicketApproverIdentityId <String>]
: ID for the request approver.[TicketNumber <String>]
: The ticket number.[TicketSubmitterIdentityId <String>]
: ID for the request submitter.[TicketSystem <String>]
: The description of the ticket system.
ROLEASSIGNMENTSCHEDULES <IMicrosoftGraphUnifiedRoleAssignmentSchedule- []
>: .
[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[CreatedDateTime <DateTime?>]
: When the schedule was created.[CreatedUsing <String>]
: Identifier of the object through which this schedule was created.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[ModifiedDateTime <DateTime?>]
: When the schedule was last modified.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or eligibility.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for.[Status <String>]
: The status of the role assignment or eligibility request.[Id <String>]
: The unique identifier for an entity. Read-only.[ActivatedUsing <IMicrosoftGraphUnifiedRoleEligibilitySchedule>]
: unifiedRoleEligibilitySchedule[(Any) <Object>]
: This indicates any property can be added to this object.[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[CreatedDateTime <DateTime?>]
: When the schedule was created.[CreatedUsing <String>]
: Identifier of the object through which this schedule was created.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[ModifiedDateTime <DateTime?>]
: When the schedule was last modified.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or eligibility.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for.[Status <String>]
: The status of the role assignment or eligibility request.[Id <String>]
: The unique identifier for an entity. Read-only.[MemberType <String>]
: Membership type of the eligible assignment. It can either be Inherited, Direct, or Group. Supports $filter (eq).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule[(Any) <Object>]
: This indicates any property can be added to this object.[Expiration <IMicrosoftGraphExpirationPattern>]
: expirationPattern[(Any) <Object>]
: This indicates any property can be added to this object.[Duration <TimeSpan?>]
: The requestor's desired duration of access represented in ISO 8601 format for durations. For example, PT3H refers to three hours. If specified in a request, endDateTime should not be present and the type property should be set to afterDuration.[EndDateTime <DateTime?>]
: Timestamp of date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.[Type <String>]
: expirationPatternType
[Recurrence <IMicrosoftGraphPatternedRecurrence>]
: patternedRecurrence[(Any) <Object>]
: This indicates any property can be added to this object.[Pattern <IMicrosoftGraphRecurrencePattern>]
: recurrencePattern[(Any) <Object>]
: This indicates any property can be added to this object.[DayOfMonth <Int32?>]
: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.[DaysOfWeek <String-
[]>]
: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.[FirstDayOfWeek <String>]
: dayOfWeek[Index <String>]
: weekIndex[Interval <Int32?>]
: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.[Month <Int32?>]
: The month in which the event occurs. This is a number from 1 to 12.[Type <String>]
: recurrencePatternType
[Range <IMicrosoftGraphRecurrenceRange>]
: recurrenceRange[(Any) <Object>]
: This indicates any property can be added to this object.[EndDate <DateTime?>]
: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.[NumberOfOccurrences <Int32?>]
: The number of times to repeat the event. Required and must be positive if type is numbered.[RecurrenceTimeZone <String>]
: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.[StartDate <DateTime?>]
: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.[Type <String>]
: recurrenceRangeType
[StartDateTime <DateTime?>]
: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. In PIM, when the eligible or active assignment becomes active.
[AssignmentType <String>]
: The type of the assignment that can either be Assigned or Activated. Supports $filter (eq, ne).[MemberType <String>]
: How the assignment is inherited. It can either be Inherited, Direct, or Group. It can further imply whether the unifiedRoleAssignmentSchedule can be managed by the caller. Supports $filter (eq, ne).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule
ROLEDEFINITIONS <IMicrosoftGraphUnifiedRoleDefinition- []
>: .
[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
ROLEELIGIBILITYSCHEDULEINSTANCES <IMicrosoftGraphUnifiedRoleEligibilityScheduleInstance- []
>: .
[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or role eligibility. The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or that's eligible for a role.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for.[Id <String>]
: The unique identifier for an entity. Read-only.[EndDateTime <DateTime?>]
: Time that the roleEligibilityScheduleInstance will expire.[MemberType <String>]
: Membership type of the assignment. It can either be Inherited, Direct, or Group.[RoleEligibilityScheduleId <String>]
: Identifier of the parent roleEligibilitySchedule for this instance.[StartDateTime <DateTime?>]
: Time that the roleEligibilityScheduleInstance will start.
ROLEELIGIBILITYSCHEDULEREQUESTS <IMicrosoftGraphUnifiedRoleEligibilityScheduleRequest- []
>: .
[ApprovalId <String>]
: The identifier of the approval of the request.[CompletedDateTime <DateTime?>]
: The request completion date time.[CreatedBy <IMicrosoftGraphIdentitySet>]
: identitySet[(Any) <Object>]
: This indicates any property can be added to this object.[Application <IMicrosoftGraphIdentity>]
: identity[(Any) <Object>]
: This indicates any property can be added to this object.[DisplayName <String>]
: The display name of the identity. For drive items, the display name might not always be available or up to date. For example, if a user changes their display name the API might show the new value in a future response, but the items associated with the user don't show up as changed when using delta.[Id <String>]
: Unique identifier for the identity or actor. For example, in the access reviews decisions API, this property might record the id of the principal, that is, the group, user, or application that's subject to review.
[Device <IMicrosoftGraphIdentity>]
: identity[User <IMicrosoftGraphIdentity>]
: identity
[CreatedDateTime <DateTime?>]
: The request creation date time.[CustomData <String>]
: Free text field to define any custom data for the request. Not used.[Status <String>]
: The status of the request. Not nullable. The possible values are: Canceled, Denied, Failed, Granted, PendingAdminDecision, PendingApproval, PendingProvisioning, PendingScheduleCreation, Provisioned, Revoked, and ScheduleCreated. Not nullable.[Id <String>]
: The unique identifier for an entity. Read-only.[Action <String>]
: Represents the type of operation on the role eligibility request. The possible values are: AdminAssign: For administrators to assign eligible roles to principals.AdminRemove: For administrators to remove eligible roles from principals. AdminUpdate: For administrators to change existing role eligibilities.AdminExtend: For administrators to extend expiring role eligibilities.AdminRenew: For administrators to renew expired eligibilities.UserAdd: For users to activate their eligible assignments.UserRemove: For users to deactivate their active eligible assignments.UserExtend: For users to request to extend their expiring eligible assignments.UserRenew: For users to request to renew their expired eligible assignments.[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Supports $filter (eq, ne, and on null values).[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the role eligibility. The scope of a role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Supports $filter (eq, ne, and on null values).[IsValidationOnly <Boolean?>]
: Determines whether the call is a validation or an actual call. Only set this property if you want to check whether an activation is subject to additional rules like MFA before actually submitting the request.[Justification <String>]
: A message provided by users and administrators when create they create the unifiedRoleEligibilityScheduleRequest object.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role eligibility. Can be a user or a role-assignable group. You can grant only active assignments service principals. Supports $filter (eq, ne).[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal. Supports $filter (eq, ne).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule[(Any) <Object>]
: This indicates any property can be added to this object.[Expiration <IMicrosoftGraphExpirationPattern>]
: expirationPattern[(Any) <Object>]
: This indicates any property can be added to this object.[Duration <TimeSpan?>]
: The requestor's desired duration of access represented in ISO 8601 format for durations. For example, PT3H refers to three hours. If specified in a request, endDateTime should not be present and the type property should be set to afterDuration.[EndDateTime <DateTime?>]
: Timestamp of date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.[Type <String>]
: expirationPatternType
[Recurrence <IMicrosoftGraphPatternedRecurrence>]
: patternedRecurrence[(Any) <Object>]
: This indicates any property can be added to this object.[Pattern <IMicrosoftGraphRecurrencePattern>]
: recurrencePattern[(Any) <Object>]
: This indicates any property can be added to this object.[DayOfMonth <Int32?>]
: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.[DaysOfWeek <String-
[]>]
: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.[FirstDayOfWeek <String>]
: dayOfWeek[Index <String>]
: weekIndex[Interval <Int32?>]
: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.[Month <Int32?>]
: The month in which the event occurs. This is a number from 1 to 12.[Type <String>]
: recurrencePatternType
[Range <IMicrosoftGraphRecurrenceRange>]
: recurrenceRange[(Any) <Object>]
: This indicates any property can be added to this object.[EndDate <DateTime?>]
: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.[NumberOfOccurrences <Int32?>]
: The number of times to repeat the event. Required and must be positive if type is numbered.[RecurrenceTimeZone <String>]
: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.[StartDate <DateTime?>]
: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.[Type <String>]
: recurrenceRangeType
[StartDateTime <DateTime?>]
: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. In PIM, when the eligible or active assignment becomes active.
[TargetSchedule <IMicrosoftGraphUnifiedRoleEligibilitySchedule>]
: unifiedRoleEligibilitySchedule[(Any) <Object>]
: This indicates any property can be added to this object.[AppScope <IMicrosoftGraphAppScope>]
: appScope[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[CreatedDateTime <DateTime?>]
: When the schedule was created.[CreatedUsing <String>]
: Identifier of the object through which this schedule was created.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[ModifiedDateTime <DateTime?>]
: When the schedule was last modified.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or eligibility.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for.[Status <String>]
: The status of the role assignment or eligibility request.[Id <String>]
: The unique identifier for an entity. Read-only.[MemberType <String>]
: Membership type of the eligible assignment. It can either be Inherited, Direct, or Group. Supports $filter (eq).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule
[TargetScheduleId <String>]
: Identifier of the schedule object that's linked to the eligibility request. Supports $filter (eq, ne).[TicketInfo <IMicrosoftGraphTicketInfo>]
: ticketInfo[(Any) <Object>]
: This indicates any property can be added to this object.[TicketApproverIdentityId <String>]
: ID for the request approver.[TicketNumber <String>]
: The ticket number.[TicketSubmitterIdentityId <String>]
: ID for the request submitter.[TicketSystem <String>]
: The description of the ticket system.
ROLEELIGIBILITYSCHEDULES <IMicrosoftGraphUnifiedRoleEligibilitySchedule- []
>: .
[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app-specific scope when the assignment or eligibility is scoped to an app. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.[CreatedDateTime <DateTime?>]
: When the schedule was created.[CreatedUsing <String>]
: Identifier of the object through which this schedule was created.[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment or eligibility. The scope of an assignment or eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only.[ModifiedDateTime <DateTime?>]
: When the schedule was last modified.[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal that has been granted the role assignment or eligibility.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that a principal is eligible for.[Status <String>]
: The status of the role assignment or eligibility request.[Id <String>]
: The unique identifier for an entity. Read-only.[MemberType <String>]
: Membership type of the eligible assignment. It can either be Inherited, Direct, or Group. Supports $filter (eq).[ScheduleInfo <IMicrosoftGraphRequestSchedule>]
: requestSchedule[(Any) <Object>]
: This indicates any property can be added to this object.[Expiration <IMicrosoftGraphExpirationPattern>]
: expirationPattern[(Any) <Object>]
: This indicates any property can be added to this object.[Duration <TimeSpan?>]
: The requestor's desired duration of access represented in ISO 8601 format for durations. For example, PT3H refers to three hours. If specified in a request, endDateTime should not be present and the type property should be set to afterDuration.[EndDateTime <DateTime?>]
: Timestamp of date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.[Type <String>]
: expirationPatternType
[Recurrence <IMicrosoftGraphPatternedRecurrence>]
: patternedRecurrence[(Any) <Object>]
: This indicates any property can be added to this object.[Pattern <IMicrosoftGraphRecurrencePattern>]
: recurrencePattern[(Any) <Object>]
: This indicates any property can be added to this object.[DayOfMonth <Int32?>]
: The day of the month on which the event occurs. Required if type is absoluteMonthly or absoluteYearly.[DaysOfWeek <String-
[]>]
: A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday. If type is relativeMonthly or relativeYearly, and daysOfWeek specifies more than one day, the event falls on the first day that satisfies the pattern. Required if type is weekly, relativeMonthly, or relativeYearly.[FirstDayOfWeek <String>]
: dayOfWeek[Index <String>]
: weekIndex[Interval <Int32?>]
: The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. Required.[Month <Int32?>]
: The month in which the event occurs. This is a number from 1 to 12.[Type <String>]
: recurrencePatternType
[Range <IMicrosoftGraphRecurrenceRange>]
: recurrenceRange[(Any) <Object>]
: This indicates any property can be added to this object.[EndDate <DateTime?>]
: The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. Required if type is endDate.[NumberOfOccurrences <Int32?>]
: The number of times to repeat the event. Required and must be positive if type is numbered.[RecurrenceTimeZone <String>]
: Time zone for the startDate and endDate properties. Optional. If not specified, the time zone of the event is used.[StartDate <DateTime?>]
: The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. Required.[Type <String>]
: recurrenceRangeType
[StartDateTime <DateTime?>]
: The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. In PIM, when the eligible or active assignment becomes active.
TRANSITIVEROLEASSIGNMENTS <IMicrosoftGraphUnifiedRoleAssignment- []
>: .
[Id <String>]
: The unique identifier for an entity. Read-only.[AppScope <IMicrosoftGraphAppScope>]
: appScope[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DisplayName <String>]
: Provides the display name of the app-specific resource represented by the app scope. Provided for display purposes since appScopeId is often an immutable, non-human-readable ID. Read only.[Type <String>]
: Describes the type of app-specific resource represented by the app scope. For display purposes, so a user interface can convey to the user the kind of app specific resource represented by the app scope. Read only.
[AppScopeId <String>]
: Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. App scopes are scopes that are defined and understood by a resource application only. For the entitlement management provider, use this property to specify a catalog. For example, /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997. Supports $filter (eq, in). For example /roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'.[Condition <String>]
:[DirectoryScope <IMicrosoftGraphDirectoryObject>]
: directoryObject[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[DeletedDateTime <DateTime?>]
: Date and time when this object was deleted. Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]
: Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications, unlike app scopes that are defined and understood by a resource application only. Supports $filter (eq, in).[Principal <IMicrosoftGraphDirectoryObject>]
: directoryObject[PrincipalId <String>]
: Identifier of the principal to which the assignment is granted. Supported principals are users, role-assignable groups, and service principals. Supports $filter (eq, in).[PrincipalOrganizationId <String>]
: Identifier of the home tenant for the principal to which the assignment is granted.[ResourceScope <String>]
: The scope at which the unifiedRoleAssignment applies. This is / for service-wide. DO NOT USE. This property will be deprecated soon.[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]
: unifiedRoleDefinition[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[AllowedPrincipalTypes <String>]
: allowedRolePrincipalTypes[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq and startsWith).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute.[IsBuiltIn <Boolean?>]
: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom. Read-only. Supports $filter (eq).[IsEnabled <Boolean?>]
: Flag indicating if the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[IsPrivileged <Boolean?>]
: Flag indicating if the role is privileged. Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects. Applies only for actions in the microsoft.directory resource namespace. Read-only. Supports $filter (eq).[ResourceScopes <String-
[]>]
: List of scopes permissions granted by the role definition apply to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
:
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true.[Version <String>]
: Indicates the version of the unifiedRoleDefinition object. Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]
: Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports $filter (eq, in).