List role-definition Microsoft Graph API endpoint not returning a few role-definitions

Madhav M 0 Reputation points
2025-05-02T14:50:25.87+00:00

I am trying to fetch the list of all role-definitions defined in an Entra tenant using the API endpoint:
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions

Then, I want to query the list of role-assignments for the role-definitions through the API endpoint:
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments

What I have observed is that there are 2 role-definitions that are not part of the "List role-definition" API endpoint's response, but have role-assignment entries in the "List role-assignment" API's response.

Fig: Missing role-definition from role-directory

Additionally, I observed that these 2 role-definition objects can be retrieved individually using their id from the "Get role-definition" API.

Fig: Role-definition fetched through GET role-definition

They are also returned upon using a $filter query param on their id.

Fig: Role-definition fetched through List role-definition API with $filter query param

And I am pretty sure that these 2 role-definitions were being retrieved through the "List role-definition" API 1-2 months ago.

I would like to know the reason for the discrepancy, and whether there is any way through which I could ensure that no role-definitions are missed out from the "List role-definition" API's response.

Edit: Found out that these 2 role-definitions are part of the deprecated roles. So, I am confused as to why they still have role-assignment entries.
Source: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#deprecated-roles
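The cross-check described in the question, written out as an added example (this is not code from the original post or from Microsoft): list every role definition and every role assignment, find the roleDefinitionIds that assignments reference but the list omits, and resolve each of those with "Get role-definition" by id, which the post reports still works for the missing entries. The `graph_get` parameter is an assumed caller-supplied function that performs an authenticated GET and returns the parsed JSON body; `fake_graph_get` and the GUIDs it serves are constructed placeholders, not real role templates or captured tenant data. The lister follows `@odata.nextLink`, so paging is ruled out as a cause before a definition is reported as genuinely absent from the list.

```python
"""Reconcile Entra directory roleAssignments against the List roleDefinitions
response and resolve any roleDefinitionId the list omits.

Added example, not code from the original post. `graph_get` is an assumed
caller-supplied function (authenticated GET -> parsed JSON); the sample
responses below are constructed, not captured from a tenant.
"""
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"
GraphGet = Callable[[str], dict]


def get_all(graph_get: GraphGet, url: str) -> List[dict]:
    """Follow @odata.nextLink so that paging can never silently drop items."""
    items: List[dict] = []
    next_url: Optional[str] = url
    while next_url:
        page = graph_get(next_url)
        items.extend(page.get("value", []))
        next_url = page.get("@odata.nextLink")
    return items


def reconcile(graph_get: GraphGet) -> dict:
    """Return the listed definitions, all assignments, the definition ids that
    assignments reference but the list omits, and those ids resolved via
    GET /roleDefinitions/{id} (None when even that fails, e.g. HTTP 404)."""
    listed = {d["id"]: d for d in get_all(graph_get, f"{GRAPH}/roleDefinitions")}
    assignments = get_all(graph_get, f"{GRAPH}/roleAssignments")
    referenced = {a["roleDefinitionId"] for a in assignments}
    missing = sorted(referenced - listed.keys())

    resolved: Dict[str, Optional[dict]] = {}
    for role_id in missing:
        try:
            resolved[role_id] = graph_get(f"{GRAPH}/roleDefinitions/{role_id}")
        except Exception:  # dangling id: record it rather than crash the audit
            resolved[role_id] = None
    return {"listed": listed, "assignments": assignments,
            "missing": missing, "resolved": resolved}


# --- Constructed offline stand-in for Graph. Placeholder GUIDs, not real role templates.
ROLE_A = "00000000-0000-0000-0000-00000000000a"
ROLE_B = "00000000-0000-0000-0000-00000000000b"
ROLE_DEPRECATED = "00000000-0000-0000-0000-0000000000dd"

FAKE_RESPONSES = {
    # List roleDefinitions, split over two pages to exercise nextLink handling
    f"{GRAPH}/roleDefinitions": {
        "value": [{"id": ROLE_A, "displayName": "Constructed Role A"}],
        "@odata.nextLink": f"{GRAPH}/roleDefinitions?$skiptoken=page2",
    },
    f"{GRAPH}/roleDefinitions?$skiptoken=page2": {
        "value": [{"id": ROLE_B, "displayName": "Constructed Role B"}],
    },
    # One assignment points at a definition the list never returns
    f"{GRAPH}/roleAssignments": {
        "value": [
            {"id": "ra-1", "roleDefinitionId": ROLE_A, "principalId": "user-1"},
            {"id": "ra-2", "roleDefinitionId": ROLE_DEPRECATED, "principalId": "user-2"},
        ],
    },
    # Get by id still succeeds for it, as the post observed
    f"{GRAPH}/roleDefinitions/{ROLE_DEPRECATED}": {
        "id": ROLE_DEPRECATED, "displayName": "Constructed Deprecated Role", "isEnabled": True,
    },
}


def fake_graph_get(url: str) -> dict:
    """Stand-in for an authenticated GET; raises like a 404 for unknown URLs."""
    if url not in FAKE_RESPONSES:
        raise LookupError(f"404 Not Found: {url}")
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    result = reconcile(fake_graph_get)
    for role_id in result["missing"]:
        name = (result["resolved"][role_id] or {}).get("displayName", "<unresolvable>")
        holders = [a["principalId"] for a in result["assignments"]
                   if a["roleDefinitionId"] == role_id]
        print(f"{role_id} ({name}) absent from List roleDefinitions; assigned to {holders}")
```

In a real run, replace `fake_graph_get` with a function that sends the request with a bearer token holding RoleManagement.Read.Directory and returns `response.json()`. The `missing` list is the audit output that matters: any id in it is a role that still grants access in the tenant but will not appear in tooling that trusts the list endpoint alone.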

  1. Goutam Pratti 5,220 Reputation points Microsoft External Staff Moderator
    2025-05-05T23:50:11.1166667+00:00

    Hello @Madhav M ,

    I understand that when you use the GET RoleAssignment endpoint, GET RoleDefinition by ID, or the GET RoleDefinition endpoint with a $filter query on the ID, you are still able to retrieve details of deprecated roles. This has caused some confusion about why there are still role assignment entries for these deprecated roles.

    1. When using the GET RoleAssignment endpoint, you are seeing a deprecated role because it is currently assigned to a user in your tenant. That’s why it appears in the response. If you no longer want this role to appear, you can remove the user it’s assigned to, since the role is deprecated.
    2. When using the RoleDefinition endpoint with the $filter query parameter on the role ID, you are seeing a deprecated role because the filter expression is evaluated for each resource in the collection. Only items where the expression evaluates to true are included in the response. Since the specified ID matches and the user with that role still exists in the tenant, the deprecated role is returned in the results.

    For additional information follow: Role Definition, Role Assignment, Filter Parameter

    Hope this information helps. Let us know if you have any additional queries. Happy to assist you further.
