Activate directoryRole

Namespace: microsoft.graph

Activate a directory role. To read a directory role or update its members, it must first be activated in the tenant.

The Company Administrators and the implicit user directory roles (User, Guest User, and Restricted Guest User roles) are activated by default. To access and assign members to other directory roles, you must first activate it with its corresponding directory role template ID.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet


Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) RoleManagement.ReadWrite.Directory Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application RoleManagement.ReadWrite.Directory Not available.

HTTP request

POST /directoryRoles

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json

Request body

In the request body, supply a JSON representation of directoryRole object.

The following table shows the properties that are required when you activate a directory role.

Parameter Type Description
roleTemplateId string Required. The ID of the directoryRoleTemplate that the role is based on. This is the only property that may be specified in the request.


If successful, this method returns 201 Created response code and directoryRole object in the response body.


Content-type: application/json

  "roleTemplateId": "fe930be7-5e62-47db-91af-98c3a49a38b1"

In the request body, supply a JSON representation of directoryRole object.


Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

  "@odata.context": "$metadata#directoryRoles/$entity",
  "id": "76f84d30-2759-4c66-915d-65c6e4083fa0",
  "deletedDateTime": null,
  "description": "Can manage all aspects of users and groups, including resetting passwords for limited admins.",
  "displayName": "User Administrator",
  "roleTemplateId": "fe930be7-5e62-47db-91af-98c3a49a38b1"