Create governanceRoleAssignmentRequest

Article
08/23/2023

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Caution

This version of the Privileged Identity Management (PIM) API for Azure resources will be deprecated soon. Please use the new Azure REST PIM API for Azure resource roles.

Create a role assignment request to represent the operation you want on a role assignment. The following table lists the operations.

Operation	Type
Assign a role assignment	AdminAdd
Activate an eligible role assignment	UserAdd
Deactivate an activated role assignment	UserRemove
Remove a role assignment	AdminRemove
Update a role assignment	AdminUpdate
Request to extend my role assignment	UserExtend
Extend a role assignment	AdminExtend
Request to renew my expired role assignment	UserRenew
Renew an expired role assignment	AdminRenew

This API is available in the following national cloud deployments.

Global service	US Government L4	US Government L5 (DOD)	China operated by 21Vianet
✅	✅	✅	❌

Permissions

The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Supported resource	Delegated (work or school account)	Delegated (personal Microsoft account)	Application
Microsoft Entra ID	PrivilegedAccess.ReadWrite.AzureAD	Not supported.	Not supported.
Azure resources	PrivilegedAccess.ReadWrite.AzureResources	Not supported.	Not supported.
group	PrivilegedAccess.ReadWrite.AzureADGroup	Not supported.	Not supported.

HTTP request

POST /privilegedAccess/azureResources/roleAssignmentRequests

Request headers

Name	Description
Authorization	Bearer {code}
Content-type	application/json

Request body

In the request body, supply a JSON representation of a governanceRoleAssignmentRequest object.

Property	Type	Description
resourceId	String	The unique identifier of the Azure resource that is associated with the role assignment request. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases. Required.
roleDefinitionId	String	The identifier of the Azure role definition that the role assignment request is associated with. Required.
subjectId	String	The unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals. Required.
assignmentState	String	The state of assignment. The value can be `Eligible` and `Active`. Required.
type	String	The request type. The value can be `AdminAdd`, `UserAdd`, `AdminUpdate`, `AdminRemove`, `UserRemove`, `UserExtend`, `UserRenew`, `AdminRenew`and `AdminExtend`. Required.
reason	String	The reason needs to be provided for the role assignment request for audit and review purpose.
schedule	governanceSchedule	The schedule of the role assignment request. For request type of `UserAdd`, `AdminAdd`, `AdminUpdate`, and `AdminExtend`, it is required.

Response

If successful, this method returns a 201 Created response code and a governanceRoleAssignmentRequest object in the response body.

Error codes

This API returns the standard HTTP error codes. In addition, it also returns the error codes listed in the following table.

Error code	Error message	Details
400 BadRequest	RoleNotFound	The `roleDefinitionId` provided in the request body cannot be found.
400 BadRequest	ResourceIsLocked	The resource provided in the request body is in state of `Locked` and cannot create role assignment requests.
400 BadRequest	SubjectNotFound	The `subjectId` provided in the request body cannot be found.
400 BadRequest	PendingRoleAssignmentRequest	There already exists a pending governanceRoleAssignmentRequest in the system.
400 BadRequest	RoleAssignmentExists	The governanceRoleAssignment requested to be created already exists in the system.
400 BadRequest	RoleAssignmentDoesNotExist	The governanceRoleAssignment requested to be updated/extended does not exist in the system.
400 BadRequest	RoleAssignmentRequestPolicyValidationFailed	The governanceRoleAssignmentRequest does not meet internal policies and cannot be created.

Examples

The following examples show how to use this API.

Example 1: Administrator assigns user to a role

In this example, an administrator assigns user nawu@contoso.com to the Billing Reader role.

Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.

Property	Type	Required	Value
resourceId	String	Yes	<resourceId>
roleDefinitionId	String	Yes	<roleDefinitionId>
subjectId	String	Yes	<subjectId>
assignmentState	String	Yes	Eligible / Active
type	String	Yes	AdminAdd
reason	String	depends on role Settings
schedule	governanceSchedule	Yes

Request

POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "assignmentState": "Eligible",
  "type": "AdminAdd",
  "reason": "Assign an eligible role",
  "schedule": {
    "startDateTime": "2018-05-12T23:37:43.356Z",
    "endDateTime": "2018-11-08T23:37:43.356Z",
    "type": "Once"
  }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
	RoleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
	ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
	AssignmentState = "Eligible",
	Type = "AdminAdd",
	Reason = "Assign an eligible role",
	Schedule = new GovernanceSchedule
	{
		StartDateTime = DateTimeOffset.Parse("2018-05-12T23:37:43.356Z"),
		EndDateTime = DateTimeOffset.Parse("2018-11-08T23:37:43.356Z"),
		Type = "Once",
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
  "roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",\
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",\
  "assignmentState": "Eligible",\
  "type": "AdminAdd",\
  "reason": "Assign an eligible role",\
  "schedule": {\
    "startDateTime": "2018-05-12T23:37:43.356Z",\
    "endDateTime": "2018-11-08T23:37:43.356Z",\
    "type": "Once"\
  }\
}\
'

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
requestBody.SetRoleDefinitionId(&roleDefinitionId) 
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId) 
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId) 
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState) 
type := "AdminAdd"
requestBody.SetType(&type) 
reason := "Assign an eligible role"
requestBody.SetReason(&reason) 
schedule := graphmodels.NewGovernanceSchedule()
startDateTime , err := time.Parse(time.RFC3339, "2018-05-12T23:37:43.356Z")
schedule.SetStartDateTime(&startDateTime) 
endDateTime , err := time.Parse(time.RFC3339, "2018-11-08T23:37:43.356Z")
schedule.SetEndDateTime(&endDateTime) 
type := "Once"
schedule.SetType(&type) 
requestBody.SetSchedule(schedule)

roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("ea48ad5e-e3b0-4d10-af54-39a45bbfe68d");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminAdd");
governanceRoleAssignmentRequest.setReason("Assign an eligible role");
GovernanceSchedule schedule = new GovernanceSchedule();
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:37:43.356Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-11-08T23:37:43.356Z");
schedule.setEndDateTime(endDateTime);
schedule.setType("Once");
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: 'ea48ad5e-e3b0-4d10-af54-39a45bbfe68d',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
  assignmentState: 'Eligible',
  type: 'AdminAdd',
  reason: 'Assign an eligible role',
  schedule: {
    startDateTime: '2018-05-12T23:37:43.356Z',
    endDateTime: '2018-11-08T23:37:43.356Z',
    type: 'Once'
  }
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Generated\Models\GovernanceSchedule;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('ea48ad5e-e3b0-4d10-af54-39a45bbfe68d');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminAdd');
$requestBody->setReason('Assign an eligible role');
$schedule = new GovernanceSchedule();
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:37:43.356Z'));
$schedule->setEndDateTime(new \DateTime('2018-11-08T23:37:43.356Z'));
$schedule->setType('Once');
$requestBody->setSchedule($schedule);

$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	roleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
	resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
	subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
	assignmentState = "Eligible"
	type = "AdminAdd"
	reason = "Assign an eligible role"
	schedule = @{
		startDateTime = [System.DateTime]::Parse("2018-05-12T23:37:43.356Z")
		endDateTime = [System.DateTime]::Parse("2018-11-08T23:37:43.356Z")
		type = "Once"
	}
}

New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph.generated.models.governance_schedule import GovernanceSchedule

graph_client = GraphServiceClient(credentials, scopes)

request_body = GovernanceRoleAssignmentRequest(
	role_definition_id = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
	resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
	assignment_state = "Eligible",
	type = "AdminAdd",
	reason = "Assign an eligible role",
	schedule = GovernanceSchedule(
		start_date_time = "2018-05-12T23:37:43.356Z",
		end_date_time = "2018-11-08T23:37:43.356Z",
		type = "Once",
	),
)

result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "1232e4ea-741a-4be5-8044-5edabdd61672",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "linkedEligibleRoleAssignmentId": "",
  "type": "AdminAdd",
  "assignmentState": "Eligible",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": "Evaluate Only",
  "status": {
    "status": "InProgress",
    "subStatus": "Granted",
    "statusDetails": [
      {
        "key": "AdminRequestRule",
        "value": "Grant"
      },
      {
        "key": "ExpirationRule",
        "value": "Grant"
      },
      {
        "key": "MfaRule",
        "value": "Grant"
      }
    ]
  },
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:37:43.356Z",
    "endDateTime": "2018-11-08T23:37:43.356Z",
    "duration": "PT0S"
  }
}

Example 2: User activates eligible role

In this example, the user nawu@contoso.com activates the eligible Billing Reader role.

Property	Type	Required	Value
resourceId	String	Yes	<resourceId>
roleDefinitionId	String	Yes	<roleDefinitionId>
subjectId	String	Yes	<subjectId>
assignmentState	String	Yes	Active
type	String	Yes	UserAdd
reason	String	depends on role Settings
schedule	governanceSchedule	Yes

Request

POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "assignmentState": "Active",
  "type": "UserAdd",
  "reason": "Activate the owner role",
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:28:43.537Z",
    "duration": "PT9H"
  },
  "linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
	RoleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
	ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
	AssignmentState = "Active",
	Type = "UserAdd",
	Reason = "Activate the owner role",
	Schedule = new GovernanceSchedule
	{
		Type = "Once",
		StartDateTime = DateTimeOffset.Parse("2018-05-12T23:28:43.537Z"),
		Duration = TimeSpan.Parse("PT9H"),
	},
	LinkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
  "roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",\
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",\
  "assignmentState": "Active",\
  "type": "UserAdd",\
  "reason": "Activate the owner role",\
  "schedule": {\
    "type": "Once",\
    "startDateTime": "2018-05-12T23:28:43.537Z",\
    "duration": "PT9H"\
  },\
  "linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394"\
}\
'

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "8b4d1d51-08e9-4254-b0a6-b16177aae376"
requestBody.SetRoleDefinitionId(&roleDefinitionId) 
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId) 
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId) 
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState) 
type := "UserAdd"
requestBody.SetType(&type) 
reason := "Activate the owner role"
requestBody.SetReason(&reason) 
schedule := graphmodels.NewGovernanceSchedule()
type := "Once"
schedule.SetType(&type) 
startDateTime , err := time.Parse(time.RFC3339, "2018-05-12T23:28:43.537Z")
schedule.SetStartDateTime(&startDateTime) 
duration , err := abstractions.ParseISODuration("PT9H")
schedule.SetDuration(&duration) 
requestBody.SetSchedule(schedule)
linkedEligibleRoleAssignmentId := "e327f4be-42a0-47a2-8579-0a39b025b394"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId) 

roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("8b4d1d51-08e9-4254-b0a6-b16177aae376");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserAdd");
governanceRoleAssignmentRequest.setReason("Activate the owner role");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:28:43.537Z");
schedule.setStartDateTime(startDateTime);
PeriodAndDuration duration = PeriodAndDuration.ofDuration(Duration.parse("PT9H"));
schedule.setDuration(duration);
governanceRoleAssignmentRequest.setSchedule(schedule);
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("e327f4be-42a0-47a2-8579-0a39b025b394");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: '8b4d1d51-08e9-4254-b0a6-b16177aae376',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
  assignmentState: 'Active',
  type: 'UserAdd',
  reason: 'Activate the owner role',
  schedule: {
    type: 'Once',
    startDateTime: '2018-05-12T23:28:43.537Z',
    duration: 'PT9H'
  },
  linkedEligibleRoleAssignmentId: 'e327f4be-42a0-47a2-8579-0a39b025b394'
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Generated\Models\GovernanceSchedule;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('8b4d1d51-08e9-4254-b0a6-b16177aae376');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserAdd');
$requestBody->setReason('Activate the owner role');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:28:43.537Z'));
$schedule->setDuration(new \DateInterval('PT9H'));
$requestBody->setSchedule($schedule);
$requestBody->setLinkedEligibleRoleAssignmentId('e327f4be-42a0-47a2-8579-0a39b025b394');

$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	roleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376"
	resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
	subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
	assignmentState = "Active"
	type = "UserAdd"
	reason = "Activate the owner role"
	schedule = @{
		type = "Once"
		startDateTime = [System.DateTime]::Parse("2018-05-12T23:28:43.537Z")
		duration = "PT9H"
	}
	linkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394"
}

New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph.generated.models.governance_schedule import GovernanceSchedule

graph_client = GraphServiceClient(credentials, scopes)

request_body = GovernanceRoleAssignmentRequest(
	role_definition_id = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
	resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
	assignment_state = "Active",
	type = "UserAdd",
	reason = "Activate the owner role",
	schedule = GovernanceSchedule(
		type = "Once",
		start_date_time = "2018-05-12T23:28:43.537Z",
		duration = "PT9H",
	),
	linked_eligible_role_assignment_id = "e327f4be-42a0-47a2-8579-0a39b025b394",
)

result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "3ad49a7c-918e-4d86-9f84-fab28f8658c0",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394",
  "type": "UserAdd",
  "assignmentState": "Active",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": "Activate the owner role",
  "status": {
    "status": "InProgress",
    "subStatus": "Granted",
    "statusDetails": [
      {
        "key": "EligibilityRule",
        "value": "Grant"
      },
      {
        "key": "ExpirationRule",
        "value": "Grant"
      },
      {
        "key": "MfaRule",
        "value": "Grant"
      },
      {
        "key": "JustificationRule",
        "value": "Grant"
      },
      {
        "key": "ActivationDayRule",
        "value": "Grant"
      },
      {
        "key": "ApprovalRule",
        "value": "Grant"
      }
    ]
  },
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:28:43.537Z",
    "endDateTime": "0001-01-01T00:00:00Z",
    "duration": "PT9H"
  }
}

Example 3: User deactivates an assigned role

In this example, the user nawu@contoso.com deactivates the active Billing Reader role.

Property	Type	Required	Value
resourceId	String	Yes	<resourceId>
roleDefinitionId	String	Yes	<roleDefinitionId>
subjectId	String	Yes	<subjectId>
assignmentState	String	Yes	Active
type	String	Yes	UserRemove
reason	String	No
schedule	governanceSchedule	No

Request

POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
  "resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "assignmentState": "Active",
  "type": "UserRemove",
  "reason": "Deactivate the role",
  "linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
	RoleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
	ResourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
	SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
	AssignmentState = "Active",
	Type = "UserRemove",
	Reason = "Deactivate the role",
	LinkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
  "roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",\
  "resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",\
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",\
  "assignmentState": "Active",\
  "type": "UserRemove",\
  "reason": "Deactivate the role",\
  "linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec"\
}\
'

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "bc75b4e6-7403-4243-bf2f-d1f6990be122"
requestBody.SetRoleDefinitionId(&roleDefinitionId) 
resourceId := "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
requestBody.SetResourceId(&resourceId) 
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId) 
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState) 
type := "UserRemove"
requestBody.SetType(&type) 
reason := "Deactivate the role"
requestBody.SetReason(&reason) 
linkedEligibleRoleAssignmentId := "cb8a533e-02d5-42ad-8499-916b1e4822ec"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId) 

roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("bc75b4e6-7403-4243-bf2f-d1f6990be122");
governanceRoleAssignmentRequest.setResourceId("fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserRemove");
governanceRoleAssignmentRequest.setReason("Deactivate the role");
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("cb8a533e-02d5-42ad-8499-916b1e4822ec");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: 'bc75b4e6-7403-4243-bf2f-d1f6990be122',
  resourceId: 'fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735',
  subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
  assignmentState: 'Active',
  type: 'UserRemove',
  reason: 'Deactivate the role',
  linkedEligibleRoleAssignmentId: 'cb8a533e-02d5-42ad-8499-916b1e4822ec'
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('bc75b4e6-7403-4243-bf2f-d1f6990be122');
$requestBody->setResourceId('fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserRemove');
$requestBody->setReason('Deactivate the role');
$requestBody->setLinkedEligibleRoleAssignmentId('cb8a533e-02d5-42ad-8499-916b1e4822ec');

$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	roleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122"
	resourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
	subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
	assignmentState = "Active"
	type = "UserRemove"
	reason = "Deactivate the role"
	linkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}

New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest

graph_client = GraphServiceClient(credentials, scopes)

request_body = GovernanceRoleAssignmentRequest(
	role_definition_id = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
	resource_id = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
	subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
	assignment_state = "Active",
	type = "UserRemove",
	reason = "Deactivate the role",
	linked_eligible_role_assignment_id = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
)

result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "abfcdb57-8e5d-42a0-ae67-7598b96fddb1",
  "resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
  "roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec",
  "type": "UserRemove",
  "assignmentState": "Active",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": "Evaluate only",
  "schedule": null,
  "status": {
    "status": "Closed",
    "subStatus": "Revoked",
    "statusDetails": []
  }
}

Example 4: Administrator removes user from a role

In this example, an administrator removes the user nawu@contoso.com from the Billing Reader role.

Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.

Property	Type	Required	Value
resourceId	String	Yes	<resourceId>
roleDefinitionId	String	Yes	<roleDefinitionId>
subjectId	String	Yes	<subjectId>
assignmentState	String	Yes	Eligible / Active
type	String	Yes	AdminRemove
reason	String	No
schedule	governanceSchedule	No

Request

POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
  "assignmentState": "Eligible",
  "type": "AdminRemove"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
	RoleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
	ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
	AssignmentState = "Eligible",
	Type = "AdminRemove",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
  "roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",\
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
  "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",\
  "assignmentState": "Eligible",\
  "type": "AdminRemove"\
}\
'

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "65bb4622-61f5-4f25-9d75-d0e20cf92019"
requestBody.SetRoleDefinitionId(&roleDefinitionId) 
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId) 
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId) 
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState) 
type := "AdminRemove"
requestBody.SetType(&type) 

roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("65bb4622-61f5-4f25-9d75-d0e20cf92019");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminRemove");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: '65bb4622-61f5-4f25-9d75-d0e20cf92019',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
  assignmentState: 'Eligible',
  type: 'AdminRemove'
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('65bb4622-61f5-4f25-9d75-d0e20cf92019');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminRemove');

$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	roleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019"
	resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
	subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
	assignmentState = "Eligible"
	type = "AdminRemove"
}

New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest

graph_client = GraphServiceClient(credentials, scopes)

request_body = GovernanceRoleAssignmentRequest(
	role_definition_id = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
	resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
	assignment_state = "Eligible",
	type = "AdminRemove",
)

result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "c934fcb9-cf53-42ac-a8b4-6246f6726299",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
  "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
  "linkedEligibleRoleAssignmentId": "",
  "type": "AdminRemove",
  "assignmentState": "Eligible",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": null,
  "status": {
    "status": "Closed",
    "subStatus": "Revoked",
    "statusDetails": []
  },
  "schedule": null
}

Example 5: Administrator updates role assignment

In this example, administrators update the role assignment for the user nawu@contoso.com to Owner.

Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.

Property	Type	Required	Value
resourceId	String	Yes	<resourceId>
roleDefinitionId	String	Yes	<roleDefinitionId>
subjectId	String	Yes	<subjectId>
assignmentState	String	Yes	Eligible / Active
type	String	Yes	AdminUpdate
reason	String	depends on roleSettings
schedule	governanceSchedule	Yes

Request

POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
  "assignmentState": "Eligible",
  "type": "AdminUpdate",
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-03-08T05:42:45.317Z",
    "endDateTime": "2018-06-05T05:42:31.000Z"
  }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
	RoleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
	ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	SubjectId = "1566d11d-d2b6-444a-a8de-28698682c445",
	AssignmentState = "Eligible",
	Type = "AdminUpdate",
	Schedule = new GovernanceSchedule
	{
		Type = "Once",
		StartDateTime = DateTimeOffset.Parse("2018-03-08T05:42:45.317Z"),
		EndDateTime = DateTimeOffset.Parse("2018-06-05T05:42:31.000Z"),
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
  "roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",\
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
  "subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",\
  "assignmentState": "Eligible",\
  "type": "AdminUpdate",\
  "schedule": {\
    "type": "Once",\
    "startDateTime": "2018-03-08T05:42:45.317Z",\
    "endDateTime": "2018-06-05T05:42:31.000Z"\
  }\
}\
'

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "70521f3e-3b95-4e51-b4d2-a2f485b02103"
requestBody.SetRoleDefinitionId(&roleDefinitionId) 
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId) 
subjectId := "1566d11d-d2b6-444a-a8de-28698682c445"
requestBody.SetSubjectId(&subjectId) 
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState) 
type := "AdminUpdate"
requestBody.SetType(&type) 
schedule := graphmodels.NewGovernanceSchedule()
type := "Once"
schedule.SetType(&type) 
startDateTime , err := time.Parse(time.RFC3339, "2018-03-08T05:42:45.317Z")
schedule.SetStartDateTime(&startDateTime) 
endDateTime , err := time.Parse(time.RFC3339, "2018-06-05T05:42:31.000Z")
schedule.SetEndDateTime(&endDateTime) 
requestBody.SetSchedule(schedule)

roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("70521f3e-3b95-4e51-b4d2-a2f485b02103");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("1566d11d-d2b6-444a-a8de-28698682c445");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminUpdate");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-03-08T05:42:45.317Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-06-05T05:42:31.000Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: '70521f3e-3b95-4e51-b4d2-a2f485b02103',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  subjectId: '1566d11d-d2b6-444a-a8de-28698682c445',
  assignmentState: 'Eligible',
  type: 'AdminUpdate',
  schedule: {
    type: 'Once',
    startDateTime: '2018-03-08T05:42:45.317Z',
    endDateTime: '2018-06-05T05:42:31.000Z'
  }
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Generated\Models\GovernanceSchedule;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('70521f3e-3b95-4e51-b4d2-a2f485b02103');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('1566d11d-d2b6-444a-a8de-28698682c445');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminUpdate');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-03-08T05:42:45.317Z'));
$schedule->setEndDateTime(new \DateTime('2018-06-05T05:42:31.000Z'));
$requestBody->setSchedule($schedule);

$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	roleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103"
	resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
	subjectId = "1566d11d-d2b6-444a-a8de-28698682c445"
	assignmentState = "Eligible"
	type = "AdminUpdate"
	schedule = @{
		type = "Once"
		startDateTime = [System.DateTime]::Parse("2018-03-08T05:42:45.317Z")
		endDateTime = [System.DateTime]::Parse("2018-06-05T05:42:31.000Z")
	}
}

New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph.generated.models.governance_schedule import GovernanceSchedule

graph_client = GraphServiceClient(credentials, scopes)

request_body = GovernanceRoleAssignmentRequest(
	role_definition_id = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
	resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	subject_id = "1566d11d-d2b6-444a-a8de-28698682c445",
	assignment_state = "Eligible",
	type = "AdminUpdate",
	schedule = GovernanceSchedule(
		type = "Once",
		start_date_time = "2018-03-08T05:42:45.317Z",
		end_date_time = "2018-06-05T05:42:31.000Z",
	),
)

result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "4f6d4802-b3ac-4f5a-86d7-a6a4edd7d383",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
  "subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
  "linkedEligibleRoleAssignmentId": "",
  "type": "AdminUpdate",
  "assignmentState": "Eligible",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": null,
  "status": {
    "status": "InProgress",
    "subStatus": "Granted",
    "statusDetails": [
      {
        "key": "AdminRequestRule",
        "value": "Grant"
      },
      {
        "key": "ExpirationRule",
        "value": "Grant"
      },
      {
        "key": "MfaRule",
        "value": "Grant"
      }
    ]
  },
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-03-08T05:42:45.317Z",
    "endDateTime": "2018-06-05T05:42:31Z",
    "duration": "PT0S"
  }
}

Example 6: Administrator extends expiring role assignment

This example extends the expiring role assignment for user ANUJCUSER to API Management Service Contributor.

Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.

Property	Type	Required	Value
resourceId	String	Yes	<resourceId>
roleDefinitionId	String	Yes	<roleDefinitionId>
subjectId	String	Yes	<subjectId>
assignmentState	String	Yes	Eligible / Active
type	String	Yes	AdminExtend
reason	String	depends on roleSettings
schedule	governanceSchedule	Yes

Request

POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
  "assignmentState": "Eligible",
  "type": "AdminExtend",
  "reason": "extend role assignment",
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:53:55.327Z",
    "endDateTime": "2018-08-10T23:53:55.327Z"
  }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
	RoleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
	ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
	AssignmentState = "Eligible",
	Type = "AdminExtend",
	Reason = "extend role assignment",
	Schedule = new GovernanceSchedule
	{
		Type = "Once",
		StartDateTime = DateTimeOffset.Parse("2018-05-12T23:53:55.327Z"),
		EndDateTime = DateTimeOffset.Parse("2018-08-10T23:53:55.327Z"),
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta privileged-access role-assignment-requests create --privileged-access-id {privilegedAccess-id} --body '{\
  "roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",\
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",\
  "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",\
  "assignmentState": "Eligible",\
  "type": "AdminExtend",\
  "reason": "extend role assignment",\
  "schedule": {\
    "type": "Once",\
    "startDateTime": "2018-05-12T23:53:55.327Z",\
    "endDateTime": "2018-08-10T23:53:55.327Z"\
  }\
}\
'

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.



import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "0e88fd18-50f5-4ee1-9104-01c3ed910065"
requestBody.SetRoleDefinitionId(&roleDefinitionId) 
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId) 
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId) 
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState) 
type := "AdminExtend"
requestBody.SetType(&type) 
reason := "extend role assignment"
requestBody.SetReason(&reason) 
schedule := graphmodels.NewGovernanceSchedule()
type := "Once"
schedule.SetType(&type) 
startDateTime , err := time.Parse(time.RFC3339, "2018-05-12T23:53:55.327Z")
schedule.SetStartDateTime(&startDateTime) 
endDateTime , err := time.Parse(time.RFC3339, "2018-08-10T23:53:55.327Z")
schedule.SetEndDateTime(&endDateTime) 
requestBody.SetSchedule(schedule)

roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("0e88fd18-50f5-4ee1-9104-01c3ed910065");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminExtend");
governanceRoleAssignmentRequest.setReason("extend role assignment");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:53:55.327Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-08-10T23:53:55.327Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: '0e88fd18-50f5-4ee1-9104-01c3ed910065',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
  assignmentState: 'Eligible',
  type: 'AdminExtend',
  reason: 'extend role assignment',
  schedule: {
    type: 'Once',
    startDateTime: '2018-05-12T23:53:55.327Z',
    endDateTime: '2018-08-10T23:53:55.327Z'
  }
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Generated\Models\GovernanceSchedule;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('0e88fd18-50f5-4ee1-9104-01c3ed910065');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminExtend');
$requestBody->setReason('extend role assignment');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:53:55.327Z'));
$schedule->setEndDateTime(new \DateTime('2018-08-10T23:53:55.327Z'));
$requestBody->setSchedule($schedule);

$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	roleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065"
	resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
	subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
	assignmentState = "Eligible"
	type = "AdminExtend"
	reason = "extend role assignment"
	schedule = @{
		type = "Once"
		startDateTime = [System.DateTime]::Parse("2018-05-12T23:53:55.327Z")
		endDateTime = [System.DateTime]::Parse("2018-08-10T23:53:55.327Z")
	}
}

New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


from msgraph import GraphServiceClient
from msgraph.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph.generated.models.governance_schedule import GovernanceSchedule

graph_client = GraphServiceClient(credentials, scopes)

request_body = GovernanceRoleAssignmentRequest(
	role_definition_id = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
	resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
	subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
	assignment_state = "Eligible",
	type = "AdminExtend",
	reason = "extend role assignment",
	schedule = GovernanceSchedule(
		type = "Once",
		start_date_time = "2018-05-12T23:53:55.327Z",
		end_date_time = "2018-08-10T23:53:55.327Z",
	),
)

result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)

Important

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "486f0c05-47c8-4498-9c06-086a78c83004",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
  "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
  "linkedEligibleRoleAssignmentId": "",
  "type": "AdminExtend",
  "assignmentState": "Eligible",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": "extend role assignment",
  "status": {
    "status": "InProgress",
    "subStatus": "Granted",
    "statusDetails": [
      {
        "key": "AdminRequestRule",
        "value": "Grant"
      },
      {
        "key": "ExpirationRule",
        "value": "Grant"
      },
      {
        "key": "MfaRule",
        "value": "Grant"
      }
    ]
  },
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:53:55.327Z",
    "endDateTime": "2018-08-10T23:53:55.327Z",
    "duration": "PT0S"
  }
}

Create governanceRoleAssignmentRequest

Permissions

HTTP request

Request headers

Request body

Response

Error codes

Examples

Example 1: Administrator assigns user to a role

Request

Response

Example 2: User activates eligible role

Request

Response

Example 3: User deactivates an assigned role

Request

Response

Example 4: Administrator removes user from a role

Request

Response

Example 5: Administrator updates role assignment

Request

Response

Example 6: Administrator extends expiring role assignment

Request

Response

Feedback

Feedback

Additional resources