Update governanceRoleSetting

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Caution

This version of the Privileged Identity Management (PIM) API for Azure resources will be deprecated soon. Please use the new Azure REST PIM API for Azure resource roles.

Update the properties of governanceRoleSetting.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application
Microsoft Entra ID | PrivilegedAccess.ReadWrite.AzureAD | Not supported. | Not supported.
Azure resources | PrivilegedAccess.ReadWrite.AzureResources | Not supported. | Not supported.
group | PrivilegedAccess.ReadWrite.AzureADGroup | Not supported. | Not supported.

The requester must also have at least one active administrator role assignment (owner or user access administrator) on the resource.

HTTP request

PATCH /privilegedAccess/azureResources/roleSettings/{id}

Request headers

Name | Description
Authorization | Bearer {token}. Required. Learn more about authentication and authorization.
Content-type | application/json

Request body

In the request body, supply the values for governanceRuleSettings that need to be updated.

Property | Type | Description
adminEligibleSettings | governanceRuleSetting collection | The rule settings that are evaluated when an administrator tries to add an eligible role assignment.
adminMemberSettings | governanceRuleSetting collection | The rule settings that are evaluated when an administrator tries to add a direct member role assignment.
userEligibleSettings | governanceRuleSetting collection | The rule settings that are evaluated when a user tries to add an eligible role assignment.
userMemberSettings | governanceRuleSetting collection | The rule settings that are evaluated when a user tries to activate their role assignment.

Response

If successful, this method returns a 204 NoContent response code. It doesn't return anything in the response body.

Error codes

This API returns the standard HTTP error codes. In addition, it returns the following custom error codes.

Error code | Error message | Details
400 BadRequest | RoleSettingNotFound | The governanceRoleSetting does not exist in the system.
400 BadRequest | InvalidRoleSetting | The governanceRuleSettings values provided in the request body are not valid.

Example

This example updates the role setting for Custom Role 3 in the subscription Wingtip Toys - Prod.

Request

PATCH https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleSettings/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5
Content-type: application/json

{
   "adminEligibleSettings":[
      {
         "ruleIdentifier":"ExpirationRule",
         "setting":"{\"permanentAssignment\":false,\"maximumGrantPeriodInMinutes\":129600}"
      }
   ]
}

Response

HTTP/1.1 204 No Content
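
The request above carries each rule's "setting" as a JSON document serialized into a string, which is easy to get wrong when building the body by hand. The following Python sketch is an added example, not Microsoft's code: it builds the PATCH request without sending it, accepts only the four collections from the request-body table, and maps the 204 and custom 400 results. The function names are hypothetical, the token is a placeholder, and the error envelope shape ({"error": {"code", "message"}}) is an assumption.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"
# The four governanceRuleSetting collections from the request-body table.
COLLECTIONS = {"adminEligibleSettings", "adminMemberSettings",
               "userEligibleSettings", "userMemberSettings"}
# Custom 400 errors from the error-codes table.
CUSTOM_ERRORS = ("RoleSettingNotFound", "InvalidRoleSetting")


def build_body(changes):
    """changes: {collection: {ruleIdentifier: dict of rule values}}."""
    body = {}
    for collection, rules in changes.items():
        if collection not in COLLECTIONS:
            raise ValueError(f"unknown collection: {collection}")
        # "setting" is JSON inside a string: serialized once here, then
        # escaped a second time when the whole body is dumped.
        body[collection] = [
            {"ruleIdentifier": rule_id,
             "setting": json.dumps(values, separators=(",", ":"))}
            for rule_id, values in rules.items()
        ]
    return body


def build_request(role_setting_id, token, changes):
    """Prepare (but do not send) the PATCH request for one role setting."""
    url = f"{GRAPH}/privilegedAccess/azureResources/roleSettings/{role_setting_id}"
    data = json.dumps(build_body(changes)).encode("utf-8")
    return urllib.request.Request(url, data=data, method="PATCH", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })


def classify_response(status, body_text=""):
    """Return 'updated', a custom error name, or 'http-<status>'."""
    if status == 204:
        return "updated"
    if status == 400:
        try:
            err = json.loads(body_text).get("error")  # assumed envelope
        except (ValueError, AttributeError):
            err = None
        if isinstance(err, dict):
            text = f"{err.get('code')} {err.get('message')}"
            for name in CUSTOM_ERRORS:
                if name in text:
                    return name
    return f"http-{status}"
```

Passing the request to `urllib.request.urlopen` sends it; a 400 arrives as `urllib.error.HTTPError`, whose `code` and body can be handed to `classify_response`.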