Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
In delegated scenarios with work or school accounts, the signed-in user must be an owner or member of the group or be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
For role-assignable groups: Privileged Role Administrator
For non-role-assignable groups: Directory Writer, Groups Administrator, Identity Governance Administrator, or User Administrator
The role assignments for the calling user should be scoped at the directory level.
Other roles with permissions to manage groups (such as Exchange Administrators for non-role-assignable Microsoft 365 groups) and administrators with assignments scoped at administrative unit level can manage groups through groups API and override changes made in Microsoft Entra PIM through PIM for groups APIs.
HTTP request
POST /identityGovernance/privilegedAccess/group/eligibilityScheduleRequests
You can specify the following properties when creating a privilegedAccessGroupEligibilityScheduleRequest.
Property
Type
Description
accessId
privilegedAccessGroupRelationships
The identifier of the membership or ownership eligibility relationship to the group. The possible values are: owner, member. Required.
action
String
Represents the type of operation on the group membership or ownership eligibility assignment request. The possible values are: adminAssign, adminUpdate, adminRemove, selfActivate, selfDeactivate, adminExtend, adminRenew.
adminAssign: For administrators to assign group membership or ownership eligibility to principals.
adminRemove: For administrators to remove principals from group membership or ownership eligibilities.
adminUpdate: For administrators to change existing eligible assignments.
adminExtend: For administrators to extend expiring eligible assignments.
adminRenew: For administrators to renew expired eligible assignments.
selfActivate: For principals to activate their eligible assignments.
selfDeactivate: For principals to deactivate their eligible assignments.
groupId
String
The identifier of the group representing the scope of the membership or ownership eligibility through PIM for groups. Required.
justification
String
A message provided by users and administrators when they create the privilegedAccessGroupAssignmentScheduleRequest object.
principalId
String
The identifier of the principal whose membership or ownership eligibility to the group is managed through PIM for groups. Required.
Example 1: An admin creates an eligible group ownership request for a principal
The following request creates an eligibility schedule request to make a principal eligible to be a group owner. The eligible ownership expires after two hours.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new PrivilegedAccessGroupEligibilityScheduleRequest
{
AccessId = PrivilegedAccessGroupRelationships.Member,
PrincipalId = "3cce9d87-3986-4f19-8335-7ed075408ca2",
GroupId = "2b5ed229-4072-478d-9504-a047ebd4b07d",
Action = ScheduleRequestActions.AdminAssign,
ScheduleInfo = new RequestSchedule
{
StartDateTime = DateTimeOffset.Parse("2023-02-06T19:25:00.000Z"),
Expiration = new ExpirationPattern
{
Type = ExpirationPatternType.AfterDateTime,
EndDateTime = DateTimeOffset.Parse("2023-02-07T19:56:00.000Z"),
},
},
Justification = "Assign eligible request.",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.PrivilegedAccess.Group.EligibilityScheduleRequests.PostAsync(requestBody);
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
PrivilegedAccessGroupEligibilityScheduleRequest privilegedAccessGroupEligibilityScheduleRequest = new PrivilegedAccessGroupEligibilityScheduleRequest();
privilegedAccessGroupEligibilityScheduleRequest.setAccessId(PrivilegedAccessGroupRelationships.Member);
privilegedAccessGroupEligibilityScheduleRequest.setPrincipalId("3cce9d87-3986-4f19-8335-7ed075408ca2");
privilegedAccessGroupEligibilityScheduleRequest.setGroupId("2b5ed229-4072-478d-9504-a047ebd4b07d");
privilegedAccessGroupEligibilityScheduleRequest.setAction(ScheduleRequestActions.AdminAssign);
RequestSchedule scheduleInfo = new RequestSchedule();
OffsetDateTime startDateTime = OffsetDateTime.parse("2023-02-06T19:25:00.000Z");
scheduleInfo.setStartDateTime(startDateTime);
ExpirationPattern expiration = new ExpirationPattern();
expiration.setType(ExpirationPatternType.AfterDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2023-02-07T19:56:00.000Z");
expiration.setEndDateTime(endDateTime);
scheduleInfo.setExpiration(expiration);
privilegedAccessGroupEligibilityScheduleRequest.setScheduleInfo(scheduleInfo);
privilegedAccessGroupEligibilityScheduleRequest.setJustification("Assign eligible request.");
PrivilegedAccessGroupEligibilityScheduleRequest result = graphClient.identityGovernance().privilegedAccess().group().eligibilityScheduleRequests().post(privilegedAccessGroupEligibilityScheduleRequest);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\PrivilegedAccessGroupEligibilityScheduleRequest;
use Microsoft\Graph\Generated\Models\PrivilegedAccessGroupRelationships;
use Microsoft\Graph\Generated\Models\ScheduleRequestActions;
use Microsoft\Graph\Generated\Models\RequestSchedule;
use Microsoft\Graph\Generated\Models\ExpirationPattern;
use Microsoft\Graph\Generated\Models\ExpirationPatternType;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new PrivilegedAccessGroupEligibilityScheduleRequest();
$requestBody->setAccessId(new PrivilegedAccessGroupRelationships('member'));
$requestBody->setPrincipalId('3cce9d87-3986-4f19-8335-7ed075408ca2');
$requestBody->setGroupId('2b5ed229-4072-478d-9504-a047ebd4b07d');
$requestBody->setAction(new ScheduleRequestActions('adminAssign'));
$scheduleInfo = new RequestSchedule();
$scheduleInfo->setStartDateTime(new \DateTime('2023-02-06T19:25:00.000Z'));
$scheduleInfoExpiration = new ExpirationPattern();
$scheduleInfoExpiration->setType(new ExpirationPatternType('afterDateTime'));
$scheduleInfoExpiration->setEndDateTime(new \DateTime('2023-02-07T19:56:00.000Z'));
$scheduleInfo->setExpiration($scheduleInfoExpiration);
$requestBody->setScheduleInfo($scheduleInfo);
$requestBody->setJustification('Assign eligible request.');
$result = $graphServiceClient->identityGovernance()->privilegedAccess()->group()->eligibilityScheduleRequests()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.privileged_access_group_eligibility_schedule_request import PrivilegedAccessGroupEligibilityScheduleRequest
from msgraph.generated.models.privileged_access_group_relationships import PrivilegedAccessGroupRelationships
from msgraph.generated.models.schedule_request_actions import ScheduleRequestActions
from msgraph.generated.models.request_schedule import RequestSchedule
from msgraph.generated.models.expiration_pattern import ExpirationPattern
from msgraph.generated.models.expiration_pattern_type import ExpirationPatternType
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = PrivilegedAccessGroupEligibilityScheduleRequest(
access_id = PrivilegedAccessGroupRelationships.Member,
principal_id = "3cce9d87-3986-4f19-8335-7ed075408ca2",
group_id = "2b5ed229-4072-478d-9504-a047ebd4b07d",
action = ScheduleRequestActions.AdminAssign,
schedule_info = RequestSchedule(
start_date_time = "2023-02-06T19:25:00.000Z",
expiration = ExpirationPattern(
type = ExpirationPatternType.AfterDateTime,
end_date_time = "2023-02-07T19:56:00.000Z",
),
),
justification = "Assign eligible request.",
)
result = await graph_client.identity_governance.privileged_access.group.eligibility_schedule_requests.post(request_body)
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new PrivilegedAccessGroupEligibilityScheduleRequest
{
AccessId = PrivilegedAccessGroupRelationships.Member,
PrincipalId = "3cce9d87-3986-4f19-8335-7ed075408ca2",
GroupId = "2b5ed229-4072-478d-9504-a047ebd4b07d",
Action = ScheduleRequestActions.AdminExtend,
ScheduleInfo = new RequestSchedule
{
StartDateTime = DateTimeOffset.Parse("2023-02-06T19:25:00.000Z"),
Expiration = new ExpirationPattern
{
Type = ExpirationPatternType.AfterDateTime,
EndDateTime = DateTimeOffset.Parse("2023-02-07T20:56:00.000Z"),
},
},
Justification = "Extend eligible request.",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.PrivilegedAccess.Group.EligibilityScheduleRequests.PostAsync(requestBody);
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
PrivilegedAccessGroupEligibilityScheduleRequest privilegedAccessGroupEligibilityScheduleRequest = new PrivilegedAccessGroupEligibilityScheduleRequest();
privilegedAccessGroupEligibilityScheduleRequest.setAccessId(PrivilegedAccessGroupRelationships.Member);
privilegedAccessGroupEligibilityScheduleRequest.setPrincipalId("3cce9d87-3986-4f19-8335-7ed075408ca2");
privilegedAccessGroupEligibilityScheduleRequest.setGroupId("2b5ed229-4072-478d-9504-a047ebd4b07d");
privilegedAccessGroupEligibilityScheduleRequest.setAction(ScheduleRequestActions.AdminExtend);
RequestSchedule scheduleInfo = new RequestSchedule();
OffsetDateTime startDateTime = OffsetDateTime.parse("2023-02-06T19:25:00.000Z");
scheduleInfo.setStartDateTime(startDateTime);
ExpirationPattern expiration = new ExpirationPattern();
expiration.setType(ExpirationPatternType.AfterDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2023-02-07T20:56:00.000Z");
expiration.setEndDateTime(endDateTime);
scheduleInfo.setExpiration(expiration);
privilegedAccessGroupEligibilityScheduleRequest.setScheduleInfo(scheduleInfo);
privilegedAccessGroupEligibilityScheduleRequest.setJustification("Extend eligible request.");
PrivilegedAccessGroupEligibilityScheduleRequest result = graphClient.identityGovernance().privilegedAccess().group().eligibilityScheduleRequests().post(privilegedAccessGroupEligibilityScheduleRequest);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\PrivilegedAccessGroupEligibilityScheduleRequest;
use Microsoft\Graph\Generated\Models\PrivilegedAccessGroupRelationships;
use Microsoft\Graph\Generated\Models\ScheduleRequestActions;
use Microsoft\Graph\Generated\Models\RequestSchedule;
use Microsoft\Graph\Generated\Models\ExpirationPattern;
use Microsoft\Graph\Generated\Models\ExpirationPatternType;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new PrivilegedAccessGroupEligibilityScheduleRequest();
$requestBody->setAccessId(new PrivilegedAccessGroupRelationships('member'));
$requestBody->setPrincipalId('3cce9d87-3986-4f19-8335-7ed075408ca2');
$requestBody->setGroupId('2b5ed229-4072-478d-9504-a047ebd4b07d');
$requestBody->setAction(new ScheduleRequestActions('adminExtend'));
$scheduleInfo = new RequestSchedule();
$scheduleInfo->setStartDateTime(new \DateTime('2023-02-06T19:25:00.000Z'));
$scheduleInfoExpiration = new ExpirationPattern();
$scheduleInfoExpiration->setType(new ExpirationPatternType('afterDateTime'));
$scheduleInfoExpiration->setEndDateTime(new \DateTime('2023-02-07T20:56:00.000Z'));
$scheduleInfo->setExpiration($scheduleInfoExpiration);
$requestBody->setScheduleInfo($scheduleInfo);
$requestBody->setJustification('Extend eligible request.');
$result = $graphServiceClient->identityGovernance()->privilegedAccess()->group()->eligibilityScheduleRequests()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.privileged_access_group_eligibility_schedule_request import PrivilegedAccessGroupEligibilityScheduleRequest
from msgraph.generated.models.privileged_access_group_relationships import PrivilegedAccessGroupRelationships
from msgraph.generated.models.schedule_request_actions import ScheduleRequestActions
from msgraph.generated.models.request_schedule import RequestSchedule
from msgraph.generated.models.expiration_pattern import ExpirationPattern
from msgraph.generated.models.expiration_pattern_type import ExpirationPatternType
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = PrivilegedAccessGroupEligibilityScheduleRequest(
access_id = PrivilegedAccessGroupRelationships.Member,
principal_id = "3cce9d87-3986-4f19-8335-7ed075408ca2",
group_id = "2b5ed229-4072-478d-9504-a047ebd4b07d",
action = ScheduleRequestActions.AdminExtend,
schedule_info = RequestSchedule(
start_date_time = "2023-02-06T19:25:00.000Z",
expiration = ExpirationPattern(
type = ExpirationPatternType.AfterDateTime,
end_date_time = "2023-02-07T20:56:00.000Z",
),
),
justification = "Extend eligible request.",
)
result = await graph_client.identity_governance.privileged_access.group.eligibility_schedule_requests.post(request_body)