List unifiedRoleAssignments
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Get a list of unifiedRoleAssignment objects for the provider.
The following RBAC providers are currently supported:
- directory (Azure AD)
- entitlement management (Azure AD)
Permissions
Depending on the RBAC provider and the permission type (delegated or application) that is needed, choose from the following table the least privileged permission required to call this API. To learn more, including taking caution before choosing more privileged permissions, search for the following permissions in Permissions.
For Directory (Azure AD) provider
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | RoleManagement.Read.Directory, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
For Entitlement management provider
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Not supported. |
HTTP request
To list role assignments for a directory provider:
GET /roleManagement/directory/roleAssignments?$filter=principalId eq '{principal id}'
GET /roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '{roleDefinition id}'
To list role assignments for the entitlement management provider:
GET /roleManagement/entitlementManagement/roleAssignments?$filter=principalId eq '{principal id}'
GET /roleManagement/entitlementManagement/roleAssignments?$filter=roleDefinitionId eq '{roleDefinition id}'
GET /roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/{catalog id}'
Query parameters
This operation requires the $filter query parameter. You can filter on the roleDefinitionId, principalId or appScopeId properties. The roleDefinitionId property can be either a role object ID or a role template object ID. The $expand query parameter is also supported on principal. For general information, see OData query parameters.
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token} |
Request body
Do not supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a collection of unifiedRoleAssignment objects in the response body.
Examples
Example 1: Request using $filter on role definition ID and expand principal
Request
The following is an example of the request.
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'&$expand=principal
Response
The following is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignments(principal())",
"value": [
{
"id": "lAPpYvVpN0KRkAEhdxReEMmO4KwRqtpKkUWt3wOYIz4-1",
"principalId": "ace08ec9-aa11-4ada-9145-addf0398233e",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"principal": {
"@odata.type": "#microsoft.graph.user",
"id": "ace08ec9-aa11-4ada-9145-addf0398233e",
"deletedDateTime": null,
"accountEnabled": true,
"ageGroup": null,
"businessPhones": [],
"city": "Redmond",
"createdDateTime": "2019-02-22T20:29:07Z",
"creationType": null,
"companyName": null,
"consentProvidedForMinor": null,
"country": "US",
"department": "Office of the CEO",
"displayName": "Joey Cruz",
"employeeId": null,
"faxNumber": null,
"givenName": "Joey",
"imAddresses": [
"joeyc@woodgrove.ms"
],
"infoCatalogs": [],
"isResourceAccount": null,
"jobTitle": "Chief Security Officer",
"legalAgeGroupClassification": null,
"mail": "joeyc@woodgrove.ms",
"mailNickname": "joeyc",
"mobilePhone": null,
"onPremisesDistinguishedName": null,
"officeLocation": null,
"userType": "Member",
}
},
{
"id": "lAPpYvVpN0KRkAEhdxReEC6Xh29-LklLmYDrOIi9z-E-1",
"principalId": "6f87972e-2e7e-4b49-9980-eb3888bdcfe1",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"principal": {
"@odata.type": "#microsoft.graph.user",
"id": "6f87972e-2e7e-4b49-9980-eb3888bdcfe1",
"deletedDateTime": null,
"accountEnabled": true,
"ageGroup": null,
"businessPhones": [],
"city": null,
"createdDateTime": "2019-07-18T01:38:36Z",
"creationType": "Invitation",
"companyName": null,
"consentProvidedForMinor": null,
"country": null,
"department": null,
"displayName": "Kalyan Krishna",
"employeeId": null,
"faxNumber": null,
"givenName": null,
"imAddresses": [],
"userType": "Guest",
}
},
{
"id": "lAPpYvVpN0KRkAEhdxReEMgc_BA2rIZBuZsM-BSqLdU-1",
"principalId": "10fc1cc8-ac36-4186-b99b-0cf814aa2dd5",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"principal": {
"@odata.type": "#microsoft.graph.user",
"id": "10fc1cc8-ac36-4186-b99b-0cf814aa2dd5",
"deletedDateTime": null,
"accountEnabled": true,
"ageGroup": null,
"businessPhones": [],
"city": null,
"createdDateTime": "2019-11-13T21:54:27Z",
"creationType": "Invitation",
"companyName": null,
"consentProvidedForMinor": null,
"country": null,
"department": null,
"displayName": "Markie Downing",
"employeeId": null,
"faxNumber": null,
"givenName": null,
"imAddresses": [],
"userType": "Guest",
}
}
]
}
Example 2: Request using a filter on principal ID
Request
The following is an example of the request.
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter = principalId eq 'f1847572-48aa-47aa-96a3-2ec61904f41f'
Response
The following is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignments",
"value": [
{
"id": "lAPpYvVpN0KRkAEhdxReEHJ1hPGqSKpHlqMuxhkE9B8-1",
"principalId": "f1847572-48aa-47aa-96a3-2ec61904f41f",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"
},
{
"id": "LJnv8vs6uUa3z6Em7nTEUXJ1hPGqSKpHlqMuxhkE9B8-1",
"principalId": "f1847572-48aa-47aa-96a3-2ec61904f41f",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
}
]
}
Example 3: Request using $filter for role assignments on an access package catalog and expand principal
Request
The following is an example of the request.
GET https://graph.microsoft.com/beta/roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/4cee616b-fdf9-4890-9d10-955e0ccb12bc'&$expand=principal
Response
The following is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignments",
"value": [
{
"id": "900633fe-2508-4b13-a561-a15e320ad35f",
"principalId": "39228473-522e-4533-88cc-a9553180cb99",
"roleDefinitionId": "ae79f266-94d4-4dab-b730-feca7e132178",
"appScopeId": "/AccessPackageCatalog/4cee616b-fdf9-4890-9d10-955e0ccb12bc",
"principal": {
"@odata.type": "#microsoft.graph.user",
"id": "39228473-522e-4533-88cc-a9553180cb99"
}
}
]
}
Feedback
Submit and view feedback for