Edit

Share via

Create unifiedRoleAssignmentMultiple

  • Article

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Create a new unifiedRoleAssignmentMultiple object for an RBAC provider.

The following RBAC providers are currently supported:

  • Cloud PC
  • device management (Intune)

For other Microsoft 365 applications (like Microsoft Entra ID), use unifiedRoleAssignment.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

The following tables show the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

For Cloud PC provider

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) CloudPC.ReadWrite.All DeviceManagementRBAC.ReadWrite.All
Delegated (personal Microsoft account) Not supported. Not supported.
Application CloudPC.ReadWrite.All DeviceManagementRBAC.ReadWrite.All

For Device management (Intune) provider

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) CloudPC.ReadWrite.All DeviceManagementRBAC.ReadWrite.All
Delegated (personal Microsoft account) Not supported. Not supported.
Application CloudPC.ReadWrite.All DeviceManagementRBAC.ReadWrite.All

HTTP request

To create role assignment for a Cloud PC provider:

POST /roleManagement/cloudPC/roleAssignments

To create role assignment for an Intune provider:

POST /roleManagement/deviceManagement/roleAssignments

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-type application/json. Required.

Request body

In the request body, supply a JSON representation of unifiedRoleAssignmentMultiple object. The request must have either a scope defined in Microsoft Entra ID, such as directoryScopeIds, or an application-specific scope, such as appScopeId. Examples of Microsoft Entra scope are tenant ("/"), administrative units, or applications.

Response

If successful, this method returns a 201 Created response code and a new unifiedRoleAssignmentMultiple object in the response body.

Examples

Example 1: Create a role assignment in Intune over two scope groups (which are Microsoft Entra objects)

Request

The following example shows a request.

Note: the use of the roleTemplateId for roleDefinitionId. roleDefinitionId can be either the service-wide template ID or the directory-specific roleDefinitionId.

POST https://graph.microsoft.com/beta/roleManagement/deviceManagement/roleAssignments
Content-type: application/json

{ 
    "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
    "displayName": "My test role assignment 1",
    "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
    "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"],
    "directoryScopeIds": ["28ca5a85-489a-49a0-b555-0a6d81e56f0d", "8152656a-cf9a-4928-a457-1512d4cae295"],
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/deviceManagement/roleAssignments/$entity",
    "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
    "id": "28ca5a85-489a-49a0-b555-0a6d81e56f0d",
    "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
    "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"],
    "directoryScopeIds": ["28ca5a85-489a-49a0-b555-0a6d81e56f0d", "8152656a-cf9a-4928-a457-1512d4cae295"]
}

Example 2: Create a role assignment in Intune at Intune-specific scope of "all Devices"

Use the following information for creating Intune role assignments:

  • To allow assignments over all Intune devices, use the AllDevices value in appScopeIds.
  • To allow assignments over all Intune licensed users, use the AllLicensedUsers value in appScopeIds.
  • To allow assignments over all Intune devices and licensed users, use the / value in directoryScopeIds.

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/roleManagement/deviceManagement/roleAssignments
Content-type: application/json

{
    "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
    "displayName": "My test role assignment 1",
    "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
    "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"],
    "appScopeIds": ["allDevices"]
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/deviceManagement/roleAssignments/$entity",
    "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
    "id": "28ca5a85-489a-49a0-b555-0a6d81e56f0d",
    "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
    "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"],
    "appScopeIds": ["allDevices"]
}

Example 3: Create a role assignment for a Cloud PC provider

Request

POST https://graph.microsoft.com/beta/roleManagement/cloudPC/roleAssignments
Content-type: application/json

{ 
    "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
    "displayName": "My test role assignment 1",
    "description": "My role assignment description",
    "roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
    "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"]
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability. All the properties will be returned from an actual call.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/cloudPC/roleAssignments/$entity",
    "id": "47c88dcd-cc79-4b0c-ba7d-7af2199649c5",
    "displayName": "My role assignment",
    "description": "My role assignment description",
    "roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
    "principalIds": [
        "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
        "c1518aa9-4da5-4c84-a902-a31404023890"
    ],
    "directoryScopeIds": [
        "/"
    ],
    "appScopeIds": []
}