unifiedRoleAssignment resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

A unifiedRoleAssignment is used to grant access to resources. It represents a role definition assigned to a principal (typically a user) at a particular scope.

Providing either a directoryScopeId or an appScopeId is required.

Methods

| Method | Return Type | Description |
|---|---|---|
| List unifiedRoleAssignment | unifiedRoleAssignment | Read a list of unifiedRoleAssignment objects and their properties. |
| List transitiveRoleAssignments | unifiedRoleAssignment collection | Get direct and transitive unifiedRoleAssignments assigned to a specific principal. Specifying principalId is required. |
| Get unifiedRoleAssignment | unifiedRoleAssignment | Read the properties and relationships of a unifiedRoleAssignment object. |
| Create unifiedRoleAssignment | unifiedRoleAssignment | Create a new unifiedRoleAssignment by posting to the roleAssignment collection. |
| Delete unifiedRoleAssignment | None | Delete a unifiedRoleAssignment object. |

Properties

| Property | Type | Description |
|---|---|---|
| id | String | The unique identifier for the unifiedRoleAssignment. Key, not nullable, Read-only. |
| roleDefinitionId | String | Identifier of the unifiedRoleDefinition the assignment is for. Read-only. Supports $filter (eq operator only). |
| principalId | String | Identifier of the principal to which the assignment is granted. Supports $filter (eq operator only). |
| directoryScopeId | String | Identifier of the directory object representing the scope of the assignment. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. App scopes are scopes that are defined and understood by this application only. |
| appScopeId | String | Identifier of the app specific scope when the assignment scope is app specific. The scope of an assignment determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. App scopes are scopes that are defined and understood by this application only. For the entitlement management provider, use app scopes to specify a catalog, for example /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997. |
| resourceScope | String | The scope at which the unifiedRoleAssignment applies. This is / for service-wide. DO NOT USE. This property will be deprecated soon. |

Relationships

| Relationship | Type | Description |
|---|---|---|
| appScope | appScope | Details of the app specific scope when the assignment scope is app specific. Containment entity. |
| directoryScope | directoryObject | The directory object that is the scope of the assignment. Provided so that callers can get the directory object using $expand at the same time as getting the role assignment. Read-only. Supports $expand. |
| principal | directoryObject | The assigned principal. Provided so that callers can get the principal using $expand at the same time as getting the role assignment. Read-only. Supports $expand. |
| roleDefinition | unifiedRoleDefinition | The roleDefinition the assignment is for. Provided so that callers can get the role definition using $expand at the same time as getting the role assignment. roleDefinition.id will be auto expanded. Supports $expand. |

JSON representation

The following is a JSON representation of the resource.

{
  "id": "String (identifier)",
  "roleDefinitionId": "String",
  "roleDefinition": {"@odata.type": "microsoft.graph.unifiedRoleDefinition"},
  "principalId": "String",
  "principal": {"@odata.type": "microsoft.graph.directoryObject"},
  "directoryScopeId": "String",
  "directoryScope": {"@odata.type": "microsoft.graph.directoryObject"},
  "appScopeId": "String",
  "appScope": {"@odata.type": "microsoft.graph.appScope"},
  "resourceScope": "String"
}
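
The following is an added example, not part of the Microsoft Graph documentation: a Python sketch that reviews unifiedRoleAssignment objects for the scope properties described above, flagging tenant-wide (`/`) scopes, assignments with neither scope property set, and use of resourceScope. The function names and the sample data are assumptions made for illustration; every identifier in the sample is a constructed placeholder except the catalog path quoted on this page.

```python
import json

# Constructed sample shaped like a "List unifiedRoleAssignment" response body.
# Every identifier is a placeholder except the catalog path quoted on this page.
SAMPLE = json.loads("""{"value": [
 {"id": "a1", "roleDefinitionId": "role-placeholder-1", "principalId": "user-placeholder-1",
  "directoryScopeId": "/"},
 {"id": "a2", "roleDefinitionId": "role-placeholder-1", "principalId": "user-placeholder-2",
  "directoryScopeId": "/administrativeUnits/au-placeholder-1"},
 {"id": "a3", "roleDefinitionId": "role-placeholder-2", "principalId": "user-placeholder-2",
  "appScopeId": "/AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997"},
 {"id": "a4", "roleDefinitionId": "role-placeholder-3", "principalId": "user-placeholder-3",
  "resourceScope": "/"}
]}""")

def classify_scope(assignment):
    """Return the kind of scope an assignment carries."""
    directory_scope = assignment.get("directoryScopeId")
    app_scope = assignment.get("appScopeId")
    if not directory_scope and not app_scope:
        return "missing-scope"      # neither required scope property is set
    if directory_scope == "/" or app_scope == "/":
        return "tenant-wide"        # "/" grants the role across the whole tenant
    return "directory" if directory_scope else "app"

def review(assignments):
    """Map assignment id -> list of findings worth a reviewer's attention."""
    findings = {}
    for a in assignments:
        notes = []
        kind = classify_scope(a)
        if kind == "tenant-wide":
            notes.append("tenant-wide scope")
        elif kind == "missing-scope":
            notes.append("no directoryScopeId or appScopeId")
        if a.get("resourceScope") is not None:
            notes.append("uses resourceScope, which the page marks DO NOT USE")
        if notes:
            findings[a["id"]] = notes
    return findings

def principal_filter(principal_id):
    """Build the $filter for one principal; the page lists only eq as supported."""
    return "$filter=principalId eq '{}'".format(principal_id.replace("'", "''"))

if __name__ == "__main__":
    for assignment_id, notes in review(SAMPLE["value"]).items():
        print(assignment_id, "; ".join(notes))
```

The same `review` function can be run over the result of List transitiveRoleAssignments for a single principal to see which of that principal's direct and inherited assignments are tenant-wide.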