unifiedRoleManagementAlert resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents the details of a security alert in Privileged Identity Management (PIM) for Microsoft Entra roles. The alert information includes the related alert definition, configuration, and incident collection in the tenant.

Each security alert in PIM for Microsoft Entra roles is of one of several types described in Get security alerts for Microsoft Entra roles. You can list details of the actual incidents of an alert using the incidents relationship. An alert and its related incidents are always of the same type. For example, an alert about too many global administrators in the tenant relates to incidents of the type tooManyGlobalAdminsAssignedToTenantAlertIncident.

Inherits from entity.

For more information about working with security alerts for Microsoft Entra roles using PIM APIs, see Manage security alerts for Microsoft Entra roles using PIM APIs in Microsoft Graph.

Methods

Method Return type Description
List unifiedRoleManagementAlert collection Get a list of the unifiedRoleManagementAlert objects and their properties.
Get unifiedRoleManagementAlert Read the properties and relationships of an unifiedRoleManagementAlert object.
Update unifiedRoleManagementAlert Update the properties of an unifiedRoleManagementAlert object.
Refresh None Refresh incidents on all alerts or on a single alert for Privileged Identity Management (PIM) for Microsoft Entra roles.
Get long running operation None Get the status of the refresh operation if it returned a Location object.

Properties

Property Type Description
alertDefinitionId String The identifier of an alert definition. Supports $filter (eq, ne).
id String The identifier of the alert configuration. Inherited from entity.
incidentCount Int32 The number of incidents triggered in the tenant and relating to the alert. Can only be a positive integer.
isActive Boolean false by default. true if the alert is active.
lastModifiedDateTime DateTimeOffset The date time when the alert configuration was updated or new incidents generated.
lastScannedDateTime DateTimeOffset The date time when the tenant was last scanned for incidents that trigger this alert.
scopeId String The identifier of the scope where the alert is related. / is the only supported one for the tenant. Supports $filter (eq, ne).
scopeType String The type of scope where the alert is created. DirectoryRole is the only currently supported scope type for Microsoft Entra roles.

Relationships

Relationship Type Description
alertConfiguration unifiedRoleManagementAlertConfiguration The configuration of the alert in PIM for Microsoft Entra roles. Alert configurations are pre-defined and cannot be created or deleted, but some configurations can be modified. Supports $filter for the isEnabled property and $expand.
alertDefinition unifiedRoleManagementAlertDefinition Contains the description, impact, and measures to mitigate or prevent the security alert from being triggered in your tenant. Supports $expand.
alertIncidents unifiedRoleManagementAlertIncident collection Represents the incidents of this type of alert that have been triggered in Privileged Identity Management (PIM) for Microsoft Entra roles in the tenant. Supports $expand.

The following JSON representation shows the resource type. The following is a JSON representation of the resource.

{
  "@odata.type": "#microsoft.graph.unifiedRoleManagementAlert",
  "id": "String (identifier)",
  "alertDefinitionId": "String",
  "scopeId": "String",
  "scopeType": "String",
  "incidentCount": "Integer",
  "isActive": "Boolean",
  "lastModifiedDateTime": "String (timestamp)",
  "lastScannedDateTime": "String (timestamp)"
}