unifiedRolePermission resource type
Namespace: microsoft.graph
Important: APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents a collection of allowed resource actions and the conditions that must be met for the action to be effective. Resource actions are tasks that can be performed on a resource. For example, the application resource supports create, update, delete, and reset password resource actions.
Properties
Property | Type | Description |
---|---|---|
allowedResourceActions | String collection | Set of tasks that can be performed on a resource. |
condition | String | Optional constraints that must be met for the permission to be effective. Not supported for custom roles. |
allowedResourceActions property
The following is the schema for resource actions:
`{Namespace}/{Entity}/{PropertySet}/{Action}`
For example: `microsoft.directory/applications/credentials/update`.
- {Namespace} - The service that exposes the task. For example, all tasks in Microsoft Entra ID use the namespace `microsoft.directory`.
- {Entity} - The logical features or components exposed by the service in Microsoft Graph. For example, `applications`, `servicePrincipals`, or `groups`.
- {PropertySet} - Optional. The specific properties or aspects of the entity for which access is being granted. For example, `microsoft.directory/applications/authentication/read` grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Microsoft Entra ID. The following are reserved names for common property sets:
  - `allProperties` - Designates all properties of the entity, including privileged properties. Examples include `microsoft.directory/applications/allProperties/read` and `microsoft.directory/applications/allProperties/update`.
  - `basic` - Designates common read properties but excludes privileged ones. For example, `microsoft.directory/applications/basic/update` includes the ability to update standard properties like display name.
  - `standard` - Designates common update properties but excludes privileged ones. For example, `microsoft.directory/applications/standard/read`.
- {Actions} - The operations being granted. In most circumstances, permissions should be expressed in terms of CRUD operations or `allTasks`. Actions include:
  - `create` - The ability to create a new instance of the entity.
  - `read` - The ability to read a given property set (including `allProperties`).
  - `update` - The ability to update a given property set (including `allProperties`).
  - `delete` - The ability to delete a given entity.
  - `allTasks` - Represents all CRUD operations (create, read, update, and delete).
condition property
Conditions define constraints that must be met. For example, a requirement that the principal be an "owner" of the target. The following are the supported conditions:
- Self: "$ResourceIsSelf"
- Owner: "$SubjectIsOwner"
The following is an example of a role permission with a condition.

```json
"rolePermissions": [
  {
    "allowedResourceActions": [
      "microsoft.directory/applications/basic/update",
      "microsoft.directory/applications/credentials/update"
    ],
    "condition": "$SubjectIsOwner"
  }
]
```
Conditions aren't supported for custom roles.
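The following added example (not from the Microsoft Graph documentation) shows how a reviewer might check a rolePermission entry offline: it parses allowedResourceActions strings against the `{Namespace}/{Entity}/{PropertySet}/{Action}` schema, rejects unknown conditions and conditions on custom roles, and evaluates whether a permission grants a requested action given the caller's owner/self context. Treating `allProperties` as spanning every property set and `allTasks` as spanning every CRUD verb is a simplifying assumption of this example, not a statement about the directory's own evaluation logic.

```python
CRUD = {"create", "read", "update", "delete"}
CONDITIONS = {"$ResourceIsSelf", "$SubjectIsOwner"}

def parse_action(text):
    """Split {Namespace}/{Entity}/{PropertySet}/{Action} into a 4-tuple, validating the verb."""
    parts = text.split("/")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"malformed resource action: {text!r}")
    if parts[3] not in CRUD and parts[3] != "allTasks":
        raise ValueError(f"unknown action {parts[3]!r} in {text!r}")
    return tuple(parts)

def action_covers(granted, requested):
    """True if the granted action includes the requested one.
    Assumption: allProperties spans every property set, allTasks every CRUD verb."""
    g_ns, g_ent, g_props, g_act = parse_action(granted)
    r_ns, r_ent, r_props, r_act = parse_action(requested)
    if (g_ns, g_ent) != (r_ns, r_ent):
        return False
    return g_props in ("allProperties", r_props) and g_act in ("allTasks", r_act)

def validate_permission(perm, custom_role=False):
    """Reject malformed actions, unknown conditions, and conditions on custom roles."""
    for action in perm["allowedResourceActions"]:
        parse_action(action)
    cond = perm.get("condition")
    if cond is not None and cond not in CONDITIONS:
        raise ValueError(f"unsupported condition {cond!r}")
    if cond is not None and custom_role:
        raise ValueError("conditions aren't supported for custom roles")

def permission_allows(perm, requested, *, subject_is_owner=False, resource_is_self=False):
    """Evaluate one rolePermission entry against a requested action and caller context."""
    validate_permission(perm)
    cond = perm.get("condition")
    if cond == "$SubjectIsOwner" and not subject_is_owner:
        return False
    if cond == "$ResourceIsSelf" and not resource_is_self:
        return False
    return any(action_covers(g, requested) for g in perm["allowedResourceActions"])

# Constructed sample: the owner-conditioned permission shown on this page.
OWNER_PERMISSION = {
    "allowedResourceActions": [
        "microsoft.directory/applications/basic/update",
        "microsoft.directory/applications/credentials/update",
    ],
    "condition": "$SubjectIsOwner",
}
```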
Relationships
None.
JSON representation
The following JSON representation shows the resource type.

```json
{
  "allowedResourceActions": ["String"],
  "condition": "String"
}
```
Related content
- Administrator role permissions in Microsoft Entra - For information about permissions for built-in directory roles.
- Application registration subtypes and permissions in Microsoft Entra ID - For information about permissions that are available for custom directory roles.