Get unifiedRoleManagementPolicyRule
02/02/2024
Namespace: microsoft.graph
Retrieve a rule or settings defined for a role management policy. The rule can be one of the following types that are derived from the unifiedRoleManagementPolicyRule object:
This API is available in the following national cloud deployments.

Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet
✅ | ✅ | ✅ | ✅
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
For PIM for Microsoft Entra roles
Permission type | Permissions (from least to most privileged)
Delegated (work or school account) | RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory
Delegated (personal Microsoft account) | Not supported.
Application | RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All, RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory
For delegated scenarios, the signed-in user must also be assigned at least one of the following Microsoft Entra roles:
For read operations: Global Reader, Security Operator, Security Reader, Security Administrator, or Privileged Role Administrator
For write operations: Privileged Role Administrator
For PIM for groups
Permission type | Permissions (from least to most privileged)
Delegated (work or school account) | RoleManagementPolicy.Read.AzureADGroup, RoleManagementPolicy.ReadWrite.AzureADGroup
Delegated (personal Microsoft account) | Not supported.
Application | RoleManagementPolicy.Read.AzureADGroup, RoleManagementPolicy.ReadWrite.AzureADGroup
HTTP request
To retrieve a rule defined for a policy for either Microsoft Entra roles or PIM for groups membership and ownership:
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Optional query parameters
This method supports some of the OData query parameters to help customize the response. For general information, see OData query parameters.
Request body
Don't supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a unifiedRoleManagementPolicyRule object in the response body.
Examples
Example 1: Retrieve a rule defined for a policy in PIM for Microsoft Entra roles
Request
GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448/rules/Expiration_Admin_Eligibility
C#
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.RoleManagementPolicies["{unifiedRoleManagementPolicy-id}"].Rules["{unifiedRoleManagementPolicyRule-id}"].GetAsync();
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
CLI
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc policies role-management-policies rules get --unified-role-management-policy-id {unifiedRoleManagementPolicy-id} --unified-role-management-policy-rule-id {unifiedRoleManagementPolicyRule-id}
Go
import (
    "context"
    msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
    //other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
// The endpoint returns a single rule, not a collection.
rule, err := graphClient.Policies().RoleManagementPolicies().ByUnifiedRoleManagementPolicyId("unifiedRoleManagementPolicy-id").Rules().ByUnifiedRoleManagementPolicyRuleId("unifiedRoleManagementPolicyRule-id").Get(context.Background(), nil)
if err != nil {
    // handle the error returned by Graph before using rule
}
Java
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleManagementPolicyRule result = graphClient.policies().roleManagementPolicies().byUnifiedRoleManagementPolicyId("{unifiedRoleManagementPolicy-id}").rules().byUnifiedRoleManagementPolicyRuleId("{unifiedRoleManagementPolicyRule-id}").get();
JavaScript
const options = {
    authProvider,
};
const client = Client.init(options);
let unifiedRoleManagementPolicyRule = await client.api('/policies/roleManagementPolicies/DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448/rules/Expiration_Admin_Eligibility')
    .get();
PHP
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$result = $graphServiceClient->policies()->roleManagementPolicies()->byUnifiedRoleManagementPolicyId('unifiedRoleManagementPolicy-id')->rules()->byUnifiedRoleManagementPolicyRuleId('unifiedRoleManagementPolicyRule-id')->get()->wait();
PowerShell
Import-Module Microsoft.Graph.Identity.SignIns
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -UnifiedRoleManagementPolicyRuleId $unifiedRoleManagementPolicyRuleId
Python
from msgraph import GraphServiceClient
graph_client = GraphServiceClient(credentials, scopes)
result = await graph_client.policies.role_management_policies.by_unified_role_management_policy_id('unifiedRoleManagementPolicy-id').rules.by_unified_role_management_policy_rule_id('unifiedRoleManagementPolicyRule-id').get()
Response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicies('DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448')/rules/$entity",
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
    "id": "Expiration_Admin_Eligibility",
    "isExpirationRequired": false,
    "maximumDuration": "P365D",
    "target": {
        "caller": "Admin",
        "operations": [
            "all"
        ],
        "level": "Eligibility",
        "inheritableSettings": [],
        "enforcedSettings": []
    }
}
Example 2: Retrieve a rule defined for a policy in PIM for groups
Request
The following example retrieves a role management policy rule with ID Expiration_Admin_Eligibility.
GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/Group_60bba733-f09d-49b7-8445-32369aa066b3_f21b26d9-9ff9-4af1-b1d4-bddf28591369/rules/Expiration_Admin_Eligibility
C#
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.RoleManagementPolicies["{unifiedRoleManagementPolicy-id}"].Rules["{unifiedRoleManagementPolicyRule-id}"].GetAsync();
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
CLI
// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc policies role-management-policies rules get --unified-role-management-policy-id {unifiedRoleManagementPolicy-id} --unified-role-management-policy-rule-id {unifiedRoleManagementPolicyRule-id}
Go
import (
    "context"
    msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
    //other-imports
)
graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)
// The endpoint returns a single rule, not a collection.
rule, err := graphClient.Policies().RoleManagementPolicies().ByUnifiedRoleManagementPolicyId("unifiedRoleManagementPolicy-id").Rules().ByUnifiedRoleManagementPolicyRuleId("unifiedRoleManagementPolicyRule-id").Get(context.Background(), nil)
if err != nil {
    // handle the error returned by Graph before using rule
}
Java
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleManagementPolicyRule result = graphClient.policies().roleManagementPolicies().byUnifiedRoleManagementPolicyId("{unifiedRoleManagementPolicy-id}").rules().byUnifiedRoleManagementPolicyRuleId("{unifiedRoleManagementPolicyRule-id}").get();
JavaScript
const options = {
    authProvider,
};
const client = Client.init(options);
let unifiedRoleManagementPolicyRule = await client.api('/policies/roleManagementPolicies/Group_60bba733-f09d-49b7-8445-32369aa066b3_f21b26d9-9ff9-4af1-b1d4-bddf28591369/rules/Expiration_Admin_Eligibility')
    .get();
PHP
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$result = $graphServiceClient->policies()->roleManagementPolicies()->byUnifiedRoleManagementPolicyId('unifiedRoleManagementPolicy-id')->rules()->byUnifiedRoleManagementPolicyRuleId('unifiedRoleManagementPolicyRule-id')->get()->wait();
PowerShell
Import-Module Microsoft.Graph.Identity.SignIns
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -UnifiedRoleManagementPolicyRuleId $unifiedRoleManagementPolicyRuleId
Python
from msgraph import GraphServiceClient
graph_client = GraphServiceClient(credentials, scopes)
result = await graph_client.policies.role_management_policies.by_unified_role_management_policy_id('unifiedRoleManagementPolicy-id').rules.by_unified_role_management_policy_rule_id('unifiedRoleManagementPolicyRule-id').get()
Response
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/roleManagementPolicies('Group_60bba733-f09d-49b7-8445-32369aa066b3_f21b26d9-9ff9-4af1-b1d4-bddf28591369')/rules/$entity",
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
    "id": "Expiration_Admin_Eligibility",
    "isExpirationRequired": true,
    "maximumDuration": "P365D",
    "target": {
        "caller": "Admin",
        "operations": [
            "All"
        ],
        "level": "Eligibility",
        "inheritableSettings": [],
        "enforcedSettings": []
    }
}
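The two responses above differ in one security-relevant field: in Example 1 isExpirationRequired is false, so the Admin caller may create eligibility that never expires, while in Example 2 expiration is required. The following Python script is an added example, not part of this reference page or of the Graph SDKs; it builds the request URL from the scope-prefixed policy id shape seen in both examples, parses the ISO 8601 maximumDuration value, and audits an expiration rule against a hypothetical baseline (rule_url, duration_hours, audit_expiration_rule and the Finding type are all assumptions made here). The sample rule bodies are constructed inline from the two responses above, so nothing is fetched live.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Constructed sample input: the two rule bodies shown in the responses above
# (the @odata.context line is omitted; the checks below do not need it).
SAMPLE_RULES = [
    json.loads("""
    {
      "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
      "id": "Expiration_Admin_Eligibility",
      "isExpirationRequired": false,
      "maximumDuration": "P365D",
      "target": {"caller": "Admin", "operations": ["all"], "level": "Eligibility",
                 "inheritableSettings": [], "enforcedSettings": []}
    }"""),
    json.loads("""
    {
      "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
      "id": "Expiration_Admin_Eligibility",
      "isExpirationRequired": true,
      "maximumDuration": "P365D",
      "target": {"caller": "Admin", "operations": ["All"], "level": "Eligibility",
                 "inheritableSettings": [], "enforcedSettings": []}
    }"""),
]

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Policy ids in the examples are "<scope>_<guid>_<guid>" with scope DirectoryRole or Group.
POLICY_ID = re.compile(rf"^(DirectoryRole|Group)_{GUID}_{GUID}$")
# ISO 8601 duration subset used by maximumDuration, e.g. P365D or PT8H.
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def rule_url(policy_id: str, rule_id: str) -> str:
    """Build the GET URL for one rule of one policy (hypothetical helper),
    rejecting policy ids that do not follow the shape seen in the examples."""
    if not POLICY_ID.match(policy_id):
        raise ValueError(f"unexpected policy id: {policy_id!r}")
    return f"{GRAPH_BASE}/policies/roleManagementPolicies/{policy_id}/rules/{rule_id}"


def duration_hours(value: str) -> float:
    """Convert a maximumDuration value such as 'P365D' into hours."""
    m = ISO_DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return days * 24 + hours + minutes / 60


@dataclass
class Finding:
    rule_id: str
    severity: str
    message: str


def audit_expiration_rule(rule: dict, max_eligibility_days: int = 365) -> list[Finding]:
    """Evaluate one expiration rule against a hypothetical baseline: assignments
    must expire, and eligibility may last at most max_eligibility_days.
    Rules of any other @odata.type produce no findings."""
    if rule.get("@odata.type") != "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule":
        return []
    findings: list[Finding] = []
    rule_id = rule.get("id", "<unknown>")
    target = rule.get("target", {})
    level, caller = target.get("level"), target.get("caller")
    if not rule.get("isExpirationRequired", False):
        # Without a required expiration the caller may create permanent assignments;
        # treat this as worse for active (Assignment) than for eligible (Eligibility) access.
        severity = "high" if level == "Assignment" else "medium"
        findings.append(Finding(rule_id, severity,
                                f"{caller} {level} assignments are allowed to be permanent"))
    limit_hours = duration_hours(rule.get("maximumDuration", "PT0M"))
    if level == "Eligibility" and limit_hours > max_eligibility_days * 24:
        findings.append(Finding(rule_id, "low",
                                f"maximum eligibility of {limit_hours / 24:.0f} days exceeds baseline"))
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_RULES:
        for f in audit_expiration_rule(sample):
            print(f"{f.severity.upper():6} {f.rule_id}: {f.message}")
```

Run against the two samples, the script reports one medium finding for the Example 1 rule and nothing for the Example 2 rule. In a real audit the rule bodies would come from the GET request documented above (one call per policy and rule id), and the baseline values in audit_expiration_rule would be set to whatever your organisation requires.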