Se requiere uno de los siguientes permisos para llamar a esta API. Para obtener más información, incluido cómo elegir permisos, vea Permisos.
Para el proveedor de directorios (Id. de Microsoft Entra)
Tipo de permiso
Permisos (de menos a más privilegiados)
Delegado (cuenta profesional o educativa)
RoleManagement.ReadWrite.Directory
Delegado (cuenta personal de Microsoft)
No admitida.
Aplicación
RoleManagement.ReadWrite.Directory
En escenarios delegados con cuentas profesionales o educativas, al usuario que ha iniciado sesión se le debe asignar un rol de Microsoft Entra compatible o un rol personalizado con el permiso de microsoft.directory/roleAssignments/allProperties/allTasks rol.
Privileged Role Administrator es el rol con privilegios mínimos admitido para esta operación.
Para el proveedor de administración de derechos
Tipo de permiso
Permisos (de menos a más privilegiados)
Delegado (cuenta profesional o educativa)
EntitlementManagement.ReadWrite.All
Delegado (cuenta personal de Microsoft)
No admitida.
Aplicación
EntitlementManagement.ReadWrite.All
Solicitud HTTP
Cree una asignación de roles para el proveedor de directorios:
POST /roleManagement/directory/roleAssignments
Cree una asignación de roles para el proveedor de administración de derechos:
POST /roleManagement/entitlementManagement/roleAssignments
En el cuerpo de la solicitud, proporcione una representación JSON de un objeto unifiedRoleAssignment .
Puede especificar las siguientes propiedades al crear un unifiedRoleAssignment.
Propiedad
Tipo
Descripción
appScopeId
Cadena
Obligatorio. Identificador del ámbito específico de la aplicación cuando el ámbito de asignación es específico de la aplicación. El ámbito de una asignación determina el conjunto de recursos a los que se ha concedido acceso a la entidad de seguridad. Los ámbitos de aplicación son ámbitos definidos y entendidos solo por una aplicación de recursos.
Para el proveedor de administración de derechos, use esta propiedad para especificar un catálogo, por ejemplo /AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997.
Se deben especificar appScopeId o directoryScopeId .
directoryScopeId
Cadena
Obligatorio. Identificador del objeto de directorio que representa el ámbito de la asignación. El ámbito de una asignación determina el conjunto de recursos a los que se ha concedido acceso a la entidad de seguridad. Los ámbitos de directorio son ámbitos compartidos almacenados en el directorio que entienden varias aplicaciones, a diferencia de los ámbitos de aplicación definidos y entendidos solo por una aplicación de recursos.
Para el proveedor de directorios (Microsoft Entra ID), esta propiedad admite los siguientes formatos:
/ para el ámbito de todo el inquilino
/administrativeUnits/{administrativeunit-ID} para limitar a una unidad administrativa
/{application-objectID} para limitar a una aplicación de recursos
Para el proveedor de administración de derechos, / para el ámbito de todo el inquilino. Para establecer el ámbito de un catálogo de paquetes de acceso, use la propiedad appScopeId .
Se deben especificar appScopeId o directoryScopeId .
principalId
Cadena
Obligatorio. Identificador de la entidad de seguridad a la que se concede la asignación.
roleDefinitionId
Cadena
Identificador de unifiedRoleDefinition para el que se realiza la asignación. Solo lectura. Admite $filter (eq, in).
Respuesta
Si se ejecuta correctamente, este método devuelve un 201 Created código de respuesta y un nuevo objeto unifiedRoleAssignment en el cuerpo de la respuesta.
Ejemplos
Ejemplo 1: Creación de una asignación de roles con ámbito de inquilino
Solicitud
En el ejemplo siguiente se muestra la solicitud. Tenga en cuenta el uso del roleTemplateId para roleDefinitionId. roleDefinitionId puede ser el identificador de plantilla de todo el servicio o el roleDefinitionId específico del directorio.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new UnifiedRoleAssignment
{
OdataType = "#microsoft.graph.unifiedRoleAssignment",
RoleDefinitionId = "c2cf284d-6c41-4e6b-afac-4b80928c9034",
PrincipalId = "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
DirectoryScopeId = "/",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleAssignments.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleAssignment()
roleDefinitionId := "c2cf284d-6c41-4e6b-afac-4b80928c9034"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
principalId := "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"
requestBody.SetPrincipalId(&principalId)
directoryScopeId := "/"
requestBody.SetDirectoryScopeId(&directoryScopeId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignments, err := graphClient.RoleManagement().Directory().RoleAssignments().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleAssignment unifiedRoleAssignment = new UnifiedRoleAssignment();
unifiedRoleAssignment.setOdataType("#microsoft.graph.unifiedRoleAssignment");
unifiedRoleAssignment.setRoleDefinitionId("c2cf284d-6c41-4e6b-afac-4b80928c9034");
unifiedRoleAssignment.setPrincipalId("f8ca5a85-489a-49a0-b555-0a6d81e56f0d");
unifiedRoleAssignment.setDirectoryScopeId("/");
UnifiedRoleAssignment result = graphClient.roleManagement().directory().roleAssignments().post(unifiedRoleAssignment);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.unified_role_assignment import UnifiedRoleAssignment
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleAssignment(
odata_type = "#microsoft.graph.unifiedRoleAssignment",
role_definition_id = "c2cf284d-6c41-4e6b-afac-4b80928c9034",
principal_id = "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
directory_scope_id = "/",
)
result = await graph_client.role_management.directory.role_assignments.post(request_body)
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new UnifiedRoleAssignment
{
OdataType = "#microsoft.graph.unifiedRoleAssignment",
RoleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1",
PrincipalId = "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
DirectoryScopeId = "/administrativeUnits/5d107bba-d8e2-4e13-b6ae-884be90e5d1a",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleAssignments.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleAssignment()
roleDefinitionId := "fe930be7-5e62-47db-91af-98c3a49a38b1"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
principalId := "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"
requestBody.SetPrincipalId(&principalId)
directoryScopeId := "/administrativeUnits/5d107bba-d8e2-4e13-b6ae-884be90e5d1a"
requestBody.SetDirectoryScopeId(&directoryScopeId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignments, err := graphClient.RoleManagement().Directory().RoleAssignments().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleAssignment unifiedRoleAssignment = new UnifiedRoleAssignment();
unifiedRoleAssignment.setOdataType("#microsoft.graph.unifiedRoleAssignment");
unifiedRoleAssignment.setRoleDefinitionId("fe930be7-5e62-47db-91af-98c3a49a38b1");
unifiedRoleAssignment.setPrincipalId("f8ca5a85-489a-49a0-b555-0a6d81e56f0d");
unifiedRoleAssignment.setDirectoryScopeId("/administrativeUnits/5d107bba-d8e2-4e13-b6ae-884be90e5d1a");
UnifiedRoleAssignment result = graphClient.roleManagement().directory().roleAssignments().post(unifiedRoleAssignment);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.unified_role_assignment import UnifiedRoleAssignment
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleAssignment(
odata_type = "#microsoft.graph.unifiedRoleAssignment",
role_definition_id = "fe930be7-5e62-47db-91af-98c3a49a38b1",
principal_id = "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
directory_scope_id = "/administrativeUnits/5d107bba-d8e2-4e13-b6ae-884be90e5d1a",
)
result = await graph_client.role_management.directory.role_assignments.post(request_body)
Ejemplo 3: Creación de una asignación de roles con ámbito de aplicación
Solicitud
En el ejemplo siguiente se asigna a una entidad de seguridad el rol Administrador de aplicaciones en el ámbito de la aplicación. El identificador de objeto del registro de la aplicación es 661e1310-bd76-4795-89a7-8f3c8f855bfc.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new UnifiedRoleAssignment
{
OdataType = "#microsoft.graph.unifiedRoleAssignment",
PrincipalId = "6b937a9d-c731-465b-a844-2d5b5368c161",
RoleDefinitionId = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
DirectoryScopeId = "/661e1310-bd76-4795-89a7-8f3c8f855bfc",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleAssignments.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleAssignment()
principalId := "6b937a9d-c731-465b-a844-2d5b5368c161"
requestBody.SetPrincipalId(&principalId)
roleDefinitionId := "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
directoryScopeId := "/661e1310-bd76-4795-89a7-8f3c8f855bfc"
requestBody.SetDirectoryScopeId(&directoryScopeId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignments, err := graphClient.RoleManagement().Directory().RoleAssignments().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleAssignment unifiedRoleAssignment = new UnifiedRoleAssignment();
unifiedRoleAssignment.setOdataType("#microsoft.graph.unifiedRoleAssignment");
unifiedRoleAssignment.setPrincipalId("6b937a9d-c731-465b-a844-2d5b5368c161");
unifiedRoleAssignment.setRoleDefinitionId("9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3");
unifiedRoleAssignment.setDirectoryScopeId("/661e1310-bd76-4795-89a7-8f3c8f855bfc");
UnifiedRoleAssignment result = graphClient.roleManagement().directory().roleAssignments().post(unifiedRoleAssignment);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.unified_role_assignment import UnifiedRoleAssignment
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleAssignment(
odata_type = "#microsoft.graph.unifiedRoleAssignment",
principal_id = "6b937a9d-c731-465b-a844-2d5b5368c161",
role_definition_id = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
directory_scope_id = "/661e1310-bd76-4795-89a7-8f3c8f855bfc",
)
result = await graph_client.role_management.directory.role_assignments.post(request_body)
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new UnifiedRoleAssignment
{
PrincipalId = "679a9213-c497-48a4-830a-8d3d25d94ddc",
RoleDefinitionId = "ae79f266-94d4-4dab-b730-feca7e132178",
AppScopeId = "/AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.EntitlementManagement.RoleAssignments.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleAssignment()
principalId := "679a9213-c497-48a4-830a-8d3d25d94ddc"
requestBody.SetPrincipalId(&principalId)
roleDefinitionId := "ae79f266-94d4-4dab-b730-feca7e132178"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
appScopeId := "/AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997"
requestBody.SetAppScopeId(&appScopeId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignments, err := graphClient.RoleManagement().EntitlementManagement().RoleAssignments().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleAssignment unifiedRoleAssignment = new UnifiedRoleAssignment();
unifiedRoleAssignment.setPrincipalId("679a9213-c497-48a4-830a-8d3d25d94ddc");
unifiedRoleAssignment.setRoleDefinitionId("ae79f266-94d4-4dab-b730-feca7e132178");
unifiedRoleAssignment.setAppScopeId("/AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997");
UnifiedRoleAssignment result = graphClient.roleManagement().entitlementManagement().roleAssignments().post(unifiedRoleAssignment);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\UnifiedRoleAssignment;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new UnifiedRoleAssignment();
$requestBody->setPrincipalId('679a9213-c497-48a4-830a-8d3d25d94ddc');
$requestBody->setRoleDefinitionId('ae79f266-94d4-4dab-b730-feca7e132178');
$requestBody->setAppScopeId('/AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997');
$result = $graphServiceClient->roleManagement()->entitlementManagement()->roleAssignments()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.unified_role_assignment import UnifiedRoleAssignment
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleAssignment(
principal_id = "679a9213-c497-48a4-830a-8d3d25d94ddc",
role_definition_id = "ae79f266-94d4-4dab-b730-feca7e132178",
app_scope_id = "/AccessPackageCatalog/beedadfe-01d5-4025-910b-84abb9369997",
)
result = await graph_client.role_management.entitlement_management.role_assignments.post(request_body)