Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Get a list of unifiedRoleAssignmentMultiple objects for an RBAC provider.
The following RBAC providers are currently supported:
- Cloud PC
- device management (Intune)
For other Microsoft 365 applications (like Microsoft Entra ID), use unifiedRoleAssignment.
This API is available in the following national cloud deployments.
| Global service |
US Government L4 |
US Government L5 (DOD) |
China operated by 21Vianet |
| ✅ |
✅ |
✅ |
✅ |
Permissions
The following tables show the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
For Cloud PC provider
| Permission type |
Least privileged permissions |
Higher privileged permissions |
| Delegated (work or school account) |
CloudPC.Read.All |
CloudPC.ReadWrite.All, DeviceManagementRBAC.Read.All, DeviceManagementRBAC.ReadWrite.All |
| Delegated (personal Microsoft account) |
Not supported. |
Not supported. |
| Application |
CloudPC.Read.All |
CloudPC.ReadWrite.All, DeviceManagementRBAC.Read.All, DeviceManagementRBAC.ReadWrite.All |
For Device management (Intune) provider
| Permission type |
Least privileged permissions |
Higher privileged permissions |
| Delegated (work or school account) |
CloudPC.Read.All |
CloudPC.ReadWrite.All, DeviceManagementRBAC.Read.All, DeviceManagementRBAC.ReadWrite.All |
| Delegated (personal Microsoft account) |
Not supported. |
Not supported. |
| Application |
CloudPC.Read.All |
CloudPC.ReadWrite.All, DeviceManagementRBAC.Read.All, DeviceManagementRBAC.ReadWrite.All |
HTTP request
To list role assignments for a Cloud PC provider:
GET /roleManagement/cloudPc/roleAssignments
To list role assignments for an Intune provider:
GET /roleManagement/deviceManagement/roleAssignments
Optional query parameters
You can filter on the roleDefinitionId or principalId properties. The roleDefinitionId property can be either a role object ID or a role template object ID. For general information, see OData query parameters.
Request body
Don't supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a collection of unifiedRoleAssignmentMultiple objects in the response body.
Example
Example 1: List the role assignments for a specific principal for an Intune provider
Request
The following is an example of the request:
GET https://graph.microsoft.com/beta/roleManagement/deviceManagement/roleAssignments?$filter=principalId eq '9e47fc6f-2d7a-464c-944e-d3dd0de522e4'
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.DeviceManagement.RoleAssignments.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "principalId eq '9e47fc6f-2d7a-464c-944e-d3dd0de522e4'";
});
mgc-beta role-management device-management role-assignments list --filter "principalId eq '9e47fc6f-2d7a-464c-944e-d3dd0de522e4'"
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphrolemanagement "github.com/microsoftgraph/msgraph-beta-sdk-go/rolemanagement"
//other-imports
)
requestFilter := "principalId eq '9e47fc6f-2d7a-464c-944e-d3dd0de522e4'"
requestParameters := &graphrolemanagement.DeviceManagementRoleAssignmentsRequestBuilderGetQueryParameters{
Filter: &requestFilter,
}
configuration := &graphrolemanagement.DeviceManagementRoleAssignmentsRequestBuilderGetRequestConfiguration{
QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignments, err := graphClient.RoleManagement().DeviceManagement().RoleAssignments().Get(context.Background(), configuration)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleAssignmentMultipleCollectionResponse result = graphClient.roleManagement().deviceManagement().roleAssignments().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "principalId eq '9e47fc6f-2d7a-464c-944e-d3dd0de522e4'";
});
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\RoleManagement\DeviceManagement\RoleAssignments\RoleAssignmentsRequestBuilderGetRequestConfiguration;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestConfiguration = new RoleAssignmentsRequestBuilderGetRequestConfiguration();
$queryParameters = RoleAssignmentsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "principalId eq '9e47fc6f-2d7a-464c-944e-d3dd0de522e4'";
$requestConfiguration->queryParameters = $queryParameters;
$result = $graphServiceClient->roleManagement()->deviceManagement()->roleAssignments()->get($requestConfiguration)->wait();
Import-Module Microsoft.Graph.Beta.DeviceManagement.Enrollment
Get-MgBetaRoleManagementDeviceManagementRoleAssignment -Filter "principalId eq '9e47fc6f-2d7a-464c-944e-d3dd0de522e4'"
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.role_management.device_management.role_assignments.role_assignments_request_builder import RoleAssignmentsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = RoleAssignmentsRequestBuilder.RoleAssignmentsRequestBuilderGetQueryParameters(
filter = "principalId eq '9e47fc6f-2d7a-464c-944e-d3dd0de522e4'",
)
request_configuration = RequestConfiguration(
query_parameters = query_params,
)
result = await graph_client.role_management.device_management.role_assignments.get(request_configuration = request_configuration)
Response
The following is an example of the response:
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/deviceManagement/roleAssignments/$entity",
"value": [
{
"@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
"id": "lAPpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SGHI-1",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"principalIds[]": ["9e47fc6f-2d7a-464c-944e-d3dd0de522e4", "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"],
"directoryScopeIds[]": ["28ca5a85-489a-49a0-b555-0a6d81e56f0", "8152656a-cf9a-4928-a457-1512d4cae295"]
},
{
"@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
"id": "2BNpYvVpN0KRkAEhdxReEJC2sEqbR_9Hr48lds9SWRD-2",
"roleDefinitionId": "9e47fc6f-2d7a-464c-944e-d3dd0de522e4",
"principalIds[]": ["9e47fc6f-2d7a-464c-944e-d3dd0de522e4", "53a6c08d-0227-41bd-8bc6-2728df6be749", "a4991fe1-6d7c-427c-969b-bda6df78c458"],
"appScopeIds[]": ["28ca5a85-489a-49a0-b555-0a6d81e56f0"]
}
]
}
Example 2: List role assignments for a Cloud PC provider
Request
GET https://graph.microsoft.com/beta/roleManagement/cloudPC/roleAssignments
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.CloudPC.RoleAssignments.GetAsync();
mgc-beta role-management cloud-pc role-assignments list
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignments, err := graphClient.RoleManagement().CloudPC().RoleAssignments().Get(context.Background(), nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleAssignmentMultipleCollectionResponse result = graphClient.roleManagement().cloudPC().roleAssignments().get();
const options = {
authProvider,
};
const client = Client.init(options);
let roleAssignments = await client.api('/roleManagement/cloudPC/roleAssignments')
.version('beta')
.get();
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$result = $graphServiceClient->roleManagement()->cloudPC()->roleAssignments()->get()->wait();
Import-Module Microsoft.Graph.Beta.DeviceManagement.Enrollment
Get-MgBetaRoleManagementCloudPcRoleAssignment
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
result = await graph_client.role_management.cloud_p_c.role_assignments.get()
Response
Note: The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/cloudPC/roleAssignments/$entity",
"value": [
{
"id": "dbe9d288-fd87-41f4-b33d-b498ed207096",
"description": null,
"displayName": "My test role assignment 1",
"roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
"principalIds": [
"8e811502-ebda-4782-8f81-071d17f0f892",
"30e3492f-964c-4d73-88c6-986a53c6e2a0"
],
"directoryScopeIds": [
"/"
],
"appScopeIds": []
},
{
"id": "fad74173-3fe3-4e64-9a80-297bdad2b36e",
"description": null,
"displayName": "My test role assignment 2",
"roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
"principalIds": [
"8e811502-ebda-4782-8f81-071d17f0f892",
],
"directoryScopeIds": [
"/"
],
"appScopeIds": []
}
]
}
Example 3: List role assignments for specific role of a Cloud PC provider
Request
GET https://graph.microsoft.com/beta/roleManagement/cloudPC/roleAssignments?$filter=roleDefinitionId eq 'b5c08161-a7af-481c-ace2-a20a69a48fb1'
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.CloudPC.RoleAssignments.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "roleDefinitionId eq 'b5c08161-a7af-481c-ace2-a20a69a48fb1'";
});
mgc-beta role-management cloud-pc role-assignments list --filter "roleDefinitionId eq 'b5c08161-a7af-481c-ace2-a20a69a48fb1'"
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphrolemanagement "github.com/microsoftgraph/msgraph-beta-sdk-go/rolemanagement"
//other-imports
)
requestFilter := "roleDefinitionId eq 'b5c08161-a7af-481c-ace2-a20a69a48fb1'"
requestParameters := &graphrolemanagement.CloudPCRoleAssignmentsRequestBuilderGetQueryParameters{
Filter: &requestFilter,
}
configuration := &graphrolemanagement.CloudPCRoleAssignmentsRequestBuilderGetRequestConfiguration{
QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignments, err := graphClient.RoleManagement().CloudPC().RoleAssignments().Get(context.Background(), configuration)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleAssignmentMultipleCollectionResponse result = graphClient.roleManagement().cloudPC().roleAssignments().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "roleDefinitionId eq 'b5c08161-a7af-481c-ace2-a20a69a48fb1'";
});
const options = {
authProvider,
};
const client = Client.init(options);
let roleAssignments = await client.api('/roleManagement/cloudPC/roleAssignments')
.version('beta')
.filter('roleDefinitionId eq \'b5c08161-a7af-481c-ace2-a20a69a48fb1\'')
.get();
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\RoleManagement\CloudPC\RoleAssignments\RoleAssignmentsRequestBuilderGetRequestConfiguration;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestConfiguration = new RoleAssignmentsRequestBuilderGetRequestConfiguration();
$queryParameters = RoleAssignmentsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "roleDefinitionId eq 'b5c08161-a7af-481c-ace2-a20a69a48fb1'";
$requestConfiguration->queryParameters = $queryParameters;
$result = $graphServiceClient->roleManagement()->cloudPC()->roleAssignments()->get($requestConfiguration)->wait();
Import-Module Microsoft.Graph.Beta.DeviceManagement.Enrollment
Get-MgBetaRoleManagementCloudPcRoleAssignment -Filter "roleDefinitionId eq 'b5c08161-a7af-481c-ace2-a20a69a48fb1'"
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.role_management.cloud_p_c.role_assignments.role_assignments_request_builder import RoleAssignmentsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = RoleAssignmentsRequestBuilder.RoleAssignmentsRequestBuilderGetQueryParameters(
filter = "roleDefinitionId eq 'b5c08161-a7af-481c-ace2-a20a69a48fb1'",
)
request_configuration = RequestConfiguration(
query_parameters = query_params,
)
result = await graph_client.role_management.cloud_p_c.role_assignments.get(request_configuration = request_configuration)
Response
Note: The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/cloudPC/roleAssignments",
"value": [{
"id": "ed9e247f-f23b-4d72-9e8c-97fa6f385246",
"description": "",
"displayName": "test",
"roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
"principalIds": ["689c9051-77ff-4f14-9b39-3d22de07321a"],
"directoryScopeIds": ["/"],
"appScopeIds": []
}, {
"id": "3d8e564b-761a-4b32-8f50-63d555f7bc00",
"description": "test1",
"displayName": "AssignmentTest",
"roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
"principalIds": ["0ec7855b-4057-4b7c-9217-09ee9bf4dfd7"],
"directoryScopeIds": ["/"],
"appScopeIds": []
}, {
"id": "f36a3269-d03d-4d33-81e7-190bded40ad2",
"description": "",
"displayName": "test3",
"roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
"principalIds": ["e4ea53cf-cdd6-46b5-bf38-570033a0fba3"],
"directoryScopeIds": ["/"],
"appScopeIds": []
}]
}