unifiedRolePermission resource type

Namespace: microsoft.graph

Represents a collection of allowed resource actions and the conditions that must be met for the action to be allowed. Resource actions are tasks that can be performed on a resource. For example, an application resource may support create, update, delete, and reset password actions.

Properties

Property Type Description
allowedResourceActions String collection Set of tasks that can be performed on a resource. Required.
condition String Optional constraints that must be met for the permission to be effective. Not supported for custom roles.
excludedResourceActions String collection Set of tasks that may not be performed on a resource. Not yet supported.

allowedResourceActions property

The following is the schema for resource actions:

{Namespace}/{Entity}/{PropertySet}/{Action}  

For example: microsoft.directory/applications/credentials/update.

  • {Namespace} - The services that exposes the task. For example, all tasks in Microsoft Entra ID use the namespace microsoft.directory.
  • {Entity} - The logical features or components exposed by the service in Microsoft Graph. For example, applications, servicePrincipals, or groups.
  • {PropertySet} - Optional. The specific properties or aspects of the entity for which access is being granted. For example, microsoft.directory/applications/authentication/read grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Microsoft Entra ID. The following are reserved names for common property sets:
    • allProperties - Designates all properties of the entity, including privileged properties. Examples include microsoft.directory/applications/allProperties/read and microsoft.directory/applications/allProperties/update.
    • basic - Designates common read properties but excludes privileged ones. For example, microsoft.directory/applications/basic/update includes the ability to update standard properties like display name.
    • standard - Designates common update properties but excludes privileged ones. For example, microsoft.directory/applications/standard/read.
  • {Actions} - The operations being granted. In most circumstances, permissions should be expressed in terms of CRUD operations or allTasks. Actions include:
    • create - The ability to create a new instance of the entity.
    • read - The ability to read a given property set (including allProperties).
    • update - The ability to update a given property set (including allProperties).
    • delete - The ability to delete a given entity.
    • allTasks - Represents all CRUD operations (create, read, update, and delete).

condition property

Conditions define constraints that must be met. For example, a requirement that the principal be an owner of the target resource. The following are the supported conditions:

  • Self: "@Subject.objectId == @Resource.objectId"
  • Owner: "@Subject.objectId Any_of @Resource.owners"

The following is an example of a role permission with a condition that the principal be the owner of the target resource.

"rolePermissions": [
        {
            "allowedResourceActions": [
                "microsoft.directory/applications/basic/update",
                "microsoft.directory/applications/credentials/update"
            ],
            "condition":  "@Subject.objectId Any_of @Resource.owners"
        }
    ]

Conditions aren't supported for custom roles.

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.unifiedRolePermission",
  "allowedResourceActions": ["String"],
  "excludedResourceActions": ["String"],
  "condition": "String"
}