unifiedRoleDefinition: assignedPrincipals
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Get the list of security principals (users, groups, and service principals) that are assigned to a specific role for different scopes either directly or transitively. You can use the $count query parameter to also get the count.
This API is supported for the directory (Microsoft Entra ID) provider only.
To list the direct and transitive role assignments for a specific principal, use the List transitiveRoleAssignments API.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | RoleManagement.Read.Directory | Directory.Read.All, RoleManagement.ReadWrite.Directory |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | RoleManagement.Read.Directory | Directory.Read.All, RoleManagement.ReadWrite.Directory |
Important
In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation:
- Directory Readers
- Global Reader
- Privileged Role Administrator
Important
When an application queries a relationship that returns a directoryObject type collection, if it doesn't have permission to read a certain resource type, members of that type are returned but with limited information. For example, only the @odata.type property for the object type and the id is returned, while other properties are indicated as null. With this behavior, applications can request the least privileged permissions they need, rather than rely on the set of Directory.* permissions. For details, see Limited information returned for inaccessible member objects.
HTTP request
GET /roleManagement/directory/roleDefinitions/{unifiedRoleDefinitionId}/assignedPrincipals(transitive=@transitive,directoryScopeType='@directoryScopeType',directoryScopeId='@directoryScopeId')
Function parameters
In the request URL, provide the following query parameters with values. The following table shows the parameters that can be used with this function.
| Parameter | Type | Description |
|---|---|---|
| transitive | Boolean | Indicates whether to include principals assigned through group membership (direct or transitive). false by default. |
| directoryScopeType | String | The directory scope to get assigned principals for. Supported values are tenant, administrativeUnit, and resource. |
| directoryScopeId | String | ID of the directory scope to get assigned principals for. By default, all scopes are considered. |
You can also combine all the supported function parameters in one request for fine-grained results.
Example query patterns for directoryScopeType
| Scope | Query | Supported for |
|---|---|---|
| All scopes | /assignedPrincipals(transitive={true | false}) |
All roles |
| Tenant scope | /assignedPrincipals(directoryScopeType='tenant', transitive={true | false}) |
All roles |
| All administrative unit scopes | /assignedPrincipals(directoryScopeType='administrativeUnit', transitive={true | false}) |
Directory roles |
| Specific administrative unit scope | /assignedPrincipals(directoryScopeType='administrativeUnit', directoryScopeId ='{roleDefinitionId | templateId}', transitive={true | false}) |
Directory roles |
| All resource scopes | /assignedPrincipals(directoryScopeType='resource', transitive={true | false}) |
Directory roles |
| Specific resource scope | /assignedPrincipals(directoryScopeType='resource', directoryScopeId ='{roleDefinitionId | templateId}', transitive={true | false}) |
Directory roles |
Optional query parameters
This method supports the $count, $select, $filter, and $orderby OData query parameters to help customize the response. You can also filter by the type of object using OData casting. For example, /assignedPrincipals(transitive=false)/microsoft.graph.user and /assignedPrincipals(transitive=true)/microsoft.graph.servicePrincipal/$count. For general information, see OData query parameters.
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| ConsistencyLevel | eventual. Required. For more information about the use of ConsistencyLevel, see Advanced query capabilities on directory objects. |
Request body
Don't supply a request body for this method.
Response
If successful, this function returns a 200 OK response code and a directoryObject collection in the response body.
Examples
For the examples in this section, consider the following role assignment scenario. A user named User1 has both direct and transitive role assignments as follows:
| User | Group | Role | Scope |
|---|---|---|---|
User16c62e70d-f5f5-4b9d-9eea-ed517ed9341f |
Role1 | Scope1 | |
User16c62e70d-f5f5-4b9d-9eea-ed517ed9341f |
Role1 | Scope2 | |
Group186b38db7-6e8b-4ad2-b2aa-ced7f09486c1(User1 is a member) |
Role1 | Scope1 | |
Group2182351a6-d974-4d18-88ae-8a148da44cd2(User1 is a member) |
Role1 | Scope1 | |
Group3b93d5379-a464-4db5-b8e1-694910f1e11e(User2 is a member) (User3 is a member) |
Role1 | Scope3 |
- User1 is assigned the Role1 role directly at Scope1 scope.
- User1 is assigned the Role1 role directly at Scope2 scope.
- User1 is member of the Group1 group and Group1 is assigned the Role1 role at Scope1 scope.
- User1 is member of the Group2 group and Group2 is assigned the Role1 role at Scope1 scope.
- User2 is member of the Group3 group and Group3 is assigned the Role1 role at Scope3 scope.
- User3 is member of the Group3 group and Group3 is assigned the Role1 role at Scope3 scope.
Example 1: Get a count of direct and transitive assigned principals for all scopes
Request
GET https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/644ef478-e28f-4e28-b9dc-3fdde9aa0b1f/assignedPrincipals(transitive=true)/$count
Response
The above request returns a count of 6 representing the following role assignments:
- Two direct role assignments to User1 at Scope1 and Scope2
- Two transitive role assignments to User1 through Group1 and Group2
- Two transitive role assignments to User 2 and User3 through Group3.
HTTP/1.1 200 OK
Content-type: text/plain
6
Based on the same scenario, the following examples show the counts that are returned for each query pattern:
| Example | Count |
|---|---|
/assignedPrincipals(transitive=false)/$count |
4 (User1, Group1, Group2, Group3) |
/assignedPrincipals(transitive=false)/microsoft.graph.user/$count |
1 (User1) |
/assignedPrincipals(transitive=true)/microsoft.graph.user/$count |
3 (User1, User2, User3) |
/assignedPrincipals(transitive=false)/microsoft.graph.group/$count |
3 (Group1, Group2, Group3) |
/assignedPrincipals(transitive=true)/microsoft.graph.group/$count |
3 (Group1, Group2, Group3) |
Example 2: Get directly assigned principals for a specific administrative unit scope and directory role
Request
GET https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/644ef478-e28f-4e28-b9dc-3fdde9aa0b1f/assignedPrincipals(directoryScopeType='administrativeUnit', directoryScopeId ='d0c2e067-9ae9-4dbf-a280-51a51c46f432')
Response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#directoryObjects",
"value": [
{
"@odata.type": "#microsoft.graph.user",
"id": "6c62e70d-f5f5-4b9d-9eea-ed517ed9341f"
}
]
}
Example 3: Get directly assigned principals for all scopes
Request
GET https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/644ef478-e28f-4e28-b9dc-3fdde9aa0b1f/assignedPrincipals
Response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#directoryObjects",
"value": [
{
"@odata.type": "#microsoft.graph.user",
"id": "6c62e70d-f5f5-4b9d-9eea-ed517ed9341f",
"displayName": null,
"userPrincipalName": null
},
{
"@odata.type": "#microsoft.graph.group",
"id": "86b38db7-6e8b-4ad2-b2aa-ced7f09486c1",
"displayName": "Group1"
},
{
"@odata.type": "#microsoft.graph.group",
"id": "182351a6-d974-4d18-88ae-8a148da44cd2",
"displayName": "Group2"
},
{
"@odata.type": "#microsoft.graph.group",
"id": "b93d5379-a464-4db5-b8e1-694910f1e11e",
"displayName": "Group3"
}
]
}
Example 4: Get directly assigned users only for a tenant-wide scope
Request
GET https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/644ef478-e28f-4e28-b9dc-3fdde9aa0b1f/assignedPrincipals(directoryScopeType='tenant')/microsoft.graph.user
Response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#users",
"value": [
{
"id": "6c62e70d-f5f5-4b9d-9eea-ed517ed9341f",
"displayName": null,
"userPrincipalName": null
}
]
}
Example 5: Get directly assigned principals and inline count
The following example gets the directly assigned principals and displays an inline count.
Request
GET https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/644ef478-e28f-4e28-b9dc-3fdde9aa0b1f/assignedPrincipals?$count=true
Response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#directoryObjects",
"@odata.count": 4,
"value": [
{
"@odata.type": "#microsoft.graph.user",
"id": "6c62e70d-f5f5-4b9d-9eea-ed517ed9341f",
"displayName": null,
"userPrincipalName": null
},
{
"@odata.type": "#microsoft.graph.group",
"id": "86b38db7-6e8b-4ad2-b2aa-ced7f09486c1",
"displayName": "Group1"
},
{
"@odata.type": "#microsoft.graph.group",
"id": "182351a6-d974-4d18-88ae-8a148da44cd2",
"displayName": "Group2"
},
{
"@odata.type": "#microsoft.graph.group",
"id": "b93d5379-a464-4db5-b8e1-694910f1e11e",
"displayName": "Group3"
}
]
}