Update delegatedAdminRelationship

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Update the properties of a delegatedAdminRelationship object.

The following restrictions apply:

  • You can update this relationship when its status property is created.
  • You can update the autoExtendDuration property when status is either created or active.
  • You can only remove the Microsoft Entra Global Administrator role when the status property is active, which indicates a long-running operation.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) DelegatedAdminRelationship.ReadWrite.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application DelegatedAdminRelationship.ReadWrite.All Not available.

Important

To call this API using application permissions, you must provision the service principal identified by appId 2832473f-ec63-45fb-976f-5d45a7d4bb91 and named Partner Customer Delegated Administration in the partner tenant. To provision the service principal in the partner tenant, call the Create servicePrincipal API.

HTTP request

PATCH /tenantRelationships/delegatedAdminRelationships/{delegatedAdminRelationshipId}

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
If-Match If-match: {etag}. Last known ETag value for the delegatedAdminRelationship to be updated. Retrieve the ETag value from a LIST or GET operation. Required.
Content-Type application/json. Required.

Request body

In the request body, supply only the values for properties to update. Existing properties that aren't included in the request body maintain their previous values or are recalculated based on changes to other property values.

The following table specifies the properties that can be updated.

Property Type Description
accessDetails delegatedAdminAccessDetails The identifiers of the administrative roles that the partner requests or has access to in the customer tenant.
autoExtendDuration Duration The duration by which the validity of the relationship is automatically extended, denoted in ISO 8601 format. Supported values are: P0D, PT0S, P180D. The default value is PT0S. PT0S indicates that the relationship expires when the endDateTime is reached and it isn't automatically extended.
customer delegatedAdminRelationshipCustomerParticipant The display name and unique identifier of the customer of the relationship.
displayName String The display name of the relationship used for ease of identification. Must be unique across all delegated admin relationships of the partner. Maximum length is 50 characters.
duration Duration The duration of the relationship in ISO 8601 format. Must be a value between P1D and P2Y inclusive.

Response

If successful, this method returns either a 200 OK or a 202 Accepted response code. The response body contains a delegatedAdminRelationship object when the response is 200 OK.

Response headers

Name Description
Content-Type application/json.
Location The location of the long-running operation.
Retry-After The time after which a subsequent API call can be made to the Location URL to check the status of the long-running operation.

This method returns a 202 Accepted response if you remove the Microsoft Entra Global Administrator role from the relationship while its status property is active. The response includes a URL in the Location header that you can use to monitor the operation's progress.

If you don't supply the template ID that corresponds to the Microsoft Entra Global Administrator role in the unifiedRoles array in the accessDetails property of the request body, then the API returns 200 OK and the original delegatedAdminRelationship object in the response body.

Examples

Request

The following example shows the request.

PATCH https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/5d027261-d21f-4aa9-b7db-7fa1f56fb163-8777b240-c6f0-4469-9e98-a3205431b836
If-Match: W/"JyI0NzAwNjg0NS0wMDAwLTE5MDAtMDAwMC02MGY0Yjg4MzAwMDAiJw=="
Content-Type: application/json

{
  "displayName": "Updated Contoso admin relationship",
  "duration": "P31D",
  "customer": {
    "tenantId": "52eaad04-13a2-4a2f-9ce8-93a294fadf36"
  },
  "accessDetails": {
    "unifiedRoles": [
      {
        "roleDefinitionId": "44367163-eba1-44c3-98af-f5787879f96a"
      },
      {
        "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"
      },
      {
        "roleDefinitionId": "69091246-20e8-4a56-aa4d-066075b2a7a8"
      },
      {
        "roleDefinitionId": "3a2c62db-5318-420d-8d74-23affee5d9d5"
      }
    ]
  },
  "autoExtendDuration": "P180D"
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.delegatedAdminRelationship",
  "@odata.context": "https://graph.microsoft.com/beta/tenantRelationships/$metadata#delegatedAdminRelationships/$entity",
  "@odata.etag": "W/\"JyIwMzAwZTM0ZS0wMDAwLTAyMDAtMDAwMC02MTRjZjI1YzAwMDAiJw==\"",
  "id": "5d027261-d21f-4aa9-b7db-7fa1f56fb163-8777b240-c6f0-4469-9e98-a3205431b836",
  "displayName": "Updated Contoso admin relationship",
  "duration": "P31D",
  "status": "created",
  "createdDateTime": "2022-02-10T11:24:42.3148266Z",
  "lastModifiedDateTime": "2022-02-10T11:26:44.9941884Z",
  "customer": {
    "tenantId": "52eaad04-13a2-4a2f-9ce8-93a294fadf36"
  },
  "accessDetails": {
    "unifiedRoles": [
      {
        "roleDefinitionId": "44367163-eba1-44c3-98af-f5787879f96a"
      },
      {
        "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"
      },
      {
        "roleDefinitionId": "69091246-20e8-4a56-aa4d-066075b2a7a8"
      },
      {
        "roleDefinitionId": "3a2c62db-5318-420d-8d74-23affee5d9d5"
      }
    ]
  },
  "autoExtendDuration": "P180D"
}

The following is an example response that returns a 202 Accepted response code along with Location and Retry-After headers.

HTTP/1.1 202 Accepted
Location: https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/5e5594d3-6f82-458b-b567-77db4811f0cd-00000000-0000-0000-0000-000000001234/operations/d8dbb27b-7fe7-4523-a3df-f766355fe0f2
Retry-After: 10
Content-Type: application/json

{
}