Update-MgPolicyRoleManagementPolicyRule
Update a rule defined for a role management policy.
The rule can be one of the following types that are derived from the unifiedRoleManagementPolicyRule object: For more information about rules for Microsoft Entra roles and examples of updating rules, see the following articles:
Syntax
UpdateExpanded (Default)
Update-MgPolicyRoleManagementPolicyRule
-UnifiedRoleManagementPolicyId <String>
-UnifiedRoleManagementPolicyRuleId <String>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-Id <String>]
[-Target <IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget>]
[-Headers <IDictionary>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update
Update-MgPolicyRoleManagementPolicyRule
-UnifiedRoleManagementPolicyId <String>
-UnifiedRoleManagementPolicyRuleId <String>
-BodyParameter <IMicrosoftGraphUnifiedRoleManagementPolicyRule>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
UpdateViaIdentityExpanded
Update-MgPolicyRoleManagementPolicyRule
-InputObject <IIdentitySignInsIdentity>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-Id <String>]
[-Target <IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget>]
[-Headers <IDictionary>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
UpdateViaIdentity
Update-MgPolicyRoleManagementPolicyRule
-InputObject <IIdentitySignInsIdentity>
-BodyParameter <IMicrosoftGraphUnifiedRoleManagementPolicyRule>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Update a rule defined for a role management policy.
The rule can be one of the following types that are derived from the unifiedRoleManagementPolicyRule object: For more information about rules for Microsoft Entra roles and examples of updating rules, see the following articles:
Permissions
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory,
Delegated (personal Microsoft account)
Not supported
Application
Not supported
Examples
Example 1: Update a rule defined for a policy in PIM for Microsoft Entra roles
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
id = "Expiration_EndUser_Assignment"
isExpirationRequired = $true
maximumDuration = "PT1H45M"
target = @{
"@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
caller = "EndUser"
operations = @(
"All"
)
level = "Assignment"
inheritableSettings = @(
)
enforcedSettings = @(
)
}
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -UnifiedRoleManagementPolicyRuleId $unifiedRoleManagementPolicyRuleId -BodyParameter $params
This example will update a rule defined for a policy in pim for microsoft entra roles
Example 2: Update a rule defined for a policy in PIM for groups
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
id = "Expiration_EndUser_Assignment"
isExpirationRequired = $true
maximumDuration = "PT1H45M"
target = @{
caller = "EndUser"
operations = @(
"All"
)
level = "Assignment"
inheritableSettings = @(
)
enforcedSettings = @(
)
}
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -UnifiedRoleManagementPolicyRuleId $unifiedRoleManagementPolicyRuleId -BodyParameter $params
This example will update a rule defined for a policy in pim for groups
Parameters
-AdditionalProperties
Additional Parameters
Parameter properties
Type: Hashtable
Default value: None Supports wildcards: False DontShow: False
Parameter sets
UpdateExpanded
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
UpdateViaIdentityExpanded
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-BodyParameter
unifiedRoleManagementPolicyRule
To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
Parameter properties
Type: IMicrosoftGraphUnifiedRoleManagementPolicyRule
Default value: None Supports wildcards: False DontShow: False
Parameter sets
Update
Position: Named Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
UpdateViaIdentity
Position: Named Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: cf
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
Optional headers that will be added to the request.
Type: IDictionary
Default value: None Supports wildcards: False DontShow: False
(All)
Position: Named Mandatory: False Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
-Id
The unique identifier for an entity.
Read-only.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
UpdateExpanded
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
UpdateViaIdentityExpanded
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
Identity Parameter
To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
Type: IIdentitySignInsIdentity
Default value: None Supports wildcards: False DontShow: False
UpdateViaIdentityExpanded
Position: Named Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
UpdateViaIdentity
Position: Named Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
Optional Response Headers Variable.
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: RHV
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Target
unifiedRoleManagementPolicyRuleTarget
To construct, see NOTES section for TARGET properties and create a hash table.
Parameter properties
Type: IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget
Default value: None Supports wildcards: False DontShow: False
Parameter sets
UpdateExpanded
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
UpdateViaIdentityExpanded
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-UnifiedRoleManagementPolicyId
The unique identifier of unifiedRoleManagementPolicy
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
UpdateExpanded
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
Update
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-UnifiedRoleManagementPolicyRuleId
The unique identifier of unifiedRoleManagementPolicyRule
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
UpdateExpanded
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
Update
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: wi
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
Microsoft.Graph.PowerShell.Models.IIdentitySignInsIdentity
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphUnifiedRoleManagementPolicyRule
System.Collections.IDictionary
Outputs
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphUnifiedRoleManagementPolicyRule
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties.
For information on hash tables, run Get-Help about_Hash_Tables.
BODYPARAMETER <IMicrosoftGraphUnifiedRoleManagementPolicyRule>: unifiedRoleManagementPolicyRule
[(Any) <Object>]: This indicates any property can be added to this object.[Id <String>]: The unique identifier for an entity.
Read-only.[Target <IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget>]: unifiedRoleManagementPolicyRuleTarget
[(Any) <Object>]: This indicates any property can be added to this object.[Caller <String>]: The type of caller that's the target of the policy rule.
Allowed values are: None, Admin, EndUser.[EnforcedSettings <String- []>]: The list of role settings that are enforced and cannot be overridden by child scopes.
Use All for all settings.[InheritableSettings <String- []>]: The list of role settings that can be inherited by child scopes.
Use All for all settings.[Level <String>]: The role assignment type that's the target of policy rule.
Allowed values are: Eligibility, Assignment.[Operations <String- []>]: The role management operations that are the target of the policy rule.
Allowed values are: All, Activate, Deactivate, Assign, Update, Remove, Extend, Renew.[TargetObjects <IMicrosoftGraphDirectoryObject- []>]:
[Id <String>]: The unique identifier for an entity.
Read-only.[DeletedDateTime <DateTime?>]: Date and time when this object was deleted.
Always null when the object hasn't been deleted.
INPUTOBJECT <IIdentitySignInsIdentity>: Identity Parameter
[ActivityBasedTimeoutPolicyId <String>]: The unique identifier of activityBasedTimeoutPolicy[AppManagementPolicyId <String>]: The unique identifier of appManagementPolicy[AuthenticationCombinationConfigurationId <String>]: The unique identifier of authenticationCombinationConfiguration[AuthenticationConditionApplicationAppId <String>]: The unique identifier of authenticationConditionApplication[AuthenticationContextClassReferenceId <String>]: The unique identifier of authenticationContextClassReference[AuthenticationEventListenerId <String>]: The unique identifier of authenticationEventListener[AuthenticationEventsFlowId <String>]: The unique identifier of authenticationEventsFlow[AuthenticationMethodConfigurationId <String>]: The unique identifier of authenticationMethodConfiguration[AuthenticationMethodId <String>]: The unique identifier of authenticationMethod[AuthenticationMethodModeDetailId <String>]: The unique identifier of authenticationMethodModeDetail[AuthenticationStrengthPolicyId <String>]: The unique identifier of authenticationStrengthPolicy[B2XIdentityUserFlowId <String>]: The unique identifier of b2xIdentityUserFlow[BitlockerRecoveryKeyId <String>]: The unique identifier of bitlockerRecoveryKey[CertificateBasedAuthConfigurationId <String>]: The unique identifier of certificateBasedAuthConfiguration[ClaimsMappingPolicyId <String>]: The unique identifier of claimsMappingPolicy[ConditionalAccessPolicyId <String>]: The unique identifier of conditionalAccessPolicy[ConditionalAccessTemplateId <String>]: The unique identifier of conditionalAccessTemplate[CrossTenantAccessPolicyConfigurationPartnerTenantId <String>]: The unique identifier of crossTenantAccessPolicyConfigurationPartner[CustomAuthenticationExtensionId <String>]: The unique identifier of customAuthenticationExtension[DataPolicyOperationId <String>]: The unique identifier of dataPolicyOperation[DirectoryObjectId <String>]: The unique identifier of directoryObject[EmailAuthenticationMethodId <String>]: The unique identifier of emailAuthenticationMethod[FeatureRolloutPolicyId <String>]: The unique identifier of featureRolloutPolicy[Fido2AuthenticationMethodId <String>]: The unique identifier of fido2AuthenticationMethod[HomeRealmDiscoveryPolicyId <String>]: The unique identifier of homeRealmDiscoveryPolicy[IdentityApiConnectorId <String>]: The unique identifier of identityApiConnector[IdentityProviderBaseId <String>]: The unique identifier of identityProviderBase[IdentityProviderId <String>]: The unique identifier of identityProvider[IdentityUserFlowAttributeAssignmentId <String>]: The unique identifier of identityUserFlowAttributeAssignment[IdentityUserFlowAttributeId <String>]: The unique identifier of identityUserFlowAttribute[LongRunningOperationId <String>]: The unique identifier of longRunningOperation[MicrosoftAuthenticatorAuthenticationMethodId <String>]: The unique identifier of microsoftAuthenticatorAuthenticationMethod[MultiTenantOrganizationMemberId <String>]: The unique identifier of multiTenantOrganizationMember[NamedLocationId <String>]: The unique identifier of namedLocation[OAuth2PermissionGrantId <String>]: The unique identifier of oAuth2PermissionGrant[OrganizationId <String>]: The unique identifier of organization[PasswordAuthenticationMethodId <String>]: The unique identifier of passwordAuthenticationMethod[PermissionGrantConditionSetId <String>]: The unique identifier of permissionGrantConditionSet[PermissionGrantPolicyId <String>]: The unique identifier of permissionGrantPolicy[PhoneAuthenticationMethodId <String>]: The unique identifier of phoneAuthenticationMethod[RiskDetectionId <String>]: The unique identifier of riskDetection[RiskyServicePrincipalHistoryItemId <String>]: The unique identifier of riskyServicePrincipalHistoryItem[RiskyServicePrincipalId <String>]: The unique identifier of riskyServicePrincipal[RiskyUserHistoryItemId <String>]: The unique identifier of riskyUserHistoryItem[RiskyUserId <String>]: The unique identifier of riskyUser[ServicePrincipalRiskDetectionId <String>]: The unique identifier of servicePrincipalRiskDetection[SoftwareOathAuthenticationMethodId <String>]: The unique identifier of softwareOathAuthenticationMethod[TemporaryAccessPassAuthenticationMethodId <String>]: The unique identifier of temporaryAccessPassAuthenticationMethod[ThreatAssessmentRequestId <String>]: The unique identifier of threatAssessmentRequest[ThreatAssessmentResultId <String>]: The unique identifier of threatAssessmentResult[TokenIssuancePolicyId <String>]: The unique identifier of tokenIssuancePolicy[TokenLifetimePolicyId <String>]: The unique identifier of tokenLifetimePolicy[UnifiedRoleManagementPolicyAssignmentId <String>]: The unique identifier of unifiedRoleManagementPolicyAssignment[UnifiedRoleManagementPolicyId <String>]: The unique identifier of unifiedRoleManagementPolicy[UnifiedRoleManagementPolicyRuleId <String>]: The unique identifier of unifiedRoleManagementPolicyRule[UserFlowLanguageConfigurationId <String>]: The unique identifier of userFlowLanguageConfiguration[UserFlowLanguagePageId <String>]: The unique identifier of userFlowLanguagePage[UserId <String>]: The unique identifier of user[WindowsHelloForBusinessAuthenticationMethodId <String>]: The unique identifier of windowsHelloForBusinessAuthenticationMethod
TARGET <IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget>: unifiedRoleManagementPolicyRuleTarget
[(Any) <Object>]: This indicates any property can be added to this object.[Caller <String>]: The type of caller that's the target of the policy rule.
Allowed values are: None, Admin, EndUser.[EnforcedSettings <String- []>]: The list of role settings that are enforced and cannot be overridden by child scopes.
Use All for all settings.[InheritableSettings <String- []>]: The list of role settings that can be inherited by child scopes.
Use All for all settings.[Level <String>]: The role assignment type that's the target of policy rule.
Allowed values are: Eligibility, Assignment.[Operations <String- []>]: The role management operations that are the target of the policy rule.
Allowed values are: All, Activate, Deactivate, Assign, Update, Remove, Extend, Renew.[TargetObjects <IMicrosoftGraphDirectoryObject- []>]:
[Id <String>]: The unique identifier for an entity.
Read-only.[DeletedDateTime <DateTime?>]: Date and time when this object was deleted.
Always null when the object hasn't been deleted.