Update-MgPolicyRoleManagementPolicyRule

Update a rule defined for a role management policy. The rule can be one of the following types that are derived from the unifiedRoleManagementPolicyRule object: For more information about rules for Microsoft Entra roles and examples of updating rules, see the following articles:

Note

To view the beta release of this cmdlet, view Update-MgBetaPolicyRoleManagementPolicyRule

Syntax

Update-MgPolicyRoleManagementPolicyRule
      -UnifiedRoleManagementPolicyId <String>
      -UnifiedRoleManagementPolicyRuleId <String>
      [-ResponseHeadersVariable <String>]
      [-AdditionalProperties <Hashtable>]
      [-Id <String>]
      [-Target <IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget>]
      [-Headers <IDictionary>]
      [-ProgressAction <ActionPreference>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Update-MgPolicyRoleManagementPolicyRule
      -UnifiedRoleManagementPolicyId <String>
      -UnifiedRoleManagementPolicyRuleId <String>
      -BodyParameter <IMicrosoftGraphUnifiedRoleManagementPolicyRule>
      [-ResponseHeadersVariable <String>]
      [-Headers <IDictionary>]
      [-ProgressAction <ActionPreference>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Update-MgPolicyRoleManagementPolicyRule
      -InputObject <IIdentitySignInsIdentity>
      [-ResponseHeadersVariable <String>]
      [-AdditionalProperties <Hashtable>]
      [-Id <String>]
      [-Target <IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget>]
      [-Headers <IDictionary>]
      [-ProgressAction <ActionPreference>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
Update-MgPolicyRoleManagementPolicyRule
      -InputObject <IIdentitySignInsIdentity>
      -BodyParameter <IMicrosoftGraphUnifiedRoleManagementPolicyRule>
      [-ResponseHeadersVariable <String>]
      [-Headers <IDictionary>]
      [-ProgressAction <ActionPreference>]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]

Description

Update a rule defined for a role management policy. The rule can be one of the following types that are derived from the unifiedRoleManagementPolicyRule object: For more information about rules for Microsoft Entra roles and examples of updating rules, see the following articles:

Examples

Example 1: Update a rule defined for a policy in PIM for Microsoft Entra roles

Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
	id = "Expiration_EndUser_Assignment"
	isExpirationRequired = $true
	maximumDuration = "PT1H45M"
	target = @{
		"@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
		caller = "EndUser"
		operations = @(
		"All"
	)
	level = "Assignment"
	inheritableSettings = @(
	)
	enforcedSettings = @(
	)
}
}

Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -UnifiedRoleManagementPolicyRuleId $unifiedRoleManagementPolicyRuleId -BodyParameter $params

This example will update a rule defined for a policy in pim for microsoft entra roles

Example 2: Update a rule defined for a policy in PIM for groups

Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
	id = "Expiration_EndUser_Assignment"
	isExpirationRequired = $true
	maximumDuration = "PT1H45M"
	target = @{
		caller = "EndUser"
		operations = @(
		"All"
	)
	level = "Assignment"
	inheritableSettings = @(
	)
	enforcedSettings = @(
	)
}
}

Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -UnifiedRoleManagementPolicyRuleId $unifiedRoleManagementPolicyRuleId -BodyParameter $params

This example will update a rule defined for a policy in pim for groups

Parameters

-AdditionalProperties

Additional Parameters

Type:Hashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-BodyParameter

unifiedRoleManagementPolicyRule To construct, see NOTES section for BODYPARAMETER properties and create a hash table.

Type:IMicrosoftGraphUnifiedRoleManagementPolicyRule
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Headers

Optional headers that will be added to the request.

Type:IDictionary
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Id

The unique identifier for an entity. Read-only.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-InputObject

Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.

Type:IIdentitySignInsIdentity
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ProgressAction

{{ Fill ProgressAction Description }}

Type:ActionPreference
Aliases:proga
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResponseHeadersVariable

Optional Response Headers Variable.

Type:String
Aliases:RHV
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Target

unifiedRoleManagementPolicyRuleTarget To construct, see NOTES section for TARGET properties and create a hash table.

Type:IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-UnifiedRoleManagementPolicyId

The unique identifier of unifiedRoleManagementPolicy

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-UnifiedRoleManagementPolicyRuleId

The unique identifier of unifiedRoleManagementPolicyRule

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

Microsoft.Graph.PowerShell.Models.IIdentitySignInsIdentity

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphUnifiedRoleManagementPolicyRule

System.Collections.IDictionary

Outputs

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphUnifiedRoleManagementPolicyRule

Notes

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

BODYPARAMETER <IMicrosoftGraphUnifiedRoleManagementPolicyRule>: unifiedRoleManagementPolicyRule

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Id <String>]: The unique identifier for an entity. Read-only.
  • [Target <IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget>]: unifiedRoleManagementPolicyRuleTarget
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [Caller <String>]: The type of caller that's the target of the policy rule. Allowed values are: None, Admin, EndUser.
    • [EnforcedSettings <String- []>]: The list of role settings that are enforced and cannot be overridden by child scopes. Use All for all settings.
    • [InheritableSettings <String- []>]: The list of role settings that can be inherited by child scopes. Use All for all settings.
    • [Level <String>]: The role assignment type that's the target of policy rule. Allowed values are: Eligibility, Assignment.
    • [Operations <String- []>]: The role management operations that are the target of the policy rule. Allowed values are: All, Activate, Deactivate, Assign, Update, Remove, Extend, Renew.
    • [TargetObjects <IMicrosoftGraphDirectoryObject- []>]:
      • [Id <String>]: The unique identifier for an entity. Read-only.
      • [DeletedDateTime <DateTime?>]: Date and time when this object was deleted. Always null when the object hasn't been deleted.

INPUTOBJECT <IIdentitySignInsIdentity>: Identity Parameter

  • [ActivityBasedTimeoutPolicyId <String>]: The unique identifier of activityBasedTimeoutPolicy
  • [AppManagementPolicyId <String>]: The unique identifier of appManagementPolicy
  • [AuthenticationCombinationConfigurationId <String>]: The unique identifier of authenticationCombinationConfiguration
  • [AuthenticationConditionApplicationAppId <String>]: The unique identifier of authenticationConditionApplication
  • [AuthenticationContextClassReferenceId <String>]: The unique identifier of authenticationContextClassReference
  • [AuthenticationEventListenerId <String>]: The unique identifier of authenticationEventListener
  • [AuthenticationEventsFlowId <String>]: The unique identifier of authenticationEventsFlow
  • [AuthenticationMethodConfigurationId <String>]: The unique identifier of authenticationMethodConfiguration
  • [AuthenticationMethodId <String>]: The unique identifier of authenticationMethod
  • [AuthenticationMethodModeDetailId <String>]: The unique identifier of authenticationMethodModeDetail
  • [AuthenticationStrengthPolicyId <String>]: The unique identifier of authenticationStrengthPolicy
  • [B2XIdentityUserFlowId <String>]: The unique identifier of b2xIdentityUserFlow
  • [BitlockerRecoveryKeyId <String>]: The unique identifier of bitlockerRecoveryKey
  • [CertificateBasedAuthConfigurationId <String>]: The unique identifier of certificateBasedAuthConfiguration
  • [ClaimsMappingPolicyId <String>]: The unique identifier of claimsMappingPolicy
  • [ConditionalAccessPolicyId <String>]: The unique identifier of conditionalAccessPolicy
  • [ConditionalAccessTemplateId <String>]: The unique identifier of conditionalAccessTemplate
  • [CrossTenantAccessPolicyConfigurationPartnerTenantId <String>]: The unique identifier of crossTenantAccessPolicyConfigurationPartner
  • [CustomAuthenticationExtensionId <String>]: The unique identifier of customAuthenticationExtension
  • [DataPolicyOperationId <String>]: The unique identifier of dataPolicyOperation
  • [DirectoryObjectId <String>]: The unique identifier of directoryObject
  • [EmailAuthenticationMethodId <String>]: The unique identifier of emailAuthenticationMethod
  • [FeatureRolloutPolicyId <String>]: The unique identifier of featureRolloutPolicy
  • [Fido2AuthenticationMethodId <String>]: The unique identifier of fido2AuthenticationMethod
  • [HomeRealmDiscoveryPolicyId <String>]: The unique identifier of homeRealmDiscoveryPolicy
  • [IdentityApiConnectorId <String>]: The unique identifier of identityApiConnector
  • [IdentityProviderBaseId <String>]: The unique identifier of identityProviderBase
  • [IdentityProviderId <String>]: The unique identifier of identityProvider
  • [IdentityUserFlowAttributeAssignmentId <String>]: The unique identifier of identityUserFlowAttributeAssignment
  • [IdentityUserFlowAttributeId <String>]: The unique identifier of identityUserFlowAttribute
  • [LongRunningOperationId <String>]: The unique identifier of longRunningOperation
  • [MicrosoftAuthenticatorAuthenticationMethodId <String>]: The unique identifier of microsoftAuthenticatorAuthenticationMethod
  • [MultiTenantOrganizationMemberId <String>]: The unique identifier of multiTenantOrganizationMember
  • [NamedLocationId <String>]: The unique identifier of namedLocation
  • [OAuth2PermissionGrantId <String>]: The unique identifier of oAuth2PermissionGrant
  • [OrganizationId <String>]: The unique identifier of organization
  • [PasswordAuthenticationMethodId <String>]: The unique identifier of passwordAuthenticationMethod
  • [PermissionGrantConditionSetId <String>]: The unique identifier of permissionGrantConditionSet
  • [PermissionGrantPolicyId <String>]: The unique identifier of permissionGrantPolicy
  • [PhoneAuthenticationMethodId <String>]: The unique identifier of phoneAuthenticationMethod
  • [RiskDetectionId <String>]: The unique identifier of riskDetection
  • [RiskyServicePrincipalHistoryItemId <String>]: The unique identifier of riskyServicePrincipalHistoryItem
  • [RiskyServicePrincipalId <String>]: The unique identifier of riskyServicePrincipal
  • [RiskyUserHistoryItemId <String>]: The unique identifier of riskyUserHistoryItem
  • [RiskyUserId <String>]: The unique identifier of riskyUser
  • [ServicePrincipalRiskDetectionId <String>]: The unique identifier of servicePrincipalRiskDetection
  • [SoftwareOathAuthenticationMethodId <String>]: The unique identifier of softwareOathAuthenticationMethod
  • [TemporaryAccessPassAuthenticationMethodId <String>]: The unique identifier of temporaryAccessPassAuthenticationMethod
  • [ThreatAssessmentRequestId <String>]: The unique identifier of threatAssessmentRequest
  • [ThreatAssessmentResultId <String>]: The unique identifier of threatAssessmentResult
  • [TokenIssuancePolicyId <String>]: The unique identifier of tokenIssuancePolicy
  • [TokenLifetimePolicyId <String>]: The unique identifier of tokenLifetimePolicy
  • [UnifiedRoleManagementPolicyAssignmentId <String>]: The unique identifier of unifiedRoleManagementPolicyAssignment
  • [UnifiedRoleManagementPolicyId <String>]: The unique identifier of unifiedRoleManagementPolicy
  • [UnifiedRoleManagementPolicyRuleId <String>]: The unique identifier of unifiedRoleManagementPolicyRule
  • [UserFlowLanguageConfigurationId <String>]: The unique identifier of userFlowLanguageConfiguration
  • [UserFlowLanguagePageId <String>]: The unique identifier of userFlowLanguagePage
  • [UserId <String>]: The unique identifier of user
  • [WindowsHelloForBusinessAuthenticationMethodId <String>]: The unique identifier of windowsHelloForBusinessAuthenticationMethod

TARGET <IMicrosoftGraphUnifiedRoleManagementPolicyRuleTarget>: unifiedRoleManagementPolicyRuleTarget

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [Caller <String>]: The type of caller that's the target of the policy rule. Allowed values are: None, Admin, EndUser.
  • [EnforcedSettings <String- []>]: The list of role settings that are enforced and cannot be overridden by child scopes. Use All for all settings.
  • [InheritableSettings <String- []>]: The list of role settings that can be inherited by child scopes. Use All for all settings.
  • [Level <String>]: The role assignment type that's the target of policy rule. Allowed values are: Eligibility, Assignment.
  • [Operations <String- []>]: The role management operations that are the target of the policy rule. Allowed values are: All, Activate, Deactivate, Assign, Update, Remove, Extend, Renew.
  • [TargetObjects <IMicrosoftGraphDirectoryObject- []>]:
    • [Id <String>]: The unique identifier for an entity. Read-only.
    • [DeletedDateTime <DateTime?>]: Date and time when this object was deleted. Always null when the object hasn't been deleted.