Application-RemoteDesktopConfig.ReadWrite.All
Allows the app to read and write the remote desktop security configuration for all apps in your organization, without a signed-in user.
Permission Details
Read and write the remote desktop security configuration for all apps
Allows the app to read and write the remote desktop security configuration for all apps in your organization, without a signed-in user.
3be0012a-cc4e-426b-895b-f9c836bf6381
Read and write the remote desktop security configuration for apps
Allows the app to read and write other apps' remote desktop security configuration, on behalf of the signed-in user.
ffa91d43-2ad8-45cc-b592-09caddeb24bb
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| accountEnabled | BooleanNullable | true if the service principal account is enabled; otherwise, false. If set to false, then no users are able to sign in to this app, even if they're assigned to it. Supports $filter (eq, ne, not, in). |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | String collection | Used to retrieve service principals by subscription, identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appDescription | StringNullable | The description exposed by the associated application. |
| appDisplayName | StringNullable | The display name exposed by the associated application. Maximum length is 256 characters. |
| appId | StringNullable | The unique identifier for the associated application (its appId property). Alternate key. Supports $filter (eq, ne, not, in, startsWith). |
| applicationTemplateId | StringNullable | Unique identifier of the applicationTemplate. Supports $filter (eq, not, ne). Read-only. null if the service principal wasn't created from an application template. |
| appOwnerOrganizationId | GuidNullable | Contains the tenant ID where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le). |
| appRoleAssignmentRequired | Boolean | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false. Not nullable. Supports $filter (eq, ne, NOT). |
| appRoles | appRole collection | The roles exposed by the application that's linked to this service principal. For more information, see the appRoles property definition on the application entity. Not nullable. |
| createdByAppId | String | The appId of the application that created this service principal. Set internally by Microsoft Entra ID. Read-only. |
| customSecurityAttributes | customSecurityAttributeValue | An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. Returned only on $select. Supports $filter (eq, ne, not, startsWith). Filter value is case sensitive. To read this property, the calling app must be assigned the CustomSecAttributeAssignment.Read.All permission. To write this property, the calling app must be assigned the CustomSecAttributeAssignment.ReadWrite.All permissions. To read or write this property in delegated scenarios, the admin must be assigned the Attribute Assignment Administrator role. |
| deletedDateTime | DateTimeOffsetNullable | The date and time the service principal was deleted. Read-only. |
| description | StringNullable | Free text field to provide an internal end-user facing description of the service principal. End-user portals such as MyApps display the application description in this field. The maximum allowed size is 1,024 characters. Supports $filter (eq, ne, not, ge, le, startsWith) and $search. |
| disabledByMicrosoftStatus | StringNullable | Specifies whether Microsoft has disabled the registered application. The possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Supports $filter (eq, ne, not). |
Showing 15 of 55 properties.
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "accountEnabled": true,
  "addIns": [
    {
      "@odata.type": "microsoft.graph.addIn"
    }
  ],
  "alternativeNames": [
    "String"
  ],
  "appDisplayName": "String",
  "appId": "String",
  "appOwnerOrganizationId": "Guid",
  "appRoleAssignmentRequired": true,
  "appRoles": [
    {
      "@odata.type": "microsoft.graph.appRole"
    }
  ],
  "createdByAppId": "String",
  "customSecurityAttributes": {
    "@odata.type": "microsoft.graph.customSecurityAttributeValue"
  },
  "disabledByMicrosoftStatus": "String",
  "displayName": "String",
  "homepage": "String",
  "id": "String (identifier)",
  "info": {
    "@odata.type": "microsoft.graph.informationalUrl"
  },
  "keyCredentials": [
    {
      "@odata.type": "microsoft.graph.keyCredential"
    }
  ],
  "logoutUrl": "String",
  "notes": "String",
  "oauth2PermissionScopes": [
    {
      "@odata.type": "microsoft.graph.permissionScope"
    }
  ],
  "passwordCredentials": [
    {
      "@odata.type": "microsoft.graph.passwordCredential"
    }
  ],
  "preferredTokenSigningKeyThumbprint": "String",
  "replyUrls": [
    "String"
  ],
  "resourceSpecificApplicationPermissions": [
    {
      "@odata.type": "microsoft.graph.resourceSpecificPermission"
    }
  ],
  "servicePrincipalNames": [
    "String"
  ],
  "servicePrincipalType": "String",
  "tags": [
    "String"
  ],
  "tokenEncryptionKeyId": "String",
  "verifiedPublisher": {
    "@odata.type": "microsoft.graph.verifiedPublisher"
  }
}
```
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| appManagementPolicies | appManagementPolicy collection | The appManagementPolicy applied to this application. |
| appRoleAssignedTo | appRoleAssignment | App role assignments for this app or service, granted to users, groups, and other service principals. Supports $expand. |
| appRoleAssignments | appRoleAssignment collection | App role assignment for another app or service, granted to this service principal. Supports $expand. |
| claimsMappingPolicies | claimsMappingPolicy collection | The claimsMappingPolicies assigned to this service principal. Supports $expand. |
| createdObjects | directoryObject collection | Directory objects created by this service principal. Read-only. Nullable. |
| federatedIdentityCredentials | federatedIdentityCredential collection | Federated identities for a specific type of service principal - managed identity. Supports $expand and $filter (/$count eq 0, /$count ne 0). |
| homeRealmDiscoveryPolicies | homeRealmDiscoveryPolicy collection | The homeRealmDiscoveryPolicies assigned to this service principal. Supports $expand. |
| memberOf | directoryObject collection | Roles that this service principal is a member of. HTTP Methods: GET. Read-only. Nullable. Supports $expand. |
| oauth2PermissionGrants | oAuth2PermissionGrant collection | Delegated permission grants authorizing this service principal to access an API on behalf of a signed-in user. Read-only. Nullable. |
| ownedObjects | directoryObject collection | Directory objects that this service principal owns. Read-only. Nullable. Supports $expand, $select nested in $expand, and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). |
| owners | directoryObject collection | Directory objects that are owners of this servicePrincipal. The owners are a set of nonadmin users or servicePrincipals who are allowed to modify this object. Supports $expand, $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1), and $select nested in $expand. |
| remoteDesktopSecurityConfiguration | remoteDesktopSecurityConfiguration | The remoteDesktopSecurityConfiguration object applied to this service principal. Supports $filter (eq) for isRemoteDesktopProtocolEnabled property. |
| synchronization | synchronization | Represents the capability for Microsoft Entra identity synchronization through the Microsoft Graph API. |
| tokenIssuancePolicies | tokenIssuancePolicy collection | The tokenIssuancePolicies assigned to this service principal. |
| tokenLifetimePolicies | tokenLifetimePolicy collection | The tokenLifetimePolicies assigned to this service principal. |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | string collection | Used to retrieve service principals by subscription, identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appOwnerOrganizationId | uuid | Contains the tenant ID where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le). |
| appRoles | appRole collection | The roles exposed by the application that's linked to this service principal. For more information, see the appRoles property definition on the application entity. Not nullable. |
| delegatedPermissionClassifications | delegatedPermissionClassification collection | Related delegatedPermissionClassifications data exposed by this resource. |
| endpoints | endpoint collection | Related endpoints data exposed by this resource. |
| keyCredentials | keyCredential collection | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, not, ge, le). |
| notificationEmailAddresses | string collection | Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Microsoft Entra Gallery applications. |
| oauth2PermissionScopes | permissionScope collection | The delegated permissions exposed by the application. For more information, see the oauth2PermissionScopes property on the application entity's api property. Not nullable. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new TargetDeviceGroup
{
	OdataType = "#microsoft.graph.targetDeviceGroup",
	Id = "b9e4eae4-b781-45a1-ce65-f2dd8ac3b696",
	DisplayName = "Device Group A",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].RemoteDesktopSecurityConfiguration.TargetDeviceGroups.PostAsync(requestBody);
```

```javascript
import { Client } from '@microsoft/microsoft-graph-client';

// authProvider is an authentication provider you have already created.
const options = {
	authProvider,
};

const client = Client.init(options);

// Creates the remoteDesktopSecurityConfiguration object on the service principal.
const remoteDesktopSecurityConfiguration = {
	'@odata.type': '#microsoft.graph.remoteDesktopSecurityConfiguration',
	isRemoteDesktopProtocolEnabled: true
};

await client.api('/servicePrincipals/00af5dfb-85da-4b41-a677-0c6b86dd34f8/remoteDesktopSecurityConfiguration')
	.post(remoteDesktopSecurityConfiguration);
```

```powershell
Import-Module Microsoft.Graph.Applications

$params = @{
	"@odata.type" = "#microsoft.graph.targetDeviceGroup"
	id = "b9e4eae4-b781-45a1-ce65-f2dd8ac3b696"
	displayName = "Device Group A"
}

# $servicePrincipalId must hold the object ID of the target service principal.
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId -BodyParameter $params
```

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.target_device_group import TargetDeviceGroup

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = TargetDeviceGroup(
	odata_type = "#microsoft.graph.targetDeviceGroup",
	id = "b9e4eae4-b781-45a1-ce65-f2dd8ac3b696",
	display_name = "Device Group A",
)

# The SDK call is a coroutine: run this line inside an async function.
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').remote_desktop_security_configuration.target_device_groups.post(request_body)
```
App Registration
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
Select Permission Type
Choose Application permissions or delegated permissions and search for Application-RemoteDesktopConfig.ReadWrite.All
Grant Admin Consent
Application permissions always require admin consent.
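
After consent is granted, the tenant should be able to list every principal that holds this permission. The following is an added example, not code from this page or from Microsoft: it filters constructed sample payloads shaped like Graph's appRoleAssignment and oAuth2PermissionGrant collections, matching application grants by the permission ID listed above and delegated grants by scope name. It assumes the delegated scope value equals the permission name shown on this page.

```python
# Added audit example; the payloads are constructed samples shaped like the responses of
# GET /servicePrincipals/{graph-sp-id}/appRoleAssignedTo and GET /oauth2PermissionGrants.
APP_ROLE_ID = "3be0012a-cc4e-426b-895b-f9c836bf6381"  # application permission ID (this page)
# Assumption: the delegated scope value equals the permission name shown on this page.
SCOPE_NAME = "Application-RemoteDesktopConfig.ReadWrite.All"

SAMPLE_ASSIGNED_TO = {"value": [  # constructed; object IDs and names are made up
    {"appRoleId": APP_ROLE_ID, "principalId": "sp-0001",
     "principalDisplayName": "rdp-config-automation", "principalType": "ServicePrincipal"},
    {"appRoleId": "00000000-0000-0000-0000-00000000aaaa", "principalId": "sp-0002",
     "principalDisplayName": "unrelated-app", "principalType": "ServicePrincipal"},
]}
SAMPLE_GRANTS = {"value": [  # constructed
    {"clientId": "sp-0003", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Application-RemoteDesktopConfig.ReadWrite.All"},
    {"clientId": "sp-0004", "consentType": "Principal", "principalId": "user-0009",
     "scope": "User.Read"},
]}


def app_only_holders(assigned_to):
    """Principals holding the application permission; assignments carry the role ID."""
    return [
        {"principalId": a["principalId"], "access": "application (no signed-in user)"}
        for a in assigned_to.get("value", [])
        if (a.get("appRoleId") or "").lower() == APP_ROLE_ID
    ]


def delegated_holders(grants):
    """Clients holding the delegated scope; grants carry space-separated scope names."""
    found = []
    for g in grants.get("value", []):
        scopes = {s.lower() for s in (g.get("scope") or "").split()}
        if SCOPE_NAME.lower() in scopes:
            who = "all users" if g.get("consentType") == "AllPrincipals" else g.get("principalId")
            found.append({"principalId": g["clientId"], "access": f"delegated for {who}"})
    return found


def audit(assigned_to, grants):
    """Every principal that can change RDP security configuration via this permission."""
    return app_only_holders(assigned_to) + delegated_holders(grants)


if __name__ == "__main__":
    for row in audit(SAMPLE_ASSIGNED_TO, SAMPLE_GRANTS):
        print(row)
```

Application grants deserve the closest review, since they apply to all apps in the organization without a signed-in user.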