AppRoleAssignment.ReadWrite.All
Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user.
Permission Details
| Display name | Description | Id |
|---|---|---|
| Manage app permission grants and app role assignments | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | 06b708a9-e830-4db3-a914-8e69da51d44f |
| Manage app permission grants and app role assignments | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | 84bccea3-f856-4a8a-967b-dbe0a3d53a64 |
Properties
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| appRoleId | Guid | The identifier (id) for the app role that's assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application hasn't declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create. |
| createdDateTime | DateTimeOffsetNullable | The time when the app role assignment was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| deletedDateTime | DateTimeOffsetNullable | The date and time when the app role assignment was deleted. Always null for an appRoleAssignment object that hasn't been deleted. Inherited from directoryObject. |
| id | String | A unique identifier for the appRoleAssignment key. Not nullable. Read-only. Supports $filter (eq only). |
| principalDisplayName | StringNullable | The display name of the user, group, or service principal that was granted the app role assignment. Maximum length is 256 characters. Read-only. Supports $filter (eq and startswith). |
| principalId | GuidNullable | The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create. |
| principalType | StringNullable | The type of the assigned principal. This can be User, Group, or ServicePrincipal. Read-only. |
| resourceDisplayName | StringNullable | The display name of the resource app's service principal to which the assignment is made. Maximum length is 256 characters. |
| resourceId | GuidNullable | The unique identifier (id) for the resource service principal for which the assignment is made. Required on create. Supports $filter (eq only). |
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "appRoleId": "Guid",
  "createdDateTime": "String (timestamp)",
  "deletedDateTime": "String (timestamp)",
  "id": "String",
  "principalDisplayName": "String",
  "principalId": "Guid",
  "principalType": "String",
  "resourceDisplayName": "String",
  "resourceId": "Guid"
}
```
Relationships
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| appRoleId | uuid | The identifier (id) for the app role that's assigned to the principal. This app role must be exposed in the appRoles property on the resource application's service principal (resourceId). If the resource application hasn't declared any app roles, a default app role ID of 00000000-0000-0000-0000-000000000000 can be specified to signal that the principal is assigned to the resource app without any specific app roles. Required on create. |
| principalId | uuid | The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create. |
| resourceId | uuid | The unique identifier (id) for the resource service principal for which the assignment is made. Required on create. Supports $filter (eq only). |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
C# (Microsoft Graph SDK):

```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
// Removes one app role assignment from the resource service principal's appRoleAssignedTo collection.
await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignedTo["{appRoleAssignment-id}"].DeleteAsync();
```

JavaScript (Microsoft Graph JavaScript client):

```javascript
// Client comes from the @microsoft/microsoft-graph-client package; authProvider is the
// auth provider you configure for that client (see the SDK "create client" guidance).
const { Client } = require('@microsoft/microsoft-graph-client');

const options = {
  authProvider,
};

const client = Client.init(options);

// Removes one app role assignment from the resource service principal's appRoleAssignedTo collection.
await client.api('/servicePrincipals/{resource-SP-id}/appRoleAssignedTo/{appRoleAssignment-id}')
  .delete();
```

PowerShell (Microsoft Graph PowerShell):

```powershell
Import-Module Microsoft.Graph.Applications

# $servicePrincipalId is the resource service principal; $appRoleAssignmentId is the assignment to remove.
Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $servicePrincipalId -AppRoleAssignmentId $appRoleAssignmentId
```

Python (Microsoft Graph Python SDK):

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
# Removes one app role assignment from the resource service principal's appRoleAssignedTo collection.
await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').app_role_assigned_to.by_app_role_assignment_id('appRoleAssignment-id').delete()
```
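Because this permission lets an app grant any application permission to any principal, a defender usually wants to know which principals currently hold it. The following is an added example (not Microsoft's code and not part of the original page) that takes appRoleAssignment records in the JSON shape documented above, checks them against the property rules in the table (required fields, allowed principalType values), and reports every principal assigned the AppRoleAssignment.ReadWrite.All application role, using the app role id 06b708a9-e830-4db3-a914-8e69da51d44f listed on this page. The records are assumed to come from a listing such as the appRoleAssignedTo collection of the Microsoft Graph service principal; the sample records embedded below are constructed, and every id in them except the app role id is made up.

```python
"""Audit appRoleAssignment records for holders of AppRoleAssignment.ReadWrite.All.

Added example, not Microsoft's code. Records are assumed to be in the v1.0
appRoleAssignment JSON shape (as returned by an appRoleAssignedTo listing);
the sample records at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Id of the AppRoleAssignment.ReadWrite.All application permission (from the page).
APP_ROLE_ASSIGNMENT_RW_ALL = "06b708a9-e830-4db3-a914-8e69da51d44f"
# Default app role id: assigned to the resource app without any specific app role.
DEFAULT_APP_ROLE_ID = "00000000-0000-0000-0000-000000000000"
VALID_PRINCIPAL_TYPES = {"User", "Group", "ServicePrincipal"}


@dataclass(frozen=True)
class Finding:
    assignment_id: str
    principal_id: str
    principal_display_name: str
    principal_type: str
    resource_display_name: str


def validate_assignment(record: Dict) -> List[str]:
    """Return schema problems for one record per the property table (empty list if fine)."""
    problems = []
    label = record.get("id", "<no id>")
    for key in ("appRoleId", "principalId", "resourceId"):  # all "required on create"
        if not record.get(key):
            problems.append(f"{label}: missing required field {key}")
    if record.get("principalType") not in VALID_PRINCIPAL_TYPES:
        problems.append(f"{label}: unexpected principalType {record.get('principalType')!r}")
    return problems


def audit(records: Iterable[Dict], app_role_id: str = APP_ROLE_ASSIGNMENT_RW_ALL) -> Dict:
    """Split records into findings (principals holding app_role_id) and schema problems.

    Only application permissions appear as appRoleAssignment objects; the delegated
    variant of this permission is consented through a different object and is not
    visible in this data.
    """
    findings: List[Finding] = []
    problems: List[str] = []
    for record in records:
        issues = validate_assignment(record)
        if issues:
            problems.extend(issues)  # report malformed records instead of guessing
            continue
        # GUIDs compare case-insensitively; normalise before comparing.
        if record["appRoleId"].lower() == app_role_id.lower():
            findings.append(Finding(
                assignment_id=record["id"],
                principal_id=record["principalId"],
                principal_display_name=record.get("principalDisplayName") or "",
                principal_type=record["principalType"],
                resource_display_name=record.get("resourceDisplayName") or "",
            ))
    return {"findings": findings, "problems": problems}


# Constructed sample data: every id except the app role id is made up.
SAMPLE_RECORDS = [
    {   # a service principal holding the privileged application permission
        "appRoleId": APP_ROLE_ASSIGNMENT_RW_ALL,
        "createdDateTime": "2024-03-01T10:15:00Z",
        "deletedDateTime": None,
        "id": "aaaaaaaa-0000-4000-8000-000000000001",
        "principalDisplayName": "Automation Service",
        "principalId": "bbbbbbbb-0000-4000-8000-000000000001",
        "principalType": "ServicePrincipal",
        "resourceDisplayName": "Microsoft Graph",
        "resourceId": "cccccccc-0000-4000-8000-000000000001",
    },
    {   # a user assigned to a line-of-business app via the default (no-role) app role id
        "appRoleId": DEFAULT_APP_ROLE_ID,
        "createdDateTime": "2024-03-02T08:00:00Z",
        "deletedDateTime": None,
        "id": "aaaaaaaa-0000-4000-8000-000000000002",
        "principalDisplayName": "Alex Example",
        "principalId": "bbbbbbbb-0000-4000-8000-000000000002",
        "principalType": "User",
        "resourceDisplayName": "Contoso LOB App",
        "resourceId": "cccccccc-0000-4000-8000-000000000002",
    },
    {   # malformed: principalId is missing, so it is reported rather than evaluated
        "appRoleId": APP_ROLE_ASSIGNMENT_RW_ALL,
        "id": "aaaaaaaa-0000-4000-8000-000000000003",
        "principalDisplayName": "Broken Record",
        "principalType": "User",
        "resourceDisplayName": "Microsoft Graph",
        "resourceId": "cccccccc-0000-4000-8000-000000000001",
    },
]

if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS)
    for f in result["findings"]:
        print(f"{f.principal_type} {f.principal_display_name!r} ({f.principal_id}) "
              f"holds the role on {f.resource_display_name} [assignment {f.assignment_id}]")
    for p in result["problems"]:
        print("schema problem:", p)
```

Run against real data, the findings list is the set of principals whose assignment you would review (and, if unwanted, remove with the delete calls shown above); the problems list surfaces records that do not match the documented schema so they are not silently dropped.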
App Registration
1. Navigate to Azure Portal: go to App registrations in the Microsoft Entra admin center.
2. Add API Permission: select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: choose Application permissions or Delegated permissions and search for AppRoleAssignment.ReadWrite.All.
4. Grant Admin Consent: application permissions always require admin consent.