DelegatedAdminRelationship.ReadWrite.All
Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships without a signed-in user.
Permission Details
Manage Delegated Admin relationships with customers
Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships without a signed-in user.
cc13eba4-8cd8-44c6-b4d4-f93237adce58
Manage Delegated Admin relationships with customers
Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers as well as role assignments to security groups for active Delegated Admin relationships on behalf of the signed-in user.
885f682f-a990-4bad-a642-36736a74b0c7
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| accessDetails | delegatedAdminAccessDetails | The access details that contain the identifiers of the administrative roles that the partner admin is requesting in the customer tenant. |
| activatedDateTime | DateTimeOffsetNullable | The date and time in ISO 8601 format and in UTC time when the relationship became active. Read-only. |
| autoExtendDuration | DurationNullable | The duration by which the validity of the relationship is automatically extended, denoted in ISO 8601 format. Supported values are: P0D, PT0S, P180D. The default value is PT0S. PT0S indicates that the relationship expires when the endDateTime is reached and it isn't automatically extended. |
| createdDateTime | DateTimeOffsetNullable | The date and time in ISO 8601 format and in UTC time when the relationship was created. Read-only. |
| customer | delegatedAdminRelationshipCustomerParticipant | The display name and unique identifier of the customer of the relationship. This is configured either by the partner at the time the relationship is created or by the system after the customer approves the relationship. Can't be changed by the customer. |
| displayName | String | The display name of the relationship used for ease of identification. Must be unique across all delegated admin relationships of the partner and is set by the partner only when the relationship is in the created status and can't be changed by the customer. Maximum length is 50 characters. |
| duration | Duration | The duration of the relationship in ISO 8601 format. Must be a value between P1D and P2Y inclusive. This is set by the partner only when the relationship is in the created status and can't be changed by the customer. |
| endDateTime | DateTimeOffsetNullable | The date and time in ISO 8601 format and in UTC time when the status of relationship changes to either terminated or expired. Calculated as endDateTime = activatedDateTime + duration. Read-only. |
| id | String | The unique identifier of the relationship. Read-only. Inherited from entity. |
| lastModifiedDateTime | DateTimeOffsetNullable | The date and time in ISO 8601 format and in UTC time when the relationship was last modified. Read-only. |
| status | delegatedAdminRelationshipStatus | The status of the relationship. Read Only. The possible values are: activating, active, approvalPending, approved, created, expired, expiring, terminated, terminating, terminationRequested, unknownFutureValue. Supports $orderby. |
| accessAssignments | delegatedAdminAccessAssignment collection | The access assignments associated with the delegated admin relationship. |
| operations | delegatedAdminRelationshipOperation collection | The long running operations associated with the delegated admin relationship. |
| requests | delegatedAdminRelationshipRequest collection | The requests associated with the delegated admin relationship. |
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "@odata.type": "#microsoft.graph.delegatedAdminRelationship",
  "accessDetails": {
    "@odata.type": "microsoft.graph.delegatedAdminAccessDetails"
  },
  "activatedDateTime": "String (timestamp)",
  "autoExtendDuration": "String (duration)",
  "createdDateTime": "String (timestamp)",
  "customer": {
    "@odata.type": "microsoft.graph.delegatedAdminRelationshipCustomerParticipant"
  },
  "displayName": "String",
  "duration": "String (duration)",
  "endDateTime": "String (timestamp)",
  "id": "String (identifier)",
  "lastModifiedDateTime": "String (timestamp)",
  "status": "String"
}
```
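The limits in the Properties table can be checked mechanically when reviewing which partner relationships hold access to a tenant. The following is an added example, not code from Microsoft or from this page: `duration_days`, `audit`, `watch_roles` and `warn_days` are hypothetical names, the sample record is constructed, and the `unifiedRoles` shape is taken from the request bodies in the code examples on this page. It assumes 1Y = 365 days and 1M = 30 days when comparing durations, and treats `active` and `expiring` as the statuses in which access is still in effect.

```python
import re
from datetime import datetime, timezone

AUTO_EXTEND_ALLOWED = {"P0D", "PT0S", "P180D"}  # supported values per the table
LIVE = {"active", "expiring"}  # assumption: statuses where access is in effect

def duration_days(iso):
    """PnYnMnD or PT0S to days. Assumption: 1Y = 365 days, 1M = 30 days."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T0S)?", iso or "")
    if not m or iso == "P":
        raise ValueError(f"unsupported duration: {iso!r}")
    y, mo, d = (int(g or 0) for g in m.groups())
    return y * 365 + mo * 30 + d

def audit(rel, now, watch_roles=frozenset(), warn_days=30):
    """Return a list of findings for one delegatedAdminRelationship dict."""
    out = []
    if len(rel.get("displayName") or "") > 50:
        out.append("displayName longer than 50 characters")
    if not 1 <= duration_days(rel["duration"]) <= 730:
        out.append("duration outside P1D..P2Y")
    auto = rel.get("autoExtendDuration") or "PT0S"  # PT0S is the documented default
    auto_on = auto in AUTO_EXTEND_ALLOWED and duration_days(auto) > 0
    if auto not in AUTO_EXTEND_ALLOWED:
        out.append(f"unsupported autoExtendDuration {auto}")
    elif auto_on:
        out.append(f"auto-extend enabled ({auto})")
    # Role identifiers the partner requested, compared with a reviewer-supplied list.
    roles = {r["roleDefinitionId"]
             for r in rel.get("accessDetails", {}).get("unifiedRoles", [])}
    for rid in sorted(roles & set(watch_roles)):
        out.append(f"watched role requested: {rid}")
    if rel.get("status") in LIVE and rel.get("endDateTime"):
        end = datetime.fromisoformat(rel["endDateTime"].replace("Z", "+00:00"))
        left = (end - now).days
        if not auto_on and left <= warn_days:
            out.append(f"expires in {left} days with no auto-extend")
    return out

# Constructed sample record, not real tenant data. The role ID is one of the
# IDs used in this page's request bodies, picked arbitrarily for the demo.
SAMPLE = {
    "displayName": "Contoso admin relationship",
    "duration": "P730D",
    "autoExtendDuration": "P180D",
    "status": "active",
    "endDateTime": "2025-12-31T00:00:00Z",
    "accessDetails": {"unifiedRoles": [
        {"roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de"}]},
}
```

Call `audit(SAMPLE, datetime.now(timezone.utc), watch_roles={...})` for each record returned by the relationships endpoint and review any non-empty result.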
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| accessAssignments | delegatedAdminAccessAssignment collection | The access assignments associated with the delegated admin relationship. |
| operations | delegatedAdminRelationshipOperation collection | The long running operations associated with the delegated admin relationship. |
| requests | delegatedAdminRelationshipRequest collection | The requests associated with the delegated admin relationship. |
| accessDetails | delegatedAdminAccessDetails | Related accessDetails data exposed by this resource. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new DelegatedAdminAccessAssignment
{
    AccessContainer = new DelegatedAdminAccessContainer
    {
        AccessContainerId = "869713c9-0b28-4d08-8949-ae07ae1bf528",
        AccessContainerType = DelegatedAdminAccessContainerType.SecurityGroup,
    },
    AccessDetails = new DelegatedAdminAccessDetails
    {
        UnifiedRoles = new List<UnifiedRole>
        {
            new UnifiedRole
            {
                RoleDefinitionId = "29232cdf-9323-42fd-ade2-1d097af3e4de",
            },
            new UnifiedRole
            {
                RoleDefinitionId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
            },
            new UnifiedRole
            {
                RoleDefinitionId = "729827e3-9c14-49f7-bb1b-9608f156bbb8",
            },
            new UnifiedRole
            {
                RoleDefinitionId = "3a2c62db-5318-420d-8d74-23affee5d9d5",
            },
        },
    },
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.TenantRelationships.DelegatedAdminRelationships["{delegatedAdminRelationship-id}"].AccessAssignments.PostAsync(requestBody);
```
```javascript
const options = {
    authProvider,
};

const client = Client.init(options);

const delegatedAdminAccessAssignment = {
    accessContainer: {
        accessContainerId: '869713c9-0b28-4d08-8949-ae07ae1bf528',
        accessContainerType: 'securityGroup'
    },
    accessDetails: {
        unifiedRoles: [
            {
                roleDefinitionId: '29232cdf-9323-42fd-ade2-1d097af3e4de'
            },
            {
                roleDefinitionId: 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'
            },
            {
                roleDefinitionId: '729827e3-9c14-49f7-bb1b-9608f156bbb8'
            },
            {
                roleDefinitionId: '3a2c62db-5318-420d-8d74-23affee5d9d5'
            }
        ]
    }
};

await client.api('/tenantRelationships/delegatedAdminRelationships/72a7ae7e-4887-4e34-9755-2e1e9b26b943-63f017cb-9e0d-4f14-94bd-4871902b3409/accessAssignments')
    .post(delegatedAdminAccessAssignment);
```
```powershell
Import-Module Microsoft.Graph.Identity.Partner

$params = @{
    accessContainer = @{
        accessContainerId = "869713c9-0b28-4d08-8949-ae07ae1bf528"
        accessContainerType = "securityGroup"
    }
    accessDetails = @{
        unifiedRoles = @(
            @{
                roleDefinitionId = "29232cdf-9323-42fd-ade2-1d097af3e4de"
            }
            @{
                roleDefinitionId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
            }
            @{
                roleDefinitionId = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
            }
            @{
                roleDefinitionId = "3a2c62db-5318-420d-8d74-23affee5d9d5"
            }
        )
    }
}

New-MgTenantRelationshipDelegatedAdminRelationshipAccessAssignment -DelegatedAdminRelationshipId $delegatedAdminRelationshipId -BodyParameter $params
```
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.delegated_admin_access_assignment import DelegatedAdminAccessAssignment
from msgraph.generated.models.delegated_admin_access_container import DelegatedAdminAccessContainer
from msgraph.generated.models.delegated_admin_access_container_type import DelegatedAdminAccessContainerType
from msgraph.generated.models.delegated_admin_access_details import DelegatedAdminAccessDetails
from msgraph.generated.models.unified_role import UnifiedRole

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = DelegatedAdminAccessAssignment(
    access_container = DelegatedAdminAccessContainer(
        access_container_id = "869713c9-0b28-4d08-8949-ae07ae1bf528",
        access_container_type = DelegatedAdminAccessContainerType.SecurityGroup,
    ),
    access_details = DelegatedAdminAccessDetails(
        unified_roles = [
            UnifiedRole(
                role_definition_id = "29232cdf-9323-42fd-ade2-1d097af3e4de",
            ),
            UnifiedRole(
                role_definition_id = "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
            ),
            UnifiedRole(
                role_definition_id = "729827e3-9c14-49f7-bb1b-9608f156bbb8",
            ),
            UnifiedRole(
                role_definition_id = "3a2c62db-5318-420d-8d74-23affee5d9d5",
            ),
        ],
    ),
)

result = await graph_client.tenant_relationships.delegated_admin_relationships.by_delegated_admin_relationship_id('delegatedAdminRelationship-id').access_assignments.post(request_body)
```
App Registration
1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center.
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: Choose Application permissions or delegated permissions and search for DelegatedAdminRelationship.ReadWrite.All.
4. Grant Admin Consent: Application permissions always require admin consent.