DeviceManagementRBAC.ReadWrite.All

DeviceManagementRBAC.ReadWrite.All

Permission Details

Application Permission

Read and write Microsoft Intune RBAC settings

Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.

Permission ID: e330c4f0-4170-414e-a55a-2f022ec2b57b

Delegated Permission

Read and write Microsoft Intune RBAC settings

Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.

Permission ID: 0c5e8a55-87a6-4556-93ab-adc52c4d862d

Properties

Microsoft Graph v1.0 endpoint-derived-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property	Type	Description
`applePushNotificationCertificate`	`object`	Apple push notification certificate.
`auditEvents`	`auditEvent collection`	The Audit Events
`complianceManagementPartners`	`complianceManagementPartner collection`	The list of Compliance Management Partners configured by the tenant.
`conditionalAccessSettings`	`object`	The Exchange on premises conditional access settings. On premises conditional access will require devices to be both enrolled and compliant for mail access
`detectedApps`	`detectedApp collection`	The list of detected apps associated with a device.
`deviceCategories`	`deviceCategory collection`	The list of device categories with the tenant.
`deviceCompliancePolicies`	`deviceCompliancePolicy collection`	The device compliance policies.
`deviceCompliancePolicyDeviceStateSummary`	`object`	The device compliance state summary for this account.
`deviceCompliancePolicySettingStateSummaries`	`deviceCompliancePolicySettingStateSummary collection`	The summary states of compliance policy settings for this account.
`deviceConfigurationDeviceStateSummaries`	`object`	The device configuration device state summary for this account.
`deviceConfigurations`	`deviceConfiguration collection`	The device configurations.
`deviceEnrollmentConfigurations`	`deviceEnrollmentConfiguration collection`	The list of device enrollment configurations
`deviceManagementPartners`	`deviceManagementPartner collection`	The list of Device Management Partners configured by the tenant.
`deviceProtectionOverview`	`object`	Device protection overview.
`exchangeConnectors`	`deviceManagementExchangeConnector collection`	The list of Exchange Connectors configured by the tenant.

Showing 15 of 65 properties.

JSON Representation

Microsoft Graph v1.0 endpoint-derived-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation

{
  "@odata.type": "#microsoft.graph.roleManagement"
}

Relationships

Microsoft Graph v1.0 endpoint-derived-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship	Type	Description
`directory`	`rbacApplication`	Read-only. Nullable.
`entitlementManagement`	`rbacApplication`	Container for roles and assignments for entitlement management resources.
`auditEvents`	`auditEvent collection`	The Audit Events
`complianceManagementPartners`	`complianceManagementPartner collection`	The list of Compliance Management Partners configured by the tenant.
`detectedApps`	`detectedApp collection`	The list of detected apps associated with a device.
`deviceCategories`	`deviceCategory collection`	The list of device categories with the tenant.
`deviceCompliancePolicies`	`deviceCompliancePolicy collection`	The device compliance policies.
`deviceCompliancePolicySettingStateSummaries`	`deviceCompliancePolicySettingStateSummary collection`	The summary states of compliance policy settings for this account.
`deviceConfigurations`	`deviceConfiguration collection`	The device configurations.
`deviceEnrollmentConfigurations`	`deviceEnrollmentConfiguration collection`	The list of device enrollment configurations
`deviceManagementPartners`	`deviceManagementPartner collection`	The list of Device Management Partners configured by the tenant.
`exchangeConnectors`	`deviceManagementExchangeConnector collection`	The list of Exchange Connectors configured by the tenant.
`importedWindowsAutopilotDeviceIdentities`	`importedWindowsAutopilotDeviceIdentity collection`	Collection of imported Windows autopilot devices.
`intuneAccountId`	`uuid`	Intune Account Id for given tenant
`iosUpdateStatuses`	`iosUpdateDeviceStatus collection`	The IOS software update installation statuses for this account.
`managedDevices`	`managedDevice collection`	The list of managed devices.
`mobileAppTroubleshootingEvents`	`mobileAppTroubleshootingEvent collection`	The collection property of MobileAppTroubleshootingEvent.
`mobileThreatDefenseConnectors`	`mobileThreatDefenseConnector collection`	The list of Mobile threat Defense connectors configured by the tenant.
`notificationMessageTemplates`	`notificationMessageTemplate collection`	The Notification Message Templates.
`remoteAssistancePartners`	`remoteAssistancePartner collection`	The remote assist partners.
`resourceOperations`	`resourceOperation collection`	The Resource Operations.
`roleAssignments`	`deviceAndAppManagementRoleAssignment collection`	The Role Assignments.

Graph Methods

Delegated access App-only access

Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/deviceManagement/getEffectivePermissions`
GET `/deviceManagement/resourceOperations`
GET `/deviceManagement/resourceOperations/{resourceOperationId}`
GET `/deviceManagement/roleAssignments`
GET `/deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}`
GET `/deviceManagement/roleDefinitions`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition`
POST `/deviceManagement/resourceOperations`
POST `/deviceManagement/roleAssignments`
POST `/deviceManagement/roleDefinitions`
POST `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments`
PATCH `/deviceManagement/resourceOperations/{resourceOperationId}`
PATCH `/deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}`
PATCH `/deviceManagement/roleDefinitions/{roleDefinitionId}`
PATCH `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}`
PATCH `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition`
DELETE `/deviceManagement/resourceOperations/{resourceOperationId}`
DELETE `/deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}`
DELETE `/deviceManagement/roleDefinitions/{roleDefinitionId}`
DELETE `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}`
DELETE `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition`

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/deviceManagement/getAssignedRoleDetails`
GET `/deviceManagement/getEffectivePermissions`
GET `/deviceManagement/getRoleScopeTagsByIds`
GET `/deviceManagement/getRoleScopeTagsByResource`
GET `/deviceManagement/operationApprovalPolicies`
GET `/deviceManagement/operationApprovalPolicies/{operationApprovalPolicyId}`
GET `/deviceManagement/operationApprovalPolicies/getApprovableOperations`
GET `/deviceManagement/operationApprovalPolicies/getOperationsRequiringApproval`
GET `/deviceManagement/operationApprovalRequests`
GET `/deviceManagement/operationApprovalRequests/{operationApprovalRequestId}`
GET `/deviceManagement/resourceOperations`
GET `/deviceManagement/resourceOperations/{resourceOperationId}`
GET `/deviceManagement/resourceOperations/{resourceOperationId}/getScopesForUser`
GET `/deviceManagement/roleAssignments`
GET `/deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}`
GET `/deviceManagement/roleDefinitions`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments/{roleScopeTagAutoAssignmentId}`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/hasCustomRoleScopeTag`
GET `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition`
GET `/deviceManagement/roleScopeTags`
GET `/deviceManagement/roleScopeTags/{roleScopeTagId}`
GET `/deviceManagement/roleScopeTags/hasCustomRoleScopeTag`
GET `/deviceManagement/scopedForResource`
GET `/deviceManagement/tenantAttachRBAC/getState`
GET `/roleManagement`
GET `/roleManagement/cloudPc/roleAssignments`
GET `/roleManagement/cloudPC/roleAssignments/{id}`
GET `/roleManagement/cloudPC/roleDefinitions`
GET `/roleManagement/cloudPC/roleDefinitions/{id}`
GET `/roleManagement/defender/roleAssignments`
GET `/roleManagement/defender/roleDefinitions`
GET `/roleManagement/defender/roleDefinitions/{id}`
GET `/roleManagement/deviceManagement`
GET `/roleManagement/deviceManagement/roleAssignments`
GET `/roleManagement/deviceManagement/roleAssignments/{id}`
GET `/roleManagement/deviceManagement/roleDefinitions`
GET `/roleManagement/deviceManagement/roleDefinitions/{id}`
GET `/roleManagement/directory/roleDefinitions`
GET `/roleManagement/directory/roleDefinitions/{id}`
GET `/roleManagement/entitlementManagement/roleDefinitions`
GET `/roleManagement/entitlementManagement/roleDefinitions/{id}`
GET `/roleManagement/exchange/roleDefinitions`
GET `/roleManagement/exchange/roleDefinitions/{id}`
POST `/deviceManagement/operationApprovalPolicies`
POST `/deviceManagement/operationApprovalRequests`
POST `/deviceManagement/resourceOperations`
POST `/deviceManagement/roleAssignments`
POST `/deviceManagement/roleDefinitions`
POST `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments`
POST `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags`
POST `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assign`
POST `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments`
POST `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/getRoleScopeTagsById`
POST `/deviceManagement/roleScopeTags`
POST `/deviceManagement/roleScopeTags/{roleScopeTagId}/assign`
POST `/deviceManagement/roleScopeTags/getRoleScopeTagsById`
POST `/deviceManagement/tenantAttachRBAC/enable`
POST `/roleManagement/cloudPC/roleAssignments`
POST `/roleManagement/cloudPc/roleDefinitions`
POST `/roleManagement/defender/roleAssignments`
POST `/roleManagement/defender/roleDefinitions`
POST `/roleManagement/deviceManagement/roleAssignments`
POST `/roleManagement/deviceManagement/roleDefinitions`
POST `/roleManagement/directory/roleDefinitions`
PATCH `/deviceManagement/operationApprovalPolicies/{operationApprovalPolicyId}`
PATCH `/deviceManagement/operationApprovalRequests/{operationApprovalRequestId}`
PATCH `/deviceManagement/resourceOperations/{resourceOperationId}`
PATCH `/deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}`
PATCH `/deviceManagement/roleDefinitions/{roleDefinitionId}`
PATCH `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}`
PATCH `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}`
PATCH `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments/{roleScopeTagAutoAssignmentId}`
PATCH `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition`
PATCH `/deviceManagement/roleScopeTags/{roleScopeTagId}`
PATCH `/roleManagement`
PATCH `/roleManagement/cloudPC/roleAssignments/{id}`
PATCH `/roleManagement/cloudPc/roleDefinitions/{id}`
PATCH `/roleManagement/deviceManagement`
PATCH `/roleManagement/deviceManagement/roleAssignments/{id}`
PATCH `/roleManagement/deviceManagement/roleDefinitions/{id}`
PATCH `/roleManagement/directory/roleDefinitions/{id}`
DELETE `/deviceManagement/operationApprovalPolicies/{operationApprovalPolicyId}`
DELETE `/deviceManagement/operationApprovalRequests/{operationApprovalRequestId}`
DELETE `/deviceManagement/resourceOperations/{resourceOperationId}`
DELETE `/deviceManagement/roleAssignments/{deviceAndAppManagementRoleAssignmentId}`
DELETE `/deviceManagement/roleDefinitions/{roleDefinitionId}`
DELETE `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}`
DELETE `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}`
DELETE `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/microsoft.graph.deviceAndAppManagementRoleAssignment/roleScopeTags/{roleScopeTagId}/assignments/{roleScopeTagAutoAssignmentId}`
DELETE `/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments/{roleAssignmentId}/roleDefinition`
DELETE `/deviceManagement/roleScopeTags/{roleScopeTagId}`
DELETE `/roleManagement/cloudPC/roleAssignments/{id}`
DELETE `/roleManagement/cloudPc/roleDefinitions/{id}`
DELETE `/roleManagement/defender/roleAssignments/{id}`
DELETE `/roleManagement/defender/roleDefinitions/{id}`
DELETE `/roleManagement/deviceManagement/roleAssignments/{id}`
DELETE `/roleManagement/deviceManagement/roleDefinitions/{id}`
DELETE `/roleManagement/directory/roleDefinitions/{id}`

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgBetaRoleManagementCloudPcRoleAssignment` /roleManagement/cloudPc/roleAssignments List unifiedRoleAssignmentMultiple
`Get-MgBetaRoleManagementCloudPcRoleAssignment` /roleManagement/cloudPC/roleAssignments/{id} Get unifiedRoleAssignmentMultiple
`Get-MgBetaRoleManagementCloudPcRoleDefinition` /roleManagement/cloudPC/roleDefinitions List roleDefinitions
`Get-MgBetaRoleManagementCloudPcRoleDefinition` /roleManagement/cloudPC/roleDefinitions/{id} Get unifiedRoleDefinition
`Get-MgBetaRoleManagementDeviceManagementRoleAssignment` /roleManagement/cloudPc/roleAssignments List unifiedRoleAssignmentMultiple
`Get-MgBetaRoleManagementDeviceManagementRoleAssignment` /roleManagement/cloudPC/roleAssignments/{id} Get unifiedRoleAssignmentMultiple
`Get-MgBetaRoleManagementDirectoryRoleDefinition` /roleManagement/cloudPC/roleDefinitions List roleDefinitions
`Get-MgBetaRoleManagementDirectoryRoleDefinition` /roleManagement/cloudPC/roleDefinitions/{id} Get unifiedRoleDefinition
`Get-MgBetaRoleManagementEntitlementManagementRoleDefinition` /roleManagement/cloudPC/roleDefinitions List roleDefinitions
`Get-MgBetaRoleManagementEntitlementManagementRoleDefinition` /roleManagement/cloudPC/roleDefinitions/{id} Get unifiedRoleDefinition
`Get-MgBetaRoleManagementExchangeRoleDefinition` /roleManagement/cloudPC/roleDefinitions List roleDefinitions
`Get-MgBetaRoleManagementExchangeRoleDefinition` /roleManagement/cloudPC/roleDefinitions/{id} Get unifiedRoleDefinition
`New-MgBetaRoleManagementCloudPcRoleAssignment` /roleManagement/cloudPC/roleAssignments Create unifiedRoleAssignmentMultiple
`New-MgBetaRoleManagementCloudPcRoleDefinition` /roleManagement/deviceManagement/roleDefinitions Create roleDefinitions
`New-MgBetaRoleManagementDeviceManagementRoleAssignment` /roleManagement/cloudPC/roleAssignments Create unifiedRoleAssignmentMultiple
`New-MgBetaRoleManagementDirectoryRoleDefinition` /roleManagement/deviceManagement/roleDefinitions Create roleDefinitions
`Remove-MgBetaRoleManagementCloudPcRoleAssignment` /roleManagement/cloudPC/roleAssignments/{id} Delete unifiedRoleAssignmentMultiple
`Remove-MgBetaRoleManagementCloudPcRoleDefinition` /roleManagement/deviceManagement/roleDefinitions/{id} Delete unifiedRoleDefinition
`Remove-MgBetaRoleManagementDeviceManagementRoleAssignment` /roleManagement/cloudPC/roleAssignments/{id} Delete unifiedRoleAssignmentMultiple
`Remove-MgBetaRoleManagementDirectoryRoleDefinition` /roleManagement/deviceManagement/roleDefinitions/{id} Delete unifiedRoleDefinition
`Update-MgBetaRoleManagementCloudPcRoleAssignment` /roleManagement/cloudPC/roleAssignments/{id} Update unifiedRoleAssignmentMultiple
`Update-MgBetaRoleManagementCloudPcRoleDefinition` /roleManagement/deviceManagement/roleDefinitions/{id} Update unifiedRoleDefinition
`Update-MgBetaRoleManagementDeviceManagementRoleAssignment` /roleManagement/cloudPC/roleAssignments/{id} Update unifiedRoleAssignmentMultiple
`Update-MgBetaRoleManagementDirectoryRoleDefinition` /roleManagement/deviceManagement/roleDefinitions/{id} Update unifiedRoleDefinition

Code Examples

C# / .NET SDK

Create roleDefinitions

View official example on Microsoft Learn

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new UnifiedRoleDefinition
{
	Description = "Update basic properties of application registrations",
	DisplayName = "Application Registration Support Administrator",
	RolePermissions = new List<UnifiedRolePermission>
	{
		new UnifiedRolePermission
		{
			AllowedResourceActions = new List<string>
			{
				"microsoft.directory/applications/basic/read",
			},
		},
	},
	IsEnabled = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleDefinitions.PostAsync(requestBody);

JavaScript

Create roleDefinitions

View official example on Microsoft Learn

const options = {
	authProvider,
};

const client = Client.init(options);

const unifiedRoleDefinition = {
  description: 'Update basic properties of application registrations',
  displayName: 'Application Registration Support Administrator',
  rolePermissions: 
    [
        {
            allowedResourceActions: 
            [
                'microsoft.directory/applications/basic/read'
            ]
        }
    ],
    isEnabled: 'true'
};

await client.api('/roleManagement/directory/roleDefinitions')
	.version('beta')
	.post(unifiedRoleDefinition);

PowerShell

Create roleDefinitions

View official example on Microsoft Learn

Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	description = "Update basic properties of application registrations"
	displayName = "Application Registration Support Administrator"
	rolePermissions = @(
		@{
			allowedResourceActions = @(
			"microsoft.directory/applications/basic/read"
		)
	}
)
isEnabled = "true"
}

New-MgBetaRoleManagementDirectoryRoleDefinition -BodyParameter $params

Python

Create roleDefinitions

View official example on Microsoft Learn

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.unified_role_definition import UnifiedRoleDefinition
from msgraph_beta.generated.models.unified_role_permission import UnifiedRolePermission
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleDefinition(
	description = "Update basic properties of application registrations",
	display_name = "Application Registration Support Administrator",
	role_permissions = [
		UnifiedRolePermission(
			allowed_resource_actions = [
				"microsoft.directory/applications/basic/read",
			],
		),
	],
	is_enabled = True,
)

result = await graph_client.role_management.directory.role_definitions.post(request_body)

App Registration

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

Select Permission Type

Choose Application permissions or delegated permissions and search for DeviceManagementRBAC.ReadWrite.All

Grant Admin Consent

Application permissions always require admin consent.