Does EntitlementManagement.ReadWrite.All require admin consent?

Yes, Application permissions always require admin consent. An administrator must grant consent in the Azure portal.

How do I add EntitlementManagement.ReadWrite.All to my app registration?

Go to Azure Portal > App registrations > Your app > API permissions > Add permission > Microsoft Graph, then search for EntitlementManagement.ReadWrite.All and select it.

EntitlementManagement.ReadWrite.All Permission - Microsoft Graph API

Permission Details

Application Permission

Read and write all entitlement management resources

Allows the app to read and write access packages and related entitlement management resources without a signed-in user.

Permission ID: 9acd699f-1e81-4958-b001-93b1d2506e19

Delegated Permission

Read and write entitlement management resources

Allows the app to request access to and management of access packages and related entitlement management resources on behalf of the signed-in user.

Permission ID: ae7a573d-81d7-432b-ad44-4ed5c9d89038

Properties

Property	Type	Description
`id`	`string`	The unique identifier for an entity. Read-only.
`accessPackageAssignmentApprovals`	`microsoft.graph.approval collection`
`accessPackageAssignmentResourceRoles`	`microsoft.graph.accessPackageAssignmentResourceRole collection`	Represents the resource-specific role which a subject has been assigned through an access package assignment.
`accessPackageCatalogs`	`microsoft.graph.accessPackageCatalog collection`	A container of access packages.
`accessPackageResourceRoleScopes`	`microsoft.graph.accessPackageResourceRoleScope collection`	A reference to both a scope within a resource, and a role in that resource for that scope.
`accessPackageAssignmentRequests`	`microsoft.graph.accessPackageAssignmentRequest collection`	Represents access package assignment requests created by or on behalf of a user. DO NOT USE. TO BE RETIRED SOON. Use the assignmentRequests relationship instead.
`accessPackageResources`	`microsoft.graph.accessPackageResource collection`	A reference to a resource associated with an access package catalog.
`accessPackageResourceEnvironments`	`microsoft.graph.accessPackageResourceEnvironment collection`	A reference to the geolocation environment in which a resource is located.
`accessPackages`	`microsoft.graph.accessPackage collection`	Represents access package objects.
`accessPackageAssignmentPolicies`	`microsoft.graph.accessPackageAssignmentPolicy collection`	Represents the policy that governs which subjects can request or be assigned an access package via an access package assignment.
`accessPackageSuggestions`	`microsoft.graph.accessPackageSuggestion collection`
`availableAccessPackages`	`microsoft.graph.availableAccessPackage collection`
`controlConfigurations`	`microsoft.graph.controlConfiguration collection`	Represents the policies that control lifecycle and access to access packages across the organization.
`settings`	`object`	Represents the settings that control the behavior of Microsoft Entra entitlement management.
`assignmentRequests`	`microsoft.graph.accessPackageAssignmentRequest collection`	Represents access package assignment requests created by or on behalf of a user.

Showing 15 of 19 properties. View all on Microsoft Learn →

JSON Representation

JSON representation

{
  "id": "String",
  "accessPackageAssignmentApprovals": "[...]",
  "accessPackageAssignmentResourceRoles": "[...]",
  "accessPackageCatalogs": "[...]",
  "accessPackageResourceRoleScopes": "[...]",
  "accessPackageAssignmentRequests": "[...]",
  "accessPackageResources": "[...]",
  "accessPackageResourceEnvironments": "[...]",
  "accessPackages": "[...]",
  "accessPackageAssignmentPolicies": "[...]",
  "accessPackageSuggestions": "[...]",
  "availableAccessPackages": "[...]",
  "controlConfigurations": "[...]",
  "settings": "{...}",
  "assignmentRequests": "[...]",
  "accessPackageResourceRequests": "[...]",
  "accessPackageAssignments": "[...]",
  "subjects": "[...]",
  "connectedOrganizations": "[...]"
}

Relationships

Relationship	Type	Description
`accessPackageAssignmentApprovals`	`approval collection`	Approval stages for decisions associated with access package assignment requests.
`accessPackages`	`accessPackage collection`	Access packages define the collection of resource roles and the policies for how one or more users can get access to those resources.
`assignmentPolicies`	`accessPackageAssignmentPolicy collection`	Access package assignment policies govern which subjects may request or be assigned an access package via an access package assignment.
`assignmentRequests`	`accessPackageAssignmentRequest collection`	Access package assignment requests created by or on behalf of a subject.
`assignments`	`accessPackageAssignment collection`	The assignment of an access package to a subject for a period of time.
`catalogs`	`accessPackageCatalog collection`	A container for access packages.
`connectedOrganizations`	`connectedOrganization collection`	References to a directory or domain of another organization whose users can request access.
`resourceEnvironments`	`accessPackageResourceEnvironment collection`	A reference to the geolocation environments in which a resource is located.
`resourceRequests`	`accessPackageResourceRequest collection`	Represents a request to add or remove a resource to or from a catalog respectively.
`resourceRoleScopes`	`accessPackageResourceRoleScope collection`	A reference to both a scope within a resource, and a role in that resource for that scope.
`resources`	`accessPackageResource collection`	The resources associated with the catalogs.
`settings`	`entitlementManagementSettings`	The settings that control the behavior of Azure AD entitlement management.
`subjects`	`accessPackageSubject collection`	The subjects within entitlement management.

Graph Methods

Delegated access App-only access

Methods
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages/{approvalStageId}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/filterByCurrentUser(on='approver')`
GET `/identityGovernance/entitlementManagement/accessPackages`
GET `/identityGovernance/entitlementManagement/accessPackages/{accessPackageId}`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}?$expand=resourceRoleScopes($expand=role,scope)`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackagesIncompatibleWith`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups`
GET `/identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser(on='allowedRequestor')`
GET `/identityGovernance/entitlementManagement/assignmentPolicies`
GET `/identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicyId}`
GET `/identityGovernance/entitlementManagement/assignmentRequests`
GET `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}`
GET `/identityGovernance/entitlementManagement/assignmentRequests/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/assignments`
GET `/identityGovernance/entitlementManagement/assignments/{accessPackageAssignmentId}`
GET `/identityGovernance/entitlementManagement/assignments/additionalAccess(accessPackageId='parameterValue',incompatibleAccessPackageId='parameterValue')`
GET `/identityGovernance/entitlementManagement/assignments/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/catalogs`
GET `/identityGovernance/entitlementManagement/catalogs/{accessPackageCatalogId}`
GET `/identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions`
GET `/identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions/{accessPackageCustomWorkflowExtensionId}`
GET `/identityGovernance/entitlementManagement/catalogs/{catalogId}/resourceRoles?$filter=(originSystem+eq+%27{originSystemType}%27+and+resource/id+eq+%27{resourceId}%27)&$expand=resource`
GET `/identityGovernance/entitlementManagement/catalogs/{id}/resources`
GET `/identityGovernance/entitlementManagement/connectedOrganizations`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/externalSponsors`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/internalSponsors`
GET `/identityGovernance/entitlementManagement/resourceRequests`
GET `/identityGovernance/entitlementManagement/settings`
GET `/roleManagement/directory/roleAssignments`
GET `/roleManagement/directory/roleAssignments/{id}`
GET `/roleManagement/directory/roleDefinitions`
GET `/roleManagement/directory/roleDefinitions/{id}`
GET `identityGovernance/entitlementManagement/resourceEnvironments?$filter=originSystem eq 'SharePointOnline'`
POST `/identityGovernance/entitlementManagement/accessPackageCatalogs/{accessPackageCatalogId}/accessPackageResources/{accessPackageResourceId}/refresh`
POST `/identityGovernance/entitlementManagement/accessPackages`
POST `/identityGovernance/entitlementManagement/accessPackages/{accessPackageId}/getApplicablePolicyRequirements`
POST `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages/$ref`
POST `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups/$ref`
POST `/identityGovernance/entitlementManagement/accessPackages/{id}/resourceRoleScopes`
POST `/identityGovernance/entitlementManagement/assignmentPolicies`
POST `/identityGovernance/entitlementManagement/assignmentRequests`
POST `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}/cancel`
POST `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}/resume`
POST `/identityGovernance/entitlementManagement/assignmentRequests/{id}/reprocess`
POST `/identityGovernance/entitlementManagement/assignments/{id}/reprocess`
POST `/identityGovernance/entitlementManagement/catalogs`
POST `/identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions`
POST `/identityGovernance/entitlementManagement/connectedOrganizations`
POST `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/externalSponsors/$ref`
POST `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/internalSponsors/$ref`
POST `/identityGovernance/entitlementManagement/resourceRequests`
POST `/roleManagement/directory/roleAssignments`
PATCH `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages/{approvalStageId}`
PATCH `/identityGovernance/entitlementManagement/accessPackages/{accessPackageId}`
PATCH `/identityGovernance/entitlementManagement/catalogs/{accessPackageCatalogId}`
PATCH `/identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}`
PATCH `/identityGovernance/entitlementManagement/settings`
PUT `/identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicyId}`
PUT `/identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions/{customAccessPackageWorkflowExtensionId}`
DELETE `/identityGovernance/entitlementManagement/accessPackages/{accessPackageId}`
DELETE `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages/{id}/$ref`
DELETE `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups/{id}/$ref`
DELETE `/identityGovernance/entitlementManagement/accessPackages/{id}/resourceRoleScopes/{id}`
DELETE `/identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicyId}`
DELETE `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}`
DELETE `/identityGovernance/entitlementManagement/catalogs/{accessPackageCatalogId}`
DELETE `/identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions/{customAccessPackageWorkflowExtensionId}`
DELETE `/identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}`
DELETE `/identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}/externalSponsors/{id}/$ref`
DELETE `/identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}/internalSponsors/{id}/$ref`
DELETE `/roleManagement/directory/roleAssignments/{id}`

Methods
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}/steps`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}/steps/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/filterByCurrentUser(on='approver')`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentResourceRoles`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentResourceRoles/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignments`
GET `/identityGovernance/entitlementManagement/accessPackageAssignments/additionalAccess(accessPackageId='parameterValue',incompatibleAccessPackageId='parameterValue')`
GET `/identityGovernance/entitlementManagement/accessPackageAssignments/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{accessPackageCatalogId}/accessPackageResources/{accessPackageResourceId}/uploadSessions/{customDataProvidedResourceUploadSessionId}`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/accessPackageCustomWorkflowExtensions`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/accessPackageCustomWorkflowExtensions/{accessPackageCustomWorkflowExtensionId}`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/accessPackageResourceRoles?$filter=(originSystem+eq+%27{originSystemType}%27+and+accessPackageResource/id+eq+%27{resourceId}%27)&$expand=accessPackageResource`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/customAccessPackageWorkflowExtensions`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/customAccessPackageWorkflowExtensions/{customAccessPackageWorkflowExtensionId}`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{id}/accessPackageResources`
GET `/identityGovernance/entitlementManagement/accessPackageResourceEnvironments/{accessPackageResourceEnvironmentId}`
GET `/identityGovernance/entitlementManagement/accessPackageResourceRequests`
GET `/identityGovernance/entitlementManagement/accessPackages`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}?$expand=accessPackageResourceRoleScopes($expand=accessPackageResourceRole,accessPackageResourceScope)`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackagesIncompatibleWith`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups`
GET `/identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser(on='allowedRequestor')`
GET `/identityGovernance/entitlementManagement/accessPackageSuggestions/filterByCurrentUser(on={on})`
GET `/identityGovernance/entitlementManagement/assignmentRequests`
GET `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}`
GET `/identityGovernance/entitlementManagement/assignmentRequests/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/availableAccessPackages/{availableAccessPackage-id}/resourceRoleScopes`
GET `/identityGovernance/entitlementManagement/connectedOrganizations`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/externalSponsors`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/internalSponsors`
GET `/identityGovernance/entitlementManagement/controlConfigurations/endUserSettings`
GET `/identityGovernance/entitlementManagement/settings`
GET `/identityGovernance/entitlementManagement/subjects(objectId='{objectIdOfUser}')`
GET `/roleManagement/cloudPC/roleDefinitions`
GET `/roleManagement/cloudPC/roleDefinitions/{id}`
GET `/roleManagement/directory/roleAssignments`
GET `/roleManagement/directory/roleAssignments/{id}`
GET `identityGovernance/entitlementManagement/accessPackageResourceEnvironments?$filter=originSystem eq 'SharePointOnline'`
POST `/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies`
POST `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests`
POST `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/{accessPackageAssignmentRequestId}/resume`
POST `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/{id}/cancel`
POST `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/{id}/reprocess`
POST `/identityGovernance/entitlementManagement/accessPackageAssignments/{id}/reprocess`
POST `/identityGovernance/entitlementManagement/accessPackageCatalogs`
POST `/identityGovernance/entitlementManagement/accessPackageCatalogs/{accessPackageCatalogId}/accessPackageResources/{accessPackageResourceId}/refresh`
POST `/identityGovernance/entitlementManagement/accessPackageCatalogs/{accessPackageCatalogId}/accessPackageResources/{accessPackageResourceId}/uploadSessions`
POST `/identityGovernance/entitlementManagement/accessPackageCatalogs/{accessPackageCatalogId}/accessPackageResources/{accessPackageResourceId}/uploadSessions/{customDataProvidedResourceUploadSessionId}/uploadFile`
POST `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/accessPackageCustomWorkflowExtensions`
POST `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/customAccessPackageWorkflowExtensions`
POST `/identityGovernance/entitlementManagement/accessPackageResourceRequests`
POST `/identityGovernance/entitlementManagement/accessPackages`
POST `/identityGovernance/entitlementManagement/accessPackages/{accessPackageId}/moveToCatalog`
POST `/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackageResourceRoleScopes`
POST `/identityGovernance/entitlementManagement/accessPackages/{id}/getApplicablePolicyRequirements`
POST `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages/$ref`
POST `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups/$ref`
POST `/identityGovernance/entitlementManagement/assignmentRequests`
POST `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}/cancel`
POST `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}/resume`
POST `/identityGovernance/entitlementManagement/assignmentRequests/{id}/reprocess`
POST `/identityGovernance/entitlementManagement/connectedOrganizations`
POST `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/externalSponsors/$ref`
POST `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/internalSponsors/$ref`
POST `/roleManagement/directory/roleAssignments`
PATCH `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}/steps/{id}`
PATCH `/identityGovernance/entitlementManagement/accessPackageCatalogs/{accessPackageCatalogId}`
PATCH `/identityGovernance/entitlementManagement/accessPackageCatalogs/{accessPackageCatalogId}/accessPackageResources/{accessPackageResourceId}/uploadSessions/{customDataProvidedResourceUploadSessionId}`
PATCH `/identityGovernance/entitlementManagement/accessPackages/{accessPackageId}`
PATCH `/identityGovernance/entitlementManagement/connectedOrganizations/{id}`
PATCH `/identityGovernance/entitlementManagement/settings`
PATCH `/identityGovernance/entitlementManagement/subjects(objectId='{objectIdOfUser}')`
PUT `/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{accessPackageAssignmentPolicyId}`
PUT `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/customAccessPackageWorkflowExtensions/{customAccessPackageWorkflowExtensionId}`
PUT `/identityGovernance/entitlementManagement/controlConfigurations/endUserSettings`
DELETE `/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{id}`
DELETE `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/{id}`
DELETE `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/customAccessPackageWorkflowExtensions/{customAccessPackageWorkflowExtensionId}`
DELETE `/identityGovernance/entitlementManagement/accessPackageCatalogs/{id}`
DELETE `/identityGovernance/entitlementManagement/accessPackages/{id}`
DELETE `/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackageResourceRoleScopes/{id}`
DELETE `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages/{id}/$ref`
DELETE `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups/{id}/$ref`
DELETE `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}`
DELETE `/identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}/externalSponsors/{id}/$ref`
DELETE `/identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}/internalSponsors/{id}/$ref`
DELETE `/identityGovernance/entitlementManagement/connectedOrganizations/{id}`
DELETE `/roleManagement/directory/roleAssignments/{id}`

Commands
`Get-MgEntitlementManagementAccessPackage`
`Get-MgEntitlementManagementAccessPackageApplicablePolicyRequirement`
`Get-MgEntitlementManagementAccessPackageAssignmentApprovalStage`
`Get-MgEntitlementManagementAccessPackageIncompatibleAccessPackage`
`Get-MgEntitlementManagementAccessPackageIncompatibleGroup`
`Get-MgEntitlementManagementAccessPackageIncompatibleWith`
`Get-MgEntitlementManagementAssignment`
`Get-MgEntitlementManagementAssignmentAdditional`
`Get-MgEntitlementManagementAssignmentPolicy`
`Get-MgEntitlementManagementAssignmentRequest`
`Get-MgEntitlementManagementCatalog`
`Get-MgEntitlementManagementCatalogCustomWorkflowExtension`
`Get-MgEntitlementManagementCatalogResource`
`Get-MgEntitlementManagementCatalogResourceRole`
`Get-MgEntitlementManagementConnectedOrganization`
`Get-MgEntitlementManagementConnectedOrganizationExternalSponsor`
`Get-MgEntitlementManagementConnectedOrganizationInternalSponsor`
`Get-MgEntitlementManagementResourceEnvironment`
`Get-MgEntitlementManagementResourceRequest`
`Get-MgEntitlementManagementSetting`
`Get-MgRoleManagementDirectoryRoleAssignment`
`Get-MgRoleManagementDirectoryRoleDefinition`
`Get-MgRoleManagementEntitlementManagementRoleAssignment`
`Get-MgRoleManagementEntitlementManagementRoleDefinition`
`Invoke-MgFilterEntitlementManagementAccessPackageByCurrentUser`
`Invoke-MgFilterEntitlementManagementAssignmentByCurrentUser`
`Invoke-MgFilterEntitlementManagementAssignmentRequestByCurrentUser`
`Invoke-MgFilterIdentityGovernancePrivilegedAccessGroupAssignmentApprovalByCurrentUser`
`New-MgBetaEntitlementManagementConnectedOrganization`
`New-MgEntitlementManagementAccessPackage`
`New-MgEntitlementManagementAccessPackageIncompatibleAccessPackageByRef`
`New-MgEntitlementManagementAccessPackageIncompatibleGroupByRef`
`New-MgEntitlementManagementAccessPackageResourceRoleScope`
`New-MgEntitlementManagementAssignmentPolicy`
`New-MgEntitlementManagementAssignmentRequest`
`New-MgEntitlementManagementCatalog`
`New-MgEntitlementManagementCatalogCustomWorkflowExtension`
`New-MgEntitlementManagementConnectedOrganizationExternalSponsorByRef`
`New-MgEntitlementManagementConnectedOrganizationInternalSponsorByRef`
`New-MgEntitlementManagementResourceRequest`
`New-MgRoleManagementEntitlementManagementRoleAssignment`
`Remove-MgEntitlementManagementAccessPackage`
`Remove-MgEntitlementManagementAccessPackageIncompatibleAccessPackageByRef`
`Remove-MgEntitlementManagementAccessPackageIncompatibleGroupByRef`
`Remove-MgEntitlementManagementAccessPackageResourceRoleScope`
`Remove-MgEntitlementManagementAssignmentPolicy`
`Remove-MgEntitlementManagementAssignmentRequest`
`Remove-MgEntitlementManagementCatalog`
`Remove-MgEntitlementManagementCatalogCustomWorkflowExtension`
`Remove-MgEntitlementManagementConnectedOrganization`
`Remove-MgEntitlementManagementConnectedOrganizationExternalSponsorDirectoryObjectByRef`
`Remove-MgEntitlementManagementConnectedOrganizationInternalSponsorDirectoryObjectByRef`
`Remove-MgRoleManagementDirectoryRoleAssignment`
`Resume-MgEntitlementManagementAssignmentRequest`
`Set-MgEntitlementManagementAssignmentPolicy`
`Stop-MgEntitlementManagementAssignmentRequest`
`Update-MgEntitlementManagementAccessPackage`
`Update-MgEntitlementManagementAccessPackageAssignmentApprovalStage`
`Update-MgEntitlementManagementAssignment`
`Update-MgEntitlementManagementAssignmentRequest`
`Update-MgEntitlementManagementCatalog`
`Update-MgEntitlementManagementCatalogCustomWorkflowExtension`
`Update-MgEntitlementManagementConnectedOrganization`
`Update-MgEntitlementManagementSetting`

Commands
`Get-MgBetaEntitlementManagementAccessPackage`
`Get-MgBetaEntitlementManagementAccessPackageApplicablePolicyRequirement`
`Get-MgBetaEntitlementManagementAccessPackageAssignment`
`Get-MgBetaEntitlementManagementAccessPackageAssignmentAdditional`
`Get-MgBetaEntitlementManagementAccessPackageAssignmentPolicy`
`Get-MgBetaEntitlementManagementAccessPackageAssignmentRequest`
`Get-MgBetaEntitlementManagementAccessPackageAssignmentResourceRole`
`Get-MgBetaEntitlementManagementAccessPackageCatalog`
`Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageCustomWorkflowExtension`
`Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResource`
`Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResourceRole`
`Get-MgBetaEntitlementManagementAccessPackageCatalogCustomAccessPackageWorkflowExtension`
`Get-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackage`
`Get-MgBetaEntitlementManagementAccessPackageIncompatibleGroup`
`Get-MgBetaEntitlementManagementAccessPackageIncompatibleWith`
`Get-MgBetaEntitlementManagementAccessPackageResourceEnvironment`
`Get-MgBetaEntitlementManagementAccessPackageResourceRequest`
`Get-MgBetaEntitlementManagementAssignmentRequest`
`Get-MgBetaEntitlementManagementAvailableAccessPackageResourceRoleScope`
`Get-MgBetaEntitlementManagementConnectedOrganization`
`Get-MgBetaEntitlementManagementConnectedOrganizationExternalSponsor`
`Get-MgBetaEntitlementManagementConnectedOrganizationInternalSponsor`
`Get-MgBetaEntitlementManagementSetting`
`Get-MgBetaEntitlementManagementSubjectByObjectId`
`Get-MgBetaRoleManagementDirectoryRoleAssignment`
`Get-MgBetaRoleManagementDirectoryRoleDefinition`
`Get-MgBetaRoleManagementExchangeRoleAssignment`
`Get-MgBetaRoleManagementExchangeRoleDefinition`
`Invoke-MgBetaFilterEntitlementManagementAccessPackageAssignmentByCurrentUser`
`Invoke-MgBetaFilterEntitlementManagementAccessPackageAssignmentRequestByCurrentUser`
`Invoke-MgBetaFilterEntitlementManagementAccessPackageByCurrentUser`
`Invoke-MgBetaFilterEntitlementManagementAccessPackageSuggestionByCurrentUser`
`Invoke-MgBetaFilterIdentityGovernancePrivilegedAccessGroupAssignmentApprovalByCurrentUser`
`Invoke-MgBetaUploadIdentityGovernanceCatalogAccessPackageResourceAccessPackageResourceRoleAccessPackageResourceAccessPackageResourceScopeAccessPackageResourceUploadSessionFile`
`Invoke-MgBetaUploadIdentityGovernanceCatalogAccessPackageResourceAccessPackageResourceRoleAccessPackageResourceUploadSessionFile`
`Invoke-MgBetaUploadIdentityGovernanceCatalogAccessPackageResourceAccessPackageResourceScopeAccessPackageResourceAccessPackageResourceRoleAccessPackageResourceUploadSessionFile`
`Invoke-MgBetaUploadIdentityGovernanceCatalogAccessPackageResourceAccessPackageResourceScopeAccessPackageResourceUploadSessionFile`
`Invoke-MgBetaUploadIdentityGovernanceCatalogAccessPackageResourceRoleAccessPackageResourceAccessPackageResourceScopeAccessPackageResourceUploadSessionFile`
`Invoke-MgBetaUploadIdentityGovernanceCatalogAccessPackageResourceRoleAccessPackageResourceUploadSessionFile`
`Invoke-MgBetaUploadIdentityGovernanceCatalogAccessPackageResourceScopeAccessPackageResourceAccessPackageResourceRoleAccessPackageResourceUploadSessionFile`
`Invoke-MgBetaUploadIdentityGovernanceCatalogAccessPackageResourceScopeAccessPackageResourceUploadSessionFile`
`Invoke-MgBetaUploadIdentityGovernanceCatalogAccessPackageResourceUploadSessionFile`
`Move-MgBetaEntitlementManagementAccessPackageToCatalog`
`New-MgBetaEntitlementManagementAccessPackage`
`New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy`
`New-MgBetaEntitlementManagementAccessPackageAssignmentRequest`
`New-MgBetaEntitlementManagementAccessPackageCatalog`
`New-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageCustomWorkflowExtension`
`New-MgBetaEntitlementManagementAccessPackageCatalogCustomAccessPackageWorkflowExtension`
`New-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef`
`New-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef`
`New-MgBetaEntitlementManagementAccessPackageResourceRequest`
`New-MgBetaEntitlementManagementAccessPackageResourceRoleScope`
`New-MgBetaEntitlementManagementAssignmentRequest`
`New-MgBetaEntitlementManagementConnectedOrganization`
`New-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorByRef`
`New-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorByRef`
`New-MgBetaRoleManagementExchangeRoleAssignment`
`Remove-MgBetaEntitlementManagementAccessPackage`
`Remove-MgBetaEntitlementManagementAccessPackageAssignmentPolicy`
`Remove-MgBetaEntitlementManagementAccessPackageAssignmentRequest`
`Remove-MgBetaEntitlementManagementAccessPackageCatalog`
`Remove-MgBetaEntitlementManagementAccessPackageCatalogCustomAccessPackageWorkflowExtension`
`Remove-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef`
`Remove-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef`
`Remove-MgBetaEntitlementManagementAccessPackageResourceRoleScope`
`Remove-MgBetaEntitlementManagementConnectedOrganization`
`Remove-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorDirectoryObjectByRef`
`Remove-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorDirectoryObjectByRef`
`Remove-MgBetaRoleManagementExchangeRoleAssignment`
`Resume-MgBetaEntitlementManagementAccessPackageAssignmentRequest`
`Set-MgBetaEntitlementManagementAccessPackageAssignmentPolicy`
`Stop-MgBetaEntitlementManagementAccessPackageAssignmentRequest`
`Update-MgBetaEntitlementManagementAccessPackage`
`Update-MgBetaEntitlementManagementAccessPackageAssignment`
`Update-MgBetaEntitlementManagementAccessPackageAssignmentApprovalStep`
`Update-MgBetaEntitlementManagementAccessPackageAssignmentRequest`
`Update-MgBetaEntitlementManagementAccessPackageCatalog`
`Update-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageCustomWorkflowExtension`
`Update-MgBetaEntitlementManagementAccessPackageCatalogCustomAccessPackageWorkflowExtension`
`Update-MgBetaEntitlementManagementAssignmentRequest`
`Update-MgBetaEntitlementManagementConnectedOrganization`
`Update-MgBetaEntitlementManagementSetting`
`Update-MgBetaEntitlementManagementSubjectByObjectId`
`Update-MgBetaIdentityGovernanceCatalogAccessPackageResource`
`Update-MgBetaIdentityGovernanceCatalogAccessPackageResourceAccessPackageResourceRoleAccessPackageResource`
`Update-MgBetaIdentityGovernanceCatalogAccessPackageResourceAccessPackageResourceRoleAccessPackageResourceAccessPackageResourceScopeAccessPackageResource`
`Update-MgBetaIdentityGovernanceCatalogAccessPackageResourceAccessPackageResourceScopeAccessPackageResource`
`Update-MgBetaIdentityGovernanceCatalogAccessPackageResourceAccessPackageResourceScopeAccessPackageResourceAccessPackageResourceRoleAccessPackageResource`
`Update-MgBetaIdentityGovernanceCatalogAccessPackageResourceRoleAccessPackageResource`
`Update-MgBetaIdentityGovernanceCatalogAccessPackageResourceRoleAccessPackageResourceAccessPackageResourceScopeAccessPackageResource`
`Update-MgBetaIdentityGovernanceCatalogAccessPackageResourceScopeAccessPackageResource`
`Update-MgBetaIdentityGovernanceCatalogAccessPackageResourceScopeAccessPackageResourceAccessPackageResourceRoleAccessPackageResource`

Code Examples

C# / .NET SDK

// Install: dotnet add package Microsoft.Graph
// Install: dotnet add package Azure.Identity
using Microsoft.Graph;
using Azure.Identity;

// Delegated permissions - interactive user sign-in
var scopes = new[] { "EntitlementManagement.ReadWrite.All" };
var options = new InteractiveBrowserCredentialOptions
{
    ClientId = "YOUR_CLIENT_ID",
    TenantId = "YOUR_TENANT_ID",
    RedirectUri = new Uri("http://localhost")
};
var credential = new InteractiveBrowserCredential(options);
var graphClient = new GraphServiceClient(credential, scopes);

// Example: GET /me
var result = await graphClient.Me.GetAsync();
Console.WriteLine($"User: {result?.DisplayName}");

// Application permissions - daemon/service app
var tenantId = "YOUR_TENANT_ID";
var clientId = "YOUR_CLIENT_ID";
var clientSecret = "YOUR_CLIENT_SECRET";

var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(credential);

// Example: GET /users/{user-id}
var users = await graphClient.Users.GetAsync();
foreach (var user in users?.Value ?? [])
{
    Console.WriteLine($"User: {user.DisplayName}");
}

JavaScript / TypeScript

// npm install @azure/msal-browser @microsoft/microsoft-graph-client
import { PublicClientApplication } from "@azure/msal-browser";
import { Client } from "@microsoft/microsoft-graph-client";
import { AuthCodeMSALBrowserAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/authCodeMsalBrowser";

const msalConfig = {
    auth: {
        clientId: "YOUR_CLIENT_ID",
        authority: "https://login.microsoftonline.com/YOUR_TENANT_ID"
    }
};

const pca = new PublicClientApplication(msalConfig);
await pca.initialize();

// Delegated: Login with required scope
const loginResponse = await pca.loginPopup({
    scopes: ["EntitlementManagement.ReadWrite.All"]
});

const authProvider = new AuthCodeMSALBrowserAuthenticationProvider(pca, {
    account: loginResponse.account,
    scopes: ["EntitlementManagement.ReadWrite.All"],
    interactionType: "popup"
});

const graphClient = Client.initWithMiddleware({ authProvider });

// Example: GET /me
const result = await graphClient.api("/me").get();
console.log(result);

// Application: Use client credentials (Node.js backend only)
// npm install @azure/identity @microsoft/microsoft-graph-client
import { ClientSecretCredential } from "@azure/identity";
import { TokenCredentialAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials";

const credential = new ClientSecretCredential(
    "YOUR_TENANT_ID",
    "YOUR_CLIENT_ID", 
    "YOUR_CLIENT_SECRET"
);

const authProvider = new TokenCredentialAuthenticationProvider(credential, {
    scopes: ["https://graph.microsoft.com/.default"]
});

const graphClient = Client.initWithMiddleware({ authProvider });
const result = await graphClient.api("/users").get();
console.log(result);

PowerShell

# Install Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope CurrentUser

# Delegated access - interactive sign-in
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

# Verify connection
Get-MgContext | Select-Object Account, TenantId, Scopes

# Example: GET /me
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
$result | ConvertTo-Json -Depth 5

# Application access with certificate
$params = @{
    ClientId = "YOUR_CLIENT_ID"
    TenantId = "YOUR_TENANT_ID"
    CertificateThumbprint = "YOUR_CERT_THUMBPRINT"
}
Connect-MgGraph @params

# Or with client secret (not recommended for production)
# Connect-MgGraph -ClientSecretCredential $credential

# Example: GET /users
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users"
$result | ConvertTo-Json -Depth 5

# Always disconnect when done
Disconnect-MgGraph

Python

# pip install msgraph-sdk azure-identity
from azure.identity import InteractiveBrowserCredential, ClientSecretCredential
from msgraph import GraphServiceClient
import asyncio

# Delegated permissions - interactive browser sign-in
credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)
scopes = ["EntitlementManagement.ReadWrite.All"]
client = GraphServiceClient(credential, scopes)

async def get_data():
    # Example: GET /me
    result = await client.me.get()
    print(f"User: {result.display_name}")
    return result

asyncio.run(get_data())

# Application permissions - client credentials
credential = ClientSecretCredential(
    tenant_id="YOUR_TENANT_ID",
    client_id="YOUR_CLIENT_ID",
    client_secret="YOUR_CLIENT_SECRET"
)
scopes = ["https://graph.microsoft.com/.default"]
client = GraphServiceClient(credential, scopes)

async def get_users():
    # Example: GET /users
    result = await client.users.get()
    for user in result.value:
        print(f"User: {user.display_name}")
    return result

asyncio.run(get_users())

App Registration

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

Select Permission Type

Choose Application permissions or Delegated permissions and search for EntitlementManagement.ReadWrite.All

Grant Admin Consent

Application permissions always require admin consent. Click "Grant admin consent" in the Azure portal.