Can users consent to EntitlementMgmt-SubjectAccess.ReadWrite themselves?

Yes, this delegated permission allows user consent. Users can grant this permission during sign-in without admin approval.

How do I add EntitlementMgmt-SubjectAccess.ReadWrite to my app registration?

Go to Azure Portal > App registrations > Your app > API permissions > Add permission > Microsoft Graph, then search for EntitlementMgmt-SubjectAccess.ReadWrite and select it.

EntitlementMgmt-SubjectAccess.ReadWrite Permission - Microsoft Graph API

EntitlementMgmt-SubjectAccess.ReadWrite

Permission Details

Delegated Permission

Read and write entitlement management resources related to self-service operations

Allows the app to manage self-service entitlement management resources on behalf of the signed-in user. This includes operations such as requesting access and approving access of others.

Permission ID: e9fdcbbb-8807-410f-b9ec-8d5468c7c2ac

Graph Methods

Delegated access App-only access

No API methods available for this version.

No PowerShell cmdlets found for this permission.

Code Examples

C# / .NET SDK

// Install: dotnet add package Microsoft.Graph
// Install: dotnet add package Azure.Identity
using Microsoft.Graph;
using Azure.Identity;

// Delegated permissions - interactive user sign-in
var scopes = new[] { "EntitlementMgmt-SubjectAccess.ReadWrite" };
var options = new InteractiveBrowserCredentialOptions
{
    ClientId = "YOUR_CLIENT_ID",
    TenantId = "YOUR_TENANT_ID",
    RedirectUri = new Uri("http://localhost")
};
var credential = new InteractiveBrowserCredential(options);
var graphClient = new GraphServiceClient(credential, scopes);

// Example: GET /me
var result = await graphClient.Me.GetAsync();
Console.WriteLine($"User: {result?.DisplayName}");

JavaScript / TypeScript

// npm install @azure/msal-browser @microsoft/microsoft-graph-client
import { PublicClientApplication } from "@azure/msal-browser";
import { Client } from "@microsoft/microsoft-graph-client";
import { AuthCodeMSALBrowserAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/authCodeMsalBrowser";

const msalConfig = {
    auth: {
        clientId: "YOUR_CLIENT_ID",
        authority: "https://login.microsoftonline.com/YOUR_TENANT_ID"
    }
};

const pca = new PublicClientApplication(msalConfig);
await pca.initialize();

// Delegated: Login with required scope
const loginResponse = await pca.loginPopup({
    scopes: ["EntitlementMgmt-SubjectAccess.ReadWrite"]
});

const authProvider = new AuthCodeMSALBrowserAuthenticationProvider(pca, {
    account: loginResponse.account,
    scopes: ["EntitlementMgmt-SubjectAccess.ReadWrite"],
    interactionType: "popup"
});

const graphClient = Client.initWithMiddleware({ authProvider });

// Example: GET /me
const result = await graphClient.api("/me").get();
console.log(result);

PowerShell

# Install Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope CurrentUser

# Delegated access - interactive sign-in
Connect-MgGraph -Scopes "EntitlementMgmt-SubjectAccess.ReadWrite"

# Verify connection
Get-MgContext | Select-Object Account, TenantId, Scopes

# Example: GET /me
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
$result | ConvertTo-Json -Depth 5


# Always disconnect when done
Disconnect-MgGraph

Python

# pip install msgraph-sdk azure-identity
from azure.identity import InteractiveBrowserCredential, ClientSecretCredential
from msgraph import GraphServiceClient
import asyncio

# Delegated permissions - interactive browser sign-in
credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)
scopes = ["EntitlementMgmt-SubjectAccess.ReadWrite"]
client = GraphServiceClient(credential, scopes)

async def get_data():
    # Example: GET /me
    result = await client.me.get()
    print(f"User: {result.display_name}")
    return result

asyncio.run(get_data())

App Registration

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

Select Permission Type

Choose Delegated permissions and search for EntitlementMgmt-SubjectAccess.ReadWrite

Grant Admin Consent

Users can consent to this permission themselves during sign-in.