LifecycleWorkflows-Workflow.ReadWrite.All
Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated
Read/Write
All Resources
Allows the app to create, update, list, read and delete all workflows and tasks in lifecycle workflows without a signed-in user.
Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access
App-Only Access
Permission Details
Application Permission
Read and write all workflows in Lifecycle workflows
Allows the app to create, update, list, read and delete all workflows and tasks in lifecycle workflows without a signed-in user.
Permission ID:
94c88098-1d9d-4c42-a356-4d5a95312554
Delegated Permission
Admin consent required
Read and write all workflows in Lifecycle workflows
Allows the app to create, update, list, read and delete all workflows and tasks in lifecycle workflows on behalf of a signed-in user.
User sees: Allows the app to create, update, list, read and delete all workflows and tasks in lifecycle workflows on your behalf.
Permission ID:
29e49f0c-a053-4cc5-a4b1-7da0c8c1e643
Properties
Microsoft Graph v1.0
endpoint-derived-docs
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
accessReviews |
object |
|
appConsent |
object |
|
entitlementManagement |
object |
|
lifecycleWorkflows |
object |
|
privilegedAccess |
object |
|
termsOfUse |
object |
JSON Representation
Microsoft Graph v1.0
endpoint-derived-docs
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
JSON representation
{
"accessReviews": {
"sample": "value"
},
"appConsent": {
"sample": "value"
},
"entitlementManagement": {
"sample": "value"
},
"lifecycleWorkflows": {
"sample": "value"
},
"privilegedAccess": {
"sample": "value"
},
"termsOfUse": {
"sample": "value"
}
}Relationships
Microsoft Graph v1.0
endpoint-derived-docs
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
accessReviews |
accessReviewSet |
Container for the base resources that expose the access reviews API and features. |
appConsent |
appConsent |
Container for base resources that expose the app consent request API and features. Currently exposes only the appConsentRequests resource. |
entitlementManagement |
entitlementManagement |
Container for entitlement management resources, including accessPackageCatalog, connectedOrganization, and entitlementManagementSettings. |
termsOfUse |
termsOfUseContainer |
Container for the resources that expose the terms of use API and its features, including agreements and agreementAcceptances. |
lifecycleWorkflows |
identityGovernance.lifecycleWorkflowsContainer |
Container for Lifecycle Workflow resources, including workflow, customTaskExtension, and lifecycleManagementSettings. |
privilegedAccess |
privilegedAccessRoot |
Container for the base resources that expose the API and features related to Privileged Identity Management (PIM) for Groups. |
catalogs |
accessPackageCatalog collection |
Related catalogs data exposed by this resource. |
permissionsAnalytics |
permissionsAnalyticsAggregation |
Related permissionsAnalytics data exposed by this resource. |
Graph Methods
Delegated access
App-only access
Exact Microsoft Learn match
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Exact Microsoft Learn match
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
C# / .NET SDK
Create workflow
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models.IdentityGovernance;
using Microsoft.Graph.Models;
var requestBody = new Workflow
{
Category = LifecycleWorkflowCategory.Joiner,
Description = "Configure new hire tasks for onboarding employees on their first day",
DisplayName = "Australia Onboard new hire employee",
IsEnabled = true,
IsSchedulingEnabled = true,
ExecutionConditions = new TriggerAndScopeBasedConditions
{
OdataType = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions",
Scope = new RuleBasedSubjectSet
{
OdataType = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet",
Rule = "(country eq 'Australia')",
},
Trigger = new TimeBasedAttributeTrigger
{
OdataType = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger",
TimeBasedAttribute = WorkflowTriggerTimeBasedAttribute.EmployeeHireDate,
OffsetInDays = 0,
},
},
Tasks = new List<TaskObject>
{
new TaskObject
{
ContinueOnError = false,
Description = "Enable user account in the directory",
DisplayName = "Enable User Account",
IsEnabled = true,
TaskDefinitionId = "6fc52c9d-398b-4305-9763-15f42c1676fc",
Arguments = new List<KeyValuePair>
{
},
},
new TaskObject
{
ContinueOnError = false,
Description = "Send welcome email to new hire",
DisplayName = "Send Welcome Email",
IsEnabled = true,
TaskDefinitionId = "70b29d51-b59a-4773-9280-8841dfd3f2ea",
Arguments = new List<KeyValuePair>
{
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.LifecycleWorkflows.Workflows.PostAsync(requestBody);
JavaScript
Create workflow
const options = {
authProvider,
};
const client = Client.init(options);
const workflow = {
category: 'joiner',
description: 'Configure new hire tasks for onboarding employees on their first day',
displayName: 'Australia Onboard new hire employee',
isEnabled: true,
isSchedulingEnabled: true,
executionConditions: {
'@odata.type': '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions',
scope: {
'@odata.type': '#microsoft.graph.identityGovernance.ruleBasedSubjectSet',
rule: '(country eq \'Australia\')'
},
trigger: {
'@odata.type': '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger',
timeBasedAttribute: 'employeeHireDate',
offsetInDays: 0
}
},
tasks: [
{
continueOnError: false,
description: 'Enable user account in the directory',
displayName: 'Enable User Account',
isEnabled: true,
taskDefinitionId: '6fc52c9d-398b-4305-9763-15f42c1676fc',
arguments: []
},
{
continueOnError: false,
description: 'Send welcome email to new hire',
displayName: 'Send Welcome Email',
isEnabled: true,
taskDefinitionId: '70b29d51-b59a-4773-9280-8841dfd3f2ea',
arguments: []
}
]
};
await client.api('/identityGovernance/lifecycleWorkflows/workflows')
.post(workflow);
PowerShell
Create workflow
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
category = "joiner"
description = "Configure new hire tasks for onboarding employees on their first day"
displayName = "Australia Onboard new hire employee"
isEnabled = $true
isSchedulingEnabled = $true
executionConditions = @{
"@odata.type" = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions"
scope = @{
"@odata.type" = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet"
rule = "(country eq 'Australia')"
}
trigger = @{
"@odata.type" = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger"
timeBasedAttribute = "employeeHireDate"
offsetInDays =
}
}
tasks = @(
@{
continueOnError = $false
description = "Enable user account in the directory"
displayName = "Enable User Account"
isEnabled = $true
taskDefinitionId = "6fc52c9d-398b-4305-9763-15f42c1676fc"
arguments = @(
)
}
@{
continueOnError = $false
description = "Send welcome email to new hire"
displayName = "Send Welcome Email"
isEnabled = $true
taskDefinitionId = "70b29d51-b59a-4773-9280-8841dfd3f2ea"
arguments = @(
)
}
)
}
New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $params
Python
Create workflow
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.identity_governance.workflow import Workflow
from msgraph.generated.models.lifecycle_workflow_category import LifecycleWorkflowCategory
from msgraph.generated.models.identity_governance.trigger_and_scope_based_conditions import TriggerAndScopeBasedConditions
from msgraph.generated.models.identity_governance.rule_based_subject_set import RuleBasedSubjectSet
from msgraph.generated.models.identity_governance.time_based_attribute_trigger import TimeBasedAttributeTrigger
from msgraph.generated.models.workflow_trigger_time_based_attribute import WorkflowTriggerTimeBasedAttribute
from msgraph.generated.models.identity_governance.task import Task
from msgraph.generated.models.key_value_pair import KeyValuePair
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Workflow(
category = LifecycleWorkflowCategory.Joiner,
description = "Configure new hire tasks for onboarding employees on their first day",
display_name = "Australia Onboard new hire employee",
is_enabled = True,
is_scheduling_enabled = True,
execution_conditions = TriggerAndScopeBasedConditions(
odata_type = "#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions",
scope = RuleBasedSubjectSet(
odata_type = "#microsoft.graph.identityGovernance.ruleBasedSubjectSet",
rule = "(country eq 'Australia')",
),
trigger = TimeBasedAttributeTrigger(
odata_type = "#microsoft.graph.identityGovernance.timeBasedAttributeTrigger",
time_based_attribute = WorkflowTriggerTimeBasedAttribute.EmployeeHireDate,
offset_in_days = 0,
),
),
tasks = [
Task(
continue_on_error = False,
description = "Enable user account in the directory",
display_name = "Enable User Account",
is_enabled = True,
task_definition_id = "6fc52c9d-398b-4305-9763-15f42c1676fc",
arguments = [
],
),
Task(
continue_on_error = False,
description = "Send welcome email to new hire",
display_name = "Send Welcome Email",
is_enabled = True,
task_definition_id = "70b29d51-b59a-4773-9280-8841dfd3f2ea",
arguments = [
],
),
],
)
result = await graph_client.identity_governance.lifecycle_workflows.workflows.post(request_body)App Registration
1
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
2
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
3
Select Permission Type
Choose Application permissions or delegated permissions and search for LifecycleWorkflows-Workflow.ReadWrite.All
4
Grant Admin Consent
Application permissions always require admin consent.