PrivilegedAccess.Read.AzureResources

Permission Details

Application Permission

Read privileged access to Azure resources

Allows the app to read time-based assignment and just-in-time elevation of user privileges to audit Azure resources in your organization, without a signed-in user.

Permission ID: 5df6fe86-1be0-44eb-b916-7bd443a71236

Delegated Permission

Read privileged access to Azure resources

Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on behalf of the signed-in user.

Permission ID: 1d89d70c-dcac-4248-b214-903c457af83a

Properties

Microsoft Graph beta exact-category-docs

Properties is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

Property	Type	Description
`id`	`String`	The id of the provider managed by PIM.
`displayName`	`String`Nullable	The display name of the provider managed by PIM.
`resources`	`governanceResource collection`	A collection of resources for the provider.
`roleAssignmentRequests`	`governanceRoleAssignmentRequest collection`	A collection of role assignment requests for the provider.
`roleAssignments`	`governanceRoleAssignment collection`	A collection of role assignments for the provider.
`roleDefinitions`	`governanceRoleDefinition collection`	A collection of role definitions for the provider.
`roleSettings`	`governanceRoleSetting collection`	A collection of role settings for the provider.

JSON Representation

Microsoft Graph beta exact-category-docs

JSON representation is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

JSON representation

{
  "id": "String (identifier)",
  "displayName": "String",
}

Relationships

Microsoft Graph beta exact-category-docs

Relationships is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

Relationship	Type	Description
`resources`	`governanceResource collection`	A collection of resources for the provider.
`roleAssignments`	`governanceRoleAssignment collection`	A collection of role assignments for the provider.
`roleDefinitions`	`governanceRoleDefinition collection`	A collection of role definitions for the provider.
`roleAssignmentRequests`	`governanceRoleAssignmentRequest collection`	A collection of role assignment requests for the provider.
`roleSettings`	`governanceRoleSetting collection`	A collection of role settings for the provider.

Graph Methods

Delegated access App-only access

Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

No API methods available for this version.

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/privilegedAccess/azureResources/resources/{resourceId}/roleAssignmentRequests`
GET `/privilegedAccess/azureResources/roleAssignmentRequests?$filter=resourceId+eq+'{resourceId}'`
GET `/privilegedAccess/azureResources/roleAssignmentRequests?$filter=status/subStatus+eq+'PendingAdminDecision'`
GET `/privilegedAccess/azureResources/roleAssignmentRequests?$filter=subjectId+eq+'{myId}'`

No Microsoft Learn PowerShell mapping available

Microsoft Graph PowerShell v1.0 commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs

No Microsoft Learn PowerShell mapping available

Microsoft Graph PowerShell beta commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs

Code Examples

C# / .NET SDK

using Azure.Identity;
using Microsoft.Graph;

var scopes = new[] { "PrivilegedAccess.Read.AzureResources" };
var credential = new InteractiveBrowserCredential(
    new InteractiveBrowserCredentialOptions
    {
        ClientId = "YOUR_CLIENT_ID",
        TenantId = "YOUR_TENANT_ID",
        RedirectUri = new Uri("http://localhost")
    });

var graphClient = new GraphServiceClient(credential, scopes);
var response = await graphClient
    .WithUrl("https://graph.microsoft.com/v1.0/privilegedAccess/azureResources/resources/{id}/roleAssignmentRequests")
    .GetAsync();

JavaScript

import { Client } from "@microsoft/microsoft-graph-client";
import { InteractiveBrowserCredential } from "@azure/identity";

const credential = new InteractiveBrowserCredential({
  clientId: "YOUR_CLIENT_ID",
  tenantId: "YOUR_TENANT_ID",
  redirectUri: "http://localhost"
});

const token = await credential.getToken(["PrivilegedAccess.Read.AzureResources"]);
const client = Client.init({
  authProvider: (done) => done(null, token.token)
});

const response = await client.api("/privilegedAccess/azureResources/resources/{id}/roleAssignmentRequests").get();

PowerShell

Connect-MgGraph -Scopes "PrivilegedAccess.Read.AzureResources"
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/privilegedAccess/azureResources/resources/{id}/roleAssignmentRequests"

Python

from azure.identity import InteractiveBrowserCredential
import requests

credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)

token = credential.get_token("PrivilegedAccess.Read.AzureResources")
response = requests.get(
    "https://graph.microsoft.com/v1.0/privilegedAccess/azureResources/resources/{id}/roleAssignmentRequests",
    headers={"Authorization": f"Bearer {token.token}"}
)

print(response.json())

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for PrivilegedAccess.Read.AzureResources

4

Grant Admin Consent

Application permissions always require admin consent.