ESC
Type to search...
Navigate Open ESC Close

PrivilegedAccess.ReadWrite.AzureAD

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read/Write User Scope

Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Application Permission

Read and write privileged access to Azure AD roles

Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user.

Permission ID: 854d9ab1-6657-4ec8-be45-823027bcd009
Delegated Permission Admin consent required

Read and write privileged access to Azure AD

Allows the app to request and manage just in time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users.

User sees: Allows the app to request and manage just in time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on your behalf.
Permission ID: 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37

Properties

Microsoft Graph beta exact-category-docs

Properties is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

Property Type Description
id String The id of the provider managed by PIM.
displayName StringNullable The display name of the provider managed by PIM.
resources governanceResource collection A collection of resources for the provider.
roleAssignmentRequests governanceRoleAssignmentRequest collection A collection of role assignment requests for the provider.
roleAssignments governanceRoleAssignment collection A collection of role assignments for the provider.
roleDefinitions governanceRoleDefinition collection A collection of role definitions for the provider.
roleSettings governanceRoleSetting collection A collection of role settings for the provider.

JSON Representation

Microsoft Graph beta exact-category-docs

JSON representation is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

JSON representation 
{
  "id": "String (identifier)",
  "displayName": "String",
}

Relationships

Microsoft Graph beta exact-category-docs

Relationships is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

Relationship Type Description
resources governanceResource collection A collection of resources for the provider.
roleAssignments governanceRoleAssignment collection A collection of role assignments for the provider.
roleDefinitions governanceRoleDefinition collection A collection of role definitions for the provider.
roleAssignmentRequests governanceRoleAssignmentRequest collection A collection of role assignment requests for the provider.
roleSettings governanceRoleSetting collection A collection of role settings for the provider.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

No API methods available for this version.

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignmentRequests
GET /privilegedAccess/azureResources/roleAssignmentRequests?$filter=resourceId+eq+'{resourceId}'
GET /privilegedAccess/azureResources/roleAssignmentRequests?$filter=status/subStatus+eq+'PendingAdminDecision'
GET /privilegedAccess/azureResources/roleAssignmentRequests?$filter=subjectId+eq+'{myId}'
GET /roleManagement/directory/roleScheduleInstances(directoryScopeId='@directoryScopeId',appScopeId='@appScopeId',principalId='@principalId',roleDefinitionId='@roleDefinitionId')
GET /roleManagement/directory/roleSchedules(directoryScopeId='@directoryScopeId',appScopeId='@appScopeId',principalId='@principalId',roleDefinitionId='@roleDefinitionId')
POST /privilegedAccess/azureResources/roleAssignmentRequests/{id}/cancel
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Invoke-MgBetaScheduleRoleManagementDirectory /roleManagement/directory/roleScheduleInstances(directoryScopeId='@directoryScopeId',appScopeId='@appScopeId',principalId='@principalId',roleDefinitionId='@roleDefinitionId')
rbacApplication: roleScheduleInstances
Invoke-MgBetaScheduleRoleManagementDirectoryRole /roleManagement/directory/roleSchedules(directoryScopeId='@directoryScopeId',appScopeId='@appScopeId',principalId='@principalId',roleDefinitionId='@roleDefinitionId')
rbacApplication: roleSchedules

Code Examples

C# / .NET SDK
Cancel governanceRoleAssignmentRequest (deprecated)
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests["{governanceRoleAssignmentRequest-id}"].Cancel.PostAsync();
JavaScript
Cancel governanceRoleAssignmentRequest (deprecated)
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests/7c53453e-d5a4-41e0-8eb1-32d5ec8bfdee/cancel')
	.version('beta')
	.post();
PowerShell
Cancel governanceRoleAssignmentRequest (deprecated)
View official example on Microsoft Learn
Import-Module Microsoft.Graph.Beta.Identity.Governance

Stop-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -GovernanceRoleAssignmentRequestId $governanceRoleAssignmentRequestId
Python
Cancel governanceRoleAssignmentRequest (deprecated)
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.by_governance_role_assignment_request_id('governanceRoleAssignmentRequest-id').cancel.post()

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for PrivilegedAccess.ReadWrite.AzureAD

4

Grant Admin Consent

Application permissions always require admin consent.