PrivilegedAccess.ReadWrite.AzureResources

Permission Details

Application Permission

Read and write privileged access to Azure resources

Allows the app to request and manage time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) in your organization, without a signed-in user.

Permission ID: 6f9d5abc-2db6-400b-a267-7de22a40fb87

Delegated Permission

Read and write privileged access to Azure resources

Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage Azure resources (like subscriptions, resource groups, storage, compute) on behalf of the signed-in users.

Permission ID: a84a9652-ffd3-496e-a991-22ba5529156a

Properties

Microsoft Graph beta exact-category-docs

Properties is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

Property	Type	Description
`id`	`String`	The id of the provider managed by PIM.
`displayName`	`String`Nullable	The display name of the provider managed by PIM.
`resources`	`governanceResource collection`	A collection of resources for the provider.
`roleAssignmentRequests`	`governanceRoleAssignmentRequest collection`	A collection of role assignment requests for the provider.
`roleAssignments`	`governanceRoleAssignment collection`	A collection of role assignments for the provider.
`roleDefinitions`	`governanceRoleDefinition collection`	A collection of role definitions for the provider.
`roleSettings`	`governanceRoleSetting collection`	A collection of role settings for the provider.

JSON Representation

Microsoft Graph beta exact-category-docs

JSON representation is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

JSON representation

{
  "id": "String (identifier)",
  "displayName": "String",
}

Relationships

Microsoft Graph beta exact-category-docs

Relationships is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.

Relationship	Type	Description
`resources`	`governanceResource collection`	A collection of resources for the provider.
`roleAssignments`	`governanceRoleAssignment collection`	A collection of role assignments for the provider.
`roleDefinitions`	`governanceRoleDefinition collection`	A collection of role definitions for the provider.
`roleAssignmentRequests`	`governanceRoleAssignmentRequest collection`	A collection of role assignment requests for the provider.
`roleSettings`	`governanceRoleSetting collection`	A collection of role settings for the provider.

Graph Methods

Delegated access App-only access

Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

No API methods available for this version.

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/privilegedAccess/azureResources/resources/{resourceId}/roleAssignmentRequests`
GET `/privilegedAccess/azureResources/roleAssignmentRequests?$filter=resourceId+eq+'{resourceId}'`
GET `/privilegedAccess/azureResources/roleAssignmentRequests?$filter=status/subStatus+eq+'PendingAdminDecision'`
GET `/privilegedAccess/azureResources/roleAssignmentRequests?$filter=subjectId+eq+'{myId}'`
POST `/privilegedAccess/azureResources/roleAssignmentRequests/{id}/cancel`

No Microsoft Learn PowerShell mapping available

Microsoft Graph PowerShell v1.0 commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs

No Microsoft Learn PowerShell mapping available

Microsoft Graph PowerShell beta commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.

No deterministic PowerShell command map is available for this permission.

Browse PowerShell docs

Code Examples

C# / .NET SDK

Cancel governanceRoleAssignmentRequest (deprecated)

View official example on Microsoft Learn

// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests["{governanceRoleAssignmentRequest-id}"].Cancel.PostAsync();

JavaScript

Cancel governanceRoleAssignmentRequest (deprecated)

View official example on Microsoft Learn

const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests/7c53453e-d5a4-41e0-8eb1-32d5ec8bfdee/cancel')
	.version('beta')
	.post();

PowerShell

Cancel governanceRoleAssignmentRequest (deprecated)

View official example on Microsoft Learn

Import-Module Microsoft.Graph.Beta.Identity.Governance

Stop-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -GovernanceRoleAssignmentRequestId $governanceRoleAssignmentRequestId

Python

Cancel governanceRoleAssignmentRequest (deprecated)

View official example on Microsoft Learn

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.by_governance_role_assignment_request_id('governanceRoleAssignmentRequest-id').cancel.post()

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for PrivilegedAccess.ReadWrite.AzureResources

4

Grant Admin Consent

Application permissions always require admin consent.