ESC
Type to search...
Navigate Open ESC Close

RecordsManagement.ReadWrite.All

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read/Write All Resources

Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies without the signed in user.

Delegated Access App-Only Access

Permission Details

Application Permission

Read and write Records Management configuration, labels and policies

Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies without the signed in user.

Permission ID: eb158f57-df43-4751-8b21-b8932adb3d34
Delegated Permission Admin consent required

Read and write Records Management configuration, labels, and policies

Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user.

User sees: Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on your behalf.
Permission ID: f2833d75-a4e6-40ab-86d4-6dfe73c97605

Graph Methods

Delegated access App-only access
Methods
GET /security/labels/authorities
GET /security/labels/authorities/{authorityTemplateId}
GET /security/labels/categories
GET /security/labels/categories/{categoryTemplateId}
GET /security/labels/categories/{categoryTemplateId}/subcategories
GET /security/labels/categories/{categoryTemplateId}/subcategories/{subcategoryTemplateId}
GET /security/labels/citations
GET /security/labels/citations/{citationTemplateId}
GET /security/labels/departments
GET /security/labels/departments/{departmentTemplateId}
GET /security/labels/filePlanReferences
GET /security/labels/filePlanReferences/{filePlanReferenceTemplateId}
GET /security/labels/retentionLabels
GET /security/labels/retentionLabels/{retentionLabelId}
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/authorityTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/categoryTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/citationTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/departmentTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/filePlanReferenceTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/eventType
GET /security/triggers/retentionEvents
GET /security/triggers/retentionEvents/{retentionEventId}
GET /security/triggers/retentionEvents/{retentionEventId}/labels/{retentionLabelId}
GET /security/triggers/retentionEvents/{retentionEventId}/retentionEventType
GET /security/triggerTypes/retentionEventTypes
GET /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}
POST /security/labels/authorities
POST /security/labels/categories
POST /security/labels/categories/{categoryTemplateId}/subcategories
POST /security/labels/citations
POST /security/labels/departments
POST /security/labels/filePlanReferences
POST /security/labels/retentionLabels
POST /security/triggers/retentionEvents
POST /security/triggerTypes/retentionEventTypes
PATCH /security/labels/retentionLabels/{retentionLabelId}
PATCH /security/labels/retentionLabels/{retentionLabelId}/eventType
PATCH /security/triggers/retentionEvents/{retentionEventId}/retentionEventType
PATCH /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}
DELETE /security/labels/authorities/{authorityTemplateId}/$ref
DELETE /security/labels/categories/{categoryTemplateId}/$ref
DELETE /security/labels/categories/{categoryTemplateId}/subcategories/{subcategoryTemplateId}/$ref
DELETE /security/labels/citations/{citationTemplateId}/$ref
DELETE /security/labels/departments/{departmentTemplateId}/$ref
DELETE /security/labels/filePlanReferences/{filePlanReferenceTemplateId}/$ref
DELETE /security/labels/retentionLabels/{retentionLabelId}
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/authorityTemplate/$ref
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/categoryTemplate/$ref
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/citationTemplate/$ref
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/departmentTemplate/$ref
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/filePlanReferenceTemplate/$ref
DELETE /security/labels/retentionLabels/{retentionLabelId}/eventType/$ref
DELETE /security/triggers/retentionEvents/{retentionEventId}
DELETE /security/triggers/retentionEvents/{retentionEventId}/retentionEventType/$ref
DELETE /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}/$ref
Methods
GET /security/labels/authorities
GET /security/labels/authorities/{authorityTemplateId}
GET /security/labels/categories
GET /security/labels/categories/{categoryTemplateId}
GET /security/labels/categories/{categoryTemplateId}/subcategories
GET /security/labels/categories/{categoryTemplateId}/subcategories/{subcategoryTemplateId}
GET /security/labels/citations
GET /security/labels/citations/{citationTemplateId}
GET /security/labels/departments
GET /security/labels/departments/{departmentTemplateId}
GET /security/labels/filePlanReferences
GET /security/labels/filePlanReferences/{filePlanReferenceTemplateId}
GET /security/labels/retentionLabels
GET /security/labels/retentionLabels/{retentionLabelId}
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/authorityTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/categoryTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/citationTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/departmentTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/descriptors/filePlanReferenceTemplate
GET /security/labels/retentionLabels/{retentionLabelId}/eventType
GET /security/triggers/retentionEvents
GET /security/triggers/retentionEvents/{retentionEventId}
GET /security/triggers/retentionEvents/{retentionEventId}/labels/{retentionLabelId}
GET /security/triggers/retentionEvents/{retentionEventId}/retentionEventType
GET /security/triggerTypes/retentionEventTypes
GET /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}
POST /security/labels/authorities
POST /security/labels/categories
POST /security/labels/categories/{categoryTemplateId}/subcategories
POST /security/labels/citations
POST /security/labels/departments
POST /security/labels/filePlanReferences
POST /security/labels/retentionLabels
POST /security/triggers/retentionEvents
POST /security/triggerTypes/retentionEventTypes
PATCH /security/labels/retentionLabels/{retentionLabelId}
PATCH /security/labels/retentionLabels/{retentionLabelId}/eventType
PATCH /security/triggers/retentionEvents/{retentionEventId}/retentionEventType
PATCH /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}
DELETE /security/labels/authorities/{authorityTemplateId}
DELETE /security/labels/categories/{categoryTemplateId}
DELETE /security/labels/categories/{categoryTemplateId}/subcategories/{subcategoryTemplateId}/$ref
DELETE /security/labels/citations/{citationTemplateId}
DELETE /security/labels/departments/{departmentTemplateId}
DELETE /security/labels/filePlanReferences/{filePlanReferenceTemplateId}
DELETE /security/labels/retentionLabels/{retentionLabelId}
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/authorityTemplate
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/categoryTemplate
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/citationTemplate
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/departmentTemplate
DELETE /security/labels/retentionLabels/{retentionLabelId}/descriptors/filePlanReferenceTemplate
DELETE /security/labels/retentionLabels/{retentionLabelId}/eventType/$ref
DELETE /security/triggers/retentionEvents/{retentionEventId}
DELETE /security/triggers/retentionEvents/{retentionEventId}/retentionEventType/$ref
DELETE /security/triggerTypes/retentionEventTypes/{retentionEventTypeId}/$ref
Commands
Get-MgSecurityLabelAuthority
Get-MgSecurityLabelCategory
Get-MgSecurityLabelCategorySubcategory
Get-MgSecurityLabelCitation
Get-MgSecurityLabelDepartment
Get-MgSecurityLabelFilePlanReference
Get-MgSecurityLabelRetentionLabel
Get-MgSecurityTriggerRetentionEvent
Get-MgSecurityTriggerTypeRetentionEventType
New-MgSecurityLabelAuthority
New-MgSecurityLabelCategory
New-MgSecurityLabelCategorySubcategory
New-MgSecurityLabelCitation
New-MgSecurityLabelDepartment
New-MgSecurityLabelFilePlanReference
New-MgSecurityLabelRetentionLabel
New-MgSecurityTriggerRetentionEvent
New-MgSecurityTriggerTypeRetentionEventType
Remove-MgSecurityLabelAuthority
Remove-MgSecurityLabelCategory
Remove-MgSecurityLabelCategorySubcategory
Remove-MgSecurityLabelCitation
Remove-MgSecurityLabelDepartment
Remove-MgSecurityLabelFilePlanReference
Remove-MgSecurityLabelRetentionLabel
Remove-MgSecurityTriggerRetentionEvent
Remove-MgSecurityTriggerTypeRetentionEventType
Update-MgBetaSecurityLabelRetentionLabel
Update-MgSecurityTriggerTypeRetentionEventType
Commands
Get-MgBetaSecurityLabelAuthority
Get-MgBetaSecurityLabelCategory
Get-MgBetaSecurityLabelCategorySubcategory
Get-MgBetaSecurityLabelCitation
Get-MgBetaSecurityLabelDepartment
Get-MgBetaSecurityLabelFilePlanReference
Get-MgBetaSecurityLabelRetentionLabel
Get-MgBetaSecurityTriggerRetentionEvent
Get-MgBetaSecurityTriggerTypeRetentionEventType
New-MgBetaSecurityLabelAuthority
New-MgBetaSecurityLabelCategory
New-MgBetaSecurityLabelCategorySubcategory
New-MgBetaSecurityLabelCitation
New-MgBetaSecurityLabelDepartment
New-MgBetaSecurityLabelFilePlanReference
New-MgBetaSecurityLabelRetentionLabel
New-MgBetaSecurityTriggerRetentionEvent
New-MgBetaSecurityTriggerTypeRetentionEventType
Remove-MgBetaSecurityLabelAuthority
Remove-MgBetaSecurityLabelCategory
Remove-MgBetaSecurityLabelCategorySubcategory
Remove-MgBetaSecurityLabelCitation
Remove-MgBetaSecurityLabelDepartment
Remove-MgBetaSecurityLabelFilePlanReference
Remove-MgBetaSecurityLabelRetentionLabel
Remove-MgBetaSecurityTriggerRetentionEvent
Remove-MgBetaSecurityTriggerTypeRetentionEventType
Update-MgBetaSecurityLabelRetentionLabel
Update-MgBetaSecurityTriggerTypeRetentionEventType

Code Examples

C# / .NET SDK 
// Install: dotnet add package Microsoft.Graph
// Install: dotnet add package Azure.Identity
using Microsoft.Graph;
using Azure.Identity;

// Delegated permissions - interactive user sign-in
var scopes = new[] { "RecordsManagement.ReadWrite.All" };
var options = new InteractiveBrowserCredentialOptions
{
    ClientId = "YOUR_CLIENT_ID",
    TenantId = "YOUR_TENANT_ID",
    RedirectUri = new Uri("http://localhost")
};
var credential = new InteractiveBrowserCredential(options);
var graphClient = new GraphServiceClient(credential, scopes);

// Example: GET /me
var result = await graphClient.Me.GetAsync();
Console.WriteLine($"User: {result?.DisplayName}");

// Application permissions - daemon/service app
var tenantId = "YOUR_TENANT_ID";
var clientId = "YOUR_CLIENT_ID";
var clientSecret = "YOUR_CLIENT_SECRET";

var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(credential);

// Example: GET /users/{user-id}
var users = await graphClient.Users.GetAsync();
foreach (var user in users?.Value ?? [])
{
    Console.WriteLine($"User: {user.DisplayName}");
}
JavaScript / TypeScript 
// npm install @azure/msal-browser @microsoft/microsoft-graph-client
import { PublicClientApplication } from "@azure/msal-browser";
import { Client } from "@microsoft/microsoft-graph-client";
import { AuthCodeMSALBrowserAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/authCodeMsalBrowser";

const msalConfig = {
    auth: {
        clientId: "YOUR_CLIENT_ID",
        authority: "https://login.microsoftonline.com/YOUR_TENANT_ID"
    }
};

const pca = new PublicClientApplication(msalConfig);
await pca.initialize();

// Delegated: Login with required scope
const loginResponse = await pca.loginPopup({
    scopes: ["RecordsManagement.ReadWrite.All"]
});

const authProvider = new AuthCodeMSALBrowserAuthenticationProvider(pca, {
    account: loginResponse.account,
    scopes: ["RecordsManagement.ReadWrite.All"],
    interactionType: "popup"
});

const graphClient = Client.initWithMiddleware({ authProvider });

// Example: GET /me
const result = await graphClient.api("/me").get();
console.log(result);

// Application: Use client credentials (Node.js backend only)
// npm install @azure/identity @microsoft/microsoft-graph-client
import { ClientSecretCredential } from "@azure/identity";
import { TokenCredentialAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials";

const credential = new ClientSecretCredential(
    "YOUR_TENANT_ID",
    "YOUR_CLIENT_ID", 
    "YOUR_CLIENT_SECRET"
);

const authProvider = new TokenCredentialAuthenticationProvider(credential, {
    scopes: ["https://graph.microsoft.com/.default"]
});

const graphClient = Client.initWithMiddleware({ authProvider });
const result = await graphClient.api("/users").get();
console.log(result);
PowerShell 
# Install Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope CurrentUser

# Delegated access - interactive sign-in
Connect-MgGraph -Scopes "RecordsManagement.ReadWrite.All"

# Verify connection
Get-MgContext | Select-Object Account, TenantId, Scopes

# Example: GET /me
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
$result | ConvertTo-Json -Depth 5

# Application access with certificate
$params = @{
    ClientId = "YOUR_CLIENT_ID"
    TenantId = "YOUR_TENANT_ID"
    CertificateThumbprint = "YOUR_CERT_THUMBPRINT"
}
Connect-MgGraph @params

# Or with client secret (not recommended for production)
# Connect-MgGraph -ClientSecretCredential $credential

# Example: GET /users
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users"
$result | ConvertTo-Json -Depth 5

# Always disconnect when done
Disconnect-MgGraph
Python 
# pip install msgraph-sdk azure-identity
from azure.identity import InteractiveBrowserCredential, ClientSecretCredential
from msgraph import GraphServiceClient
import asyncio

# Delegated permissions - interactive browser sign-in
credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)
scopes = ["RecordsManagement.ReadWrite.All"]
client = GraphServiceClient(credential, scopes)

async def get_data():
    # Example: GET /me
    result = await client.me.get()
    print(f"User: {result.display_name}")
    return result

asyncio.run(get_data())

# Application permissions - client credentials
credential = ClientSecretCredential(
    tenant_id="YOUR_TENANT_ID",
    client_id="YOUR_CLIENT_ID",
    client_secret="YOUR_CLIENT_SECRET"
)
scopes = ["https://graph.microsoft.com/.default"]
client = GraphServiceClient(credential, scopes)

async def get_users():
    # Example: GET /users
    result = await client.users.get()
    for user in result.value:
        print(f"User: {user.display_name}")
    return result

asyncio.run(get_users())

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or Delegated permissions and search for RecordsManagement.ReadWrite.All

4

Grant Admin Consent

Application permissions always require admin consent. Click "Grant admin consent" in the Azure portal.