RoleManagement.ReadWrite.Defender
Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user.
Permission Details
Read M365 Defender RBAC configuration
Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user.
8b7e8c0a-7e9d-4049-97ec-04b5e1bcaf05
Read M365 Defender RBAC configuration
Allows the app to read the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes reading M365 Defender role definitions and role assignments.
d8914f8f-9f64-4bd1-b4d3-f5a701ed8457
Properties
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
directory |
object |
|
entitlementManagement |
object |
Container for roles and assignments for entitlement management resources. |
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
{
"@odata.type": "#microsoft.graph.roleManagement"
}Relationships
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
directory |
rbacApplication |
Read-only. Nullable. |
entitlementManagement |
rbacApplication |
Container for roles and assignments for entitlement management resources. |
enterpriseApps |
rbacApplication collection |
Related enterpriseApps data exposed by this resource. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
No API methods available for this version.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
No deterministic PowerShell command map is available for this permission.
Browse PowerShell docsMicrosoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new UnifiedRoleDefinition
{
Description = "Update basic properties of application registrations",
DisplayName = "Application Registration Support Administrator",
RolePermissions = new List<UnifiedRolePermission>
{
new UnifiedRolePermission
{
AllowedResourceActions = new List<string>
{
"microsoft.directory/applications/basic/read",
},
},
},
IsEnabled = true,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleDefinitions.PostAsync(requestBody);const options = {
authProvider,
};
const client = Client.init(options);
const unifiedRoleDefinition = {
description: 'Update basic properties of application registrations',
displayName: 'Application Registration Support Administrator',
rolePermissions:
[
{
allowedResourceActions:
[
'microsoft.directory/applications/basic/read'
]
}
],
isEnabled: 'true'
};
await client.api('/roleManagement/directory/roleDefinitions')
.version('beta')
.post(unifiedRoleDefinition);Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
description = "Update basic properties of application registrations"
displayName = "Application Registration Support Administrator"
rolePermissions = @(
@{
allowedResourceActions = @(
"microsoft.directory/applications/basic/read"
)
}
)
isEnabled = "true"
}
New-MgBetaRoleManagementDirectoryRoleDefinition -BodyParameter $params# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.unified_role_definition import UnifiedRoleDefinition
from msgraph_beta.generated.models.unified_role_permission import UnifiedRolePermission
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleDefinition(
description = "Update basic properties of application registrations",
display_name = "Application Registration Support Administrator",
role_permissions = [
UnifiedRolePermission(
allowed_resource_actions = [
"microsoft.directory/applications/basic/read",
],
),
],
is_enabled = True,
)
result = await graph_client.role_management.directory.role_definitions.post(request_body)App Registration
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
Select Permission Type
Choose Application permissions or delegated permissions and search for RoleManagement.ReadWrite.Defender
Grant Admin Consent
Application permissions always require admin consent.