ESC
Type to search...
Navigate Open ESC Close

RoleManagement.ReadWrite.Directory

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read/Write User Scope

Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Application Permission

Read and write all directory RBAC settings

Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

Permission ID: 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8
Delegated Permission Admin consent required

Read and write directory RBAC settings

Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

User sees: Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on your behalf. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.
Permission ID: d01b97e9-cbc0-49fe-810a-750afd5527a3

Properties

Microsoft Graph v1.0 exact-category-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
directory object
entitlementManagement object Container for roles and assignments for entitlement management resources.

JSON Representation

Microsoft Graph v1.0 exact-category-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "@odata.type": "#microsoft.graph.roleManagement"
}

Relationships

Microsoft Graph v1.0 exact-category-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
directory rbacApplication Read-only. Nullable.
entitlementManagement rbacApplication Container for roles and assignments for entitlement management resources.
enterpriseApps rbacApplication collection Related enterpriseApps data exposed by this resource.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /directory/administrativeUnits/{id}/scopedRoleMembers
GET /directory/administrativeUnits/{id}/scopedRoleMembers/{id}
GET /directoryRoles
GET /directoryRoles(roleTemplateId='{roleTemplateId}')
GET /directoryRoles(roleTemplateId='{roleTemplateId}')/members
GET /directoryRoles(roleTemplateId='{roleTemplateId}')/scopedMembers
GET /directoryRoles/{role-id}
GET /directoryRoles/{role-id}/members
GET /directoryroles/{role-id}/scopedMembers
GET /directoryRoles/delta
GET /directoryRoleTemplates
GET /directoryRoleTemplates/{id}
GET /policies/roleManagementPolicies?$filter=scopeId eq '{groupId}' and scopeType eq 'Group'
GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '{groupId}' and scopeType eq 'Group'
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
GET /roleManagement/directory/roleAssignments
GET /roleManagement/directory/roleAssignments/{id}
GET /roleManagement/directory/roleAssignmentScheduleInstances
GET /roleManagement/directory/roleAssignmentScheduleInstances/{unifiedRoleAssignmentScheduleInstanceId}
GET /roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on=parameterValue)
GET /roleManagement/directory/roleAssignmentScheduleRequests
GET /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestId}
GET /roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='parameterValue')
GET /roleManagement/directory/roleAssignmentSchedules
GET /roleManagement/directory/roleAssignmentSchedules/{unifiedRoleAssignmentScheduleId}
GET /roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='parameterValue')
GET /roleManagement/directory/roleDefinitions
GET /roleManagement/directory/roleDefinitions/{id}
GET /roleManagement/directory/roleEligibilityScheduleInstances
GET /roleManagement/directory/roleEligibilityScheduleInstances/{unifiedRoleEligibilityScheduleInstanceId}
GET /roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='parameterValue')
GET /roleManagement/directory/roleEligibilityScheduleRequests
GET /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestId}
GET /roleManagement/directory/roleEligibilityScheduleRequests/filterByCurrentUser(on='parameterValue')
GET /roleManagement/directory/roleEligibilitySchedules
GET /roleManagement/directory/roleEligibilitySchedules/{unifiedRoleEligibilityScheduleId}
GET /roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='parameterValue')
GET /roleManagement/entitlementManagement/roleAssignments
GET /roleManagement/entitlementManagement/roleAssignments/{id}
GET /roleManagement/entitlementManagement/roleDefinitions
GET /roleManagement/entitlementManagement/roleDefinitions/{id}
POST /directory/administrativeUnits/{id}/scopedRoleMembers
POST /directoryRoles
POST /directoryRoles/{role-id}/members/$ref
POST /directoryRoles/roleTemplateId={roleTemplateId}/members/$ref
POST /roleManagement/directory/roleAssignments
POST /roleManagement/directory/roleAssignmentScheduleRequests
POST /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestId}/cancel
POST /roleManagement/directory/roleDefinitions
POST /roleManagement/directory/roleEligibilityScheduleRequests
POST /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestId}/cancel
POST /roleManagement/entitlementManagement/roleAssignments
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
PATCH /roleManagement/directory/roleDefinitions/{id}
DELETE /directory/administrativeUnits/{id}/scopedRoleMembers/{id}
DELETE /directoryRoles(roleTemplateId='{roleTemplateId}')/members/{id}/$ref
DELETE /directoryRoles/{role-id}/members/{id}/$ref
DELETE /roleManagement/directory/roleAssignments/{id}
DELETE /roleManagement/directory/roleDefinitions/{id}
DELETE /roleManagement/entitlementManagement/roleAssignments/{id}
Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /administrativeUnits/{id}/scopedRoleMembers
GET /administrativeUnits/{id}/scopedRoleMembers/{id}
GET /directoryRoles
GET /directoryRoles(roleTemplateId='{roleTemplateId}')
GET /directoryRoles(roleTemplateId='{roleTemplateId}')/members
GET /directoryRoles(roleTemplateId='{roleTemplateId}')/scopedMembers
GET /directoryRoles/{role-id}
GET /directoryRoles/{role-id}/members
GET /directoryroles/{role-id}/scopedMembers
GET /directoryRoles/delta
GET /directoryRoleTemplates
GET /directoryRoleTemplates/{id}
GET /policies/roleManagementPolicies?$filter=scopeId eq '{groupId}' and scopeType eq 'Group'
GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/effectiveRules
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '{groupId}' and scopeType eq 'Group'
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
GET /roleManagement/cloudPC/roleDefinitions
GET /roleManagement/cloudPC/roleDefinitions/{id}
GET /roleManagement/defender/roleDefinitions
GET /roleManagement/defender/roleDefinitions/{id}
GET /roleManagement/deviceManagement/roleDefinitions
GET /roleManagement/deviceManagement/roleDefinitions/{id}
GET /roleManagement/directory/resourceNamespaces
GET /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}
GET /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}/resourceActions
GET /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}/resourceActions/{unifiedRbacResourceActionId}
GET /roleManagement/directory/roleAssignments
GET /roleManagement/directory/roleAssignments/{id}
GET /roleManagement/directory/roleAssignmentScheduleInstances
GET /roleManagement/directory/roleAssignmentScheduleInstances/{unifiedRoleAssignmentScheduleInstancesId}
GET /roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on='principal')
GET /roleManagement/directory/roleAssignmentScheduleRequests
GET /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestsId}
GET /roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='principal')
GET /roleManagement/directory/roleAssignmentSchedules
GET /roleManagement/directory/roleAssignmentSchedules/{unifiedRoleAssignmentSchedulesId}
GET /roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='principal')
GET /roleManagement/directory/roleDefinitions
GET /roleManagement/directory/roleDefinitions/{id}
GET /roleManagement/directory/roleDefinitions/{unifiedRoleDefinitionId}/assignedPrincipals(transitive=@transitive,directoryScopeType='@directoryScopeType',directoryScopeId='@directoryScopeId')
GET /roleManagement/directory/roleEligibilityScheduleInstances
GET /roleManagement/directory/roleEligibilityScheduleInstances/{unifiedRoleEligibilityScheduleInstancesId}
GET /roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='principal')
GET /roleManagement/directory/roleEligibilityScheduleRequests
GET /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestsId}
GET /roleManagement/directory/RoleEligibilityScheduleRequests/filterByCurrentUser(on='principal')
GET /roleManagement/directory/roleEligibilitySchedules
GET /roleManagement/directory/roleEligibilitySchedules/{unifiedRoleEligibilitySchedulesId}
GET /roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')
GET /roleManagement/directory/transitiveRoleAssignments?$filter=principalId eq '{principalId}'
GET /roleManagement/entitlementManagement/roleAssignments?
GET /roleManagement/entitlementManagement/roleAssignments/{id}
GET /roleManagement/entitlementManagement/roleDefinitions
GET /roleManagement/entitlementManagement/roleDefinitions/{id}
GET /roleManagement/exchange/roleAssignments
GET /roleManagement/exchange/roleAssignments/{id}
GET /roleManagement/exchange/roleDefinitions
GET /roleManagement/exchange/roleDefinitions/{id}
POST /administrativeUnits/{id}/scopedRoleMembers
POST /directoryRoles
POST /directoryRoles/{role-id}/members/$ref
POST /directoryRoles/roleTemplateId={roleTemplateId}/members/$ref
POST /roleManagement/cloudPc/roleDefinitions
POST /roleManagement/defender/roleDefinitions
POST /roleManagement/deviceManagement/roleDefinitions
POST /roleManagement/directory/roleAssignments
POST /roleManagement/directory/roleAssignmentScheduleRequests
POST /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestsId}/cancel
POST /roleManagement/directory/roleDefinitions
POST /roleManagement/directory/roleEligibilityScheduleRequests
POST /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestsId}/cancel
POST /roleManagement/entitlementManagement/roleAssignments
POST /roleManagement/exchange/roleAssignments
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
PATCH /roleManagement/cloudPc/roleDefinitions/{id}
PATCH /roleManagement/deviceManagement/roleDefinitions/{id}
PATCH /roleManagement/directory/roleDefinitions/{id}
DELETE /administrativeUnits/{id}/scopedRoleMembers/{id}
DELETE /directoryRoles(roleTemplateId='{roleTemplateId}')/members/{id}/$ref
DELETE /directoryRoles/{role-id}/members/{id}/$ref
DELETE /roleManagement/cloudPc/roleDefinitions/{id}
DELETE /roleManagement/defender/roleDefinitions/{id}
DELETE /roleManagement/deviceManagement/roleDefinitions/{id}
DELETE /roleManagement/directory/roleAssignments/{id}
DELETE /roleManagement/directory/roleDefinitions/{id}
DELETE /roleManagement/entitlementManagement/roleAssignments/{id}
DELETE /roleManagement/exchange/roleAssignments/{id}
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgDirectoryAdministrativeUnitScopedRoleMember /directory/administrativeUnits/{id}/scopedRoleMembers
List scopedRoleMembers
Get-MgDirectoryAdministrativeUnitScopedRoleMember /directory/administrativeUnits/{id}/scopedRoleMembers/{id}
Get a scopedRoleMember
Get-MgDirectoryRole /directoryRoles
List directoryRoles
Get-MgDirectoryRole /directoryRoles/{role-id}
Get directoryRole
Get-MgDirectoryRoleDelta /directoryRoles/delta
directoryRole: delta
Get-MgDirectoryRoleMember /directoryRoles/{role-id}/members
List members of a directory role
Get-MgDirectoryRoleScopedMember /directoryroles/{role-id}/scopedMembers
List scopedMembers for a directory role
Get-MgDirectoryRoleTemplate /directoryRoleTemplates
List directoryRoleTemplates
Get-MgDirectoryRoleTemplate /directoryRoleTemplates/{id}
Get directoryRoleTemplate
Get-MgPolicyRoleManagementPolicy /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
List roleManagementPolicies
Get-MgPolicyRoleManagementPolicy /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
Get unifiedRoleManagementPolicy
Get-MgPolicyRoleManagementPolicyAssignment /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
List roleManagementPolicyAssignments
Get-MgPolicyRoleManagementPolicyAssignment /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
Get unifiedRoleManagementPolicyAssignment
Get-MgPolicyRoleManagementPolicyRule /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
List rules (for a role management policy)
Get-MgPolicyRoleManagementPolicyRule /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Get unifiedRoleManagementPolicyRule
Get-MgRoleManagementDirectoryRoleAssignment /roleManagement/directory/roleAssignments
List unifiedRoleAssignments
Get-MgRoleManagementDirectoryRoleAssignment /roleManagement/directory/roleAssignments/{id}
Get unifiedRoleAssignment
Get-MgRoleManagementDirectoryRoleAssignmentSchedule /roleManagement/directory/roleAssignmentSchedules
List roleAssignmentSchedules
Get-MgRoleManagementDirectoryRoleAssignmentSchedule /roleManagement/directory/roleAssignmentSchedules/{unifiedRoleAssignmentScheduleId}
Get unifiedRoleAssignmentSchedule
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance /roleManagement/directory/roleAssignmentScheduleInstances
List roleAssignmentScheduleInstances
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance /roleManagement/directory/roleAssignmentScheduleInstances/{unifiedRoleAssignmentScheduleInstanceId}
Get unifiedRoleAssignmentScheduleInstance
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest /roleManagement/directory/roleAssignmentScheduleRequests
List roleAssignmentScheduleRequests
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestId}
Get unifiedRoleAssignmentScheduleRequest
Get-MgRoleManagementDirectoryRoleDefinition /roleManagement/directory/roleDefinitions
List roleDefinitions
Get-MgRoleManagementDirectoryRoleDefinition /roleManagement/directory/roleDefinitions/{id}
Get unifiedRoleDefinition
Get-MgRoleManagementDirectoryRoleEligibilitySchedule /roleManagement/directory/roleEligibilitySchedules
List roleEligibilitySchedules
Get-MgRoleManagementDirectoryRoleEligibilitySchedule /roleManagement/directory/roleEligibilitySchedules/{unifiedRoleEligibilityScheduleId}
Get unifiedRoleEligibilitySchedule
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance /roleManagement/directory/roleEligibilityScheduleInstances
List roleEligibilityScheduleInstances
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance /roleManagement/directory/roleEligibilityScheduleInstances/{unifiedRoleEligibilityScheduleInstanceId}
Get unifiedRoleEligibilityScheduleInstance
Get-MgRoleManagementDirectoryRoleEligibilityScheduleRequest /roleManagement/directory/roleEligibilityScheduleRequests
List roleEligibilityScheduleRequests
Get-MgRoleManagementDirectoryRoleEligibilityScheduleRequest /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestId}
Get unifiedRoleEligibilityScheduleRequest
Get-MgRoleManagementEntitlementManagementRoleAssignment /roleManagement/directory/roleAssignments
List unifiedRoleAssignments
Get-MgRoleManagementEntitlementManagementRoleDefinition /roleManagement/directory/roleDefinitions
List roleDefinitions
Invoke-MgFilterRoleManagementDirectoryRoleAssignmentScheduleByCurrentUser /roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='parameterValue')
unifiedRoleAssignmentSchedule: filterByCurrentUser
Invoke-MgFilterRoleManagementDirectoryRoleAssignmentScheduleInstanceByCurrentUser /roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on=parameterValue)
unifiedRoleAssignmentScheduleInstance: filterByCurrentUser
Invoke-MgFilterRoleManagementDirectoryRoleAssignmentScheduleRequestByCurrentUser /roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='parameterValue')
unifiedRoleAssignmentScheduleRequest: filterByCurrentUser
Invoke-MgFilterRoleManagementDirectoryRoleEligibilityScheduleByCurrentUser /roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='parameterValue')
unifiedRoleEligibilitySchedule: filterByCurrentUser
Invoke-MgFilterRoleManagementDirectoryRoleEligibilityScheduleInstanceByCurrentUser /roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='parameterValue')
unifiedRoleEligibilityScheduleInstance: filterByCurrentUser
Invoke-MgFilterRoleManagementDirectoryRoleEligibilityScheduleRequestByCurrentUser /roleManagement/directory/roleEligibilityScheduleRequests/filterByCurrentUser(on='parameterValue')
unifiedRoleEligibilityScheduleRequest: filterByCurrentUser
New-MgDirectoryAdministrativeUnitScopedRoleMember /directory/administrativeUnits/{id}/scopedRoleMembers
Add a scopedRoleMember
New-MgDirectoryRole /directoryRoles
Activate directoryRole
New-MgDirectoryRoleMemberByRef /directoryRoles/{role-id}/members/$ref
Add directory role member
New-MgRoleManagementDirectoryRoleAssignment /roleManagement/directory/roleAssignments
Create unifiedRoleAssignment
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest /roleManagement/directory/roleAssignmentScheduleRequests
Create roleAssignmentScheduleRequests
New-MgRoleManagementDirectoryRoleDefinition /roleManagement/directory/roleDefinitions
Create roleDefinitions
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest /roleManagement/directory/roleEligibilityScheduleRequests
Create roleEligibilityScheduleRequest
New-MgRoleManagementEntitlementManagementRoleAssignment /roleManagement/directory/roleAssignments
Create unifiedRoleAssignment
Remove-MgDirectoryAdministrativeUnitScopedRoleMember /directory/administrativeUnits/{id}/scopedRoleMembers/{id}
Remove a scopedRoleMember
Remove-MgDirectoryRoleMemberDirectoryObjectByRef /directoryRoles/{role-id}/members/{id}/$ref
Remove directory role member
Remove-MgRoleManagementDirectoryRoleAssignment /roleManagement/directory/roleAssignments/{id}
Delete unifiedRoleAssignment
Remove-MgRoleManagementDirectoryRoleDefinition /roleManagement/directory/roleDefinitions/{id}
Delete unifiedRoleDefinition
Update-MgPolicyRoleManagementPolicy /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
Update unifiedRoleManagementPolicy
Update-MgPolicyRoleManagementPolicyRule /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Update unifiedRoleManagementPolicyRule
Update-MgRoleManagementDirectoryRoleDefinition /roleManagement/directory/roleDefinitions/{id}
Update unifiedRoleDefinition
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgBetaAdministrativeUnitScopedRoleMember /administrativeUnits/{id}/scopedRoleMembers
List scopedRoleMembers
Get-MgBetaAdministrativeUnitScopedRoleMember /administrativeUnits/{id}/scopedRoleMembers/{id}
Get a scopedRoleMember
Get-MgBetaDirectoryRole /directoryRoles
List directoryRoles
Get-MgBetaDirectoryRole /directoryRoles/{role-id}
Get directoryRole
Get-MgBetaDirectoryRoleByRoleTemplateId /directoryRoles/{role-id}
Get directoryRole
Get-MgBetaDirectoryRoleDelta /directoryRoles/delta
directoryRole: delta
Get-MgBetaDirectoryRoleMember /directoryRoles/{role-id}/members
List members
Get-MgBetaDirectoryRoleScopedMember /directoryroles/{role-id}/scopedMembers
List scopedMembers for a directory role
Get-MgBetaDirectoryRoleTemplate /directoryRoleTemplates
List directoryRoleTemplates
Get-MgBetaDirectoryRoleTemplate /directoryRoleTemplates/{id}
Get directoryRoleTemplate
Get-MgBetaPolicyRoleManagementPolicy /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
List roleManagementPolicies
Get-MgBetaPolicyRoleManagementPolicy /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
Get unifiedRoleManagementPolicy
Get-MgBetaPolicyRoleManagementPolicyAssignment /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
List roleManagementPolicyAssignments
Get-MgBetaPolicyRoleManagementPolicyAssignment /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
Get unifiedRoleManagementPolicyAssignment
Get-MgBetaPolicyRoleManagementPolicyEffectiveRule /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/effectiveRules
List effectiveRules
Get-MgBetaPolicyRoleManagementPolicyRule /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
List rules (for a role management policy)
Get-MgBetaPolicyRoleManagementPolicyRule /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Get unifiedRoleManagementPolicyRule
Get-MgBetaRoleManagementCloudPcRoleDefinition /roleManagement/cloudPC/roleDefinitions
List roleDefinitions
Get-MgBetaRoleManagementCloudPcRoleDefinition /roleManagement/cloudPC/roleDefinitions/{id}
Get unifiedRoleDefinition
Get-MgBetaRoleManagementDirectoryResourceNamespace /roleManagement/directory/resourceNamespaces
List resourceNamespaces
Get-MgBetaRoleManagementDirectoryResourceNamespace /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}
Get unifiedRbacResourceNamespace
Get-MgBetaRoleManagementDirectoryResourceNamespaceResourceAction /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}/resourceActions
List resourceActions
Get-MgBetaRoleManagementDirectoryResourceNamespaceResourceAction /roleManagement/directory/resourceNamespaces/{unifiedRbacResourceNamespaceId}/resourceActions/{unifiedRbacResourceActionId}
Get unifiedRbacResourceAction
Get-MgBetaRoleManagementDirectoryRoleAssignment /roleManagement/directory/roleAssignments
List unifiedRoleAssignments
Get-MgBetaRoleManagementDirectoryRoleAssignment /roleManagement/directory/roleAssignments/{id}
Get unifiedRoleAssignment
Get-MgBetaRoleManagementDirectoryRoleAssignmentSchedule /roleManagement/directory/roleAssignmentSchedules
List roleAssignmentSchedules
Get-MgBetaRoleManagementDirectoryRoleAssignmentSchedule /roleManagement/directory/roleAssignmentSchedules/{unifiedRoleAssignmentSchedulesId}
Get unifiedRoleAssignmentSchedule
Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleInstance /roleManagement/directory/roleAssignmentScheduleInstances
List roleAssignmentScheduleInstances
Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleInstance /roleManagement/directory/roleAssignmentScheduleInstances/{unifiedRoleAssignmentScheduleInstancesId}
Get unifiedRoleAssignmentScheduleInstance
Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest /roleManagement/directory/roleAssignmentScheduleRequests
List roleAssignmentScheduleRequests
Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest /roleManagement/directory/roleAssignmentScheduleRequests/{unifiedRoleAssignmentScheduleRequestsId}
Get unifiedRoleAssignmentScheduleRequest
Get-MgBetaRoleManagementDirectoryRoleDefinition /roleManagement/cloudPC/roleDefinitions
List roleDefinitions
Get-MgBetaRoleManagementDirectoryRoleDefinition /roleManagement/cloudPC/roleDefinitions/{id}
Get unifiedRoleDefinition
Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule /roleManagement/directory/roleEligibilitySchedules
List roleEligibilitySchedules
Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule /roleManagement/directory/roleEligibilitySchedules/{unifiedRoleEligibilitySchedulesId}
Get unifiedRoleEligibilitySchedule
Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance /roleManagement/directory/roleEligibilityScheduleInstances
List roleEligibilityScheduleInstances
Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance /roleManagement/directory/roleEligibilityScheduleInstances/{unifiedRoleEligibilityScheduleInstancesId}
Get unifiedRoleEligibilityScheduleInstance
Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest /roleManagement/directory/roleEligibilityScheduleRequests
List roleEligibilityScheduleRequests
Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest /roleManagement/directory/roleEligibilityScheduleRequests/{unifiedRoleEligibilityScheduleRequestsId}
Get unifiedRoleEligibilityScheduleRequest
Get-MgBetaRoleManagementDirectoryTransitiveRoleAssignment /roleManagement/directory/transitiveRoleAssignments?$filter=principalId eq '{principalId}'
List transitiveRoleAssignment
Get-MgBetaRoleManagementEntitlementManagementRoleAssignment /roleManagement/directory/roleAssignments
List unifiedRoleAssignments
Get-MgBetaRoleManagementEntitlementManagementRoleDefinition /roleManagement/cloudPC/roleDefinitions
List roleDefinitions
Get-MgBetaRoleManagementEntitlementManagementRoleDefinition /roleManagement/cloudPC/roleDefinitions/{id}
Get unifiedRoleDefinition
Get-MgBetaRoleManagementExchangeRoleAssignment /roleManagement/directory/roleAssignments
List unifiedRoleAssignments
Get-MgBetaRoleManagementExchangeRoleAssignment /roleManagement/directory/roleAssignments/{id}
Get unifiedRoleAssignment
Get-MgBetaRoleManagementExchangeRoleDefinition /roleManagement/cloudPC/roleDefinitions
List roleDefinitions
Get-MgBetaRoleManagementExchangeRoleDefinition /roleManagement/cloudPC/roleDefinitions/{id}
Get unifiedRoleDefinition
Invoke-MgBetaFilterRoleManagementDirectoryRoleAssignmentScheduleByCurrentUser /roleManagement/directory/roleAssignmentSchedules/filterByCurrentUser(on='principal')
unifiedRoleAssignmentSchedule: filterByCurrentUser
Invoke-MgBetaFilterRoleManagementDirectoryRoleAssignmentScheduleInstanceByCurrentUser /roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on='principal')
unifiedRoleAssignmentScheduleInstance: filterByCurrentUser
Invoke-MgBetaFilterRoleManagementDirectoryRoleAssignmentScheduleRequestByCurrentUser /roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='principal')
unifiedRoleAssignmentScheduleRequest: filterByCurrentUser
Invoke-MgBetaFilterRoleManagementDirectoryRoleEligibilityScheduleByCurrentUser /roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')
unifiedRoleEligibilitySchedule: filterByCurrentUser
Invoke-MgBetaFilterRoleManagementDirectoryRoleEligibilityScheduleInstanceByCurrentUser /roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='principal')
unifiedRoleEligibilityScheduleInstance: filterByCurrentUser
Invoke-MgBetaFilterRoleManagementDirectoryRoleEligibilityScheduleRequestByCurrentUser /roleManagement/directory/RoleEligibilityScheduleRequests/filterByCurrentUser(on='principal')
unifiedRoleEligibilityScheduleRequest: filterByCurrentUser
New-MgBetaAdministrativeUnitScopedRoleMember /administrativeUnits/{id}/scopedRoleMembers
Add a scopedRoleMember
New-MgBetaDirectoryRole /directoryRoles
Activate directoryRole
New-MgBetaDirectoryRoleMemberByRef /directoryRoles/{role-id}/members/$ref
Add directory role member
New-MgBetaRoleManagementCloudPcRoleDefinition /roleManagement/deviceManagement/roleDefinitions
Create roleDefinitions
New-MgBetaRoleManagementDirectoryRoleAssignment /roleManagement/directory/roleAssignments
Create unifiedRoleAssignment
New-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest /roleManagement/directory/roleAssignmentScheduleRequests
Create roleAssignmentScheduleRequests
New-MgBetaRoleManagementDirectoryRoleDefinition /roleManagement/deviceManagement/roleDefinitions
Create roleDefinitions
New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest /roleManagement/directory/roleEligibilityScheduleRequests
Create roleEligibilityScheduleRequests
New-MgBetaRoleManagementEntitlementManagementRoleAssignment /roleManagement/directory/roleAssignments
Create unifiedRoleAssignment
New-MgBetaRoleManagementExchangeRoleAssignment /roleManagement/directory/roleAssignments
Create unifiedRoleAssignment
Remove-MgBetaAdministrativeUnitScopedRoleMember /administrativeUnits/{id}/scopedRoleMembers/{id}
Remove a scopedRoleMember
Remove-MgBetaDirectoryRoleMemberDirectoryObjectByRef /directoryRoles/{role-id}/members/{id}/$ref
Remove directory role member
Remove-MgBetaRoleManagementCloudPcRoleDefinition /roleManagement/deviceManagement/roleDefinitions/{id}
Delete unifiedRoleDefinition
Remove-MgBetaRoleManagementDirectoryRoleAssignment /roleManagement/directory/roleAssignments/{id}
Delete unifiedRoleAssignment
Remove-MgBetaRoleManagementDirectoryRoleDefinition /roleManagement/deviceManagement/roleDefinitions/{id}
Delete unifiedRoleDefinition
Remove-MgBetaRoleManagementExchangeRoleAssignment /roleManagement/directory/roleAssignments/{id}
Delete unifiedRoleAssignment
Update-MgBetaPolicyRoleManagementPolicy /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
Update unifiedRoleManagementPolicy
Update-MgBetaPolicyRoleManagementPolicyRule /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Update unifiedRoleManagementPolicyRule
Update-MgBetaRoleManagementCloudPcRoleDefinition /roleManagement/deviceManagement/roleDefinitions/{id}
Update unifiedRoleDefinition
Update-MgBetaRoleManagementDirectoryRoleDefinition /roleManagement/deviceManagement/roleDefinitions/{id}
Update unifiedRoleDefinition

Code Examples

C# / .NET SDK
Activate directoryRole
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new DirectoryRole
{
	RoleTemplateId = "fe930be7-5e62-47db-91af-98c3a49a38b1",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.DirectoryRoles.PostAsync(requestBody);
JavaScript
Activate directoryRole
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

const directoryRole = {
  roleTemplateId: 'fe930be7-5e62-47db-91af-98c3a49a38b1'
};

await client.api('/directoryRoles')
	.post(directoryRole);
PowerShell
Activate directoryRole
View official example on Microsoft Learn
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$params = @{
	roleTemplateId = "fe930be7-5e62-47db-91af-98c3a49a38b1"
}

New-MgDirectoryRole -BodyParameter $params
Python
Activate directoryRole
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.directory_role import DirectoryRole
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = DirectoryRole(
	role_template_id = "fe930be7-5e62-47db-91af-98c3a49a38b1",
)

result = await graph_client.directory_roles.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for RoleManagement.ReadWrite.Directory

4

Grant Admin Consent

Application permissions always require admin consent.