RoleManagementPolicy.ReadWrite.Directory

Tags: Application, Delegated, Read/Write, User Scope

Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, without a signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC

Permission Details

Application Permission

Read, update, and delete all policies for privileged role assignments of your company's directory

Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, without a signed-in user.

Delegated Permission (admin consent required)

Read, update, and delete all policies for privileged role assignments of your company's directory

Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, on behalf of the signed-in user.

Properties

Properties metadata is not available for this permission mapping.

JSON Representation

JSON representation is not available for this permission mapping.

Relationships

Relationships metadata is not available for this permission mapping.

Graph Methods

Microsoft Graph v1.0 (exact Microsoft Learn match)

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /policies/roleManagementPolicies?$filter=scopeId eq '{groupId}' and scopeType eq 'Group'
GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '{groupId}' and scopeType eq 'Group'
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Microsoft Graph beta (exact Microsoft Learn match)

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /policies/roleManagementPolicies?$filter=scopeId eq '{groupId}' and scopeType eq 'Group'
GET /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/effectiveRules
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '{groupId}' and scopeType eq 'Group'
GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
GET /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
PATCH /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Microsoft Graph PowerShell v1.0 (exact Microsoft Learn PowerShell match)

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgPolicyRoleManagementPolicy (List roleManagementPolicies)
    /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
Get-MgPolicyRoleManagementPolicy (Get unifiedRoleManagementPolicy)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
Get-MgPolicyRoleManagementPolicyAssignment (List roleManagementPolicyAssignments)
    /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
Get-MgPolicyRoleManagementPolicyAssignment (Get unifiedRoleManagementPolicyAssignment)
    /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
Get-MgPolicyRoleManagementPolicyRule (List rules for a role management policy)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
Get-MgPolicyRoleManagementPolicyRule (Get unifiedRoleManagementPolicyRule)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Update-MgPolicyRoleManagementPolicy (Update unifiedRoleManagementPolicy)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
Update-MgPolicyRoleManagementPolicyRule (Update unifiedRoleManagementPolicyRule)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Microsoft Graph PowerShell beta (exact Microsoft Learn PowerShell match)

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgBetaPolicyRoleManagementPolicy (List roleManagementPolicies)
    /policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
Get-MgBetaPolicyRoleManagementPolicy (Get unifiedRoleManagementPolicy)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
Get-MgBetaPolicyRoleManagementPolicyAssignment (List roleManagementPolicyAssignments)
    /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
Get-MgBetaPolicyRoleManagementPolicyAssignment (Get unifiedRoleManagementPolicyAssignment)
    /policies/roleManagementPolicyAssignments/{unifiedRoleManagementPolicyAssignmentId}
Get-MgBetaPolicyRoleManagementPolicyEffectiveRule (List effectiveRules)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/effectiveRules
Get-MgBetaPolicyRoleManagementPolicyRule (List rules for a role management policy)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
Get-MgBetaPolicyRoleManagementPolicyRule (Get unifiedRoleManagementPolicyRule)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}
Update-MgBetaPolicyRoleManagementPolicy (Update unifiedRoleManagementPolicy)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}
Update-MgBetaPolicyRoleManagementPolicyRule (Update unifiedRoleManagementPolicyRule)
    /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules/{unifiedRoleManagementPolicyRuleId}

Code Examples

C# / .NET SDK
Update unifiedRoleManagementPolicy
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new UnifiedRoleManagementPolicy
{
	Rules = new List<UnifiedRoleManagementPolicyRule>
	{
		new UnifiedRoleManagementPolicyApprovalRule
		{
			OdataType = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
			Id = "Approval_EndUser_Assignment",
			Target = new UnifiedRoleManagementPolicyRuleTarget
			{
				Caller = "EndUser",
				Operations = new List<UnifiedRoleManagementPolicyRuleTargetOperations?>
				{
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				},
				Level = "Assignment",
				InheritableSettings = new List<string>
				{
				},
				EnforcedSettings = new List<string>
				{
				},
			},
			Setting = new ApprovalSettings
			{
				IsApprovalRequired = false,
				IsApprovalRequiredForExtension = false,
				IsRequestorJustificationRequired = true,
				ApprovalMode = "SingleStage",
				ApprovalStages = new List<UnifiedApprovalStage>
				{
					new UnifiedApprovalStage
					{
						ApprovalStageTimeOutInDays = 1,
						IsApproverJustificationRequired = true,
						EscalationTimeInMinutes = 0,
						IsEscalationEnabled = false,
						PrimaryApprovers = new List<SubjectSet>
						{
						},
						EscalationApprovers = new List<SubjectSet>
						{
						},
					},
				},
			},
		},
		new UnifiedRoleManagementPolicyAuthenticationContextRule
		{
			OdataType = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
			Id = "AuthenticationContext_EndUser_Assignment",
			IsEnabled = false,
			ClaimValue = "",
			Target = new UnifiedRoleManagementPolicyRuleTarget
			{
				Caller = "EndUser",
				Operations = new List<UnifiedRoleManagementPolicyRuleTargetOperations?>
				{
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				},
				Level = "Assignment",
				InheritableSettings = new List<string>
				{
				},
				EnforcedSettings = new List<string>
				{
				},
			},
		},
		new UnifiedRoleManagementPolicyEnablementRule
		{
			OdataType = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
			Id = "Enablement_Admin_Eligibility",
			EnabledRules = new List<string>
			{
			},
			Target = new UnifiedRoleManagementPolicyRuleTarget
			{
				Caller = "Admin",
				Operations = new List<UnifiedRoleManagementPolicyRuleTargetOperations?>
				{
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				},
				Level = "Eligibility",
				InheritableSettings = new List<string>
				{
				},
				EnforcedSettings = new List<string>
				{
				},
			},
		},
		new UnifiedRoleManagementPolicyExpirationRule
		{
			OdataType = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
			Id = "Expiration_Admin_Eligibility",
			IsExpirationRequired = false,
			MaximumDuration = TimeSpan.FromDays(365), // serialized as the ISO 8601 duration "P365D"; TimeSpan.Parse does not accept that format
			Target = new UnifiedRoleManagementPolicyRuleTarget
			{
				Caller = "Admin",
				Operations = new List<UnifiedRoleManagementPolicyRuleTargetOperations?>
				{
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				},
				Level = "Eligibility",
				InheritableSettings = new List<string>
				{
				},
				EnforcedSettings = new List<string>
				{
				},
			},
		},
		new UnifiedRoleManagementPolicyNotificationRule
		{
			OdataType = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
			Id = "Notification_Admin_Admin_Eligibility",
			NotificationType = "Email",
			RecipientType = "Admin",
			NotificationLevel = "All",
			IsDefaultRecipientsEnabled = true,
			NotificationRecipients = new List<string>
			{
			},
			Target = new UnifiedRoleManagementPolicyRuleTarget
			{
				Caller = "Admin",
				Operations = new List<UnifiedRoleManagementPolicyRuleTargetOperations?>
				{
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				},
				Level = "Eligibility",
				InheritableSettings = new List<string>
				{
				},
				EnforcedSettings = new List<string>
				{
				},
			},
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.RoleManagementPolicies["{unifiedRoleManagementPolicy-id}"].PatchAsync(requestBody);
JavaScript
Update unifiedRoleManagementPolicy
import { Client } from '@microsoft/microsoft-graph-client';

// authProvider is an AuthenticationProvider for your app; to build one, see
// https://learn.microsoft.com/en-us/graph/sdks/create-client
const options = {
	authProvider,
};

const client = Client.init(options);

const unifiedRoleManagementPolicy = {
  rules: [
    {
      '@odata.type': '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule',
      id: 'Approval_EndUser_Assignment',
      target: {
        caller: 'EndUser',
        operations: [
          'All'
        ],
        level: 'Assignment',
        inheritableSettings: [],
        enforcedSettings: []
      },
      setting: {
        isApprovalRequired: false,
        isApprovalRequiredForExtension: false,
        isRequestorJustificationRequired: true,
        approvalMode: 'SingleStage',
        approvalStages: [
          {
            approvalStageTimeOutInDays: 1,
            isApproverJustificationRequired: true,
            escalationTimeInMinutes: 0,
            isEscalationEnabled: false,
            primaryApprovers: [],
            escalationApprovers: []
          }
        ]
      }
    },
    {
      '@odata.type': '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule',
      id: 'AuthenticationContext_EndUser_Assignment',
      isEnabled: false,
      claimValue: '',
      target: {
        caller: 'EndUser',
        operations: [
          'All'
        ],
        level: 'Assignment',
        inheritableSettings: [],
        enforcedSettings: []
      }
    },
    {
      '@odata.type': '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule',
      id: 'Enablement_Admin_Eligibility',
      enabledRules: [],
      target: {
        caller: 'Admin',
        operations: [
          'All'
        ],
        level: 'Eligibility',
        inheritableSettings: [],
        enforcedSettings: []
      }
    },
    {
      '@odata.type': '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule',
      id: 'Expiration_Admin_Eligibility',
      isExpirationRequired: false,
      maximumDuration: 'P365D',
      target: {
        caller: 'Admin',
        operations: [
          'All'
        ],
        level: 'Eligibility',
        inheritableSettings: [],
        enforcedSettings: []
      }
    },
    {
      '@odata.type': '#microsoft.graph.unifiedRoleManagementPolicyNotificationRule',
      id: 'Notification_Admin_Admin_Eligibility',
      notificationType: 'Email',
      recipientType: 'Admin',
      notificationLevel: 'All',
      isDefaultRecipientsEnabled: true,
      notificationRecipients: [],
      target: {
        caller: 'Admin',
        operations: [
          'All'
        ],
        level: 'Eligibility',
        inheritableSettings: [],
        enforcedSettings: []
      }
    }
  ]
};

await client.api('/policies/roleManagementPolicies/DirectoryRole_2132228a-d66e-401c-ab8a-a8ae31254a36_0f8c4bbc-4f1a-421c-b63d-a68f571b7fab')
	.update(unifiedRoleManagementPolicy);
PowerShell
Update unifiedRoleManagementPolicy
Import-Module Microsoft.Graph.Identity.SignIns

# Same rule set as the C#, JavaScript and Python snippets on this page
$params = @{
	rules = @(
		@{
			"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
			id = "Approval_EndUser_Assignment"
			target = @{
				caller = "EndUser"
				operations = @("All")
				level = "Assignment"
				inheritableSettings = @()
				enforcedSettings = @()
			}
			setting = @{
				isApprovalRequired = $false
				isApprovalRequiredForExtension = $false
				isRequestorJustificationRequired = $true
				approvalMode = "SingleStage"
				approvalStages = @(
					@{
						approvalStageTimeOutInDays = 1
						isApproverJustificationRequired = $true
						escalationTimeInMinutes = 0
						isEscalationEnabled = $false
						primaryApprovers = @()
						escalationApprovers = @()
					}
				)
			}
		}
		@{
			"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
			id = "AuthenticationContext_EndUser_Assignment"
			isEnabled = $false
			claimValue = ""
			target = @{
				caller = "EndUser"
				operations = @("All")
				level = "Assignment"
				inheritableSettings = @()
				enforcedSettings = @()
			}
		}
		@{
			"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
			id = "Enablement_Admin_Eligibility"
			enabledRules = @()
			target = @{
				caller = "Admin"
				operations = @("All")
				level = "Eligibility"
				inheritableSettings = @()
				enforcedSettings = @()
			}
		}
		@{
			"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
			id = "Expiration_Admin_Eligibility"
			isExpirationRequired = $false
			maximumDuration = "P365D"
			target = @{
				caller = "Admin"
				operations = @("All")
				level = "Eligibility"
				inheritableSettings = @()
				enforcedSettings = @()
			}
		}
		@{
			"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"
			id = "Notification_Admin_Admin_Eligibility"
			notificationType = "Email"
			recipientType = "Admin"
			notificationLevel = "All"
			isDefaultRecipientsEnabled = $true
			notificationRecipients = @()
			target = @{
				caller = "Admin"
				operations = @("All")
				level = "Eligibility"
				inheritableSettings = @()
				enforcedSettings = @()
			}
		}
	)
}

# $unifiedRoleManagementPolicyId is a placeholder for the policy id, as returned by Get-MgPolicyRoleManagementPolicy
Update-MgPolicyRoleManagementPolicy -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -BodyParameter $params
Python
Update unifiedRoleManagementPolicy
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.unified_role_management_policy import UnifiedRoleManagementPolicy
from msgraph.generated.models.unified_role_management_policy_rule import UnifiedRoleManagementPolicyRule
from msgraph.generated.models.unified_role_management_policy_approval_rule import UnifiedRoleManagementPolicyApprovalRule
from msgraph.generated.models.unified_role_management_policy_rule_target import UnifiedRoleManagementPolicyRuleTarget
from msgraph.generated.models.unified_role_management_policy_rule_target_operations import UnifiedRoleManagementPolicyRuleTargetOperations
from msgraph.generated.models.approval_settings import ApprovalSettings
from msgraph.generated.models.unified_approval_stage import UnifiedApprovalStage
from msgraph.generated.models.subject_set import SubjectSet
from msgraph.generated.models.unified_role_management_policy_authentication_context_rule import UnifiedRoleManagementPolicyAuthenticationContextRule
from msgraph.generated.models.unified_role_management_policy_enablement_rule import UnifiedRoleManagementPolicyEnablementRule
from msgraph.generated.models.unified_role_management_policy_expiration_rule import UnifiedRoleManagementPolicyExpirationRule
from msgraph.generated.models.unified_role_management_policy_notification_rule import UnifiedRoleManagementPolicyNotificationRule
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleManagementPolicy(
	rules = [
		UnifiedRoleManagementPolicyApprovalRule(
			odata_type = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
			id = "Approval_EndUser_Assignment",
			target = UnifiedRoleManagementPolicyRuleTarget(
				caller = "EndUser",
				operations = [
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				],
				level = "Assignment",
				inheritable_settings = [
				],
				enforced_settings = [
				],
			),
			setting = ApprovalSettings(
				is_approval_required = False,
				is_approval_required_for_extension = False,
				is_requestor_justification_required = True,
				approval_mode = "SingleStage",
				approval_stages = [
					UnifiedApprovalStage(
						approval_stage_time_out_in_days = 1,
						is_approver_justification_required = True,
						escalation_time_in_minutes = 0,
						is_escalation_enabled = False,
						primary_approvers = [
						],
						escalation_approvers = [
						],
					),
				],
			),
		),
		UnifiedRoleManagementPolicyAuthenticationContextRule(
			odata_type = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
			id = "AuthenticationContext_EndUser_Assignment",
			is_enabled = False,
			claim_value = "",
			target = UnifiedRoleManagementPolicyRuleTarget(
				caller = "EndUser",
				operations = [
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				],
				level = "Assignment",
				inheritable_settings = [
				],
				enforced_settings = [
				],
			),
		),
		UnifiedRoleManagementPolicyEnablementRule(
			odata_type = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
			id = "Enablement_Admin_Eligibility",
			enabled_rules = [
			],
			target = UnifiedRoleManagementPolicyRuleTarget(
				caller = "Admin",
				operations = [
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				],
				level = "Eligibility",
				inheritable_settings = [
				],
				enforced_settings = [
				],
			),
		),
		UnifiedRoleManagementPolicyExpirationRule(
			odata_type = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
			id = "Expiration_Admin_Eligibility",
			is_expiration_required = False,
			maximum_duration = "P365D",
			target = UnifiedRoleManagementPolicyRuleTarget(
				caller = "Admin",
				operations = [
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				],
				level = "Eligibility",
				inheritable_settings = [
				],
				enforced_settings = [
				],
			),
		),
		UnifiedRoleManagementPolicyNotificationRule(
			odata_type = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
			id = "Notification_Admin_Admin_Eligibility",
			notification_type = "Email",
			recipient_type = "Admin",
			notification_level = "All",
			is_default_recipients_enabled = True,
			notification_recipients = [
			],
			target = UnifiedRoleManagementPolicyRuleTarget(
				caller = "Admin",
				operations = [
					UnifiedRoleManagementPolicyRuleTargetOperations.All,
				],
				level = "Eligibility",
				inheritable_settings = [
				],
				enforced_settings = [
				],
			),
		),
	],
)

result = await graph_client.policies.role_management_policies.by_unified_role_management_policy_id('unifiedRoleManagementPolicy-id').patch(request_body)
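The rule set in the snippets above is a useful reference for what this permission can change: it turns off approval for end-user activation, disables the authentication-context requirement, and allows permanent eligibility. The GET methods listed under Graph Methods (in particular /policies/roleManagementPolicies/{id}/rules) return the same rule objects, so a defender can read them back and flag weakened controls. The following audit script is an added example, not code from this page or from Microsoft; it parses the rules collection offline from a constructed JSON document built from the page's own values, and the checks it applies are the author's heuristics rather than any Microsoft baseline. The enabledRules value "MultiFactorAuthentication" is a real Graph value but is not on this page.

```python
"""Audit the rules of a PIM role management policy for weakened controls.

Added example (not from the page or Microsoft). It parses the JSON shape that
GET /policies/roleManagementPolicies/{id}/rules returns and flags rules whose
settings relax approval, authentication-context, expiration or enablement
requirements. The document below is constructed from the values used in the
snippets on this page; the checks are the author's own heuristics.
"""
import json

# Constructed sample: the five rules the page's PATCH body sets, in the
# JSON form Graph returns (target sub-objects shortened to the fields used).
SAMPLE_RULES_JSON = """
{"value": [
  {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
   "id": "Approval_EndUser_Assignment",
   "target": {"caller": "EndUser", "operations": ["All"], "level": "Assignment"},
   "setting": {"isApprovalRequired": false, "isApprovalRequiredForExtension": false,
               "isRequestorJustificationRequired": true, "approvalMode": "SingleStage",
               "approvalStages": [{"approvalStageTimeOutInDays": 1,
                                   "isApproverJustificationRequired": true,
                                   "escalationTimeInMinutes": 0, "isEscalationEnabled": false,
                                   "primaryApprovers": [], "escalationApprovers": []}]}},
  {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
   "id": "AuthenticationContext_EndUser_Assignment", "isEnabled": false, "claimValue": "",
   "target": {"caller": "EndUser", "operations": ["All"], "level": "Assignment"}},
  {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
   "id": "Enablement_Admin_Eligibility", "enabledRules": [],
   "target": {"caller": "Admin", "operations": ["All"], "level": "Eligibility"}},
  {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
   "id": "Expiration_Admin_Eligibility", "isExpirationRequired": false, "maximumDuration": "P365D",
   "target": {"caller": "Admin", "operations": ["All"], "level": "Eligibility"}},
  {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
   "id": "Notification_Admin_Admin_Eligibility", "notificationType": "Email",
   "recipientType": "Admin", "notificationLevel": "All",
   "isDefaultRecipientsEnabled": true, "notificationRecipients": [],
   "target": {"caller": "Admin", "operations": ["All"], "level": "Eligibility"}}
]}
"""

ODATA_PREFIX = "#microsoft.graph.unifiedRoleManagementPolicy"


def rule_kind(rule):
    """Map '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule' to 'Approval'."""
    return rule.get("@odata.type", "")[len(ODATA_PREFIX):].removesuffix("Rule")


def audit_rules(rules_doc):
    """Return (rule id, finding) pairs for settings that relax a PIM control."""
    findings = []
    for rule in rules_doc.get("value", []):
        kind = rule_kind(rule)
        rid = rule.get("id", "<no id>")
        target = rule.get("target", {})
        # Rules that govern an end user activating an assignment are the ones
        # that gate just-in-time privilege; they get the strictest checks.
        activation = target.get("caller") == "EndUser" and target.get("level") == "Assignment"
        if kind == "Approval":
            setting = rule.get("setting", {})
            if activation and not setting.get("isApprovalRequired", False):
                findings.append((rid, "activation does not require approval"))
            stages = setting.get("approvalStages", [])
            if setting.get("isApprovalRequired") and not any(s.get("primaryApprovers") for s in stages):
                findings.append((rid, "approval required but no primary approvers configured"))
        elif kind == "AuthenticationContext":
            if activation and not rule.get("isEnabled", False):
                findings.append((rid, "no authentication context required on activation"))
        elif kind == "Enablement":
            # "MultiFactorAuthentication" is a documented enabledRules value (not on this page).
            if activation and "MultiFactorAuthentication" not in rule.get("enabledRules", []):
                findings.append((rid, "MFA not enforced on activation"))
        elif kind == "Expiration":
            if not rule.get("isExpirationRequired", False):
                level = target.get("level", "?").lower()
                findings.append((rid, f"permanent {level} allowed (no expiration)"))
        elif kind == "Notification":
            if not rule.get("isDefaultRecipientsEnabled", True) and not rule.get("notificationRecipients"):
                findings.append((rid, "notifications disabled with no recipients"))
    return findings


def audit_json(text):
    """Convenience wrapper: audit a raw JSON response body."""
    return audit_rules(json.loads(text))


if __name__ == "__main__":
    for rid, msg in audit_json(SAMPLE_RULES_JSON):
        print(f"{rid}: {msg}")
```

Run against the constructed document it reports three findings: the approval rule, the authentication-context rule and the expiration rule, which are exactly the three controls the page's PATCH body relaxes. In practice the document would come from the GET rules endpoint for each policy returned by the scopeType eq 'DirectoryRole' filter, and any application holding this permission is also able to rewrite those rules, so the audit belongs next to a review of which service principals have been granted it.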

App Registration

1. Navigate to Azure Portal: go to App registrations in the Microsoft Entra admin center.

2. Add API Permission: select your app → API permissions → Add a permission → Microsoft Graph.

3. Select Permission Type: choose Application permissions or Delegated permissions and search for RoleManagementPolicy.ReadWrite.Directory.

4. Grant Admin Consent: application permissions always require admin consent, and the delegated form of this permission requires admin consent as well (see Permission Details above).