| title | Update unifiedRoleDefinition |
|---|---|
| description | Update the properties of a unifiedRoleDefinition object. |
| ms.localizationpriority | medium |
| author | DougKirschner |
| ms.reviewer | msodsrbac |
| ms.subservice | entra-directory-management |
| doc_type | apiPageType |
| ms.date | 07/26/2024 |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Update the properties of a unifiedRoleDefinition object for an RBAC provider. You cannot update built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license.
The following RBAC providers are currently supported:
- Cloud PC
- device management (Intune)
- directory (Microsoft Entra ID)
[!INCLUDE national-cloud-support]
The following tables show the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
[!INCLUDE permissions-table]
[!INCLUDE permissions-table]
[!INCLUDE rbac-role-definition-apis-write]
To update a role definition for a device management provider:

```http
PATCH /roleManagement/deviceManagement/roleDefinitions/{id}
```

To update a role definition for a directory provider:

```http
PATCH /roleManagement/directory/roleDefinitions/{id}
```

To update a role definition for a Cloud PC provider:

```http
PATCH /roleManagement/cloudPc/roleDefinitions/{id}
```

| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
In the request body, supply the values for relevant fields that should be updated. Existing properties that aren't included in the request body maintain their previous values or are recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.
| Property | Type | Description |
|---|---|---|
| description | String | The description for the role definition. Read-only when isBuiltIn is true. |
| displayName | String | The display name for the role definition. Read-only when isBuiltIn is true. Required. |
| id | String | The unique identifier for the role definition. Key, not nullable, Read-only. |
| isBuiltIn | Boolean | Flag indicating if the role definition is part of the default set included with the product or custom. Read-only. |
| isEnabled | Boolean | Flag indicating if the role is enabled for assignment. If false, the role is not available for assignment. Read-only when isBuiltIn is true. |
| rolePermissions | unifiedRolePermission collection | List of permissions included in the role. Read-only when isBuiltIn is true. Required. |
| templateId | String | Custom template identifier that can be set when isBuiltIn is false. This identifier is typically used if one needs an identifier to be the same across different directories. Read-only when isBuiltIn is true. |
| inheritsPermissionsFrom | unifiedRoleDefinition collection | Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles support this attribute. |
| version | String | Indicates version of the role definition. Read-only when isBuiltIn is true. |
If successful, this method returns a 204 No Content response code.

```http
PATCH https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/0d55728d-3e24-4309-9b1b-5ac09921475a
Content-type: application/json

{
  "description": "Update basic properties of application registrations",
  "displayName": "Application Registration Support Administrator",
  "rolePermissions": [
    {
      "allowedResourceActions": [
        "microsoft.directory/applications/basic/read"
      ]
    }
  ]
}
```

The following example shows the response.
Note: The response object shown here might be shortened for readability.

```http
HTTP/1.1 204 No Content
Content-type: application/json
```

```http
PATCH https://graph.microsoft.com/beta/roleManagement/cloudPC/roleDefinitions/b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff
Content-type: application/json

{
  "description": "Update basic properties and permission of application registrations",
  "displayName": "ExampleCustomRole",
  "rolePermissions": [
    {
      "allowedResourceActions": [
        "Microsoft.CloudPC/CloudPCs/Read",
        "Microsoft.CloudPC/CloudPCs/Reprovision"
      ]
    }
  ]
}
```

The following example shows the response.
Note: The response object shown here might be shortened for readability.

```http
HTTP/1.1 204 No Content
Content-type: application/json
```
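
Because a change to `rolePermissions` changes what every assignee of the role can do, it helps to plan the PATCH before sending it. The following is an added example, not Microsoft's code or part of the original page: `plan_update` is a hypothetical helper that refuses built-in roles and read-only properties, keeps only changed values in the body as the request-body guidance recommends, and reports which resource actions the update would add. The `CURRENT` and `DESIRED` role objects are constructed from the Cloud PC example above; no request is sent.

```python
import json

# Properties the table above allows changing on a custom role (isBuiltIn is false).
WRITABLE = {"description", "displayName", "isEnabled",
            "rolePermissions", "templateId", "version"}
PROVIDERS = {"directory", "deviceManagement", "cloudPc"}  # path segments on this page

# Constructed sample: the role as it exists today, and the requested change.
CURRENT = {
    "id": "b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff",
    "isBuiltIn": False,
    "displayName": "ExampleCustomRole",
    "description": "Read Cloud PCs",  # constructed value
    "rolePermissions": [{"allowedResourceActions": ["Microsoft.CloudPC/CloudPCs/Read"]}],
}
DESIRED = {
    "displayName": "ExampleCustomRole",
    "description": "Update basic properties and permission of application registrations",
    "rolePermissions": [{"allowedResourceActions": [
        "Microsoft.CloudPC/CloudPCs/Read", "Microsoft.CloudPC/CloudPCs/Reprovision"]}],
}


def actions(role):
    """Flatten allowedResourceActions across every rolePermissions entry."""
    return {a for p in role.get("rolePermissions", [])
            for a in p.get("allowedResourceActions", [])}


def plan_update(provider, current, desired):
    """Return (path, body, added_actions) for a minimal PATCH, or raise ValueError."""
    if provider not in PROVIDERS:
        raise ValueError(f"unsupported RBAC provider: {provider}")
    if current.get("isBuiltIn"):
        raise ValueError("built-in roles cannot be updated")
    rejected = set(desired) - WRITABLE
    if rejected:
        raise ValueError(f"read-only or unknown properties: {sorted(rejected)}")
    # Omit values that have not changed; omitted properties keep their previous values.
    body = {k: v for k, v in desired.items() if current.get(k) != v}
    # Actions the role would gain: the part of the change that needs review.
    added = actions(desired) - actions(current) if "rolePermissions" in body else set()
    path = f"/roleManagement/{provider}/roleDefinitions/{current['id']}"
    return path, body, sorted(added)


if __name__ == "__main__":
    path, body, added = plan_update("cloudPc", CURRENT, DESIRED)
    print("PATCH", path)
    print(json.dumps(body, indent=2))
    print("actions added:", added)
```

A non-empty `added_actions` list is a natural point to require approval before the PATCH is issued.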