| title | Update inheritablePermission |
|---|---|
| description | Update an inheritablePermission object for an agent identity blueprint. |
| author | zallison22 |
| ms.date | 11/13/2025 |
| ms.localizationpriority | medium |
| ms.subservice | entra-applications |
| doc_type | apiPageType |
Namespace: microsoft.graph
Update the properties of an inheritablePermission object on an agent identity blueprint. When moving to a more restrictive inheritance pattern, such as from allAllowedScopes to enumeratedScopes or noScopes, any agent identities that require access will require a new consent grant to acquire the newly restricted scopes.
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
```http
PATCH /applications/{id}/microsoft.graph.agentIdentityBlueprint/inheritablePermissions/{resourceAppId}
```

| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
| Property | Type | Description |
|---|---|---|
| inheritableScopes | inheritableScopes | Inheritance pattern applied to delegated permission scopes for the agent identity blueprint. Required. |
If successful, this method returns a 200 OK response code and an updated inheritablePermission object in the response body.
This example updates an existing inheritablePermission to use the allAllowedScopes inheritance pattern, allowing all delegated permission scopes from the resource application to be inheritable by agent identities.
The following example shows a request.
```http
PATCH https://graph.microsoft.com/beta/applications/bc057821-f236-49d6-9f2c-1ebf43e9437a/microsoft.graph.agentIdentityBlueprint/inheritablePermissions/00000003-0000-0ff1-ce00-000000000000
Content-Type: application/json

{
  "inheritableScopes": {
    "@odata.type": "microsoft.graph.allAllowedScopes"
  }
}
```
The following example shows the response.
```http
HTTP/1.1 204 No Content
```

This example updates an existing inheritablePermission to use the enumeratedScopes inheritance pattern, allowing only the specified delegated permission scopes from the resource application to be inheritable by agent identities.
The following example shows a request.
```http
PATCH https://graph.microsoft.com/beta/applications/bc057821-f236-49d6-9f2c-1ebf43e9437a/microsoft.graph.agentIdentityBlueprint/inheritablePermissions/00000003-0000-0000-c000-000000000000
Content-Type: application/json

{
  "inheritableScopes": {
    "@odata.type": "microsoft.graph.enumeratedScopes",
    "scopes": [
      "User.Read",
      "Mail.Read"
    ]
  }
}
```
The following example shows the response.
```http
HTTP/1.1 204 No Content
```

This example updates an existing inheritablePermission to use the noScopes inheritance pattern, preventing any delegated permission scopes from the resource application from being inheritable by agent identities.
The following example shows a request.
```http
PATCH https://graph.microsoft.com/beta/applications/bc057821-f236-49d6-9f2c-1ebf43e9437a/microsoft.graph.agentIdentityBlueprint/inheritablePermissions/00000003-0000-0000-c000-000000000000
Content-Type: application/json

{
  "inheritableScopes": {
    "@odata.type": "microsoft.graph.noScopes"
  }
}
```
The following example shows the response.
```http
HTTP/1.1 204 No Content
```
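
A pre-change check for the move to a more restrictive inheritance pattern described at the top of this page, as an added example that is not part of the Microsoft Graph documentation or SDK: it builds the `inheritableScopes` value for each of the three patterns, reports which scopes would stop being inheritable, and assembles the PATCH request without sending it. The function names are hypothetical; treating a shortened `enumeratedScopes` list as narrowing, and rejecting an empty list, are assumptions of this example rather than documented API rules.

```python
import json

GRAPH = "https://graph.microsoft.com/beta"
PATTERNS = ("allAllowedScopes", "enumeratedScopes", "noScopes")  # the three on this page

def inheritable_scopes(pattern, scopes=None):
    """Build an inheritableScopes value, rejecting malformed combinations."""
    if pattern not in PATTERNS:
        raise ValueError(f"unknown inheritance pattern: {pattern!r}")
    if pattern != "enumeratedScopes":
        if scopes:
            raise ValueError(f"{pattern} takes no scopes list")
        return {"@odata.type": f"microsoft.graph.{pattern}"}
    if not scopes:  # local policy (assumption), not a documented API rule
        raise ValueError("empty enumeratedScopes; use noScopes to block inheritance")
    return {"@odata.type": "microsoft.graph.enumeratedScopes",
            "scopes": sorted(set(scopes))}

def _pattern(value):
    return value["@odata.type"].rsplit(".", 1)[-1]

def review_change(current, proposed):
    """Report whether `proposed` narrows `current` and which scopes drop out.
    dropped is None when current is allAllowedScopes: the lost scopes cannot
    be listed without the resource application's scope catalogue.
    """
    cur, new = _pattern(current), _pattern(proposed)
    kept = set(proposed.get("scopes", []))
    if new == "allAllowedScopes" or cur == "noScopes":
        return {"narrows": False, "dropped": []}
    if cur == "allAllowedScopes":
        return {"narrows": True, "dropped": None}
    dropped = sorted(set(current.get("scopes", [])) - kept)
    return {"narrows": bool(dropped), "dropped": dropped}

def patch_request(blueprint_app_id, resource_app_id, value):
    """Return (method, url, headers, body) for the PATCH shown on this page."""
    url = (f"{GRAPH}/applications/{blueprint_app_id}"
           "/microsoft.graph.agentIdentityBlueprint"
           f"/inheritablePermissions/{resource_app_id}")
    headers = {"Authorization": "Bearer {token}", "Content-Type": "application/json"}
    return "PATCH", url, headers, json.dumps({"inheritableScopes": value})

if __name__ == "__main__":
    current = inheritable_scopes("enumeratedScopes", ["User.Read", "Mail.Read"])
    proposed = inheritable_scopes("enumeratedScopes", ["User.Read"])
    print(review_change(current, proposed))
    print(patch_request("bc057821-f236-49d6-9f2c-1ebf43e9437a",
                        "00000003-0000-0000-c000-000000000000", proposed))
```

When `narrows` is true, the `dropped` list is the set of scopes for which agent identities that still need access would have to obtain a new consent grant.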