| title | List unifiedRoleAssignments |
|---|---|
| description | Get a list of unifiedRoleAssignment objects. |
| ms.localizationpriority | medium |
| author | DougKirschner |
| ms.reviewer | msodsrbac |
| ms.subservice | entra-directory-management |
| doc_type | apiPageType |
| ms.date | 07/26/2024 |
| ms.custom | sfi-ga-nochange |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Get a list of unifiedRoleAssignment objects for the provider.
The following RBAC providers are currently supported:
- directory (Microsoft Entra ID)
- entitlement management (Microsoft Entra entitlement management)
- Exchange Online
[!INCLUDE national-cloud-support]
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | RoleManagement.Read.Directory, RoleManagement.Read.All, Directory.Read.All, RoleManagement.ReadWrite.Directory, Directory.ReadWrite.All |
[!INCLUDE rbac-role-assignment-apis-read]
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Not supported. |
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | RoleManagement.Read.Exchange, RoleManagement.Read.All, RoleManagement.ReadWrite.Exchange |
| Delegated (personal Microsoft account) | Not supported. |
| Application | RoleManagement.Read.Exchange, RoleManagement.Read.All, RoleManagement.ReadWrite.Exchange |
To list role assignments for the directory provider:
GET /roleManagement/directory/roleAssignmentsTo list role assignments for the entitlement management provider:
GET /roleManagement/entitlementManagement/roleAssignments?To list role assignments for the Exchange Online provider:
GET /roleManagement/exchange/roleAssignmentsThis method supports the $filter, $expand, and $select OData query parameters to help customize the response.
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
Don't supply a request body for this method.
If successful, this method returns a 200 OK response code and a collection of unifiedRoleAssignment objects in the response body.
The following example shows a request.
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'&$expand=principal
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignments(principal())",
"value": [
{
"id": "lAPpYvVpN0KRkAEhdxReEMmO4KwRqtpKkUWt3wOYIz4-1",
"principalId": "ace08ec9-aa11-4ada-9145-addf0398233e",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"principal": {
"@odata.type": "#microsoft.graph.user",
"id": "ace08ec9-aa11-4ada-9145-addf0398233e",
"deletedDateTime": null,
"accountEnabled": true,
"ageGroup": null,
"businessPhones": [],
"city": "Redmond",
"createdDateTime": "2019-02-22T20:29:07Z",
"creationType": null,
"companyName": null,
"consentProvidedForMinor": null,
"country": "US",
"department": "Office of the CEO",
"displayName": "Joey Cruz",
"employeeId": null,
"faxNumber": null,
"givenName": "Joey",
"imAddresses": [
"joeyc@woodgrove.ms"
],
"infoCatalogs": [],
"isResourceAccount": null,
"jobTitle": "Chief Security Officer",
"legalAgeGroupClassification": null,
"mail": "joeyc@woodgrove.ms",
"mailNickname": "joeyc",
"mobilePhone": null,
"onPremisesDistinguishedName": null,
"officeLocation": null,
"userType": "Member",
}
},
{
"id": "lAPpYvVpN0KRkAEhdxReEC6Xh29-LklLmYDrOIi9z-E-1",
"principalId": "6f87972e-2e7e-4b49-9980-eb3888bdcfe1",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"principal": {
"@odata.type": "#microsoft.graph.user",
"id": "6f87972e-2e7e-4b49-9980-eb3888bdcfe1",
"deletedDateTime": null,
"accountEnabled": true,
"ageGroup": null,
"businessPhones": [],
"city": null,
"createdDateTime": "2019-07-18T01:38:36Z",
"creationType": "Invitation",
"companyName": null,
"consentProvidedForMinor": null,
"country": null,
"department": null,
"displayName": "Kalyan Krishna",
"employeeId": null,
"faxNumber": null,
"givenName": null,
"imAddresses": [],
"userType": "Guest",
}
},
{
"id": "lAPpYvVpN0KRkAEhdxReEMgc_BA2rIZBuZsM-BSqLdU-1",
"principalId": "10fc1cc8-ac36-4186-b99b-0cf814aa2dd5",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
"principal": {
"@odata.type": "#microsoft.graph.user",
"id": "10fc1cc8-ac36-4186-b99b-0cf814aa2dd5",
"deletedDateTime": null,
"accountEnabled": true,
"ageGroup": null,
"businessPhones": [],
"city": null,
"createdDateTime": "2019-11-13T21:54:27Z",
"creationType": "Invitation",
"companyName": null,
"consentProvidedForMinor": null,
"country": null,
"department": null,
"displayName": "Markie Downing",
"employeeId": null,
"faxNumber": null,
"givenName": null,
"imAddresses": [],
"userType": "Guest",
}
}
]
}The following example shows a request.
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$filter = principalId eq 'f1847572-48aa-47aa-96a3-2ec61904f41f'
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignments",
"value": [
{
"id": "lAPpYvVpN0KRkAEhdxReEHJ1hPGqSKpHlqMuxhkE9B8-1",
"principalId": "f1847572-48aa-47aa-96a3-2ec61904f41f",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"
},
{
"id": "LJnv8vs6uUa3z6Em7nTEUXJ1hPGqSKpHlqMuxhkE9B8-1",
"principalId": "f1847572-48aa-47aa-96a3-2ec61904f41f",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
}
]
}Example 3: Request using $filter for role assignments on an access package catalog and expand principal
The following example shows a request.
GET https://graph.microsoft.com/beta/roleManagement/entitlementManagement/roleAssignments?$filter=appScopeId eq '/AccessPackageCatalog/4cee616b-fdf9-4890-9d10-955e0ccb12bc'&$expand=principal
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignments",
"value": [
{
"id": "900633fe-2508-4b13-a561-a15e320ad35f",
"principalId": "39228473-522e-4533-88cc-a9553180cb99",
"roleDefinitionId": "ae79f266-94d4-4dab-b730-feca7e132178",
"appScopeId": "/AccessPackageCatalog/4cee616b-fdf9-4890-9d10-955e0ccb12bc",
"principal": {
"@odata.type": "#microsoft.graph.user",
"id": "39228473-522e-4533-88cc-a9553180cb99"
}
}
]
}The following example shows a request.
GET https://graph.microsoft.com/beta/roleManagement/exchange/roleAssignments?$filter=principalId eq '/ServicePrincipals/5d39cc4d-ba68-4c44-92c7-5056e3a1ce39'
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/exchange/roleAssignments",
"value": [
{
"id": "e664cde0-fbdf-4b1e-bcb2-d134ef32194d",
"principalId": "/ServicePrincipals/5d39cc4d-ba68-4c44-92c7-5056e3a1ce39",
"roleDefinitionId": "7224da60-d8e2-4f45-9380-8e4fda64e133",
"directoryScopeId": "/",
"appScopeId": null
},
{
"id": "6f0be5be-49f3-42e6-8086-cdcd67b6eac0",
"principalId": "/ServicePrincipals/5d39cc4d-ba68-4c44-92c7-5056e3a1ce39",
"roleDefinitionId": "ba6ab9a1-045c-4812-9e0b-f851f0da3907",
"directoryScopeId": "/Users/62ef60ab-0736-495b-b2b0-a4ca2c5b11d7",
"appScopeId": null
},
{
"id": "7ce3e76d-5997-447b-be59-798468265b41",
"principalId": "/ServicePrincipals/5d39cc4d-ba68-4c44-92c7-5056e3a1ce39",
"roleDefinitionId": "42f85b54-af39-40fd-acea-083b9c14d3f3",
"directoryScopeId": "/AdministrativeUnits/62ef60ab-0736-495b-b2b0-a4ca2c5b11d7",
"appScopeId": null
}
]
}The following example shows a request.
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?$expand=roleDefinition&$filter=roleDefinition/isPrivileged eq true
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignments(roleDefinition())",
"value": [
{
"id": "{id}",
"principalId": "{principalId}",
"principalOrganizationId": "{principalOrganizationId}",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"roleDefinition": {
"id": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"description": "Can manage Conditional Access capabilities.",
"displayName": "Conditional Access Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/namedLocations/create",
"microsoft.directory/namedLocations/delete",
"microsoft.directory/namedLocations/standard/read",
"microsoft.directory/namedLocations/basic/update",
"microsoft.directory/conditionalAccessPolicies/create",
"microsoft.directory/conditionalAccessPolicies/delete",
"microsoft.directory/conditionalAccessPolicies/standard/read",
"microsoft.directory/conditionalAccessPolicies/owners/read",
"microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read",
"microsoft.directory/conditionalAccessPolicies/basic/update",
"microsoft.directory/conditionalAccessPolicies/owners/update",
"microsoft.directory/conditionalAccessPolicies/tenantDefault/update"
],
"condition": null
}
]
}
},
{
"id": "{id}",
"principalId": "{principalId}",
"principalOrganizationId": "{principalOrganizationId}",
"resourceScope": "/",
"directoryScopeId": "/",
"roleDefinitionId": "c4e39bd9-1100-46d3-8c65-fb160da0071f",
"roleDefinition": {
"id": "c4e39bd9-1100-46d3-8c65-fb160da0071f",
"description": "Can access to view, set and reset authentication method information for any non-admin user.",
"displayName": "Authentication Administrator",
"isBuiltIn": true,
"isEnabled": true,
"isPrivileged": true,
"resourceScopes": [
"/"
],
"templateId": "c4e39bd9-1100-46d3-8c65-fb160da0071f",
"version": "1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/users/authenticationMethods/create",
"microsoft.directory/users/authenticationMethods/delete",
"microsoft.directory/users/authenticationMethods/standard/restrictedRead",
"microsoft.directory/users/authenticationMethods/basic/update",
"microsoft.directory/deletedItems.users/restore",
"microsoft.directory/users/delete",
"microsoft.directory/users/disable",
"microsoft.directory/users/enable",
"microsoft.directory/users/invalidateAllRefreshTokens",
"microsoft.directory/users/restore",
"microsoft.directory/users/basic/update",
"microsoft.directory/users/manager/update",
"microsoft.directory/users/password/update",
"microsoft.directory/users/userPrincipalName/update",
"microsoft.azure.serviceHealth/allEntities/allTasks",
"microsoft.azure.supportTickets/allEntities/allTasks",
"microsoft.office365.serviceHealth/allEntities/allTasks",
"microsoft.office365.supportTickets/allEntities/allTasks",
"microsoft.office365.webPortal/allEntities/standard/read"
],
"condition": null
}
]
}
}
]
}