title: Create roleDefinitions
description: Create a new unifiedRoleDefinition object.
ms.localizationpriority: medium
author: DougKirschner
ms.reviewer: msodsrbac
ms.subservice: entra-directory-management
doc_type: apiPageType
ms.date: 07/26/2024

Create roleDefinitions

Namespace: microsoft.graph

[!INCLUDE beta-disclaimer]

Create a new unifiedRoleDefinition object for an RBAC provider. This feature requires a Microsoft Entra ID P1 or P2 license.

The following RBAC providers are currently supported:

  • Cloud PC
  • device management (Intune)
  • Defender (Microsoft Defender XDR)
  • directory (Microsoft Entra ID)

[!INCLUDE national-cloud-support]

Permissions

The following tables show the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

For a Cloud PC provider

[!INCLUDE permissions-table]

For a device management (Intune) provider

[!INCLUDE permissions-table]

For a Defender provider

[!INCLUDE permissions-table]

For a directory (Microsoft Entra ID) provider

[!INCLUDE permissions-table]

[!INCLUDE rbac-role-definition-apis-write]

HTTP request

To create a role definition for a device management provider:

POST /roleManagement/deviceManagement/roleDefinitions

To create a role definition for a Defender provider:

POST /roleManagement/defender/roleDefinitions

To create a role definition for a directory provider:

POST /roleManagement/directory/roleDefinitions

To create a role definition for a Cloud PC provider:

POST /roleManagement/cloudPc/roleDefinitions

Request headers

| Name          | Description                                                                          |
|---------------|--------------------------------------------------------------------------------------|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization.         |

Request body

In the request body, supply a JSON representation of a unifiedRoleDefinition object.

The following table shows the properties that are required when you create a roleDefinition.

| Parameter       | Type                             | Description                                                                                   |
|-----------------|----------------------------------|-----------------------------------------------------------------------------------------------|
| displayName     | string                           | The display name for the role definition.                                                     |
| isEnabled       | Boolean                          | Flag indicating whether the role is enabled for assignment. If false, the role is not available for assignment. |
| rolePermissions | unifiedRolePermission collection | List of permissions included in the role.                                                     |

Response

If successful, this method returns a 201 Created response code and a new unifiedRoleDefinition object in the response body.
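The following script is an added example, not part of the Microsoft Graph documentation or any Microsoft SDK. It assembles a unifiedRoleDefinition body with the JSON types the service expects (isEnabled as a JSON boolean, condition as JSON null inside each rolePermissions entry, never as the strings "true" or "null"), checks the body against the required-property table above, picks the POST path for the chosen RBAC provider, and sends it with the Authorization header from the request-headers table. The ACCESS_TOKEN placeholder, the function names and the `send` hook used to keep the network call out of the unit test are all assumptions of this example.

```python
"""Create a custom unifiedRoleDefinition through the beta roleManagement API.

Added example (not Microsoft's code). Assumes an OAuth access token obtained
elsewhere (ACCESS_TOKEN placeholder) and uses only the standard library.
"""
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Provider name -> path, taken from the "HTTP request" section of the page.
PROVIDER_PATHS = {
    "directory": "/roleManagement/directory/roleDefinitions",
    "deviceManagement": "/roleManagement/deviceManagement/roleDefinitions",
    "defender": "/roleManagement/defender/roleDefinitions",
    "cloudPc": "/roleManagement/cloudPc/roleDefinitions",
}

# Properties the page's request-body table marks as required.
REQUIRED = ("displayName", "isEnabled", "rolePermissions")


def endpoint(provider: str) -> str:
    """Return the full POST URL for a supported RBAC provider."""
    if provider not in PROVIDER_PATHS:
        raise ValueError(f"unsupported RBAC provider: {provider!r}")
    return GRAPH_BETA + PROVIDER_PATHS[provider]


def build_role_definition(display_name, allowed_actions, description=None,
                          is_enabled=True, condition=None):
    """Assemble a request body with correct JSON types.

    isEnabled becomes a JSON boolean and condition sits inside the
    rolePermissions entry (JSON null when unset), matching the shape of the
    201 responses shown on the page.
    """
    if not display_name:
        raise ValueError("displayName is required")
    if not allowed_actions:
        raise ValueError("rolePermissions needs at least one allowedResourceAction")
    body = {
        "displayName": display_name,
        "isEnabled": bool(is_enabled),
        "rolePermissions": [
            {"allowedResourceActions": list(allowed_actions), "condition": condition}
        ],
    }
    if description:
        body["description"] = description
    return body


def validate(body: dict) -> list:
    """Return a list of problems; an empty list means the body passes."""
    problems = [f"missing required property {p}" for p in REQUIRED if p not in body]
    if "isEnabled" in body and not isinstance(body["isEnabled"], bool):
        problems.append('isEnabled must be a JSON boolean, not a string like "true"')
    if "condition" in body:
        problems.append("condition belongs inside a rolePermissions entry, not at top level")
    perms = body.get("rolePermissions")
    if isinstance(perms, list):
        for i, perm in enumerate(perms):
            if not isinstance(perm, dict) or not perm.get("allowedResourceActions"):
                problems.append(f"rolePermissions[{i}] has no allowedResourceActions")
    return problems


def _send(req):
    """Real transport: POST the request and return (status, parsed JSON)."""
    with urllib.request.urlopen(req) as resp:  # network call
        return resp.status, json.loads(resp.read().decode("utf-8"))


def create_role_definition(provider, body, token, send=None):
    """Validate the body, POST it to the provider endpoint and return the new object."""
    problems = validate(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        endpoint(provider),
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    status, payload = (send or _send)(req)
    if status != 201:
        raise RuntimeError(f"expected 201 Created, got {status}: {payload}")
    return payload


if __name__ == "__main__":
    # Constructed sample mirroring Example 2 on the page; replace ACCESS_TOKEN
    # with a real token before running against a tenant.
    body = build_role_definition("ExampleCustomRole",
                                 ["Microsoft.CloudPC/CloudPCs/Read"],
                                 description="An example custom role")
    print(json.dumps(body, indent=2))
    print("problems:", validate(body) or "none")
    # create_role_definition("cloudPc", body, "ACCESS_TOKEN")
```

Because `validate` rejects a string-typed isEnabled and a top-level condition, it catches the two type mistakes that are easy to make when hand-writing these bodies; pass a fake `send` to exercise the whole path without a tenant.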

Example 1: Create a custom role for a directory provider

Request

POST https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions
Content-type: application/json

{
    "description": "Update basic properties of application registrations",
    "displayName": "Application Registration Support Administrator",
    "rolePermissions": [
        {
            "allowedResourceActions": [
                "microsoft.directory/applications/basic/read"
            ]
        }
    ],
    "isEnabled": true
}

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleDefinitions/$entity",
    "id": "d5eec5e0-6992-4c6b-b430-0f833f1a815a",
    "description": "Update basic properties of application registrations",
    "displayName": "Application Registration Support Administrator",
    "isBuiltIn": false,
    "isEnabled": true,
    "templateId": "d5eec5e0-6992-4c6b-b430-0f833f1a815a",
    "version": null,
    "rolePermissions": [
        {
            "allowedResourceActions": [
                "microsoft.directory/applications/standard/read",
                "microsoft.directory/applications/basic/update"
            ],
            "condition": null
        }
    ],
    "inheritsPermissionsFrom": []
}

Example 2: Create a custom role for a Cloud PC provider

Request

POST https://graph.microsoft.com/beta/roleManagement/cloudPc/roleDefinitions
Content-type: application/json

{
    "description": "An example custom role",
    "displayName": "ExampleCustomRole",
    "isEnabled": true,
    "rolePermissions": [
        {
            "allowedResourceActions": [
                "Microsoft.CloudPC/CloudPCs/Read"
            ],
            "condition": null
        }
    ]
}

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/cloudPc/roleDefinitions/$entity",
    "id": "b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff",
    "description": "An example custom role",
    "displayName": "ExampleCustomRole",
    "isBuiltIn": false,
    "isEnabled": true,
    "templateId": "b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff",
    "version": null,
    "rolePermissions": [
        {
            "allowedResourceActions": [
                "Microsoft.CloudPC/CloudPCs/Read"
            ],
            "condition": null
        }
    ],
    "resourceScopes":["/"]
}

Example 3: Create a custom role for a Defender provider

Request

POST https://graph.microsoft.com/beta/roleManagement/defender/roleDefinitions
Content-type: application/json

{
    "description": "Role 1 description",
    "displayName": "Role 1",
    "rolePermissions": [
        {
            "allowedResourceActions": [
                "microsoft.xdr/securityposture/read"
            ]
        }
    ]
}

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/defender/roleDefinitions/$entity",
    "id": "d5eec5e0-6992-4c6b-b430-0f833f1a815b",
    "description": "Role 1 description",
    "displayName": "Role 1",
    "rolePermissions": [
        {
            "allowedResourceActions": [
                "microsoft.xdr/securityposture/read"
            ]
        }
    ]
}