| title | Create unifiedRoleAssignmentMultiple |
|---|---|
| description | Create a new unifiedRoleAssignmentMultiple object. |
| ms.localizationpriority | medium |
| author | DougKirschner |
| ms.reviewer | msodsrbac |
| ms.subservice | entra-directory-management |
| doc_type | apiPageType |
| ms.date | 04/04/2024 |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Create a new unifiedRoleAssignmentMultiple object for an RBAC provider.
The following RBAC providers are currently supported:
- Cloud PC
- device management (Intune)
- Defender (Microsoft Defender XDR)
For other Microsoft 365 applications (like Microsoft Entra ID), use unifiedRoleAssignment.
[!INCLUDE national-cloud-support]
The following tables show the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
To create a role assignment for a Cloud PC provider:

```http
POST /roleManagement/cloudPC/roleAssignments
```

To create a role assignment for an Intune provider:

```http
POST /roleManagement/deviceManagement/roleAssignments
```

To create a role assignment for a Defender provider:

```http
POST /roleManagement/defender/roleAssignments
```

| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-type | application/json. Required. |
In the request body, supply a JSON representation of a unifiedRoleAssignmentMultiple object. The request must have either a scope defined in Microsoft Entra ID, supplied in directoryScopeIds, or an application-specific scope, supplied in appScopeIds. Examples of Microsoft Entra scopes are the tenant ("/"), administrative units, or applications. A scope of "/" grants the role over the whole tenant, so prefer the narrowest scope (a group, administrative unit, or application-specific scope) that the principals actually need.
If successful, this method returns a 201 Created response code and a new unifiedRoleAssignmentMultiple object in the response body.
Example 1: Create a role assignment in Intune over two scope groups (which are Microsoft Entra objects)

The following example shows a request.

Note the use of the roleTemplateId for roleDefinitionId: roleDefinitionId can be either the service-wide template ID or the directory-specific roleDefinitionId.
```http
POST https://graph.microsoft.com/beta/roleManagement/deviceManagement/roleAssignments
Content-type: application/json

{
  "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
  "displayName": "My test role assignment 1",
  "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
  "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"],
  "directoryScopeIds": ["28ca5a85-489a-49a0-b555-0a6d81e56f0d", "8152656a-cf9a-4928-a457-1512d4cae295"]
}
```

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
```http
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/deviceManagement/roleAssignments/$entity",
  "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
  "id": "28ca5a85-489a-49a0-b555-0a6d81e56f0d",
  "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
  "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"],
  "directoryScopeIds": ["28ca5a85-489a-49a0-b555-0a6d81e56f0d", "8152656a-cf9a-4928-a457-1512d4cae295"]
}
```

Example 2: Create a role assignment in Intune over all Intune devices

Use the following information for creating Intune role assignments:

- To allow assignments over all Intune devices, use the AllDevices value in appScopeIds.
- To allow assignments over all Intune licensed users, use the AllLicensedUsers value in appScopeIds.
- To allow assignments over all Intune devices and licensed users, use the / value in directoryScopeIds.
The following example shows a request.
```http
POST https://graph.microsoft.com/beta/roleManagement/deviceManagement/roleAssignments
Content-type: application/json

{
  "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
  "displayName": "My test role assignment 1",
  "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
  "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"],
  "appScopeIds": ["allDevices"]
}
```

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
```http
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/deviceManagement/roleAssignments/$entity",
  "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
  "id": "28ca5a85-489a-49a0-b555-0a6d81e56f0d",
  "roleDefinitionId": "c2cf284d-6c41-4e6b-afac-4b80928c9034",
  "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"],
  "appScopeIds": ["allDevices"]
}
```

Example 3: Create a role assignment for a Cloud PC provider

The following example shows a request.

```http
POST https://graph.microsoft.com/beta/roleManagement/cloudPC/roleAssignments
Content-type: application/json

{
  "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
  "displayName": "My test role assignment 1",
  "description": "My role assignment description",
  "roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
  "principalIds": ["f8ca5a85-489a-49a0-b555-0a6d81e56f0d", "c1518aa9-4da5-4c84-a902-a31404023890"]
}
```

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability. All the properties will be returned from an actual call.
```http
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/cloudPC/roleAssignments/$entity",
  "id": "47c88dcd-cc79-4b0c-ba7d-7af2199649c5",
  "displayName": "My test role assignment 1",
  "description": "My role assignment description",
  "roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
  "principalIds": [
    "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",
    "c1518aa9-4da5-4c84-a902-a31404023890"
  ],
  "directoryScopeIds": [
    "/"
  ],
  "appScopeIds": []
}
```

Note that the created assignment carries a directoryScopeIds value of "/", so the role applies across the whole tenant; check the returned scope when the request did not name one explicitly.

Example 4: Create a role assignment in Defender over all and future workloads, in scope of CloudSet '123'
Use the following information for creating Defender role assignments:

- To allow assignments over all and future workloads, use the / value in appScopeIds.
- To allow assignments over a workload on all scopes, don't add any scope after the following workload IDs in appScopeIds: Mdi, Mdc, Mda, Mde, Mdo, SecureScoreExternal.
- To allow assignments over a specific scope, use /<ScopeType>/<ScopeId> in appScopeIds.
The following example shows a request.
```http
POST https://graph.microsoft.com/beta/roleManagement/defender/roleAssignments
Content-type: application/json

{
  "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
  "displayName": "Example role assignment",
  "roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
  "principalIds": [
    "8e811502-ebda-4782-8f81-071d17f0f892",
    "30e3492f-964c-4d73-88c6-986a53c6e2a0"
  ],
  "appScopeIds": [
    "Mdc", "/CloudSet/123"
  ]
}
```

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
```http
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/defender/roleAssignments/$entity",
  "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
  "id": "28ca5a85-489a-49a0-b555-0a6d81e56f0d",
  "roleDefinitionId": "b5c08161-a7af-481c-ace2-a20a69a48fb1",
  "principalIds": [
    "8e811502-ebda-4782-8f81-071d17f0f892",
    "30e3492f-964c-4d73-88c6-986a53c6e2a0"
  ],
  "appScopeIds": [
    "Mdc", "/CloudSet/123"
  ]
}
```
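The request-body rule (at least one of directoryScopeIds or appScopeIds), the Intune scope values and the Defender scope conventions above are easy to get wrong in automation, and a malformed or over-broad scope is the kind of mistake that grants a role tenant-wide. The following Python helper is an added example, not code from this page or from Microsoft; it builds and pre-validates a unifiedRoleAssignmentMultiple body for each provider before anything is sent, and flags tenant-wide ("/") grants for review. The provider-to-path mapping, the AllDevices/AllLicensedUsers values and the Defender workload IDs come from the page; the case-insensitive comparison for Intune values (the page writes AllDevices in prose and allDevices in its sample), the `/<ScopeType>/<ScopeId>` regex and the GUID checks are assumptions of this example. The `post_role_assignment` function uses urllib and is only exercised with a real token; the IDs in the usage block are the page's sample IDs.

```python
import json
import re
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# From the page: RBAC provider -> request path.
PROVIDER_PATHS = {
    "cloudPC": "/roleManagement/cloudPC/roleAssignments",
    "deviceManagement": "/roleManagement/deviceManagement/roleAssignments",
    "defender": "/roleManagement/defender/roleAssignments",
}

# From the page's Intune guidance; compared case-insensitively (assumption, see lead-in).
INTUNE_APP_SCOPES = {"alldevices", "alllicensedusers"}

# From the page's Defender guidance: workload IDs that may appear without a scope suffix.
DEFENDER_WORKLOADS = {"Mdi", "Mdc", "Mda", "Mde", "Mdo", "SecureScoreExternal"}
# Assumed shape of the page's "/<ScopeType>/<ScopeId>" entries.
DEFENDER_SCOPE_RE = re.compile(r"^/[A-Za-z]+/[^/]+$")

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


class RoleAssignmentError(ValueError):
    """Raised when a body would be rejected by Graph or would grant more than intended."""


def build_role_assignment(provider, display_name, role_definition_id, principal_ids,
                          directory_scope_ids=(), app_scope_ids=(), description=None):
    """Return (path, body) for POST /roleManagement/{provider}/roleAssignments.

    Enforces the page's rule that the request carries directoryScopeIds or appScopeIds,
    plus the per-provider conventions for appScopeIds values.
    """
    if provider not in PROVIDER_PATHS:
        raise RoleAssignmentError(f"unsupported RBAC provider: {provider!r}")
    if not GUID_RE.match(role_definition_id):
        raise RoleAssignmentError("roleDefinitionId must be a template ID or directory role definition ID (GUID)")
    principal_ids = list(principal_ids)
    if not principal_ids or not all(GUID_RE.match(p) for p in principal_ids):
        raise RoleAssignmentError("principalIds must be a non-empty list of object IDs")

    directory_scope_ids = list(directory_scope_ids)
    app_scope_ids = list(app_scope_ids)
    if not directory_scope_ids and not app_scope_ids:
        raise RoleAssignmentError("request must carry directoryScopeIds or appScopeIds")
    for scope in directory_scope_ids:
        # "/" is the tenant; otherwise an Entra object ID or a "/..." scope path (assumed).
        if not (scope == "/" or GUID_RE.match(scope) or scope.startswith("/")):
            raise RoleAssignmentError(f"directoryScopeIds entry not recognised: {scope!r}")

    if provider == "deviceManagement":
        bad = [s for s in app_scope_ids if s.lower() not in INTUNE_APP_SCOPES]
        if bad:
            raise RoleAssignmentError(f"Intune appScopeIds must be AllDevices or AllLicensedUsers: {bad}")
    elif provider == "defender":
        for scope in app_scope_ids:
            if scope == "/" or scope in DEFENDER_WORKLOADS or DEFENDER_SCOPE_RE.match(scope):
                continue
            raise RoleAssignmentError(f"Defender appScopeIds entry not recognised: {scope!r}")

    body = {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignmentMultiple",
        "displayName": display_name,
        "roleDefinitionId": role_definition_id,
        "principalIds": principal_ids,
    }
    if description:
        body["description"] = description
    if directory_scope_ids:
        body["directoryScopeIds"] = directory_scope_ids
    if app_scope_ids:
        body["appScopeIds"] = app_scope_ids
    return PROVIDER_PATHS[provider], body


def tenant_wide_scopes(body):
    """Return the "/" entries in either scope list, i.e. the grants that apply tenant-wide."""
    scopes = body.get("directoryScopeIds", []) + body.get("appScopeIds", [])
    return [s for s in scopes if s == "/"]


def post_role_assignment(access_token, path, body):
    """Send the request with the headers the page lists; expects 201 Created."""
    req = urllib.request.Request(
        GRAPH_BETA + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


if __name__ == "__main__":
    # Constructed usage with the page's sample IDs (Defender, Mdc workload in CloudSet 123).
    path, body = build_role_assignment(
        "defender", "Example role assignment", "b5c08161-a7af-481c-ace2-a20a69a48fb1",
        ["8e811502-ebda-4782-8f81-071d17f0f892", "30e3492f-964c-4d73-88c6-986a53c6e2a0"],
        app_scope_ids=["Mdc", "/CloudSet/123"])
    print(path)
    print(json.dumps(body, indent=2))
    print("tenant-wide scopes:", tenant_wide_scopes(body))
```

Run the validator in the change pipeline before calling `post_role_assignment`, and treat a non-empty result from `tenant_wide_scopes` as something a second person approves; the helper rejects the mistakes the page's rules describe (no scope at all, an unknown Intune scope value, a Defender entry that is neither "/", a workload ID nor a /<ScopeType>/<ScopeId> path) while leaving the page's own examples untouched.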