Update approleassignment


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

Update the properties of approleassignment object.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Directory.AccessAsUser.All
Delegated (personal Microsoft account) Not supported.
Application Not supported.

HTTP request

PATCH /users/{id | userPrincipalName}/appRoleAssignments/{id}
PATCH /servicePrincipals/{id}/appRoleAssignedTo
PATCH /groups/{id}/appRoleAssignments/{id}

Request headers

Name Type Description
Authorization string Bearer {token}. Required.

Request body

In the request body, supply the values for relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't changed.

Property Type Description
creationTimestamp DateTimeOffset The time when the grant was created.
id Guid The role id that was assigned to the principal. This role must be declared by the target resource application resourceId in its appRoles property. Where the resource does not declare any permissions, a default id (zero GUID) must be specified. Notes: not nullable.
principalDisplayName String The display name of the principal that was granted the access.
principalId Guid The unique identifier (objectId) for the principal being granted the access. Notes: required.
principalType String The type of principal. This can either be "User", "Group" or "ServicePrincipal".
resourceDisplayName String The display name of the resource to which the assignment was made.
resourceId Guid The unique identifier (objectId) for the target resource (service principal) for which the assignment was made.


If successful, this method returns a 200 OK response code and updated appRoleAssignment object in the response body.



Here is an example of the request.

PATCH https://graph.microsoft.com/beta/appRoleAssignments/{id}
Content-type: application/json
Content-length: 233

  "creationTimestamp": "2016-10-19T10:37:00Z",
  "principalDisplayName": "principalDisplayName-value",
  "principalId": "principalId-value",
  "principalType": "principalType-value",
  "resourceDisplayName": "resourceDisplayName-value"

Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.

HTTP/1.1 200 OK
Content-type: application/json
Content-length: 253

  "creationTimestamp": "2016-10-19T10:37:00Z",
  "id": "id-value",
  "principalDisplayName": "principalDisplayName-value",
  "principalId": "principalId-value",
  "principalType": "principalType-value",
  "resourceDisplayName": "resourceDisplayName-value"

SDK sample code

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var appRoleAssignment = new AppRoleAssignment
	CreationTimestamp = "2016-10-19T10:37:00Z",
	PrincipalDisplayName = "principalDisplayName-value",
	PrincipalId = "principalId-value",
	PrincipalType = "principalType-value",
	ResourceDisplayName = "resourceDisplayName-value"

await graphClient.AppRoleAssignments["{id}"]

Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.