appRole resource type

Namespace: microsoft.graph

Represents an application role that can be requested by (and granted to) a client application, or that can be used to assign an application to users or groups in a specified role.

The appRoles property of the application and servicePrincipal entities is a collection of appRole.

With appRoleAssignments, app roles can be assigned to users, groups, or other applications' service principals.


| Property | Type | Description |
|---|---|---|
| allowedMemberTypes | String collection | Specifies whether this app role can be assigned to users and groups (by setting to ["User"]), to other applications (by setting to ["Application"]), or both (by setting to ["User", "Application"]). App roles supporting assignment to other applications' service principals are also known as application permissions. The "Application" value is only supported for app roles defined on application entities. |
| description | String | The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences. |
| displayName | String | Display name for the permission that appears in the app role assignment and consent experiences. |
| id | Guid | Unique role identifier inside the appRoles collection. When creating a new app role, a new Guid identifier must be provided. |
| isEnabled | Boolean | When creating or updating an app role, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed. |
| origin | String | Specifies if the app role is defined on the application object or on the servicePrincipal entity. Must not be included in any POST or PATCH requests. Read-only. |
| value | String | Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal. Must not exceed 120 characters in length. Allowed characters are : ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ + _ ` { \| } ~, as well as characters in the ranges 0-9, A-Z and a-z. Any other character, including the space character, is not allowed. |
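
The property rules above can be checked before a request is sent. The following is an added Python example, not Microsoft's code: it validates one appRole against the table and builds the two request bodies for the disable-then-remove sequence described under isEnabled. `validate_app_role`, `removal_bodies` and the sample roles are hypothetical names and constructed data, and it assumes the bodies are sent as PATCH requests to the object that owns the appRoles collection.

```python
import re
import uuid

# Punctuation the page lists as allowed in "value", plus 0-9, A-Z and a-z.
DISALLOWED = re.compile(r"[^0-9A-Za-z!#$%&'()*+,\-./:;<=>?@\[\]^_`{|}~]")
MEMBER_TYPES = {"User", "Application"}


def validate_app_role(role, on_service_principal=False):
    """Return the problems found in one appRole dict meant for a POST or PATCH body."""
    problems = []
    types = role.get("allowedMemberTypes")
    if not isinstance(types, list) or not types or not set(types) <= MEMBER_TYPES:
        problems.append("allowedMemberTypes must hold User, Application or both")
    elif on_service_principal and "Application" in types:
        problems.append("Application is only supported on application entities")
    try:
        uuid.UUID(str(role.get("id")))
    except ValueError:
        problems.append("id must be a Guid")
    if "origin" in role:
        problems.append("origin is read-only and must not be sent")
    value = role.get("value")
    if value is not None:
        if not isinstance(value, str) or len(value) > 120:
            problems.append("value must be a string of at most 120 characters")
        elif DISALLOWED.search(value):
            bad = sorted(set(DISALLOWED.findall(value)))
            problems.append(f"value has disallowed characters: {bad!r}")
    return problems


def removal_bodies(app_roles, role_id):
    """Build the two request bodies that remove role_id: disable first, then drop."""
    writable = [{k: v for k, v in r.items() if k != "origin"} for r in app_roles]
    disabled = [dict(r, isEnabled=False) if r["id"] == role_id else r for r in writable]
    remaining = [r for r in writable if r["id"] != role_id]
    return {"appRoles": disabled}, {"appRoles": remaining}


# Constructed sample, shaped like a collection read back from the API.
SAMPLE = [
    {"allowedMemberTypes": ["User"], "description": "Read reports",
     "displayName": "Report reader", "isEnabled": True, "origin": "Application",
     "id": "11111111-2222-3333-4444-555555555555", "value": "Reports.Read"},
    {"allowedMemberTypes": ["Application"], "description": "Write reports",
     "displayName": "Report writer", "isEnabled": True, "origin": "Application",
     "id": "66666666-7777-8888-9999-000000000000", "value": "Reports Write"},
]
```

Both sample roles are rejected as read back because they still carry origin, and the second also fails on the space in its value; `removal_bodies` strips origin from every role before building the bodies.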

JSON representation

The following is a JSON representation of the resource.

{
  "allowedMemberTypes": ["string"],
  "description": "string",
  "displayName": "string",
  "id": "guid",
  "isEnabled": true,
  "origin": "string",
  "value": "string"
}