Privileged Identity Management

Namespace: microsoft.graph


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. This includes access to resources in Azure AD, Azure resources, and other Microsoft Online Services like Microsoft 365 or Microsoft Intune. Microsoft Graph provides APIs that you can use to manage Azure AD roles and Azure resource roles.


The API to manage Azure AD roles is deprecated for most tenants except for a few that use an older version of Privileged Identity Management (PIM). For more information about PIM versions, see Determine your version of PIM. If you are using the new version and are receiving a TenantEnabledInAadRoleMigration error, you can wait until a new API is available for PIM functionality under the unifiedRoleManagement API for Azure AD roles, or you can use the Azure resource API for your Azure AD roles. To use the Azure resource API, replace azureResources with aadRoles for provider_id and use your tenant id for resource_id. We recommend that you wait for the new API. You will be able to continue using the Azure resource API after the new API is available. Any new features made available in the Azure portal will also be made exclusively available through the new API.
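The substitution described above (aadRoles as provider_id, the tenant id as resource_id), as an added example that is not part of the Microsoft Graph documentation. It assumes the Azure resource API URL shape `/privilegedAccess/{provider_id}/resources/{resource_id}/{collection}` and the standard Graph error envelope (`error.code`); the tenant id and error message are constructed placeholders.

```python
# Added example, not Microsoft's code. Assumes the URL shape
# /privilegedAccess/{provider_id}/resources/{resource_id}/{collection}
# and the standard Graph error envelope {"error": {"code": ..., "message": ...}}.

GRAPH_BETA = "https://graph.microsoft.com/beta"
PROVIDERS = {"azureResources", "aadRoles"}
COLLECTIONS = {"roleAssignments", "roleDefinitions", "roleSettings", "roleAssignmentRequests"}


def pim_url(provider_id: str, resource_id: str, collection: str) -> str:
    """Build the Azure resource API URL for one PIM collection under a resource.

    For Azure resources, resource_id is the resource's PIM id; for Azure AD roles
    (provider_id = "aadRoles") it is the tenant id, as the note above describes.
    """
    if provider_id not in PROVIDERS:
        raise ValueError(f"unknown provider_id: {provider_id}")
    if collection not in COLLECTIONS:
        raise ValueError(f"unknown collection: {collection}")
    if not resource_id:
        raise ValueError("resource_id must not be empty")
    return f"{GRAPH_BETA}/privilegedAccess/{provider_id}/resources/{resource_id}/{collection}"


def aad_roles_fallback(error_response: dict, tenant_id: str, collection: str):
    """Map a TenantEnabledInAadRoleMigration error to the equivalent Azure resource API URL.

    Returns None for any other error so callers do not silently retry unrelated failures.
    """
    code = (error_response.get("error") or {}).get("code")
    if code != "TenantEnabledInAadRoleMigration":
        return None
    return pim_url("aadRoles", tenant_id, collection)


# Constructed sample: the error body a migrated tenant gets from the deprecated Azure AD roles API.
SAMPLE_MIGRATION_ERROR = {
    "error": {
        "code": "TenantEnabledInAadRoleMigration",
        "message": "Tenant is enabled in Azure AD role migration.",  # constructed message text
    }
}
PLACEHOLDER_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant

if __name__ == "__main__":
    print(pim_url("azureResources", "<resource-id>", "roleAssignments"))
    print(aad_roles_fallback(SAMPLE_MIGRATION_ERROR, PLACEHOLDER_TENANT_ID, "roleAssignments"))
```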