Create roleAssignment
Namespace: microsoft.graph
Important: Microsoft Graph APIs under the /beta version are subject to change; production use is not supported.
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.
Create a new roleAssignment object.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | DeviceManagementConfiguration.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | DeviceManagementConfiguration.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All |
HTTP Request
POST /deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments
Request headers
| Header | Value |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Accept | application/json |
Request body
In the request body, supply a JSON representation for the roleAssignment object.
The following table shows the properties that are required when you create the roleAssignment.
| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. |
| displayName | String | The display or friendly name of the role Assignment. |
| description | String | Description of the Role Assignment. |
| scopeMembers | String collection | List of ids of role scope member security groups. These are IDs from Azure Active Directory. |
| scopeType | roleAssignmentScopeType | Specifies the type of scope for a Role Assignment. Default type 'ResourceScope' allows assignment of ResourceScopes. For 'AllDevices', 'AllLicensedUsers', and 'AllDevicesAndLicensedUsers', the ResourceScopes property should be left empty. Possible values are: resourceScope, allDevices, allLicensedUsers, allDevicesAndLicensedUsers. |
| resourceScopes | String collection | List of ids of role scope member security groups. These are IDs from Azure Active Directory. |
Response
If successful, this method returns a 201 Created response code and a roleAssignment object in the response body.
Example
Request
Here is an example of the request.
POST https://graph.microsoft.com/beta/deviceManagement/roleDefinitions/{roleDefinitionId}/roleAssignments
Content-type: application/json
Content-length: 277
{
"@odata.type": "#microsoft.graph.roleAssignment",
"displayName": "Display Name value",
"description": "Description value",
"scopeMembers": [
"Scope Members value"
],
"scopeType": "allDevices",
"resourceScopes": [
"Resource Scopes value"
]
}
Response
Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 326
{
"@odata.type": "#microsoft.graph.roleAssignment",
"id": "b3234d24-4d24-b323-244d-23b3244d23b3",
"displayName": "Display Name value",
"description": "Description value",
"scopeMembers": [
"Scope Members value"
],
"scopeType": "allDevices",
"resourceScopes": [
"Resource Scopes value"
]
}
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for