ルールの一覧表示 (ロール管理ポリシーの場合)
名前空間: microsoft.graph
重要
Microsoft Graph の /beta バージョンの API は変更される可能性があります。 実稼働アプリケーションでこれらの API を使用することは、サポートされていません。 v1.0 で API を使用できるかどうかを確認するには、Version セレクターを使用します。
ロール管理ポリシーに対して定義されているルールを取得します。 規則は、 unifiedRoleManagementPolicyRule オブジェクトから派生した次の型のコレクションです。
- unifiedRoleManagementPolicyApprovalRule
- unifiedRoleManagementPolicyAuthenticationContextRule
- unifiedRoleManagementPolicyEnablementRule
- unifiedRoleManagementPolicyExpirationRule
- unifiedRoleManagementPolicyNotificationRule
Azure RBAC に適用されるポリシーのルールを取得するには、 ロール管理ポリシーに Azure REST PIM API を使用します。
この API は、次の国内クラウド展開で使用できます。
| グローバル サービス | 米国政府機関 L4 | 米国政府機関 L5 (DOD) | 21Vianet が運営する中国 |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
アクセス許可
この API を呼び出すには、次のいずれかのアクセス許可が必要です。 アクセス許可の選択方法などの詳細については、「アクセス許可」を参照してください。
Microsoft Entra ロールの PIM の場合
| アクセス許可の種類 | アクセス許可 (特権の小さいものから大きいものへ) |
|---|---|
| 委任 (職場または学校のアカウント) | RoleManagementPolicy.Read.Directory、RoleManagement.Read.Directory、RoleManagement.Read.All、RoleManagementPolicy.ReadWrite.Directory、RoleManagement.ReadWrite.Directory |
| 委任 (個人用 Microsoft アカウント) | サポートされていません。 |
| アプリケーション | RoleManagementPolicy.Read.Directory、RoleManagement.Read.Directory、RoleManagement.Read.All、RoleManagementPolicy.ReadWrite.Directory、RoleManagement.ReadWrite.Directory |
委任されたシナリオの場合、サインインしているユーザーには、次のMicrosoft Entraロールの少なくとも 1 つを割り当てる必要があります。
- 読み取り操作の場合: グローバル 閲覧者、セキュリティ オペレーター、セキュリティ閲覧者、セキュリティ管理者、または特権ロール管理者
- 書き込み操作の場合: 特権ロール管理者
グループの PIM の場合
| アクセス許可の種類 | アクセス許可 (特権の小さいものから大きいものへ) |
|---|---|
| 委任 (職場または学校のアカウント) | RoleManagementPolicy.Read.AzureADGroup、RoleManagementPolicy.ReadWrite.AzureADGroup |
| 委任 (個人用 Microsoft アカウント) | サポートされていません。 |
| アプリケーション | RoleManagementPolicy.Read.AzureADGroup、RoleManagementPolicy.ReadWrite.AzureADGroup |
HTTP 要求
Microsoft Entraロールまたはグループのポリシーでルールを取得するには:
GET /policies/roleManagementPolicies/{unifiedRoleManagementPolicyId}/rules
オプションのクエリ パラメーター
このメソッドは、 $select および $filter OData クエリ パラメーターをサポートし、応答のカスタマイズに役立ちます。 一般的な情報については、「OData クエリ パラメーター」を参照してください。
要求ヘッダー
| 名前 | 説明 |
|---|---|
| Authorization | ベアラー {token}。 必須です。 認証と承認の詳細については、こちらをご覧ください。 |
要求本文
このメソッドには、要求本文を指定しません。
応答
成功した場合、このメソッドは応答コードと、応答本文の unifiedRoleManagementPolicyRule オブジェクトのコレクションを返200 OKします。
例
例 1: Microsoft Entra ロールの PIM でポリシーのルールを取得する
要求
次の例は要求を示しています。
GET https://graph.microsoft.com/beta/policies/roleManagementPolicies/DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448/rules
応答
次の例は応答を示しています。
注: ここに示す応答オブジェクトは、読みやすさのために短縮されている場合があります。
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/roleManagementPolicies('DirectoryRole_cab01047-8ad9-4792-8e42-569340767f1b_70c808b5-0d35-4863-a0ba-07888e99d448')/rules",
"value": [
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
"id": "Enablement_Admin_Eligibility",
"enabledRules": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
"id": "Expiration_Admin_Eligibility",
"isExpirationRequired": false,
"maximumDuration": "P365D",
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Admin_Admin_Eligibility",
"notificationType": "Email",
"recipientType": "Admin",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Requestor_Admin_Eligibility",
"notificationType": "Email",
"recipientType": "Requestor",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Approver_Admin_Eligibility",
"notificationType": "Email",
"recipientType": "Approver",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
"id": "Enablement_Admin_Assignment",
"enabledRules": [
"Justification"
],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
"id": "Expiration_Admin_Assignment",
"isExpirationRequired": false,
"maximumDuration": "P180D",
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Admin_Admin_Assignment",
"notificationType": "Email",
"recipientType": "Admin",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Requestor_Admin_Assignment",
"notificationType": "Email",
"recipientType": "Requestor",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Approver_Admin_Assignment",
"notificationType": "Email",
"recipientType": "Approver",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
"id": "Approval_EndUser_Assignment",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
},
"setting": {
"isApprovalRequired": false,
"isApprovalRequiredForExtension": false,
"isRequestorJustificationRequired": true,
"approvalMode": "SingleStage",
"approvalStages": [
{
"approvalStageTimeOutInDays": 1,
"isApproverJustificationRequired": true,
"escalationTimeInMinutes": 0,
"isEscalationEnabled": false,
"primaryApprovers": [],
"escalationApprovers": []
}
]
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
"id": "AuthenticationContext_EndUser_Assignment",
"isEnabled": false,
"claimValue": null,
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
"id": "Enablement_EndUser_Assignment",
"enabledRules": [],
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
"id": "Expiration_EndUser_Assignment",
"isExpirationRequired": true,
"maximumDuration": "PT1H45M",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Admin_EndUser_Assignment",
"notificationType": "Email",
"recipientType": "Admin",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Requestor_EndUser_Assignment",
"notificationType": "Email",
"recipientType": "Requestor",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Approver_EndUser_Assignment",
"notificationType": "Email",
"recipientType": "Approver",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
}
]
}
例 2: グループの PIM でポリシーのルールを取得する
要求
次の例は要求を示しています。
GET https://graph.microsoft.com/beta/policies/roleManagementPolicies/Group_60bba733-f09d-49b7-8445-32369aa066b3_f21b26d9-9ff9-4af1-b1d4-bddf28591369/rules
応答
次の例は応答を示しています。
注: ここに示す応答オブジェクトは、読みやすさのために短縮されている場合があります。
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/roleManagementPolicies('Group_60bba733-f09d-49b7-8445-32369aa066b3_f21b26d9-9ff9-4af1-b1d4-bddf28591369')/rules",
"value": [
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
"id": "Expiration_Admin_Eligibility",
"isExpirationRequired": true,
"maximumDuration": "P365D",
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Admin_Admin_Eligibility",
"notificationType": "Email",
"recipientType": "Admin",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Requestor_Admin_Eligibility",
"notificationType": "Email",
"recipientType": "Requestor",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Approver_Admin_Eligibility",
"notificationType": "Email",
"recipientType": "Approver",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
"id": "Enablement_Admin_Eligibility",
"enabledRules": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Eligibility",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
"id": "Expiration_Admin_Assignment",
"isExpirationRequired": true,
"maximumDuration": "P180D",
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
"id": "Enablement_Admin_Assignment",
"enabledRules": [
"Justification"
],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Admin_Admin_Assignment",
"notificationType": "Email",
"recipientType": "Admin",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Requestor_Admin_Assignment",
"notificationType": "Email",
"recipientType": "Requestor",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Approver_Admin_Assignment",
"notificationType": "Email",
"recipientType": "Approver",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "Admin",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
"id": "Expiration_EndUser_Assignment",
"isExpirationRequired": true,
"maximumDuration": "PT7H",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
"id": "Enablement_EndUser_Assignment",
"enabledRules": [
"Justification"
],
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
"id": "Approval_EndUser_Assignment",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
},
"setting": {
"isApprovalRequired": false,
"isApprovalRequiredForExtension": false,
"isRequestorJustificationRequired": true,
"approvalMode": "SingleStage",
"approvalStages": [
{
"approvalStageTimeOutInDays": 1,
"isApproverJustificationRequired": true,
"escalationTimeInMinutes": 0,
"isEscalationEnabled": false,
"primaryApprovers": [],
"escalationApprovers": []
}
]
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
"id": "AuthenticationContext_EndUser_Assignment",
"isEnabled": false,
"claimValue": "",
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Admin_EndUser_Assignment",
"notificationType": "Email",
"recipientType": "Admin",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Requestor_EndUser_Assignment",
"notificationType": "Email",
"recipientType": "Requestor",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
},
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"id": "Notification_Approver_EndUser_Assignment",
"notificationType": "Email",
"recipientType": "Approver",
"notificationLevel": "All",
"isDefaultRecipientsEnabled": true,
"notificationRecipients": [],
"target": {
"caller": "EndUser",
"operations": [
"All"
],
"level": "Assignment",
"inheritableSettings": [],
"enforcedSettings": []
}
}
]
}
フィードバック
以下は間もなく提供いたします。2024 年を通じて、コンテンツのフィードバック メカニズムとして GitHub の issue を段階的に廃止し、新しいフィードバック システムに置き換えます。 詳細については、「https://aka.ms/ContentUserFeedback」を参照してください。
フィードバックの送信と表示