Role-based access control (RBAC) in the Graph API

RBAC

Role-Based Access Control (RBAC) is an approach to restricting system access to authorized users based on their role within an organization. It’s a policy-neutral access control mechanism defined around roles and privileges.

Key components of RBAC are:

  • security principal - an object that represents a user, group, service principal, or managed identity that is requesting access to resources
  • role definition - a collection of permissions, typically just called a role, which lists the actions that can be performed
  • scope - a set of resources that the access applies to

The Graph API supports several RBAC providers:

  • directory (Microsoft Entra ID) - supported in v1.0, beta
  • entitlement management (Microsoft Entra entitlement management) - supported in v1.0, beta
  • device management (Microsoft Intune) - supported in v1.0, beta
  • cloud PC (Windows 365) - beta
  • Exchange Online - beta

In the Microsoft 365 admin center, administrators can configure role assignments for Microsoft Entra ID, Exchange Online and Intune.

Role assignment

With a role assignment you manage who gets a specific permission or set of permissions and where those permissions apply:

  • grant access - create a role assignment
  • revoke access - remove a role assignment

A role assignment resource contains:

  • principal - identifies who has the permissions
  • role definition - identifies what can be done, a set of permissions
  • scope - identifies where the permissions apply

Directory (Microsoft Entra ID) RBAC provider

With the RBAC provider for Microsoft Entra ID, you can control who has access to which resources, and what they can do with those resources inside your tenant.

Role definitions

Entra ID supports built-in and custom roles. In general, built-in roles have a fixed set of permissions and cannot be modified. Custom roles are useful when you have more sophisticated requirements.

Scope

The permissions can be applied either to the whole tenant, to an administrative unit, or to a security attribute.

Principal

The principal who gets the permissions can be:

  • user
  • group
  • service principal
  • managed identity

Manage via Graph API

The table below shows the endpoints and the related Microsoft Graph PowerShell SDK cmdlets.

Action                 | Graph API                                             | PowerShell SDK
List role definitions  | GET /roleManagement/directory/roleDefinitions         | Get-MgRoleManagementDirectoryRoleDefinition
List role assignments  | GET /roleManagement/directory/roleAssignments         | Get-MgRoleManagementDirectoryRoleAssignment
Create role assignment | POST /roleManagement/directory/roleAssignments        | New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
Remove role assignment | DELETE /roleManagement/directory/roleAssignments/{id} | Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $unifiedRoleAssignmentId
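The following script is an added example (not part of the original post) of reviewing directory role assignments with the cmdlets above: it labels each assignment with its role name, tells tenant-wide scope ("/") apart from administrative-unit scope, and lists the tenant-wide assignments of a few high-privilege roles first. The role names in $highPrivilege are chosen for the example; the permission scope assumes read-only review.

```powershell
# Added example (not from the original post): audit directory role assignments
# with the Microsoft Graph PowerShell SDK and separate tenant-wide from scoped grants.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

# Map roleDefinitionId -> displayName once, so each assignment can be labelled
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Roles whose tenant-wide assignment deserves a second look (chosen for this example)
$highPrivilege = @("Global Administrator", "Privileged Role Administrator", "User Administrator")

$report = Get-MgRoleManagementDirectoryRoleAssignment -All | ForEach-Object {
    [pscustomobject]@{
        Role        = $roleNames[$_.RoleDefinitionId]
        PrincipalId = $_.PrincipalId
        Scope       = $_.DirectoryScopeId   # "/" = whole tenant, "/administrativeUnits/<id>" = AU
        TenantWide  = ($_.DirectoryScopeId -eq "/")
    }
}

# Tenant-wide assignments of high-privilege roles: these should be few and known
"Tenant-wide high-privilege assignments:"
$report | Where-Object { $_.TenantWide -and ($highPrivilege -contains $_.Role) } |
    Sort-Object Role | Format-Table Role, PrincipalId, Scope -AutoSize

# Everything else, grouped by role, to spot roles with unexpectedly many holders
"Assignments per role:"
$report | Group-Object Role | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```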

Entitlement management (Microsoft Entra entitlement management) RBAC provider

Entitlement management is an identity governance feature that lets customers manage and control access to applications and resources. It helps to automate access requests, access assignments, reviews, and expiration workflows.

Entitlement management introduces the concept of an access package catalog. An access package catalog represents a set of resources to which a principal has access rights. Resources are applications, groups, SharePoint sites and teams.

Role definitions

Roles can be used for delegating administrative access to non-administrators, who usually know best which users need access, for how long, and to which resources.

The set of roles is relatively small:

  • Catalog creator - can create and manage catalogs
  • Catalog owner - can edit and manage access packages
  • Catalog reader - can view existing packages in a catalog
  • Access package manager - can edit and manage all existing packages in a catalog
  • Access package assignment manager - can edit and manage all existing packages' assignments

Scope

The permissions are applied to a specific access package catalog.

Principal

The principal who gets the permissions can be only a user.

Manage via Graph API

The table below shows the endpoints and the related Microsoft Graph PowerShell SDK cmdlets.

Action                 | Graph API                                                         | PowerShell SDK
List role definitions  | GET /roleManagement/entitlementManagement/roleDefinitions         | Get-MgRoleManagementEntitlementManagementRoleDefinition
List role assignments  | GET /roleManagement/entitlementManagement/roleAssignments         | Get-MgRoleManagementEntitlementManagementRoleAssignment
Create role assignment | POST /roleManagement/entitlementManagement/roleAssignments        | New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $params
Remove role assignment | DELETE /roleManagement/entitlementManagement/roleAssignments/{id} | Remove-MgRoleManagementEntitlementManagementRoleAssignment -UnifiedRoleAssignmentId $unifiedRoleAssignmentId
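As an added example (not from the original post), the grant / verify / revoke cycle for this provider: the "Catalog owner" role is scoped to a single access package catalog through an appScopeId of the form /AccessPackageCatalog/<catalogId>, so the delegate can manage only that catalog. The user and catalog ids are placeholders; the role is resolved by display name rather than hardcoded.

```powershell
# Added example (not from the original post): delegate ownership of one access package
# catalog to a non-administrator, review who holds roles on it, and revoke the grant.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All" -NoWelcome

$userId    = "<object-id-of-delegate-user>"     # placeholder; this provider accepts users only
$catalogId = "<access-package-catalog-id>"      # placeholder

# Resolve the role definition by display name instead of hardcoding its id
$catalogOwner = Get-MgRoleManagementEntitlementManagementRoleDefinition -All |
    Where-Object { $_.DisplayName -eq "Catalog owner" }
if (-not $catalogOwner) { throw "Role definition 'Catalog owner' not found" }

# The scope is an app scope id that names the catalog, not a directory scope
$appScopeId = "/AccessPackageCatalog/$catalogId"

# Grant: principal + role definition + scope, as described for role assignments
$params = @{
    principalId      = $userId
    roleDefinitionId = $catalogOwner.Id
    appScopeId       = $appScopeId
}
$assignment = New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $params
"Created role assignment $($assignment.Id)"

# Verify: everyone holding any entitlement management role on this catalog
Get-MgRoleManagementEntitlementManagementRoleAssignment -All |
    Where-Object { $_.AppScopeId -eq $appScopeId } |
    Select-Object Id, PrincipalId, RoleDefinitionId | Format-Table -AutoSize

# Revoke: remove the assignment once the delegation is no longer needed
Remove-MgRoleManagementEntitlementManagementRoleAssignment -UnifiedRoleAssignmentId $assignment.Id
```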

Device management (Microsoft Intune) RBAC provider

Microsoft Intune is a cloud-based endpoint management solution. It helps your organization manage the different devices that access organization resources.

The RBAC provider for Microsoft Intune helps you manage who has access to your organization's resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change.

Role definitions

Similar to Microsoft Entra ID, there are built-in and custom roles.

Scope

The permissions can be applied to:

  • all users
  • all devices
  • all users & all devices
  • security group

Principal

The permissions are assigned to users through membership of a security group.

Manage via Graph API

The table below shows the endpoints and the related Microsoft Graph PowerShell SDK cmdlets for both the v1.0 and the beta endpoint.

Action                        | Graph API                                                    | PowerShell SDK
List role definitions (v1.0)  | GET /deviceManagement/roleDefinitions                        | Get-MgDeviceManagementRoleDefinition
List role definitions (beta)  | GET /roleManagement/deviceManagement/roleDefinitions         | Get-MgBetaRoleManagementDeviceManagementRoleDefinition
List role assignments (v1.0)  | GET /deviceManagement/roleAssignments                        | Get-MgDeviceManagementRoleAssignment
List role assignments (beta)  | GET /roleManagement/deviceManagement/roleAssignments         | Get-MgBetaRoleManagementDeviceManagementRoleAssignment
Create role assignment (v1.0) | POST /deviceManagement/roleAssignments                       | New-MgDeviceManagementRoleAssignment -BodyParameter $params
Create role assignment (beta) | POST /roleManagement/deviceManagement/roleAssignments        | New-MgBetaRoleManagementDeviceManagementRoleAssignment -BodyParameter $params
Remove role assignment (v1.0) | DELETE /deviceManagement/roleAssignments/{id}                | Remove-MgDeviceManagementRoleAssignment -RoleAssignmentId $roleAssignmentId
Remove role assignment (beta) | DELETE /roleManagement/deviceManagement/roleAssignments/{id} | Remove-MgBetaRoleManagementDeviceManagementRoleAssignment -UnifiedRoleAssignmentId $unifiedRoleAssignmentId

Cloud PC (Windows 365)

Windows 365 is a cloud-based service that provisions and hosts Cloud PCs as virtual machines for end users.

With the RBAC provider, you can define who has the permissions to set up, manage, and scale Windows 365 Cloud PCs.

Roles for Cloud PCs can be manually assigned in the Microsoft Intune admin center.

Role definitions

Cloud PC supports the Windows 365 Administrator role (to manage Windows 365 Cloud PCs), which is available for role assignment through the Microsoft 365 admin center and Microsoft Entra ID.

Cloud PC itself has the following built-in roles:

  • Cloud PC Administrator - manage all aspects of Cloud PCs
  • Cloud PC Reader - view Cloud PC data
  • Windows 365 Network Interface Contributor - create and join the NIC and manage deployment in the resource group

Scope

The permissions can be applied to all devices, a group of devices or to a single device.

Principal

The permissions are assigned to users through membership of a security group.

Manage via Graph API

The table below shows the endpoints and the related Microsoft Graph PowerShell SDK cmdlets.

Action                 | Graph API                                           | PowerShell SDK
List role definitions  | GET /roleManagement/cloudPc/roleDefinitions         | Get-MgBetaRoleManagementCloudPcRoleDefinition
List role assignments  | GET /roleManagement/cloudPc/roleAssignments         | Get-MgBetaRoleManagementCloudPcRoleAssignment
Create role assignment | POST /roleManagement/cloudPc/roleAssignments        | New-MgBetaRoleManagementCloudPcRoleAssignment -BodyParameter $params
Remove role assignment | DELETE /roleManagement/cloudPc/roleAssignments/{id} | Remove-MgBetaRoleManagementCloudPcRoleAssignment -UnifiedRoleAssignmentId $unifiedRoleAssignmentId

Currently, only the beta version supports the RBAC provider for Cloud PC.

Exchange Online

With the RBAC provider for Exchange Online you can grant permissions to your administrators and users. The permissions model is based on management roles, which define the set of tasks that an administrator or user can perform.

Role definitions

The RBAC provider for Exchange Online has only built-in roles and doesn't support the creation of custom roles.

There are two types of roles:

  • Administrative roles - can be assigned to administrators who manage a part of your organization
  • End-user roles - can be assigned to users, who can manage aspects of their own mailbox and of distribution groups that they own

Another feature is granting permissions to an application that can independently access data (mail, calendars, etc.). This grant can be paired with a scope of access to specify which mailboxes the app can access.

Scope

The permissions can be applied to the whole tenant, to an administrative unit, or to a service principal.

Principal

The principal who gets the permissions can be:

  • user
  • group
  • service principal
  • managed identity

Manage via Graph API

The table below shows the endpoints and the related Microsoft Graph PowerShell SDK cmdlets.

Action                 | Graph API                                            | PowerShell SDK
List role definitions  | GET /roleManagement/exchange/roleDefinitions         | Not supported
List role assignments  | GET /roleManagement/exchange/roleAssignments         | Not supported
Create role assignment | POST /roleManagement/exchange/roleAssignments        | Not supported
Remove role assignment | DELETE /roleManagement/exchange/roleAssignments/{id} | Not supported

Currently, no Graph API SDK supports RBAC provider for Exchange Online.
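Since no cmdlet wraps this provider, the beta endpoints can be called directly. The script below is an added example (not from the original post): it reads Exchange Online role definitions and assignments with Invoke-MgGraphRequest, follows @odata.nextLink to page through the collections, and joins the two so each assignment shows a role name and a scope for review. The permission scope used is assumed to be sufficient for read-only access.

```powershell
# Added example (not from the original post): read the Exchange Online RBAC provider
# without an SDK cmdlet by calling the beta endpoints through Invoke-MgGraphRequest.
Connect-MgGraph -Scopes "RoleManagement.Read.Exchange" -NoWelcome

function Get-GraphCollection {
    # Returns every item of a Graph collection, following @odata.nextLink until exhausted
    param([Parameter(Mandatory)][string]$Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

$base = "https://graph.microsoft.com/beta/roleManagement/exchange"

# Role definitions: build an id -> displayName map and note which roles are built in
$roleNames = @{}
foreach ($role in Get-GraphCollection -Uri "$base/roleDefinitions") {
    $roleNames[$role.id] = $role.displayName
}
"Role definitions found: $($roleNames.Count)"

# Role assignments: show who holds which role and where the grant applies.
# A directoryScopeId of "/" means the whole tenant; otherwise the assignment is
# limited to an administrative unit or, via appScopeId, to an application scope.
Get-GraphCollection -Uri "$base/roleAssignments" | ForEach-Object {
    [pscustomobject]@{
        Role        = $roleNames[$_.roleDefinitionId]
        PrincipalId = $_.principalId
        Scope       = if ($_.directoryScopeId) { $_.directoryScopeId } else { $_.appScopeId }
    }
} | Sort-Object Role, Scope | Format-Table -AutoSize
```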
