What API permission do I need in order to assign role to a user

MIRIAM GRAHAM 40 Reputation points
2024-12-19T10:00:15.6166667+00:00

I'm doing a POST request to the role assignment endpoint

https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments

with this payload:

{
    "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
    "roleDefinitionId": "xxxxxxx-xxxxx-xxxx-xxxx-xxxxxx",
    "principalId": "aaaaa-cccc-bbbb-bddd-eeeeee",
    "directoryScopeId": "/"
}

and I'm getting this error message:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2024-12-19T08:49:21",
            "request-id": "aaaaaa-aaaa-aa-aaa-aaaaaa",
            "client-request-id": "aaaaaa-aaaaa-aaaaaaa-aaaa-aaaaaaaaaa"
        }
    }
}

Accepted answer
  FrankEscarosBuechsel-MSFT 575 Reputation points Microsoft Employee
    2024-12-19T11:14:09.19+00:00

    Hi @MIRIAM GRAHAM • Thank you for reaching out.

    It looks like you are looking for the permission requirements for a specific API call; these are usually documented in the Graph API documentation itself.

    You can find the permissions required for your particular scenario here: Create unifiedRoleAssignment

    For the directory (Microsoft Entra ID) provider:

    Permission type                          Permissions (from least to most privileged)
    Delegated (work or school account)       RoleManagement.ReadWrite.Directory
    Delegated (personal Microsoft account)   Not supported.
    Application                              RoleManagement.ReadWrite.Directory

    And for the entitlement management provider:

    Permission type                          Permissions (from least to most privileged)
    Delegated (work or school account)       EntitlementManagement.ReadWrite.All
    Delegated (personal Microsoft account)   Not supported.
    Application                              EntitlementManagement.ReadWrite.All

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

    1 person found this answer helpful.
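The usual cause of Authorization_RequestDenied on this endpoint is that the access token presented to Graph simply does not carry RoleManagement.ReadWrite.Directory (for application tokens the granted app roles are in the `roles` claim; for delegated tokens the consented scopes are in the space-separated `scp` claim). With delegated permissions the signed-in user must additionally hold an Entra role that is allowed to create role assignments (Privileged Role Administrator), so the permission alone is not sufficient in that case. The following is an added example, not code from the question or the answer: it builds the payload shown in the thread, reads the permission claims out of a token before the call is attempted, and classifies the error body Graph returned. The sample tokens are unsigned and constructed for this example; `classify_graph_error`, `token_has_permission` and `make_sample_token` are names chosen here, and no network request is made.

```python
"""Added example (not part of the original thread): inspect a Graph access
token's permission claims before creating a unifiedRoleAssignment, and
classify the Authorization_RequestDenied body from the question."""
import base64
import json

# Endpoint from the question.
GRAPH_ROLE_ASSIGNMENTS = (
    "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
)
# Permission the answer identifies for the directory provider.
REQUIRED_PERMISSION = "RoleManagement.ReadWrite.Directory"

# Constructed copy of the error body quoted in the question.
SAMPLE_DENIED = {
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {"date": "2024-12-19T08:49:21", "request-id": "<constructed>"},
    }
}


def build_role_assignment_payload(role_definition_id, principal_id, directory_scope_id="/"):
    """Payload shape from the question. '/' means tenant-wide scope, so the
    principal receives the role everywhere; prefer a narrower scope (for
    example an administrative unit) when the task allows it."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "roleDefinitionId": role_definition_id,
        "principalId": principal_id,
        "directoryScopeId": directory_scope_id,
    }


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(access_token):
    """Return (token_kind, permissions) read from the token's claims.

    Application tokens list granted app roles in 'roles'; delegated tokens
    list consented scopes in 'scp'. This only reads the claims for
    troubleshooting and does not verify the signature, so it must never be
    used to make an authorization decision."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    if "scp" in payload:
        return "delegated", set(payload["scp"].split())
    return "application", set(payload.get("roles", []))


def token_has_permission(access_token, permission=REQUIRED_PERMISSION):
    """True when the token carries the permission this endpoint requires."""
    return permission in token_permissions(access_token)[1]


def classify_graph_error(body):
    """Explain a Graph error body in terms of this endpoint's requirements."""
    code = body.get("error", {}).get("code")
    if code == "Authorization_RequestDenied":
        return (
            "token lacks " + REQUIRED_PERMISSION + ", or (delegated) the "
            "signed-in user does not hold an Entra role permitted to create "
            "role assignments"
        )
    return code


def make_sample_token(claims):
    """Build an UNSIGNED sample JWT (constructed for this example only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    weak = make_sample_token({"roles": ["User.Read.All"]})  # constructed app token
    ok = make_sample_token({"roles": [REQUIRED_PERMISSION]})  # constructed app token
    print("payload:", json.dumps(build_role_assignment_payload("<roleDefinitionId>", "<principalId>")))
    print("weak token has permission:", token_has_permission(weak))   # False
    print("ok token has permission:", token_has_permission(ok))       # True
    print("error explanation:", classify_graph_error(SAMPLE_DENIED))
```

Run the claim check against the real token before issuing the POST; if `token_has_permission` is false, the fix is on the consent side (grant and admin-consent the permission on the app registration), not in the request body. A pasted token can be inspected the same way with a JWT decoder, but treat the token as a secret while doing so.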
