Create roleDefinition
Article 01/27/2024
12 contributors
Feedback
In this article
Namespace: microsoft.graph
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.
Create a new roleDefinition object.
This API is available in the following national cloud deployments .
Global service
US Government L4
US Government L5 (DOD)
China operated by 21Vianet
✅
✅
✅
✅
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions .
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
DeviceManagementRBAC.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
DeviceManagementRBAC.ReadWrite.All
HTTP Request
POST /deviceManagement/roleDefinitions
Request body
In the request body, supply a JSON representation for the roleDefinition object.
The following table shows the properties that are required when you create the roleDefinition.
Property
Type
Description
id
String
Key of the entity. This is read-only and automatically generated.
displayName
String
Display Name of the Role definition.
description
String
Description of the Role definition.
rolePermissions
rolePermission collectionList of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission.
isBuiltIn
Boolean
Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition.
Response
If successful, this method returns a 201 Created response code and a roleDefinition object in the response body.
Example
Request
Here is an example of the request.
POST https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions
Content-type: application/json
Content-length: 580
{
"@odata.type": "#microsoft.graph.roleDefinition",
"displayName": "Display Name value",
"description": "Description value",
"rolePermissions": [
{
"@odata.type": "microsoft.graph.rolePermission",
"resourceActions": [
{
"@odata.type": "microsoft.graph.resourceAction",
"allowedResourceActions": [
"Allowed Resource Actions value"
],
"notAllowedResourceActions": [
"Not Allowed Resource Actions value"
]
}
]
}
],
"isBuiltIn": true
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new RoleDefinition
{
OdataType = "#microsoft.graph.roleDefinition",
DisplayName = "Display Name value",
Description = "Description value",
RolePermissions = new List<RolePermission>
{
new RolePermission
{
OdataType = "microsoft.graph.rolePermission",
ResourceActions = new List<ResourceAction>
{
new ResourceAction
{
OdataType = "microsoft.graph.resourceAction",
AllowedResourceActions = new List<string>
{
"Allowed Resource Actions value",
},
NotAllowedResourceActions = new List<string>
{
"Not Allowed Resource Actions value",
},
},
},
},
},
IsBuiltIn = true,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.DeviceManagement.RoleDefinitions.PostAsync(requestBody);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
mgc device-management role-definitions create --body '{\
"@odata.type": "#microsoft.graph.roleDefinition",\
"displayName": "Display Name value",\
"description": "Description value",\
"rolePermissions": [\
{\
"@odata.type": "microsoft.graph.rolePermission",\
"resourceActions": [\
{\
"@odata.type": "microsoft.graph.resourceAction",\
"allowedResourceActions": [\
"Allowed Resource Actions value"\
],\
"notAllowedResourceActions": [\
"Not Allowed Resource Actions value"\
]\
}\
]\
}\
],\
"isBuiltIn": true\
}\
'
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewRoleDefinition()
displayName := "Display Name value"
requestBody.SetDisplayName(&displayName)
description := "Description value"
requestBody.SetDescription(&description)
rolePermission := graphmodels.NewRolePermission()
resourceAction := graphmodels.NewResourceAction()
allowedResourceActions := []string {
"Allowed Resource Actions value",
}
resourceAction.SetAllowedResourceActions(allowedResourceActions)
notAllowedResourceActions := []string {
"Not Allowed Resource Actions value",
}
resourceAction.SetNotAllowedResourceActions(notAllowedResourceActions)
resourceActions := []graphmodels.ResourceActionable {
resourceAction,
}
rolePermission.SetResourceActions(resourceActions)
rolePermissions := []graphmodels.RolePermissionable {
rolePermission,
}
requestBody.SetRolePermissions(rolePermissions)
isBuiltIn := true
requestBody.SetIsBuiltIn(&isBuiltIn)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleDefinitions, err := graphClient.DeviceManagement().RoleDefinitions().Post(context.Background(), requestBody, nil)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
RoleDefinition roleDefinition = new RoleDefinition();
roleDefinition.setOdataType("#microsoft.graph.roleDefinition");
roleDefinition.setDisplayName("Display Name value");
roleDefinition.setDescription("Description value");
LinkedList<RolePermission> rolePermissions = new LinkedList<RolePermission>();
RolePermission rolePermission = new RolePermission();
rolePermission.setOdataType("microsoft.graph.rolePermission");
LinkedList<ResourceAction> resourceActions = new LinkedList<ResourceAction>();
ResourceAction resourceAction = new ResourceAction();
resourceAction.setOdataType("microsoft.graph.resourceAction");
LinkedList<String> allowedResourceActions = new LinkedList<String>();
allowedResourceActions.add("Allowed Resource Actions value");
resourceAction.setAllowedResourceActions(allowedResourceActions);
LinkedList<String> notAllowedResourceActions = new LinkedList<String>();
notAllowedResourceActions.add("Not Allowed Resource Actions value");
resourceAction.setNotAllowedResourceActions(notAllowedResourceActions);
resourceActions.add(resourceAction);
rolePermission.setResourceActions(resourceActions);
rolePermissions.add(rolePermission);
roleDefinition.setRolePermissions(rolePermissions);
roleDefinition.setIsBuiltIn(true);
RoleDefinition result = graphClient.deviceManagement().roleDefinitions().post(roleDefinition);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
const options = {
authProvider,
};
const client = Client.init(options);
const roleDefinition = {
'@odata.type': '#microsoft.graph.roleDefinition',
displayName: 'Display Name value',
description: 'Description value',
rolePermissions: [
{
'@odata.type': 'microsoft.graph.rolePermission',
resourceActions: [
{
'@odata.type': 'microsoft.graph.resourceAction',
allowedResourceActions: [
'Allowed Resource Actions value'
],
notAllowedResourceActions: [
'Not Allowed Resource Actions value'
]
}
]
}
],
isBuiltIn: true
};
await client.api('/deviceManagement/roleDefinitions')
.post(roleDefinition);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\RoleDefinition;
use Microsoft\Graph\Generated\Models\RolePermission;
use Microsoft\Graph\Generated\Models\ResourceAction;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new RoleDefinition();
$requestBody->setOdataType('#microsoft.graph.roleDefinition');
$requestBody->setDisplayName('Display Name value');
$requestBody->setDescription('Description value');
$rolePermissionsRolePermission1 = new RolePermission();
$rolePermissionsRolePermission1->setOdataType('microsoft.graph.rolePermission');
$resourceActionsResourceAction1 = new ResourceAction();
$resourceActionsResourceAction1->setOdataType('microsoft.graph.resourceAction');
$resourceActionsResourceAction1->setAllowedResourceActions(['Allowed Resource Actions value', ]);
$resourceActionsResourceAction1->setNotAllowedResourceActions(['Not Allowed Resource Actions value', ]);
$resourceActionsArray []= $resourceActionsResourceAction1;
$rolePermissionsRolePermission1->setResourceActions($resourceActionsArray);
$rolePermissionsArray []= $rolePermissionsRolePermission1;
$requestBody->setRolePermissions($rolePermissionsArray);
$requestBody->setIsBuiltIn(true);
$result = $graphServiceClient->deviceManagement()->roleDefinitions()->post($requestBody)->wait();
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
Import-Module Microsoft.Graph.DeviceManagement.Administration
$params = @{
"@odata.type" = "#microsoft.graph.roleDefinition"
displayName = "Display Name value"
description = "Description value"
rolePermissions = @(
@{
"@odata.type" = "microsoft.graph.rolePermission"
resourceActions = @(
@{
"@odata.type" = "microsoft.graph.resourceAction"
allowedResourceActions = @(
"Allowed Resource Actions value"
)
notAllowedResourceActions = @(
"Not Allowed Resource Actions value"
)
}
)
}
)
isBuiltIn = $true
}
New-MgDeviceManagementRoleDefinition -BodyParameter $params
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.role_definition import RoleDefinition
from msgraph.generated.models.role_permission import RolePermission
from msgraph.generated.models.resource_action import ResourceAction
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = RoleDefinition(
odata_type = "#microsoft.graph.roleDefinition",
display_name = "Display Name value",
description = "Description value",
role_permissions = [
RolePermission(
odata_type = "microsoft.graph.rolePermission",
resource_actions = [
ResourceAction(
odata_type = "microsoft.graph.resourceAction",
allowed_resource_actions = [
"Allowed Resource Actions value",
],
not_allowed_resource_actions = [
"Not Allowed Resource Actions value",
],
),
],
),
],
is_built_in = True,
)
result = await graph_client.device_management.role_definitions.post(request_body)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
Response
Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 629
{
"@odata.type": "#microsoft.graph.roleDefinition",
"id": "70fdcd08-cd08-70fd-08cd-fd7008cdfd70",
"displayName": "Display Name value",
"description": "Description value",
"rolePermissions": [
{
"@odata.type": "microsoft.graph.rolePermission",
"resourceActions": [
{
"@odata.type": "microsoft.graph.resourceAction",
"allowedResourceActions": [
"Allowed Resource Actions value"
],
"notAllowedResourceActions": [
"Not Allowed Resource Actions value"
]
}
]
}
],
"isBuiltIn": true
}