Update-MgRoleManagementDirectoryRoleDefinition
Update the properties of a unifiedRoleDefinition object. You cannot update built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license.
Note
To view the beta release of this cmdlet, view Update-MgBetaRoleManagementDirectoryRoleDefinition
Syntax
Update-MgRoleManagementDirectoryRoleDefinition
-UnifiedRoleDefinitionId <String>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-Description <String>]
[-DisplayName <String>]
[-Id <String>]
[-InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition[]>]
[-IsBuiltIn]
[-IsEnabled]
[-ResourceScopes <String[]>]
[-RolePermissions <IMicrosoftGraphUnifiedRolePermission[]>]
[-TemplateId <String>]
[-Version <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-MgRoleManagementDirectoryRoleDefinition
-UnifiedRoleDefinitionId <String>
-BodyParameter <IMicrosoftGraphUnifiedRoleDefinition>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-MgRoleManagementDirectoryRoleDefinition
-InputObject <IIdentityGovernanceIdentity>
[-ResponseHeadersVariable <String>]
[-AdditionalProperties <Hashtable>]
[-Description <String>]
[-DisplayName <String>]
[-Id <String>]
[-InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition[]>]
[-IsBuiltIn]
[-IsEnabled]
[-ResourceScopes <String[]>]
[-RolePermissions <IMicrosoftGraphUnifiedRolePermission[]>]
[-TemplateId <String>]
[-Version <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-MgRoleManagementDirectoryRoleDefinition
-InputObject <IIdentityGovernanceIdentity>
-BodyParameter <IMicrosoftGraphUnifiedRoleDefinition>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Update the properties of a unifiedRoleDefinition object. You cannot update built-in roles. This feature requires a Microsoft Entra ID P1 or P2 license.
Permissions
Permission type | Least privileged permissions | Higher privileged permissions |
---|---|---|
Delegated (work or school account) | RoleManagement.ReadWrite.Directory | Directory.ReadWrite.All |
Delegated (personal Microsoft account) | Not supported. | Not supported. |
Application | RoleManagement.ReadWrite.Directory | Directory.ReadWrite.All |
Examples
Example 1: Code snippet
Import-Module Microsoft.Graph.Identity.Governance
$params = @{
description = "Update basic properties of application registrations"
displayName = "Application Registration Support Administrator"
rolePermissions = @(
@{
allowedResourceActions = @(
"microsoft.directory/applications/basic/read"
)
}
)
}
Update-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $unifiedRoleDefinitionId -BodyParameter $params
This example shows how to use the Update-MgRoleManagementDirectoryRoleDefinition Cmdlet.
Parameters
-AdditionalProperties
Additional Parameters
Type: | Hashtable |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-BodyParameter
unifiedRoleDefinition To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleDefinition |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Description
The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DisplayName
The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq, in).
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
Type: | IDictionary |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Id
The unique identifier for an entity. Read-only.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InheritsPermissionsFrom
Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles (isBuiltIn is true) support this attribute. Supports $expand. To construct, see NOTES section for INHERITSPERMISSIONSFROM properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRoleDefinition[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
Type: | IIdentityGovernanceIdentity |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-IsBuiltIn
Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (eq, in).
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-IsEnabled
Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.
Type: | SwitchParameter |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
Type: | ActionPreference |
Aliases: | proga |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceScopes
List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
Type: | String |
Aliases: | RHV |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RolePermissions
List of permissions included in the role. Read-only when isBuiltIn is true. Required. To construct, see NOTES section for ROLEPERMISSIONS properties and create a hash table.
Type: | IMicrosoftGraphUnifiedRolePermission[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TemplateId
Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UnifiedRoleDefinitionId
The unique identifier of unifiedRoleDefinition
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Version
Indicates version of the role definition. Read-only when isBuiltIn is true.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Microsoft.Graph.PowerShell.Models.IIdentityGovernanceIdentity
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphUnifiedRoleDefinition
System.Collections.IDictionary
Outputs
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphUnifiedRoleDefinition
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
BODYPARAMETER <IMicrosoftGraphUnifiedRoleDefinition>
: unifiedRoleDefinition
[(Any) <Object>]
: This indicates any property can be added to this object.[Id <String>]
: The unique identifier for an entity. Read-only.[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq, in).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles (isBuiltIn is true) support this attribute. Supports $expand.[IsBuiltIn <Boolean?>]
: Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (eq, in).[IsEnabled <Boolean?>]
: Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[ResourceScopes <String-
[]>]
: List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource. Required.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
: Set of tasks that may not be performed on a resource. Not yet supported.
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories.[Version <String>]
: Indicates version of the role definition. Read-only when isBuiltIn is true.
INHERITSPERMISSIONSFROM <IMicrosoftGraphUnifiedRoleDefinition- []
>: Read-only collection of role definitions that the given role definition inherits from.
Only Microsoft Entra built-in roles (isBuiltIn is true) support this attribute.
Supports $expand.
[Id <String>]
: The unique identifier for an entity. Read-only.[Description <String>]
: The description for the unifiedRoleDefinition. Read-only when isBuiltIn is true.[DisplayName <String>]
: The display name for the unifiedRoleDefinition. Read-only when isBuiltIn is true. Required. Supports $filter (eq, in).[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition-
[]>]
: Read-only collection of role definitions that the given role definition inherits from. Only Microsoft Entra built-in roles (isBuiltIn is true) support this attribute. Supports $expand.[IsBuiltIn <Boolean?>]
: Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition. Read-only. Supports $filter (eq, in).[IsEnabled <Boolean?>]
: Flag indicating whether the role is enabled for assignment. If false the role is not available for assignment. Read-only when isBuiltIn is true.[ResourceScopes <String-
[]>]
: List of the scopes or permissions the role definition applies to. Currently only / is supported. Read-only when isBuiltIn is true. DO NOT USE. This will be deprecated soon. Attach scope to role assignment.[RolePermissions <IMicrosoftGraphUnifiedRolePermission-
[]>]
: List of permissions included in the role. Read-only when isBuiltIn is true. Required.[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource. Required.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
: Set of tasks that may not be performed on a resource. Not yet supported.
[TemplateId <String>]
: Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true. This identifier is typically used if one needs an identifier to be the same across different directories.[Version <String>]
: Indicates version of the role definition. Read-only when isBuiltIn is true.
INPUTOBJECT <IIdentityGovernanceIdentity>
: Identity Parameter
[AccessPackageAssignmentId <String>]
: The unique identifier of accessPackageAssignment[AccessPackageAssignmentPolicyId <String>]
: The unique identifier of accessPackageAssignmentPolicy[AccessPackageAssignmentRequestId <String>]
: The unique identifier of accessPackageAssignmentRequest[AccessPackageCatalogId <String>]
: The unique identifier of accessPackageCatalog[AccessPackageId <String>]
: The unique identifier of accessPackage[AccessPackageId1 <String>]
: The unique identifier of accessPackage[AccessPackageQuestionId <String>]
: The unique identifier of accessPackageQuestion[AccessPackageResourceEnvironmentId <String>]
: The unique identifier of accessPackageResourceEnvironment[AccessPackageResourceId <String>]
: The unique identifier of accessPackageResource[AccessPackageResourceRequestId <String>]
: The unique identifier of accessPackageResourceRequest[AccessPackageResourceRoleId <String>]
: The unique identifier of accessPackageResourceRole[AccessPackageResourceRoleId1 <String>]
: The unique identifier of accessPackageResourceRole[AccessPackageResourceRoleScopeId <String>]
: The unique identifier of accessPackageResourceRoleScope[AccessPackageResourceScopeId <String>]
: The unique identifier of accessPackageResourceScope[AccessPackageResourceScopeId1 <String>]
: The unique identifier of accessPackageResourceScope[AccessReviewHistoryDefinitionId <String>]
: The unique identifier of accessReviewHistoryDefinition[AccessReviewHistoryInstanceId <String>]
: The unique identifier of accessReviewHistoryInstance[AccessReviewInstanceDecisionItemId <String>]
: The unique identifier of accessReviewInstanceDecisionItem[AccessReviewInstanceId <String>]
: The unique identifier of accessReviewInstance[AccessReviewReviewerId <String>]
: The unique identifier of accessReviewReviewer[AccessReviewScheduleDefinitionId <String>]
: The unique identifier of accessReviewScheduleDefinition[AccessReviewStageId <String>]
: The unique identifier of accessReviewStage[AgreementAcceptanceId <String>]
: The unique identifier of agreementAcceptance[AgreementFileLocalizationId <String>]
: The unique identifier of agreementFileLocalization[AgreementFileVersionId <String>]
: The unique identifier of agreementFileVersion[AgreementId <String>]
: The unique identifier of agreement[AppConsentRequestId <String>]
: The unique identifier of appConsentRequest[ApprovalId <String>]
: The unique identifier of approval[ApprovalStageId <String>]
: The unique identifier of approvalStage[ConnectedOrganizationId <String>]
: The unique identifier of connectedOrganization[CustomCalloutExtensionId <String>]
: The unique identifier of customCalloutExtension[CustomExtensionStageSettingId <String>]
: The unique identifier of customExtensionStageSetting[CustomTaskExtensionId <String>]
: The unique identifier of customTaskExtension[DirectoryObjectId <String>]
: The unique identifier of directoryObject[EndDateTime <DateTime?>]
: Usage: endDateTime={endDateTime}[GovernanceInsightId <String>]
: The unique identifier of governanceInsight[IncompatibleAccessPackageId <String>]
: Usage: incompatibleAccessPackageId='{incompatibleAccessPackageId}'[On <String>]
: Usage: on='{on}'[PrivilegedAccessGroupAssignmentScheduleId <String>]
: The unique identifier of privilegedAccessGroupAssignmentSchedule[PrivilegedAccessGroupAssignmentScheduleInstanceId <String>]
: The unique identifier of privilegedAccessGroupAssignmentScheduleInstance[PrivilegedAccessGroupAssignmentScheduleRequestId <String>]
: The unique identifier of privilegedAccessGroupAssignmentScheduleRequest[PrivilegedAccessGroupEligibilityScheduleId <String>]
: The unique identifier of privilegedAccessGroupEligibilitySchedule[PrivilegedAccessGroupEligibilityScheduleInstanceId <String>]
: The unique identifier of privilegedAccessGroupEligibilityScheduleInstance[PrivilegedAccessGroupEligibilityScheduleRequestId <String>]
: The unique identifier of privilegedAccessGroupEligibilityScheduleRequest[RunId <String>]
: The unique identifier of run[StartDateTime <DateTime?>]
: Usage: startDateTime={startDateTime}[TaskDefinitionId <String>]
: The unique identifier of taskDefinition[TaskId <String>]
: The unique identifier of task[TaskProcessingResultId <String>]
: The unique identifier of taskProcessingResult[TaskReportId <String>]
: The unique identifier of taskReport[UnifiedRbacResourceActionId <String>]
: The unique identifier of unifiedRbacResourceAction[UnifiedRbacResourceNamespaceId <String>]
: The unique identifier of unifiedRbacResourceNamespace[UnifiedRoleAssignmentId <String>]
: The unique identifier of unifiedRoleAssignment[UnifiedRoleAssignmentScheduleId <String>]
: The unique identifier of unifiedRoleAssignmentSchedule[UnifiedRoleAssignmentScheduleInstanceId <String>]
: The unique identifier of unifiedRoleAssignmentScheduleInstance[UnifiedRoleAssignmentScheduleRequestId <String>]
: The unique identifier of unifiedRoleAssignmentScheduleRequest[UnifiedRoleDefinitionId <String>]
: The unique identifier of unifiedRoleDefinition[UnifiedRoleDefinitionId1 <String>]
: The unique identifier of unifiedRoleDefinition[UnifiedRoleEligibilityScheduleId <String>]
: The unique identifier of unifiedRoleEligibilitySchedule[UnifiedRoleEligibilityScheduleInstanceId <String>]
: The unique identifier of unifiedRoleEligibilityScheduleInstance[UnifiedRoleEligibilityScheduleRequestId <String>]
: The unique identifier of unifiedRoleEligibilityScheduleRequest[UserConsentRequestId <String>]
: The unique identifier of userConsentRequest[UserId <String>]
: The unique identifier of user[UserProcessingResultId <String>]
: The unique identifier of userProcessingResult[WorkflowId <String>]
: The unique identifier of workflow[WorkflowTemplateId <String>]
: The unique identifier of workflowTemplate[WorkflowVersionNumber <Int32?>]
: The unique identifier of workflowVersion
ROLEPERMISSIONS <IMicrosoftGraphUnifiedRolePermission- []
>: List of permissions included in the role.
Read-only when isBuiltIn is true.
Required.
[AllowedResourceActions <String-
[]>]
: Set of tasks that can be performed on a resource. Required.[Condition <String>]
: Optional constraints that must be met for the permission to be effective. Not supported for custom roles.[ExcludedResourceActions <String-
[]>]
: Set of tasks that may not be performed on a resource. Not yet supported.
RELATED LINKS
https://learn.microsoft.com/graph/api/unifiedroledefinition-update?view=graph-rest-1.0