Read-only collection of role definitions that the given role definition inherits from.
Only Microsoft Entra built-in roles support this attribute.
To construct, see NOTES section for INHERITSPERMISSIONSFROM properties and create a hash table.
Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom.
Read-only.
Supports $filter (eq).
Parameter properties
Type:
System.Management.Automation.SwitchParameter
Default value:
False
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-IsEnabled
Flag indicating if the role is enabled for assignment.
If false the role is not available for assignment.
Read-only when isBuiltIn is true.
Parameter properties
Type:
System.Management.Automation.SwitchParameter
Default value:
False
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-IsPrivileged
Flag indicating if the role is privileged.
Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects.
Applies only for actions in the microsoft.directory resource namespace.
Read-only.
Supports $filter (eq).
Parameter properties
Type:
System.Management.Automation.SwitchParameter
Default value:
False
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Proxy
The URI for the proxy server to use
Parameter properties
Type:
System.Uri
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ProxyCredential
Credentials for a proxy server to use for the remote call
Parameter properties
Type:
System.Management.Automation.PSCredential
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ProxyUseDefaultCredentials
Use the default credentials for the proxy
Parameter properties
Type:
System.Management.Automation.SwitchParameter
Default value:
False
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ResourceScopes
List of scopes permissions granted by the role definition apply to.
Currently only / is supported.
Read-only when isBuiltIn is true.
DO NOT USE.
This will be deprecated soon.
Attach scope to role assignment.
Parameter properties
Type:
System.String[]
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-ResponseHeadersVariable
Optional Response Headers Variable.
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Aliases:
RHV
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-RolePermissions
List of permissions included in the role.
Read-only when isBuiltIn is true.
Required.
To construct, see NOTES section for ROLEPERMISSIONS properties and create a hash table.
Custom template identifier that can be set when isBuiltIn is false.
This identifier is typically used if one needs an identifier to be the same across different directories.
Read-only when isBuiltIn is true.
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-UnifiedRoleDefinitionId
The unique identifier of unifiedRoleDefinition
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateExpanded
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
Update
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-UnifiedRoleDefinitionId1
The unique identifier of unifiedRoleDefinition
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateExpanded
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
Update
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Version
Indicates the version of the unifiedRoleDefinition object.
Read-only when isBuiltIn is true.
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-WhatIf
Runs the command in a mode that only reports what would happen without performing the actions.
Parameter properties
Type:
System.Management.Automation.SwitchParameter
Supports wildcards:
False
DontShow:
False
Aliases:
wi
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.
To create the parameters described below, construct a hash table containing the appropriate properties.
For information on hash tables, run Get-Help about_Hash_Tables.
BODYPARAMETER <IMicrosoftGraphUnifiedRoleDefinition>: unifiedRoleDefinition
[(Any) <Object>]: This indicates any property can be added to this object.
[Id <String>]: The unique identifier for an entity.
Read-only.
[AllowedPrincipalTypes <String>]: allowedRolePrincipalTypes
[Description <String>]: The description for the unifiedRoleDefinition.
Read-only when isBuiltIn is true.
[DisplayName <String>]: The display name for the unifiedRoleDefinition.
Read-only when isBuiltIn is true.
Required.
Supports $filter (eq and startsWith).
[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition[]>]: Read-only collection of role definitions that the given role definition inherits from.
Only Microsoft Entra built-in roles support this attribute.
[IsBuiltIn <Boolean?>]: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom.
Read-only.
Supports $filter (eq).
[IsEnabled <Boolean?>]: Flag indicating if the role is enabled for assignment.
If false the role is not available for assignment.
Read-only when isBuiltIn is true.
[IsPrivileged <Boolean?>]: Flag indicating if the role is privileged.
Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects.
Applies only for actions in the microsoft.directory resource namespace.
Read-only.
Supports $filter (eq).
[ResourceScopes <String[]>]: List of scopes permissions granted by the role definition apply to.
Currently only / is supported.
Read-only when isBuiltIn is true.
DO NOT USE.
This will be deprecated soon.
Attach scope to role assignment.
[RolePermissions <IMicrosoftGraphUnifiedRolePermission[]>]: List of permissions included in the role.
Read-only when isBuiltIn is true.
Required.
[AllowedResourceActions <String[]>]: Set of tasks that can be performed on a resource.
[Condition <String>]: Optional constraints that must be met for the permission to be effective.
Not supported for custom roles.
[ExcludedResourceActions <String[]>]:
[TemplateId <String>]: Custom template identifier that can be set when isBuiltIn is false.
This identifier is typically used if one needs an identifier to be the same across different directories.
Read-only when isBuiltIn is true.
[Version <String>]: Indicates the version of the unifiedRoleDefinition object.
Read-only when isBuiltIn is true.
INHERITSPERMISSIONSFROM <IMicrosoftGraphUnifiedRoleDefinition[]>: Read-only collection of role definitions that the given role definition inherits from.
Only Microsoft Entra built-in roles support this attribute.
[Id <String>]: The unique identifier for an entity.
Read-only.
[AllowedPrincipalTypes <String>]: allowedRolePrincipalTypes
[Description <String>]: The description for the unifiedRoleDefinition.
Read-only when isBuiltIn is true.
[DisplayName <String>]: The display name for the unifiedRoleDefinition.
Read-only when isBuiltIn is true.
Required.
Supports $filter (eq and startsWith).
[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition[]>]: Read-only collection of role definitions that the given role definition inherits from.
Only Microsoft Entra built-in roles support this attribute.
[IsBuiltIn <Boolean?>]: Flag indicating if the unifiedRoleDefinition is part of the default set included with the product or custom.
Read-only.
Supports $filter (eq).
[IsEnabled <Boolean?>]: Flag indicating if the role is enabled for assignment.
If false the role is not available for assignment.
Read-only when isBuiltIn is true.
[IsPrivileged <Boolean?>]: Flag indicating if the role is privileged.
Microsoft Entra ID defines a role as privileged if it contains at least one sensitive resource action in the rolePermissions and allowedResourceActions objects.
Applies only for actions in the microsoft.directory resource namespace.
Read-only.
Supports $filter (eq).
[ResourceScopes <String[]>]: List of scopes permissions granted by the role definition apply to.
Currently only / is supported.
Read-only when isBuiltIn is true.
DO NOT USE.
This will be deprecated soon.
Attach scope to role assignment.
[RolePermissions <IMicrosoftGraphUnifiedRolePermission[]>]: List of permissions included in the role.
Read-only when isBuiltIn is true.
Required.
[AllowedResourceActions <String[]>]: Set of tasks that can be performed on a resource.
[Condition <String>]: Optional constraints that must be met for the permission to be effective.
Not supported for custom roles.
[ExcludedResourceActions <String[]>]:
[TemplateId <String>]: Custom template identifier that can be set when isBuiltIn is false.
This identifier is typically used if one needs an identifier to be the same across different directories.
Read-only when isBuiltIn is true.
[Version <String>]: Indicates the version of the unifiedRoleDefinition object.
Read-only when isBuiltIn is true.
INPUTOBJECT <IIdentityGovernanceIdentity>: Identity Parameter
[AccessPackageAssignmentId <String>]: The unique identifier of accessPackageAssignment
[AccessPackageAssignmentPolicyId <String>]: The unique identifier of accessPackageAssignmentPolicy
[AccessPackageAssignmentRequestId <String>]: The unique identifier of accessPackageAssignmentRequest
[AccessPackageAssignmentResourceRoleId <String>]: The unique identifier of accessPackageAssignmentResourceRole
[AccessPackageCatalogId <String>]: The unique identifier of accessPackageCatalog
[AccessPackageId <String>]: The unique identifier of accessPackage
[AccessPackageId1 <String>]: The unique identifier of accessPackage
[AccessPackageResourceEnvironmentId <String>]: The unique identifier of accessPackageResourceEnvironment
[AccessPackageResourceId <String>]: The unique identifier of accessPackageResource
[AccessPackageResourceRequestId <String>]: The unique identifier of accessPackageResourceRequest
[AccessPackageResourceRoleId <String>]: The unique identifier of accessPackageResourceRole
[AccessPackageResourceRoleScopeId <String>]: The unique identifier of accessPackageResourceRoleScope
[AccessPackageResourceScopeId <String>]: The unique identifier of accessPackageResourceScope
[AccessPackageSubjectId <String>]: The unique identifier of accessPackageSubject
[AccessReviewDecisionId <String>]: The unique identifier of accessReviewDecision
[AccessReviewHistoryDefinitionId <String>]: The unique identifier of accessReviewHistoryDefinition
[AccessReviewHistoryInstanceId <String>]: The unique identifier of accessReviewHistoryInstance
[AccessReviewId <String>]: The unique identifier of accessReview
[AccessReviewId1 <String>]: The unique identifier of accessReview
[AccessReviewInstanceDecisionItemId <String>]: The unique identifier of accessReviewInstanceDecisionItem
[AccessReviewInstanceDecisionItemId1 <String>]: The unique identifier of accessReviewInstanceDecisionItem
[AccessReviewInstanceId <String>]: The unique identifier of accessReviewInstance
[AccessReviewReviewerId <String>]: The unique identifier of accessReviewReviewer
[AccessReviewScheduleDefinitionId <String>]: The unique identifier of accessReviewScheduleDefinition
[AccessReviewStageId <String>]: The unique identifier of accessReviewStage
[AgreementAcceptanceId <String>]: The unique identifier of agreementAcceptance
[AgreementFileLocalizationId <String>]: The unique identifier of agreementFileLocalization
[AgreementFileVersionId <String>]: The unique identifier of agreementFileVersion
[AgreementId <String>]: The unique identifier of agreement
[AppConsentRequestId <String>]: The unique identifier of appConsentRequest
[ApprovalId <String>]: The unique identifier of approval
[ApprovalStepId <String>]: The unique identifier of approvalStep
[BusinessFlowTemplateId <String>]: The unique identifier of businessFlowTemplate
[ConnectedOrganizationId <String>]: The unique identifier of connectedOrganization
[CustomAccessPackageWorkflowExtensionId <String>]: The unique identifier of customAccessPackageWorkflowExtension
[CustomCalloutExtensionId <String>]: The unique identifier of customCalloutExtension
[CustomExtensionHandlerId <String>]: The unique identifier of customExtensionHandler
[CustomExtensionStageSettingId <String>]: The unique identifier of customExtensionStageSetting
[CustomTaskExtensionId <String>]: The unique identifier of customTaskExtension
[DirectoryObjectId <String>]: The unique identifier of directoryObject
[EndDateTime <DateTime?>]: Usage: endDateTime={endDateTime}
[FindingId <String>]: The unique identifier of finding
[GovernanceInsightId <String>]: The unique identifier of governanceInsight
[GovernanceResourceId <String>]: The unique identifier of governanceResource
[GovernanceRoleAssignmentId <String>]: The unique identifier of governanceRoleAssignment
[GovernanceRoleAssignmentRequestId <String>]: The unique identifier of governanceRoleAssignmentRequest
[GovernanceRoleDefinitionId <String>]: The unique identifier of governanceRoleDefinition
[GovernanceRoleSettingId <String>]: The unique identifier of governanceRoleSetting
[IncompatibleAccessPackageId <String>]: Usage: incompatibleAccessPackageId='{incompatibleAccessPackageId}'
[LongRunningOperationId <String>]: The unique identifier of longRunningOperation
[ObjectId <String>]: Alternate key of accessPackageSubject
[On <String>]: Usage: on='{on}'
[PermissionsCreepIndexDistributionId <String>]: The unique identifier of permissionsCreepIndexDistribution
[PermissionsRequestChangeId <String>]: The unique identifier of permissionsRequestChange
[PrivilegedAccessGroupAssignmentScheduleId <String>]: The unique identifier of privilegedAccessGroupAssignmentSchedule
[PrivilegedAccessGroupAssignmentScheduleInstanceId <String>]: The unique identifier of privilegedAccessGroupAssignmentScheduleInstance
[PrivilegedAccessGroupAssignmentScheduleRequestId <String>]: The unique identifier of privilegedAccessGroupAssignmentScheduleRequest
[PrivilegedAccessGroupEligibilityScheduleId <String>]: The unique identifier of privilegedAccessGroupEligibilitySchedule
[PrivilegedAccessGroupEligibilityScheduleInstanceId <String>]: The unique identifier of privilegedAccessGroupEligibilityScheduleInstance
[PrivilegedAccessGroupEligibilityScheduleRequestId <String>]: The unique identifier of privilegedAccessGroupEligibilityScheduleRequest
[PrivilegedAccessId <String>]: The unique identifier of privilegedAccess
[PrivilegedApprovalId <String>]: The unique identifier of privilegedApproval
[PrivilegedOperationEventId <String>]: The unique identifier of privilegedOperationEvent
[PrivilegedRoleAssignmentId <String>]: The unique identifier of privilegedRoleAssignment
[PrivilegedRoleAssignmentId1 <String>]: The unique identifier of privilegedRoleAssignment
[PrivilegedRoleAssignmentRequestId <String>]: The unique identifier of privilegedRoleAssignmentRequest
[PrivilegedRoleId <String>]: The unique identifier of privilegedRole
[ProgramControlId <String>]: The unique identifier of programControl
[ProgramControlId1 <String>]: The unique identifier of programControl
[ProgramControlTypeId <String>]: The unique identifier of programControlType
[ProgramId <String>]: The unique identifier of program
[RbacApplicationId <String>]: The unique identifier of rbacApplication
[RunId <String>]: The unique identifier of run
[StartDateTime <DateTime?>]: Usage: startDateTime={startDateTime}
[TaskDefinitionId <String>]: The unique identifier of taskDefinition
[TaskId <String>]: The unique identifier of task
[TaskProcessingResultId <String>]: The unique identifier of taskProcessingResult
[TaskReportId <String>]: The unique identifier of taskReport
[UnifiedRbacResourceActionId <String>]: The unique identifier of unifiedRbacResourceAction
[UnifiedRbacResourceNamespaceId <String>]: The unique identifier of unifiedRbacResourceNamespace
[UnifiedRoleAssignmentId <String>]: The unique identifier of unifiedRoleAssignment
[UnifiedRoleAssignmentScheduleId <String>]: The unique identifier of unifiedRoleAssignmentSchedule
[UnifiedRoleAssignmentScheduleInstanceId <String>]: The unique identifier of unifiedRoleAssignmentScheduleInstance
[UnifiedRoleAssignmentScheduleRequestId <String>]: The unique identifier of unifiedRoleAssignmentScheduleRequest
[UnifiedRoleDefinitionId <String>]: The unique identifier of unifiedRoleDefinition
[UnifiedRoleDefinitionId1 <String>]: The unique identifier of unifiedRoleDefinition
[UnifiedRoleEligibilityScheduleId <String>]: The unique identifier of unifiedRoleEligibilitySchedule
[UnifiedRoleEligibilityScheduleInstanceId <String>]: The unique identifier of unifiedRoleEligibilityScheduleInstance
[UnifiedRoleEligibilityScheduleRequestId <String>]: The unique identifier of unifiedRoleEligibilityScheduleRequest
[UnifiedRoleManagementAlertConfigurationId <String>]: The unique identifier of unifiedRoleManagementAlertConfiguration
[UnifiedRoleManagementAlertDefinitionId <String>]: The unique identifier of unifiedRoleManagementAlertDefinition
[UnifiedRoleManagementAlertId <String>]: The unique identifier of unifiedRoleManagementAlert
[UnifiedRoleManagementAlertIncidentId <String>]: The unique identifier of unifiedRoleManagementAlertIncident
[UniqueName <String>]: Alternate key of accessPackageCatalog
[UserConsentRequestId <String>]: The unique identifier of userConsentRequest
[UserId <String>]: The unique identifier of user
[UserProcessingResultId <String>]: The unique identifier of userProcessingResult
[WorkflowId <String>]: The unique identifier of workflow
[WorkflowTemplateId <String>]: The unique identifier of workflowTemplate
[WorkflowVersionNumber <Int32?>]: The unique identifier of workflowVersion
ROLEPERMISSIONS <IMicrosoftGraphUnifiedRolePermission[]>: List of permissions included in the role.
Read-only when isBuiltIn is true.
Required.
[AllowedResourceActions <String[]>]: Set of tasks that can be performed on a resource.
[Condition <String>]: Optional constraints that must be met for the permission to be effective.
Not supported for custom roles.
[ExcludedResourceActions <String[]>]: