Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app.
The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access.
App scopes are scopes that are defined and understood by this application only.
Use / for tenant-wide app scopes.
Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-BodyParameter
unifiedRoleEligibilityScheduleInstance
To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
Identifier of the directory object representing the scope of the assignment or role eligibility.
The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access.
Directory scopes are shared scopes stored in the directory that are understood by multiple applications.
Use / for tenant-wide scope.
Use appScopeId to limit the scope to an application only.
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-EndDateTime
The end date of the schedule instance.
Parameter properties
Type:
System.DateTime
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Headers
Optional headers that will be added to the request.
Parameter properties
Type:
System.Collections.IDictionary
Supports wildcards:
False
DontShow:
False
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
True
Value from pipeline by property name:
False
Value from remaining arguments:
False
-HttpPipelineAppend
SendAsync Pipeline Steps to be appended to the front of the pipeline
How the role eligibility is inherited.
It can either be Inherited, Direct, or Group.
It can further imply whether the unifiedRoleEligibilitySchedule can be managed by the caller.
Supports $filter (eq, ne).
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-Principal
directoryObject
To construct, see NOTES section for PRINCIPAL properties and create a hash table.
Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for.
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-RoleEligibilityScheduleId
The identifier of the unifiedRoleEligibilitySchedule object from which this instance was created.
Supports $filter (eq, ne).
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-StartDateTime
When this instance starts.
Parameter properties
Type:
System.DateTime
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateViaIdentityExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
UpdateExpanded
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-UnifiedRoleEligibilityScheduleInstanceId
The unique identifier of unifiedRoleEligibilityScheduleInstance
Parameter properties
Type:
System.String
Supports wildcards:
False
DontShow:
False
Parameter sets
UpdateExpanded
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
Update
Position:
Named
Mandatory:
True
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
-WhatIf
Runs the command in a mode that only reports what would happen without performing the actions.
Parameter properties
Type:
System.Management.Automation.SwitchParameter
Supports wildcards:
False
DontShow:
False
Aliases:
wi
Parameter sets
(All)
Position:
Named
Mandatory:
False
Value from pipeline:
False
Value from pipeline by property name:
False
Value from remaining arguments:
False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters.
To create the parameters described below, construct a hash table containing the appropriate properties.
For information on hash tables, run Get-Help about_Hash_Tables.
APPSCOPE <IMicrosoftGraphAppScope>: appScope
[(Any) <Object>]: This indicates any property can be added to this object.
[Id <String>]: The unique identifier for an entity.
Read-only.
[DisplayName <String>]: Provides the display name of the app-specific resource represented by the app scope.
Read-only.
[Type <String>]: Describes the type of app-specific resource represented by the app scope.
Read-only.
BODYPARAMETER <IMicrosoftGraphUnifiedRoleEligibilityScheduleInstance>: unifiedRoleEligibilityScheduleInstance
[(Any) <Object>]: This indicates any property can be added to this object.
[AppScope <IMicrosoftGraphAppScope>]: appScope
[(Any) <Object>]: This indicates any property can be added to this object.
[Id <String>]: The unique identifier for an entity.
Read-only.
[DisplayName <String>]: Provides the display name of the app-specific resource represented by the app scope.
Read-only.
[Type <String>]: Describes the type of app-specific resource represented by the app scope.
Read-only.
[AppScopeId <String>]: Identifier of the app-specific scope when the assignment or role eligibility is scoped to an app.
The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access.
App scopes are scopes that are defined and understood by this application only.
Use / for tenant-wide app scopes.
Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units.
[DirectoryScope <IMicrosoftGraphDirectoryObject>]: directoryObject
[(Any) <Object>]: This indicates any property can be added to this object.
[Id <String>]: The unique identifier for an entity.
Read-only.
[DeletedDateTime <DateTime?>]: Date and time when this object was deleted.
Always null when the object hasn't been deleted.
[DirectoryScopeId <String>]: Identifier of the directory object representing the scope of the assignment or role eligibility.
The scope of an assignment or role eligibility determines the set of resources for which the principal has been granted access.
Directory scopes are shared scopes stored in the directory that are understood by multiple applications.
Use / for tenant-wide scope.
Use appScopeId to limit the scope to an application only.
[Principal <IMicrosoftGraphDirectoryObject>]: directoryObject
[PrincipalId <String>]: Identifier of the principal that has been granted the role assignment or that's eligible for a role.
[RoleDefinition <IMicrosoftGraphUnifiedRoleDefinition>]: unifiedRoleDefinition
[(Any) <Object>]: This indicates any property can be added to this object.
[Id <String>]: The unique identifier for an entity.
Read-only.
[Description <String>]: The description for the unifiedRoleDefinition.
Read-only when isBuiltIn is true.
[DisplayName <String>]: The display name for the unifiedRoleDefinition.
Read-only when isBuiltIn is true.
Required.
Supports $filter (eq, in).
[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition[]>]: Read-only collection of role definitions that the given role definition inherits from.
Only Microsoft Entra built-in roles (isBuiltIn is true) support this attribute.
Supports $expand.
[IsBuiltIn <Boolean?>]: Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition.
Read-only.
Supports $filter (eq, in).
[IsEnabled <Boolean?>]: Flag indicating whether the role is enabled for assignment.
If false the role is not available for assignment.
Read-only when isBuiltIn is true.
[ResourceScopes <String[]>]: List of the scopes or permissions the role definition applies to.
Currently only / is supported.
Read-only when isBuiltIn is true.
DO NOT USE.
This will be deprecated soon.
Attach scope to role assignment.
[RolePermissions <IMicrosoftGraphUnifiedRolePermission[]>]: List of permissions included in the role.
Read-only when isBuiltIn is true.
Required.
[AllowedResourceActions <String[]>]: Set of tasks that can be performed on a resource.
Required.
[Condition <String>]: Optional constraints that must be met for the permission to be effective.
Not supported for custom roles.
[ExcludedResourceActions <String[]>]: Set of tasks that may not be performed on a resource.
Not yet supported.
[TemplateId <String>]: Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true.
This identifier is typically used if one needs an identifier to be the same across different directories.
[Version <String>]: Indicates version of the role definition.
Read-only when isBuiltIn is true.
[RoleDefinitionId <String>]: Identifier of the unifiedRoleDefinition object that is being assigned to the principal or that the principal is eligible for.
[Id <String>]: The unique identifier for an entity.
Read-only.
[EndDateTime <DateTime?>]: The end date of the schedule instance.
[MemberType <String>]: How the role eligibility is inherited.
It can either be Inherited, Direct, or Group.
It can further imply whether the unifiedRoleEligibilitySchedule can be managed by the caller.
Supports $filter (eq, ne).
[RoleEligibilityScheduleId <String>]: The identifier of the unifiedRoleEligibilitySchedule object from which this instance was created.
Supports $filter (eq, ne).
[StartDateTime <DateTime?>]: When this instance starts.
DIRECTORYSCOPE <IMicrosoftGraphDirectoryObject>: directoryObject
[(Any) <Object>]: This indicates any property can be added to this object.
[Id <String>]: The unique identifier for an entity.
Read-only.
[DeletedDateTime <DateTime?>]: Date and time when this object was deleted.
Always null when the object hasn't been deleted.
INPUTOBJECT <IIdentityGovernanceIdentity>: Identity Parameter
[AccessPackageAssignmentId <String>]: The unique identifier of accessPackageAssignment
[AccessPackageAssignmentPolicyId <String>]: The unique identifier of accessPackageAssignmentPolicy
[AccessPackageAssignmentRequestId <String>]: The unique identifier of accessPackageAssignmentRequest
[AccessPackageCatalogId <String>]: The unique identifier of accessPackageCatalog
[AccessPackageId <String>]: The unique identifier of accessPackage
[AccessPackageId1 <String>]: The unique identifier of accessPackage
[AccessPackageQuestionId <String>]: The unique identifier of accessPackageQuestion
[AccessPackageResourceEnvironmentId <String>]: The unique identifier of accessPackageResourceEnvironment
[AccessPackageResourceId <String>]: The unique identifier of accessPackageResource
[AccessPackageResourceRequestId <String>]: The unique identifier of accessPackageResourceRequest
[AccessPackageResourceRoleId <String>]: The unique identifier of accessPackageResourceRole
[AccessPackageResourceRoleId1 <String>]: The unique identifier of accessPackageResourceRole
[AccessPackageResourceRoleScopeId <String>]: The unique identifier of accessPackageResourceRoleScope
[AccessPackageResourceScopeId <String>]: The unique identifier of accessPackageResourceScope
[AccessPackageResourceScopeId1 <String>]: The unique identifier of accessPackageResourceScope
[AccessReviewHistoryDefinitionId <String>]: The unique identifier of accessReviewHistoryDefinition
[AccessReviewHistoryInstanceId <String>]: The unique identifier of accessReviewHistoryInstance
[AccessReviewInstanceDecisionItemId <String>]: The unique identifier of accessReviewInstanceDecisionItem
[AccessReviewInstanceId <String>]: The unique identifier of accessReviewInstance
[AccessReviewReviewerId <String>]: The unique identifier of accessReviewReviewer
[AccessReviewScheduleDefinitionId <String>]: The unique identifier of accessReviewScheduleDefinition
[AccessReviewStageId <String>]: The unique identifier of accessReviewStage
[AgreementAcceptanceId <String>]: The unique identifier of agreementAcceptance
[AgreementFileLocalizationId <String>]: The unique identifier of agreementFileLocalization
[AgreementFileVersionId <String>]: The unique identifier of agreementFileVersion
[AgreementId <String>]: The unique identifier of agreement
[AppConsentRequestId <String>]: The unique identifier of appConsentRequest
[ApprovalId <String>]: The unique identifier of approval
[ApprovalStageId <String>]: The unique identifier of approvalStage
[ConnectedOrganizationId <String>]: The unique identifier of connectedOrganization
[CustomCalloutExtensionId <String>]: The unique identifier of customCalloutExtension
[CustomExtensionStageSettingId <String>]: The unique identifier of customExtensionStageSetting
[CustomTaskExtensionId <String>]: The unique identifier of customTaskExtension
[DirectoryObjectId <String>]: The unique identifier of directoryObject
[EndDateTime <DateTime?>]: Usage: endDateTime={endDateTime}
[GovernanceInsightId <String>]: The unique identifier of governanceInsight
[IncompatibleAccessPackageId <String>]: Usage: incompatibleAccessPackageId='{incompatibleAccessPackageId}'
[On <String>]: Usage: on='{on}'
[PrivilegedAccessGroupAssignmentScheduleId <String>]: The unique identifier of privilegedAccessGroupAssignmentSchedule
[PrivilegedAccessGroupAssignmentScheduleInstanceId <String>]: The unique identifier of privilegedAccessGroupAssignmentScheduleInstance
[PrivilegedAccessGroupAssignmentScheduleRequestId <String>]: The unique identifier of privilegedAccessGroupAssignmentScheduleRequest
[PrivilegedAccessGroupEligibilityScheduleId <String>]: The unique identifier of privilegedAccessGroupEligibilitySchedule
[PrivilegedAccessGroupEligibilityScheduleInstanceId <String>]: The unique identifier of privilegedAccessGroupEligibilityScheduleInstance
[PrivilegedAccessGroupEligibilityScheduleRequestId <String>]: The unique identifier of privilegedAccessGroupEligibilityScheduleRequest
[RunId <String>]: The unique identifier of run
[StartDateTime <DateTime?>]: Usage: startDateTime={startDateTime}
[TaskDefinitionId <String>]: The unique identifier of taskDefinition
[TaskId <String>]: The unique identifier of task
[TaskProcessingResultId <String>]: The unique identifier of taskProcessingResult
[TaskReportId <String>]: The unique identifier of taskReport
[UnifiedRbacResourceActionId <String>]: The unique identifier of unifiedRbacResourceAction
[UnifiedRbacResourceNamespaceId <String>]: The unique identifier of unifiedRbacResourceNamespace
[UnifiedRoleAssignmentId <String>]: The unique identifier of unifiedRoleAssignment
[UnifiedRoleAssignmentScheduleId <String>]: The unique identifier of unifiedRoleAssignmentSchedule
[UnifiedRoleAssignmentScheduleInstanceId <String>]: The unique identifier of unifiedRoleAssignmentScheduleInstance
[UnifiedRoleAssignmentScheduleRequestId <String>]: The unique identifier of unifiedRoleAssignmentScheduleRequest
[UnifiedRoleDefinitionId <String>]: The unique identifier of unifiedRoleDefinition
[UnifiedRoleDefinitionId1 <String>]: The unique identifier of unifiedRoleDefinition
[UnifiedRoleEligibilityScheduleId <String>]: The unique identifier of unifiedRoleEligibilitySchedule
[UnifiedRoleEligibilityScheduleInstanceId <String>]: The unique identifier of unifiedRoleEligibilityScheduleInstance
[UnifiedRoleEligibilityScheduleRequestId <String>]: The unique identifier of unifiedRoleEligibilityScheduleRequest
[UserConsentRequestId <String>]: The unique identifier of userConsentRequest
[UserId <String>]: The unique identifier of user
[UserProcessingResultId <String>]: The unique identifier of userProcessingResult
[WorkflowId <String>]: The unique identifier of workflow
[WorkflowTemplateId <String>]: The unique identifier of workflowTemplate
[WorkflowVersionNumber <Int32?>]: The unique identifier of workflowVersion
PRINCIPAL <IMicrosoftGraphDirectoryObject>: directoryObject
[(Any) <Object>]: This indicates any property can be added to this object.
[Id <String>]: The unique identifier for an entity.
Read-only.
[DeletedDateTime <DateTime?>]: Date and time when this object was deleted.
Always null when the object hasn't been deleted.
ROLEDEFINITION <IMicrosoftGraphUnifiedRoleDefinition>: unifiedRoleDefinition
[(Any) <Object>]: This indicates any property can be added to this object.
[Id <String>]: The unique identifier for an entity.
Read-only.
[Description <String>]: The description for the unifiedRoleDefinition.
Read-only when isBuiltIn is true.
[DisplayName <String>]: The display name for the unifiedRoleDefinition.
Read-only when isBuiltIn is true.
Required.
Supports $filter (eq, in).
[InheritsPermissionsFrom <IMicrosoftGraphUnifiedRoleDefinition[]>]: Read-only collection of role definitions that the given role definition inherits from.
Only Microsoft Entra built-in roles (isBuiltIn is true) support this attribute.
Supports $expand.
[IsBuiltIn <Boolean?>]: Flag indicating whether the role definition is part of the default set included in Microsoft Entra or a custom definition.
Read-only.
Supports $filter (eq, in).
[IsEnabled <Boolean?>]: Flag indicating whether the role is enabled for assignment.
If false the role is not available for assignment.
Read-only when isBuiltIn is true.
[ResourceScopes <String[]>]: List of the scopes or permissions the role definition applies to.
Currently only / is supported.
Read-only when isBuiltIn is true.
DO NOT USE.
This will be deprecated soon.
Attach scope to role assignment.
[RolePermissions <IMicrosoftGraphUnifiedRolePermission[]>]: List of permissions included in the role.
Read-only when isBuiltIn is true.
Required.
[AllowedResourceActions <String[]>]: Set of tasks that can be performed on a resource.
Required.
[Condition <String>]: Optional constraints that must be met for the permission to be effective.
Not supported for custom roles.
[ExcludedResourceActions <String[]>]: Set of tasks that may not be performed on a resource.
Not yet supported.
[TemplateId <String>]: Custom template identifier that can be set when isBuiltIn is false but is read-only when isBuiltIn is true.
This identifier is typically used if one needs an identifier to be the same across different directories.
[Version <String>]: Indicates version of the role definition.
Read-only when isBuiltIn is true.