Namespace: microsoft.graph
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.
Create a new roleDefinition object.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | DeviceManagementRBAC.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | DeviceManagementRBAC.ReadWrite.All |
HTTP Request
POST /deviceManagement/roleDefinitions
Request body
In the request body, supply a JSON representation for the roleDefinition object.
The following table shows the properties that are required when you create the roleDefinition.
| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. This is read-only and automatically generated. |
| displayName | String | Display Name of the Role definition. |
| description | String | Description of the Role definition. |
| rolePermissions | rolePermission collection | List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission. |
| isBuiltIn | Boolean | Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition. |
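A pre-flight check for the request body described in the table above, written as an added example; it is not part of the Microsoft Graph documentation or SDKs. The names `lint_role_definition`, `sample_body` and `APPROVED_ACTIONS`, the action names, and the non-empty-string and allowlist rules are assumptions standing in for local policy.

```python
# Pre-flight lint for a roleDefinition body before POST /deviceManagement/roleDefinitions.
# Assumption: organisation-maintained allowlist; action names are constructed samples.
APPROVED_ACTIONS = frozenset({"Microsoft.Intune_ManagedDevices_Read",
                              "Microsoft.Intune_Organization_Read"})


def lint_role_definition(body, approved=APPROVED_ACTIONS):
    """Return a list of findings; an empty list means the body passed."""
    findings = []
    if "id" in body:
        findings.append("id is read-only and generated by the service")
    for prop in ("displayName", "description"):  # non-empty: local policy
        if not isinstance(body.get(prop), str) or not body[prop].strip():
            findings.append(f"{prop} must be a non-empty string")
    if body.get("isBuiltIn") is not False:
        findings.append("isBuiltIn must be false for a custom role")
    permissions = body.get("rolePermissions")
    if not isinstance(permissions, list) or not permissions:
        return findings + ["rolePermissions must be a non-empty collection"]
    for p, permission in enumerate(permissions):
        for a, action in enumerate(permission.get("resourceActions") or []):
            where = f"rolePermissions[{p}].resourceActions[{a}]"
            allowed = set(action.get("allowedResourceActions") or [])
            denied = set(action.get("notAllowedResourceActions") or [])
            for name in sorted(allowed & denied):
                findings.append(f"{where}: {name} is both allowed and not allowed")
            for name in sorted(allowed - set(approved)):
                findings.append(f"{where}: {name} is not on the approved list")
    return findings


def sample_body(**overrides):
    """Constructed sample request body; keyword arguments override properties."""
    return {
        "@odata.type": "#microsoft.graph.roleDefinition",
        "displayName": "Helpdesk read-only",
        "description": "Read-only view of managed devices",
        "rolePermissions": [{"resourceActions": [{
            "allowedResourceActions": ["Microsoft.Intune_ManagedDevices_Read"],
            "notAllowedResourceActions": [],
        }]}],
        "isBuiltIn": False,
        **overrides,
    }


if __name__ == "__main__":
    print(lint_role_definition(sample_body(isBuiltIn=True, id="constructed-id")))
```

Running the lint in the change pipeline that submits role definitions keeps a custom role from being sent with a client-supplied `id`, a built-in flag, or actions outside the reviewed set.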
Response
If successful, this method returns a 201 Created response code and a roleDefinition object in the response body.
Example
Request
Here is an example of the request.
POST https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions
Content-type: application/json
Content-length: 580

{
  "@odata.type": "#microsoft.graph.roleDefinition",
  "displayName": "Display Name value",
  "description": "Description value",
  "rolePermissions": [
    {
      "@odata.type": "microsoft.graph.rolePermission",
      "resourceActions": [
        {
          "@odata.type": "microsoft.graph.resourceAction",
          "allowedResourceActions": [
            "Allowed Resource Actions value"
          ],
          "notAllowedResourceActions": [
            "Not Allowed Resource Actions value"
          ]
        }
      ]
    }
  ],
  "isBuiltIn": true
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;

var requestBody = new RoleDefinition
{
    OdataType = "#microsoft.graph.roleDefinition",
    DisplayName = "Display Name value",
    Description = "Description value",
    RolePermissions = new List<RolePermission>
    {
        new RolePermission
        {
            OdataType = "microsoft.graph.rolePermission",
            ResourceActions = new List<ResourceAction>
            {
                new ResourceAction
                {
                    OdataType = "microsoft.graph.resourceAction",
                    AllowedResourceActions = new List<string>
                    {
                        "Allowed Resource Actions value",
                    },
                    NotAllowedResourceActions = new List<string>
                    {
                        "Not Allowed Resource Actions value",
                    },
                },
            },
        },
    },
    IsBuiltIn = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.DeviceManagement.RoleDefinitions.PostAsync(requestBody);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
mgc device-management role-definitions create --body '{
  "@odata.type": "#microsoft.graph.roleDefinition",
  "displayName": "Display Name value",
  "description": "Description value",
  "rolePermissions": [
    {
      "@odata.type": "microsoft.graph.rolePermission",
      "resourceActions": [
        {
          "@odata.type": "microsoft.graph.resourceAction",
          "allowedResourceActions": [
            "Allowed Resource Actions value"
          ],
          "notAllowedResourceActions": [
            "Not Allowed Resource Actions value"
          ]
        }
      ]
    }
  ],
  "isBuiltIn": true
}'
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
	"context"
	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewRoleDefinition()
displayName := "Display Name value"
requestBody.SetDisplayName(&displayName)
description := "Description value"
requestBody.SetDescription(&description)

rolePermission := graphmodels.NewRolePermission()

resourceAction := graphmodels.NewResourceAction()
allowedResourceActions := []string{
	"Allowed Resource Actions value",
}
resourceAction.SetAllowedResourceActions(allowedResourceActions)
notAllowedResourceActions := []string{
	"Not Allowed Resource Actions value",
}
resourceAction.SetNotAllowedResourceActions(notAllowedResourceActions)

resourceActions := []graphmodels.ResourceActionable{
	resourceAction,
}
rolePermission.SetResourceActions(resourceActions)

rolePermissions := []graphmodels.RolePermissionable{
	rolePermission,
}
requestBody.SetRolePermissions(rolePermissions)
isBuiltIn := true
requestBody.SetIsBuiltIn(&isBuiltIn)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleDefinitions, err := graphClient.DeviceManagement().RoleDefinitions().Post(context.Background(), requestBody, nil)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
RoleDefinition roleDefinition = new RoleDefinition();
roleDefinition.setOdataType("#microsoft.graph.roleDefinition");
roleDefinition.setDisplayName("Display Name value");
roleDefinition.setDescription("Description value");
LinkedList<RolePermission> rolePermissions = new LinkedList<RolePermission>();
RolePermission rolePermission = new RolePermission();
rolePermission.setOdataType("microsoft.graph.rolePermission");
LinkedList<ResourceAction> resourceActions = new LinkedList<ResourceAction>();
ResourceAction resourceAction = new ResourceAction();
resourceAction.setOdataType("microsoft.graph.resourceAction");
LinkedList<String> allowedResourceActions = new LinkedList<String>();
allowedResourceActions.add("Allowed Resource Actions value");
resourceAction.setAllowedResourceActions(allowedResourceActions);
LinkedList<String> notAllowedResourceActions = new LinkedList<String>();
notAllowedResourceActions.add("Not Allowed Resource Actions value");
resourceAction.setNotAllowedResourceActions(notAllowedResourceActions);
resourceActions.add(resourceAction);
rolePermission.setResourceActions(resourceActions);
rolePermissions.add(rolePermission);
roleDefinition.setRolePermissions(rolePermissions);
roleDefinition.setIsBuiltIn(true);
RoleDefinition result = graphClient.deviceManagement().roleDefinitions().post(roleDefinition);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
const options = {
  authProvider,
};

const client = Client.init(options);

const roleDefinition = {
  '@odata.type': '#microsoft.graph.roleDefinition',
  displayName: 'Display Name value',
  description: 'Description value',
  rolePermissions: [
    {
      '@odata.type': 'microsoft.graph.rolePermission',
      resourceActions: [
        {
          '@odata.type': 'microsoft.graph.resourceAction',
          allowedResourceActions: [
            'Allowed Resource Actions value'
          ],
          notAllowedResourceActions: [
            'Not Allowed Resource Actions value'
          ]
        }
      ]
    }
  ],
  isBuiltIn: true
};

await client.api('/deviceManagement/roleDefinitions')
  .post(roleDefinition);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\RoleDefinition;
use Microsoft\Graph\Generated\Models\RolePermission;
use Microsoft\Graph\Generated\Models\ResourceAction;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new RoleDefinition();
$requestBody->setOdataType('#microsoft.graph.roleDefinition');
$requestBody->setDisplayName('Display Name value');
$requestBody->setDescription('Description value');
$rolePermissionsRolePermission1 = new RolePermission();
$rolePermissionsRolePermission1->setOdataType('microsoft.graph.rolePermission');
$resourceActionsResourceAction1 = new ResourceAction();
$resourceActionsResourceAction1->setOdataType('microsoft.graph.resourceAction');
$resourceActionsResourceAction1->setAllowedResourceActions(['Allowed Resource Actions value', ]);
$resourceActionsResourceAction1->setNotAllowedResourceActions(['Not Allowed Resource Actions value', ]);
$resourceActionsArray []= $resourceActionsResourceAction1;
$rolePermissionsRolePermission1->setResourceActions($resourceActionsArray);
$rolePermissionsArray []= $rolePermissionsRolePermission1;
$requestBody->setRolePermissions($rolePermissionsArray);
$requestBody->setIsBuiltIn(true);
$result = $graphServiceClient->deviceManagement()->roleDefinitions()->post($requestBody)->wait();
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Import-Module Microsoft.Graph.DeviceManagement.Administration

$params = @{
    "@odata.type" = "#microsoft.graph.roleDefinition"
    displayName = "Display Name value"
    description = "Description value"
    rolePermissions = @(
        @{
            "@odata.type" = "microsoft.graph.rolePermission"
            resourceActions = @(
                @{
                    "@odata.type" = "microsoft.graph.resourceAction"
                    allowedResourceActions = @(
                        "Allowed Resource Actions value"
                    )
                    notAllowedResourceActions = @(
                        "Not Allowed Resource Actions value"
                    )
                }
            )
        }
    )
    isBuiltIn = $true
}

New-MgDeviceManagementRoleDefinition -BodyParameter $params
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.role_definition import RoleDefinition
from msgraph.generated.models.role_permission import RolePermission
from msgraph.generated.models.resource_action import ResourceAction

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = RoleDefinition(
    odata_type="#microsoft.graph.roleDefinition",
    display_name="Display Name value",
    description="Description value",
    role_permissions=[
        RolePermission(
            odata_type="microsoft.graph.rolePermission",
            resource_actions=[
                ResourceAction(
                    odata_type="microsoft.graph.resourceAction",
                    allowed_resource_actions=[
                        "Allowed Resource Actions value",
                    ],
                    not_allowed_resource_actions=[
                        "Not Allowed Resource Actions value",
                    ],
                ),
            ],
        ),
    ],
    is_built_in=True,
)

result = await graph_client.device_management.role_definitions.post(request_body)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Response
Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 629

{
  "@odata.type": "#microsoft.graph.roleDefinition",
  "id": "70fdcd08-cd08-70fd-08cd-fd7008cdfd70",
  "displayName": "Display Name value",
  "description": "Description value",
  "rolePermissions": [
    {
      "@odata.type": "microsoft.graph.rolePermission",
      "resourceActions": [
        {
          "@odata.type": "microsoft.graph.resourceAction",
          "allowedResourceActions": [
            "Allowed Resource Actions value"
          ],
          "notAllowedResourceActions": [
            "Not Allowed Resource Actions value"
          ]
        }
      ]
    }
  ],
  "isBuiltIn": true
}