Create deviceAndAppManagementRoleDefinition
Article 08/01/2024
13 contributors
Feedback
In this article
Namespace: microsoft.graph
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.
Create a new deviceAndAppManagementRoleDefinition object.
This API is available in the following national cloud deployments .
Global service
US Government L4
US Government L5 (DOD)
China operated by 21Vianet
✅
✅
✅
✅
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions .
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
DeviceManagementRBAC.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
DeviceManagementRBAC.ReadWrite.All
HTTP Request
POST /deviceManagement/roleDefinitions
Request body
In the request body, supply a JSON representation for the deviceAndAppManagementRoleDefinition object.
The following table shows the properties that are required when you create the deviceAndAppManagementRoleDefinition.
Property
Type
Description
id
String
Key of the entity. This is read-only and automatically generated. Inherited from roleDefinition
displayName
String
Display Name of the Role definition. Inherited from roleDefinition
description
String
Description of the Role definition. Inherited from roleDefinition
rolePermissions
rolePermission collection
List of Role Permissions this role is allowed to perform. These must match the actionName that is defined as part of the rolePermission. Inherited from roleDefinition
isBuiltIn
Boolean
Type of Role. Set to True if it is built-in, or set to False if it is a custom role definition. Inherited from roleDefinition
Response
If successful, this method returns a 201 Created
response code and a deviceAndAppManagementRoleDefinition object in the response body.
Example
Request
Here is an example of the request.
POST https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions
Content-type: application/json
Content-length: 602
{
"@odata.type": "#microsoft.graph.deviceAndAppManagementRoleDefinition",
"displayName": "Display Name value",
"description": "Description value",
"rolePermissions": [
{
"@odata.type": "microsoft.graph.rolePermission",
"resourceActions": [
{
"@odata.type": "microsoft.graph.resourceAction",
"allowedResourceActions": [
"Allowed Resource Actions value"
],
"notAllowedResourceActions": [
"Not Allowed Resource Actions value"
]
}
]
}
],
"isBuiltIn": true
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new DeviceAndAppManagementRoleDefinition
{
OdataType = "#microsoft.graph.deviceAndAppManagementRoleDefinition",
DisplayName = "Display Name value",
Description = "Description value",
RolePermissions = new List<RolePermission>
{
new RolePermission
{
OdataType = "microsoft.graph.rolePermission",
ResourceActions = new List<ResourceAction>
{
new ResourceAction
{
OdataType = "microsoft.graph.resourceAction",
AllowedResourceActions = new List<string>
{
"Allowed Resource Actions value",
},
NotAllowedResourceActions = new List<string>
{
"Not Allowed Resource Actions value",
},
},
},
},
},
IsBuiltIn = true,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.DeviceManagement.RoleDefinitions.PostAsync(requestBody);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
mgc device-management role-definitions create --body '{\
"@odata.type": "#microsoft.graph.deviceAndAppManagementRoleDefinition",\
"displayName": "Display Name value",\
"description": "Description value",\
"rolePermissions": [\
{\
"@odata.type": "microsoft.graph.rolePermission",\
"resourceActions": [\
{\
"@odata.type": "microsoft.graph.resourceAction",\
"allowedResourceActions": [\
"Allowed Resource Actions value"\
],\
"notAllowedResourceActions": [\
"Not Allowed Resource Actions value"\
]\
}\
]\
}\
],\
"isBuiltIn": true\
}\
'
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewRoleDefinition()
displayName := "Display Name value"
requestBody.SetDisplayName(&displayName)
description := "Description value"
requestBody.SetDescription(&description)
rolePermission := graphmodels.NewRolePermission()
resourceAction := graphmodels.NewResourceAction()
allowedResourceActions := []string {
"Allowed Resource Actions value",
}
resourceAction.SetAllowedResourceActions(allowedResourceActions)
notAllowedResourceActions := []string {
"Not Allowed Resource Actions value",
}
resourceAction.SetNotAllowedResourceActions(notAllowedResourceActions)
resourceActions := []graphmodels.ResourceActionable {
resourceAction,
}
rolePermission.SetResourceActions(resourceActions)
rolePermissions := []graphmodels.RolePermissionable {
rolePermission,
}
requestBody.SetRolePermissions(rolePermissions)
isBuiltIn := true
requestBody.SetIsBuiltIn(&isBuiltIn)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleDefinitions, err := graphClient.DeviceManagement().RoleDefinitions().Post(context.Background(), requestBody, nil)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
DeviceAndAppManagementRoleDefinition roleDefinition = new DeviceAndAppManagementRoleDefinition();
roleDefinition.setOdataType("#microsoft.graph.deviceAndAppManagementRoleDefinition");
roleDefinition.setDisplayName("Display Name value");
roleDefinition.setDescription("Description value");
LinkedList<RolePermission> rolePermissions = new LinkedList<RolePermission>();
RolePermission rolePermission = new RolePermission();
rolePermission.setOdataType("microsoft.graph.rolePermission");
LinkedList<ResourceAction> resourceActions = new LinkedList<ResourceAction>();
ResourceAction resourceAction = new ResourceAction();
resourceAction.setOdataType("microsoft.graph.resourceAction");
LinkedList<String> allowedResourceActions = new LinkedList<String>();
allowedResourceActions.add("Allowed Resource Actions value");
resourceAction.setAllowedResourceActions(allowedResourceActions);
LinkedList<String> notAllowedResourceActions = new LinkedList<String>();
notAllowedResourceActions.add("Not Allowed Resource Actions value");
resourceAction.setNotAllowedResourceActions(notAllowedResourceActions);
resourceActions.add(resourceAction);
rolePermission.setResourceActions(resourceActions);
rolePermissions.add(rolePermission);
roleDefinition.setRolePermissions(rolePermissions);
roleDefinition.setIsBuiltIn(true);
RoleDefinition result = graphClient.deviceManagement().roleDefinitions().post(roleDefinition);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
const options = {
authProvider,
};
const client = Client.init(options);
const roleDefinition = {
'@odata.type': '#microsoft.graph.deviceAndAppManagementRoleDefinition',
displayName: 'Display Name value',
description: 'Description value',
rolePermissions: [
{
'@odata.type': 'microsoft.graph.rolePermission',
resourceActions: [
{
'@odata.type': 'microsoft.graph.resourceAction',
allowedResourceActions: [
'Allowed Resource Actions value'
],
notAllowedResourceActions: [
'Not Allowed Resource Actions value'
]
}
]
}
],
isBuiltIn: true
};
await client.api('/deviceManagement/roleDefinitions')
.post(roleDefinition);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\DeviceAndAppManagementRoleDefinition;
use Microsoft\Graph\Generated\Models\RolePermission;
use Microsoft\Graph\Generated\Models\ResourceAction;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new DeviceAndAppManagementRoleDefinition();
$requestBody->setOdataType('#microsoft.graph.deviceAndAppManagementRoleDefinition');
$requestBody->setDisplayName('Display Name value');
$requestBody->setDescription('Description value');
$rolePermissionsRolePermission1 = new RolePermission();
$rolePermissionsRolePermission1->setOdataType('microsoft.graph.rolePermission');
$resourceActionsResourceAction1 = new ResourceAction();
$resourceActionsResourceAction1->setOdataType('microsoft.graph.resourceAction');
$resourceActionsResourceAction1->setAllowedResourceActions(['Allowed Resource Actions value', ]);
$resourceActionsResourceAction1->setNotAllowedResourceActions(['Not Allowed Resource Actions value', ]);
$resourceActionsArray []= $resourceActionsResourceAction1;
$rolePermissionsRolePermission1->setResourceActions($resourceActionsArray);
$rolePermissionsArray []= $rolePermissionsRolePermission1;
$requestBody->setRolePermissions($rolePermissionsArray);
$requestBody->setIsBuiltIn(true);
$result = $graphServiceClient->deviceManagement()->roleDefinitions()->post($requestBody)->wait();
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
Import-Module Microsoft.Graph.DeviceManagement.Administration
$params = @{
"@odata.type" = "#microsoft.graph.deviceAndAppManagementRoleDefinition"
displayName = "Display Name value"
description = "Description value"
rolePermissions = @(
@{
"@odata.type" = "microsoft.graph.rolePermission"
resourceActions = @(
@{
"@odata.type" = "microsoft.graph.resourceAction"
allowedResourceActions = @(
"Allowed Resource Actions value"
)
notAllowedResourceActions = @(
"Not Allowed Resource Actions value"
)
}
)
}
)
isBuiltIn = $true
}
New-MgDeviceManagementRoleDefinition -BodyParameter $params
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.device_and_app_management_role_definition import DeviceAndAppManagementRoleDefinition
from msgraph.generated.models.role_permission import RolePermission
from msgraph.generated.models.resource_action import ResourceAction
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = DeviceAndAppManagementRoleDefinition(
odata_type = "#microsoft.graph.deviceAndAppManagementRoleDefinition",
display_name = "Display Name value",
description = "Description value",
role_permissions = [
RolePermission(
odata_type = "microsoft.graph.rolePermission",
resource_actions = [
ResourceAction(
odata_type = "microsoft.graph.resourceAction",
allowed_resource_actions = [
"Allowed Resource Actions value",
],
not_allowed_resource_actions = [
"Not Allowed Resource Actions value",
],
),
],
),
],
is_built_in = True,
)
result = await graph_client.device_management.role_definitions.post(request_body)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
Response
Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 651
{
"@odata.type": "#microsoft.graph.deviceAndAppManagementRoleDefinition",
"id": "bca1dfb5-dfb5-bca1-b5df-a1bcb5dfa1bc",
"displayName": "Display Name value",
"description": "Description value",
"rolePermissions": [
{
"@odata.type": "microsoft.graph.rolePermission",
"resourceActions": [
{
"@odata.type": "microsoft.graph.resourceAction",
"allowedResourceActions": [
"Allowed Resource Actions value"
],
"notAllowedResourceActions": [
"Not Allowed Resource Actions value"
]
}
]
}
],
"isBuiltIn": true
}