appRole resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents an application role. Client applications can request application roles. Application roles can also be used to assign an application to users or groups in a specified role.

To add, update, or remove app roles for an application, update the application object for the app or service. App roles defined on the application entity are available in all tenants where the application is used. To define app roles that apply only in your tenant (for example, app roles representing custom roles in your instance of a multitenant application), you can instead update the service principal for the app, adding or updating app roles in its appRoles collection.

With appRoleAssignments, app roles can be assigned to users, groups, or other applications' service principals.

Properties

Property (Type): Description

allowedMemberTypes (String collection): Specifies whether this app role can be assigned to users and groups (by setting to ["User"]), to other applications (by setting to ["Application"]), or both (by setting to ["User", "Application"]). App roles that support assignment to other applications' service principals are also known as application permissions. The "Application" value is only supported for app roles defined on application entities.

description (String): The description for the app role. This is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences.

displayName (String): Display name for the permission that appears in the app role assignment and consent experiences.

id (Guid): Unique role identifier inside the appRoles collection. You must specify a new GUID identifier when you create a new app role.

isEnabled (Boolean): When you create or update an app role, this value must be true. To delete a role, this must first be set to false. At that point, in a subsequent call, the role can be removed. Default value is true.

origin (String): Specifies whether the app role is defined on the application object or on the servicePrincipal entity. Must not be included in any POST or PATCH requests. Read-only.

value (String): Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal. Must not exceed 120 characters in length. Allowed characters are : ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ + _ ` { | } ~, and characters in the ranges 0-9, A-Z, and a-z. Any other character, including the space character, is not allowed. Must not begin with a period (.).
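As an added example (not part of the Microsoft Graph documentation), the following Python checks an appRole definition against the property rules above and builds the two PATCH bodies that the isEnabled rule requires to remove a role. It assumes the appRoles collection is sent whole on each PATCH; the GUIDs and role values in the test are constructed sample data.

```python
import re
import uuid

# Allowed characters for "value", per the property table: the listed
# punctuation plus 0-9, A-Z and a-z, at most 120 characters, no spaces.
_VALUE_RE = re.compile(r"[!#$%&'()*+,\-./:;<=>?@\[\]^_`{|}~0-9A-Za-z]{1,120}")


def validate_app_role(role: dict) -> list:
    """Return the rule violations in an appRole definition (empty list = valid)."""
    problems = []
    member_types = role.get("allowedMemberTypes") or []
    if not member_types or not set(member_types) <= {"User", "Application"}:
        problems.append("allowedMemberTypes must be a non-empty subset of ['User', 'Application']")
    try:
        uuid.UUID(str(role.get("id")))  # id must be a GUID
    except ValueError:
        problems.append("id must be a GUID")
    if role.get("isEnabled") is not True:
        problems.append("isEnabled must be true when creating or updating a role")
    if "origin" in role:  # read-only, never sent in POST/PATCH
        problems.append("origin is read-only and must not be sent")
    value = role.get("value")
    if value is not None:  # a null value is left to the service to accept or reject
        if not _VALUE_RE.fullmatch(value):
            problems.append("value must be 1-120 allowed characters with no spaces")
        elif value.startswith("."):
            problems.append("value must not begin with '.'")
    return problems


def remove_app_role_patches(app_roles: list, role_id: str) -> list:
    """Build the two PATCH bodies needed to remove one role from an appRoles collection.

    First PATCH: the role is disabled (isEnabled false).  Second PATCH: the role is
    dropped.  Assumption: each body carries the whole appRoles collection.
    """
    if not any(r["id"] == role_id for r in app_roles):
        raise KeyError(f"no app role with id {role_id}")
    disabled = [dict(r, isEnabled=False) if r["id"] == role_id else dict(r) for r in app_roles]
    removed = [dict(r) for r in app_roles if r["id"] != role_id]
    return [{"appRoles": disabled}, {"appRoles": removed}]
```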

Relationships

None.

JSON representation

The following JSON representation shows the resource type.

{
  "allowedMemberTypes": ["String"],
  "description": "String",
  "displayName": "String",
  "id": "Guid",
  "isEnabled": true,
  "origin": "String",
  "value": "String"
}