Merge pull request #25418 from microsoftgraph/rbac-sps-approleassignments

Entra admin roles - groups/users/SPs - app role assignments/to

Author: Lauragra

api-reference/beta/api/approleassignment-get.md

@@ -18,45 +18,6 @@ Read the properties and relationships of an [appRoleAssignment](../resources/app
 
 ## Permissions
 
-<!--
-### For client service principals
-<!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
-<!--
-|Permission type      | Permissions (from least to most privileged)              |
-|:--------------------|:---------------------------------------------------------|
-|Delegated (work or school account) | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All  |
-|Delegated (personal Microsoft account) | Not supported.    |
-|Application | Application.Read.All, Directory.Read.All, Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.ReadWrite.All |
-
-### For resource service principals
-<!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
-<!--
-|Permission type      | Permissions (from least to most privileged)              |
-|:--------------------|:---------------------------------------------------------|
-|Delegated (work or school account) | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All  |
-|Delegated (personal Microsoft account) | Not supported.    |
-|Application | Application.Read.All, Directory.Read.All, Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.ReadWrite.All |
-
-### For groups
-<!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
-<!--
-|Permission type      | Permissions (from least to most privileged)              |
-|:--------------------|:---------------------------------------------------------|
-|Delegated (work or school account) | Group.Read.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All, Directory.ReadWrite.All  |
-|Delegated (personal Microsoft account) | Not supported.    |
-|Application | Group.Read.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All, Directory.ReadWrite.All |
-
-### For users
-<!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
-<!--
-|Permission type      | Permissions (from least to most privileged)              |
-|:--------------------|:---------------------------------------------------------|
-|Delegated (work or school account) | User.Read, User.ReadBasic.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All  |
-|Delegated (personal Microsoft account) | Not supported.    |
-|Application | Directory.Read.All, AppRoleAssignment.ReadWrite.All |
-
--->
-
 The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow [best practices](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions) to request least privileged permissions. For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
 
 <!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
@@ -69,6 +30,18 @@ The following table shows the least privileged permission or permissions require
 
 [!INCLUDE [rbac-approleassignments-apis-read](../includes/rbac-for-apis/rbac-approleassignments-apis-read.md)]
 
+### Other supported permissions
+
+The following higher privileged permissions are supported by each resource:
+- Groups:
+  - Delegated and application permissions: Directory.Read.All, AppRoleAssignment.ReadWrite.All, Directory.ReadWrite.All
+- Users: 
+  - Delegated permissions: User.ReadBasic.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All
+  - Application permissions: Directory.Read.All, AppRoleAssignment.ReadWrite.All
+- Service principals:
+  - Delegated permissions: Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All
+  - Application permissions: Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.ReadWrite.All
+
 ## HTTP request
 
 To get details of an appRole granted to a service principal:

api-reference/beta/api/group-delete-approleassignments.md

@@ -24,6 +24,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "group_delete_approleassignments" } -->
 [!INCLUDE [permissions-table](../includes/permissions/group-delete-approleassignments-permissions.md)]
 
+[!INCLUDE [rbac-approleassignments-apis-write](../includes/rbac-for-apis/rbac-approleassignments-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/beta/api/group-list-approleassignments.md

@@ -24,6 +24,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "group_list_approleassignments" } -->
 [!INCLUDE [permissions-table](../includes/permissions/group-list-approleassignments-permissions.md)]
 
+[!INCLUDE [rbac-approleassignments-apis-read](../includes/rbac-for-apis/rbac-approleassignments-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/beta/api/group-post-approleassignments.md

@@ -30,6 +30,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "group_post_approleassignments" } -->
 [!INCLUDE [permissions-table](../includes/permissions/group-post-approleassignments-permissions.md)]
 
+[!INCLUDE [rbac-approleassignments-apis-write](../includes/rbac-for-apis/rbac-approleassignments-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/beta/api/serviceprincipal-list-approleassignedto.md

@@ -30,7 +30,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "serviceprincipal_list_approleassignedto" } -->
 [!INCLUDE [permissions-table](../includes/permissions/serviceprincipal-list-approleassignedto-permissions.md)]
 
-[!INCLUDE [rbac-approleassignments-apis-write](../includes/rbac-for-apis/rbac-approleassignments-apis-write.md)]
+[!INCLUDE [rbac-approleassignments-apis-read](../includes/rbac-for-apis/rbac-approleassignments-apis-read.md)]
 
 
 ## HTTP request

api-reference/beta/api/serviceprincipal-list-approleassignments.md

@@ -31,7 +31,7 @@ Choose the permission or permissions marked as least privileged for this API. Us
 
 
 
-[!INCLUDE [rbac-approleassignments-apis-write](../includes/rbac-for-apis/rbac-approleassignments-apis-write.md)]
+[!INCLUDE [rbac-approleassignments-apis-read](../includes/rbac-for-apis/rbac-approleassignments-apis-read.md)]
 
 
 ## HTTP request

api-reference/beta/api/user-delete-approleassignments.md

@@ -24,6 +24,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "user_delete_approleassignments" } -->
 [!INCLUDE [permissions-table](../includes/permissions/user-delete-approleassignments-permissions.md)]
 
+[!INCLUDE [rbac-approleassignments-apis-write](../includes/rbac-for-apis/rbac-approleassignments-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/beta/api/user-list-approleassignments.md

@@ -27,6 +27,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "user_list_approleassignments" } -->
 [!INCLUDE [permissions-table](../includes/permissions/user-list-approleassignments-permissions.md)]
 
+[!INCLUDE [rbac-approleassignments-apis-read](../includes/rbac-for-apis/rbac-approleassignments-apis-read.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/beta/api/user-post-approleassignments.md

@@ -28,6 +28,8 @@ Choose the permission or permissions marked as least privileged for this API. Us
 <!-- { "blockType": "permissions", "name": "user_post_approleassignments" } -->
 [!INCLUDE [permissions-table](../includes/permissions/user-post-approleassignments-permissions.md)]
 
+[!INCLUDE [rbac-approleassignments-apis-write](../includes/rbac-for-apis/rbac-approleassignments-apis-write.md)]
+
 ## HTTP request
 
 <!-- { "blockType": "ignored" } -->

api-reference/beta/includes/rbac-for-apis/rbac-approleassignments-apis-read.md

@@ -3,15 +3,17 @@ author: psignoret
 ms.topic: include
 ---
 
-In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
-
-- Directory Readers
-- Guest Inviter - Read app role assignments for users only
-- Directory Synchronization Accounts - for Microsoft Entra Connect and Microsoft Entra Cloud Sync services
-- Directory Writer
-- Hybrid Identity Administrator
-- Identity Governance Administrator
-- Privileged Role Administrator
-- User Administrator
-- Application Administrator
-- Cloud Application Administrator
+> [!IMPORTANT]
+> 
+> In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with a supported role permission. The following least privileged roles are supported for this operation:
+> 
+> - Guest Inviter - Read app role assignments for users only
+> - Directory Readers
+> - Directory Synchronization Accounts - for Microsoft Entra Connect and Microsoft Entra Cloud Sync services
+> - Directory Writer
+> - Hybrid Identity Administrator
+> - Identity Governance Administrator
+> - Privileged Role Administrator
+> - User Administrator
+> - Application Administrator
+> - Cloud Application Administrator