Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Caution
This version of the Privileged Identity Management (PIM) API for Azure resources is deprecated and will stop returning data on October 28, 2026. Use the new Azure REST PIM API for Azure resource roles.
Enable administrators to update their decisions (AdminApproved or AdminDenied) on governanceRoleAssignmentRequests that are in status of PendingAdminDecision.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ❌ |
Permissions
The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|---|---|---|---|
| Microsoft Entra ID | PrivilegedAccess.ReadWrite.AzureAD | Not supported. | Not supported. |
| Azure resources | PrivilegedAccess.ReadWrite.AzureResources | Not supported. | Not supported. |
| group | PrivilegedAccess.ReadWrite.AzureADGroup | Not supported. | Not supported. |
The requester must also have at least one active administrator role assignment (owner or user access administrator) on the resource that the governanceRoleAssignmentRequest belongs to.
HTTP request
POST /privilegedAccess/azureResources/roleAssignmentRequests/{id}/updateRequest
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-type | application/json |
Request body
| Parameters | Type | Required | Description |
|---|---|---|---|
| reason | String | ✓ | The reason provided by the administrator for his decision. |
| decision | String | ✓ | The administrator decision of the role assignment request. The value should be updated as AdminApproved or AdminDenied. |
| schedule | governanceSchedule | The schedule of the role assignment request. For status of AdminApproved, it is required. |
|
| assignmentState | String | The state of assignment, and the values can be Eligible or Active. For decision of AdminApproved, it is required. |
Response
This method can only be applied to requests that are in status of PendingAdminDecision.
If successful, this method returns a 204 No Content response code. It doesn't return anything in the response body.
Example
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests/7c53453e-d5a4-41e0-8eb1-32d5ec8bfdee/updateRequest
Request body
{
"reason":"approve the request to extend role assignment",
"schedule":{
"type":"Once",
"startDateTime":"2018-02-20T07:31:13.451Z",
"stopDateTime":"2018-05-21T07:31:13.451Z",
},
"decision":"AdminApproved",
"assignmentState": "Eligible"
}
Response
HTTP/1.1 204 No Content