Espacio de nombres: microsoft.graph
Importante
Las API de la versión /beta de Microsoft Graph están sujetas a cambios. No se admite el uso de estas API en aplicaciones de producción. Para determinar si una API está disponible en la versión 1.0, use el selector de Versión.
Cree un nuevo objeto unifiedRoleDefinition para un proveedor de RBAC. Esta característica requiere una licencia Microsoft Entra ID P1 o P2.
Actualmente se admiten los siguientes proveedores de RBAC:
- PC en la nube.
- administración de dispositivos (Intune)
- Defender (Microsoft Defender XDR)
- directorio (Microsoft Entra ID)
Esta API está disponible en las siguientes implementaciones nacionales de nube.
| Servicio global |
Gobierno de EE. UU. L4 |
Us Government L5 (DOD) |
China operada por 21Vianet |
| ✅ |
✅ |
✅ |
✅ |
Permissions
En las tablas siguientes se muestran los permisos o permisos con privilegios mínimos necesarios para llamar a esta API en cada tipo de recurso admitido. Siga los procedimientos recomendados para solicitar permisos con privilegios mínimos. Para obtener más información sobre los permisos delegados y de aplicación, consulte Tipos de permisos. Para obtener más información sobre estos permisos, consulte la referencia de permisos.
Para un proveedor de PC en la nube
| Tipo de permiso |
Permisos con privilegios mínimos |
Permisos con privilegios más altos |
| Delegado (cuenta profesional o educativa) |
DeviceManagementRBAC.ReadWrite.All |
CloudPC.ReadWrite.All, Directory.ReadWrite.All, RoleManagement.ReadWrite.CloudPC, RoleManagement.ReadWrite.Directory |
| Delegado (cuenta personal de Microsoft) |
No admitida. |
No admitida. |
| Aplicación |
DeviceManagementRBAC.ReadWrite.All |
CloudPC.ReadWrite.All, Directory.ReadWrite.All, RoleManagement.ReadWrite.CloudPC, RoleManagement.ReadWrite.Directory |
Para un proveedor de administración de dispositivos (Intune)
| Tipo de permiso |
Permisos con privilegios mínimos |
Permisos con privilegios más altos |
| Delegado (cuenta profesional o educativa) |
RoleManagement.ReadWrite.Defender |
No disponible. |
| Delegado (cuenta personal de Microsoft) |
No admitida. |
No admitida. |
| Aplicación |
RoleManagement.ReadWrite.Defender |
No disponible. |
Para un proveedor de Defender
| Tipo de permiso |
Permisos con privilegios mínimos |
Permisos con privilegios más altos |
| Delegado (cuenta profesional o educativa) |
RoleManagement.ReadWrite.Directory |
Directory.ReadWrite.All |
| Delegado (cuenta personal de Microsoft) |
No admitida. |
No admitida. |
| Aplicación |
RoleManagement.ReadWrite.Directory |
Directory.ReadWrite.All |
Para un proveedor de directorios (Microsoft Entra ID)
| Tipo de permiso |
Permisos con privilegios mínimos |
Permisos con privilegios más altos |
| Delegado (cuenta profesional o educativa) |
DeviceManagementRBAC.ReadWrite.All |
CloudPC.ReadWrite.All, Directory.ReadWrite.All, RoleManagement.ReadWrite.CloudPC, RoleManagement.ReadWrite.Directory |
| Delegado (cuenta personal de Microsoft) |
No admitida. |
No admitida. |
| Aplicación |
DeviceManagementRBAC.ReadWrite.All |
CloudPC.ReadWrite.All, Directory.ReadWrite.All, RoleManagement.ReadWrite.CloudPC, RoleManagement.ReadWrite.Directory |
Importante
En escenarios delegados con cuentas profesionales o educativas, al usuario que ha iniciado sesión se le debe asignar un rol de Microsoft Entra compatible o un rol personalizado con un permiso de rol admitido.
Privileged Role Administrator es el rol con privilegios mínimos admitido para esta operación.
Solicitud HTTP
Para crear una definición de rol para un proveedor de administración de dispositivos:
POST /roleManagement/deviceManagement/roleDefinitions
Para crear una definición de rol para un proveedor de Defender:
POST /roleManagement/defender/roleDefinitions
Para crear una definición de rol para un proveedor de directorios:
POST /roleManagement/directory/roleDefinitions
Para crear una definición de rol para un proveedor de PC en la nube:
POST /roleManagement/cloudPc/roleDefinitions
Cuerpo de la solicitud
En el cuerpo de la solicitud, proporcione una representación JSON del objeto unifiedRoleDefinition .
En la tabla siguiente se muestran las propiedades necesarias al crear un roleDefinition.
| Parámetro |
Tipo |
Descripción |
| displayName |
string |
Nombre para mostrar de la definición de rol. |
| isEnabled |
Boolean |
Marca que indica si el rol está habilitado para la asignación. Si es false, el rol no está disponible para la asignación. |
| rolePermissions |
unifiedRolePermission (colección) |
Lista de permisos incluidos en el rol. |
Respuesta
Si se ejecuta correctamente, este método devuelve 201 Created código de respuesta y un nuevo objeto unifiedRoleDefinition en el cuerpo de la respuesta.
Ejemplo 1: Creación de un rol personalizado para un proveedor de directorios
Solicitud
POST https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions
Content-type: application/json
{
"description": "Update basic properties of application registrations",
"displayName": "Application Registration Support Administrator",
"rolePermissions":
[
{
"allowedResourceActions":
[
"microsoft.directory/applications/basic/read"
]
}
],
"isEnabled" : "true"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new UnifiedRoleDefinition
{
Description = "Update basic properties of application registrations",
DisplayName = "Application Registration Support Administrator",
RolePermissions = new List<UnifiedRolePermission>
{
new UnifiedRolePermission
{
AllowedResourceActions = new List<string>
{
"microsoft.directory/applications/basic/read",
},
},
},
IsEnabled = true,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleDefinitions.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleDefinition()
description := "Update basic properties of application registrations"
requestBody.SetDescription(&description)
displayName := "Application Registration Support Administrator"
requestBody.SetDisplayName(&displayName)
unifiedRolePermission := graphmodels.NewUnifiedRolePermission()
allowedResourceActions := []string {
"microsoft.directory/applications/basic/read",
}
unifiedRolePermission.SetAllowedResourceActions(allowedResourceActions)
rolePermissions := []graphmodels.UnifiedRolePermissionable {
unifiedRolePermission,
}
requestBody.SetRolePermissions(rolePermissions)
isEnabled := true
requestBody.SetIsEnabled(&isEnabled)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleDefinitions, err := graphClient.RoleManagement().Directory().RoleDefinitions().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleDefinition unifiedRoleDefinition = new UnifiedRoleDefinition();
unifiedRoleDefinition.setDescription("Update basic properties of application registrations");
unifiedRoleDefinition.setDisplayName("Application Registration Support Administrator");
LinkedList<UnifiedRolePermission> rolePermissions = new LinkedList<UnifiedRolePermission>();
UnifiedRolePermission unifiedRolePermission = new UnifiedRolePermission();
LinkedList<String> allowedResourceActions = new LinkedList<String>();
allowedResourceActions.add("microsoft.directory/applications/basic/read");
unifiedRolePermission.setAllowedResourceActions(allowedResourceActions);
rolePermissions.add(unifiedRolePermission);
unifiedRoleDefinition.setRolePermissions(rolePermissions);
unifiedRoleDefinition.setIsEnabled(true);
UnifiedRoleDefinition result = graphClient.roleManagement().directory().roleDefinitions().post(unifiedRoleDefinition);
const options = {
authProvider,
};
const client = Client.init(options);
const unifiedRoleDefinition = {
description: 'Update basic properties of application registrations',
displayName: 'Application Registration Support Administrator',
rolePermissions:
[
{
allowedResourceActions:
[
'microsoft.directory/applications/basic/read'
]
}
],
isEnabled: 'true'
};
await client.api('/roleManagement/directory/roleDefinitions')
.version('beta')
.post(unifiedRoleDefinition);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRoleDefinition;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRolePermission;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new UnifiedRoleDefinition();
$requestBody->setDescription('Update basic properties of application registrations');
$requestBody->setDisplayName('Application Registration Support Administrator');
$rolePermissionsUnifiedRolePermission1 = new UnifiedRolePermission();
$rolePermissionsUnifiedRolePermission1->setAllowedResourceActions(['microsoft.directory/applications/basic/read', ]);
$rolePermissionsArray []= $rolePermissionsUnifiedRolePermission1;
$requestBody->setRolePermissions($rolePermissionsArray);
$requestBody->setIsEnabled(true);
$result = $graphServiceClient->roleManagement()->directory()->roleDefinitions()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
description = "Update basic properties of application registrations"
displayName = "Application Registration Support Administrator"
rolePermissions = @(
@{
allowedResourceActions = @(
"microsoft.directory/applications/basic/read"
)
}
)
isEnabled = "true"
}
New-MgBetaRoleManagementDirectoryRoleDefinition -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.unified_role_definition import UnifiedRoleDefinition
from msgraph_beta.generated.models.unified_role_permission import UnifiedRolePermission
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleDefinition(
description = "Update basic properties of application registrations",
display_name = "Application Registration Support Administrator",
role_permissions = [
UnifiedRolePermission(
allowed_resource_actions = [
"microsoft.directory/applications/basic/read",
],
),
],
is_enabled = True,
)
result = await graph_client.role_management.directory.role_definitions.post(request_body)
Respuesta
En el ejemplo siguiente se muestra la respuesta.
Nota: Se puede acortar el objeto de respuesta que se muestra aquí para mejorar la legibilidad.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleDefinitions/$entity",
"id": "d5eec5e0-6992-4c6b-b430-0f833f1a815a",
"description": "Update basic properties of application registrations",
"displayName": "Application Registration Support Administrator",
"isBuiltIn": false,
"isEnabled": true,
"templateId": "d5eec5e0-6992-4c6b-b430-0f833f1a815a",
"version": null,
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/applications/standard/read",
"microsoft.directory/applications/basic/update"
],
"condition": null
}
],
"inheritsPermissionsFrom": []
}
Ejemplo 2: Creación de un rol personalizado para un proveedor de PC en la nube
Solicitud
POST https://graph.microsoft.com/beta/roleManagement/cloudPC/roleDefinitions
Content-type: application/json
{
"description": "An example custom role",
"displayName": "ExampleCustomRole",
"rolePermissions":
[
{
"allowedResourceActions":
[
"Microsoft.CloudPC/CloudPCs/Read"
]
}
],
"condition" : "null"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new UnifiedRoleDefinition
{
Description = "An example custom role",
DisplayName = "ExampleCustomRole",
RolePermissions = new List<UnifiedRolePermission>
{
new UnifiedRolePermission
{
AllowedResourceActions = new List<string>
{
"Microsoft.CloudPC/CloudPCs/Read",
},
},
},
AdditionalData = new Dictionary<string, object>
{
{
"condition" , "null"
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.CloudPC.RoleDefinitions.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleDefinition()
description := "An example custom role"
requestBody.SetDescription(&description)
displayName := "ExampleCustomRole"
requestBody.SetDisplayName(&displayName)
unifiedRolePermission := graphmodels.NewUnifiedRolePermission()
allowedResourceActions := []string {
"Microsoft.CloudPC/CloudPCs/Read",
}
unifiedRolePermission.SetAllowedResourceActions(allowedResourceActions)
rolePermissions := []graphmodels.UnifiedRolePermissionable {
unifiedRolePermission,
}
requestBody.SetRolePermissions(rolePermissions)
additionalData := map[string]interface{}{
"condition" : "null",
}
requestBody.SetAdditionalData(additionalData)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleDefinitions, err := graphClient.RoleManagement().CloudPC().RoleDefinitions().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleDefinition unifiedRoleDefinition = new UnifiedRoleDefinition();
unifiedRoleDefinition.setDescription("An example custom role");
unifiedRoleDefinition.setDisplayName("ExampleCustomRole");
LinkedList<UnifiedRolePermission> rolePermissions = new LinkedList<UnifiedRolePermission>();
UnifiedRolePermission unifiedRolePermission = new UnifiedRolePermission();
LinkedList<String> allowedResourceActions = new LinkedList<String>();
allowedResourceActions.add("Microsoft.CloudPC/CloudPCs/Read");
unifiedRolePermission.setAllowedResourceActions(allowedResourceActions);
rolePermissions.add(unifiedRolePermission);
unifiedRoleDefinition.setRolePermissions(rolePermissions);
HashMap<String, Object> additionalData = new HashMap<String, Object>();
additionalData.put("condition", "null");
unifiedRoleDefinition.setAdditionalData(additionalData);
UnifiedRoleDefinition result = graphClient.roleManagement().cloudPC().roleDefinitions().post(unifiedRoleDefinition);
const options = {
authProvider,
};
const client = Client.init(options);
const unifiedRoleDefinition = {
description: 'An example custom role',
displayName: 'ExampleCustomRole',
rolePermissions:
[
{
allowedResourceActions:
[
'Microsoft.CloudPC/CloudPCs/Read'
]
}
],
condition: 'null'
};
await client.api('/roleManagement/cloudPC/roleDefinitions')
.version('beta')
.post(unifiedRoleDefinition);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRoleDefinition;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRolePermission;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new UnifiedRoleDefinition();
$requestBody->setDescription('An example custom role');
$requestBody->setDisplayName('ExampleCustomRole');
$rolePermissionsUnifiedRolePermission1 = new UnifiedRolePermission();
$rolePermissionsUnifiedRolePermission1->setAllowedResourceActions(['Microsoft.CloudPC/CloudPCs/Read', ]);
$rolePermissionsArray []= $rolePermissionsUnifiedRolePermission1;
$requestBody->setRolePermissions($rolePermissionsArray);
$additionalData = [
'condition' => 'null',
];
$requestBody->setAdditionalData($additionalData);
$result = $graphServiceClient->roleManagement()->cloudPC()->roleDefinitions()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.DeviceManagement.Enrollment
$params = @{
description = "An example custom role"
displayName = "ExampleCustomRole"
rolePermissions = @(
@{
allowedResourceActions = @(
"Microsoft.CloudPC/CloudPCs/Read"
)
}
)
condition = "null"
}
New-MgBetaRoleManagementCloudPcRoleDefinition -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.unified_role_definition import UnifiedRoleDefinition
from msgraph_beta.generated.models.unified_role_permission import UnifiedRolePermission
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleDefinition(
description = "An example custom role",
display_name = "ExampleCustomRole",
role_permissions = [
UnifiedRolePermission(
allowed_resource_actions = [
"Microsoft.CloudPC/CloudPCs/Read",
],
),
],
additional_data = {
"condition" : "null",
}
)
result = await graph_client.role_management.cloud_p_c.role_definitions.post(request_body)
Respuesta
En el ejemplo siguiente se muestra la respuesta.
Nota: Se puede acortar el objeto de respuesta que se muestra aquí para mejorar la legibilidad.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/cloudPc/roleDefinitions/$entity",
"id": "b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff",
"description": "An example custom role",
"displayName": "ExampleCustomRole",
"isBuiltIn": false,
"isEnabled": true,
"templateId": "b7f5ddc1-b7dc-4d37-abce-b9d6fc15ffff",
"version": null,
"rolePermissions": [
{
"allowedResourceActions": [
"Microsoft.CloudPC/CloudPCs/Read"
],
"condition": null
}
],
"resourceScopes":["/"]
}
Ejemplo 3: Creación de un rol personalizado para un proveedor de Defender
Solicitud
POST https://graph.microsoft.com/beta/roleManagement/defender/roleDefinitions
Content-type: application/json
{
"description": "Role 1 description",
"displayName": "Role 1",
"rolePermissions":
[
{
"allowedResourceActions":
[
"microsoft.xdr/securityposture/read"
]
}
]
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new UnifiedRoleDefinition
{
Description = "Role 1 description",
DisplayName = "Role 1",
RolePermissions = new List<UnifiedRolePermission>
{
new UnifiedRolePermission
{
AllowedResourceActions = new List<string>
{
"microsoft.xdr/securityposture/read",
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Defender.RoleDefinitions.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewUnifiedRoleDefinition()
description := "Role 1 description"
requestBody.SetDescription(&description)
displayName := "Role 1"
requestBody.SetDisplayName(&displayName)
unifiedRolePermission := graphmodels.NewUnifiedRolePermission()
allowedResourceActions := []string {
"microsoft.xdr/securityposture/read",
}
unifiedRolePermission.SetAllowedResourceActions(allowedResourceActions)
rolePermissions := []graphmodels.UnifiedRolePermissionable {
unifiedRolePermission,
}
requestBody.SetRolePermissions(rolePermissions)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleDefinitions, err := graphClient.RoleManagement().Defender().RoleDefinitions().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
UnifiedRoleDefinition unifiedRoleDefinition = new UnifiedRoleDefinition();
unifiedRoleDefinition.setDescription("Role 1 description");
unifiedRoleDefinition.setDisplayName("Role 1");
LinkedList<UnifiedRolePermission> rolePermissions = new LinkedList<UnifiedRolePermission>();
UnifiedRolePermission unifiedRolePermission = new UnifiedRolePermission();
LinkedList<String> allowedResourceActions = new LinkedList<String>();
allowedResourceActions.add("microsoft.xdr/securityposture/read");
unifiedRolePermission.setAllowedResourceActions(allowedResourceActions);
rolePermissions.add(unifiedRolePermission);
unifiedRoleDefinition.setRolePermissions(rolePermissions);
UnifiedRoleDefinition result = graphClient.roleManagement().defender().roleDefinitions().post(unifiedRoleDefinition);
const options = {
authProvider,
};
const client = Client.init(options);
const unifiedRoleDefinition = {
description: 'Role 1 description',
displayName: 'Role 1',
rolePermissions:
[
{
allowedResourceActions:
[
'microsoft.xdr/securityposture/read'
]
}
]
};
await client.api('/roleManagement/defender/roleDefinitions')
.version('beta')
.post(unifiedRoleDefinition);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRoleDefinition;
use Microsoft\Graph\Beta\Generated\Models\UnifiedRolePermission;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new UnifiedRoleDefinition();
$requestBody->setDescription('Role 1 description');
$requestBody->setDisplayName('Role 1');
$rolePermissionsUnifiedRolePermission1 = new UnifiedRolePermission();
$rolePermissionsUnifiedRolePermission1->setAllowedResourceActions(['microsoft.xdr/securityposture/read', ]);
$rolePermissionsArray []= $rolePermissionsUnifiedRolePermission1;
$requestBody->setRolePermissions($rolePermissionsArray);
$result = $graphServiceClient->roleManagement()->defender()->roleDefinitions()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.unified_role_definition import UnifiedRoleDefinition
from msgraph_beta.generated.models.unified_role_permission import UnifiedRolePermission
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleDefinition(
description = "Role 1 description",
display_name = "Role 1",
role_permissions = [
UnifiedRolePermission(
allowed_resource_actions = [
"microsoft.xdr/securityposture/read",
],
),
],
)
result = await graph_client.role_management.defender.role_definitions.post(request_body)
Respuesta
En el ejemplo siguiente se muestra la respuesta.
Nota: Se puede acortar el objeto de respuesta que se muestra aquí para mejorar la legibilidad.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/defender/roleDefinitions/$entity",
"id": "d5eec5e0-6992-4c6b-b430-0f833f1a815b",
"description": "Role 1 description",
"displayName": "Role 1",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.xdr/securityposture/read"
]
}
]
}