Merge pull request #28784 from microsoftgraph/main

Auto Publish – main to live - 2026-05-01 00:30 UTC

Author: learn-build-service-prod[bot]

.gitignore

@@ -1,5 +1,6 @@
 # Visual Studio Code Settings
 .vscode/
+.vscode/settings.json
 
 # Test-Docs.ps1 related files
 nuget.exe
@@ -10,4 +11,4 @@ apidoc.exe
 .DS_Store
 
 # Unotes related files
-.unotes/
+.unotes/

api-reference/beta/api/accesspackage-post-accesspackageresourcerolescopes.md

@@ -409,3 +409,211 @@ Content-type: application/json
     "modifiedDateTime": "2019-12-11T01:35:26.4754081Z"
 }
 ```
+
+### Example 5: Add an Active Subscription scoped to a Resource Group Resource Role to an access package
+
+#### Request
+
+The following example shows a request to add an active Subscription scoped to a Resource Group Resource Role to an access package.
+
+Before this request, you must have already added the access package resource `b09a0288-a83e-4ae6-8a53-bc09aeb966ea` for the Subscription `828b526f-c769-4b19-9797-734b4843b978` to the access package catalog containing this access package. The resource could have been added to the catalog by [creating an access package resource request](/graph/api/entitlementmanagement-post-accesspackageresourcerequests?view=graph-rest-beta).
+
+<!-- {
+  "blockType": "request",
+  "name": "create_accesspackageresourcerolescope_from_accesspackage_subscription"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/5f7f4c7d-b3f5-4988-a17b-3f09b6f5a9ee/accessPackageResourceRoleScopes
+Content-type: application/json
+
+{
+    "accessPackageResourceRole": {
+        "originId": "/subscriptions/828b526f-c769-4b19-9797-734b4843b978/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475",
+        "displayName": "Access Review Operator Service Role",
+        "description": "Lets you grant Access Review System app permissions to discover and revoke access as needed by the access review process.",
+        "accessPackageResource": {
+            "id": "b09a0288-a83e-4ae6-8a53-bc09aeb966ea",
+            "description": "Dev",
+            "displayName": "Dev",
+            "resourceType": "Subscription",
+            "originId": "/subscriptions/828b526f-c769-4b19-9797-734b4843b978",
+            "originSystem": "AzureResources"
+        },
+        "originSystem": "AzureResources",
+        "type": "active"
+    },
+    "accessPackageResourceScope": {
+        "id": "e1e0ec8c-472d-4ec5-a8f9-29e0bc275640",
+        "description": "/resourceGroups/rg",
+        "displayName": "/resourceGroups/rg",
+        "isRootScope": false,
+                "originSystem": "AzureResources",
+                "originId": "/subscriptions/828b526f-c769-4b19-9797-734b4843b978/resourceGroups/rg"
+            }
+        }
+```
+
+#### Response
+
+The following example shows the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.accessPackageResourceRoleScope"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+  "id": "34b2d7de-e8d6-4ba8-843e-a03546feac63_e1e0ec8c-472d-4ec5-a8f9-29e0bc275640",
+  "createdBy": "admin@example.com",
+  "createdDateTime": "2026-02-09T22:31:55.3690356Z",
+  "modifiedBy": "admin@example.com",
+  "modifiedDateTime": "2026-02-09T22:31:55.3690356Z"
+}
+```
+
+### Example 6: Add Eligible Management Group Resource Role to an access package
+
+#### Request
+
+The following example shows a request to add an eligible Management Group scoped to a Resource Role to an access package.
+
+Before this request, you must have already added the access package resource `c347ca9b-a9cc-4df9-bc3c-00c8e0297692` for the Management Group `test-mgmtgroup` to the access package catalog containing this access package. The resource could have been added to the catalog by [creating an access package resource request](/graph/api/entitlementmanagement-post-accesspackageresourcerequests?view=graph-rest-beta).
+
+<!-- {
+  "blockType": "request",
+  "name": "create_accesspackageresourcerolescope_from_accesspackage_subscription_management_group"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/5f7f4c7d-b3f5-4988-a17b-3f09b6f5a9ee/accessPackageResourceRoleScopes
+Content-type: application/json
+
+{
+    "accessPackageResourceRole": {
+        "id": "055c76c1-a466-4f1a-9279-4a2ccaa7ac3e",
+        "originId": "/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475",
+        "displayName": "Access Review Operator Service Role",
+        "description": "Lets you grant Access Review System app permissions to discover and revoke access as needed by the access review process.",
+        "accessPackageResource": {
+            "id": "c347ca9b-a9cc-4df9-bc3c-00c8e0297692",
+            "description": "test-mgmtgroup",
+            "displayName": "test-mgmtgroup",
+            "resourceType": "ManagementGroup",
+            "originId": "/providers/Microsoft.Management/managementGroups/test-mgmtgroup",
+            "originSystem": "AzureResources"
+        },
+        "originSystem": "AzureResources",
+        "type": "eligible"
+    },
+    "accessPackageResourceScope": {
+        "id": "338613b3-b410-4c6d-b5e9-45590bc8a357",
+        "displayName": "Root",
+        "description": "Root Scope",
+        "originId": "/providers/Microsoft.Management/managementGroups/test-mgmtgroup",
+        "originSystem": "AzureResources",
+        "isRootScope": true
+    }
+}
+```
+
+#### Response
+
+The following example shows the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.accessPackageResourceRoleScope"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+  "id": "055c76c1-a466-4f1a-9279-4a2ccaa7ac3e_338613b3-b410-4c6d-b5e9-45590bc8a357",
+  "createdBy": "admin@example.com",
+  "createdDateTime": "2026-02-09T22:23:14.8561335Z",
+  "modifiedBy": "admin@example.com",
+  "modifiedDateTime": "2026-02-09T22:23:14.8561335Z"
+}
+```
+
+### Example 7: Add Active Subscription Resource Role to access package
+
+#### Request
+
+The following example shows a request to Add Active Subscription Resource Role to an access package scoped to a Resource Role to an access package.
+
+Before this request, you must have already added the access package resource `b09a0288-a83e-4ae6-8a53-bc09aeb966ea` for the Subscription `828b526f-c769-4b19-9797-734b4843b978` to the access package catalog containing this access package. The resource could have been added to the catalog by [creating an access package resource request](/graph/api/entitlementmanagement-post-accesspackageresourcerequests?view=graph-rest-beta).
+
+<!-- {
+  "blockType": "request",
+  "name": "create_accesspackageresourcerolescope_from_accesspackage_subscription_management_active"
+}-->
+
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/5f7f4c7d-b3f5-4988-a17b-3f09b6f5a9ee/accessPackageResourceRoleScopes
+Content-type: application/json
+
+{
+    "accessPackageResourceRole": {
+        "originId": "/subscriptions/828b526f-c769-4b19-9797-734b4843b978/providers/Microsoft.Authorization/roleDefinitions/76cc9ee4-d5d3-4a45-a930-26add3d73475",
+        "displayName": "Access Review Operator Service Role",
+        "description": "Lets you grant Access Review System app permissions to discover and revoke access as needed by the access review process.",
+        "accessPackageResource": {
+            "id": "b09a0288-a83e-4ae6-8a53-bc09aeb966ea",
+            "description": "Dev",
+            "displayName": "Dev",
+            "resourceType": "Subscription",
+            "originId": "/subscriptions/828b526f-c769-4b19-9797-734b4843b978",
+            "originSystem": "AzureResources"
+        },
+        "originSystem": "AzureResources",
+        "type": "active"
+    },
+    "accessPackageResourceScope": {
+        "id": "c66c1e22-1093-46fb-a8a8-c0e334113ca4",
+        "description": "Root",
+        "displayName": "Root",
+        "isRootScope": true,
+        "originSystem": "AzureResources",
+        "originId": "/subscriptions/828b526f-c769-4b19-9797-734b4843b978"
+    }
+}
+```
+
+#### Response
+
+The following example shows the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.accessPackageResourceRoleScope"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+  "id": "34b2d7de-e8d6-4ba8-843e-a03546feac63_c66c1e22-1093-46fb-a8a8-c0e334113ca4",
+  "createdBy": "admin@example.com",
+  "createdDateTime": "2026-02-09T22:29:40.3420825Z",
+  "modifiedBy": "admin@example.com",
+  "modifiedDateTime": "2026-02-09T22:29:40.3420825Z"
+}
+```

api-reference/beta/api/agentidentityblueprint-post.md

@@ -21,7 +21,7 @@ Create a new [agent identity blueprint](../resources/agentidentityblueprint.md)
 Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
 
 
-<!-- { "blockType": "permissions", "name": "application_post_applications" } -->
+<!-- { "blockType": "permissions", "name": "agentidentityblueprint_post" } -->
 [!INCLUDE [permissions-table](../includes/permissions/agentidentityblueprint-post-permissions.md)]
 
 [!INCLUDE [rbac-agentid-apis-write](../includes/rbac-for-apis/rbac-agentid-apis-write.md)]
@@ -43,7 +43,7 @@ In the request body, supply a JSON representation of [agent identity blueprint](
 
 ## Response
 
-If successful, this method returns `201 Created` response code and an [agent identity blueprint](../resources/agentidentityblueprint.md) object in the response body.
+If successful, this method returns `201 Created` response code and an [agentIdentityBlueprint](../resources/agentidentityblueprint.md) object in the response body.
 
 ## Examples
 
@@ -82,4 +82,4 @@ Content-type: application/json
     "requiredResourceAccess": [],
     "signInAudience": "AzureADMyOrg"
 }
-```
+```

api-reference/beta/api/authenticationeventlistener-delete.md

@@ -26,6 +26,7 @@ Delete an [authenticationEventListener](../resources/authenticationeventlistener
 - [onEmailOtpSendListener](../resources/onemailotpsendlistener.md) resource type
 - [onPasswordSubmitListener](../resources/onpasswordsubmitlistener.md) resource type
 - [onFraudProtectionLoadStartListener](../resources/onfraudprotectionloadstartlistener.md) resource type
+- [onVerifiedIdClaimValidationListener](../resources/onverifiedidclaimvalidationlistener.md) resource type
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
 

api-reference/beta/api/authenticationeventlistener-get.md

@@ -26,6 +26,7 @@ Read the properties and relationships of an [authenticationEventListener](../res
 - [onEmailOtpSendListener](../resources/onemailotpsendlistener.md) resource type
 - [onPasswordSubmitListener](../resources/onpasswordsubmitlistener.md) resource type
 - [onFraudProtectionLoadStartListener](../resources/onfraudprotectionloadstartlistener.md) resource type
+- [onVerifiedIdClaimValidationListener](../resources/onverifiedidclaimvalidationlistener.md) resource type
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
 

api-reference/beta/api/authenticationeventlistener-update.md

@@ -26,6 +26,7 @@ Update the properties of an [authenticationEventListener](../resources/authentic
 - [onEmailOtpSendListener](../resources/onemailotpsendlistener.md) resource type
 - [onPasswordSubmitListener](../resources/onpasswordsubmitlistener.md) resource type
 - [onFraudProtectionLoadStartListener](../resources/onfraudprotectionloadstartlistener.md) resource type
+- [onVerifiedIdClaimValidationListener](../resources/onverifiedidclaimvalidationlistener.md) resource type
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
 
@@ -73,6 +74,7 @@ You must specify the **@odata.type** property and the value of the [authenticati
 |handler|[onPhoneMethodLoadStartHandler](../resources/onphonemethodloadstarthandler.md) | The handler to invoke when conditions are met. Can be updated for the **onPhoneMethodStartListener** type. |
 |handler|[onPasswordSubmitHandler](../resources/onpasswordsubmithandler.md) | The handler to invoke when conditions are met. Can be updated for the **onPasswordSubmitListener** type. |
 |handler|[onFraudProtectionLoadStartHandler](../resources/onFraudProtectionLoadStartHandler.md) | The handler to invoke when conditions are met. Can be updated for the **onFraudProtectionLoadStartListener** type. |
+|handler|[onVerifiedIdClaimValidationCustomExtensionHandler](../resources/onverifiedidclaimvalidationcustomextensionhandler.md) | The handler to invoke when conditions are met. Can be updated for the **onVerifiedIdClaimValidationListener** type. |
 |priority|Int32|The priority of this handler. Between 0 (lower priority) and 1000 (higher priority). Required.|
 
 ## Response
@@ -217,3 +219,47 @@ Content-Type: application/json
     "appId": "63856651-13d9-4784-9abf-20758d509e19"
 }
 ```
+
+### Example 3: Update an onVerifiedIdClaimValidationListener object
+
+#### Request
+The following example shows a request to update an onVerifiedIdClaimValidationListener object.
+<!-- {
+  "blockType": "request",
+  "name": "update_authenticationeventlistener_onVerifiedIdClaimValidationListener"
+}
+-->
+``` http
+PATCH https://graph.microsoft.com/beta/identity/authenticationEventListeners/6a7455ef-0906-bbc3-f902-0f9ab8903082
+Content-Type: application/json
+
+{
+    "@odata.type": "#microsoft.graph.onVerifiedIdClaimValidationListener",
+    "displayName": "Verified ID Claim Validation Listener (updated)",
+    "handler": {
+        "@odata.type": "#microsoft.graph.onVerifiedIdClaimValidationCustomExtensionHandler",
+        "configuration": {
+            "@odata.type": "#microsoft.graph.customExtensionOverwriteConfiguration",
+            "clientConfiguration": {
+                "@odata.type": "#microsoft.graph.customExtensionClientConfiguration",
+                "maximumRetries": 1,
+                "timeoutInMilliseconds": 2000
+            },
+            "behaviorOnError": {
+                "@odata.type": "#microsoft.graph.customExtensionBehaviorOnError"
+            }
+        }
+    }
+}
+```
+
+#### Response
+The following example shows the response.
+<!-- {
+  "blockType": "response",
+  "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+```

api-reference/beta/api/customauthenticationextension-delete.md

@@ -20,6 +20,7 @@ Delete a [customAuthenticationExtension](../resources/customauthenticationextens
 - [onAttributeCollectionSubmitCustomExtension](../resources/onattributecollectionsubmitcustomextension.md) resource type.
 - [onOtpSendCustomExtension](../resources/onOtpSendCustomExtension.md) resource type.
 - [onPasswordSubmitCustomExtension](../resources/onpasswordsubmitcustomextension.md) resource type.
+- [onVerifiedIdClaimValidationCustomExtension](../resources/onverifiedidclaimvalidationcustomextension.md) resource type.
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]