Merge pull request #28786 from microsoftgraph/main

merge to publish.

Author: Danipocket

api-reference/beta/api/agentidentity-list-inheritedapproleassignments.md

@@ -0,0 +1,110 @@
+---
+title: "List inherited app role assignments for an agent identity"
+description: "Retrieve the application role assignments (appRoleAssignment objects) that an agent identity inherits from its parent agent identity blueprint principal."
+author: "mvoznyarskiy"
+ms.date: 04/13/2026
+ms.localizationpriority: medium
+ms.subservice: "entra-agent-id"
+doc_type: apiPageType
+---
+
+# List inherited app role assignments for an agent identity
+
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Retrieve the application role assignments ([appRoleAssignment](../resources/approleassignment.md) objects) that an [agent identity](../resources/agentidentity.md) inherits from its parent agent identity blueprint principal. These inherited assignments represent the effective application-level permissions applied at token issuance time.
+
+The inherited collection is strictly read-only. POST, PATCH, and DELETE requests return `405 Method Not Allowed`. To modify the permissions that agent identities inherit, update the parent agent identity blueprint principal's `appRoleAssignments` instead.
+
+Pagination is not supported. All results are returned in a single response. `$top`, `$skip`, and `$skiptoken` are not supported.
+
+Calling this endpoint on a service principal that is not an agent identity returns `404 Not Found`.
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- {
+  "blockType": "permissions",
+  "name": "agentidentity-list-inheritedapproleassignments-permissions"
+}
+-->
+[!INCLUDE [permissions-table](../includes/permissions/agentidentity-list-inheritedapproleassignments-permissions.md)]
+
+[!INCLUDE [rbac-approleassignments-apis-read](../includes/rbac-for-apis/rbac-approleassignments-apis-read.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+GET /servicePrincipals/microsoft.graph.agentIdentity/{agentIdentity-id}/inheritedAppRoleAssignments
+```
+
+## Optional query parameters
+
+This method does not support OData query parameters.
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [appRoleAssignment](../resources/approleassignment.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following example shows a request.
+<!-- {
+  "blockType": "request",
+  "name": "list_inheritedapproleassignment"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/servicePrincipals/microsoft.graph.agentIdentity/b3f37624-8113-471c-9de3-0234828e3ca2/inheritedAppRoleAssignments
+```
+
+
+### Response
+
+The following example shows the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "Collection(microsoft.graph.appRoleAssignment)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+  "value": [
+    {
+      "id": "aabbccdd-1122-3344-5566-778899001122",
+      "creationTimestamp": "2026-01-15T10:30:00Z",
+      "appRoleId": "11112222-aaaa-3333-bbbb-4444cccc5555",
+      "principalDisplayName": "My Agent Identity",
+      "principalId": "b3f37624-8113-471c-9de3-0234828e3ca2",
+      "principalType": "ServicePrincipal",
+      "resourceDisplayName": "Microsoft Graph",
+      "resourceId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
+    }
+  ]
+}
+```
+

api-reference/beta/api/agentidentity-list-inheritedoauth2permissiongrants.md

@@ -0,0 +1,112 @@
+---
+title: "List inherited OAuth2 permission grants for an agent identity"
+description: "Retrieve the delegated permission grants (oAuth2PermissionGrant objects) that an agent identity inherits from its parent agent identity blueprint principal."
+author: "mvoznyarskiy"
+ms.date: 04/13/2026
+ms.localizationpriority: medium
+ms.subservice: "entra-agent-id"
+doc_type: apiPageType
+---
+
+# List inherited OAuth2 permission grants for an agent identity
+
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Retrieve the delegated permission grants ([oAuth2PermissionGrant](../resources/oauth2permissiongrant.md) objects) that an [agent identity](../resources/agentidentity.md) inherits from its parent agent identity blueprint principal. These inherited grants represent the effective delegated permissions applied at token issuance time.
+
+This endpoint returns only inherited grants where `consentType` is `AllPrincipals` (admin-consented, tenant-wide grants). Grants where `consentType` is `Principal` (user-specific grants) are not returned by this endpoint.
+
+The inherited collection is strictly read-only. POST, PATCH, and DELETE requests return `405 Method Not Allowed`. To modify the permissions that agent identities inherit, update the parent agent identity blueprint principal's `oauth2PermissionGrants` instead.
+
+Pagination is not supported. All results are returned in a single response. `$top`, `$skip`, and `$skiptoken` are not supported.
+
+Calling this endpoint on a service principal that is not an agent identity returns `404 Not Found`.
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- {
+  "blockType": "permissions",
+  "name": "agentidentity-list-inheritedoauth2permissiongrants-permissions"
+}
+-->
+[!INCLUDE [permissions-table](../includes/permissions/agentidentity-list-inheritedoauth2permissiongrants-permissions.md)]
+
+[!INCLUDE [rbac-oauth2permissiongrant-serviceprincipal-apis-read](../includes/rbac-for-apis/rbac-oauth2permissiongrant-serviceprincipal-apis-read.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+GET /servicePrincipals/microsoft.graph.agentIdentity/{agentIdentity-id}/inheritedOauth2PermissionGrants
+```
+
+## Optional query parameters
+
+This method does not support OData query parameters.
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [oAuth2PermissionGrant](../resources/oauth2permissiongrant.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following example shows a request.
+<!-- {
+  "blockType": "request",
+  "name": "list_inheritedoauth2permissiongrant"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/servicePrincipals/microsoft.graph.agentIdentity/b3f37624-8113-471c-9de3-0234828e3ca2/inheritedOauth2PermissionGrants
+```
+
+
+### Response
+
+The following example shows the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "Collection(microsoft.graph.oAuth2PermissionGrant)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "value": [
+    {
+      "id": "abc123def456",
+      "clientId": "b3f37624-8113-471c-9de3-0234828e3ca2",
+      "consentType": "AllPrincipals",
+      "principalId": null,
+      "resourceId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+      "scope": "User.Read Mail.Read",
+      "startTime": "2026-06-15T00:00:00Z",
+      "expiryTime": "2027-06-15T00:00:00Z"
+    }
+  ]
+}
+```
+

api-reference/beta/api/driveitem-post-permissions.md

@@ -19,7 +19,7 @@ Create a new [permission](../resources/permission.md) object on a [driveItem](..
 > [!IMPORTANT]
 > This API has the following restrictions:
 >
-> - For OneDrive for work or school and SharePoint Online, you can only use this method to create a new application permission. If you want to create a new user permission in a **driveItem**, see [invite](./driveitem-invite.md). For more information on application permissions, see [Overview of Selected permissions in OneDrive and SharePoint](/graph/permissions-selected-overview).
+> - For OneDrive for work or school and SharePoint Online, you can only use this method to create a new application permission. If you want to create a new user permission in a **driveItem**, see [invite](./driveitem-invite.md). For more information on application permissions, see [Overview of selected permissions in OneDrive and SharePoint](/graph/permissions-selected-overview).
 > - For SharePoint Embedded, you can only use this method to create a new [sharePointGroup](../resources/sharepointgroup.md) permission with app-only access. You can't create a permission on the root item of a container.
 
 [!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
@@ -57,8 +57,8 @@ In the request body, supply a JSON representation of the [permission](../resourc
 
 > [!IMPORTANT]
 >
-> - This API only accepts `grantedToV2` as input for the **permission** object. Other properties such as `grantedToIdentitiesV2` or the deprecated `grantedTo` and `grantedToIdentities` are not accepted.
-> - For SharePoint Embedded, when creating a new [sharePointGroup](../resources/sharepointgroup.md) permission, the request body must include both the `id` and `displayName` of the **sharePointGroup** referenced in the `grantedToV2.siteGroup` property. See [Example 2](#example-2-add-a-sharepoint-group-permission-to-a-driveitem-in-a-sharepoint-embedded-container).
+> - This API only accepts **grantedToV2** as input for the **permission** object. Other properties such as **grantedToIdentitiesV2** or the deprecated **grantedTo** and **grantedToIdentities** aren't accepted.
+> - For SharePoint Embedded, when you create a new [sharePointGroup](../resources/sharepointgroup.md) permission, we recommend that you reference the **sharePointGroup** using the **grantedToV2.sharePointGroup.id** property in the request body. This **id** should map to the **id** of the **sharePointGroup** property. For more information, see [Example 2](#example-2-add-a-sharepoint-group-permission-to-a-driveitem-in-a-sharepoint-embedded-container-using-its-id). We don't recommend that you reference a **sharePointGroup** using its **principalId** because the **principalId** is only unique within the site, unlike the **id** of the **sharePointGroup**, which is globally unique. In that case, the request body must include both **id** and **displayName** in the **grantedToV2.siteGroup** property. The **id** must point to the **principalId** of the **sharePointGroup** and the **displayName** must point to the **title** of the **sharePointGroup**. For more information, see [Example 3](#example-3-add-a-sharepoint-group-permission-to-a-driveitem-in-a-sharepoint-embedded-container-using-the-principalid).
 
 ## Response
 
@@ -159,9 +159,78 @@ Content-Type: application/json
 }
 ```
 
-### Example 2: Add a SharePoint group permission to a driveItem in a SharePoint Embedded container
+### Example 2: Add a SharePoint group permission to a driveItem in a SharePoint Embedded container using its ID
 
-The following example shows how to add a `write` [permission](../resources/permission.md) for the `Internal Collaborators` [sharePointGroup](../resources/sharepointgroup.md) on a [driveItem](../resources/driveitem.md) identified by `01V4EPHZNV2OJQJNBPWNCKDTXCQ5TSVBJU` in a SharePoint Embedded [fileStorageContainer](../resources/filestoragecontainer.md) identified by `b!s8RqPCGh0ESQS2EYnKM0IKS3lM7GxjdAviiob7oc5pXv_0LiL-62Qq3IXyrXnEop`.
+The following example shows how to add a `write` [permission](../resources/permission.md) for the `internal collaborators` [sharePointGroup](../resources/sharepointgroup.md) on a [driveItem](../resources/driveitem.md) identified by `01V4EPHZNV2OJQJNBPWNCKDTXCQ5TSVBJU` in a SharePoint Embedded [fileStorageContainer](../resources/filestoragecontainer.md) identified by `b!s8RqPCGh0ESQS2EYnKM0IKS3lM7GxjdAviiob7oc5pXv_0LiL-62Qq3IXyrXnEop`.
+
+#### Request
+
+The following example shows a request.
+
+<!-- {
+  "blockType": "request",
+  "name": "driveitem-post-permissions-3",
+  "scopes": "filestoragecontainer.selected",
+  "target": "action"
+} -->
+```http
+POST https://graph.microsoft.com/beta/drives/b!s8RqPCGh0ESQS2EYnKM0IKS3lM7GxjdAviiob7oc5pXv_0LiL-62Qq3IXyrXnEop/items/01V4EPHZNV2OJQJNBPWNCKDTXCQ5TSVBJU/permissions
+Content-Type: application/json
+
+{
+  "grantedToV2": {
+    "sharePointGroup": {
+      "id": "ZGYwZTEzYTgtOTExOS00MjdmLWEzNjktOTdjOWM3YjNlYjcyXzE0"
+    }
+  },
+  "roles": ["write"]
+}
+```
+
+---
+
+#### Response
+
+The following example shows the response.
+
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.permission"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+  "id": "aTowaS50fG1zLnNwLmV4dHwxMEBkOWNlMGZjMS02MWQ4LTRhMmUtYjVkMy0xODc3MGRmMDY3MmM=",
+  "roles": [
+    "write"
+  ],
+  "grantedToV2": {
+    "sharePointGroup": {
+      "id": "ZGYwZTEzYTgtOTExOS00MjdmLWEzNjktOTdjOWM3YjNlYjcyXzE0",
+      "principalId": "10",
+      "title": "Internal Collaborators"
+    },
+    "siteGroup": {
+      "id": "10",
+      "displayName": "Internal Collaborators"
+    }
+  },
+  "grantedTo": {
+    "siteGroup": {
+      "id": "10",
+      "displayName": "Internal Collaborators"
+    }
+  }
+}
+```
+
+### Example 3: Add a SharePoint group permission to a driveItem in a SharePoint Embedded container using the principalId
+
+The following example shows how to add a `write` [permission](../resources/permission.md) for the `internal collaborators` [sharePointGroup](../resources/sharepointgroup.md) on a [driveItem](../resources/driveitem.md) identified by `01V4EPHZNV2OJQJNBPWNCKDTXCQ5TSVBJU` in a SharePoint Embedded [fileStorageContainer](../resources/filestoragecontainer.md) identified by `b!s8RqPCGh0ESQS2EYnKM0IKS3lM7GxjdAviiob7oc5pXv_0LiL-62Qq3IXyrXnEop`.
 
 #### Request
 

api-reference/beta/api/filestoragecontainer-delete-sharepointgroups.md

@@ -1,6 +1,6 @@
 ---
 title: "Delete sharePointGroup"
-description: "Delete a sharePointGroup object."
+description: "Delete a sharePointGroup object that is local to a fileStorageContainer."
 author: "tmarwendo-microsoft"
 ms.localizationpriority: medium
 ms.subservice: "onedrive"
@@ -56,7 +56,7 @@ If successful, this method returns a `204 No Content` response code.
 
 ### Example 1: Delete a SharePoint group
 
-The following example deletes a **sharePointGroup** identified by the ID `10` from the **fileStorageContainer** identified by the container ID `b!ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z`.
+The following example deletes a **sharePointGroup** identified by the ID `ZGYwZTEzYTgtOTExOS00MjdmLWEzNjktOTdjOWM3YjNlYjcyXzE0` from the **fileStorageContainer** identified by the container ID `b!ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z`.
 
 #### Request
 
@@ -68,7 +68,7 @@ The following example shows a request.
   "name": "delete_sharepointgroup"
 }-->
 ```http
-DELETE https://graph.microsoft.com/beta/storage/fileStorage/containers/b!ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z/sharePointGroups/10
+DELETE https://graph.microsoft.com/beta/storage/fileStorage/containers/b!ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z/sharePointGroups/ZGYwZTEzYTgtOTExOS00MjdmLWEzNjktOTdjOWM3YjNlYjcyXzE0
 ```
 
 # [C#](#tab/csharp)
@@ -112,7 +112,7 @@ HTTP/1.1 204 No Content
 
 ### Example 2: Attempt to delete a SharePoint group that doesn't exist
 
-The following example attempts to delete a **sharePointGroup** identified by the ID `11` from the **fileStorageContainer** identified by the container ID `b!ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z`; however, the group doesn't exist in the container.
+The following example attempts to delete a **sharePointGroup** identified by the ID `ZGYwZTEzYTgtOTExOS00MjdmLWEzNjktOTdjOWM3YjNlYjcyXzE1` from the **fileStorageContainer** identified by the container ID `b!ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z`; however, the group doesn't exist in the container.
 
 #### Request
 
@@ -122,7 +122,7 @@ The following example attempts to delete a **sharePointGroup** identified by the
   "name": "delete_nonexisting_sharepointgroup"
 }-->
 ```http
-DELETE https://graph.microsoft.com/beta/storage/fileStorage/containers/b!ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z/sharePointGroups/11
+DELETE https://graph.microsoft.com/beta/storage/fileStorage/containers/b!ISJs1WRro0y0EWgkUYcktDa0mE8zSlFEqFzqRn70Zwp1CEtDEBZgQICPkRbil_5Z/sharePointGroups/ZGYwZTEzYTgtOTExOS00MjdmLWEzNjktOTdjOWM3YjNlYjcyXzE1
 ```
 
 # [C#](#tab/csharp)