Merge pull request #27774 from microsoftgraph/main

learn-build-service-prod[bot] · web-flow · commit efa05ba64267 · 2025-11-21T00:33:38.000Z
Auto Publish – main to live - 2025-11-21 00:30 UTC
diff --git a/api-reference/beta/api/groupresource-get.md b/api-reference/beta/api/groupresource-get.md
@@ -0,0 +1,86 @@
+---
+title: "Get groupResource"
+description: "Read the properties and relationships of a groupResource object"
+author: "kwshea"
+ms.localizationpriority: medium
+ms.subservice: "entra-id-governance"
+doc_type: apiPageType
+ms.date: 11/03/2025
+---
+
+# Get groupResource
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Read the properties and relationships of a [groupResource](../resources/groupResource.md) object.
+
+[!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
+
+## Permissions
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- { "blockType": "permissions", "name": "groupresource_get" } -->
+[!INCLUDE [permissions-table](../includes/permissions/privilegedaccessgroupgroupresource-get-permissions.md)]
+
+> [!NOTE]
+> In delegated scenarios that use work or school accounts, any Microsoft Entra ID member user can call this API if the required permissions are granted."
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/privilegedAccess/group/resources/{groupId}
+```
+
+## Optional query parameters
+This method supports the `$select` OData query parameter to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a [groupResource](../resources/groupResource.md) object in the response body.
+
+## Examples
+
+### Request
+The following example shows a request.
+
+<!-- {
+  "blockType": "request",
+  "name": "get_privilegedaccessgroupgroupresource_beta_e1"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/privilegedAccess/group/resources/a13fc7b0-a4ff-45fc-82c4-1d31a807426a
+```
+
+### Response
+The following example shows the response.
+
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.groupResource"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+  "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/privilegedAccess/group/resources",
+  "id": "a13fc7b0-a4ff-45fc-82c4-1d31a807426a"
+}
+```
diff --git a/api-reference/beta/api/privilegedaccessgroup-list-resources.md b/api-reference/beta/api/privilegedaccessgroup-list-resources.md
@@ -0,0 +1,94 @@
+---
+title: "List groupResource objects"
+description: "Get a list of the groupResource objects and their properties."
+author: "kwshea"
+ms.localizationpriority: medium
+ms.subservice: "entra-id-governance"
+doc_type: apiPageType
+ms.date: 11/03/2025
+---
+
+# List groupResource objects
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Get a list of the [groupResource](../resources/groupResource.md) objects and their properties.
+
+[!INCLUDE [national-cloud-support](../../includes/all-clouds.md)]
+
+## Permissions
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- { "blockType": "permissions", "name": "privilegedaccessgroup_list_resources" } -->
+[!INCLUDE [permissions-table](../includes/permissions/privilegedaccessgroup-list-resources-permissions.md)]
+
+> [!NOTE]
+> In delegated scenarios that use work or school accounts, any Microsoft Entra ID member user can call this API if the required permissions are granted."
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/privilegedAccess/group/resources
+```
+
+## Query parameters
+This method supports the `$select` and `$filter` OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [groupResource](../resources/groupResource.md) objects in the response body.
+
+## Examples
+
+### Request
+The following example shows a request.
+
+<!-- {
+  "blockType": "request",
+  "name": "list_privilegedaccessgroupgroupresource"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/privilegedAccess/group/resources
+```
+
+### Response
+If successful, this method returns a `200 OK` response code and a collection of [groupResource](../resources/groupResource.md) objects in the response body.
+
+The following example shows the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "Collection(microsoft.graph.groupResource)"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+    "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/privilegedAccess/group/resources",
+    "value": [
+          {
+            "id": "b88fc7b0-a4ff-45fc-82c4-1d31a807315e"
+          },
+          {
+            "id": "a13fc7b0-a4ff-45fc-82c4-1d31a807426a"
+          }
+    ]
+}
+```
diff --git a/api-reference/beta/includes/permissions/privilegedaccessgroup-list-resources-permissions.md b/api-reference/beta/includes/permissions/privilegedaccessgroup-list-resources-permissions.md
@@ -0,0 +1,12 @@
+---
+description: "Automatically generated file. DO NOT MODIFY"
+ms.topic: include
+ms.localizationpriority: medium
+---
+
+|Permission type|Least privileged permissions|Higher privileged permissions|
+|:---|:---|:---|
+|Delegated (work or school account)|PrivilegedAccess.Read.AzureADGroup|PrivilegedAccess.ReadWrite.AzureADGroup|
+|Delegated (personal Microsoft account)|Not supported.|Not supported.|
+|Application|PrivilegedAccess.Read.AzureADGroup|PrivilegedAccess.ReadWrite.AzureADGroup|
+
diff --git a/api-reference/beta/includes/permissions/privilegedaccessgroupgroupresource-get-permissions.md b/api-reference/beta/includes/permissions/privilegedaccessgroupgroupresource-get-permissions.md
@@ -0,0 +1,12 @@
+---
+description: "Automatically generated file. DO NOT MODIFY"
+ms.topic: include
+ms.localizationpriority: medium
+---
+
+|Permission type|Least privileged permissions|Higher privileged permissions|
+|:---|:---|:---|
+|Delegated (work or school account)|PrivilegedAccess.Read.AzureADGroup|PrivilegedAccess.ReadWrite.AzureADGroup|
+|Delegated (personal Microsoft account)|Not supported.|Not supported.|
+|Application|PrivilegedAccess.Read.AzureADGroup|PrivilegedAccess.ReadWrite.AzureADGroup|
+
diff --git a/api-reference/beta/resources/groupresource.md b/api-reference/beta/resources/groupresource.md
@@ -0,0 +1,51 @@
+---
+title: "groupResource resource type"
+description: "Represents the group resource in Privileged Identity Management (PIM) for groups."
+ms.localizationpriority: medium
+author: "shea3100"
+ms.subservice: "entra-id-governance"
+doc_type: "resourcePageType"
+ms.date: 11/01/2025
+---
+
+# groupResource resource type
+
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Represents the [group](../resources/group.md) resource in PIM for groups. This entity extends [directoryObject](../resources/directoryobject.md).
+
+## Methods
+
+| Method       | Return Type | Description |
+|:-------------|:------------|:------------|
+| [List](../api/privilegedaccessgroup-list-resources.md) | [groupResource](groupResource.md) collection | Retrieve a list of [groupResource](groupResource.md) objects. |
+| [Get](../api/groupresource-get.md)|[groupResource](groupResource.md)|Read the properties of a [groupResource](groupResource.md) object. |
+
+## Properties
+| Property    | Type   | Description |
+| :---------------| :---------- | :---------- |
+| id | String | Indicates the identifier of the group. Inherited from [entity](../resources/entity.md).|
+|deletedDateTime|DateTimeOffset|`null`. Inherited from [directoryObject](../resources/directoryobject.md).|
+
+## Relationships
+
+None
+
+## JSON representation
+
+
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.groupResource",
+  "baseType": "microsoft.graph.directoryObject",
+  "openType": false
+}-->
+```json
+{
+  "id": "String (identifier)",
+  "deletedDateTime": "String (timestamp)"
+}
+```
diff --git a/api-reference/beta/resources/privilegedaccessgroup.md b/api-reference/beta/resources/privilegedaccessgroup.md
@@ -33,6 +33,7 @@ None.
 |eligibilityScheduleInstances|[privilegedAccessGroupEligibilityScheduleInstance](../resources/privilegedaccessgroupeligibilityscheduleinstance.md) collection|The instances of eligibility schedules to activate a just-in-time access.|
 |eligibilityScheduleRequests|[privilegedAccessGroupEligibilityScheduleRequest](../resources/privilegedaccessgroupeligibilityschedulerequest.md) collection|The schedule requests for operations to create, update, delete, extend, and renew an eligibility.|
 |eligibilitySchedules|[privilegedAccessGroupEligibilitySchedule](../resources/privilegedaccessgroupeligibilityschedule.md) collection|The eligibility schedules to activate a just-in-time access.|
+|resources|[groupResource](../resources/privilegedaccessgroupeligibilityschedule.md) collection|The privileged groups in PIM for Groups.|
 
 ## JSON representation
 The following JSON representation shows the resource type.
diff --git a/api-reference/beta/toc/identity-and-access/toc.yml b/api-reference/beta/toc/identity-and-access/toc.yml
@@ -1888,6 +1888,14 @@ items:
           href: ../../api/privilegedaccessgroupeligibilityscheduleinstance-get.md
         - name: Filter by current user
           href: ../../api/privilegedaccessgroupeligibilityscheduleinstance-filterbycurrentuser.md
+      - name: Group resource
+        items:
+        - name: Group resource
+          href: ../../resources/groupresource.md
+        - name: List
+          href: ../../api/privilegedaccessgroup-list-resources.md
+        - name: Get
+          href: ../../api/groupresource-get.md
       - name: Policy
         items:
         - name: Policy
diff --git a/api-reference/beta/toc/toc.mapping.json b/api-reference/beta/toc/toc.mapping.json
@@ -1538,6 +1538,7 @@
                     "privilegedAccessGroupEligibilityScheduleRequest",
                     "privilegedAccessGroupEligibilitySchedule",
                     "privilegedAccessGroupEligibilityScheduleInstance",
+                    "groupResource",
                     "unifiedRoleManagementPolicy",
                     "unifiedRoleManagementPolicyRule",
                     "unifiedRoleManagementPolicyAssignment",
diff --git a/changelog/Microsoft.PIM.AzureRBAC.json b/changelog/Microsoft.PIM.AzureRBAC.json
@@ -1127,6 +1127,32 @@
       "CreatedDateTime": "2023-05-05T00:00:00.0000000Z",
       "WorkloadArea": "Identity and access",
       "SubArea": "Governance"
+    },
+    {
+      "ChangeList": [
+        {
+          "Id": "3e5f5eb7-1ab2-4761-a64d-5574089b794b",
+          "ApiChange": "Resource",
+          "ChangedApiName": "groupResource",
+          "ChangeType": "Addition",
+          "Description": "Added the [groupResource](https://learn.microsoft.com/en-us/graph/api/resources/groupResource?view=graph-rest-beta) resource.",
+          "Target": "groupResource"
+        },
+        {
+          "Id": "3e5f5eb7-1ab2-4761-a64d-5574089b794b",
+          "ApiChange": "Relationship",
+          "ChangedApiName": "resources",
+          "ChangeType": "Addition",
+          "Description": "Added the **resources** relationship to the [privilegedAccessGroup](https://learn.microsoft.com/en-us/graph/api/resources/privilegedAccessGroup?view=graph-rest-beta) resource.",
+          "Target": "privilegedAccessGroup"
+        }
+      ],
+      "Id": "3e5f5eb7-1ab2-4761-a64d-5574089b794b",
+      "Cloud": "Prod",
+      "Version": "beta",
+      "CreatedDateTime": "2025-11-20T00:00:00.0000000Z",
+      "WorkloadArea": "Identity and access",
+      "SubArea": "Governance"
     }
   ]
 }
