Verwalten des Zugriffs auf Ressourcen mithilfe der Berechtigungsverwaltungs-APIs

Artikel
04/01/2024

Microsoft Entra Berechtigungsverwaltung können Sie den Zugriff auf Ressourcen verwalten, die Mitarbeiter benötigen, um produktiv zu sein. In diesem Tutorial verwenden Sie die Berechtigungsverwaltungs-APIs, um ein Ressourcenpaket zu erstellen, das interne Benutzer selbst anfordern. Die APIs sind die programmgesteuerte Alternative zum Erstellen benutzerdefinierter Apps anstelle der verwendung der Microsoft Entra Admin Center.

In diesem Tutorial wird Folgendes vermittelt:

Erstellen Sie ein Zugriffspaket, das Benutzer self-Service anfordern können.
Weisen Sie dem Zugriffspaket eine Gruppenressource zu.
Anfordern eines Zugriffspakets

Voraussetzungen

Für dieses Tutorial benötigen Sie die folgenden Ressourcen und Berechtigungen:

Ein Funktionierender Microsoft Entra Mandant mit aktivierter Microsoft Entra ID P2- oder Microsoft Entra ID Governance-Lizenz. Eine dieser Lizenzen ist für die Funktionen in diesem Tutorial ausreichend.
Ein Testgastkonto und eine Testsicherheitsgruppe in Ihrem Mandanten. Die Sicherheitsgruppe ist die Ressource in diesem Tutorial. Stellen Sie sicher, dass Sie entweder der Besitzer der Gruppe oder die Rolle Gruppenadministrator zugewiesen sind. In diesem Tutorial:
- Der Benutzer verfügt über die ID 007d1c7e-7fa8-4e33-b678-5e437acdcddc und hat den Namen Requestor1.
  - [Optional] Öffnen Sie ein neues anonymes Browserfenster. Sie melden sich später in diesem Tutorial an.
- Die Gruppe verfügt über die ID f4892fac-e81c-4712-bdf2-a4450008a4b0 mit der Beschreibung "Marketinggruppe" und dem Anzeigenamen "Marketingressourcen".
Melden Sie sich bei einem API-Client wie Graph Explorer mit einem Konto an, das mindestens über die Rolle Identity Governance-Administrator verfügt.
Gewähren Sie sich die folgenden delegierten Berechtigungen: User.ReadWrite.All, Group.ReadWrite.Allund EntitlementManagement.ReadWrite.All.

Hinweis

Einige Schritte in diesem Tutorial verwenden den beta Endpunkt.

Schritt 1: Hinzufügen von Ressourcen zu einem Katalog und Erstellen eines Zugriffspakets

Ein Zugriffspaket ist ein Bündel von Ressourcen, die ein Team oder Projekt benötigt und das mit Richtlinien gesteuert wird. Zugriffspakete werden in Containern definiert, die als Kataloge bezeichnet werden. Kataloge können auf Ressourcen wie Gruppen, Apps und Websites verweisen, die im Zugriffspaket verwendet werden. Die Berechtigungsverwaltung umfasst einen Standardkatalog General .

In diesem Schritt erstellen Sie ein Zugriffspaket für die Marketingkampagne im Katalog Allgemein.

Schritt 1.1: Abrufen des Bezeichners für den allgemeinen Katalog

Rufen Sie zunächst die ID des Katalogs ab, dem Sie Ressourcen hinzufügen möchten.

Anforderung

GET https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs?$filter=(displayName eq 'General')


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.Catalogs.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "(displayName eq 'General')";
});



mgc identity-governance entitlement-management catalogs list --filter "(displayName eq 'General')"



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphidentitygovernance "github.com/microsoftgraph/msgraph-sdk-go/identitygovernance"
	  //other-imports
)


requestFilter := "(displayName eq 'General')"

requestParameters := &graphidentitygovernance.IdentityGovernanceEntitlementManagementCatalogsRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
}
configuration := &graphidentitygovernance.IdentityGovernanceEntitlementManagementCatalogsRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
catalogs, err := graphClient.IdentityGovernance().EntitlementManagement().Catalogs().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackageCatalogCollectionResponse result = graphClient.identityGovernance().entitlementManagement().catalogs().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "(displayName eq 'General')";
});


const options = {
	authProvider,
};

const client = Client.init(options);

let catalogs = await client.api('/identityGovernance/entitlementManagement/catalogs')
	.filter('(displayName eq \'General\')')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\IdentityGovernance\EntitlementManagement\Catalogs\CatalogsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new CatalogsRequestBuilderGetRequestConfiguration();
$queryParameters = CatalogsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "(displayName eq 'General')";
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->identityGovernance()->entitlementManagement()->catalogs()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Identity.Governance

Get-MgEntitlementManagementCatalog -Filter "(displayName eq 'General')"


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.identity_governance.entitlement_management.catalogs.catalogs_request_builder import CatalogsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = CatalogsRequestBuilder.CatalogsRequestBuilderGetQueryParameters(
		filter = "(displayName eq 'General')",
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.identity_governance.entitlement_management.catalogs.get(request_configuration = request_configuration)

Antwort

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/catalogs",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET identityGovernance/entitlementManagement/catalogs?$select=catalogType,createdDateTime",
    "value": [
        {
            "id": "cec5d6ab-c75d-47c0-9c1c-92e89f66e384",
            "displayName": "General",
            "description": "Built-in catalog.",
            "catalogType": "serviceDefault",
            "state": "published",
            "isExternallyVisible": true,
            "createdDateTime": "2023-04-13T14:43:19.44Z",
            "modifiedDateTime": "2023-04-13T14:43:19.44Z"
        }
    ]
}

Schritt 1.2: Hinzufügen der Gruppe zum Katalog

In diesem Tutorial ist die Ressource eine Sicherheitsgruppe mit der ID e93e24d1-2b65-4a6c-a1dd-654a12225487.

Um die Gruppe, die Sie erstellt haben, dem Katalog hinzuzufügen, geben Sie die folgenden Eigenschaftswerte an:

catalogId : die ID des Katalogs, den Sie verwenden.
originId : die ID der Gruppe, die Sie erstellt haben.

Wenn Sie nicht der Besitzer der Gruppe sind, auf die Sie in originId verweisen, oder wenn Ihnen nicht die Rolle Gruppenadministrator zugewiesen ist, schlägt diese Anforderung mit einem 403 Forbidden Fehlercode fehl.

Anforderung

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/resourceRequests
Content-type: application/json

{
  "catalogId":"cec5d6ab-c75d-47c0-9c1c-92e89f66e384",
  "requestType": "AdminAdd",
  "justification": "",
  "accessPackageResource": {
    "resourceType": "AadGroup",
    "originId": "e93e24d1-2b65-4a6c-a1dd-654a12225487",
    "originSystem": "AadGroup"
  }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new AccessPackageResourceRequest
{
	RequestType = AccessPackageRequestType.AdminAdd,
	AdditionalData = new Dictionary<string, object>
	{
		{
			"catalogId" , "cec5d6ab-c75d-47c0-9c1c-92e89f66e384"
		},
		{
			"justification" , ""
		},
		{
			"accessPackageResource" , new UntypedObject(new Dictionary<string, UntypedNode>
			{
				{
					"resourceType", new UntypedString("AadGroup")
				},
				{
					"originId", new UntypedString("e93e24d1-2b65-4a6c-a1dd-654a12225487")
				},
				{
					"originSystem", new UntypedString("AadGroup")
				},
			})
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.ResourceRequests.PostAsync(requestBody);



mgc identity-governance entitlement-management resource-requests create --body '{\
  "catalogId":"cec5d6ab-c75d-47c0-9c1c-92e89f66e384",\
  "requestType": "AdminAdd",\
  "justification": "",\
  "accessPackageResource": {\
    "resourceType": "AadGroup",\
    "originId": "e93e24d1-2b65-4a6c-a1dd-654a12225487",\
    "originSystem": "AadGroup"\
  }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewAccessPackageResourceRequest()
requestType := graphmodels.ADMINADD_ACCESSPACKAGEREQUESTTYPE 
requestBody.SetRequestType(&requestType) 
additionalData := map[string]interface{}{
	"catalogId" : "cec5d6ab-c75d-47c0-9c1c-92e89f66e384", 
	"justification" : "", 
accessPackageResource := graph.New()
resourceType := "AadGroup"
accessPackageResource.SetResourceType(&resourceType) 
originId := "e93e24d1-2b65-4a6c-a1dd-654a12225487"
accessPackageResource.SetOriginId(&originId) 
originSystem := "AadGroup"
accessPackageResource.SetOriginSystem(&originSystem) 
	requestBody.SetAccessPackageResource(accessPackageResource)
}
requestBody.SetAdditionalData(additionalData)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
resourceRequests, err := graphClient.IdentityGovernance().EntitlementManagement().ResourceRequests().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackageResourceRequest accessPackageResourceRequest = new AccessPackageResourceRequest();
accessPackageResourceRequest.setRequestType(AccessPackageRequestType.AdminAdd);
HashMap<String, Object> additionalData = new HashMap<String, Object>();
additionalData.put("catalogId", "cec5d6ab-c75d-47c0-9c1c-92e89f66e384");
additionalData.put("justification", "");
 accessPackageResource = new ();
accessPackageResource.setResourceType("AadGroup");
accessPackageResource.setOriginId("e93e24d1-2b65-4a6c-a1dd-654a12225487");
accessPackageResource.setOriginSystem("AadGroup");
additionalData.put("accessPackageResource", accessPackageResource);
accessPackageResourceRequest.setAdditionalData(additionalData);
AccessPackageResourceRequest result = graphClient.identityGovernance().entitlementManagement().resourceRequests().post(accessPackageResourceRequest);


const options = {
	authProvider,
};

const client = Client.init(options);

const accessPackageResourceRequest = {
  catalogId: 'cec5d6ab-c75d-47c0-9c1c-92e89f66e384',
  requestType: 'AdminAdd',
  justification: '',
  accessPackageResource: {
    resourceType: 'AadGroup',
    originId: 'e93e24d1-2b65-4a6c-a1dd-654a12225487',
    originSystem: 'AadGroup'
  }
};

await client.api('/identityGovernance/entitlementManagement/resourceRequests')
	.post(accessPackageResourceRequest);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AccessPackageResourceRequest;
use Microsoft\Graph\Generated\Models\AccessPackageRequestType;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AccessPackageResourceRequest();
$requestBody->setRequestType(new AccessPackageRequestType('adminAdd'));
$additionalData = [
	'catalogId' => 'cec5d6ab-c75d-47c0-9c1c-92e89f66e384',
	'justification' => '',
	'accessPackageResource' => [
		'resourceType' => 'AadGroup',
		'originId' => 'e93e24d1-2b65-4a6c-a1dd-654a12225487',
		'originSystem' => 'AadGroup',
	],
];
$requestBody->setAdditionalData($additionalData);

$result = $graphServiceClient->identityGovernance()->entitlementManagement()->resourceRequests()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Identity.Governance

$params = @{
	catalogId = "cec5d6ab-c75d-47c0-9c1c-92e89f66e384"
	requestType = "AdminAdd"
	justification = ""
	accessPackageResource = @{
		resourceType = "AadGroup"
		originId = "e93e24d1-2b65-4a6c-a1dd-654a12225487"
		originSystem = "AadGroup"
	}
}

New-MgEntitlementManagementResourceRequest -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.access_package_resource_request import AccessPackageResourceRequest
from msgraph.generated.models.access_package_request_type import AccessPackageRequestType
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageResourceRequest(
	request_type = AccessPackageRequestType.AdminAdd,
	additional_data = {
			"catalog_id" : "cec5d6ab-c75d-47c0-9c1c-92e89f66e384",
			"justification" : "",
			"access_package_resource" : {
					"resource_type" : "AadGroup",
					"origin_id" : "e93e24d1-2b65-4a6c-a1dd-654a12225487",
					"origin_system" : "AadGroup",
			},
	}
)

result = await graph_client.identity_governance.entitlement_management.resource_requests.post(request_body)

Antwort

In dieser Antwort stellt die ID die ID für die Gruppe als Ressource im Katalog Allgemein dar. Diese ID ist nicht die Gruppen-ID. Notieren Sie sich diese ID.

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/resourceRequests/$entity",
    "id": "44e521e0-fb6b-4d5e-a282-e7e68dc59493",
    "requestType": "AdminAdd",
    "requestState": "Delivered",
    "requestStatus": "Fulfilled",
    "catalogId": "cec5d6ab-c75d-47c0-9c1c-92e89f66e384",
    "executeImmediately": false,
    "justification": "",
    "expirationDateTime": null
}

Schritt 1.3: Abrufen von Katalogressourcen

In diesem Schritt rufen Sie die Details der Ressourcen ab, die der ID der Gruppenressource entsprechen, die Sie dem Katalog Allgemein hinzugefügt haben.

Anforderung

GET https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/cec5d6ab-c75d-47c0-9c1c-92e89f66e384/resources?$filter=originId eq 'e93e24d1-2b65-4a6c-a1dd-654a12225487'


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.Catalogs["{accessPackageCatalog-id}"].Resources.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "originId eq 'e93e24d1-2b65-4a6c-a1dd-654a12225487'";
});



mgc identity-governance entitlement-management catalogs resources list --access-package-catalog-id {accessPackageCatalog-id} --filter "originId eq 'e93e24d1-2b65-4a6c-a1dd-654a12225487'"



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphidentitygovernance "github.com/microsoftgraph/msgraph-sdk-go/identitygovernance"
	  //other-imports
)


requestFilter := "originId eq 'e93e24d1-2b65-4a6c-a1dd-654a12225487'"

requestParameters := &graphidentitygovernance.IdentityGovernanceEntitlementManagementCatalogItemResourcesRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
}
configuration := &graphidentitygovernance.IdentityGovernanceEntitlementManagementCatalogItemResourcesRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
resources, err := graphClient.IdentityGovernance().EntitlementManagement().Catalogs().ByAccessPackageCatalogId("accessPackageCatalog-id").Resources().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackageResourceCollectionResponse result = graphClient.identityGovernance().entitlementManagement().catalogs().byAccessPackageCatalogId("{accessPackageCatalog-id}").resources().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "originId eq 'e93e24d1-2b65-4a6c-a1dd-654a12225487'";
});


const options = {
	authProvider,
};

const client = Client.init(options);

let resources = await client.api('/identityGovernance/entitlementManagement/catalogs/cec5d6ab-c75d-47c0-9c1c-92e89f66e384/resources')
	.filter('originId eq \'e93e24d1-2b65-4a6c-a1dd-654a12225487\'')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\IdentityGovernance\EntitlementManagement\Catalogs\Item\Resources\ResourcesRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ResourcesRequestBuilderGetRequestConfiguration();
$queryParameters = ResourcesRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "originId eq 'e93e24d1-2b65-4a6c-a1dd-654a12225487'";
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->identityGovernance()->entitlementManagement()->catalogs()->byAccessPackageCatalogId('accessPackageCatalog-id')->resources()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Identity.Governance

Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $accessPackageCatalogId -Filter "originId eq 'e93e24d1-2b65-4a6c-a1dd-654a12225487'"


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.identity_governance.entitlement_management.catalogs.item.resources.resources_request_builder import ResourcesRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ResourcesRequestBuilder.ResourcesRequestBuilderGetQueryParameters(
		filter = "originId eq 'e93e24d1-2b65-4a6c-a1dd-654a12225487'",
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.identity_governance.entitlement_management.catalogs.by_access_package_catalog_id('accessPackageCatalog-id').resources.get(request_configuration = request_configuration)

Antwort

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/catalogs('cec5d6ab-c75d-47c0-9c1c-92e89f66e384')/resources",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET identityGovernance/entitlementManagement/catalogs('<guid>')/resources?$select=attributes,createdDateTime",
  "value": [
    {
      "id": "4a1e21c5-8a76-4578-acb1-641160e076e8",
      "displayName": "Marketing resources",
      "description": "Marketing group",
      "originId": "e93e24d1-2b65-4a6c-a1dd-654a12225487",
      "originSystem": "AadGroup",
      "createdDateTime": "2024-03-26T09:44:50.527Z",
      "attributes": []
    }
  ]
}

Schritt 1.4: Abrufen von Ressourcenrollen

Das Zugriffspaket weist Benutzer den Rollen einer Ressource zu. Die typische Rolle einer Gruppe ist die Member Rolle. Andere Ressourcen, z. B. SharePoint Online-Websites und -Anwendungen, haben möglicherweise viele Rollen. Die typische Rolle einer Gruppe, die in einem Zugriffspaket verwendet wird, ist die Member Rolle. Sie benötigen die Memberrolle, um dem Zugriffspaket später in diesem Tutorial eine Ressourcenrolle hinzuzufügen.

Verwenden Sie in der Anforderung die ID des Katalogs und die ID der Gruppenressource im Katalog, den Sie notiert haben, um die originId der Member-Ressourcenrolle abzurufen. Notieren Sie sich den Wert der originId-Eigenschaft , die später in diesem Tutorial verwendet werden soll.

Anforderung

GET https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/ede67938-cda7-4127-a9ca-7c7bf86a19b7/resourceRoles?$filter=(originSystem eq 'AadGroup' and displayName eq 'Member' and resource/id eq '274a1e21c5-8a76-4578-acb1-641160e076e')&$expand=resource


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.Catalogs["{accessPackageCatalog-id}"].ResourceRoles.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "(originSystem eq 'AadGroup' and displayName eq 'Member' and resource/id eq '274a1e21c5-8a76-4578-acb1-641160e076e')";
	requestConfiguration.QueryParameters.Expand = new string []{ "resource" };
});



mgc identity-governance entitlement-management catalogs resource-roles list --access-package-catalog-id {accessPackageCatalog-id} --filter "(originSystem eq 'AadGroup' and displayName eq 'Member' and resource/id eq '274a1e21c5-8a76-4578-acb1-641160e076e')" --expand "resource"



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphidentitygovernance "github.com/microsoftgraph/msgraph-sdk-go/identitygovernance"
	  //other-imports
)


requestFilter := "(originSystem eq 'AadGroup' and displayName eq 'Member' and resource/id eq '274a1e21c5-8a76-4578-acb1-641160e076e')"

requestParameters := &graphidentitygovernance.IdentityGovernanceEntitlementManagementCatalogItemResourceRolesRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
	Expand: [] string {"resource"},
}
configuration := &graphidentitygovernance.IdentityGovernanceEntitlementManagementCatalogItemResourceRolesRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
resourceRoles, err := graphClient.IdentityGovernance().EntitlementManagement().Catalogs().ByAccessPackageCatalogId("accessPackageCatalog-id").ResourceRoles().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackageResourceRoleCollectionResponse result = graphClient.identityGovernance().entitlementManagement().catalogs().byAccessPackageCatalogId("{accessPackageCatalog-id}").resourceRoles().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "(originSystem eq 'AadGroup' and displayName eq 'Member' and resource/id eq '274a1e21c5-8a76-4578-acb1-641160e076e')";
	requestConfiguration.queryParameters.expand = new String []{"resource"};
});


const options = {
	authProvider,
};

const client = Client.init(options);

let resourceRoles = await client.api('/identityGovernance/entitlementManagement/catalogs/ede67938-cda7-4127-a9ca-7c7bf86a19b7/resourceRoles')
	.filter('(originSystem eq \'AadGroup\' and displayName eq \'Member\' and resource/id eq \'274a1e21c5-8a76-4578-acb1-641160e076e\')')
	.expand('resource/id eq \'274a1e21c5-8a76-4578-acb1-641160e076e\')')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\IdentityGovernance\EntitlementManagement\Catalogs\Item\ResourceRoles\ResourceRolesRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ResourceRolesRequestBuilderGetRequestConfiguration();
$queryParameters = ResourceRolesRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "(originSystem eq 'AadGroup' and displayName eq 'Member' and resource/id eq '274a1e21c5-8a76-4578-acb1-641160e076e')";
$queryParameters->expand = ["resource"];
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->identityGovernance()->entitlementManagement()->catalogs()->byAccessPackageCatalogId('accessPackageCatalog-id')->resourceRoles()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Identity.Governance

Get-MgEntitlementManagementCatalogResourceRole -AccessPackageCatalogId $accessPackageCatalogId -Filter "(originSystem eq 'AadGroup' and displayName eq 'Member' and resource/id eq '274a1e21c5-8a76-4578-acb1-641160e076e')" -ExpandProperty "resource"


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.identity_governance.entitlement_management.catalogs.item.resource_roles.resource_roles_request_builder import ResourceRolesRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ResourceRolesRequestBuilder.ResourceRolesRequestBuilderGetQueryParameters(
		filter = "(originSystem eq 'AadGroup' and displayName eq 'Member' and resource/id eq '274a1e21c5-8a76-4578-acb1-641160e076e')",
		expand = ["resource"],
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.identity_governance.entitlement_management.catalogs.by_access_package_catalog_id('accessPackageCatalog-id').resource_roles.get(request_configuration = request_configuration)

Antwort

Da Sie nach originId, Anzeigename und Ressourcen-ID gefiltert haben, wird bei erfolgreicher Ausführung ein einzelner Wert zurückgegeben, der die Member-Rolle dieser Gruppe darstellt. Wenn keine Rollen zurückgegeben werden, überprüfen Sie die ID-Werte des Katalogs und der Zugriffspaketressource.

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/catalogs('ede67938-cda7-4127-a9ca-7c7bf86a19b7')/resourceRoles(resource())",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET identityGovernance/entitlementManagement/catalogs('<guid>')/resourceRoles?$select=description,displayName",
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000000",
            "displayName": "Member",
            "description": null,
            "originSystem": "AadGroup",
            "originId": "Member_e93e24d1-2b65-4a6c-a1dd-654a12225487",
            "resource@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/catalogs('ede67938-cda7-4127-a9ca-7c7bf86a19b7')/resourceRoles('00000000-0000-0000-0000-000000000000')/resource/$entity",
            "resource": {
                "id": "ec09e90e-e021-4599-a8c3-bce77c2b2000",
                "displayName": "Marketing resources",
                "description": "Marketing group",
                "originId": "e93e24d1-2b65-4a6c-a1dd-654a12225487",
                "originSystem": "AadGroup",
                "createdDateTime": "2023-04-13T14:43:21.43Z",
                "attributes": []
            }
        }
    ]
}

Schritt 1.5: Erstellen des Zugriffspakets

Sie verfügen nun über einen Katalog mit einer Gruppenressource, und Sie möchten die Ressourcenrolle des Gruppenmitglieds im Zugriffspaket verwenden. Der nächste Schritt besteht darin, das Zugriffspaket zu erstellen. Nachdem Sie über das Zugriffspaket verfügen, können Sie ihr die Ressourcenrolle hinzufügen und eine Richtlinie erstellen, die beschreibt, wie Benutzer Zugriff auf diese Ressourcenrolle anfordern können. Sie verwenden die ID des Katalogs, den Sie zuvor notiert haben, um das Zugriffspaket zu erstellen. Notieren Sie sich die ID des Zugriffspakets, das später in diesem Tutorial verwendet werden soll.

Anforderung

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackages
Content-type: application/json

{
  "catalogId": "cec5d6ab-c75d-47c0-9c1c-92e89f66e384",
  "displayName": "Marketing Campaign",
  "description": "Access to resources for the campaign"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AccessPackage
{
	DisplayName = "Marketing Campaign",
	Description = "Access to resources for the campaign",
	AdditionalData = new Dictionary<string, object>
	{
		{
			"catalogId" , "cec5d6ab-c75d-47c0-9c1c-92e89f66e384"
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages.PostAsync(requestBody);



mgc identity-governance entitlement-management access-packages create --body '{\
  "catalogId": "cec5d6ab-c75d-47c0-9c1c-92e89f66e384",\
  "displayName": "Marketing Campaign",\
  "description": "Access to resources for the campaign"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewAccessPackage()
displayName := "Marketing Campaign"
requestBody.SetDisplayName(&displayName) 
description := "Access to resources for the campaign"
requestBody.SetDescription(&description) 
additionalData := map[string]interface{}{
	"catalogId" : "cec5d6ab-c75d-47c0-9c1c-92e89f66e384", 
}
requestBody.SetAdditionalData(additionalData)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackages, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackages().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackage accessPackage = new AccessPackage();
accessPackage.setDisplayName("Marketing Campaign");
accessPackage.setDescription("Access to resources for the campaign");
HashMap<String, Object> additionalData = new HashMap<String, Object>();
additionalData.put("catalogId", "cec5d6ab-c75d-47c0-9c1c-92e89f66e384");
accessPackage.setAdditionalData(additionalData);
AccessPackage result = graphClient.identityGovernance().entitlementManagement().accessPackages().post(accessPackage);


const options = {
	authProvider,
};

const client = Client.init(options);

const accessPackage = {
  catalogId: 'cec5d6ab-c75d-47c0-9c1c-92e89f66e384',
  displayName: 'Marketing Campaign',
  description: 'Access to resources for the campaign'
};

await client.api('/identityGovernance/entitlementManagement/accessPackages')
	.post(accessPackage);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AccessPackage;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AccessPackage();
$requestBody->setDisplayName('Marketing Campaign');
$requestBody->setDescription('Access to resources for the campaign');
$additionalData = [
	'catalogId' => 'cec5d6ab-c75d-47c0-9c1c-92e89f66e384',
];
$requestBody->setAdditionalData($additionalData);

$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackages()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Identity.Governance

$params = @{
	catalogId = "cec5d6ab-c75d-47c0-9c1c-92e89f66e384"
	displayName = "Marketing Campaign"
	description = "Access to resources for the campaign"
}

New-MgEntitlementManagementAccessPackage -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.access_package import AccessPackage
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackage(
	display_name = "Marketing Campaign",
	description = "Access to resources for the campaign",
	additional_data = {
			"catalog_id" : "cec5d6ab-c75d-47c0-9c1c-92e89f66e384",
	}
)

result = await graph_client.identity_governance.entitlement_management.access_packages.post(request_body)

Antwort

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/accessPackages/$entity",
    "id": "88203d16-0e31-41d4-87b2-dd402f1435e9",
    "catalogId": "cec5d6ab-c75d-47c0-9c1c-92e89f66e384",
    "displayName": "Marketing Campaign",
    "description": "Access to resources for the campaign",
    "isHidden": false,
    "isRoleScopesVisible": false,
    "createdBy": "admin@contoso.com",
    "createdDateTime": "2024-03-26T17:36:45.411033Z",
    "modifiedBy": "admin@contoso.com",
    "modifiedDateTime": "2024-03-26T17:36:45.411033Z"
}

Schritt 1.6: Hinzufügen einer Ressourcenrolle zum Zugriffspaket

Anforderung

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackages/88203d16-0e31-41d4-87b2-dd402f1435e9/accessPackageResourceRoleScopes
Content-type: application/json

{
  "role": {
    "originId":"Member_f4892fac-e81c-4712-bdf2-a4450008a4b0",
    "displayName":"Member",
    "originSystem":"AadGroup",
    "resource": {
      "id":"4a1e21c5-8a76-4578-acb1-641160e076e8",
      "resourceType":"Security Group",
      "originId":"f4892fac-e81c-4712-bdf2-a4450008a4b0",
      "originSystem":"AadGroup"
    }
  },
  "scope": {
    "originId":"f4892fac-e81c-4712-bdf2-a4450008a4b0",
    "originSystem":"AadGroup"
  }
}

Antwort

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/accessPackages('88203d16-0e31-41d4-87b2-dd402f1435e9')/accessPackageResourceRoleScopes/$entity",
  "id": "e081321b-2802-4834-a6ca-6f598ce3cdf7_6dbd2209-9d14-4c76-b92b-fcb00e835fe1",
  "createdDateTime": "2024-03-26T19:56:00.6320729Z",
}

Das Zugriffspaket verfügt jetzt über eine Ressourcenrolle, die Gruppenmitgliedschaft. Die Rolle wird jedem Benutzer zugewiesen, der über das Zugriffspaket verfügt.

Schritt 1.7: Erstellen einer Zugriffspaketrichtlinie

Nachdem Sie das Zugriffspaket erstellt und Ressourcen und Rollen hinzugefügt haben, können Sie entscheiden, wer darauf zugreifen kann, indem Sie eine Zugriffspaketrichtlinie erstellen. In diesem Tutorial aktivieren Sie das von Ihnen erstellte Requestor1-Konto , um Zugriff auf die Ressourcen im Zugriffspaket anzufordern. Für diese Aufgabe benötigen Sie die folgenden Werte:

ID des Zugriffspakets für den Wert der accessPackageId-Eigenschaft
ID des Benutzerkontos Requestor1 für den Wert der Id-Eigenschaft in allowedRequestors

Der Wert der durationInDays-Eigenschaft ermöglicht es dem Requestor1-Konto , bis zu 30 Tage lang auf die Ressourcen im Zugriffspaket zuzugreifen. Notieren Sie sich den Wert der id-Eigenschaft , die später in diesem Tutorial zur Verwendung zurückgegeben wird.

Anforderung

POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies
Content-type: application/json

{
  "accessPackageId": "88203d16-0e31-41d4-87b2-dd402f1435e9",
  "displayName": "Specific users",
  "description": "Specific users can request assignment",
  "accessReviewSettings": null,
  "durationInDays": 30,
  "requestorSettings": {
    "scopeType": "SpecificDirectorySubjects",
    "acceptRequests": true,
    "allowedRequestors": [
       {
         "@odata.type": "#microsoft.graph.singleUser",
         "isBackup": false,
         "id": "007d1c7e-7fa8-4e33-b678-5e437acdcddc",
         "description": "Requestor1"
       }
    ]
  },
  "requestApprovalSettings": {
    "isApprovalRequired": false,
    "isApprovalRequiredForExtension": false,
    "isRequestorJustificationRequired": false,
    "approvalMode": "NoApproval",
    "approvalStages": []
  }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new AccessPackageAssignmentPolicy
{
	AccessPackageId = "88203d16-0e31-41d4-87b2-dd402f1435e9",
	DisplayName = "Specific users",
	Description = "Specific users can request assignment",
	AccessReviewSettings = null,
	DurationInDays = 30,
	RequestorSettings = new RequestorSettings
	{
		ScopeType = "SpecificDirectorySubjects",
		AcceptRequests = true,
		AllowedRequestors = new List<UserSet>
		{
			new SingleUser
			{
				OdataType = "#microsoft.graph.singleUser",
				IsBackup = false,
				Id = "007d1c7e-7fa8-4e33-b678-5e437acdcddc",
				Description = "Requestor1",
			},
		},
	},
	RequestApprovalSettings = new ApprovalSettings
	{
		IsApprovalRequired = false,
		IsApprovalRequiredForExtension = false,
		IsRequestorJustificationRequired = false,
		ApprovalMode = "NoApproval",
		ApprovalStages = new List<ApprovalStage>
		{
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackageAssignmentPolicies.PostAsync(requestBody);



mgc-beta identity-governance entitlement-management access-package-assignment-policies create --body '{\
  "accessPackageId": "88203d16-0e31-41d4-87b2-dd402f1435e9",\
  "displayName": "Specific users",\
  "description": "Specific users can request assignment",\
  "accessReviewSettings": null,\
  "durationInDays": 30,\
  "requestorSettings": {\
    "scopeType": "SpecificDirectorySubjects",\
    "acceptRequests": true,\
    "allowedRequestors": [\
       {\
         "@odata.type": "#microsoft.graph.singleUser",\
         "isBackup": false,\
         "id": "007d1c7e-7fa8-4e33-b678-5e437acdcddc",\
         "description": "Requestor1"\
       }\
    ]\
  },\
  "requestApprovalSettings": {\
    "isApprovalRequired": false,\
    "isApprovalRequiredForExtension": false,\
    "isRequestorJustificationRequired": false,\
    "approvalMode": "NoApproval",\
    "approvalStages": []\
  }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewAccessPackageAssignmentPolicy()
accessPackageId := "88203d16-0e31-41d4-87b2-dd402f1435e9"
requestBody.SetAccessPackageId(&accessPackageId) 
displayName := "Specific users"
requestBody.SetDisplayName(&displayName) 
description := "Specific users can request assignment"
requestBody.SetDescription(&description) 
accessReviewSettings := null
requestBody.SetAccessReviewSettings(&accessReviewSettings) 
durationInDays := int32(30)
requestBody.SetDurationInDays(&durationInDays) 
requestorSettings := graphmodels.NewRequestorSettings()
scopeType := "SpecificDirectorySubjects"
requestorSettings.SetScopeType(&scopeType) 
acceptRequests := true
requestorSettings.SetAcceptRequests(&acceptRequests) 


userSet := graphmodels.NewSingleUser()
isBackup := false
userSet.SetIsBackup(&isBackup) 
id := "007d1c7e-7fa8-4e33-b678-5e437acdcddc"
userSet.SetId(&id) 
description := "Requestor1"
userSet.SetDescription(&description) 

allowedRequestors := []graphmodels.UserSetable {
	userSet,
}
requestorSettings.SetAllowedRequestors(allowedRequestors)
requestBody.SetRequestorSettings(requestorSettings)
requestApprovalSettings := graphmodels.NewApprovalSettings()
isApprovalRequired := false
requestApprovalSettings.SetIsApprovalRequired(&isApprovalRequired) 
isApprovalRequiredForExtension := false
requestApprovalSettings.SetIsApprovalRequiredForExtension(&isApprovalRequiredForExtension) 
isRequestorJustificationRequired := false
requestApprovalSettings.SetIsRequestorJustificationRequired(&isRequestorJustificationRequired) 
approvalMode := "NoApproval"
requestApprovalSettings.SetApprovalMode(&approvalMode) 
approvalStages := []graphmodels.ApprovalStageable {

}
requestApprovalSettings.SetApprovalStages(approvalStages)
requestBody.SetRequestApprovalSettings(requestApprovalSettings)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackageAssignmentPolicies, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackageAssignmentPolicies().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackageAssignmentPolicy accessPackageAssignmentPolicy = new AccessPackageAssignmentPolicy();
accessPackageAssignmentPolicy.setAccessPackageId("88203d16-0e31-41d4-87b2-dd402f1435e9");
accessPackageAssignmentPolicy.setDisplayName("Specific users");
accessPackageAssignmentPolicy.setDescription("Specific users can request assignment");
accessPackageAssignmentPolicy.setAccessReviewSettings(null);
accessPackageAssignmentPolicy.setDurationInDays(30);
RequestorSettings requestorSettings = new RequestorSettings();
requestorSettings.setScopeType("SpecificDirectorySubjects");
requestorSettings.setAcceptRequests(true);
LinkedList<UserSet> allowedRequestors = new LinkedList<UserSet>();
SingleUser userSet = new SingleUser();
userSet.setOdataType("#microsoft.graph.singleUser");
userSet.setIsBackup(false);
userSet.setId("007d1c7e-7fa8-4e33-b678-5e437acdcddc");
userSet.setDescription("Requestor1");
allowedRequestors.add(userSet);
requestorSettings.setAllowedRequestors(allowedRequestors);
accessPackageAssignmentPolicy.setRequestorSettings(requestorSettings);
ApprovalSettings requestApprovalSettings = new ApprovalSettings();
requestApprovalSettings.setIsApprovalRequired(false);
requestApprovalSettings.setIsApprovalRequiredForExtension(false);
requestApprovalSettings.setIsRequestorJustificationRequired(false);
requestApprovalSettings.setApprovalMode("NoApproval");
LinkedList<ApprovalStage> approvalStages = new LinkedList<ApprovalStage>();
requestApprovalSettings.setApprovalStages(approvalStages);
accessPackageAssignmentPolicy.setRequestApprovalSettings(requestApprovalSettings);
AccessPackageAssignmentPolicy result = graphClient.identityGovernance().entitlementManagement().accessPackageAssignmentPolicies().post(accessPackageAssignmentPolicy);


const options = {
	authProvider,
};

const client = Client.init(options);

const accessPackageAssignmentPolicy = {
  accessPackageId: '88203d16-0e31-41d4-87b2-dd402f1435e9',
  displayName: 'Specific users',
  description: 'Specific users can request assignment',
  accessReviewSettings: null,
  durationInDays: 30,
  requestorSettings: {
    scopeType: 'SpecificDirectorySubjects',
    acceptRequests: true,
    allowedRequestors: [
       {
         '@odata.type': '#microsoft.graph.singleUser',
         isBackup: false,
         id: '007d1c7e-7fa8-4e33-b678-5e437acdcddc',
         description: 'Requestor1'
       }
    ]
  },
  requestApprovalSettings: {
    isApprovalRequired: false,
    isApprovalRequiredForExtension: false,
    isRequestorJustificationRequired: false,
    approvalMode: 'NoApproval',
    approvalStages: []
  }
};

await client.api('/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies')
	.version('beta')
	.post(accessPackageAssignmentPolicy);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageAssignmentPolicy;
use Microsoft\Graph\Beta\Generated\Models\RequestorSettings;
use Microsoft\Graph\Beta\Generated\Models\UserSet;
use Microsoft\Graph\Beta\Generated\Models\SingleUser;
use Microsoft\Graph\Beta\Generated\Models\ApprovalSettings;
use Microsoft\Graph\Beta\Generated\Models\ApprovalStage;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AccessPackageAssignmentPolicy();
$requestBody->setAccessPackageId('88203d16-0e31-41d4-87b2-dd402f1435e9');
$requestBody->setDisplayName('Specific users');
$requestBody->setDescription('Specific users can request assignment');
$requestBody->setAccessReviewSettings(null);
$requestBody->setDurationInDays(30);
$requestorSettings = new RequestorSettings();
$requestorSettings->setScopeType('SpecificDirectorySubjects');
$requestorSettings->setAcceptRequests(true);
$allowedRequestorsUserSet1 = new SingleUser();
$allowedRequestorsUserSet1->setOdataType('#microsoft.graph.singleUser');
$allowedRequestorsUserSet1->setIsBackup(false);
$allowedRequestorsUserSet1->setId('007d1c7e-7fa8-4e33-b678-5e437acdcddc');
$allowedRequestorsUserSet1->setDescription('Requestor1');
$allowedRequestorsArray []= $allowedRequestorsUserSet1;
$requestorSettings->setAllowedRequestors($allowedRequestorsArray);

$requestBody->setRequestorSettings($requestorSettings);
$requestApprovalSettings = new ApprovalSettings();
$requestApprovalSettings->setIsApprovalRequired(false);
$requestApprovalSettings->setIsApprovalRequiredForExtension(false);
$requestApprovalSettings->setIsRequestorJustificationRequired(false);
$requestApprovalSettings->setApprovalMode('NoApproval');
$requestApprovalSettings->setApprovalStages([]);
$requestBody->setRequestApprovalSettings($requestApprovalSettings);

$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackageAssignmentPolicies()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	accessPackageId = "88203d16-0e31-41d4-87b2-dd402f1435e9"
	displayName = "Specific users"
	description = "Specific users can request assignment"
	accessReviewSettings = $null
	durationInDays = 30
	requestorSettings = @{
		scopeType = "SpecificDirectorySubjects"
		acceptRequests = $true
		allowedRequestors = @(
			@{
				"@odata.type" = "#microsoft.graph.singleUser"
				isBackup = $false
				id = "007d1c7e-7fa8-4e33-b678-5e437acdcddc"
				description = "Requestor1"
			}
		)
	}
	requestApprovalSettings = @{
		isApprovalRequired = $false
		isApprovalRequiredForExtension = $false
		isRequestorJustificationRequired = $false
		approvalMode = "NoApproval"
		approvalStages = @(
		)
	}
}

New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.access_package_assignment_policy import AccessPackageAssignmentPolicy
from msgraph_beta.generated.models.requestor_settings import RequestorSettings
from msgraph_beta.generated.models.user_set import UserSet
from msgraph_beta.generated.models.single_user import SingleUser
from msgraph_beta.generated.models.approval_settings import ApprovalSettings
from msgraph_beta.generated.models.approval_stage import ApprovalStage
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageAssignmentPolicy(
	access_package_id = "88203d16-0e31-41d4-87b2-dd402f1435e9",
	display_name = "Specific users",
	description = "Specific users can request assignment",
	access_review_settings = None,
	duration_in_days = 30,
	requestor_settings = RequestorSettings(
		scope_type = "SpecificDirectorySubjects",
		accept_requests = True,
		allowed_requestors = [
			SingleUser(
				odata_type = "#microsoft.graph.singleUser",
				is_backup = False,
				id = "007d1c7e-7fa8-4e33-b678-5e437acdcddc",
				description = "Requestor1",
			),
		],
	),
	request_approval_settings = ApprovalSettings(
		is_approval_required = False,
		is_approval_required_for_extension = False,
		is_requestor_justification_required = False,
		approval_mode = "NoApproval",
		approval_stages = [
		],
	),
)

result = await graph_client.identity_governance.entitlement_management.access_package_assignment_policies.post(request_body)

Antwort

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#accessPackageAssignmentPolicies/$entity",
  "id": "db440482-1210-4a60-9b55-3ac7a72f63ba",
  "accessPackageId": "88203d16-0e31-41d4-87b2-dd402f1435e9",
  "displayName": "Specific users",
  "description": "Specific users can request assignment",
  "canExtend": false,
  "durationInDays": 30,
  "expirationDateTime": null,
  "createdBy": "admin@contoso.com",
  "createdDateTime": "2020-06-29T19:47:44.7399675Z",
  "modifiedBy": "admin@contoso.com",
  "modifiedDateTime": "2020-06-29T19:47:44.7555489Z",
  "accessReviewSettings": null,
  "requestorSettings": {
    "scopeType": "SpecificDirectorySubjects",
    "acceptRequests": true,
    "allowedRequestors": [
      {
        "@odata.type": "#microsoft.graph.singleUser",
        "isBackup": false,
        "id": "007d1c7e-7fa8-4e33-b678-5e437acdcddc",
        "description": "Requestor1"
      }
    ]
  },
  "requestApprovalSettings": {
    "isApprovalRequired": false,
    "isApprovalRequiredForExtension": false,
    "isRequestorJustificationRequired": false,
    "approvalMode": "NoApproval",
    "approvalStages": []
  }
}

Schritt 2: Anfordern des Zugriffs

In diesem Schritt fordert das Benutzerkonto Requestor1 Zugriff auf die Ressourcen im Zugriffspaket an.

Um zugriff auf Ressourcen im Zugriffspaket anzufordern, müssen Sie die folgenden Werte angeben:

ID des Requestor1-Benutzerkontos , das Sie für den Wert der targetId-Eigenschaft erstellt haben
ID der Zuweisungsrichtlinie für den Wert der assignmentPolicyId-Eigenschaft
ID des Zugriffspakets für den Wert der accessPackageId-Eigenschaft

In der Antwort ist Accepted der status und ein Zustand ist Submitted. Notieren Sie sich den Wert der id-Eigenschaft, der zurückgegeben wird, um später die status der Anforderung abzurufen.

Starten Sie eine neue anonyme Browsersitzung, und melden Sie sich bei Requestor1 an. Dadurch unterbrechen Sie ihre aktuelle Administratorsitzung nicht. Alternativ können Sie Ihre aktuelle Administratorsitzung unterbrechen, indem Sie sich bei Graph Explorer abmelden und sich als Anforderer1 wieder anmelden.

Anforderung

POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
Content-type: application/json

{
  "requestType": "UserAdd",
  "accessPackageAssignment":{
     "targetId":"007d1c7e-7fa8-4e33-b678-5e437acdcddc",
     "assignmentPolicyId":"db440482-1210-4a60-9b55-3ac7a72f63ba",
     "accessPackageId":"88203d16-0e31-41d4-87b2-dd402f1435e9"
  }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new AccessPackageAssignmentRequest
{
	RequestType = "UserAdd",
	AccessPackageAssignment = new AccessPackageAssignment
	{
		TargetId = "007d1c7e-7fa8-4e33-b678-5e437acdcddc",
		AssignmentPolicyId = "db440482-1210-4a60-9b55-3ac7a72f63ba",
		AccessPackageId = "88203d16-0e31-41d4-87b2-dd402f1435e9",
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackageAssignmentRequests.PostAsync(requestBody);



mgc-beta identity-governance entitlement-management access-package-assignment-requests create --body '{\
  "requestType": "UserAdd",\
  "accessPackageAssignment":{\
     "targetId":"007d1c7e-7fa8-4e33-b678-5e437acdcddc",\
     "assignmentPolicyId":"db440482-1210-4a60-9b55-3ac7a72f63ba",\
     "accessPackageId":"88203d16-0e31-41d4-87b2-dd402f1435e9"\
  }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewAccessPackageAssignmentRequest()
requestType := "UserAdd"
requestBody.SetRequestType(&requestType) 
accessPackageAssignment := graphmodels.NewAccessPackageAssignment()
targetId := "007d1c7e-7fa8-4e33-b678-5e437acdcddc"
accessPackageAssignment.SetTargetId(&targetId) 
assignmentPolicyId := "db440482-1210-4a60-9b55-3ac7a72f63ba"
accessPackageAssignment.SetAssignmentPolicyId(&assignmentPolicyId) 
accessPackageId := "88203d16-0e31-41d4-87b2-dd402f1435e9"
accessPackageAssignment.SetAccessPackageId(&accessPackageId) 
requestBody.SetAccessPackageAssignment(accessPackageAssignment)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackageAssignmentRequests, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackageAssignmentRequests().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackageAssignmentRequest accessPackageAssignmentRequest = new AccessPackageAssignmentRequest();
accessPackageAssignmentRequest.setRequestType("UserAdd");
AccessPackageAssignment accessPackageAssignment = new AccessPackageAssignment();
accessPackageAssignment.setTargetId("007d1c7e-7fa8-4e33-b678-5e437acdcddc");
accessPackageAssignment.setAssignmentPolicyId("db440482-1210-4a60-9b55-3ac7a72f63ba");
accessPackageAssignment.setAccessPackageId("88203d16-0e31-41d4-87b2-dd402f1435e9");
accessPackageAssignmentRequest.setAccessPackageAssignment(accessPackageAssignment);
AccessPackageAssignmentRequest result = graphClient.identityGovernance().entitlementManagement().accessPackageAssignmentRequests().post(accessPackageAssignmentRequest);


const options = {
	authProvider,
};

const client = Client.init(options);

const accessPackageAssignmentRequest = {
  requestType: 'UserAdd',
  accessPackageAssignment: {
     targetId: '007d1c7e-7fa8-4e33-b678-5e437acdcddc',
     assignmentPolicyId: 'db440482-1210-4a60-9b55-3ac7a72f63ba',
     accessPackageId: '88203d16-0e31-41d4-87b2-dd402f1435e9'
  }
};

await client.api('/identityGovernance/entitlementManagement/accessPackageAssignmentRequests')
	.version('beta')
	.post(accessPackageAssignmentRequest);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageAssignment;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AccessPackageAssignmentRequest();
$requestBody->setRequestType('UserAdd');
$accessPackageAssignment = new AccessPackageAssignment();
$accessPackageAssignment->setTargetId('007d1c7e-7fa8-4e33-b678-5e437acdcddc');
$accessPackageAssignment->setAssignmentPolicyId('db440482-1210-4a60-9b55-3ac7a72f63ba');
$accessPackageAssignment->setAccessPackageId('88203d16-0e31-41d4-87b2-dd402f1435e9');
$requestBody->setAccessPackageAssignment($accessPackageAssignment);

$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackageAssignmentRequests()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	requestType = "UserAdd"
	accessPackageAssignment = @{
		targetId = "007d1c7e-7fa8-4e33-b678-5e437acdcddc"
		assignmentPolicyId = "db440482-1210-4a60-9b55-3ac7a72f63ba"
		accessPackageId = "88203d16-0e31-41d4-87b2-dd402f1435e9"
	}
}

New-MgBetaEntitlementManagementAccessPackageAssignmentRequest -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.access_package_assignment_request import AccessPackageAssignmentRequest
from msgraph_beta.generated.models.access_package_assignment import AccessPackageAssignment
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageAssignmentRequest(
	request_type = "UserAdd",
	access_package_assignment = AccessPackageAssignment(
		target_id = "007d1c7e-7fa8-4e33-b678-5e437acdcddc",
		assignment_policy_id = "db440482-1210-4a60-9b55-3ac7a72f63ba",
		access_package_id = "88203d16-0e31-41d4-87b2-dd402f1435e9",
	),
)

result = await graph_client.identity_governance.entitlement_management.access_package_assignment_requests.post(request_body)

Antwort

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#accessPackageAssignmentRequests/$entity",
    "createdDateTime": null,
    "completedDate": null,
    "id": "a6bb6942-3ae1-4259-9908-0133aaee9377",
    "requestType": "UserAdd",
    "requestState": "Submitted",
    "requestStatus": "Accepted",
    "isValidationOnly": false,
    "expirationDateTime": null,
    "justification": null
}

Sie können sich jetzt abmelden und die anonyme Sitzung beenden.

Schritt 3: Überprüfen, ob der Zugriff zugewiesen wurde

In diesem Schritt bestätigen Sie, dass dem Benutzerkonto Requestor1 das Zugriffspaket zugewiesen wurde und dass sie jetzt Mitglied der Gruppe Marketingressourcen sind. Kehren Sie zur Administratorsitzung in Graph Explorer zurück.

Schritt 3.1: Abrufen der status der Anforderung

Verwenden Sie den Wert der id-Eigenschaft der Anforderung, um die aktuelle status abzurufen. In der Antwort sehen Sie, dass sich die status in Erfüllt und der Status in Übermittelt geändert hat.

Anforderung

GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/a6bb6942-3ae1-4259-9908-0133aaee9377


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackageAssignmentRequests["{accessPackageAssignmentRequest-id}"].GetAsync();



mgc-beta identity-governance entitlement-management access-package-assignment-requests get --access-package-assignment-request-id {accessPackageAssignmentRequest-id}



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackageAssignmentRequests, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackageAssignmentRequests().ByAccessPackageAssignmentRequestId("accessPackageAssignmentRequest-id").Get(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackageAssignmentRequest result = graphClient.identityGovernance().entitlementManagement().accessPackageAssignmentRequests().byAccessPackageAssignmentRequestId("{accessPackageAssignmentRequest-id}").get();


const options = {
	authProvider,
};

const client = Client.init(options);

let accessPackageAssignmentRequest = await client.api('/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/a6bb6942-3ae1-4259-9908-0133aaee9377')
	.version('beta')
	.get();


<?php
use Microsoft\Graph\Beta\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackageAssignmentRequests()->byAccessPackageAssignmentRequestId('accessPackageAssignmentRequest-id')->get()->wait();


Import-Module Microsoft.Graph.Beta.Identity.Governance

Get-MgBetaEntitlementManagementAccessPackageAssignmentRequest -AccessPackageAssignmentRequestId $accessPackageAssignmentRequestId


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

result = await graph_client.identity_governance.entitlement_management.access_package_assignment_requests.by_access_package_assignment_request_id('accessPackageAssignmentRequest-id').get()

Antwort

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#accessPackageAssignmentRequests/$entity",
  "createdDateTime": "2020-06-29T20:24:24.683Z",
  "completedDate": "2020-06-29T20:24:47.937Z",
  "id": "a6bb6942-3ae1-4259-9908-0133aaee9377",
  "requestType": "UserAdd",
  "requestState": "Delivered",
  "requestStatus": "FulfilledNotificationTriggered",
  "isValidationOnly": false,
  "expirationDateTime": null,
  "justification": null
}

Schritt 3.2: Abrufen von Zugriffspaketzuweisungen

Sie können auch die ID der Zugriffspaketrichtlinie verwenden, die Sie erstellt haben, um festzustellen, dass Ressourcen dem Benutzerkonto Requestor1 zugewiesen wurden.

Anforderung

GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignments?$filter=accessPackageAssignmentPolicy/Id eq 'db440482-1210-4a60-9b55-3ac7a72f63ba'&$expand=target,accessPackageAssignmentResourceRoles


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackageAssignments.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "accessPackageAssignmentPolicy/Id eq 'db440482-1210-4a60-9b55-3ac7a72f63ba'";
	requestConfiguration.QueryParameters.Expand = new string []{ "target","accessPackageAssignmentResourceRoles" };
});



mgc-beta identity-governance entitlement-management access-package-assignments list --filter "accessPackageAssignmentPolicy/Id eq 'db440482-1210-4a60-9b55-3ac7a72f63ba'" --expand "target,accessPackageAssignmentResourceRoles"



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphidentitygovernance "github.com/microsoftgraph/msgraph-beta-sdk-go/identitygovernance"
	  //other-imports
)


requestFilter := "accessPackageAssignmentPolicy/Id eq 'db440482-1210-4a60-9b55-3ac7a72f63ba'"

requestParameters := &graphidentitygovernance.IdentityGovernanceEntitlementManagementAccessPackageAssignmentsRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
	Expand: [] string {"target","accessPackageAssignmentResourceRoles"},
}
configuration := &graphidentitygovernance.IdentityGovernanceEntitlementManagementAccessPackageAssignmentsRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackageAssignments, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackageAssignments().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackageAssignmentCollectionResponse result = graphClient.identityGovernance().entitlementManagement().accessPackageAssignments().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "accessPackageAssignmentPolicy/Id eq 'db440482-1210-4a60-9b55-3ac7a72f63ba'";
	requestConfiguration.queryParameters.expand = new String []{"target", "accessPackageAssignmentResourceRoles"};
});


const options = {
	authProvider,
};

const client = Client.init(options);

let accessPackageAssignments = await client.api('/identityGovernance/entitlementManagement/accessPackageAssignments')
	.version('beta')
	.filter('accessPackageAssignmentPolicy/Id eq \'db440482-1210-4a60-9b55-3ac7a72f63ba\'')
	.expand('target,accessPackageAssignmentResourceRoles')
	.get();


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\IdentityGovernance\EntitlementManagement\AccessPackageAssignments\AccessPackageAssignmentsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new AccessPackageAssignmentsRequestBuilderGetRequestConfiguration();
$queryParameters = AccessPackageAssignmentsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "accessPackageAssignmentPolicy/Id eq 'db440482-1210-4a60-9b55-3ac7a72f63ba'";
$queryParameters->expand = ["target","accessPackageAssignmentResourceRoles"];
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackageAssignments()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Beta.Identity.Governance

Get-MgBetaEntitlementManagementAccessPackageAssignment -Filter "accessPackageAssignmentPolicy/Id eq 'db440482-1210-4a60-9b55-3ac7a72f63ba'" -ExpandProperty "target,accessPackageAssignmentResourceRoles"


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.identity_governance.entitlement_management.access_package_assignments.access_package_assignments_request_builder import AccessPackageAssignmentsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = AccessPackageAssignmentsRequestBuilder.AccessPackageAssignmentsRequestBuilderGetQueryParameters(
		filter = "accessPackageAssignmentPolicy/Id eq 'db440482-1210-4a60-9b55-3ac7a72f63ba'",
		expand = ["target","accessPackageAssignmentResourceRoles"],
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.identity_governance.entitlement_management.access_package_assignments.get(request_configuration = request_configuration)

Antwort

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#accessPackageAssignments",
  "value": [
    {
      "id": "a6bb6942-3ae1-4259-9908-0133aaee9377",
      "catalogId": "cec5d6ab-c75d-47c0-9c1c-92e89f66e384",
      "accessPackageId": "88203d16-0e31-41d4-87b2-dd402f1435e9",
      "assignmentPolicyId": "db440482-1210-4a60-9b55-3ac7a72f63ba",
      "targetId": "2bc42425-6dc5-4f2a-9ebb-7a7464481eb0",
      "assignmentStatus": "Delivered",
      "assignmentState": "Delivered",
      "isExtended": false,
      "expiredDateTime": null,
      "target": {
         "id": "8586ddc8-0ff7-4c24-9c79-f192bc3566e3",
         "objectId": "2bc42425-6dc5-4f2a-9ebb-7a7464481eb0"
      },
      "accessPackageAssignmentResourceRoles": [
         {
            "id": "bdb7e0a0-a927-42ab-bf30-c5b5533dc54a",
            "originSystem": "AadGroup",
            "status": "Fulfilled"
         }
      ]
    }
  ]
}

Schritt 3.3: Abrufen der Mitglieder der Gruppe

Nachdem die Anforderung erteilt wurde, können Sie die ID verwenden, die Sie für die Gruppe Marketingressourcen notiert haben, um festzustellen, dass ihr das Benutzerkonto Requestor1 hinzugefügt wurde.

Anforderung

GET https://graph.microsoft.com/v1.0/groups/f4892fac-e81c-4712-bdf2-a4450008a4b0/members


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Groups["{group-id}"].Members.GetAsync();



mgc groups members list --group-id {group-id}



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
members, err := graphClient.Groups().ByGroupId("group-id").Members().Get(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

DirectoryObjectCollectionResponse result = graphClient.groups().byGroupId("{group-id}").members().get();


const options = {
	authProvider,
};

const client = Client.init(options);

let members = await client.api('/groups/f4892fac-e81c-4712-bdf2-a4450008a4b0/members')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$result = $graphServiceClient->groups()->byGroupId('group-id')->members()->get()->wait();


Import-Module Microsoft.Graph.Groups

Get-MgGroupMember -GroupId $groupId


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

result = await graph_client.groups.by_group_id('group-id').members.get()

Antwort:

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#directoryObjects",
  "value": [
    {
      "@odata.type": "#microsoft.graph.user",
      "id": "007d1c7e-7fa8-4e33-b678-5e437acdcddc",
      "deletedDateTime": null,
      "accountEnabled": true,
      "ageGroup": null,
      "businessPhones": [],
      "city": null,
      "createdDateTime": "2020-06-23T18:43:24Z",
      "creationType": null,
      "companyName": null,
      "consentProvidedForMinor": null,
      "country": null,
      "department": null,
      "displayName": "Requestor1",
      "employeeId": null,
      "faxNumber": null,
      "givenName": null,
      "imAddresses": [],
      "infoCatalogs": [],
      "isResourceAccount": null,
      "jobTitle": null,
      "legalAgeGroupClassification": null,
      "mail": null,
      "mailNickname": "Requestor1"
    }
  ]
}

Schritt 4: Bereinigen von Ressourcen

In diesem Schritt entfernen Sie die vorgenommenen Änderungen und löschen das Zugriffspaket für die Marketingkampagne .

Entfernen einer Zugriffspaketzuweisung

Sie müssen alle Zuweisungen zum Zugriffspaket entfernen, bevor Sie es löschen können. Verwenden Sie die ID der Zuweisungsanforderung, die Sie zuvor aufgezeichnet haben, um sie zu löschen.

Anforderung

POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
Content-type: application/json

{
  "requestType": "AdminRemove",
  "accessPackageAssignment":{
     "id": "a6bb6942-3ae1-4259-9908-0133aaee9377"
  }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new AccessPackageAssignmentRequest
{
	RequestType = "AdminRemove",
	AccessPackageAssignment = new AccessPackageAssignment
	{
		Id = "a6bb6942-3ae1-4259-9908-0133aaee9377",
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackageAssignmentRequests.PostAsync(requestBody);



mgc-beta identity-governance entitlement-management access-package-assignment-requests create --body '{\
  "requestType": "AdminRemove",\
  "accessPackageAssignment":{\
     "id": "a6bb6942-3ae1-4259-9908-0133aaee9377"\
  }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewAccessPackageAssignmentRequest()
requestType := "AdminRemove"
requestBody.SetRequestType(&requestType) 
accessPackageAssignment := graphmodels.NewAccessPackageAssignment()
id := "a6bb6942-3ae1-4259-9908-0133aaee9377"
accessPackageAssignment.SetId(&id) 
requestBody.SetAccessPackageAssignment(accessPackageAssignment)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackageAssignmentRequests, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackageAssignmentRequests().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AccessPackageAssignmentRequest accessPackageAssignmentRequest = new AccessPackageAssignmentRequest();
accessPackageAssignmentRequest.setRequestType("AdminRemove");
AccessPackageAssignment accessPackageAssignment = new AccessPackageAssignment();
accessPackageAssignment.setId("a6bb6942-3ae1-4259-9908-0133aaee9377");
accessPackageAssignmentRequest.setAccessPackageAssignment(accessPackageAssignment);
AccessPackageAssignmentRequest result = graphClient.identityGovernance().entitlementManagement().accessPackageAssignmentRequests().post(accessPackageAssignmentRequest);


const options = {
	authProvider,
};

const client = Client.init(options);

const accessPackageAssignmentRequest = {
  requestType: 'AdminRemove',
  accessPackageAssignment: {
     id: 'a6bb6942-3ae1-4259-9908-0133aaee9377'
  }
};

await client.api('/identityGovernance/entitlementManagement/accessPackageAssignmentRequests')
	.version('beta')
	.post(accessPackageAssignmentRequest);


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageAssignment;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AccessPackageAssignmentRequest();
$requestBody->setRequestType('AdminRemove');
$accessPackageAssignment = new AccessPackageAssignment();
$accessPackageAssignment->setId('a6bb6942-3ae1-4259-9908-0133aaee9377');
$requestBody->setAccessPackageAssignment($accessPackageAssignment);

$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackageAssignmentRequests()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	requestType = "AdminRemove"
	accessPackageAssignment = @{
		id = "a6bb6942-3ae1-4259-9908-0133aaee9377"
	}
}

New-MgBetaEntitlementManagementAccessPackageAssignmentRequest -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.access_package_assignment_request import AccessPackageAssignmentRequest
from msgraph_beta.generated.models.access_package_assignment import AccessPackageAssignment
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageAssignmentRequest(
	request_type = "AdminRemove",
	access_package_assignment = AccessPackageAssignment(
		id = "a6bb6942-3ae1-4259-9908-0133aaee9377",
	),
)

result = await graph_client.identity_governance.entitlement_management.access_package_assignment_requests.post(request_body)

Antwort

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#accessPackageAssignmentRequests/$entity",
    "createdDateTime": null,
    "completedDate": null,
    "id": "78eaee8c-e6cf-48c9-8f99-aae44c35e379",
    "requestType": "AdminRemove",
    "requestState": "Submitted",
    "requestStatus": "Accepted",
    "isValidationOnly": false,
    "expirationDateTime": null,
    "justification": null
}

Löschen der Zugriffspaketzuweisungsrichtlinie

Verwenden Sie die ID der Zuweisungsrichtlinie, die Sie zuvor notiert haben, um sie zu löschen. Stellen Sie sicher, dass zuerst alle Zuweisungen entfernt werden. Die Anforderung gibt einen 204 No Content Antwortcode zurück.

DELETE https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/6c1f65ec-8c25-4a45-83c2-a1de2a6d0e9f


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.IdentityGovernance.EntitlementManagement.AccessPackageAssignmentPolicies["{accessPackageAssignmentPolicy-id}"].DeleteAsync();



mgc-beta identity-governance entitlement-management access-package-assignment-policies delete --access-package-assignment-policy-id {accessPackageAssignmentPolicy-id}



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.IdentityGovernance().EntitlementManagement().AccessPackageAssignmentPolicies().ByAccessPackageAssignmentPolicyId("accessPackageAssignmentPolicy-id").Delete(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

graphClient.identityGovernance().entitlementManagement().accessPackageAssignmentPolicies().byAccessPackageAssignmentPolicyId("{accessPackageAssignmentPolicy-id}").delete();


const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/6c1f65ec-8c25-4a45-83c2-a1de2a6d0e9f')
	.version('beta')
	.delete();


<?php
use Microsoft\Graph\Beta\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$graphServiceClient->identityGovernance()->entitlementManagement()->accessPackageAssignmentPolicies()->byAccessPackageAssignmentPolicyId('accessPackageAssignmentPolicy-id')->delete()->wait();


Import-Module Microsoft.Graph.Beta.Identity.Governance

Remove-MgBetaEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageAssignmentPolicyId $accessPackageAssignmentPolicyId


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

await graph_client.identity_governance.entitlement_management.access_package_assignment_policies.by_access_package_assignment_policy_id('accessPackageAssignmentPolicy-id').delete()

Löschen des Zugriffspakets

Verwenden Sie die ID des Zuvor aufgezeichneten Zugriffspakets, um es zu löschen. Die Anforderung gibt einen 204 No Content Antwortcode zurück.

Anforderung

DELETE https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/cf54c6ca-d717-49bc-babe-d140d035dfdd


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages["{accessPackage-id}"].DeleteAsync();



mgc-beta identity-governance entitlement-management access-packages delete --access-package-id {accessPackage-id}



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.IdentityGovernance().EntitlementManagement().AccessPackages().ByAccessPackageId("accessPackage-id").Delete(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

graphClient.identityGovernance().entitlementManagement().accessPackages().byAccessPackageId("{accessPackage-id}").delete();


const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/identityGovernance/entitlementManagement/accessPackages/cf54c6ca-d717-49bc-babe-d140d035dfdd')
	.version('beta')
	.delete();


<?php
use Microsoft\Graph\Beta\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$graphServiceClient->identityGovernance()->entitlementManagement()->accessPackages()->byAccessPackageId('accessPackage-id')->delete()->wait();


Import-Module Microsoft.Graph.Beta.Identity.Governance

Remove-MgBetaEntitlementManagementAccessPackage -AccessPackageId $accessPackageId


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

await graph_client.identity_governance.entitlement_management.access_packages.by_access_package_id('accessPackage-id').delete()

Zusammenfassung

In diesem Tutorial waren die Marketingkampagnenressourcen Mitglied einer einzelnen Gruppe, die Zugriff auf andere Ressourcen haben könnte. Die Ressourcen können auch eine Sammlung von Gruppen, Anwendungen oder SharePoint Online-Websites sein.

Die Funktionen in diesem Tutorial werden in Microsoft Entra ID P2- oder Microsoft Entra ID Governance-Lizenzen unterstützt. Andere erweiterte Berechtigungsverwaltungsfunktionen erfordern jedoch eine zusätzliche Lizenzierung. Weitere Informationen finden Sie unter Microsoft Entra ID Governance Lizenzierungsgrundlagen.

Arbeiten mit den APIs für die Microsoft Entra-Berechtigungsverwaltung

Freigeben über

Verwalten des Zugriffs auf Ressourcen mithilfe der Berechtigungsverwaltungs-APIs

Voraussetzungen

Schritt 1: Hinzufügen von Ressourcen zu einem Katalog und Erstellen eines Zugriffspakets

Schritt 1.1: Abrufen des Bezeichners für den allgemeinen Katalog

Anforderung

Antwort

Schritt 1.2: Hinzufügen der Gruppe zum Katalog

Anforderung

Antwort

Schritt 1.3: Abrufen von Katalogressourcen

Anforderung

Antwort

Schritt 1.4: Abrufen von Ressourcenrollen

Anforderung

Antwort

Schritt 1.5: Erstellen des Zugriffspakets

Anforderung

Antwort

Schritt 1.6: Hinzufügen einer Ressourcenrolle zum Zugriffspaket

Anforderung

Antwort

Schritt 1.7: Erstellen einer Zugriffspaketrichtlinie

Anforderung

Antwort

Schritt 2: Anfordern des Zugriffs

Anforderung

Antwort

Schritt 3: Überprüfen, ob der Zugriff zugewiesen wurde

Schritt 3.1: Abrufen der status der Anforderung

Anforderung

Antwort

Schritt 3.2: Abrufen von Zugriffspaketzuweisungen

Anforderung

Antwort

Schritt 3.3: Abrufen der Mitglieder der Gruppe

Anforderung

Antwort:

Schritt 4: Bereinigen von Ressourcen

Entfernen einer Zugriffspaketzuweisung

Anforderung

Antwort

Löschen der Zugriffspaketzuweisungsrichtlinie

Löschen des Zugriffspakets

Anforderung

Zusammenfassung

Verwandte Inhalte

Feedback

Zusätzliche Ressourcen