Azure Access Package direct assignment with approval

Gavin McCollin 20 Reputation points
2023-02-08T17:53:57.5933333+00:00

In the Azure Portal, I can navigate to Identity Governance | Access Packages | Access Package and then create a direct assignment for a user. The Azure Portal allows me to specify whether or not approvals are applied to the assignment request.

[Azure Portal Access Package Direct Assignment Screenshot](https://i.stack.imgur.com/GryfJ.png)

I can also create a direct assignment request using the Microsoft Graph, but I cannot figure out how to apply approvals to this request. Requests from the Graph seem to always bypass the approval policy.

Using Fiddler and the Azure Portal (ref screenshot above), I can see that the following JSON payload is POSTed to the Graph. So I took that exact same JSON payload and POSTed it with the Graph Explorer, but the approval process is still being bypassed.

How can I achieve the same behavior as the Azure Portal (i.e., direct access package assignment with approval)?

```json
{
    "requestType": "userAdd",
    "assignment": {
        "targetId": "eb8c01b5-0133-47c6-bfe2-7b1ba6c180d5",
        "assignmentPolicyId": "eb6a929c-e368-4d2f-ba48-2ddbe23671df",
        "accessPackageId": "3e239fde-d9e6-4e28-92b4-4b1a990799ce"
    },
    "requestApprovalSettings": {
        "isApprovalRequired": "true"
    }
}
```
Microsoft Security | Microsoft Graph

2 answers

  1. CharanyaB-MSFT 1,891 Reputation points
    2023-02-09T14:29:37.64+00:00

    Hello @Gavin McCollin,

    As per documentation, accessPackageAssignmentRequest currently doesn't support requestApprovalSettings property.

    Instead, you can try specifying the approvals while creating assignmentPolicies.

    Please refer to the example in below document:

    https://learn.microsoft.com/en-us/graph/api/entitlementmanagement-post-assignmentpolicies?view=graph-rest-1.0&tabs=http#examples

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  2. James Seddon 0 Reputation points
    2024-12-05T22:12:01.51+00:00

    Also requiring this functionality, I have tried every request type and JSON schema I can imagine and yet "adminAdd" always bypasses the approval flow defined in the policy. As the OP mentioned, this is possible through the Entra portal directly, which is using the "elm.iga.azure.com" API rather than GraphAPI.

    I am currently trying to build some automation that can raise requests on behalf of users for their managers to approve (which then triggers a logic app to make them eligible on a PIM group, but that's another story), and I've hit a brick wall with this limitation.

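The two answers above make one combined point: the approval requirement lives on the assignment policy (CharanyaB-MSFT's answer), and an assignment request cannot carry its own approval settings, so an administrative "adminAdd" request is applied directly regardless of the policy (James Seddon's observation). The script below is an added example, not code from the question, either answer, or Microsoft; it builds the v1.0 policy body with a one-stage approval, builds the assignment request body without any approval field, and adds a local pre-flight check that flags the configurations that would let automation bypass approval. All GUIDs are constructed placeholders, the approver user id is hypothetical, and the optional `post_json` helper only runs if you set `GRAPH_TOKEN` yourself.

```python
"""Added example: build Entitlement Management payloads and pre-check that an
assignment request will actually go through the policy's approval stage."""
import json
import os
import urllib.request

GRAPH_V1 = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement"

# Constructed placeholder identifiers (not from the original page).
ACCESS_PACKAGE_ID = "00000000-0000-0000-0000-00000000aaaa"
APPROVER_USER_ID = "00000000-0000-0000-0000-00000000bbbb"   # hypothetical approver
REQUESTOR_USER_ID = "00000000-0000-0000-0000-00000000cccc"  # hypothetical target user


def build_policy_with_approval(access_package_id, approver_user_id):
    """Body for POST {GRAPH_V1}/assignmentPolicies (v1.0 shape from the linked doc):
    approval is mandatory for new assignments, with a single approver stage."""
    return {
        "displayName": "Direct assignment with approval",
        "description": "Added example policy: approval required for every new assignment",
        "allowedTargetScope": "allMemberUsers",
        "requestorSettings": {"enableTargetsToSelfAddAccess": True},
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,
            "isApprovalRequiredForUpdate": False,
            "stages": [
                {
                    "durationBeforeAutomaticDenial": "P2D",
                    "isApproverJustificationRequired": True,
                    "isEscalationEnabled": False,
                    "primaryApprovers": [
                        {"@odata.type": "#microsoft.graph.singleUser", "userId": approver_user_id}
                    ],
                }
            ],
        },
        "accessPackage": {"id": access_package_id},
    }


def build_assignment_request(target_id, policy_id, access_package_id, request_type="userAdd"):
    """Body for POST {GRAPH_V1}/assignmentRequests. Deliberately carries no
    approval field: whether approval happens is decided by the referenced
    policy and by the requestType, not by the request itself."""
    return {
        "requestType": request_type,
        "assignment": {
            "targetId": target_id,
            "assignmentPolicyId": policy_id,
            "accessPackageId": access_package_id,
        },
    }


def policy_requires_approval(policy):
    """True when a policy object (as returned by GET .../assignmentPolicies/{id})
    routes new assignments through at least one approval stage."""
    settings = policy.get("requestApprovalSettings") or {}
    return bool(settings.get("isApprovalRequiredForAdd")) and len(settings.get("stages") or []) > 0


def preflight(request_body, policy):
    """Return the reasons this request would NOT go through approval (empty = OK).
    Run this before POSTing so automation cannot silently grant direct access."""
    problems = []
    if request_body.get("requestType") == "adminAdd":
        problems.append("requestType adminAdd is a direct administrative assignment; approval is not applied")
    if request_body["assignment"]["assignmentPolicyId"] != policy.get("id"):
        problems.append("request references a different policy than the one inspected")
    if not policy_requires_approval(policy):
        problems.append("policy has isApprovalRequiredForAdd false or defines no approval stages")
    if "requestApprovalSettings" in request_body:
        problems.append("requestApprovalSettings is not a property of accessPackageAssignmentRequest; remove it")
    return problems


def post_json(path, body, token):
    """Minimal POST helper (only used when a token is supplied; not exercised offline)."""
    req = urllib.request.Request(
        f"{GRAPH_V1}/{path}", data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_policy_with_approval(ACCESS_PACKAGE_ID, APPROVER_USER_ID)
    policy["id"] = "policy-placeholder"  # a real id comes back from the POST
    request = build_assignment_request(REQUESTOR_USER_ID, policy["id"], ACCESS_PACKAGE_ID)
    print("pre-flight problems:", preflight(request, policy) or "none")
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        print(post_json("assignmentRequests", request, token))
    else:
        print(json.dumps(request, indent=2))
```

The pre-flight is the check a practitioner wants before wiring this into a workflow: it rejects the exact payload from the question (an unsupported `requestApprovalSettings` on the request), rejects the "adminAdd" path the second answer found bypasses approval, and confirms the referenced policy actually has an approval stage, so a misconfigured policy cannot turn the automation into a silent direct-assignment channel.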
