UserAdd onbehalf permission graphAPI accessPackageAssignmentRequests

Prasuna kakani 6 Reputation points
2021-07-07T12:14:19.627+00:00

I have tried graph api https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests

however Admin Add is working with Client credentails flow,
I want the UserADD requestType to be performed so that approval process should go as usual and this needs to be executed on hehalf using a service prinicpal or so.
Can any one help here.

This is my request body

{
"requestType": "UserAdd",
"accessPackageAssignment":{
"targetId":"",
"assignmentPolicyId":"",
"accessPackageId":""
},
"justification":""
}

I am getting error when i try to go in that direction,

{
"error": {
"code": "",
"message": "[{\"Code\":\"PolicyOnBehalfCheckFailed\",\"Detail\":\"Policy with this request does not allow the requested target.\"}]",
"innerError": {
"date": "2021-07-07T11:54:09",
"request-id": "",
"client-request-id": ""
}
}
}

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,024 questions
Microsoft Entra
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 91,276 Reputation points MVP
    2021-07-07T12:46:27.077+00:00

    If you are using the same policyId it wont work, as you cannot have the same policy configured for both user assignments and admin assignments. You'll need to create a new policy for the same Access package with the corresponding setting.