Working with the Azure AD entitlement management API
Azure Active Directory (Azure AD) entitlement management can help you manage access to groups, applications, and SharePoint Online sites for internal users as well as users outside your organization.
By creating access packages with the roles users need to have across those resources, and defining policies for who can request an access package and how long they can have an assignment to an access package, you can govern the lifecycle of access for both internal and external users.
The entitlement management resource types include:
- accessPackage: Defines the collections of resource roles and the policies for how one or more users may obtain access to those resources.
- accessPackageAssignmentPolicy: Specifies the policy by which subjects may request or be assigned an access package via an access package assignment.
- accessPackageAssignmentRequest: Created by a user who wishes to obtain an access package assignment.
- accessPackageAssignment: An assignment of an access package to a particular subject, for a period of time.
- accessPackageCatalog: A container for access packages.
- accessPackageResource: A reference to a resource associated with an access package catalog.
- accessPackageResourceRequest: A request to add a resource to an access package catalog.
- accessPackageResourceEnvironment: A reference to the geolocation of the resource. Applicable to Multi-Geo SharePoint Online sites.
- connectedOrganization: A connected organization for external users who can request access.
- entitlementManagementSettings: Tenant-wide settings for Azure AD entitlement management.
- approval: Represents the decisions associated with an access package request.
In addition, you can manage role assignments for users, groups of users, and service principals to entitlement management-specific roles through entitlement management role definitions.
The tenant where entitlement management is being used must have sufficient purchased or trial licenses. For more information about license requirements for the entitlement management feature, see Entitlement management license requirements.
The following table lists the methods that you can use to interact with entitlement management-related resources.
| Method | Return type | Description |
|---|---|---|
| Get | entitlementManagementSettings | Read the properties of an entitlementManagementSettings object. |
| Update | entitlementManagementSettings | Update the properties of an entitlementManagementSettings object. |
| List accessPackages | accessPackage collection | Retrieve a list of accessPackage objects. |
| Create accessPackage | accessPackage | Create a new accessPackage object. |
| Get accessPackage | accessPackage | Read properties and relationships of an accessPackage object. |
| Update accessPackage | None | Update the properties of an accessPackage object. |
| Delete accessPackage | None | Delete an accessPackage. |
| List incompatibleAccessPackages | accessPackage collection | Retrieve a list of the incompatible accessPackage objects for this access package. |
| Add accessPackage to incompatibleAccessPackages | None | Add a link to indicate that another accessPackage is incompatible with a specified access package. |
| Remove accessPackage from incompatibleAccessPackages | None | Remove a link that indicated an accessPackage was incompatible. |
| List incompatibleGroups | group collection | Retrieve a list of the incompatible group objects for this access package. |
| Add group to incompatibleGroups | None | Add a link to indicate that membership of a group is incompatible with a specified access package. |
| Remove group from incompatibleGroups | None | Remove a link that indicated a group membership was incompatible. |
| List accessPackagesIncompatibleWith | accessPackage collection | Retrieve a list of the accessPackage objects that list this access package as incompatible. |
| FilterByCurrentUser | accessPackage collection | Retrieve a list of accessPackage objects filtered on the signed-in user. |
| List accessPackageAssignmentRequests | accessPackageAssignmentRequest collection | Retrieve a list of accessPackageAssignmentRequest objects. |
| Create accessPackageAssignmentRequest | accessPackageAssignmentRequest | Create a new accessPackageAssignmentRequest object. |
| Get accessPackageAssignmentRequest | accessPackageAssignmentRequest | Read properties and relationships of an accessPackageAssignmentRequest object. |
| Delete accessPackageAssignmentRequest | None | Delete an accessPackageAssignmentRequest. |
| FilterByCurrentUser | accessPackageAssignmentRequest collection | Retrieve the list of accessPackageAssignmentRequest objects filtered on the signed-in user. |
| cancel | accessPackageAssignmentRequest collection | Cancel an accessPackageAssignmentRequest object that is in a cancellable state. |
| List accessPackageAssignments | accessPackageAssignment collection | Retrieve a list of accessPackageAssignment objects. |
| Get accessPackageAssignment | accessPackageAssignment | Retrieve an accessPackageAssignment object. |
| FilterByCurrentUser | accessPackageAssignment collection | Retrieve the list of accessPackageAssignment objects filtered on the signed-in user. |
| List accessPackageCatalogs | accessPackageCatalog collection | Retrieve a list of accessPackageCatalog objects. |
| Create accessPackageCatalog | accessPackageCatalog | Create a new accessPackageCatalog object. |
| Get accessPackageCatalog | accessPackageCatalog | Read properties and relationships of an accessPackageCatalog object. |
| Update accessPackageCatalog | None | Update the properties of an accessPackageCatalog object. |
| Delete accessPackageCatalog | None | Delete an accessPackageCatalog. |
| List accessPackageAssignmentPolicies | accessPackageAssignmentPolicy collection | Get a list of the accessPackageAssignmentPolicy objects and their properties. |
| Create accessPackageAssignmentPolicy | accessPackageAssignmentPolicy | Create a new accessPackageAssignmentPolicy object. |
| Get accessPackageAssignmentPolicy | accessPackageAssignmentPolicy | Read the properties and relationships of an accessPackageAssignmentPolicy object. |
| Update accessPackageAssignmentPolicy | accessPackageAssignmentPolicy | Update the properties of an accessPackageAssignmentPolicy object. |
| Delete accessPackageAssignmentPolicy | None | Delete an accessPackageAssignmentPolicy object. |
| List connectedOrganizations | connectedOrganization collection | Retrieve a list of connectedOrganization objects. |
| Create connectedOrganization | connectedOrganization | Create a new connectedOrganization object. |
| Get connectedOrganization | connectedOrganization | Read properties and relationships of a connectedOrganization object. |
| Update connectedOrganization | None | Update a connectedOrganization. |
| Delete connectedOrganization | None | Delete a connectedOrganization. |
| List internalSponsors | directoryObject collection | Retrieve a list of a connectedOrganization's internal sponsors. |
| List externalSponsors | directoryObject collection | Retrieve a list of a connectedOrganization's external sponsors. |
| Add internalSponsors | None | Add a user or group to a connectedOrganization's internal sponsors. |
| Add externalSponsors | None | Add a user or group to a connectedOrganization's external sponsors. |
| Remove internalSponsors | None | Remove a user or group from a connectedOrganization's internal sponsors. |
| Remove externalSponsors | None | Remove a user or group from a connectedOrganization's external sponsors. |
| Get approval | approval | Retrieve the properties of an approval object. |
| filterByCurrentUser | approval collection | Retrieve the approval objects for an approver. |
| List approvalStages | approvalStage collection | List the approvalStage objects associated with an approval object. |
| Get approvalStage | approvalStage | Retrieve the properties of an approvalStage object. |
| Update approvalStage | None | Apply an approve or deny decision to an approvalStage object. |
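The incompatibleAccessPackages and accessPackageAssignments methods above give a governance team the raw material for a separation-of-duties check: which subjects currently hold two packages that were declared mutually incompatible. The following is an added example, not Microsoft's or the Graph SDK's code; it runs over constructed payloads shaped like those two responses, and the property names it reads (id, accessPackageId, target.objectId, assignmentState) are assumptions to confirm against your tenant's actual responses.

```python
# Added example, not Microsoft's code: a separation-of-duties audit over the JSON
# returned by "List incompatibleAccessPackages" and "List accessPackageAssignments".
# Payloads are constructed; property names (id, accessPackageId, target.objectId,
# assignmentState) follow the beta API but verify them against real responses.
from itertools import combinations

# Constructed: .../accessPackages/{id}/incompatibleAccessPackages, keyed by the
# package on which the incompatibility link was declared.
INCOMPATIBLE = {
    "pkg-ap-clerk": [{"id": "pkg-ap-approver", "displayName": "AP approver"}],
    "pkg-prod-deploy": [{"id": "pkg-prod-audit", "displayName": "Prod auditor"}],
}

# Constructed: the "value" array of .../accessPackageAssignments.
ASSIGNMENTS = [
    {"id": "a1", "accessPackageId": "pkg-ap-clerk", "assignmentState": "Delivered",
     "target": {"objectId": "u-alice"}},
    {"id": "a2", "accessPackageId": "pkg-ap-approver", "assignmentState": "Delivered",
     "target": {"objectId": "u-alice"}},
    {"id": "a3", "accessPackageId": "pkg-prod-deploy", "assignmentState": "Delivered",
     "target": {"objectId": "u-bob"}},
    # An expired assignment no longer grants access and must not count as a conflict.
    {"id": "a4", "accessPackageId": "pkg-prod-audit", "assignmentState": "Expired",
     "target": {"objectId": "u-bob"}},
]


def incompatible_pairs(links):
    """Turn the one-directional links into a symmetric set of unordered pairs.
    The link is declared on one package; the reverse side is only visible via
    "List accessPackagesIncompatibleWith", so both orderings must match."""
    return {frozenset((src, t["id"])) for src, targets in links.items() for t in targets}


def find_sod_violations(assignments, links):
    """Return sorted (subjectId, packageA, packageB) tuples for every subject
    holding two packages declared incompatible. Only 'Delivered' assignments
    grant access, so assignments in any other state are ignored."""
    held = {}
    for a in assignments:
        if a.get("assignmentState") == "Delivered":
            held.setdefault(a["target"]["objectId"], set()).add(a["accessPackageId"])
    pairs = incompatible_pairs(links)
    return sorted(
        (subject, p, q)
        for subject, pkgs in held.items()
        for p, q in combinations(sorted(pkgs), 2)
        if frozenset((p, q)) in pairs
    )
```

In a tenant with many packages, fetch the incompatibility links for every package in the catalog (or use "List accessPackagesIncompatibleWith" from the other side) before building the pair set, otherwise a link declared only on a package you skipped is missed.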
Other types referenced by these resources:
- subjectSet: Has the subtypes singleUser, groupMembers, connectedOrganizationMembers, requestorManager, internalSponsors, and externalSponsors.
- accessPackageSubject: Used in the accessPackageAssignment as the subject user who has an access package assignment.
- identitySource: Used in the connectedOrganization; one of azureActiveDirectoryTenant, domainIdentitySource, or externalDomainFederation.

See also:
- What is Azure AD entitlement management?