Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Create a role assignment request to represent the operation you want on a role assignment. The following table lists the operations.
| Operation | Type |
|---|---|
| Assign a role assignment | AdminAdd |
| Activate an eligible role assignment | UserAdd |
| Deactivate an activated role assignment | UserRemove |
| Remove a role assignment | AdminRemove |
| Update a role assignment | AdminUpdate |
| Request to extend my role assignment | UserExtend |
| Extend a role assignment | AdminExtend |
| Request to renew my expired role assignment | UserRenew |
| Renew an expired role assignment | AdminRenew |
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ❌ |
Permissions
The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|---|---|---|---|
| Microsoft Entra ID | PrivilegedAccess.ReadWrite.AzureAD | Not supported. | Not supported. |
| Azure resources | PrivilegedAccess.ReadWrite.AzureResources | Not supported. | Not supported. |
| group | PrivilegedAccess.ReadWrite.AzureADGroup | Not supported. | Not supported. |
HTTP request
POST /privilegedAccess/azureResources/roleAssignmentRequests
Request body
In the request body, supply a JSON representation of a governanceRoleAssignmentRequest object.
| Property | Type | Description |
|---|---|---|
| resourceId | String | Unique identifier of the Azure resource that is associated with the role assignment request. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases. Required. |
| roleDefinitionId | String | Identifier of the Azure role definition that the role assignment request is associated with. Required. |
| subjectId | String | Unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals. Required. |
| assignmentState | String | The state of the assignment. The value can be Eligible and Active. Required. |
| type | String | The request type. The value can be AdminAdd, UserAdd, AdminUpdate, AdminRemove, UserRemove, UserExtend, UserRenew, AdminRenew and AdminExtend. Required. |
| reason | String | The reason must be provided for the role assignment request for audit and review purposes. |
| schedule | governanceSchedule | The schedule of the role assignment request. For request types UserAdd, AdminAdd, AdminUpdate and AdminExtend, it is required. |
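One way to check a request body against the property table above before it is sent, as an added example (not Microsoft's code). The name validate_request, exact-case matching of the listed values, and the warning on an empty reason are assumptions of this example; the two passing bodies are the request bodies of Example 1 and Example 4 on this page, and the failing one is constructed.

```python
# Added example: pre-flight check of a governanceRoleAssignmentRequest body
# against the property table on this page. Helper names are hypothetical.

REQUIRED = ("resourceId", "roleDefinitionId", "subjectId", "assignmentState", "type")
ASSIGNMENT_STATES = {"Eligible", "Active"}
REQUEST_TYPES = {
    "AdminAdd", "UserAdd", "AdminUpdate", "AdminRemove", "UserRemove",
    "UserExtend", "UserRenew", "AdminRenew", "AdminExtend",
}
# Request types for which the table says a schedule is required.
SCHEDULE_REQUIRED_FOR = {"UserAdd", "AdminAdd", "AdminUpdate", "AdminExtend"}


def validate_request(body):
    """Return (errors, warnings) for a request body given as a dict."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"], []
    errors, warnings = [], []

    # Every property marked "Required" must be a non-empty string.
    for name in REQUIRED:
        value = body.get(name)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{name}: required string is missing or empty")

    state = body.get("assignmentState")
    if isinstance(state, str) and state.strip() and state not in ASSIGNMENT_STATES:
        errors.append(f"assignmentState: {state!r} is not Eligible or Active")

    req_type = body.get("type")
    if isinstance(req_type, str) and req_type.strip() and req_type not in REQUEST_TYPES:
        errors.append(f"type: {req_type!r} is not a listed request type")

    schedule = body.get("schedule")
    if schedule is not None and not isinstance(schedule, dict):
        errors.append("schedule: must be a governanceSchedule object")
    elif schedule is None and isinstance(req_type, str) and req_type in SCHEDULE_REQUIRED_FOR:
        errors.append(f"schedule: required for request type {req_type}")

    # Assumption: an empty reason is reported as a warning, not an error,
    # because the examples say it depends on the role settings.
    reason = body.get("reason")
    if not isinstance(reason, str) or not reason.strip():
        warnings.append("reason: empty, the request will carry no justification for audit")

    return errors, warnings


# Request body of Example 1 on this page (AdminAdd with a schedule).
EXAMPLE_1_ADMIN_ADD = {
    "roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
    "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
    "assignmentState": "Eligible",
    "type": "AdminAdd",
    "reason": "Assign an eligible role",
    "schedule": {
        "startDateTime": "2018-05-12T23:37:43.356Z",
        "endDateTime": "2018-11-08T23:37:43.356Z",
        "type": "Once",
    },
}

# Request body of Example 4 on this page (AdminRemove, no reason, no schedule).
EXAMPLE_4_ADMIN_REMOVE = {
    "roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
    "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
    "assignmentState": "Eligible",
    "type": "AdminRemove",
}

# Constructed body: empty subjectId, unknown state, UserAdd without a schedule.
CONSTRUCTED_BAD = {
    "roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
    "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    "subjectId": "",
    "assignmentState": "Permanent",
    "type": "UserAdd",
    "reason": "constructed sample",
}

if __name__ == "__main__":
    for label, body in (("example 1", EXAMPLE_1_ADMIN_ADD),
                        ("example 4", EXAMPLE_4_ADMIN_REMOVE),
                        ("constructed", CONSTRUCTED_BAD)):
        print(label, validate_request(body))
```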
Response
If successful, this method returns a 201 Created response code and a governanceRoleAssignmentRequest object in the response body.
Error codes
This API returns the standard HTTP error codes. In addition, it also returns the error codes listed in the following table.
| Error code | Error message | Details |
|---|---|---|
| 400 BadRequest | RoleNotFound | The roleDefinitionId provided in the request body cannot be found. |
| 400 BadRequest | ResourceIsLocked | The resource provided in the request body is in the Locked state and cannot create role assignment requests. |
| 400 BadRequest | SubjectNotFound | The subjectId provided in the request body cannot be found. |
| 400 BadRequest | PendingRoleAssignmentRequest | A pending governanceRoleAssignmentRequest already exists in the system. |
| 400 BadRequest | RoleAssignmentExists | The governanceRoleAssignment requested to be created already exists in the system. |
| 400 BadRequest | RoleAssignmentDoesNotExist | The governanceRoleAssignment requested to be updated/extended does not exist in the system. |
| 400 BadRequest | RoleAssignmentRequestPolicyValidationFailed | The governanceRoleAssignmentRequest does not meet internal policies and cannot be created. |
Examples
The following examples show how to use this API.
Example 1: Administrator assigns a role to a user
In this example, an administrator assigns the user nawu@contoso.com the Billing Reader role.
Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminAdd |
| reason | String | depends on role settings | |
| schedule | governanceSchedule | Yes | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Eligible",
"type": "AdminAdd",
"reason": "Assign an eligible role",
"schedule": {
"startDateTime": "2018-05-12T23:37:43.356Z",
"endDateTime": "2018-11-08T23:37:43.356Z",
"type": "Once"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Eligible",
Type = "AdminAdd",
Reason = "Assign an eligible role",
Schedule = new GovernanceSchedule
{
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:37:43.356Z"),
EndDateTime = DateTimeOffset.Parse("2018-11-08T23:37:43.356Z"),
Type = "Once",
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
    "context"
    "time"
    msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
    graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
    //other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the values are held in requestType and scheduleType
requestType := "AdminAdd"
requestBody.SetType(&requestType)
reason := "Assign an eligible role"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:37:43.356Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-11-08T23:37:43.356Z")
schedule.SetEndDateTime(&endDateTime)
scheduleType := "Once"
schedule.SetType(&scheduleType)
requestBody.SetSchedule(schedule)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("ea48ad5e-e3b0-4d10-af54-39a45bbfe68d");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminAdd");
governanceRoleAssignmentRequest.setReason("Assign an eligible role");
GovernanceSchedule schedule = new GovernanceSchedule();
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:37:43.356Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-11-08T23:37:43.356Z");
schedule.setEndDateTime(endDateTime);
schedule.setType("Once");
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: 'ea48ad5e-e3b0-4d10-af54-39a45bbfe68d',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Eligible',
type: 'AdminAdd',
reason: 'Assign an eligible role',
schedule: {
startDateTime: '2018-05-12T23:37:43.356Z',
endDateTime: '2018-11-08T23:37:43.356Z',
type: 'Once'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('ea48ad5e-e3b0-4d10-af54-39a45bbfe68d');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminAdd');
$requestBody->setReason('Assign an eligible role');
$schedule = new GovernanceSchedule();
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:37:43.356Z'));
$schedule->setEndDateTime(new \DateTime('2018-11-08T23:37:43.356Z'));
$schedule->setType('Once');
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
assignmentState = "Eligible"
type = "AdminAdd"
reason = "Assign an eligible role"
schedule = @{
startDateTime = [System.DateTime]::Parse("2018-05-12T23:37:43.356Z")
endDateTime = [System.DateTime]::Parse("2018-11-08T23:37:43.356Z")
type = "Once"
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
assignment_state = "Eligible",
type = "AdminAdd",
reason = "Assign an eligible role",
schedule = GovernanceSchedule(
start_date_time = "2018-05-12T23:37:43.356Z",
end_date_time = "2018-11-08T23:37:43.356Z",
type = "Once",
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "1232e4ea-741a-4be5-8044-5edabdd61672",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminAdd",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Evaluate Only",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:37:43.356Z",
"endDateTime": "2018-11-08T23:37:43.356Z",
"duration": "PT0S"
}
}
Example 2: User activates an eligible role
In this example, the user nawu@contoso.com activates the eligible Billing Reader role.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Active |
| type | String | Yes | UserAdd |
| reason | String | depends on role settings | |
| schedule | governanceSchedule | Yes | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Active",
"type": "UserAdd",
"reason": "Activate the owner role",
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:28:43.537Z",
"duration": "PT9H"
},
"linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Active",
Type = "UserAdd",
Reason = "Activate the owner role",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:28:43.537Z"),
Duration = TimeSpan.FromHours(9), // PT9H; TimeSpan.Parse does not accept ISO 8601 durations
},
LinkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
    "context"
    "time"
    msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
    graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
    //other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "8b4d1d51-08e9-4254-b0a6-b16177aae376"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the values are held in requestType and scheduleType
requestType := "UserAdd"
requestBody.SetType(&requestType)
reason := "Activate the owner role"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:28:43.537Z")
schedule.SetStartDateTime(&startDateTime)
duration, err := abstractions.ParseISODuration("PT9H")
schedule.SetDuration(&duration)
requestBody.SetSchedule(schedule)
linkedEligibleRoleAssignmentId := "e327f4be-42a0-47a2-8579-0a39b025b394"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("8b4d1d51-08e9-4254-b0a6-b16177aae376");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserAdd");
governanceRoleAssignmentRequest.setReason("Activate the owner role");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:28:43.537Z");
schedule.setStartDateTime(startDateTime);
PeriodAndDuration duration = PeriodAndDuration.ofDuration(Duration.parse("PT9H"));
schedule.setDuration(duration);
governanceRoleAssignmentRequest.setSchedule(schedule);
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("e327f4be-42a0-47a2-8579-0a39b025b394");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '8b4d1d51-08e9-4254-b0a6-b16177aae376',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Active',
type: 'UserAdd',
reason: 'Activate the owner role',
schedule: {
type: 'Once',
startDateTime: '2018-05-12T23:28:43.537Z',
duration: 'PT9H'
},
linkedEligibleRoleAssignmentId: 'e327f4be-42a0-47a2-8579-0a39b025b394'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('8b4d1d51-08e9-4254-b0a6-b16177aae376');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserAdd');
$requestBody->setReason('Activate the owner role');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:28:43.537Z'));
$schedule->setDuration(new \DateInterval('PT9H'));
$requestBody->setSchedule($schedule);
$requestBody->setLinkedEligibleRoleAssignmentId('e327f4be-42a0-47a2-8579-0a39b025b394');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
assignmentState = "Active"
type = "UserAdd"
reason = "Activate the owner role"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-05-12T23:28:43.537Z")
duration = "PT9H"
}
linkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
assignment_state = "Active",
type = "UserAdd",
reason = "Activate the owner role",
schedule = GovernanceSchedule(
type = "Once",
start_date_time = "2018-05-12T23:28:43.537Z",
duration = "PT9H",
),
linked_eligible_role_assignment_id = "e327f4be-42a0-47a2-8579-0a39b025b394",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "3ad49a7c-918e-4d86-9f84-fab28f8658c0",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394",
"type": "UserAdd",
"assignmentState": "Active",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Activate the owner role",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "EligibilityRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
},
{
"key": "JustificationRule",
"value": "Grant"
},
{
"key": "ActivationDayRule",
"value": "Grant"
},
{
"key": "ApprovalRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:28:43.537Z",
"endDateTime": "0001-01-01T00:00:00Z",
"duration": "PT9H"
}
}
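For review of what a request actually produced, the following added example (not Microsoft's code) summarizes a response: request status, which policy rules were evaluated, and when the assignment window ends. The function names are hypothetical; treating 0001-01-01T00:00:00Z and PT0S as "unset" and any statusDetails value other than Grant as "not granted" are assumptions inferred from the sample responses on this page, two of which (Example 2 and Example 3) are embedded in trimmed form.

```python
# Added example: summarize a governanceRoleAssignmentRequest response for review.
import re
from datetime import datetime, timedelta

# Assumption: the sample responses use this value for a date-time that is not set.
UNSET = "0001-01-01T00:00:00Z"
_DURATION = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")


def parse_duration(text):
    """Parse the day/time subset of ISO 8601 durations (PT9H, P1DT30M, PT0S)."""
    match = _DURATION.match(text or "")
    if not match or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (float(g) if g else 0.0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_time(text):
    """Parse a UTC timestamp such as 2018-05-12T23:28:43.537Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def effective_end(schedule):
    """End of the assignment window, or None when the schedule carries none."""
    if not schedule:
        return None
    end = schedule.get("endDateTime")
    if end and end != UNSET:
        return parse_time(end)
    duration = parse_duration(schedule.get("duration") or "PT0S")
    start = schedule.get("startDateTime")
    if duration and start and start != UNSET:
        return parse_time(start) + duration
    return None


def summarize(response):
    """Collect the fields a reviewer needs from one response object."""
    status = response.get("status") or {}
    details = status.get("statusDetails") or []
    return {
        "id": response.get("id"),
        "type": response.get("type"),
        "assignmentState": response.get("assignmentState"),
        "status": status.get("status"),
        "subStatus": status.get("subStatus"),
        "rules_evaluated": [d.get("key") for d in details],
        # Assumption: anything other than "Grant" means the rule did not pass.
        "rules_not_granted": [d.get("key") for d in details if d.get("value") != "Grant"],
        "effective_end": effective_end(response.get("schedule")),
    }


# Trimmed copy of the Example 2 response on this page (UserAdd activation).
EXAMPLE_2_RESPONSE = {
    "id": "3ad49a7c-918e-4d86-9f84-fab28f8658c0",
    "type": "UserAdd",
    "assignmentState": "Active",
    "status": {
        "status": "InProgress",
        "subStatus": "Granted",
        "statusDetails": [
            {"key": "EligibilityRule", "value": "Grant"},
            {"key": "ExpirationRule", "value": "Grant"},
            {"key": "MfaRule", "value": "Grant"},
            {"key": "JustificationRule", "value": "Grant"},
            {"key": "ActivationDayRule", "value": "Grant"},
            {"key": "ApprovalRule", "value": "Grant"},
        ],
    },
    "schedule": {
        "type": "Once",
        "startDateTime": "2018-05-12T23:28:43.537Z",
        "endDateTime": "0001-01-01T00:00:00Z",
        "duration": "PT9H",
    },
}

# Trimmed copy of the Example 3 response on this page (UserRemove deactivation).
EXAMPLE_3_RESPONSE = {
    "id": "abfcdb57-8e5d-42a0-ae67-7598b96fddb1",
    "type": "UserRemove",
    "assignmentState": "Active",
    "schedule": None,
    "status": {"status": "Closed", "subStatus": "Revoked", "statusDetails": []},
}

if __name__ == "__main__":
    for sample in (EXAMPLE_2_RESPONSE, EXAMPLE_3_RESPONSE):
        print(summarize(sample))
```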
Example 3: User deactivates an assigned role
In this example, the user nawu@contoso.com deactivates the active Billing Reader role.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Active |
| type | String | Yes | UserRemove |
| reason | String | No | |
| schedule | governanceSchedule | No | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
"resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"assignmentState": "Active",
"type": "UserRemove",
"reason": "Deactivate the role",
"linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
ResourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
AssignmentState = "Active",
Type = "UserRemove",
Reason = "Deactivate the role",
LinkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
    "context"
    msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
    graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
    //other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "bc75b4e6-7403-4243-bf2f-d1f6990be122"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the value is held in requestType
requestType := "UserRemove"
requestBody.SetType(&requestType)
reason := "Deactivate the role"
requestBody.SetReason(&reason)
linkedEligibleRoleAssignmentId := "cb8a533e-02d5-42ad-8499-916b1e4822ec"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("bc75b4e6-7403-4243-bf2f-d1f6990be122");
governanceRoleAssignmentRequest.setResourceId("fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserRemove");
governanceRoleAssignmentRequest.setReason("Deactivate the role");
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("cb8a533e-02d5-42ad-8499-916b1e4822ec");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: 'bc75b4e6-7403-4243-bf2f-d1f6990be122',
resourceId: 'fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735',
subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
assignmentState: 'Active',
type: 'UserRemove',
reason: 'Deactivate the role',
linkedEligibleRoleAssignmentId: 'cb8a533e-02d5-42ad-8499-916b1e4822ec'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('bc75b4e6-7403-4243-bf2f-d1f6990be122');
$requestBody->setResourceId('fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserRemove');
$requestBody->setReason('Deactivate the role');
$requestBody->setLinkedEligibleRoleAssignmentId('cb8a533e-02d5-42ad-8499-916b1e4822ec');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122"
resourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
assignmentState = "Active"
type = "UserRemove"
reason = "Deactivate the role"
linkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
resource_id = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
assignment_state = "Active",
type = "UserRemove",
reason = "Deactivate the role",
linked_eligible_role_assignment_id = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "abfcdb57-8e5d-42a0-ae67-7598b96fddb1",
"resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
"roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
"subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
"linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec",
"type": "UserRemove",
"assignmentState": "Active",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "Evaluate only",
"schedule": null,
"status": {
"status": "Closed",
"subStatus": "Revoked",
"statusDetails": []
}
}
Example 4: Administrator removes a user from a role
In this example, an administrator removes the user nawu@contoso.com from the Billing Reader role.
Note: In addition to the permission, this example requires that the requester have at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminRemove |
| reason | String | No | |
| schedule | governanceSchedule | No | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"assignmentState": "Eligible",
"type": "AdminRemove"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
AssignmentState = "Eligible",
Type = "AdminRemove",
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "65bb4622-61f5-4f25-9d75-d0e20cf92019"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the variable uses another name
requestType := "AdminRemove"
requestBody.SetType(&requestType)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("65bb4622-61f5-4f25-9d75-d0e20cf92019");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminRemove");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '65bb4622-61f5-4f25-9d75-d0e20cf92019',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
assignmentState: 'Eligible',
type: 'AdminRemove'
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('65bb4622-61f5-4f25-9d75-d0e20cf92019');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminRemove');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
assignmentState = "Eligible"
type = "AdminRemove"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
assignment_state = "Eligible",
type = "AdminRemove",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "c934fcb9-cf53-42ac-a8b4-6246f6726299",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminRemove",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": null,
"status": {
"status": "Closed",
"subStatus": "Revoked",
"statusDetails": []
},
"schedule": null
}
Example 5: Administrator updates role assignment
In this example, administrators update the role assignment for the user nawu@contoso.com to Owner.
Note: In addition to the permission, this example requires that the requestor has at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminUpdate |
| reason | String | Depends on roleSettings | |
| schedule | governanceSchedule | Yes | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
"assignmentState": "Eligible",
"type": "AdminUpdate",
"schedule": {
"type": "Once",
"startDateTime": "2018-03-08T05:42:45.317Z",
"endDateTime": "2018-06-05T05:42:31.000Z"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "1566d11d-d2b6-444a-a8de-28698682c445",
AssignmentState = "Eligible",
Type = "AdminUpdate",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-03-08T05:42:45.317Z"),
EndDateTime = DateTimeOffset.Parse("2018-06-05T05:42:31.000Z"),
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "70521f3e-3b95-4e51-b4d2-a2f485b02103"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "1566d11d-d2b6-444a-a8de-28698682c445"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the variables use other names
requestType := "AdminUpdate"
requestBody.SetType(&requestType)
schedule := graphmodels.NewGovernanceSchedule()
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-03-08T05:42:45.317Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-06-05T05:42:31.000Z")
schedule.SetEndDateTime(&endDateTime)
requestBody.SetSchedule(schedule)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("70521f3e-3b95-4e51-b4d2-a2f485b02103");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("1566d11d-d2b6-444a-a8de-28698682c445");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminUpdate");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-03-08T05:42:45.317Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-06-05T05:42:31.000Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '70521f3e-3b95-4e51-b4d2-a2f485b02103',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '1566d11d-d2b6-444a-a8de-28698682c445',
assignmentState: 'Eligible',
type: 'AdminUpdate',
schedule: {
type: 'Once',
startDateTime: '2018-03-08T05:42:45.317Z',
endDateTime: '2018-06-05T05:42:31.000Z'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('70521f3e-3b95-4e51-b4d2-a2f485b02103');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('1566d11d-d2b6-444a-a8de-28698682c445');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminUpdate');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-03-08T05:42:45.317Z'));
$schedule->setEndDateTime(new \DateTime('2018-06-05T05:42:31.000Z'));
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "1566d11d-d2b6-444a-a8de-28698682c445"
assignmentState = "Eligible"
type = "AdminUpdate"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-03-08T05:42:45.317Z")
endDateTime = [System.DateTime]::Parse("2018-06-05T05:42:31.000Z")
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
from datetime import datetime
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "1566d11d-d2b6-444a-a8de-28698682c445",
assignment_state = "Eligible",
type = "AdminUpdate",
schedule = GovernanceSchedule(
type = "Once",
# The model types these fields as datetime, so pass datetime objects
start_date_time = datetime.fromisoformat("2018-03-08T05:42:45.317+00:00"),
end_date_time = datetime.fromisoformat("2018-06-05T05:42:31.000+00:00"),
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "4f6d4802-b3ac-4f5a-86d7-a6a4edd7d383",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminUpdate",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": null,
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-03-08T05:42:45.317Z",
"endDateTime": "2018-06-05T05:42:31Z",
"duration": "PT0S"
}
}
Example 6: Administrator extends expiring role assignment
This example extends the expiring role assignment for user ANUJCUSER to API Management Service Contributor.
Note: In addition to the permission, this example requires that the requestor has at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminExtend |
| reason | String | Depends on roleSettings | |
| schedule | governanceSchedule | Yes | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"assignmentState": "Eligible",
"type": "AdminExtend",
"reason": "extend role assignment",
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:53:55.327Z",
"endDateTime": "2018-08-10T23:53:55.327Z"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
AssignmentState = "Eligible",
Type = "AdminExtend",
Reason = "extend role assignment",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:53:55.327Z"),
EndDateTime = DateTimeOffset.Parse("2018-08-10T23:53:55.327Z"),
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "0e88fd18-50f5-4ee1-9104-01c3ed910065"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the variables use other names
requestType := "AdminExtend"
requestBody.SetType(&requestType)
reason := "extend role assignment"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:53:55.327Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-08-10T23:53:55.327Z")
schedule.SetEndDateTime(&endDateTime)
requestBody.SetSchedule(schedule)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("0e88fd18-50f5-4ee1-9104-01c3ed910065");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminExtend");
governanceRoleAssignmentRequest.setReason("extend role assignment");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:53:55.327Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-08-10T23:53:55.327Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '0e88fd18-50f5-4ee1-9104-01c3ed910065',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
assignmentState: 'Eligible',
type: 'AdminExtend',
reason: 'extend role assignment',
schedule: {
type: 'Once',
startDateTime: '2018-05-12T23:53:55.327Z',
endDateTime: '2018-08-10T23:53:55.327Z'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('0e88fd18-50f5-4ee1-9104-01c3ed910065');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminExtend');
$requestBody->setReason('extend role assignment');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:53:55.327Z'));
$schedule->setEndDateTime(new \DateTime('2018-08-10T23:53:55.327Z'));
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
assignmentState = "Eligible"
type = "AdminExtend"
reason = "extend role assignment"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-05-12T23:53:55.327Z")
endDateTime = [System.DateTime]::Parse("2018-08-10T23:53:55.327Z")
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
from datetime import datetime
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
assignment_state = "Eligible",
type = "AdminExtend",
reason = "extend role assignment",
schedule = GovernanceSchedule(
type = "Once",
# The model types these fields as datetime, so pass datetime objects
start_date_time = datetime.fromisoformat("2018-05-12T23:53:55.327+00:00"),
end_date_time = datetime.fromisoformat("2018-08-10T23:53:55.327+00:00"),
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "486f0c05-47c8-4498-9c06-086a78c83004",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminExtend",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "extend role assignment",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:53:55.327Z",
"endDateTime": "2018-08-10T23:53:55.327Z",
"duration": "PT0S"
}
}
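The responses in Examples 4 to 6 carry the outcome in `status` and `subStatus`, the per-rule results in `statusDetails`, and the assignment window in `schedule`. The Python function below is an added example, not part of the original page or of the Microsoft Graph SDK; it summarises such a response for an access review. The names `triage`, `max_window` and `require_reason`, and the reading of any rule value other than `Grant` as not passed, are assumptions of this example.

```python
import json
from datetime import datetime, timedelta

# Request types whose property tables on this page mark `schedule` as required.
SCHEDULE_REQUIRED = {"AdminUpdate", "AdminExtend"}

# Responses from Examples 4 and 5 on this page, trimmed to the fields read below.
EXAMPLE_4 = json.loads("""{
  "id": "c934fcb9-cf53-42ac-a8b4-6246f6726299",
  "type": "AdminRemove", "assignmentState": "Eligible", "reason": null,
  "status": {"status": "Closed", "subStatus": "Revoked", "statusDetails": []},
  "schedule": null
}""")
EXAMPLE_5 = json.loads("""{
  "id": "4f6d4802-b3ac-4f5a-86d7-a6a4edd7d383",
  "type": "AdminUpdate", "assignmentState": "Eligible", "reason": null,
  "status": {"status": "InProgress", "subStatus": "Granted", "statusDetails": [
    {"key": "AdminRequestRule", "value": "Grant"},
    {"key": "ExpirationRule", "value": "Grant"},
    {"key": "MfaRule", "value": "Grant"}]},
  "schedule": {"type": "Once", "startDateTime": "2018-03-08T05:42:45.317Z",
               "endDateTime": "2018-06-05T05:42:31Z", "duration": "PT0S"}
}""")


def parse_utc(value):
    """Parse the UTC timestamps used in the responses, with or without milliseconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(response, max_window=timedelta(days=90), require_reason=False):
    """Summarise one governanceRoleAssignmentRequest response for review."""
    status = response.get("status") or {}
    rules = {d["key"]: d["value"] for d in status.get("statusDetails") or []}
    findings = []

    # Assumption: any rule value other than "Grant" means the rule did not pass.
    not_granted = sorted(k for k, v in rules.items() if v != "Grant")
    if not_granted:
        findings.append("rules not granted: " + ", ".join(not_granted))

    schedule = response.get("schedule") or {}
    start, end = schedule.get("startDateTime"), schedule.get("endDateTime")
    window = None
    if start and end:
        # The examples return duration "PT0S", so derive the window from the dates.
        window = parse_utc(end) - parse_utc(start)
        if window <= timedelta(0):
            findings.append("schedule does not end after it starts")
        elif window > max_window:
            findings.append(f"window of {window.days} days exceeds {max_window.days}")
    elif response.get("type") in SCHEDULE_REQUIRED:
        findings.append("schedule with start and end is missing")

    # Reviewer policy (assumption): admin operations should record a justification.
    if require_reason and not response.get("reason"):
        findings.append("no reason recorded")

    return {
        "id": response.get("id"),
        "type": response.get("type"),
        "outcome": f"{status.get('status')}/{status.get('subStatus')}",
        "window": window,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (EXAMPLE_4, EXAMPLE_5):
        print(triage(sample, max_window=timedelta(days=30), require_reason=True))
```

Run it over the request objects collected for a resource and review every entry whose `findings` list is not empty.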