Attribuer des rôles privilégiés à l’aide de PIM pour les API de rôles Microsoft Entra

2025-03-25

Privileged Identity Management (PIM) aide les organisations à réduire les risques associés à l’accès privilégié en limitant le moment où l’accès est actif, en gérant l’étendue d’accès et en fournissant un journal d’accès privilégié pouvant être audité. L’accès privilégié est généralement accordé à des fins administratives par le biais de groupes pouvant être attribués à un rôle ou de rôles d’administrateur.

Contoso souhaite déléguer certaines fonctions d’administration en attribuant des rôles Microsoft Entra aux utilisateurs via des groupes de sécurité. L’entreprise attribue l’éligibilité au lieu de rôles privilégiés actifs en permanence. Cette méthode est efficace pour les raisons suivantes :

La suppression ou l’ajout de membres du groupe entraîne également la suppression ou l’ajout d’administrateurs.
Les membres du groupe héritent des attributions de rôles. Vous pouvez attribuer davantage de rôles à un groupe au lieu d’attribuer des rôles directement à des utilisateurs individuels.
L’attribution d’éligibilité au lieu de privilèges actifs persistants applique l’accès juste-à-temps, en accordant des autorisations temporaires pour effectuer des tâches privilégiées. Lorsqu’un membre du groupe a besoin de privilèges, il active temporairement son affectation. Toutes les activations de rôle peuvent être auditables.

Vous pouvez modéliser l’éligibilité aux rôles par le biais de groupes de deux manières :

Accordez à un groupe une attribution de rôle permanente et rendez les principaux éligibles pour le groupe. Dans ce scénario, les membres du groupe activent leur appartenance au groupe pour obtenir des attributions de rôles actives.
Accordez à un groupe une attribution de rôle éligible et faites des principaux des membres permanents du groupe. Dans ce scénario, les membres du groupe activent leurs attributions de rôles pour obtenir des privilèges.

Dans ce tutoriel, vous apprenez à effectuer les opérations suivantes :

Créez un groupe de sécurité pouvant être attribué à un rôle.
Rendre un groupe de sécurité assignable à un rôle éligible pour un rôle privilégié.
Accordez un accès juste-à-temps à un utilisateur en activant son affectation éligible.

Configuration requise

Pour suivre ce didacticiel, vous avez besoin des éléments suivants :

Un locataire Microsoft Entra avec une licence Microsoft Entra ID P2 ou Gouvernance Microsoft Entra ID
Un client API tel que Graph Explorer connecté avec un compte qui a au moins le rôle Administrateur de rôle privilégié
Un utilisateur de test activé pour l’authentification multifacteur avec accès à son application Microsoft Authenticator
Autorisations déléguées :
- Group.ReadWrite.All pour créer le groupe
- RoleManagement.ReadWrite.Directory pour rendre le groupe assignable aux rôles et pour configurer et gérer les attributions de rôles éligibles et actifs. Cette autorisation doit être accordée à tous les utilisateurs du locataire.

Étape 1 : Créer un groupe de sécurité pouvant être attribué à un rôle

Attribuez-vous en tant que propriétaire du groupe et ajoutez-vous-même et l’utilisateur de test en tant que membres.

Demande : Créer un groupe assignable à un rôle

POST https://graph.microsoft.com/v1.0/groups
Content-type: application/json

{
    "description": "IT Helpdesk to support Contoso employees",
    "displayName": "IT Helpdesk (User)",
    "mailEnabled": false,
    "mailNickname": "userHelpdesk",
    "securityEnabled": true,
    "isAssignableToRole": true,
    "owners@odata.bind": [
        "https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6"
    ],
    "members@odata.bind": [
        "https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6",
        "https://graph.microsoft.com/v1.0/users/d9771b4c-06c5-491a-92cb-3aa4e225a725"
    ]
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Group
{
	Description = "IT Helpdesk to support Contoso employees",
	DisplayName = "IT Helpdesk (User)",
	MailEnabled = false,
	MailNickname = "userHelpdesk",
	SecurityEnabled = true,
	IsAssignableToRole = true,
	AdditionalData = new Dictionary<string, object>
	{
		{
			"owners@odata.bind" , new List<string>
			{
				"https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6",
			}
		},
		{
			"members@odata.bind" , new List<string>
			{
				"https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6",
				"https://graph.microsoft.com/v1.0/users/d9771b4c-06c5-491a-92cb-3aa4e225a725",
			}
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Groups.PostAsync(requestBody);



mgc groups create --body '{\
    "description": "IT Helpdesk to support Contoso employees",\
    "displayName": "IT Helpdesk (User)",\
    "mailEnabled": false,\
    "mailNickname": "userHelpdesk",\
    "securityEnabled": true,\
    "isAssignableToRole": true,\
    "owners@odata.bind": [\
        "https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6"\
    ],\
    "members@odata.bind": [\
        "https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6",\
        "https://graph.microsoft.com/v1.0/users/d9771b4c-06c5-491a-92cb-3aa4e225a725"\
    ]\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewGroup()
description := "IT Helpdesk to support Contoso employees"
requestBody.SetDescription(&description) 
displayName := "IT Helpdesk (User)"
requestBody.SetDisplayName(&displayName) 
mailEnabled := false
requestBody.SetMailEnabled(&mailEnabled) 
mailNickname := "userHelpdesk"
requestBody.SetMailNickname(&mailNickname) 
securityEnabled := true
requestBody.SetSecurityEnabled(&securityEnabled) 
isAssignableToRole := true
requestBody.SetIsAssignableToRole(&isAssignableToRole) 
additionalData := map[string]interface{}{
	odataBind := []string {
		"https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6",
	}
	odataBind := []string {
		"https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6",
		"https://graph.microsoft.com/v1.0/users/d9771b4c-06c5-491a-92cb-3aa4e225a725",
	}
}
requestBody.SetAdditionalData(additionalData)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
groups, err := graphClient.Groups().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Group group = new Group();
group.setDescription("IT Helpdesk to support Contoso employees");
group.setDisplayName("IT Helpdesk (User)");
group.setMailEnabled(false);
group.setMailNickname("userHelpdesk");
group.setSecurityEnabled(true);
group.setIsAssignableToRole(true);
HashMap<String, Object> additionalData = new HashMap<String, Object>();
LinkedList<String> ownersOdataBind = new LinkedList<String>();
ownersOdataBind.add("https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6");
additionalData.put("owners@odata.bind", ownersOdataBind);
LinkedList<String> membersOdataBind = new LinkedList<String>();
membersOdataBind.add("https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6");
membersOdataBind.add("https://graph.microsoft.com/v1.0/users/d9771b4c-06c5-491a-92cb-3aa4e225a725");
additionalData.put("members@odata.bind", membersOdataBind);
group.setAdditionalData(additionalData);
Group result = graphClient.groups().post(group);


const options = {
	authProvider,
};

const client = Client.init(options);

const group = {
    description: 'IT Helpdesk to support Contoso employees',
    displayName: 'IT Helpdesk (User)',
    mailEnabled: false,
    mailNickname: 'userHelpdesk',
    securityEnabled: true,
    isAssignableToRole: true,
    'owners@odata.bind': [
        'https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6'
    ],
    'members@odata.bind': [
        'https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6',
        'https://graph.microsoft.com/v1.0/users/d9771b4c-06c5-491a-92cb-3aa4e225a725'
    ]
};

await client.api('/groups')
	.post(group);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Group;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Group();
$requestBody->setDescription('IT Helpdesk to support Contoso employees');
$requestBody->setDisplayName('IT Helpdesk (User)');
$requestBody->setMailEnabled(false);
$requestBody->setMailNickname('userHelpdesk');
$requestBody->setSecurityEnabled(true);
$requestBody->setIsAssignableToRole(true);
$additionalData = [
	'owners@odata.bind' => [
'https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6', ],
	'members@odata.bind' => [
'https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6', 'https://graph.microsoft.com/v1.0/users/d9771b4c-06c5-491a-92cb-3aa4e225a725', ],
];
$requestBody->setAdditionalData($additionalData);

$result = $graphServiceClient->groups()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Groups

$params = @{
	description = "IT Helpdesk to support Contoso employees"
	displayName = "IT Helpdesk (User)"
	mailEnabled = $false
	mailNickname = "userHelpdesk"
	securityEnabled = $true
	isAssignableToRole = $true
	"owners@odata.bind" = @(
	"https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6"
)
"members@odata.bind" = @(
"https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6"
"https://graph.microsoft.com/v1.0/users/d9771b4c-06c5-491a-92cb-3aa4e225a725"
)
}

New-MgGroup -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.group import Group
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Group(
	description = "IT Helpdesk to support Contoso employees",
	display_name = "IT Helpdesk (User)",
	mail_enabled = False,
	mail_nickname = "userHelpdesk",
	security_enabled = True,
	is_assignable_to_role = True,
	additional_data = {
			"owners@odata_bind" : [
				"https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6",
			],
			"members@odata_bind" : [
				"https://graph.microsoft.com/v1.0/users/e2330663-f949-41b5-a3dc-faeb793e14c6",
				"https://graph.microsoft.com/v1.0/users/d9771b4c-06c5-491a-92cb-3aa4e225a725",
			],
	}
)

result = await graph_client.groups.post(request_body)

Réponse

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups/$entity",
    "id": "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",
    "description": "IT Helpdesk to support Contoso employees",
    "displayName": "IT Helpdesk (User)",
    "groupTypes": [],
    "isAssignableToRole": true,
    "mailEnabled": false,
    "mailNickname": "userHelpdesk",
    "securityEnabled": true
}

Étape 2 : Créer une demande unifiedRoleEligibilityScheduleRequest

Affectez le groupe de sécurité comme éligible au rôle Administrateur d’utilisateurs pendant un an. Étendue de l’attribution éligible à l’ensemble de votre locataire. L’étendue au niveau du locataire permet à l’administrateur utilisateur de gérer tous les utilisateurs de votre locataire, à l’exception des utilisateurs disposant de privilèges plus élevés comme les administrateurs généraux.

Demande

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests
Content-type: application/json

{
    "action": "AdminAssign",
    "justification": "Assign User Admin eligibility to IT Helpdesk (User) group",
    "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "directoryScopeId": "/",
    "principalId": "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",
    "scheduleInfo": {
        "startDateTime": "2025-03-21T11:06:00Z",
        "expiration": {
            "endDateTime": "2026-03-21T00:00:00Z",
            "type": "AfterDateTime"
        }
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new UnifiedRoleEligibilityScheduleRequest
{
	Action = UnifiedRoleScheduleRequestActions.AdminAssign,
	Justification = "Assign User Admin eligibility to IT Helpdesk (User) group",
	RoleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1",
	DirectoryScopeId = "/",
	PrincipalId = "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",
	ScheduleInfo = new RequestSchedule
	{
		StartDateTime = DateTimeOffset.Parse("2025-03-21T11:06:00Z"),
		Expiration = new ExpirationPattern
		{
			EndDateTime = DateTimeOffset.Parse("2026-03-21T00:00:00Z"),
			Type = ExpirationPatternType.AfterDateTime,
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleEligibilityScheduleRequests.PostAsync(requestBody);



mgc role-management directory role-eligibility-schedule-requests create --body '{\
    "action": "AdminAssign",\
    "justification": "Assign User Admin eligibility to IT Helpdesk (User) group",\
    "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",\
    "directoryScopeId": "/",\
    "principalId": "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",\
    "scheduleInfo": {\
        "startDateTime": "2025-03-21T11:06:00Z",\
        "expiration": {\
            "endDateTime": "2026-03-21T00:00:00Z",\
            "type": "AfterDateTime"\
        }\
    }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewUnifiedRoleEligibilityScheduleRequest()
action := graphmodels.ADMINASSIGN_UNIFIEDROLESCHEDULEREQUESTACTIONS 
requestBody.SetAction(&action) 
justification := "Assign User Admin eligibility to IT Helpdesk (User) group"
requestBody.SetJustification(&justification) 
roleDefinitionId := "fe930be7-5e62-47db-91af-98c3a49a38b1"
requestBody.SetRoleDefinitionId(&roleDefinitionId) 
directoryScopeId := "/"
requestBody.SetDirectoryScopeId(&directoryScopeId) 
principalId := "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3"
requestBody.SetPrincipalId(&principalId) 
scheduleInfo := graphmodels.NewRequestSchedule()
startDateTime , err := time.Parse(time.RFC3339, "2025-03-21T11:06:00Z")
scheduleInfo.SetStartDateTime(&startDateTime) 
expiration := graphmodels.NewExpirationPattern()
endDateTime , err := time.Parse(time.RFC3339, "2026-03-21T00:00:00Z")
expiration.SetEndDateTime(&endDateTime) 
type := graphmodels.AFTERDATETIME_EXPIRATIONPATTERNTYPE 
expiration.SetType(&type) 
scheduleInfo.SetExpiration(expiration)
requestBody.SetScheduleInfo(scheduleInfo)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleEligibilityScheduleRequests, err := graphClient.RoleManagement().Directory().RoleEligibilityScheduleRequests().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

UnifiedRoleEligibilityScheduleRequest unifiedRoleEligibilityScheduleRequest = new UnifiedRoleEligibilityScheduleRequest();
unifiedRoleEligibilityScheduleRequest.setAction(UnifiedRoleScheduleRequestActions.AdminAssign);
unifiedRoleEligibilityScheduleRequest.setJustification("Assign User Admin eligibility to IT Helpdesk (User) group");
unifiedRoleEligibilityScheduleRequest.setRoleDefinitionId("fe930be7-5e62-47db-91af-98c3a49a38b1");
unifiedRoleEligibilityScheduleRequest.setDirectoryScopeId("/");
unifiedRoleEligibilityScheduleRequest.setPrincipalId("1189bbdd-1268-4a72-8c6d-6fe77d28f2e3");
RequestSchedule scheduleInfo = new RequestSchedule();
OffsetDateTime startDateTime = OffsetDateTime.parse("2025-03-21T11:06:00Z");
scheduleInfo.setStartDateTime(startDateTime);
ExpirationPattern expiration = new ExpirationPattern();
OffsetDateTime endDateTime = OffsetDateTime.parse("2026-03-21T00:00:00Z");
expiration.setEndDateTime(endDateTime);
expiration.setType(ExpirationPatternType.AfterDateTime);
scheduleInfo.setExpiration(expiration);
unifiedRoleEligibilityScheduleRequest.setScheduleInfo(scheduleInfo);
UnifiedRoleEligibilityScheduleRequest result = graphClient.roleManagement().directory().roleEligibilityScheduleRequests().post(unifiedRoleEligibilityScheduleRequest);


const options = {
	authProvider,
};

const client = Client.init(options);

const unifiedRoleEligibilityScheduleRequest = {
    action: 'AdminAssign',
    justification: 'Assign User Admin eligibility to IT Helpdesk (User) group',
    roleDefinitionId: 'fe930be7-5e62-47db-91af-98c3a49a38b1',
    directoryScopeId: '/',
    principalId: '1189bbdd-1268-4a72-8c6d-6fe77d28f2e3',
    scheduleInfo: {
        startDateTime: '2025-03-21T11:06:00Z',
        expiration: {
            endDateTime: '2026-03-21T00:00:00Z',
            type: 'AfterDateTime'
        }
    }
};

await client.api('/roleManagement/directory/roleEligibilityScheduleRequests')
	.post(unifiedRoleEligibilityScheduleRequest);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\UnifiedRoleEligibilityScheduleRequest;
use Microsoft\Graph\Generated\Models\UnifiedRoleScheduleRequestActions;
use Microsoft\Graph\Generated\Models\RequestSchedule;
use Microsoft\Graph\Generated\Models\ExpirationPattern;
use Microsoft\Graph\Generated\Models\ExpirationPatternType;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new UnifiedRoleEligibilityScheduleRequest();
$requestBody->setAction(new UnifiedRoleScheduleRequestActions('adminAssign'));
$requestBody->setJustification('Assign User Admin eligibility to IT Helpdesk (User) group');
$requestBody->setRoleDefinitionId('fe930be7-5e62-47db-91af-98c3a49a38b1');
$requestBody->setDirectoryScopeId('/');
$requestBody->setPrincipalId('1189bbdd-1268-4a72-8c6d-6fe77d28f2e3');
$scheduleInfo = new RequestSchedule();
$scheduleInfo->setStartDateTime(new \DateTime('2025-03-21T11:06:00Z'));
$scheduleInfoExpiration = new ExpirationPattern();
$scheduleInfoExpiration->setEndDateTime(new \DateTime('2026-03-21T00:00:00Z'));
$scheduleInfoExpiration->setType(new ExpirationPatternType('afterDateTime'));
$scheduleInfo->setExpiration($scheduleInfoExpiration);
$requestBody->setScheduleInfo($scheduleInfo);

$result = $graphServiceClient->roleManagement()->directory()->roleEligibilityScheduleRequests()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Identity.Governance

$params = @{
	action = "AdminAssign"
	justification = "Assign User Admin eligibility to IT Helpdesk (User) group"
	roleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1"
	directoryScopeId = "/"
	principalId = "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3"
	scheduleInfo = @{
		startDateTime = [System.DateTime]::Parse("2025-03-21T11:06:00Z")
		expiration = @{
			endDateTime = [System.DateTime]::Parse("2026-03-21T00:00:00Z")
			type = "AfterDateTime"
		}
	}
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.unified_role_eligibility_schedule_request import UnifiedRoleEligibilityScheduleRequest
from msgraph.generated.models.unified_role_schedule_request_actions import UnifiedRoleScheduleRequestActions
from msgraph.generated.models.request_schedule import RequestSchedule
from msgraph.generated.models.expiration_pattern import ExpirationPattern
from msgraph.generated.models.expiration_pattern_type import ExpirationPatternType
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleEligibilityScheduleRequest(
	action = UnifiedRoleScheduleRequestActions.AdminAssign,
	justification = "Assign User Admin eligibility to IT Helpdesk (User) group",
	role_definition_id = "fe930be7-5e62-47db-91af-98c3a49a38b1",
	directory_scope_id = "/",
	principal_id = "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",
	schedule_info = RequestSchedule(
		start_date_time = "2025-03-21T11:06:00Z",
		expiration = ExpirationPattern(
			end_date_time = "2026-03-21T00:00:00Z",
			type = ExpirationPatternType.AfterDateTime,
		),
	),
)

result = await graph_client.role_management.directory.role_eligibility_schedule_requests.post(request_body)

Réponse

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
    "id": "12956159-24b8-4619-b9ea-8ce21f81a38f",
    "status": "Provisioned",
    "createdDateTime": "2025-03-21T11:07:23.4563591Z",
    "completedDateTime": "2025-03-21T11:07:24.8573295Z",
    "action": "adminAssign",
    "principalId": "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",
    "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "directoryScopeId": "/",
    "targetScheduleId": "12956159-24b8-4619-b9ea-8ce21f81a38f",
    "justification": "Assign User Admin eligibility to IT Helpdesk (User) group",
    "createdBy": {
        "application": null,
        "device": null,
        "user": {
            "id": "e2330663-f949-41b5-a3dc-faeb793e14c6"
        }
    },
    "scheduleInfo": {
        "startDateTime": "2025-03-21T11:07:24.8573295Z",
        "expiration": {
            "type": "afterDateTime",
            "endDateTime": "2026-03-21T00:00:00Z",
            "duration": null
        }
    },
    "ticketInfo": {}
}

Étape 3 : Confirmer les attributions de rôles actuelles de l’utilisateur

Les membres du groupe sont désormais éligibles pour le rôle Administrateur d’utilisateurs, mais ne peuvent pas utiliser le rôle tant qu’ils ne l’ont pas activé. La requête suivante confirme les attributions de rôles actives existantes de l’utilisateur. La requête retourne une collection vide.

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$filter=principalId eq 'd9771b4c-06c5-491a-92cb-3aa4e225a725'


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleAssignments.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "principalId eq 'd9771b4c-06c5-491a-92cb-3aa4e225a725'";
});



mgc role-management directory role-assignments list --filter "principalId eq 'd9771b4c-06c5-491a-92cb-3aa4e225a725'"



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphrolemanagement "github.com/microsoftgraph/msgraph-sdk-go/rolemanagement"
	  //other-imports
)


requestFilter := "principalId eq 'd9771b4c-06c5-491a-92cb-3aa4e225a725'"

requestParameters := &graphrolemanagement.DirectoryRoleAssignmentsRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
}
configuration := &graphrolemanagement.DirectoryRoleAssignmentsRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignments, err := graphClient.RoleManagement().Directory().RoleAssignments().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

UnifiedRoleAssignmentCollectionResponse result = graphClient.roleManagement().directory().roleAssignments().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "principalId eq 'd9771b4c-06c5-491a-92cb-3aa4e225a725'";
});


const options = {
	authProvider,
};

const client = Client.init(options);

let roleAssignments = await client.api('/roleManagement/directory/roleAssignments')
	.filter('principalId eq \'d9771b4c-06c5-491a-92cb-3aa4e225a725\'')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\RoleManagement\Directory\RoleAssignments\RoleAssignmentsRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new RoleAssignmentsRequestBuilderGetRequestConfiguration();
$queryParameters = RoleAssignmentsRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "principalId eq 'd9771b4c-06c5-491a-92cb-3aa4e225a725'";
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->roleManagement()->directory()->roleAssignments()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Identity.Governance

Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq 'd9771b4c-06c5-491a-92cb-3aa4e225a725'"


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.role_management.directory.role_assignments.role_assignments_request_builder import RoleAssignmentsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = RoleAssignmentsRequestBuilder.RoleAssignmentsRequestBuilderGetQueryParameters(
		filter = "principalId eq 'd9771b4c-06c5-491a-92cb-3aa4e225a725'",
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.role_management.directory.role_assignments.get(request_configuration = request_configuration)

Étape 4 : L’utilisateur active lui-même son affectation éligible

Un ticket CONTOSO: Security-012345 d’incident nécessite l’invalidation de tous les jetons d’actualisation des employés. En tant que membre du support technique informatique, Aline souhaite résoudre cette tâche.

Démarrez l’application Authenticator sur votre téléphone et ouvrez le compte d’Aline Dupuy.

Connectez-vous à Graph Explorer en tant que Aline. La requête suivante montre comment activer votre rôle Administrateur d’utilisateurs pendant cinq heures.

Demande

Pour activer un rôle, appelez le point de roleAssignmentScheduleRequests terminaison. Dans cette demande, l’action UserActivate vous permet d’activer votre affectation éligible.

Pour principalId, indiquez la valeur de votre ID (Aline).
RoleDefinitionId est l’ID du rôle auquel vous êtes éligible, dans ce cas, le rôle Administrateur d’utilisateurs.
Entrez les détails du système de tickets qui fournit une justification vérifiable pour l’activation de la demande.

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
Content-type: application/json

{
    "action": "SelfActivate",
    "principalId": "d9771b4c-06c5-491a-92cb-3aa4e225a725",
    "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "directoryScopeId": "/",
    "justification": "Need to invalidate all app refresh tokens for Contoso users.",
    "scheduleInfo": {
        "startDateTime": "2025-03-21T11:46:00.000Z",
        "expiration": {
            "type": "AfterDuration",
            "duration": "PT5H"
        }
    },
    "ticketInfo": {
        "ticketNumber": "CONTOSO:Security-012345",
        "ticketSystem": "Contoso ICM"
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new UnifiedRoleAssignmentScheduleRequest
{
	Action = UnifiedRoleScheduleRequestActions.SelfActivate,
	PrincipalId = "d9771b4c-06c5-491a-92cb-3aa4e225a725",
	RoleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1",
	DirectoryScopeId = "/",
	Justification = "Need to invalidate all app refresh tokens for Contoso users.",
	ScheduleInfo = new RequestSchedule
	{
		StartDateTime = DateTimeOffset.Parse("2025-03-21T11:46:00.000Z"),
		Expiration = new ExpirationPattern
		{
			Type = ExpirationPatternType.AfterDuration,
			Duration = TimeSpan.Parse("PT5H"),
		},
	},
	TicketInfo = new TicketInfo
	{
		TicketNumber = "CONTOSO:Security-012345",
		TicketSystem = "Contoso ICM",
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleAssignmentScheduleRequests.PostAsync(requestBody);



mgc role-management directory role-assignment-schedule-requests create --body '{\
    "action": "SelfActivate",\
    "principalId": "d9771b4c-06c5-491a-92cb-3aa4e225a725",\
    "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",\
    "directoryScopeId": "/",\
    "justification": "Need to invalidate all app refresh tokens for Contoso users.",\
    "scheduleInfo": {\
        "startDateTime": "2025-03-21T11:46:00.000Z",\
        "expiration": {\
            "type": "AfterDuration",\
            "duration": "PT5H"\
        }\
    },\
    "ticketInfo": {\
        "ticketNumber": "CONTOSO:Security-012345",\
        "ticketSystem": "Contoso ICM"\
    }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewUnifiedRoleAssignmentScheduleRequest()
action := graphmodels.SELFACTIVATE_UNIFIEDROLESCHEDULEREQUESTACTIONS 
requestBody.SetAction(&action) 
principalId := "d9771b4c-06c5-491a-92cb-3aa4e225a725"
requestBody.SetPrincipalId(&principalId) 
roleDefinitionId := "fe930be7-5e62-47db-91af-98c3a49a38b1"
requestBody.SetRoleDefinitionId(&roleDefinitionId) 
directoryScopeId := "/"
requestBody.SetDirectoryScopeId(&directoryScopeId) 
justification := "Need to invalidate all app refresh tokens for Contoso users."
requestBody.SetJustification(&justification) 
scheduleInfo := graphmodels.NewRequestSchedule()
startDateTime , err := time.Parse(time.RFC3339, "2025-03-21T11:46:00.000Z")
scheduleInfo.SetStartDateTime(&startDateTime) 
expiration := graphmodels.NewExpirationPattern()
type := graphmodels.AFTERDURATION_EXPIRATIONPATTERNTYPE 
expiration.SetType(&type) 
duration , err := abstractions.ParseISODuration("PT5H")
expiration.SetDuration(&duration) 
scheduleInfo.SetExpiration(expiration)
requestBody.SetScheduleInfo(scheduleInfo)
ticketInfo := graphmodels.NewTicketInfo()
ticketNumber := "CONTOSO:Security-012345"
ticketInfo.SetTicketNumber(&ticketNumber) 
ticketSystem := "Contoso ICM"
ticketInfo.SetTicketSystem(&ticketSystem) 
requestBody.SetTicketInfo(ticketInfo)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentScheduleRequests, err := graphClient.RoleManagement().Directory().RoleAssignmentScheduleRequests().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

UnifiedRoleAssignmentScheduleRequest unifiedRoleAssignmentScheduleRequest = new UnifiedRoleAssignmentScheduleRequest();
unifiedRoleAssignmentScheduleRequest.setAction(UnifiedRoleScheduleRequestActions.SelfActivate);
unifiedRoleAssignmentScheduleRequest.setPrincipalId("d9771b4c-06c5-491a-92cb-3aa4e225a725");
unifiedRoleAssignmentScheduleRequest.setRoleDefinitionId("fe930be7-5e62-47db-91af-98c3a49a38b1");
unifiedRoleAssignmentScheduleRequest.setDirectoryScopeId("/");
unifiedRoleAssignmentScheduleRequest.setJustification("Need to invalidate all app refresh tokens for Contoso users.");
RequestSchedule scheduleInfo = new RequestSchedule();
OffsetDateTime startDateTime = OffsetDateTime.parse("2025-03-21T11:46:00.000Z");
scheduleInfo.setStartDateTime(startDateTime);
ExpirationPattern expiration = new ExpirationPattern();
expiration.setType(ExpirationPatternType.AfterDuration);
PeriodAndDuration duration = PeriodAndDuration.ofDuration(Duration.parse("PT5H"));
expiration.setDuration(duration);
scheduleInfo.setExpiration(expiration);
unifiedRoleAssignmentScheduleRequest.setScheduleInfo(scheduleInfo);
TicketInfo ticketInfo = new TicketInfo();
ticketInfo.setTicketNumber("CONTOSO:Security-012345");
ticketInfo.setTicketSystem("Contoso ICM");
unifiedRoleAssignmentScheduleRequest.setTicketInfo(ticketInfo);
UnifiedRoleAssignmentScheduleRequest result = graphClient.roleManagement().directory().roleAssignmentScheduleRequests().post(unifiedRoleAssignmentScheduleRequest);


const options = {
	authProvider,
};

const client = Client.init(options);

const unifiedRoleAssignmentScheduleRequest = {
    action: 'SelfActivate',
    principalId: 'd9771b4c-06c5-491a-92cb-3aa4e225a725',
    roleDefinitionId: 'fe930be7-5e62-47db-91af-98c3a49a38b1',
    directoryScopeId: '/',
    justification: 'Need to invalidate all app refresh tokens for Contoso users.',
    scheduleInfo: {
        startDateTime: '2025-03-21T11:46:00.000Z',
        expiration: {
            type: 'AfterDuration',
            duration: 'PT5H'
        }
    },
    ticketInfo: {
        ticketNumber: 'CONTOSO:Security-012345',
        ticketSystem: 'Contoso ICM'
    }
};

await client.api('/roleManagement/directory/roleAssignmentScheduleRequests')
	.post(unifiedRoleAssignmentScheduleRequest);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\UnifiedRoleAssignmentScheduleRequest;
use Microsoft\Graph\Generated\Models\UnifiedRoleScheduleRequestActions;
use Microsoft\Graph\Generated\Models\RequestSchedule;
use Microsoft\Graph\Generated\Models\ExpirationPattern;
use Microsoft\Graph\Generated\Models\ExpirationPatternType;
use Microsoft\Graph\Generated\Models\TicketInfo;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new UnifiedRoleAssignmentScheduleRequest();
$requestBody->setAction(new UnifiedRoleScheduleRequestActions('selfActivate'));
$requestBody->setPrincipalId('d9771b4c-06c5-491a-92cb-3aa4e225a725');
$requestBody->setRoleDefinitionId('fe930be7-5e62-47db-91af-98c3a49a38b1');
$requestBody->setDirectoryScopeId('/');
$requestBody->setJustification('Need to invalidate all app refresh tokens for Contoso users.');
$scheduleInfo = new RequestSchedule();
$scheduleInfo->setStartDateTime(new \DateTime('2025-03-21T11:46:00.000Z'));
$scheduleInfoExpiration = new ExpirationPattern();
$scheduleInfoExpiration->setType(new ExpirationPatternType('afterDuration'));
$scheduleInfoExpiration->setDuration(new \DateInterval('PT5H'));
$scheduleInfo->setExpiration($scheduleInfoExpiration);
$requestBody->setScheduleInfo($scheduleInfo);
$ticketInfo = new TicketInfo();
$ticketInfo->setTicketNumber('CONTOSO:Security-012345');
$ticketInfo->setTicketSystem('Contoso ICM');
$requestBody->setTicketInfo($ticketInfo);

$result = $graphServiceClient->roleManagement()->directory()->roleAssignmentScheduleRequests()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Identity.Governance

$params = @{
	action = "SelfActivate"
	principalId = "d9771b4c-06c5-491a-92cb-3aa4e225a725"
	roleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1"
	directoryScopeId = "/"
	justification = "Need to invalidate all app refresh tokens for Contoso users."
	scheduleInfo = @{
		startDateTime = [System.DateTime]::Parse("2025-03-21T11:46:00.000Z")
		expiration = @{
			type = "AfterDuration"
			duration = "PT5H"
		}
	}
	ticketInfo = @{
		ticketNumber = "CONTOSO:Security-012345"
		ticketSystem = "Contoso ICM"
	}
}

New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.unified_role_assignment_schedule_request import UnifiedRoleAssignmentScheduleRequest
from msgraph.generated.models.unified_role_schedule_request_actions import UnifiedRoleScheduleRequestActions
from msgraph.generated.models.request_schedule import RequestSchedule
from msgraph.generated.models.expiration_pattern import ExpirationPattern
from msgraph.generated.models.expiration_pattern_type import ExpirationPatternType
from msgraph.generated.models.ticket_info import TicketInfo
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleAssignmentScheduleRequest(
	action = UnifiedRoleScheduleRequestActions.SelfActivate,
	principal_id = "d9771b4c-06c5-491a-92cb-3aa4e225a725",
	role_definition_id = "fe930be7-5e62-47db-91af-98c3a49a38b1",
	directory_scope_id = "/",
	justification = "Need to invalidate all app refresh tokens for Contoso users.",
	schedule_info = RequestSchedule(
		start_date_time = "2025-03-21T11:46:00.000Z",
		expiration = ExpirationPattern(
			type = ExpirationPatternType.AfterDuration,
			duration = "PT5H",
		),
	),
	ticket_info = TicketInfo(
		ticket_number = "CONTOSO:Security-012345",
		ticket_system = "Contoso ICM",
	),
)

result = await graph_client.role_management.directory.role_assignment_schedule_requests.post(request_body)

Réponse

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleRequests/$entity",
    "id": "fdde3804-2cd0-4349-b1f6-674927c94f0b",
    "status": "Provisioned",
    "createdDateTime": "2025-03-21T11:46:41.9645736Z",
    "completedDateTime": "2025-03-21T11:46:42.4165908Z",
    "action": "selfActivate",
    "principalId": "d9771b4c-06c5-491a-92cb-3aa4e225a725",
    "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "directoryScopeId": "/",
    "isValidationOnly": false,
    "targetScheduleId": "fdde3804-2cd0-4349-b1f6-674927c94f0b",
    "justification": "Need to invalidate all app refresh tokens for Contoso users.",
    "createdBy": {
        "user": {
            "id": "d9771b4c-06c5-491a-92cb-3aa4e225a725"
        }
    },
    "scheduleInfo": {
        "startDateTime": "2025-03-21T11:46:42.4165908Z",
        "expiration": {
            "type": "afterDuration",
            "endDateTime": null,
            "duration": "PT5H"
        }
    },
    "ticketInfo": {
        "ticketNumber": "CONTOSO:Security-012345",
        "ticketSystem": "Contoso ICM"
    }
}

Étape 5 : Confirmer l’attribution de rôle

Vous pouvez confirmer votre affectation en exécutant la requête suivante. L’objet response retourne votre attribution de rôle nouvellement activée avec son status défini sur Provisioned ou Granted. Avec votre nouveau privilège, effectuez toutes les actions autorisées dans les cinq heures pour lesquelles votre affectation est active. Après cinq heures, l’affectation active expire, mais grâce à votre appartenance au groupe Support informatique (utilisateurs), vous êtes éligible au rôle Administrateur d’utilisateurs.

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='principal')?$expand=roleDefinition


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleAssignmentScheduleRequests.FilterByCurrentUserWithOn("principal").GetAsFilterByCurrentUserWithOnGetResponseAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Expand = new string []{ "roleDefinition" };
});



mgc role-management directory role-assignment-schedule-requests filter-by-current-user-with-on get --on {on-id} --expand "roleDefinition"



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphrolemanagement "github.com/microsoftgraph/msgraph-sdk-go/rolemanagement"
	  //other-imports
)

requestParameters := &graphrolemanagement.DirectoryRoleAssignmentScheduleRequestsFilterByCurrentUserWithOnRequestBuilderGetQueryParameters{
	Expand: [] string {"roleDefinition"},
}
configuration := &graphrolemanagement.DirectoryRoleAssignmentScheduleRequestsFilterByCurrentUserWithOnRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
on := "principal"
filterByCurrentUser, err := graphClient.RoleManagement().Directory().RoleAssignmentScheduleRequests().FilterByCurrentUserWithOn(&on).GetAsFilterByCurrentUserWithOnGetResponse(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

var result = graphClient.roleManagement().directory().roleAssignmentScheduleRequests().filterByCurrentUserWithOn("principal").get(requestConfiguration -> {
	requestConfiguration.queryParameters.expand = new String []{"roleDefinition"};
});


const options = {
	authProvider,
};

const client = Client.init(options);

let filterByCurrentUser = await client.api('/roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='principal')')
	.expand('roleDefinition')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\RoleManagement\Directory\RoleAssignmentScheduleRequests\FilterByCurrentUser(on='{on}')\FilterByCurrentUserWithOnRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new FilterByCurrentUserWithOnRequestBuilderGetRequestConfiguration();
$queryParameters = FilterByCurrentUserWithOnRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->expand = ["roleDefinition"];
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->roleManagement()->directory()->roleAssignmentScheduleRequests()->filterByCurrentUserWithOn('principal', )->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Identity.Governance

Invoke-MgFilterRoleManagementDirectoryRoleAssignmentScheduleRequestByCurrentUser -ExpandProperty "roleDefinition"  -On $onId


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.role_management.directory.role_assignment_schedule_requests.filter_by_current_user(on='{on}').filter_by_current_user_with_on_request_builder import FilterByCurrentUserWithOnRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = FilterByCurrentUserWithOnRequestBuilder.FilterByCurrentUserWithOnRequestBuilderGetQueryParameters(
		expand = ["roleDefinition"],
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.role_management.directory.role_assignment_schedule_requests.filter_by_current_user_with_on("principal").get(request_configuration = request_configuration)

Étape 6 : Nettoyer les ressources

Connectez-vous en tant qu’administrateur de rôle privilégié et supprimez les ressources créées pour ce didacticiel.

Révoquer l’éligibilité au rôle pour le groupe

Demande

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests
Content-type: application/json

{
    "action": "AdminRemove",
    "principalId": "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",
    "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "directoryScopeId": "/"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new UnifiedRoleEligibilityScheduleRequest
{
	Action = UnifiedRoleScheduleRequestActions.AdminRemove,
	PrincipalId = "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",
	RoleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1",
	DirectoryScopeId = "/",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.RoleManagement.Directory.RoleEligibilityScheduleRequests.PostAsync(requestBody);



mgc role-management directory role-eligibility-schedule-requests create --body '{\
    "action": "AdminRemove",\
    "principalId": "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",\
    "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",\
    "directoryScopeId": "/"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewUnifiedRoleEligibilityScheduleRequest()
action := graphmodels.ADMINREMOVE_UNIFIEDROLESCHEDULEREQUESTACTIONS 
requestBody.SetAction(&action) 
principalId := "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3"
requestBody.SetPrincipalId(&principalId) 
roleDefinitionId := "fe930be7-5e62-47db-91af-98c3a49a38b1"
requestBody.SetRoleDefinitionId(&roleDefinitionId) 
directoryScopeId := "/"
requestBody.SetDirectoryScopeId(&directoryScopeId) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleEligibilityScheduleRequests, err := graphClient.RoleManagement().Directory().RoleEligibilityScheduleRequests().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

UnifiedRoleEligibilityScheduleRequest unifiedRoleEligibilityScheduleRequest = new UnifiedRoleEligibilityScheduleRequest();
unifiedRoleEligibilityScheduleRequest.setAction(UnifiedRoleScheduleRequestActions.AdminRemove);
unifiedRoleEligibilityScheduleRequest.setPrincipalId("1189bbdd-1268-4a72-8c6d-6fe77d28f2e3");
unifiedRoleEligibilityScheduleRequest.setRoleDefinitionId("fe930be7-5e62-47db-91af-98c3a49a38b1");
unifiedRoleEligibilityScheduleRequest.setDirectoryScopeId("/");
UnifiedRoleEligibilityScheduleRequest result = graphClient.roleManagement().directory().roleEligibilityScheduleRequests().post(unifiedRoleEligibilityScheduleRequest);


const options = {
	authProvider,
};

const client = Client.init(options);

const unifiedRoleEligibilityScheduleRequest = {
    action: 'AdminRemove',
    principalId: '1189bbdd-1268-4a72-8c6d-6fe77d28f2e3',
    roleDefinitionId: 'fe930be7-5e62-47db-91af-98c3a49a38b1',
    directoryScopeId: '/'
};

await client.api('/roleManagement/directory/roleEligibilityScheduleRequests')
	.post(unifiedRoleEligibilityScheduleRequest);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\UnifiedRoleEligibilityScheduleRequest;
use Microsoft\Graph\Generated\Models\UnifiedRoleScheduleRequestActions;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new UnifiedRoleEligibilityScheduleRequest();
$requestBody->setAction(new UnifiedRoleScheduleRequestActions('adminRemove'));
$requestBody->setPrincipalId('1189bbdd-1268-4a72-8c6d-6fe77d28f2e3');
$requestBody->setRoleDefinitionId('fe930be7-5e62-47db-91af-98c3a49a38b1');
$requestBody->setDirectoryScopeId('/');

$result = $graphServiceClient->roleManagement()->directory()->roleEligibilityScheduleRequests()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Identity.Governance

$params = @{
	action = "AdminRemove"
	principalId = "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3"
	roleDefinitionId = "fe930be7-5e62-47db-91af-98c3a49a38b1"
	directoryScopeId = "/"
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.unified_role_eligibility_schedule_request import UnifiedRoleEligibilityScheduleRequest
from msgraph.generated.models.unified_role_schedule_request_actions import UnifiedRoleScheduleRequestActions
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = UnifiedRoleEligibilityScheduleRequest(
	action = UnifiedRoleScheduleRequestActions.AdminRemove,
	principal_id = "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",
	role_definition_id = "fe930be7-5e62-47db-91af-98c3a49a38b1",
	directory_scope_id = "/",
)

result = await graph_client.role_management.directory.role_eligibility_schedule_requests.post(request_body)

Réponse

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
    "id": "749ebf39-ffa9-4f43-aaaf-58e0d41f9efc",
    "status": "Revoked",
    "createdDateTime": "2025-03-21T12:03:14.551954Z",
    "action": "adminRemove",
    "principalId": "1189bbdd-1268-4a72-8c6d-6fe77d28f2e3",
    "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
    "directoryScopeId": "/",
    "createdBy": {
        "user": {
            "displayName": null,
            "id": "e2330663-f949-41b5-a3dc-faeb793e14c6"
        }
    }
}

Supprimer le groupe Support informatique (utilisateurs)

La requête retourne un code de réponse 204 No Content .

DELETE https://graph.microsoft.com/v1.0/groups/d9771b4c-06c5-491a-92cb-3aa4e225a725


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Groups["{group-id}"].DeleteAsync();



mgc groups delete --group-id {group-id}



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Groups().ByGroupId("group-id").Delete(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

graphClient.groups().byGroupId("{group-id}").delete();


const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/groups/d9771b4c-06c5-491a-92cb-3aa4e225a725')
	.delete();


<?php
use Microsoft\Graph\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$graphServiceClient->groups()->byGroupId('group-id')->delete()->wait();


Import-Module Microsoft.Graph.Groups

Remove-MgGroup -GroupId $groupId


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

await graph_client.groups.by_group_id('group-id').delete()

Conclusion

Dans ce tutoriel, vous avez appris à gérer les attributions de rôles privilégiés dans Microsoft Entra ID à l’aide d’API PIM.

Au lieu de rendre le groupe éligible pour le rôle privilégié, vous pouvez attribuer un rôle actif au groupe et rendre les membres éligibles pour le groupe à l’aide des API PIM pour les groupes.
L’authentification multifacteur était requise pour l’activation du rôle. Vous pouvez modifier cette exigence dans Microsoft Entra paramètres de rôle.
Vous pouvez également configurer :
- Durée maximale autorisée pour l’activation du rôle.
- Indique si des informations de justification et de ticket sont requises pour activer le rôle.

Partager via

Attribuer des rôles privilégiés à l’aide de PIM pour les API de rôles Microsoft Entra

Configuration requise

Étape 1 : Créer un groupe de sécurité pouvant être attribué à un rôle

Demande : Créer un groupe assignable à un rôle

Réponse

Étape 2 : Créer une demande unifiedRoleEligibilityScheduleRequest

Demande

Réponse

Étape 3 : Confirmer les attributions de rôles actuelles de l’utilisateur

Étape 4 : L’utilisateur active lui-même son affectation éligible

Demande

Réponse

Étape 5 : Confirmer l’attribution de rôle

Étape 6 : Nettoyer les ressources

Révoquer l’éligibilité au rôle pour le groupe

Demande

Réponse

Supprimer le groupe Support informatique (utilisateurs)

Conclusion

Contenu connexe

Commentaires

Ressources supplémentaires