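Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Create a role assignment request to represent the operation you want on a role assignment. The following table lists the operations.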
| Operation | Type |
|---|---|
| Assign a role assignment | AdminAdd |
| Activate an eligible role assignment | UserAdd |
| Deactivate an activated role assignment | UserRemove |
| Remove a role assignment | AdminRemove |
| Update a role assignment | AdminUpdate |
| Request to extend a role assignment | UserExtend |
| Extend a role assignment | AdminExtend |
| Request to renew an expired role assignment | UserRenew |
| Renew an expired role assignment | AdminRenew |
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ❌ |
Permissions
The following table shows the least privileged permission or permissions required to call this API on each supported resource type.
Follow best practices and request the least privileged permissions. For details about delegated and application permissions, see "Permission types". To learn more about these permissions, see the "Permissions reference".
| Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|---|---|---|---|
| Microsoft Entra ID | PrivilegedAccess.ReadWrite.AzureAD | Not supported. | Not supported. |
| Azure resources | PrivilegedAccess.ReadWrite.AzureResources | Not supported. | Not supported. |
| group | PrivilegedAccess.ReadWrite.AzureADGroup | Not supported. | Not supported. |
HTTP request
```http
POST /privilegedAccess/azureResources/roleAssignmentRequests
```
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-type | application/json |
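Request body
In the request body, supply a JSON representation of a governanceRoleAssignmentRequest object.
| Property | Type | Description |
|---|---|---|
| resourceId | String | The unique identifier of the Azure resource that the role assignment request is associated with. Azure resources can include subscriptions, resource groups, virtual machines, and SQL databases. Required. |
| roleDefinitionId | String | The identifier of the Azure role definition that the role assignment request is associated with. Required. |
| subjectId | String | The unique identifier of the principal or subject that the role assignment request is associated with. Principals can be users, groups, or service principals. Required. |
| assignmentState | String | The state of the assignment. The value can be Eligible or Active. Required. |
| type | String | The request type. The value can be AdminAdd, UserAdd, AdminUpdate, AdminRemove, UserRemove, UserExtend, UserRenew, AdminRenew, or AdminExtend. Required. |
| reason | String | The reason must be provided for the role assignment request for audit and review purposes. |
| schedule | governanceSchedule | The schedule of the role assignment request. Required for the request types UserAdd, AdminAdd, AdminUpdate, and AdminExtend. |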
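A client-side pre-flight check that applies the rules of the property table above before a request is sent. This is an added example, not code from the original page or from Microsoft; the function names are hypothetical, enum values are assumed to be case-sensitive, and the sample bodies are the Example 1 and Example 4 request bodies from this page.

```python
# Added example: pre-flight validation of a governanceRoleAssignmentRequest body,
# built only from the rules in the property table (required fields, allowed
# values, and the request types for which schedule is required).

REQUIRED_STRING_FIELDS = (
    "resourceId", "roleDefinitionId", "subjectId", "assignmentState", "type",
)
ASSIGNMENT_STATES = {"Eligible", "Active"}
REQUEST_TYPES = {
    "AdminAdd", "UserAdd", "AdminUpdate", "AdminRemove", "UserRemove",
    "UserExtend", "UserRenew", "AdminRenew", "AdminExtend",
}
# Request types for which the table marks schedule as required.
SCHEDULE_REQUIRED_FOR = {"UserAdd", "AdminAdd", "AdminUpdate", "AdminExtend"}


def validate_request(body):
    """Return a list of problems; an empty list means the body passes the documented rules.

    Assumption: enum values are compared case-sensitively, as the table spells them.
    """
    if not isinstance(body, dict):
        return ["body: must be a JSON object"]

    problems = []
    for field in REQUIRED_STRING_FIELDS:
        value = body.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: required, must be a non-empty string")

    state = body.get("assignmentState")
    if isinstance(state, str) and state.strip() and state not in ASSIGNMENT_STATES:
        problems.append(f"assignmentState: {state!r} is not Eligible or Active")

    req_type = body.get("type")
    if isinstance(req_type, str) and req_type.strip() and req_type not in REQUEST_TYPES:
        problems.append(f"type: {req_type!r} is not a documented request type")

    schedule = body.get("schedule")
    if schedule is not None and not isinstance(schedule, dict):
        problems.append("schedule: must be a governanceSchedule object")
    elif isinstance(req_type, str) and req_type in SCHEDULE_REQUIRED_FOR and not schedule:
        problems.append(f"schedule: required for request type {req_type}")

    return problems


def missing_reason(body):
    """True when no reason is supplied.

    The table says the reason serves audit and review; the examples mark it as
    dependent on role settings, so this is reported separately, not as an error.
    """
    reason = body.get("reason") if isinstance(body, dict) else None
    return not (isinstance(reason, str) and reason.strip())


# Request body of Example 1 on this page (AdminAdd, Eligible).
EXAMPLE_1_BODY = {
    "roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
    "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
    "assignmentState": "Eligible",
    "type": "AdminAdd",
    "reason": "Assign an eligible role",
    "schedule": {
        "startDateTime": "2018-05-12T23:37:43.356Z",
        "endDateTime": "2018-11-08T23:37:43.356Z",
        "type": "Once",
    },
}

# Request body of Example 4 on this page (AdminRemove: no reason, no schedule).
EXAMPLE_4_BODY = {
    "roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
    "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
    "assignmentState": "Eligible",
    "type": "AdminRemove",
}

# Constructed negative case: an activation (UserAdd) that omits the schedule.
USER_ADD_WITHOUT_SCHEDULE = {
    k: v for k, v in EXAMPLE_1_BODY.items() if k != "schedule"
}
USER_ADD_WITHOUT_SCHEDULE.update({"type": "UserAdd", "assignmentState": "Active"})

if __name__ == "__main__":
    for name, body in [
        ("Example 1", EXAMPLE_1_BODY),
        ("Example 4", EXAMPLE_4_BODY),
        ("UserAdd without schedule", USER_ADD_WITHOUT_SCHEDULE),
    ]:
        print(name, validate_request(body), "reason missing:", missing_reason(body))
```

Checking locally catches only what the property table documents; policy failures such as RoleAssignmentRequestPolicyValidationFailed are still decided by the service.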
Response
If successful, this method returns a 201 Created response code and a governanceRoleAssignmentRequest object in the response body.
Error codes
This API returns the standard HTTP error codes. In addition, it returns the error codes listed in the following table.
| Error code | Error message | Details |
|---|---|---|
| 400 BadRequest | RoleNotFound | The roleDefinitionId provided in the request body can't be found. |
| 400 BadRequest | ResourceIsLocked | The resource provided in the request body is in the Locked state, so a role assignment request can't be created. |
| 400 BadRequest | SubjectNotFound | The subjectId provided in the request body can't be found. |
| 400 BadRequest | PendingRoleAssignmentRequest | A pending governanceRoleAssignmentRequest already exists in the system. |
| 400 BadRequest | RoleAssignmentExists | The governanceRoleAssignment requested to be created already exists in the system. |
| 400 BadRequest | RoleAssignmentDoesNotExist | The governanceRoleAssignment requested to be updated/extended doesn't exist in the system. |
| 400 BadRequest | RoleAssignmentRequestPolicyValidationFailed | The governanceRoleAssignmentRequest doesn't meet the internal policies and can't be created. |
Examples
The following examples show how to use this API.
Example 1: Administrator assigns a user to a role
In this example, an administrator assigns the user nawu@contoso.com to the Billing Reader role.
Note: In addition to the permission, this example requires that the requestor has at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible/Active |
| type | String | Yes | AdminAdd |
| reason | String | Depends on role settings | |
| schedule | governanceSchedule | Yes | |
Request
```http
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "assignmentState": "Eligible",
  "type": "AdminAdd",
  "reason": "Assign an eligible role",
  "schedule": {
    "startDateTime": "2018-05-12T23:37:43.356Z",
    "endDateTime": "2018-11-08T23:37:43.356Z",
    "type": "Once"
  }
}
```
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
    RoleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
    ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
    AssignmentState = "Eligible",
    Type = "AdminAdd",
    Reason = "Assign an eligible role",
    Schedule = new GovernanceSchedule
    {
        StartDateTime = DateTimeOffset.Parse("2018-05-12T23:37:43.356Z"),
        EndDateTime = DateTimeOffset.Parse("2018-11-08T23:37:43.356Z"),
        Type = "Once",
    },
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
```
```go
// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	"context"
	"time"

	msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request type gets its own variable name
requestType := "AdminAdd"
requestBody.SetType(&requestType)
reason := "Assign an eligible role"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:37:43.356Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-11-08T23:37:43.356Z")
schedule.SetEndDateTime(&endDateTime)
scheduleType := "Once"
schedule.SetType(&scheduleType)
requestBody.SetSchedule(schedule)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
```
```java
// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("ea48ad5e-e3b0-4d10-af54-39a45bbfe68d");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminAdd");
governanceRoleAssignmentRequest.setReason("Assign an eligible role");
GovernanceSchedule schedule = new GovernanceSchedule();
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:37:43.356Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-11-08T23:37:43.356Z");
schedule.setEndDateTime(endDateTime);
schedule.setType("Once");
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
```
```javascript
const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: 'ea48ad5e-e3b0-4d10-af54-39a45bbfe68d',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
  assignmentState: 'Eligible',
  type: 'AdminAdd',
  reason: 'Assign an eligible role',
  schedule: {
    startDateTime: '2018-05-12T23:37:43.356Z',
    endDateTime: '2018-11-08T23:37:43.356Z',
    type: 'Once'
  }
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);
```
```php
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('ea48ad5e-e3b0-4d10-af54-39a45bbfe68d');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminAdd');
$requestBody->setReason('Assign an eligible role');
$schedule = new GovernanceSchedule();
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:37:43.356Z'));
$schedule->setEndDateTime(new \DateTime('2018-11-08T23:37:43.356Z'));
$schedule->setType('Once');
$requestBody->setSchedule($schedule);

$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
```
```powershell
Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	roleDefinitionId = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d"
	resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
	subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
	assignmentState = "Eligible"
	type = "AdminAdd"
	reason = "Assign an eligible role"
	schedule = @{
		startDateTime = [System.DateTime]::Parse("2018-05-12T23:37:43.356Z")
		endDateTime = [System.DateTime]::Parse("2018-11-08T23:37:43.356Z")
		type = "Once"
	}
}

New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
```
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
    role_definition_id = "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
    resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
    assignment_state = "Eligible",
    type = "AdminAdd",
    reason = "Assign an eligible role",
    schedule = GovernanceSchedule(
        start_date_time = "2018-05-12T23:37:43.356Z",
        end_date_time = "2018-11-08T23:37:43.356Z",
        type = "Once",
    ),
)

result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
```
Response
```http
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "1232e4ea-741a-4be5-8044-5edabdd61672",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "roleDefinitionId": "ea48ad5e-e3b0-4d10-af54-39a45bbfe68d",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "linkedEligibleRoleAssignmentId": "",
  "type": "AdminAdd",
  "assignmentState": "Eligible",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": "Evaluate Only",
  "status": {
    "status": "InProgress",
    "subStatus": "Granted",
    "statusDetails": [
      {
        "key": "AdminRequestRule",
        "value": "Grant"
      },
      {
        "key": "ExpirationRule",
        "value": "Grant"
      },
      {
        "key": "MfaRule",
        "value": "Grant"
      }
    ]
  },
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:37:43.356Z",
    "endDateTime": "2018-11-08T23:37:43.356Z",
    "duration": "PT0S"
  }
}
```
Example 2: User activates an eligible role
In this example, the user nawu@contoso.com activates the eligible Billing Reader role.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Active |
| type | String | Yes | UserAdd |
| reason | String | Depends on role settings | |
| schedule | governanceSchedule | Yes | |
Request
```http
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "assignmentState": "Active",
  "type": "UserAdd",
  "reason": "Activate the owner role",
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:28:43.537Z",
    "duration": "PT9H"
  },
  "linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394"
}
```
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
    RoleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
    ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
    AssignmentState = "Active",
    Type = "UserAdd",
    Reason = "Activate the owner role",
    Schedule = new GovernanceSchedule
    {
        Type = "Once",
        StartDateTime = DateTimeOffset.Parse("2018-05-12T23:28:43.537Z"),
        // TimeSpan.Parse does not accept ISO 8601 durations such as "PT9H"; XmlConvert.ToTimeSpan does
        Duration = System.Xml.XmlConvert.ToTimeSpan("PT9H"),
    },
    LinkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
```
```go
// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	"context"
	"time"

	msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "8b4d1d51-08e9-4254-b0a6-b16177aae376"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request type gets its own variable name
requestType := "UserAdd"
requestBody.SetType(&requestType)
reason := "Activate the owner role"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:28:43.537Z")
schedule.SetStartDateTime(&startDateTime)
duration, err := abstractions.ParseISODuration("PT9H")
schedule.SetDuration(&duration)
requestBody.SetSchedule(schedule)
linkedEligibleRoleAssignmentId := "e327f4be-42a0-47a2-8579-0a39b025b394"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
```
```java
// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("8b4d1d51-08e9-4254-b0a6-b16177aae376");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserAdd");
governanceRoleAssignmentRequest.setReason("Activate the owner role");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:28:43.537Z");
schedule.setStartDateTime(startDateTime);
PeriodAndDuration duration = PeriodAndDuration.ofDuration(Duration.parse("PT9H"));
schedule.setDuration(duration);
governanceRoleAssignmentRequest.setSchedule(schedule);
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("e327f4be-42a0-47a2-8579-0a39b025b394");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
```
```javascript
const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: '8b4d1d51-08e9-4254-b0a6-b16177aae376',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
  assignmentState: 'Active',
  type: 'UserAdd',
  reason: 'Activate the owner role',
  schedule: {
    type: 'Once',
    startDateTime: '2018-05-12T23:28:43.537Z',
    duration: 'PT9H'
  },
  linkedEligibleRoleAssignmentId: 'e327f4be-42a0-47a2-8579-0a39b025b394'
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);
```
```php
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('8b4d1d51-08e9-4254-b0a6-b16177aae376');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserAdd');
$requestBody->setReason('Activate the owner role');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:28:43.537Z'));
$schedule->setDuration(new \DateInterval('PT9H'));
$requestBody->setSchedule($schedule);
$requestBody->setLinkedEligibleRoleAssignmentId('e327f4be-42a0-47a2-8579-0a39b025b394');

$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
```
```powershell
Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	roleDefinitionId = "8b4d1d51-08e9-4254-b0a6-b16177aae376"
	resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
	subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
	assignmentState = "Active"
	type = "UserAdd"
	reason = "Activate the owner role"
	schedule = @{
		type = "Once"
		startDateTime = [System.DateTime]::Parse("2018-05-12T23:28:43.537Z")
		duration = "PT9H"
	}
	linkedEligibleRoleAssignmentId = "e327f4be-42a0-47a2-8579-0a39b025b394"
}

New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
```
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
    role_definition_id = "8b4d1d51-08e9-4254-b0a6-b16177aae376",
    resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
    assignment_state = "Active",
    type = "UserAdd",
    reason = "Activate the owner role",
    schedule = GovernanceSchedule(
        type = "Once",
        start_date_time = "2018-05-12T23:28:43.537Z",
        duration = "PT9H",
    ),
    linked_eligible_role_assignment_id = "e327f4be-42a0-47a2-8579-0a39b025b394",
)

result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
```
Response
```http
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "3ad49a7c-918e-4d86-9f84-fab28f8658c0",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "roleDefinitionId": "8b4d1d51-08e9-4254-b0a6-b16177aae376",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "linkedEligibleRoleAssignmentId": "e327f4be-42a0-47a2-8579-0a39b025b394",
  "type": "UserAdd",
  "assignmentState": "Active",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": "Activate the owner role",
  "status": {
    "status": "InProgress",
    "subStatus": "Granted",
    "statusDetails": [
      {
        "key": "EligibilityRule",
        "value": "Grant"
      },
      {
        "key": "ExpirationRule",
        "value": "Grant"
      },
      {
        "key": "MfaRule",
        "value": "Grant"
      },
      {
        "key": "JustificationRule",
        "value": "Grant"
      },
      {
        "key": "ActivationDayRule",
        "value": "Grant"
      },
      {
        "key": "ApprovalRule",
        "value": "Grant"
      }
    ]
  },
  "schedule": {
    "type": "Once",
    "startDateTime": "2018-05-12T23:28:43.537Z",
    "endDateTime": "0001-01-01T00:00:00Z",
    "duration": "PT9H"
  }
}
```
Example 3: User deactivates an assigned role
In this example, the user nawu@contoso.com deactivates the active Billing Reader role.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Active |
| type | String | Yes | UserRemove |
| reason | String | No | |
| schedule | governanceSchedule | No | |
Request
```http
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
  "resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "assignmentState": "Active",
  "type": "UserRemove",
  "reason": "Deactivate the role",
  "linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}
```
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
    RoleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
    ResourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
    SubjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
    AssignmentState = "Active",
    Type = "UserRemove",
    Reason = "Deactivate the role",
    LinkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
```
```go
// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	"context"

	msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "bc75b4e6-7403-4243-bf2f-d1f6990be122"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
requestBody.SetResourceId(&resourceId)
subjectId := "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Active"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request type gets its own variable name
requestType := "UserRemove"
requestBody.SetType(&requestType)
reason := "Deactivate the role"
requestBody.SetReason(&reason)
linkedEligibleRoleAssignmentId := "cb8a533e-02d5-42ad-8499-916b1e4822ec"
requestBody.SetLinkedEligibleRoleAssignmentId(&linkedEligibleRoleAssignmentId)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
```
```java
// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("bc75b4e6-7403-4243-bf2f-d1f6990be122");
governanceRoleAssignmentRequest.setResourceId("fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735");
governanceRoleAssignmentRequest.setSubjectId("918e54be-12c4-4f4c-a6d3-2ee0e3661c51");
governanceRoleAssignmentRequest.setAssignmentState("Active");
governanceRoleAssignmentRequest.setType("UserRemove");
governanceRoleAssignmentRequest.setReason("Deactivate the role");
governanceRoleAssignmentRequest.setLinkedEligibleRoleAssignmentId("cb8a533e-02d5-42ad-8499-916b1e4822ec");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
```
```javascript
const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: 'bc75b4e6-7403-4243-bf2f-d1f6990be122',
  resourceId: 'fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735',
  subjectId: '918e54be-12c4-4f4c-a6d3-2ee0e3661c51',
  assignmentState: 'Active',
  type: 'UserRemove',
  reason: 'Deactivate the role',
  linkedEligibleRoleAssignmentId: 'cb8a533e-02d5-42ad-8499-916b1e4822ec'
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);
```
```php
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('bc75b4e6-7403-4243-bf2f-d1f6990be122');
$requestBody->setResourceId('fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735');
$requestBody->setSubjectId('918e54be-12c4-4f4c-a6d3-2ee0e3661c51');
$requestBody->setAssignmentState('Active');
$requestBody->setType('UserRemove');
$requestBody->setReason('Deactivate the role');
$requestBody->setLinkedEligibleRoleAssignmentId('cb8a533e-02d5-42ad-8499-916b1e4822ec');

$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
```
```powershell
Import-Module Microsoft.Graph.Beta.Identity.Governance

$params = @{
	roleDefinitionId = "bc75b4e6-7403-4243-bf2f-d1f6990be122"
	resourceId = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735"
	subjectId = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51"
	assignmentState = "Active"
	type = "UserRemove"
	reason = "Deactivate the role"
	linkedEligibleRoleAssignmentId = "cb8a533e-02d5-42ad-8499-916b1e4822ec"
}

New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
```
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
    role_definition_id = "bc75b4e6-7403-4243-bf2f-d1f6990be122",
    resource_id = "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
    subject_id = "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
    assignment_state = "Active",
    type = "UserRemove",
    reason = "Deactivate the role",
    linked_eligible_role_assignment_id = "cb8a533e-02d5-42ad-8499-916b1e4822ec",
)

result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
```
Response
```http
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
  "id": "abfcdb57-8e5d-42a0-ae67-7598b96fddb1",
  "resourceId": "fb016e3a-c3ed-4d9d-96b6-a54cd4f0b735",
  "roleDefinitionId": "bc75b4e6-7403-4243-bf2f-d1f6990be122",
  "subjectId": "918e54be-12c4-4f4c-a6d3-2ee0e3661c51",
  "linkedEligibleRoleAssignmentId": "cb8a533e-02d5-42ad-8499-916b1e4822ec",
  "type": "UserRemove",
  "assignmentState": "Active",
  "requestedDateTime": "0001-01-01T00:00:00Z",
  "reason": "Evaluate only",
  "schedule": null,
  "status": {
    "status": "Closed",
    "subStatus": "Revoked",
    "statusDetails": []
  }
}
```
Example 4: Administrator removes a user from a role
In this example, an administrator removes the user nawu@contoso.com from the Billing Reader role.
Note: In addition to the permission, this example requires that the requestor has at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible/Active |
| type | String | Yes | AdminRemove |
| reason | String | No | |
| schedule | governanceSchedule | No | |
Request
```http
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json

{
  "roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
  "resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
  "subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
  "assignmentState": "Eligible",
  "type": "AdminRemove"
}
```
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models;

var requestBody = new GovernanceRoleAssignmentRequest
{
    RoleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
    ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
    SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
    AssignmentState = "Eligible",
    Type = "AdminRemove",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
```
```go
// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	"context"

	msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "65bb4622-61f5-4f25-9d75-d0e20cf92019"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the request type gets its own variable name
requestType := "AdminRemove"
requestBody.SetType(&requestType)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
```
```java
// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("65bb4622-61f5-4f25-9d75-d0e20cf92019");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminRemove");
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
```
```javascript
const options = {
	authProvider,
};

const client = Client.init(options);

const governanceRoleAssignmentRequest = {
  roleDefinitionId: '65bb4622-61f5-4f25-9d75-d0e20cf92019',
  resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
  subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
  assignmentState: 'Eligible',
  type: 'AdminRemove'
};

await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
	.version('beta')
	.post(governanceRoleAssignmentRequest);
```
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('65bb4622-61f5-4f25-9d75-d0e20cf92019');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminRemove');
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "65bb4622-61f5-4f25-9d75-d0e20cf92019"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
assignmentState = "Eligible"
type = "AdminRemove"
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "65bb4622-61f5-4f25-9d75-d0e20cf92019",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
assignment_state = "Eligible",
type = "AdminRemove",
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "c934fcb9-cf53-42ac-a8b4-6246f6726299",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "65bb4622-61f5-4f25-9d75-d0e20cf92019",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminRemove",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": null,
"status": {
"status": "Closed",
"subStatus": "Revoked",
"statusDetails": []
},
"schedule": null
}
Example 5: Administrator updates a role assignment
In this example, an administrator updates the role assignment of the user nawu@contoso.com to Owner.
Note: In addition to the permission, this example requires that the requester has at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminUpdate |
| reason | String | Depends on roleSettings | |
| schedule | governanceSchedule | Yes | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
"assignmentState": "Eligible",
"type": "AdminUpdate",
"schedule": {
"type": "Once",
"startDateTime": "2018-03-08T05:42:45.317Z",
"endDateTime": "2018-06-05T05:42:31.000Z"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "1566d11d-d2b6-444a-a8de-28698682c445",
AssignmentState = "Eligible",
Type = "AdminUpdate",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-03-08T05:42:45.317Z"),
EndDateTime = DateTimeOffset.Parse("2018-06-05T05:42:31.000Z"),
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "70521f3e-3b95-4e51-b4d2-a2f485b02103"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "1566d11d-d2b6-444a-a8de-28698682c445"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the two type values get their own variable names.
requestType := "AdminUpdate"
requestBody.SetType(&requestType)
schedule := graphmodels.NewGovernanceSchedule()
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-03-08T05:42:45.317Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-06-05T05:42:31.000Z")
schedule.SetEndDateTime(&endDateTime)
requestBody.SetSchedule(schedule)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("70521f3e-3b95-4e51-b4d2-a2f485b02103");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("1566d11d-d2b6-444a-a8de-28698682c445");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminUpdate");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-03-08T05:42:45.317Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-06-05T05:42:31.000Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '70521f3e-3b95-4e51-b4d2-a2f485b02103',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '1566d11d-d2b6-444a-a8de-28698682c445',
assignmentState: 'Eligible',
type: 'AdminUpdate',
schedule: {
type: 'Once',
startDateTime: '2018-03-08T05:42:45.317Z',
endDateTime: '2018-06-05T05:42:31.000Z'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('70521f3e-3b95-4e51-b4d2-a2f485b02103');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('1566d11d-d2b6-444a-a8de-28698682c445');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminUpdate');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-03-08T05:42:45.317Z'));
$schedule->setEndDateTime(new \DateTime('2018-06-05T05:42:31.000Z'));
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "70521f3e-3b95-4e51-b4d2-a2f485b02103"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "1566d11d-d2b6-444a-a8de-28698682c445"
assignmentState = "Eligible"
type = "AdminUpdate"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-03-08T05:42:45.317Z")
endDateTime = [System.DateTime]::Parse("2018-06-05T05:42:31.000Z")
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "70521f3e-3b95-4e51-b4d2-a2f485b02103",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "1566d11d-d2b6-444a-a8de-28698682c445",
assignment_state = "Eligible",
type = "AdminUpdate",
schedule = GovernanceSchedule(
type = "Once",
start_date_time = "2018-03-08T05:42:45.317Z",
end_date_time = "2018-06-05T05:42:31.000Z",
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "4f6d4802-b3ac-4f5a-86d7-a6a4edd7d383",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "70521f3e-3b95-4e51-b4d2-a2f485b02103",
"subjectId": "1566d11d-d2b6-444a-a8de-28698682c445",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminUpdate",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": null,
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-03-08T05:42:45.317Z",
"endDateTime": "2018-06-05T05:42:31Z",
"duration": "PT0S"
}
}
Example 6: Administrator extends an expired role assignment
This example extends the expired role assignment of the user ANUJCUSER to API Management Service Contributor.
Note: In addition to the permission, this example requires that the requester has at least one Active administrator role assignment (owner or user access administrator) on the resource.
| Property | Type | Required | Value |
|---|---|---|---|
| resourceId | String | Yes | <resourceId> |
| roleDefinitionId | String | Yes | <roleDefinitionId> |
| subjectId | String | Yes | <subjectId> |
| assignmentState | String | Yes | Eligible / Active |
| type | String | Yes | AdminExtend |
| reason | String | Depends on roleSettings | |
| schedule | governanceSchedule | Yes | |
Request
POST https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests
Content-type: application/json
{
"roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"assignmentState": "Eligible",
"type": "AdminExtend",
"reason": "extend role assignment",
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:53:55.327Z",
"endDateTime": "2018-08-10T23:53:55.327Z"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new GovernanceRoleAssignmentRequest
{
RoleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
ResourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
SubjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6",
AssignmentState = "Eligible",
Type = "AdminExtend",
Reason = "extend role assignment",
Schedule = new GovernanceSchedule
{
Type = "Once",
StartDateTime = DateTimeOffset.Parse("2018-05-12T23:53:55.327Z"),
EndDateTime = DateTimeOffset.Parse("2018-08-10T23:53:55.327Z"),
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.PrivilegedAccess["{privilegedAccess-id}"].RoleAssignmentRequests.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
"time"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewGovernanceRoleAssignmentRequest()
roleDefinitionId := "0e88fd18-50f5-4ee1-9104-01c3ed910065"
requestBody.SetRoleDefinitionId(&roleDefinitionId)
resourceId := "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
requestBody.SetResourceId(&resourceId)
subjectId := "74765671-9ca4-40d7-9e36-2f4a570608a6"
requestBody.SetSubjectId(&subjectId)
assignmentState := "Eligible"
requestBody.SetAssignmentState(&assignmentState)
// "type" is a reserved word in Go, so the two type values get their own variable names.
requestType := "AdminExtend"
requestBody.SetType(&requestType)
reason := "extend role assignment"
requestBody.SetReason(&reason)
schedule := graphmodels.NewGovernanceSchedule()
scheduleType := "Once"
schedule.SetType(&scheduleType)
startDateTime, err := time.Parse(time.RFC3339, "2018-05-12T23:53:55.327Z")
schedule.SetStartDateTime(&startDateTime)
endDateTime, err := time.Parse(time.RFC3339, "2018-08-10T23:53:55.327Z")
schedule.SetEndDateTime(&endDateTime)
requestBody.SetSchedule(schedule)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
roleAssignmentRequests, err := graphClient.PrivilegedAccess().ByPrivilegedAccessId("privilegedAccess-id").RoleAssignmentRequests().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
GovernanceRoleAssignmentRequest governanceRoleAssignmentRequest = new GovernanceRoleAssignmentRequest();
governanceRoleAssignmentRequest.setRoleDefinitionId("0e88fd18-50f5-4ee1-9104-01c3ed910065");
governanceRoleAssignmentRequest.setResourceId("e5e7d29d-5465-45ac-885f-4716a5ee74b5");
governanceRoleAssignmentRequest.setSubjectId("74765671-9ca4-40d7-9e36-2f4a570608a6");
governanceRoleAssignmentRequest.setAssignmentState("Eligible");
governanceRoleAssignmentRequest.setType("AdminExtend");
governanceRoleAssignmentRequest.setReason("extend role assignment");
GovernanceSchedule schedule = new GovernanceSchedule();
schedule.setType("Once");
OffsetDateTime startDateTime = OffsetDateTime.parse("2018-05-12T23:53:55.327Z");
schedule.setStartDateTime(startDateTime);
OffsetDateTime endDateTime = OffsetDateTime.parse("2018-08-10T23:53:55.327Z");
schedule.setEndDateTime(endDateTime);
governanceRoleAssignmentRequest.setSchedule(schedule);
GovernanceRoleAssignmentRequest result = graphClient.privilegedAccess().byPrivilegedAccessId("{privilegedAccess-id}").roleAssignmentRequests().post(governanceRoleAssignmentRequest);
const options = {
authProvider,
};
const client = Client.init(options);
const governanceRoleAssignmentRequest = {
roleDefinitionId: '0e88fd18-50f5-4ee1-9104-01c3ed910065',
resourceId: 'e5e7d29d-5465-45ac-885f-4716a5ee74b5',
subjectId: '74765671-9ca4-40d7-9e36-2f4a570608a6',
assignmentState: 'Eligible',
type: 'AdminExtend',
reason: 'extend role assignment',
schedule: {
type: 'Once',
startDateTime: '2018-05-12T23:53:55.327Z',
endDateTime: '2018-08-10T23:53:55.327Z'
}
};
await client.api('/privilegedAccess/azureResources/roleAssignmentRequests')
.version('beta')
.post(governanceRoleAssignmentRequest);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\GovernanceRoleAssignmentRequest;
use Microsoft\Graph\Beta\Generated\Models\GovernanceSchedule;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new GovernanceRoleAssignmentRequest();
$requestBody->setRoleDefinitionId('0e88fd18-50f5-4ee1-9104-01c3ed910065');
$requestBody->setResourceId('e5e7d29d-5465-45ac-885f-4716a5ee74b5');
$requestBody->setSubjectId('74765671-9ca4-40d7-9e36-2f4a570608a6');
$requestBody->setAssignmentState('Eligible');
$requestBody->setType('AdminExtend');
$requestBody->setReason('extend role assignment');
$schedule = new GovernanceSchedule();
$schedule->setType('Once');
$schedule->setStartDateTime(new \DateTime('2018-05-12T23:53:55.327Z'));
$schedule->setEndDateTime(new \DateTime('2018-08-10T23:53:55.327Z'));
$requestBody->setSchedule($schedule);
$result = $graphServiceClient->privilegedAccess()->byPrivilegedAccessId('privilegedAccess-id')->roleAssignmentRequests()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
roleDefinitionId = "0e88fd18-50f5-4ee1-9104-01c3ed910065"
resourceId = "e5e7d29d-5465-45ac-885f-4716a5ee74b5"
subjectId = "74765671-9ca4-40d7-9e36-2f4a570608a6"
assignmentState = "Eligible"
type = "AdminExtend"
reason = "extend role assignment"
schedule = @{
type = "Once"
startDateTime = [System.DateTime]::Parse("2018-05-12T23:53:55.327Z")
endDateTime = [System.DateTime]::Parse("2018-08-10T23:53:55.327Z")
}
}
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.governance_role_assignment_request import GovernanceRoleAssignmentRequest
from msgraph_beta.generated.models.governance_schedule import GovernanceSchedule
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = GovernanceRoleAssignmentRequest(
role_definition_id = "0e88fd18-50f5-4ee1-9104-01c3ed910065",
resource_id = "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
subject_id = "74765671-9ca4-40d7-9e36-2f4a570608a6",
assignment_state = "Eligible",
type = "AdminExtend",
reason = "extend role assignment",
schedule = GovernanceSchedule(
type = "Once",
start_date_time = "2018-05-12T23:53:55.327Z",
end_date_time = "2018-08-10T23:53:55.327Z",
),
)
result = await graph_client.privileged_access.by_privileged_access_id('privilegedAccess-id').role_assignment_requests.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#governanceRoleAssignmentRequests/$entity",
"id": "486f0c05-47c8-4498-9c06-086a78c83004",
"resourceId": "e5e7d29d-5465-45ac-885f-4716a5ee74b5",
"roleDefinitionId": "0e88fd18-50f5-4ee1-9104-01c3ed910065",
"subjectId": "74765671-9ca4-40d7-9e36-2f4a570608a6",
"linkedEligibleRoleAssignmentId": "",
"type": "AdminExtend",
"assignmentState": "Eligible",
"requestedDateTime": "0001-01-01T00:00:00Z",
"reason": "extend role assignment",
"status": {
"status": "InProgress",
"subStatus": "Granted",
"statusDetails": [
{
"key": "AdminRequestRule",
"value": "Grant"
},
{
"key": "ExpirationRule",
"value": "Grant"
},
{
"key": "MfaRule",
"value": "Grant"
}
]
},
"schedule": {
"type": "Once",
"startDateTime": "2018-05-12T23:53:55.327Z",
"endDateTime": "2018-08-10T23:53:55.327Z",
"duration": "PT0S"
}
}
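The responses in Examples 4 to 6 report the outcome in status.subStatus and the per-rule evaluation in status.statusDetails. The Python sketch below is an added example, not part of the Microsoft Graph documentation or SDKs: it reviews such response bodies (copied from this page and trimmed) and lists what a reviewer of privileged role changes would want flagged. The 90-day limit, the reason check and the EXPECTED_RULES list are assumptions that stand in for a reviewer's own policy.

```python
from datetime import datetime, timedelta

# Response bodies from Examples 4, 5 and 6 on this page, trimmed to the fields used here.
GRANT = [{"key": k, "value": "Grant"} for k in ("AdminRequestRule", "ExpirationRule", "MfaRule")]
EXAMPLE_4 = {"type": "AdminRemove", "reason": None, "schedule": None,
             "status": {"status": "Closed", "subStatus": "Revoked", "statusDetails": []}}
EXAMPLE_5 = {"type": "AdminUpdate", "reason": None,
             "status": {"status": "InProgress", "subStatus": "Granted", "statusDetails": GRANT},
             "schedule": {"type": "Once", "startDateTime": "2018-03-08T05:42:45.317Z",
                          "endDateTime": "2018-06-05T05:42:31Z"}}
EXAMPLE_6 = {"type": "AdminExtend", "reason": "extend role assignment",
             "status": {"status": "InProgress", "subStatus": "Granted", "statusDetails": GRANT},
             "schedule": {"type": "Once", "startDateTime": "2018-05-12T23:53:55.327Z",
                          "endDateTime": "2018-08-10T23:53:55.327Z"}}

# Assumption (reviewer policy, not part of the API): rules that must read "Grant".
EXPECTED_RULES = ("AdminRequestRule", "ExpirationRule", "MfaRule")


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in schedule (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rule_results(response):
    """Map each statusDetails key to its value, e.g. {'MfaRule': 'Grant'}."""
    details = (response.get("status") or {}).get("statusDetails") or []
    return {d["key"]: d["value"] for d in details}


def schedule_window(response):
    """Length of the requested assignment, or None when schedule is null or open-ended."""
    schedule = response.get("schedule") or {}
    start, end = schedule.get("startDateTime"), schedule.get("endDateTime")
    if not start or not end:
        return None
    return parse_ts(end) - parse_ts(start)


def review(response, max_window=timedelta(days=90)):
    """Return findings for a granted request; an empty list means nothing to flag."""
    if (response.get("status") or {}).get("subStatus") != "Granted":
        return []  # e.g. Example 4 (Closed/Revoked): no access was granted
    findings = []
    rules = rule_results(response)
    for name in EXPECTED_RULES:
        if rules.get(name) != "Grant":
            findings.append(f"{name}: {rules.get(name, 'missing')}")
    window = schedule_window(response)
    if window is None:
        findings.append("no bounded schedule")
    elif window > max_window:
        findings.append(f"window of {window.days} days exceeds {max_window.days}")
    if not response.get("reason"):
        findings.append("no reason recorded")
    return findings


if __name__ == "__main__":
    for name, body in (("Example 4", EXAMPLE_4), ("Example 5", EXAMPLE_5), ("Example 6", EXAMPLE_6)):
        print(name, body["type"], review(body))
```

Example 5 is flagged only for its null reason, and Example 6 sits exactly at the 90-day limit, so lowering max_window to 60 days flags it.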