Use Role Assignment Approvals to approve PIM role activation requests with REST API
Role Assignment Approvals help you manage approval requests for role assignment activation requests. For example, you can get approvals which require an approval from the calling user or you can get approvals where the calling user requested the activation. Then, a PATCH operation can be performed on each stage of the approval to approve or deny the request.
List all role assignment approval requests
To list role assignment approval requests, you can use the Role Assignment Schedule Requests - List For Scope REST API. To refine your results, you can specify an optional filter.
Start with the following request:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleRequests?api-version=2020-10-01
Replace {filter} with the condition that you want to apply to filter the role assignment list.
| Filter | Description |
| --- | --- |
| $filter=asApprover() | List only includes all role assignment approvals that the calling user is assigned as an approver for. |
| $filter=asCreatedBy() | List only includes all role assignment approvals that the calling user created requests for. |
| $filter=asTarget() | List only includes all role assignment approvals that the calling user has requests targeted for. |

The approval id comes from the name property from step 1.
Get approval stage details
To get the details of any stage of a role assignment approval, you can use the Role Assignment Approval Step - Get By ID REST API.
Use the following request:
GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignmentApprovals/{approvalId}/stages?api-version=2021-01-01-preview
Approve or Deny an approval stage
To approve or deny any stage of a role assignment approval, you can use the Role Assignment Approval Step - Patch REST API.
Use the following request:
PATCH https://management.azure.com/providers/Microsoft.Authorization/roleAssignmentApprovals/{approvalId}/stages/{stageId}?api-version=2021-01-01-preview
{
  "properties": {
    "reviewResult": "Approve", // Or "Deny"
    "justification": "Trusted User"
  }
}
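
The three steps above as request builders, in an added example that is not part of the original page or Microsoft's own code. It assumes the filter is sent as the `$filter` query parameter, that ids are GUID-like path segments, and that the list response wraps items in a `value` array; the helper names, the sample response and the non-empty justification rule are this example's own.

```python
import json
import re
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
AUTHZ = "/providers/Microsoft.Authorization"
FILTERS = ("asApprover()", "asCreatedBy()", "asTarget()")
SAFE_ID = re.compile(r"[A-Za-z0-9-]{1,64}")  # assumption: ids are GUID-like segments

def check_id(value):
    """Reject ids that could alter the request path (slashes, '?', '..')."""
    if not isinstance(value, str) or not SAFE_ID.fullmatch(value):
        raise ValueError(f"refusing unsafe id: {value!r}")
    return value

def list_requests_url(scope, flt=None):
    """Step 1: list schedule requests at a scope, optionally filtered."""
    scope = scope.strip("/")
    prefix = f"/{scope}" if scope else ""
    url = f"{ARM}{prefix}{AUTHZ}/roleAssignmentScheduleRequests?api-version=2020-10-01"
    if flt is not None:
        if flt not in FILTERS:
            raise ValueError(f"unsupported filter: {flt!r}")
        url += "&$filter=" + urllib.parse.quote(flt)
    return url

def approval_ids(list_response):
    """The approval id is the `name` property of each item returned by step 1."""
    return [check_id(item["name"]) for item in list_response.get("value", [])]

def stages_url(approval_id):
    """Step 2: stage details for one approval."""
    return f"{ARM}{AUTHZ}/roleAssignmentApprovals/{check_id(approval_id)}/stages?api-version=2021-01-01-preview"

def review_request(approval_id, stage_id, result, justification, token):
    """Step 3: build (not send) the PATCH that approves or denies one stage."""
    if result not in ("Approve", "Deny"):
        raise ValueError("reviewResult must be 'Approve' or 'Deny'")
    if not justification.strip():  # local policy of this example, for the audit trail
        raise ValueError("justification must not be empty")
    url = (f"{ARM}{AUTHZ}/roleAssignmentApprovals/{check_id(approval_id)}"
           f"/stages/{check_id(stage_id)}?api-version=2021-01-01-preview")
    body = {"properties": {"reviewResult": result, "justification": justification}}
    return urllib.request.Request(url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})

# Constructed sample of a step 1 response; only `name` is used.
SAMPLE_LIST = {"value": [{"name": "11111111-2222-3333-4444-555555555555"}]}
```

Pass the object returned by `review_request` to `urllib.request.urlopen` to send it; the bearer token must belong to a user who is an approver for that stage.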