Forum Discussion
Access Package Policy via script
Hey Josh,
I came across your thread whilst trying to solve another issue, and thought I would share code I have used that successfully works (if I have understood your challenge correctly).
Please forgive my inefficient coding skills - in my current role I don't write much anymore, but very much enjoy opportunities to get back to the tools! 🙂
# 1.3.7 Create Access Package Policies
# Keep the JSON indented: a line that starts with "@ (as in "@odata.type") ends a here-string early.

# T1requestorSettings
$T1requestorSettings = @"
{
    "acceptRequests": true,
    "allowedRequestors": [
        {
            "@odata.type": "#microsoft.graph.groupMembers",
            "id": "$($T1allowedRequestors.id)",
            "description": "$($T1allowedRequestors.displayName)",
            "isBackup": false
        }
    ],
    "scopeType": "SpecificDirectorySubjects"
}
"@
$T1requestorSettingsJSON = ConvertFrom-Json $T1requestorSettings

# T1requestApprovalSettings
$T1requestApprovalSettings = @"
{
    "approvalMode": "Serial",
    "approvalStages": [
        {
            "approvalStageTimeOutInDays": 7,
            "escalationApprovers": [ ],
            "escalationTimeInMinutes": 0,
            "isApproverJustificationRequired": true,
            "isEscalationEnabled": false,
            "primaryApprovers": [
                {
                    "@odata.type": "#microsoft.graph.groupMembers",
                    "id": "$($T1primaryApprovers.id)",
                    "description": "$($T1primaryApprovers.displayName)",
                    "isBackup": true
                },
                {
                    "@odata.type": "#microsoft.graph.requestorManager",
                    "managerLevel": 1,
                    "isBackup": false
                }
            ]
        },
        {
            "approvalStageTimeOutInDays": 7,
            "escalationApprovers": [ ],
            "escalationTimeInMinutes": 0,
            "isApproverJustificationRequired": true,
            "isEscalationEnabled": false,
            "primaryApprovers": [
                {
                    "@odata.type": "#microsoft.graph.groupMembers",
                    "id": "$($T1secondaryApprovers.id)",
                    "description": "$($T1secondaryApprovers.displayName)",
                    "isBackup": false
                }
            ]
        }
    ],
    "isApprovalRequired": true,
    "isApprovalRequiredForExtension": false,
    "isRequestorJustificationRequired": true
}
"@
$T1requestApprovalSettingsJSON = ConvertFrom-Json $T1requestApprovalSettings

# T1accessReviewSettings
$T1accessReviewSettings = @{
    "accessReviewTimeoutBehavior" = 'acceptAccessRecommendation'
    "durationInDays" = 25
    "isAccessRecommendationEnabled" = $true
    "isApprovalJustificationRequired" = $true
    "isEnabled" = $true
    "recurrenceType" = 'quarterly'
    "reviewers" = '[ ]'
    "reviewerType" = 'Self'
}

# Each settings block is passed as its own parameter rather than as a single body.
$T1policy = New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy `
    -AccessPackageId $T1accessPackage.id `
    -DisplayName $T1AccessPackagePolicyName `
    -Description $T1AccessPackagePolicyDesc `
    -DurationInDays $duration `
    -RequestorSettings ($T1requestorSettingsJSON | ConvertTo-Json -Depth 8) `
    -RequestApprovalSettings ($T1requestApprovalSettingsJSON | ConvertTo-Json -Depth 8) `
    -AccessReviewSettings $T1accessReviewSettings | Format-List
It certainly took some time to get this working, and as you can see I broke down each individual component to feed into the PowerShell cmdlet instead of a single body parameter.
I believe the area of expiration falls under the $accessreviewsettings part of the code above. I have used days for my configuration, but after a quick look believe that hours should be possible using something like the below (however this would need to be verified):
# T1accessReviewSettings
$T1accessReviewSettings = @{
"accessReviewTimeoutBehavior" = 'acceptAccessRecommendation'
"durationInHours" =12
"isAccessRecommendationEnabled" = $true
"isApprovalJustificationRequired" = $true
"isEnabled" = $true
"recurrenceType" = 'daily'
"reviewers" = '[ ]'
"reviewerType" = 'Self'
}
I hope this might give you some further avenues to investigate if you have not already managed to sort it.
Happy days,
adrian
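An added example, not part of the post above and not Microsoft's code: the here-strings interpolate `$($T1primaryApprovers.id)` and similar values, which expand to an empty string when the group lookup returned nothing, so an approval stage can be built with a blank approver id. This pre-flight check flags that before the policy is submitted; `Test-ApprovalSettingsJson` is a hypothetical helper name and the sample JSON is constructed.

```powershell
# Added example (not from the thread). Test-ApprovalSettingsJson is a hypothetical helper.
function Test-ApprovalSettingsJson {
    param([Parameter(Mandatory)][string]$Json)

    $problems = [System.Collections.Generic.List[string]]::new()
    $settings = $Json | ConvertFrom-Json   # throws if the here-string is not valid JSON

    if ($settings.isApprovalRequired -and -not $settings.approvalStages) {
        $problems.Add('isApprovalRequired is true but there are no approvalStages')
    }

    $stageNo = 0
    foreach ($stage in $settings.approvalStages) {
        $stageNo++
        if (-not $stage.primaryApprovers) {
            $problems.Add("stage ${stageNo}: no primaryApprovers")
        }
        $approvers = @($stage.primaryApprovers) + @($stage.escalationApprovers) | Where-Object { $_ }
        foreach ($approver in $approvers) {
            # In the thread's JSON only groupMembers entries carry an id.
            if ($approver.'@odata.type' -ne '#microsoft.graph.groupMembers') { continue }
            $parsed = [guid]::Empty
            if (-not [guid]::TryParse([string]$approver.id, [ref]$parsed)) {
                $problems.Add("stage ${stageNo}: groupMembers id '$($approver.id)' is not a GUID")
            }
        }
    }
    $problems.ToArray()
}

# Constructed sample: the group lookup returned nothing, so "id" expands to "".
$T1primaryApprovers = $null
$sample = @"
{
  "isApprovalRequired": true,
  "approvalStages": [
    { "primaryApprovers": [
        { "@odata.type": "#microsoft.graph.groupMembers", "id": "$($T1primaryApprovers.id)", "isBackup": true },
        { "@odata.type": "#microsoft.graph.requestorManager", "managerLevel": 1, "isBackup": false }
    ] }
  ]
}
"@
$issues = @(Test-ApprovalSettingsJson -Json $sample)
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Settings look complete' }
```

Run it against `$T1requestApprovalSettings` just before the `New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy` call and stop if anything is reported.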
One question I've never been able to figure out, having been self-taught in all of this: where do you go in order to find out what the templates for all these settings are and their potential answers?
Like for:
$T1requestApprovalSettings = @"
{
"approvalMode": "Serial",
"approvalStages": [
{
"approvalStageTimeOutInDays": 7,
"escalationApprovers": [ ],
"escalationTimeInMinutes": 0,
"isApproverJustificationRequired": true,
"isEscalationEnabled": false,
How do you know Serial is the answer for "approvalMode": "Serial"?
And how do you bring up a list that shows all the variables you can play with, like approvalMode, approvalStages, approvalStageTimeOutInDays, etc.?