Access Package Policy via script

Copper Contributor

I think I'm going crazy; wondering if anyone can help.

I'm attempting to create a policy for an existing Access Package and set the duration time to 12 hours.

The intention is that these packages will work a lot like a PIM group, but they are for certain testing profiles.

The script looks like:

$allowedRequestors = @(@{
    "@odata.type" = '#microsoft.graph.groupMembers'
    "id"          = 'GroupIDRedacted'
    "description" = 'GroupNameRedacted'
})

$params = @{
    displayName        = "12 Hour Tester Policy"
    description        = "Provide access for 12 hours"
    allowedTargetScope = "notSpecified"
    expiration = @{
        duration = 'PT12H'
        type     = 'afterDuration'
    }
    requestorSettings = @{
        "scopeType"         = 'SpecificDirectorySubjects'
        "acceptRequests"    = $true
        "allowedRequestors" = $allowedRequestors
    }
    requestApprovalSettings = @{
        "isApprovalRequired"               = $false
        "isApprovalRequiredForExtension"   = $false
        "isRequestorJustificationRequired" = $false
        "approvalMode"                     = 'NoApproval'
        "approvalStages"                   = @()   # empty array, not the string '[]'
    }
    accessPackage = @{
        id = $ap.id   # $ap holds the existing access package fetched earlier in the script
    }
}

This sets the parameters; I then run the command:

New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy -BodyParameter $params -verbose

And it will create the policy, but the lifecycle expiration is still set to never, while all other settings have worked.

If I try the non-beta command, it prompts me for an AccessPackageID as though none is in the parameters, so I supply the same id of the access package as in $ap.id, and I get the error:

"New-MgEntitlementManagementAccessPackageAssignmentPolicy_Create: The request URI is not valid. Since the segment 'accessPackages' refers to a collection, this must be the last segment in the request URI or it must be followed by an function or action that can be bound to it otherwise all intermediate segments must refer to a single resource."

Has anyone successfully created an Azure access package policy via PowerShell with a duration lifecycle? Care to post an example of your parameters if so?
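As an added example (not the poster's script, and not Microsoft's own sample), this creates the same 12-hour policy through the v1.0 assignmentPolicies endpoint with Invoke-MgGraphRequest and then reads it back to confirm the expiration was stored. It assumes Connect-MgGraph has already run with the EntitlementManagement.ReadWrite.All scope, and the access package and group ids are placeholders.

```powershell
# Added example, not the thread's script: create the 12-hour policy against the v1.0
# assignmentPolicies endpoint (where the expiration pattern is a policy property),
# then read it back and verify the lifecycle actually took.
# Assumes Connect-MgGraph already ran with EntitlementManagement.ReadWrite.All.
$accessPackageId  = '<ACCESS-PACKAGE-ID>'   # placeholder for the existing package's id
$requestorGroupId = '<GROUP-ID>'            # placeholder for the tester group's id

# v1.0 policy shape. The property names differ from the beta object the thread's
# cmdlet uses: v1.0 carries expiration{type,duration} and specificAllowedTargets,
# beta carries durationInDays (whole days only) and requestorSettings.allowedRequestors,
# so a v1.0-style expiration block is not understood by the beta endpoint.
$body = @{
    displayName        = '12 Hour Tester Policy'
    description        = 'Provide access for 12 hours'
    allowedTargetScope = 'specificDirectoryUsers'
    specificAllowedTargets = @(
        @{
            '@odata.type' = '#microsoft.graph.groupMembers'
            groupId       = $requestorGroupId
            description   = 'Tester profiles'         # constructed label
        }
    )
    expiration = @{
        type     = 'afterDuration'
        duration = 'PT12H'                            # ISO 8601: twelve hours
    }
    requestorSettings = @{
        enableTargetsToSelfAddAccess    = $true
        enableTargetsToSelfUpdateAccess = $false
        enableTargetsToSelfRemoveAccess = $true
        allowCustomAssignmentSchedule   = $false      # requestors cannot pick their own window
        onBehalfRequestors              = @()
    }
    requestApprovalSettings = @{
        isApprovalRequiredForAdd    = $false
        isApprovalRequiredForUpdate = $false
        stages                      = @()
    }
    accessPackage = @{ id = $accessPackageId }
}

$uri    = 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies'
$policy = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body

# Never trust the create call alone: a policy that ends up as "never expires"
# is the exact misconfiguration this thread is chasing, so fail loudly on read-back.
$check = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($policy.id)"
if ($check.expiration.type -ne 'afterDuration' -or $check.expiration.duration -ne 'PT12H') {
    throw "Policy $($policy.id) expiration is '$($check.expiration.type)' '$($check.expiration.duration)', expected afterDuration PT12H"
}
```

The read-back check is the part worth keeping in any provisioning script: it turns a silently ignored lifecycle into a hard failure instead of a standing access grant nobody notices.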

2 Replies

@Joshua_Reynolds 

Hey Josh,

I came across your thread whilst trying to solve another issue, and thought I would share code I have used that successfully works (if I have understood your challenge correctly).

Please forgive my inefficient coding skills - in my current role I don't write much anymore, but very much enjoy opportunities to get back to the tools! 🙂

# 1.3.7 Create Access Package Policies
    # $T1allowedRequestors, $T1primaryApprovers, $T1secondaryApprovers, $T1accessPackage,
    # $T1AccessPackagePolicyName, $T1AccessPackagePolicyDesc and $duration are set earlier in the script.
    # T1requestorSettings
    $T1requestorSettings = @"
        {
        "acceptRequests": true,
        "allowedRequestors": [
            {
            "@odata.type": "#microsoft.graph.groupMembers",
            "id": "$($T1allowedRequestors.id)",
            "description": "$($T1allowedRequestors.displayName)",
            "isBackup": false
            }
        ],
        "scopeType": "SpecificDirectorySubjects"
        }
"@
    $T1requestorSettingsJSON = ConvertFrom-Json $T1requestorSettings

    # T1requestApprovalSettings
    $T1requestApprovalSettings = @"
        {
        "approvalMode": "Serial",
        "approvalStages": [
            {
            "approvalStageTimeOutInDays": 7,
            "escalationApprovers": [ ],
            "escalationTimeInMinutes": 0,
            "isApproverJustificationRequired": true,
            "isEscalationEnabled": false,
            "primaryApprovers": [
                {
                "@odata.type": "#microsoft.graph.groupMembers",
                "id": "$($T1primaryApprovers.id)",
                "description": "$($T1primaryApprovers.displayName)",
                "isBackup": true
                },
                {
                "@odata.type": "#microsoft.graph.requestorManager",
                "managerLevel": 1,
                "isBackup": false
                }
            ]
            },
            {
            "approvalStageTimeOutInDays": 7,
            "escalationApprovers": [ ],
            "escalationTimeInMinutes": 0,
            "isApproverJustificationRequired": true,
            "isEscalationEnabled": false,
            "primaryApprovers": [
                {
                "@odata.type": "#microsoft.graph.groupMembers",
                "id": "$($T1secondaryApprovers.id)",
                "description": "$($T1secondaryApprovers.displayName)",
                "isBackup": false
                }
            ]
            }
        ],
        "isApprovalRequired": true,
        "isApprovalRequiredForExtension": false,
        "isRequestorJustificationRequired": true
        }
"@
    $T1requestApprovalSettingsJSON = ConvertFrom-Json $T1requestApprovalSettings

    # T1accessReviewSettings
    $T1accessReviewSettings = @{
        "accessReviewTimeoutBehavior"     = 'acceptAccessRecommendation'
        "durationInDays"                  = 25
        "isAccessRecommendationEnabled"   = $true
        "isApprovalJustificationRequired" = $true
        "isEnabled"                       = $true
        "recurrenceType"                  = 'quarterly'
        "reviewers"                       = @()   # empty array rather than the string '[ ]'
        "reviewerType"                    = 'Self'
        }

# Each setting is passed as its own parameter; the JSON strings are round-tripped
# through ConvertFrom-Json/ConvertTo-Json so the expanded variables are validated as JSON first.
$T1policy = New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy `
    -AccessPackageId $T1accessPackage.id `
    -DisplayName $T1AccessPackagePolicyName `
    -Description $T1AccessPackagePolicyDesc `
    -DurationInDays $duration `
    -RequestorSettings ($T1requestorSettingsJSON | ConvertTo-Json -Depth 8) `
    -RequestApprovalSettings ($T1requestApprovalSettingsJSON | ConvertTo-Json -Depth 8) `
    -AccessReviewSettings $T1accessReviewSettings | Format-List

It certainly took some time to get this working, and as you can see I broke down each individual component to feed into the PowerShell cmdlet instead of a single body parameter.

I believe the area of expiration falls under the $accessReviewSettings part of the code above. I have used days for my configuration, but after a quick look I believe that hours should be possible using something like the below (however this would need to be verified):

# T1accessReviewSettings
    $T1accessReviewSettings = @{
        "accessReviewTimeoutBehavior"     = 'acceptAccessRecommendation'
        "durationInHours"                 = 12
        "isAccessRecommendationEnabled"   = $true
        "isApprovalJustificationRequired" = $true
        "isEnabled"                       = $true
        "recurrenceType"                  = 'daily'
        "reviewers"                       = @()
        "reviewerType"                    = 'Self'
        }

I hope this might give you some further avenues to investigate if you have not already managed to sort it.

Happy days,

adrian 

Thanks heaps for this, Adrian. Unfortunately I was given other priorities for a while, so I'm only just getting back to this now. It's not quite what I needed, but I think I can get the rest of the way after your massive help.

One question I've never been able to figure out, having been self-taught in all of this: where do you go to find out what the templates for all these settings are and their potential answers?

Like for:
$T1requestApprovalSettings = @"
{
"approvalMode": "Serial",
"approvalStages": [
{
"approvalStageTimeOutInDays": 7,
"escalationApprovers": [ ],
"escalationTimeInMinutes": 0,
"isApproverJustificationRequired": true,
"isEscalationEnabled": false,

How do you know Serial is the answer for "approvalMode": "Serial", and how do you bring up a list that shows all the variables you can play with, like approvalMode, approvalStages, approvalStageTimeOutInDays, etc.?