Azure Graph API - Approve PIM requests
I am trying to approve/deny role activation requests using the new Azure AD Privileged Identity Management REST API.
I have been able to read all pending role activation requests with the following request:
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests
The response looks like this:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentScheduleRequests",
  "value": [
    {
      "id": "40b1dff9-9703-4da8-bf8f-275141347b6e",
      "status": "PendingApproval",
      "createdDateTime": "2021-06-04T10:47:40.34Z",
      "completedDateTime": "2021-06-04T10:47:40.15Z",
      "approvalId": "40b1dff9-9703-4da8-bf8f-275141347b6e",
      "customData": null,
      "action": "SelfActivate",
      "principalId": "049bad91-8812-4daa-870e-1edf05f5ced1",
      "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
      "directoryScopeId": "/",
      "appScopeId": null,
      "isValidationOnly": false,
      "targetScheduleId": "40b1dff9-9703-4da8-bf8f-275141347b6e",
      "justification": "My custom reason",
      "createdBy": {
        "application": null,
        "device": null,
        "user": {
          "displayName": null,
          "id": "049bad91-8812-4daa-870e-1edf05f5ced1"
        }
      },
      "scheduleInfo": {
        "startDateTime": null,
        "recurrence": null,
        "expiration": {
          "type": "afterDuration",
          "endDateTime": null,
          "duration": "PT8H"
        }
      },
      "ticketInfo": {
        "ticketNumber": "",
        "ticketSystem": ""
      }
    }
  ]
}
This matches the request I see in the Azure portal:
Now I am trying to approve the above request with a PATCH operation, passing the returned id:
PATCH https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests/40b1dff9-9703-4da8-bf8f-275141347b6e
For the payload, I tried both Provisioned and Denied:
{
  "status": "Denied"
}
But for whatever reason I keep getting the following error (code 404):
{
  "error": {
    "code": "UnknownError",
    "message": "{\"message\":\"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v3/roleManagement/directory/roleAssignmentScheduleRequests('40b1dff9-9703-4da8-bf8f-275141347b6e')?'.\"}",
    "innerError": {
      "date": "2021-06-04T11:06:18",
      "request-id": "ec668ea0-cf33-4e41-bfb4-19ca4ac683ad",
      "client-request-id": "ca765884-79b1-7695-5c72-c5783dd9968c"
    }
  }
}
Any ideas?
The way you are using roleAssignmentScheduleRequests to get the pending requests is correct. Looking at the response, there is an ID in the value array. Use that ID in the Update privilegedApproval call (https://docs.microsoft.com/en-us/graph/api/privilegedapproval-update?view=graph-rest-beta&tabs=http):
PATCH /privilegedApproval/{id}
Example using the ID you shared:
PATCH https://graph.microsoft.com/beta/privilegedApproval/40b1dff9-9703-4da8-bf8f-275141347b6e
Content-type: application/json
Content-length: 180
{
  "approvalState": "approved",
  "approverReason": "Martin Brandl approves you!"
}
In the request body, the possible values for approvalState are: pending, approved, denied, aborted, canceled.
I finally found a solution. Here is the complete example using the PowerShell Graph SDK:
# Delegated scopes needed to read pending requests and write approval decisions
$scopes = @(
    "PrivilegedAccess.Read.AzureAD",
    "RoleAssignmentSchedule.ReadWrite.Directory",
    "PrivilegedAccess.ReadWrite.AzureAD"
)
Connect-MgGraph -Scopes $scopes

# 1. List the role assignment requests that are still waiting for an approver
[array]$pendingApprovals = Invoke-GraphRequest `
    -Method GET `
    -Uri '/beta/roleManagement/directory/roleAssignmentScheduleRequests?$filter=(status eq ''PendingApproval'')' |
    Select-Object -ExpandProperty value

# 2. Resolve the approval object behind the first request and pick its open step
$approvalSteps = Invoke-GraphRequest `
    -Method GET `
    -Uri ('/beta/roleManagement/directory/roleAssignmentApprovals/{0}' -f $pendingApprovals[0].approvalId) |
    Select-Object -ExpandProperty steps | Where-Object status -eq InProgress

# 3. Record the decision on that step (reviewResult can also be 'Deny')
$body = @{
    reviewResult  = 'Approve'
    justification = 'Seems legit'
}
Invoke-GraphRequest `
    -Method PATCH `
    -Uri ('https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/{0}/steps/{1}' -f $pendingApprovals[0].approvalId, $approvalSteps.id) `
    -Body $body
I also wrote a blog post about it: Approve requests for Azure AD roles in PIM
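As an added example (not code from the question or from either answer), the routine below triages the JSON that the two GET calls return and builds the PATCH against roleAssignmentApprovals/{approvalId}/steps/{stepId} with the reviewResult body used in the second answer. The approval policy it applies (maximum activation duration, a required change ticket) and the sample requests and approvals are constructed for illustration and are not part of the original post.

```python
import re
from datetime import timedelta

GRAPH = "https://graph.microsoft.com/beta/roleManagement/directory"
MAX_DURATION = timedelta(hours=8)  # illustrative approval policy, not from the post

# Constructed sample data shaped like the roleAssignmentScheduleRequests and roleAssignmentApprovals responses
REQUESTS = {"value": [
    {"id": "req-1", "status": "PendingApproval", "approvalId": "appr-1",
     "scheduleInfo": {"expiration": {"type": "afterDuration", "duration": "PT8H"}},
     "ticketInfo": {"ticketNumber": ""}},
    {"id": "req-2", "status": "PendingApproval", "approvalId": "appr-2",
     "scheduleInfo": {"expiration": {"type": "afterDuration", "duration": "PT4H"}},
     "ticketInfo": {"ticketNumber": "CHG-42"}},
]}
APPROVALS = {
    "appr-1": {"steps": [{"id": "step-1a", "status": "InProgress"}]},
    "appr-2": {"steps": [{"id": "step-2a", "status": "Completed"},
                         {"id": "step-2b", "status": "InProgress"}]},
}

def parse_duration(s):
    """Parse the ISO 8601 duration in scheduleInfo.expiration, e.g. 'PT8H' or 'P1D'."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", s)
    if not m:
        raise ValueError(f"unsupported duration {s!r}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def review(req):
    """Return ('Approve'|'Deny', justification) for one request under the illustrative policy."""
    exp = req["scheduleInfo"].get("expiration", {})
    if exp.get("type") == "afterDuration" and parse_duration(exp["duration"]) > MAX_DURATION:
        return "Deny", f"duration {exp['duration']} exceeds policy"
    if not req.get("ticketInfo", {}).get("ticketNumber"):
        return "Deny", "no change ticket supplied"
    return "Approve", "within policy"

def triage(requests, approvals):
    """Build the PATCH url and body for every request that is still PendingApproval."""
    plan = []
    for req in requests["value"]:
        if req["status"] != "PendingApproval":  # Provisioned/Denied requests need no review
            continue
        result, reason = review(req)
        # The PATCH targets the approval step still InProgress, as in the accepted answer
        step = next(s["id"] for s in approvals[req["approvalId"]]["steps"]
                    if s["status"] == "InProgress")
        plan.append({"url": f"{GRAPH}/roleAssignmentApprovals/{req['approvalId']}/steps/{step}",
                     "body": {"reviewResult": result, "justification": reason}})
    return plan
```

Sending each planned PATCH with a bearer token is left to the caller; the point here is that the decision and the step id are derived from the data before anything is written.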