편집

다음을 통해 공유


Create accessPackageAssignmentRequest

Namespace: microsoft.graph

In Microsoft Entra Entitlement Management, create a new accessPackageAssignmentRequest object. This operation is used to assign a user to an access package, update the assignment, or to remove an access package assignment.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) EntitlementManagement.ReadWrite.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application EntitlementManagement.ReadWrite.All Not available.

Tip

In delegated scenarios with work or school accounts, the signed-in user must also be assigned an administrator role with supported role permissions through one of the following options:

  • A user who is specified in the specificAllowedTargets property of the access package's policies. This is the least privileged option.
  • More privileged roles in the Entitlement Management system where the least privileged roles are supported for this operation:
    • Access package assignment manager
    • Access package manager
    • Catalog owner
  • More privileged Microsoft Entra roles, where the following least privileged roles are supported for this operation:
    • Identity Governance Administrator

In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the EntitlementManagement.ReadWrite.All application permission. A user who is specified in the specificAllowedTargets property of the access package's policies is less privileged than the EntitlementManagement.ReadWrite.All application permission.

For more information, see Delegation and roles in entitlement management and how to delegate access governance to access package managers in entitlement management.

HTTP request

POST /identityGovernance/entitlementManagement/assignmentRequests

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, supply a JSON representation of accessPackageAssignmentRequest object.

For an administrator to request to create an assignment for a user, the value of the requestType property is adminAdd, and the assignment property contains the targetId of the user being assigned, the assignmentPolicyId property identifying the accessPackageAssignmentPolicy, and the accessPackageId property identifying the accessPackage.

For an administrator to request to update an assignment (for example to extend the assignment or update answers to questions), the value of the requestType property is adminUpdate, and the assignment property contains the id property identifying the accessPackageAssignment being updated.

For an administrator to request to remove an assignment, the value of the requestType property is adminRemove, and the assignment property contains the id property identifying the accessPackageAssignment being removed.

For a non-administrator user to request to create their own assignment for either a first assignment or to renew an assignment, the value of the requestType property is userAdd. The assignment property contains an object with the targetId with the id of the user. The assignmentPolicyId property identifies the accessPackageAssignmentPolicy. The accessPackageId property identifies the accessPackage. The user making the request must already exist in the directory.

For a non-administrator user to request to update their own assignment, the value of the requestType property is userUpdate. The assignment property contains the ID property identifying the accessPackageAssignment being updated. The schedule property contains the updated schedule.

Response

If successful, this method returns a 200-series response code and a new accessPackageAssignmentRequest object in the response body.

If this is an adminAdd or userAdd request, then after any approval checks an accessPackageAssignment and, if needed, an accessPackageSubject are also created. You can locate those using the query parameters when listing accessPackageAssignments.

Examples

Example 1: Admin requests a direct assignment for a user already in the directory

Request

The following example shows a request for a direct assignment, in which the administrator requests the creation of an assignment for a user. Because the accessPackageSubject might not yet exist, the value of the targetID is the object ID of the user being assigned, the value of the accessPackageId is the desired access package for that user, and the value of assignmentPolicyId is a direct assignment policy in that access package.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentRequests
Content-type: application/json

{
  "requestType": "adminAdd",
  "assignment":{
     "targetId":"46184453-e63b-4f20-86c2-c557ed5d5df9",
     "assignmentPolicyId":"2264bf65-76ba-417b-a27d-54d291f0cbc8",
     "accessPackageId":"a914b616-e04e-476b-aa37-91038f0b165b"
  }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
  "id": "46184453-e63b-4f20-86c2-c557ed5d5df9",
  "requestType": "adminAdd",
  "requestState": "Submitted",
  "requestStatus": "Accepted"
}

Example 2: Remove an assignment

To remove assignments, create a new accessPackageAssignmentRequest object with the following settings:

  • The value of the requestType property set to adminRemove.
  • In the assignment property, include an object with the identifier of the accessPackageAssignment object to delete.

Request

The following example shows how to remove an assignment.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentRequests
Content-type: application/json

{
    "requestType": "adminRemove",
    "assignment":{
     "id": "a6bb6942-3ae1-4259-9908-0133aaee9377"
    }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability. All the properties are returned from an actual call.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#accessPackageAssignmentRequests/$entity",
    "id": "78eaee8c-e6cf-48c9-8f99-aae44c35e379",
    "requestType": "adminRemove",
    "requestState": "Submitted",
    "requestStatus": "Accepted"
}

Example 3: Request an assignment by providing answers to questions

The following example shows how a user can request an access package assignment for themselves by answering questions required by the policy during the request process.

Request

The following example shows a request.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentRequests
Content-type: application/json

{
    "@odata.type": "#microsoft.graph.accessPackageAssignmentRequest",
    "requestType": "userAdd",
    "answers": [
        {
            "@odata.type": "#microsoft.graph.accessPackageAnswerString",
            "displayValue": "This is the answer to a multiple choice question",
            "value": "MultipleChoiceAnswerValue",
            "answeredQuestion": {
                "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",
                "id": "8fe745e7-80b2-490d-bd22-4e708c77288c"
            }
        },
        {
            "@odata.type": "#microsoft.graph.accessPackageAnswerString",
            "value": "This is my answer to a text input question.",
            "displayValue": "This is my answer.",
            "answeredQuestion": {
                "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
                "id": "7aaa18c9-8e4f-440f-bd5a-3a7ce312cbe6"
            }
        }
    ],
    "assignment": {
        "accessPackageId": "977c7ff4-ef8f-4910-9d31-49048ddf3120"
    }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability. All the properties are returned from an actual call.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#accessPackageAssignmentRequests/$entity",
    "id": "7a6ab703-0780-4b37-8445-81f679b2d75c",
    "requestType": "userAdd",
    "state": "submitted",
    "status": "Accepted",
    "createdDateTime": null,
    "completedDateTime": null,
    "schedule": {
        "startDateTime": null,
        "recurrence": null,
        "expiration": {
            "endDateTime": null,
            "duration": null,
            "type": "notSpecified"
        }
    },
    "answers": [
        {
            "@odata.type": "#microsoft.graph.accessPackageAnswerString",
            "value": "MultipleChoiceAnswerValue",
            "answeredQuestion": {
                "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",
                "id": "8fe745e7-80b2-490d-bd22-4e708c77288c"   
            },
            "displayValue": "This is the answer to a multiple choice question"
        },
        {
            "@odata.type": "#microsoft.graph.accessPackageAnswerString",
            "value": "This is my answer to a text input question.",
            "answeredQuestion": {
                "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
                "id": "7aaa18c9-8e4f-440f-bd5a-3a7ce312cbe6"
            },
            "displayValue": "This is my answer."
        }
    ]
}

Example 4: Request a package and provide a justification

The following example shows how to request an access package and provide justification to the approver.

Request

The following example shows a request.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentRequests
Content-type: application/json

{
    "requestType": "UserAdd",
    "accessPackageAssignment": {
        "accessPackageId": "a914b616-e04e-476b-aa37-91038f0b165b"
    },
    "justification":"Need access to New Hire access package"
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability. All the properties are returned from an actual call.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentRequests/$entity",
    "id": "9c1e258d-7723-43b1-ae21-e6eeeb324fe5",
    "requestType": "UserAdd",
    "requestState": "Submitted",
    "requestStatus": "Accepted",
    "createdDateTime": null,
    "completedDate": null,
    "justification": "Need access to New Hire access package",
    "isValidationOnly": false,
    "schedule": {
        "startDateTime": null,
        "recurrence": null,
        "expiration": {
            "endDateTime": null,
            "duration": null,
            "type": "notSpecified"
        }
    },
    "answers": [],
    "verifiedCredentialsData": []
}

Example 5: Admin requests a direct assignment for a user not yet in the directory

Request

The following example shows a request for a direct assignment, in which the administrator requests the creation of an assignment for a user who doesn't exist in the directory. The value of the accessPackageId is the desired access package for that user, and the value of assignmentPolicyId is a direct assignment policy in that access package.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentRequests
Content-type: application/json

{
  "requestType": "AdminAdd",
  "accessPackageAssignment":{
     "target": {
        "email": "user@contoso.com"
     },
     "assignmentPolicyId":"2264bf65-76ba-417b-a27d-54d291f0cbc8",
     "accessPackageId":"a914b616-e04e-476b-aa37-91038f0b165b"
  }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentRequests/$entity",
    "id": "cb32aef9-2976-496d-9804-eb432fd894a7",
    "requestType": "AdminAdd",
    "requestState": "Submitted",
    "requestStatus": "Accepted",
    "createdDateTime": null,
    "completedDate": null,
    "justification": null,
    "isValidationOnly": false,
    "schedule": {
        "startDateTime": null,
        "recurrence": null,
        "expiration": {
            "endDateTime": null,
            "duration": null,
            "type": "notSpecified"
        }
    },
    "answers": [],
    "verifiedCredentialsData": [],
    "customExtensionHandlerInstances": [],
    "customExtensionCalloutInstances": []
}

Example 6: Request an update to answers for an assignment

The following example shows how an admin can request updates to an assignment to edit their responses to questions that were answered during the request for the assignment.

Request

The following example shows a request.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentRequests
Content-type: application/json

{
    "@odata.type": "#microsoft.graph.accessPackageAssignmentRequest",
    "requestType": "adminUpdate",
    "answers": [
        {
            "@odata.type": "#microsoft.graph.accessPackageAnswerString",
            "value": "UpdatedAnswerValue",
            "answeredQuestion": {
                "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",
                "id": "8fe745e7-80b2-490d-bd22-4e708c77288c"
            }
        },
        {
            "@odata.type": "#microsoft.graph.accessPackageAnswerString",
            "value": "My updated answer.",
            "displayValue": "This is my updated answer to the question.",
            "answeredQuestion": {
                "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
                "id": "7aaa18c9-8e4f-440f-bd5a-3a7ce312cbe6"
            }
        }
    ],
    "assignment": {
        "id": "44c741c1-2cf4-40db-83b6-e0112f8e5a83"
    }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability. All the properties are returned from an actual call.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#accessPackageAssignmentRequests/$entity",
    "id": "0c471116-e439-40a6-8441-fe739dd48dab",
    "requestType": "adminUpdate",
    "state": "submitted",
    "status": "Accepted",
    "createdDateTime": null,
    "completedDateTime": null,
    "schedule": {
        "startDateTime": null,
        "recurrence": null,
        "expiration": {
            "endDateTime": null,
            "duration": null,
            "type": "notSpecified"
        }
    },
    "answers": [
        {
            "@odata.type": "#microsoft.graph.accessPackageAnswerString",
            "value": "UpdatedAnswerValue",
            "displayValue": "This is the answer to a multiple choice question",
            "answeredQuestion": {
                "@odata.type": "#microsoft.graph.accessPackageMultipleChoiceQuestion",
                "id": "8fe745e7-80b2-490d-bd22-4e708c77288c"   
            }         
        },
        {
            "@odata.type": "#microsoft.graph.accessPackageAnswerString",
            "value": "My updated answer.",
            "displayValue": "This is my updated answer to the question.",
            "answeredQuestion": {
                "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
                "id": "7aaa18c9-8e4f-440f-bd5a-3a7ce312cbe6"
            }
        }
    ]
}

Example 7: Update the expiration date for an access package assignment

The following example shows how to update the expiration date for an access package assignment.

Request

The following example shows a request.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentRequests
Content-type: application/json

{
    "@odata.type": "#microsoft.graph.accessPackageAssignmentRequest",
    "requestType": "adminUpdate",
    "schedule": {
        "startDateTime": "2023-05-23T20:04:02.39Z",
        "recurrence": null,
        "expiration": {
            "endDateTime": "2024-07-01T00:00:00.00Z",
            "duration": null,
            "type": "afterDateTime"
        }
    },
    "assignment": {
        "id": "329f8dac-8062-4c1b-a9b8-39b7132f9bff"
    }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability. All the properties are returned from an actual call.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentRequests/$entity",
    "id": "5b682fbb-d6e5-4118-a471-46dfc553e9cc",
    "requestType": "adminUpdate",
    "state": "submitted",
    "status": "Accepted",
    "createdDateTime": null,
    "completedDateTime": null,
    "schedule": {
        "startDateTime": "2024-06-07T15:53:35.333Z",
        "recurrence": null,
        "expiration": {
            "endDateTime": "2024-07-01T00:00:00Z",
            "duration": null,
            "type": "afterDateTime"
        }
    },
    "answers": [],
    "customExtensionCalloutInstances": []
}

Example 8: Update the answers and expiration date for an access package assignment

The following example shows how a user can update their answers and the expiration date for their access package assignment.

Request

The following example shows a request.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentRequests
Content-type: application/json

{
    "requestType": "userUpdate",
    "answers": [
        {
            "@odata.type": "#microsoft.graph.accessPackageAnswerString",
            "value": "My updated answer.",
            "answeredQuestion": {
                "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
                "id": "0d31cc60-968e-4f92-955b-443fed03d6f6"
            }
        }

    ],
    "schedule": {
        "startDateTime": "2024-09-18T20:49:16.17Z",
        "recurrence": null,
        "expiration": {
            "endDateTime": "2024-10-18T20:49:15.17Z",
            "duration": null,
            "type": "afterDateTime"
        }
    },
    "assignment": {
        "id": "329f8dac-8062-4c1b-a9b8-39b7132f9bff"
    }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability. All the properties are returned from an actual call.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentRequests/$entity",
    "id": "e0f8458c-7681-42ad-a0b5-0c9587c4dad8",
    "requestType": "userUpdate",
    "state": "submitted",
    "status": "Accepted"
}

Example 9: Request a package on behalf of a direct employee

The following example shows how a manager can request an access package assignment on behalf of their direct employee.

Note

The requestor (manager) is extracted from the token, and the target object is determined by the id of the direct employee who is receiving access.

Request

The following example shows a request.

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentRequests
Content-type: application/json

{
   "assignment": {
       "accessPackageId": "5b98f958-0dea-4a5b-836e-109dccbd530c",
       "schedule": {
           "startDateTime": null,
           "stopDateTime": null
       },
       "assignmentPolicyId": "c5f7847f-83a8-4315-a754-d94a6f39b875",
       "target": {
           "displayName": "Idris Ibrahim",
           "email": "IdrisIbrahim@woodgrovebank.com",
           "objectId": "21aceaba-fe13-4e3b-aa8c-4c588d5e7387",
           "subjectType": "user"
       }
   },
   "justification": "Access for direct employee",
   "requestType": "UserAdd",
   "answers": []
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability. All the properties are returned from an actual call.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentRequests/$entity",
    "id": "445a3118-6bf2-4a19-94ad-5660295963fd",
    "requestType": "userAdd",
    "state": "submitted",
    "status": "Accepted",
    "createdDateTime": null,
    "completedDateTime": null,
    "schedule": {
        "startDateTime": null,
        "recurrence": null,
        "expiration": {
            "endDateTime": null,
            "duration": null,
            "type": "notSpecified"
        }
    },
    "answers": [],
    "customExtensionCalloutInstances": []
}