Open dmaloney02 opened 5 months ago
Update and progress made.
When an AAD security group is added to the catalog, two generic roles are created: Member and Owner.
Documentation mentions in multiple locations the following command; however, the Roles property object is not returned for an AAD group freshly added to the Catalog.
$rrs = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.id -Filter $filt -ExpandProperty roles,scopes
Instead the "role" specific command is required.
Get-MgEntitlementManagementCatalogResourceRole -AccessPackageCatalogId $catalog.Id -Filter $filter -ExpandProperty "resource"
Once you have these results you can add the role to an access package via New-MgEntitlementManagementAccessPackageResourceRoleScope.
The Graph documentation is hard to follow as raw examples are used.
It took me a week to crack this one.
Using the SDK, Entitlement Management Catalog resources are created without role properties. The role properties are mandatory for adding the group/role to an access package.
Example of a new catalog group post "New-MgEntitlementManagementResourceRequest" with empty Role properties:
$a = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.id -Filter "originID eq '$($g.ID)'" -ExpandProperty scopes
$a | fl
Attributes : {}
CreatedDateTime : 6/19/2024 11:14:19 PM
Description : For Development of AP automation only, then can be deleted.
DisplayName : AzureIAM-DEV_Group
Environment : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageResourceEnvironment
Id : c15b9b94-fdc3-414c-a818-dcdca81cc05d
ModifiedDateTime :
OriginId : 3acf4b9f-5601-4eed-8f40-180aa9282f82
OriginSystem : AadGroup
Roles :
Scopes : {e0b1d2cb-0774-4272-a27e-ee2a6d825f74}
AdditionalProperties : {[scopes@odata.context, https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/catalogs('d1d12211-49c5-4a14-9ad0-b2eb2b441363')/resources('c15b9b94-fdc3-414c-a818-dcdca81cc05d')/scopes]}
Graph API documentation for "accessPackageResourceRole resource type" states the following: In Microsoft Entra entitlement management, an access package resource role is a reference to a role defined in a resource. These roles are automatically present after a resource is added to an access package catalog. A group can have two roles, one for the owner and another for the member.
Subsequently, the Catalog group cannot be assigned to an access package via New-MgEntitlementManagementAccessPackageResourceRoleScope because the Resource Role ID does not exist.
SDK Documentation here: https://learn.microsoft.com/en-us/graph/api/accesspackage-post-resourcerolescopes?view=graph-rest-1.0&preserve-view=true&tabs=powershell
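The workaround described in this issue, written out as an added example (not the issue author's code and not from the Graph SDK project): resolve the group's role through the resourceRoles endpoint instead of the catalog resource's empty Roles property, then build the role scope body for the access package. The function name, the parameter names and the placeholder GUIDs are assumptions; the cmdlets, the filter shape and the body shape follow the linked Graph documentation.

```powershell
# Added example: attach a catalog group's Member (or Owner) role to an access package.
# Assumed inputs: catalog, group and access package GUIDs supplied by the caller.
Import-Module Microsoft.Graph.Identity.Governance
# Request only the permission this operation needs.
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All" -NoWelcome

function Add-CatalogGroupRoleToAccessPackage {
    param(
        [Parameter(Mandatory)] [string] $CatalogId,
        [Parameter(Mandatory)] [string] $GroupObjectId,
        [Parameter(Mandatory)] [string] $AccessPackageId,
        [ValidateSet('Member', 'Owner')] [string] $RoleName = 'Member'
    )

    # 1. Locate the catalog resource for the group. Expanding scopes works; roles comes back empty.
    $resource = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $CatalogId `
        -Filter "originId eq '$GroupObjectId'" -ExpandProperty scopes
    if (-not $resource) { throw "Group $GroupObjectId is not a resource in catalog $CatalogId." }

    # 2. Roles must be read from the resourceRoles endpoint (filter shape from the Graph docs).
    $roles = Get-MgEntitlementManagementCatalogResourceRole -AccessPackageCatalogId $CatalogId `
        -Filter "originSystem eq 'AadGroup' and resource/id eq '$($resource.Id)'" -ExpandProperty resource
    $role = $roles | Where-Object { $_.DisplayName -eq $RoleName } | Select-Object -First 1
    if (-not $role) { throw "No '$RoleName' role returned for resource $($resource.Id); cannot build the role scope." }

    # 3. Build the accessPackageResourceRoleScope body: role plus scope, each carrying origin ids.
    $scope = $resource.Scopes | Select-Object -First 1
    $body = @{
        role = @{
            originId     = $role.OriginId
            displayName  = $role.DisplayName
            originSystem = $role.OriginSystem
            resource     = @{
                id           = $resource.Id
                originId     = $resource.OriginId
                originSystem = $resource.OriginSystem
            }
        }
        scope = @{
            originId     = $scope.OriginId
            originSystem = $scope.OriginSystem
        }
    }
    return New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $AccessPackageId -BodyParameter $body
}

# Usage with constructed placeholder GUIDs:
# Add-CatalogGroupRoleToAccessPackage -CatalogId '<catalog-guid>' -GroupObjectId '<group-guid>' -AccessPackageId '<access-package-guid>'
```

The explicit check in step 2 surfaces the failure mode from this issue (no roles returned for a freshly added group) as a clear error instead of a confusing "Resource Role ID does not exist" response from the final cmdlet.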