Azure Graph批准PIM请求

Question

我试图使用新的Azure AD特权标识管理REST来批准/拒绝的角色激活请求。

我已经能够使用以下请求读取所有挂起的角色激活请求：

GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests

答复如下：

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentScheduleRequests",
    "value": [
        {
            "id": "40b1dff9-9703-4da8-bf8f-275141347b6e",
            "status": "PendingApproval",
            "createdDateTime": "2021-06-04T10:47:40.34Z",
            "completedDateTime": "2021-06-04T10:47:40.15Z",
            "approvalId": "40b1dff9-9703-4da8-bf8f-275141347b6e",
            "customData": null,
            "action": "SelfActivate",
            "principalId": "049bad91-8812-4daa-870e-1edf05f5ced1",
            "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
            "directoryScopeId": "/",
            "appScopeId": null,
            "isValidationOnly": false,
            "targetScheduleId": "40b1dff9-9703-4da8-bf8f-275141347b6e",
            "justification": "My custom reason",
            "createdBy": {
                "application": null,
                "device": null,
                "user": {
                    "displayName": null,
                    "id": "049bad91-8812-4daa-870e-1edf05f5ced1"
                }
            },
            "scheduleInfo": {
                "startDateTime": null,
                "recurrence": null,
                "expiration": {
                    "type": "afterDuration",
                    "endDateTime": null,
                    "duration": "PT8H"
                }
            },
            "ticketInfo": {
                "ticketNumber": "",
                "ticketSystem": ""
            }
        }
    ]
}

它与我在Azure门户中看到的请求相匹配：

​

现在，我试图通过提供返回的id来使用PATCH操作来批准上述请求：

PATCH https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests/40b1dff9-9703-4da8-bf8f-275141347b6e 

对于有效负载，我尝试添加Provisioned和Denied

{
    "status": "Denied"
}

但是，无论出于什么原因，我始终得到以下错误(代码404)：

{
    "error": {
        "code": "UnknownError",
        "message": "{\"message\":\"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v3/roleManagement/directory/roleAssignmentScheduleRequests('40b1dff9-9703-4da8-bf8f-275141347b6e')?'.\"}",
        "innerError": {
            "date": "2021-06-04T11:06:18",
            "request-id": "ec668ea0-cf33-4e41-bfb4-19ca4ac683ad",
            "client-request-id": "ca765884-79b1-7695-5c72-c5783dd9968c"
        }
    }
}

有什么想法吗？

Answer 1

最后，我找到了一个解决办法。下面是一个使用PowerShell图形SDK的完整示例：

$scopes = @(
    "PrivilegedAccess.Read.AzureAD",
    "RoleAssignmentSchedule.ReadWrite.Directory", 
    "PrivilegedAccess.ReadWrite.AzureAD"    
)

Connect-MgGraph -Scopes $scopes

[array]$pendingApprovals = Invoke-GraphRequest `
    -Method GET `
    -Uri '/beta/roleManagement/directory/roleAssignmentScheduleRequests?$filter=(status eq ''PendingApproval'')' | 
Select-Object -ExpandProperty value

$approvalSteps = Invoke-GraphRequest `
    -Method GET `
    -Uri ('/beta/roleManagement/directory/roleAssignmentApprovals/{0}' -f $pendingApprovals[0].approvalId) | 
Select-Object -ExpandProperty steps | Where-Object status -eq InProgress

$body = @{
    reviewResult  = 'Approve'
    justification = 'Seems legit'
}

Invoke-GraphRequest `
    -Method PATCH `
    -Uri ('https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/{0}/steps/{1}' -f $pendingApprovals[0].approvalId, $approvalSteps.id) `
    -Body $body

我还写了一篇关于它的博客文章：批准PIM中Azure AD角色的请求

Answer 2

使用roleAssignmentScheduleRequests获取挂起的请求是正确的。检查响应，在值数组中有一个ID。在更新权限调用中使用该ID。(https://learn.microsoft.com/en-us/graph/api/privilegedapproval-update?view=graph-rest-beta&tabs=http)

PATCH /privilegedApproval/{id}

示例使用您共享的ID：

PATCH https://graph.microsoft.com/beta/privilegedApproval/40b1dff9-9703-4da8-bf8f-275141347b6e
Content-type: application/json
Content-length: 180

{
  "approvalState": "approved",
  "approverReason": "Martin Brandl approves you!"
}

在“审批请求体”中，您可能的值是:挂起、批准、拒绝、中止、取消。