msgraph-sdk-powershell

Set-MgEntitlementManagementAssignmentPolicy command makes all existing properties null except provided properties

Open dhanaSena opened this issue 2 years ago • 1 comments

Describe the bug

Set-MgEntitlementManagementAssignmentPolicy command makes all existing properties null except provided properties. For example, the Requester Information, Requests, and Lifecycle configs are all lost.

Set-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId "xxxxxxxx-2308-4502-b92d-166e94e7070a" -Expiration @{duration = "PT8H";type = "afterDuration"} -DisplayName "Policy for Team Members"

To Reproduce

Steps to reproduce the behavior:

  1. Create an access package using the Azure portal with an access policy.

  2. Execute the following PowerShell command to update the expiration duration:

     Set-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId "xxxxxxxx-2308-4502-b92d-166e94e7070a" -Expiration @{duration = "PT8H";type = "afterDuration"} -DisplayName "Policy for Team Members"

Expected behavior

All other configs should be preserved after executing Set-MgEntitlementManagementAssignmentPolicy

Debug Output

PS /Users/dhananjaya.senanayake> Set-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId "f833dfc1-2308-4502-b92d-166e94e7070a" -Expiration @{duration = "PT8H";type = "afterDuration"} -DisplayName "Policy for Team Members" -Debug
DEBUG: [CmdletBeginProcessing]: - Set-MgEntitlementManagementAssignmentPolicy begin processing with parameterSet 'SetExpanded'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.Read.All, AppRoleAssignment.ReadWrite.All, email, EntitlementManagement.ReadWrite.All, Group.ReadWrite.All, openid, Organization.Read.All, profile, User.Read, User.Read.All, User.ReadWrite.All].

Confirm
Are you sure you want to perform this action?
Performing the operation "Set-MgEntitlementManagementAssignmentPolicy_SetExpanded" on target "Call remote 'PUT
/identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicy-id}' operation".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies/xxxxxxxx-2308-4502-b92d-166e94e7070a

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Macintosh; Darwin 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep 15 14:41:43 PDT 2023; root:xnu-10002.1.13~1/RELEASE_ARM64_T6000; en-FI),PowerShell/7.3.3
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.9.0
client-request-id             : 26c32e1c-c712-436e-a0ff-96438db115e

Body:
{
  "displayName": "Policy for Team Members",
  "expiration": {
    "duration": "PT8H",
    "type": "afterDuration"
  }
}


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : private
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : dd72dcb7-b083-46ed-9b27-3164644c5013
client-request-id             : 26c32e1c-c712-436e-a0ff-96438db115e8
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"011","RoleInstance":"AM2PEPF0001BE80"}}
OData-Version                 : 4.0
Date                          : Thu, 09 Nov 2023 14:19:45 GM

Body:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentPolicies/$entity",
  "id": "xxxxxxxx-2308-4502-b92d-166e94e7070a",
  "displayName": "Policy for Team Members",
  "description": "",
  "allowedTargetScope": "notSpecified",
  "createdDateTime": "0001-01-01T00:00:00Z",
  "modifiedDateTime": "0001-01-01T00:00:00Z",
  "automaticRequestSettings": null,
  "reviewSettings": null,
  "specificAllowedTargets": [],
  "expiration": {
    "endDateTime": null,
    "duration": "PT8H",
    "type": "afterDuration"
  },
  "requestorSettings": {
    "enableTargetsToSelfAddAccess": false,
    "enableTargetsToSelfUpdateAccess": false,
    "enableTargetsToSelfRemoveAccess": false,
    "allowCustomAssignmentSchedule": true,
    "enableOnBehalfRequestorsToAddAccess": false,
    "enableOnBehalfRequestorsToUpdateAccess": false,
    "enableOnBehalfRequestorsToRemoveAccess": false,
    "onBehalfRequestors": []
  },
  "requestApprovalSettings": {
    "isApprovalRequiredForAdd": false,
    "isApprovalRequiredForUpdate": false,
    "stages": []
  },
  "questions@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentPolicies('xxxxxxxx-2308-4502-b92d-166e94e7070a')/questions",
  "questions": []
}



DEBUG: [CmdletEndProcessing]: - Set-MgEntitlementManagementAssignmentPolicy end processing.
Id                                   AllowedTargetScope CreatedDateTime  Description DisplayName             ModifiedDateTime
--                                   ------------------ ---------------  ----------- -----------             ----------------
xxxxxxxx-2308-4502-b92d-166e94e7070a notSpecified       1.1.0001 0.00.00             Policy for Team Members 1.1.0001 0.00.00

Module Version

PS /Users/dhananjaya.senanayake> Get-Module Microsoft.Graph*

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.9.0                 Microsoft.Graph.Authentication      {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext…}
Script     2.9.0                 Microsoft.Graph.Identity.Governance {Add-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision, Get-MgAgreement, Get…

Environment Data

PS /Users/dhananjaya.senanayake> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.3.3
PSEdition                      Core
GitCommitId                    7.3.3
OS                             Darwin 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep 15 14:41:43 PDT 2023; root:xnu-10002.1.13~1/RELEASE_ARM64_T6000
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Additional context

Trying to automate the access package creation using Terraform. But Terraform only allows setting the duration of the access package access policy in days. So trying to do a workaround with PowerShell to set the field as local-exec. https://github.com/hashicorp/terraform-provider-azuread/issues/1119

dhanaSena Nov 09 '23 14:11
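The debug output above shows the cmdlet issuing a PUT whose body carries only `displayName` and `expiration`, and the response coming back with `requestApprovalSettings` and `requestorSettings` at their defaults. The following read-modify-write sketch is an added example, not code from the issue or from the SDK project: it sends the complete policy back with only `expiration` changed, then re-reads the policy and fails if any guarded setting drifted. It assumes an existing `Connect-MgGraph` session with `EntitlementManagement.ReadWrite.All`, a placeholder policy id, and that the service accepts the round-tripped GET representation as the PUT body.

```powershell
# Added example. $policyId is a placeholder; the list in $guarded is an assumption
# about which settings matter and uses property names from the response shown above.
$policyId = '<accessPackageAssignmentPolicy-id>'
$uri = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies/$policyId"

# 1. Read the complete current policy before touching it.
$before = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType HashTable

# 2. Copy every property except OData annotations and server-managed timestamps.
$body = @{}
foreach ($key in $before.Keys) {
    if ($key -like '*@odata.*' -or $key -in 'createdDateTime', 'modifiedDateTime') { continue }
    $body[$key] = $before[$key]
}

# 3. Change only the field that is meant to change.
$body['expiration'] = @{ duration = 'PT8H'; type = 'afterDuration' }

# 4. PUT the full object so the untouched settings travel with the request.
$json = ConvertTo-Json -InputObject $body -Depth 20
Invoke-MgGraphRequest -Method PUT -Uri $uri -Body $json -ContentType 'application/json' | Out-Null

# 5. Re-read and compare the settings that must not change (approval, requestor scope, reviews).
$after   = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType HashTable
$guarded = 'requestorSettings', 'requestApprovalSettings', 'reviewSettings',
           'specificAllowedTargets', 'allowedTargetScope'

$drift = foreach ($name in $guarded) {
    $old = ConvertTo-Json -InputObject $before[$name] -Depth 20 -Compress
    $new = ConvertTo-Json -InputObject $after[$name]  -Depth 20 -Compress
    if ($old -ne $new) { $name }
}

if ($drift) {
    throw "Assignment policy settings changed unexpectedly: $($drift -join ', ')"
}
```

When this runs from an automation step such as the Terraform `local-exec` mentioned above, the `throw` makes the step fail instead of leaving a policy whose approval requirements were silently cleared.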