msgraph-sdk-powershell icon indicating copy to clipboard operation
msgraph-sdk-powershell copied to clipboard

Published 20 hours ago verified publisher icon microsoftgraph

Unable to require requestor justification on Entitlement Management Access Package Policy

Open lbruck95 opened this issue 1 year ago • 9 comments

Is your feature request related to a problem? Please describe. I am unable to require requestor justification for an access package policy using the Powershell Graph Module for Entitlement Management.

Describe the solution you'd like Require user justification for an access package policy programmatically

Describe alternatives you've considered I've used the beta version which allows you to require requestor justification but the beta module doesn't allow you to set the expiration duration to hours which we need. It requires the duration to be in days.

I've tried creating the policy with the Powershell module that uses the v1.0 endpoints and then using the beta module to update the policy to require justification but when doing that, it wipes out any properties that you don't specify in the update request.

I've set my own business justification question on the access package policy and made it required which would solve the problem except that the built in Business Justification question is presented whether you require requestor justification or not.

Lastly, I tried making this request with the Invoke-MgGraphRequest and specifying the PATCH method to update the value I need but that does not work either.

Additional context We are stuck at the moment as we are unable to programmatically configure these policies to what we need. Please provide a way to accomplish this so we can move forward in migrating to the Entitlement Management Powershell modules.

lbruck95 avatar Dec 12 '23 21:12 lbruck95

This is also a deal breaker for me quite a while. Judging by both v1.0 and beta documentation the data is not even recognized as part of the data model and it's not even being retrieved on responses if there was an error in the documentation.

This issue is requiring me to have to edit each assignment policy manually and switch the toggle.

fernando-almeida-sprinklr avatar Jan 02 '24 12:01 fernando-almeida-sprinklr

Any news here ? I have the same problem. There is no way to set the justification toggle programatically

steverding avatar Mar 06 '24 09:03 steverding

Noticed the same issue. Any updates?

NiciAl avatar Jun 26 '24 10:06 NiciAl

I can confirm I have the same issue with the 2.20 version of the module. This is a very big issue as it prevents scale out automation of Access Packages in large enterprise environments.

I've got a 10K E5 environment and I am dead in the water provisioning access packages.

It looks like there is a new command in the works "New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy" with the following property.

isRequestorJustificationRequired = $false

As soon as I add this property to my policy parameters it bombs out. It seems like the Beta endpoint for this command is expecting different parameters or is completely messed up.

dmaloney02 avatar Jul 24 '24 00:07 dmaloney02

Having the same issue. This is the last setting i need for being able to make compliant Access Packages programatically. It is really cumbersome having to do anything manual in relation to Access Packages.

Fingers crossed that the new ms graph for bicep will be able to create access packages in the future.

jvesthansen1990 avatar Jul 26 '24 11:07 jvesthansen1990

This is a major setback! After spending a lot of time upgrading our automation from Microsoft.Graph.Identity.Governance beta (module version 1.22.0) to 1.0 (module version 2.20.0 - I will update this to 2.22.0 shortly), now I have to go back to beta? This can't be right. Please fix this major problem as soon as possible. Or is there some other automated way to require justification from the requester?

Marc013 avatar Aug 13 '24 12:08 Marc013

@timayabi2020 Is there any update on this? Multiple others are having this issue and nothing has happened for the past 8 months since I opened this issue. Please provide an update as this is a major issue for many of us.

lbruck95 avatar Aug 13 '24 14:08 lbruck95

I have the same issue, If I add the isRequestorJustificationRequired in the $params object when using the powershell module, I get error about Invalid Model: New-MgEntitlementManagementAssignmentPolicy : The model is invalid. Status: 400 (BadRequest) ErrorCode: InvalidModel

If I use another cmdlet to get the policy, I can see the attribute there in the response data, and it also reflects true/false based on whether the GUI setting is enabled or not on the policy.

Using the New-MgEntitlementManagementAssignmentPolicy function, version 2.11.1 in the module "Microsoft.Graph.Identity.Governance".

bfond82 avatar Aug 14 '24 12:08 bfond82