New-MgEntitlementManagementResourceRequest does not populate Role properties

[dmaloney02]

using the SDK Entitlement Management Catalog resources are created without role properties. The role properties are mandatory for adding the group/role to an access package.

Example of a new catalog group post "New-MgEntitlementManagementResourceRequest" with empty Role properties: $a = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalog.id -Filter "originID eq '$($g.ID)'" -ExpandProperty scopes

$a | fl

Attributes : {} CreatedDateTime : 6/19/2024 11:14:19 PM Description : For Development of AP automation only, then can be deleted. DisplayName : AzureIAM-DEV_Group Environment : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageResourceEnvironment Id : c15b9b94-fdc3-414c-a818-dcdca81cc05d ModifiedDateTime : OriginId : 3acf4b9f-5601-4eed-8f40-180aa9282f82 OriginSystem : AadGroup Roles : Scopes : {e0b1d2cb-0774-4272-a27e-ee2a6d825f74} AdditionalProperties : {[[email protected], https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/catalogs('d1d12211-49c5-4a14-9ad0-b2eb2b44 1363')/resources('c15b9b94-fdc3-414c-a818-dcdca81cc05d')/scopes]}

Graph API documentation for "accessPackageResourceRole resource type" states the following: In Microsoft Entra entitlement management, an access package resource role is a reference to a role defined in a resource. These roles are automatically present after a resource is added to an access package catalog. A group can have two roles, one for the owner and another for the member.

Subsequently, the Catalog group cannot be assigned to an access package via New-MgEntitlementManagementAccessPackageResourceRoleScope because the Resource Role ID does not exist.

SDK Documentation here: https://learn.microsoft.com/en-us/graph/api/accesspackage-post-resourcerolescopes?view=graph-rest-1.0&preserve-view=true&tabs=powershell