| title | Create accessPackageResourceRequest |
|---|---|
| description | Create a new accessPackageResourceRequest object to request the addition of a resource to an access package catalog, update of a resource, or the removal of a resource from a catalog. |
| ms.localizationpriority | medium |
| author | markwahl-msft |
| ms.subservice | entra-id-governance |
| doc_type | apiPageType |
| ms.date | 03/19/2024 |
Namespace: microsoft.graph
Create a new accessPackageResourceRequest object to request the addition of a resource to an access package catalog, update of a resource, or the removal of a resource from a catalog. A resource must be included in an access package catalog before a role of that resource can be added to an access package.
- To add a Microsoft Entra group as a resource to a catalog, set the requestType to be
adminAdd, and aresourcerepresenting the resource. The value of the originSystem property within theresourceshould beAadGroupand the value of the originId is the identifier of the group. - To add a Microsoft Entra application as a resource to a catalog, set the requestType to be
adminAdd, and aresourcerepresenting the resource. The value of the originSystem property within theresourceshould beAadApplicationand the value of the originId is the identifier of the servicePrincipal. - To add a SharePoint Online site as a resource to a catalog, set the requestType to be
adminAdd, and aresourcerepresenting the resource. The value of the originSystem property within theresourceshould beSharePointOnlineand the value of the originId is the URI of the site. - To remove a resource from a catalog, set the requestType to be
adminRemove, and theresourceto contain theidof the resource object to be removed. The resource object can be retrieved using list resources.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
Tip
In delegated scenarios with work or school accounts, the signed-in user must also be assigned an administrator role with supported role permissions through one of the following options:
- A role in the Entitlement Management system where the least privileged role is Catalog owner. This is the least privileged option.
- More privileged Microsoft Entra roles supported for this operation:
- Identity Governance Administrator
In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the EntitlementManagement.ReadWrite.All application permission. The Catalog owner role is less privileged than the EntitlementManagement.ReadWrite.All application permission.
Additionally you must also have the following permissions on the resource being added:
- To add a Microsoft Entra group as a resource to a catalog:
- If using delegated permissions, the user requesting to add a group should be an owner of the group or in a directory role that allows them to modify groups.
- If using application permissions, the application requesting to add the group should also be assigned the
Group.ReadWrite.Allpermission.
- To add a Microsoft Entra role as a resource to a catalog:
- If using delegated permissions, the user who wants to add the role to the catalog needs to be a Global Administrator or a Privileged Role Administrator with Catalog Owner permissions.
- Applications with the Entitlement Management.ReadWrite.All permissions cannot add Microsoft Entra roles to catalogs unless they also have Global Administrator or Privilege Role Administrator permissions.
- To add a Microsoft Entra application as a resource to a catalog:
- If using delegated permissions, the user requesting to add an application should be an owner of the application or in a directory role that allows them to modify application role assignments.
- If using application permissions, the application requesting to add the servicePrincipal should also be assigned the Application.ReadWrite.All permission.
- To add a SharePoint Online site as a resource to a catalog:
- If using delegated permissions, the user must be assigned the SharePoint Administrator role or be an administrator of the SharePoint site.
- If using application permissions, the application should also be assigned the
Sites.FullControl.Allpermission. For more information, see Delegation and roles in entitlement management and how to delegate access governance to access package managers in entitlement management.
POST /identityGovernance/entitlementManagement/resourceRequests| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
In the request body, supply a JSON representation of an accessPackageResourceRequest object. Include the resource relationship with an accessPackageResource object as part of the request, and a catalog object containing its id.
If successful, this method returns a 201 Created response code and a new accessPackageResourceRequest object in the response body.
The following example shows a request.
POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/resourceRequests
Content-type: application/json
{
"requestType": "adminAdd",
"resource": {
"displayName": "Test group",
"originId": "8ab659d0-3839-427d-8c54-5ae92f0b3e2e",
"originSystem": "AadGroup"
},
"catalog": {
"id": "beedadfe-01d5-4025-910b-84abb9369997"
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "acc2294e-f37f-42d3-981d-4e83847ed0ce",
"requestType": "adminAdd",
"state": "delivered"
}The following example shows a request.
POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/resourceRequests
Content-type: application/json
{
"requestType": "adminAdd",
"resource": {
"originId": "e81d7f57-0840-45e1-894b-f505c1bdcc1f",
"originSystem": "AadApplication"
},
"catalog": {
"id": "beedadfe-01d5-4025-910b-84abb9369997"
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "acc2294e-f37f-42d3-981d-4e83847ed0ce",
"requestType": "adminAdd",
"state": "delivered"
}The following example shows a request.
POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/resourceRequests
Content-type: application/json
{
"requestType": "adminAdd",
"resource": {
"originId": "https://microsoft.sharepoint.com/sites/Example",
"originSystem": "SharePointOnline"
},
"catalog": {
"id": "beedadfe-01d5-4025-910b-84abb9369997"
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "acc2294e-f37f-42d3-981d-4e83847ed0ce",
"requestType": "adminAdd",
"state": "delivered"
}The following example shows a request.
POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/resourceRequests
Content-type: application/json
{
"requestType": "adminRemove",
"resource": {
"id": "1d0bb962-5bb0-4b16-a488-fda7a788b9ec"
},
"catalog": {
"id": "beedadfe-01d5-4025-910b-84abb9369997"
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "acc2294e-f37f-42d3-981d-4e83847ed0ce",
"requestType": "adminRemove",
"state": "delivered"
}Example 5: Create an accessPackageResourceRequest for updating an application as a resource with attributes
The following example shows a request to update a resource in a catalog, for an application that was already added as a resource, with two attributes.
The following example shows a request.
POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/resourceRequests
Content-type: application/json
{
"requestType": "adminUpdate",
"resource": {
"originId": "e81d7f57-0840-45e1-894b-f505c1bdcc1f",
"originSystem": "AadApplication",
"attributes": [
{
"destination": {
"@odata.type": "microsoft.graph.accessPackageUserDirectoryAttributeStore"
},
"name": "officeLocation",
"source": {
"@odata.type": "#microsoft.graph.accessPackageResourceAttributeQuestion",
"question": {
"@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
"sequence": 1,
"isRequired": true,
"isAnswerEditable": true,
"text": "What office do you work at?",
"isSingleLineQuestion": true,
"regexPattern": "[a-zA-Z]+[a-zA-Z\\s]*"
}
}
},
{
"destination": {
"@odata.type": "microsoft.graph.accessPackageUserDirectoryAttributeStore"
},
"name": "extension_e409fedc08ab4807a9eb53ebc0d6cc9f_Expense_CostCenter",
"source": {
"@odata.type": "#microsoft.graph.accessPackageResourceAttributeQuestion",
"question": {
"@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
"isRequired": false,
"text": "What is your cost center number?",
"sequence": 0,
"isSingleLineQuestion": true,
"regexPattern": "[0-9]*"
}
}
}
]
},
"catalog": {
"id": "beedadfe-01d5-4025-910b-84abb9369997"
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "acc2294e-f37f-42d3-981d-4e83847ed0ce",
"requestType": "adminAdd",
"state": "delivered"
}