Merge pull request #27748 from microsoftgraph/copilot/tame-crawdad

externalOriginResourceConnector and externalTokenBasedSapIagConnectionInfo SAP IAG integration Public Preview

Author: Danipocket

api-reference/beta/api/accesspackagecatalog-list-accesspackageresources.md

@@ -37,7 +37,7 @@ GET /identityGovernance/entitlementManagement/accessPackageCatalogs/{id}/accessP
 
 ## Optional query parameters
 
-This method supports OData query parameters to help customize the response. For example, to retrieve the access package resource scopes and environments for each resource, include `$expand=accessPackageResourceScopes,accessPackageResourceEnvironment` in the query. To retrieve the available roles of a resource, include `$expand=accessPackageResourceRoles`. To retrieve only resources for applications and not groups or sites, include `$filter=resourceType eq 'Application'` in the query. For general information, see [OData query parameters](/graph/query-parameters).
+This method supports OData query parameters to help customize the response. For example, to retrieve the access package resource scopes and environments for each resource, include `$expand=accessPackageResourceScopes,accessPackageResourceEnvironment,externalOriginResourceConnector` in the query. To retrieve the available roles of a resource, include `$expand=accessPackageResourceRoles`. To retrieve only resources for applications and not groups or sites, include `$filter=resourceType eq 'Application'` in the query. For general information, see [OData query parameters](/graph/query-parameters).
 
 ## Request headers
 

api-reference/beta/api/entitlementmanagement-list-externaloriginresourceconnectors.md

@@ -0,0 +1,113 @@
+---
+title: "List externalOriginResourceConnectors"
+description: "Get a list of externalOriginResourceConnector objects and their properties."
+author: "vikama-microsoft"
+ms.date: 02/23/2026
+ms.localizationpriority: medium
+ms.subservice: "entra-id-governance"
+doc_type: apiPageType
+---
+
+# List externalOriginResourceConnectors
+
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Get a list of [externalOriginResourceConnector](../resources/externaloriginresourceconnector.md) objects and their properties.
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- {
+  "blockType": "permissions",
+  "name": "entitlementmanagement-list-externaloriginresourceconnectors-permissions"
+}
+-->
+[!INCLUDE [permissions-table](../includes/permissions/entitlementmanagement-list-externaloriginresourceconnectors-permissions.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+GET /identityGovernance/entitlementManagement/externalOriginResourceConnectors
+```
+
+## Optional query parameters
+
+This method supports some of the OData query parameters to help customize the response. For general information, see [OData query parameters](/graph/query-parameters).
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [externalOriginResourceConnector](../resources/externaloriginresourceconnector.md) objects in the response body.
+
+## Examples
+
+### Request
+
+The following example shows a request.
+<!-- {
+  "blockType": "request",
+  "name": "list_externaloriginresourceconnector"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/externalOriginResourceConnectors
+```
+
+
+### Response
+
+The following example shows the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.externalOriginResourceConnector"
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "value": [
+    {
+      "@odata.type": "#microsoft.graph.externalOriginResourceConnector",
+      "id": "375db7fb-280f-5d24-1abd-c63e0311c131",
+      "displayName": "SAP Access Control",
+      "description": "SAP Access Control connector",
+      "connectorType": "sapAc",
+      "connectionInfo": {
+        "@odata.type": "microsoft.graph.externalTokenBasedSapIagConnectionInfo",
+        "url": "dev.test",
+        "accessTokenUrl": "9e90019f-6256-41fa-a225-5ef9cc1d9bf8",
+        "clientId": "e9ad8b1d-959c-4e86-8ba2-2cbf4d14bc29",
+        "keyVaultName": "Keyvault",
+        "secretName": "Test",
+        "subscriptionId": "5ee98b73-d9df-43a7-8a92-36855054bdee",
+        "resourceGroup": "SAPIAG Group"
+      },
+      "createdBy": "admin@contoso.com",
+      "createdDateTime": "2026-02-23T10:15:30Z",
+      "modifiedBy": "admin@contoso.com",
+      "modifiedDateTime": "2026-02-23T10:15:30Z"
+    }
+  ]
+}
+```
+

api-reference/beta/api/entitlementmanagement-post-accesspackageresourcerequests.md

@@ -626,6 +626,82 @@ Content-type: application/json
   "requestStatus": "Fulfilled"
 }
 ```
+
+
+### Example 7: Create an accessPackageResourceRequest for adding a SAP IAG Access Rights as a resource
+
+#### Request
+
+The following example shows a request for adding an external origin resource connector to a catalog, including specifying a required attribute of that resource connector.
+
+<!-- {
+  "blockType": "request",
+  "name": "create_accesspackageresourcerequest_from_accesspackageresourcerequests_connector"
+}-->
+```http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
+Content-type: application/json
+
+{
+  "catalogId": "bcb19bf7-cdf7-4a70-a106-f6543620b2a5",
+  "accessPackageResource": {
+    "id": "88eb460d-ca08-4eb9-afae-8d60a8b00377",
+    "displayName": "SAP IAG Access Rights",
+    "description": "This resource represents the business roles of SAP IAG",
+    "resourceType": "Business role",
+    "originId": "https://iagintgorg-iag-intg-space-java-rest-arqapi.cfapps.sap.hana.ondemand.com",
+    "originSystem": "External",
+    "accessPackageResourceScopes": [],
+    "externalOriginResourceConnector": {
+      "id": "1a53cea5-48bd-467c-af81-a24245b0df2b",
+      "displayName": "SAP IAG 10.0",
+      "description": "SAP IAG 10.0.0",
+      "connectorType": "sapIag",
+      "connectionInfo": {
+        "@odata.type": "microsoft.graph.externalTokenBasedSapIagConnectionInfo",
+        "url": "https://iagigorg-iag-intg-space-java-rest-arqapi.cfapps.sap.hana.ondemand.com",
+        "subscriptionId": "8e072eb5-73f5-4ed2-9324-a734dcb9728",
+        "resourceGroup": "SAPResourceGroup",
+        "accessTokenUrl": "https://entra-docu-intg-mrrd3gv.authentication.sap.hana.ondemand.com/oauth/token",
+        "clientId": "sb-72062308-a7ae-456f-b9a4-24302b8a4aa!b247012|iagapi-iag-intg-space!b11378",
+        "keyVaultName": "SAPIAG-KV",
+        "secretName": "ClientSecret"
+      }
+    },
+    "accessPackageResourceEnvironment": null
+  },
+  "requestType": "AdminAdd",
+  "history": [],
+  "executeImmediately": true
+}
+
+```
+
+
+
+#### Response
+
+The following example shows the response.
+
+> **Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.accessPackageResourceRequest"
+} -->
+
+```http
+HTTP/1.1 201 Created
+Content-type: application/json
+
+{
+  "id": "0e37f047-c6b9-4d5c-99cd-e3fab4007be4",
+  "requestType": "AdminAdd",
+  "requestState": "Delivered",
+  "requestStatus": "Fulfilled"
+}
+```
 <!-- uuid: 16cd6b66-4b1a-43a1-adaf-3a886856ed98
 2019-02-04 14:57:30 UTC -->
 <!-- {

api-reference/beta/api/entitlementmanagement-post-externaloriginresourceconnectors.md

@@ -0,0 +1,136 @@
+---
+title: "Create externalOriginResourceConnector"
+description: "Create a new externalOriginResourceConnector object."
+author: "vikama-microsoft"
+ms.date: 02/23/2026
+ms.localizationpriority: medium
+ms.subservice: "entra-id-governance"
+doc_type: apiPageType
+---
+
+# Create externalOriginResourceConnector
+
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Creates a new [externalOriginResourceConnector](../resources/externaloriginresourceconnector.md) object.
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- {
+  "blockType": "permissions",
+  "name": "entitlementmanagement-post-externaloriginresourceconnectors-permissions"
+}
+-->
+
+[!INCLUDE [permissions-table](../includes/permissions/entitlementmanagement-post-externaloriginresourceconnectors-permissions.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+POST /identityGovernance/entitlementManagement/externalOriginResourceConnectors
+```
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+|Content-Type|application/json. Required.|
+
+## Request body
+
+In the request body, supply a JSON representation of the [externalOriginResourceConnector](../resources/externaloriginresourceconnector.md) object.
+
+You can specify the following properties when creating an **externalOriginResourceConnector**.
+
+|Property|Type|Description|
+|:---|:---|:---|
+|connectionInfo|[connectionInfo](../resources/connectioninfo.md)|The connection information for the external origin resource connector. Required.|
+|connectorType|connectorType|The type of connector. The possible values are: `sapIag`, `sapAc`, `unknownFutureValue`. Required.|
+|description|String|The description of the external origin resource connector. Optional.|
+|displayName|String|The display name of the external origin resource connector. Optional.|
+
+
+
+## Response
+
+If successful, this method returns a `201 Created` response code and an [externalOriginResourceConnector](../resources/externaloriginresourceconnector.md) object in the response body.
+
+## Examples
+
+### Request
+
+The following example shows a request.
+<!-- {
+  "blockType": "request",
+  "name": "create_externaloriginresourceconnector_from_"
+}
+-->
+``` http
+POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/externalOriginResourceConnectors
+Content-Type: application/json
+
+{
+  "@odata.type": "#microsoft.graph.externalOriginResourceConnector",
+  "displayName": "SAP Access Control",
+  "description": "SAP Access Control connector",
+  "connectorType": "sapAc",
+  "connectionInfo": {
+    "@odata.type": "microsoft.graph.externalTokenBasedSapIagConnectionInfo",
+    "url": "dev.test",
+    "accessTokenUrl": "9e90019f-6256-41fa-a225-5ef9cc1d9bf8",
+    "clientId": "e9ad8b1d-959c-4e86-8ba2-2cbf4d14bc29",
+    "keyVaultName": "Keyvault",
+    "secretName": "Test",
+    "subscriptionId": "5ee98b73-d9df-43a7-8a92-36855054bdee",
+    "resourceGroup": "SAPIAG Group"
+  }
+}
+```
+
+
+### Response
+
+The following example shows the response.
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.externalOriginResourceConnector"
+}
+-->
+``` http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+{
+  "@odata.type": "#microsoft.graph.externalOriginResourceConnector",
+  "id": "375db7fb-280f-5d24-1abd-c63e0311c131",
+  "displayName": "SAP Access Control",
+  "description": "SAP Access Control connector",
+  "connectorType": "sapAc",
+  "connectionInfo": {
+    "@odata.type": "microsoft.graph.externalTokenBasedSapIagConnectionInfo",
+    "url": "dev.test",
+    "accessTokenUrl": "9e90019f-6256-41fa-a225-5ef9cc1d9bf8",
+    "clientId": "e9ad8b1d-959c-4e86-8ba2-2cbf4d14bc29",
+    "keyVaultName": "Keyvault",
+    "secretName": "Test",
+    "subscriptionId": "5ee98b73-d9df-43a7-8a92-36855054bdee",
+    "resourceGroup": "SAPIAG Group"
+  },
+  "createdBy": "admin@contoso.com",
+  "createdDateTime": "2026-02-23T10:15:30Z",
+  "modifiedBy": "admin@contoso.com",
+  "modifiedDateTime": "2026-02-23T10:15:30Z"
+}
+```
+