
New-MgEntitlementManagementAssignmentPolicy - Access Package Assignment Requestor On-Behalf-Of not working #2373

Closed
tnsholding opened this issue Oct 19, 2023 · 4 comments

Comments

@tnsholding

Describe the bug
We are trying to administer entitlement management using the Graph cmdlets.
Specifically we want to allow some access packages to be assigned by requesting assignment on-behalf-of another user.

It does not seem that setting the onBehalfRequestors property when calling the New-MgEntitlementManagementAssignmentPolicy cmdlets is working.

When trying to create a new assignment for another user (logged in as the user specified in the onBehalfRequestors parameter):
[screenshot not included in the extracted page]

We get a permission issue:
[screenshot not included in the extracted page]

To Reproduce
Steps to reproduce the behavior:
As a catalog owner we are creating an access package policy for an existing access package with the New-MgEntitlementManagementAssignmentPolicy cmdlet.

Specifically we are setting the onBehalfRequestors to a specific user and setting enableOnBehalfRequestorsToAddAccess=true (according to details in https://learn.microsoft.com/en-us/graph/api/resources/accesspackageassignmentrequestorsettings?view=graph-rest-1.0 )

Expected behavior
Being able to assign other users to the access package/policy as the user defined in the onBehalfRequestors parameter.

Module Version
Microsoft.Graph version 2.6.1

Environment Data

Please run $PSVersionTable and paste the output below. If running the Docker container image, indicate the tag of the image used and the version of Docker engine.

Name                           Value
----                           -----
PSVersion                      5.1.22621.2428
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2428
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

@peombwa
Member

peombwa commented Oct 24, 2023

Could you please share:

  • The complete snippet of how you are using the New-MgEntitlementManagementAssignmentPolicy cmdlet. Specifically, how the onBehalfRequestors collection is being constructed.
  • A sanitized -Debug output when using New-MgEntitlementManagementAssignmentPolicy.

@tnsholding
Author

This is how I construct the parameters for New-MgEntitlementManagementAssignmentPolicy:

$params = @"
{
  "requestApprovalSettings": {
    "stages": [
      {
        "primaryApprovers": [
          {
            "userId": "5d6d7dee-f316-xxxx-xxxx-905ac6c9ac1f",
            "@odata.type": "#microsoft.graph.singleUser"
          }
        ],
        "durationBeforeAutomaticDenial": "P14D",
        "isApproverJustificationRequired": true,
        "isEscalationEnabled": false
      }
    ],
    "isApprovalRequiredForUpdate": false,
    "isApprovalRequiredForAdd": true
  },
  "specificAllowedTargets": [
    {
      "@odata.type": "#microsoft.graph.groupMembers",
      "description": "Azure_SG_Cloud_PlatformTeam",
      "groupId": "2f08bb7d-xxxx-xxxx-bb20-a7fd861c4594"
    }
  ],
  "requestorSettings": {
    "enableOnBehalfRequestorsToUpdateAccess": true,
    "onBehalfRequestors": [
      {
        "@odata.type": "#microsoft.graph.singleUser",
        "userId": "5d6d7dee-f316-xxxx-xxxx-905ac6c9ac1f",
        "description": "tns"
      }
    ],
    "enableOnBehalfRequestorsToRemoveAccess": true,
    "enableTargetsToSelfAddAccess": true,
    "enableOnBehalfRequestorsToAddAccess": true,
    "enableTargetsToSelfRemoveAccess": true,
    "allowCustomAssignmentSchedule": false,
    "enableTargetsToSelfUpdateAccess": true
  },
  "displayName": "Default Policy",
  "description": "Default policy created by worload mgmt",
  "expiration": {
    "duration": null,
    "type": "noExpiration",
    "endDateTime": null
  },
  "reviewSettings": {
    "schedule": {
      "expiration": {
        "duration": "P90D",
        "type": "afterDuration"
      },
      "recurrence": {
        "pattern": {
          "interval": 6,
          "type": "absoluteMonthly",
          "dayOfMonth": 0
        },
        "range": {
          "numberOfOccurrences": 0,
          "type": "noEnd"
        }
      },
      "startDateTime": "2023-10-31T09:35:52.9234399Z"
    },
    "isSelfReview": false,
    "isRecommendationEnabled": true,
    "isEnabled": true,
    "isReviewerJustificationRequired": true,
    "fallbackReviewers": null,
    "expirationBehavior": "removeAccess",
    "primaryReviewers": [
      {
        "userId": "5d6d7dee-f316-xxxx-xxxx-905ac6c9ac1f",
        "@odata.type": "#microsoft.graph.singleUser"
      }
    ]
  },
  "allowedTargetScope": "specificDirectoryUsers",
  "accessPackage": {
    "id": "e3cb923b-xxxx-xxxx-83a1-848692da3895"
  }
}
"@

If I then call:
New-MgEntitlementManagementAssignmentPolicy -BodyParameter $params -Debug

I get the following output:

DEBUG: [CmdletBeginProcessing]: - New-MgEntitlementManagementAssignmentPolicy begin processing with parameterSet 'Create'.
DEBUG: [Authentication]: - AuthType: 'UserProvidedAccessToken', TokenCredentialType: 'UserProvidedAccessToken', ContextScope: 'Process', AppName: 'workloadMgmt-dev'.
DEBUG: [Authentication]: - Scopes: [Application.ReadWrite.OwnedBy, Group.Read.All, User.Read.All].

Confirm
Are you sure you want to perform this action?
Performing the operation "New-MgEntitlementManagementAssignmentPolicy_Create" on target "Call remote 'POST /identityGovernance/entitlementManagement/assignmentPolicies'
operation".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; da-DK),PowerShell/7.3.8
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.8.0
client-request-id             : 5bb9927a-3434-4290-a866-426bc9e918d6

Body:
{
  "allowedTargetScope": "specificDirectoryUsers",
  "description": "Default policy created by worload mgmt",
  "displayName": "Default Policy",
  "specificAllowedTargets": [
    {
      "@odata.type": "#microsoft.graph.groupMembers",
      "description": "Azure_SG_Cloud_PlatformTeam",
      "groupId": "2f08bb7d-xxxx-xxxx-bb20-a7fd861c4594"
    }
  ],
  "expiration": {
    "type": "noExpiration"
  },
  "requestApprovalSettings": {
    "isApprovalRequiredForAdd": true,
    "isApprovalRequiredForUpdate": false,
    "stages": [
      {
        "durationBeforeAutomaticDenial": "P14D",
        "isApproverJustificationRequired": true,
        "isEscalationEnabled": false,
        "primaryApprovers": [
          {
            "userId": "5d6d7dee-xxxx-xxxx-926c-905ac6c9ac1f",
            "@odata.type": "#microsoft.graph.singleUser"
          }
        ]
      }
    ]
  },
  "requestorSettings": {
    "allowCustomAssignmentSchedule": false,
    "enableOnBehalfRequestorsToAddAccess": true,
    "enableOnBehalfRequestorsToRemoveAccess": true,
    "enableOnBehalfRequestorsToUpdateAccess": true,
    "enableTargetsToSelfAddAccess": true,
    "enableTargetsToSelfRemoveAccess": true,
    "enableTargetsToSelfUpdateAccess": true,
    "onBehalfRequestors": [
      {
        "@odata.type": "#microsoft.graph.singleUser",
        "userId": "5d6d7dee-xxxx-xxxx-926c-905ac6c9ac1f",
        "description": "tns"
      }
    ]
  },
  "reviewSettings": {
    "expirationBehavior": "removeAccess",
    "isEnabled": true,
    "isRecommendationEnabled": true,
    "isReviewerJustificationRequired": true,
    "isSelfReview": false,
    "primaryReviewers": [
      {
        "userId": "5d6d7dee-xxxx-xxxx-926c-905ac6c9ac1f",
        "@odata.type": "#microsoft.graph.singleUser"
      }
    ],
    "schedule": {
      "startDateTime": "2023-10-31T09:35:52.9234399Z",
      "expiration": {
        "duration": "P90D",
        "type": "afterDuration"
      },
      "recurrence": {
        "pattern": {
          "dayOfMonth": 0,
          "interval": 6,
          "type": "absoluteMonthly"
        },
        "range": {
          "numberOfOccurrences": 0,
          "type": "noEnd"
        }
      }
    }
  },
  "accessPackage": {
    "id": "e3cb923b-xxxx-xxxx-83a1-848692da3895"
  }
}


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Created

Headers:
Cache-Control                 : private
Transfer-Encoding             : chunked
Location                      : https://igaelm-asev3-ecapi-neu.igaelm-asev3-environment-neu.p.azurewebsites.net/api/v1/assignmentPolicies('b36e6b29-xxxx-xxxx-9969-9a287f5f2f6f')
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 558c401c-2097-4be5-b333-cb6a876ee505
client-request-id             : 5bb9927a-3434-4290-a866-426bc9e918d6
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"AM2PEPF0000BE02"}}
OData-Version                 : 4.0
Date                          : Mon, 30 Oct 2023 09:47:03 GMT

Body:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentPolicies/$entity",
  "id": "b36e6b29-xxxx-xxxx-9969-9a287f5f2f6f",
  "displayName": "Default Policy",
  "description": "Default policy created by worload mgmt",
  "allowedTargetScope": "specificDirectoryUsers",
  "createdDateTime": "2023-10-30T09:47:03.7461881Z",
  "modifiedDateTime": "2023-10-30T09:47:04.6928802Z",
  "automaticRequestSettings": null,
  "specificAllowedTargets": [
    {
      "@odata.type": "#microsoft.graph.groupMembers",
      "groupId": "2f08bb7d-xxxx-xxxx-bb20-a7fd861c4594",
      "description": "Azure_SG_Cloud_PlatformTeam"
    }
  ],
  "expiration": {
    "endDateTime": null,
    "duration": null,
    "type": "noExpiration"
  },
  "requestorSettings": {
    "enableTargetsToSelfAddAccess": true,
    "enableTargetsToSelfUpdateAccess": true,
    "enableTargetsToSelfRemoveAccess": true,
    "allowCustomAssignmentSchedule": false,
    "enableOnBehalfRequestorsToAddAccess": true,
    "enableOnBehalfRequestorsToUpdateAccess": true,
    "enableOnBehalfRequestorsToRemoveAccess": true,
    "onBehalfRequestors": [
      {
        "@odata.type": "#microsoft.graph.singleUser",
        "userId": "5d6d7dee-xxxx-xxxx-926c-905ac6c9ac1f",
        "description": "tns"
      }
    ]
  },
  "requestApprovalSettings": {
    "isApprovalRequiredForAdd": true,
    "isApprovalRequiredForUpdate": false,
    "stages": [
      {
        "durationBeforeAutomaticDenial": "P14D",
        "isApproverJustificationRequired": true,
        "isEscalationEnabled": false,
        "durationBeforeEscalation": null,
        "primaryApprovers": [
          {
            "@odata.type": "#microsoft.graph.singleUser",
            "userId": "5d6d7dee-xxxx-xxxx-926c-905ac6c9ac1f",
            "description": ""
          }
        ],
        "fallbackPrimaryApprovers": [],
        "escalationApprovers": [],
        "fallbackEscalationApprovers": []
      }
    ]
  },
  "reviewSettings": {
    "isEnabled": true,
    "expirationBehavior": "removeAccess",
    "isRecommendationEnabled": true,
    "isReviewerJustificationRequired": true,
    "isSelfReview": false,
    "schedule": {
      "startDateTime": "2023-10-31T09:35:52.9234399Z",
      "expiration": {
        "endDateTime": null,
        "duration": "P90D",
        "type": "afterDuration"
      },
      "recurrence": {
        "pattern": {
          "type": "absoluteMonthly",
          "interval": 6,
          "month": 0,
          "dayOfMonth": 0,
          "daysOfWeek": [],
          "firstDayOfWeek": null,
          "index": null
        },
        "range": {
          "type": "noEnd",
          "numberOfOccurrences": 0,
          "recurrenceTimeZone": null,
          "startDate": null,
          "endDate": null
        }
      }
    },
    "primaryReviewers": [
      {
        "@odata.type": "#microsoft.graph.singleUser",
        "userId": "5d6d7dee-xxxx-xxxx-926c-905ac6c9ac1f",
        "description": ""
      }
    ],
    "fallbackReviewers": []
  },
  "[email protected]": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentPolicies('b36e6b29-xxxx-xxxx-9969-9a287f5f2f6f')/questions",
  "questions": []
}



DEBUG: [CmdletEndProcessing]: - New-MgEntitlementManagementAssignmentPolicy end processing.
Id                                   AllowedTargetScope     CreatedDateTime     Description                            DisplayName    ModifiedDateTime
--                                   ------------------     ---------------     -----------                            -----------    ----------------
b36e6b29-xxxx-xxxx-9969-9a287f5f2f6f specificDirectoryUsers 30-10-2023 09:47:03 Default policy created by worload mgmt Default Policy 30-10-2023 09:47:04

So the command executes correctly and seems to set the onBehalfRequestors. But my question is why I cannot assign any users to the policy when logging in as the onBehalfRequestor after running this command?
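Before treating the permission error as a service fault, it is worth confirming the two things the on-behalf request actually depends on: that the service persisted the onBehalfRequestors the POST above sent, and that the signed-in requestor's session carries the entitlement-management permission. The script below is an added example, not code from the issue or the SDK project; it assumes EntitlementManagement.ReadWrite.All is the delegated permission the assignment request needs, that singleUser subject sets expose their userId via AdditionalProperties, and it uses the redacted ids from the issue plus a placeholder target user.

```powershell
# Added example (not from the issue): read the policy back, check the preconditions an
# on-behalf assignment request depends on, and only then submit the request.
# Assumptions: delegated session of the on-behalf user; EntitlementManagement.ReadWrite.All
# is the permission the request needs; subject-set members expose userId in AdditionalProperties.
param(
    [string]$PolicyId        = 'b36e6b29-xxxx-xxxx-9969-9a287f5f2f6f',  # redacted id from the issue
    [string]$AccessPackageId = 'e3cb923b-xxxx-xxxx-83a1-848692da3895',  # redacted id from the issue
    [string]$TargetUserId    = '<object-id-of-user-to-assign>'          # placeholder
)
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users

# 1. Does the signed-in session hold the permission the assignment request needs?
#    The debug log in the issue lists only Application/Group/User scopes, so this is the first check.
$ctx = Get-MgContext
if ($ctx.Scopes -notcontains 'EntitlementManagement.ReadWrite.All') {
    throw "Session for $($ctx.Account) lacks EntitlementManagement.ReadWrite.All; scopes: $($ctx.Scopes -join ', ')"
}
$meId = (Get-MgUser -UserId $ctx.Account -Property Id).Id

# 2. Read the policy back: did the service persist the on-behalf settings that were sent?
$policy = Get-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId $PolicyId
$rs = $policy.RequestorSettings
if (-not $rs.EnableOnBehalfRequestorsToAddAccess) {
    throw "Policy '$($policy.DisplayName)' does not allow on-behalf requestors to add access"
}
# Assumption: singleUser subject sets carry their userId in AdditionalProperties.
$requestorIds = @($rs.OnBehalfRequestors | ForEach-Object { $_.AdditionalProperties['userId'] })
if ($requestorIds -notcontains $meId) {
    throw "Signed-in user $meId is not in onBehalfRequestors ($($requestorIds -join ', '))"
}

# 3. Preconditions hold: submit the on-behalf request. Body shape follows the Graph
#    accessPackageAssignmentRequest resource (requestType + assignment with target/policy/package ids).
$body = @{
    requestType = 'userAdd'
    assignment  = @{
        targetId           = $TargetUserId
        assignmentPolicyId = $PolicyId
        accessPackageId    = $AccessPackageId
    }
}
$req = New-MgEntitlementManagementAssignmentRequest -BodyParameter $body
"Request $($req.Id) submitted with state '$($req.State)'"
```

If step 1 or 2 throws, the failure is on the client or policy side; if all three pass and the request is still denied, the request-id from the response is what the service ticket needs.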

@peombwa
Member

peombwa commented Oct 30, 2023

Thanks for providing the details.

The debug log shows that the command sent the expected request and got the expected response from the service.

But my question is why I cannot assign any users to the policy when logging in as the onBehalfRequestor after running this command?

Please open a service question/ticket at https://developer.microsoft.com/graph/support as this is a service inquiry that can only be answered by the API/service experts. Remember to include the requestId and date of the affected call in your question/ticket. See Microsoft Graph PowerShell module troubleshooting guide for more details.

This repository is intended for issues related to the functionality of the SDK (bugs and feature requests). We may not be the best place to answer some queries that are tied to the functionality of the API.

Contributor

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
