Set-MgEntitlementManagementAssignmentPolicy command makes all existing properties null except provided properties
Describe the bug
Set-MgEntitlementManagementAssignmentPolicy command makes all existing properties null except the provided properties. E.g. Requester Information, Requests, Lifecycle: all configs are lost.
Set-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId "xxxxxxxx-2308-4502-b92d-166e94e7070a" -Expiration @{duration = "PT8H";type = "afterDuration"} -DisplayName "Policy for Team Members"
To Reproduce
Steps to reproduce the behavior:
- Create an access package using the Azure portal with an access policy
- Execute the following PowerShell command to update the expiration duration
Set-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId "xxxxxxxx-2308-4502-b92d-166e94e7070a" -Expiration @{duration = "PT8H";type = "afterDuration"} -DisplayName "Policy for Team Members"
Expected behavior
All other configs should be preserved after executing Set-MgEntitlementManagementAssignmentPolicy.
Debug Output
PS /Users/dhananjaya.senanayake> Set-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId "f833dfc1-2308-4502-b92d-166e94e7070a" -Expiration @{duration = "PT8H";type = "afterDuration"} -DisplayName "Policy for Team Members" -Debug
DEBUG: [CmdletBeginProcessing]: - Set-MgEntitlementManagementAssignmentPolicy begin processing with parameterSet 'SetExpanded'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.Read.All, AppRoleAssignment.ReadWrite.All, email, EntitlementManagement.ReadWrite.All, Group.ReadWrite.All, openid, Organization.Read.All, profile, User.Read, User.Read.All, User.ReadWrite.All].
Confirm
Are you sure you want to perform this action?
Performing the operation "Set-MgEntitlementManagementAssignmentPolicy_SetExpanded" on target "Call remote 'PUT
/identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicy-id}' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies/xxxxxxxx-2308-4502-b92d-166e94e7070a
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Macintosh; Darwin 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep 15 14:41:43 PDT 2023; root:xnu-10002.1.13~1/RELEASE_ARM64_T6000; en-FI),PowerShell/7.3.3
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.9.0
client-request-id : 26c32e1c-c712-436e-a0ff-96438db115e
Body:
{
"displayName": "Policy for Team Members",
"expiration": {
"duration": "PT8H",
"type": "afterDuration"
}
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : private
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : dd72dcb7-b083-46ed-9b27-3164644c5013
client-request-id : 26c32e1c-c712-436e-a0ff-96438db115e8
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"011","RoleInstance":"AM2PEPF0001BE80"}}
OData-Version : 4.0
Date : Thu, 09 Nov 2023 14:19:45 GM
Body:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentPolicies/$entity",
"id": "xxxxxxxx-2308-4502-b92d-166e94e7070a",
"displayName": "Policy for Team Members",
"description": "",
"allowedTargetScope": "notSpecified",
"createdDateTime": "0001-01-01T00:00:00Z",
"modifiedDateTime": "0001-01-01T00:00:00Z",
"automaticRequestSettings": null,
"reviewSettings": null,
"specificAllowedTargets": [],
"expiration": {
"endDateTime": null,
"duration": "PT8H",
"type": "afterDuration"
},
"requestorSettings": {
"enableTargetsToSelfAddAccess": false,
"enableTargetsToSelfUpdateAccess": false,
"enableTargetsToSelfRemoveAccess": false,
"allowCustomAssignmentSchedule": true,
"enableOnBehalfRequestorsToAddAccess": false,
"enableOnBehalfRequestorsToUpdateAccess": false,
"enableOnBehalfRequestorsToRemoveAccess": false,
"onBehalfRequestors": []
},
"requestApprovalSettings": {
"isApprovalRequiredForAdd": false,
"isApprovalRequiredForUpdate": false,
"stages": []
},
"questions@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/assignmentPolicies('xxxxxxxx-2308-4502-b92d-166e94e7070a')/questions",
"questions": []
}
DEBUG: [CmdletEndProcessing]: - Set-MgEntitlementManagementAssignmentPolicy end processing.
Id AllowedTargetScope CreatedDateTime Description DisplayName ModifiedDateTime
-- ------------------ --------------- ----------- ----------- ----------------
xxxxxxxx-2308-4502-b92d-166e94e7070a notSpecified 1.1.0001 0.00.00 Policy for Team Members 1.1.0001 0.00.00
Module Version
PS /Users/dhananjaya.senanayake> Get-Module Microsoft.Graph*
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.9.0 Microsoft.Graph.Authentication {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext…}
Script 2.9.0 Microsoft.Graph.Identity.Governance {Add-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision, Get-MgAgreement, Get…
Environment Data
PS /Users/dhananjaya.senanayake> $PSVersionTable
Name Value
---- -----
PSVersion 7.3.3
PSEdition Core
GitCommitId 7.3.3
OS Darwin 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep 15 14:41:43 PDT 2023; root:xnu-10002.1.13~1/RELEASE_ARM64_T6000
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Additional context
Trying to automate the access package creation using Terraform. But Terraform only allows setting the duration of the access package access policy in days. So trying to do a workaround with PowerShell to set the field as local-exec. https://github.com/hashicorp/terraform-provider-azuread/issues/1119
@petrhollayms this has been open since November last year, has it been fixed? Is the module calling a PUT instead of a PATCH? I cannot understand why MgGraph was pushed so hard when the thing barely functions.
@Whats-A-MattR thank you for logging this issue and you are right. Indeed, the module is doing a PUT instead of a PATCH, reason being that the service/API owner as per the API reference documentation here specified a PUT operation and that is what the module picked during its generation.
Unfortunately, for API related issues/questions we are not best placed to give an answer. Kindly raise an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
Hello!
We are facing the same issue here.
If I want to remove or add a SpecificAllowedTargets with this parameter, the whole policy is destroyed. E.g.:
```powershell
# Allowed-target definition: members of one connected organization
$Params = @{
    "@odata.type" = "#microsoft.graph.connectedOrganizationMembers"
    connectedOrganizationId = "319feb9b-af99-497d-8d52-743c0938f84c"
    description = "domainname.com"
}
# Only SpecificAllowedTargets and DisplayName are supplied to the cmdlet
Set-MgEntitlementManagementAssignmentPolicy -AccessPackageAssignmentPolicyId 383f663a-da5f-4ec2-91e4-429f0ff1e3cf -SpecificAllowedTargets $Params -DisplayName "Java Initial Policy"
```
Also, why does this cmdlet require that displayName be declared when I only want to update the SpecificAllowedTargets?
Microsoft should add an "Update-MgEntitlementManagementAssignmentPolicy" cmdlet that is missing in this PowerShell module.
Please assist!
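
The debug output above shows a PUT whose body carries only displayName and expiration, and a response in which reviewSettings, automaticRequestSettings, approval stages and allowed targets come back null or empty. As an added example (not code from this thread or from the SDK), the sketch below reads the current policy, merges the change into a complete PUT body, and re-reads the policy to warn when a watched setting was reset. The function names, the read-only property list and the sample policy are assumptions of this example, as is the premise that a plain GET returns every setting that has to be kept.

```powershell
# Added example: names below are assumptions of this example, not SDK cmdlets.
# Server-generated fields and annotations from the GET response that are not settings.
$ReadOnly = 'id', 'createdDateTime', 'modifiedDateTime', '@odata.context', 'questions@odata.context'

# Build a complete PUT body: every current setting, overridden by the entries in $Changes.
function Merge-PolicyUpdate {
    param([hashtable]$Current, [hashtable]$Changes)
    $body = @{}
    foreach ($key in $Current.Keys) {
        if ($key -notin $ReadOnly) { $body[$key] = $Current[$key] }
    }
    foreach ($key in $Changes.Keys) { $body[$key] = $Changes[$key] }
    $body
}

# Names of watched settings that had a value before the update and are null or empty after it.
function Get-ResetSetting {
    param([hashtable]$Before, [hashtable]$After)
    $watched = 'reviewSettings', 'automaticRequestSettings', 'specificAllowedTargets', 'questions'
    @($watched | Where-Object { $Before[$_] -and -not $After[$_] })
}

# GET the policy, PUT it back with the changes merged in, then re-read and compare.
# Needs an existing Connect-MgGraph session; not called in this example.
function Set-AssignmentPolicyMerged {
    param([string]$PolicyId, [hashtable]$Changes)
    $uri = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies/$PolicyId"
    $before = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType HashTable
    $json = Merge-PolicyUpdate -Current $before -Changes $Changes | ConvertTo-Json -Depth 20
    Invoke-MgGraphRequest -Method PUT -Uri $uri -Body $json -ContentType 'application/json' | Out-Null
    $after = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType HashTable
    $reset = Get-ResetSetting -Before $before -After $after
    if ($reset) { Write-Warning "Settings reset by the update: $($reset -join ', ')" }
    $after
}

# Offline run on a constructed policy (sample values, not tenant data).
$current = @{
    id                      = '00000000-0000-0000-0000-000000000000'
    displayName             = 'Policy for Team Members'
    expiration              = @{ type = 'afterDuration'; duration = 'P30D' }
    requestApprovalSettings = @{ isApprovalRequiredForAdd = $true; stages = @(@{ isEscalationEnabled = $false }) }
    reviewSettings          = @{ isEnabled = $true }
}
$changes = @{ expiration = @{ type = 'afterDuration'; duration = 'PT8H' } }
Merge-PolicyUpdate -Current $current -Changes $changes | ConvertTo-Json -Depth 20
# The same check applied to a constructed "after" state in which the review settings were wiped:
Get-ResetSetting -Before $current -After @{ reviewSettings = $null }
```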