Reputation: 3
I'm using Microsoft Graph API Beta version to delete an access package. However, for deleting an access package, I need first to remove all its assignments. For doing this, I found on the official doc the accessPackageAssignment object (https://learn.microsoft.com/en-us/graph/api/resources/accesspackageassignment?view=graph-rest-beta). When I perform a get request on the assignment:
result = azureAdBeta.get('/identityGovernance/entitlementManagement/accessPackageAssignments/' + accessPackageAssignmentId)
the response is successful:
{'@odata.context': 'https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/accessPackageAssignments/$entity', 'accessPackageId': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'assignmentPolicyId': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'assignmentState': 'Delivered', 'assignmentStatus': 'Delivered', 'catalogId': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'expiredDateTime': None, 'id': '2ad2eb61-9baa-45b9-a700-bfef425d7aef', 'isExtended': False, 'schedule': {'expiration': {'duration': None, 'endDateTime': '2022-01-20T23:00:00Z', 'type': 'afterDateTime'}, 'recurrence': None, 'startDateTime': '2021-12-15T11:16:04.663Z'}, 'targetId': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'}
However, when I perform a delete request:
result = azureAdBeta.delete('/identityGovernance/entitlementManagement/accessPackageAssignments/' + accessPackageAssignmentId)
I get the following error:
{'error': {'code': '', 'innerError': {'client-request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx', 'date': '2021-12-15T11:32:37', 'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'}, 'message': 'No HTTP resource was found that matches the request URI ' "'https://igaelm-asev3-ecapi-neu.igaelm-asev3-environment-neu.p.azurewebsites.net/api/v1/accessPackageAssignments('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx')'."}}
I suppose this error is due to the fact that in the doc no delete method is mentioned for the accessPackageAssignment object.
So how can I delete an access package assignment via Microsoft Graph?
Upvotes: 0
Views: 1120
Reputation: 5165
You can remove an access package assignment through the Microsoft Graph PowerShell module in the following way:
First, view all the access package assignments with the PowerShell commands below:
# Read-only scope is enough for listing assignments
Connect-MgGraph -Scopes "EntitlementManagement.Read.All"
Select-MgProfile -Name "beta"
$accesspackage = Get-MgEntitlementManagementAccessPackage -DisplayNameEq "Marketing Campaign"
$assignments = Get-MgEntitlementManagementAccessPackageAssignment -AccessPackageId $accesspackage.Id -ExpandProperty target -All -ErrorAction Stop
# Show each assignment's Id, state, target object ID and target display name
$assignments | ft Id,AssignmentState,TargetId,{$_.Target.DisplayName}
The above commands will display all the assignments for the access package with the stated display name. Once all the access package assignments for that access package are displayed, execute the commands below to remove an assignment, entering the correct access package ID. Also enter the correct target ID (object ID of the user/group/resource) of the assignment to be removed.
# Removing an assignment needs the read/write scope
Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
Select-MgProfile -Name "beta"
$assignments = Get-MgEntitlementManagementAccessPackageAssignment -Filter "accessPackageId eq '9f573551-f8e2-48f4-bf48-06efbb37c7b8' and assignmentState eq 'Delivered'" -All -ErrorAction Stop
# Pick the assignment that belongs to the target object ID
$toRemove = $assignments | Where-Object {$_.targetId -eq '76fd6e6a-c390-42f0-879e-93ca093321e7'}
# Submit an AdminRemove request for that assignment
$req = New-MgEntitlementManagementAccessPackageAssignmentRequest -AccessPackageAssignmentId $toRemove.Id -RequestType "AdminRemove"
This will remove the access package assignment for the concerned access package.
Note: You will have to install the Microsoft Graph Identity Governance module in PowerShell to execute the above commands. To install the module, run this command in an elevated PowerShell session: Install-Module -Name Microsoft.Graph.Identity.Governance
Also, you can remove the access package assignment through Microsoft Graph from an application JSON file. To do so, refer to the following link and change "requestType": "AdminAdd" to "requestType": "AdminRemove".
Please also refer to the link below for reference:
Upvotes: 0
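The AdminRemove approach from the answer, as an added Python example for the question's REST client (not code from either post). It assumes a requests-style `session` rooted at the beta endpoint and the `accessPackageAssignmentRequests` body fields of the beta API; the fake session, IDs and sample pages are constructed so the block runs offline.

```python
import uuid

BASE = "/identityGovernance/entitlementManagement"  # relative to .../beta

def delivered_assignments(session, access_package_id):
    """Yield each Delivered assignment of one access package, following paging."""
    pkg = str(uuid.UUID(access_package_id))  # rejects anything that is not a GUID
    url = BASE + "/accessPackageAssignments"
    params = {"$filter": f"accessPackageId eq '{pkg}' and assignmentState eq 'Delivered'"}
    while url:
        page = session.get(url, params=params).json()
        yield from page.get("value", [])
        url, params = page.get("@odata.nextLink"), None  # nextLink already has the query

def remove_assignments(session, access_package_id, target_ids=None):
    """POST one AdminRemove request per assignment; return the created requests."""
    created = []
    for a in delivered_assignments(session, access_package_id):
        if target_ids is not None and a["targetId"] not in target_ids:
            continue  # leave assignments of other targets in place
        body = {"requestType": "AdminRemove",
                "accessPackageAssignment": {"id": a["id"]}}
        resp = session.post(BASE + "/accessPackageAssignmentRequests", json=body)
        resp.raise_for_status()
        created.append(resp.json())
    return created

# --- constructed offline stand-ins and sample data (not real Graph output) ---
class FakeResp:
    def __init__(self, data): self.data = data
    def json(self): return self.data
    def raise_for_status(self): pass

class FakeSession:
    def __init__(self, pages): self.pages, self.posted = pages, []
    def get(self, url, params=None): return FakeResp(self.pages[url])
    def post(self, url, json=None):
        self.posted.append((url, json))
        return FakeResp({"id": f"req-{len(self.posted)}", **json})

PKG = "00000000-0000-0000-0000-000000000001"
PAGES = {BASE + "/accessPackageAssignments": {
             "value": [{"id": "asg-1", "targetId": "user-a"}],
             "@odata.nextLink": "page-2"},
         "page-2": {"value": [{"id": "asg-2", "targetId": "user-b"}]}}

if __name__ == "__main__":
    s = FakeSession(PAGES)
    print(remove_assignments(s, PKG, target_ids={"user-b"}), s.posted)
```

Against the real service the session needs the EntitlementManagement.ReadWrite.All scope used in the answer, and `target_ids` limits the removal to specific users instead of clearing the whole package.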