Edit

Share via

Create accessPackageCustomWorkflowExtension

  • Article

Namespace: microsoft.graph

Create a new accessPackageAssignmentRequestWorkflowExtension or accessPackageAssignmentWorkflowExtension object and add it to an existing accessPackageCatalog object.

You must explicitly provide an @odata.type property that indicates whether the object is an accessPackageAssignmentRequestWorkflowExtension or an accessPackageAssignmentWorkflowExtension.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) EntitlementManagement.ReadWrite.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application EntitlementManagement.Read.All EntitlementManagement.ReadWrite.All Not available.

Tip

In delegated scenarios with work or school accounts, the signed-in user must also be assigned an administrator role with supported role permissions through one of the following options:

  • One of the following Azure role assignments are required either on the Logic App itself, or on a higher scope such as the resource group, subscription or management group:
    • Logic App contributor
    • Contributor
    • Owner

And one of the following:

In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the EntitlementManagement.ReadWrite.All application permission. The Catalog owner role is less privileged than the EntitlementManagement.Read.All application permission.. If it's a delegated call without the URL property in logicAppTriggerEndpointConfiguration, the caller also needs to be authorized on the Logic App.

For more information, see Delegation and roles in entitlement management and how to delegate access governance to access package managers in entitlement management.

HTTP request

POST /identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, supply a JSON representation of the accessPackageAssignmentRequestWorkflowExtension or accessPackageAssignmentWorkflowExtension object.

You can specify the following properties when creating a accessPackageCustomWorkflowExtension.

Property Type Description
description String Description for the customAccessPackageWorkflowExtension object.
displayName String Required. Display name for the customAccessPackageWorkflowExtension.
endpointConfiguration customExtensionEndpointConfiguration Required. The type and details for configuring the endpoint to call the logic app's workflow.
authenticationConfiguration customExtensionAuthenticationConfiguration Required. Configuration for securing the API call to the logic app. For example, using OAuth client credentials flow.
callbackConfiguration customExtensionCallbackConfiguration The callback configuration for a custom extension. This is supported for accessPackageAssignmentRequestWorkflowExtension.

You must also supply an @odata.type property with a value of the specific access package workflow extension type. For example, "@odata.type": "#microsoft.graph.accessPackageAssignmentRequestWorkflowExtension".

Response

If successful, this method returns a 201 Created response code and a accessPackageAssignmentRequestWorkflowExtension or accessPackageAssignmentWorkflowExtension object in the response body.

Examples

Example 1: Create a custom extension for use with an access package assignment request

The following is an example of a access package assignment request custom workflow extension.

Request

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/32efb28c-9a7a-446c-986b-ca6528c6669d/customWorkflowExtensions
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.accessPackageAssignmentRequestWorkflowExtension",
  "displayName": "test_action_0124_email",
  "description": "this is for graph testing only",
  "endpointConfiguration": {
    "@odata.type": "#microsoft.graph.logicAppTriggerEndpointConfiguration",
    "subscriptionId": "38ab2ccc-3747-4567-b36b-9478f5602f0d",
    "resourceGroupName": "test",
    "logicAppWorkflowName": "elm-extension-email"
  },
  "authenticationConfiguration": {
    "@odata.type": "#microsoft.graph.azureAdPopTokenAuthentication"
  },
  "callbackConfiguration": {
    "@odata.type": "microsoft.graph.customExtensionCallbackConfiguration",
    "durationBeforeTimeout": "PT1H"
  }
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
   "value":{
      "@odata.type":"#microsoft.graph.accessPackageAssignmentRequestWorkflowExtension",
      "id":"98ffaec5-ae8e-4902-a434-5ffc5d3d3cd0",
      "displayName":"test_action_0124_email",
      "description":"this is for graph testing only",
      "createdDateTime":"2022-01-24T21:48:57.15Z",
      "lastModifiedDateTime":"2022-01-24T21:55:44.953Z",
      "clientConfiguration":null,
      "endpointConfiguration":{
         "@odata.type":"#microsoft.graph.logicAppTriggerEndpointConfiguration",
         "subscriptionId":"38ab2ccc-3747-4567-b36b-9478f5602f0d",
         "resourceGroupName":"test",
         "logicAppWorkflowName":"elm-extension-email",
         "url":"https://prod-31.eastus.logic.azure.com:443/workflows/8ccffea766ae48e680gd9a22d1549bbc/triggers/manual/paths/invoke?api-version=2016-10-01"
      },
      "authenticationConfiguration":{
         "@odata.type":"#microsoft.graph.azureAdPopTokenAuthentication"
      },
      "callbackConfiguration":{
         "@odata.type":"microsoft.graph.customExtensionCallbackConfiguration",
         "durationBeforeTimeout":"PT1H"
      }
   }
}

Example 2: Create a custom extension for use with an access package assignment

The following is an example of a access package assignment custom workflow extension.

Request

POST https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/32efb28c-9a7a-446c-986b-ca6528c6669d/customWorkflowExtensions
Content-Type: application/json

{
   "value":{
      "@odata.type":"#microsoft.graph.accessPackageAssignmentWorkflowExtension",
      "displayName":"test_action_0127_email",
      "description":"this is for graph testing only",
      "endpointConfiguration":{
         "@odata.type":"#microsoft.graph.logicAppTriggerEndpointConfiguration",
         "subscriptionId":"38ab2ccc-3747-4567-b36b-9478f5602f0d",
         "resourceGroupName":"test",
         "logicAppWorkflowName":"elm-extension-email"
      },
      "authenticationConfiguration":{
         "@odata.type":"#microsoft.graph.azureAdPopTokenAuthentication"
      }
   }
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
   "value":{
      "@odata.type":"#microsoft.graph.accessPackageAssignmentWorkflowExtension",
      "id":"78ffaec5-ae8e-4902-a434-5ffc5d3d3cd0",
      "displayName":"test_action_0127_email",
      "description":"this is for graph testing only",
      "createdDateTime":"2022-01-24T21:48:57.15Z",
      "lastModifiedDateTime":"2022-01-24T21:55:44.953Z",
      "clientConfiguration":null,
      "endpointConfiguration":{
         "@odata.type":"#microsoft.graph.logicAppTriggerEndpointConfiguration",
         "subscriptionId":"38ab2ccc-3747-4567-b36b-9478f5602f0d",
         "resourceGroupName":"test",
         "logicAppWorkflowName":"elm-extension-email",
         "url":"https://prod-31.eastus.logic.azure.com:443/workflows/7ccffea766ae48e680gd9a22d1549bbc/triggers/manual/paths/invoke?api-version=2016-10-01"
      },
      "authenticationConfiguration":{
         "@odata.type":"#microsoft.graph.azureAdPopTokenAuthentication"
      }
   }
}