Create accessPackageResourceRequest

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Create a new accessPackageResourceRequest object to request the addition of a resource to an access package catalog, update of a resource, or the removal of a resource from a catalog. A resource must be included in an access package catalog before a role of that resource can be added to an access package.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) EntitlementManagement.ReadWrite.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application EntitlementManagement.ReadWrite.All Not available.

Tip

In delegated scenarios with work or school accounts, the signed-in user must also be assigned an administrator role with supported role permissions through one of the following options:

In app-only scenarios, the calling app can be assigned one of the preceding supported roles instead of the EntitlementManagement.ReadWrite.All application permission. The Catalog owner role is less privileged than the EntitlementManagement.ReadWrite.All application permission.

Additionally you must also have the following permissions on the resource being added:

  • To add a Microsoft Entra group as a resource to a catalog:
  • If using delegated permissions, the user requesting to add a group should be an owner of the group or in a directory role that allows them to modify groups.
  • If using application permissions, the application requesting to add the group should also be assigned the Group.ReadWrite.All permission.
  • To add a Microsoft Entra application as a resource to a catalog:
    • If using delegated permissions, the user requesting to add an application should be an owner of the application or in a directory role that allows them to modify application role assignments.
    • If using application permissions, the application requesting to add the servicePrincipal should also be assigned the Application.ReadWrite.All permission.
  • To add a SharePoint Online site as a resource to a catalog:

HTTP request

POST /identityGovernance/entitlementManagement/accessPackageResourceRequests

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, supply a JSON representation of an accessPackageResourceRequest object. Include the accessPackageResource relationship with an accessPackageResource object as part of the request.

To add a Microsoft Entra group as a resource to a catalog, set the catalogId to be of the ID of the catalog, requestType to be AdminAdd, and an accessPackageResource representing the resource. The value of the originSystem property within the accessPackageResource should be AadGroup and the value of the originId is the identifier of the group. If using delegated permissions, the user requesting to add a group should be an owner of the group or in a directory role which allows them to modify groups. If using application permissions, the application requesting to add the group should also be assigned the Group.ReadWrite.All permission.

To add a Microsoft Entra application as a resource to a catalog, set the catalogId to be of the ID of the catalog, requestType to be AdminAdd, and an accessPackageResource representing the resource. The value of the originSystem property within the accessPackageResource should be AadApplication and the value of the originId is the identifier of the servicePrincipal. If using delegated permissions, the user requesting to add an application should be an owner of the application or in a directory role which allows them to modify application role assignments.

To add a SharePoint Online site as a resource to a catalog, set the catalogId to be of the ID of the catalog, requestType to be AdminAdd, and an accessPackageResource representing the resource. The value of the originSystem property within the accessPackageResource should be SharePointOnline and the value of the originId is the URI of the site. If using delegated permissions, the user should be in the the SharePoint Administrator role. If using application permissions, the application requesting to add the site should also be assigned the Sites.FullControl.All permission. To assign the geolocation environment for a multi-geolocation Sharepoint Online resource, include the accessPackageResourceEnvironment relationship in the accessPackageResource object. This can be done in two ways:

  • Use @odata.bind annotation to assign the id of the accessPackageResourceEnvironment to an accessPackageResourceEnvironment object.
  • Specify the originId parameter of the accessPackageResourceEnvironment in an accessPackageResourceEnvironment object.

To remove a resource from a catalog, set the catalogId to be of the ID of the catalog, requestType to be AdminRemove, and the accessPackageResource the resource object to be removed. The resource object can be retrieved using list accessPackageResources.

Response

If successful, this method returns a 201 Created response code and a new accessPackageResourceRequest object in the response body.

Examples

Example 1: Create an accessPackageResourceRequest for adding a site as a resource

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
Content-type: application/json

{
  "catalogId":"26ac0c0a-08bc-4a7b-a313-839f58044ba5",
  "requestType": "AdminAdd",
  "justification": "",
  "accessPackageResource": {
     "displayName": "Sales",
     "description": "https://contoso.sharepoint.com/sites/Sales",
     "url": "https://contoso.sharepoint.com/sites/Sales",
     "resourceType": "SharePoint Online Site",
     "originId": "https://contoso.sharepoint.com/sites/Sales",
     "originSystem": "SharePointOnline"
  }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
  "catalogId": "26ac0c0a-08bc-4a7b-a313-839f58044ba5",
  "id": "1fe272f0-d463-42aa-a9a8-b07ab50a1c4d",
  "isValidationOnly": false,
  "justification": "",
  "requestState": "Delivered",
  "requestStatus": "Fulfilled",
  "requestType": "AdminAdd"
}

Example 2: Create an accessPackageResourceRequest for adding a site as a resource and assign an accessPackageResourceEnvironment using @odata.bind

Request

The following example shows a request. In this example, the @odata.bind annotation is used to assign the id of the accessPackageResourceEnvironment to an accessPackageResourceEnvironment object.

POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
Content-type: application/json

{
    "catalogId": "de9315c1-272b-4905-924b-cc112ca180c7",
    "accessPackageResource": {
        "displayName": "Community Outreach",
        "description": "https://contoso.sharepoint.com/sites/CSR",
        "resourceType": "SharePoint Online Site",
        "originId": "https://contoso.sharepoint.com/sites/CSR",
        "originSystem": "SharePointOnline",
        "accessPackageResourceEnvironment@odata.bind": "accessPackageResourceEnvironments/615f2218-678f-471f-a60a-02c2f4f80c57"
    },
    "requestType": "AdminAdd"
}

Response

The following example shows the response.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/accessPackageResourceRequests/$entity",
    "catalogId": "de9315c1-272b-4905-924b-cc112ca180c7",
    "executeImmediately": false,
    "id": "d3f800d5-0dd6-47f3-9e90-ef562c7551dc",
    "requestType": "AdminAdd",
    "requestState": "Delivered",
    "requestStatus": "Fulfilled",
    "isValidationOnly": false,
    "expirationDateTime": null,
    "justification": null
}

Example 3: Create an accessPackageResourceRequest for adding a site as a resource and assign an accessPackageResourceEnvironment using originId

Request

The following example shows a request. In this example, the parameters of an accessPackageResourceEnvironment are specified in an accessPackageResourceEnvironment object.

POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
Content-type: application/json

{
    "catalogId": "de9315c1-272b-4905-924b-cc112ca180c7",
    "accessPackageResource": {
        "displayName": "Community Outreach",
        "description": "https://contoso.sharepoint.com/sites/CSR",
        "resourceType": "SharePoint Online Site",
        "originId": "https://contoso.sharepoint.com/sites/CSR",
        "originSystem": "SharePointOnline",
        "accessPackageResourceEnvironment": {
            "originId": "https://contoso-admin.sharepoint.com/"
        }
    },
    "requestType": "AdminAdd"
}

Response

The following example shows the response.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/accessPackageResourceRequests/$entity",
    "catalogId": "de9315c1-272b-4905-924b-cc112ca180c7",
    "executeImmediately": false,
    "id": "eadf3fbb-668c-4c3a-8d84-7c8bd73dc3e4",
    "requestType": "AdminAdd",
    "requestState": "Delivered",
    "requestStatus": "Fulfilled",
    "isValidationOnly": false,
    "expirationDateTime": null,
    "justification": null
}

Example 4: Create an accessPackageResourceRequest for adding a group as a resource

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
Content-type: application/json

{

  "catalogId":"beedadfe-01d5-4025-910b-84abb9369997",
  "requestType": "AdminAdd",
  "accessPackageResource": {
     "originId": "c6294667-7348-4f5a-be73-9d2c65f574f3",
     "originSystem": "AadGroup"
  }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
  "catalogId": "beedadfe-01d5-4025-910b-84abb9369997",
  "id": "acc2294e-f37f-42d3-981d-4e83847ed0ce",
  "requestType": "AdminAdd",
  "requestState": "Delivered",
  "requestStatus": "Fulfilled"
}

Example 5: Create an accessPackageResourceRequest for removing a resource

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
Content-type: application/json

{
  "catalogId": "beedadfe-01d5-4025-910b-84abb9369997",
  "requestType": "AdminRemove",
  "accessPackageResource": {
    "id": "354078e5-dbce-4894-8af4-0ab274d41662"
  }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
  "catalogId": "beedadfe-01d5-4025-910b-84abb9369997",
  "id": "65c3340d-defb-49a9-8930-63841fda0e68",
  "requestType": "AdminRemove",
  "requestState": "Delivered",
  "requestStatus": "Fulfilled"
}

Example 6: Create an accessPackageResourceRequest for adding an application

Request

The following example shows a request for adding an application to a catalog, including specifying a required attribute of that application.

POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageResourceRequests
Content-type: application/json

{
  "catalogId": "26ac0c0a-08bc-4a7b-a313-839f58044ba5",
  "requestType": "AdminAdd",
  "justification": "",
  "accessPackageResource": {
      "displayName": "Faculty cafeteria ordering",
      "description": "Example application",
      "url": "https://myapps.microsoft.com/example.com/signin/Faculty%20cafeteria%20ordering/f1e3b407-942d-4934-9a3f-cef1975cb988/",
      "resourceType": "Application",
      "originId": "2f1099a6-d4fc-4cc9-a0ef-ddd3f1bf0b7e",
      "originSystem": "AadApplication",
      "attributes": [
        {
          "attributeName": "extension_2b676109c7c74ae2b41549205f1947ed_personalTitle",
          "isEditable": true,
          "isPersistedOnAssignmentRemoval": true,
          "attributeSource": {
              "@odata.type": "#microsoft.graph.accessPackageResourceAttributeQuestion",
              "question": {
                  "@odata.type": "#microsoft.graph.accessPackageTextInputQuestion",
                  "isRequired": false,
                  "sequence": 0,
                  "isSingleLineQuestion": true,
                  "text": {
                      "defaultText": "Title",
                      "localizedTexts": []
                  }
              }
          },
          "attributeDestination": {
              "@odata.type": "#microsoft.graph.accessPackageUserDirectoryAttributeStore"
          }
        }
      ]
  }
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
  "id": "f0e632ed-afd2-41d3-8d6e-ccefda457e5e",
  "requestType": "AdminAdd",
  "requestState": "Delivered",
  "requestStatus": "Fulfilled"
}