MS Graph API - Azure PIM group approval and notification settings

Question (votes: 0, answers: 1)

To configure Azure PIM group approval and notification settings with the Microsoft Graph API, you need to define rules for the role management policy. Essentially, run the API call below to retrieve the policies scoped to the group:

```http
GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies?$filter=scopeId eq 'groupId' and scopeType eq 'Group'&$expand=rules($select=id)
```

response:
Tags: azure, azure-ad-graph-api

1 answer

0 votes

Now you need to update the rules to change the PIM group approval and notification settings. I have a PIM group role setting with the following user as approver:

To change this PIM group role setting so that a different user is the approver, I used the Microsoft Graph API call below:

```http
PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/policyId/rules/Approval_EndUser_Assignment
```

```json
{
  "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
  "id": "Approval_EndUser_Assignment",
  "target": {
    "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget",
    "caller": "EndUser",
    "operations": [ "All" ],
    "level": "Assignment",
    "inheritableSettings": [],
    "enforcedSettings": []
  },
  "setting": {
    "@odata.type": "microsoft.graph.approvalSettings",
    "isApprovalRequired": true,
    "isApprovalRequiredForExtension": false,
    "isRequestorJustificationRequired": true,
    "approvalMode": "SingleStage",
    "approvalStages": [
      {
        "@odata.type": "microsoft.graph.unifiedApprovalStage",
        "approvalStageTimeOutInDays": 1,
        "isApproverJustificationRequired": true,
        "escalationTimeInMinutes": 0,
        "primaryApprovers": [
          {
            "@odata.type": "#microsoft.graph.singleUser",
            "userId": "bd892748-axx4-4188-a892-e1xxxxxx"
          }
        ],
        "isEscalationEnabled": false,
        "escalationApprovers": []
      }
    ]
  }
}
```

Response:

To confirm, I checked the same in the portal, where the approver was changed successfully as shown below:


Similarly, the following are the notification settings configured for my PIMgroup01 group, with no additional recipients:

To change the PIM group notification settings by adding an additional recipient, I used the following API call:

```http
PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/policyId/rules/Notification_Admin_Admin_Eligibility
```

```json
{
  "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
  "id": "Notification_Admin_Admin_Eligibility",
  "target": {
    "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
  },
  "notificationType": "Email",
  "recipientType": "Admin",
  "notificationLevel": "All",
  "isDefaultRecipientsEnabled": "true",
  "notificationRecipients": [ "[email protected]" ]
}
```

Response:

When I checked the same in the portal, the additional recipient had been added successfully:

To know which role-setting rule to update, you can check this Microsoft document.

If you are generating the access token with the client credentials flow in Python, make sure to grant the RoleManagementPolicy.ReadWrite.AzureADGroup application permission with admin consent:


Sample Python code:

```python
import requests
import msal

CLIENT_ID = "appId"
CLIENT_SECRET = "secret"
TENANT_ID = "tenantId"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
SCOPE = ["https://graph.microsoft.com/.default"]

# Acquire an app-only token with the client credentials flow
app = msal.ConfidentialClientApplication(CLIENT_ID, authority=AUTHORITY, client_credential=CLIENT_SECRET)
token_result = app.acquire_token_for_client(scopes=SCOPE)
if "access_token" in token_result:
    access_token = token_result["access_token"]
else:
    raise Exception("Failed to retrieve access token.")

HEADERS = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
GROUP_ID = "groupId"

# Retrieve the role management policy scoped to the group (with its rule ids)
policy_url = f"https://graph.microsoft.com/v1.0/policies/roleManagementPolicies?$filter=scopeId eq '{GROUP_ID}' and scopeType eq 'Group'&$expand=rules($select=id)"
response = requests.get(policy_url, headers=HEADERS)
if response.status_code in [200, 204]:
    policies = response.json().get("value", [])
    if policies:
        policy_id = policies[0]["id"]
    else:
        raise Exception("No PIM policy found for the group.")
else:
    raise Exception(f"Failed to retrieve policies: {response.status_code} {response.text}")

# Update the approval rule: require approval, with a single approver
approval_rule_url = f"https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/{policy_id}/rules/Approval_EndUser_Assignment"
approval_payload = {
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
    "id": "Approval_EndUser_Assignment",
    "target": {
        "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget",
        "caller": "EndUser",
        "operations": ["All"],
        "level": "Assignment",
        "inheritableSettings": [],
        "enforcedSettings": []
    },
    "setting": {
        "@odata.type": "microsoft.graph.approvalSettings",
        "isApprovalRequired": True,
        "isApprovalRequiredForExtension": False,
        "isRequestorJustificationRequired": True,
        "approvalMode": "SingleStage",
        "approvalStages": [
            {
                "@odata.type": "microsoft.graph.unifiedApprovalStage",
                "approvalStageTimeOutInDays": 1,
                "isApproverJustificationRequired": True,
                "escalationTimeInMinutes": 0,
                "primaryApprovers": [
                    {
                        "@odata.type": "#microsoft.graph.singleUser",
                        "userId": "bd892748-axx4-4188-a892-e1xxxxxx"
                    }
                ],
                "isEscalationEnabled": False,
                "escalationApprovers": []
            }
        ]
    }
}
response = requests.patch(approval_rule_url, headers=HEADERS, json=approval_payload)
if response.status_code in [200, 204]:
    print("PIM approval settings updated successfully.")
else:
    print(f"Failed to update PIM approval settings: {response.status_code} {response.text}")

# Update the notification rule: add an extra recipient for admin eligibility mails
notification_rule_url = f"https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/{policy_id}/rules/Notification_Admin_Admin_Eligibility"
notification_payload = {
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
    "id": "Notification_Admin_Admin_Eligibility",
    "target": {
        "@odata.type": "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
    },
    "notificationType": "Email",
    "recipientType": "Admin",
    "notificationLevel": "All",
    "isDefaultRecipientsEnabled": "true",
    "notificationRecipients": ["[email protected]"]
}
response = requests.patch(notification_rule_url, headers=HEADERS, json=notification_payload)
if response.status_code in [200, 204]:
    print("PIM notification settings updated successfully.")
else:
    print(f"Failed to update PIM notification settings: {response.status_code} {response.text}")
```

Reference:

Update unifiedRoleManagementPolicyRule - Microsoft Graph
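As an added example (not part of the answer above and not Microsoft's code), the following audits a policy object of the shape returned by the `$expand=rules` call, flagging drift in the `Approval_EndUser_Assignment` and `Notification_Admin_Admin_Eligibility` rules against the approvers and recipients you expect; `SAMPLE_POLICY` is a constructed response, not data from a real tenant.

```python
# Added example (not from the answer): audit a PIM group policy, as returned by
# GET /policies/roleManagementPolicies?...&$expand=rules, for drift from an
# expected approval and notification configuration. SAMPLE_POLICY is constructed.
SAMPLE_POLICY = {
    "rules": [
        {
            "id": "Approval_EndUser_Assignment",
            "setting": {
                "isApprovalRequired": True,
                "approvalStages": [{"primaryApprovers": [
                    {"userId": "00000000-0000-0000-0000-000000000001"}]}],
            },
        },
        {"id": "Notification_Admin_Admin_Eligibility",
         "isDefaultRecipientsEnabled": False, "notificationRecipients": []},
    ],
}


def rule_by_id(policy, rule_id):
    # Return the rule with the given id, or None if the policy lacks it.
    return next((r for r in policy.get("rules", []) if r.get("id") == rule_id), None)


def audit_policy(policy, expected_approver_ids, expected_recipients):
    # Returns a list of findings; an empty list means the policy matches expectations.
    findings = []
    approval = rule_by_id(policy, "Approval_EndUser_Assignment")
    if approval is None:
        findings.append("approval rule missing")
    else:
        setting = approval.get("setting", {})
        if not setting.get("isApprovalRequired"):
            findings.append("activation does not require approval")
        approvers = {a.get("userId") for s in setting.get("approvalStages", [])
                     for a in s.get("primaryApprovers", []) if a.get("userId")}
        if approvers != set(expected_approver_ids):
            findings.append(f"approvers differ: {sorted(approvers)}")
    notif = rule_by_id(policy, "Notification_Admin_Admin_Eligibility")
    if notif is None:
        findings.append("admin eligibility notification rule missing")
    else:
        if not notif.get("isDefaultRecipientsEnabled"):
            findings.append("default admin recipients disabled")
        missing = set(expected_recipients) - set(notif.get("notificationRecipients", []))
        if missing:
            findings.append(f"notification recipients missing: {sorted(missing)}")
    return findings
```

Running this periodically against the live policy (the GET call from the answer supplies the object) turns a one-off PATCH into a check that the approval gate and its notifications are still in place.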
