Open
Description
Describe the bug
When using New-MgBetaEntitlementManagementAccessPackageAssignmentRequest there is an option to add the parameter: IsApprovalRequired. This should allow an AdminAdd but without bypassing the approval. However, when using this parameter = $true, the assignments request gets Auto-approved.
When looking at the Graph API call that is being made when doing this manually via the entra ID portal, I would expect this to work.
Expected behavior
When IsApprovalRequired is set to True, I would expect the assignment request to respect the approval flow.
How to reproduce
Example:
$params = @{
requestType = "AdminAdd"
accessPackageAssignment = @{
targetId = "bc78db22-3bbd-4488-1121-XXXXXX"
assignmentPolicyId = "0aba116d-fab3-41a0-2205-XXXX"
accessPackageId = "36c81c22-13e5-4a8e-9efb-XXXXXX"
}
justification = "User needs this Access package"
parameters = @(
@{
name = "IsApprovalRequired"
value = "true"
}
)
}
New-MgBetaEntitlementManagementAccessPackageAssignmentRequest -BodyParameter $params
SDK Version
2.25.0
Latest version known to work for scenario above?
No response
Known Workarounds
No response
Debug output
DEBUG: [CmdletBeginProcessing]: - New-MgBetaEntitlementManagementAccessPackageAssignmentRequest begin processing with parameterSet 'Create'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: 'IAM create user'.
DEBUG: [Authentication]: - Scopes: [User.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All, Group.ReadWrite.All, EntitlementManagement.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AccessReview.Read.All, Mail.Send, GroupMember.ReadWrite.All, Sites.FullControl.All].
Confirm
Are you sure you want to perform this action?
Performing the operation "New-MgBetaEntitlementManagementAccessPackageAssignmentRequest_Create" on target "Call remote 'POST /identityGovernance/entitlementManagement/accessPackageAssignmentRequests' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.26100; en-BE),PowerShell/2025.0.0
Accept-Encoding : gzip
SdkVersion : graph-powershell-beta/2.25.0
client-request-id : df5f5742-f28c-433e-9c78-25cc8c38b3a2
Body:
{
"parameters": [
{
"value": "true",
"name": "IsApprovalRequired"
}
],
"justification": "Test",
"requestType": "AdminAdd",
"accessPackageAssignment": {
"accessPackageId": "36c81c89-43e5-4a8e-9efb-XXXX",
"assignmentPolicyId": "0aba566d-fab3-41a0-9205-XXXX",
"targetId": "78bb4b58-4490-48c8-89b9-XXXXX"
}
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : private
Location : https://igaelm-asev3-ecapi-neu.igaelm-asev3-environment-neu.p.azurewebsites.net/api/v1/accessPackageAssignmentRequests
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : e50287c9-1f52-459a-9ff7-cb9f445d43e3
client-request-id : df5f5742-f28c-433e-9c78-25cc8c38b3a2
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"007","RoleInstance":"AM4PEPF000278F3"}}
Link : <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:MicrosofEntitlementManagementCustomextensions&from=2022-10-01&to=2022-11-01>;rel="deprecation";type="text/html",<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:MicrosofEntitlementManagementCustomextensions&from=2022-10-01&to=2022-11-01>;rel="deprecation";type="text/html",<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:MicrosofEntitlementManagementCustomextensions&from=2022-10-01&to=2022-11-01>;rel="deprecation";type="text/html"
deprecation : Wed, 01 Mar 2023 23:59:59 GMT
sunset : Sat, 01 Mar 2025 23:59:59 GMT
odata-version : 4.0
Date : Wed, 14 May 2025 13:56:34 GMT
Body:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identityGovernance/entitlementManagement/accessPackageAssignmentRequests/$entity",
"id": "88d39fc4-9969-4964-a958-ae31687b7446",
"requestType": "AdminAdd",
"requestState": "Submitted",
"requestStatus": "Accepted",
"createdDateTime": null,
"completedDate": null,
"justification": "Test",
"isValidationOnly": false,
"schedule": {
"startDateTime": null,
"recurrence": null,
"expiration": {
"endDateTime": null,
"duration": null,
"type": "notSpecified"
}
},
"answers": [],
"history": [
{
"action": "Accepted",
"userDisplayName": "XXXXX",
"userPrincipalName": "XXXXX",
"actionDateTime": "2025-05-14T13:56:34.3962453Z",
"scheduledDateTime": null,
"detail": null
}
],
"verifiedCredentialsData": [],
"customExtensionHandlerInstances": [],
"customExtensionCalloutInstances": []
}
DEBUG: [CmdletEndProcessing]: - New-MgBetaEntitlementManagementAccessPackageAssignmentRequest end processing.
Id CompletedDate CreatedDateTime ExpirationDateTime IsValidationOnly Justification RequestState RequestStatus RequestType
-- ------------- --------------- ------------------ ---------------- ------------- ------------ ------------- -----------
88d39fc4-9969-4964-a958-ae31687b7446 False Test Submitted Accepted AdminAdd
Configuration
No response
Other information
No response