Working with the Azure AD entitlement management API

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Azure Active Directory (Azure AD) entitlement management can help you manage access to groups, applications, and SharePoint Online sites for internal users as well as users outside your organization.

By creating access packages with the roles users need to have across those resources, and defining policies for who can request an access package and how long they can have an assignment to an access package, you can govern the lifecycle of access for both internal and external users.

The entitlement management resource types include:

In addition, role assignments for entitlement management-specific roles can be managed through entitlement management role definitions.

For a tutorial that shows you how to use entitlement management to create a package of resources that internal users can self-service request, see Create an access package using Microsoft Graph APIs.

Note that the entitlement management feature, including the API, is included in Azure AD Premium P2. The tenant where entitlement management is being used must have a valid purchased or trial Azure AD Premium P2 or EMS E5 subscription. For more information about license requirements for the entitlement management feature, see Entitlement management license requirements.

Methods

The following table lists the methods that you can use to interact with entitlement management-related resources.

Method Return type Description
Get entitlementManagementSettings Read the properties of an entitlementManagementSettings object.
Update entitlementManagementSettings Update the properties of an entitlementManagementSettings object.
List accessPackages accessPackage collection Retrieve a list of accessPackage objects.
Create accessPackage accessPackage Create a new accessPackage object.
Get accessPackage accessPackage Read properties and relationships of an accessPackage object.
Update accessPackage None Update the properties of an accesspackage object.
Delete accessPackage Delete accessPackage.
FilterByCurrentUser accessPackage collection Retrieve a list of accessPackage objects filtered on the signed-in user.
List accessPackageResourceRoleScopes accessPackageResourceRoleScope collection Retrieve a list of accessPackageResourceRoleScope objects for an access package.
Create accessPackageResourceRoleScope Create a new accessPackageResourceRoleScope object for an access package.
List incompatibleAccessPackages accessPackage collection Retrieve a list of the incompatible accesspackage objects for this access package.
Add accessPackage to incompatibleAccessPackages None Add a link to indicate another accesspackage is incompatible with a specified access package.
Remove accessPackage from incompatibleAccessPackages None Remove a link that indicated an accesspackage was incompatible.
List incompatibleGroups group collection Retrieve a list of the incompatible group objects for this access package.
Add group to incompatibleGroups None Add a link to indicate membership of a group is incompatible with a specified access package.
Remove group from incompatibleGroups None Remove a link that indicated a group membership was incompatible.
List accessPackagesIncompatibleWith accessPackage collection Retrieve a list of the accesspackage objects which list this access package as incompatible.
List accessPackageAssignmentPolicies accessPackageAssignmentPolicy collection Retrieve a list of accessPackageAssignmentPolicy objects.
Create accessPackageAssignmentPolicy accessPackageAssignmentPolicy Create a new accessPackageAssignmentPolicy object.
Get accessPackageAssignmentPolicy accessPackageAssignmentPolicy Read properties and relationships of an accessPackageAssignmentPolicy object.
Update accessPackageAssignmentPolicy accessPackageAssignmentPolicy Update the properties of an accessPackageAssignmentPolicy object.
Delete accessPackageAssignmentPolicy Delete an accessPackageAssignmentPolicy.
List accessPackageAssignmentRequests accessPackageAssignmentRequest collection Retrieve a list of accessPackageAssignmentRequest objects.
Create accessPackageAssignmentRequest accessPackageAssignmentRequest Create a new accessPackageAssignmentRequest.
Get accessPackageAssignmentRequest accessPackageAssignmentRequest Read properties and relationships of an accessPackageAssignmentRequest object.
Delete accessPackageAssignmentRequest None Delete an accessPackageAssignmentRequest.
FilterByCurrentUser accessPackageAssignmentRequest collection Retrieve the list of accessPackageAssignmentRequest objects filtered on the signed-in user.
cancel accessPackageAssignmentRequest collection Cancel an accessPackageAssignmentRequest object that is in a cancellable state: accepted, pendingApproval, pendingNotBefore, pendingApprovalEscalated.
List accessPackageAssignments accessPackageAssignment collection Retrieve a list of accessPackageAssignment objects.
FilterByCurrentUser accessPackageAssignment collection Retrieve the list of accessPackageAssignment objects filtered on the signed-in user.
reprocess None Automatically reevaluate and enforce a user’s assignments for a specific access package.
additionalAccess accessPackageAssignment collection Retrieve the list of accessPackageAssignment objects for users who have assignments to incompatible access packages.
List accessPackageAssignmentResourceRoles accessPackageAssignmentResourceRole collection Retrieve a list of accessPackageAssignmentResourceRole objects.
Get accessPackageAssignmentResourceRole accessPackageAssignmentResourceRole Retrieve a accessPackageAssignmentResourceRole object.
List accessPackageCatalogs accessPackageCatalog collection Retrieve a list of accessPackageCatalogs objects.
Create accessPackageCatalog accessPackageCatalog Create a new accessPackageCatalog object.
Get accessPackageCatalog accessPackageCatalog Read properties and relationships of an accessPackageCatalog object.
Update accessPackageCatalog None Update the properties of an accessPackageCatalog object.
Delete accessPackageCatalog Delete an accessPackageCatalog.
List accessPackageCatalog resources accessPackageResource collection Retrieve a list of accessPackageResource objects.
List accessPackageCatalog resource roles accessPackageResourceRole collection Retrieve a list of accessPackageResourceRole objects.
List accessPackageResourceRequests accessPackageResourceRequest collection Read properties and relationships of accessPackageResourceRequest objects.
Create accessPackageResourceRequest accessPackageCatalog Create a new accessPackageResourceRequest object.
List accessPackageResourceEnvironments accessPackageResourceEnvironment collection Retrieve a list of accessPackageResourceEnvironment objects.
Get accessPackageResourceEnvironment accessPackageResourceEnvironment Read the properties and relationships of an accessPackageResourceEnvironment object.
List connectedOrganizations connectedOrganization collection Retrieve a list of connectedOrganization objects.
Create connectedOrganization connectedOrganization Create a new connectedOrganization object.
Get connectedOrganization connectedOrganization Read properties and relationships of a connectedOrganization object.
Update connectedOrganization None Update a connectedOrganization.
Delete connectedOrganization None Delete a connectedOrganization.
List internalSponsors directoryObject collection Retrieve a list of a connectedOrganization's internal sponsors.
List externalSponsors directoryObject collection Retrieve a list of a connectedOrganization's external sponsors.
Add internalSponsors None Add a user or group to a connectedOrganization's internal sponsors.
Add externalSponsors None Add a user or group to a connectedOrganization's external sponsors.
Remove internalSponsors None Remove a user or group from a connectedOrganization's internal sponsors.
Get approval approval Retrieve the properties of an approval object.
List approvalSteps approvalStep collection List the approvalStep objects associated with an approval object.
Get approvalStep approvalStep Retrieve the properties of an approvalStep object.
Update approvalStep None Apply approve or deny decision on an approvalStep object.

Types

See also