DEV Community

Cover image for Automate Entitlement Management in Azure AD Identity Governance using Microsoft Graph Powershell
Arindam Mitra
Arindam Mitra

Posted on • Updated on

Automate Entitlement Management in Azure AD Identity Governance using Microsoft Graph Powershell

#azure #devops #powershell #community

Greetings to my fellow Technology Advocates and Specialists.

In this Session, I will demonstrate How to create Catalog and Access Package in Entitlement Management using Microsoft Graph Powershell.

I had the Privilege to talk on this topic in THREE Azure Communities:-

NAME OF THE AZURE COMMUNITY TYPE OF SPEAKER SESSION
Azure Spring Clean 2023 Virtual
Cloud Lunch and Learn Virtual
Azure Back To School 2023 Virtual
EVENT ANNOUNCEMENTS:-
Image description
Image description
Image description
VIRTUAL SESSION:-
LIVE DEMO was Recorded as part of my Presentation in CLOUD LUNCH AND LEARN Forum/Platform
Duration of My Demo = 53 Mins 28 Secs
AUTOMATION OBJECTIVES:-
# TOPICS
1. Create a Catalog.
2. Add an existing Azure Active Directory (AAD) Group as an Resource in the Catalog.
3. Create Azure Active Directory (AAD) Group(s).
4. Assign the Azure Active Directory (AAD) Group(s) as "Catalog Owner", "Catalog Reader", "Access Package Manager", and "Access Package Client Assignment Manager" respectively.
5. Create a Access Package.
6. Add the already added existing Azure Active Directory (AAD) Group in the Catalog to the Access Package as "Member".
7. Create Access Package Policy.
INTRODUCTION:-
Azure Active Directory (AAD) entitlement management using Microsoft Graph PowerShell enables you to manage access to all the resources that users need, such as groups, applications, and sites. Entitlement management helps to create a package of resources that internal users can use for self-service requests. Requests that does not require approval and user access expires after 365 days.
Here, in this session, resources are just member in a single group, but it could be a collection of groups, applications, or SharePoint Online sites.
REQUIREMENTS:-
  1. Azure Tenant by type "Azure Active Directory (AAD)" with one of the Licenses in order to use "Azure AD Entitlement Management": a.) Azure AD Premium P2, OR b.) Enterprise Mobility + Security (EMS) E5 license.
  2. Microsoft Graph PowerShell SDK.
  3. "User Administrator", "Identity Governance Administrator" or "Global Administrator" PIM role is required to configure catalogs, access packages, or policies in entitlement management.
  4. A test Azure Active Directory (AAD) Group to onboard as a Catalog Resource and Access Package Member.
USE CASES:-
Assigning and Removing one or more users from one or more AAD Groups at the same time.
CODE REPOSITORY:-

GitHub logo arindam0310018 / 24-Feb-2023-Microsoft-Graph-Powershell_Create-Catalog-AccessPackage-Roles-Policies

Automate Entitlement Management in Azure AD Identity Governance using Microsoft Graph Powershell

Automate Entitlement Management in Azure AD Identity Governance using Microsoft Graph Powershell:-

Greetings to my fellow Technology Advocates and Specialists.

In this Session, I will demonstrate How to create Catalog and Access Package in Entitlement Management using Microsoft Graph Powershell.

I had the Privilege to talk on this topic in THREE Azure Communities:-

NAME OF THE AZURE COMMUNITY TYPE OF SPEAKER SESSION
Azure Spring Clean 2023 Virtual
Cloud Lunch and Learn Virtual
Azure Back To School 2023 Virtual
EVENT ANNOUNCEMENTS:-
Image description
Image description
Image description
VIRTUAL SESSION:-
LIVE DEMO was Recorded as part of my Presentation in CLOUD LUNCH AND LEARN Forum/Platform
Duration of My Demo = 53 Mins 28 Secs
IMAGE ALT TEXT HERE
AUTOMATION OBJECTIVES:-
# TOPICS
1. Create a Catalog.
2. Add an existing Azure Active Directory (AAD) Group as an Resource in the Catalog.
3. Create Azure Active Directory (AAD) Group(s).
4. Assign the Azure Active Directory (AAD) Group(s) as "Catalog Owner", "Catalog Reader", "Access
View on GitHub
BELOW FOLLOWS THE CODE SNIPPET:- 


###############
# VARIABLES:- 
###############
$CatalogName = "AM-LAB"
$CatalogDesc = "AM Lab Environment Catalog"
$AADGroupname = "AM-Lab-OpsSupport"
$AccessPackageName = "AM-Lab-Access-Pkge"
$AccessPackageDesc = "AM Lab Environment Access Package"
$scopetype = "NoSubjects"
$acceptrequests = "$true"
$accesspkgapprovalreq = "$false"
$accesspkgapprovalreqext = "$false"
$accesspkgrequestorjustify = "$false"
$AccessPackagePolicyName = "Administrator managed (365 days)"
$AccessPackagePolicyDesc = "admin managed policy"
$duration = "365"
$AADGrpCatalogowner = "AM-Lab-Catalog-Owner"
$AADGrpCatalogreader = "AM-Lab-Catalog-Reader"
$AADGrpCatalogaccesspackagemanager = "AM-Lab-Catalog-AccessPackage-Manager"
$AADGrpCatalogaccesspackageassignmentmanager = "AM-Lab-Catalog-AccessPackage-Assignment-Manager"
#############################################
# The below Role Ids are constant values:-
#############################################
$roleidCatalogowner = "ae79f266-94d4-4dab-b730-feca7e132178"
$roleidCatalogreader = "44272f93-9762-48e8-af59-1b5351b1d6b3"
$roleidAccesspackagemanager = "7f480852-ebdc-47d4-87de-0d8498384a83"
$roleidAccesspackageassignmentmanager = "e2182095-804a-4656-ae11-64734e9b7ae5"

#################
# CORE SCRIPT:- 
#################

#########################################
#1. Connect to MS Graph Powershell SDK:-
#########################################

Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
Select-MgProfile -Name "beta"
Import-Module Microsoft.Graph.DeviceManagement.Enrolment

####################################################
#2. Create Catalog and get the Catalog Identifier:-
####################################################

$catalogid = New-MgEntitlementManagementAccessPackageCatalog -DisplayName $CatalogName -Description $CatalogDesc | Select -ExpandProperty Id

echo "##############################################"
echo "Catalog $CatalogName created successfully."
echo "##############################################"

########################################################################
#3. Create AAD Groups and configure Catalog Roles and Administrator:- 
########################################################################

$AADGrpCatalogownerid = az ad group create --display-name $AADGrpCatalogowner --mail-nickname $AADGrpCatalogowner --query "id" -o tsv
$AADGrpCatalogreaderid = az ad group create --display-name $AADGrpCatalogreader --mail-nickname $AADGrpCatalogreader --query "id" -o tsv
$AADGrpCatalogaccesspackagemanagerid = az ad group create --display-name $AADGrpCatalogaccesspackagemanager --mail-nickname $AADGrpCatalogaccesspackagemanager --query "id" -o tsv
$AADGrpCatalogaccesspackageassignmentmanagerid = az ad group create --display-name $AADGrpCatalogaccesspackageassignmentmanager --mail-nickname $AADGrpCatalogaccesspackageassignmentmanager --query "id" -o tsv

echo "###################################################################################"
echo "Pausing the Script for 60 Secs for the newly created AAD Group to be populated."
echo "###################################################################################"
Start-Sleep 60

$catalogownerrole = @{
    PrincipalId = "$AADGrpCatalogownerid"
    RoleDefinitionId = "$roleidCatalogowner"
    AppScopeId = "/AccessPackageCatalog/$catalogid"
}

$catalogreaderrole = @{
    PrincipalId = "$AADGrpCatalogreaderid"
    RoleDefinitionId = "$roleidCatalogreader"
    AppScopeId = "/AccessPackageCatalog/$catalogid"
}

$catalogaccesspackagemanagerrole = @{
    PrincipalId = "$AADGrpCatalogaccesspackagemanagerid"
    RoleDefinitionId = "$roleidAccesspackagemanager"
    AppScopeId = "/AccessPackageCatalog/$catalogid"
}

$catalogaccesspackageassignmentmanagerrole = @{
    PrincipalId = "$AADGrpCatalogaccesspackageassignmentmanagerid"
    RoleDefinitionId = "$roleidAccesspackageassignmentmanager"
    AppScopeId = "/AccessPackageCatalog/$catalogid"
}

New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $catalogownerrole
echo "#######################################################################################################################"
echo "AAD Group $AADGrpCatalogowner created successfully and has been added in the Catalog $CatalogName as Catalog Owner."
echo "#######################################################################################################################"

New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $catalogreaderrole
echo "#######################################################################################################################"
echo "AAD Group $AADGrpCatalogreader created successfully and has been added in the Catalog $CatalogName as Catalog Reader."
echo "#######################################################################################################################"

New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $catalogaccesspackagemanagerrole
echo "#######################################################################################################################################################"
echo "AAD Group $AADGrpCatalogaccesspackagemanager created successfully and has been added in the Catalog $CatalogName as Catalog Access Package Manager."
echo "#######################################################################################################################################################"

New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $catalogaccesspackageassignmentmanagerrole
echo "###########################################################################################################################################################################"
echo "AAD Group $AADGrpCatalogaccesspackageassignmentmanager created successfully and has been added in the Catalog $CatalogName as Catalog Access Package Assignment Manager."
echo "###########################################################################################################################################################################"

#############################################
#4. Add AAD Group to the Catalog Resource:-
#############################################

$aadgrpid = az ad group show -g "$AADGroupname" --query "id" -o tsv

$accessPackageResource = @{
  "originSystem" = "AadGroup"
  "OriginId" = $aadgrpid
}
New-MgEntitlementManagementAccessPackageResourceRequest -CatalogId $catalogid -RequestType "AdminAdd" -AccessPackageResource $accessPackageResource | select Id, RequestState | ConvertTo-Json
echo "###################################################################################"
echo "AAD Group $AADGroupname has been added to the Catalog $CatalogName successfully."
echo "###################################################################################"

##################################################
#5. Get ID of the AAD Group as Catalog Resource:-
##################################################

$catalogresourceid = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResource -AccessPackageCatalogId $catalogid -Filter "DisplayName eq '$AADGroupname'" | Select -ExpandProperty Id

###################################################
#6. Get the Origin ID of the member Resource Role:-
###################################################

$catalogresourceoriginid = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResourceRole -AccessPackageCatalogId $catalogid -Filter "originSystem eq 'AadGroup' and accessPackageResource/id eq '$catalogresourceid' and DisplayName eq 'Member'" | Select -ExpandProperty OriginId

################################
#7. Create Access Package:-
################################

$accesspkgid = New-MgEntitlementManagementAccessPackage -CatalogId $catalogid -DisplayName $AccessPackageName -Description $AccessPackageDesc | Select -ExpandProperty Id
echo "#############################################################################################"
echo "Access Package $AccessPackageName has been added to the Catalog $CatalogName successfully."
echo "#############################################################################################"

############################################################
#8. Add Resource Role (Member Role) in the Access Package:-
############################################################

$accessPackageResource = @{
  "id" = $catalogresourceid
  "resourceType" = "Security Group"
  "originId" = $aadgrpid
  "originSystem" = "AadGroup"
  }

$accessPackageResourceRole = @{
  "originId" = $catalogresourceoriginid
  "displayName" = "Member"
  "originSystem" = "AadGroup"
  "accessPackageResource" = $accessPackageResource
  }

$accessPackageResourceScope = @{
  "originId" = $aadgrpid
  "originSystem" = "AadGroup"
  }

New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $accesspkgid -AccessPackageResourceRole $accessPackageResourceRole -AccessPackageResourceScope $accessPackageResourceScope | Format-List
echo "#################################################################################################################"
echo "AAD Group $AADGroupname has been added successfully to the Access Package $AccessPackageName with Member Role."
echo "#################################################################################################################"

####################################
#9. Create Access Package Policy:-
####################################

$requestorSettings =@{
  "scopeType" = $scopetype
  "acceptRequests" = $acceptrequests
  }

$requestApprovalSettings = @{
  "isApprovalRequired" = $accesspkgapprovalreq
  "isApprovalRequiredForExtension" = $accesspkgapprovalreqext
  "isRequestorJustificationRequired" = $accesspkgrequestorjustify
  "approvalMode" = 'NoApproval'
  "approvalStages" = '[]'
  }

New-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageId $accesspkgid -DisplayName $AccessPackagePolicyName -Description $AccessPackagePolicyDesc -DurationInDays $duration -RequestorSettings $requestorSettings -RequestApprovalSettings $requestApprovalSettings | Format-List

echo "################################################################################"
echo "Access Package Policy $AccessPackagePolicyName has been created successfully."
echo "################################################################################"
Enter fullscreen mode Exit fullscreen mode
EXPLANATION OF THE CODE SNIPPET:-
Define Variables:- 


$CatalogName = "AM-LAB"
$CatalogDesc = "AM Lab Environment Catalog"
$AADGroupname = "AM-Lab-OpsSupport"
$AccessPackageName = "AM-Lab-Access-Pkge"
$AccessPackageDesc = "AM Lab Environment Access Package"
$scopetype = "NoSubjects"
$acceptrequests = "$true"
$accesspkgapprovalreq = "$false"
$accesspkgapprovalreqext = "$false"
$accesspkgrequestorjustify = "$false"
$AccessPackagePolicyName = "Administrator managed (365 days)"
$AccessPackagePolicyDesc = "admin managed policy"
$duration = "365"
$AADGrpCatalogowner = "AM-Lab-Catalog-Owner"
$AADGrpCatalogreader = "AM-Lab-Catalog-Reader"
$AADGrpCatalogaccesspackagemanager = "AM-Lab-Catalog-AccessPackage-Manager"
$AADGrpCatalogaccesspackageassignmentmanager = "AM-Lab-Catalog-AccessPackage-Assignment-Manager"
#############################################
# The below Role Ids are constant values:-
#############################################
$roleidCatalogowner = "ae79f266-94d4-4dab-b730-feca7e132178"
$roleidCatalogreader = "44272f93-9762-48e8-af59-1b5351b1d6b3"
$roleidAccesspackagemanager = "7f480852-ebdc-47d4-87de-0d8498384a83"
$roleidAccesspackageassignmentmanager = "e2182095-804a-4656-ae11-64734e9b7ae5"
Enter fullscreen mode Exit fullscreen mode
Connect to MS Graph Powershell SDK:- 


Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
Select-MgProfile -Name "beta"
Import-Module Microsoft.Graph.DeviceManagement.Enrolment
Enter fullscreen mode Exit fullscreen mode
Create Catalog and get the Catalog Identifier:- 


$catalogid = New-MgEntitlementManagementAccessPackageCatalog -DisplayName $CatalogName -Description $CatalogDesc | Select -ExpandProperty Id

echo "##############################################"
echo "Catalog $CatalogName created successfully."
echo "##############################################"
Enter fullscreen mode Exit fullscreen mode
Create AAD Groups and configure Catalog Roles and Administrator:-
Note:-
The script is paused for 60 secs in order for the newly created AAD Groups to be populated. Later, these AAD Groups were used to assign Catalog Roles and Administrators. 


AADGrpCatalogownerid = az ad group create --display-name $AADGrpCatalogowner --mail-nickname $AADGrpCatalogowner --query "id" -o tsv
$AADGrpCatalogreaderid = az ad group create --display-name $AADGrpCatalogreader --mail-nickname $AADGrpCatalogreader --query "id" -o tsv
$AADGrpCatalogaccesspackagemanagerid = az ad group create --display-name $AADGrpCatalogaccesspackagemanager --mail-nickname $AADGrpCatalogaccesspackagemanager --query "id" -o tsv
$AADGrpCatalogaccesspackageassignmentmanagerid = az ad group create --display-name $AADGrpCatalogaccesspackageassignmentmanager --mail-nickname $AADGrpCatalogaccesspackageassignmentmanager --query "id" -o tsv

echo "###################################################################################"
echo "Pausing the Script for 60 Secs for the newly created AAD Group to be populated."
echo "###################################################################################"
Start-Sleep 60

$catalogownerrole = @{
    PrincipalId = "$AADGrpCatalogownerid"
    RoleDefinitionId = "$roleidCatalogowner"
    AppScopeId = "/AccessPackageCatalog/$catalogid"
}

$catalogreaderrole = @{
    PrincipalId = "$AADGrpCatalogreaderid"
    RoleDefinitionId = "$roleidCatalogreader"
    AppScopeId = "/AccessPackageCatalog/$catalogid"
}

$catalogaccesspackagemanagerrole = @{
    PrincipalId = "$AADGrpCatalogaccesspackagemanagerid"
    RoleDefinitionId = "$roleidAccesspackagemanager"
    AppScopeId = "/AccessPackageCatalog/$catalogid"
}

$catalogaccesspackageassignmentmanagerrole = @{
    PrincipalId = "$AADGrpCatalogaccesspackageassignmentmanagerid"
    RoleDefinitionId = "$roleidAccesspackageassignmentmanager"
    AppScopeId = "/AccessPackageCatalog/$catalogid"
}

New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $catalogownerrole
echo "#######################################################################################################################"
echo "AAD Group $AADGrpCatalogowner created successfully and has been added in the Catalog $CatalogName as Catalog Owner."
echo "#######################################################################################################################"

New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $catalogreaderrole
echo "#######################################################################################################################"
echo "AAD Group $AADGrpCatalogreader created successfully and has been added in the Catalog $CatalogName as Catalog Reader."
echo "#######################################################################################################################"

New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $catalogaccesspackagemanagerrole
echo "#######################################################################################################################################################"
echo "AAD Group $AADGrpCatalogaccesspackagemanager created successfully and has been added in the Catalog $CatalogName as Catalog Access Package Manager."
echo "#######################################################################################################################################################"

New-MgRoleManagementEntitlementManagementRoleAssignment -BodyParameter $catalogaccesspackageassignmentmanagerrole
echo "###########################################################################################################################################################################"
echo "AAD Group $AADGrpCatalogaccesspackageassignmentmanager created successfully and has been added in the Catalog $CatalogName as Catalog Access Package Assignment Manager."
echo "###########################################################################################################################################################################"
Enter fullscreen mode Exit fullscreen mode
Add AAD Group to the Catalog Resource:- 


$aadgrpid = az ad group show -g "$AADGroupname" --query "id" -o tsv

$accessPackageResource = @{
  "originSystem" = "AadGroup"
  "OriginId" = $aadgrpid
}
New-MgEntitlementManagementAccessPackageResourceRequest -CatalogId $catalogid -RequestType "AdminAdd" -AccessPackageResource $accessPackageResource | select Id, RequestState | ConvertTo-Json
echo "###################################################################################"
echo "AAD Group $AADGroupname has been added to the Catalog $CatalogName successfully."
echo "###################################################################################"
Enter fullscreen mode Exit fullscreen mode
Get ID of the AAD Group as Catalog Resource:- 


$catalogresourceid = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResource -AccessPackageCatalogId $catalogid -Filter "DisplayName eq '$AADGroupname'" | Select -ExpandProperty Id
Enter fullscreen mode Exit fullscreen mode
Get the Origin ID of the member Resource Role:- 


$catalogresourceoriginid = Get-MgEntitlementManagementAccessPackageCatalogAccessPackageResourceRole -AccessPackageCatalogId $catalogid -Filter "originSystem eq 'AadGroup' and accessPackageResource/id eq '$catalogresourceid' and DisplayName eq 'Member'" | Select -ExpandProperty OriginId
Enter fullscreen mode Exit fullscreen mode
Create Access Package:- 


$accesspkgid = New-MgEntitlementManagementAccessPackage -CatalogId $catalogid -DisplayName $AccessPackageName -Description $AccessPackageDesc | Select -ExpandProperty Id
echo "#############################################################################################"
echo "Access Package $AccessPackageName has been added to the Catalog $CatalogName successfully."
echo "#############################################################################################"
Enter fullscreen mode Exit fullscreen mode
Add Resource Role (Member Role) in the Access Package:- 


$accessPackageResource = @{
  "id" = $catalogresourceid
  "resourceType" = "Security Group"
  "originId" = $aadgrpid
  "originSystem" = "AadGroup"
  }

$accessPackageResourceRole = @{
  "originId" = $catalogresourceoriginid
  "displayName" = "Member"
  "originSystem" = "AadGroup"
  "accessPackageResource" = $accessPackageResource
  }

$accessPackageResourceScope = @{
  "originId" = $aadgrpid
  "originSystem" = "AadGroup"
  }

New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $accesspkgid -AccessPackageResourceRole $accessPackageResourceRole -AccessPackageResourceScope $accessPackageResourceScope | Format-List
echo "#################################################################################################################"
echo "AAD Group $AADGroupname has been added successfully to the Access Package $AccessPackageName with Member Role."
echo "#################################################################################################################"
Enter fullscreen mode Exit fullscreen mode
Create Access Package Policy:- 


$requestorSettings =@{
  "scopeType" = $scopetype
  "acceptRequests" = $acceptrequests
  }

$requestApprovalSettings = @{
  "isApprovalRequired" = $accesspkgapprovalreq
  "isApprovalRequiredForExtension" = $accesspkgapprovalreqext
  "isRequestorJustificationRequired" = $accesspkgrequestorjustify
  "approvalMode" = 'NoApproval'
  "approvalStages" = '[]'
  }

New-MgEntitlementManagementAccessPackageAssignmentPolicy -AccessPackageId $accesspkgid -DisplayName $AccessPackagePolicyName -Description $AccessPackagePolicyDesc -DurationInDays $duration -RequestorSettings $requestorSettings -RequestApprovalSettings $requestApprovalSettings | Format-List

echo "################################################################################"
echo "Access Package Policy $AccessPackagePolicyName has been created successfully."
echo "################################################################################"
Enter fullscreen mode Exit fullscreen mode

NOW ITS TIME TO TEST:-

TEST CASES:-
1. Connect to MS Graph Powershell SDK:-
Image description
2. Script executed successfully:-
Image description
3. Validate creation of Catalog:-
Image description
4. Validate adding existing AAD group to Catalog resource:-
Image description
5. Validate creation of AAD groups:-
Image description
6. Validate Catalog Roles and Administrator:-
Image description
7. Validate creation of Access Package:-
Image description
8. Validate existing AAD group under Catalog Resource as Member of Access Package:-
Image description
9. Validate creation of Access Package Policies:-
Image description
Image description
Image description
Image description
Image description
Image description
Image description
10. Validate Assignment of a test user to the AAD Group using Access Package:-
Image description
Image description
Image description
Image description

Hope You Enjoyed the Session!!!

Stay Safe | Keep Learning | Spread Knowledge

Top comments (0)

Read next

devops_den profile image

Common NGINX Commands

Devops Den -

apilover profile image

Github Spark: The AI Tool That Creates Apps with Spoken Language

Wanda -

cloudfromide profile image

Navigating Azure Hierarchy

Bamidele Kolawole -

rflpazini profile image

Estratégias para diagnosticar problemas em containers Docker em Produção

Rafael Pazini -