Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Create a new accessPackageResourceRoleScope for adding a resource role to an access package. The access package resource, for a group, an app, or a SharePoint Online site, must already exist in the access package catalog, and the originId for the resource role retrieved from the list of the resource roles. Once you add the resource role scope to the access package, the user will receive this resource role through any current and future access package assignments.
This API is available in the following national cloud deployments.
| Global service |
US Government L4 |
US Government L5 (DOD) |
China operated by 21Vianet |
| ✅ |
✅ |
✅ |
✅ |
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type |
Least privileged permissions |
Higher privileged permissions |
| Delegated (work or school account) |
EntitlementManagement.ReadWrite.All |
Not available. |
| Delegated (personal Microsoft account) |
Not supported. |
Not supported. |
| Application |
EntitlementManagement.ReadWrite.All |
Not available. |
HTTP request
POST /identityGovernance/entitlementManagement/accessPackages/{id}/accessPackageResourceRoleScopes
Request body
In the request body, supply a JSON representation of an accessPackageResourceRoleScope object. Include in the object the relationships to an accessPackageResourceRole object, which can be obtained from a request to list access package resource roles of a resource in a catalog, and an accessPackageResourceScope object, which can be obtained from a request to list access package resources with $expand=accessPackageResourceScopes.
Response
If successful, this method returns a 200-series response code and a new accessPackageResourceRoleScope object in the response body.
Examples
Example 1: Add group membership as a resource role to an access package
Request
The following example shows a request. Previous to this request, the access package resource 1d08498d-72a1-403f-8511-6b1f875746a0 for the group b31fe1f1-3651-488f-bd9a-1711887fd4ca must already have been added to the access package catalog containing this access package. The resource could have been added to the catalog by creating an access package resource request.
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackageResourceRoleScopes
Content-type: application/json
{
"accessPackageResourceRole":{
"originId":"Member_b31fe1f1-3651-488f-bd9a-1711887fd4ca",
"displayName":"Member",
"originSystem":"AadGroup",
"accessPackageResource":{"id":"1d08498d-72a1-403f-8511-6b1f875746a0","resourceType":"O365 Group","originId":"b31fe1f1-3651-488f-bd9a-1711887fd4ca","originSystem":"AadGroup"}
},
"accessPackageResourceScope":{
"originId":"b31fe1f1-3651-488f-bd9a-1711887fd4ca","originSystem":"AadGroup"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new AccessPackageResourceRoleScope
{
AccessPackageResourceRole = new AccessPackageResourceRole
{
OriginId = "Member_b31fe1f1-3651-488f-bd9a-1711887fd4ca",
DisplayName = "Member",
OriginSystem = "AadGroup",
AccessPackageResource = new AccessPackageResource
{
Id = "1d08498d-72a1-403f-8511-6b1f875746a0",
ResourceType = "O365 Group",
OriginId = "b31fe1f1-3651-488f-bd9a-1711887fd4ca",
OriginSystem = "AadGroup",
},
},
AccessPackageResourceScope = new AccessPackageResourceScope
{
OriginId = "b31fe1f1-3651-488f-bd9a-1711887fd4ca",
OriginSystem = "AadGroup",
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages["{accessPackage-id}"].AccessPackageResourceRoleScopes.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewAccessPackageResourceRoleScope()
accessPackageResourceRole := graphmodels.NewAccessPackageResourceRole()
originId := "Member_b31fe1f1-3651-488f-bd9a-1711887fd4ca"
accessPackageResourceRole.SetOriginId(&originId)
displayName := "Member"
accessPackageResourceRole.SetDisplayName(&displayName)
originSystem := "AadGroup"
accessPackageResourceRole.SetOriginSystem(&originSystem)
accessPackageResource := graphmodels.NewAccessPackageResource()
id := "1d08498d-72a1-403f-8511-6b1f875746a0"
accessPackageResource.SetId(&id)
resourceType := "O365 Group"
accessPackageResource.SetResourceType(&resourceType)
originId := "b31fe1f1-3651-488f-bd9a-1711887fd4ca"
accessPackageResource.SetOriginId(&originId)
originSystem := "AadGroup"
accessPackageResource.SetOriginSystem(&originSystem)
accessPackageResourceRole.SetAccessPackageResource(accessPackageResource)
requestBody.SetAccessPackageResourceRole(accessPackageResourceRole)
accessPackageResourceScope := graphmodels.NewAccessPackageResourceScope()
originId := "b31fe1f1-3651-488f-bd9a-1711887fd4ca"
accessPackageResourceScope.SetOriginId(&originId)
originSystem := "AadGroup"
accessPackageResourceScope.SetOriginSystem(&originSystem)
requestBody.SetAccessPackageResourceScope(accessPackageResourceScope)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackageResourceRoleScopes, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackages().ByAccessPackageId("accessPackage-id").AccessPackageResourceRoleScopes().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessPackageResourceRoleScope accessPackageResourceRoleScope = new AccessPackageResourceRoleScope();
AccessPackageResourceRole accessPackageResourceRole = new AccessPackageResourceRole();
accessPackageResourceRole.setOriginId("Member_b31fe1f1-3651-488f-bd9a-1711887fd4ca");
accessPackageResourceRole.setDisplayName("Member");
accessPackageResourceRole.setOriginSystem("AadGroup");
AccessPackageResource accessPackageResource = new AccessPackageResource();
accessPackageResource.setId("1d08498d-72a1-403f-8511-6b1f875746a0");
accessPackageResource.setResourceType("O365 Group");
accessPackageResource.setOriginId("b31fe1f1-3651-488f-bd9a-1711887fd4ca");
accessPackageResource.setOriginSystem("AadGroup");
accessPackageResourceRole.setAccessPackageResource(accessPackageResource);
accessPackageResourceRoleScope.setAccessPackageResourceRole(accessPackageResourceRole);
AccessPackageResourceScope accessPackageResourceScope = new AccessPackageResourceScope();
accessPackageResourceScope.setOriginId("b31fe1f1-3651-488f-bd9a-1711887fd4ca");
accessPackageResourceScope.setOriginSystem("AadGroup");
accessPackageResourceRoleScope.setAccessPackageResourceScope(accessPackageResourceScope);
AccessPackageResourceRoleScope result = graphClient.identityGovernance().entitlementManagement().accessPackages().byAccessPackageId("{accessPackage-id}").accessPackageResourceRoleScopes().post(accessPackageResourceRoleScope);
const options = {
authProvider,
};
const client = Client.init(options);
const accessPackageResourceRoleScope = {
accessPackageResourceRole: {
originId: 'Member_b31fe1f1-3651-488f-bd9a-1711887fd4ca',
displayName: 'Member',
originSystem: 'AadGroup',
accessPackageResource: {id: '1d08498d-72a1-403f-8511-6b1f875746a0',resourceType: 'O365 Group',originId: 'b31fe1f1-3651-488f-bd9a-1711887fd4ca',originSystem: 'AadGroup'}
},
accessPackageResourceScope: {
originId: 'b31fe1f1-3651-488f-bd9a-1711887fd4ca',originSystem: 'AadGroup'
}
};
await client.api('/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackageResourceRoleScopes')
.version('beta')
.post(accessPackageResourceRoleScope);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceRoleScope;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceRole;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResource;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceScope;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AccessPackageResourceRoleScope();
$accessPackageResourceRole = new AccessPackageResourceRole();
$accessPackageResourceRole->setOriginId('Member_b31fe1f1-3651-488f-bd9a-1711887fd4ca');
$accessPackageResourceRole->setDisplayName('Member');
$accessPackageResourceRole->setOriginSystem('AadGroup');
$accessPackageResourceRoleAccessPackageResource = new AccessPackageResource();
$accessPackageResourceRoleAccessPackageResource->setId('1d08498d-72a1-403f-8511-6b1f875746a0');
$accessPackageResourceRoleAccessPackageResource->setResourceType('O365 Group');
$accessPackageResourceRoleAccessPackageResource->setOriginId('b31fe1f1-3651-488f-bd9a-1711887fd4ca');
$accessPackageResourceRoleAccessPackageResource->setOriginSystem('AadGroup');
$accessPackageResourceRole->setAccessPackageResource($accessPackageResourceRoleAccessPackageResource);
$requestBody->setAccessPackageResourceRole($accessPackageResourceRole);
$accessPackageResourceScope = new AccessPackageResourceScope();
$accessPackageResourceScope->setOriginId('b31fe1f1-3651-488f-bd9a-1711887fd4ca');
$accessPackageResourceScope->setOriginSystem('AadGroup');
$requestBody->setAccessPackageResourceScope($accessPackageResourceScope);
$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackages()->byAccessPackageId('accessPackage-id')->accessPackageResourceRoleScopes()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
accessPackageResourceRole = @{
originId = "Member_b31fe1f1-3651-488f-bd9a-1711887fd4ca"
displayName = "Member"
originSystem = "AadGroup"
accessPackageResource = @{
id = "1d08498d-72a1-403f-8511-6b1f875746a0"
resourceType = "O365 Group"
originId = "b31fe1f1-3651-488f-bd9a-1711887fd4ca"
originSystem = "AadGroup"
}
}
accessPackageResourceScope = @{
originId = "b31fe1f1-3651-488f-bd9a-1711887fd4ca"
originSystem = "AadGroup"
}
}
New-MgBetaEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $accessPackageId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.access_package_resource_role_scope import AccessPackageResourceRoleScope
from msgraph_beta.generated.models.access_package_resource_role import AccessPackageResourceRole
from msgraph_beta.generated.models.access_package_resource import AccessPackageResource
from msgraph_beta.generated.models.access_package_resource_scope import AccessPackageResourceScope
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageResourceRoleScope(
access_package_resource_role = AccessPackageResourceRole(
origin_id = "Member_b31fe1f1-3651-488f-bd9a-1711887fd4ca",
display_name = "Member",
origin_system = "AadGroup",
access_package_resource = AccessPackageResource(
id = "1d08498d-72a1-403f-8511-6b1f875746a0",
resource_type = "O365 Group",
origin_id = "b31fe1f1-3651-488f-bd9a-1711887fd4ca",
origin_system = "AadGroup",
),
),
access_package_resource_scope = AccessPackageResourceScope(
origin_id = "b31fe1f1-3651-488f-bd9a-1711887fd4ca",
origin_system = "AadGroup",
),
)
result = await graph_client.identity_governance.entitlement_management.access_packages.by_access_package_id('accessPackage-id').access_package_resource_role_scopes.post(request_body)
Response
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#accessPackageResourceRoleScopes/$entity",
"id": "ad5c7636-e481-4528-991f-198e3b38dd56_ffd4004a-f4a9-4b22-b027-759e55c0d1db",
"createdBy": "admin@example.com",
"createdDateTime": "2019-12-11T01:35:26.4754081Z",
"modifiedBy": "admin@example.com",
"modifiedDateTime": "2019-12-11T01:35:26.4754081Z"
}
Example 2: Add a SharePoint Online site role to an access package
Request
The following example shows a request for a non-root scope resource. The access package resource for the site must already have been added to the access package catalog containing this access package.
The request contains an accessPackageResourceRole object, which can be obtained from an earlier request to list access package resource roles of a resource in a catalog. Each type of resource defines the format of the originId field in a resource role. For a SharePoint Online site, the originId is the sequence number of the role in the site.
If the accessPackageResourceScope object obtained from an earlier request to list access package resources has the resource as a root scope (isRootScope set to true), include the isRootScope property in the accessPackageResourceScope object of the request.
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackageResourceRoleScopes
Content-type: application/json
{
"accessPackageResourceRole": {
"originId": "4",
"originSystem": "SharePointOnline",
"accessPackageResource": {
"id": "53c71803-a0a8-4777-aecc-075de8ee3991"
}
},
"accessPackageResourceScope": {
"id": "5ae0ae7c-d0a5-42aa-ab37-1f15e9a61d33",
"originId": "https://microsoft.sharepoint.com/portals/Community",
"originSystem": "SharePointOnline"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new AccessPackageResourceRoleScope
{
AccessPackageResourceRole = new AccessPackageResourceRole
{
OriginId = "4",
OriginSystem = "SharePointOnline",
AccessPackageResource = new AccessPackageResource
{
Id = "53c71803-a0a8-4777-aecc-075de8ee3991",
},
},
AccessPackageResourceScope = new AccessPackageResourceScope
{
Id = "5ae0ae7c-d0a5-42aa-ab37-1f15e9a61d33",
OriginId = "https://microsoft.sharepoint.com/portals/Community",
OriginSystem = "SharePointOnline",
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages["{accessPackage-id}"].AccessPackageResourceRoleScopes.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewAccessPackageResourceRoleScope()
accessPackageResourceRole := graphmodels.NewAccessPackageResourceRole()
originId := "4"
accessPackageResourceRole.SetOriginId(&originId)
originSystem := "SharePointOnline"
accessPackageResourceRole.SetOriginSystem(&originSystem)
accessPackageResource := graphmodels.NewAccessPackageResource()
id := "53c71803-a0a8-4777-aecc-075de8ee3991"
accessPackageResource.SetId(&id)
accessPackageResourceRole.SetAccessPackageResource(accessPackageResource)
requestBody.SetAccessPackageResourceRole(accessPackageResourceRole)
accessPackageResourceScope := graphmodels.NewAccessPackageResourceScope()
id := "5ae0ae7c-d0a5-42aa-ab37-1f15e9a61d33"
accessPackageResourceScope.SetId(&id)
originId := "https://microsoft.sharepoint.com/portals/Community"
accessPackageResourceScope.SetOriginId(&originId)
originSystem := "SharePointOnline"
accessPackageResourceScope.SetOriginSystem(&originSystem)
requestBody.SetAccessPackageResourceScope(accessPackageResourceScope)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackageResourceRoleScopes, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackages().ByAccessPackageId("accessPackage-id").AccessPackageResourceRoleScopes().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessPackageResourceRoleScope accessPackageResourceRoleScope = new AccessPackageResourceRoleScope();
AccessPackageResourceRole accessPackageResourceRole = new AccessPackageResourceRole();
accessPackageResourceRole.setOriginId("4");
accessPackageResourceRole.setOriginSystem("SharePointOnline");
AccessPackageResource accessPackageResource = new AccessPackageResource();
accessPackageResource.setId("53c71803-a0a8-4777-aecc-075de8ee3991");
accessPackageResourceRole.setAccessPackageResource(accessPackageResource);
accessPackageResourceRoleScope.setAccessPackageResourceRole(accessPackageResourceRole);
AccessPackageResourceScope accessPackageResourceScope = new AccessPackageResourceScope();
accessPackageResourceScope.setId("5ae0ae7c-d0a5-42aa-ab37-1f15e9a61d33");
accessPackageResourceScope.setOriginId("https://microsoft.sharepoint.com/portals/Community");
accessPackageResourceScope.setOriginSystem("SharePointOnline");
accessPackageResourceRoleScope.setAccessPackageResourceScope(accessPackageResourceScope);
AccessPackageResourceRoleScope result = graphClient.identityGovernance().entitlementManagement().accessPackages().byAccessPackageId("{accessPackage-id}").accessPackageResourceRoleScopes().post(accessPackageResourceRoleScope);
const options = {
authProvider,
};
const client = Client.init(options);
const accessPackageResourceRoleScope = {
accessPackageResourceRole: {
originId: '4',
originSystem: 'SharePointOnline',
accessPackageResource: {
id: '53c71803-a0a8-4777-aecc-075de8ee3991'
}
},
accessPackageResourceScope: {
id: '5ae0ae7c-d0a5-42aa-ab37-1f15e9a61d33',
originId: 'https://microsoft.sharepoint.com/portals/Community',
originSystem: 'SharePointOnline'
}
};
await client.api('/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackageResourceRoleScopes')
.version('beta')
.post(accessPackageResourceRoleScope);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceRoleScope;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceRole;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResource;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceScope;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AccessPackageResourceRoleScope();
$accessPackageResourceRole = new AccessPackageResourceRole();
$accessPackageResourceRole->setOriginId('4');
$accessPackageResourceRole->setOriginSystem('SharePointOnline');
$accessPackageResourceRoleAccessPackageResource = new AccessPackageResource();
$accessPackageResourceRoleAccessPackageResource->setId('53c71803-a0a8-4777-aecc-075de8ee3991');
$accessPackageResourceRole->setAccessPackageResource($accessPackageResourceRoleAccessPackageResource);
$requestBody->setAccessPackageResourceRole($accessPackageResourceRole);
$accessPackageResourceScope = new AccessPackageResourceScope();
$accessPackageResourceScope->setId('5ae0ae7c-d0a5-42aa-ab37-1f15e9a61d33');
$accessPackageResourceScope->setOriginId('https://microsoft.sharepoint.com/portals/Community');
$accessPackageResourceScope->setOriginSystem('SharePointOnline');
$requestBody->setAccessPackageResourceScope($accessPackageResourceScope);
$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackages()->byAccessPackageId('accessPackage-id')->accessPackageResourceRoleScopes()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
accessPackageResourceRole = @{
originId = "4"
originSystem = "SharePointOnline"
accessPackageResource = @{
id = "53c71803-a0a8-4777-aecc-075de8ee3991"
}
}
accessPackageResourceScope = @{
id = "5ae0ae7c-d0a5-42aa-ab37-1f15e9a61d33"
originId = "https://microsoft.sharepoint.com/portals/Community"
originSystem = "SharePointOnline"
}
}
New-MgBetaEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $accessPackageId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.access_package_resource_role_scope import AccessPackageResourceRoleScope
from msgraph_beta.generated.models.access_package_resource_role import AccessPackageResourceRole
from msgraph_beta.generated.models.access_package_resource import AccessPackageResource
from msgraph_beta.generated.models.access_package_resource_scope import AccessPackageResourceScope
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageResourceRoleScope(
access_package_resource_role = AccessPackageResourceRole(
origin_id = "4",
origin_system = "SharePointOnline",
access_package_resource = AccessPackageResource(
id = "53c71803-a0a8-4777-aecc-075de8ee3991",
),
),
access_package_resource_scope = AccessPackageResourceScope(
id = "5ae0ae7c-d0a5-42aa-ab37-1f15e9a61d33",
origin_id = "https://microsoft.sharepoint.com/portals/Community",
origin_system = "SharePointOnline",
),
)
result = await graph_client.identity_governance.entitlement_management.access_packages.by_access_package_id('accessPackage-id').access_package_resource_role_scopes.post(request_body)
Response
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "6646a29e-da03-49f6-bcd9-dec124492de3_5ae0ae7c-d0a5-42aa-ab37-1f15e9a61d33"
}
Example 3: Add a Microsoft Entra role as a resource in an access package
Request
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackageResourceRoleScopes
Content-type: application/json
{
"role": {
"originId": "Eligible",
"displayName": "Eligible Member",
"originSystem": "DirectoryRole",
"resource": {
"id": "ea036095-57a6-4c90-a640-013edf151eb1"
}
},
"scope": {
"description": "Root Scope",
"displayName": "Root",
"isRootScope": true,
"originSystem": "DirectoryRole",
"originId": "c4e39bd9-1100-46d3-8c65-fb160da0071f"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
using Microsoft.Kiota.Abstractions.Serialization;
var requestBody = new AccessPackageResourceRoleScope
{
AdditionalData = new Dictionary<string, object>
{
{
"role" , new UntypedObject(new Dictionary<string, UntypedNode>
{
{
"originId", new UntypedString("Eligible")
},
{
"displayName", new UntypedString("Eligible Member")
},
{
"originSystem", new UntypedString("DirectoryRole")
},
{
"resource", new UntypedObject(new Dictionary<string, UntypedNode>
{
{
"id", new UntypedString("ea036095-57a6-4c90-a640-013edf151eb1")
},
})
},
})
},
{
"scope" , new UntypedObject(new Dictionary<string, UntypedNode>
{
{
"description", new UntypedString("Root Scope")
},
{
"displayName", new UntypedString("Root")
},
{
"isRootScope", new UntypedBoolean(true)
},
{
"originSystem", new UntypedString("DirectoryRole")
},
{
"originId", new UntypedString("c4e39bd9-1100-46d3-8c65-fb160da0071f")
},
})
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages["{accessPackage-id}"].AccessPackageResourceRoleScopes.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewAccessPackageResourceRoleScope()
additionalData := map[string]interface{}{
role := graph.New()
originId := "Eligible"
role.SetOriginId(&originId)
displayName := "Eligible Member"
role.SetDisplayName(&displayName)
originSystem := "DirectoryRole"
role.SetOriginSystem(&originSystem)
resource := graph.New()
id := "ea036095-57a6-4c90-a640-013edf151eb1"
resource.SetId(&id)
role.SetResource(resource)
requestBody.SetRole(role)
scope := graph.New()
description := "Root Scope"
scope.SetDescription(&description)
displayName := "Root"
scope.SetDisplayName(&displayName)
isRootScope := true
scope.SetIsRootScope(&isRootScope)
originSystem := "DirectoryRole"
scope.SetOriginSystem(&originSystem)
originId := "c4e39bd9-1100-46d3-8c65-fb160da0071f"
scope.SetOriginId(&originId)
requestBody.SetScope(scope)
}
requestBody.SetAdditionalData(additionalData)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackageResourceRoleScopes, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackages().ByAccessPackageId("accessPackage-id").AccessPackageResourceRoleScopes().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessPackageResourceRoleScope accessPackageResourceRoleScope = new AccessPackageResourceRoleScope();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
role = new ();
role.setOriginId("Eligible");
role.setDisplayName("Eligible Member");
role.setOriginSystem("DirectoryRole");
resource = new ();
resource.setId("ea036095-57a6-4c90-a640-013edf151eb1");
role.setResource(resource);
additionalData.put("role", role);
scope = new ();
scope.setDescription("Root Scope");
scope.setDisplayName("Root");
scope.setIsRootScope(true);
scope.setOriginSystem("DirectoryRole");
scope.setOriginId("c4e39bd9-1100-46d3-8c65-fb160da0071f");
additionalData.put("scope", scope);
accessPackageResourceRoleScope.setAdditionalData(additionalData);
AccessPackageResourceRoleScope result = graphClient.identityGovernance().entitlementManagement().accessPackages().byAccessPackageId("{accessPackage-id}").accessPackageResourceRoleScopes().post(accessPackageResourceRoleScope);
const options = {
authProvider,
};
const client = Client.init(options);
const accessPackageResourceRoleScope = {
role: {
originId: 'Eligible',
displayName: 'Eligible Member',
originSystem: 'DirectoryRole',
resource: {
id: 'ea036095-57a6-4c90-a640-013edf151eb1'
}
},
scope: {
description: 'Root Scope',
displayName: 'Root',
isRootScope: true,
originSystem: 'DirectoryRole',
originId: 'c4e39bd9-1100-46d3-8c65-fb160da0071f'
}
};
await client.api('/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackageResourceRoleScopes')
.version('beta')
.post(accessPackageResourceRoleScope);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceRoleScope;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AccessPackageResourceRoleScope();
$additionalData = [
'role' => [
'originId' => 'Eligible',
'displayName' => 'Eligible Member',
'originSystem' => 'DirectoryRole',
'resource' => [
'id' => 'ea036095-57a6-4c90-a640-013edf151eb1',
],
],
'scope' => [
'description' => 'Root Scope',
'displayName' => 'Root',
'isRootScope' => true,
'originSystem' => 'DirectoryRole',
'originId' => 'c4e39bd9-1100-46d3-8c65-fb160da0071f',
],
];
$requestBody->setAdditionalData($additionalData);
$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackages()->byAccessPackageId('accessPackage-id')->accessPackageResourceRoleScopes()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
role = @{
originId = "Eligible"
displayName = "Eligible Member"
originSystem = "DirectoryRole"
resource = @{
id = "ea036095-57a6-4c90-a640-013edf151eb1"
}
}
scope = @{
description = "Root Scope"
displayName = "Root"
isRootScope = $true
originSystem = "DirectoryRole"
originId = "c4e39bd9-1100-46d3-8c65-fb160da0071f"
}
}
New-MgBetaEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $accessPackageId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.access_package_resource_role_scope import AccessPackageResourceRoleScope
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageResourceRoleScope(
additional_data = {
"role" : {
"origin_id" : "Eligible",
"display_name" : "Eligible Member",
"origin_system" : "DirectoryRole",
"resource" : {
"id" : "ea036095-57a6-4c90-a640-013edf151eb1",
},
},
"scope" : {
"description" : "Root Scope",
"display_name" : "Root",
"is_root_scope" : True,
"origin_system" : "DirectoryRole",
"origin_id" : "c4e39bd9-1100-46d3-8c65-fb160da0071f",
},
}
)
result = await graph_client.identity_governance.entitlement_management.access_packages.by_access_package_id('accessPackage-id').access_package_resource_role_scopes.post(request_body)
Response
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "ea036095-57a6-4c90-a640-013edf151eb1_c4e39bd9-1100-46d3-8c65-fb160da0071f",
"createdDateTime": "2023-06-28T01:19:48.4216782Z"
}
Example 4: Add a PIM-managed group as a resource role to an access package
Request
The following example shows a request to add a PIM-managed group as a resource role to an access package. The group's members are eligible to the group.
Before this request, you must have already added the access package resource b86a1828-3171-409e-8343-32a224f324a0 for the PIM-managed group bcfae74a-91a6-46e9-99bf-89d6487cc3f3 to the access package catalog containing this access package. The resource could have been added to the catalog by creating an access package resource request.
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/b86a1828-3171-409e-8343-32a224f324a0/accessPackageResourceRoleScopes
Content-type: application/json
{
"accessPackageResourceRole":{
"originId":"EligibleMember_89590e41-f49d-4792-b531-6ed6fe6cfe18",
"displayName":"Eligible Member",
"originSystem":"AadGroup",
"accessPackageResource":{"id":"b86a1828-3171-409e-8343-32a224f324a0","resourceType":"O365 Group","originId":"bcfae74a-91a6-46e9-99bf-89d6487cc3f3","originSystem":"AadGroup"}
},
"accessPackageResourceScope":{
"originId":"bcfae74a-91a6-46e9-99bf-89d6487cc3f3","originSystem":"AadGroup"
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new AccessPackageResourceRoleScope
{
AccessPackageResourceRole = new AccessPackageResourceRole
{
OriginId = "EligibleMember_89590e41-f49d-4792-b531-6ed6fe6cfe18",
DisplayName = "Eligible Member",
OriginSystem = "AadGroup",
AccessPackageResource = new AccessPackageResource
{
Id = "b86a1828-3171-409e-8343-32a224f324a0",
ResourceType = "O365 Group",
OriginId = "bcfae74a-91a6-46e9-99bf-89d6487cc3f3",
OriginSystem = "AadGroup",
},
},
AccessPackageResourceScope = new AccessPackageResourceScope
{
OriginId = "bcfae74a-91a6-46e9-99bf-89d6487cc3f3",
OriginSystem = "AadGroup",
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.IdentityGovernance.EntitlementManagement.AccessPackages["{accessPackage-id}"].AccessPackageResourceRoleScopes.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewAccessPackageResourceRoleScope()
accessPackageResourceRole := graphmodels.NewAccessPackageResourceRole()
originId := "EligibleMember_89590e41-f49d-4792-b531-6ed6fe6cfe18"
accessPackageResourceRole.SetOriginId(&originId)
displayName := "Eligible Member"
accessPackageResourceRole.SetDisplayName(&displayName)
originSystem := "AadGroup"
accessPackageResourceRole.SetOriginSystem(&originSystem)
accessPackageResource := graphmodels.NewAccessPackageResource()
id := "b86a1828-3171-409e-8343-32a224f324a0"
accessPackageResource.SetId(&id)
resourceType := "O365 Group"
accessPackageResource.SetResourceType(&resourceType)
originId := "bcfae74a-91a6-46e9-99bf-89d6487cc3f3"
accessPackageResource.SetOriginId(&originId)
originSystem := "AadGroup"
accessPackageResource.SetOriginSystem(&originSystem)
accessPackageResourceRole.SetAccessPackageResource(accessPackageResource)
requestBody.SetAccessPackageResourceRole(accessPackageResourceRole)
accessPackageResourceScope := graphmodels.NewAccessPackageResourceScope()
originId := "bcfae74a-91a6-46e9-99bf-89d6487cc3f3"
accessPackageResourceScope.SetOriginId(&originId)
originSystem := "AadGroup"
accessPackageResourceScope.SetOriginSystem(&originSystem)
requestBody.SetAccessPackageResourceScope(accessPackageResourceScope)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
accessPackageResourceRoleScopes, err := graphClient.IdentityGovernance().EntitlementManagement().AccessPackages().ByAccessPackageId("accessPackage-id").AccessPackageResourceRoleScopes().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AccessPackageResourceRoleScope accessPackageResourceRoleScope = new AccessPackageResourceRoleScope();
AccessPackageResourceRole accessPackageResourceRole = new AccessPackageResourceRole();
accessPackageResourceRole.setOriginId("EligibleMember_89590e41-f49d-4792-b531-6ed6fe6cfe18");
accessPackageResourceRole.setDisplayName("Eligible Member");
accessPackageResourceRole.setOriginSystem("AadGroup");
AccessPackageResource accessPackageResource = new AccessPackageResource();
accessPackageResource.setId("b86a1828-3171-409e-8343-32a224f324a0");
accessPackageResource.setResourceType("O365 Group");
accessPackageResource.setOriginId("bcfae74a-91a6-46e9-99bf-89d6487cc3f3");
accessPackageResource.setOriginSystem("AadGroup");
accessPackageResourceRole.setAccessPackageResource(accessPackageResource);
accessPackageResourceRoleScope.setAccessPackageResourceRole(accessPackageResourceRole);
AccessPackageResourceScope accessPackageResourceScope = new AccessPackageResourceScope();
accessPackageResourceScope.setOriginId("bcfae74a-91a6-46e9-99bf-89d6487cc3f3");
accessPackageResourceScope.setOriginSystem("AadGroup");
accessPackageResourceRoleScope.setAccessPackageResourceScope(accessPackageResourceScope);
AccessPackageResourceRoleScope result = graphClient.identityGovernance().entitlementManagement().accessPackages().byAccessPackageId("{accessPackage-id}").accessPackageResourceRoleScopes().post(accessPackageResourceRoleScope);
const options = {
authProvider,
};
const client = Client.init(options);
const accessPackageResourceRoleScope = {
accessPackageResourceRole: {
originId: 'EligibleMember_89590e41-f49d-4792-b531-6ed6fe6cfe18',
displayName: 'Eligible Member',
originSystem: 'AadGroup',
accessPackageResource: {id: 'b86a1828-3171-409e-8343-32a224f324a0',resourceType: 'O365 Group',originId: 'bcfae74a-91a6-46e9-99bf-89d6487cc3f3',originSystem: 'AadGroup'}
},
accessPackageResourceScope: {
originId: 'bcfae74a-91a6-46e9-99bf-89d6487cc3f3',originSystem: 'AadGroup'
}
};
await client.api('/identityGovernance/entitlementManagement/accessPackages/b86a1828-3171-409e-8343-32a224f324a0/accessPackageResourceRoleScopes')
.version('beta')
.post(accessPackageResourceRoleScope);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceRoleScope;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceRole;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResource;
use Microsoft\Graph\Beta\Generated\Models\AccessPackageResourceScope;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AccessPackageResourceRoleScope();
$accessPackageResourceRole = new AccessPackageResourceRole();
$accessPackageResourceRole->setOriginId('EligibleMember_89590e41-f49d-4792-b531-6ed6fe6cfe18');
$accessPackageResourceRole->setDisplayName('Eligible Member');
$accessPackageResourceRole->setOriginSystem('AadGroup');
$accessPackageResourceRoleAccessPackageResource = new AccessPackageResource();
$accessPackageResourceRoleAccessPackageResource->setId('b86a1828-3171-409e-8343-32a224f324a0');
$accessPackageResourceRoleAccessPackageResource->setResourceType('O365 Group');
$accessPackageResourceRoleAccessPackageResource->setOriginId('bcfae74a-91a6-46e9-99bf-89d6487cc3f3');
$accessPackageResourceRoleAccessPackageResource->setOriginSystem('AadGroup');
$accessPackageResourceRole->setAccessPackageResource($accessPackageResourceRoleAccessPackageResource);
$requestBody->setAccessPackageResourceRole($accessPackageResourceRole);
$accessPackageResourceScope = new AccessPackageResourceScope();
$accessPackageResourceScope->setOriginId('bcfae74a-91a6-46e9-99bf-89d6487cc3f3');
$accessPackageResourceScope->setOriginSystem('AadGroup');
$requestBody->setAccessPackageResourceScope($accessPackageResourceScope);
$result = $graphServiceClient->identityGovernance()->entitlementManagement()->accessPackages()->byAccessPackageId('accessPackage-id')->accessPackageResourceRoleScopes()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.Governance
$params = @{
accessPackageResourceRole = @{
originId = "EligibleMember_89590e41-f49d-4792-b531-6ed6fe6cfe18"
displayName = "Eligible Member"
originSystem = "AadGroup"
accessPackageResource = @{
id = "b86a1828-3171-409e-8343-32a224f324a0"
resourceType = "O365 Group"
originId = "bcfae74a-91a6-46e9-99bf-89d6487cc3f3"
originSystem = "AadGroup"
}
}
accessPackageResourceScope = @{
originId = "bcfae74a-91a6-46e9-99bf-89d6487cc3f3"
originSystem = "AadGroup"
}
}
New-MgBetaEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $accessPackageId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.access_package_resource_role_scope import AccessPackageResourceRoleScope
from msgraph_beta.generated.models.access_package_resource_role import AccessPackageResourceRole
from msgraph_beta.generated.models.access_package_resource import AccessPackageResource
from msgraph_beta.generated.models.access_package_resource_scope import AccessPackageResourceScope
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AccessPackageResourceRoleScope(
access_package_resource_role = AccessPackageResourceRole(
origin_id = "EligibleMember_89590e41-f49d-4792-b531-6ed6fe6cfe18",
display_name = "Eligible Member",
origin_system = "AadGroup",
access_package_resource = AccessPackageResource(
id = "b86a1828-3171-409e-8343-32a224f324a0",
resource_type = "O365 Group",
origin_id = "bcfae74a-91a6-46e9-99bf-89d6487cc3f3",
origin_system = "AadGroup",
),
),
access_package_resource_scope = AccessPackageResourceScope(
origin_id = "bcfae74a-91a6-46e9-99bf-89d6487cc3f3",
origin_system = "AadGroup",
),
)
result = await graph_client.identity_governance.entitlement_management.access_packages.by_access_package_id('accessPackage-id').access_package_resource_role_scopes.post(request_body)
Response
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#accessPackageResourceRoleScopes/$entity",
"id": "ad5c7636-e481-4528-991f-198e3b38dd56_ffd4004a-f4a9-4b22-b027-759e55c0d1db",
"createdBy": "admin@example.com",
"createdDateTime": "2019-12-11T01:35:26.4754081Z",
"modifiedBy": "admin@example.com",
"modifiedDateTime": "2019-12-11T01:35:26.4754081Z"
}