
I'm new to Stack Overflow, so if you have any feedback, please let me know! I created a PowerShell script that sets eligible role assignments on resource groups by using the Microsoft Graph (beta) API for PIM. I use Invoke-RestMethod to call the API, like:

# Role assignments of one Azure resource (PIM for Azure resources, beta endpoint)
$queryApiUri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources/$ResourceID/roleAssignments"
$Headers = @{}
# Exactly one space between the token type ("Bearer") and the access token
$Headers.Add("Authorization", "$($Token.token_type) $($Token.access_token)")
$query = Invoke-RestMethod -Method Get -Uri $queryApiUri -Headers $Headers

This works well, but when a role is activated, all the emails that are sent as notifications drive people and the admins crazy. Notifications are sent on creation and activation, and when an approver is required. The notifications can be set manually in the portal to "Critical emails only" to stop the flood of email. Does anyone know whether this can be done through the Graph API?


1 Answer


When we modify the 'Critical emails only' at the portal and try to get governanceRoleSetting, we will see that there is no change in the result.

Obviously Microsoft Graph hasn't exposed the method to update 'Critical emails only'.

But in fact, we can make it via Microsoft Graph. Here I'll share my steps. Please note it's not mentioned in the Microsoft Graph documentation. It's just for your reference.

Take subscription owner role as the example.

Open the edit role setting page of subscription owner in the browser and press F12 to open the developer tools. Click on Update. Then we will see a request named 'roleSettingsv2'. (It is not a Microsoft Graph API.)


Looking into the response, we will find such a 'NotificationRule' in it.

{
    "ruleIdentifier": "NotificationRule",
    "setting": "{\"policies\":[{\"deliveryMechanism\":\"email\",\"setting\":[{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":2},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":0},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":1}]}]}"
}

It is missing in Microsoft Graph API.

So we just need to update this 'NotificationRule' in Microsoft Graph using Update governanceRoleSetting.

For example:

PATCH https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleSettings/b12d879d-e521-4b0b-971c-7a2b6ac979ba

{
    "adminEligibleSettings": [{
            "ruleIdentifier": "ExpirationRule",
            "setting": "{\"permanentAssignment\":false,\"maximumGrantPeriodInMinutes\":525600}"
        }, {
            "ruleIdentifier": "MfaRule",
            "setting": "{\"mfaRequired\":false}"
        }, {
            "ruleIdentifier": "NotificationRule",
            "setting": "{\"policies\":[{\"deliveryMechanism\":\"email\",\"setting\":[{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":2},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":0},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":1}]}]}"
        }
    ]
}

You should set the value for notificationlevel.

Please note that \"notificationlevel\":2 is setting 'Critical emails only' as False and \"notificationlevel\":1 is True.

answered 2020-06-17T09:44:28.630
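The following script is an added example, not code from the question or the answer above. It automates the answer's procedure from the question's PowerShell setup: it reads the current governanceRoleSetting with GET, parses the NotificationRule (whose "setting" value is a JSON document stored as a string, so it has to be decoded, edited and re-encoded), sets notificationlevel to 1 (which the answer states is 'Critical emails only' = True), and PATCHes the rules back. Round-tripping the rules that were read, rather than copying the PATCH body from the answer verbatim, matters: the answer's body also carries an ExpirationRule and an MfaRule with example values (mfaRequired false, a one-year grant period), and pasting those into your own tenant would silently rewrite the MFA and expiration settings of the role. Assumptions, since neither the question nor the answer covers them: $Token is the OAuth response object the question uses; $RoleSettingId is a placeholder for the roleSettings id seen in the portal request; the answer only shows adminEligibleSettings, and it is assumed here that the other setting groups of the resource (adminMemberSettings, userEligibleSettings, userMemberSettings) carry a NotificationRule of the same shape, so the script takes the group names as a parameter and defaults to the one the answer shows.

```powershell
# Added example (not from the question or the answer): switch the PIM NotificationRule of one
# Azure resource role setting to 'Critical emails only' through the beta Graph endpoint,
# preserving every other rule by reading the current setting first and patching it back.
param(
    # Placeholder: the roleSettings id of the role (the answer's URL shows what one looks like)
    [Parameter(Mandatory)] [string] $RoleSettingId,
    # The OAuth token response object used in the question ($Token.token_type / access_token)
    [Parameter(Mandatory)] $Token,
    # Setting groups to update; the answer demonstrates adminEligibleSettings only.
    # It is an assumption that the other groups carry the same NotificationRule shape.
    [string[]] $SettingGroups = @('adminEligibleSettings'),
    # Per the answer: 1 = 'Critical emails only' True, 2 = False
    [ValidateSet(1, 2)] [int] $NotificationLevel = 1
)

$baseUri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleSettings/$RoleSettingId"
# One space between token type and token (the question's concatenation produced two)
$headers = @{ Authorization = "$($Token.token_type) $($Token.access_token)" }

function Set-NotificationLevel {
    # Returns the rule list with only the NotificationRule's notificationlevel changed.
    param([object[]] $Rules, [int] $Level)
    foreach ($rule in $Rules) {
        if ($rule.ruleIdentifier -ne 'NotificationRule') { continue }
        # 'setting' is JSON-in-a-string: decode, edit every recipient entry, re-encode compactly
        $setting = $rule.setting | ConvertFrom-Json
        foreach ($policy in $setting.policies) {
            foreach ($entry in $policy.setting) {
                $entry.notificationlevel = $Level
            }
        }
        $rule.setting = $setting | ConvertTo-Json -Compress -Depth 10
    }
    return $Rules
}

# 1. Read the current role setting so unrelated rules (ExpirationRule, MfaRule, ...) are kept as-is
$current = Invoke-RestMethod -Method Get -Uri $baseUri -Headers $headers

$body = @{}
foreach ($group in $SettingGroups) {
    if (-not $current.$group) {
        Write-Warning "Role setting $RoleSettingId has no '$group' rules; skipping"
        continue
    }
    # Send only ruleIdentifier/setting pairs, matching the PATCH body shape shown in the answer
    $body[$group] = @(
        Set-NotificationLevel -Rules $current.$group -Level $NotificationLevel |
            ForEach-Object { @{ ruleIdentifier = $_.ruleIdentifier; setting = $_.setting } }
    )
}
if ($body.Count -eq 0) { throw "Nothing to update for role setting $RoleSettingId" }

# 2. PATCH the edited rules back (Update governanceRoleSetting, as in the answer)
$json = $body | ConvertTo-Json -Depth 10
Invoke-RestMethod -Method Patch -Uri $baseUri -Headers $headers -ContentType 'application/json' -Body $json

# 3. Read back and show the stored notification level per recipient type, as a check
$after = Invoke-RestMethod -Method Get -Uri $baseUri -Headers $headers
foreach ($group in $SettingGroups) {
    $rule = $after.$group | Where-Object ruleIdentifier -eq 'NotificationRule'
    if ($rule) {
        ($rule.setting | ConvertFrom-Json).policies.setting |
            Select-Object @{ n = 'group'; e = { $group } }, recipienttype, notificationlevel
    }
}
```

Run it as `.\Set-PimCriticalEmailsOnly.ps1 -RoleSettingId <id> -Token $Token` (script name is a placeholder). The read-back at the end is the useful part for change control: it prints the notificationlevel actually stored for each recipienttype, so the result can be compared with what the portal shows under 'Critical emails only' before the change is rolled out to more roles.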