AADRoleManagementPolicyRule¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| id | Key | String | The unique identifier for an entity. Read-only. | |
| roleDisplayName | Key | String | Role display name. | |
| ruleType | Write | String | Rule Type. | |
| policyId | Write | String | Policy Id. | |
| expirationRule | Write | MSFT_AADRoleManagementPolicyExpirationRule | Expiration Rule. | |
| notificationRule | Write | MSFT_AADRoleManagementPolicyNotificationRule | Notification Rule. | |
| enablementRule | Write | MSFT_AADRoleManagementPolicyEnablementRule | Enablement Rule. | |
| approvalRule | Write | MSFT_AADRoleManagementPolicyApprovalRule | Approval Rule. | |
| authenticationContextRule | Write | MSFT_AADRoleManagementPolicyAuthenticationContextRule | Authentication Context Rule. | |
| Credential | Write | PSCredential | Credentials of the Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. |
MSFT_AADRoleManagementPolicyExpirationRule¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| isExpirationRequired | Write | Boolean | Specifies if expiration is required. | |
| maximumDuration | Write | String | The maximum duration for the expiration. |
MSFT_AADRoleManagementPolicyNotificationRule¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| notificationType | Write | String | Notification type for the rule. | |
| recipientType | Write | String | Type of the recipient for the notification. | |
| notificationLevel | Write | String | Level of the notification. | |
| isDefaultRecipientsEnabled | Write | Boolean | Indicates if default recipients are enabled. | |
| notificationRecipients | Write | StringArray[] | List of notification recipients. |
MSFT_AADRoleManagementPolicyEnablementRule¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| enabledRules | Write | StringArray[] | List of enabled rules. |
MSFT_AADRoleManagementPolicySubjectSet¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| odataType | Write | String | The type of the subject set. |
MSFT_AADRoleManagementPolicyApprovalStage¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| approvalStageTimeOutInDays | Write | UInt32 | The number of days that a request can be pending a response before it is automatically denied. | |
| escalationTimeInMinutes | Write | UInt32 | The time a request can be pending a response from a primary approver before it can be escalated to the escalation approvers. | |
| isApproverJustificationRequired | Write | Boolean | Indicates whether the approver must provide justification for their reponse. | |
| isEscalationEnabled | Write | Boolean | Indicates whether escalation if enabled. | |
| escalationApprovers | Write | MSFT_AADRoleManagementPolicySubjectSet[] | The escalation approvers for this stage when the primary approvers don't respond. | |
| primaryApprovers | Write | MSFT_AADRoleManagementPolicySubjectSet[] | The primary approvers of this stage. |
MSFT_AADRoleManagementPolicyApprovalSettings¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| approvalMode | Write | String | One of SingleStage, Serial, Parallel, NoApproval (default). NoApproval is used when isApprovalRequired is false. | |
| approvalStages | Write | MSFT_AADRoleManagementPolicyApprovalStage[] | If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required. | |
| isApprovalRequired | Write | Boolean | Indicates whether approval is required for requests in this policy. | |
| isApprovalRequiredForExtension | Write | Boolean | Indicates whether approval is required for a user to extend their assignment. | |
| isRequestorJustificationRequired | Write | Boolean | Indicates whether the requestor is required to supply a justification in their request. |
MSFT_AADRoleManagementPolicyApprovalRule¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| setting | Write | MSFT_AADRoleManagementPolicyApprovalSettings | Settings for approval requirements. |
MSFT_AADRoleManagementPolicyAuthenticationContextRule¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| isEnabled | Write | Boolean | Indicates if the authentication context rule is enabled. | |
| claimValue | Write | String | Claim value associated with the rule. |
Description¶
Azure AD Role Management Policy Rule
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All
-
Update
- RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory
Application permissions¶
-
Read
- RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All
-
Update
- RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
AADRoleManagementPolicyRule "AADRoleManagementPolicyRule-Expiration_Admin_Eligibility"
{
expirationRule = MSFT_AADRoleManagementPolicyExpirationRule{
isExpirationRequired = $False
maximumDuration = 'P180D'
};
id = "Expiration_Admin_Eligibility";
roleDisplayName = "Global Administrator";
ruleType = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule";
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}