# AADRoleManagementPolicyRule

## Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| id | Key | String | The unique identifier for an entity. Read-only. | |
| roleDisplayName | Key | String | Role display name. | |
| ruleType | Write | String | Rule Type. | |
| policyId | Write | String | Policy Id. | |
| expirationRule | Write | MSFT_AADRoleManagementPolicyExpirationRule | Expiration Rule. | |
| notificationRule | Write | MSFT_AADRoleManagementPolicyNotificationRule | Notification Rule. | |
| enablementRule | Write | MSFT_AADRoleManagementPolicyEnablementRule | Enablement Rule. | |
| approvalRule | Write | MSFT_AADRoleManagementPolicyApprovalRule | Approval Rule. | |
| authenticationContextRule | Write | MSFT_AADRoleManagementPolicyAuthenticationContextRule | Authentication Context Rule. | |
| Credential | Write | PSCredential | Credentials of the Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. | |
### MSFT_AADRoleManagementPolicyExpirationRule

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| isExpirationRequired | Write | Boolean | Specifies if expiration is required. | |
| maximumDuration | Write | String | The maximum duration for the expiration. | |
### MSFT_AADRoleManagementPolicyNotificationRule

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| notificationType | Write | String | Notification type for the rule. | |
| recipientType | Write | String | Type of the recipient for the notification. | |
| notificationLevel | Write | String | Level of the notification. | |
| isDefaultRecipientsEnabled | Write | Boolean | Indicates if default recipients are enabled. | |
| notificationRecipients | Write | StringArray[] | List of notification recipients. | |
### MSFT_AADRoleManagementPolicyEnablementRule

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| enabledRules | Write | StringArray[] | List of enabled rules. | |
### MSFT_AADRoleManagementPolicySubjectSet

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| odataType | Write | String | The type of the subject set. | |
### MSFT_AADRoleManagementPolicyApprovalStage

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| approvalStageTimeOutInDays | Write | UInt32 | The number of days that a request can be pending a response before it is automatically denied. | |
| escalationTimeInMinutes | Write | UInt32 | The time a request can be pending a response from a primary approver before it can be escalated to the escalation approvers. | |
| isApproverJustificationRequired | Write | Boolean | Indicates whether the approver must provide justification for their response. | |
| isEscalationEnabled | Write | Boolean | Indicates whether escalation is enabled. | |
| escalationApprovers | Write | MSFT_AADRoleManagementPolicySubjectSet[] | The escalation approvers for this stage when the primary approvers don't respond. | |
| primaryApprovers | Write | MSFT_AADRoleManagementPolicySubjectSet[] | The primary approvers of this stage. | |
### MSFT_AADRoleManagementPolicyApprovalSettings

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| approvalMode | Write | String | One of SingleStage, Serial, Parallel, NoApproval (default). NoApproval is used when isApprovalRequired is false. | |
| approvalStages | Write | MSFT_AADRoleManagementPolicyApprovalStage[] | If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required. | |
| isApprovalRequired | Write | Boolean | Indicates whether approval is required for requests in this policy. | |
| isApprovalRequiredForExtension | Write | Boolean | Indicates whether approval is required for a user to extend their assignment. | |
| isRequestorJustificationRequired | Write | Boolean | Indicates whether the requestor is required to supply a justification in their request. | |
### MSFT_AADRoleManagementPolicyApprovalRule

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| setting | Write | MSFT_AADRoleManagementPolicyApprovalSettings | Settings for approval requirements. | |
### MSFT_AADRoleManagementPolicyAuthenticationContextRule

#### Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
| --- | --- | --- | --- | --- |
| isEnabled | Write | Boolean | Indicates if the authentication context rule is enabled. | |
| claimValue | Write | String | Claim value associated with the rule. | |
## Description

Azure AD Role Management Policy Rule

## Permissions

### Microsoft Graph

To authenticate with the Microsoft Graph API, this resource requires the following permissions:

#### Delegated permissions

- Read
    - RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory
- Update
    - RoleManagementPolicy.ReadWrite.Directory, RoleManagement.Read.Directory

#### Application permissions

- Read
    - RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory
- Update
    - RoleManagementPolicy.ReadWrite.Directory, RoleManagement.Read.Directory
## Examples

### Example 1

This example is used to test new resources and showcase the usage of new resources being worked on.
It is not meant to be used as a production baseline.

```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADRoleManagementPolicyRule "AADRoleManagementPolicyRule-Expiration_Admin_Eligibility"
        {
            expirationRule = MSFT_AADRoleManagementPolicyExpirationRule{
                isExpirationRequired = $False
                maximumDuration = 'P180D'
            };
            id = "Expiration_Admin_Eligibility";
            roleDisplayName = "Global Administrator";
            ruleType = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule";
            ApplicationId = $ApplicationId
            TenantId = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```
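The page's example only sets an expiration rule. As an added example that is not part of the Microsoft365DSC documentation or module, the configuration below uses the enablementRule and approvalRule parameters described above to require MFA, justification and a single-stage approval before the Global Administrator role can be activated. The rule ids `Enablement_EndUser_Assignment` and `Approval_EndUser_Assignment`, the two ruleType strings and the enabledRules values are assumed from the Graph unifiedRoleManagementPolicy rule model rather than taken from this page; the subject set listed here exposes only odataType, so the concrete approver group identity is assumed to be set through whatever additional property the installed module version provides.

```powershell
Configuration HardenGlobalAdminActivation
{
    param([System.String] $ApplicationId, [System.String] $TenantId, [System.String] $CertificateThumbprint)
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        # Activating the eligible role requires MFA and a written justification.
        # Rule id, ruleType and enabledRules values: assumed from the Graph rule model.
        AADRoleManagementPolicyRule "GA-Enablement_EndUser_Assignment"
        {
            id              = "Enablement_EndUser_Assignment"
            roleDisplayName = "Global Administrator"
            ruleType        = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
            enablementRule  = MSFT_AADRoleManagementPolicyEnablementRule {
                enabledRules = @('MultiFactorAuthentication', 'Justification')
            }
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }

        # Every activation and every extension needs one approval stage; approvers
        # must justify their decision and unanswered requests are denied after 1 day.
        AADRoleManagementPolicyRule "GA-Approval_EndUser_Assignment"
        {
            id              = "Approval_EndUser_Assignment"
            roleDisplayName = "Global Administrator"
            ruleType        = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
            approvalRule    = MSFT_AADRoleManagementPolicyApprovalRule {
                setting = MSFT_AADRoleManagementPolicyApprovalSettings {
                    isApprovalRequired               = $True
                    isApprovalRequiredForExtension   = $True
                    isRequestorJustificationRequired = $True
                    approvalMode                     = 'SingleStage'
                    approvalStages                   = @(
                        MSFT_AADRoleManagementPolicyApprovalStage {
                            approvalStageTimeOutInDays      = 1
                            isApproverJustificationRequired = $True
                            isEscalationEnabled             = $False
                            # Approver group identity: assumed to be supplied by the module version in use.
                            primaryApprovers = @(MSFT_AADRoleManagementPolicySubjectSet { odataType = '#microsoft.graph.groupMembers' })
                        }
                    )
                }
            }
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```

Because approvalStageTimeOutInDays denies unanswered requests automatically, a stage with no reachable approver blocks activation entirely, so verify the approver set before applying the configuration to a production tenant.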