AADRoleManagementPolicyRule
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
id |
Key |
String |
The unique identifier of the rule (for example Expiration_Admin_Eligibility). Read-only in Microsoft Graph; in this resource it is a key that, together with roleDisplayName, selects the rule to configure. |
|
roleDisplayName |
Key |
String |
Display name of the directory role whose role management policy the rule belongs to (for example Global Administrator). |
|
ruleType |
Write |
String |
OData type of the rule, for example #microsoft.graph.unifiedRoleManagementPolicyExpirationRule. |
|
policyId |
Write |
String |
Identifier of the role management policy this rule belongs to. |
|
expirationRule |
Write |
MSFT_AADRoleManagementPolicyExpirationRule |
Expiration Rule. |
|
notificationRule |
Write |
MSFT_AADRoleManagementPolicyNotificationRule |
Notification Rule. |
|
enablementRule |
Write |
MSFT_AADRoleManagementPolicyEnablementRule |
Enablement Rule. |
|
approvalRule |
Write |
MSFT_AADRoleManagementPolicyApprovalRule |
Approval Rule. |
|
authenticationContextRule |
Write |
MSFT_AADRoleManagementPolicyAuthenticationContextRule |
Authentication Context Rule. |
|
Credential |
Write |
PSCredential |
Credentials of the Admin |
|
ApplicationId |
Write |
String |
Id of the Azure Active Directory application to authenticate with. |
|
TenantId |
Write |
String |
Id of the Azure Active Directory tenant used for authentication. |
|
ApplicationSecret |
Write |
PSCredential |
Client secret of the Azure Active Directory application used for authentication. Prefer CertificateThumbprint or ManagedIdentity where possible so that no secret has to be stored alongside the configuration. |
|
CertificateThumbprint |
Write |
String |
Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. |
|
ManagedIdentity |
Write |
Boolean |
Indicates whether a managed identity is used for authentication. |
|
AccessTokens |
Write |
StringArray[] |
Access tokens used for authentication, supplied as an array. |
|
MSFT_AADRoleManagementPolicyExpirationRule
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
isExpirationRequired |
Write |
Boolean |
Specifies whether the assignment or eligibility covered by the rule must have an expiration. |
|
maximumDuration |
Write |
String |
The maximum duration before expiration, expressed as an ISO 8601 duration (for example P180D). |
|
MSFT_AADRoleManagementPolicyNotificationRule
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
notificationType |
Write |
String |
Notification type for the rule. |
|
recipientType |
Write |
String |
Type of the recipient for the notification. |
|
notificationLevel |
Write |
String |
Level of the notification. |
|
isDefaultRecipientsEnabled |
Write |
Boolean |
Indicates if default recipients are enabled. |
|
notificationRecipients |
Write |
StringArray[] |
List of notification recipients. |
|
MSFT_AADRoleManagementPolicyEnablementRule
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
enabledRules |
Write |
StringArray[] |
List of enabled rules. |
|
MSFT_AADRoleManagementPolicySubjectSet
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
odataType |
Write |
String |
The type of the subject set. |
|
MSFT_AADRoleManagementPolicyApprovalStage
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
approvalStageTimeOutInDays |
Write |
UInt32 |
The number of days that a request can be pending a response before it is automatically denied. |
|
escalationTimeInMinutes |
Write |
UInt32 |
The time a request can be pending a response from a primary approver before it can be escalated to the escalation approvers. |
|
isApproverJustificationRequired |
Write |
Boolean |
Indicates whether the approver must provide a justification for their response. |
|
isEscalationEnabled |
Write |
Boolean |
Indicates whether escalation is enabled. |
|
escalationApprovers |
Write |
MSFT_AADRoleManagementPolicySubjectSet[] |
The escalation approvers for this stage when the primary approvers don't respond. |
|
primaryApprovers |
Write |
MSFT_AADRoleManagementPolicySubjectSet[] |
The primary approvers of this stage. |
|
MSFT_AADRoleManagementPolicyApprovalSettings
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
approvalMode |
Write |
String |
One of SingleStage, Serial, Parallel, NoApproval (default). NoApproval is used when isApprovalRequired is false. |
|
approvalStages |
Write |
MSFT_AADRoleManagementPolicyApprovalStage[] |
If approval is required, the one or two elements of this collection define each of the stages of approval. An empty array if no approval is required. |
|
isApprovalRequired |
Write |
Boolean |
Indicates whether approval is required for requests in this policy. |
|
isApprovalRequiredForExtension |
Write |
Boolean |
Indicates whether approval is required for a user to extend their assignment. |
|
isRequestorJustificationRequired |
Write |
Boolean |
Indicates whether the requestor is required to supply a justification in their request. |
|
MSFT_AADRoleManagementPolicyApprovalRule
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
setting |
Write |
MSFT_AADRoleManagementPolicyApprovalSettings |
Settings for approval requirements. |
|
MSFT_AADRoleManagementPolicyAuthenticationContextRule
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
isEnabled |
Write |
Boolean |
Indicates if the authentication context rule is enabled. |
|
claimValue |
Write |
String |
Claim value associated with the rule. |
|
Description
Azure AD Role Management Policy Rule
Permissions
Microsoft Graph
To authenticate with the Microsoft Graph API, this resource requires the following permissions:
Delegated permissions
-
Read
- RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All
-
Update
- RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory
Application permissions
-
Read
- RoleManagementPolicy.Read.Directory, RoleManagement.Read.Directory, RoleManagement.Read.All
-
Update
- RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory
Examples
Example 1
This example is used to test new resources and to showcase the usage of resources that are still being worked on.
It is not meant to be used as a production baseline.
<#
    Sample DSC configuration for AADRoleManagementPolicyRule.

    Configures the "Expiration_Admin_Eligibility" expiration rule of the
    Global Administrator role management policy. The rule is located by the
    two key properties roleDisplayName and id.

    Parameters:
      ApplicationId         - Azure AD application used to call Microsoft Graph.
      TenantId              - Azure AD tenant to authenticate against.
      CertificateThumbprint - Thumbprint of the application's auth certificate.

    NOTE(review): isExpirationRequired = $false means eligibility for
    Global Administrator is not forced to expire; confirm this is the intended
    posture before reusing the example outside of testing.
#>
Configuration Example
{
    param
    (
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName 'Microsoft365DSC'

    Node 'localhost'
    {
        AADRoleManagementPolicyRule 'AADRoleManagementPolicyRule-Expiration_Admin_Eligibility'
        {
            # Key properties: role + rule id select the rule to configure.
            roleDisplayName       = 'Global Administrator'
            id                    = 'Expiration_Admin_Eligibility'
            ruleType              = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'

            # maximumDuration is an ISO 8601 duration (180 days here).
            expirationRule        = MSFT_AADRoleManagementPolicyExpirationRule {
                isExpirationRequired = $false
                maximumDuration      = 'P180D'
            }

            # Certificate-based application authentication; no client secret
            # is stored with the configuration.
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}