Tags: azure, powershell, graph, roles, pim

Is it possible to use Azure Graph API to change Notifications in PIM


I'm new to Stack Overflow, so if you have any feedback please let me know! I have created a PowerShell script to set eligible role assignments at resource groups by using the Microsoft (beta) Graph API for PIM. I use Invoke-RestMethod to call the API like this:

# $Token: OAuth token response obtained earlier; $ResourceID: PIM resource id of the resource group
$queryApiUri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources/$ResourceID/roleAssignments"
$Headers = @{}
# one space between the token type ("Bearer") and the token value
$Headers.Add("Authorization","$($Token.token_type) $($Token.access_token)")
$query = Invoke-RestMethod -Method Get -Uri $queryApiUri -Headers $Headers

This works fine, but people and admins are driven crazy by all the email that is sent as notifications when activating roles. Notifications are sent at creation and activation times and when approvers are needed. It is possible to set Notifications to 'Critical emails only' in the portal by hand, to eliminate email flooding. Does anyone know if it is possible to do this with the Graph API?


Solution

  • When we modify the 'Critical emails only' at the portal and try to get governanceRoleSetting, we will see that there is no change in the result.

    Obviously Microsoft Graph hasn't exposed the method to update 'Critical emails only'.

    But in fact, we can make it via Microsoft Graph. Here I'll share my steps. Please note it's not mentioned in the Microsoft Graph documentation. It's just for your reference.

    Take subscription owner role as the example.

    Open the edit role setting page of subscription owner in the browser and press F12 to open the developer tools. Click on Update. Then we will see a request named 'roleSettingsv2'. (It is not a Microsoft Graph API request.)


    Looking into the response, we will find such a 'NotificationRule' in it.

    {
        "ruleIdentifier": "NotificationRule",
        "setting": "{\"policies\":[{\"deliveryMechanism\":\"email\",\"setting\":[{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":2},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":0},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":1}]}]}"
    }
    

    It is missing in Microsoft Graph API.

    So we just need to update this 'NotificationRule' in Microsoft Graph using Update governanceRoleSetting.

    For example:

    PATCH https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleSettings/b12d879d-e521-4b0b-971c-7a2b6ac979ba
    
    {
        "adminEligibleSettings": [{
                "ruleIdentifier": "ExpirationRule",
                "setting": "{\"permanentAssignment\":false,\"maximumGrantPeriodInMinutes\":525600}"
            }, {
                "ruleIdentifier": "MfaRule",
                "setting": "{\"mfaRequired\":false}"
            }, {
                "ruleIdentifier": "NotificationRule",
                "setting": "{\"policies\":[{\"deliveryMechanism\":\"email\",\"setting\":[{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":2},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":0},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":1}]}]}"
            }
        ]
    }
    

    You should set the value for notificationlevel.

    Please note that \"notificationlevel\":2 is setting 'Critical emails only' as False and \"notificationlevel\":1 is True.
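The steps above, as an added PowerShell example (not code from the question or the answer): it reads the current governanceRoleSetting, rewrites only the NotificationRule so that every recipient type gets notificationlevel 1 ('Critical emails only' on), PATCHes it back, and reads it again to confirm. It assumes $Token holds the bearer token response from the question's earlier auth step, that $RoleSettingId is the id of the role setting you are editing (a placeholder here), and that the undocumented NotificationRule format is the one shown in the answer, so check a live GET before relying on it. The same loop can be pointed at adminMemberSettings, userEligibleSettings and userMemberSettings if those collections are present in your tenant's response.

```powershell
# Added example, not from the question or answer.
# Assumes: $Token (token_type/access_token) from an earlier auth step;
# $RoleSettingId = governanceRoleSetting id of the role being edited (placeholder).
$RoleSettingId = "<role-setting-id>"   # placeholder: look it up under .../azureResources/roleSettings
$Uri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleSettings/$RoleSettingId"
$Headers = @{ Authorization = "$($Token.token_type) $($Token.access_token)" }

# 1. Read the current setting so ExpirationRule / MfaRule are sent back unchanged.
$current = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers

# 2. The 'setting' property is a JSON *string* inside the JSON body, so it has to be
#    parsed and re-serialised on its own. Per the answer: 1 = critical only, 2 = all mail.
$targetLevel = 1
$adminEligible = foreach ($rule in $current.adminEligibleSettings) {
    if ($rule.ruleIdentifier -eq "NotificationRule") {
        $policy = $rule.setting | ConvertFrom-Json
        foreach ($p in $policy.policies) {
            foreach ($s in $p.setting) { $s.notificationlevel = $targetLevel }
        }
        # -Depth 10: the nested policies/setting arrays exceed the default depth of 2
        $rule.setting = $policy | ConvertTo-Json -Compress -Depth 10
    }
    $rule
}

# 3. PATCH only the collection that changed; the inner JSON string stays double-encoded.
$body = @{ adminEligibleSettings = @($adminEligible) } | ConvertTo-Json -Depth 10
Invoke-RestMethod -Method Patch -Uri $Uri -Headers $Headers -ContentType "application/json" -Body $body

# 4. Read back and confirm each recipienttype now carries the requested level.
$after = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
$notif = ($after.adminEligibleSettings | Where-Object ruleIdentifier -eq "NotificationRule").setting | ConvertFrom-Json
$notif.policies.setting | Select-Object recipienttype, notificationlevel
```

Because the PATCH replaces the whole adminEligibleSettings collection, always start from a fresh GET rather than a hand-written body; otherwise a stale ExpirationRule or MfaRule would silently overwrite a value another admin changed in the portal.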