I'm writing a simple frontend app to allow my team to work with PIM for Groups without needing to access the Azure Portal. I'm using the delegated permissions model to make requests on behalf of the signed-in user.
I want to fetch the current pending PIM for groups approval requests, and display the details of those requests.
The following call to get all the pending approval requests works just fine:
GET /identityGovernance/privilegedAccess/group/assignmentApprovals/filterByCurrentUser(on='approver')
As per the MS Graph API v1.0 docs, this returns an object that doesn't contain anything meaningful that I could display to the user:
{
    "value": [
        {
            "@odata.type": "#microsoft.graph.approval",
            "id": "46bc634a-0696-43c5-bc99-d568bc3c27f5",
            "stages": [
                {
                    "id": "46bc634a-0696-43c5-bc99-d568bc3c27f5",
                    "displayName": null,
                    "reviewedDateTime": null,
                    "reviewResult": "NotReviewed",
                    "status": "Completed",
                    "assignedToMe": true,
                    "justification": "",
                    "reviewedBy": null
                }
            ]
        }
    ]
}
Is there a way to get some additional details for this approval object, like the group name, principal name, justification message?
I tried making a bunch of calls using the Graph API, for example:
GET /identityGovernance/privilegedAccess/group/assignmentScheduleRequests/{privilegedAccessGroupAssignmentScheduleRequestId}
but I'm getting a 403, as it looks like one needs to be a Global Administrator or something to be able to obtain details of assignmentScheduleRequests for other users.
EDIT:
Sridevi asked if I could add a screenshot of what the details I'd like to fetch look like in Azure Portal. Here it is:
For an existing approval object, I'd like to get at least the Requestor, Resource and Reason fields.
I agree with @user2250152; the correct endpoint to get PIM group request approval details is:
GET https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests/id/
I have one approval request pending with the details below in the Azure Portal:
Initially, I ran the Graph API call below to fetch the ID of the privileged access group assignment schedule request, signed in with the approver account:
GET https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentApprovals/filterByCurrentUser(on='approver')
Response:
When I ran the Graph API call below signed in with a user having the "Global Administrator" role, I got a response with groupId, principalId and justification successfully, like this:
GET https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests/id/
Response:
I tried creating custom roles with different permissions and checked with other roles, but it did not work.
AFAIK, the only way to read PIM group requests details of other users is to sign in with user account having "Global Administrator" role.
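The two-step flow discussed in this thread (list the approvals assigned to the signed-in approver, then look up each one as an assignmentScheduleRequest to get groupId, principalId and justification), as an added example that is not code from the question or the answer. It assumes a delegated-permission Graph access token and the two endpoints quoted above; the /groups/{id} and /users/{id} lookups that turn the ids into display names go beyond what the thread shows. The fetch function is injected so the same code runs offline against constructed sample responses, including the 403 a non-admin approver gets on assignmentScheduleRequests, which is handled by still returning the approval id rather than failing.

```python
"""Stitch PIM-for-Groups approval details together from the Graph calls in this thread.

Added example; not code from either poster. Assumes a delegated-permission token,
the two endpoints quoted in the thread, and /groups/{id} + /users/{id} for display
names (those two lookups are an assumption beyond the thread). `fetch` is injected
so the flow also runs offline against the constructed SAMPLE_RESPONSES below.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"
PIM_GROUP = GRAPH + "/identityGovernance/privilegedAccess/group"
APPROVALS_URL = PIM_GROUP + "/assignmentApprovals/filterByCurrentUser(on='approver')"

# fetch(url) -> (http_status, parsed_json_body_or_None); must not raise on 4xx.
Fetch = Callable[[str], Tuple[int, Optional[dict]]]


def graph_fetch(token: str) -> Fetch:
    """Real fetcher for a delegated access token (not used by the offline sample)."""
    def _fetch(url: str) -> Tuple[int, Optional[dict]]:
        req = Request(url, headers={"Authorization": "Bearer " + token})
        try:
            with urlopen(req) as resp:
                return resp.status, json.load(resp)
        except HTTPError as err:
            return err.code, None
    return _fetch


def pending_approval_ids(fetch: Fetch) -> List[str]:
    """Ids of approvals the signed-in approver has not reviewed yet.

    Per the answer above, the approval id is what you pass to assignmentScheduleRequests/{id}.
    """
    status, body = fetch(APPROVALS_URL)
    if status != 200 or body is None:
        raise RuntimeError("filterByCurrentUser failed: HTTP %d" % status)
    return [
        a["id"] for a in body.get("value", [])
        if any(s.get("assignedToMe") and s.get("reviewResult") == "NotReviewed"
               for s in a.get("stages", []))
    ]


def describe_approval(fetch: Fetch, approval_id: str) -> Dict[str, Optional[str]]:
    """Best-effort Requestor / Resource / Reason for one approval.

    A non-admin approver gets 403 on assignmentScheduleRequests (as the thread reports);
    the record then keeps the id plus detail_error so the UI can still list the request.
    """
    out: Dict[str, Optional[str]] = {
        "id": approval_id, "groupId": None, "groupName": None, "principalId": None,
        "principalName": None, "justification": None, "detail_error": None,
    }
    status, req = fetch(PIM_GROUP + "/assignmentScheduleRequests/" + approval_id)
    if status != 200 or req is None:
        out["detail_error"] = "HTTP %d" % status
        return out
    out["groupId"] = req.get("groupId")
    out["principalId"] = req.get("principalId")
    out["justification"] = req.get("justification")
    if out["groupId"]:  # resolve ids to names; these lookups are an assumption
        s, g = fetch(GRAPH + "/groups/" + out["groupId"])
        out["groupName"] = g.get("displayName") if s == 200 and g else None
    if out["principalId"]:
        s, u = fetch(GRAPH + "/users/" + out["principalId"])
        out["principalName"] = u.get("displayName") if s == 200 and u else None
    return out


def pending_approval_details(fetch: Fetch) -> List[Dict[str, Optional[str]]]:
    return [describe_approval(fetch, i) for i in pending_approval_ids(fetch)]


# ---- constructed sample data (not captured from a real tenant) -----------------
PENDING_ID = "46bc634a-0696-43c5-bc99-d568bc3c27f5"   # id shown in the question
DONE_ID = "11111111-2222-3333-4444-555555555555"      # constructed, already approved
GROUP_ID = "aaaaaaaa-0000-0000-0000-000000000001"     # constructed
USER_ID = "bbbbbbbb-0000-0000-0000-000000000002"      # constructed

SAMPLE_RESPONSES = {
    APPROVALS_URL: {"value": [
        {"id": PENDING_ID, "stages": [{"assignedToMe": True, "reviewResult": "NotReviewed"}]},
        {"id": DONE_ID, "stages": [{"assignedToMe": True, "reviewResult": "Approve"}]},
    ]},
    PIM_GROUP + "/assignmentScheduleRequests/" + PENDING_ID: {
        "groupId": GROUP_ID, "principalId": USER_ID,
        "justification": "Need to deploy hotfix to prod",
    },
    GRAPH + "/groups/" + GROUP_ID: {"displayName": "Prod-Deployers"},
    GRAPH + "/users/" + USER_ID: {"displayName": "Alice Example"},
}


def make_sample_fetch(admin: bool) -> Fetch:
    """Offline fetcher; a non-admin caller gets 403 on assignmentScheduleRequests."""
    def _fetch(url: str) -> Tuple[int, Optional[dict]]:
        if "/assignmentScheduleRequests/" in url and not admin:
            return 403, None
        body = SAMPLE_RESPONSES.get(url)
        return (200, body) if body is not None else (404, None)
    return _fetch


if __name__ == "__main__":
    print(json.dumps(pending_approval_details(make_sample_fetch(admin=True)), indent=2))
    print(json.dumps(pending_approval_details(make_sample_fetch(admin=False)), indent=2))
```

Against a real tenant, call pending_approval_details(graph_fetch(token)) with the delegated token; the non-admin run shows why the frontend should treat groupId/principalId/justification as optional and fall back to listing the approval id with the error.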