Commit 5b1212e

Merge pull request #249050 from billmath/pim3
updating
2 parents 2a4620c + 8691895 commit 5b1212e

7 files changed

+52
-28
lines changed


articles/active-directory/privileged-identity-management/pim-approval-workflow.md

Lines changed: 13 additions & 18 deletions
@@ -21,6 +21,8 @@ ms.collection: M365-identity-device-management
2121

2222
With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window is not configurable.
2323

24+
25+
2426
## View pending requests
2527

2628
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
@@ -96,18 +98,15 @@ GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentSche
9698
>[!NOTE]
9799
>Approvers are not able to approve their own role activation requests.
98100
99-
1. Find and select the request that you want to approve. An approve or deny page appears.
100-
101-
![Screenshot that shows the "Approve requests - Azure AD roles" page.](./media/azure-ad-pim-approval-workflow/resources-approve-pane.png)
102-
103-
1. In the **Justification** box, enter the business justification.
104-
105-
1. Select **Approve**. You will receive an Azure notification of your approval.
106-
107-
![Approve notification showing request was approved](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
101+
1. Find and select the request that you want to approve. An approve or deny page appears.
102+
2. In the **Justification** box, enter the business justification.
103+
3. Select **Submit**. You will receive an Azure notification of your approval.
108104

109105
## Approve pending requests using Microsoft Graph API
110106

107+
>[!NOTE]
108+
> Approval for **extend and renew** requests is currently not supported by the Microsoft Graph API
109+
111110
### Get IDs for the steps that require approval
112111

113112
For a specific activation request, this command gets all the approval steps that need approval. Multi-step approvals are not currently supported.
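Review bot: In the renumbered approve steps, step 3 now reads Select **Submit**, but the same sentence still ends with "You will receive an Azure notification of your approval", and the Deny section of this file still names its button after the action (Select **Deny**). If the pane really has a single Submit button, the steps need to say where the approver chooses between approve and deny; otherwise keep **Approve**. The added note about **extend and renew** requests is also missing its closing period.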
@@ -148,8 +147,8 @@ GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentAppr
148147
PATCH
149148
https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/<request-ID-GUID>/steps/<approval-step-ID-GUID>
150149
{
151-
"reviewResult": "Approve",
152-
"justification": "abcdefg"
150+
"reviewResult": "Approve", // or "Deny"
151+
"justification": "Trusted User"
153152
}
154153
````
155154

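Review bot: The added `// or "Deny"` on the reviewResult line sits inside the JSON request body, and JSON has no comment syntax, so a reader who copies the example as shown sends a body that will not parse. Move the alternative value into the prose above the block, for example a sentence saying that reviewResult takes Approve or Deny. The portal steps in this file ask for a business justification, so a sample justification that reads like a business reason would model the field better than "Trusted User".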
@@ -159,13 +158,9 @@ Successful PATCH calls generate an empty response.
159158

160159
## Deny requests
161160

162-
1. Find and select the request that you want to deny. An approve or deny page appears.
163-
164-
![Approve requests - approve or deny pane with details and Justification box](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
165-
166-
1. In the **Justification** box, enter the business justification.
167-
168-
1. Select **Deny**. A notification appears with your denial.
161+
1. Find and select the request that you want to approve. An approve or deny page appears.
162+
2. In the **Justification** box, enter the business justification.
163+
3. Select **Deny**. A notification appears with your denial.
169164

170165
## Workflow notifications
171166

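Review bot: Step 1 of the Deny requests section now says "Find and select the request that you want to approve"; the removed line said "deny", so this looks like a copy of the approve steps. Change it back to "deny" so the step agrees with step 3 (Select **Deny**).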
articles/active-directory/privileged-identity-management/pim-resource-roles-approval-workflow.md

Lines changed: 39 additions & 10 deletions
@@ -23,12 +23,14 @@ With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD),
2323

2424
Follow the steps in this article to approve or deny requests for Azure resource roles.
2525

26+
2627
## View pending requests
2728

2829
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
2930

3031
As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view these pending requests in Privileged Identity Management.
3132

33+
3234
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).
3335

3436
1. Browse to **Identity governance** > **Privileged Identity Management** > **Approve requests**.
@@ -37,27 +39,54 @@ As a delegated approver, you'll receive an email notification when an Azure reso
3739

3840
In the **Requests for role activations** section, you'll see a list of requests pending your approval.
3941

42+
4043
## Approve requests
4144

42-
1. Find and select the request that you want to approve. An approve or deny page appears.
45+
1. Find and select the request that you want to approve. An approve or deny page appears.
46+
2. In the **Justification** box, enter the business justification.
47+
3. Select **Approve**. You will receive an Azure notification of your approval.
4348

44-
![Approve requests - approve or deny pane with details and Justification box](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
4549

46-
1. In the **Justification** box, enter the business justification.
50+
## Approve pending requests using Microsoft ARM API
4751

48-
1. Select **Approve**. You will receive an Azure notification of your approval.
52+
>[!NOTE]
53+
> Approval for **extend and renew** requests is currently not supported by the Microsoft ARM API
4954
50-
![Approve notification showing request was approved](./media/pim-resource-roles-approval-workflow/resources-approve-notification.png)
55+
### Get IDs for the steps that require approval
5156

52-
## Deny requests
57+
To get the details of any stage of a role assignment approval, you can use [Role Assignment Approval Step - Get By ID](/rest/api/authorization/role-assignment-approval-step/get-by-id?tabs=HTTP) REST API.
58+
59+
#### HTTP request
60+
61+
````HTTP
62+
GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignmentApprovals/{approvalId}/stages/{stageId}?api-version=2021-01-01-preview
63+
````
5364

54-
1. Find and select the request that you want to deny. An approve or deny page appears.
5565

56-
![Approve requests - approve or deny pane with details and Justification box](./media/pim-resource-roles-approval-workflow/resources-approve-pane.png)
66+
### Approve the activation request step
5767

58-
1. In the **Justification** box, enter the business justification.
68+
#### HTTP request
69+
70+
````HTTP
71+
PATCH
72+
PATCH https://management.azure.com/providers/Microsoft.Authorization/roleAssignmentApprovals/{approvalId}/stages/{stageId}?api-version=2021-01-01-preview
73+
{
74+
"reviewResult": "Approve", // or "Deny"
75+
"justification": "Trusted User"
76+
}
77+
````
78+
79+
#### HTTP response
80+
81+
Successful PATCH calls generate an empty response.
82+
83+
For more information, see [Use Role Assignment Approvals to approve PIM role activation requests with REST API](/rest/api/authorization/privileged-approval-sample)
84+
85+
## Deny requests
5986

60-
1. Select **Deny**. A notification appears with your denial.
87+
1. Find and select the request that you want to approve. An approve or deny page appears.
88+
2. In the **Justification** box, enter the business justification.
89+
3. Select **Deny**. A notification appears with your denial.
6190

6291
## Workflow notifications
6392

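Review bot: The added request example under "Approve the activation request step" has a bare PATCH line followed by a second line that starts with PATCH and the URL, so the verb appears twice; drop the bare line. The same body carries `// or "Deny"` inside JSON, which has no comment syntax, so state the alternative value in prose instead. The new heading "Get IDs for the steps that require approval" does not match its content, which fetches one stage by an ID the caller already holds (the URL uses stages/{stageId}); either rename the heading or show how approvalId and stageId are obtained. Step 1 of the rewritten Deny requests list says "approve" where the removed line said "deny", and the added note and the "For more information" sentence are missing their closing periods.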