Merge pull request #220512 from markwahl-msft/mwahl-em-pshadvanced

entitlement management: even more example psh

Author: denrea

articles/active-directory/governance/entitlement-management-access-package-auto-assignment-policy.md

@@ -70,7 +70,42 @@ To create a policy for an access package, you need to start from the access pack
 
 ## Create an automatic assignment policy programmatically (Preview)
 
-You can also create a policy using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application in a catalog role or with the `EntitlementManagement.ReadWrite.All` permission, can call the [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-1.0&preserve-view=true) API.  In your [request payload](/graph/api/resources/accesspackageassignmentpolicy?view=graph-rest-1.0&preserve-view=true), include the `displayName`, `description`, `specificAllowedTargets`, [`automaticRequestSettings`](/graph/api/resources/accesspackageautomaticrequestsettings?view=graph-rest-1.0&preserve-view=true) and `accessPackage` properties of the policy.
+There are two ways to create an access package assignment policy for automatic assignment programmatically, through Microsoft Graph and through the PowerShell cmdlets for Microsoft Graph.
+
+### Creating an access package assignment policy through Graph
+
+You can create a policy using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application in a catalog role or with the `EntitlementManagement.ReadWrite.All` permission, can call the [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-1.0&preserve-view=true) API. In your [request payload](/graph/api/resources/accesspackageassignmentpolicy?view=graph-rest-1.0&preserve-view=true), include the `displayName`, `description`, `specificAllowedTargets`, [`automaticRequestSettings`](/graph/api/resources/accesspackageautomaticrequestsettings?view=graph-rest-1.0&preserve-view=true) and `accessPackage` properties of the policy.
+
+### Creating an access package assignment policy through PowerShell
+
+You can also create a policy in PowerShell with the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or later.
+
+This script below illustrates using the `v1.0` profile, to create a policy for automatic assignment to an access package.  See [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-v1.0&preserve-view=true) for more examples.
+
+```powershell
+Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
+Select-MgProfile -Name "v1.0"
+
+$apid = "cdd5f06b-752a-4c9f-97a6-82f4eda6c76d"
+
+$pparams = @{
+	DisplayName = "Sales department users"
+	Description = "All users from sales department"
+	AllowedTargetScope = "specificDirectoryUsers"
+	SpecificAllowedTargets = @( @{
+        "@odata.type" = "#microsoft.graph.attributeRuleMembers"
+        description = "All users from sales department"
+        membershipRule = '(user.department -eq "Sales")'
+	} )
+	AutomaticRequestSettings = @{
+        RequestAccessForAllowedTargets = $true
+	}
+    AccessPackage = @{
+      Id = $apid
+    }
+}
+New-MgEntitlementManagementAssignmentPolicy -BodyParameter $pparams
+```
 
 ## Next steps
 

articles/active-directory/governance/entitlement-management-access-package-create.md

@@ -197,7 +197,7 @@ $rparams = @{
 New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $ap.Id -BodyParameter $rparams
 ```
 
-Finally, create the policies.  In this policy, only the administrator can assign access, and there are no access reviews.  See [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for more examples.
+Finally, create the policies.  In this policy, only the administrator can assign access, and there are no access reviews.  See [create an assignment policy through PowerShell](entitlement-management-access-package-request-policy.md#creating-an-access-package-assignment-policy-through-powershell) and [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for more examples.
 
 ```powershell
 

articles/active-directory/governance/entitlement-management-access-package-incompatible.md

@@ -67,10 +67,28 @@ Follow these steps to change the list of incompatible groups or other access pac
 
 1.  If you wish to prevent users who have an existing group membership from requesting this access package, then select on **Add group** and select the group that the user would already be in.
 
-### Configure incompatible access packages programmatically
+### Configure incompatible access packages programmatically through Graph
 
-You can also configure the groups and other access packages that are incompatible with access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application with that application permission, can call the API to add, remove, and list the incompatible groups and access packages [of an access package](/graph/api/resources/accesspackage).
+You can configure the groups and other access packages that are incompatible with an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application with that application permission, can call the API to add, remove, and list the incompatible groups and access packages [of an access package](/graph/api/resources/accesspackage).
 
+### Configure incompatible access packages through Microsoft PowerShell
+
+You can also configure the groups and other access packages that are incompatible with an access package in PowerShell with the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or later.
+
+This script below illustrates using the `v1.0` profile of Graph to create a relationship to indicate another access package as incompatible.
+
+```powershell
+Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
+Select-MgProfile -Name "v1.0"
+
+$apid = "5925c3f7-ed14-4157-99d9-64353604697a"
+$otherapid = "cdd5f06b-752a-4c9f-97a6-82f4eda6c76d"
+
+$params = @{
+   "@odata.id" = "https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackages/" + $otherapid
+}
+New-MgEntitlementManagementAccessPackageIncompatibleAccessPackageByRef -AccessPackageId $apid -BodyParameter $params
+```
 
 ## View other access packages that are configured as incompatible with this one
 

articles/active-directory/governance/entitlement-management-access-package-request-policy.md

@@ -221,7 +221,7 @@ You can create a policy using Microsoft Graph. A user in an appropriate role wit
 
 You can also create an access package in PowerShell with the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or later.  
 
-This script below illustrates using the `beta` profile, to create a policy for direct assignment to an access package. In this policy, only the administrator can assign access, and there are no access reviews.  See [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for more examples.
+This script below illustrates using the `beta` profile, to create a policy for direct assignment to an access package. In this policy, only the administrator can assign access, and there are no access reviews. See [Create an automatic assignment policy](entitlement-management-access-package-auto-assignment-policy.md#creating-an-access-package-assignment-policy-through-powershell) for an example of how to create an automatic assignment policy, and [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-beta&preserve-view=true) for more examples.
 
 ```powershell
 Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"

articles/active-directory/governance/entitlement-management-organization.md

@@ -142,6 +142,19 @@ If you no longer have a relationship with an external Azure AD directory or doma
 
 You can also create, list, update, and delete connected organizations using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to manage [connectedOrganization](/graph/api/resources/connectedorganization) objects and set sponsors for them.
 
+### Manage connected organizations through Microsoft PowerShell
+
+You can also manage connected organizations in PowerShell with the cmdlets from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 1.16.0 or later.
+
+This script below illustrates using the `v1.0` profile of Graph to retrieve all the connected organizations.
+
+```powershell
+Connect-MgGraph -Scopes "EntitlementManagement.ReadWrite.All"
+Select-MgProfile -Name "v1.0"
+
+$co = Get-MgEntitlementManagementConnectedOrganization -all
+```
+
 ## State properties of connected organizations
 
 There are two different types of state properties for connected organizations in Microsoft Entra entitlement management currently, configured and proposed: