Merge pull request #103418 from markwahl-msft/mwahl-elm-api

PRMerger20 · web-flow · commit c050da3edfbd · 2020-02-10T10:58:08.000-08:00
add initial links for using Graph in entitlement management
diff --git a/articles/active-directory/governance/entitlement-management-access-package-assignments.md b/articles/active-directory/governance/entitlement-management-access-package-assignments.md
@@ -23,7 +23,7 @@ ms.collection: M365-identity-device-management
 ---
 # View, add, and remove assignments for an access package in Azure AD entitlement management
 
-In Azure AD entitlement management, you can see who has been assigned to access packages, their policy, and status. If an access package has an appropriate policy, you can also directly assign user to an access package. This article describes how to view, add, and remove assignments for an access packages.
+In Azure AD entitlement management, you can see who has been assigned to access packages, their policy, and status. If an access package has an appropriate policy, you can also directly assign user to an access package. This article describes how to view, add, and remove assignments for access packages.
 
 ## View who has an assignment
 
@@ -47,6 +47,10 @@ In Azure AD entitlement management, you can see who has been assigned to access
 
 1. To download a CSV file of the filtered list, click **Download**.
 
+### Viewing assignments programmatically
+
+You can also retrieve assignments in an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](https://docs.microsoft.com/graph/api/accesspackageassignment-list?view=graph-rest-beta).
+
 ## Directly assign a user
 
 In some cases, you might want to directly assign specific users to an access package so that users don't have to go through the process of requesting the access package. To directly assign users, the access package must have a policy that allows administrator direct assignments.
@@ -75,6 +79,10 @@ In some cases, you might want to directly assign specific users to an access pac
 
     After a few moments, click **Refresh** to see the users in the Assignments list.
 
+### Directly assigning users programmatically
+
+You can also directly assign a user to an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageAssignmentRequest](https://docs.microsoft.com/graph/api/accesspackageassignmentrequest-post?view=graph-rest-beta).
+
 ## Remove an assignment
 
 **Prerequisite role:** Global administrator, User administrator, Catalog owner, or Access package manager
diff --git a/articles/active-directory/governance/entitlement-management-access-package-create.md b/articles/active-directory/governance/entitlement-management-access-package-create.md
@@ -129,7 +129,18 @@ On the **Review + create** tab, you can review your settings and check for any v
 
     The new access package appears in the list of access packages.
 
+## Creating an access package programmatically
+
+You can also create an access package using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to
+
+1. [List the accessPackageResources in the catalog](https://docs.microsoft.com/graph/api/accesspackagecatalog-list-accesspackageresources?view=graph-rest-beta) and [create an accessPackageResourceRequest](https://docs.microsoft.com/graph/api/accesspackageresourcerequest-post?view=graph-rest-beta) for any resources that are not yet in the catalog.
+1. [List the accessPackageResourceRoles](https://docs.microsoft.com/graph/api/accesspackagecatalog-list-accesspackageresourceroles?view=graph-rest-beta) of each accessPackageResource in an accessPackageCatalog. This list of roles will then be used to select a role, when subsequently creating an accessPackageResourceRoleScope.
+1. [Create an accessPackage](https://docs.microsoft.com/graph/api/accesspackage-post?view=graph-rest-beta).
+1. [Create an accessPackageAssignmentPolicy](https://docs.microsoft.com/graph/api/accesspackageassignmentpolicy-post?view=graph-rest-beta).
+1. [Create an accessPackageResourceRoleScope](https://docs.microsoft.com/graph/api/accesspackage-post-accesspackageresourcerolescopes?view=graph-rest-beta) for each resource role needed in the access package.
+
 ## Next steps
 
 - [Share link to request an access package](entitlement-management-access-package-settings.md)
 - [Change resource roles for an access package](entitlement-management-access-package-resources.md)
+- [Directly assign a user to the access package](entitlement-management-access-package-assignments.md)
diff --git a/articles/active-directory/governance/entitlement-management-catalog-create.md b/articles/active-directory/governance/entitlement-management-catalog-create.md
@@ -49,6 +49,10 @@ A catalog is a container of resources and access packages. You create a catalog
 
 1. Click **Create** to create the catalog.
 
+### Creating a catalog programmatically
+
+You can also create a catalog using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageCatalog](https://docs.microsoft.com/graph/api/accesspackagecatalog-post?view=graph-rest-beta).
+
 ## Add resources to a catalog
 
 To include resources in an access package, the resources must exist in a catalog. The types of resources you can add are groups, applications, and SharePoint Online sites. The groups can be cloud-created Office 365 Groups or cloud-created Azure AD security groups. The applications can be Azure AD enterprise applications, including both SaaS applications and your own applications federated to Azure AD. The sites can be SharePoint Online sites or SharePoint Online site collections.
@@ -75,6 +79,10 @@ To include resources in an access package, the resources must exist in a catalog
 
     These resources can now be included in access packages within the catalog.
 
+### Adding a resource to a catalog programmatically
+
+You can also add a resource to a catalog using Microsoft Graph.  A user in an appropriate role, or a catalog and resource owner, with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [create an accessPackageResourceRequest](https://docs.microsoft.com/graph/api/accesspackageresourcerequest-post?view=graph-rest-beta).
+
 ## Remove resources from a catalog
 
 You can remove resources from a catalog. A resource can only be removed from a catalog if it is not being used in any of the catalog's access packages.
@@ -143,6 +151,10 @@ You can delete a catalog, but only if it does not have any access packages.
 
 1. In the message box that appears, click **Yes**.
 
+### Deleting a catalog programmatically
+
+You can also delete a catalog using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the API to [delete an accessPackageCatalog](https://docs.microsoft.com/graph/api/accesspackagecatalog-delete?view=graph-rest-beta).
+
 ## Next steps
 
 - [Delegate access governance to access package managers](entitlement-management-delegate-managers.md)
diff --git a/articles/active-directory/governance/entitlement-management-delegate-catalog.md b/articles/active-directory/governance/entitlement-management-delegate-catalog.md
@@ -24,7 +24,9 @@ ms.collection: M365-identity-device-management
 
 # Delegate access governance to catalog creators in Azure AD entitlement management
 
-To delegate to users who aren't administrators, so that they can create their own catalogs, you can add those users to the Azure AD entitlement management-defined catalog creator role. You can add individual users, or you can add a group, whose members are then able to create catalogs.
+A catalog is a container of resources and access packages. You create a catalog when you want to group related resources and access packages. By default, a Global administrator or a User administrator can [create a catalog](entitlement-management-catalog-create.md), and can add additional users as catalog owners.
+
+To delegate to users who aren't administrators, so that they can create their own catalogs, you can add those users to the Azure AD entitlement management-defined catalog creator role. You can add individual users, or you can add a group, whose members are then able to create catalogs.  After creating a catalog, they can subsequently add resources they own to their catalog.
 
 ## As an IT administrator, delegate to a catalog creator
 
diff --git a/articles/active-directory/governance/entitlement-management-scenarios.md b/articles/active-directory/governance/entitlement-management-scenarios.md
@@ -149,6 +149,10 @@ There are several ways that you can configure entitlement management for your or
 1. [View access packages for a user](entitlement-management-reports.md#view-access-packages-for-a-user)
 1. [View resource assignments for a user](entitlement-management-reports.md#view-resource-assignments-for-a-user)
 
+## Programmatic administration
+
+You can also manage access packages, catalogs, policies, requests and assignments using Microsoft Graph.  A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission can call the [entitlement management API](https://docs.microsoft.com/graph/api/resources/entitlementmanagement-root?view=graph-rest-beta).
+
 ## Next steps
 
 - [Delegation and roles](entitlement-management-delegate.md)
