Description
Using the SDK, Entitlement Management catalog resources are created without role properties. The role properties are mandatory for adding the group/role to an access package.
Example of a group newly added to a catalog via "New-MgEntitlementManagementResourceRequest", showing an empty Roles property:
```
$a = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId
$a | fl

Attributes           : {}
CreatedDateTime      : 6/19/2024 11:14:19 PM
Description          : For Development of AP automation only, then can be deleted.
DisplayName          : AzureIAM-DEV_Group
Environment          : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAccessPackageResourceEnvironment
Id                   : c15b9b94-fdc3-414c-a818-dcdca81cc05d
ModifiedDateTime     :
OriginId             : 3acf4b9f-5601-4eed-8f40-180aa9282f82
OriginSystem         : AadGroup
Roles                :
Scopes               : {e0b1d2cb-0774-4272-a27e-ee2a6d825f74}
AdditionalProperties : {[[email protected], https://graph.microsoft.com/v1.0/$metadata#identityGovernance/entitlementManagement/catalogs('d1d12211-49c5-4a14-9ad0-b2eb2b441363')/resources('c15b9b94-fdc3-414c-a818-dcdca81cc05d')/scopes]}
```
The Graph API documentation for the "accessPackageResourceRole resource type" states the following:
"In Microsoft Entra entitlement management, an access package resource role is a reference to a role defined in a resource. These roles are automatically present after a resource is added to an access package catalog. A group can have two roles, one for the owner and another for the member."
As a result, the catalog group cannot be added to an access package via New-MgEntitlementManagementAccessPackageResourceRoleScope, because there is no resource role ID to reference.
SDK documentation for the resource role scope call:
https://learn.microsoft.com/en-us/graph/api/accesspackage-post-resourcerolescopes?view=graph-rest-1.0&preserve-view=true&tabs=powershell
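The following is an added example, not code from the report above or from the SDK project. It shows the check a practitioner would run before calling New-MgEntitlementManagementAccessPackageResourceRoleScope: instead of reading the Roles property of the catalog resource, it queries the catalog's resourceRoles relationship (Get-MgEntitlementManagementCatalogResourceRole) for the group's Member role and stops with a clear error when no role comes back, which is the failure mode this issue describes. It assumes the Microsoft.Graph.Identity.Governance module, an authenticated session with EntitlementManagement.ReadWrite.All, and that the catalog ID, group object ID and access package ID are supplied by the reader (the placeholder values are not taken from the report). The request body shape follows the linked SDK documentation page.

```powershell
# Added example (not from the original report). Assumes Microsoft.Graph.Identity.Governance
# is installed and Connect-MgGraph has already been run with EntitlementManagement.ReadWrite.All.
Import-Module Microsoft.Graph.Identity.Governance

# Placeholders supplied by the reader; these are not the IDs shown in the report.
$catalogId       = '<catalog-id>'
$groupObjectId   = '<group-object-id>'      # Entra group already added to the catalog
$accessPackageId = '<access-package-id>'

# 1. Locate the catalog resource that wraps the group (OriginId is the group's object id).
$resource = Get-MgEntitlementManagementCatalogResource -AccessPackageCatalogId $catalogId `
    -Filter "originSystem eq 'AadGroup' and originId eq '$groupObjectId'"
if (-not $resource) {
    throw "Group $groupObjectId has not been added to catalog $catalogId."
}

# 2. Look the roles up through the catalog's resourceRoles relationship rather than the
#    Roles property of the resource object (which is empty in the report). Per the Graph
#    docs a group should expose a Member and an Owner role here.
$roles = Get-MgEntitlementManagementCatalogResourceRole -AccessPackageCatalogId $catalogId `
    -Filter "originSystem eq 'AadGroup' and resource/id eq '$($resource.Id)'" `
    -ExpandProperty 'resource'

$memberRole = $roles | Where-Object { $_.DisplayName -eq 'Member' }
if (-not $memberRole) {
    # Fail here with a readable message instead of letting the role scope call fail later
    # with a missing resource role ID.
    $found = if ($roles) { $roles.DisplayName -join ', ' } else { '(none)' }
    throw "No 'Member' role returned for catalog resource $($resource.Id); roles found: $found"
}

# 3. Add the group's Member role to the access package. Body shape follows the
#    accesspackage-post-resourcerolescopes documentation for a group resource.
$params = @{
    role = @{
        originId     = $memberRole.OriginId
        displayName  = $memberRole.DisplayName
        originSystem = $memberRole.OriginSystem
        resource     = @{ id = $resource.Id }
    }
    scope = @{
        originId     = $resource.OriginId      # the group's object id
        originSystem = $resource.OriginSystem  # 'AadGroup'
    }
}

New-MgEntitlementManagementAccessPackageResourceRoleScope -AccessPackageId $accessPackageId `
    -BodyParameter $params
```

If step 2 returns nothing for a group that Get-MgEntitlementManagementCatalogResource does list, that reproduces the condition reported above; the thrown message includes the resource ID and any roles that were returned so the state can be attached to a bug report.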