
I'm new to Stack Overflow, so if you have any feedback please let me know! I have created a PowerShell script to set eligible role assignments at Resource Groups by using the Microsoft (beta) Graph API for PIM. I use Invoke-RestMethod to call the API like this:

$queryApiUri = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources/$ResourceID/roleAssignments"
$Headers = @{}
# The Authorization header is "<token_type> <access_token>" separated by a single space
# (e.g. "Bearer eyJ..."); the original concatenation produced a double space.
$Headers.Add("Authorization", "$($Token.token_type) $($Token.access_token)")
$query = Invoke-RestMethod -Method Get -Uri $queryApiUri -Headers $Headers

This works fine, but people and admins go crazy over all the emails that are sent as notifications when activating roles. Notifications are sent at creation and activation time and when approvers are needed. It is possible to set Notifications to 'Critical emails only' in the portal by hand, to eliminate email flooding. Does someone know if it is possible to do this by using the Graph API?

  • Hi, do you have a chance to look into my answer? If there is any further question please let me know. – Allen Wu Jun 18 '20 at 09:17
  • Hi Allen, yes it took a while to figure it all out, but this was definitely helpful. If I strip the JSON return (F12 in the browser) I find what I was looking for. Also helpful to check other changes like ExpirationRule settings. Thank you so much!! – Bas Janssen Jun 26 '20 at 06:05

1 Answer


When we modify 'Critical emails only' in the portal and then try to get the governanceRoleSetting, we will see that there is no change in the result.

Obviously Microsoft Graph hasn't exposed the method to update 'Critical emails only'.

But in fact, we can make it via Microsoft Graph. Here I'll share my steps. Please note it's not mentioned in Microsoft Graph document. It's just for your reference.

Take subscription owner role as the example.

Open the edit role setting page of subscription owner in the browser and press F12 to open the developer tools. Click on Update. Then we will see a request named 'roleSettingsv2'. (It is not the Microsoft Graph API.)


Looking into the response, we will find such a 'NotificationRule' in it.

{
    "ruleIdentifier": "NotificationRule",
    "setting": "{\"policies\":[{\"deliveryMechanism\":\"email\",\"setting\":[{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":2},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":0},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":1}]}]}"
}

It is missing in the Microsoft Graph API.

So we just need to update this 'NotificationRule' in Microsoft Graph using Update governanceRoleSetting.

For example:

PATCH https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleSettings/b12d879d-e521-4b0b-971c-7a2b6ac979ba

{
    "adminEligibleSettings": [{
            "ruleIdentifier": "ExpirationRule",
            "setting": "{\"permanentAssignment\":false,\"maximumGrantPeriodInMinutes\":525600}"
        }, {
            "ruleIdentifier": "MfaRule",
            "setting": "{\"mfaRequired\":false}"
        }, {
            "ruleIdentifier": "NotificationRule",
            "setting": "{\"policies\":[{\"deliveryMechanism\":\"email\",\"setting\":[{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":2},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":0},{\"customreceivers\":null,\"isdefaultreceiverenabled\":true,\"notificationlevel\":2,\"recipienttype\":1}]}]}"
        }
    ]
}

You should set the value for notificationlevel.

Please note that \"notificationlevel\":2 sets 'Critical emails only' to False and \"notificationlevel\":1 sets it to True.

Allen Wu
  • Fantastic! Could you also add what recipienttype values 0/1/2 correspond to? – Hardoman Jul 22 '21 at 20:13
  • OK, I have found the missing details myself in case someone needs them: **"caller":"Admin","operation":"ALL","level":"Eligible"** -> send notifications when members are assigned as eligible **"caller":"Admin","operation":"ALL","level":"Member"** -> send notifications when members are assigned as active **"caller":"EndUser","operation":"ALL","level":"Member"** -> send notifications when members activate role; **\"recipienttype\":2** -> Admin **\"recipienttype\":0** -> Assignee **\"recipienttype\":1** -> Approver – Hardoman Jul 23 '21 at 09:33
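Putting the question's GET call and the answer's PATCH together, here is an added PowerShell example that is not code from the question, the answer, or Microsoft. It reads a governanceRoleSetting, rewrites the notificationlevel inside its NotificationRule (1 = 'Critical emails only', 2 = all emails, the values the answer observed), and PATCHes the result back so the other rules (ExpirationRule, MfaRule) are preserved rather than re-typed. It assumes $Token has the token_type/access_token shape from the question, $RoleSettingId is a placeholder for the role setting id you want to change, and that the beta governanceRoleSetting resource exposes adminEligibleSettings, adminMemberSettings and userMemberSettings collections; the endpoint itself is the undocumented beta behaviour the answer describes and may change.

```powershell
# Added example (not from the question or answer): set 'Critical emails only'
# on a PIM Azure-resource role setting through the beta Graph API.
# Assumes $Token (token_type / access_token) was obtained as in the question.
param(
    [Parameter(Mandatory)] [string] $RoleSettingId,   # placeholder: governanceRoleSetting id
    [Parameter(Mandatory)] [object] $Token,
    # 1 = 'Critical emails only' on, 2 = all emails (values as observed in the answer)
    [ValidateSet(1, 2)] [int] $NotificationLevel = 1
)

$base    = "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleSettings/$RoleSettingId"
$headers = @{ Authorization = "$($Token.token_type) $($Token.access_token)" }

# Rewrites notificationlevel for every recipient entry of every email policy in a
# NotificationRule. The 'setting' property is JSON *inside* a JSON string, so it
# must be parsed, edited and re-serialized; editing only the outer object does nothing.
function Set-NotificationLevel {
    param([object[]] $Rules, [int] $Level)
    foreach ($rule in $Rules) {
        if ($rule.ruleIdentifier -ne 'NotificationRule') { continue }
        $inner = $rule.setting | ConvertFrom-Json
        foreach ($policy in $inner.policies) {
            foreach ($entry in $policy.setting) {
                $entry.notificationlevel = $Level
            }
        }
        $rule.setting = $inner | ConvertTo-Json -Depth 10 -Compress
    }
    return ,$Rules   # keep the array shape even for a single rule
}

# 1. Read the current setting so ExpirationRule, MfaRule, etc. are carried over unchanged.
$current = Invoke-RestMethod -Method Get -Uri $base -Headers $headers

# 2. Update the NotificationRule in each settings collection the response carries
#    (collection names assumed from the beta governanceRoleSetting resource).
$body = @{}
foreach ($name in 'adminEligibleSettings', 'adminMemberSettings', 'userMemberSettings') {
    if ($null -ne $current.$name) {
        $body[$name] = @(Set-NotificationLevel -Rules $current.$name -Level $NotificationLevel)
    }
}

# 3. Write it back (Update governanceRoleSetting); only the settings collections are sent.
Invoke-RestMethod -Method Patch -Uri $base -Headers $headers `
    -ContentType 'application/json' -Body ($body | ConvertTo-Json -Depth 10)
```

Run it as `.\Set-PimNotificationLevel.ps1 -RoleSettingId <id> -Token $Token -NotificationLevel 1` and re-GET the role setting afterwards: the change only "took" if the NotificationRule's setting string now shows notificationlevel 1, since, as the answer notes, the portal toggle and this field do not round-trip through the documented properties. Lowering the level also reduces who is told about activations, so keep reviewing the PIM audit history for activations that no longer generate mail.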