Feature Request: Identity.Governance show configured approvers in AssignmentPolicy overview

[BasWassenaar]

Hi! Thanks for the Identity.Governance Module. I have a request.
Our goal
We want to create an overview (.csv-file) where we show the available access packages and who the approvers are.
Possible solution
Option 1
Expand the Get-MgEntitlementManagementAccessPackageAssignmentPolicy command output with the approvers from both stages.
Option 2
Create a separate command to show the approval stage details for a policy.

I hope I didn't miss the command that already does this. :-)

AB#9226

[markwahl-msft]

We haven't yet added a cmdlet to do this but it is in our plan. Perhaps try something like this code sample? Send the output to export-csv...

function Add-SplitOfPolicyColumn($aObj,$addl,$key)
{
    if ($addl.ContainsKey($key) -eq $false) {
        $aObj | Add-Member -MemberType NoteProperty -Name $key -Value ""
    }
}

function Write-SplitPolicyApprover($stageObj,$a,$isEscalation)
{
    $addl = $a.AdditionalProperties

    $aObj = $stageObj.PSObject.Copy()

    $aObj | Add-Member -MemberType NoteProperty -Name isBackup -Value $a.isBackup
    $aObj | Add-Member -MemberType NoteProperty -Name isEscalation -Value $isEscalation

    foreach ($k in $addl.Keys) {
        $aObj | Add-Member -MemberType NoteProperty -Name $k -Value $addl[$k] -Force
    }

    Add-SplitOfPolicyColumn $aObj $addl "id"
    Add-SplitOfPolicyColumn $aObj $addl "description"
    Add-SplitOfPolicyColumn $aObj $addl "managerLevel"
    
    write-output $aObj

}

$apall = get-mgentitlementmanagementaccesspackage -expandproperty accessPackageAssignmentPolicies -all 

foreach ($ap in $apall) {
    foreach ($p in $ap.AccessPackageAssignmentPolicies) {
        if ($p.RequestApprovalSettings) {
            if ($p.RequestApprovalSettings.ApprovalStages) {
                $stageCount = $p.RequestApprovalSettings.ApprovalStages.Count

                $stageNumber = 0
                while ($stageNumber -lt $stageCount) {

                    $thisStage = $p.RequestApprovalSettings.ApprovalStages[$stageNumber]
                    $stageNumber++


                    $stageObj = [pscustomobject]@{
                        accessPackageId = $ap.id
                        policyId = $p.id
                        stageCount = $stageCount
                        stageNumber = $stageNumber
                    }

                    if ($thisStage.PrimaryApprovers) {
                        foreach ($a in $thisStage.PrimaryApprovers) {
                            Write-SplitPolicyApprover $stageObj $a $false
                        }
                    }

                    if ($thisStage.EscalationApprovers) {
                        foreach ($a in $thisStage.EscalationApprovers) {
                            Write-SplitPolicyApprover $stageObj $a $true
                        }
                    }
                }
            }
        }
    }
}

[BasWassenaar]

Thanks Mark, this was really helpful! Do you want me to close this or leave it here for future reference?

[peombwa]

Thanks @markwahl-msft. Can I add this sample to our samples - https://github.com/microsoftgraph/msgraph-sdk-powershell/tree/dev/samples?

@BasWassenaar, we can close this once we've added it to our samples.

[markwahl-msft]

I do not think this should be in samples as the above was an excerpt from a cmdlet that we are waiting to integrate into custom path, once the prerequisites have been addressed in this module.