# Identity - List access packages

<table align="left">
    <tr>
        <th>Permission type</th>
        <th>Permissions (from least to most privileged)</th>
    <tr align="center">
        <td>Delegated (work or school account)</td>
        <td>EntitlementManagement.Read.All, EntitlementManagement.ReadWrite.All</td>
    </tr>
    <tr align="center">
        <td>Delegated (personal Microsoft Account)</td>
        <td>Not Supported</td>
    </tr>
    <tr align="center">
        <td>Application</td>
        <td>Not Supported</td>
</table>

## Initialize variables
Required Variables

In [17]:
$config = @{
    tenantDomain = "domain.com"
    tenantID = "xxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxx"          ## Azure AD Tenant ID
    appID = "xxxxxx-23af-4ae5-a6ed-xxxxxx"                   ## Usually known as Client ID or Application ID            ## This is the secretKey. Important only authorized users have this 
    resourceURI = "https://graph.microsoft.com"   ## This is the resource endpoint for MDATP
}

## Import variables

In [6]:
$credentialPath = ".\graph.credential"

if (!$config) {  ## Checks to see if config file exist and if not export credential file from above.
    Try {
        $config = (Import-CliXml -Path $credentialPath)
        Write-Host -Foreground Green "Imported credentials from $credentialPath"
    } catch {
        Write-Host -foreground yellow "`nNo Credential found or in memory or stored in $credentialPath.`nPlease provide credentials in cell (1) or specify path in $credentialpath"
    }
} else {
    Write-host "New Credentials provided in Cell (1) instead of importing credentials. `nStore credentials in $credentialPath (Y or N)" -ForegroundColor Yellow 
        $Readhost = Read-Host " ( Y / N ) " 
        Switch ($ReadHost) 
         { 
           Y {Write-host "Storing credentials"; $config | Export-CliXml -Path $storagePath} 
           N {Write-Host "Okay, I wont store the credentials"; $PublishSettings=$false} 
           Default {Write-Host "No action taken"; $PublishSettings=$false} 
         } 
}

[93mNew Credentials provided in Cell (1) instead of importing credentials. 
Store credentials in .\graph.credential (Y or N)[0m


 ( Y / N ) :  N


Okay, I wont store the credentials


## Check Variables

In [11]:
$config.authUrl = "https://login.microsoftonline.com/$($config.tenantDomain)";
Write-Host -ForeGroundColor Yellow "`nAuthentication Parameters that will be used"
Write-Host "Resource URL: $($config.resourceURI)"
Write-Host "Client APP ID: $($config.appID)"
Write-Host "AuthUrl: $($config.authUrl)"

[93m
Authentication Parameters that will be used[0m
Resource URL: https://graph.microsoft.com/
Client APP ID: ae4fa870-23af-4ae5-a6ed-5ab1811858c7
AuthUrl: https://login.microsoftonline.com/jingtoso.com


## Import Graph Authentication module to authenticate by Device Code
##### We will be importing the Device Code Authentication Module. To learn about this module go to notebook [here](https://demoloaderpowershellnotebook-skyserver.msappproxy.net/lab/tree/Graph-API/Authentication%20-%20Rest%20API%20-%20Device%20Code.ipynb)

In [13]:
Import-Module ".\modules\GraphAuthentication.psm1" -Force  ## Imports the module
#Get-Command -Module "GraphAuthentication"                  ## Shows what commands were imported

$tokenResponse = Invoke-GraphAuthenticateDeviceCode -clientAppId $config.appID -tenantDomain $config.tenantDomain

Authentication Parameters
Service Root URL: https://graph.microsoft.com//jingtoso.com
Authentication URL: https://login.microsoftonline.com/jingtoso.com
Resource URL: https://graph.microsoft.com/
Powershell Redirect URL: urn:ietf:wg:oauth:2.0:oob
Client APP ID: ae4fa870-23af-4ae5-a6ed-5ab1811858c7
Tenant Domain: jingtoso.com

 To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code EGJX6C8ZJ to authenticate. 
Double click this code and CTRL-V to copy: [91mEGJX6C8ZJ [0m
[93m
Waiting for code[0m
[92m
Received Token![0m
[92mConnected and Access Token received and will expire 1592342109[0m


## Make your Request Parameters for Graph Rest Call

In [14]:
## Request Parameters
$URI = "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages" ## URL of what resource to query on Graph API
$authHeader = @{ 
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $($tokenResponse.access_token)" 
}

Write-Host "`nURI:",$URI
Write-Host "AUth Header:", ($authHeader | ConvertTo-JSON)


URI: https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages
AUth Header: {
  "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkhrQzlMMW1rQ19GS3h4aUFydlIzaTh6cnYxVzBDLTA4eGIwaEdlVmtzcWMiLCJhbGciOiJSUzI1NiIsIng1dCI6IlNzWnNCTmhaY0YzUTlTNHRycFFCVEJ5TlJSSSIsImtpZCI6IlNzWnNCTmhaY0YzUTlTNHRycFFCVEJ5TlJSSSJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20vIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvZGU0MGNmN2UtYWQ1Zi00MjQ1LWEzMTctMTRiZTM5Y2JiMGVmLyIsImlhdCI6MTU5MjMzODIwOSwibmJmIjoxNTkyMzM4MjA5LCJleHAiOjE1OTIzNDIxMDksImFjY3QiOjAsImFjciI6IjEiLCJhaW8iOiJBVVFBdS84UEFBQUFGZ0hiVEd3bElLMElsWWZpZTdmcEhiZHZlS3Y1eSt4Wit2MW9vN25JbTFyYnI3WnBQWjY1OFpvcVhnbkdnK3VyZnNiRER6YnBmYVdTNUJjM1U4bW5xUT09IiwiYW1yIjpbInB3ZCIsIm1mYSJdLCJhcHBfZGlzcGxheW5hbWUiOiJEZW1vLUxvYWRlciBSZWFkT25seUFjY2VzcyIsImFwcGlkIjoiYWU0ZmE4NzAtMjNhZi00YWU1LWE2ZWQtNWFiMTgxMTg1OGM3IiwiYXBwaWRhY3IiOiIwIiwiZ2l2ZW5fbmFtZSI6IkppbmciLCJpcGFkZHIiOiIzNS4xOTQuMzQuMTUyIiwibmFtZSI6IkppbmciLCJvaWQiOiI0Y2RiNDJmNy1hZT

## Call Graph API for list of access packages
Calling the url ```https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages```

In [18]:
$Result = (Invoke-RestMethod -Method Get -Uri $URI -Headers $authHeader -ErrorAction Stop)

Write-Host -ForeGroundColor Cyan "`nHere is an example of one retrieved access package"
$Result.value | Select-Object -First 1 | FL  ## This will take the results and limit it to 1 item.

[96m
Here is an example of one retrieved access package[0m

id                  : e1c1bc0a-bf98-4370-97bb-752f00bac575
catalogId           : 11bb3d92-8dac-4d66-9d7e-15c68fd9c7e7
displayName         : Demo-Loader Access Package
description         : This is to gain access to the Demo-Loader Access Package with web apps for 
                      Microsoft FTE to use. 
isHidden            : False
isRoleScopesVisible : False
createdBy           : jing@skyserver.cc
createdDateTime     : 6/5/2020 6:13:44 PM
modifiedBy          : jing@skyserver.cc
modifiedDateTime    : 6/5/2020 6:13:44 PM




## Parse Results

In [35]:
#query Graph API and insert into $graphresponse variable
$filterObjects = @('displayName','id','catalogId','description')
$Result = (Invoke-RestMethod -Method Get -Uri $URI -Headers $authHeader -ErrorAction Stop)
$Result.value | Select-Object -Property $filterObjects


displayName                id                                   catalogId
-----------                --                                   ---------                          
Demo-Loader Access Package e1c1bc0a-bf98-4370-97bb-752f00bac575 11bb3d92-8dac-4d66-9d7e-15c68fd9c7…
Skyserver.cc               36efa2d9-939b-46c3-afcb-d13cd77323d7 9c7a2ba0-5c7f-4b7e-8f3f-e087d7ab4b…



In [39]:
$endpoint = "$($config.resourceURI)/beta/identityGovernance/entitlementManagement/accessPackages/e1c1bc0a-bf98-4370-97bb-752f00bac575"; $endPoint
$Response = (Invoke-RestMethod -Method Get -Uri $endpoint -Headers $authHeader -ErrorAction Stop)

https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackages/e1c1bc0a-bf98-4370-97bb-752f00bac575


In [40]:
$Response


@odata.context      : https://graph.microsoft.com/beta/$metadata#accessPackages/$entity
id                  : e1c1bc0a-bf98-4370-97bb-752f00bac575
catalogId           : 11bb3d92-8dac-4d66-9d7e-15c68fd9c7e7
displayName         : Demo-Loader Access Package
description         : This is to gain access to the Demo-Loader Access Package with web apps for 
                      Microsoft FTE to use. 
isHidden            : False
isRoleScopesVisible : False
createdBy           : jing@skyserver.cc
createdDateTime     : 6/5/2020 6:13:44 PM
modifiedBy          : jing@skyserver.cc
modifiedDateTime    : 6/5/2020 6:13:44 PM


