
Access Package Endpoint doesn't seem to be working


I am currently trying to implement access packages with a ServiceNow request. The whole workflow should be as follows: Access Package gets created > AP gets approved > Logic App triggers on approved status and sends the data to SNOW > Request is opened in SNOW > Once the request is completed in SNOW, a POST request is sent to Azure to complete the access package. I've been following this article: https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-ticketed-provisioning#requesting-access-to-an-access-package-as-an-end-user.

However, I have been getting Bad request when I try to ping the endpoint. At first, I thought the issue was from SNOW not being able to map the correct ID, however I tested the POST in Postman and I still get the BadRequest error:


The endpoint has a variable in it; I took it from the article: https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/${AccessPackageAssignmentRequestId}/resume and the HTTP body is:

{
    "data": {
        "@odata.type": "#microsoft.graph.accessPackageAssignmentRequestCallbackData",
        "customExtensionStageInstanceDetail": "Resuming-Assignment for user",
        "customExtensionStageInstanceId": "${StageInstanceId}",
        "stage": "${Stage}"
    },
    "source": "ServiceNow",
    "type": "microsoft.graph.accessPackageCustomExtensionStage.${Stage}"
}

Output:

{
    "error": {
        "code": "BadRequest",
        "message": "Resource not found for the segment 'accessPackageAssignmentRequests'.",
        "innerError": {
            "date": "2024-04-17T07:51:11",
            "request-id": "2662a872-1251-4889-96c2-c8fd4220c24b",
            "client-request-id": "2662a872-1251-4889-96c2-c8fd4220c24b"
        }
    }
}

It seems that the endpoint is not correct, as I tried directly inputting the IDs into the body and endpoint but I get the same result. Any ideas?

I tried using the IDs directly into the body and endpoint but I still got the same issue.


Solution

  • We managed to fix the issue with Microsoft Support. It appears that the endpoint is wrong. It should be:

    https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/AssignmentRequests/${AccessPackageAssignmentRequestId}/resume
    

    Also, it wasn't mentioned in the article that my API needs the EntitlementManagement.ReadWrite.All permission.

    Lastly, I needed to change the Content-Type in the REST message in ServiceNow to application/json.
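
A preflight for the resume call, as an added example that is not part of the original post or the Microsoft article: it uses the endpoint, permission and Content-Type given in the answer above, and refuses to build the request if a `${...}` placeholder is still unresolved or the token does not carry the permission. The function names and the unsigned sample token helper are constructed for illustration.

```python
import base64
import json
import re
import urllib.request

# Endpoint and permission exactly as given in the answer above.
RESUME_URL = ("https://graph.microsoft.com/v1.0/identityGovernance/"
              "entitlementManagement/AssignmentRequests/{request_id}/resume")
REQUIRED_PERMISSION = "EntitlementManagement.ReadWrite.All"
UNRESOLVED = re.compile(r"\$\{[^}]*\}")  # template variable that was never filled in


def token_permissions(token):
    """Read roles (app-only) and scp (delegated) from a JWT, unverified: diagnostics only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())


def build_resume_request(request_id, stage_instance_id, stage, token):
    """Return a ready-to-send urllib Request, or raise ValueError on a preflight failure."""
    fields = {"request_id": request_id, "stage_instance_id": stage_instance_id, "stage": stage}
    for name, value in fields.items():
        if not value or UNRESOLVED.search(value):
            raise ValueError(f"{name} is empty or still a placeholder: {value!r}")
    if REQUIRED_PERMISSION not in token_permissions(token):
        raise ValueError(f"token lacks {REQUIRED_PERMISSION}")
    body = {
        "data": {
            "@odata.type": "#microsoft.graph.accessPackageAssignmentRequestCallbackData",
            "customExtensionStageInstanceDetail": "Resuming-Assignment for user",
            "customExtensionStageInstanceId": stage_instance_id,
            "stage": stage,
        },
        "source": "ServiceNow",
        "type": f"microsoft.graph.accessPackageCustomExtensionStage.{stage}",
    }
    return urllib.request.Request(
        RESUME_URL.format(request_id=request_id),
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")


def fake_token(claims):
    """Constructed, unsigned sample token for offline use; not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

Pass the returned object to `urllib.request.urlopen` to send it; Microsoft Graph still performs the authoritative token validation, so the local claim check only catches a missing grant before the round trip.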