Making Specific Entitlements Requestable in Bulk Using the PowerShell SDK

There was a post in the discussion and questions category where the OP wanted to only make entitlements with specific attributes be requestable. I figured this could be applied to multiple use cases, so I decided to make a post here about it.

In this case, OP wanted to mark only AD security groups as requestable, ensuring that distribution groups were not marked as requestable.

Another use case one might have with something like the MS Entra ID Connector, which notably does not filter out on-prem sync’d groups. One might want to only make Teams-enabled groups be requestable. All these use cases can be covered with the same basic script.

If you haven’t already, make sure you install and configure the PowerShell SDK

We probably want to make updates to entitlements in a specific source, but you could of course do this across multiple if you wanted, since the list-entitlements API allows filtering on multiple sources (source.id eq (“sourceid1”,“sourceid2”))

First, we need to get the source Id with the entitlements we’d like to update. In this case, my source is called Active Directory

$source_id = (get-sources -filters 'name eq "Active Directory"').id

Next, we need to get all the relevant entitlements to update. We are filtering on the client side for the specific attributes of the entitlements, which will vary on your use case. Here, for example, is filtering for security groups in an Active Directory Source

$security_groups = Invoke-Paginate -function "Get-BetaEntitlements" -increment 250 -limit 10000 -initialoffset 0 -parameters @{"Filters"= "source.id eq `"$($source_id)`""} | where-object {$_.attributes.GroupType -eq "Security"}

If instead you want to pull only Teams groups from an Entra ID source, you’d simply change your where clause at the end

$security_groups = Invoke-Paginate -function "Get-BetaEntitlements" -increment 250 -limit 10000 -initialoffset 0 -parameters @{"Filters"= "source.id eq `"$($source_id)`""} | where-object {$_.attributes.teamsEnabled -eq $true}

Since the update-entitlements-in-bulk API endpoint has a limit of 50, we’re going to do an old fashioned loop action. First, we need to build the patch body, which will be the same for each entitlement

$patch_operation = Initialize-JsonPatchOperation -Op "add" -Path "/requestable" -Value $true

And now our loop

foreach($security_group in $security_groups){
    Update-BetaEntitlement -Id $security_group.id -JsonPatchOperation $patch_operation
}

Ok, let’s put it all together

$source_id = (get-sources -filters 'name eq "Active Directory"').id
$security_groups = Invoke-Paginate -function "Get-BetaEntitlements" -increment 250 -limit 10000 -initialoffset 0 -parameters @{"Filters"= "source.id eq `"$($source_id)`""} | where-object {$_.attributes.GroupType -eq "Security"}

$patch_operation = Initialize-JsonPatchOperation -Op "add" -Path "/requestable" -Value $true

foreach($security_group in $security_groups){
    Update-BetaEntitlement -Id $security_group.id -JsonPatchOperation $patch_operation
}
1 Like