search
DownloadsPricingRequest a trial

Set-AmsComputerAuthorizationRule

hashtag
SYNOPSIS

Sets the properties of an AMS authorization rule

hashtag
SYNTAX

hashtag
None (Default)

Set-AmsComputerAuthorizationRule -Id <String> [-JitGroupName <String>] [-JitMaximumAccessDuration <TimeSpan>]
 [-JitAllowExtension] [-LapsMaximumAccessDuration <TimeSpan>] [-LapsAllowExtension] [-Description <String>]
 [-RuleExpiryDate <DateTime>] [-Disable] [-Enable] [-Notes <String>]
 [-UserRequestReasonRequirement <AuditReasonFieldState>] [-NotificationChannelsSuccess <String[]>]
 [-NotificationChannelsFailure <String[]>] [<CommonParameters>]

hashtag
Set the rule target to an Azure AD tenant

Set-AmsComputerAuthorizationRule -Id <String> -AadTenantId <String> [-JitGroupName <String>]
 [-JitMaximumAccessDuration <TimeSpan>] [-JitAllowExtension] [-LapsMaximumAccessDuration <TimeSpan>]
 [-LapsAllowExtension] [-Description <String>] [-RuleExpiryDate <DateTime>] [-Disable] [-Enable]
 [-Notes <String>] [-UserRequestReasonRequirement <AuditReasonFieldState>]
 [-NotificationChannelsSuccess <String[]>] [-NotificationChannelsFailure <String[]>] [<CommonParameters>]

hashtag
Set the rule target to an Azure AD group

hashtag
Set the rule target to an Azure AD computer

hashtag
Set the rule target to an AD computer

hashtag
Set the rule target to an AD group

hashtag
Set the rule target to an AD container

hashtag
Set the rule target to an AMS computer

hashtag
Set the rule target to an AMS group

hashtag
Modify the rule ACL

hashtag
Modify the rule authorization script

hashtag
DESCRIPTION

This cmdlet allows you to modify the properties of an authorization rule, such as updating the target of the rule, adding and removing authorized users, and configuring LAPS and JIT settings.

hashtag
EXAMPLES

hashtag
Example 1

Adds the specified principal to the list of allowed JIT users

hashtag
Example 2

Updates the rule to use the specified authorization script

hashtag
Example 3

Targets the rule to the AccountingServers AD group

hashtag
PARAMETERS

hashtag
-AadComputerId

The object ID of an Azure AD computer

hashtag
-AadGroupId

The object ID of an Azure AD group

hashtag
-AadTenantId

The tenant ID of a registered Azure AD tenant

hashtag
-AdComputer

The fully qualified name or SID of an Active Directory computer

hashtag
-AdContainer

The DN of an Active Directory container object such as an organizational unit

hashtag
-AdGroup

The fully qualified name or SID of an Active Directory group

hashtag
-AddPrincipalsAllowedBitLocker

Principals to add to the allow BitLocker access list

hashtag
-AddPrincipalsAllowedJit

Principals to add to the allow JIT access list

hashtag
-AddPrincipalsAllowedLaps

Principals to add to the allow LAPS access list

hashtag
-AddPrincipalsAllowedLapsHistory

Principals to add to the allow LAPS history access list

hashtag
-AddPrincipalsDeniedBitLocker

Principals to add to the deny BitLocker access list

hashtag
-AddPrincipalsDeniedJit

Principals to add to the deny JIT access list

hashtag
-AddPrincipalsDeniedLaps

Principals to add to the deny LAPS access list

hashtag
-AddPrincipalsDeniedLapsHistory

Principals to add to the deny LAPS history access list

hashtag
-AmsComputerId

The object ID of an AMS-registered computer

hashtag
-AmsGroupId

The SID of an AMS group

hashtag
-AuthorizationScriptPath

The path to the authorization script to import

hashtag
-Description

A description of the rule

hashtag
-Disable

Indicates if the rule should be disabled

hashtag
-Enable

Indicates if the rule should be enabled

hashtag
-Id

The unique ID of the rule

hashtag
-JitAllowExtension

Specifies if the user is allowed to extend their JIT access request before it expires

hashtag
-JitGroupName

The name of the group that users will be added to when granted access to this role

hashtag
-JitMaximumAccessDuration

The maximum amount of time the user can request access to this computer via JIT

hashtag
-LapsAllowExtension

Specifies if the user is allowed to extend their LAPS access request before it expires

hashtag
-LapsMaximumAccessDuration

The maximum amount of time the user can request access to this computer's LAPS password before it is changed

hashtag
-Notes

A custom field to store notes

hashtag
-NotificationChannelsFailure

A list of channel IDs or names that should be notified when a user is denied access by this rule

hashtag
-NotificationChannelsSuccess

A list of channel IDs or names that should be notified when a user is granted access by this rule

hashtag
-RemovePrincipalsAllowedBitLocker

Principals to remove from the allow BitLocker access list

hashtag
-RemovePrincipalsAllowedJit

Principals to remove from the allow JIT access list

hashtag
-RemovePrincipalsAllowedLaps

Principals to remove from the allow LAPS access list

hashtag
-RemovePrincipalsAllowedLapsHistory

Principals to remove from the allow LAPS history access list

hashtag
-RemovePrincipalsDeniedBitLocker

Principals to remove from the deny BitLocker access list

hashtag
-RemovePrincipalsDeniedJit

Principals to remove from the deny JIT access list

hashtag
-RemovePrincipalsDeniedLaps

Principals to remove from the deny LAPS access list

hashtag
-RemovePrincipalsDeniedLapsHistory

Principals to remove from the deny LAPS history access list

hashtag
-RuleExpiryDate

A date and time when this rule will expire, expressed in local time

hashtag
-UserRequestReasonRequirement

Specifies if the user must provide a reason for the request, if they can optionally provide a reason, or are not prompted at all for a reason

hashtag
CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParametersarrow-up-right.

hashtag
INPUTS

hashtag
System.String

hashtag
OUTPUTS

hashtag
Lithnet.AccessManager.PowerShell.ComputerAuthorizationRulePSObject

hashtag
NOTES

Use of this cmdlet requires an Enterprise Edition license.

hashtag
RELATED LINKS

PreviousSet-AmsActiveDirectoryJitOptionsNextSet-AmsDevice

Last updated

Was this helpful?