
Profile JSON Reference

JSON Syntax for /Profile endpoints.

Profile

The Profile defines a set of modifications for governed objects.

{
// Profile ID
"id": "string",

// Profile restrictions to restrict usage to certain objects
"restrictions": #Profile.restrictions,

// List of rules to apply when the profile is added to an object
"addRules": [ #ProfileRule, ... ],

// List of rules to apply when the profile is removed from an object
"removeRules": [ #ProfileRule, ... ],

// Is the profile assignable via ChangeRequests?
"availableForChangeRequests": true | false
}

Profile.restrictions

The restrictions define which kinds of objects the profile is applicable to.

{
"restrictions": {
// You can specify either: allowedSchemas OR allowedObjectTypes OR allowedConfigurationTypes.

// a list of schemas: the profile is applicable only to objects with one of those schemas
"allowedSchemas": [ #Schema.id, ... ],

// a list of object types: the profile is applicable to objects with one of those object types
"allowedObjectTypes": [ #ObjectType.id, ... ],

// a list of configuration types: the profile is applicable to objects with one of those configuration types
"allowedConfigurationTypes": [ #ConfigurationType.id, ... ]
}
}

allowedSchemas

To restrict profile usage to certain schemas, list their Schema.Id values in allowedSchemas.

Schemas in allowedSchemas must be referenced by their Schema.Id.

{
"id": ...,
"restrictions": {
"allowedSchemas": [ "SchemaId1", "SchemaId2", ... ]
},
...
}

allowedObjectTypes

To restrict profile usage to certain object types, list their ObjectType.Id values in allowedObjectTypes.

{
"id": ...,
"restrictions": {
"allowedObjectTypes": [ "ObjectTypeId1", "ObjectTypeId2", ... ]
},
...
}

allowedConfigurationTypes

To restrict profile usage to certain configuration types, list their ConfigurationType.Id values in allowedConfigurationTypes.

{
"id": ...,
"restrictions": {
"allowedConfigurationTypes": [ "ConfigurationTypeId1", "ConfigurationTypeId2", ... ]
}
}

Profile Rules

Profile rules can be used in the Profile.addRules and Profile.removeRules sections.

addRules

addRules are applied when the profile is being added to an object.

{
"id": ...,
"restrictions": { ... },
"addRules": [
{
// Rule type
"type": "DefineChild" | "DefineSelf" | "AddProfiles" | "RemoveProfiles",

// Schema, needed for "DefineChild"
"schema": #Schema.id,

// Lifecycle for the object
"lifecycle": "Apply" | "Destroy" | "Ignore" | ...,

// Property Setters
"properties": #ProfileRule.properties,

// List of profiles
"profiles": [ #Profile.id, ... ],

// Child rules
"childRules": [ #Profile.rule ]
}, ...
],
"removeRules": [ ... ]
}

removeRules

removeRules are applied when the profile is being removed from an object.

{
"id": ...,
"restrictions": { ... },
"addRules": [ ... ],
"removeRules": [
{
// Rule type
"type": "DefineChild" | "DefineSelf" | "AddProfiles" | "RemoveProfiles",

// Schema, needed for "DefineChild"
"schema": #Schema.id,

// Lifecycle for the object
"lifecycle": "Apply" | "Destroy" | "Ignore" | ...,

// Property Setters
"properties": #ProfileRule.properties,

// List of profiles
"profiles": [ #Profile.id, ... ],

// Child rules
"childRules": [ #Profile.rule ]
}, ...
]
}

type="DefineChild"

Define a child object and attach it to the context object.

{
// Define a child object
"type": "DefineChild",
// ... with schema "UserMailbox"
"schema": "UserMailbox",
// ... with lifecycle set to "Ignore"
"lifecycle": "Ignore",
"properties": [
{
// ... set ExoMailbox.Alias = ParentObject.AzureADUser.mailNickname
"type": "Inherit",
"field": "ExoMailbox.Alias",
"value": "AzureADUser.mailNickname"
},
{
// ... set ExoMailbox.DisplayName = ParentObject.AzureADUser.displayName
"type": "Inherit",
"field": "ExoMailbox.DisplayName",
"value": "AzureADUser.displayName"
},
{
// ... set ExoMailbox.UserPrincipalName = ParentObject.AzureADUser.userPrincipalName
"type": "Inherit",
"field": "ExoMailbox.UserPrincipalName",
"value": "AzureADUser.userPrincipalName"
},
{
// ... set ExoMailbox.PrimarySmtpAddress = ParentObject.AzureADUser.mail
"type": "Inherit",
"field": "ExoMailbox.PrimarySmtpAddress",
"value": "AzureADUser.mail"
}
],

// ... add "CompanyMailbox" Profile
"profiles": ["CompanyMailbox"],

// Child rules
"childRules": []
}

type="DefineSelf"

Define the context object.

{
// Define for current object
"type": "DefineSelf",
"properties": [
{
// ... AzureADUser.usageLocation = "CH"
"type": "Literal",
"field": "AzureADUser.usageLocation",
"value": "CH"
}
],
"childRules": []
}

type="AddProfiles"

Add profile(s) to the context object.

{
// Add profiles to the current object
"type": "AddProfiles",

// ... add "CompanyMailbox" Profile
"profiles": ["CompanyMailbox"],

// Child rules
"childRules": []
}

type="RemoveProfiles"

Remove profile(s) from the context object.

{
// Remove profiles from the current object
"type": "RemoveProfiles",

// ... remove "CompanyMailbox" Profile
"profiles": ["CompanyMailbox"],

// Child rules
"childRules": []
}

Property Setters

Syntax for the properties section in addRules and removeRules.

The content of the properties section allows you to specify the attribute values for the target object. When a profile rule is applied to a governed object, the object's property values are modified accordingly.

{
// List of property setters
"properties": [
{
// Modifier type
"type": "Literal" | "Inherit" | "Expression",
// Affected field: "<ConfigurationType>.<Property>"
"field": "<ConfigurationType>.<Property>",
// field value (Literal), parent property (Inherit) or PowerShell computation function (Expression)
"value": "string" | number | boolean | ...,
// make the field read-only (cannot be changed via object update, object patch or change request)
"lock": true | false
}
]
}

type=Literal

You can set property values to a constant value.

{
"type": "Literal",
"field": "ExoMailbox.UseSecurityGroups",
"value": true
}

type=Inherit

You can inherit property values from the parent object to child objects.

{
"type": "Inherit",
"field": "M365UserLicense.user",
"value": "AzureADUser.userPrincipalName"
}

type=Expression

You can compute property values with the Expression type. The formula is written in PowerShell.

All property values of the Governed Object are available via $ConfigurationType.Property notation.

Be aware that the Expression script must return a strongly typed value that matches the property's native type. If you return an integer value for a string property, the engine will detect the type mismatch and produce an error.

{
"type": "Expression",
"field": "ExoMailbox.FullAccessGroupName",
"value": "return ('MBX-FA-{0}' -f $ExoMailbox.Alias)"
}
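
Because a profile can rewrite properties and carry PowerShell in Expression setters, it is worth checking a profile document before it is submitted. The following is an added example, not part of the product or its API: a small linter that walks addRules and removeRules (including nested childRules), checks the rule and setter fields described above, and collects every Expression for code review. The function names, the sample profile and the reading of "either ... OR" as "at most one restriction key" are assumptions.

```python
import re

RULE_TYPES = {"DefineChild", "DefineSelf", "AddProfiles", "RemoveProfiles"}
SETTER_TYPES = {"Literal", "Inherit", "Expression"}
RESTRICTION_KEYS = ("allowedSchemas", "allowedObjectTypes", "allowedConfigurationTypes")
FIELD_RE = re.compile(r"^\w+\.\w+$")  # "<ConfigurationType>.<Property>"

def lint_rule(rule, path, findings, expressions):
    if rule.get("type") not in RULE_TYPES:
        findings.append(f"{path}: unknown rule type {rule.get('type')!r}")
    if rule.get("type") == "DefineChild" and not rule.get("schema"):
        findings.append(f"{path}: DefineChild needs a schema")
    for i, setter in enumerate(rule.get("properties", [])):
        where = f"{path}.properties[{i}]"
        if setter.get("type") not in SETTER_TYPES:
            findings.append(f"{where}: unknown setter type {setter.get('type')!r}")
        if not FIELD_RE.match(str(setter.get("field", ""))):
            findings.append(f"{where}: field is not <ConfigurationType>.<Property>")
        if setter.get("type") == "Expression":  # PowerShell source: collect for review
            expressions.append((where, setter.get("field"), setter.get("value")))
    for i, child in enumerate(rule.get("childRules", [])):  # rules nest via childRules
        lint_rule(child, f"{path}.childRules[{i}]", findings, expressions)

def lint_profile(profile):
    findings, expressions = [], []
    used = [k for k in RESTRICTION_KEYS if profile.get("restrictions", {}).get(k)]
    if len(used) > 1:  # assumption: "either ... OR" means at most one key
        findings.append("restrictions: more than one of " + ", ".join(used))
    for section in ("addRules", "removeRules"):
        for i, rule in enumerate(profile.get(section, [])):
            lint_rule(rule, f"{section}[{i}]", findings, expressions)
    return findings, expressions

# Constructed sample with three deliberate mistakes (ids are placeholders).
SAMPLE = {
    "id": "ExampleProfile",
    "restrictions": {"allowedSchemas": ["SchemaId1"], "allowedObjectTypes": ["ObjectTypeId1"]},
    "addRules": [{
        "type": "DefineChild", "lifecycle": "Ignore",  # "schema" is missing
        "properties": [{"type": "Expression", "field": "ExoMailbox.FullAccessGroupName",
                        "value": "return ('MBX-FA-{0}' -f $ExoMailbox.Alias)"}],
        "childRules": [{"type": "DefineSelf", "properties": [
            {"type": "Literal", "field": "usageLocation", "value": "CH"}]}],
    }],
    "removeRules": [{"type": "RemoveProfiles", "profiles": ["CompanyMailbox"]}],
}

if __name__ == "__main__":
    print(*sum(lint_profile(SAMPLE), []), sep="\n")
```

The linter only checks structure; whether an Expression returns the property's native type is still decided by the engine when the rule is applied.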