Create an eligible assignment for an admin role using microsoft.graph powershell module
Question
Objective
Using the microsoft.graph PowerShell module (v1.0), add a security group as an eligible assignment to the Azure AD Global Reader role. I can successfully add a group as a permanent assignment.
Successful code (permanent assignment)
$params = @{
"@odata.type" = "#microsoft.graph.unifiedRoleAssignment"
PrincipalId = $PrincipalId
RoleDefinitionId = $role.Id
DirectoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
What I can validate
Get-MgRoleManagementDirectoryRoleAssignment - gets permanent assignments
New-MgRoleManagementDirectoryRoleAssignment - creates permanent assignments
Get-MgRoleManagementDirectoryRoleEligibilitySchedule - gets eligible assignments
My assumption
New-MgRoleManagementDirectoryRoleAssignmentSchedule - creates eligible assignments?
I think I have this wrong.
Failing code (eligible assignment):
$params = @{
"@odata.type" = "#microsoft.graph.UnifiedRoleAssignmentSchedule"
PrincipalId = $azGroup.Id
RoleDefinitionId = $role.Id
DirectoryScopeId = "/"
ScheduleInfo = @{
"@odata.type" = "#microsoft.graph.RequestSchedule"
StartDateTime = Get-Date
}
}
New-MgRoleManagementDirectoryRoleAssignmentSchedule -BodyParameter $params
Error
"message":"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v3/roleManagement/directory/roleAssignmentSchedules?'."
Thoughts
Based on the documentation only Get-MgRoleManagementDirectoryRoleAssignment creates an assignment the New-MgRoleManagementDirectoryRoleAssignmentSchedule cmdlet creates a navigation property.
1 answers
solution1
0 2023-01-09 08:41:48
I tried to reproduce the same in my environment and got below results:
I have one security group named Srigroup01 with below Object ID:
I ran same code as you and successfully added permanent assignment as below:
$params = @{
"@odata.type" = "#microsoft.graph.unifiedRoleAssignment"
PrincipalId = "Group ID"
RoleDefinitionId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451" #Global Reader role ID
DirectoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
Response:
To confirm that, I ran below command that lists active directory role assignments:
Get-MgRoleManagementDirectoryRoleAssignment
Response:
When I checked the same in Portal, role activated successfully like below:
Now I ran your eligible assignment code and got same error as below:
$params = @{
"@odata.type" = "#microsoft.graph.UnifiedRoleAssignmentSchedule"
PrincipalId = "Group ID"
RoleDefinitionId = "62e90394-69f5-4237-9190-012177145e10" #Global Administrator role ID
DirectoryScopeId = "/"
ScheduleInfo = @{
"@odata.type" = "#microsoft.graph.RequestSchedule"
StartDateTime = Get-Date
}
}
New-MgRoleManagementDirectoryRoleAssignmentSchedule -BodyParameter $params
Response:
To create eligible role assignments, you can make use of below commands:
Import-Module Microsoft.Graph.DeviceManagement.Enrolment
$params = @{
Action = "adminAssign"
Justification = "Assign Global Admin eligibility to group"
RoleDefinitionId = "62e90394-69f5-4237-9190-012177145e10" #Global admin role ID
DirectoryScopeId = "/"
PrincipalId = "Group ID"
ScheduleInfo = @{
StartDateTime = Get-Date
Expiration = @{
Type = "afterDateTime"
EndDateTime = [System.DateTime]::Parse("2024-04-10T00:00:00Z")
}
}
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
Response:
When I checked the same in Portal, eligible role assignment is created to the group successfully like below:
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.