Issue setting PIM role settings via PowerShell using Azure Automation Run As account

Mark Preston 1 Reputation point
2022-09-19T23:13:18.34+00:00

I currently have a Run As account that is connecting to Azure AD and trying to run the following command:

Set-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Id $rolesettingid -ResourceId $subscriptionPIMID -RoleDefinitionId $owner_roleDefinitionID -AdminEligibleSettings $setting

I get the error:

Error occurred while executing SetAzureADMSPrivilegedRoleSetting
Code: UnauthorizedAccessException
Message: Attempted to perform an unauthorized operation.
InnerError:
RequestId: 86e08426-85b4-443e-a25f-b6fec49e3652
DateTimeStamp: Mon, 19 Sep 2022 23:02:28 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed

I have assigned the account basically every permission that I can think of, including Owner/User Access Administrator and GA in Azure AD.

For more context here is more of the script:

# Resolve PIM's own ID for the subscription (ExternalId is the ARM path of the subscription)
$SubscriptionPIMID = (Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID'").Id
$guid = New-Guid   # not used by the lines shown here
# Resolve PIM's own ID for the Owner role definition at subscription scope (ExternalId is the ARM role definition path)
$RoleDefinitionPIMID = (Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID/providers/Microsoft.Authorization/roleDefinitions/$owner_roleDefinitionID'" -ResourceId $subscriptionPIMID).Id
# Look up the role setting for that role at that scope; note this filter uses the ARM role definition GUID, and $RoleDefinitionPIMID resolved above is not used afterwards
$rolesettingid = (Get-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Filter "(roledefinitionid eq '$owner_roleDefinitionID') and (ResourceId eq '$SubscriptionPIMID')").id
Get-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Id $rolesettingid
# This is the call that fails with UnauthorizedAccessException ($setting, $subscriptionID and $owner_roleDefinitionID are defined earlier in the script, not shown here)
Set-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Id $rolesettingid -ResourceId $subscriptionPIMID -RoleDefinitionId $owner_roleDefinitionID -AdminEligibleSettings $setting


1 answer

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2022-09-20T20:36:12.157+00:00

    Hi @Mark Preston ,

    Thanks for your post! The PowerShell (old v2 Graph APIs) do not support application write permission, so when calls are made with a service principal, it will fail with an "UnauthorizedAccessException" error.

    This is by design. When using this operation, you need to switch to the new APIs. The Azure AD roles are behind GRAPH and Azure RBAC roles are behind ARM. For more details, see below:

    Privileged Identity Management - Microsoft Graph beta | Microsoft Learn

    AAD role assignment request

    Let me know if this helps and if you have further questions.

    -
    If the information helped you, please accept the answer. This will help us and other community members as well.

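As an added example, not part of the question or of the answer above: the ARM-side way to do what the Set-AzureADMSPrivilegedRoleSetting call was attempting, since Azure RBAC role settings are managed through the Microsoft.Authorization/roleManagementPolicies API rather than the old AzureAD module. It assumes the Az.Accounts module, that the Automation identity holds User Access Administrator or Owner on the subscription, and reuses the question's $subscriptionID and $owner_roleDefinitionID placeholders; the 180-day limit is a constructed value.

```powershell
# Added example (not the asker's script and not Microsoft sample code).
# Changes the "Admin eligibility" expiration rule of a subscription-scoped role via ARM.
# Requires Microsoft.Authorization/roleManagementPolicies/write on the scope
# (held by Owner and User Access Administrator).
$subscriptionID         = '<subscription-guid>'             # placeholder, as in the question
$owner_roleDefinitionID = '<owner-role-definition-guid>'    # placeholder, as in the question
$apiVersion = '2020-10-01'
$scope      = "/subscriptions/$subscriptionID"

# Managed identity sign-in; a Run As certificate login (Connect-AzAccount -ServicePrincipal) also works.
Connect-AzAccount -Identity | Out-Null

# 1. Find the role management policy assigned to this role at this scope.
$roleDefId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$owner_roleDefinitionID"
$listPath  = "$scope/providers/Microsoft.Authorization/roleManagementPolicyAssignments?api-version=$apiVersion"
$assignments = (Invoke-AzRestMethod -Method GET -Path $listPath).Content | ConvertFrom-Json
$assignment  = $assignments.value | Where-Object { $_.properties.roleDefinitionId -eq $roleDefId }
if (-not $assignment) { throw "No role management policy assignment found for $roleDefId" }
$policyPath = "$($assignment.properties.policyId)?api-version=$apiVersion"

# 2. Read the current rule first so the change is recorded in the runbook output.
$before  = (Invoke-AzRestMethod -Method GET -Path $policyPath).Content | ConvertFrom-Json
$current = $before.properties.rules | Where-Object { $_.id -eq 'Expiration_Admin_Eligibility' }
Write-Output "Before: isExpirationRequired=$($current.isExpirationRequired) maximumDuration=$($current.maximumDuration)"

# 3. PATCH only the rule being changed (the ARM counterpart of -AdminEligibleSettings):
#    eligible assignments must expire, at most 180 days after creation (constructed value).
$body = @{
    properties = @{
        rules = @(
            @{
                id                   = 'Expiration_Admin_Eligibility'
                ruleType             = 'RoleManagementPolicyExpirationRule'
                isExpirationRequired = $true
                maximumDuration      = 'P180D'
                target               = @{ caller = 'Admin'; operations = @('All'); level = 'Eligibility' }
            }
        )
    }
} | ConvertTo-Json -Depth 10

$resp = Invoke-AzRestMethod -Method PATCH -Path $policyPath -Payload $body
if ($resp.StatusCode -ne 200) { throw "Policy update failed: HTTP $($resp.StatusCode) $($resp.Content)" }
Write-Output "Updated Expiration_Admin_Eligibility on $($assignment.properties.policyId)"
```

Entra ID directory roles are not reachable this way; those policies live behind Microsoft Graph (unifiedRoleManagementPolicy), as the answer notes.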