I currently have a runas account that is connecting to AzureAD and trying to run the following command:
Set-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Id $rolesettingid -ResourceId $subscriptionPIMID -RoleDefinitionId $owner_roleDefinitionID -AdminEligibleSettings $setting
I get the error:
Error occurred while executing SetAzureADMSPrivilegedRoleSetting
Code: UnauthorizedAccessException
Message: Attempted to perform an unauthorized operation.
InnerError:
RequestId: 86e08426-85b4-443e-a25f-b6fec49e3652
DateTimeStamp: Mon, 19 Sep 2022 23:02:28 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
I have assigned the account basically every permission that I can think of, including Owner/User Access Administrator and GA in AzureAD.
For more context, here is more of the script:
$SubscriptionPIMID = (Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID'").Id
$guid = New-Guid
$RoleDefinitionPIMID = (Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID/providers/Microsoft.Authorization/roleDefinitions/$owner_roleDefinitionID'" -ResourceId $subscriptionPIMID).Id
$rolesettingid = (Get-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Filter "(roledefinitionid eq '$owner_roleDefinitionID') and (ResourceId eq '$SubscriptionPIMID')").id
Get-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Id $rolesettingid
Set-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Id $rolesettingid -ResourceId $subscriptionPIMID -RoleDefinitionId $owner_roleDefinitionID -AdminEligibleSettings $setting
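As an added example (not the poster's script), the same lookups carried out step by step, failing fast if any PIM identifier comes back empty and snapshotting the current role setting before it is changed, so the change can be reviewed and reverted. It assumes `$subscriptionID` and `$owner_roleDefinitionID` are already set, that `Connect-AzureAD` has succeeded, that `$setting` is built elsewhere, and (an assumption the post does not confirm) that the role-setting filter and `Set-AzureADMSPrivilegedRoleSetting` expect the PIM role-definition Id that `Get-AzureADMSPrivilegedRoleDefinition` returns rather than the ARM `roleDefinitions` GUID.

```powershell
# Added example, not the original poster's script. Assumptions: $subscriptionID,
# $owner_roleDefinitionID and $setting exist; Connect-AzureAD already succeeded;
# the RoleDefinitionId used for role settings is the PIM role-definition Id.

function Resolve-PimRoleSettingIds {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ArmRoleDefinitionId
    )

    # 1. PIM resource object for the subscription.
    $resource = Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' `
        -Filter "ExternalId eq '/subscriptions/$SubscriptionId'"
    if (-not $resource) { throw "PIM resource not found for subscription $SubscriptionId" }

    # 2. PIM role definition whose ExternalId is the ARM role definition path.
    $roleExternalId = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions/$ArmRoleDefinitionId"
    $roleDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'AzureResources' `
        -ResourceId $resource.Id -Filter "ExternalId eq '$roleExternalId'"
    if (-not $roleDef) { throw "PIM role definition not found for $roleExternalId" }

    # 3. Role setting, filtered on the PIM role-definition Id (assumption, see above).
    $roleSetting = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'AzureResources' `
        -Filter "(ResourceId eq '$($resource.Id)') and (RoleDefinitionId eq '$($roleDef.Id)')"
    if (-not $roleSetting) { throw "PIM role setting not found for role definition $($roleDef.Id)" }

    [pscustomobject]@{
        ResourceId       = $resource.Id
        RoleDefinitionId = $roleDef.Id
        RoleSettingId    = $roleSetting.Id
    }
}

# Log which identity the session actually runs as; a Forbidden response is easier
# to triage when the account and tenant are in the run output.
$session = Get-AzureADCurrentSessionInfo
Write-Output "Connected as $($session.Account) in tenant $($session.TenantDomain)"

$ids = Resolve-PimRoleSettingIds -SubscriptionId $subscriptionID -ArmRoleDefinitionId $owner_roleDefinitionID

# Snapshot the current setting before changing it, so the change is reversible and auditable.
$before = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'AzureResources' -Id $ids.RoleSettingId
$before | ConvertTo-Json -Depth 5 | Out-File -FilePath "./pim-rolesetting-$($ids.RoleSettingId)-before.json"

Set-AzureADMSPrivilegedRoleSetting -ProviderId 'AzureResources' -Id $ids.RoleSettingId `
    -ResourceId $ids.ResourceId -RoleDefinitionId $ids.RoleDefinitionId -AdminEligibleSettings $setting
```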