AzureAD Resource roles (PIM) - "code":"InvalidRoleAssignmentRequestSchedule","message":"The role assignment request schedule is invalid.

2022-10-19T10:44:06.233+00:00

Hi Team,

We are trying to automate the creation of Azure resource role assignments using the Microsoft Graph API. When we hit the URI below, it gives "Invoke-WebRequest : {"error":{"code":"InvalidRoleAssignmentRequestSchedule","message":"The role assignment request schedule is invalid."}}"

$uri = "https://management.azure.com/providers/Microsoft.Subscription/subscriptions/XXXX/providers/Microsoft.Authorization/roleAssignmentScheduleRequests?api-version=2020-10-01"

Whatever GUID we generate for roleEligibilityScheduleRequestName, it gives the same error as above. What is the actual problem here?

$method = "PUT"  
  
$createURI =  "https://management.azure.com/providers/Microsoft.Subscription/subscriptions/xxx7eaf/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/54b598da-fd4d-4f8d-a247-33ab4079ff78?api-version=2020-10-01"  
  
$body = '{  
  "properties": {  
    "principalId": "xxx",  
    "roleDefinitionId": "/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",  
    "requestType": "AdminAssign",  
      
  }  
}'  
  
$response = Invoke-WebRequest -Headers $Header -Uri $createURI -Method $method -UseBasicParsing -Body $body  

Kindly help!

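The request body in the question carries no `scheduleInfo`, while the ARM `roleAssignmentScheduleRequests` schema defines one (a start time plus an expiration). As an added example, not code from this thread or from Microsoft, the PowerShell below builds a time-bound `AdminAssign` request and checks a body for the expected fields before it is sent. The function names, the `/subscriptions/<id>` scope form, the placeholder GUIDs, and the assumption that the missing schedule is what the error refers to are this example's own.

```powershell
# Added example: build and check a roleAssignmentScheduleRequests body offline.
function New-PimAssignmentRequest {
    param(
        [Parameter(Mandatory)][guid]$SubscriptionId,
        [Parameter(Mandatory)][guid]$PrincipalId,
        [Parameter(Mandatory)][guid]$RoleDefinitionId,
        [Parameter(Mandatory)][string]$Justification,
        # ISO 8601 duration such as PT8H or P30D; rejects a bare "P" or "PT"
        [ValidatePattern('^P(?=\d|T\d)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?)?$')]
        [string]$Duration = 'PT8H',
        [datetime]$Start = (Get-Date)
    )
    $scope = "/subscriptions/$SubscriptionId"   # assumed scope form
    $body = [ordered]@{
        properties = [ordered]@{
            principalId      = "$PrincipalId"
            roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$RoleDefinitionId"
            requestType      = 'AdminAssign'
            justification    = $Justification
            scheduleInfo     = [ordered]@{
                startDateTime = $Start.ToUniversalTime().ToString('o')
                expiration    = [ordered]@{ type = 'AfterDuration'; duration = $Duration }
            }
        }
    }
    $name = [guid]::NewGuid()                   # request name: a fresh GUID per call
    [pscustomobject]@{
        Uri  = "https://management.azure.com$scope/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/${name}?api-version=2020-10-01"
        Body = $body | ConvertTo-Json -Depth 5
    }
}

# Returns the names of fields this example expects but the body lacks.
function Test-PimAssignmentBody {
    param([Parameter(Mandatory)][string]$Json)
    $p = ($Json | ConvertFrom-Json).properties
    if (-not $p) { return 'properties' }
    $missing = @('principalId', 'roleDefinitionId', 'requestType', 'scheduleInfo' |
        Where-Object { -not $p.PSObject.Properties[$_] })
    if ($p.scheduleInfo -and -not $p.scheduleInfo.expiration) { $missing += 'scheduleInfo.expiration' }
    $missing
}

# Subscription and principal GUIDs are constructed; the role GUID is the one in the question.
$req = New-PimAssignmentRequest -SubscriptionId '00000000-0000-0000-0000-000000000001' `
    -PrincipalId '00000000-0000-0000-0000-000000000002' `
    -RoleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' -Justification 'Constructed sample'
$req.Uri; $req.Body
# Same shape as the body in the question (constructed values, no scheduleInfo):
Test-PimAssignmentBody -Json '{"properties":{"principalId":"x","roleDefinitionId":"y","requestType":"AdminAssign"}}'
# To send: Invoke-RestMethod -Method Put -Uri $req.Uri -Body $req.Body -Headers $Header -ContentType 'application/json'
```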

Accepted answer
  1. Zehui Yao_MSFT 5,831 Reputation points
    2022-10-20T10:00:26.19+00:00

    Hi @Krupa Gundraju (Larsen & Toubro Infotech Limit), you can use the POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments endpoint of the Microsoft Graph API to create a RoleAssignment, like I tested locally.
    Here is documentation for your reference: https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http
    Hope this helps. Best Wishes.



1 additional answer

  1. Jaime Polo 0 Reputation points
    2023-06-16T08:22:37.04+00:00

    I've been trying to add a role assignment for an Azure resource but can't get it to work.

    I've tried:

    POST "https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignmentRequests/"
    
    {
        "PrincipalId": "7334fc34-925d-4328-b1cf-652deca2c191",
        "resourceId": "2fae4754-c4a5-4252-a33f-bff081cdbf83",
        "RoleDefinitionId": "456a51f5-d86a-4a6d-8aef-cfde6e99879f",
        "Justification": "Assigning as per Managed Services onboarding",
        "Action": "AdminAssign",
        "ScheduleInfo": {
            "StartDateTime": "2023-07-14T18:43:00.000Z",
            "Expiration": {
                "Type": "AfterDuration",
                "Duration": "P30D"
            }
        },
        "assignmentState": "Active"
    }
    
    Also tried:
    
    $url = "https://management.azure.com/subscriptions/4aafaf98-961c-4f63-b9b6-58b4e7285eb6/providers/Microsoft.Authorization/roleAssignments/456a51f5-d86a-4a6d-8aef-cfde6e99879f?api-version=2022-04-01"
    
    $params = @{
      "properties" = @{
        "roleDefinitionId" = "/subscriptions/4aafaf98-961c-4f63-b9b6-58b4e7285eb6/providers/Microsoft.Authorization/roleDefinitions/456a51f5-d86a-4a6d-8aef-cfde6e99879f"
        "principalId" = "d6dace65-acac-4d24-8d5f-b71af850da1a"
        "principalType" = "Group"
      }
    }
    
    and if I use:
    
    Invoke-MgGraphRequest -Method Put -Uri $url -Body $params -Headers $headers
    
    
    Any help is appreciated.
    