How to cancel a PIM group assignment made with New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest

tbwork 26 Reputation points
2024-06-29T00:03:48.71+00:00

We are trying to mimic the cancel action on an active assignment in PIM for Groups using Microsoft.Graph. We cannot figure out what command to use to cancel the active assignment:

We are able to use Microsoft.Graph.Identity.Governance to create an Active member assignment in a PIM group, using a syntax like the following:

$params = @{
    accessId      = "member"
    principalId   = "$($user.Id)"
    groupId       = "$($group.Id)"
    action        = "AdminAssign"
    scheduleInfo  = @{
        startDateTime = $startDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
        expiration    = @{
            type        = "AfterDateTime"
            endDateTime = $endDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
        }
    }
    justification = "{0}{1:M/d h:mmtt} - {2:M/d h:mmtt}" -f $country,$startDate,$endDate
}

## Executing the assignment AS ACTIVE
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $params

If that assignment status is "Granted", that means it is still pending (aka start date is still in the future) and we are able to STOP the request as follows (which changes the assignment status to 'Canceled'):

Stop-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -PrivilegedAccessGroupAssignmentScheduleRequestId $request.id

However, if that same assignment status is "Provisioned", it is currently actively assigned (start date is before [now] and end date is later).

While we can use the Entra admin portal's PIM area to cancel the request, and it shows the status as Canceled in Graph, we are unable to make the same call within Graph: we cannot use the same Stop-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -PrivilegedAccessGroupAssignmentScheduleRequestId $request.id.

The only calls that seem to work on the active assignment are like this:

$params = @{
    accessId      = "member"
    principalId   = "$($user.Id)"
    groupId       = "$($group.Id)"
    action        = "adminRemove"
    justification = "It is time to go."
}

New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $params

However, this becomes a separate request, and when viewing the original request audit, we now have to factor both requests in to see what's going on. The original request will still show "Provisioned".

Can someone please confirm what Microsoft.Graph.Identity.Governance command would CANCEL the current Provisioned request? Perhaps we can do an Update-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest somehow?

Thanks!

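The two revocation paths described in the question, branched on the request status, as an added example that is not part of the original post. It assumes Microsoft.Graph.Identity.Governance is loaded, Connect-MgGraph has been run with a scope that can write PIM group assignments, and that a Get- cmdlet with the same noun exists alongside the Stop- and New- cmdlets shown above (the PascalCase output properties Status, AccessId, PrincipalId and GroupId are also assumed).

```powershell
# Added example, not code from the question. Assumes Connect-MgGraph has already been run
# and that Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest exists in
# the same module as the Stop-/New- cmdlets used in the question (assumption).
function Revoke-PimGroupAssignment {
    param(
        [Parameter(Mandatory)] [string] $RequestId,
        [string] $Justification = "Access no longer required"
    )

    # Look up the original schedule request to see where it is in its lifecycle.
    $request = Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest `
        -PrivilegedAccessGroupAssignmentScheduleRequestId $RequestId

    switch ($request.Status) {
        'Granted' {
            # Start date still in the future: the request itself can be stopped,
            # and its status moves to Canceled.
            Stop-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest `
                -PrivilegedAccessGroupAssignmentScheduleRequestId $RequestId
            return [pscustomobject]@{ RequestId = $RequestId; Action = 'Canceled' }
        }
        'Provisioned' {
            # Membership is live: Stop- is rejected, so submit a separate adminRemove
            # request targeting the same principal/group/accessId as the original.
            $params = @{
                accessId      = $request.AccessId
                principalId   = $request.PrincipalId
                groupId       = $request.GroupId
                action        = 'adminRemove'
                justification = $Justification
            }
            $removal = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest `
                -BodyParameter $params
            # Return both ids so the audit trail can tie the removal back to the
            # original request, which keeps showing Provisioned on its own.
            return [pscustomobject]@{
                RequestId        = $RequestId
                Action           = 'adminRemove'
                RemovalRequestId = $removal.Id
            }
        }
        default {
            # Already Canceled/Revoked/Failed etc.: nothing to do, report the status.
            return [pscustomobject]@{ RequestId = $RequestId; Action = 'NoOp'; Status = $request.Status }
        }
    }
}

# Usage (constructed placeholder id): Revoke-PimGroupAssignment -RequestId '<request-id>' -Justification 'Contract ended'
```

Recording the returned pair of ids alongside the change ticket is what lets a reviewer reconcile the still-Provisioned original with the later adminRemove request when reading the PIM audit.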