How to generate a user token with the same permissions as a user with a PIM role

Joseph Leiber 0 Reputation points
2023-04-19T01:52:41.1933333+00:00

I'm using az account get-access-token to get a token to be used in a script. I need to generate a token with permissions equal to that of a user who has assumed a role via Privileged Identity Management. Due to restrictions in my environment, I cannot use an App Registration.

When I specify --scope EntitlementManagement.ReadWrite.All , I get an error that I need preauthorization from the API owner before requesting a token. What's the best way to generate a token with the permissions required from az?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other

1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-04-19T06:09:22.8033333+00:00

    Hello @Joseph Leiber , in order to generate an access token with a specific user's permissions, you need to authenticate with the same user. Regarding az cli, it's only possible to get access tokens for some well-known resources and scopes. EntitlementManagement.ReadWrite.All is not part of them. You will need to create an app registration, register the aforementioned scope and obtain an access token using MSAL.PS:

    # -ClientId is required: the application (client) ID of the app registration
    $MsalToken = Get-MsalToken -ClientId "<app-client-id>" `
        -Scopes https://graph.microsoft.com/EntitlementManagement.ReadWrite.All -RedirectUri http://localhost `
        -UseEmbeddedWebView:$false
    $AccessToken = $MsalToken.AccessToken

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

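A fuller version of the flow the answer describes, added here as an example and not taken from the answer or from the MSAL.PS project: it signs in interactively as the user, then inspects the issued token's `aud` and `scp` claims before using it, so a script fails early when the app registration was not actually consented for the scope (the "needs preauthorization" situation from the question shows up as a missing `scp` entry rather than a confusing 403 later). The client ID, tenant ID and the Graph access-packages endpoint call are assumptions for the sake of the example; the Graph base URL and scope name are the ones already used in the answer.

```powershell
# Added example (not the answer's own code): acquire a delegated Graph token with MSAL.PS,
# confirm it carries the requested scope, then call Entitlement Management with it.
# <app-client-id> and <tenant-id> are hypothetical placeholders for your own app registration.
Import-Module MSAL.PS

$ClientId = '<app-client-id>'   # hypothetical placeholder
$TenantId = '<tenant-id>'       # hypothetical placeholder
$Scope    = 'https://graph.microsoft.com/EntitlementManagement.ReadWrite.All'

# Interactive sign-in as the user who has activated the PIM role. The resulting token
# carries that user's delegated permissions, not application permissions.
$MsalToken = Get-MsalToken -ClientId $ClientId -TenantId $TenantId `
    -Scopes $Scope -RedirectUri 'http://localhost' -UseEmbeddedWebView:$false
$AccessToken = $MsalToken.AccessToken

function ConvertFrom-JwtPayload {
    # Decode the JWT payload (second segment) without validating the signature.
    # This is only a local sanity check on claims, never a substitute for the
    # resource server's own validation.
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$claims = ConvertFrom-JwtPayload -Jwt $AccessToken
$grantedScopes = $claims.scp -split ' '

# Graph tokens carry either the resource URL or the Graph application ID as audience.
if ($claims.aud -ne 'https://graph.microsoft.com' -and
    $claims.aud -ne '00000003-0000-0000-c000-000000000000') {
    throw "Unexpected audience: $($claims.aud)"
}
if ('EntitlementManagement.ReadWrite.All' -notin $grantedScopes) {
    throw "Token issued without the required scope; granted scopes: $($claims.scp)"
}
"Token for $($claims.upn) expires at $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp))"

# Use the token against an Entitlement Management endpoint (assumed call for the example).
$headers = @{ Authorization = "Bearer $AccessToken" }
$result = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/accessPackages'
$result.value | Select-Object id, displayName
```

Note that `scp` only shows which delegated permission the app was granted; what the call can actually do is bounded by the signed-in user's directory role at that moment, which is exactly what the PIM activation controls. If the role activation expires mid-script, the token's `scp` still lists the scope but Graph will start returning 403, so long-running scripts should treat the activation window, not the token lifetime, as the effective limit.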
