Scoped PIM assignment (schedules) do not show up in API

Stefan Boerner 0 Reputation points
2023-01-25T14:56:08.64+00:00

Active assignments of certain directory roles (for example "Application Administrator") that are limited to the scope of a service principal or application do not show up in /rolemanagement/directory/roleAssignmentScheduleRequests or /rolemanagement/directory/roleAssignmentScheduleInstances. Assignments with scope "Directory" however, do show up.

The assignments were done in the PIM portal. Assignment_in_portal

When using the Graph Explorer, the roleAssignmentRequests for those assignments do show up (https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests)

Role: Application Administrator
Scope: Azure AD Identity Governance - Dynamics 365 Management (ServicePrincipal)
Principal: Bianca Pisani (User):

{
	"id": "7b27f620-40f6-4820-9d6b-52aa47e87a16",
	"status": "Provisioned",
	"createdDateTime": "2023-01-25T13:31:33.537Z",
	"completedDateTime": "2023-01-25T13:31:33.627Z",
	"approvalId": null,
	"customData": null,
	"action": "adminAssign",
	"principalId": "d74749ec-b59f-40db-91fa-1ffb3193da38",
	"roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
	"directoryScopeId": "/16f0f7f3-a69a-4a4f-94f5-5f43c71e95f5",
	"appScopeId": null,
	"isValidationOnly": false,
	"targetScheduleId": "7b27f620-40f6-4820-9d6b-52aa47e87a16",
	"justification": "Test 2",
	"createdBy": {
		"application": null,
		"device": null,
		"user": {
			"displayName": null,
			"id": "f60dbb25-9126-49b7-90f7-2bb7071015a0"
		}
	},
	"scheduleInfo": {
		"startDateTime": "2023-01-25T13:31:33.6253103Z",
		"recurrence": null,
		"expiration": {
			"type": "noExpiration",
			"endDateTime": null,
			"duration": null
		}
	},
	"ticketInfo": {
		"ticketNumber": null,
		"ticketSystem": null
	}
}

Role: Application Administrator
Scope: AppRoleTestApp (Application)
Principal: Irvin Sayers (User)

{
	"id": "856ca662-0724-4a1c-b70e-187888ff8983",
	"status": "Provisioned",
	"createdDateTime": "2023-01-25T12:05:13.11Z",
	"completedDateTime": "2023-01-25T12:05:13.133Z",
	"approvalId": null,
	"customData": null,
	"action": "adminAssign",
	"principalId": "3b6b1d1d-cbaa-4012-a121-c5a9513df3e3",
	"roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
	"directoryScopeId": "/6021b74b-58f2-4ea1-ae9b-1430aed60cd2",
	"appScopeId": null,
	"isValidationOnly": false,
	"targetScheduleId": "856ca662-0724-4a1c-b70e-187888ff8983",
	"justification": "Test",
	"createdBy": {
		"application": null,
		"device": null,
		"user": {
			"displayName": null,
			"id": "f60dbb25-9126-49b7-90f7-2bb7071015a0"
		}
	},
	"scheduleInfo": {
		"startDateTime": "2023-01-25T12:05:13.1317387Z",
		"recurrence": null,
		"expiration": {
			"type": "noExpiration",
			"endDateTime": null,
			"duration": null
		}
	},
	"ticketInfo": {
		"ticketNumber": null,
		"ticketSystem": null
	}
}

Allthough the status of those requests is "provisioned", corresponding schedule objects are not returned in

https://graph.microsoft.com/v1.0/roleManagement/directory/**roleAssignmentSchedules** or
https://graph.microsoft.com/v1.0/roleManagement/directory/**roleAssignmentScheduleInstances**

When reading assignments via https://graph.microsoft.com/v1.0/roleManagement/directory/**roleAssignments** however, they are returned:

Role: Application Administrator
Scope: Azure AD Identity Governance - Dynamics 365 Management (ServicePrincipal)
Principal: Bianca Pisani (User):

{
	"id": "kl2Jm9Msx0SdAqasLV6lw-xJR9eftdtAkfof-zGT2jjz9_AWmqZPSpT1X0PHHpX1-1",
	"principalId": "d74749ec-b59f-40db-91fa-1ffb3193da38",
	"directoryScopeId": "/16f0f7f3-a69a-4a4f-94f5-5f43c71e95f5",
	"roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
}

Role: Application Administrator
Scope: AppRoleTestApp (Application)
Principal: Irvin Sayers (User)

{
	"id": "kl2Jm9Msx0SdAqasLV6lwx0dazuqyxJAoSHFqVE98-NLtyFg8lihTq6bFDCu1gzS-1",
	"principalId": "3b6b1d1d-cbaa-4012-a121-c5a9513df3e3",
	"directoryScopeId": "/6021b74b-58f2-4ea1-ae9b-1430aed60cd2",
	"roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
}

Is this an intended behavior?

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
666 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,453 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andy David - MVP 141.5K Reputation points MVP
    2023-01-25T16:10:07.6566667+00:00