"code":"MalformedRoleAssignmentRequest","message":"PASRP RoleAssignment request is malformed"

Johnathan Welker 106 Reputation points
2023-05-17T21:26:55.2633333+00:00

Hey there. While using the Role Assignments - Create documentation to try and create a role assignment (via PowerShell Invoke-RestMethod command), I'm running into this error:

Invoke-RestMethod : {"error":{"code":"MalformedRoleAssignmentRequest","message":"PASRP RoleAssignment request is malformed"}}

I'm not finding anything for the PASRP portion specifically online. I know it's not a permission-based issue because I've tried the code as is with another command and I specifically get a permission error at that point.

Code below (The 'Select development language' feature of this site wouldn't work but it's PowerShell):

$token = (Get-AzAccessToken).Token

$headers = @{
    "Authorization" = "Bearer {0}" -f ($token)
}

$APIUri = "https://management.azure.com/subscriptions/71842a2a-a468-4be0-ae53-db3293f22007/resourceGroups/OK-RG-My-Development/providers/Microsoft.Authorization/roleAssignments/ca161a04-3519-42fa-b6b4-117a2157d98b?api-version=2022-04-01"

$parameters = @"
{
  "properties": {
    "roleDefinitionId": "/subscriptions/71842a2a-a468-4be0-ae53-db3293f22007/resourceGroups/OK-RG-My-Development/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "principalId": "ae2620bc-453e-4e5b-b164-fd68ada93334"
  }
}
"@

$JSONParams = $parameters | ConvertFrom-Json

Invoke-RestMethod -Headers $headers -Uri $APIUri -Method PUT -Body $JSONParams

I've replaced the sub IDs with random guids and altered RG name above to obscure, but I wanted to keep them generally rather than replacing with {scope} in case therein lies part of the issue. I've double, triple checked it's the right scope though. Sub and RG.

I've also used this walkthrough and noticed that it omits the "principalType": "User" (it is a user object Id I'm using) property in the body that the other has. I've tried both ways, same error.

Any help would be much appreciated, thank you!

Note: I know this is ARM rather than Graph, but couldn't find a good tag for it.

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Microsoft Security | Microsoft Graph
Answer accepted by question author

TP 157.6K Reputation points Volunteer Moderator
2023-05-17T22:48:09.71+00:00

Hi,

Tested and code similar to below works fine:


$token = (Get-AzAccessToken).Token

$headers = @{
    "Authorization" = "Bearer {0}" -f ($token)
}

$APIUri = "https://management.azure.com/subscriptions/71842a2a-a468-4be0-ae53-db3293f22007/resourceGroups/OK-RG-My-Development/providers/Microsoft.Authorization/roleAssignments/ca161a04-3519-42fa-b6b4-117a2157d98b?api-version=2022-04-01"

$parameters = @"
{
  "properties": {
    "roleDefinitionId": "/subscriptions/71842a2a-a468-4be0-ae53-db3293f22007/resourceGroups/OK-RG-My-Development/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
    "principalId": "ae2620bc-453e-4e5b-b164-fd68ada93334"
  }
}
"@

Invoke-RestMethod -Headers $headers -Uri $APIUri -Method PUT -Body $parameters -ContentType "application/json"

If the above was useful please click Accept Answer.

Thanks.

-TP
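The two posts differ only in what reaches `-Body`: the question pipes the JSON text through `ConvertFrom-Json` and sends the resulting object, while the accepted answer sends the JSON text itself with `-ContentType "application/json"`. The sketch below is an added example, not code from either poster or from Microsoft; `New-RoleAssignmentRequest` and the `SEND_ROLE_ASSIGNMENT` switch are hypothetical names, and the IDs are the obscured values from the thread.

```powershell
# Added example: build the role assignment request and check the body before sending.
function New-RoleAssignmentRequest {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Scope,             # /subscriptions/<id>/resourceGroups/<name>
        [Parameter(Mandatory)] [guid]   $AssignmentName,    # GUID that names the new assignment
        [Parameter(Mandatory)] [string] $RoleDefinitionId,  # full role definition resource ID
        [Parameter(Mandatory)] [guid]   $PrincipalId,       # object ID of the principal
        [string] $ApiVersion = '2022-04-01'
    )
    # Build the body as data, then serialize it once; the result is a JSON string.
    $body = @{
        properties = @{
            roleDefinitionId = $RoleDefinitionId
            principalId      = $PrincipalId.ToString()
        }
    } | ConvertTo-Json -Depth 5

    # Round-trip check: the value to send must be a string that parses back
    # into a document carrying both properties the request needs.
    $parsed = $body | ConvertFrom-Json
    if ($body -isnot [string] -or
        -not $parsed.properties.roleDefinitionId -or
        -not $parsed.properties.principalId) {
        throw 'Request body is not the expected JSON document.'
    }
    [pscustomobject]@{
        Uri  = "https://management.azure.com$Scope/providers/Microsoft.Authorization/roleAssignments/${AssignmentName}?api-version=$ApiVersion"
        Body = $body
    }
}

# Values taken from the thread (already obscured by the question author).
$scope = '/subscriptions/71842a2a-a468-4be0-ae53-db3293f22007/resourceGroups/OK-RG-My-Development'
$req = New-RoleAssignmentRequest -Scope $scope `
    -AssignmentName 'ca161a04-3519-42fa-b6b4-117a2157d98b' `
    -RoleDefinitionId "$scope/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7" `
    -PrincipalId 'ae2620bc-453e-4e5b-b164-fd68ada93334'

# What each post hands to -Body: a deserialized object versus the JSON text.
$asObject = $req.Body | ConvertFrom-Json
'question passes: {0}' -f $asObject.GetType().FullName
'answer passes:   {0}' -f $req.Body.GetType().FullName

# Same call as the accepted answer; runs only when explicitly opted in (constructed switch).
if ($env:SEND_ROLE_ASSIGNMENT -eq '1') {
    $headers = @{ Authorization = 'Bearer {0}' -f (Get-AzAccessToken).Token }
    Invoke-RestMethod -Headers $headers -Uri $req.Uri -Method PUT -Body $req.Body -ContentType 'application/json'
}
```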
