Graph query for eligible roles

Andrew (AJ) Draper 0 Reputation points
2023-06-15T21:24:47.6333333+00:00

I have been using the Graph API with PowerShell for a while now, and I am trying to get all eligible roles for a user, not necessarily what is currently assigned to them. After looking at the documentation I believe I found the correct URI, but I am getting PermissionScopeNotGranted errors. I have confirmed that I 100% have the correct permissions listed in the error message, so I am unsure why I am still getting the error message. Has anyone else had this issue, or is there maybe a different way to get eligible roles?

Here are the API permissions in AAD:

[screenshot of the API permissions in AAD, not reproduced]

And here is the full PowerShell:

C:\> $Params = @{
>> Uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests"
>> Headers = @{
>> Authorization = "Bearer $Token"
>> ConsistencyLevel = "eventual"
>> }
>> ErrorAction = 'Stop'
>> }
C:\> $Results = (Invoke-RestMethod @Params)
Invoke-RestMethod: {"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope RoleEligibilitySchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory.\",\"instanceAnnotations\":[]}","innerError":{"date":"2023-06-15T14:06:39","request-id":"xxxxxxxxxxxxxxxx","client-request-id":"xxxxxxxxxxxxxxxxxx"}}}
C:\>

Has anybody else run into this permission issue, or
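An added example, not code from the question or from an answer on this page: it lists a principal's eligible role schedule instances (the eligibility itself, rather than the PIM requests that created it) and, when Graph returns the nested PermissionScopeNotGranted error shown above, decodes the bearer token so the scopes it actually carries can be compared with the scopes the error names. It assumes PowerShell 7, a `$Token` variable holding a Graph bearer token, and a `$PrincipalId` variable holding the user's object id.

```powershell
# Added example, not code from the question. Assumes PowerShell 7, $Token holds
# a bearer token for Microsoft Graph, and $PrincipalId is the user's object id.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Jwt)
    # Decode the JWT payload (base64url: restore '+' '/' and the '=' padding)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-EligibleRoles {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$PrincipalId
    )
    # Schedule *instances* are what the principal is eligible for right now;
    # schedule *requests* are the PIM tickets that created or changed them.
    $uri = 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleInstances' +
           "?`$filter=principalId eq '$PrincipalId'"
    $headers = @{ Authorization = "Bearer $Token" }
    $results = @()
    try {
        while ($uri) {                              # follow @odata.nextLink paging
            $page = Invoke-RestMethod -Uri $uri -Headers $headers -ErrorAction Stop
            $results += $page.value
            $uri = $page.'@odata.nextLink'
        }
        return $results | Select-Object roleDefinitionId, directoryScopeId, memberType, endDateTime
    }
    catch {
        # Graph wraps the real error as a JSON string inside error.message
        $body  = $_.ErrorDetails.Message | ConvertFrom-Json
        $inner = try { $body.error.message | ConvertFrom-Json } catch { $null }
        if ($inner.errorCode -eq 'PermissionScopeNotGranted' -and
            $inner.message -match 'permission scope (.+)\.$') {
            $required = $Matches[1] -split ','
            $claims   = Get-JwtClaims $Token
            # Delegated tokens carry 'scp' (space separated); app-only tokens carry 'roles'
            $granted  = @(if ($claims.scp) { $claims.scp -split ' ' } else { $claims.roles })
            Write-Warning "Scopes named by Graph: $($required -join ', ')"
            Write-Warning "Scopes in token (aud=$($claims.aud)): $($granted -join ', ')"
        }
        throw
    }
}

Get-EligibleRoles -Token $Token -PrincipalId $PrincipalId
```

The two warnings make it visible whether the token was issued with delegated scopes (`scp`) or application roles (`roles`) and for which audience, which is the first thing to check when the portal shows a permission that the error says is missing.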

Microsoft Graph
