Graph query for eligible roles
I have been using the Graph API with PowerShell for a while now, and I am trying to get all eligible roles for a user, not necessarily what is currently assigned to them. After looking at the documentation I believe I found the correct URI, but I am getting PermissionScopeNotGranted errors. I have confirmed that I 100% have the correct permissions listed in the error message, so I am unsure why I am still getting the error message. Has anyone else had this issue, or is there maybe a different way to get eligible roles?
Here are the API permissions in AAD:
And here is the full Powershell:
C:\> $Params = @{
>> Uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests"
>> Headers = @{
>> Authorization = "Bearer $Token"
>> ConsistencyLevel = "eventual"
>> }
>> ErrorAction = 'Stop'
>> }
C:\> $Results = (Invoke-RestMethod @Params)
Invoke-RestMethod: {"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope RoleEligibilitySchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory.\",\"instanceAnnotations\":[]}","innerError":{"date":"2023-06-15T14:06:39","request-id":"xxxxxxxxxxxxxxxx","client-request-id":"xxxxxxxxxxxxxxxxxx"}}}
C:\>
Has anybody else run into this permission issue, or