Graph API to query Privilege Identity Management| AzureAD roles for group and Administrative Unit

Question

Graph API to query Privilege Identity Management| AzureAD roles for group and Administrative Unit

Alex You 25

I can query from https://graph.microsoft.com/beta/privilegedAccess/aadRoles/resources/{tenantID}/roleAssignments

But these are for Service Principal and Users in Scope of Directory

But there are users and groups show in the Authentication Administrator from Privileged Identity Management

Their Type show as User, but Scope show as Administrative unit, how do I get a list of these?

Alex You 25

https://graph.microsoft.com/v1.0/directory/administrativeUnits/{AdminUnitID}/scopedRoleMembers

If I using this, I get a perfect JSON, but have no idea what roleId for, as I have list from https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$select=id,displayName" none of them matching roleId

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#scopedRoleMemberships",
    "value": [
        {
            "id": "{String}",
            "roleId": "63d4a4a1-4bb1-4814-815a-f571528af638",
            "administrativeUnitId": "{administrativeUnitId}",
            "roleMemberInfo": {
                "id": "{Omitted}",
                "displayName": "{Omitted}",
                "userPrincipalName": "{Omitted}"
            }
        },
        {
            "id": "{String}",
            "roleId": "63d4a4a1-4bb1-4814-815a-f571528af638",
            "administrativeUnitId": "{administrativeUnitId}",
            "roleMemberInfo": {
                "id": "{Omitted}",
                "displayName": "{Omitted}",
                "userPrincipalName": "{Omitted}"
            }
        }
}

Accepted answer

0 additional answers

Your answer

Alex You 25 Reputation points

2023-08-01T07:08:47.6966667+00:00

https://graph.microsoft.com/v1.0/directory/administrativeUnits/{AdminUnitID}/scopedRoleMembers

If I using this, I get a perfect JSON, but have no idea what roleId for, as I have list from https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$select=id,displayName" none of them matching roleId

{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#scopedRoleMemberships", "value": [ { "id": "{String}", "roleId": "63d4a4a1-4bb1-4814-815a-f571528af638", "administrativeUnitId": "{administrativeUnitId}", "roleMemberInfo": { "id": "{Omitted}", "displayName": "{Omitted}", "userPrincipalName": "{Omitted}" } }, { "id": "{String}", "roleId": "63d4a4a1-4bb1-4814-815a-f571528af638", "administrativeUnitId": "{administrativeUnitId}", "roleMemberInfo": { "id": "{Omitted}", "displayName": "{Omitted}", "userPrincipalName": "{Omitted}" } } }

Answer 1

Vasil Michev 119.6K MVP Volunteer Moderator

You can use the /roleManagement/directory/roleEligibilityScheduleRequests endpoint (or the corresponding Get-MgRoleManagementDirectoryRoleEligibilitySchedule cmdlet) to list them: https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityschedulerequests?view=graph-rest-beta&tabs=http

Scoped assignments will show up with /administrativeUnits/blabla value for the DirectoryScopeId property.

Alex You 25 Reputation points

2023-08-01T07:13:20.75+00:00

Thank you. roleDefinitionId seems more promising. I will check it out.
Alex You 25 Reputation points

2023-08-02T09:45:43.1633333+00:00

Thank you so much, I replicated the in my Dev Environment and that's what I want.

Share via

Graph API to query Privilege Identity Management| AzureAD roles for group and Administrative Unit

0 additional answers

Your answer