Enabling PIM Role Using Group ID as PrincipalID is Enabling Role for Entire Group, not just the current user. Is there a way to self-activate eligible PIM roles for group-based role assignments using a Graph API call?

Suryendu Bhattacharyya 11 Reputation points
2023-08-16T03:26:39.88+00:00

Enabling PIM Role Using Group ID as PrincipalID is Enabling Role for Entire Group, not just the current user.

Is there a way to self-activate eligible PIM roles for group-based role assignments using a Graph API call? A Graph API call with principalId set to the group object ID activates the role for all users in the group.

This will activate the role for all users who are member of the group.

# $EligibleAssignment (the eligible role assignment whose principal is the group) and
# $ticketInfo are populated earlier in the script and are not shown here.
$startDateTime = (Get-Date).ToUniversalTime().ToString("o")   # ISO 8601, UTC

$params = [ordered]@{
    action           = "selfActivate"
    justification    = "Assign Attribute Assignment Admin eligibility to restricted user"
    roleDefinitionId = $EligibleAssignment.roleDefinitionId
    directoryScopeId = "/"
    principalId      = $EligibleAssignment.principalId # Group ID, as it is the Principal ID of the role assignment
    scheduleInfo     = @{
        startDateTime = $startDateTime
        expiration    = @{
            type        = "AfterDuration"
            endDateTime = $null
            duration    = "PT7H"
        }
    }
    ticketInfo       = $ticketInfo
}

# Because principalId is the group, this activates the role for every member of the group.
New-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params -ErrorAction Stop
Microsoft Entra ID

1 answer

  1. Sandeep G-MSFT 20,786 Reputation points Microsoft Employee
    2023-08-17T11:37:22.26+00:00

    @Suryendu Bhattacharyya

    This is expected behaviour. If you activate any PIM role using a group ID, it will activate the role for all users who are part of that group.

    If you want to activate a specific role only for a specific user, then you will have to make the role eligible for that user only.

    The other option is to permanently assign the role to one particular group and make the group membership activatable in PIM. Whoever is eligible for the group membership will have to activate it in the PIM blade in the Azure portal, and users who are added as group members will by default get the role that is assigned to the group in the Azure portal.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
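The second option in the answer (role assigned to the group, membership managed in PIM for Groups) lets one user activate only their own access. The following is an added example, not code from the question author or from Microsoft; it assumes the Microsoft Graph PowerShell SDK, that the calling user is already eligible for membership of the group, and that `$GroupId` is replaced with the real group object ID.

```powershell
# Added example: the signed-in user self-activates THEIR OWN eligible membership of a
# PIM-managed group. principalId is the caller's object ID, not the group ID, so other
# eligible members are unaffected. Assumes the user is eligible in PIM for Groups and
# that the directory role is already (permanently) assigned to the group. $GroupId is a
# placeholder to be replaced.
param(
    [Parameter(Mandatory)] [string] $GroupId,
    [string] $Justification = "Task-scoped activation of group membership",
    [string] $Duration = "PT2H"   # ISO 8601 duration; keep it as short as the task needs
)

# Delegated sign-in: the request runs as the calling user. The scopes below are the
# PIM for Groups permissions; adjust to what your tenant admin has consented to.
Connect-MgGraph -NoWelcome -Scopes "PrivilegedAccess.ReadWrite.AzureADGroup",
    "PrivilegedEligibilitySchedule.Read.AzureADGroup", "User.Read"
$me = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me?`$select=id,userPrincipalName"

# Confirm the caller actually holds an eligible *member* schedule on this group.
# filterByCurrentUser(on='principal') returns only schedules where the caller is the principal.
$eligible = Invoke-MgGraphRequest -Method GET -Uri (
    "https://graph.microsoft.com/beta/identityGovernance/privilegedAccess/group/" +
    "eligibilityScheduleInstances/filterByCurrentUser(on='principal')")
$match = $eligible.value | Where-Object { $_.groupId -eq $GroupId -and $_.accessId -eq 'member' }
if (-not $match) {
    throw "User $($me.userPrincipalName) has no eligible member assignment on group $GroupId."
}

# selfActivate scoped to this one principal (the caller), with a bounded duration.
$body = @{
    accessId      = "member"
    principalId   = $me.id
    groupId       = $GroupId
    action        = "selfActivate"
    justification = $Justification
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = $Duration }
    }
}
$req = Invoke-MgGraphRequest -Method POST -Body $body -Uri (
    "https://graph.microsoft.com/beta/identityGovernance/privilegedAccess/group/assignmentScheduleRequests")

# Status is typically "Provisioned", or "PendingApproval" when the group policy requires approval.
"Request {0}: status={1} principal={2} group={3}" -f $req.id, $req.status, $me.id, $GroupId
```

The activation is recorded against the user's own object ID in the PIM audit log, which keeps per-user accountability that a group-level role activation does not give you.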

