Using REST API, how can we enable PIM roles with Justification and Ticketing information enabled?

Neel Darji 86 Reputation points
2024-02-24T02:36:55.12+00:00

Hello Everyone, I am working on a PIM project. Using the portal, when we enable any role for PIM, it asks for various info, such as MFA, Conditional Access Policy, Justification, Ticketing, Approval etc. But when I use the REST API, as mentioned in the article below, there is no option to configure the above settings. So, if anyone has any script or API developed for eligibility for PIM with all these customizable settings, can you share it with me?

Following is the URL I am referring to for the API: https://learn.microsoft.com/en-us/rest/api/authorization/privileged-role-eligibility-rest-sample

Following is the API to create an eligible role assignment:

URL:

```http
PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{roleEligibilityScheduleRequestName}?api-version=2020-10-01
```

Body:

```jsonc
{
  "Properties": {
    "RoleDefinitionId": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionId}",
    "PrincipalId": "{principalId}",
    "RequestType": "AdminAssign",
    "ScheduleInfo": {
      "StartDateTime": "2020-09-09T21:31:27.91Z",
      "Expiration": {
        "Type": "AfterDuration", // Values: AfterDuration, AfterDateTime, NoExpiration
        "EndDateTime": null,
        "Duration": "P365D" // Use ISO 8601 format
      }
    }
  }
}
```

As we can see here, only the duration and start time are configurable, but there is no info on MFA, Justification, Ticketing etc. Any help will be much appreciated.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Navya 9,320 Reputation points Microsoft Vendor
    2024-02-27T09:01:14.1466667+00:00

    Hi @Neel Darji

    Thank you for posting this in Microsoft Q&A.

    I understand you are looking for a way to enable PIM roles with Justification and Ticketing information enabled using REST API.

    To create an eligible role assignment along with Justification and Ticketing information using the REST API, below is the sample request:

    ```http
    POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests
    Content-Type: application/json

    {
        "action": "adminAssign",
        "justification": "Assign Attribute Assignment Admin eligibility to restricted user",
        "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
        "directoryScopeId": "/",
        "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
        "scheduleInfo": {
            "startDateTime": "2022-04-10T00:00:00Z",
            "expiration": {
                "type": "afterDateTime",
                "endDateTime": "2024-04-10T00:00:00Z"
            }
        },
        "ticketInfo": {
            "ticketNumber": "Normal-67890",
            "ticketSystem": "Project"
        }
    }
    ```

    Please refer to this document to create an eligible and active role using the REST API: PIM Roles

    To activate Microsoft Entra PIM roles along with Justification and Ticketing information, use the API below.

    ```http
    POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
    Content-Type: application/json

    {
        "action": "selfActivate",
        "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
        "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
        "directoryScopeId": "/",
        "justification": "I need access to the Attribute Administrator role to manage attributes to be assigned to restricted AUs",
        "scheduleInfo": {
            "startDateTime": "2022-04-14T00:00:00.000Z",
            "expiration": {
                "type": "AfterDuration",
                "duration": "PT5H"
            }
        },
        "ticketInfo": {
            "ticketNumber": "Normal-67890",
            "ticketSystem": "Project"
        }
    }
    ```

    For your reference: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role#self-activate-a-role-eligibility-with-justification

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it.
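The two Graph requests in the answer, and the ARM request from the question, share one shape: a schedule request whose body carries `justification`, `ticketInfo` and `scheduleInfo`. The following is an added example, not code from this thread or from Microsoft, that builds and sanity-checks those bodies offline: it validates the GUIDs and the ISO 8601 duration before anything is sent, emits the Graph `roleEligibilityScheduleRequests` / `roleAssignmentScheduleRequests` payloads in the answer's format, and also emits the ARM `roleEligibilityScheduleRequests` body from the question with the `justification` and `ticketInfo` properties that the question's sample omitted (ARM accepts both under `properties`, spelled with PascalCase enum values such as `AfterDuration`). One caveat worth stating plainly: whether justification, a ticket, MFA or approval are *required* on activation is configured in the role's PIM settings (its role management policy), not in the request; the request body only supplies the values. Sample GUIDs are the ones from the answer, ticket values and the `_ISO_DURATION` day/time-form validator are this example's own assumptions, and the helper names (`graph_schedule_request`, `arm_eligibility_request`) are hypothetical.

```python
"""Build and sanity-check PIM schedule-request payloads carrying justification and
ticket info, for the Graph endpoints used in the answer (Entra directory roles) and
the ARM endpoint from the question (Azure resource roles). Added example, not code
from the Q&A thread; sample GUIDs and ticket values are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone

GRAPH_BASE = "https://graph.microsoft.com/v1.0/roleManagement/directory"
ARM_BASE = "https://management.azure.com"
ARM_API_VERSION = "2020-10-01"
GRAPH_RESOURCES = ("roleEligibilityScheduleRequests", "roleAssignmentScheduleRequests")

# ISO 8601 duration in day/time form, e.g. P365D, PT5H, PT8H30M, P1DT12H (assumed validator).
_ISO_DURATION = re.compile(r"^P(?!$)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")


def _guid(value, name):
    """Reject malformed principal / role-definition IDs before they reach the API."""
    try:
        uuid.UUID(value)
    except (ValueError, TypeError, AttributeError):
        raise ValueError(f"{name} is not a GUID: {value!r}") from None
    return value


def _ticket_info(ticket_number, ticket_system):
    """Both fields must be present when the role's PIM settings require ticket info."""
    if not ticket_number or not ticket_system:
        raise ValueError("ticketNumber and ticketSystem must both be non-empty")
    return {"ticketNumber": ticket_number, "ticketSystem": ticket_system}


def _utc(moment):
    """Serialize as the 'YYYY-MM-DDTHH:MM:SSZ' form the samples use; None means now."""
    moment = moment or datetime.now(timezone.utc)
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _expiration(duration=None, end_datetime=None):
    """Exactly one of an ISO 8601 duration or a tz-aware end time picks the pattern."""
    if (duration is None) == (end_datetime is None):
        raise ValueError("give exactly one of duration or end_datetime")
    if duration is not None:
        if not _ISO_DURATION.match(duration):
            raise ValueError(f"not an ISO 8601 duration: {duration!r}")
        return {"type": "afterDuration", "duration": duration}
    if end_datetime.tzinfo is None:
        raise ValueError("end_datetime must be timezone-aware")
    return {"type": "afterDateTime", "endDateTime": _utc(end_datetime)}


def graph_schedule_request(resource, action, principal_id, role_definition_id, justification,
                           ticket_number, ticket_system, start=None, duration=None,
                           end_datetime=None, directory_scope_id="/"):
    """(method, url, body) for a Graph request; resource picks eligibility vs. assignment,
    action is e.g. adminAssign (grant eligibility) or selfActivate (activate a role)."""
    if resource not in GRAPH_RESOURCES:
        raise ValueError(f"resource must be one of {GRAPH_RESOURCES}")
    if not justification:
        raise ValueError("justification must be non-empty")
    body = {
        "action": action,
        "justification": justification,
        "roleDefinitionId": _guid(role_definition_id, "roleDefinitionId"),
        "directoryScopeId": directory_scope_id,
        "principalId": _guid(principal_id, "principalId"),
        "scheduleInfo": {"startDateTime": _utc(start),
                         "expiration": _expiration(duration, end_datetime)},
        "ticketInfo": _ticket_info(ticket_number, ticket_system),
    }
    return "POST", f"{GRAPH_BASE}/{resource}", body


def arm_eligibility_request(scope, principal_id, role_definition_id, justification,
                            ticket_number, ticket_system, start=None, duration=None,
                            end_datetime=None):
    """(method, url, body) for the ARM API in the question, adding the justification and
    ticketInfo properties its sample left out. ARM spells the expiration type in
    PascalCase (AfterDuration / AfterDateTime) and names each request with a fresh GUID."""
    if "/providers/Microsoft.Authorization/roleDefinitions/" not in role_definition_id:
        raise ValueError("role_definition_id must be the full ARM role definition path")
    exp = _expiration(duration, end_datetime)
    url = (f"{ARM_BASE}{scope}/providers/Microsoft.Authorization/"
           f"roleEligibilityScheduleRequests/{uuid.uuid4()}?api-version={ARM_API_VERSION}")
    body = {"properties": {
        "roleDefinitionId": role_definition_id,
        "principalId": _guid(principal_id, "principalId"),
        "requestType": "AdminAssign",
        "justification": justification,
        "ticketInfo": _ticket_info(ticket_number, ticket_system),
        "scheduleInfo": {"startDateTime": _utc(start),
                         "expiration": {"type": exp["type"][0].upper() + exp["type"][1:],
                                        "endDateTime": exp.get("endDateTime"),
                                        "duration": exp.get("duration")}},
    }}
    return "PUT", url, body


if __name__ == "__main__":
    principal = "071cc716-8147-4397-a5ba-b2105951cc0b"   # sample IDs from the answer above
    role = "8424c6f0-a189-499e-bbd0-26c1753c96d4"
    for method, url, body in (
        graph_schedule_request(GRAPH_RESOURCES[0], "adminAssign", principal, role,
                               "Eligibility for attribute admins", "Normal-67890", "Project",
                               duration="P365D"),
        graph_schedule_request(GRAPH_RESOURCES[1], "selfActivate", principal, role,
                               "Manage attributes for restricted AUs", "Normal-67890", "Project",
                               duration="PT5H"),
    ):
        print(method, url)
        print(json.dumps(body, indent=2))
```

Send the returned `(method, url, body)` with any HTTP client, adding `Authorization: Bearer <token>` and `Content-Type: application/json`; for the Graph calls the token needs `RoleEligibilitySchedule.ReadWrite.Directory` / `RoleAssignmentSchedule.ReadWrite.Directory`, for the ARM call an ARM token with rights on the target scope. Validating the duration and GUIDs locally avoids a round trip that would otherwise fail with a 400, and keeping the enum casing per API (camelCase for Graph, PascalCase for ARM) in one place is the easiest way to stop the two bodies drifting apart in a script that drives both.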

