How to activate a PIM eligible role using a PowerShell script that accepts user inputs?
Hello,
I have implemented PIM for 3 Roles and assigned Identity to these 3 PIM Roles as well. I have configured Justification for 1 Role, MFA for another Role and Ticket information for the 3rd Role.
Now I need to prepare a script so that, when an end user executes it, the script asks for inputs such as the Role name and, depending on the Role setting, asks for Justification, MFA and Ticket info.
Can anyone help me prepare such a script?
I tried my level best and below is the script I wrote, but it is giving an error message for the API version:
Script:
# Generate a GUID
function Generate-GUID {
    $guid = [guid]::NewGuid()
    return $guid
}

# Prompt user for Role Definition ID, Justification, and Ticket Information
$RoleDefinitionId = Read-Host -Prompt "Enter Role Definition ID"
$Justification = Read-Host -Prompt "Enter Justification for Role Activation"
$TicketSystem = Read-Host -Prompt "Enter Ticket System"
$TicketNumber = Read-Host -Prompt "Enter Ticket Number"

# Generate a GUID for the role assignment schedule request
$DynamicGuid = Generate-GUID

# Get the current time in ISO 8601 format
$CurrentTime = Get-Date -Format s

# Construct the request body
$RequestBody = @{
    Properties = @{
        RoleDefinitionId = "/subscriptions/<Sub ID>/providers/Microsoft.Authorization/roleDefinitions/$RoleDefinitionId"
        PrincipalId = "<Object ID>"
        RequestType = "SelfActivate"
        ScheduleInfo = @{
            StartDateTime = $CurrentTime
            Expiration = @{
                Type = "AfterDuration"
                EndDateTime = $null
                Duration = "PT8H"
            }
        }
        Justification = $Justification
        TicketInfo = @{
            TicketSystem = $TicketSystem
            TicketNumber = $TicketNumber
        }
    }
}
$apiversion = "2020-10-01"

# Convert the request body to JSON
$JsonBody = $RequestBody | ConvertTo-Json

# Construct the URI
$URI = "https://management.azure.com/subscriptions/<Sub ID>/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/$DynamicGuid?api-version=$apiversion"

# Invoke the Azure REST API to activate the eligible role
Invoke-RestMethod -Method Put -Uri $URI -Body $JsonBody
Error:
Line |
50 | Invoke-RestMethod -Method Put -Uri $URI -Body $JsonBody
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| { "error": { "code": "MissingApiVersionParameter", "message": "The api-version query parameter (?api-version=) is required for all requests." } }
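
The MissingApiVersionParameter error in the post above comes from string interpolation: `?` is a legal character in a PowerShell variable name, so `$DynamicGuid?api-version=` is read as the empty variable `$DynamicGuid?api` followed by the literal `-version=`, and the query string never reaches Azure. The following is an added example, not part of the original post, that builds the same request with the variable name delimited and the JSON serialized to full depth. The function name `New-PimActivationRequest` and the sample IDs are hypothetical, and the commented send step assumes the Az.Accounts module with a signed-in `Connect-AzAccount` session, so no bearer token is handled in the script.

```powershell
function New-PimActivationRequest {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $RoleDefinitionId,
        [string] $Justification,
        [string] $TicketSystem,
        [string] $TicketNumber,
        [string] $ApiVersion = '2020-10-01'
    )
    $scope       = "/subscriptions/$SubscriptionId"
    $requestName = [guid]::NewGuid()

    # Same fields as the script in the post.
    $body = @{
        properties = @{
            roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$RoleDefinitionId"
            principalId      = $PrincipalId
            requestType      = 'SelfActivate'
            scheduleInfo     = @{
                startDateTime = (Get-Date).ToUniversalTime().ToString('o')
                expiration    = @{ type = 'AfterDuration'; duration = 'PT8H' }
            }
            justification    = $Justification
            ticketInfo       = @{ ticketSystem = $TicketSystem; ticketNumber = $TicketNumber }
        }
    }

    [pscustomobject]@{
        # ${requestName} ends the variable name before '?'. Without the braces,
        # PowerShell expands "$requestName?api" as one (empty) variable.
        Path    = "$scope/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/${requestName}?api-version=$ApiVersion"
        # ConvertTo-Json defaults to depth 2, which would turn the nested
        # 'expiration' table into a type-name string instead of JSON.
        Payload = $body | ConvertTo-Json -Depth 5
    }
}

# Constructed sample values; replace with the real subscription, object and role IDs.
$req = New-PimActivationRequest -SubscriptionId '00000000-0000-0000-0000-000000000000' `
    -PrincipalId '11111111-1111-1111-1111-111111111111' `
    -RoleDefinitionId '22222222-2222-2222-2222-222222222222' `
    -Justification 'Constructed sample' -TicketSystem 'SampleSystem' -TicketNumber 'SAMPLE-1'
$req.Path
$req.Payload

# Send with the signed-in Az context (assumption: Az.Accounts installed, Connect-AzAccount run):
# Invoke-AzRestMethod -Method PUT -Path $req.Path -Payload $req.Payload
```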