I want to update the PIM activation settings for an Entra role programmatically. Let's say "Global Administrator".
First, I make a call to learn the role id of the Entra role with the display name "Global Administrator":
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
Next, I get all PIM role management policy assignments for Entra roles and find the PIM policy ID mapped to the role id I found above:
GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
At this point I have the role management policy id which applies to my role. I'm able to successfully retrieve all the rules which apply to my policy:
GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/{policyId}/rules
Great!
But I'm seeing a problem when I update the activation rules for this policy:
PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/{policyId}/rules/Enablement_Admin_Eligibility
content-type: application/json
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
"enabledRules": ["MultiFactorAuthentication"]
}
Though I get a successful response from Graph and see the updates I make in future GET calls to this endpoint, this configuration never gets reflected in the Portal. It doesn't matter what values I provide in the enabledRules array: nothing, or any combination of MultiFactorAuthentication, Ticketing, and Justification. The update will "stick" in Graph but different settings will be reflected when viewing the configuration in the Portal UI.
Is there a bug here or am I misunderstanding something?
By the way - I can see in the Portal that the policy for the role is being updated even though the settings aren't honored there, because the "Last updated" timestamp for the role changes (as seen on the PIM > Entra roles > Settings page).
Furthermore, I've been able to successfully update other policy rules and immediately see the changes reflected in the Portal. E.g., for notification settings:
PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/{policyId}/rules/Notification_Admin_EndUser_Assignment
content-type: application/json
{
"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
"isDefaultRecipientsEnabled": false,
"recipientType": "Admin",
"notificationType": "Email",
"notificationLevel": "All"
}
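The lookup-and-update sequence from the post, as an added example (not the poster's code) that reads the rule back after the PATCH instead of trusting the 2xx. The portal's Activation tab (MFA, justification, ticket on activation) is backed by the Enablement_EndUser_Assignment rule, so that is the default target here; the Enablement_Admin_* ids govern assignment by admins. The `send` transport, role ids and policy id are assumptions so the script runs offline; swap in a real HTTP client with a bearer token to use it against a tenant.

```python
"""Resolve role -> PIM policy -> enablement rule, PATCH it, and verify the read-back."""
from typing import Any, Callable, Dict, Iterable

GRAPH = "https://graph.microsoft.com/v1.0"
# Rule id behind the Portal's "Activation" tab (assumed correct per Graph docs).
ACTIVATION_RULE = "Enablement_EndUser_Assignment"
ALLOWED = {"MultiFactorAuthentication", "Justification", "Ticketing"}

# (method, url, json body or None) -> decoded JSON; injected so tests need no network.
Send = Callable[[str, str, Any], Dict[str, Any]]


def find_role_id(send: Send, display_name: str) -> str:
    """Step 1: role definition id for a display name; fail if it is not unique."""
    data = send("GET", f"{GRAPH}/roleManagement/directory/roleDefinitions", None)
    ids = [r["id"] for r in data["value"] if r["displayName"] == display_name]
    if len(ids) != 1:
        raise LookupError(f"expected one role named {display_name!r}, got {len(ids)}")
    return ids[0]


def find_policy_id(send: Send, role_id: str) -> str:
    """Step 2: policy assigned to that role at tenant scope ('/', DirectoryRole)."""
    url = (f"{GRAPH}/policies/roleManagementPolicyAssignments"
           "?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'")
    data = send("GET", url, None)
    ids = [a["policyId"] for a in data["value"] if a["roleDefinitionId"] == role_id]
    if len(ids) != 1:
        raise LookupError(f"expected one policy for role {role_id}, got {len(ids)}")
    return ids[0]


def set_enablement_rule(send: Send, policy_id: str, enabled: Iterable[str],
                        rule_id: str = ACTIVATION_RULE) -> bool:
    """Step 3: PATCH the enablement rule, then GET it back and confirm it matches."""
    wanted = set(enabled)
    bad = wanted - ALLOWED
    if bad:
        raise ValueError(f"unknown enabledRules values: {sorted(bad)}")
    url = f"{GRAPH}/policies/roleManagementPolicies/{policy_id}/rules/{rule_id}"
    body = {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
            "enabledRules": sorted(wanted)}  # built as a dict, so no stray trailing comma
    send("PATCH", url, body)
    after = send("GET", url, None)
    # A successful PATCH only proves Graph stored it; compare what is actually persisted.
    return set(after.get("enabledRules", [])) == wanted
```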