PIM activation settings for an Entra role exposed through Graph are not honored?

Ashton Mickey 0 Reputation points Microsoft Employee
2024-04-16T15:41:36.1066667+00:00

I want to update the PIM activation settings for an Entra role programmatically. Let's say "Global Administrator".

First, I make a call to learn the role id of the Entra role with the display name "Global Administrator":

GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions

Next, I get all PIM role management policy assignments for Entra roles and find the PIM policy ID mapped to the role id I found above:

GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'

At this point I have the role management policy id which applies to my role. I'm able to successfully retrieve all the rules which apply to my policy:

GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/{policyId}/rules

Great!

But I'm seeing a problem when I update the activation rules for this policy:

PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/{policyId}/rules/Enablement_Admin_Eligibility
content-type: application/json

{
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
    "enabledRules": ["MultiFactorAuthentication"]
}

Though I get a successful response from Graph and see the updates I make in future GET calls to this endpoint, this configuration never gets reflected in the Portal. It doesn't matter what values I provide in the enabledRules array: nothing, or any combination of MultiFactorAuthentication, Ticketing, and Justification. The update will "stick" in Graph but different settings will be reflected when viewing the configuration in the Portal UI.

Is there a bug here or am I misunderstanding something?

By the way - I can see in the Portal that the policy for the role is being updated even though the settings aren't honored there, because the "Last updated" timestamp for the role changes (as seen on the PIM > Entra roles > Settings page).

Furthermore, I've been able to successfully update other policy rules and immediately see the changes reflected in the Portal. E.g., for notification settings:

PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/{policyId}/rules/Notification_Admin_EndUser_Assignment
content-type: application/json

{
    "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
    "isDefaultRecipientsEnabled": false,
    "recipientType": "Admin",
    "notificationType": "Email",
    "notificationLevel": "All"
}

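The following script, added here as an example and not code from the original post, walks the same lookup chain the question describes (role definition, policy assignment, policy rules, PATCH) as a runnable whole. In the Graph PIM policy model every rule carries a `target` object with `caller`, `operations` and `level`; the enablement rule evaluated when an end user activates is the one targeting caller `EndUser` at level `Assignment` (id `Enablement_EndUser_Assignment`), while `Enablement_Admin_Eligibility` targets an administrator creating an eligible assignment. The script therefore selects the rule by its target instead of a hard-coded id, builds the PATCH body with `json.dumps` so it is always valid JSON, and refuses ambiguous lookups. The `get`/`patch` callables, `graph_callables`, `run_against_sample` and every sample response and id below are constructed for this example and are not from the post.

```python
"""Update the PIM activation requirements of an Entra role through Microsoft Graph.

Added example (not from the original post). The sample responses, ids and the
get/patch callables are constructed assumptions so the flow runs offline.
"""
import json
import urllib.request
from typing import Any, Callable

GRAPH = "https://graph.microsoft.com/v1.0"
ENABLEMENT_TYPE = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
ACTIVATION_FLAGS = {"MultiFactorAuthentication", "Justification", "Ticketing"}
Json = dict[str, Any]


def find_role_definition_id(role_defs: list[Json], display_name: str) -> str:
    """Resolve a role id from its display name; refuse anything but exactly one match."""
    ids = [r["id"] for r in role_defs if r.get("displayName") == display_name]
    if len(ids) != 1:
        raise LookupError(f"expected one role named {display_name!r}, found {len(ids)}")
    return ids[0]


def find_policy_id(assignments: list[Json], role_definition_id: str) -> str:
    """Map a role definition to the PIM policy bound to it at the tenant scope."""
    for a in assignments:
        if a.get("roleDefinitionId") == role_definition_id:
            return a["policyId"]
    raise LookupError(f"no policy assignment for role {role_definition_id}")


def is_activation_enablement_rule(rule: Json) -> bool:
    """True only for the enablement rule PIM evaluates when an end user activates."""
    target = rule.get("target") or {}
    return (rule.get("@odata.type") == ENABLEMENT_TYPE
            and target.get("caller") == "EndUser" and target.get("level") == "Assignment")


def build_enablement_patch(enabled: list[str]) -> str:
    """Serialise the PATCH body; json.dumps guarantees valid JSON (no trailing comma)."""
    unknown = set(enabled) - ACTIVATION_FLAGS
    if unknown:
        raise ValueError(f"unsupported enabledRules values: {sorted(unknown)}")
    return json.dumps({"@odata.type": ENABLEMENT_TYPE, "enabledRules": sorted(set(enabled))})


def update_activation_requirements(get: Callable[[str], Json], patch: Callable[[str, str], Json],
                                   role_name: str, enabled: list[str]) -> tuple[str, str]:
    """Run the lookup chain from the post, then PATCH the activation rule. Returns (policyId, ruleId)."""
    role_id = find_role_definition_id(
        get(f"{GRAPH}/roleManagement/directory/roleDefinitions")["value"], role_name)
    filt = "$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'"
    policy_id = find_policy_id(
        get(f"{GRAPH}/policies/roleManagementPolicyAssignments?{filt}")["value"], role_id)
    rules = get(f"{GRAPH}/policies/roleManagementPolicies/{policy_id}/rules")["value"]
    hits = [r for r in rules if is_activation_enablement_rule(r)]
    if len(hits) != 1:
        raise LookupError(f"expected one end-user enablement rule, found {len(hits)}")
    rule_id = hits[0]["id"]
    patch(f"{GRAPH}/policies/roleManagementPolicies/{policy_id}/rules/{rule_id}",
          build_enablement_patch(enabled))
    return policy_id, rule_id


def graph_callables(token: str):
    """Assumed real transport: (get, patch) bound to a bearer token, using only urllib."""
    def call(method: str, url: str, body: str = None) -> Json:
        req = urllib.request.Request(url, method=method, data=body.encode() if body else None,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return (lambda url: call("GET", url)), (lambda url, body: call("PATCH", url, body))


# Constructed sample responses standing in for a tenant (sample data, not a real tenant).
SAMPLE_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
SAMPLE_POLICY_ID = "DirectoryRole_tenant_policy01"
SAMPLE_RESPONSES = {
    f"{GRAPH}/roleManagement/directory/roleDefinitions": {"value": [
        {"id": "role-other", "displayName": "User Administrator"},
        {"id": SAMPLE_ROLE_ID, "displayName": "Global Administrator"}]},
    f"{GRAPH}/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'":
        {"value": [{"policyId": SAMPLE_POLICY_ID, "roleDefinitionId": SAMPLE_ROLE_ID,
                    "scopeId": "/", "scopeType": "DirectoryRole"}]},
    f"{GRAPH}/policies/roleManagementPolicies/{SAMPLE_POLICY_ID}/rules": {"value": [
        {"@odata.type": ENABLEMENT_TYPE, "id": "Enablement_Admin_Eligibility", "enabledRules": [],
         "target": {"caller": "Admin", "operations": ["All"], "level": "Eligibility"}},
        {"@odata.type": ENABLEMENT_TYPE, "id": "Enablement_EndUser_Assignment",
         "enabledRules": ["Justification"],
         "target": {"caller": "EndUser", "operations": ["All"], "level": "Assignment"}},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
         "id": "Expiration_EndUser_Assignment", "maximumDuration": "PT8H",
         "target": {"caller": "EndUser", "operations": ["All"], "level": "Assignment"}}]},
}


def run_against_sample(enabled: list[str]) -> tuple[str, str, Json]:
    """Drive the flow with the constructed responses; returns (policyId, ruleId, body sent)."""
    sent: dict[str, str] = {}
    get = lambda url: SAMPLE_RESPONSES[url]
    patch = lambda url, body: sent.update({"url": url, "body": body}) or {}
    policy_id, rule_id = update_activation_requirements(get, patch, "Global Administrator", enabled)
    return policy_id, rule_id, json.loads(sent["body"])


if __name__ == "__main__":
    print(run_against_sample(["MultiFactorAuthentication", "Justification"]))
```

To run it against a real tenant, swap `run_against_sample` for `get, patch = graph_callables(token)` with a token that carries `RoleManagementPolicy.ReadWrite.Directory`, then call `update_activation_requirements`; reading the rule back afterwards with the same `get` and checking `target` is the quickest way to confirm the PATCH landed on the rule the portal's activation page displays.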

1 answer

    James Hamil 21,776 Reputation points Microsoft Employee
    2024-04-24T20:20:39.7866667+00:00

    Hi @Ashton Mickey, sorry for the late reply. We can try some troubleshooting steps. If those don't work we can open a support ticket to look into your environment. Please try the following steps and let me know your results:

    1. Wait for some time after making the changes through the Graph API and check if the changes are reflected in the Portal UI. It is possible that the changes may take some time to propagate to the Portal UI.
    2. Check if there are any errors or warnings in the response from the Graph API when you make the changes. If there are any errors or warnings, this could indicate that there is an issue with the request.
    3. Try updating other policy rules using the Graph API and check if the changes are reflected in the Portal UI. If the changes are reflected for other policy rules, then this could indicate that there is an issue with the activation settings.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
