Add eligible assignment for Azure resources in PIM

AH 0

We have implemented PIM to assign Microsoft Entra roles and PIM is working normally. To extend PIM for Azure resources, I'm trying to add eligible assignment for Azure resources (Owner of a subscription) in PIM but hit an error message:

Role assignment failed for member 'GroupName' to role 'Owner' in 'Subscription'

The requestor object-ID-of-my-azure-account does not have permissions for this request. Please use $filter=asTarget() to filter on the requestor's assignments.

Any idea to resolve this issue?

My account is the subscription Owner; and also has Global Administrator role in Microsoft Entra ID.

Deepanshu katara 5,145 Reputation points

2024-04-27T04:38:32.88+00:00

Please check once
Navya 4,005 Reputation points Microsoft Vendor

2024-05-02T14:51:45.8633333+00:00

Hi @AH

Following up to see if the below answer was helpful. Please remember to "Accept Answer" if answer helped you. This will help us as well as others in the community who might be researching similar questions. if you have any further query do let us know.

1 answer

Deepanshu katara 5,145 Reputation points

2024-04-27T04:38:15.5566667+00:00

Hi AH,

I think when activating the role one must pass the user's own object Id, rather than that of an AAD group the user may belong to.

So at this step (below snap) if you are giving your group name/id then please change it to your individual object ID and try

Please check this for more ref https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles

Kindly accept answer if it helps , Thanks
Please sign in to rate this answer.
Deepanshu katara 5,145 Reputation points

2024-04-29T09:51:56.8233333+00:00

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

AH 0 Reputation points

2024-04-29T16:56:25.27+00:00

@Deepanshu katara Thanks for the comment. I got the error message when setting up Eligible assignment but not activating an assignment.

Also , when setting up, I tried adding Group and individual user but still got same error message

And error is that the requestor (my azure account) does not have permissions for this request. This is strange because my account has both Global administrator for MS Entra; and Owner on the related Azure subscription.

I'd appreciate for any further comment ?

Deepanshu katara 5,145 Reputation points

2024-04-30T06:50:41.35+00:00

Hi , I think if facing issue with Portal , can you please try using PowerShell once

Please perform below steps

To get these details via PowerShell, can you please run below Az commands and check the response
Connect-AzAccount -SubscriptionId "xxxxxxx" Get-AzRoleEligibilitySchedule -Scope "/" -Filter "asTarget()" | Select-Object "RoleDefinitionDisplayName","ScopeType", "ScopeDisplayName","PrincipalDisplayName"

if needed To activate the first eligible assignments, you can ran below updated PowerShell script:

# Retrieve eligible assignments

For detailed step --> please check this once https://stackoverflow.com/questions/77601811/how-to-read-the-my-roles-from-the-privileged-identity-management-in-microsoft-en

Kindly check and let us know
Sign in to comment