
Received error while deploying Bicep. Error: "The role assignment request schedule is invalid. (InvalidRoleAssignmentRequestSchedule)"

Murali R 245 Reputation points
2024-05-06T11:49:58.59+00:00

Hi Team,

I'm currently utilizing Bicep to enable Azure AD Privileged Identity Management (PIM) with a custom role. I've created an AD Group and assigned a Custom Role to it, which includes the following actions:

"Microsoft.Authorization//read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/"

Upon deploying the resources using Bicep and Azure PowerShell commands, I encountered the following error: "The role assignment request schedule is invalid. (InvalidRoleAssignmentRequestSchedule)". To troubleshoot, I verified whether the Service account has the necessary permissions to deploy Bicep and found that it has owner-level access. Kindly find the Bicep and PS script below, FYR.

$deploymentName = (Get-Date).ToString('yyyyMMdd-HHmm')
New-AzDeployment -Name $deploymentName -Location northcentralus -TemplateFile .\pim.bicep -TemplateParameterFile .\agdev-PreProd.parameters.json

targetScope = 'subscription'

param startTime string = utcNow()

@description('Object Id of the AD Group')
param principalId string = ''

@description('Custom role definition ID being assigned to the AD group')
param roleDefinitionId string = ''

@description('Unique name for the roleAssignment in the format of a guid')
var roleName = guid(principalId, roleDefinitionId, subscription().id)

resource pimRoleAssignment 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: roleName
  scope: subscription()
  properties: {
    principalId: principalId
    requestType: 'AdminAssign'
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    scheduleInfo: {
      startDateTime: startTime
    }
  }
}

Kindly assist in providing a solution for this issue.

Azure Role-based access control

An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 37,396 Reputation points Microsoft Employee Moderator
    2024-05-06T17:41:10.0066667+00:00

    Hi @Murali R ,

    I understand that you are receiving an error that the role assignment request is invalid.

    I would recommend checking if the Request ID is correct. You can do this using PowerShell: Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId <Tenant ID>

    Also, double-check that you have the resource ID in the request URI and can access privileged resources such as GET /privilegedAccess/azureResources/resources/

    Let me know if this helps and if you still run into this error.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.
