Facing issue while creating PIM request using managed identity using graph sdk

Pavan Kumar 5 Reputation points Microsoft Employee
2024-09-18T06:42:46.1833333+00:00

Hi Team,

I am using managed identity-based authentication to create a PIM role using a PowerShell script. Below is the code snippet used.

function Get-ManagedIdentityToken {
    param (
        [string]$resource = "https://graph.microsoft.com",
        [string]$clientId
    )
    # Azure Instance Metadata Service (IMDS) token endpoint; client_id selects the user-assigned identity
    $tokenResponse = Invoke-RestMethod -Method Get -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=$resource&client_id=$clientId" -Headers @{Metadata="true"}
    return $tokenResponse.access_token
}

$clientId = "xx23xx18-xxxx-4621-xxxx-xxxxxxxxxxxx"
$userPrincipalName = "xx@domain.com"
$roleName = "Contributor"

$token = Get-ManagedIdentityToken -clientId $clientId
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }

# `$filter must be escaped: inside a double-quoted string an unescaped $filter expands to an empty variable
$roleDefinitionUri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?`$filter=displayName eq '$roleName'"
$roleDefinitionResponse = Invoke-RestMethod -Uri $roleDefinitionUri -Method Get -Headers $headers
$roleDefinitionId = $roleDefinitionResponse.value[0].id

$userUri = "https://graph.microsoft.com/v1.0/users?`$filter=userPrincipalName eq '$userPrincipalName'"
$userResponse = Invoke-RestMethod -Uri $userUri -Method Get -Headers $headers
$principalId = $userResponse.value[0].id

# Body of a unifiedRoleAssignmentScheduleRequest (PIM), built from the ids looked up above
$params = @{
    action = "adminAssign"
    justification = "Assign Groups Admin to IT Helpdesk group"
    roleDefinitionId = $roleDefinitionId
    directoryScopeId = "/subscriptions/<sub-id>/resourceGroups/<rg name>/providers/Microsoft.Storage/storageAccounts/<storage name>"
    principalId = $principalId
    scheduleInfo = @{
        # keep the timestamp as a string: a [DateTime] value is serialized by Windows PowerShell in a format Graph rejects
        startDateTime = "2022-04-10T00:00:00Z"
        expiration = @{
            type = "NoExpiration"
        }
    }
}

# PIM schedule requests are posted to roleAssignmentScheduleRequests, not to roleAssignments
$roleAssignmentUri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests"

# -Depth makes ConvertTo-Json serialize the nested scheduleInfo/expiration objects; $params is the body built above
$roleAssignmentResponse = Invoke-RestMethod -Uri $roleAssignmentUri -Method Post -Body ($params | ConvertTo-Json -Depth 5) -Headers $headers

Error

Invoke-RestMethod:
{
  "error": {
    "code": "UnknownError",
    "message": "{\u0022errorCode\u0022:\u0022PermissionScopeNotGranted\u0022,\u0022message\u0022:\u0022Authorization failed due to missing permission scope RoleAssignmentSchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleAssignmentSchedule.Remove.Directory.\u0022,\u0022instanceAnnotations\u0022:[]}",
    "innerError": {
      "date": "2024-09-18T06:27:35",
      "request-id": "996dec67-c3e7-41c4-997e-62f72ddd6f42",
      "client-request-id": "996dec67-c3e7-41c4-997e-62f72ddd6f42"
    }
  }
}

1 answer

  1. Vasil Michev 106.6K Reputation points MVP
    2024-09-18T07:33:33.7033333+00:00

    As far as error messages go, this one is clear - you're missing the required permissions to perform this operation. Make sure the managed identity you are using has been granted the required RoleAssignmentSchedule.ReadWrite.Directory/RoleManagement.ReadWrite.Directory permission and retry. You can also use a tool such as jwt.ms to decode the token you've obtained ($token) - make sure it lists the required permissions.

    1 person found this answer helpful.
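The two checks the answer describes, as an added example that is not part of the original question or answer: decode the payload of the token the managed identity obtained and compare its roles claim against the application permissions named in the error, and, if any are missing, grant them to the managed identity's service principal through the Graph appRoleAssignments API. The function names, the `$required` list and the placeholder object id are assumptions made for this illustration; the Microsoft Graph appId `00000003-0000-0000-c000-000000000000` is the well-known value, and the admin token used for the grant needs AppRoleAssignment.ReadWrite.All. Decoding here is for inspecting a token you requested yourself, so the signature is not verified.

```powershell
# Decode the payload (second segment) of a JWT without verifying its signature.
# Sufficient for inspecting a token you obtained yourself; not for accepting tokens from others.
function ConvertFrom-JwtPayload {
    param ([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Value is not a JWT" }
    # base64url -> base64, then restore the padding base64url strips
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Report which of the required application permissions are present in the token's roles claim.
function Test-GraphTokenRoles {
    param (
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$RequiredRoles
    )
    $claims  = ConvertFrom-JwtPayload -Token $Token
    $granted = @($claims.roles)                  # app-only tokens carry app permissions in "roles"
    $missing = @($RequiredRoles | Where-Object { $_ -notin $granted })
    [pscustomobject]@{
        Audience = $claims.aud                   # expect https://graph.microsoft.com or 00000003-0000-0000-c000-000000000000
        AppId    = $claims.appid                 # client id of the managed identity
        Granted  = $granted
        Missing  = $missing
    }
}

# Grant Microsoft Graph application permissions (app roles) to a managed identity's service principal.
# $AdminToken must belong to an administrator holding AppRoleAssignment.ReadWrite.All.
function Grant-GraphAppRoleToManagedIdentity {
    param (
        [Parameter(Mandatory)][string]$AdminToken,
        [Parameter(Mandatory)][string]$ManagedIdentityObjectId,   # object id of the MI's service principal, not its client id
        [Parameter(Mandatory)][string[]]$RoleValues
    )
    $headers    = @{ Authorization = "Bearer $AdminToken"; 'Content-Type' = 'application/json' }
    $graphAppId = '00000003-0000-0000-c000-000000000000'         # well-known appId of Microsoft Graph
    # Resolve the Graph service principal in this tenant; its appRoles list maps permission names to role ids
    $graphSp = (Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$graphAppId'").value[0]
    foreach ($value in $RoleValues) {
        $role = $graphSp.appRoles | Where-Object { $_.value -eq $value -and $_.allowedMemberTypes -contains 'Application' }
        if (-not $role) { throw "Microsoft Graph exposes no application permission named '$value'" }
        $body = @{
            principalId = $ManagedIdentityObjectId
            resourceId  = $graphSp.id
            appRoleId   = $role.id
        } | ConvertTo-Json
        Invoke-RestMethod -Method Post -Headers $headers -Body $body `
            -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$ManagedIdentityObjectId/appRoleAssignments"
    }
}

# Usage: check the token from the question's script, then grant whatever is missing.
$required = 'RoleManagement.ReadWrite.Directory', 'RoleAssignmentSchedule.ReadWrite.Directory'
$check = Test-GraphTokenRoles -Token $token -RequiredRoles $required
if ($check.Missing.Count -gt 0) {
    "Token for app $($check.AppId) is missing: $($check.Missing -join ', ')"
    # $adminToken and the placeholder object id are assumed to be supplied by the operator
    # Grant-GraphAppRoleToManagedIdentity -AdminToken $adminToken -ManagedIdentityObjectId '<mi-service-principal-object-id>' -RoleValues $check.Missing
}
```

A token issued before the grant does not pick up the new roles; request a fresh one after the cached token has expired and re-run the check before retrying the PIM request.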
