As far as error messages go, this one is clear - you're missing the required permissions to perform this operation. Make sure the managed identity you are using has been granted the required RoleAssignmentSchedule.ReadWrite.Directory/RoleManagement.ReadWrite.Directory permission and retry. You can also use a tool such as jwt.ms to decode the token you've obtained ($token) - make sure it lists the required permissions.
Facing issue while creating PIM request using managed identity using graph sdk
Pavan Kumar, Microsoft Employee
Hi Team,
I am using managed identity-based authentication to create a PIM role using a PowerShell script. Below is the code snippet used.
# Request an app-only access token for Microsoft Graph from the Azure Instance Metadata Service (IMDS)
# using the user-assigned managed identity identified by -ClientId.
function Get-ManagedIdentityToken {
    param (
        [string]$Resource = "https://graph.microsoft.com",
        [Parameter(Mandatory)][string]$ClientId
    )
    $tokenResponse = Invoke-RestMethod -Method Get -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=$Resource&client_id=$ClientId" -Headers @{ Metadata = "true" }
    return $tokenResponse.access_token
}

$clientId = "xx23xx18-xxxx-4621-xxxx-xxxxxxxxxxxx"
$userPrincipalName = "xx@domain.com"
$roleName = "Contributor"
$token = Get-ManagedIdentityToken -ClientId $clientId
$headers = @{ Authorization = "Bearer $token" }

# Look up the role definition by display name.
# Note: `$filter is escaped so PowerShell does not expand an (empty) $filter variable inside the double-quoted URI.
$roleDefinitionUri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?`$filter=displayName eq '$roleName'"
$roleDefinitionResponse = Invoke-RestMethod -Uri $roleDefinitionUri -Method Get -Headers $headers
$roleDefinitionId = $roleDefinitionResponse.value[0].id

# Look up the principal (user) by UPN.
$userUri = "https://graph.microsoft.com/v1.0/users?`$filter=userPrincipalName eq '$userPrincipalName'"
$userResponse = Invoke-RestMethod -Uri $userUri -Method Get -Headers $headers
$principalId = $userResponse.value[0].id

# Request body; the ids resolved above are used instead of hard-coded values.
$params = @{
    action = "adminAssign"
    justification = "Assign Groups Admin to IT Helpdesk group"
    roleDefinitionId = $roleDefinitionId
    directoryScopeId = "/subscriptions/<sub-id>/resourceGroups/<rg name>/providers/Microsoft.Storage/storageAccounts/<storage name>"
    principalId = $principalId
    scheduleInfo = @{
        startDateTime = [System.DateTime]::Parse("2022-04-10T00:00:00Z")
        expiration = @{
            type = "NoExpiration"
        }
    }
}

$roleAssignmentUri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
# ConvertTo-Json defaults to a depth of 2; -Depth 5 keeps the nested scheduleInfo/expiration object intact.
$roleAssignmentResponse = Invoke-RestMethod -Uri $roleAssignmentUri -Method Post -Body ($params | ConvertTo-Json -Depth 5) -Headers @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
Error
Invoke-RestMethod:
{
  "error": {
    "code": "UnknownError",
    "message": "{\u0022errorCode\u0022:\u0022PermissionScopeNotGranted\u0022,\u0022message\u0022:\u0022Authorization failed due to missing permission scope RoleAssignmentSchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleAssignmentSchedule.Remove.Directory.\u0022,\u0022instanceAnnotations\u0022:[]}",
    "innerError": {
      "date": "2024-09-18T06:27:35",
      "request-id": "996dec67-c3e7-41c4-997e-62f72ddd6f42",
      "client-request-id": "996dec67-c3e7-41c4-997e-62f72ddd6f42"
    }
  }
}
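The answer above suggests decoding the token to confirm it carries the required permissions. The following is an added example (not code from the question or the answer) that performs that check in the script itself: it decodes the JWT payload, verifies the audience is Microsoft Graph, confirms the required app roles appear in the `roles` claim (managed identities get app-only tokens, so permissions are never in `scp`), and checks expiry. The `New-SampleJwt` helper builds a constructed, unsigned token purely so the example runs offline; replace `$sample` with the `$token` obtained in the script to check the real token.

```powershell
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS (expected 3 dot-separated parts)." }
    # base64url -> base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-GraphAppRoles {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredRoles = @('RoleManagement.ReadWrite.Directory'),
        [string]$ExpectedAudience = 'https://graph.microsoft.com'
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $problems = @()
    # aud must be Graph (URI form or the Microsoft Graph app id); a token for another resource is rejected regardless of roles
    if ($claims.aud -ne $ExpectedAudience -and $claims.aud -ne '00000003-0000-0000-c000-000000000000') {
        $problems += "audience is '$($claims.aud)', expected '$ExpectedAudience'"
    }
    # App-only tokens carry application permissions in 'roles'; the error in the question lists what Graph wanted there
    $granted = @($claims.roles)
    $missing = $RequiredRoles | Where-Object { $_ -notin $granted }
    if ($missing) { $problems += "missing app role(s): $($missing -join ', ')" }
    # An expired token fails before any permission check is reached
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($exp -lt [DateTimeOffset]::UtcNow) { $problems += "token expired at $exp" }
    return [pscustomobject]@{ Ok = ($problems.Count -eq 0); Granted = $granted; Problems = $problems }
}

# Constructed sample token (hypothetical helper, dummy signature): an app-only token that lacks the PIM roles
function New-SampleJwt([hashtable]$Claims) {
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $hdr = & $enc (@{ alg = 'RS256'; typ = 'JWT' } | ConvertTo-Json -Compress)
    $pl  = & $enc ($Claims | ConvertTo-Json -Compress)
    return "$hdr.$pl.dummysignature"
}

$sample = New-SampleJwt @{
    aud   = 'https://graph.microsoft.com'
    roles = @('Directory.Read.All')
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
}
# Reports Ok = $false with "missing app role(s): RoleManagement.ReadWrite.Directory, RoleAssignmentSchedule.ReadWrite.Directory"
Test-GraphAppRoles -Token $sample -RequiredRoles 'RoleManagement.ReadWrite.Directory', 'RoleAssignmentSchedule.ReadWrite.Directory'
```

Running this against the real `$token` before the POST turns the opaque `PermissionScopeNotGranted` failure into a local, actionable list of the app roles still to be granted to the managed identity's service principal.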