Creating a group using PowerShell that allows for PIM Azure roles to be assigned

MrFlinstone 711 Reputation points
2024-10-15T23:04:04.7+00:00

I have got the snippet of code below. The objective is to create a group that allows Microsoft Entra roles to be assigned to the group. The snippet below creates the group; however, it doesn't work with Entra ID role assignment for PIM.

New-MgGroup -DisplayName $groupfullname  -MailNickName $groupfullname -MailEnabled:$false -SecurityEnabled -IsAssignableToRole:$true

I find that if I create the group using the PowerShell code above, the group gets created; however, any user that gets added to the group after assigning an Entra/Azure resource role to the group gets such roles permanently rather than via the Privileged Identity Management solution.

If I create the group manually, it works as expected, i.e. via PIM role assignment, etc.

Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer
  1. Andy David - MVP 159.7K Reputation points MVP Volunteer Moderator
    2024-10-15T23:12:58.42+00:00

    You would need to use commands such as these to set the PIM group eligible versus assigned.

    https://learn.microsoft.com/en-us/graph/api/unifiedrolemanagementpolicy-update?view=graph-rest-1.0&tabs=powershell

    # Module that ships Update-MgPolicyRoleManagementPolicy
    Import-Module Microsoft.Graph.Identity.SignIns

    # Id of the role management policy to update, e.g. the policy bound to one
    # directory role (see the "List roleManagementPolicyAssignments" Graph API
    # to look it up for a given roleDefinitionId).
    # $unifiedRoleManagementPolicyId = "<policy id>"

    $params = @{
        rules = @(
            # End-user activation: no approval, justification required
            @{
                "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
                id = "Approval_EndUser_Assignment"
                target = @{
                    caller = "EndUser"
                    operations = @( "All" )
                    level = "Assignment"
                    inheritableSettings = @()
                    enforcedSettings = @()
                }
                setting = @{
                    isApprovalRequired = $false
                    isApprovalRequiredForExtension = $false
                    isRequestorJustificationRequired = $true
                    approvalMode = "SingleStage"
                    approvalStages = @(
                        @{
                            # null in the Graph JSON body; a key with no value is a
                            # PowerShell parse error, so it is spelled out as $null here
                            approvalStageTimeOutInDays = $null
                            isApproverJustificationRequired = $true
                            escalationTimeInMinutes = $null
                            isEscalationEnabled = $false
                            primaryApprovers = @()
                            escalationApprovers = @()
                        }
                    )
                }
            }
            # No Conditional Access authentication context required on activation
            @{
                "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
                id = "AuthenticationContext_EndUser_Assignment"
                isEnabled = $false
                claimValue = ""
                target = @{
                    caller = "EndUser"
                    operations = @( "All" )
                    level = "Assignment"
                    inheritableSettings = @()
                    enforcedSettings = @()
                }
            }
            # Admin-created eligible assignments: no extra enablement requirements
            @{
                "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
                id = "Enablement_Admin_Eligibility"
                enabledRules = @()
                target = @{
                    caller = "Admin"
                    operations = @( "All" )
                    level = "Eligibility"
                    inheritableSettings = @()
                    enforcedSettings = @()
                }
            }
            # Eligible assignments may be permanent; if not, at most 365 days
            @{
                "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
                id = "Expiration_Admin_Eligibility"
                isExpirationRequired = $false
                maximumDuration = "P365D"
                target = @{
                    caller = "Admin"
                    operations = @( "All" )
                    level = "Eligibility"
                    inheritableSettings = @()
                    enforcedSettings = @()
                }
            }
            # Email admins about every eligible assignment made by an admin
            @{
                "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"
                id = "Notification_Admin_Admin_Eligibility"
                notificationType = "Email"
                recipientType = "Admin"
                notificationLevel = "All"
                isDefaultRecipientsEnabled = $true
                notificationRecipients = @()
                target = @{
                    caller = "Admin"
                    operations = @( "All" )
                    level = "Eligibility"
                    inheritableSettings = @()
                    enforcedSettings = @()
                }
            }
        )
    }

    Update-MgPolicyRoleManagementPolicy -UnifiedRoleManagementPolicyId $unifiedRoleManagementPolicyId -BodyParameter $params
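The following is an added example and not code from the question or the answer above. It shows, with Microsoft Graph PowerShell, the whole sequence a practitioner would run: create a role-assignable group, give it an eligible (PIM) Entra role assignment through a role eligibility schedule request instead of a permanent active assignment, verify which kind of assignment the group ended up with, and look up the role management policy id that Update-MgPolicyRoleManagementPolicy expects. The group name, the role name and the 180-day duration are placeholders chosen for the example; the cmdlets, parameters and filter syntax are from the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups, Microsoft.Graph.Identity.Governance and Microsoft.Graph.Identity.SignIns).

```powershell
# Added example (not from the original question or answer).
# Creates a role-assignable group and assigns an Entra role to it as ELIGIBLE,
# so members must activate through PIM instead of holding the role permanently.
# Placeholders: $groupName, $roleName and the P180D duration.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$groupName = "PIM-SecurityReader-Eligible"   # placeholder
$roleName  = "Security Reader"               # placeholder built-in role

# 1. Role-assignable security group. isAssignableToRole cannot be changed after
#    creation, so a group created without it can never take a role assignment.
$group = New-MgGroup -DisplayName $groupName -MailNickname $groupName `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole

# 2. Resolve the role definition (its Id is the built-in role template id).
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# 3. Eligible assignment via PIM. Creating the link with
#    New-MgRoleManagementDirectoryRoleAssignment instead would produce a
#    permanent active assignment that every group member holds without activation.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Eligible assignment for PIM-managed group"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                    # tenant-wide scope
    principalId      = $group.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        # must fit within Expiration_Admin_Eligibility.maximumDuration of the role's policy
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility
"Eligibility request status: $($request.Status)"

# 4. Verify what the group actually holds: eligibility schedules are PIM-managed,
#    role assignments are permanent active ones.
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($group.Id)'")
$active   = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'")
"Eligible schedules : $($eligible.Count)"
"Active assignments : $($active.Count)"

# 5. Policy id for Update-MgPolicyRoleManagementPolicy: each directory role has one
#    role management policy assigned at scope "/".
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$unifiedRoleManagementPolicyId = $policyAssignment.PolicyId
"Role management policy id for '$roleName': $unifiedRoleManagementPolicyId"
```

After step 4 the group should show one eligibility schedule and zero active assignments; if the active count is non-zero, the role was bound with a permanent assignment and members will hold it without PIM activation. Step 5 yields the value to pass as -UnifiedRoleManagementPolicyId when adjusting the activation, expiration and notification rules shown in the answer.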

