Removing PIM approvers from Entra using powershell, code doesnt fail but approvers still present

Question

Removing PIM approvers from Entra using powershell, code doesnt fail but approvers still present

MrFlinstone 686

I am currently using powershell to add approvers for PIM settings, however I am trying to remove the approvers using powershell, the code i am using can be found below. For reasons unknown to me, it doesnt appear to work. It doesnt fail, but doesnt make the required change either.

$policyid = "Group_xxx"


$body = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    id = "Approval_EndUser_Assignment"
    target = @{
        "@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
        caller = "EndUser"
        operations = @("All")
        level = "Assignment"
        inheritableSettings = @()
        enforcedSettings = @()
    }
    setting = @{
        "@odata.type" = "microsoft.graph.approvalSettings"
        isApprovalRequired = $false
        isApprovalRequiredForExtension = $false
        isRequestorJustificationRequired = $false
        approvalMode = "SingleStage"
        approvalStages = @(
            @{
                "@odata.type" = "microsoft.graph.unifiedApprovalStage"
                approvalStageTimeOutInDays = 1
                isApproverJustificationRequired = $false
                escalationTimeInMinutes = 0
                primaryApprovers = @()  # Removes all approvers
                isEscalationEnabled = $false
                escalationApprovers = @()
            }
        )
    }
}


Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $policyid `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" `
    -Body $body

1 answer

Your answer

Answer 1

Vigneshwar Duvva 2,300 Microsoft External Staff Moderator

Hello @MrFlinstone

To remove approvers from a PIM role management policy using PowerShell, ensure you're using the correct parameter name (-Body Parameter instead of -Body) and validate the structure of your approval settings. Here's the corrected approach:

$policyid = "Group_xxx"

$ruleId = "Approval_EndUser_Assignment"

$body = @{

Copy

"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"

id = $ruleId

target = @{

"@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"

caller = "EndUser"

operations = @("All")

level = "Assignment"

inheritableSettings = @()

enforcedSettings = @()

}

setting = @{

"@odata.type" = "microsoft.graph.approvalSettings"

isApprovalRequired = $false  # Disables approval requirement

isApprovalRequiredForExtension = $false

isRequestorJustificationRequired = $false

approvalMode = "NoApproval"  # Explicitly set approval mode

approvalStages = @()  # Remove all approval stages

}

Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyid -UnifiedRoleManagementPolicyRuleId $ruleId -BodyParameter $body

Confirm permissions with Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

https://learn.microsoft.com/en-us/powershell/microsoftgraph/how-to-manage-pim-policies?view=graph-powershell-1.0

Check policy rules using:

PowerShell

Get-MgPolicyRoleManagementPolicy -UnifiedRoleManagementPolicyId $policyid | Select-Object -ExpandProperty Rules

Hope this helps.

MrFlinstone 686

Thanks for this, I was able to use the code to remove approvers but found another issue, when the approver was removed, I then later tried to add approvers programmatically, it wouldn't work for the Attack Payload Author role, but works for the Attribute Log Administrator role, I have shown the code below. where it works and where it doesn't work. is there a reason for this ?

$rolename = "Attribute Log Administrator"
[array]$DirectoryRoles = Get-MgRoleManagementDirectoryRoleDefinition | Sort-Object DisplayName
$UserRoleId = $DirectoryRoles | Where-Object { $_.DisplayName -eq $roleName } | Select-Object -ExpandProperty Id
$policyID = (Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$UserRoleId'").PolicyId
write-host "The policy ID is $policyID"
$params = @{
	"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
	id = "Approval_EndUser_Assignment"
	target = @{
		"@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
		caller = "EndUser"
		operations = @(
		"All"
	)
	level = "Assignment"
	inheritableSettings = @(
	)
	enforcedSettings = @(
	)
}
setting = @{
	"@odata.type" = "microsoft.graph.approvalSettings"
	isApprovalRequired = $true
	isApprovalRequiredForExtension = $false
	isRequestorJustificationRequired = $true
	approvalMode = "SingleStage"
	approvalStages = @(
		@{
			"@odata.type" = "microsoft.graph.unifiedApprovalStage"
			approvalStageTimeOutInDays = 1
			isApproverJustificationRequired = $true
			escalationTimeInMinutes = "0"
			primaryApprovers = @(
				@{
					"@odata.type" = "#microsoft.graph.groupMembers"
					groupId = "xxx"
				}
			)
			isEscalationEnabled = $false
			escalationApprovers = @(
			)
		}
	)
}
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyID -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter $params -debug
##Works
#######################
#Does not work
$rolename = "Attack Payload Author"
[array]$DirectoryRoles = Get-MgRoleManagementDirectoryRoleDefinition | Sort-Object DisplayName
$UserRoleId = $DirectoryRoles | Where-Object { $_.DisplayName -eq $roleName } | Select-Object -ExpandProperty Id
$policyID = (Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$UserRoleId'").PolicyId
write-host "The policy ID is $policyID"
$params = @{
	"@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
	id = "Approval_EndUser_Assignment"
	target = @{
		"@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
		caller = "EndUser"
		operations = @(
		"All"
	)
	level = "Assignment"
	inheritableSettings = @(
	)
	enforcedSettings = @(
	)
}
setting = @{
	"@odata.type" = "microsoft.graph.approvalSettings"
	isApprovalRequired = $true
	isApprovalRequiredForExtension = $false
	isRequestorJustificationRequired = $true
	approvalMode = "SingleStage"
	approvalStages = @(
		@{
			"@odata.type" = "microsoft.graph.unifiedApprovalStage"
			approvalStageTimeOutInDays = 1
			isApproverJustificationRequired = $true
			escalationTimeInMinutes = "0"
			primaryApprovers = @(
				@{
					"@odata.type" = "#microsoft.graph.groupMembers"
					groupId = "xxx"
				}
			)
			isEscalationEnabled = $false
			escalationApprovers = @(
			)
		}
	)
}
}
#Does not work
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyID -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter $params -debug

Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-06-05T08:02:46.22+00:00

Hello @MrFlinstone

The difference in behavior when adding approvers programmatically to the Attack Payload Author role versus the Attribute Log Administrator role is likely due to the specific permissions, restrictions, and management model of the Attack Payload Author role.

Key Reasons Attack Payload Author Role Restrictions and Attribute Log Administrator

Hope this helps. Do let us know if you have any further queries
MrFlinstone 686 Reputation points

2025-06-06T09:06:55.68+00:00

Is this a bug or by design, and is it possible to have some confirmation from Microsoft that this is by design as I find it strange.
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-06-09T06:31:51.44+00:00

Hello MrFlinstone

This is not a bug. As i mentioned previously difference between the roles. The two roles have different privileges and permissions, so the code will work with the specified roles.
MrFlinstone 686 Reputation points

2025-06-09T07:35:40.11+00:00

Thank you for the clarification, do we know any other roles that show such behaviour ?
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-06-10T07:26:25.1666667+00:00

Hello MrFlinstone

Below reference documentation explain least privileged roles by task in Microsoft Entra ID.
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment"
Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator

2025-06-11T08:45:59.38+00:00

Hello MrFlinstone

If this addresses your question, kindly confirm.

Thank you.

Share via

Removing PIM approvers from Entra using powershell, code doesnt fail but approvers still present

1 answer

Your answer