Graph API call to make AAD role assignment request not working

ravishekharreddy yanamala 21 Reputation points
2021-02-03T15:38:48.09+00:00

Running the PowerShell script below, with an access token obtained using an NPA and a service principal that has the permissions listed below, to assign an object to the Directory Readers AAD role.

The code was working until last week, but since Monday we get an UnauthorizedAccessException when the call is made to create the assignment request. With the same access token, other API calls to get roleDefinitions and roleAssignments are still working fine.

Please let us know if there are any breaking changes with this API call, or what permissions are required to make a roleAssignmentRequest, as this was working until last week.

The NPA is a Privileged Role Administrator, and the service principal (used to fetch the token) has the API permission Directory.AccessAsUser.All (Delegated scope).

Code snippet:

# Double-quoted here-string so the $(...) subexpressions are expanded;
# a single-quoted @' ... '@ here-string would send the literal text to Graph.
$body = @"
{
    "roleDefinitionId": "$($roleDefinitionId)",
    "resourceId": "$($TenantId)",
    "subjectId": "$($PrincipalId)",
    "assignmentState": "$($AssignmentState)",
    "type": "AdminAdd",
    "reason": "SQLMI Role Assignment to Directory Readers",
    "schedule": {
        "type": "Once"
    }
}
"@
$roleAssignmentRequestParams = @{
    'ContentType' = 'application/json'
    'Headers'     = @{
        # Double quotes here too, so the token value is interpolated
        'Authorization' = "Bearer $($GraphAccessToken)"
        'accept'        = 'application/json'
    }
    'Body'   = $body
    'Method' = 'Post'
    'URI'    = 'https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignmentRequests'
}
Try {
    Invoke-RestMethod @roleAssignmentRequestParams -UseBasicParsing
}
Catch {
    Write-Error "Error creating new role assignment request: $($_.Exception.Message)"
}

Accepted answer
Siva-kumar-selvaraj 15,571 Reputation points
2021-02-08T13:40:54.043+00:00

Thanks for reaching out.

Sorry for the delayed response, as I was testing a few scenarios in my lab as well as checking with the respective team internally.

I assume you are using the "Get access on behalf of a user" flow from the service principal and calling the Graph API to make the AAD role assignment request. You must include the appropriate "PrivilegedAccess" permission in the scope when you request the authorization code. This may vary based on the type of call you make through the Graph API; for example, if you make an AAD role assignment request, the scope must contain "PrivilegedAccess.ReadWrite.AzureAD".

I used the format below for requesting the authorization code, and when I then made a Graph API call to assign an "AAD role" it worked fine for me without any issue. Similarly, if I don't include the respective "PrivilegedAccess" permission in the scope, I get "Code: UnauthorizedAccessException Message: Attempted to perform an unauthorized operation".

In my lab I had assigned the "Privileged Role Administrator" role to the user, and the service principal has Directory.AccessAsUser.All (Delegated scope).

Authorization request and token request:

GET https://login.microsoftonline.com/e3bcda0c-dafb-4640-975a-3af8d1d63a27/oauth2/v2.0/authorize?
&client_id=8eb4a445-25f5-40f4-9f54-8ef85d324255
&response_type=code
&redirect_uri=https%3A%2F%2Fjwt.ms
&response_mode=query
&scope=PrivilegedAccess.Read.AzureAD+PrivilegedAccess.Read.AzureADGroup+PrivilegedAccess.Read.AzureResources+
PrivilegedAccess.ReadWrite.AzureAD+PrivilegedAccess.ReadWrite.AzureADGroup+PrivilegedAccess.ReadWrite.AzureResources+
Directory.AccessAsUser.All
&state=12345

POST https://login.microsoftonline.com/atriumph.onmicrosoft.com/oauth2/v2.0/token

Body

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=PrivilegedAccess.Read.AzureAD+PrivilegedAccess.Read.AzureADGroup+PrivilegedAccess.Read.AzureResources+
PrivilegedAccess.ReadWrite.AzureAD+PrivilegedAccess.ReadWrite.AzureADGroup+PrivilegedAccess.ReadWrite.AzureResources+
Directory.AccessAsUser.All
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=************ // NOTE: Only required for web apps

Graph API roleAssignmentRequests call

POST: https://graph.microsoft.com/beta/privilegedAccess/aadRoles/roleAssignmentRequests

Body

{
    "resourceId": "e3bcda0c-dafb-4640-975a-3af8d1d63a27",
    "roleDefinitionId": "644ef478-e28f-4e28-b9dc-3fdde9aa0b1f",
    "subjectId": "1972af6f-fa92-441e-865a-615b4485f426",
    "type": "AdminAdd",
    "assignmentState": "Eligible",
    "schedule": {
        "startDateTime": "2021-04-27T02:19:11.77+05:30",
        "endDateTime": "2021-07-26T02:19:11.77+05:30",
        "type": "Once"
    }
}

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
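As an added example (not code from the question or the accepted answer), a PowerShell check that decodes the delegated token's payload and confirms its scp claim includes the PrivilegedAccess.ReadWrite.AzureAD scope the answer names, so a token requested without it is rejected locally instead of failing at Graph with UnauthorizedAccessException. The function names and the sample claims are hypothetical; the check reads claims without validating the signature, so it is a troubleshooting aid, not an authorization decision.

```powershell
# Added diagnostic (not the page's code): decode the payload of a delegated Graph token
# and confirm the 'scp' claim carries the scope the answer names before calling
# roleAssignmentRequests. The signature is NOT validated; this is a troubleshooting aid
# for a token you already hold, not an authorization decision.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT (header.payload.signature).' }
    # base64url -> base64: restore the standard alphabet and the '=' padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphTokenScope {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredScopes = @('PrivilegedAccess.ReadWrite.AzureAD')
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    # Delegated tokens list scopes space-separated in 'scp'; app-only tokens use 'roles'
    $granted = @()
    if ($claims.scp)   { $granted += ($claims.scp -split ' ') }
    if ($claims.roles) { $granted += $claims.roles }
    $missing = @($RequiredScopes | Where-Object { $_ -notin $granted })
    [pscustomobject]@{
        Audience = $claims.aud
        Granted  = $granted
        Missing  = $missing
        Ok       = ($missing.Count -eq 0)
    }
}

# Constructed, unsigned sample tokens (hypothetical claims) so the check runs offline.
function New-DemoToken([hashtable]$Claims) {
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.' -f (& $enc '{"alg":"none","typ":"JWT"}'), (& $enc ($Claims | ConvertTo-Json -Compress))
}
$weak = New-DemoToken @{ aud = 'https://graph.microsoft.com'; scp = 'Directory.AccessAsUser.All' }
$good = New-DemoToken @{ aud = 'https://graph.microsoft.com'; scp = 'Directory.AccessAsUser.All PrivilegedAccess.ReadWrite.AzureAD' }
Test-GraphTokenScope -Token $weak   # only Directory.AccessAsUser.All, as in the question's setup
Test-GraphTokenScope -Token $good   # the scope the answer names is present

# In the script from the question, gate the POST on the check:
# $check = Test-GraphTokenScope -Token $GraphAccessToken
# if (-not $check.Ok) { throw "Token lacks scope(s): $($check.Missing -join ', ')" }
```

The scopes in a delegated token are fixed when the authorization code is requested, so granting the permission on the app registration alone does not add it to a token that was requested without it.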
