Microsoft Entra
A group of Microsoft multicloud identity and access solutions.
2,560 questions
Nobody ever faced this issue or can someone show me a working example?
Azure Role Assignment Approval On PIM Resources
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 98%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMB%3C/text%3E%3C/svg%3E)
Michael Burschel
1
Reputation point
Hi,
currently I'm trying to create and approve requests for the Privileged Identity Management in Azure.
Both of these are working fine over the Azure Portal and I wanted to do the same with the from Microsoft provided APIs.
Creating these requests is no problem, but I am not able to approve the created requests. The requests are for Azure Resources (not AD Roles, these are working).
Here my attempts:
- Graph API
Create Request: https://learn.microsoft.com/en-us/graph/api/governanceroleassignmentrequest-post?view=graph-rest-beta&tabs=csharp
Update/Approve Request: https://learn.microsoft.com/en-us/graph/api/governanceroleassignmentrequest-update?view=graph-rest-beta&tabs=http
In here there is one thing that confuses me, the status "PendingAdminDecision". When I create my requests inside of the Azure Portal and through the Graph API the status is always "PendingApproval". With this status I can get all the open requests that are not yet approved. The status "PendingAdminDecision" described in the Graph API is nowhere found. When I try to approve one of my open requests (in status "PendingApproval"), I get the message "The role assignment request has already been approved or denied". Either from Graph Explorer, C# Code or PowerShell.
- Azure REST API - Authorization
Here I can find my pending approval by listing all Role Assignment Approvals (https://learn.microsoft.com/en-us/rest/api/authorization/role-assignment-approval/list)
With the gathered information I wanted to approve my request (https://learn.microsoft.com/en-us/rest/api/authorization/role-assignment-approval-step/patch) or PUT
Sadly it does not work here either. I tried the "Try It" functionality and I gave it a try via Postman.
The only thing that I get back is: Response Code 500 - Internal Server Error --> Message - An error has occurred
---------
Can you provide any suggestions for this problem?
I checked my AD Roles for this account.
Best regards
Michael