Azure Role Assignment Approval On PIM Resources

Michael Burschel
2021-08-12T14:44:17.097+00:00

Hi,

Currently I'm trying to create and approve requests for Privileged Identity Management in Azure.

Both of these work fine in the Azure Portal, and I wanted to do the same with the APIs provided by Microsoft.
Creating these requests is no problem, but I am not able to approve the created requests. The requests are for Azure Resources (not AD Roles; those are working).
Here are my attempts:

  1. Graph API

Create Request: https://learn.microsoft.com/en-us/graph/api/governanceroleassignmentrequest-post?view=graph-rest-beta&tabs=csharp
Update/Approve Request: https://learn.microsoft.com/en-us/graph/api/governanceroleassignmentrequest-update?view=graph-rest-beta&tabs=http

One thing here confuses me: the status "PendingAdminDecision". When I create my requests inside the Azure Portal and through the Graph API, the status is always "PendingApproval". With this status I can get all the open requests that are not yet approved. The status "PendingAdminDecision" described in the Graph API is nowhere to be found. When I try to approve one of my open requests (in status "PendingApproval"), I get the message "The role assignment request has already been approved or denied", whether from Graph Explorer, C# code or PowerShell.

  2. Azure REST API - Authorization

Here I can find my pending approval by listing all Role Assignment Approvals (https://learn.microsoft.com/en-us/rest/api/authorization/role-assignment-approval/list).
With the gathered information I wanted to approve my request (https://learn.microsoft.com/en-us/rest/api/authorization/role-assignment-approval-step/patch) or PUT

Sadly it does not work here either. I tried the "Try It" functionality and I gave it a try via Postman.
The only thing that I get back is: Response Code 500 - Internal Server Error --> Message - An error has occurred

---------

Can you provide any suggestions for this problem?
I checked my AD Roles for this account.

Best regards

Michael

Microsoft Entra

1 answer

  1. Michael Burschel
    2021-08-16T06:20:01.04+00:00

    Has nobody ever faced this issue, or can someone show me a working example?
