Reputation: 21
Firstly, I'm aware this is a Preview/Beta feature.
I'm trying to set the approverIds of a PIM Role, however I am getting a 403 failure, and according to https://learn.microsoft.com/en-us/graph/api/privilegedrolesettings-update?view=graph-rest-beta&tabs=http all I require is PrivilegedAccess.ReadWrite.AzureAD and Directory.AccessAsUser.All, and to be a member of either Privileged Role Administrator, Global Administrator, Security Administrator, or Security Reader (bold = current member).
At this stage I am trying to get it working via the graph explorer.
https://developer.microsoft.com/en-us/graph/graph-explorer#
I am able to retrieve all the settings via:
GET https://graph.microsoft.com/beta/privilegedRoles/f023fd81-a637-4b56-95fd-791ac0226033/settings
However, as soon as I try to set the settings it fails:
PUT https://graph.microsoft.com/beta/privilegedRoles/f023fd81-a637-4b56-95fd-791ac0226033/settings
I've tried various combinations of the request body, including limiting it just to the approverIds.
Request Body
{
  "approverIds": [
    "862a56d5-d987-462b-95a5-85ef174b149e"
  ],
  "minElevationDuration": "PT0S",
  "maxElevationDuration": "PT0S",
  "elevationDuration": "PT4H",
  "id": "f023fd81-a637-4b56-95fd-791ac0226033",
  "notificationToUserOnElevation": true,
  "ticketingInfoOnElevation": false,
  "mfaOnElevation": true,
  "lastGlobalAdmin": false,
  "isMfaOnElevationConfigurable": true,
  "approvalOnElevation": true
}
This results in:
Failure - Status Code 403, 1807ms Looks like you may not have the permissions for this call. Please modify your permissions.
If I click "modify your permissions" I can see that the required permissions (as per the documentation) are consented.
Upvotes: 1
Views: 97
Reputation: 21
OK, at least for this particular request it seems Microsoft's documentation is wrong: to do an update you need to be a member of "Privileged Role Administrator". Global Administrator, Security Administrator, or Security Reader are not sufficient.
Upvotes: 1
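Worked example, added here and not part of the question, the answer, or any Microsoft sample: it issues the same PUT from the question with Python's standard library and, when Graph answers 403, checks whether the caller actually holds the directory role the answer identifies as required. Assumptions not on the page: a delegated bearer token is obtained elsewhere (passed via the GRAPH_TOKEN environment variable), the `lastGlobalAdmin` and `isMfaOnElevationConfigurable` flags returned by GET are treated as read-only and not sent back, and the role check relies on `GET /v1.0/me/memberOf`, which lists only directory roles that are currently active (a PIM-eligible assignment that has not been activated does not appear there).

```python
"""Added example (not the page's code): PUT PIM role settings via Graph beta
and explain a 403 in terms of the caller's active directory roles."""
import json
import urllib.error
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"
GRAPH_V1 = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLE = "Privileged Role Administrator"  # the role the answer found to be required


def build_settings_body(role_id, approver_ids, elevation_duration="PT4H",
                        mfa_on_elevation=True, approval_on_elevation=True):
    """Body for PUT /beta/privilegedRoles/{id}/settings.

    Property names are spelled as Graph defines them ('maxElevationDuration',
    not the misspelled 'maxElavationDuration'). The two flags reported by GET,
    lastGlobalAdmin and isMfaOnElevationConfigurable, are assumed read-only
    and are not sent back."""
    return {
        "id": role_id,
        "approverIds": list(approver_ids),
        "minElevationDuration": "PT0S",
        "maxElevationDuration": "PT0S",
        "elevationDuration": elevation_duration,
        "notificationToUserOnElevation": True,
        "ticketingInfoOnElevation": False,
        "mfaOnElevation": mfa_on_elevation,
        "approvalOnElevation": approval_on_elevation,
    }


def build_graph_request(method, url, token, body=None):
    """Build a urllib Request carrying the bearer token and a JSON body."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def send(req, opener=urllib.request.urlopen):
    """Return (status, parsed JSON or {}). HTTP errors are returned, not raised,
    so a 403 can be diagnosed by the caller."""
    try:
        with opener(req) as resp:
            raw = resp.read()
            status = resp.status
    except urllib.error.HTTPError as err:
        raw = err.read()
        status = err.code
    return status, (json.loads(raw) if raw else {})


def caller_role_names(member_of_payload):
    """Display names of directoryRole objects in a GET /me/memberOf response.
    Groups and other object types are ignored, so a group that merely shares
    a role's name does not count."""
    return {
        obj.get("displayName")
        for obj in member_of_payload.get("value", [])
        if obj.get("@odata.type") == "#microsoft.graph.directoryRole"
    }


def diagnose_403(member_of_payload):
    """Turn a 403 into an actionable message based on the caller's active roles."""
    roles = caller_role_names(member_of_payload)
    if REQUIRED_ROLE in roles:
        return ("holds " + REQUIRED_ROLE + "; the 403 is not a role problem, "
                "re-check the consented scopes on the token")
    return ("missing " + REQUIRED_ROLE + "; active directory roles: "
            + (", ".join(sorted(roles)) or "none"))


def update_role_settings(role_id, body, token, opener=urllib.request.urlopen):
    """PUT the settings; on 403, look up the caller's roles and explain."""
    url = f"{GRAPH_BETA}/privilegedRoles/{role_id}/settings"
    status, payload = send(build_graph_request("PUT", url, token, body), opener)
    if status == 403:
        _, member_of = send(build_graph_request("GET", f"{GRAPH_V1}/me/memberOf", token), opener)
        return status, diagnose_403(member_of)
    return status, payload


if __name__ == "__main__":
    import os
    import sys
    token = os.environ.get("GRAPH_TOKEN")  # assumed: token acquired out of band
    if not token:
        sys.exit("set GRAPH_TOKEN to a delegated Graph access token")
    role = "f023fd81-a637-4b56-95fd-791ac0226033"  # role id from the question
    approvers = ["862a56d5-d987-462b-95a5-85ef174b149e"]  # approver id from the question
    print(update_role_settings(role, build_settings_body(role, approvers), token))
```

If the diagnosis reports the role as missing while the portal shows an eligible Privileged Role Administrator assignment, activate it through PIM first and retry; an eligible-but-inactive assignment is invisible to `/me/memberOf` and to the authorization check behind this endpoint alike.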