Cristian

Reputation: 1

Retrieve users/groups eligible for AzureAD PIM roles using Microsoft Graph API

I am trying to retrieve using Microsoft Graph API the list of users/groups with PIM eligible assignments to Azure AD roles.

I would like to make the API calls from Python or from Graph Explorer, not from the PowerShell script Get-MgRoleManagementDirectoryRoleEligibilitySchedule provided by Microsoft.

My script is able to connect with Microsoft Graph API, has the necessary API permissions, and can retrieve the complete list of AzureAD users and groups.

The issue is that I don't know how to map the output of API calls to roleEligibilitySchedules or roleEligibilityScheduleInstances to users or groups.

Example of output from https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilitySchedules",
    "value": [
        {
            "id": "0c9c21ed-9569-42a4-9d72-810ad8063985",
            "principalId": "ef7b01fd-3d84-4338-a8c4-1aa6bb8c6021",
            "roleDefinitionId": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
            "directoryScopeId": "/",
            "appScopeId": null,
            "createdUsing": "0c9c21ed-9569-42a4-9d72-810ad8063985",
            "createdDateTime": "2023-04-21T19:50:09.013Z",
            "modifiedDateTime": "0001-01-01T08:00:00Z",
            "status": "Provisioned",
            "memberType": "Direct",
            "scheduleInfo": {
                "startDateTime": "2023-04-21T19:50:09.013Z",
                "recurrence": null,
                "expiration": {
                    "type": "afterDateTime",
                    "endDateTime": "2024-04-20T19:49:44.26Z",
                    "duration": null
                }
            }
        },
[...]

Example of output from https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleInstances

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleInstances",
    "value": [
        {
            "id": "kl2Jm9Msx0SdAqasLV6lw8xwLnAVMmVCog68uCf1hnk-1-e",
            "principalId": "702e70cc-3215-4265-a20e-bcb827f58679",
            "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
            "directoryScopeId": "/",
            "appScopeId": null,
            "startDateTime": "2023-03-31T19:17:37.163Z",
            "endDateTime": null,
            "memberType": "Direct",
            "roleEligibilityScheduleId": "ee8673e5-f1b6-42f7-956e-1c297d82f480"
        },
[...]

What are the next steps to map the values retrieved above to user or group names, like in the Portal image?

(Portal screenshot: PIM Eligible users)

Thank you

Upvotes: 0

Views: 1409

Answers (1)

MadPAM

Reputation: 1

In the OData response you receive, the "principalId": "ef7b01fd-3d84-4338-a8c4-1aa6bb8c6021" refers to the entity that is eligible to activate this role assignment.

Hope that helps

Upvotes: 0
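The answer identifies `principalId` as the eligible entity but leaves the mapping step the question asks for. The following Python script is an added example (not code from the question or the answer, and not a Microsoft sample) that does the full resolution: it pages through `/roleManagement/directory/roleEligibilitySchedules`, loads `/roleManagement/directory/roleDefinitions` once to turn `roleDefinitionId` into a role name, and batches every `principalId` through `POST /directoryObjects/getByIds`, which returns the object with its `@odata.type` (`user`, `group` or `servicePrincipal`), `displayName` and, for users, `userPrincipalName`. It assumes a bearer token with `RoleManagement.Read.Directory` and `Directory.Read.All`; the sample responses, display names and the third schedule are constructed so the script runs offline. The third schedule points at a principal that `getByIds` does not return, which is what a deleted user or group looks like: the API omits the id silently instead of failing, so the script reports it as unknown rather than crashing.

```python
"""Map Entra ID (Azure AD) PIM role eligibility schedules to principal names.

Added example, not code from the question or answer. Assumes an OAuth2 bearer
token for Microsoft Graph with RoleManagement.Read.Directory and
Directory.Read.All. The sample responses below are constructed (names are
invented) so the script runs offline.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
SCHEDULES = f"{GRAPH}/roleManagement/directory/roleEligibilitySchedules"
ROLE_DEFS = f"{GRAPH}/roleManagement/directory/roleDefinitions?$select=id,displayName"
GET_BY_IDS = f"{GRAPH}/directoryObjects/getByIds"

# Transport(method, url, json_body) -> decoded JSON. Injected so the same code
# runs against Graph with a real token or against the constructed data below.
Transport = Callable[[str, str, Optional[dict]], dict]


def graph_transport(token: str) -> Transport:
    """Real transport using only the standard library."""
    def call(method: str, url: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return call


def get_all(transport: Transport, url: str) -> List[dict]:
    """Follow @odata.nextLink; tenants with many assignments are paged."""
    items: List[dict] = []
    while url:
        page = transport("GET", url, None)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink", "")
    return items


def resolve_eligibilities(transport: Transport) -> List[dict]:
    """Return one row per eligibility with principal and role resolved to names."""
    schedules = get_all(transport, SCHEDULES)
    roles = {r["id"]: r["displayName"] for r in get_all(transport, ROLE_DEFS)}
    # principalId is an opaque directory object id (user, group or service
    # principal). getByIds resolves up to 1000 ids per call and silently omits
    # ids it cannot find (e.g. a principal deleted after the eligibility was
    # granted), so a missing entry is reported instead of raising.
    principals: Dict[str, dict] = {}
    ids = sorted({s["principalId"] for s in schedules})
    for i in range(0, len(ids), 1000):
        body = {"ids": ids[i:i + 1000], "types": ["user", "group", "servicePrincipal"]}
        for obj in transport("POST", GET_BY_IDS, body).get("value", []):
            principals[obj["id"]] = obj
    rows = []
    for s in schedules:
        p = principals.get(s["principalId"])
        expiration = (s.get("scheduleInfo") or {}).get("expiration") or {}
        rows.append({
            "principalId": s["principalId"],
            "principalType": p["@odata.type"].rsplit(".", 1)[-1] if p else "unknown",
            "principalName": p.get("displayName") if p else None,
            "userPrincipalName": p.get("userPrincipalName") if p else None,
            "role": roles.get(s["roleDefinitionId"], s["roleDefinitionId"]),
            "scope": s["directoryScopeId"],
            "status": s["status"],
            "endDateTime": expiration.get("endDateTime"),
        })
    return rows


# --- Constructed offline data (ids from the question, names invented) --------
def _schedule(sid: str, pid: str, rid: str, end: Optional[str]) -> dict:
    return {"id": sid, "principalId": pid, "roleDefinitionId": rid, "directoryScopeId": "/",
            "status": "Provisioned", "memberType": "Direct",
            "scheduleInfo": {"expiration": {"type": "afterDateTime", "endDateTime": end}}}


SAMPLE_GETS = {
    SCHEDULES: {"value": [
        _schedule("0c9c21ed-9569-42a4-9d72-810ad8063985", "ef7b01fd-3d84-4338-a8c4-1aa6bb8c6021",
                  "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "2024-04-20T19:49:44.26Z")],
        "@odata.nextLink": SCHEDULES + "?$skiptoken=page2"},
    SCHEDULES + "?$skiptoken=page2": {"value": [
        _schedule("ee8673e5-f1b6-42f7-956e-1c297d82f480", "702e70cc-3215-4265-a20e-bcb827f58679",
                  "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", None),
        # principal below is intentionally absent from getByIds (deleted object)
        _schedule("11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222",
                  "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", None)]},
    ROLE_DEFS: {"value": [
        {"id": "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "displayName": "Role Definition A"},
        {"id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "displayName": "Role Definition B"}]},
}
SAMPLE_GET_BY_IDS = [
    {"@odata.type": "#microsoft.graph.user", "id": "ef7b01fd-3d84-4338-a8c4-1aa6bb8c6021",
     "displayName": "Alice Example", "userPrincipalName": "alice@example.com"},
    {"@odata.type": "#microsoft.graph.group", "id": "702e70cc-3215-4265-a20e-bcb827f58679",
     "displayName": "PIM Eligible Admins"}]


def fake_transport(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Offline stand-in for graph_transport serving the constructed data."""
    if method == "POST" and url == GET_BY_IDS:
        wanted = set(body["ids"])
        return {"value": [o for o in SAMPLE_GET_BY_IDS if o["id"] in wanted]}
    return SAMPLE_GETS[url]


if __name__ == "__main__":
    for row in resolve_eligibilities(fake_transport):
        print(json.dumps(row))
```

For a live run replace `fake_transport` with `graph_transport(token)`. The same approach works unchanged for `roleEligibilityScheduleInstances` (the actual endpoint is `/roleManagement/directory/roleEligibilityScheduleInstances`, without the `$metadata#` prefix shown in the question, which is the value of `@odata.context`, not a URL you can call). Resolving via `getByIds` rather than `GET /users/{id}` matters because an eligible principal can be a group or a service principal, and a per-id `GET /users/{id}` would return 404 for those and for deleted objects; the rows flagged `unknown` are the ones worth reviewing, since they are eligibilities that still exist in PIM for a principal the directory no longer shows.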
