shadowz1337

Reputation: 889

Activate PIM role for Azure resources via REST / Powershell?

I'm trying to automate the activation of my PIM role for Azure resources via PowerShell or REST API and I can't seem to figure this out. I can activate a PIM role for AAD just fine, but not Azure resources. Does anyone have an example of this working?

I found this and tried it, but it doesn't work for activating PIM role configured at the management group level for some reason. Works fine for PIM roles on the subscription level.

Unable to activate a PIM role

For AAD role activation, this is what I used: https://learn.microsoft.com/en-us/powershell/microsoftgraph/tutorial-pim?view=graph-powershell-1.0&WT.mc_id=AZ-MVP-5004796

Upvotes: 2

Views: 5247

Answers (1)

Sridevi

Reputation: 22597

To activate a PIM role for Azure resources under a management group via REST API, you can make use of the call below:

PUT https://management.azure.com/providers/Microsoft.Management/managementGroups/mgname/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/<new_guid>?api-version=2020-10-01

{
  "properties": {
    "principalId": "userObjId",
    "roleDefinitionId": "/providers/Microsoft.Management/managementGroups/mgname/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "requestType": "SelfActivate",
    "justification": "test purpose",
    "scheduleInfo": {
      "startDateTime": "2023-10-09T18:11:53.8442481+05:30",
      "expiration": {
        "type": "AfterDuration",
        "endDateTime": null,
        "duration": "PT1H"
      }
    }
  }
}

Response:

[screenshot: REST response]

When I checked the same in the Portal, the PIM role was activated successfully under the management group like this:

[screenshot: Portal showing the active assignment at the management group]

To activate a PIM role for Azure resources under a management group via PowerShell, you can make use of the script below:

$mgName = "mgname"                                    # management group name, used in both the scope and the role definition ID
$guid = (New-Guid).Guid                               # the request name must be a GUID not used before at this scope
$startTime = Get-Date -Format o 
$scope = "//providers/Microsoft.Management/managementGroups/$mgName/"
$principalID = "userObjId"                            # object ID of the user activating the role
$roleDefinitionID = "/providers/Microsoft.Management/managementGroups/$mgName/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"   # built-in Owner role

New-AzRoleAssignmentScheduleRequest -Name $guid -Scope $scope -ExpirationDuration PT1H -ExpirationType AfterDuration -PrincipalId $principalID -RequestType SelfActivate -RoleDefinitionId $roleDefinitionID -ScheduleInfoStartDateTime $startTime -Justification "demo purpose"

Response:

[screenshot: cmdlet output]

References:

Activate Azure resource roles in PIM - Microsoft Entra

Enable role fails with permission error (github.com) by chaoscreater

Upvotes: 2
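The following is an added, end-to-end version of the REST approach from the answer above, driven from PowerShell; it is not code from the question, the answer, or Microsoft. It reuses the signed-in Az session via Invoke-AzRestMethod, first checks that the caller actually holds an eligible assignment for the role at the management-group scope, then sends the same SelfActivate request body and polls the request until it is provisioned or parked for approval. The management group name `mgname` and the role GUID (the built-in Owner role used in the answer) are assumptions; replace them with your own.

```powershell
# Added example: self-activate an eligible PIM role for Azure resources at
# management-group scope through the ARM REST API (api-version 2020-10-01).
# Assumptions: management group 'mgname' and the Owner role GUID from the answer.
#Requires -Modules Az.Accounts, Az.Resources
param(
    [string]$ManagementGroup    = 'mgname',                                  # assumption: your MG name
    [string]$RoleDefinitionGuid = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635',   # built-in Owner
    [string]$Justification      = 'Planned change',
    [string]$Duration           = 'PT1H'                                     # ISO 8601; capped by the PIM policy
)

$ErrorActionPreference = 'Stop'
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# ARM scope of the management group: the same path the answer's PUT URL uses after
# https://management.azure.com (single leading slash).
$scope            = "/providers/Microsoft.Management/managementGroups/$ManagementGroup"
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$RoleDefinitionGuid"
$principalId      = (Get-AzADUser -SignedIn).Id

# 1. Confirm an eligible assignment exists for this role at this scope before
#    requesting activation. 'asTarget()' limits the listing to the caller's own
#    eligibilities (direct or via group), so only the role GUID is matched here.
$eligible = Get-AzRoleEligibilitySchedule -Scope $scope -Filter 'asTarget()' |
    Where-Object { $_.RoleDefinitionId -like "*/roleDefinitions/$RoleDefinitionGuid" }
if (-not $eligible) {
    throw "No eligible assignment for role $RoleDefinitionGuid at $scope for the signed-in user"
}

# 2. Build the same body the answer's PUT uses. The request name must be a GUID
#    that has not been used for a previous request at this scope.
$requestName = (New-Guid).Guid
$body = @{
    properties = @{
        principalId      = $principalId
        roleDefinitionId = $roleDefinitionId
        requestType      = 'SelfActivate'
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'AfterDuration'; endDateTime = $null; duration = $Duration }
        }
    }
} | ConvertTo-Json -Depth 6

$path = "$scope/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/$requestName?api-version=2020-10-01"
$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body

if ($resp.StatusCode -notin 200, 201) {
    # The error body says why: e.g. the activation policy requires MFA or a ticket,
    # the justification is missing, or the duration exceeds the allowed maximum.
    throw "Activation request failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# 3. Poll the request. A 200/201 only means the request was accepted; the role is
#    usable only once the status reaches 'Provisioned'. A policy that requires
#    approval leaves the request in 'PendingApproval' and the role inactive.
$pending  = 'Accepted', 'PendingEvaluation', 'PendingScheduleCreation', 'PendingProvisioning'
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 5
    $req = Get-AzRoleAssignmentScheduleRequest -Scope $scope -Name $requestName
} while ($req.Status -in $pending -and (Get-Date) -lt $deadline)

switch ($req.Status) {
    'Provisioned'     { Write-Host    "Role $RoleDefinitionGuid is active at $scope for $Duration (request $requestName)" }
    'PendingApproval' { Write-Warning "Request $requestName is waiting for an approver; the role is not active yet" }
    default           { Write-Warning "Request $requestName ended in status '$($req.Status)'" }
}
```

Run it after `Connect-AzAccount`; the eligibility check up front turns the generic permission error into a clear message when the role is eligible only at a subscription rather than the management group, which is the situation the question describes. If the PIM policy for the role requires MFA, the PUT is rejected until the Az session was established with an MFA-satisfied token, so interactive sign-in rather than a cached token may be needed.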
