Forum Discussion
alexl_2397
May 26, 2022 (Copper Contributor)
Converting Azure Resource RBAC to PIM via PowerShell
Hi all, I'm looking at converting PIM permissions from Azure RBAC to PIM permissions. I have written a PowerShell script to do this, which works; however, the only issue I've come across is defining ...
alexl_2397
May 26, 2022 (Copper Contributor)
Update:
I've added some more lines to find the resource ID. I believe the issue at first was that subscriptions don't have a ResourceID, so it needed an if statement to match the subscriptionID variable to the Scope column in the CSV.
I've added that if statement; however, no luck in getting them all to apply at a subscription level. It only seems to be running the else section, and not the if.
ForEach ($Row in $AzurePIM)
{
    # Subscription-level rows have a Scope of exactly "/subscriptions/<id>", so compare with -eq.
    # A regex -match against "/subscriptions/$subscriptionID" is also true for every child scope
    # (resource groups and resources under the subscription), so it cannot tell the two apart.
    If ($Row.Scope -eq "/subscriptions/$subscriptionID") {
        # For every role definition id
        $RoleDefId = $Row.RoleDefinitionId
        # Convert to a PIM ID, looked up against the subscription's PIM resource ($subscriptionPIMID)
        $RoleDefinitionPIMID = (Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'AzureResources' -ResourceId $subscriptionPIMID -Filter "ExternalId eq '/subscriptions/$subscriptionID/providers/Microsoft.Authorization/roleDefinitions/$RoleDefId'").Id
        # Assign that role
        Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'AzureResources' -ResourceId $subscriptionPIMID -RoleDefinitionId $RoleDefinitionPIMID -SubjectId $TargetUserID2 -Type 'adminAdd' -AssignmentState 'Eligible' -Schedule $schedule -Reason "testing"
    }
    Else {
        # For every role definition id and Scope
        # (the trailing comma after RoleDefinitionId was removed: it turned this into an array expression)
        $RoleDefId = $Row.RoleDefinitionId
        $ResId = $Row.Scope
        # Convert the ARM scope to its PIM resource ID first; the role definition lookup
        # needs the PIM resource ID ($ResPIMID), not the raw ARM scope string
        $ResPIMID = (Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' -Filter "ExternalId eq '$ResId'").Id
        $RoleDefinitionPIMID = (Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'AzureResources' -ResourceId $ResPIMID -Filter "ExternalId eq '/subscriptions/$subscriptionID/providers/Microsoft.Authorization/roleDefinitions/$RoleDefId'").Id
        # Assign that role
        Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'AzureResources' -ResourceId $ResPIMID -RoleDefinitionId $RoleDefinitionPIMID -SubjectId $TargetUserID2 -Type 'adminAdd' -AssignmentState 'Eligible' -Schedule $schedule -Reason "testing"
    }
}
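The if/else routing above depends entirely on how each row's Scope is compared with the subscription ID, and the post says the else branch is the only one ever taken. The following is an added example, not the poster's script: a small classifier plus a dry run over constructed CSV-style rows (the same Scope and RoleDefinitionId columns the post uses) that shows which branch each row would take before any PIM cmdlet is called. It assumes a hypothetical function name, Get-ScopeKind, and placeholder subscription GUIDs; it goes a step beyond the post by also separating resource-group and resource scopes and scopes from a different subscription, and by showing why an unanchored -match lumps child scopes in with the subscription itself.

```powershell
# Added example (not the poster's code). Classifies an ARM scope string relative to one
# subscription so the if/else routing can be checked offline, without calling AzureAD PIM cmdlets.

function Get-ScopeKind {
    param(
        [Parameter(Mandatory)] [string] $Scope,
        [Parameter(Mandatory)] [string] $SubscriptionId
    )
    # Normalise the things that commonly differ between a CSV export and a live scope:
    # surrounding whitespace and a trailing slash. -eq, -like and -match are already case-insensitive.
    $s        = $Scope.Trim().TrimEnd('/')
    $subScope = "/subscriptions/$SubscriptionId"

    if ($s -eq $subScope) {
        return 'Subscription'                       # the subscription itself: exact match only
    }
    # Anchored regex: exactly one path segment after /resourceGroups/.
    # An unanchored ($s -match $subScope) would be true for this and every scope below,
    # which is why -match cannot be used to detect "subscription level".
    if ($s -match "^$([regex]::Escape($subScope))/resourceGroups/[^/]+$") {
        return 'ResourceGroup'
    }
    if ($s -like "$subScope/*") {
        return 'Resource'                           # anything deeper under this subscription
    }
    return 'OtherSubscription'                      # different subscription, or a malformed scope
}

# Constructed sample rows standing in for Import-Csv output. Subscription GUIDs are placeholders;
# the role definition ids are the built-in Contributor and Reader role definition GUIDs.
$subscriptionID = '00000000-0000-0000-0000-000000000001'
$AzurePIM = @(
    [pscustomobject]@{ Scope = "/subscriptions/$subscriptionID";                        RoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' }
    [pscustomobject]@{ Scope = "/subscriptions/$subscriptionID/";                       RoleDefinitionId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7' }
    [pscustomobject]@{ Scope = "/subscriptions/$subscriptionID/resourceGroups/rg-app";  RoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c' }
    [pscustomobject]@{ Scope = "/subscriptions/$subscriptionID/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp01"; RoleDefinitionId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7' }
    [pscustomobject]@{ Scope = '/subscriptions/00000000-0000-0000-0000-000000000002';  RoleDefinitionId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7' }
)

# Dry run: report, per row, the scope kind, which branch of the post's loop it would take,
# and whether the post's original unanchored -match would (mis)classify it as subscription-level.
$AzurePIM | ForEach-Object {
    $kind = Get-ScopeKind -Scope $_.Scope -SubscriptionId $subscriptionID
    [pscustomobject]@{
        Scope            = $_.Scope
        Kind             = $kind
        Branch           = if ($kind -eq 'Subscription') { 'if (use $subscriptionPIMID)' } else { 'else (look up PIM resource)' }
        UnanchoredMatch  = ($_.Scope -match "/subscriptions/$subscriptionID")
        RoleDefinitionId = $_.RoleDefinitionId
    }
} | Format-Table -AutoSize
```

Running this against the real Import-Csv output (replace the constructed $AzurePIM) is the quickest way to see why the else branch fires: if every row comes back as OtherSubscription, the Scope column does not contain the subscription ID held in $subscriptionID; if rows come back as ResourceGroup or Resource, they are correctly routed to the else branch and the subscription-level rows simply are not in the file. Only rows classified Subscription should reach the branch that passes $subscriptionPIMID to Open-AzureADMSPrivilegedRoleAssignmentRequest, which keeps the eligible assignment scoped to what the CSV actually granted rather than widening a resource-group role to the whole subscription.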