Forum Discussion

_CM_
Copper Contributor
Aug 15, 2023
Solved

PermissionScopeNotGranted

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest returns errorCode "PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope"

I'm authenticating using a Service Principal with a Certificate, and to my knowledge this should have all the required API permissions. Not sure if this is the issue or if the error points to the DirectoryScopeId in the Params, currently being "/subscriptions/$($Subscription.Id)"

Any ideas?

For the Global Reader role, I'm using this:

$params = @{
    "PrincipalId"      = "3630920c-hidden"
    "RoleDefinitionId" = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"   # Global Reader
    "Justification"    = "Approved in EISP-2655"
    "DirectoryScopeId" = "/"                                      # tenant-wide
    "Action"           = "AdminAssign"
    "ScheduleInfo"     = @{
        "StartDateTime" = Get-Date
        "Expiration"    = @{
            "Type"     = "AfterDuration"
            "Duration" = "PT8H"                                   # eligibility expires after 8 hours
        }
    }
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params

Returns ErrorCode: RoleAssignmentExists - expected.

Doing the same for Contributor role (b24988ac-6180-42a0-ab88-20f7382dd24c) fails with

ErrorCode: RoleNotFound


1 Reply

  •
    _CM_
    Copper Contributor
    Resolved.

    This grants a user a new eligible PIM entry for the role 'Application Administrator'.

    Get the role ID from:
    Get-MgRoleManagementDirectoryRoleDefinition | select Id, DisplayName | sort DisplayName

    This now works:

    $params = @{
        "PrincipalId"      = "{user Object ID}"
        "RoleDefinitionId" = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"                  # App Admin role
        "Justification"    = "Justification text"
        "directoryScopeId" = "/{AAD resource ObjectId for e.g. Azure AD app}"        # use "/" for tenant-wide
        "Action"           = "AdminAssign"
        "ScheduleInfo"     = @{
            "StartDateTime" = Get-Date
            "Expiration"    = @{
                "Type"     = "AfterDuration"
                "Duration" = "PT8H"
            }
        }
    }

    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
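The RoleNotFound error in the question comes from passing an Azure RBAC role ID (Contributor) to the directory-role endpoint, which only knows Entra ID directory roles. The script below is an added example, not the poster's code: it resolves the role by display name so a non-directory role fails early, skips the request when the eligibility already exists (the RoleAssignmentExists case), and keeps the eligibility time-bound. It assumes Connect-MgGraph has already run with an identity granted RoleEligibilitySchedule.ReadWrite.Directory; the function names are hypothetical.

```powershell
# Added example (not from the original post). Assumes an existing Connect-MgGraph
# session with the RoleEligibilitySchedule.ReadWrite.Directory permission.

function Resolve-DirectoryRoleDefinitionId {
    param([Parameter(Mandatory)][string]$DisplayName)
    # The directory role endpoint only resolves Entra ID directory roles; Azure RBAC
    # roles such as Contributor live in Azure Resource Manager and return RoleNotFound.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    if (-not $role) {
        throw "No Entra directory role named '$DisplayName'. List valid names with Get-MgRoleManagementDirectoryRoleDefinition."
    }
    return $role.Id
}

function New-TimeBoundEligibility {
    param(
        [Parameter(Mandatory)][string]$PrincipalId,
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$Justification,
        [string]$DirectoryScopeId = '/',   # '/' is tenant-wide; prefer the narrowest scope that works
        [string]$Duration = 'PT8H'         # ISO 8601 duration; the eligibility expires on its own
    )
    $roleId = Resolve-DirectoryRoleDefinitionId -DisplayName $RoleDisplayName

    # Avoid RoleAssignmentExists: check for an identical eligibility before submitting.
    $existing = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
        -Filter "principalId eq '$PrincipalId' and roleDefinitionId eq '$roleId'" |
        Where-Object { $_.DirectoryScopeId -eq $DirectoryScopeId }
    if ($existing) {
        Write-Warning "Eligibility already exists for $PrincipalId on '$RoleDisplayName' at scope $DirectoryScopeId"
        return $existing
    }

    $body = @{
        PrincipalId      = $PrincipalId
        RoleDefinitionId = $roleId
        DirectoryScopeId = $DirectoryScopeId
        Action           = 'AdminAssign'
        Justification    = $Justification
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = 'AfterDuration'; Duration = $Duration }
        }
    }
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
}

# Usage (placeholder object ID, replace with the real principal):
# New-TimeBoundEligibility -PrincipalId '00000000-0000-0000-0000-000000000000' `
#     -RoleDisplayName 'Application Administrator' -Justification 'Ticket reference'
```

Calling it with 'Contributor' as the display name throws at the lookup step instead of failing at the Graph call, which makes the directory-role versus Azure-role mix-up obvious.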