Forum Discussion

_CM_
Copper Contributor
Aug 15, 2023
Solved

PermissionScopeNotGranted

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest returns errorCode "PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope" I'm authenticating using an...
  • _CM_
    Aug 16, 2023
    Resolved.

    This grants a user a new eligible PIM entry for the role 'Application Administrator'.

    Get the role id from:
    Get-MgRoleManagementDirectoryRoleDefinition | select Id, DisplayName | sort DisplayName

    This now works:

    $params = @{
        "PrincipalId"      = "{user Object ID}"
        "RoleDefinitionId" = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" # App Admin role
        "Justification"    = "Justification text"
        "directoryScopeId" = "/{AAD resource ObjectId for e.g. Azure AD app}" # use "/" for tenant-wide
        "Action"           = "AdminAssign"
        "ScheduleInfo"     = @{
            "StartDateTime" = Get-Date
            "Expiration"    = @{
                "Type"     = "AfterDuration"
                "Duration" = "PT8H"
            }
        }
    }

    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
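The same eligibility request as an added, end-to-end example (this is not code from the original post): it connects with the Microsoft Graph scope the cmdlet needs, checks that the token actually carries that scope before calling the cmdlet (a missing scope is what surfaces as "PermissionScopeNotGranted"), resolves the role by display name instead of a hard-coded id, and resolves the principal by UPN. The scope name, role name, UPN and duration below are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell
# SDK is installed and that the signed-in account may consent to the scope below.

# Graph permission governing role eligibility schedule requests.
$requiredScope = 'RoleEligibilitySchedule.ReadWrite.Directory'

Connect-MgGraph -Scopes $requiredScope

# Verify the consented scopes before calling the cmdlet; if the token lacks the
# scope, the API answers with "PermissionScopeNotGranted".
$ctx = Get-MgContext
if (-not $ctx -or ($ctx.Scopes -notcontains $requiredScope)) {
    throw "Token lacks '$requiredScope'. Granted scopes: $($ctx.Scopes -join ', ')"
}

# Resolve the role definition by display name rather than hard-coding the template id.
$roleName = 'Application Administrator'   # assumed role for this example
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role definition '$roleName' not found" }

# Resolve the principal by UPN (placeholder value, assumed).
$user = Get-MgUser -UserId 'user@contoso.example'

$params = @{
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = '/'        # tenant-wide; use '/<objectId>' to limit to one resource
    Action           = 'AdminAssign'
    Justification    = 'Eligible (not active) assignment; activation still goes through PIM'
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = 'AfterDuration'
            Duration = 'PT8H'     # ISO 8601 duration, as in the post above
        }
    }
}

$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
$request | Select-Object Id, Status, Action
```

Checking `Get-MgContext` first turns the opaque API error into a local, explicit failure that names the missing scope, and filtering the role by display name avoids pasting a template id that may be mistyped. Keeping the assignment eligible rather than active preserves the least-privilege intent of PIM: the user still has to activate the role when needed.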