Forum Discussion

Qonnect
Copper Contributor
Jun 15, 2024

unresolvable roledefinitionId in roleEligibilitySchedules

I query roleManagement/directory/roleEligibilitySchedules to make an inventory of all assigned Entra ID roles through Privileged Identity Management.


Each role assignment has a property RoleDefinitionId, which refers to the id of the Entra ID role (a list I got from roleManagement/directory/roleDefinitions; it includes custom roles).


My problem is that a RoleDefinitionId can only be found for built-in roles, not for custom roles.

A custom role has a Guid that cannot be found/resolved anywhere, it seems.


Is this a bug? Or am I missing something?

Cheers,

Sem

  • roleDefinitionId within the roleEligibilitySchedule object matches the ID value of the role, not its templateId. Do an $expand when fetching the schedules to get the full set of properties:

    /roleManagement/directory/roleEligibilitySchedules?$expand=roleDefinition

    This will give you both the ID (irrelevant) and the templateId for the role. The latter you can use against the /roleManagement/directory/roleDefinitions/ endpoint to get the custom role name/details.
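The lookup the answer above describes, as an added example that is not the poster's script or any code from this thread: it keys the roleDefinitions listing by `id` (the value a schedule's roleDefinitionId carries, not `templateId`), prefers the roleDefinition that `$expand` returns inline, and keeps rows whose roleDefinitionId resolves to nothing, so a privileged-access inventory cannot silently drop custom-role eligibilities. All sample records and GUIDs are constructed.

```python
"""Resolve PIM eligibility schedules to role names, including custom roles."""
from typing import Dict, List, Optional

# Fetching schedules with this query returns the role inline (see the answer above).
EXPAND_URL = "/roleManagement/directory/roleEligibilitySchedules?$expand=roleDefinition"

def index_roles_by_id(role_definitions: List[dict]) -> Dict[str, dict]:
    """Key roles by `id`: that is what roleDefinitionId carries, not `templateId`."""
    return {role["id"]: role for role in role_definitions}

def resolve_schedule(schedule: dict, roles_by_id: Dict[str, dict]) -> dict:
    """One inventory row; uses the $expand'ed roleDefinition if present, else the id index."""
    role: Optional[dict] = schedule.get("roleDefinition") or roles_by_id.get(schedule["roleDefinitionId"])
    return {
        "principalId": schedule["principalId"],
        "roleDefinitionId": schedule["roleDefinitionId"],
        "roleName": role["displayName"] if role else None,
        "templateId": role["templateId"] if role else None,
        "isBuiltIn": role["isBuiltIn"] if role else None,
        "scope": schedule.get("directoryScopeId") or schedule.get("appScopeId"),
    }

def build_inventory(schedules: List[dict], role_definitions: List[dict]) -> List[dict]:
    """Rows for every schedule; an unresolved role shows roleName None instead of vanishing."""
    roles_by_id = index_roles_by_id(role_definitions)
    return [resolve_schedule(s, roles_by_id) for s in schedules]

def unresolved(inventory: List[dict]) -> List[dict]:
    """Rows whose roleDefinitionId matched no role: review these, never silently drop them."""
    return [row for row in inventory if row["roleName"] is None]

# Constructed sample items shaped like Graph `value` entries; all GUIDs are made up.
ROLE_DEFINITIONS = [
    {"id": "11111111-0000-4000-8000-000000000001", "isBuiltIn": True,
     "templateId": "11111111-0000-4000-8000-000000000001", "displayName": "Built-in Reader"},
    {"id": "22222222-0000-4000-8000-000000000002", "isBuiltIn": False,   # custom: id differs
     "templateId": "33333333-0000-4000-8000-000000000003", "displayName": "Bitlocker Read"},
]
SCHEDULES = [
    {"principalId": "aaaaaaaa-0000-4000-8000-00000000000a", "directoryScopeId": "/",
     "roleDefinitionId": "11111111-0000-4000-8000-000000000001"},
    {"principalId": "bbbbbbbb-0000-4000-8000-00000000000b", "directoryScopeId": "/",   # with $expand
     "roleDefinitionId": "22222222-0000-4000-8000-000000000002", "roleDefinition": ROLE_DEFINITIONS[1]},
    {"principalId": "cccccccc-0000-4000-8000-00000000000c", "directoryScopeId": "/",   # without $expand
     "roleDefinitionId": "22222222-0000-4000-8000-000000000002"},
    {"principalId": "dddddddd-0000-4000-8000-00000000000d", "directoryScopeId": "/",   # matches no role
     "roleDefinitionId": "99999999-0000-4000-8000-000000000009"},
]
```

Run `unresolved(build_inventory(...))` after every inventory pass; a non-empty result means eligibilities exist that the report would otherwise miss.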
    • Qonnect
      Copper Contributor

      VasilMichev


      Thanks for your reply,

      I think I didn’t explain it very well. Allow me a retry:


      I wrote a script that makes an inventory of which principals are assigned to which EntraID roles.

      roleEligibilitySchedules is the cross table for eligible assignments that glues roles to principals (like users and groups).

      For built-in roles, it works exactly as you suggest. But for custom roles it doesn’t; that’s my problem.

      Before I can resolve those IDs, I query all roles. I focus on one custom role:

      /roleManagement/directory/roleDefinitions/6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0

      I retrieve:

      "id": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
      "displayName": "Bitlocker Read",
      "isBuiltIn": false,
      "templateId": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",

      When I query roleManagement/directory/roleEligibilitySchedules and get all eligibility assignments, I cannot find 6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0 as templateId, but I know which test user is a member of my custom "bitlocker read" role. So I filter on the user's principalId.

      This is the only roleEligibilitySchedule with my test user's principalId:


      id               : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
      principalId      : 6f8622c4-4f60-4072-af68-6b59191680c1
      roleDefinitionId : 32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4
      directoryScopeId : /
      appScopeId       :
      createdUsing     : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
      createdDateTime  : 2022-11-18T09:46:58.217Z
      modifiedDateTime : 0001-01-01T08:00:00Z
      status           : Provisioned
      memberType       : Direct
      scheduleInfo     : @{startDateTime=2022-11-18T09:46:58.217Z; recurrence=; expiration=}

      The roleDefinitionId for this assignment (32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4) does not equal the templateId (6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0).

      For all built-in roles the roleDefinitionId does equal the templateId, and I can resolve which principal is assigned to which role.

      But for custom roles I can't.


      Am I overlooking something? Or did I find a bug? 🙂

      Cheers,

      Sem
