Forum Discussion
Qonnect
Jun 15, 2024 (Copper Contributor)
unresolvable roledefinitionId in roleEligibilitySchedules
I query roleManagement/directory/roleEligibilitySchedules to make an inventory of all assigned Entra ID roles through Privileged Identity Management. Each role assignment has a property RoleDefin...
Qonnect
Jun 15, 2024 (Copper Contributor)
Thanks for your reply,
I think I didn’t explain it very well. Allow me a retry:
I wrote a script that makes an inventory of which principals are assigned to which Entra ID roles.
roleEligibilitySchedules is the cross table for eligible assignments that glues roles to principals (like users and groups).
For built-in roles, it works exactly as you suggest. But for custom roles it doesn't; that's my problem.
Before I can resolve those IDs, I query all roles. I focus on one custom role:
/roleManagement/directory/roleDefinitions/6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0
I retrieve:
"id": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
…
"displayName": "Bitlocker Read",
"isBuiltIn": false,
…
"templateId": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
…
When I query roleManagement/directory/roleEligibilitySchedules and get all eligibility assignments,
I cannot find 6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0 as a templateId, but I know which test user is a member
of my custom "bitlocker read" role, so I filter on the user's principalId.
This is the only roleEligibilitySchedule with my test user's principalId:
id : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
principalId : 6f8622c4-4f60-4072-af68-6b59191680c1
roleDefinitionId : 32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4
directoryScopeId : /
appScopeId :
createdUsing : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
createdDateTime : 2022-11-18T09:46:58.217Z
modifiedDateTime : 0001-01-01T08:00:00Z
status : Provisioned
memberType : Direct
scheduleInfo : @{startDateTime=2022-11-18T09:46:58.217Z; recurrence=; expiration=}
The roleDefinitionId for this assignment (32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4) does not equal the templateId (6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0).
For all built-in roles the roleDefinitionId does equal the templateId, and I can resolve which principal is assigned to which role.
But for custom roles I can't.
Am I overlooking something? Or did I find a bug 🙂
Cheers,
Sem
VasilMichev
Jun 16, 2024 (MVP)
roleDefinitionId within the roleEligibilitySchedule object matches the ID value of the role, not its templateId. Do an $expand when fetching the schedules to get the full set of properties:
/roleManagement/directory/roleEligibilitySchedules?$expand=roleDefinition
This will give you both the ID (irrelevant) and the templateId for the role. The latter you can use against the /roleManagement/directory/roleDefinitions/ endpoint to get the custom role name/details.
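An added example, not code from anyone in this thread, showing the two join strategies side by side: the original one (treating roleDefinitionId as a templateId), which leaves the custom role unresolved, and the accepted one (reading templateId from the expanded roleDefinition). The responses are constructed sample data in the shape of /roleManagement/directory/roleDefinitions and /roleManagement/directory/roleEligibilitySchedules?$expand=roleDefinition; only the GUIDs quoted in the thread are real, the rest are made up.

```python
# Added example (not from the thread): resolving a PIM eligibility schedule's
# roleDefinitionId to a role name. Both responses are constructed sample data in
# the shape of GET /roleManagement/directory/roleDefinitions and
# GET /roleManagement/directory/roleEligibilitySchedules?$expand=roleDefinition.
# Only the GUIDs quoted in the thread are real; the others are made up.

ROLE_DEFINITIONS = [
    # built-in role: id and templateId coincide (constructed GUID)
    {"id": "11111111-1111-1111-1111-111111111111", "isBuiltIn": True,
     "templateId": "11111111-1111-1111-1111-111111111111",
     "displayName": "Sample Built-in Role"},
    # the custom role from the thread, as /roleDefinitions/{id} returns it
    {"id": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0", "isBuiltIn": False,
     "templateId": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
     "displayName": "Bitlocker Read"},
]

SCHEDULES = [
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionId": "11111111-1111-1111-1111-111111111111",
     "roleDefinition": {"id": "11111111-1111-1111-1111-111111111111",
                        "templateId": "11111111-1111-1111-1111-111111111111"}},
    # the custom-role schedule from the thread: roleDefinitionId is the role's
    # id, and only the expanded roleDefinition exposes the templateId
    {"principalId": "6f8622c4-4f60-4072-af68-6b59191680c1",
     "roleDefinitionId": "32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4",
     "roleDefinition": {"id": "32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4",
                        "templateId": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0"}},
]


def resolve_by_template_id(schedules, role_definitions):
    """Original approach: treat roleDefinitionId as a templateId.
    Built-in roles resolve; custom roles come back as None."""
    names = {r["templateId"]: r["displayName"] for r in role_definitions}
    return {s["principalId"]: names.get(s["roleDefinitionId"]) for s in schedules}


def resolve_via_expand(schedules, role_definitions):
    """Accepted answer: take templateId from the expanded roleDefinition and look
    that up in the roleDefinitions list, which also yields name and isBuiltIn."""
    roles = {r["templateId"]: r for r in role_definitions}
    inventory = {}
    for s in schedules:
        role = roles[s["roleDefinition"]["templateId"]]  # KeyError = orphaned schedule
        inventory[s["principalId"]] = (role["templateId"], role["displayName"], role["isBuiltIn"])
    return inventory
```

Running both over the same data shows the custom-role assignment as None in the first result and as ("6a0fa8c8-…", "Bitlocker Read", False) in the second, which is exactly the gap the thread describes.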
Qonnect
Jun 16, 2024 (Copper Contributor)
YES! That's it! Thank you so much for helping me!
The $expand saves me from having to look up the name too, brilliant!