Jun 15 2024 01:47 AM
I query roleManagement/directory/roleEligibilitySchedules to make an inventory of all assigned Entra ID roles through Privileged Identity Management.
Each role assignment has a property RoleDefinitionId, which refers to the id of the Entra ID role (a list I got from roleManagement/directory/roleDefinitions, it includes custom roles).
My problem is that a RoleDefinitionId can only be found for built-in roles, not for custom roles.
A custom role has a Guid that cannot be found/resolved anywhere it seems.
Is this a bug? Or am I missing something?
Cheers,
Sem
Jun 15 2024 08:56 AM
Jun 15 2024 11:20 AM
Thanks for your reply,
I think I didn’t explain it very well. Allow me a retry:
I wrote a script that makes an inventory of which principals are assigned to which EntraID roles,
roleEligibilitySchedules is the cross table for eligible assignments that glues roles to principals (like users and groups).
For built-in roles, it works exactly as you suggest. But for custom roles it doesn’t, that’s my problem.
Before I can resolve those IDs I query all roles. I focus on one custom role:
/roleManagement/directory/roleDefinitions/6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0
I retrieve:
"id": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
…
"displayName": "Bitlocker Read"
"isBuiltIn": false,
…
"templateId": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
…
When I query roleManagement/directory/roleEligibilitySchedules and get all eligibility assignments, I cannot find 6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0 as templateId, but I know which test user is a member of my custom "bitlocker read" role, so I filter on the user's principalId.
This is the only roleEligibilitySchedule with my test user's principalId:
id : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
principalId : 6f8622c4-4f60-4072-af68-6b59191680c1
roleDefinitionId : 32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4
directoryScopeId : /
appScopeId :
createdUsing : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
createdDateTime : 2022-11-18T09:46:58.217Z
modifiedDateTime : 0001-01-01T08:00:00Z
status : Provisioned
memberType : Direct
scheduleInfo : @{startDateTime=2022-11-18T09:46:58.217Z; recurrence=; expiration=}
The roleDefinitionId for this assignment (32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4) does not equal the templateId (6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0).
For all built-in roles the roleDefinitionId does equal the templateId, and I can resolve which principal is assigned to which role.
But for custom roles I can't.
Am I overlooking something? Or did I find a bug 🙂
Cheers,
Sem
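As an added example (not the poster's script), the join described above in Python, run offline over constructed records modelled on the values quoted in the thread. The custom-role GUIDs are the ones from the post; the built-in role's name and GUID and the second schedule are made up. The point is the failure mode: an inventory should report a roleDefinitionId it cannot resolve instead of silently dropping that assignment, because a dropped row under-reports who holds privileged access.

```python
# Added example, not from the original post: join PIM roleEligibilitySchedules
# to roleDefinitions by id OR templateId and report any ids that resolve to
# neither, which is exactly the situation described for the custom role.
# Live data would come from:
#   GET /roleManagement/directory/roleDefinitions
#   GET /roleManagement/directory/roleEligibilitySchedules
from typing import Dict, List, Tuple

# Constructed sample data. The built-in role GUID and display name below are
# placeholders; the custom-role ids are the values quoted in the post.
ROLE_DEFINITIONS = [
    {"id": "11111111-1111-1111-1111-111111111111",      # constructed
     "displayName": "Example Built-in Role", "isBuiltIn": True,
     "templateId": "11111111-1111-1111-1111-111111111111"},
    {"id": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
     "displayName": "Bitlocker Read", "isBuiltIn": False,
     "templateId": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0"},
]
ELIGIBILITY_SCHEDULES = [
    {"id": "22222222-2222-2222-2222-222222222222",      # constructed
     "principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionId": "11111111-1111-1111-1111-111111111111",
     "directoryScopeId": "/"},
    {"id": "0d6c6077-15fc-48e1-a055-4ce91f1a4aa2",
     "principalId": "6f8622c4-4f60-4072-af68-6b59191680c1",
     "roleDefinitionId": "32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4",
     "directoryScopeId": "/"},
]

def build_role_index(role_defs: List[Dict]) -> Dict[str, Dict]:
    """Index each role definition under both its id and its templateId,
    so a schedule referencing either GUID resolves to the same role."""
    index: Dict[str, Dict] = {}
    for rd in role_defs:
        index[rd["id"]] = rd
        index[rd["templateId"]] = rd
    return index

def resolve_eligibility(schedules: List[Dict],
                        role_defs: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Return (resolved inventory rows, sorted unique unresolved role ids)."""
    index = build_role_index(role_defs)
    resolved: List[Dict] = []
    unresolved: List[str] = []
    for s in schedules:
        rd = index.get(s["roleDefinitionId"])
        if rd is None:                       # neither id nor templateId matched
            unresolved.append(s["roleDefinitionId"])
            continue
        resolved.append({"principalId": s["principalId"], "role": rd["displayName"],
                         "isBuiltIn": rd["isBuiltIn"], "scope": s["directoryScopeId"]})
    return resolved, sorted(set(unresolved))

if __name__ == "__main__":
    rows, missing = resolve_eligibility(ELIGIBILITY_SCHEDULES, ROLE_DEFINITIONS)
    for row in rows:
        print(row)
    for rid in missing:
        print("unresolved roleDefinitionId (check PIM/custom role mapping):", rid)
```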
Jun 16 2024 07:58 AM
Solution (Jun 16 2024 08:11 AM)