SOLVED

unresolvable roledefinitionId in roleEligibilitySchedules


I query roleManagement/directory/roleEligibilitySchedules to make an inventory of all assigned Entra ID roles through Privileged Identity Management.


Each role assignment has a property RoleDefinitionId, which refers to the id of the Entra ID role (a list I got from roleManagement/directory/roleDefinitions, it includes custom roles).

 

My problem is that a RoleDefinitionId can only be found for built-in roles, not for custom roles.

A custom role has a Guid that cannot be found/resolved anywhere it seems.

 

Is this a bug? Or am I missing something?

Cheers,

Sem

Within RoleDefinitionId, you will find the templateId value. Use it against the /roleManagement/directory/roleDefinitions/ endpoint:

# Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/6c903547-9b1f-4a36-85aa-4a...?"

Name Value
---- -----
assignmentMode
isBuiltIn False
isEnabled True
displayName test

@VasilMichev 

 

Thanks for your reply,

I think I didn’t explain it very well. Allow me a retry:

 

I wrote a script that makes an inventory of which principals are assigned to which Entra ID roles.

roleEligibilitySchedules is the cross table for eligible assignments that glues roles to principals (like users and groups).

For built-in roles, it works exactly as you suggest. But for custom roles it doesn’t, that’s my problem.

 

Before I can resolve those IDs, I query all roles. I focus on one custom role:

/roleManagement/directory/roleDefinitions/6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0

I retrieve:

"id": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",
"displayName": "Bitlocker Read",
"isBuiltIn": false,
"templateId": "6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0",

When I query roleManagement/directory/roleEligibilitySchedules and get all eligibility assignments, I cannot find 6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0 as templateId, but I know which test user is a member of my custom "bitlocker read" role. So I filter on the user's principalId.

This is the only roleEligibilitySchedule with my test user's principalId:

 

id               : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
principalId      : 6f8622c4-4f60-4072-af68-6b59191680c1
roleDefinitionId : 32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4
directoryScopeId : /
appScopeId       :
createdUsing     : 0d6c6077-15fc-48e1-a055-4ce91f1a4aa2
createdDateTime  : 2022-11-18T09:46:58.217Z
modifiedDateTime : 0001-01-01T08:00:00Z
status           : Provisioned
memberType       : Direct
scheduleInfo     : @{startDateTime=2022-11-18T09:46:58.217Z; recurrence=; expiration=}

The roleDefinitionId for this assignment (32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4) does not equal the templateId (6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0).

For all built-in roles the roleDefinitionId does equal the templateId, and I can resolve which principal is assigned to which role.

But for custom roles I can't.

 

Am I overlooking something? Or did I find a bug 🙂

Cheers,

Sem

best response confirmed by Qonnect (Copper Contributor)
Solution
roleDefinitionId within the roleEligibilitySchedule object matches the ID value of the role, not its templateId. Do an $expand when fetching the schedules to get the full set of properties:

/roleManagement/directory/roleEligibilitySchedules?$expand=roleDefinition

This will give you both the ID (irrelevant) and the templateId for the role. The latter you can use against the /roleManagement/directory/roleDefinitions/ endpoint to get the custom role name/details.
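As an added example (not code from the thread or from the Microsoft Graph SDK), here is a PowerShell sketch of the inventory the question describes, using the $expand=roleDefinition the accepted answer recommends so that custom roles resolve to a name and templateId rather than an unresolvable roleDefinitionId. The function names are hypothetical, the sample schedule objects are constructed for offline use (the GUIDs for the custom role are the ones quoted in the thread, the built-in one is a placeholder), and the live helper assumes the beta endpoint plus a Microsoft.Graph SDK session with RoleManagement.Read.Directory.

```powershell
# Added example, not from the original thread. Builds an eligible-assignment inventory
# from roleEligibilitySchedules fetched with $expand=roleDefinition.

function Get-EligibleRoleInventory {
    param(
        # Objects shaped like the 'value' array returned by
        # /roleManagement/directory/roleEligibilitySchedules?$expand=roleDefinition
        [Parameter(Mandatory)] [object[]] $Schedules
    )
    foreach ($s in $Schedules) {
        $def = $s.roleDefinition
        if ($null -eq $def) {
            # Without $expand the schedule carries only roleDefinitionId, which for
            # custom roles is not the templateId; report it instead of guessing.
            Write-Warning "Schedule $($s.id) has no expanded roleDefinition; refetch with `$expand=roleDefinition"
            continue
        }
        [pscustomobject]@{
            PrincipalId      = $s.principalId
            RoleDefinitionId = $s.roleDefinitionId   # object id of the roleDefinition
            TemplateId       = $def.templateId       # equals roleDefinitionId only for built-in roles
            RoleName         = $def.displayName
            IsBuiltIn        = $def.isBuiltIn
            DirectoryScopeId = $s.directoryScopeId
            Status           = $s.status
        }
    }
}

function Get-EligibleRoleInventoryFromGraph {
    # Live variant (hypothetical helper): needs Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilitySchedules?`$expand=roleDefinition"
    $all = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $all += $page.value
        $uri = $page.'@odata.nextLink'   # follow paging; larger tenants return several pages
    }
    Get-EligibleRoleInventory -Schedules $all
}

# Constructed sample data: one custom role (ids from the thread) and one built-in role
# (placeholder ids). For the built-in role templateId equals roleDefinitionId; for the
# custom role it does not, which is exactly what the $expand resolves.
$sample = @(
    @{
        id               = '0d6c6077-15fc-48e1-a055-4ce91f1a4aa2'
        principalId      = '6f8622c4-4f60-4072-af68-6b59191680c1'
        roleDefinitionId = '32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4'
        directoryScopeId = '/'
        status           = 'Provisioned'
        roleDefinition   = @{
            id          = '32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4'
            templateId  = '6a0fa8c8-20bb-4a87-ab9b-935f1572d1a0'
            displayName = 'Bitlocker Read'
            isBuiltIn   = $false
        }
    },
    @{
        id               = '00000000-0000-0000-0000-00000000aaaa'   # placeholder
        principalId      = '00000000-0000-0000-0000-00000000bbbb'   # placeholder
        roleDefinitionId = '00000000-0000-0000-0000-00000000cccc'   # placeholder
        directoryScopeId = '/'
        status           = 'Provisioned'
        roleDefinition   = @{
            id          = '00000000-0000-0000-0000-00000000cccc'   # placeholder
            templateId  = '00000000-0000-0000-0000-00000000cccc'   # same as id for built-in roles
            displayName = 'Example Built-in Role'
            isBuiltIn   = $true
        }
    },
    @{
        # Schedule fetched without $expand: no roleDefinition property, so it is flagged.
        id               = '00000000-0000-0000-0000-00000000dddd'   # placeholder
        principalId      = '00000000-0000-0000-0000-00000000bbbb'   # placeholder
        roleDefinitionId = '32b1dc3c-00af-4da1-9044-6fcfbd2ba4d4'
        directoryScopeId = '/'
        status           = 'Provisioned'
    }
)

Get-EligibleRoleInventory -Schedules $sample | Format-Table -AutoSize
```

The inventory keys each assignment on templateId and displayName, which is what an auditor comparing eligible PIM assignments against an expected baseline actually needs; the unexpanded third sample shows why a missing roleDefinition should be surfaced as a warning rather than silently dropped, since an unresolved custom-role assignment is exactly the kind of entry that gets overlooked in a review.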
YES! That's it! Thank you so much for helping me!
The $expand saves me from looking up the name too, brilliant!
