Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance fails when Authentication Context is enabled on Group #2800

Open
jeremyhagan opened this issue Jun 19, 2024 · 1 comment
Open

New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance fails when Authentication Context is enabled on Group #2800

jeremyhagan opened this issue Jun 19, 2024 · 1 comment
Labels
Status: Needs Investigation

Comments

@jeremyhagan
Copy link

jeremyhagan commented Jun 19, 2024
edited
Loading

Describe the bug

I am trying to submit a new group activation request using MgGraph. The group has the setting On activation, require: Authentication context: PIM Activation configured.

I have used Get-MsalToken to acquire an access token which includes the acrs claim c1 and if I decode the token using https://jwt.ms/ I can see the acrs = c1 in the token and the auth log show that the login trigger the CA policy with the auth context.

However, when I attempt to use New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance to elevate I get the error: RoleAssignmentRequestAcrsValidationFailed

Expected behavior

The cmdlet succeeds

How to reproduce

$graph = "https://graph.microsoft.com"
$scopes = @(
    "$graph/PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
    "$graph/PrivilegedEligibilitySchedule.Read.AzureADGroup",
    "$graph/RoleManagementPolicy.Read.AzureADGroup"
)
$tenantId = "TENANT_ID"
$appId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"

$connectionDetails = @{
    'TenantId'              = $tenantId
    'ClientId'              = $appId
    'Interactive'           = $true
    'scopes'                = $scopes
    'ExtraQueryParameters'  = @{'claims' = '%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22c1%22%7D%7D%7D'}
}
Clear-MsalTokenCache
$token = Get-MsalToken @connectionDetails
Connect-MgGraph -NoWelcome -AccessToken ($token.AccessToken | ConvertTo-SecureString -AsPlainText)
$myAccount = Get-MgUser -UserId (Get-MgContext).Account
$requestParams = @{
    accessId = "member"
    principalId = $myAccount.Id
    groupId = "GROUP_ID"
    action = "selfActivate"
    scheduleInfo = @{
        startDateTime = (Get-Date)
        expiration = @{
            type = "afterDuration"
            duration = "PT1H"
        }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $requestParams

SDK Version

2.19.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

Click to expand log ```

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
POST

Absolute Uri:
https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests

Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; en-AU),PowerShell/2024.2.2
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.19.0
client-request-id : 9d2707d8-b797-439a-a30e-d94c7e16a61b

Body:
{
"action": "selfActivate",
"scheduleInfo": {
"expiration": {
"duration": "PT5M",
"type": "afterDuration"
}
},
"accessId": "member",
"groupId": "GROUP_ID",
"principalId": "PRINCIPAL_ID"
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : ef737aa5-0d1d-43ad-bc4f-844e05171c08
client-request-id : 9d2707d8-b797-439a-a30e-d94c7e16a61b
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Australia East","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SY2PEPF00006466"}}
Date : Wed, 19 Jun 2024 06:48:51 GMT

Body:
{
"error": {
"code": "RoleAssignmentRequestAcrsValidationFailed",
"message": "&claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%20%22value%22%3A%22c1%22%7D%7D%7D",
"innerError": {
"date": "2024-06-19T06:48:51",
"request-id": "ef737aa5-0d1d-43ad-bc4f-844e05171c08",
"client-request-id": "9d2707d8-b797-439a-a30e-d94c7e16a61b"
}
}
}

</details>


### Configuration


Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.17763
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0



### Other information

_No response_
@jeremyhagan jeremyhagan added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Jun 19, 2024
@jeremyhagan
Copy link
Author

Added missing cmdlet syntax on steps to reporduce

@timayabi2020 timayabi2020 added Status: Needs Investigation and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Aug 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Status: Needs Investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@timayabi2020 @jeremyhagan