BUG | Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest #3062

Open
pangjaa opened this issue Dec 23, 2024 · 3 comments
Labels
status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience

Comments

@pangjaa

pangjaa commented Dec 23, 2024

### Describe the bug

Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest does not return all schedules.

### Expected behavior

All eligible assignments are returned.

### How to reproduce

1. Create a role-assignable security group.
2. Assign permanent eligibility for Yammer Administrator and Attribute Definition Reader.
3. Run the code below.
4. Output only returns Attribute Definition Reader.
```powershell
Import-Module Microsoft.Graph.Beta.Identity.Governance
$TenantId = 'cd0036eb-1e0c-4496-bf8f-8eca88154645'
$AppId = "ff3521f3-6043-4ef5-a7da-7ba2f87a66f2" # customRoleCreator
$Thumbprint = Get-ChildItem "cert:\CurrentUser\My" |
    Where-Object { $_.Subject -like "CN=monkey01CustomRoleCreator00*" } |
    Select-Object -ExpandProperty Thumbprint

Connect-MgGraph -TenantId $TenantId -ClientId $AppId -CertificateThumbprint $Thumbprint # -ContextScope 'Process'
Get-MgContext

$PrincipalInstance = 'e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27' # role assignable group
$RoleDefinitionId = '810a2642-a034-447f-a5e8-41beaa378541' # Yammer Administrator
$DirectoryScopeId = '/' # directory scope
Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)' and DirectoryScopeId eq '/$($DirectoryScopeId)'"

Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)' and RoleDefinitionId eq '$($RoleDefinitionId)' and DirectoryScopeId eq '/$($DirectoryScopeId)'"

Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)'"
```


```text
PS C:\Users\Administrator\Desktop>
>> Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)'"

ApprovalId CompletedDateTime     CreatedDateTime       CustomData Id                                   Status      Action      AppScopeId DirectoryScopeId IsValidationOnly Justification PrincipalId                          RoleDefinitionId
---------- -----------------     ---------------       ---------- --                                   ------      ------      ---------- ---------------- ---------------- ------------- -----------                          ----------------
           12/23/2024 7:03:02 PM 12/23/2024 7:03:02 PM            d0ab367c-546e-4d53-a5fa-64aafe9a619a Provisioned AdminUpdate            /                False            test          e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 9b895d92-2cd3-44…
```

Diving deeper, I performed Graph calls which return the expected role schedule assignments.

```powershell
$ConsistencyLevel = 'eventual' # not defined in the original snippet; value assumed here
$HeaderParams = @{}
$HeaderParams.Add('ConsistencyLevel', "$ConsistencyLevel")
$Uri = "/beta/roleManagement/directory/roleDefinitions"
$Uri = "https://graph.microsoft.com$Uri" # overwritten by the next assignment

$URI = "https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests?`$filter=PrincipalId eq 'e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27'"
$Method = 'GET'
$OutputType = "PSObject"

$QueryRequest = Invoke-MgGraphRequest -Headers $HeaderParams -Uri $Uri -Method $Method -ContentType "application/json" -OutputType $OutputType
```


```text
PS C:\Users\Administrator\Desktop> $queryrequest.value | ft

id                                   status      createdDateTime       completedDateTime     approvalId customData action      principalId                          roleDefinitionId                     directoryScopeId
--                                   ------      ---------------       -----------------     ---------- ---------- ------      -----------                          ----------------                     ----------------
ffbe8107-8b0a-4eab-81f6-7c2f8b9ba07b Provisioned 12/23/2024 6:59:01 PM 12/23/2024 6:59:01 PM                       AdminAssign e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 /
40ccf9b4-e577-4ae4-88ca-0da1c4d2c0cd Provisioned 12/23/2024 6:29:09 PM 12/23/2024 6:29:09 PM                       AdminUpdate e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 810a2642-a034-447f-a5e8-41beaa378541 /
82d7ba49-6852-474d-a370-adedb7b0be88 Provisioned 12/23/2024 6:59:27 PM 12/23/2024 6:59:27 PM                       AdminAssign e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c /
1126afa4-8d7e-4711-82fb-46b1b965e2c7 Revoked     12/23/2024 9:19:41 PM                                             AdminRemove e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 810a2642-a034-447f-a5e8-41beaa378541 /
6606bcf2-14ba-4bd6-a35c-fe4d3c4d57a0 Provisioned 12/23/2024 9:23:27 PM 12/23/2024 9:23:27 PM                       AdminAssign e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 810a2642-a034-447f-a5e8-41beaa378541 /
```


### SDK Version

2.24

### Latest version known to work for scenario above?

No response

### Known Workarounds

No response

### Debug output



### Configuration

| Name | Value |
| --- | --- |
| PSVersion | 7.4.6 |
| PSEdition | Core |
| GitCommitId | 7.4.6 |
| OS | Microsoft Windows 10.0.20348 |
| Platform | Win32NT |
| PSCompatibleVersions | {1.0, 2.0, 3.0, 4.0…} |
| PSRemotingProtocolVersion | 2.3 |
| SerializationVersion | 1.1.0.1 |
| WSManStackVersion | 3.0 |


### Other information

_No response_
@pangjaa pangjaa added status:waiting-for-triage An issue that is yet to be reviewed or assigned type:bug A broken experience labels Dec 23, 2024
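In the raw GET above the request targets `roleEligibilityScheduleRequests`, while the cmdlet it is being compared against lists `roleAssignmentScheduleRequests`; PIM keeps eligibility and active assignment as separate resources, and either can span several pages. As an added example (not the issue author's code and not part of the Graph SDK), the helper below queries either beta resource for one principal with the same filter, follows `@odata.nextLink` so later pages are not dropped, and lists the provisioned role definitions that appear only on the eligibility side. It assumes an existing Connect-MgGraph session whose app can read both resource types (RoleEligibilitySchedule.Read.Directory and RoleAssignmentSchedule.Read.Directory are assumed), and `Get-PimScheduleRequest` is a hypothetical name.

```powershell
# Added example, not from the issue or the SDK. Assumes Connect-MgGraph has
# already been run with permission to read PIM schedule requests.
function Get-PimScheduleRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('roleAssignmentScheduleRequests', 'roleEligibilityScheduleRequests')]
        [string] $Resource,

        [Parameter(Mandatory)]
        [string] $PrincipalId
    )

    # Same filter as in the issue; nothing is prepended to the scope.
    $filter = "principalId eq '$PrincipalId'"
    $uri = "https://graph.microsoft.com/beta/roleManagement/directory/$Resource" +
           "?`$filter=" + [uri]::EscapeDataString($filter)

    $results = @()
    # Follow @odata.nextLink until the service reports no further pages;
    # reading only the first page would silently drop later requests.
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $results += @($page.value)
        $uri = $page.'@odata.nextLink'
    }
    return ,$results   # leading comma keeps an empty/single result as an array
}

$principal = 'e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27'   # the group ID used in the issue

$eligible = Get-PimScheduleRequest -Resource roleEligibilityScheduleRequests -PrincipalId $principal
$active   = Get-PimScheduleRequest -Resource roleAssignmentScheduleRequests  -PrincipalId $principal

# Provisioned requests reflect current state; Revoked ones are history.
$eligibleRoles = @($eligible | Where-Object status -eq 'Provisioned' |
    Select-Object -ExpandProperty roleDefinitionId -Unique)
$activeRoles   = @($active   | Where-Object status -eq 'Provisioned' |
    Select-Object -ExpandProperty roleDefinitionId -Unique)

"Eligibility requests: $($eligible.Count)  provisioned roles: $($eligibleRoles -join ', ')"
"Assignment requests : $($active.Count)  provisioned roles: $($activeRoles -join ', ')"

# Roles a query against roleAssignmentScheduleRequests alone would never show.
$eligibleRoles | Where-Object { $_ -notin $activeRoles } | ForEach-Object {
    "Eligible only (absent from roleAssignmentScheduleRequests): $_"
}
```

The SDK equivalents of the two resources are `Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest` and `Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest`; pass `-All` to either to have the cmdlet page for you.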
@NikCharlebois

The filter looks incorrect. Try removing the hardcoded '/' and just keep the variable part:

```powershell
-Filter "PrincipalId eq '$($PrincipalInstance)' and RoleDefinitionId eq '$($RoleDefinitionId)' and DirectoryScopeId eq '$($DirectoryScopeId)'"
```

Instead of:

```powershell
-Filter "PrincipalId eq '$($PrincipalInstance)' and RoleDefinitionId eq '$($RoleDefinitionId)' and DirectoryScopeId eq '/$($DirectoryScopeId)'"
```

@pangjaa

pangjaa commented Dec 24, 2024

Yammer Admin is not returned via the PowerShell cmdlet `Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)'"`.

```text
PS C:\Users\Administrator\Desktop> Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)'"

ApprovalId CompletedDateTime     CreatedDateTime       CustomData Id                                   Status      Action      AppScopeId DirectoryScopeId IsValidationOnly Justification PrincipalId                          RoleDefinitionId
---------- -----------------     ---------------       ---------- --                                   ------      ------      ---------- ---------------- ---------------- ------------- -----------                          ----------------
           12/23/2024 7:03:02 PM 12/23/2024 7:03:02 PM            d0ab367c-546e-4d53-a5fa-64aafe9a619a Provisioned AdminUpdate            /                False            test          e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 9b895d92-2cd3-44c…
```

There are 2 role schedules assigned to the security group. Yammer Admin and Attribute Definition Reader.

@pangjaa

pangjaa commented Dec 24, 2024

Another data point: role eligibilities assigned via API call aren't returned with Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest.

```powershell
# $AadRoleDefinitions, $HeaderParams and $OutputType carry over from the earlier
# session (the GET call in the first post); $OutputType is "PSObject" there.
$builtinRoles = $AadRoleDefinitions.value | Where-Object { $_.isBuiltIn -eq $True }

New-MgBetaGroup -DisplayName "sg-TestAllPIM" -MailNickName 'sg-TestAllPIM' -IsAssignableToRole:$True -SecurityEnabled:$True -MailEnabled:$False
$principal = "3feac498-eb82-4f38-9bdf-f90fcee036df"
# $roleDefinitionId = "810a2642-a034-447f-a5e8-41beaa378541" # Yammer admin

$Method = 'POST'
$Uri = 'https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests' # the URL must be quoted

$PostRequestStatus = @()
foreach ($role in $builtinRoles) {
    Write-Host "Assigning '$($role.displayName)' to $principal (sg-TestAllPIM)"
    $Body = @{
        action           = "adminAssign"
        directoryScopeId = "/"
        isValidationOnly = $false   # boolean, not the string "false"
        justification    = "Testing all role assignments"
        principalId      = $principal
        roleDefinitionId = $role.id
        scheduleInfo     = @{
            startDateTime = "2024-11-04T06:10Z"
            expiration    = @{
                type = "noExpiration"
            }
        }
    } | ConvertTo-Json -Depth 5   # explicit depth so the nested expiration object is serialised

    $QueryRequest = Invoke-MgGraphRequest -Headers $HeaderParams -Uri $Uri -Method $Method -ContentType "application/json" -OutputType $OutputType -Body $Body
    $PostRequestStatus += $QueryRequest
    Start-Sleep 0.3
}

Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($principal)'"
```
