
PIM group roles listing error through REST API #28854

@jalvarezit

Description


Describe the bug

I am able to list PIM roles using the portal but cannot get them using the Azure REST API over az cli.

I should be able to enumerate the PIM role assignments the same way I do through the portal:

[screenshot]

The request that it makes is the following:

https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadGroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true

Related command

az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadgroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'

Errors

Forbidden({"error":{"code":"UnknownError","message":"{"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.","instanceAnnotations":[]}","innerError":{"date":"2024-04-29T23:01:01","request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18","client-request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18"}}})

Issue script & Debug output

There is no script; it is just a single command.

Expected behavior

The command should list the PIM groups.

Environment Summary

{
  "azure-cli": "2.59.0",
  "azure-cli-core": "2.59.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "account": "0.2.5",
    "az-cli-pim": "Unknown",
    "azext-pim": "Unknown"
  }
}

Additional context

  • I used az login --use-device-code to log in with the same account as the browser.
  • There is another endpoint in the portal that returns Microsoft Entra roles, https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true, which I managed to retrieve using the CLI: az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'
  • Replaced ids with REDACTED.

Metadata

Labels

  • Account: az login/account
  • Auto-Assign: auto assigned by bot
  • Service Attention: this issue is the responsibility of the Azure service team
  • act-identity-squad
  • customer-reported: issues that are reported by GitHub users external to the Azure organization
  • question: the issue doesn't require a change to the product in order to be resolved; most issues start as that
