Enable role fails with permission error
Opened this issue · 5 comments
With version 0.0.8 of the module, I am trying to activate a role using this syntax:

```powershell
Enable-JAzRole -RoleName 'Contributor -> Scope (Guid)'
```
But that fails with the following error message:
Enable-JAzRole: The requestor "id" does not have permissions for this request. Please use $filter=asTarget() to filter on the requestor's assignments.
Have tried using -Verbose flag, but that did not bring any additional info.
It is most likely this unresolved issue that is the root cause:
Azure/azure-powershell#18163
I work with multiple tenants and ran into this issue in one of them
Is there any estimate on when this will work? The module is unfortunately not very useful without this bugfix.
I read the issue mentioned here:
Azure/azure-powershell#18163
If I run this, I can get the output just fine:
```powershell
Get-AzRoleAssignmentScheduleInstance -Scope "/providers/Microsoft.Management/managementGroups/xxxxxxxxxxxxxxxxxxxxxxxxx"
```
so I'm not quite sure why I'm getting the error with the permission when using this module.
Having said that, the output from Get-AzRoleAssignmentScheduleInstance doesn't show my eligible PIM role in the result.
If I run this script, then I get a better result:
```powershell
function Set-HeaderWithToken {
    # Acquire a token for the MS-PIM resource and wrap it in an Authorization header
    $pimtoken = Get-AzAccessToken -ResourceUrl '01fc33a7-78ba-4d2f-a4b7-768e336e890e' <# MS-PIM #> -ErrorAction Stop
    $headers = @{
        "Authorization" = "Bearer {0}" -f ($pimtoken.Token)
    }
    return $headers
}

function Query-PIMObjectWithChildren {
    # Returns PIM objects for both Azure Resource and AAD roles. If you pass aadRoles for the $roleType param,
    # you do not need to specify $resourceIdentifier as it will default to the tenant ID needed for that call,
    # since there's only one call to make for the AAD roles.
    param(
        [Parameter(Mandatory)]
        $header,
        [Parameter(Mandatory)]
        [ValidateSet("azureResources", "aadRoles")] # Passed parameter can only be one of these two options
        [string] $roleType,
        [string] $resourceIdentifier,
        [Parameter(Mandatory)]
        [ValidateSet("yes", "no")] # Passed parameter can only be one of these two options
        [string] $outputToCSV,
        [string] $subName
    )

    if ($roleType -eq "aadRoles") {
        $resourceIdentifier = "<tenant id>"
        $subName = "Tenant"
        $APIUri = "https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadRoles/roleAssignments/exportWithChildren"
    }
    elseif ($roleType -eq "azureResources") {
        $APIUri = "https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/azureResources/roleAssignments/exportWithChildren"
    }

    # With -Method Get, Invoke-WebRequest appends -Body as the query string
    $parameters = @{
        '$expand' = 'subject,roleDefinition($expand=resource)'
        '$filter' = "(roleDefinition/resource/id eq '$resourceIdentifier')"
    }

    if ($outputToCSV -eq "yes") {
        Invoke-WebRequest -Headers $header -Uri $APIUri -Method Get -Body $parameters -OutFile "C:\Output.csv"
    }
    elseif ($outputToCSV -eq "no") {
        $result = Invoke-WebRequest -Headers $header -Uri $APIUri -Method Get -Body $parameters -UseBasicParsing
        # Decode the raw result data as UTF-8 and skip the BOM (2 BOMs)
        $stringDecoded = [Text.Encoding]::UTF8.GetString($result.RawContentStream.ToArray()).Substring(2)
        # Now that it is decoded properly, we can convert to PSObjects
        $properResult = $stringDecoded | ConvertFrom-Csv
        return $properResult
    }
}

# Grab token and set header
$header = Set-HeaderWithToken

<# Need to have a list of subs and the id of them for the below to work.
foreach ($sub in $subs) {
    $subPIMId = (Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$sub'").Id
}
#>

# $finalResult = Query-PIMObjectWithChildren -header $header -roleType azureResources -resourceIdentifier "xxxxxxxxxxxxxxxxxxxxxxxxx" -outputToCSV no
```
I got it to work.
```powershell
# Make this up. Can be any GUID; "New-Guid" will generate one.
$guid = "12f8978c-5d8d-4fbf-b4b6-2f455eb43e3a"
# ISO 8601 timestamp, which is what ScheduleInfoStartDateTime expects
$startTime = Get-Date -Format o
$scope = "//providers/Microsoft.Management/managementGroups/your management group ID/"
$principalID = "your AAD user's objectID. Can find this in AAD"
$roledefinitionid = "/providers/Microsoft.Management/managementGroups/your management group ID/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

New-AzRoleAssignmentScheduleRequest -Name $guid -Scope $scope -ExpirationDuration PT1H -ExpirationType AfterDuration -PrincipalId $principalID -RequestType SelfActivate -RoleDefinitionId $roledefinitionid -ScheduleInfoStartDateTime $startTime -Justification "test script"
```
The role definition "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" is Owner and can be found here:
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
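The activation steps in the comment above, wrapped into one function as an added example; this is not code from this thread or from the JAz.PIM project. It assumes Az.Accounts and Az.Resources are installed and `Connect-AzAccount` has run; the function name `Request-PimActivation` and the placeholder scope in the usage line are hypothetical. Rather than hard-coding the principal id and role definition path, it resolves the signed-in user, looks up the role definition by display name, and confirms an eligible assignment exists at that scope with the `asTarget()` filter the error message in this issue points to, so a missing eligibility fails with a clear message before any request is submitted. Every activation carries a justification and a short, explicit duration, which is what the PIM audit log will later show.

```powershell
function Request-PimActivation {
    # Hypothetical helper (added example): activates an eligible PIM role for the signed-in user.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Scope,          # e.g. '/providers/Microsoft.Management/managementGroups/<mg id>'
        [Parameter(Mandatory)] [string] $RoleName,       # built-in or custom role display name, e.g. 'Owner'
        [Parameter(Mandatory)] [string] $Justification,  # required: this text ends up in the PIM audit trail
        [string] $PrincipalId,                           # optional; defaults to the signed-in user's object id
        [string] $Duration = 'PT1H'                      # ISO 8601 duration; keep activations short
    )

    # Assumption: Get-AzADUser -SignedIn is available (Az.Resources 5.x or later).
    if (-not $PrincipalId) {
        $PrincipalId = (Get-AzADUser -SignedIn).Id
    }
    if (-not $PrincipalId) {
        throw 'Could not resolve the signed-in user; run Connect-AzAccount first or pass -PrincipalId.'
    }

    # Resolve the role display name to its definition GUID instead of hard-coding the path.
    $roleDef = Get-AzRoleDefinition -Name $RoleName
    if (-not $roleDef) {
        throw "Role definition '$RoleName' not found."
    }

    # asTarget() restricts the listing to the caller's own eligibilities, which is all a
    # non-administrator is permitted to read; without it the API returns the permission error.
    $eligible = Get-AzRoleEligibilityScheduleInstance -Scope $Scope -Filter 'asTarget()' |
        Where-Object {
            $_.PrincipalId -eq $PrincipalId -and $_.RoleDefinitionId -like "*/roleDefinitions/$($roleDef.Id)"
        } |
        Select-Object -First 1

    if (-not $eligible) {
        throw "No eligible '$RoleName' assignment at scope '$Scope' for principal $PrincipalId."
    }

    $request = @{
        Name                      = [guid]::NewGuid().ToString()  # any fresh GUID, as in the comment above
        Scope                     = $Scope
        PrincipalId               = $PrincipalId
        RoleDefinitionId          = $eligible.RoleDefinitionId    # full path, taken from the eligibility itself
        RequestType               = 'SelfActivate'
        ScheduleInfoStartDateTime = (Get-Date -Format o)          # ISO 8601, as the comment above does
        ExpirationType            = 'AfterDuration'
        ExpirationDuration        = $Duration
        Justification             = $Justification
    }

    # -WhatIf shows the request that would be submitted without activating anything.
    if ($PSCmdlet.ShouldProcess("$RoleName at $Scope", "Activate for $Duration")) {
        New-AzRoleAssignmentScheduleRequest @request
    }
}

# Usage (scope and justification are placeholders):
# Request-PimActivation -Scope '/providers/Microsoft.Management/managementGroups/<mg id>' `
#     -RoleName 'Owner' -Justification 'Change ticket <id>: rotate storage keys' -WhatIf
```

Run it once with `-WhatIf` to see the resolved principal, role definition path and duration before submitting a real request; the eligibility lookup is also a quick way to tell an "I am not eligible at this scope" problem apart from the module bug discussed in this issue.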