Azure / azure-cli

Azure Command-Line Interface
MIT License

PIM group roles listing error through REST API #28854

Open jalvarezit opened 2 months ago

jalvarezit commented 2 months ago

Describe the bug

I am able to list PIM roles using the portal but cannot get them using the Azure REST API over az cli.

I should be able to enumerate the PIM role assignments the same way I do through the portal:

(screenshot omitted)

The request that the portal makes is the following: `https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadGroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true`

Related command

```shell
az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadgroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'
```

Errors

```text
Forbidden({"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.\",\"instanceAnnotations\":[]}","innerError":{"date":"2024-04-29T23:01:01","request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18","client-request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18"}}})
```

Issue script & Debug output

There is no script; it is just a single command.

Expected behavior

The command should list the PIM groups

Environment Summary

```json
{
  "azure-cli": "2.59.0",
  "azure-cli-core": "2.59.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "account": "0.2.5",
    "az-cli-pim": "Unknown",
    "azext-pim": "Unknown"
  }
}
```

Additional context

yonzhan commented 2 months ago

Thank you for opening this issue, we will look into it.

cveld commented 3 weeks ago

What I get from https://github.com/Azure/azure-cli/issues/22775 is that the az cli app registration does not request these permissions (with delegated access tokens) and a custom app registration should be required. A workaround is provided which involves using a service principal (non-delegated access grant). This proposed workaround is far from ideal as we mainly use user identities on our privileged workstations and secret-free service principals in Azure Pipelines. The workaround would involve introducing a secret on a service principal so that authentication can happen on our privileged workstations.

```shell
# single quotes keep the shell from expanding $filter to an empty string
az rest --uri 'https://graph.microsoft.com/v1.0/policies/roleManagementPolicies?$filter=scopeId eq '"'"'/'"'"' and scopeType eq '"'"'DirectoryRole'"'"''
```

yields

```text
Forbidden({"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope RoleManagementPolicy.Read.Directory,RoleManagementPolicy.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleManagement.Read.Directory,RoleManagement.Read.All.\",\"instanceAnnotations\":[]}","innerError":{"date":"2024-06-11T15:57:50","request-id":"87329a3d-8ace-4031-a334-66e8912d4286","client-request-id":"87329a3d-8ace-4031-a334-66e8912d4286"}}})
```
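Both the issue body and the comment above show the same failure shape: `az rest` prints `Forbidden(<json>)`, and Microsoft Graph nests a second JSON document inside `error.message` whose `message` text lists the permission scopes, any one of which would satisfy the call. As an added example (not code from this issue or from azure-cli), the Python below unwraps that output, decodes the nested document, returns the named scopes, and checks them against the space-separated `scp` claim value of a delegated token so an operator can tell which consent is actually missing before changing app registrations. The function names, the `scp` check, and the non-PIM sample are assumptions; the two Graph samples are copied from this thread.

```python
"""Diagnose Microsoft Graph PermissionScopeNotGranted errors printed by `az rest`."""
import json
import re

# Test fixtures: the two error outputs pasted in this issue thread.
SAMPLE_PIM_GROUPS = r'''Forbidden({"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.\",\"instanceAnnotations\":[]}","innerError":{"date":"2024-04-29T23:01:01","request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18","client-request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18"}}})'''

SAMPLE_ROLE_POLICIES = r'''Forbidden({"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope RoleManagementPolicy.Read.Directory,RoleManagementPolicy.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleManagement.Read.Directory,RoleManagement.Read.All.\",\"instanceAnnotations\":[]}","innerError":{"date":"2024-06-11T15:57:50","request-id":"87329a3d-8ace-4031-a334-66e8912d4286","client-request-id":"87329a3d-8ace-4031-a334-66e8912d4286"}}})'''

# Constructed (hypothetical) non-PIM error, to show the fallback path.
SAMPLE_NOT_FOUND = 'NotFound({"error":{"code":"Request_ResourceNotFound","message":"Resource not found."}})'

# `az rest` prints HTTP errors as "<Reason>(<json body>)".
_WRAPPER = re.compile(r"^\s*[A-Za-z]+\((.*)\)\s*$", re.DOTALL)
# Graph's inner message ends with a comma-separated scope list and a full stop.
_SCOPES = re.compile(r"missing permission scope\s+([A-Za-z0-9_.,]+?)\.?$")


def unwrap_az_rest_error(text):
    """Return the JSON body of an `az rest` error line as a dict."""
    match = _WRAPPER.match(text)
    body = match.group(1) if match else text
    return json.loads(body)


def missing_scopes(text):
    """Return (error_code, [scopes]) for an `az rest` error.

    For PermissionScopeNotGranted the scopes are the alternatives Graph
    accepts for the call; for any other error the list is empty and the
    code is the outer or inner error code, whichever is more specific.
    """
    error = unwrap_az_rest_error(text).get("error", {})
    try:
        inner = json.loads(error.get("message", ""))   # second, nested JSON document
    except ValueError:
        return error.get("code"), []
    code = inner.get("errorCode")
    if code != "PermissionScopeNotGranted":
        return code, []
    match = _SCOPES.search(inner.get("message", ""))
    return code, match.group(1).split(",") if match else []


def satisfied_by(token_scp, alternatives):
    """Return the first alternative present in a token's `scp` claim value, else None.

    Entra delegated tokens carry granted scopes as a space-separated string in
    the `scp` claim (assumed here; pass the decoded claim value).
    """
    granted = set(token_scp.split())
    for scope in alternatives:
        if scope in granted:
            return scope
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_PIM_GROUPS, SAMPLE_ROLE_POLICIES, SAMPLE_NOT_FOUND):
        code, scopes = missing_scopes(sample)
        print(code, scopes)
```

Run it against the output of a failing `az rest` call (paste the whole `Forbidden(...)` line) to get the scope alternatives without reading the double-escaped JSON by hand; `satisfied_by` is then a quick check of whether a token obtained through a different app registration would actually pass.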