Open jalvarezit opened 2 months ago
Thank you for opening this issue, we will look into it.
What I get from https://github.com/Azure/azure-cli/issues/22775 is that the az cli app registration does not request these permissions (with delegated access tokens) and a custom app registration would be required. A workaround is provided which involves using a service principal (non-delegated access grant). This proposed workaround is far from ideal as we mainly use user identities on our privileged workstations and secret-free service principals in Azure Pipelines. The workaround would involve introducing a secret on a service principal so that authentication can happen on our privileged workstations.
az rest --uri 'https://graph.microsoft.com/v1.0/policies/roleManagementPolicies?$filter=scopeId eq '"'"'/'"'"' and scopeType eq '"'"'DirectoryRole'"'"''
yields
Forbidden({"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope RoleManagementPolicy.Read.Directory,RoleManagementPolicy.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleManagement.Read.Directory,RoleManagement.Read.All.\",\"instanceAnnotations\":[]}","innerError":{"date":"2024-06-11T15:57:50","request-id":"87329a3d-8ace-4031-a334-66e8912d4286","client-request-id":"87329a3d-8ace-4031-a334-66e8912d4286"}}})
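The comment above turns on which delegated scopes the token that az cli obtains actually carries. The following is an added example, not code from this issue or from the azure-cli project: a small POSIX shell helper that decodes the scp claim of a Microsoft Graph access token locally (no signature check, no network) and tests it against the comma-separated scope set that Graph names in a PermissionScopeNotGranted error, any one of which is sufficient. The sample token is constructed inline; its scopes are assumed for illustration only, and the app id in it is the public client id of the Azure CLI first-party application.

```shell
#!/bin/sh
# Added example (not from the issue or the azure-cli project): predict a
# PermissionScopeNotGranted answer from the token itself by reading its
# delegated scopes. JWT segments are base64url without padding; the token
# is only decoded here, never validated.

# base64url-encode a string (used only to build the constructed sample token).
b64url() {
  printf '%s' "$1" | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# Decode the payload (second dot-separated segment) of a JWT to JSON,
# restoring the padding that base64url strips.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Space-separated delegated permissions ("scp" claim). A token issued to a
# service principal via client credentials carries application permissions
# in the "roles" claim instead, so this prints nothing for that case.
jwt_scopes() {
  jwt_payload "$1" | sed -n 's/.*"scp":"\([^"]*\)".*/\1/p'
}

# Exit 0 if the token's scp claim contains exactly the scope named in $2.
has_scope() {
  for s in $(jwt_scopes "$1"); do
    [ "$s" = "$2" ] && return 0
  done
  return 1
}

# Graph lists acceptable scopes as a comma-separated set; one is enough.
# Exit 0 if at least one of them is present in the token.
any_scope_granted() {
  tok=$1
  for want in $(printf '%s' "$2" | tr ',' ' '); do
    has_scope "$tok" "$want" && return 0
  done
  return 1
}

# Constructed sample token: header + payload, empty signature. The appid is
# the public client id of the Azure CLI application; the scopes are assumed
# for illustration and are not what any real tenant issued.
SAMPLE_TOKEN="$(b64url '{"alg":"none","typ":"JWT"}').$(b64url '{"aud":"https://graph.microsoft.com","appid":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","scp":"Directory.Read.All User.Read openid"}')."

# The scope set quoted by the roleManagementPolicies error in this issue.
REQUIRED="RoleManagementPolicy.Read.Directory,RoleManagementPolicy.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleManagement.Read.Directory,RoleManagement.Read.All"

if any_scope_granted "$SAMPLE_TOKEN" "$REQUIRED"; then
  echo "token carries one of: $REQUIRED"
else
  echo "token scopes: $(jwt_scopes "$SAMPLE_TOKEN")"
  echo "none of the required scopes present; Graph will answer PermissionScopeNotGranted"
fi
```

To run it against a live login, replace SAMPLE_TOKEN with the output of `az account get-access-token --resource-type ms-graph --query accessToken -o tsv` and pass the scope list copied from the Graph error message to any_scope_granted; an empty scp together with a populated roles claim is the signature of the service-principal workaround discussed above rather than a delegated user token.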
Describe the bug
I am able to list PIM roles using the portal but cannot get them using the Azure REST API over az cli.
I should be able to enumerate the PIM role assignments the same way I do through the portal:
Related command
az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadgroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'
Errors
Forbidden({"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.\",\"instanceAnnotations\":[]}","innerError":{"date":"2024-04-29T23:01:01","request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18","client-request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18"}}})
Issue script & Debug output
There is no script; it is just a single command.
Expected behavior
The command should list the PIM groups
Environment Summary
Additional context
az login --use-device-code
to log in with the same account as the browser.
https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true
which I managed to retrieve using the CLI:
az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'