Open irrelevant-123 opened 1 month ago
Thank you for opening this issue, we will look into it.
The API mentioned by https://learn.microsoft.com/en-us/graph/api/privilegedaccessgroup-post-assignmentschedulerequests?view=graph-rest-1.0&tabs=http#example-2-user-activates-their-eligible-assignment-for-pim-for-groups is Create assignmentScheduleRequest.
Calling this API requires the PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup or PrivilegedAssignmentSchedule.Remove.AzureADGroup delegated permission. However, as explained in https://github.com/Azure/azure-cli/issues/22775#issuecomment-1935450043, Azure CLI's first party application doesn't have these permissions.
I will discuss within the team.
I have already raised tickets with the ms-graph team, but they pointed me here.
I am trying to activate my eligible assignment for PIM for Groups:
https://learn.microsoft.com/en-us/graph/api/privilegedaccessgroup-post-assignmentschedulerequests?view=graph-rest-1.0&tabs=http#example-2-user-activates-their-eligible-assignment-for-pim-for-groups
If I log into Graph Explorer it is no problem to activate my eligible assignment from there. It also works over HTTP from bash if I use the existing token from Graph Explorer.
If I try to get a Graph token from Azure CLI, it seems to work with:
az account get-access-token --resource-type ms-graph
With this token I don't have the right permissions to do the activation:
Authorization failed due to missing permission scope PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedAssignmentSchedule.Remove.AzureADGroup.
If I try to set the scope (I've tried a few formats) then I only get these errors:
az account get-access-token --resource-type ms-graph --scope https://graph.microsoft.com/.PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup
or
az account get-access-token --resource-type ms-graph --scope .PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup
Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API.
We are not able to find a way to edit permissions for app '04b07795-8ddb-461a-bbee-02f9e1bf7b46', which seems to be Azure CLI.
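As an added check (not code from this issue, from Azure CLI or from Microsoft Graph): the Graph error quoted above names three delegated scopes, any one of which would be enough, and a token's `scp` claim shows which scopes were actually granted. The script below decodes a token's payload locally (no signature verification; inspection only) and reports whether one of the required scopes is present. The two sample tokens and their `scp` values are constructed for demonstration and are assumptions, not what any real application is granted.

```python
import base64
import json
import sys

# The three delegated scopes named in the Graph error on this thread; any one suffices.
REQUIRED_SCOPES = {
    "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
    "PrivilegedAccess.ReadWrite.AzureADGroup",
    "PrivilegedAssignmentSchedule.Remove.AzureADGroup",
}
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. The signature is NOT verified:
    this is only for inspecting a token you already hold, never for accepting one."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_pim_scopes(token: str) -> dict:
    """Report whether the token is a Graph token and whether it carries a PIM-for-Groups scope."""
    claims = jwt_claims(token)
    granted = set(claims.get("scp", "").split())  # scp is a space-separated list
    matched = granted & REQUIRED_SCOPES
    return {
        "aud_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "appid": claims.get("appid"),
        "matched": sorted(matched),
        "can_activate": bool(matched),
    }


def _constructed_token(claims: dict) -> str:
    # Constructed, unsigned sample for demonstration; the signature segment is a placeholder.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed samples (assumed scp values): one without any PIM scope, one with the ReadWrite scope.
TOKEN_WITHOUT_PIM = _constructed_token({"aud": "https://graph.microsoft.com",
                                        "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
                                        "scp": "User.Read Group.Read.All"})
TOKEN_WITH_PIM = _constructed_token({"aud": "https://graph.microsoft.com",
                                     "scp": "User.Read PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup"})

if __name__ == "__main__":
    # Pipe a real token in: az account get-access-token --resource-type ms-graph --query accessToken -o tsv
    print(json.dumps(check_pim_scopes(sys.stdin.read() if not sys.stdin.isatty() else TOKEN_WITHOUT_PIM), indent=2))
```

Run against the token from `az account get-access-token`, "can_activate": false with "aud_is_graph": true is exactly the situation described in the issue: the token is a valid Graph token, but the first party app was never granted a PIM-for-Groups scope.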