Azure / azure-powershell

Microsoft Azure PowerShell

New-AzRoleAssignmentScheduleRequest cmdlet does not work when a PIM eligible role assignment has Conditional Access authentication context enabled #25421

Open charlie-swing opened 4 months ago

charlie-swing commented 4 months ago

Description

I am able to get the New-AzRoleAssignmentScheduleRequest to work on some PIM eligible assignments; however, I noticed I get an error message when trying this on eligible assignments that have the Conditional Access authentication context setting enabled. Is there any way to get around this?

Script or Debug output

No response

Environment data

No response

Module versions

Az.Resources 5.6.0

Error output

New-AzRoleAssignmentScheduleRequest : &claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%20%22value%22%3A%22c1%22%7D%7D%7D
At line:21 char:1
+ New-AzRoleAssignmentScheduleRequest -Name $guid -Scope $scope -Expira ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ Scope = /subs...heduleRequest }:<>f__AnonymousType53) [New-AzRoleAssig..._CreateExpanded], Exception
    + FullyQualifiedErrorId : RoleAssignmentRequestAcrsValidationFailed,Microsoft.Azure.PowerShell.Cmdlets.Resources.Authorization.Cmdlets.NewAzRoleAssignmentScheduleRequest_CreateExpanded
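
The error text above is a URL-encoded claims challenge. This added example (not code from the issue or from Az.Resources) decodes it to show which Conditional Access authentication context ID the access token is required to carry; `Get-RequiredAuthContext` is a hypothetical helper name, and `$errorText` is copied from the error output above.

```powershell
# Claims challenge exactly as it appears in the error output above.
$errorText = '&claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%20%22value%22%3A%22c1%22%7D%7D%7D'

# Hypothetical helper: extracts and decodes the claims challenge from an error message.
function Get-RequiredAuthContext {
    param([Parameter(Mandatory)][string]$Message)

    # Pull out the value of the claims= parameter (ends at '&' or whitespace).
    if ($Message -notmatch '(?:^|[&?\s])claims=([^&\s]+)') {
        throw 'No claims challenge found in the message.'
    }

    # Percent-decode, then parse the JSON claims request.
    $json   = [System.Uri]::UnescapeDataString($Matches[1])
    $claims = $json | ConvertFrom-Json

    # The "acrs" claim names the authentication context(s) the token must satisfy.
    $acrs = $claims.access_token.acrs
    if (-not $acrs) {
        throw "Challenge does not request an 'acrs' claim: $json"
    }

    # A claims request may carry a single "value" or a "values" array; accept both.
    $ids = @($acrs.value) + @($acrs.values) | Where-Object { $_ }

    [pscustomobject]@{
        Json           = $json
        Essential      = [bool]$acrs.essential
        AuthContextIds = @($ids)
    }
}

Get-RequiredAuthContext -Message $errorText | Format-List
```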

microsoft-github-policy-service[bot] commented 4 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @darshanhs90, @AshishGargMicrosoft.

brwilkinson commented 4 months ago

Also discussed here:

Added some recent thoughts there as well.