Closed janegilring closed 2 years ago
@janegilring hmm, not sure why asTarget() didn't get added to your command.
In terms of MFA, as long as you are in a connect-azaccount or connect-mgaccount where you did an MFA then it'll be fine, it actually won't prompt again for MFA at command run, that's just how the API works. However, if you are in a non-mfa account, it will fail with 'MFARule' policy error.
I see, thanks.
I'll see if I find some time, later on, to debug further.
@janegilring try just Get-JazRole
and let me know if it throws same error.
That works fine:
Get-JazRole
PrincipalEmail RoleDefinitionDisplayName ScopeDisplayName ScopeType EndDateTime
-------------- ------------------------- ---------------- --------- -----------
Contributor IT managementgroup
Owner IT managementgroup
Owner Production managementgroup
me@somedomain.onmicrosoft.com User Access Administrator IT managementgroup
@janegilring try the latest module (0.0.5), I can tell by the formatting you still have the old one.
Good call. Updated to 0.5, seems like the error has changed:
Enable-JAzRole 'Owner -> IT (59938e56-554d-4cf5-84c3-529766c42548)'
Exception: /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.5/Private/Resolve-RoleByName.ps1:16:23
$Role) { throw "RoleGuid $roleGuid from $RoleName was not found as
RoleGuid 59938e56-554d-4cf5-84c3-529766c42548 from Owner -> IT (59938e56-554d-4cf5-84c3-529766c42548) was not found as an eligible role for this user
Get-JAzRole (and tab completion) works fine:
Get-JAzRole
PrincipalDisplayName RoleDefinitionDisplayName ScopeDisplayName ScopeType EndDateTime
-------------------- ------------------------- ---------------- --------- -----------
some-group Owner IT managementgroup
Also tested this problem in another environment, Get-JAzRole works fine:
Get-JAzRole
PrincipalDisplayName RoleDefinitionDisplayName ScopeDisplayName ScopeType EndDateTime
-------------------- ------------------------- ---------------- --------- -----------
Admin - Jan Egil Ring Owner democrayon subscription
Tab-completion works fine as well, but Enable-JAzRole fails:
Enable-JAzRole 'Owner -> democrayon (641eac54-cc6a-48d1-98ea-6834911db638)'
Exception: /home/vscode/.local/share/powershell/Modules/JAz.PIM/0.0.5/Private/Resolve-RoleByName.ps1:16:23
Line |
16 | … ot $Role) { throw "RoleGuid $roleGuid from $RoleName was not found as …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| RoleGuid 641eac54-cc6a-48d1-98ea-6834911db638 from Owner -> democrayon (641eac54-cc6a-48d1-98ea-6834911db638) was not found as
| an eligible role for this user
Interesting, it works when piping a role into Enable-JAzRole:
Get-JAzRole | Select -First 1 | Enable-JAzRole -Justification 'Daily elevation'
Show me your Get-JAzRole | fl entry for the role you want to enable, there might be a matching problem in the lookup.
Get-JAzRole | fl
Condition :
ConditionVersion :
CreatedOn : 5/16/2022 7:21:54 PM
EndDateTime :
ExpandedPropertiesPrincipalId : 27a72d40-6214-4198-97b4-8c6fd1bfd243
ExpandedPropertiesPrincipalType : User
ExpandedPropertiesRoleDefinitionId : /subscriptions/b7f543e7-29f0-4e13-8b16-e8e94170be88/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635
Id : /subscriptions/b7f543e7-29f0-4e13-8b16-e8e94170be88/providers/Microsoft.Authorization/roleEligibilitySchedules/641eac54-cc6a-48d1-98ea-6834911db638
MemberType : Direct
Name : 641eac54-cc6a-48d1-98ea-6834911db638
PrincipalDisplayName : Admin - Jan Egil Ring
PrincipalEmail : adm_jan@demo.contoso.com
PrincipalId : 27a72d40-6214-4198-97b4-8c6fd1bfd243
PrincipalType : User
RequestId : /subscriptions/b7f543e7-29f0-4e13-8b16-e8e94170be88/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/641eac54-cc6a-48d1-98ea-6834911db638
ResourceGroupName :
RoleDefinitionDisplayName : Owner
RoleDefinitionId : /subscriptions/b7f543e7-29f0-4e13-8b16-e8e94170be88/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635
RoleDefinitionType : BuiltInRole
Scope : /subscriptions/b7f543e7-29f0-4e13-8b16-e8e94170be88
ScopeDisplayName : democrayon
ScopeId : /subscriptions/b7f543e7-29f0-4e13-8b16-e8e94170be88
ScopeType : subscription
StartDateTime : 5/16/2022 7:21:54 PM
Status : Provisioned
Type : Microsoft.Authorization/roleEligibilitySchedules
UpdatedOn : 5/16/2022 7:21:54 PM
I must have broken something, not working for me either, let me look into it
Yup I was swallowing the object, whoops. Test again with 0.0.6 which should be out shortly and let me know if it still breaks.
Works like a charm 👍
I ran into this again today with the exact same error as initially reported:
Enable-JAzRole: The requestor d3493a29-cc6e-46f1-b5ca-876bb0e53bf5 does not have permissions for this request. Please use $filter=asTarget() to filter on the requestor's assignments.
This was due to the PIM role having the "Require MFA on activation" setting enabled, and there is no MFA enforcement via Conditional Access in this tenant. It is rather enforced via PIM, so I wasn't prompted for MFA during the initial authentication - which led to the above error.
In order to force an MFA authentication, I found this:
# Install msal.ps
Install-Module msal.ps
# Get token for MS Graph by prompting for MFA
$MsResponse = Get-MSALToken -Scopes @("https://graph.microsoft.com/.default") -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -RedirectUri "urn:ietf:wg:oauth:2.0:oob" -Authority "https://login.microsoftonline.com/common" -Interactive -ExtraQueryParameters @{claims='{"access_token" : {"amr": { "values": ["mfa"] }}}'}
Connect-MgGraph -AccessToken $MsResponse.AccessToken
After this authentication, Enable-JAzRole ran without issues.
Maybe it is possible to check whether a role requires MFA, and if so add the extra query parameters when authenticating? On the other side, this may be an edge case - as most tenants are enforcing MFA via Conditional Access.
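An added example (not part of the JAz.PIM project or the comment above) showing the same claims challenge built as an object instead of a hand-written string, plus a check that the issued token actually carries the "mfa" authentication-method reference before connecting. It assumes MSAL.PS is installed, the same public client id used above, and a Microsoft.Graph SDK version whose Connect-MgGraph -AccessToken accepts a plain string as in the snippet above.

```powershell
# Added example, not JAz.PIM code. Assumes: MSAL.PS installed, the client id from
# the comment above, and Connect-MgGraph accepting a string -AccessToken.

function New-MfaClaimsRequest {
    # Build the claims-request JSON that asks Entra ID for a token whose "amr"
    # claim includes "mfa": {"access_token":{"amr":{"values":["mfa"]}}}
    $claims = @{ access_token = @{ amr = @{ values = @('mfa') } } }
    return ($claims | ConvertTo-Json -Compress -Depth 5)
}

function Test-JwtHasMfa {
    param([Parameter(Mandatory)][string]$Jwt)
    # Decode the JWT payload (second dot-separated part, base64url) and look for
    # "mfa" in the "amr" claim. This is a client-side sanity check only; the
    # resource (Graph) remains the authority on what the token means.
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $payload = $json | ConvertFrom-Json
    return [bool]($payload.amr -contains 'mfa')
}

# Interactive usage: request the token with the claims challenge, verify the
# "amr" claim, and only then hand the token to the Graph SDK.
$token = Get-MsalToken -Scopes 'https://graph.microsoft.com/.default' `
    -ClientId '1b730954-1685-4b74-9bfd-dac224a7b894' `
    -RedirectUri 'urn:ietf:wg:oauth:2.0:oob' `
    -Authority 'https://login.microsoftonline.com/common' -Interactive `
    -ExtraQueryParameters @{ claims = (New-MfaClaimsRequest) }

if (-not (Test-JwtHasMfa -Jwt $token.AccessToken)) {
    throw 'Token was issued without MFA; activation of a role with "Require MFA on activation" will be rejected.'
}
Connect-MgGraph -AccessToken $token.AccessToken
```

If Test-JwtHasMfa returns false even after an interactive sign-in, the claims parameter did not reach the authorization request, which is the same condition that produces the asTarget() error above.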
I would say it's quite a rarity to be using PIM but not use MFA, so I'm open to PRs to this regard but I'm not going to actively work on it. I'm also up for modifying the error message with a suggestion to check for this.
That makes sense, I will look into creating a PR if there is interest from others in the same tenant (or others "+1"-ing in this issue)
I've been using Enable-JAzRole without issues in one tenant but trying it against a different tenant results in:
Activating the same role from the Azure portal works fine. Any idea what might be the reason for the above error?
Side question: What happens if the "Require MFA on activation" setting is enabled for a role?