MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

PIM API Without Delegated Permissions #55913

Open pratima-cloudknox opened 4 years ago

pratima-cloudknox commented 4 years ago

We are trying to use the Azure PIM API with Azure Resources (NOT Azure AD). The documentation seemed to indicate we only need Application permission and it doesn't have to be delegated. https://docs.microsoft.com/en-us/graph/api/governanceroleassignment-list?view=graph-rest-beta

However we are unable to get access without using a delegated user. Also we are being forced to give PrivilegedAccess.ReadWrite.AzureResources rather than just PrivilegedAccess.Read.AzureResources --> the list API call throws an error saying it needs R/W.

@amanmcse I see that you had replied to this earlier question specifically pointing to the PIM for Azure AD roles. We are specifically trying to use PIM for Azure Resources so this should in theory not require delegated permissions?

Thank you in advance!


Mike-Ubezzi-MSFT commented 4 years ago

@pratima-cloudknox Thank you for bringing this to our attention. This issue, along with the other issue (https://github.com/MicrosoftDocs/azure-docs/issues/55911), is being investigated.

pratima-cloudknox commented 4 years ago

Checking in to see if there is an update - Can I provide any further debug information?

maya-cnx commented 3 years ago

@Mike-Ubezzi-MSFT Any update on this ticket? Could this graph API be invoked by application without needing a delegated user permission?

maya-cnx commented 3 years ago

Any update on this ticket? Could this graph API for PIM data read permissions be invoked by application without needing a delegated user permission?

shauliu commented 3 years ago

The PIM API should work with app-only permission for read only. To perform a write operation / POST operation, you must have delegated permission.

maya-cnx commented 3 years ago

Currently, even for Read access it needs a delegated user, not just for write. https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/5448 mentions "No @maya-cnx , as the Engineer clarified and as per the docs, you do require delegated user permissions."
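The thread turns on whether the caller holds an app-only or a delegated token and whether it carries `PrivilegedAccess.Read.AzureResources` or `PrivilegedAccess.ReadWrite.AzureResources`. The following is an added diagnostic (not code from the issue or from Microsoft) that decodes a Microsoft Graph access token's payload and reports which case you are in: app-only tokens carry application permissions in the `roles` claim, delegated tokens carry user-consented scopes in the `scp` claim. The sample tokens are constructed and unsigned; the helper does not validate signatures and is only for inspecting a token you already hold.

```python
import base64
import json

# Permission names as they appear in the issue thread.
PIM_READ = "PrivilegedAccess.Read.AzureResources"
PIM_READWRITE = "PrivilegedAccess.ReadWrite.AzureResources"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    # Decode the payload only. This does NOT verify the signature; it is a
    # diagnostic for looking at what a token you already hold carries.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def classify_pim_token(token: str) -> dict:
    claims = token_claims(token)
    # App-only (client credentials) tokens list application permissions in `roles`;
    # delegated tokens list scopes in a space-separated `scp` string.
    app_roles = set(claims.get("roles", []))
    delegated_scopes = set(claims.get("scp", "").split())
    if delegated_scopes:
        kind = "delegated"
    elif app_roles:
        kind = "app-only"
    else:
        kind = "no Graph permissions"
    granted = app_roles | delegated_scopes
    return {
        "kind": kind,
        "has_pim_read": PIM_READ in granted or PIM_READWRITE in granted,
        "has_pim_readwrite": PIM_READWRITE in granted,
        "audience": claims.get("aud"),
    }


def _make_unsigned_token(payload: dict) -> str:
    # Constructed sample token for offline demonstration; the signature segment is a placeholder.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed samples: an app-only token with only the Read permission, and a delegated one with ReadWrite.
SAMPLE_APP_ONLY = _make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": [PIM_READ]})
SAMPLE_DELEGATED = _make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "User.Read " + PIM_READWRITE})

if __name__ == "__main__":
    print(classify_pim_token(SAMPLE_APP_ONLY))
    print(classify_pim_token(SAMPLE_DELEGATED))
```

If the result says `app-only` with `has_pim_read` true and the list call still fails, the token itself is not the problem and the behaviour matches what the later comments in this thread report.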