microsoftgraph / msgraph-sdk-powershell

Powershell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph

Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest Not returning correct results #2777

Open TheKrisSodroski opened 2 months ago

TheKrisSodroski commented 2 months ago

Describe the bug

I used to have a script that would search for eligibility requests using Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest. Today it stopped working, and it has some odd results. I suspect it's on the API side.

Some results aren't returned. For instance, I know I have eligible assignments for a particular group, since I see them in the Azure Portal, but filtering by groupId returns nothing. Filtering only on status eq 'Provisioned', I can see some results there, but not all records that should be there are returned.

Filtering by only principalId throws an error for some reason, so I can't check that way.

Since my script assumes that the policy assignment doesn't exist, it attempts to create it, and the request returns with "Role assignment already exists."

These groups and policies have been around for months at this point, so I'm not sure what changed to cause this behavior, but it's critical for our release process and we don't have a solution that would be reliable.

Verification that eligibility request exists:

Group Assignment Verification

```powershell
$filter = "groupId eq 'ece6de44-7ed6-4358-a67f-661c46e6ed88'"
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -Filter $filter
# Returns no results, but from the above picture, you can see there should be results
```

Another group

```powershell
# Pick another group in the list
$filter2 = "groupId eq '584ad8b1-335a-4b5b-8cd1-06799460c920'"
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -Filter $filter2
# This one returns results for some reason
```

Results: image

Version info:

```text
ModuleType Version Name                                ExportedCommands
---------- ------- ----                                ----------------
Script     2.12.0  Microsoft.Graph.Authentication      {Add-MgEnvironment, Connect-MgGraph, Disconnect-MgGraph, Get-MgContext...}
Script     2.12.0  Microsoft.Graph.Groups              {Add-MgGroupDriveListContentTypeCopy, Add-MgGroupDriveListContentTypeCopyFromContentTypeHub, Add-MgGroupFavorite, Add-M...
Script     2.12.0  Microsoft.Graph.Identity.Governance {Add-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision, Get-MgAgreement, Get-MgAgreementAcceptance, Get-MgAgre...
Script     2.12.0  Microsoft.Graph.Identity.SignIns    {Confirm-MgRiskyServicePrincipalCompromised, Confirm-MgRiskyUserCompromised, Get-MgDataPolicyOperation, Get-MgDataPolic...
```

Expected behavior

Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest should return the correct results.

How to reproduce

I'm not exactly sure how to reproduce it. I can see the policy assignment in the portal along with the other policy assignments, but some are not returned by the cmdlet and throw an error when trying to create them.

SDK Version

2.12.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

```ps
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -Filter $filter -Debug
DEBUG: [CmdletBeginProcessing]: - Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest begin processing with parameterSet 'List'.

Confirm
Continue with this operation?
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): a
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.ReadWrite.All, Directory.AccessAsUser.All, Directory.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, GroupMember.Read.All, GroupMember.ReadWrite.All, Mail.Send, Mail.Send.Shared, openid, PrivilegedAccess.Read.AzureADGroup, PrivilegedAccess.ReadWrite.AzureADGroup, PrivilegedEligibilitySchedule.Read.AzureADGroup, PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup, profile, RoleManagement.ReadWrite.Directory, RoleManagementPolicy.Read.AzureADGroup, RoleManagementPolicy.ReadWrite.AzureADGroup, User.Read, User.Read.All, User.ReadWrite.All, email].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests?$filter=principalId eq '408ef5c0-7e92-490b-acfe-06e575177856' and status eq 'Provisioned'

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; en-US),PowerShell/5.1.22621.2506
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.12.0
client-request-id             : 7d3047ed-b236-47a0-a31f-16f3911cbcda

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 41c0b5a5-d7ca-4180-8436-0f78d67aa578
client-request-id             : 7d3047ed-b236-47a0-a31f-16f3911cbcda
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"BL6PEPF0002399A"}}
Date                          : Wed, 05 Jun 2024 15:29:05 GMT

Body:
{
  "error": {
    "code": "UnauthorizedAccessException",
    "message": "Attempted to perform an unauthorized operation.",
    "innerError": {
      "date": "2024-06-05T15:29:06",
      "request-id": "41c0b5a5-d7ca-4180-8436-0f78d67aa578",
      "client-request-id": "7d3047ed-b236-47a0-a31f-16f3911cbcda"
    }
  }
}

Confirm
Attempted to perform an unauthorized operation.
Status: 403 (Forbidden)
ErrorCode: UnauthorizedAccessException
Date: 2024-06-05T15:29:06
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 41c0b5a5-d7ca-4180-8436-0f78d67aa578
client-request-id             : 7d3047ed-b236-47a0-a31f-16f3911cbcda
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"BL6PEPF0002399A"}}
Date                          : Wed, 05 Jun 2024 15:29:05 GMT
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): a
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest : Attempted to perform an unauthorized operation.
Status: 403 (Forbidden)
ErrorCode: UnauthorizedAccessException
Date: 2024-06-05T15:29:06
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 41c0b5a5-d7ca-4180-8436-0f78d67aa578
client-request-id             : 7d3047ed-b236-47a0-a31f-16f3911cbcda
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"BL6PEPF0002399A"}}
Date                          : Wed, 05 Jun 2024 15:29:05 GMT
At line:1 char:1
+ Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleReque ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ Top = , Skip ...ndProperty = }:<>f__AnonymousType24`8) [Get-MgIdentityG...uleRequest_List], Exception
    + FullyQualifiedErrorId : UnauthorizedAccessException,Microsoft.Graph.PowerShell.Cmdlets.GetMgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest_List
DEBUG: [CmdletEndProcessing]: - Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest end processing.
```

Configuration

```text
Name                           Value
----                           -----
PSVersion                      5.1.22621.2506
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2506
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

Other information

No response

TheKrisSodroski commented 2 months ago

Is there any update with this? Still noticing that it's impossible to get all the results back.

Calling the cmdlet with no arguments returns nothing. The only thing filterable seems to be status eq 'Provisioned'. There's also no way to find out the different status values. I see in the UI it shows 'Eligible', but trying to filter by this throws an error saying it's an invalid status.

Page sizes and -All do absolutely nothing. -All actually returns fewer results than status eq 'Provisioned'.

Being able to export the PIM eligibility list is important for auditing and compliance.
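An added example, not the reporter's script or SDK documentation, that addresses both posts above: it reconciles what the eligibilityScheduleRequests cmdlet returns for a group against the eligibility schedules themselves (so the gap the issue describes shows up as a row rather than a silent miss), and it makes the "create if missing" step tolerate the "Role assignment already exists" answer. It assumes a session opened with Connect-MgGraph holding PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup; the Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule cmdlet, its groupId/principalId filter support, and the request-body shape are assumptions based on the Graph v1.0 privilegedAccess/group endpoints, and the function names are the example's own.

```powershell
# Added example: reconcile the cmdlet from the issue against the eligibility schedules,
# and create eligibility idempotently. The *EligibilitySchedule cmdlet, its filter
# support and the request-body fields are assumptions (Graph v1.0 privilegedAccess/group).
function Compare-PimGroupEligibility {
    param([Parameter(Mandatory)][string]$GroupId)
    $filter = "groupId eq '$GroupId'"
    # Cmdlet from the issue: reported to miss assignments that the portal shows
    $requests  = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -Filter $filter -All
    # Current eligibility state (assumed cmdlet), used as the reference set
    $schedules = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter $filter -All
    $seen = @($requests | Select-Object -ExpandProperty PrincipalId -Unique)
    foreach ($s in $schedules) {
        [pscustomobject]@{
            GroupId           = $GroupId
            PrincipalId       = $s.PrincipalId
            AccessId          = $s.AccessId
            VisibleViaRequest = ($seen -contains $s.PrincipalId)   # $false marks the gap the issue describes
        }
    }
}

function Set-PimGroupEligibility {
    param([Parameter(Mandatory)][string]$GroupId, [Parameter(Mandatory)][string]$PrincipalId, [string]$AccessId = 'member')
    # Check the schedules (not the requests) before deciding the assignment is missing
    $existing = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
        -Filter "groupId eq '$GroupId' and principalId eq '$PrincipalId'" -All
    if ($existing) { return 'already-eligible' }
    $body = @{
        accessId      = $AccessId
        principalId   = $PrincipalId
        groupId       = $GroupId
        action        = 'adminAssign'
        justification = 'Scripted release-process eligibility'
        scheduleInfo  = @{ startDateTime = (Get-Date).ToUniversalTime().ToString('o'); expiration = @{ type = 'noExpiration' } }
    }
    try {
        New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $body -ErrorAction Stop | Out-Null
        return 'created'
    } catch {
        # Idempotency: the service knows the assignment exists even when the list call did not show it
        if ($_.Exception.Message -match 'already exists') { return 'already-eligible' }
        throw
    }
}

# Group id taken from the issue's own example
Compare-PimGroupEligibility -GroupId 'ece6de44-7ed6-4358-a67f-661c46e6ed88' | Format-Table -AutoSize
```

Rows with VisibleViaRequest set to $false are the assignments the request cmdlet is not returning; exporting the schedule-based rows rather than the request-based ones gives the audit list the second post asks for.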