Entra ID PIM - Powershell + Graph Rest API - create role assignments


I need to create powershell code for adding PIM role assignments on azure subscription scope. I have prepared below presented code:

$subscriptionid = "subID"
$tenantId = "tenantID"
$clientId = "ClientID"
$clientSecret = "ClientSecret"

$secureClientSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($clientId, $secureClientSecret)
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId $tenantId -Subscription $subscriptionid

Connect-MgGraph -TenantID $tenantId -ClientSecretCredential $credential
$auth_token = (Get-AzAccessToken).Token

I am using $auth_token; my registered application is added to the Global Administrator group in Entra ID. I am trying to use the Microsoft Graph REST API (MS documentation - Graph REST API documentation). I have this code prepared:

$body_json = @"
{
    "roleDefinitionId": "Azure RBAC Contributor role ID",
    "resourceId": "My Azure Subscription ID",
    "subjectId": "My Entra ID group ID",
    "assignmentState": "Eligible",
    "type": "AdminAdd",
    "schedule": {
      "type": "Once",
      "startDateTime": "2023-11-12T23:37:43.356Z",
      "endDateTime": "2024-11-08T23:37:43.356Z"
    }
}
"@

$response = Invoke-RestMethod -method POST `
    -uri "https://graph.microsoft.com/privilegedAccess/azureResources/roleAssignmentRequests" `
    -Body $body_json `
    -Headers @{"Content-type"="application/json";"Authorization"="Bearer $auth_token"}

Once I run the script, I am still facing this error:

Invoke-RestMethod: {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2023-10-30T18:29:03","request-id":"cdbbd9ac-aead-4f5f-9e55-8013d4b6a554","client-request-id":"cdbbd9ac-aead-4f5f-9e55-8013d4b6a554"}}}

Answer (score 8):

Note that to create a governance role assignment request for a group, the application or the user must have the PrivilegedAccess.ReadWrite.AzureADGroup delegated API permission.

  • Application permissions are not supported for this action as per the MsDoc. Hence user interaction is needed to create the role assignments.
  • Hence, if you want to use the Azure AD application to create roles, use the access on behalf of a user flow to generate the access token.
  • Make sure the access token contains the required scopes.

I assigned the user the Privileged Role Administrator role like below:


Then directly use the script below to create the role assignments:

Connect-MgGraph -Scopes "Directory.AccessAsUser.All", "PrivilegedAccess.Read.AzureAD", "PrivilegedAccess.Read.AzureADGroup", "PrivilegedAccess.Read.AzureResources", "PrivilegedAccess.ReadWrite.AzureAD", "PrivilegedAccess.ReadWrite.AzureADGroup", "PrivilegedAccess.ReadWrite.AzureResources"

# Request body for the PIM role assignment request (IDs partly masked with xxxx)
$params = @{
    roleDefinitionId = "e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477"
    resourceId = "226cf998-ddcc-4005-acfb-xxxx"
    subjectId = "d0e182b5-0fed-4f44-9916-xxxx"
    assignmentState = "Eligible"
    type = "AdminAdd"
    reason = "Assign an eligible role"
    schedule = @{
        startDateTime = [System.DateTime]::Parse("2023-10-31T02:19:11.77+05:30")
        endDateTime = [System.DateTime]::Parse("2024-07-26T02:19:11.77+05:30")
        type = "Once"
    }
}

# The privilegedAccess container to post the request to
$privilegedAccessId = "aadRoles"
New-MgBetaPrivilegedAccessRoleAssignmentRequest -PrivilegedAccessId $privilegedAccessId -BodyParameter $params


If the issue still persists, replace azureResources with aadRoles as suggested by SaurabhSharma in this SO thread.

I tried to create the governance role assignment request via the REST API using an access token with the above permissions and roles, and the request is successful:

POST https://graph.microsoft.com/beta/privilegedAccess/aadRoles/roleAssignmentRequests

{
    "resourceId": "226cf998-ddcc-4005-acfb-xxxx",
    "roleDefinitionId": "644ef478-e28f-4e28-b9dc-3fdde9aa0b1f",
    "subjectId": "10468df0-7214-4ef8-8ec3-xxxx",
    "type": "AdminAdd",
    "assignmentState": "Eligible",
    "schedule": {
        "startDateTime": "2023-10-31T02:19:11.77+05:30",
        "endDateTime": "2024-07-26T02:19:11.77+05:30",
        "type": "Once"
    }
}


Reference:

Graph api call to make AAD role assignment request not working - Microsoft Q&A by Siva-kumar-selvaraj
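The "Invalid audience" error in the question and the answer's "make sure the access token contains the required scopes" can both be checked before the call is made. The following added example (not code from the question or the answer) decodes the JWT payload and reports whether the token is minted for Microsoft Graph, is delegated rather than app-only, and carries the needed scope; it assumes a raw token string (with Az.Accounts, for instance `(Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token`) and uses constructed, unsigned sample tokens so it runs offline.

```powershell
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT (expected header.payload.signature)' }
    # base64url -> base64, then restore the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphPimToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredScopes = @('PrivilegedAccess.ReadWrite.AzureResources')
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    # Graph accepts either its URL or its application id as audience
    $graphAud = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    $problems = @()
    if ($claims.aud -notin $graphAud) {
        # This is what produces InvalidAuthenticationToken / Invalid audience: e.g. an ARM token sent to Graph
        $problems += "aud is '$($claims.aud)', not Microsoft Graph"
    }
    if (-not $claims.scp) {
        # app-only tokens carry 'roles' instead of 'scp'; this endpoint needs a delegated token
        $problems += "no 'scp' claim: app-only token, but the endpoint requires delegated permissions"
    } else {
        foreach ($s in $RequiredScopes) {
            if ($s -notin ($claims.scp -split ' ')) { $problems += "missing delegated scope $s" }
        }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Audience = $claims.aud; Problems = $problems }
}

# Constructed sample tokens (fake signature, never accepted by Graph) only to exercise the check offline
function ConvertTo-Base64Url([hashtable]$Object) {
    $json = $Object | ConvertTo-Json -Compress
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function New-SampleJwt([hashtable]$Payload) {
    '{0}.{1}.fakesig' -f (ConvertTo-Base64Url @{ alg = 'none' }), (ConvertTo-Base64Url $Payload)
}

# Token shaped like the default Get-AzAccessToken result (ARM audience) vs. a delegated Graph token
$armToken   = New-SampleJwt @{ aud = 'https://management.azure.com/'; scp = 'user_impersonation' }
$graphToken = New-SampleJwt @{ aud = 'https://graph.microsoft.com'; scp = 'openid PrivilegedAccess.ReadWrite.AzureResources' }
Test-GraphPimToken -Token $armToken     # Ok = False; Problems names the audience
Test-GraphPimToken -Token $graphToken   # Ok = True
```

Run the check against the real token from the script in the question before the Invoke-RestMethod call; a failing audience or a missing 'scp' claim explains the error without another round trip to Graph.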