What is an Eligible Schedule Instance in Privileged Identity Management?


I am working with the Az and the Graph PowerShell modules, getting information about role assignments in Entra ID and Azure Resource Manager. I found that there are two commands each that I can use to query information about which user has which eligible role assignments.

For Entra ID:

Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule
Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance

For Azure Resource Manager:

Get-AzRoleEligibilitySchedule
Get-AzRoleEligibilityScheduleInstance

So what is the difference between a schedule and a schedule instance? Which one represents the role assignment I see in the Azure Portal (UI)? Is one deprecated and preferred over the other?

Best answer:

The portal shows you role eligibility schedule instances.

If you create a role eligibility schedule with a start time in the future:

PUT https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{{$randomUUID}}?api-version=2020-10-01
{
    "properties": {
        "principalId": "721e3492-6665-4731-8884-e161fb727951",
        "requestType": "AdminAssign",
        "roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
        "scheduleInfo": {
            "expiration": {
                "type": "AfterDuration",
                "duration": "P180d"
            },
            "startDateTime": "2023-12-04T11:15:00Z"
        }
    }
}

...and then check the portal, it's empty.


If you query role eligibility schedules, you see the Granted schedule:

GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01
{
    "value": [
        {
            "properties": {
                "roleEligibilityScheduleRequestId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/25213440-0863-436d-abde-c37c7b05001a",
                "scope": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
                "roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                "principalId": "721e3492-6665-4731-8884-e161fb727951",
                "principalType": "Group",
                "status": "Granted",
                "startDateTime": "2023-12-04T11:15:00Z",
                "endDateTime": "2024-12-03T11:15:00Z",
                "memberType": "Direct",
                "createdOn": "2023-12-04T11:02:12.167Z",
                "updatedOn": "2023-12-04T11:02:12.167Z",
                "expandedProperties": {
                    "principal": {
                        "id": "721e3492-6665-4731-8884-e161fb727951",
                        "displayName": "CSG-RBAC-Test",
                        "type": "Group"
                    },
                    "roleDefinition": {
                        "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                        "displayName": "Contributor",
                        "type": "BuiltInRole"
                    },
                    "scope": {
                        "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
                        "displayName": "sub-sbx-sbx",
                        "type": "subscription"
                    }
                }
            },
            "name": "25213440-0863-436d-abde-c37c7b05001a",
            "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a",
            "type": "Microsoft.Authorization/roleEligibilitySchedules"
        }
    ]
}

..but if you query role eligibility schedule instances (again before the start time), the response is empty:

GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01
{
    "value": []
}

Checking the portal again after the start time (plus a few minutes for something to happen behind the scenes in PIM), you see the role eligibility schedule instance:


Same in the role eligibility schedule instances API:

GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01
{
    "value": [
        {
            "properties": {
                "roleEligibilityScheduleId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a",
                "scope": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
                "roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                "principalId": "721e3492-6665-4731-8884-e161fb727951",
                "principalType": "Group",
                "status": "Provisioned",
                "startDateTime": "2023-12-04T11:15:16.823Z",
                "endDateTime": "2024-12-03T11:15:16.773Z",
                "memberType": "Direct",
                "createdOn": "2023-12-04T11:15:16.823Z",
                "expandedProperties": {
                    "principal": {
                        "id": "721e3492-6665-4731-8884-e161fb727951",
                        "displayName": "CSG-RBAC-Test",
                        "type": "Group"
                    },
                    "roleDefinition": {
                        "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                        "displayName": "Contributor",
                        "type": "BuiltInRole"
                    },
                    "scope": {
                        "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
                        "displayName": "sub-sbx-sbx",
                        "type": "subscription"
                    }
                }
            },
            "name": "da93a041-529e-45ac-a095-ee314398ca5d",
            "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilityScheduleInstances/da93a041-529e-45ac-a095-ee314398ca5d",
            "type": "Microsoft.Authorization/roleEligibilityScheduleInstances"
        }
    ]
}

I'm unaware of any way to see future-dated schedules in the portal.

Interestingly, if you go back to the role eligibility schedules after the start time passes, the status, startDateTime, createdOn and updatedOn fields have all been touched:

GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01
{
    "value": [
        {
            "properties": {
                "roleEligibilityScheduleRequestId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/25213440-0863-436d-abde-c37c7b05001a",
                "scope": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
                "roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                "principalId": "721e3492-6665-4731-8884-e161fb727951",
                "principalType": "Group",
                "status": "Provisioned",
                "startDateTime": "2023-12-04T11:15:16.823Z",
                "endDateTime": "2024-12-03T11:15:16.773Z",
                "memberType": "Direct",
                "createdOn": "2023-12-04T11:15:16.823Z",
                "updatedOn": "2023-12-04T11:15:16.823Z",
                "expandedProperties": {
                    "principal": {
                        "id": "721e3492-6665-4731-8884-e161fb727951",
                        "displayName": "CSG-RBAC-Test",
                        "type": "Group"
                    },
                    "roleDefinition": {
                        "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                        "displayName": "Contributor",
                        "type": "BuiltInRole"
                    },
                    "scope": {
                        "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
                        "displayName": "sub-sbx-sbx",
                        "type": "subscription"
                    }
                }
            },
            "name": "25213440-0863-436d-abde-c37c7b05001a",
            "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a",
            "type": "Microsoft.Authorization/roleEligibilitySchedules"
        }
    ]
}

The only words I've ever found to describe the difference are here: https://learn.microsoft.com/en-us/rest/api/authorization/privileged-role-eligibility-rest-sample#list-eligible-assignments

HTH
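The practical consequence of the answer above is that an audit of eligible assignments which only looks at schedule instances (or at the portal) misses future-dated schedules that are already Granted. The following is an added example, not code from the answer or from Microsoft: it fetches both ARM lists shown above, matches instances back to their schedule through properties.roleEligibilityScheduleId, and reports every schedule that has no instance yet. The HTTP helper assumes the caller supplies a bearer token for https://management.azure.com (for instance from `az account get-access-token --resource https://management.azure.com`); the sample records at the bottom are constructed with placeholder ids so the logic can be exercised offline.

```python
"""Added example (not from the original answer): audit PIM eligibility by
comparing roleEligibilitySchedules with roleEligibilityScheduleInstances.
Assumption: the caller supplies a bearer token for management.azure.com."""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional

ARM = "https://management.azure.com"
API_VERSION = "2020-10-01"  # same api-version as the requests in the answer


def arm_list(scope: str, resource_type: str, token: str) -> list:
    """GET an ARM list endpoint under `scope`, following nextLink pagination."""
    url = f"{ARM}{scope}/providers/Microsoft.Authorization/{resource_type}?api-version={API_VERSION}"
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("nextLink")  # absent on the last page
    return items


def parse_utc(ts: str) -> datetime:
    """Parse ARM timestamps such as 2023-12-04T11:15:16.823Z as aware UTC datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def pending_schedules(schedules: list, instances: list, now: datetime) -> list:
    """Return schedules that no instance refers to yet: these are the ones the
    portal does not show (typically future-dated, status Granted, not Provisioned).
    ARM resource ids are case-insensitive, so ids are compared lower-cased."""
    instantiated = {i["properties"]["roleEligibilityScheduleId"].lower() for i in instances}
    report = []
    for s in schedules:
        if s["id"].lower() in instantiated:
            continue
        p = s["properties"]
        x = p.get("expandedProperties", {})
        report.append({
            "schedule_id": s["id"],
            "principal": x.get("principal", {}).get("displayName", p["principalId"]),
            "role": x.get("roleDefinition", {}).get("displayName", p["roleDefinitionId"]),
            "scope": p["scope"],
            "status": p["status"],
            "start": p["startDateTime"],
            "starts_in_future": parse_utc(p["startDateTime"]) > now,
        })
    return report


def audit(scope: str, token: str, now: Optional[datetime] = None) -> list:
    """Fetch both lists for `scope` (e.g. '/subscriptions/<id>') and report pending schedules."""
    now = now or datetime.now(timezone.utc)
    return pending_schedules(
        arm_list(scope, "roleEligibilitySchedules", token),
        arm_list(scope, "roleEligibilityScheduleInstances", token),
        now,
    )


# Constructed sample data with placeholder ids (not real tenants), shaped like the
# responses in the answer; b24988ac-... is the built-in Contributor role definition.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SCHED_ID = SUB + "/providers/Microsoft.Authorization/roleEligibilitySchedules/11111111-1111-1111-1111-111111111111"
ROLE_ID = SUB + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"


def sample_schedule(status: str, start: str) -> dict:
    """One schedule as returned by the roleEligibilitySchedules list (constructed)."""
    return {
        "id": SCHED_ID,
        "type": "Microsoft.Authorization/roleEligibilitySchedules",
        "properties": {
            "scope": SUB, "roleDefinitionId": ROLE_ID, "principalType": "Group",
            "principalId": "22222222-2222-2222-2222-222222222222",
            "status": status, "startDateTime": start, "endDateTime": "2024-12-03T11:15:00Z",
            "expandedProperties": {
                "principal": {"displayName": "CSG-RBAC-Test", "type": "Group"},
                "roleDefinition": {"displayName": "Contributor", "type": "BuiltInRole"},
            },
        },
    }


SAMPLE_INSTANCE = {  # the instance that appears once the start time has passed (constructed)
    "id": SUB + "/providers/Microsoft.Authorization/roleEligibilityScheduleInstances/33333333-3333-3333-3333-333333333333",
    "type": "Microsoft.Authorization/roleEligibilityScheduleInstances",
    "properties": {"roleEligibilityScheduleId": SCHED_ID, "status": "Provisioned"},
}

if __name__ == "__main__":
    # Before the start time: schedule exists, no instance -> reported as pending.
    print(pending_schedules([sample_schedule("Granted", "2023-12-04T11:15:00Z")], [],
                            parse_utc("2023-12-04T11:05:00Z")))
    # After the start time: the instance refers to the schedule -> nothing pending.
    print(pending_schedules([sample_schedule("Provisioned", "2023-12-04T11:15:16.823Z")],
                            [SAMPLE_INSTANCE], parse_utc("2023-12-04T11:20:00Z")))
```

Run `audit("/subscriptions/<id>", token)` against a real scope to list eligible assignments that are granted but not yet visible; a schedule reported with `starts_in_future` set to False and status Granted is worth a second look, since an instance should have been provisioned shortly after the start time.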


What is an Eligible Schedule Instance in Privileged Identity Management?

Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule / Get-AzRoleEligibilitySchedule: the command retrieves the eligibility schedule for a resource scope in Azure Active Directory.

Using this cmdlet, administrators can gather information about when certain roles can be assigned to users, helping them plan and manage role assignments efficiently within their Azure AD environment.

Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance / Get-AzRoleEligibilityScheduleInstance: the command retrieves the specified role eligibility schedule instance in Azure Active Directory.

It's important to note that the Beta in Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule and Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance indicates that these are in the Microsoft Graph Beta API, which means they are not yet generally available and could be subject to changes. On the Azure side, Get-AzRoleEligibilitySchedule and Get-AzRoleEligibilityScheduleInstance are part of the stable Az module for Azure PowerShell.

Reference: Get-AzRoleEligibilitySchedule & Get-AzRoleEligibilityScheduleInstance

Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule