Describe the bug
I am able to list PIM roles using the portal but cannot get them using the Azure REST API over az cli.
I should be able to enum the PIM role assignments the same way I do through the portal:

The request that it makes is the following:
https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadGroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true
Related command
az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadgroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'
Errors
Forbidden({"error":{"code":"UnknownError","message":"{"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.","instanceAnnotations":[]}","innerError":{"date":"2024-04-29T23:01:01","request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18","client-request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18"}}})
Issue script & Debug output
There is no script, it is just a single command.
Expected behavior
The command should list the PIM groups
Environment Summary
{
"azure-cli": "2.59.0",
"azure-cli-core": "2.59.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"account": "0.2.5",
"az-cli-pim": "Unknown",
"azext-pim": "Unknown"
}
}
Additional context
- I used az login --use-device-code to log in with the same account as the browser.
- There is another endpoint in the portal that returns Microsoft Entra Roles that uses the following endpoint
https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true which I managed to retrieve using the cli az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'
- Replaced ids with REDACTED
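A local diagnostic for the PermissionScopeNotGranted error above, added here as an example and not part of this issue or of azure-cli: it decodes the payload of the access token that az cli presents to Graph and checks whether either scope named in the error is present. The token below is constructed for offline use; in real use it would come from `az account get-access-token --resource-type ms-graph --query accessToken -o tsv`.

```python
import base64
import json

# Scopes named in the PermissionScopeNotGranted error; the message lists them as alternatives.
REQUIRED_ANY = ("PrivilegedAccess.Read.AzureADGroup", "PrivilegedAccess.ReadWrite.AzureADGroup")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    Verification is deliberately skipped: this inspects a token we obtained ourselves
    for diagnosis, it is not an authorisation decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> set[str]:
    """Delegated scopes are space-separated in 'scp'; app-only tokens carry a 'roles' list."""
    claims = jwt_claims(token)
    scopes = set(claims.get("scp", "").split())
    scopes.update(claims.get("roles", []))
    return scopes


def check_scopes(token: str, required_any=REQUIRED_ANY) -> tuple[bool, set[str]]:
    """Return (ok, granted); ok is True when at least one of required_any was granted."""
    granted = granted_scopes(token)
    return any(scope in granted for scope in required_any), granted


def make_sample_token(scp: str) -> str:
    """Build a CONSTRUCTED, unsigned sample token for offline testing (not a real Entra token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"aud": "https://graph.microsoft.com", "scp": scp})
    return f"{header}.{payload}."  # empty signature segment


if __name__ == "__main__":
    sample = make_sample_token("Directory.Read.All RoleManagement.Read.Directory")
    ok, granted = check_scopes(sample)
    if not ok:
        print("token lacks", " or ".join(REQUIRED_ANY))
    print("granted scopes:", sorted(granted))
```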