Skip to content

PIM group roles listing error through REST API #28854

Description

@jalvarezit

Describe the bug

I am able to list PIM roles using portal but cannot get it using azure rest api over az cli.

I should be able to enum the PIM role asignments the same way I do through portal:

image

The request that it does is the following `
https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadGroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true

Related command

az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadgroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'

Errors

Forbidden({"error":{"code":"UnknownError","message":"{"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.","instanceAnnotations":[]}","innerError":{"date":"2024-04-29T23:01:01","request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18","client-request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18"}}})

Issue script & Debug output

There is no script is just a single command

Expected behavior

The command should list the PIM groups

Environment Summary

{
  "azure-cli": "2.59.0",
  "azure-cli-core": "2.59.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "account": "0.2.5",
    "az-cli-pim": "Unknown",
    "azext-pim": "Unknown"
  }
}

Additional context

  • I used az login --use-device-code to login with the same account as the browser.
  • There is another endpoint in the portal that returns Microsoft Entra Roles that uses the following endpoint https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true which I managed to retrieve using the cli az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'
  • Replaced ids with REDACTED

Metadata

Metadata

Assignees

Labels

Accountaz login/accountAuto-AssignAuto assign by botService AttentionThis issue is responsible by Azure service team.act-identity-squadcustomer-reportedIssues that are reported by GitHub users external to the Azure organization.questionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that

Type

No type
No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions