
PIM group roles listing error through REST API

Open · jalvarezit opened this issue 1 year ago · 1 comment

Describe the bug

I am able to list PIM roles using portal but cannot get it using azure rest api over az cli.

I should be able to enumerate the PIM role assignments the same way I do through the portal:

[image]

The request it makes is the following: `https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadGroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true`

Related command

az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadgroups/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'

Errors

Forbidden({"error":{"code":"UnknownError","message":"{"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.","instanceAnnotations":[]}","innerError":{"date":"2024-04-29T23:01:01","request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18","client-request-id":"c6ad582d-b575-4da9-892b-f86a7e354c18"}}})

Issue script & Debug output

There is no script; it is just a single command.

Expected behavior

The command should list the PIM groups

Environment Summary

{
  "azure-cli": "2.59.0",
  "azure-cli-core": "2.59.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "account": "0.2.5",
    "az-cli-pim": "Unknown",
    "azext-pim": "Unknown"
  }
}

Additional context

  • I used az login --use-device-code to login with the same account as the browser.
  • There is another endpoint in the portal that returns Microsoft Entra roles: `https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true`. I managed to retrieve it using the CLI: `az rest --method GET --uri 'https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27REDACTED%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true'`
  • Replaced ids with REDACTED

jalvarezit avatar Apr 29 '24 23:04 jalvarezit

Thank you for opening this issue, we will look into it.

yonzhan avatar Apr 29 '24 23:04 yonzhan

What I get from https://github.com/Azure/azure-cli/issues/22775 is that the az cli app registration does not request these permissions (with delegated access tokens) and a custom app registration would be required. A workaround is provided which involves using a service principal (non-delegated access grant). This proposed workaround is far from ideal as we mainly use user identities on our privileged workstations and secret-free service principals in Azure Pipelines. The workaround would involve introducing a secret on a service principal so that authentication can happen on our privileged workstations.

az rest --uri "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'"

yields

Forbidden({"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope RoleManagementPolicy.Read.Directory,RoleManagementPolicy.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleManagement.Read.Directory,RoleManagement.Read.All.\",\"instanceAnnotations\":[]}","innerError":{"date":"2024-06-11T15:57:50","request-id":"87329a3d-8ace-4031-a334-66e8912d4286","client-request-id":"87329a3d-8ace-4031-a334-66e8912d4286"}}})

cveld avatar Jun 11 '24 16:06 cveld

Here's the script I've been using in my investigation

Write-Host "Getting your object id"
$object_id = az ad signed-in-user show --query "id" -o tsv

Write-Host "Patching URL"
$content = @'
https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27~~ID HERE~~%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true
'@
$content = $content -replace "~~ID HERE~~",$object_id
New-Item -ItemType Directory -Path ignore -ErrorAction SilentlyContinue | Out-Null
Set-Content -Path .\ignore\url_roleAssignments.txt -Value $content

Write-Host "Fetching"
az rest --method GET --url '@ignore/url_roleAssignments.txt'

# This github issue details some of the problems involved in Entra PIM activation
# https://github.com/Azure/azure-cli/issues/28854
#
# The Microsoft-controlled app registration is missing some scopes to hit some of the endpoints
#
# GET https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,scopedResource,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27~~ID HERE~~%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true
# GET https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=PrincipalId eq '~~ID HERE~~'
# az account get-access-token --resource-type ms-graph --scope "PrivilegedEligibilitySchedule.Read.AzureADGroup PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.ReadWrite.AzureADGroup"
# 
# This one works tho
# 
# https://graph.microsoft.com/beta/privilegedAccess/aadroles/roleAssignments?$expand=linkedEligibleRoleAssignment,subject,roleDefinition($expand=resource)&$filter=(subject/id%20eq%20%27~~ID HERE~~%27)+and+(assignmentState%20eq%20%27Eligible%27)&$count=true

Big thanks for including that beta graph endpoint in your additional context 💓

I'd prefer if the CLI supported the api.azrbac.mspim.azure.com endpoint since I like to match my tooling to what the portal does.

My understanding is that there are two issues:

  1. The Microsoft app registration needs to add to its list of delegated API scopes

Acceptance criteria: this command should succeed

az account get-access-token --resource-type ms-graph --scope "PrivilegedEligibilitySchedule.Read.AzureADGroup PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup PrivilegedAccess.Read.AzureADGroup PrivilegedAccess.ReadWrite.AzureADGroup"
  2. The az cli should update its list of known endpoints

Acceptance criteria:

a. This command response should include an entry with value: "https://api.azrbac.mspim.azure.com"

az cloud show --query endpoints

b. This command should succeed

az rest --method GET --url 'https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadroles/roleAssignments'

TeamDman avatar Jul 09 '24 17:07 TeamDman