Get-MtRoleMember not returning all eligible members
Hi,
I'm working on a test that needs to get all eligible members of a specific role. The command Get-MtRoleMember returns nothing in our environment.
The command implementation in Get-MtRoleMember.ps1 seems to use the roleEligibilityScheduleRequests Graph endpoint. To the best of my knowledge, this endpoint only returns role elevation requests. If users are made permanently eligible, this endpoint will not return them.
See line 103: https://github.com/maester365/maester/blob/d67de01cd7286e4207a9fa6fdcef5b646517247c/powershell/public/Get-MtRoleMember.ps1#L103
I think we should use the roleEligibilitySchedules endpoint instead for this function. I used the following command in my test to get all eligible users in our environment:
Invoke-MtGraphRequest -RelativeUri "roleManagement/directory/roleEligibilitySchedules" -Filter "RoleDefinitionId eq '$($PrivilegedRole.RoleTemplateId)'"
Am I missing something here?
Thanks for your work, guys!
The addition as another type would allow for it to process both endpoints. I am not certain offhand about the different combinations that may occur, but I don't see an issue in adding an additional endpoint and returning a unique list of principals.
More info here on what needs to be fixed. https://x.com/IAMERICAbooted/status/1918342156525138101
Has this been fixed as of #1255 and 1.3.96 (if not already)?
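The suggestion in this thread to process both endpoints and return a unique list of principals can be sketched as follows. This is an added example, not code from the Maester project: `Get-EligiblePrincipalUnion` is a hypothetical helper, the sample records are constructed to mirror the situation reported above, and no status filtering is applied.

```powershell
# Added example. Get-EligiblePrincipalUnion is a hypothetical helper, not a Maester cmdlet.
function Get-EligiblePrincipalUnion {
    param(
        [Parameter(Mandatory)][string]$RoleDefinitionId,
        [object[]]$Schedule = @(),         # items from roleEligibilitySchedules
        [object[]]$ScheduleRequest = @()   # items from roleEligibilityScheduleRequests
    )
    $byPrincipal = [ordered]@{}
    $endpoints = [ordered]@{
        roleEligibilitySchedules        = $Schedule
        roleEligibilityScheduleRequests = $ScheduleRequest
    }
    foreach ($source in $endpoints.Keys) {
        foreach ($item in $endpoints[$source]) {
            if ($item.roleDefinitionId -ne $RoleDefinitionId) { continue }
            # One row per principal and scope, however many records mention it.
            $key = '{0}|{1}' -f $item.principalId, $item.directoryScopeId
            if (-not $byPrincipal.Contains($key)) {
                $byPrincipal[$key] = [pscustomobject]@{
                    PrincipalId      = $item.principalId
                    DirectoryScopeId = $item.directoryScopeId
                    Sources          = [System.Collections.Generic.List[string]]::new()
                }
            }
            # Record which endpoint(s) returned this principal, so gaps are visible.
            if ($source -notin $byPrincipal[$key].Sources) { $byPrincipal[$key].Sources.Add($source) }
        }
    }
    $byPrincipal.Values
}

# Constructed sample data (not real tenant output); all ids are placeholders.
$role = '00000000-0000-0000-0000-0000000000aa'
$schedules = @(
    [pscustomobject]@{ principalId = 'user-permanent'; roleDefinitionId = $role; directoryScopeId = '/' }
    [pscustomobject]@{ principalId = 'user-requested'; roleDefinitionId = $role; directoryScopeId = '/' }
)
$requests = @(
    [pscustomobject]@{ principalId = 'user-requested'; roleDefinitionId = $role; directoryScopeId = '/' }
)
Get-EligiblePrincipalUnion -RoleDefinitionId $role -Schedule $schedules -ScheduleRequest $requests |
    Select-Object PrincipalId, @{ n = 'Sources'; e = { $_.Sources -join ', ' } }
```

Against a live tenant, the two input arrays would come from the `Invoke-MtGraphRequest` call quoted in the post and the equivalent call against `roleManagement/directory/roleEligibilityScheduleRequests`. A principal whose `Sources` lists only `roleEligibilitySchedules` is one that a test reading only the requests endpoint would not see.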