
AADRoleAssignmentScheduleRequest and AADRoleEligibilityScheduleRequest

Open bartvermeersch opened this issue 7 months ago • 6 comments

I'm a bit confused by the resources AADRoleAssignmentScheduleRequest and AADRoleEligibilityScheduleRequest

It would seem more logical to me to have the following resources instead AADRoleAssignmentSchedules and AADRoleEligibilitySchedules

I was wondering if the Request and Schedules were mixed up or merged together?

The "Request" objects are more transient (audit log like), while the "Schedules" objects are more configuration like.

If you go to the Azure portal GUI (https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/), you will see Schedules objects

bartvermeersch avatar Jun 12 '25 09:06 bartvermeersch

https://learn.microsoft.com/en-us/graph/api/resources/unifiedroleeligibilityschedulerequest?view=graph-rest-1.0
https://learn.microsoft.com/en-us/graph/api/resources/unifiedroleeligibilityschedule?view=graph-rest-1.0

Don't quote me on this but the 'schedulerequest' is used to make someone eligible, the 'schedule' is the record of the eligibility.

So to be able to make a user/group/etc eligible it has to use schedulerequest.

n9294651 avatar Jun 13 '25 03:06 n9294651

You're correct, there is no New/POST available on the "schedule" resources, but on the other hand, to retrieve them, the "schedule" resources seem better suited. I will have to dig some deeper.

I tried exporting the PIM role assignments, but couldn't retrieve all of them using the schedulerequest resource. However when using the graph API, I could retrieve them using the schedule endpoint.

bartvermeersch avatar Jun 13 '25 10:06 bartvermeersch

Is there any way to make the Role active? I can make roles eligible via AADRoleEligibilityScheduleRequest and export active roles with AADRoleAssignmentScheduleRequest but wanted some way to set a role as permanently active against the group via DSC code. I could then use PIM for group membership.

Or would this not be possible unless it was selfActivate rather than the DSC application? If it is possible it would be great to add as an example to the docs as it's not clear. (well not for me anyway)

tayhall avatar Jun 16 '25 20:06 tayhall

https://microsoft365dsc.com/resources/azure-ad/AADGroup/

Obviously the below DSC isn't all the required (or optional) fields but I assign permanently active permissions on groups like below

AADGroup 'MyGroups'
{
    DisplayName     = "DSCGroup"
    Description     = "Microsoft DSC Group"
    SecurityEnabled = $True
    IsAssignableToRole = $True
    AssignedToRole = @("Directory Readers") # or whatever role(s) you want to assign it
    Ensure          = "Present"
}

n9294651 avatar Jun 16 '25 20:06 n9294651

Thanks, I'll give that a go.


tayhall avatar Jun 16 '25 21:06 tayhall

Fixing this issue could also be useful https://github.com/microsoft/Microsoft365DSC/issues/5710

bartvermeersch avatar Jun 17 '25 17:06 bartvermeersch

I agree on this too. For AssignmentScheduleRequest - first the export is not exporting all Assigned PIMs. Even though I have more permanently assigned PIMs there, only 1 or 2 are returned. Also, it returns 'self activated' PIMs too. In my opinion, that is not required. Because, self activated PIMs are not configurations, they are a kind of logs. If I export that entry, I should not re-import the same entry later on as configuration. We do some permanent assignments for some App regs (service principals) that are used for other purposes to read the data from azure. EligibleScheduleRequest - seems working to some extent. still to test further. Especially the cases where role assignable group members are to be retrieved from another on-premises group dynamically.

subhashvinjamuri avatar Aug 01 '25 13:08 subhashvinjamuri
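The two points raised above (bartvermeersch: the "schedule" endpoints return the full current state while "scheduleRequest" does not; subhashvinjamuri: the request export also drags in self-activated entries that are logs, not configuration) can be checked directly against Graph. The following is an added example, not code from the Microsoft365DSC project or from anyone in this thread. It uses the Microsoft.Graph PowerShell SDK cmdlets for the directory PIM endpoints and assumes the Microsoft.Graph.Identity.Governance module is installed and that the signed-in account can be granted RoleManagement.Read.Directory; the filter on a Status of 'Provisioned' for admin requests is an assumption about what an exporter would want to keep.

```powershell
# Added example: contrast PIM "schedule" objects (current state, configuration-like)
# with "scheduleRequest" objects (transient, audit-like) and keep only the entries
# that a DSC export should re-apply. Read-only; nothing is created or changed.
# Assumes Microsoft.Graph.Identity.Governance is installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory' -NoWelcome

# 1. Current state: schedules.
#    AssignmentType 'Assigned'  = permanent or time-bound active assignment (configuration).
#    AssignmentType 'Activated' = an eligible principal activated the role (temporary).
$activeSchedules   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All
$eligibleSchedules = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All

# 2. History: requests. Every admin or self-service action leaves one request object,
#    so selfActivate/selfDeactivate entries describe events, not desired state.
$assignmentRequests = Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -All

$selfServiceActions = @('selfActivate', 'selfDeactivate', 'selfExtend', 'selfRenew')
$configLikeRequests = $assignmentRequests | Where-Object {
    $_.Action -notin $selfServiceActions -and $_.Status -eq 'Provisioned'   # assumption: keep completed admin requests only
}

# 3. Side-by-side counts: how much state exists vs. how much of it the surviving
#    admin requests still describe. A large gap is the symptom discussed in the thread.
[pscustomobject]@{
    ActiveAssignedSchedules  = @($activeSchedules | Where-Object AssignmentType -eq 'Assigned').Count
    ActiveActivatedSchedules = @($activeSchedules | Where-Object AssignmentType -eq 'Activated').Count
    EligibleSchedules        = @($eligibleSchedules).Count
    AllAssignmentRequests    = @($assignmentRequests).Count
    AdminAssignmentRequests  = @($configLikeRequests).Count
} | Format-List

# 4. Human-readable view of the permanent, directly assigned state (the part worth
#    putting under configuration management). Role ids are resolved to display names.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

$activeSchedules |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.MemberType -eq 'Direct' } |
    Select-Object @{ n = 'Role';    e = { $roleNames[$_.RoleDefinitionId] } },
                  PrincipalId, DirectoryScopeId,
                  @{ n = 'Expires'; e = { $_.ScheduleInfo.Expiration.Type } } |
    Sort-Object Role |
    Format-Table -AutoSize
```

Reading the output: the schedule lists are what the portal's PIM blades show and are the natural source for an export, while the request list is the trail of how that state came to be. Filtering out the self-service actions before exporting avoids turning an activation event into a "desired" assignment on the next apply.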