msgraph-sdk-powershell
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance fails when Authentication Context is enabled on Group
### Describe the bug
I am trying to submit a new group activation request using MgGraph. The group has the setting "On activation, require: Authentication context: PIM Activation" configured.
I have used Get-MsalToken to acquire an access token which includes the acrs claim c1. If I decode the token using https://jwt.ms/ I can see acrs = c1 in the token, and the auth log shows that the login triggered the CA policy with the auth context.
However, when I attempt to use New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance to elevate, I get the error: RoleAssignmentRequestAcrsValidationFailed
### Expected behavior
The cmdlet succeeds
### How to reproduce
```powershell
$graph = "https://graph.microsoft.com"
$scopes = @(
    "$graph/PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
    "$graph/PrivilegedEligibilitySchedule.Read.AzureADGroup",
    "$graph/RoleManagementPolicy.Read.AzureADGroup"
)
$tenantId = "TENANT_ID"
# Microsoft Graph Command Line Tools (public client) application ID
$appId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"
$connectionDetails = @{
    'TenantId'    = $tenantId
    'ClientId'    = $appId
    'Interactive' = $true
    'scopes'      = $scopes
    # URL-encoded claims challenge: {"access_token":{"acrs":{"essential":true,"value":"c1"}}}
    'ExtraQueryParameters' = @{'claims' = '%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22c1%22%7D%7D%7D'}
}
Clear-MsalTokenCache
$token = Get-MsalToken @connectionDetails
# Graph PowerShell SDK 2.x expects the access token as a SecureString
Connect-MgGraph -NoWelcome -AccessToken ($token.AccessToken | ConvertTo-SecureString -AsPlainText -Force)
$myAccount = Get-MgUser -UserId (Get-MgContext).Account
$requestParams = @{
    accessId     = "member"
    principalId  = $myAccount.Id
    groupId      = "GROUP_ID"
    action       = "selfActivate"
    scheduleInfo = @{
        startDateTime = (Get-Date)
        expiration    = @{
            type     = "afterDuration"
            duration = "PT1H"
        }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $requestParams
```
### SDK Version
2.19.0
### Latest version known to work for scenario above?
No response
### Known Workarounds
No response
### Debug output
```text
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method: POST
Absolute Uri: https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; en-AU),PowerShell/2024.2.2
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.19.0
client-request-id : 9d2707d8-b797-439a-a30e-d94c7e16a61b
Body: { "action": "selfActivate", "scheduleInfo": { "expiration": { "duration": "PT5M", "type": "afterDuration" } }, "accessId": "member", "groupId": "GROUP_ID", "principalId": "PRINCIPAL_ID" }
DEBUG: ============================ HTTP RESPONSE ============================
Status Code: BadRequest
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : ef737aa5-0d1d-43ad-bc4f-844e05171c08
client-request-id : 9d2707d8-b797-439a-a30e-d94c7e16a61b
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Australia East","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SY2PEPF00006466"}}
Date : Wed, 19 Jun 2024 06:48:51 GMT
Body: { "error": { "code": "RoleAssignmentRequestAcrsValidationFailed", "message": "&claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%20%22value%22%3A%22c1%22%7D%7D%7D", "innerError": { "date": "2024-06-19T06:48:51", "request-id": "ef737aa5-0d1d-43ad-bc4f-844e05171c08", "client-request-id": "9d2707d8-b797-439a-a30e-d94c7e16a61b" } } }
```
### Configuration
```text
Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.17763
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```
### Other information
_No response_
Added missing cmdlet syntax on steps to reproduce
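The following is an added example, not code from the issue above or from the msgraph-sdk-powershell project. It reproduces the same flow (claims challenge for authentication context c1, token acquisition with MSAL.PS, self-activation request to the PIM for Groups endpoint) but builds the claims parameter from JSON instead of a hand-encoded string and decodes the issued token locally to confirm the acrs, scp and exp claims before the PIM call is made. That check is what separates "the token never carried the auth context" from "the service rejected a token that carries it", which is the distinction the error in this report turns on. The helper names ConvertFrom-JwtPayload and Test-AcrsToken are my own, TENANT_ID and GROUP_ID are placeholders, User.Read is added to the scopes so /me can be resolved, and the MSAL.PS and Microsoft.Graph modules are assumed to be installed.

```powershell
# Added example (not from the issue or the SDK project). Assumes the MSAL.PS and
# Microsoft.Graph modules are installed; TENANT_ID and GROUP_ID are placeholders.

function ConvertFrom-JwtPayload {
    # Decode the middle (payload) segment of a JWT: base64url -> JSON -> object.
    # No signature verification: this is a local inspection aid, not validation.
    param([Parameter(Mandatory)][string]$Token)
    $segment = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

function Test-AcrsToken {
    # Returns $true when the token carries the expected authentication context
    # (acrs claim), the scope the PIM call needs, and has not expired.
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$AuthContext   = 'c1',
        [string]$RequiredScope = 'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup'
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $ok = $true
    if (-not $claims.acrs -or $AuthContext -notin @($claims.acrs)) {
        Write-Warning "Token has no acrs=$AuthContext claim (acrs: $($claims.acrs -join ','))"
        $ok = $false
    }
    if ($RequiredScope -notin ($claims.scp -split ' ')) {
        Write-Warning "Token lacks scope $RequiredScope (scp: $($claims.scp))"
        $ok = $false
    }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow) {
        Write-Warning "Token expired at $expires"
        $ok = $false
    }
    return $ok
}

# Claims challenge built as JSON and URL-encoded, which yields the same string
# the issue writes by hand (%7B%22access_token%22%3A%7B%22acrs%22...).
$claimsJson = [ordered]@{
    access_token = [ordered]@{ acrs = [ordered]@{ essential = $true; value = 'c1' } }
} | ConvertTo-Json -Compress -Depth 5
$claimsEncoded = [Uri]::EscapeDataString($claimsJson)

$graph  = 'https://graph.microsoft.com'
$scopes = @(
    "$graph/PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
    "$graph/User.Read"   # added so /me can be resolved to an object ID
)
$token = Get-MsalToken -TenantId 'TENANT_ID' `
    -ClientId '14d82eec-204b-4c2f-b7e8-296a70dab67e' `
    -Interactive -Scopes $scopes `
    -ExtraQueryParameters @{ claims = $claimsEncoded }

# Stop here if the token does not satisfy the auth context; the PIM call would
# fail for a reason that has nothing to do with the SDK.
if (-not (Test-AcrsToken -Token $token.AccessToken)) {
    throw 'Access token does not satisfy the PIM authentication context'
}

Connect-MgGraph -NoWelcome -AccessToken ($token.AccessToken | ConvertTo-SecureString -AsPlainText -Force)

# Same request as the issue, sent through the generic request cmdlet so that
# cmdlet parameter binding is out of the picture. startDateTime is explicit UTC.
$me   = Invoke-MgGraphRequest -Method GET -Uri "$graph/v1.0/me"
$body = @{
    action       = 'selfActivate'
    accessId     = 'member'
    principalId  = $me.id
    groupId      = 'GROUP_ID'
    scheduleInfo = @{
        startDateTime = [DateTime]::UtcNow.ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT1H' }
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests" `
    -Body $body -ContentType 'application/json'
```

If Test-AcrsToken warns that acrs is missing, the claims challenge never reached the token endpoint in a form it honoured, and the CA policy sign-in log entry alone is not proof that the issued token carries the context. If it passes and the POST still returns RoleAssignmentRequestAcrsValidationFailed, the token is fine and the rejection is on the service side, which is the useful fact to attach to a report like this one.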