Fix issue #103 not being able to fetch policyId for Entra Id custom role eligible assignments #105
Conversation
I was ready to publish the same fix now, but glad someone has already fixed it. I can confirm this is the correct fix for this issue.

This PR might fix #109 as well?
Pull request overview
This PR aims to fix issue #103 where Get-AzurePIMDirectoryRoles.ps1 cannot resolve the PIM policy for Entra ID custom roles because the roleDefinitionId from schedule instances is not suitable for querying roleManagementPolicyAssignments.
Changes:
- In Get-PIMDirectoryRoleEligibleAssignment, changed the value passed into Get-PIMDirectoryRoleAssignmentSetting from $_.roleDefinitionId to $_.roleDefinition.templateId to align with the ID expected by the policy assignment query.
- Minor formatting change at the file's closing brace.
| $_ | select *, @{n = 'PrincipalName'; e = { $_.principal.displayName } }, @{n = 'RoleName'; e = { $_.roleDefinition.displayName } } | ||
| } else { | ||
| $rules = Get-PIMDirectoryRoleAssignmentSetting -roleId $_.roleDefinitionId -dontBeautify | ||
| $rules = Get-PIMDirectoryRoleAssignmentSetting $_.roleDefinition.templateId -dontBeautify |
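Review bot: the added line drops the -roleId parameter name that the removed line had and passes $_.roleDefinition.templateId positionally, so which parameter receives the templateId now depends on the positional declarations inside Get-PIMDirectoryRoleAssignmentSetting rather than on the caller's intent. Keep the name explicit, $rules = Get-PIMDirectoryRoleAssignmentSetting -roleId $_.roleDefinition.templateId -dontBeautify, so the value is guaranteed to bind to roleId and the roleManagementPolicyAssignments filter is built from it.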
Copilot (AI), Feb 4, 2026
Changing the call here to Get-PIMDirectoryRoleAssignmentSetting $_.roleDefinition.templateId -dontBeautify drops the -roleId named parameter and passes templateId positionally, which will bind to the roleName parameter rather than roleId. Given the implementation of Get-PIMDirectoryRoleAssignmentSetting only uses $roleName to look up a role by display name and never assigns $roleID from $roleId, this means the subsequent roleManagementPolicyAssignments query will execute with a null/empty roleDefinitionId filter and fail to return a policy for both built‑in and custom roles. To preserve the intended behavior, this call should still use the -roleId parameter (with the updated templateId value), and Get-PIMDirectoryRoleAssignmentSetting should be updated so that when the roleId parameter set is used it assigns $roleID from $roleId before querying policy assignments.
| $rules = Get-PIMDirectoryRoleAssignmentSetting $_.roleDefinition.templateId -dontBeautify | |
| $rules = Get-PIMDirectoryRoleAssignmentSetting -roleId $_.roleDefinition.templateId -dontBeautify |
This fix looks good 👍 but the comment from GitHub Copilot also deserves a review. In short, it is best to reference parameter names explicitly instead of relying on positional, implicit parameter selection.
$rules = Get-PIMDirectoryRoleAssignmentSetting -roleId $_.roleDefinition.templateId -dontBeautify
Fix the issue in #103
The script Get-AzurePIMDirectoryRoles.ps1 is fetching all roleEligibilityScheduleInstances, then using the roleDefinitionId to fetch the policyId via the Graph endpoint v1.0/policies/roleManagementPolicyAssignments, to then get the rules for the role.

The roleDefinitionId for Entra ID custom roles received from the "roleEligibilityScheduleInstances" call cannot be used for fetching the roleManagementPolicyAssignments.

I've changed

$rules = Get-PIMDirectoryRoleAssignmentSetting -roleId $_.roleDefinitionId -dontBeautify

to use

$rules = Get-PIMDirectoryRoleAssignmentSetting $_.roleDefinition.templateId -dontBeautify

I've tested the change in my environment, but please verify my PR in an environment with both eligible PIM assignments on a built-in role and on an Entra ID custom role.
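The two points raised in this thread, that the policy lookup must key on roleDefinition.templateId rather than the schedule instance's roleDefinitionId, and that the value must be passed by parameter name so it cannot silently bind to a name-based parameter set, are shown together in the following added example. It is not code from this repository: Get-DirectoryRolePolicyAssignment is a hypothetical helper whose two parameter sets only mirror the shape described in the review comment, and it assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest) with the RoleManagement.Read.Directory and RoleManagementPolicy.Read.Directory scopes.

```powershell
# Added example, not the project's own code. Hypothetical helper with a name-based
# parameter set (positional) and an id-based parameter set (named only).
function Get-DirectoryRolePolicyAssignment {
    [CmdletBinding(DefaultParameterSetName = 'ByName')]
    param(
        [Parameter(ParameterSetName = 'ByName', Position = 0, Mandatory)]
        [string]$roleName,

        [Parameter(ParameterSetName = 'ById', Mandatory)]
        [string]$roleId
    )

    if ($PSCmdlet.ParameterSetName -eq 'ByName') {
        # Resolve a display name to its role definition; templateId is the stable
        # identifier that the policy assignment filter expects for both built-in
        # and custom directory roles.
        $uri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?`$filter=displayName eq '$roleName'"
        $def = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
        if (-not $def) { throw "No directory role definition named '$roleName'" }
        $roleId = $def.templateId
    }

    # The failure mode from the review: an empty roleId yields a filter that matches
    # nothing and returns no policy. Fail loudly instead.
    if ([string]::IsNullOrWhiteSpace($roleId)) { throw 'roleId resolved to an empty value' }

    $filter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleId'"
    $uri = "https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?`$filter=$filter&`$expand=policy(`$expand=rules)"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value
}

# Check which parameter is positional before relying on an unnamed argument.
(Get-Command Get-DirectoryRolePolicyAssignment).ParameterSets | ForEach-Object { $_.ToString() }

# Enumerate eligible assignments the same way the script does, expanding the
# principal and roleDefinition so templateId is available on each instance.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'RoleManagementPolicy.Read.Directory'
$instancesUri = 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleInstances?$expand=roleDefinition,principal'
$instances = (Invoke-MgGraphRequest -Method GET -Uri $instancesUri).value

foreach ($i in $instances) {
    # A positional call, Get-DirectoryRolePolicyAssignment $i.roleDefinition.templateId,
    # would bind the GUID to -roleName and fail the display-name lookup.
    # Naming the parameter routes the templateId to the id-based parameter set.
    $assignment = Get-DirectoryRolePolicyAssignment -roleId $i.roleDefinition.templateId

    [pscustomobject]@{
        Principal        = $i.principal.displayName
        Role             = $i.roleDefinition.displayName
        RoleDefinitionId = $i.roleDefinitionId          # tenant-specific for custom roles
        TemplateId       = $i.roleDefinition.templateId # what the policy filter needs
        PolicyId         = $assignment.policyId
        RuleCount        = @($assignment.policy.rules).Count
    }
}
```

The explicit -roleId at the call site is the cheap part of the fix; the guard inside the helper is what turns a wrong parameter binding from a silent empty result into an error that surfaces during testing on a tenant that has both built-in and custom role assignments.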