Good Workaround!

Assigning PIM Azure RBAC permissions using Terraform and ARM template

Currently, Terraform does not support eligible assignments of permissions in Azure RBAC; the azurerm_role_assignment resource creates only active assignments. Continue reading if you want to assign your eligible assignments using ARM or Terraform (Terraform will deploy the ARM template). Newer releases of the azurerm provider have since added an azurerm_pim_eligible_role_assignment resource; the workaround below remains useful where you are pinned to a provider version without it.


With the third version of the PIM APIs we have the Role Eligibility Schedule Request, documented in both the REST API reference and the ARM template reference. However, the documentation can be a bit difficult to understand, especially because the roleDefinitionId in the ARM template must be provided differently than when using the API.

Let’s first define an ARM template, as below, that can be used to assign eligible permissions:

Parameter – principalId

This should be the object ID of the principal you are granting the access to. If you are assigning permissions to the user [email protected], use that user's object ID from Azure AD as the value.


Parameter – roleDefinitionId

I spent way too much time figuring out the format of the value for this parameter. It is the fully qualified resource ID of the role definition, in the form /subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/<role id>.

The first GUID (1272951b-df54-45eb-9c08-a8c93ea18302) should be replaced with the ID of your subscription, while the second GUID (b24988ac-6180-42a0-ab88-20f7382dd24c) is the Azure RBAC role definition ID, found in the built-in roles reference. The example is Contributor.

Parameter – id

All eligible schedule requests have a unique ID, defined client-side, so this should basically just be a unique GUID. The ARM template generates it automatically (a newGuid() parameter default).

Parameter – requestType

I have defaulted this to AdminUpdate, as that also works for new assignments. However, because of how PIM works, to actually remove an assignment you must deploy the ARM template with the value AdminRemove. This is very annoying from a Terraform perspective. Also, deploying with AdminRemove a second time fails with RoleAssignmentDoesNotExist.

Deploying using ARM template

Here is how to deploy eligible Contributor permission to a user with object ID e9176fb9-63d3-480a-a51f-e5399059b588 at subscription level:

And this is how to do the same thing on resource group level:

Now that we have things going with the ARM template, let's do it with Terraform as well.

Deploying using Terraform

Some say it's cheating, but we need to use the ARM template here as well, because currently no Terraform resource exists for eligible role assignments.

Also, the ARM template is read into Terraform as JSON, and Terraform does not accept comments in JSON documents, so remove any comments from the template before saving the file.

Go to https://github.com/goodworkaround/terraform-az-rbac-pim-assignment and clone my Terraform example. The example uses the Azure AD provider to create groups, which is not necessary; you can get away with only the AzureRM provider, but then you need to specify the object IDs of the principals you are granting access to.
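The following is an added example that puts the ARM template from the parameter walkthrough above and the Terraform deployment described in this section into one configuration. It is my code, not the template or module from the post or from the goodworkaround repository. The variable and resource names, the westeurope deployment location and the "Managed by Terraform" justification are assumptions; the subscription ID comes from the provider's current subscription rather than from the post's screenshots, and the role GUID defaults to the built-in Contributor role named above.

```hcl
# Added example for this post's workaround; not the template or module from the
# goodworkaround repository. Assumed: the deploying principal has Owner or User
# Access Administrator on the subscription (as noted in the comments), and the
# "westeurope" location and all names are illustrative.

provider "azurerm" {
  features {
    template_deployment {
      # roleEligibilityScheduleRequests cannot be deleted (the API returns 405),
      # so the provider must not try to delete nested resources on destroy.
      delete_nested_items_during_deletion = false
    }
  }
}

variable "principal_id" {
  description = "Object ID of the user, group or service principal to make eligible."
  type        = string
}

variable "role_definition_guid" {
  description = "Role definition GUID. Default is the built-in Contributor role."
  type        = string
  default     = "b24988ac-6180-42a0-ab88-20f7382dd24c"
}

variable "request_type" {
  description = "AdminUpdate creates or updates the eligibility; AdminRemove removes it."
  type        = string
  default     = "AdminUpdate"

  validation {
    condition     = contains(["AdminUpdate", "AdminRemove"], var.request_type)
    error_message = "request_type must be AdminUpdate or AdminRemove."
  }
}

data "azurerm_subscription" "current" {}

locals {
  # The template wants the fully qualified role definition resource ID
  # (subscription scope + role GUID), not the bare role GUID.
  role_definition_id = "${data.azurerm_subscription.current.id}/providers/Microsoft.Authorization/roleDefinitions/${var.role_definition_guid}"

  # The ARM template is kept as HCL and serialised with jsonencode, so it can
  # carry comments without tripping Terraform's comment-free JSON handling.
  template = {
    "$schema"      = "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#"
    contentVersion = "1.0.0.0"
    parameters = {
      principalId      = { type = "string" }
      roleDefinitionId = { type = "string" }
      requestType      = { type = "string", allowedValues = ["AdminUpdate", "AdminRemove"] }
      # Each request needs a fresh client-side GUID as its name; reusing one
      # fails with Conflict, so newGuid() produces a new one per deployment.
      requestName = { type = "string", defaultValue = "[newGuid()]" }
      # Eligibility starts now; utcNow() is formatted as ISO 8601 extended.
      startDateTime = { type = "string", defaultValue = "[utcNow('yyyy-MM-ddTHH:mm:ssZ')]" }
    }
    resources = [{
      type       = "Microsoft.Authorization/roleEligibilityScheduleRequests"
      apiVersion = "2020-10-01"
      name       = "[parameters('requestName')]"
      properties = {
        principalId      = "[parameters('principalId')]"
        roleDefinitionId = "[parameters('roleDefinitionId')]"
        requestType      = "[parameters('requestType')]"
        justification    = "Managed by Terraform"
        scheduleInfo = {
          startDateTime = "[parameters('startDateTime')]"
          expiration    = { type = "NoExpiration" }
        }
      }
    }]
  }
}

resource "azurerm_subscription_template_deployment" "pim_eligible" {
  name             = "pim-eligible-${var.principal_id}"
  location         = "westeurope"
  deployment_mode  = "Incremental"
  template_content = jsonencode(local.template)

  # Switching request_type to AdminRemove changes parameters_content, which
  # makes Terraform redeploy the template and so submit the removal request.
  parameters_content = jsonencode({
    principalId      = { value = var.principal_id }
    roleDefinitionId = { value = local.role_definition_id }
    requestType      = { value = var.request_type }
  })
}
```

Apply with request_type left at AdminUpdate to create the eligibility; to tear it down, apply once with request_type = "AdminRemove" and only then delete the configuration, since destroying the deployment resource alone leaves the eligibility in place. For a resource-group scope, swap in azurerm_resource_group_template_deployment (with resource_group_name and the 2019-04-01 deploymentTemplate.json# schema); the request is then created at that resource group's scope, and the deploying principal needs Owner or User Access Administrator there.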

There are two modules available:

PIM Assignment – Subscription

The following code will create an Azure AD group called “subscription_owner_group_1” and assign it eligible “Owner”

As an admin in PIM, you will find the new eligible assignment listed, and members of the group should see it in PIM as well.

It is worth noting that simply removing the module from your configuration will not remove the assignment. Instead, apply the module once with request_type = “AdminRemove”, which removes the eligibility; then you can remove the module.

PIM Assignment – Resource Group

The following code will create an Azure AD group called “rg_contributor_group_1”, a resource group “rg1” and delegate the group eligible Contributor on the resource group:



Published by Marius Solbakken


16 thoughts on “ Assigning PIM Azure RBAC permissions using Terraform and ARM template ”

Nice article, could you please tell me the role that is assigned to the service principal doing this task?

Hi, if you mean the role of the principal that deploys the ARM template, it is either Owner or User Access Administrator. 🙂

thank you! I will try with that.

Have you tried using the AdminRemove test for the same principal ID which was added by the AdminAdd step? It fails every time.

I have, with success – what is your error message?

Error: removing items provisioned by this Template Deployment: `properties.OutputResources` was nil – insufficient data to clean up this Template Deployment

Ah yes, can you try to disable the delete_nested_items_during_deletion setting of the azurerm provider to see if that resolves things?

yup that worked, I don’t really use ARM deployment with TF, but your article has been quite helpful.

One more thing I noticed: after assigning an Azure resource PIM role to a principal ID, if I run the same release again, it fails with the error { “code”: “Conflict”, “message”: “A role assignment request with Id: a2d47b66-96d6-16d4-5b35-29b3139cae94 already exists” }. I thought it would just pass through.

Yes, I know. The API expects a unique ID each time. Terrible design on the Microsoft side.

Will this work for Azure AD roles like “User Administrator” or “Application Administrator”? I am trying to make PIM work for Azure AD roles.

No, this is for RBAC only. Azure AD PIM roles is a completely different api 🙂

That is right. Also make sure your SPN has the right API permissions and RBAC to do this via code for Azure resource roles or AD roles 🙂 For resource roles I was able to get it working with User Access Administrator on the subscription, as well as Contributor access with User.Read, PrivilegedAccess.Read.AzureResources and PrivilegedAccess.Write.AzureResources as the least permissions granted.

Great solution! A couple of questions if you don’t mind!

1/ we were thinking to use ‘az rest’ to achieve the same but all of our testing using: https://docs.microsoft.com/en-us/rest/api/authorization/role-eligibility-schedule-requests/create#requesttype

with basically an identical payload it didn’t create the assignment, it left it in a strange ‘pending’ state

any thoughts on why this might be?

2/ any ideas on setting the role policy via ARM or REST? eg MFA required, 4 hours, etc… it uses PATCH method: https://docs.microsoft.com/en-us/rest/api/authorization/privileged-role-policy-rest-sample#update-a-role-management-policy

This is great solution but I am facing an issue when running AdminRemove on resource group template, it fails by saying below error:

Error: removing items provisioned by this Template Deployment: deleting Nested Resource “/subscriptions/***/resourceGroups/***/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/***”: resources.Client#DeleteByID: Failure sending request: StatusCode=405 — Original Error: Code=”Failed” Message=”The async operation failed.” AdditionalInfo=[{“message”:”The requested resource does not support http method ‘DELETE’.”}]

Hi, for this you will need to disable the delete_nested_items_during_deletion feature flag. This was defaulted to true at some point in the past.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment


Manage Azure Role Assignments Like a Pro with PowerShell


Today’s blog post is a little different. I have a couple of examples of how you can use PowerShell snippets and simple cmdlets to get or set role assignments in your Azure subscriptions.

PowerShell examples for managing Azure Role assignments

  • List all role assignments in a subscription
  • Get all role assignments for a specific resource group
  • Get all role assignments for a specific user
  • Add a role assignment to a user
  • Remove a role assignment for a user
  • Remove all role assignments for a specific user
  • List all built-in roles
  • List all custom roles
  • Create a custom role
  • Update a custom role
  • Delete a custom role
  • List all users or groups assigned to a specific role
  • List all permissions granted by a specific role
  • List all resource groups that a user has access to
  • Create a role assignment for a service principal
  • PowerShell script to manage Azure role assignments

And now there is a script that combines some of these examples into one usable function:

I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.

Vukasin Terzic


Create Azure role assignments

In this section, you grant permissions to GKE on Azure to access Azure APIs.

To save your service principal and subscription IDs to a shell variable, run the following command. Replace APPLICATION_NAME with a name for your application.

Assign permissions to the service principal. GKE on Azure requires permissions to provision required roles for the managed Azure resources at the subscription level.

To create a custom role with required subscription scoped permissions:

Create a new file named RoleAssignmentCreator.json.

Open RoleAssignmentCreator.json in an editor and add the following permissions:

Create the new custom role with the following command:

Assign the role to the service principal using the following command:

When assigning permissions, you can scope them either at the Azure subscription level, which applies to all resources within the subscription, or at the resource group level, which limits permissions to a specific resource group.

Subscription

Assign the Contributor, User Access Administrator, and Key Vault Administrator roles to your subscription:

Resource group

Create Role assignments scoped to the cluster resource group. Replace CLUSTER_RESOURCE_GROUP_NAME with the name of the resource group for your GKE on Azure.

If your Azure Virtual Network is in a different resource group, create Role assignments scoped to the virtual network resource group.

Replace the following:

  • VNET_RESOURCE_GROUP_NAME : the name for the resource group for your GKE on Azure VNet


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-04-24 UTC.


Role Assignment Schedule Requests

Link to resource definition: Microsoft.Authorization/roleAssignmentScheduleRequests

RoleAssignmentSchedule.ReadWrite.Directory

Allows the app to read and manage the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships.


Interface RoleAssignmentSchedule

Role Assignment schedule

  • assignmentType (optional): Assignment type of the role assignment schedule.
  • condition (optional): The conditions on the role assignment. This limits the resources it can be assigned to, e.g. @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'
  • conditionVersion (optional): Version of the condition. Currently the accepted value is '2.0'.
  • createdOn (optional): DateTime when the role assignment schedule was created.
  • endDateTime (optional): End DateTime of the role assignment schedule.
  • expandedProperties (optional): Additional properties of principal, scope and role definition.
  • id (optional): The role assignment schedule ID. NOTE: this property is not serialized; it can only be populated by the server.
  • linkedRoleEligibilityScheduleId (optional): The ID of the roleEligibilitySchedule used to activate this roleAssignmentSchedule.
  • memberType (optional): Membership type of the role assignment schedule.
  • name (optional): The role assignment schedule name. NOTE: this property is not serialized; it can only be populated by the server.
  • principalId (optional): The principal ID.
  • principalType (optional): The principal type of the assigned principal ID.
  • roleAssignmentScheduleRequestId (optional): The ID of the roleAssignmentScheduleRequest used to create this roleAssignmentSchedule.
  • roleDefinitionId (optional): The role definition ID.
  • scope (optional): The role assignment schedule scope.
  • startDateTime (optional): Start DateTime of the role assignment schedule.
  • status (optional): The status of the role assignment schedule.
  • type (optional): The role assignment schedule type. NOTE: this property is not serialized; it can only be populated by the server.
  • updatedOn (optional): DateTime when the role assignment schedule was modified.


Create an assignment rule

Create an assignment rule and apply it to a single table. Assignment rules are designed to run at the time you open a record.

  • Navigate to All > System Policy > Rules > Assignment and click New.


Get unifiedRoleAssignmentScheduleRequest


Namespace: microsoft.graph

In PIM, read the details of a request for an active and persistent role assignment made through the unifiedRoleAssignmentScheduleRequest object.

This API is available in the following national cloud deployments.

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

For delegated scenarios, the signed-in user must also be assigned at least one of the following Microsoft Entra roles :

  • For read operations: Global Reader, Security Operator, Security Reader, Security Administrator, or Privileged Role Administrator
  • For write operations: Privileged Role Administrator

HTTP request

Optional query parameters

This method supports the $select and $expand OData query parameters to help customize the response. For general information, see OData query parameters.

Request headers

Request body

Don't supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and a unifiedRoleAssignmentScheduleRequest object in the response body.


Example 2: Retrieve specified properties of a role assignment request and expand the relationships
