Enhancement: add group assignment to AADRoleEligibilityScheduleRequest #3744
Comments
@techthoughts2 we're on it. The challenge is that the API doesn't differentiate between a user or a group. If we were accepting the Principal ID as GUID, this would be a no brainer, but we need to use the display name in order to support the tenant cloning scenario (where GUIDs would not match). My recommendation would be to add an additional parameter named "PrincipalType" that would default to user. If it is set to 'Group' then we would retrieve the group's principal. Would that solution work for you guys? Thanks
Yeah, I'm good with that. That would look like this based on your description:

```powershell
#------------------------------------------------------
# I want to assign a group
#------------------------------------------------------
AADRoleEligibilityScheduleRequest 'MyRequest' {
    Principal             = 'group-name-here'
    PrincipalType         = 'Group'
    RoleDefinition        = 'Security Administrator'
    DirectoryScopeId      = "/";
    Action                = 'AdminAssign'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}

#------------------------------------------------------
# I want to assign a User
#------------------------------------------------------
AADRoleEligibilityScheduleRequest 'MyRequest' {
    Principal             = '[email protected]'
    PrincipalType         = 'User'
    RoleDefinition        = 'Security Administrator'
    DirectoryScopeId      = "/";
    Action                = 'AdminAssign'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}

#------------------------------------------------------
# I want to assign a User (default behavior, PrincipalType omitted)
#------------------------------------------------------
AADRoleEligibilityScheduleRequest 'MyRequest' {
    Principal             = '[email protected]'
    RoleDefinition        = 'Security Administrator'
    DirectoryScopeId      = "/";
    Action                = 'AdminAssign'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}
```

If the above aligns with your thoughts, that's pretty straightforward to me!
Yes, this is exactly what I had in mind. While a GUID would make it easier for the scenario where you are trying to monitor an existing tenant whose GUIDs you already know, it doesn't make the configuration generic enough for multi-tier environments (dev, qa, prod) or for cloning the config across other horizontal prod instances. Thanks
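The PrincipalType lookup proposed in the thread above, written out as an added PowerShell example that is not Microsoft365DSC's own code. It assumes the Microsoft.Graph cmdlets Get-MgUser and Get-MgGroup, an existing Connect-MgGraph session with a directory read permission, and the hypothetical function name Resolve-PrincipalId; the point it adds is that a group display name, unlike a UPN, is not unique, so a cloned configuration must refuse ambiguous matches rather than pick one.

```powershell
# Added example, not code from the Microsoft365DSC project.
# Resolves the resource's Principal value to a PrincipalId according to
# PrincipalType, the way the proposed parameter would. Assumes a Connect-MgGraph
# session with a directory read permission (e.g. Directory.Read.All) already exists.
function Resolve-PrincipalId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Principal,
        [ValidateSet('User', 'Group')] [string] $PrincipalType = 'User'   # defaults to User as proposed
    )

    if ($PrincipalType -eq 'User') {
        # A UPN is unique within a tenant, so a direct lookup cannot be ambiguous.
        return (Get-MgUser -UserId $Principal -Property Id -ErrorAction Stop).Id
    }

    # Group display names are not unique. Escape the single quote for the OData
    # filter, then refuse to guess when the name matches zero or several groups,
    # so a cloned configuration never silently grants eligibility to the wrong group.
    $escaped = $Principal -replace "'", "''"
    $groups  = @(Get-MgGroup -Filter "displayName eq '$escaped'" `
                             -Property Id, DisplayName, IsAssignableToRole -ErrorAction Stop)
    if ($groups.Count -eq 0) { throw "No group with display name '$Principal' was found." }
    if ($groups.Count -gt 1) { throw "Display name '$Principal' matches $($groups.Count) groups; refusing to pick one." }

    # Only role-assignable groups can hold a directory role eligibility;
    # fail early with a clear message instead of a Graph error later on.
    if (-not $groups[0].IsAssignableToRole) {
        throw "Group '$Principal' is not role-assignable (isAssignableToRole is false)."
    }
    return $groups[0].Id
}

# Usage with a constructed sample name: the returned id is what
# New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest takes as PrincipalId.
$principalId = Resolve-PrincipalId -Principal 'group-name-here' -PrincipalType 'Group'
```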
Description of the issue
It is not currently possible to assign a group using the AADRoleEligibilityScheduleRequest resource. This is because MSFT_AADRoleEligibilityScheduleRequest.psm1 presently only supports retrieving a user principal.
However, PIM supports assignments of Groups as well as users.
New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest also supports the addition of groups via PrincipalId:
but because it's not added to the AADRoleEligibilityScheduleRequest resource, the underlying cmdlet is not able to assign a group.
Microsoft 365 DSC Version
v1.23.927.1
Which workloads are affected
Azure Active Directory
The DSC configuration
Environment Information + PowerShell Version