AADRoleEligibilityScheduleRequest - ENHANCEMENT - DirectoryScopeID requires Object GUID #5415

Closed
pangjaa opened this issue Nov 17, 2024 · 0 comments · Fixed by #5426 or #5435

Comments

@pangjaa

pangjaa commented Nov 17, 2024

Description of the issue

Currently, AADRoleEligibilityScheduleRequest allows PIM role assignments to be scoped to a directory object: DirectoryScopeId = "/<guid>". The method used to define the role scope requires that the object in question is defined prior to assignment. This is not ideal, as it requires the configuration to be applied twice (once for resource provisioning, and a second time for role assignment), and it makes the configuration specific to a tenant.

Recommend modifying DirectoryScopeId to accept an object in addition to a string.

@{
     ScopeType = [STRING] # allowable @('Application', 'Device', 'Group', 'Service Principal', 'User')
     Scope = [LIST] @('AppName','AppName2',...)
}


Microsoft 365 DSC Version

1.24.1113.1

Which workloads are affected

Azure Active Directory (Entra ID)

The DSC configuration

AADRoleEligibilityScheduleRequest 'assignment' {
    DependsOn             = @(
        '[AADRoleDefinition]AADRoleDefinition-CustomeRole'
        '[AADGroup]sg-test'
    )
    Principal             = 'sg-test'
    RoleDefinition        = '[Custom Role]'
    PrincipalType         = 'Group'
    DirectoryScopeId      = "/<guid>"
    # Id
    # AppScopeId
    Action                = 'AdminAssign'
    # IsValidationOnly
    Justification         = 'Assigning permanent eligibility for Entra ID operators team'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    # TicketInfo
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}

Verbose logs showing the problem

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
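As an added example (not the project's code, and not part of the issue above), the following helper shows how the proposed ScopeType/Scope object could be resolved into the "/<guid>" DirectoryScopeId values PIM expects at apply time, so the configuration no longer carries tenant-specific GUIDs. It assumes the Microsoft.Graph PowerShell module and an existing Connect-MgGraph session with Directory.Read.All; the cmdlet mapping and the fail-closed behaviour on missing or ambiguous names are this example's own choices.

```powershell
# Added example, not part of AADRoleEligibilityScheduleRequest.
# Assumes: Microsoft.Graph module installed and a session opened with
#   Connect-MgGraph -Scopes 'Directory.Read.All'
function Resolve-DirectoryScopeId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Application', 'Device', 'Group', 'Service Principal', 'User')]
        [string] $ScopeType,

        [Parameter(Mandatory)]
        [string[]] $Scope
    )

    # Map each allowable ScopeType to the Graph cmdlet that lists that object type.
    $lookup = @{
        'Application'       = 'Get-MgApplication'
        'Device'            = 'Get-MgDevice'
        'Group'             = 'Get-MgGroup'
        'Service Principal' = 'Get-MgServicePrincipal'
        'User'              = 'Get-MgUser'
    }
    $cmdlet = $lookup[$ScopeType]

    foreach ($name in $Scope) {
        # Double any single quote so the display name is safe inside the OData filter.
        $escaped = $name -replace "'", "''"
        $found = @(& $cmdlet -Filter "displayName eq '$escaped'" -ErrorAction Stop)

        # Fail closed: a missing or ambiguous name must never silently widen
        # or drop the scope of a privileged role eligibility.
        if ($found.Count -eq 0) {
            throw "No $ScopeType named '$name' found in the tenant."
        }
        if ($found.Count -gt 1) {
            throw "$($found.Count) objects of type $ScopeType are named '$name'; use a unique name."
        }

        # Emit the value in the form DirectoryScopeId already accepts.
        "/$($found[0].Id)"
    }
}

# Usage: one '/<guid>' string per resolved group name.
Resolve-DirectoryScopeId -ScopeType 'Group' -Scope @('sg-test')
```

Because the lookup runs at apply time, the group only needs to exist before this resource is processed, which the DependsOn entry in the configuration above already guarantees.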