Enhancement: add group assignment to AADRoleEligibilityScheduleRequest #3744

Closed
techthoughts2 opened this issue Oct 3, 2023 · 3 comments · Fixed by #3773 or #3778
Enhancement New feature or request Entra ID

Comments

@techthoughts2

Description of the issue

It is not currently possible to assign a group using the AADRoleEligibilityScheduleRequest resource.

This is because MSFT_AADRoleEligibilityScheduleRequest.psm1 presently only supports retrieving a user principal.

However, PIM supports assignments of Groups as well as users.


New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest also supports the addition of groups via PrincipalId:

Identifier of the principal that has been granted the role eligibility. Can be a user or a role-assignable group. You can grant only active assignments service principals. Supports $filter (eq, ne).

but because it's not added to the AADRoleEligibilityScheduleRequest resource, the underlying cmdlet is not able to assign a group.

Microsoft 365 DSC Version

v1.23.927.1

Which workloads are affected

Azure Active Directory

The DSC configuration

```powershell
AADRoleEligibilityScheduleRequest 'MyRequest' {
    Principal             = 'group-name-here'
    RoleDefinition        = 'Security Administrator'
    DirectoryScopeId      = "/";
    Action                = 'AdminAssign'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}
```


Verbose logs showing the problem

N/A - not currently supported

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2022 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 20348.1.amd64fre.fe_release.210507-1500
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Name                           Value
----                           -----
PSVersion                      5.1.20348.1850
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.1850
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
@NikCharlebois NikCharlebois self-assigned this Oct 4, 2023
@NikCharlebois (Collaborator)

@techthoughts2 we're on it. The challenge is that the API doesn't differentiate between a user or a group. If we were accepting the Principal ID as GUID, this would be a no-brainer, but we need to use the display name in order to support the tenant cloning scenario (where GUIDs would not match). My recommendation would be to add an additional parameter named "PrincipalType" that would default to user. If it is set to 'Group' then we would retrieve the group's principal. Would that solution work for you guys? Thanks
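An added illustration of the design sketched in the comment above (it is not Microsoft365DSC code and not part of this thread): a hypothetical helper that resolves the `Principal` name to a directory object id according to a `PrincipalType` parameter defaulting to `User`, then hands the id to `New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest` as `PrincipalId`. It assumes the Microsoft.Graph.Users, Microsoft.Graph.Groups and Microsoft.Graph.Beta.Identity.Governance modules and an existing `Connect-MgGraph` session; the function names, the `-Justification` parameter and the sample names are invented for the example. Because display names are not unique in Entra ID, the helper treats an ambiguous match as an error rather than picking the first hit, and it checks that a group is role-assignable, which the Graph documentation quoted in the issue requires.

```powershell
# Added example, not Microsoft365DSC code. Function names are hypothetical.
function Resolve-RoleEligibilityPrincipalId {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string] $Principal,

        [ValidateSet('User', 'Group')]
        [string] $PrincipalType = 'User'   # default keeps the current user-only behaviour
    )

    # OData string literals escape an embedded single quote by doubling it.
    $literal = $Principal -replace "'", "''"

    switch ($PrincipalType) {
        'User' {
            # The issue's samples use a UPN for users, so match on userPrincipalName.
            $found = @(Get-MgUser -Filter "userPrincipalName eq '$literal'" -Property Id, UserPrincipalName)
        }
        'Group' {
            # Groups are identified by display name (needed for tenant cloning), so
            # fetch every match and also read isAssignableToRole for the PIM check.
            $found = @(Get-MgGroup -Filter "displayName eq '$literal'" -Property Id, DisplayName, IsAssignableToRole)
        }
    }

    if ($found.Count -eq 0) {
        throw "No $PrincipalType found for '$Principal'."
    }
    if ($found.Count -gt 1) {
        # Fail closed: silently taking the first match could make a different
        # object eligible for the role than the one the configuration intended.
        throw "Multiple $PrincipalType objects match '$Principal': $($found.Id -join ', ')."
    }
    if ($PrincipalType -eq 'Group' -and -not $found[0].IsAssignableToRole) {
        throw "Group '$Principal' is not role-assignable; PIM only accepts role-assignable groups."
    }
    return $found[0].Id
}

function New-RoleEligibilityRequestByName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)] [string] $Principal,
        [ValidateSet('User', 'Group')] [string] $PrincipalType = 'User',
        [Parameter(Mandatory = $true)] [string] $RoleDefinition,
        [string] $DirectoryScopeId = '/',
        [string] $StartDateTime = (Get-Date).ToUniversalTime().ToString('o'),
        [string] $Justification = 'Managed by DSC'   # hypothetical parameter
    )

    $principalId = Resolve-RoleEligibilityPrincipalId -Principal $Principal -PrincipalType $PrincipalType

    # Role definitions are also resolved by display name so the configuration
    # stays portable across tenants (the same reason GUIDs are avoided above).
    $roleLiteral = $RoleDefinition -replace "'", "''"
    $roleDef = @(Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleLiteral'")
    if ($roleDef.Count -ne 1) {
        throw "Expected exactly one role definition named '$RoleDefinition', found $($roleDef.Count)."
    }

    # Request body mirrors the DSC schedule block in the issue (no expiration).
    $body = @{
        principalId      = $principalId
        roleDefinitionId = $roleDef[0].Id
        directoryScopeId = $DirectoryScopeId
        action           = 'adminAssign'
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = $StartDateTime
            expiration    = @{ type = 'noExpiration' }
        }
    }

    if ($PSCmdlet.ShouldProcess("$PrincipalType '$Principal'", "Create eligibility for '$RoleDefinition'")) {
        New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
    }
}

# Sample invocation (constructed names). -WhatIf shows what would be created
# without submitting the request to the tenant.
New-RoleEligibilityRequestByName -Principal 'group-name-here' -PrincipalType 'Group' `
    -RoleDefinition 'Security Administrator' -WhatIf
```

The `-Property` arguments keep the Graph calls to the attributes the decision actually needs, and the `ShouldProcess` wrapper lets an operator dry-run the resolution step (the part most likely to surprise when display names collide) before anything is written to PIM.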

@NikCharlebois NikCharlebois added Bug Something isn't working Entra ID Enhancement New feature or request and removed Bug Something isn't working labels Oct 4, 2023
@techthoughts2 (Author)

Yeah, GUID would simplify things on this topic.

I'm good with the PrincipalType approach.

That would look like this based on your description:

```powershell
#------------------------------------------------------
# I want to assign a group
#------------------------------------------------------
AADRoleEligibilityScheduleRequest 'MyRequest' {
    Principal             = 'group-name-here'
    PrincipalType         = 'Group'
    RoleDefinition        = 'Security Administrator'
    DirectoryScopeId      = "/";
    Action                = 'AdminAssign'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}
#------------------------------------------------------
# I want to assign a User
#------------------------------------------------------
AADRoleEligibilityScheduleRequest 'MyRequest' {
    Principal             = 'user@domain.com'
    PrincipalType         = 'User'
    RoleDefinition        = 'Security Administrator'
    DirectoryScopeId      = "/";
    Action                = 'AdminAssign'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}
#------------------------------------------------------
# I want to assign a User (default behavior)
#------------------------------------------------------
AADRoleEligibilityScheduleRequest 'MyRequest' {
    Principal             = 'user@domain.com'
    RoleDefinition        = 'Security Administrator'
    DirectoryScopeId      = "/";
    Action                = 'AdminAssign'
    IsValidationOnly      = $false
    ScheduleInfo          = MSFT_AADRoleEligibilityScheduleRequestSchedule {
        startDateTime = '2023-09-01T02:40:44Z'
        expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
            type = 'noExpiration'
        }
    }
    Ensure                = 'Present'
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $Thumbprint
}
```

If the above aligns with your thoughts that's pretty straight-forward to me!

@NikCharlebois (Collaborator) commented Oct 5, 2023

Yes, this is exactly what I had in mind. While GUID would make it easier for the scenario where you are trying to monitor an existing tenant for which you already know all the GUIDs, it doesn't make the configuration generic enough for multi-tier environments (dev, qa, prod) or for cloning the config across other horizontal prod instances. Thanks

NikCharlebois added a commit to NikCharlebois/Microsoft365DSC that referenced this issue Oct 10, 2023