I figured out role assignment in a past post, but eligibility is still giving me a little difficulty.

I use the following to assign the built-in Auth Admin role to a group, scoped to an Admin Unit.

```powershell
$params = @{
    Action           = "adminAssign"
    Justification    = "Assign Auth Admin eligibility to group"
    RoleDefinitionId = "c4e39bd9-1100-46d3-8c65-fb160da0071f" # Auth Admin role ID
    DirectoryScopeId = '/administrativeUnits/{0}' -f $AdminUnit
    PrincipalId      = $Id
    ScheduleInfo     = @{
        StartDateTime = Get-Date
        Expiration    = @{
            Type = "noExpiration"
        }
    }
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
```

However, despite adapting my prior code, I keep getting the following error:

```text
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest : The subject is not found.
Status: 404 (NotFound)
ErrorCode: SubjectNotFound
```

I'm not sure exactly what is not found, nor why it's not finding it. Can I request some guidance here?

My prior code was successful:

```powershell
$params = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    # Auth Admin
    roleDefinitionId = "c4e39bd9-1100-46d3-8c65-fb160da0071f"
    principalId      = $Id
    directoryScopeId = '/administrativeUnits/"{0}"' -f $AdminUnit
}

New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
```
Comments:

- Error code suggests it failed to resolve one of the identifiers (e.g. for the role definition, the principal, or the scope). What does `$AdminUnit` contain? If it contains a response from `Get-MgDirectoryAdministrativeUnit` then you probably want to use just the id, e.g.: `'/administrativeUnits/{0}' -f $AdminUnit.Id` (Commented Feb 10 at 17:24)
- That is output pulled from earlier in the script: `$AdminUnit = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq '$AuName'" | Select -Expand Id` (Commented Feb 10 at 17:29)
- Right, so you want `DirectoryScopeId = '/administrativeUnits/{0}' -f $AdminUnit.Id` (Commented Feb 10 at 17:46)
- Make sure you don't have the issue as in your previous question; ensure that `$AdminUnit` and `$Id` are GUIDs instead of an object having an Id property. The rest, the Body for the request, looks fine, so that could be the only issue. (Commented Feb 10 at 17:49)
- Hmmm, ok there are 2 things you can test. First, use `[datetime]::UtcNow` instead of `Get-Date`. And if that fails, test with `Invoke-MgGraphRequest POST 'v1.0/roleManagement/directory/roleEligibilityScheduleRequests' -Body $params`; the API might give a better error response that can help us determine what is wrong. (Commented Feb 10 at 18:25)

1 Answer

I added `Start-Sleep -Seconds 5` between the creation of the group and the provisioning of the role and it works. It appears there is enough latency that the role provisioning really was not finding the group because Entra had not provisioned it yet.

1 Comment

In general with anything related to Microsoft 365 or Azure, you should expect anywhere from 15 minutes to a couple of hours between any action to rely on it being completed.
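A fixed `Start-Sleep` only hides the replication lag described in the answer and the comment above. The following is an added example, not code from the question or the answer: it polls Graph until the new group is actually resolvable before submitting the eligibility request, and retries the request once more on `SubjectNotFound`. It assumes an existing `Connect-MgGraph` session with rights to read groups and write directory role management; the function names `Wait-MgPrincipalVisible` and `New-AuthAdminEligibility` are this example's own.

```powershell
# Added example: poll for the principal instead of guessing a sleep interval.
function Wait-MgPrincipalVisible {
    param(
        [Parameter(Mandatory)][string]$PrincipalId,   # GUID of the group, not an object
        [int]$MaxAttempts = 12,
        [int]$BaseDelaySeconds = 5                   # linear backoff: 5, 10, 15 ... seconds
    )
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        try {
            $null = Get-MgGroup -GroupId $PrincipalId -ErrorAction Stop
            return $true                              # directory can resolve the group now
        } catch {
            Write-Verbose "Attempt $i/$MaxAttempts: group $PrincipalId not visible yet"
            Start-Sleep -Seconds ($BaseDelaySeconds * $i)
        }
    }
    return $false
}

function New-AuthAdminEligibility {
    param(
        [Parameter(Mandatory)][string]$PrincipalId,   # group GUID
        [Parameter(Mandatory)][string]$AdminUnitId    # administrative unit GUID
    )
    if (-not (Wait-MgPrincipalVisible -PrincipalId $PrincipalId)) {
        throw "Group $PrincipalId never became visible; not submitting eligibility request"
    }
    $params = @{
        Action           = "adminAssign"
        Justification    = "Assign Auth Admin eligibility to group"
        RoleDefinitionId = "c4e39bd9-1100-46d3-8c65-fb160da0071f"   # Auth Admin role ID from the question
        DirectoryScopeId = '/administrativeUnits/{0}' -f $AdminUnitId
        PrincipalId      = $PrincipalId
        ScheduleInfo     = @{
            StartDateTime = [datetime]::UtcNow
            Expiration    = @{ Type = "noExpiration" }
        }
    }
    # The request itself may still race replication, so retry only on SubjectNotFound.
    for ($attempt = 1; $attempt -le 3; $attempt++) {
        try {
            return New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params -ErrorAction Stop
        } catch {
            if ($_.Exception.Message -notmatch 'SubjectNotFound' -or $attempt -eq 3) { throw }
            Start-Sleep -Seconds (10 * $attempt)
        }
    }
}
```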
