Tags: azure, azure-active-directory, microsoft-graph-api

Deactivate user assignment to a group with PIM


I activated PIM for an eligible group using the command

New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter

Now, after completing my task, I want to exit the role by deactivating this assignment. From the documentation, I figured I could use the command below, but it is not working and gives me a bad request error.


Stop-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -PrivilegedAccessGroupAssignmentScheduleRequestId



Solution

  • The error occurred because you are using the wrong command to deactivate the user assignment from the PIM group.

    I have one active assignment to a group in PIM under the Groups tab, as below:


    When I ran your command to deactivate the above assignment, I too got the same error, as below:

    Stop-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -PrivilegedAccessGroupAssignmentScheduleRequestId xxxxxx
    

    Response:


    To deactivate a user's active assignment from a PIM group, you need to use the PowerShell commands below with the action set to selfDeactivate, like this:

    # The parameter is -Scopes (plural); -Scope only works as an abbreviation.
    Connect-MgGraph -Scopes "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup"
    
    # Replace userId and groupId with the object ids of the user and the PIM group.
    $params = @{
        accessId = "member"          # "member" or "owner", matching the active assignment
        principalId = "userId"
        groupId = "groupId"
        action = "selfDeactivate"    # ends the caller's own active assignment
    }
    
    # Deactivation is a new schedule request, not a Stop-/cancel of the original activation request.
    New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $params
    

    Response:


    When I checked the same in the Portal, the active user assignment was deactivated successfully from the PIM group, as below:


    Reference: Create assignmentScheduleRequest - Microsoft Graph
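As an added example (not part of the answer above), the same selfDeactivate flow wrapped in a script that first confirms an active assignment instance exists for the signed-in user, submits the deactivation request, and then re-queries to verify the membership is gone. It assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed; the group id is a parameter you supply, and the justification text is a constructed value.

```powershell
# Added example: deactivate the calling user's own active PIM group assignment and verify it.
# Assumes: Microsoft.Graph modules installed; $GroupId supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $GroupId,
    [string] $AccessId = "member"   # or "owner", matching the active assignment
)

# Least privilege: only the group PIM scope plus User.Read to resolve our own object id.
Connect-MgGraph -Scopes "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup", "User.Read"

# Resolve the signed-in user's object id from the account in the Graph context.
$principalId = (Get-MgUser -UserId (Get-MgContext).Account -Property Id).Id

# Check there is actually an active instance to deactivate before sending a request.
$filter = "groupId eq '$GroupId' and principalId eq '$principalId'"
$active = Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance -Filter $filter |
    Where-Object { $_.AccessId -eq $AccessId }
if (-not $active) {
    Write-Warning "No active '$AccessId' assignment for $principalId in group $GroupId; nothing to deactivate."
    return
}

# Deactivation is a new assignmentScheduleRequest with action selfDeactivate,
# not a Stop-/cancel of the original activation request.
$body = @{
    accessId      = $AccessId
    principalId   = $principalId
    groupId       = $GroupId
    action        = "selfDeactivate"
    justification = "Task complete"   # constructed value
}
$req = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $body
"Submitted request $($req.Id) with status: $($req.Status)"

# Verify: the active instance should no longer be returned for this user and group.
$remaining = Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance -Filter $filter |
    Where-Object { $_.AccessId -eq $AccessId }
if ($remaining) {
    Write-Warning "Assignment still active; inspect the request status before assuming access ended."
} else {
    "Deactivated: no active '$AccessId' assignment remains in group $GroupId."
}
```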