microsoft-entra-idazure-rest-apiazure-rbacpim
How to get the condition value for creating an eligible role assignment with excluding roles?
I’m automating Azure eligible role assignments using REST API calls and currently have a setup where Owner eligible role assignment restricts users to assign roles like Reader and Storage Blob Data Contributor only.
PUT https://management.azure.com/providers/Microsoft.Subscription/subscriptions/subId/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/random_guid?api-version=2020-10-01-preview
{
"properties": {
"principalId": "userId",
"roleDefinitionId":
"/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"requestType": "AdminAssign",
"scheduleInfo": {
"startDateTime": "2024-07-31T00:00:00Z",
"expiration": {
"type": "AfterDuration",
"endDateTime": null,
"duration": "P365D"
}
},
"condition":
"((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))
OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7,
ba92f5b4-2d11-453d-a403-e96b0029c9fe})) AND
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'}))
OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7,
ba92f5b4-2d11-453d-a403-e96b0029c9fe}))",
"conditionVersion": "2.0"
}
}
I need to adjust this condition so that users can assign any role except Owner and User Access Administrator roles to avoid role assignments to others. Tried changing its value to exclude role definition ids by negating them, but throwing errors:
{"error": { "code": "InvalidCreateOrUpdateRoleAssignmentRequest", "message": "The given role assignment condition is invalid." } }
Solution
In Portal, you can find below option that allows users to assign all roles except specific roles:
You can click on Configure button and select roles that you want to exclude like this:
In the next screen, you can find condition value for creating an eligible role assignment with excluding roles like this:
You can use this condition value to create eligible role assignments excluding roles with below sample API request:
PUT https://management.azure.com/providers/Microsoft.Subscription/subscriptions/subId/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/random_guid?api-version=2020-10-01-preview
{
"properties": {
"principalId": "userId",
"roleDefinitionId": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"requestType": "AdminAssign",
"scheduleInfo": {
"startDateTime": "2024-07-28T19:29:00.91Z",
"expiration": {
"type": "AfterDuration",
"endDateTime": null,
"duration": "P365D"
}
},
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635, 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9}))",
"conditionVersion": "2.0"
}
}
Response:
To confirm that, I checked the same in Portal where eligible role assignment created successfully with condition as below:
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- How to periodically sync and clean up Keycloak users with Entra ID?
- Use delegated permissions with Client App Registration
- Authorized Client Applications not working with azure-cli
- External Identities - Customize Verification Code mail on signup
- MSGraph Query Not returning group info
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- How can I filter via Get-MgAuditLogDirectoryAudit (through the Microsoft Entra Audit Logs) for a specific IP address?
- Expose api on an app registration using a script
- Entra ID OIDC Failed Auth Attempt Logs
- Get a refresh token of an SPA application using Microsoft Entra(Azure AD)
- How to get the user flow ID from Azure Entra ID?
- How to create an only invitation user flow in Entra External ID
- How to implement user authentication in Blazor Server with Entra External ID?
- Automation Account Script to delete Stale Devices
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- Microsoft Entra ID Oauth2 Client Credentials and Group claims
- Microsoft Azure: How to get the Auth Token after SAML authentication on a enterprise application
- Entra ID - Adding actor claim to the token via client credential flow
- SCIM / Entra ID Provisioning: How to remove user attributes in the target system?
- How to access an API with an Azure identity provider from a Python notebook?
- Active Directory Groups on QuestDB
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- generating common access token for MS graph api and custom api
- How to Listen for MSAL Access Token Expiration
- How can I make a powershell script work in an Azure function with PowerShell 5 and module AzureADPreview?
- Enforce MFA on MS Entra only for specific users
- Calling an ASP.NET Core Web API integrated to EntraId app from another .NET Core console app integrated to EntraId app fails
- Permission based access control using Entra ID with ASP.NET core
- How to assign Entra user User.Read.All and Group.Read.All from Graph Explorer