Skip to content

New command: 'm365 entra pim role assignment eligibility list' - Retrieves a list of roles a user or group is eligible to be assigned. #5783

Closed
Closed
New command: 'm365 entra pim role assignment eligibility list' - Retrieves a list of roles a user or group is eligible to be assigned.#5783
Assignees
MartinM85
Labels
good first issuenew featurework in progress
Milestone
v7.10
@martinlingstuyl

Description

@martinlingstuyl
martinlingstuyl
opened on Jan 16, 2024

Aside from checking the list of active pim roles, an important part of pim is checking what roles you are eligible for.

Usage

m365 entra pim role assignment eligibility list [options]

Description

Retrieves a list of eligible roles a user or group can be assigned to

Options

Option Description
--userId [userId] Id of the user for which to list eligible roles. Specify either userId, userName, groupId or groupName. If not specified, all eligible roles will be listed.
--userName [userName] UPN of the user for which to list eligible roles. Specify either userId, userName, groupId or groupName. If not specified, all eligible roles will be listed.
--groupId [groupId] Id of the group for which to list eligible roles. Specify either userId, userName, groupId or groupName. If not specified, all eligible roles will be listed.
--groupName [groupName] Display name of the group for which to list eligible roles. Specify either userId, userName, groupId or groupName. If not specified, all eligible roles will be listed.
--includePrincipalDetails An optional flag to include details of the principals

Examples

Get a list of eligible roles for any user

m365 entra pim role assignment eligibility list

Get a list of eligible roles for the current user.

m365 entra pim role assignment eligibility list --userId '@meID'

Response

[
        {
            "id": "8MYkhImhnkm70CbBdTyW1BbHHAdHgZdDpbqyEFlRzAs-1-e",
            "principalId": "071cc716-8147-4397-a5ba-b2105951cc0b",
            "roleDefinitionId": "8424c6f0-a189-499e-bbd0-26c1753c96d4",
            "directoryScopeId": "/",
            "appScopeId": null,
            "startDateTime": "2022-04-12T14:44:50.287Z",
            "endDateTime": "2024-04-10T00:00:00Z",
            "memberType": "Direct",
            "roleEligibilityScheduleId": "77f71919-62f3-4d0c-9f88-0a0391b665cd",
            "roleDefinitionName": "Global Administrator"
        }
    ]

The roleDefinitionName property will need to be added to the objects, based on the expanded property roleDefinition.

Default properties

From the response output in text mode we'll show roleDefinitionId and roleDefinitionName and principalId

Additional information

Needs Entra permission scopes "RoleAssignmentSchedule.ReadWrite.Directory" and/or "RoleManagement.Read.Directory" OR "Directory.ReadWrite.All" which we already may have. (I'm using ReadWrite, as we're also writing in other subcommands of pim.)

https://learn.microsoft.com/en-us/graph/api/rbacapplication-list-roleeligibilityscheduleinstances?view=graph-rest-1.0&tabs=http

And maybe use this one for the current user:
https://learn.microsoft.com/en-us/graph/api/unifiedroleeligibilityscheduleinstance-filterbycurrentuser?view=graph-rest-1.0&tabs=http

By default, we need to expand/request the displayName of the role definition when calling the endpoint, using ?$expand=roleDefinition($select=displayName)

Metadata

Metadata

Assignees

Labels

good first issuenew featurework in progress

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions