
I'm trying to automate the activation of my PIM Entra ID role for Azure Tenant with either Azure CLI or PowerShell.

I've followed the answers in Activate PIM role for Azure resources via REST / Powershell? but I suspect the problem here is that my role is a tenant-wide Entra ID role of Global Administrator.

$UserId = az ad signed-in-user show --query id -o tsv
$GlobalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
# JSON body (ConvertTo-Json -Depth 10 below: the default depth of 2 would flatten scheduleInfo.expiration into a string)
@{
    principalId      = $UserId
    roleDefinitionId = $GlobalAdminRoleId
    requestType      = 'selfActivate'
    justification    = "Temporary Global Admin access for deployment purposes"
    principalType    = "User"
    assignmentState  = "Active"
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        expiration    = @{
            type     = "AfterDuration"
            duration = "PT1H"
        }
    }
} | `
    ConvertTo-Json -Compress -Depth 10 | `
    Set-Content -Path "$PSScriptRoot/roleAssignmentBody.json" -Encoding utf8 -Force

# Activate the role
az rest --method POST `
    --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments" `
    --headers "Content-Type=application/json" `
    --body "@$PSScriptRoot/roleAssignmentBody.json"

After running the script I always get Authorization_RequestDenied:

Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2025-10-30T13:34:44","request-id":"ced3a465-4dc8-4974-bc64-f81f3586db46","client-request-id":"ced3a465-4dc8-4974-bc64-f81f3586db46"}}})

But the role is available in Azure Portal and I've verified I can activate it there, so this error can't be due to missing privileges.

1 Answer

Looking at Activate a Microsoft Entra role in PIM, your request is using the incorrect endpoint: you should be using the Create roleAssignmentScheduleRequests API (/roleAssignmentScheduleRequests instead of /roleAssignments) and, in the request body, the property should be action rather than requestType.

Using the Microsoft.Graph.Authentication module, the code below worked well for me; presumably, using the az CLI, the request should be similar and should also work.

Lastly, do note that, in order to call this API in delegated scenarios, you will need one of the permissions noted under Permissions; RoleAssignmentSchedule.ReadWrite.Directory is the least privileged one and is therefore the one used in this example.

# Delegated sign-in with the least-privileged scope this API accepts
Connect-MgGraph -Scopes RoleAssignmentSchedule.ReadWrite.Directory

$invokeMgGraphRequestSplat = @{
    Method = 'POST'
    # PIM activations go to roleAssignmentScheduleRequests, not roleAssignments
    Uri    = 'v1.0/roleManagement/directory/roleAssignmentScheduleRequests'
    Body   = @{
        principalId      = (Invoke-MgGraphRequest GET v1.0/me).id
        roleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'
        action           = 'selfActivate'   # the property is 'action', not 'requestType'
        justification    = 'API test'
        principalType    = 'User'
        assignmentState  = 'Active'
        directoryScopeId = '/'
        scheduleInfo     = @{
            startDateTime = [datetime]::UtcNow.ToString('o')
            expiration    = @{
                type     = 'AfterDuration'
                duration = 'PT1H'
            }
        }
    }
}
Invoke-MgGraphRequest @invokeMgGraphRequestSplat

2 Comments

Got the following error: {"error":{"code":"UnknownError","message":"{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope RoleAssignmentSchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleAssignmentSchedule.Remove.Directory.\",\"instanceAnnotations\":[]}","innerError":{"date":"2025-10-30T16:07:08","request-id":"28852098-65d9-422d-a585-9b2ff8918614","client-request-id":"e197490e-54a0-4163-9165-9eebf19b9e83"}}}
See the update. Your user requires one of the permissions to call this API.
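A fuller version of the answer's approach, as an added example that is not part of the answer or of Microsoft's own code: it first checks that the signed-in user actually holds an eligible assignment for the role (via roleEligibilityScheduleInstances/filterByCurrentUser, from the same Graph API family), submits the corrected roleAssignmentScheduleRequests call with the action property, then re-reads the request until it is Provisioned, which also surfaces the case where the role requires approval. It assumes the Microsoft.Graph.Authentication module and the delegated scope the answer names; the justification text is a placeholder.

```powershell
# Added example (not the answer's or Microsoft's own code). Assumes the
# Microsoft.Graph.Authentication module and the delegated scope from the answer.
Connect-MgGraph -Scopes RoleAssignmentSchedule.ReadWrite.Directory

$roleDefinitionId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator
$me = (Invoke-MgGraphRequest -Method GET -Uri 'v1.0/me').id

# 1. Confirm the signed-in user holds an eligible assignment for this role at
#    tenant scope; without one, selfActivate is rejected, and this check reports
#    that before any request is submitted.
$eligibleUri = "v1.0/roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='principal')"
$eligible = (Invoke-MgGraphRequest -Method GET -Uri $eligibleUri).value
$match = $eligible | Where-Object { $_.roleDefinitionId -eq $roleDefinitionId -and $_.directoryScopeId -eq '/' }
if (-not $match) { throw "No eligible assignment for role $roleDefinitionId at scope '/' for $me" }

# 2. Submit the activation: endpoint roleAssignmentScheduleRequests, property 'action',
#    with a justification and a bounded duration (1 hour) so the elevation expires on its own.
$body = @{
    principalId      = $me
    roleDefinitionId = $roleDefinitionId
    action           = 'selfActivate'
    justification    = 'Deployment change window, ticket <placeholder>'   # placeholder text
    directoryScopeId = '/'
    scheduleInfo     = @{
        startDateTime = [datetime]::UtcNow.ToString('o')
        expiration    = @{ type = 'AfterDuration'; duration = 'PT1H' }
    }
}
$request = Invoke-MgGraphRequest -Method POST `
    -Uri 'v1.0/roleManagement/directory/roleAssignmentScheduleRequests' -Body $body

# 3. Re-read the request a few times: 'Provisioned' means the role is now active;
#    anything else (for example 'PendingApproval' when the role requires an approver)
#    is reported so the script does not silently continue without the role.
$requestUri = "v1.0/roleManagement/directory/roleAssignmentScheduleRequests/$($request.id)"
for ($i = 0; $i -lt 6 -and $request.status -ne 'Provisioned'; $i++) {
    Start-Sleep -Seconds 5
    $request = Invoke-MgGraphRequest -Method GET -Uri $requestUri
}
if ($request.status -ne 'Provisioned') {
    throw "Activation request $($request.id) ended in status '$($request.status)'"
}
Write-Host "Activation request $($request.id) is Provisioned; Global Administrator is active for $me for PT1H"
```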
