BUG | Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest

[pangjaa]

Describe the bug

Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest does not return all schedule

Expected behavior

All Eligible assignments return

How to reproduce

1. Create Role assignable Security group
2. Assign permanent eligibility for Yammer Administrator and Attribute Definition Reader
3. Run code below
4. Output only returns Attribute Definition Reader

import-module Microsoft.Graph.Beta.Identity.Governance
$TenantId = 'cd0036eb-1e0c-4496-bf8f-8eca88154645'
$AppId ="ff3521f3-6043-4ef5-a7da-7ba2f87a66f2" #customRoleCreator
$Thumbprint = Get-ChildItem "cert:\CurrentUser\My" |
            Where-Object {$_.Subject -like "CN=monkey01CustomRoleCreator00*" } | 
                Select-Object -ExpandProperty Thumbprint



Connect-MgGraph -TenantId $TenantId -ClientId $AppId -CertificateThumbprint $Thumbprint # -ContextScope 'Process'
Get-MgContext



$PrincipalInstance = 'e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27' # role assignable group
$RoleDefinitionId = '810a2642-a034-447f-a5e8-41beaa378541' # Yammer Administrator
$DirectoryScopeId = '/' # directory scope
Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)' and DirectoryScopeId eq '/$($DirectoryScopeId)'"

Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)' and RoleDefinitionId eq '$($RoleDefinitionId)' and DirectoryScopeId eq '/$($DirectoryScopeId)'"

Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)'"

PS C:\Users\Administrator\Desktop>
>> Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)'"

ApprovalId CompletedDateTime     CreatedDateTime       CustomData Id                                   Status      Action      AppScopeId DirectoryScopeId IsValidationOnly Justification PrincipalId                          RoleDefinitionId
---------- -----------------     ---------------       ---------- --                                   ------      ------      ---------- ---------------- ---------------- ------------- -----------                          ----------------  
           12/23/2024 7:03:02 PM 12/23/2024 7:03:02 PM            d0ab367c-546e-4d53-a5fa-64aafe9a619a Provisioned AdminUpdate            /                False            test          e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 9b895d92-2cd3-44… 

Diving deeper, I performed graph calls which return the expected role schedule asignments.

$HeaderParams = @{}
$HeaderParams.Add('ConsistencyLevel', "$ConsistencyLevel")
$Uri = "/beta/roleManagement/directory/roleDefinitions"
$Uri = "https://graph.microsoft.com$Uri"

$URI = "https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests?`$filter=PrincipalId eq 'e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27'"
$Method = 'GET'
$OutputType = "PSObject"

$QueryRequest = Invoke-MgGraphRequest -Headers $HeaderParams -Uri $Uri -Method $Method -ContentType "application/json" -OutputType $OutputType


PS C:\Users\Administrator\Desktop> $queryrequest.value | ft

id                                   status      createdDateTime       completedDateTime     approvalId customData action      principalId                          roleDefinitionId                     directoryScopeId
--                                   ------      ---------------       -----------------     ---------- ---------- ------      -----------                          ----------------                     ----------------
ffbe8107-8b0a-4eab-81f6-7c2f8b9ba07b Provisioned 12/23/2024 6:59:01 PM 12/23/2024 6:59:01 PM                       AdminAssign e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3 /
40ccf9b4-e577-4ae4-88ca-0da1c4d2c0cd Provisioned 12/23/2024 6:29:09 PM 12/23/2024 6:29:09 PM                       AdminUpdate e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 810a2642-a034-447f-a5e8-41beaa378541 /
82d7ba49-6852-474d-a370-adedb7b0be88 Provisioned 12/23/2024 6:59:27 PM 12/23/2024 6:59:27 PM                       AdminAssign e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 1d336d2c-4ae8-42ef-9711-b3604ce3fc2c /
1126afa4-8d7e-4711-82fb-46b1b965e2c7 Revoked     12/23/2024 9:19:41 PM                                             AdminRemove e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 810a2642-a034-447f-a5e8-41beaa378541 /
6606bcf2-14ba-4bd6-a35c-fe4d3c4d57a0 Provisioned 12/23/2024 9:23:27 PM 12/23/2024 9:23:27 PM                       AdminAssign e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 810a2642-a034-447f-a5e8-41beaa378541 /

SDK Version

2.24

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

Click to expand log

```

</details>


### Configuration

Name Value

---

PSVersion 7.4.6
PSEdition Core
GitCommitId 7.4.6
OS Microsoft Windows 10.0.20348
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

### Other information

_No response_

[NikCharlebois]

The filter looks incorrect. Try removing the hardcoded '/' and just keep the variable part:

-Filter "PrincipalId eq '$($PrincipalInstance)' and RoleDefinitionId eq '$($RoleDefinitionId)' and DirectoryScopeId eq '$($DirectoryScopeId)'"

Instead of:

-Filter "PrincipalId eq '$($PrincipalInstance)' and RoleDefinitionId eq '$($RoleDefinitionId)' and DirectoryScopeId eq '/$($DirectoryScopeId)'"

[pangjaa]

Yammer Admin is not returned via the powershe cmdlet Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)'"

PS C:\Users\Administrator\Desktop> Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($PrincipalInstance)'" 

ApprovalId CompletedDateTime     CreatedDateTime       CustomData Id                                   Status      Action      AppScopeId DirectoryScopeId IsValidationOnly Justification PrincipalId                          RoleDefinitionId
---------- -----------------     ---------------       ---------- --                                   ------      ------      ---------- ---------------- ---------------- ------------- -----------                          ----------------   
           12/23/2024 7:03:02 PM 12/23/2024 7:03:02 PM            d0ab367c-546e-4d53-a5fa-64aafe9a619a Provisioned AdminUpdate            /                False            test          e2cd15bb-aa73-4e8b-85ae-fcca0ebe1c27 9b895d92-2cd3-44c… 

There are 2 role schedules assigned to the security group. Yammer Admin and Attribute Definition Reader.

[pangjaa]

Another datapoint, role eligibility assigned via api call aren't returned with Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest

$builtinRoles = $AadRoleDefinitions.value | Where-Object {$_.isBuiltIn -eq $True}


New-MgBetaGroup -DisplayName "sg-TestAllPIM" -MailNickName 'sg-TestAllPIM' -IsAssignableToRole:$True -SecurityEnabled:$True -mailEnabled:$False
$principal = "3feac498-eb82-4f38-9bdf-f90fcee036df"
# $roleDefinitionId =  "810a2642-a034-447f-a5e8-41beaa378541" #yammer admin

$Method = 'POST'
$uri = https://graph.microsoft.com/beta/roleManagement/directory/roleEligibilityScheduleRequests

$PostRequestStatus = @()
foreach ($role in $builtinRoles) {
    write-host "Assigining `'$($role.displayName)`' to $principal (sg-TestAllPIM)"
    $Body = @{
        Action = "adminAssign"
        directoryScopeId = "/"
        isValidationOnly = "false"
        justification = "Testing all role assignments"
        principalId = $principal
        roleDefinitionId = $role.id
        scheduleInfo = @{
            startDateTime = "2024-11-04T06:10Z"
            expiration = @{
                type = "noExpiration"
            }
        }
    } | ConvertTo-Json
    
    $QueryRequest = Invoke-MgGraphRequest -Headers $HeaderParams -Uri $Uri -Method $Method -ContentType "application/json" -OutputType $OutputType -Body $Body
    $PostRequestStatus  += $QueryRequest
    start-sleep 0.3
}

Get-MgBetaRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "PrincipalId eq '$($principal)'"