Graph API List RBAC RoleAssignments Members

Time:10-20

I am trying to get the members of the RBAC groups from Endpoint Manager. I am using the Graph API with the following documentation from Microsoft: "Get roleDefinition" and "Get roleAssignment".

I have noticed several forums online stating that the documentation is incorrect. Here is one from GitHub.

I am able to get the RoleAssignments property using the following Uri: https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/$($roleID)?`$expand=*

However, the Members property is always null, even though I can view the members in Endpoint Manager:

PS C:\> $tmpobj

RoleID          : c56d53a2-73d0-4502-b6bd-4a9d3dba28d5
DisplayName     : Endpoint Security Manager
Description     : Manages security and compliance features such as security baselines, device compliance, conditional access, and Microsoft Defender ATP.
RolePermissions : {Microsoft.Intune_MobileApps_Read, Microsoft.Intune_TermsAndConditions_Read, Microsoft.Intune_ManagedApps_Read, Microsoft.Intune_ManagedDevices_Delete…}
AssignmentID    : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx
RoleAssignments : {@{@odata.type=#microsoft.graph.deviceAndAppManagementRoleAssignment; id=yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyy; displayName=MDATP endpoint security managers;
                  description=; resourceScopes=System.Object[]; members=System.Object[]}}


PS C:\> $tmpobj.roleassignments

@odata.type    : #microsoft.graph.deviceAndAppManagementRoleAssignment
id             : yyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyy
displayName    : MDATP endpoint security managers
description    :
resourceScopes : {}
members        : {}


PS C:\> $tmpobj.roleassignments.members
PS C:\>

I am assuming that I will need a separate API call using the ID from the roleAssignments call above (the yyyy id), but given that Microsoft's documentation is outdated I am unsure how to proceed. Below is what happens when I follow the documentation:

Uri: https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/$($roleID)/roleAssignments/$($assignmentID)

Error:

    {
        "error": {
            "code": "No method match route template",
            "message": "No OData route exists that match template ~/singleton/navigation/key/navigation/key with http verb GET for request /StatelessRoleAdministrationFEService/deviceManagement/roleDefinitions('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx')/roleAssignments('xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx').",
            "innerError": {
                "date": "2022-10-18T13:50:48",
                "request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx",
                "client-request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
            }
        }
    }

Has anybody encountered this issue before? To my knowledge you cannot use multiple expand parameters, so I cannot dive any deeper given that the documentation is incorrect. I can also confirm that there are indeed members in the roles, as I can view them in EPM.

CodePudding user response:

There is another endpoint to get a role assignment:

GET /deviceManagement/roleAssignments/{roleAssignmentId}

But I'm not sure whether it will work for the ID from the roleAssignments property of the previous call:

deviceManagement/roleDefinitions/$($roleID)?`$expand=*

Uri:

https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments/$($assignmentID)
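The following PowerShell script is an added example, not code from the question or the answer. It walks the two calls end to end for an RBAC audit: expand the role definition's roleAssignments (the call that already works in the question), then fetch each assignment by its own id from the /deviceManagement/roleAssignments endpoint named in the answer. It assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest), that the id returned in the expanded roleAssignments collection is accepted by that endpoint (the answer leaves this open), and that the assignment's members property holds Azure AD security group ids, which the script resolves to group names with directoryObjects/getByIds. The role id is the one shown in the question; replace it with one from your tenant.

```powershell
# Added example (not the original poster's code). Read-only scopes are enough
# for listing assignments and resolving the member groups.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'Group.Read.All'

# Role definition id taken from the question; placeholder for your own tenant.
$roleID = 'c56d53a2-73d0-4502-b6bd-4a9d3dba28d5'

# 1. Expand the roleAssignments navigation of the role definition.
#    $($roleID)? is used rather than $roleID? because PowerShell would otherwise
#    read "roleID?" as the variable name; `$expand keeps the OData parameter literal.
$def = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/$($roleID)?`$expand=roleAssignments"

foreach ($ra in $def.roleAssignments) {
    # 2. Fetch the assignment directly by its id (the endpoint from the answer,
    #    assumed to accept the id from the expanded collection).
    $assignment = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments/$($ra.id)"

    # 3. members is a collection of directory object ids (security groups),
    #    not user objects, so resolve them to display names in one batch call.
    $groupIds = @($assignment.members)
    $groups = @()
    if ($groupIds.Count -gt 0) {
        $resolved = Invoke-MgGraphRequest -Method POST `
            -Uri 'https://graph.microsoft.com/v1.0/directoryObjects/getByIds' `
            -Body @{ ids = $groupIds; types = @('group') }
        $groups = @($resolved.value)
    }

    # One row per assignment: who (groups) holds which role over which scopes.
    [pscustomobject]@{
        RoleDisplayName       = $def.displayName
        AssignmentId          = $assignment.id
        AssignmentDisplayName = $assignment.displayName
        ResourceScopes        = (@($assignment.resourceScopes) -join ', ')
        MemberGroupIds        = ($groupIds -join ', ')
        MemberGroupNames      = (($groups | ForEach-Object { $_.displayName }) -join ', ')
    }
}
```

The output is one object per assignment, which pipes cleanly into Export-Csv for a periodic review of who holds Intune RBAC roles. To go one level further and list the individual users, query GET /groups/{id}/members for each group id in MemberGroupIds; a role assignment with an empty members collection on this endpoint as well is worth comparing against the Endpoint Manager portal, since the portal does show members in the question's case.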