Bonjour !
I want to use Update-MgPrivilegedAccessResourceRoleSetting cmdlet, from the Microsoft.Graph PowerShell module, in my Azure portal.
I want to update some settings of my PIM role (for example MfaRule or ExpirationRule)
But I obtain this error :
{"message":"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v2/governanceResources('********-****-****-****-************')/roleSettings('********-****-****-****-************')?'."}
What is this URL ??
In the debug log (I can't copy/paste the .jpg here), I have :
DEBUG: [CmdletBeginProcessing]: - Update-MgPrivilegedAccessResourceRoleSetting begin processing with parameterSet 'UpdateExpanded'.
DEBUG: [Authentication]: - AuthType: 'Delegated', AuthProviderType: 'InteractiveAuthenticationProvider', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph PowerShell'.
DEBUG: [Authentication]: - Scopes: [Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, Directory.Read.All, Domain.Read.All, Group.Read.All, openid, Policy.Read.All, Policy.Read.ConditionalAccess, Policy.ReadWrite.ConditionalAccess, PrivilegedAccess.Read.AzureAD, PrivilegedAccess.Read.AzureADGroup, PrivilegedAccess.Read.AzureResources, PrivilegedAccess.ReadWrite.AzureResources, profile, RoleAssignmentSchedule.Read.Directory, RoleEligibilitySchedule.Read.Directory, RoleEligibilitySchedule.ReadWrite.Directory, RoleManagement.Read.All, RoleManagement.Read.Directory, RoleManagement.ReadWrite.Directory, User.Read, User.ReadWrite.All, email].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PATCH
Absolute Uri:
https://graph.microsoft.com/beta/privilegedAccess/azureResources/resources/********-****-****-****-************/roleSettings/********-****-****-****-************
Headers:
FeatureFlag : 00000047
Cache-Control : no-store, no-cache
SdkVersion : graph-powershell/1.18.0,Graph-dotnet-1.25.1
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.22621; fr-CA),PowerShell/7.3.1
Accept-Encoding : gzip
Body:
{}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
NotFound
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 5fb90750-367b-4976-8913-659c5b5863ba
client-request-id : 5fb90750-367b-4976-8913-659c5b5863ba
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Canada East","Slice":"E","Ring":"2","ScaleUnit":"002","RoleInstance":"QB1PEPF00001038"}}
Date : Fri, 16 Dec 2022 21:00:48 GMT
Body:
{
"error": {
"code": "UnknownError",
"message": "{\"message\":\"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v2/governanceResources('********-****-****-****-************')/roleSettings('********-****-****-****-************')?'.\"}",
"innerError": {
"date": "2022-12-16T21:00:48",
"request-id": "5fb90750-367b-4976-8913-659c5b5863ba",
"client-request-id": "5fb90750-367b-4976-8913-659c5b5863ba"
}
}
}
Update-MgPrivilegedAccessResourceRoleSetting_UpdateExpanded:
Line |
20 | … Update-MgPrivilegedAccessResourceRoleSetting -PrivilegedA …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| {"message":"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v2/governanceResources('********-****-****-****-************')/roleSettings('********-****-****-****-************')?'."}
DEBUG: [CmdletEndProcessing]: - Update-MgPrivilegedAccessResourceRoleSetting end processing.
The first Id is always the rigth resource id, and the second the rolesettings id
My exact command is :
Update-MgPrivilegedAccessResourceRoleSetting -PrivilegedAccessId azureResources -GovernanceResourceId $RoleSetting.ResourceId -GovernanceRoleSettingId $RoleSetting.Id
And I'm sure to have the right Ids for ResourceId and RoleSettingsId.
Maybe I forgot something ?
That works with AzureAD module, but I don't want to use it anymore :
Set-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Id $RoleSetting.Id -ResourceId $RoleSetting.ResourceId -RoleDefinitionId $RoleSetting.RoleDefinitionId -UserMemberSettings $setting
Is there someone to help me ?
Microsoft documentation page is not very complete !
Thanks, a lot
CodePudding user response:
Install Governance module to run Graph Powershell Cmd.
Module Name:
Import-Module Microsoft.Graph.Identity.Goverance
Follow the MS Doc here: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.governance/update-mgprivilegedaccessrolesetting?view=graph-powershell-beta
CodePudding user response:
FYI, I had my response (here).
I have to use this cmdlet : Update-MgPrivilegedAccessRoleSetting
This one is not functionnal : Update-MgPrivilegedAccessResourceRoleSetting
So, just use :
$setting = @{
UserMemberSettings = @(
@{
RuleIdentifier = "MfaRule"
Setting = '{"mfaRequired":true}'
}
)
}
Update-MgPrivilegedAccessRoleSetting -PrivilegedAccessId "azureResources" -GovernanceRoleSettingId $RoleSetting.Id -BodyParameter $setting