Objective
Using the microsoft.graph PowerShell module (v1.0), add a security group as an eligible assignment to the Azure AD Global Reader role. I can successfully add a group as a permanent assignment.
Successful code (permanent assignment)
$params = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    PrincipalId      = $PrincipalId      # object ID of the security group
    RoleDefinitionId = $role.Id          # Global Reader role definition
    DirectoryScopeId = "/"               # tenant-wide scope
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
What I can validate
Get-MgRoleManagementDirectoryRoleAssignment - gets permanent assignments
New-MgRoleManagementDirectoryRoleAssignment - creates permanent assignments
Get-MgRoleManagementDirectoryRoleEligibilitySchedule - gets eligible assignments
My assumption
New-MgRoleManagementDirectoryRoleAssignmentSchedule - creates eligible assignments?
I think I have this wrong.
Failing code (eligible assignment):
$params = @{
    "@odata.type"    = "#microsoft.graph.UnifiedRoleAssignmentSchedule"
    PrincipalId      = $azGroup.Id       # object ID of the security group
    RoleDefinitionId = $role.Id          # Global Reader role definition
    DirectoryScopeId = "/"               # tenant-wide scope
    ScheduleInfo     = @{
        "@odata.type" = "#microsoft.graph.RequestSchedule"
        StartDateTime = Get-Date
    }
}
New-MgRoleManagementDirectoryRoleAssignmentSchedule -BodyParameter $params
Error
"message":"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v3/roleManagement/directory/roleAssignmentSchedules?'."
Thoughts
Based on the documentation, only Get-MgRoleManagementDirectoryRoleAssignment creates an assignment; the New-MgRoleManagementDirectoryRoleAssignmentSchedule cmdlet creates a navigation property.
CodePudding user response:
I tried to reproduce the same in my environment and got the results below:
I have one security group named Srigroup01 with the Object ID below:
I ran the same code as you and successfully added a permanent assignment, as below:
$params = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    PrincipalId      = "Group ID"                               # object ID of the security group
    RoleDefinitionId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"   # Global Reader role ID
    DirectoryScopeId = "/"                                      # tenant-wide scope
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params
Response:
To confirm that, I ran the command below, which lists active directory role assignments:
Get-MgRoleManagementDirectoryRoleAssignment
Response:
When I checked the same in the Portal, the role was activated successfully, as below:
Now I ran your eligible assignment code and got the same error, as below:
$params = @{
    "@odata.type"    = "#microsoft.graph.UnifiedRoleAssignmentSchedule"
    PrincipalId      = "Group ID"                               # object ID of the security group
    RoleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role ID
    DirectoryScopeId = "/"                                      # tenant-wide scope
    ScheduleInfo     = @{
        "@odata.type" = "#microsoft.graph.RequestSchedule"
        StartDateTime = Get-Date
    }
}
New-MgRoleManagementDirectoryRoleAssignmentSchedule -BodyParameter $params
Response:
To create eligible role assignments, you can make use of the commands below:
Import-Module Microsoft.Graph.DeviceManagement.Enrolment

# Eligibility is created by submitting a role eligibility schedule *request*.
$params = @{
    Action           = "adminAssign"
    Justification    = "Assign Global Admin eligibility to group"
    RoleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"   # Global admin role ID
    DirectoryScopeId = "/"                                      # tenant-wide scope
    PrincipalId      = "Group ID"                               # object ID of the security group
    ScheduleInfo     = @{
        StartDateTime = Get-Date
        Expiration    = @{
            Type        = "afterDateTime"
            EndDateTime = [System.DateTime]::Parse("2024-04-10T00:00:00Z")
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
Response:
When I checked the same in the Portal, the eligible role assignment was created for the group successfully, as below:
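A complete version of the answer's approach for the Global Reader role the question asked about, added here as an example and not part of the answer: it resolves the group and role definition by display name instead of hard-coding IDs, submits the eligibility schedule request, then verifies the result with the Get cmdlet the question already validated. It assumes the Microsoft.Graph module is installed, the group is role-assignable, the caller may manage PIM, and the 90-day expiration and scopes are placeholder choices.

```powershell
# Added example: eligible (PIM) assignment of a group to Global Reader via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed, the group is role-assignable, and the caller may manage PIM.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All"

$groupName = "Srigroup01"     # group name from the answer; replace with your own
$roleName  = "Global Reader"

# Resolve the principal and the role definition by display name rather than hard-coding IDs.
$azGroup = Get-MgGroup -Filter "displayName eq '$groupName'"
$role    = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $azGroup -or -not $role) { throw "Group or role definition not found." }

# Eligibility is created through a schedule *request*, not by writing the schedule object directly.
$params = @{
    Action           = "adminAssign"
    Justification    = "Eligible Global Reader for $groupName"
    PrincipalId      = $azGroup.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                 # tenant-wide scope
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = "afterDuration"     # bounded eligibility; PIM role settings cap the maximum
            Duration = "P90D"              # ISO 8601 duration (assumed value)
        }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
"Request $($request.Id) status: $($request.Status)"

# Verify with the cmdlet the question already validated for reading eligible assignments.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($azGroup.Id)'" |
    Where-Object RoleDefinitionId -eq $role.Id |
    Select-Object Id, PrincipalId, RoleDefinitionId, DirectoryScopeId, Status
```

If the request is rejected because of the expiration, check the role's PIM settings: permanent eligibility and the maximum eligibility duration are both governed there.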