
I've got an app registration in Azure with the required permission - Directory.AccessAsUser.All (delegated) and that registration has Security Reader over all of my subscriptions.

When I GET https://graph.microsoft.com/beta/privilegedRoles/{id}/assignments with my access token (bearer auth), I get the following response:

{
  error: {
    code: 'UnknownError',
    message: '',
    innerError: {
      'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
      date: '2020-03-13T11:53:41'
    }
  }
}

The {id} in this case is the ID of the permission I want to check the assignments of.

I'm using this as a reference: https://learn.microsoft.com/en-us/graph/api/privilegedrole-list-assignments?view=graph-rest-beta&tabs=http

hjfitz

1 Answer


This is a beta version API; the current endpoints for AAD roles have been disabled for your tenant for migration purposes, see this link.

When customers have the updated version rolled out to their Azure AD organization, the existing graph API will stop working. You must transition to use the Graph API for Azure resource roles. To manage Azure AD roles using that API, swap /azureResources with /aadroles in the signature and use the Directory ID for the resourceId.

So you need to use this API currently: swap /azureResources with /aadroles, and test it in the Graph Explorer.

GET https://graph.microsoft.com/beta/privilegedAccess/aadRoles/resources/<tenant-id>/roleAssignments?$filter=RoleDefinitionId+eq+'RoleDefinitionId'


Joy Wang
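An added example (not code from the question, the answer, or Microsoft) that puts the answer's endpoint into a small audit helper: it builds the privilegedAccess/aadRoles URL with the tenant ID as resourceId and a $filter on roleDefinitionId, pages through @odata.nextLink, and turns a Graph error body like the UnknownError in the question into an exception that carries the request-id. The token, tenant ID, role definition ID and the sample pages are placeholders constructed for the example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

GRAPH_BETA = "https://graph.microsoft.com/beta"

def build_role_assignments_url(tenant_id, role_definition_id):
    """URL from the answer: privilegedAccess/aadRoles, tenant ID as resourceId, one role filtered."""
    query = urllib.parse.urlencode({"$filter": f"roleDefinitionId eq '{role_definition_id}'"})
    return f"{GRAPH_BETA}/privilegedAccess/aadRoles/resources/{tenant_id}/roleAssignments?{query}"

def http_get_json(url, token):
    """GET with bearer auth; on an HTTP error return the JSON error body so the caller can report it."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        return json.loads(exc.read().decode() or "{}")

def list_role_assignments(token, tenant_id, role_definition_id, fetch=http_get_json):
    """Follow @odata.nextLink until every assignment is collected. A Graph error body (such as the
    UnknownError with an empty message in the question) is raised with its request-id for support."""
    url, assignments = build_role_assignments_url(tenant_id, role_definition_id), []
    while url:
        body = fetch(url, token)
        if "error" in body:
            err = body["error"]
            rid = err.get("innerError", {}).get("request-id")
            raise RuntimeError(f"Graph {err.get('code')}: {err.get('message') or '<empty>'} (request-id {rid})")
        assignments.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return assignments

def count_by_state(assignments):
    """Active vs Eligible counts: the split an auditor of a privileged role wants to see first."""
    return dict(Counter(a.get("assignmentState", "Unknown") for a in assignments))

# Constructed sample pages (not real Graph output) so the paging logic can be exercised offline.
SAMPLE_PAGES = {
    "page1": {"value": [{"subjectId": "u1", "assignmentState": "Active"},
                        {"subjectId": "u2", "assignmentState": "Eligible"}], "@odata.nextLink": "page2"},
    "page2": {"value": [{"subjectId": "u3", "assignmentState": "Eligible"}]},
}

def fake_fetch(url, token):
    """Offline stand-in for http_get_json: the built URL maps to page1, nextLinks to later pages."""
    return SAMPLE_PAGES["page1"] if url.startswith(GRAPH_BETA) else SAMPLE_PAGES[url]
```

Against a real tenant, call list_role_assignments with a valid bearer token and the default fetch; with fetch=fake_fetch it runs entirely offline on the constructed pages.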