I am working with the Az and the Graph PowerShell modules, getting information about role assignments in Entra ID and Azure Resource Manager. I found that there are two commands each that I can use to query information about which user has which eligible role assignments.
For Entra ID:
Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule
Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance
For Azure Resource Manager:
Get-AzRoleEligibilitySchedule
Get-AzRoleEligibilityScheduleInstance
So what is the difference between a schedule and a schedule instance? Which one represents the role assignment I see in the Azure Portal (UI)? Is one deprecated and preferred over the other?
The portal shows you role eligibility schedule instances.
If you create a role eligibility schedule with a start time in the future:
PUT https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{{$randomUUID}}?api-version=2020-10-01
{
  "properties": {
    "principalId": "721e3492-6665-4731-8884-e161fb727951",
    "requestType": "AdminAssign",
    "roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "scheduleInfo": {
      "expiration": {
        "type": "AfterDuration",
        "duration": "P180d"
      },
      "startDateTime": "2023-12-04T11:15:00Z"
    }
  }
}
...and then check the portal, it's empty.
If you query role eligibility schedules, you see the Granted schedule:
GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01
{
  "value": [
    {
      "properties": {
        "roleEligibilityScheduleRequestId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/25213440-0863-436d-abde-c37c7b05001a",
        "scope": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
        "roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
        "principalId": "721e3492-6665-4731-8884-e161fb727951",
        "principalType": "Group",
        "status": "Granted",
        "startDateTime": "2023-12-04T11:15:00Z",
        "endDateTime": "2024-12-03T11:15:00Z",
        "memberType": "Direct",
        "createdOn": "2023-12-04T11:02:12.167Z",
        "updatedOn": "2023-12-04T11:02:12.167Z",
        "expandedProperties": {
          "principal": {
            "id": "721e3492-6665-4731-8884-e161fb727951",
            "displayName": "CSG-RBAC-Test",
            "type": "Group"
          },
          "roleDefinition": {
            "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            "displayName": "Contributor",
            "type": "BuiltInRole"
          },
          "scope": {
            "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
            "displayName": "sub-sbx-sbx",
            "type": "subscription"
          }
        }
      },
      "name": "25213440-0863-436d-abde-c37c7b05001a",
      "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a",
      "type": "Microsoft.Authorization/roleEligibilitySchedules"
    }
  ]
}
...but if you query role eligibility schedule instances (again before the start time), the response is empty:
GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01
{
  "value": []
}
Checking the portal again after the start time (plus a few mins for something to happen behind the scenes in PIM), you see the role eligibility schedule instance:
Same in the role eligibility schedule instances API:
GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01
{
  "value": [
    {
      "properties": {
        "roleEligibilityScheduleId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a",
        "scope": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
        "roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
        "principalId": "721e3492-6665-4731-8884-e161fb727951",
        "principalType": "Group",
        "status": "Provisioned",
        "startDateTime": "2023-12-04T11:15:16.823Z",
        "endDateTime": "2024-12-03T11:15:16.773Z",
        "memberType": "Direct",
        "createdOn": "2023-12-04T11:15:16.823Z",
        "expandedProperties": {
          "principal": {
            "id": "721e3492-6665-4731-8884-e161fb727951",
            "displayName": "CSG-RBAC-Test",
            "type": "Group"
          },
          "roleDefinition": {
            "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            "displayName": "Contributor",
            "type": "BuiltInRole"
          },
          "scope": {
            "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
            "displayName": "sub-sbx-sbx",
            "type": "subscription"
          }
        }
      },
      "name": "da93a041-529e-45ac-a095-ee314398ca5d",
      "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilityScheduleInstances/da93a041-529e-45ac-a095-ee314398ca5d",
      "type": "Microsoft.Authorization/roleEligibilityScheduleInstances"
    }
  ]
}
I'm unaware of any way to see future-dated schedules in the portal.
Interestingly, if you go back to the role eligibility schedules after the start time passes, the status, startDateTime, createdOn and updatedOn fields have all been touched:
GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01
{
  "value": [
    {
      "properties": {
        "roleEligibilityScheduleRequestId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/25213440-0863-436d-abde-c37c7b05001a",
        "scope": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
        "roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
        "principalId": "721e3492-6665-4731-8884-e161fb727951",
        "principalType": "Group",
        "status": "Provisioned",
        "startDateTime": "2023-12-04T11:15:16.823Z",
        "endDateTime": "2024-12-03T11:15:16.773Z",
        "memberType": "Direct",
        "createdOn": "2023-12-04T11:15:16.823Z",
        "updatedOn": "2023-12-04T11:15:16.823Z",
        "expandedProperties": {
          "principal": {
            "id": "721e3492-6665-4731-8884-e161fb727951",
            "displayName": "CSG-RBAC-Test",
            "type": "Group"
          },
          "roleDefinition": {
            "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
            "displayName": "Contributor",
            "type": "BuiltInRole"
          },
          "scope": {
            "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
            "displayName": "sub-sbx-sbx",
            "type": "subscription"
          }
        }
      },
      "name": "25213440-0863-436d-abde-c37c7b05001a",
      "id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a",
      "type": "Microsoft.Authorization/roleEligibilitySchedules"
    }
  ]
}
The only words I've ever found to describe the difference are here: https://learn.microsoft.com/en-us/rest/api/authorization/privileged-role-eligibility-rest-sample#list-eligible-assignments
HTH
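The practical consequence of the answer above is that an audit of "who is eligible for what" based only on the portal, or only on schedule instances, misses future-dated eligibility. The following is an added example, not part of the answer, that joins the two ARM responses on roleEligibilityScheduleId and classifies each schedule; the sample data is constructed from the responses quoted above and the "now" timestamp is supplied by the caller.

```python
from datetime import datetime, timezone

# Constructed sample data, trimmed from the responses quoted in the answer above.
SUB = "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2"
SCHEDULE_ID = SUB + "/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a"
SCHEDULES = {"value": [{"id": SCHEDULE_ID, "properties": {
    "principalId": "721e3492-6665-4731-8884-e161fb727951", "status": "Granted",
    "roleDefinitionId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
    "startDateTime": "2023-12-04T11:15:00Z", "endDateTime": "2024-12-03T11:15:00Z"}}]}
INSTANCES_BEFORE_START = {"value": []}  # what the instances API returned before the start time
INSTANCES_AFTER_START = {"value": [{     # what it returned once PIM had materialised the schedule
    "id": SUB + "/providers/Microsoft.Authorization/roleEligibilityScheduleInstances/da93a041-529e-45ac-a095-ee314398ca5d",
    "properties": {"roleEligibilityScheduleId": SCHEDULE_ID, "status": "Provisioned",
                   "startDateTime": "2023-12-04T11:15:16.823Z", "endDateTime": "2024-12-03T11:15:16.773Z"}}]}

def parse_ts(value):
    """Parse ARM timestamps ('...Z', optional fractional seconds) into aware UTC datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def reconcile(schedules, instances, now_iso):
    """Join schedules to their instances and classify each schedule.

    active     : an instance exists, this is what the portal shows
    pending    : Granted with a future start, no instance yet, invisible in the portal
    expired    : end date has passed and no instance remains
    unrealised : start has passed but PIM has not (yet) produced an instance
    """
    now = parse_ts(now_iso)
    by_schedule = {}
    for inst in instances["value"]:
        key = inst["properties"]["roleEligibilityScheduleId"].lower()  # ARM ids are case-insensitive
        by_schedule.setdefault(key, []).append(inst["id"])
    report = []
    for sched in schedules["value"]:
        props = sched["properties"]
        matched = by_schedule.get(sched["id"].lower(), [])
        start, end = parse_ts(props["startDateTime"]), parse_ts(props["endDateTime"])
        if matched:
            state = "active"
        elif start > now:
            state = "pending"
        elif end < now:
            state = "expired"
        else:
            state = "unrealised"
        report.append({"schedule": sched["id"], "principalId": props["principalId"],
                       "roleDefinitionId": props["roleDefinitionId"], "status": props["status"],
                       "state": state, "instances": matched})
    return report

def pending_eligibilities(schedules, instances, now_iso):
    """Eligibility an auditor will not see in the portal yet: granted but future-dated."""
    return [r for r in reconcile(schedules, instances, now_iso) if r["state"] == "pending"]
```

The same join works for the Entra ID side, where roleEligibilityScheduleInstances from Graph likewise carry a roleEligibilityScheduleId pointing at their parent schedule.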