What is a Eligible Schedule Instance in Privileged Identity Management?
I am working with the Az and the Graph Powershell Module, getting information about role assignments in Entra ID and Azure Resource Manager. I found that there is two commands each I can use to query information about what user has which eligible role assignments.
For Entra ID:
Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule
Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleInstance
For Azure Resource Manager:
Get-AzRoleEligibilitySchedule
Get-AzRoleEligibilityScheduleInstance
So what is the difference between a schedule and a schedule instance? Which one represents the role assignment I see in the Azure Portal (UI)? Is one deprecated and preferred over the other?
Solution
The portal shows you role eligibility schedule instances.
If you create a role eligibility schedule with a start time in the future:
PUT https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{{$randomUUID}}?api-version=2020-10-01
{
"properties": {
"principalId": "721e3492-6665-4731-8884-e161fb727951",
"requestType": "AdminAssign",
"roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"scheduleInfo": {
"expiration": {
"type": "AfterDuration",
"duration": "P180d"
},
"startDateTime": "2023-12-04T11:15:00Z"
}
}
}
..and then check portal, it's empty.
If you query role eligibility schedules, you see the Granted schedule:
GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01
{
"value": [
{
"properties": {
"roleEligibilityScheduleRequestId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/25213440-0863-436d-abde-c37c7b05001a",
"scope": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
"roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "721e3492-6665-4731-8884-e161fb727951",
"principalType": "Group",
"status": "Granted",
"startDateTime": "2023-12-04T11:15:00Z",
"endDateTime": "2024-12-03T11:15:00Z",
"memberType": "Direct",
"createdOn": "2023-12-04T11:02:12.167Z",
"updatedOn": "2023-12-04T11:02:12.167Z",
"expandedProperties": {
"principal": {
"id": "721e3492-6665-4731-8884-e161fb727951",
"displayName": "CSG-RBAC-Test",
"type": "Group"
},
"roleDefinition": {
"id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"displayName": "Contributor",
"type": "BuiltInRole"
},
"scope": {
"id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
"displayName": "sub-sbx-sbx",
"type": "subscription"
}
}
},
"name": "25213440-0863-436d-abde-c37c7b05001a",
"id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a",
"type": "Microsoft.Authorization/roleEligibilitySchedules"
}
]
}
..but if you query role eligibility schedule instances (again before the start time), the response is empty:
GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01
{
"value": []
}
Checking portal again after the start time (plus a few mins for something to happen behind the scenes in PIM) you see the role eligibility schedule instance:
Same in the role eligibility schedule instances API:
GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01
{
"value": [
{
"properties": {
"roleEligibilityScheduleId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a",
"scope": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
"roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "721e3492-6665-4731-8884-e161fb727951",
"principalType": "Group",
"status": "Provisioned",
"startDateTime": "2023-12-04T11:15:16.823Z",
"endDateTime": "2024-12-03T11:15:16.773Z",
"memberType": "Direct",
"createdOn": "2023-12-04T11:15:16.823Z",
"expandedProperties": {
"principal": {
"id": "721e3492-6665-4731-8884-e161fb727951",
"displayName": "CSG-RBAC-Test",
"type": "Group"
},
"roleDefinition": {
"id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"displayName": "Contributor",
"type": "BuiltInRole"
},
"scope": {
"id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
"displayName": "sub-sbx-sbx",
"type": "subscription"
}
}
},
"name": "da93a041-529e-45ac-a095-ee314398ca5d",
"id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilityScheduleInstances/da93a041-529e-45ac-a095-ee314398ca5d",
"type": "Microsoft.Authorization/roleEligibilityScheduleInstances"
}
]
}
I'm unaware of any way to see future-dated schedules in the portal.
Interestingly, if you go back to the role eligibility schedules after the start time passes, the status, startDateTime, createdOn and updatedOn fields have all been touched:
GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01
{
"value": [
{
"properties": {
"roleEligibilityScheduleRequestId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/25213440-0863-436d-abde-c37c7b05001a",
"scope": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
"roleDefinitionId": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"principalId": "721e3492-6665-4731-8884-e161fb727951",
"principalType": "Group",
"status": "Provisioned",
"startDateTime": "2023-12-04T11:15:16.823Z",
"endDateTime": "2024-12-03T11:15:16.773Z",
"memberType": "Direct",
"createdOn": "2023-12-04T11:15:16.823Z",
"updatedOn": "2023-12-04T11:15:16.823Z",
"expandedProperties": {
"principal": {
"id": "721e3492-6665-4731-8884-e161fb727951",
"displayName": "CSG-RBAC-Test",
"type": "Group"
},
"roleDefinition": {
"id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"displayName": "Contributor",
"type": "BuiltInRole"
},
"scope": {
"id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2",
"displayName": "sub-sbx-sbx",
"type": "subscription"
}
}
},
"name": "25213440-0863-436d-abde-c37c7b05001a",
"id": "/subscriptions/9033657c-5138-4300-a892-4b6dead220c2/providers/Microsoft.Authorization/roleEligibilitySchedules/25213440-0863-436d-abde-c37c7b05001a",
"type": "Microsoft.Authorization/roleEligibilitySchedules"
}
]
}
Only words I've ever found to describe the difference are here: https://learn.microsoft.com/en-us/rest/api/authorization/privileged-role-eligibility-rest-sample#list-eligible-assignments
HTH
- ADF Out of memory exception
- Azure DevOps pipeline is throwing a "##[error]Project file(s) matching the specified pattern were not found". when publishing my app?
- Microsoft Entra ID: Receiving Old Token Version Despite Setting accessTokenAcceptedVersion to 2
- Rule Syntax for Azure user.memberof
- (unknown) Precondition failed when trying to create MS Graph Subscription
- Azure Function App Service Bus Trigger: Process 1 message at a time
- Azure HTTP Trigger - How to extract query parameter value from input binding- cosmosDB
- Python app deployment to Azure web app from pipeline not including requirement packages
- Force Azure Function using Service Bus Queues to only process one mesage at a time
- Azure Web Role with Transient Fault Handling Block exception: The path is too long after being fully qualified
- Azure Bicep - How to create diagnostic settings for NetworkInterface of private endpoint
- Is there a way to get static ip address for Azure Data Factory
- azure key vault - lag on secret changes
- How to create connection to create - queue item - HTTP Trigger - local - Azurite - Azure Queue Storage
- Getting error "404 The specified blob does not exist" when downlading blob using Uri
- How scopes are added to token in Azure Entra ID?
- Why does my Azure Cosmos DB SQL API Container Refuse Multiple Items With Same Partition Key Value?
- Postgres on Azure kubernetes volume permission error
- Azure: Subscribing to an external MQTT Broker
- azure.storage.blob._shared.authentication.AzureSigningError: Incorrect padding - Argo workflow
- Bash variable in JMESPath query expression
- Azure Devops pipeline failing due to AZ.Accounts Module update by MSFT
- Is it possible to use email name other than "DoNotReply" in Azure Email Communication Services?
- AADSTS65001: The user or administrator has not consented to use the application with ID '<application ID>
- Access Package Endpoint doesn't seem to be working
- install docker bash script doesn't work when used as Custom Data for Azure VM
- Docker image is not updating on Azure container registry via gitlab
- Terraform - How to find Azure Kubernetes AKS vnet ID for network peering
- Using Azure DataLakeServiceClient to download a file got forbidden response after few minutes success
- Verify that Bicep can return values from Azure Key vault