I want to use PowerShell to make an Azure role (Network Contributor) eligible in PIM under a specific scope (the tenant root group, actually).
I can assign normal Entra roles (Global Admin) as eligible using New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest.
But what is the equivalent for Azure roles?
I have tried New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest and New-AzRoleAssignment (but could not get either to work).
Initially, I created a security group, TestPIMRole, and added two members to it.
To assign an eligible role assignment of Network Contributor, use the PowerShell script below:

```powershell
# Unique name for the eligibility schedule request (any new GUID)
$guid = "<guid>"
# Start the eligibility now, in ISO 8601 format
$startTime = Get-Date -Format o
# Scope of the eligible assignment (a subscription in this example)
$scope = "/subscriptions/<subscription_id>/"

# Network Contributor built-in role definition ID: 4d97b98b-1d4f-4787-a291-c67834d212e7
New-AzRoleEligibilityScheduleRequest `
    -Name $guid `
    -Scope $scope `
    -ExpirationDuration P365D `
    -ExpirationType AfterDuration `
    -PrincipalId <Object_id of Group> `
    -RequestType AdminAssign `
    -RoleDefinitionId /subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7 `
    -ScheduleInfoStartDateTime $startTime
```
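Since the question asks for the tenant root management group rather than a subscription, here is an added, more general version of the same procedure (example code written for this page, not the answer's own script). It resolves the scope, the group and the role definition by name instead of hard-coding IDs, skips the request if an identical eligibility already exists, and verifies the result with Get-AzRoleEligibilitySchedule. It assumes the Az.Accounts and Az.Resources modules are installed, Connect-AzAccount has already been run, and the caller is allowed to write role eligibility schedule requests at that scope; the group name TestPIMRole and role name Network Contributor are taken from the thread above.

```powershell
# Added example, not part of the original answer.
# Makes the built-in Network Contributor role PIM-eligible for a security group,
# scoped to the tenant root management group (whose ID equals the tenant ID).
# Assumes: Az.Accounts + Az.Resources installed, Connect-AzAccount already run,
# and permission to write roleEligibilityScheduleRequests at the chosen scope.

param(
    [string]$GroupDisplayName = "TestPIMRole",           # group name from the answer above
    [string]$RoleName         = "Network Contributor",
    [string]$Duration         = "P365D",                 # ISO 8601 duration, as in the answer
    [string]$Justification    = "Eligible network access via PIM"
)

$ErrorActionPreference = "Stop"

# 1. Scope: the tenant root management group has the same ID as the tenant.
$tenantId = (Get-AzContext).Tenant.Id
$scope    = "/providers/Microsoft.Management/managementGroups/$tenantId"

# 2. Resolve the principal (the security group) instead of pasting an object ID.
$group = @(Get-AzADGroup -DisplayName $GroupDisplayName)
if ($group.Count -eq 0) { throw "Group '$GroupDisplayName' not found" }
if ($group.Count -gt 1) { throw "Several groups are named '$GroupDisplayName'; resolve by object ID instead" }
$group = $group[0]

# 3. Resolve the role definition by name; the cmdlet needs a full ARM resource ID, not the bare GUID.
$roleDef = Get-AzRoleDefinition -Name $RoleName
if (-not $roleDef) { throw "Role definition '$RoleName' not found" }
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# 4. Idempotency check: do not create a duplicate if this group is already eligible for this role here.
#    The service may return RoleDefinitionId with or without the scope prefix, so match on the trailing GUID.
$existing = Get-AzRoleEligibilitySchedule -Scope $scope |
    Where-Object { $_.PrincipalId -eq $group.Id -and $_.RoleDefinitionId -like "*/$($roleDef.Id)" }
if ($existing) {
    Write-Host "Eligibility already present: $($existing.Name)"
    return $existing
}

# 5. Create the eligibility request. AdminAssign means an administrator grants eligibility;
#    members still have to activate the role themselves before they hold it.
$request = New-AzRoleEligibilityScheduleRequest `
    -Name ([guid]::NewGuid().ToString()) `
    -Scope $scope `
    -PrincipalId $group.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration `
    -ExpirationDuration $Duration `
    -Justification $Justification

Write-Host "Request $($request.Name) status: $($request.Status)"

# 6. Verify what PIM now reports as eligible for this group at this scope.
Get-AzRoleEligibilitySchedule -Scope $scope |
    Where-Object { $_.PrincipalId -eq $group.Id } |
    Select-Object PrincipalId, RoleDefinitionId, StartDateTime, EndDateTime, Status
```

To target a subscription instead, set $scope to "/subscriptions/<subscription_id>" and leave the rest unchanged; the role definition ID is built from whatever $scope holds. Keeping an expiry (AfterDuration) rather than a permanent eligibility, and checking step 6 after the request, are the two things worth not skipping: the first bounds how long the grant lives, the second confirms the request actually landed at the scope you intended.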