Tags: microsoft-entra-id, azure-rest-api, azure-rbac, pim

REST API for Eligible role assignment with conditions for Azure resources


I'm working on automating eligible role assignments with conditions for Azure resources via REST calls. Specifically, I want to add a condition when assigning the Owner role so that the user can assign only roles like Reader and Storage Blob Contributor.

In the Azure portal this is possible by adding conditions under "Role assignment conditions" for the Owner role, but I want to automate it via the REST API. Could someone please confirm whether it's possible to define such conditions using the API?


Solution

  • Initially, I generated a bearer token for a service principal that has "Owner" access on the subscription, via Postman, like this:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    grant_type: client_credentials
    client_id: <appID>
    client_secret: <secret>
    scope: https://management.azure.com/.default
    

    Response: [screenshot of the token response]

    To create an "Owner" eligible role assignment with a condition that allows the user to assign only roles like Reader and Storage Blob Data Contributor, use the sample API call below:

    PUT https://management.azure.com/providers/Microsoft.Subscription/subscriptions/subId/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/random_guid?api-version=2020-10-01-preview
    
    {
      "properties": {
        "principalId": "userId",
        "roleDefinitionId": "/subscriptions/subId/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "requestType": "AdminAssign",
        "scheduleInfo": {
          "startDateTime": "2024-07-28T19:29:00.91Z",
          "expiration": {
            "type": "AfterDuration",
            "endDateTime": null,
            "duration": "P365D"
          }
        },
        "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {acdd72a7-3385-48ef-bd42-f606fba81ae7, ba92f5b4-2d11-453d-a403-e96b0029c9fe}))",
        "conditionVersion": "2.0"
      }
    }
    

    Response: [screenshot of the PUT response]

    When I checked the same in the Portal, the eligible role assignment had been created successfully with the condition as below:

    [screenshot of the eligible assignment in the Portal]

    To confirm that, I clicked the View/Edit option under Condition, which shows the Reader and Storage Blob Data Contributor roles:

    [screenshot of the condition editor listing Reader and Storage Blob Data Contributor]
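As an added example (not code from the question or the answer above), the following Python script automates the same two steps end to end: it builds the ABAC condition for an arbitrary list of allowed role definition GUIDs instead of hard-coding two, assembles the `roleEligibilityScheduleRequests` body, fetches the client-credentials token and issues the PUT. The role GUIDs are the ones used in the answer; the helper names, the placeholder tenant/subscription/principal values in the `__main__` block, the `/subscriptions/{id}` scope form and the `2020-10-01` API version are assumptions made for this example. Only the standard library is used, so it runs offline except for the two functions that actually call Azure.

```python
"""Create a PIM eligible Owner assignment whose ABAC condition limits which
roles the eligible principal may later assign or remove (added example)."""
import json
import re
import uuid
from datetime import datetime, timezone
from urllib import parse, request

# Built-in role definition GUIDs (same values as in the answer above).
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"

_GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def build_condition(allowed_role_ids):
    """Return a version-2.0 condition string restricting
    Microsoft.Authorization/roleAssignments/write and /delete to the given
    role definition GUIDs. Every other action granted by Owner is unaffected.
    """
    ids = [r.strip().lower() for r in allowed_role_ids]
    if not ids:
        raise ValueError("at least one allowed role definition id is required")
    for r in ids:
        if not _GUID.match(r):
            raise ValueError(f"not a role definition GUID: {r!r}")
    guid_set = "{" + ", ".join(ids) + "}"
    clauses = []
    # On write the role being assigned is in the request (@Request); on delete the
    # existing assignment is the resource being acted on (@Resource).
    for action, attr in (("write", "@Request"), ("delete", "@Resource")):
        clauses.append(
            f"((!(ActionMatches{{'Microsoft.Authorization/roleAssignments/{action}'}})) "
            f"OR ({attr}[Microsoft.Authorization/roleAssignments:RoleDefinitionId] "
            f"ForAnyOfAnyValues:GuidEquals {guid_set}))"
        )
    return " AND ".join(clauses)


def utc_now_iso():
    """Current UTC time in the millisecond 'Z' form used by the ARM API."""
    now = datetime.now(timezone.utc)
    return now.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def build_request_body(principal_id, subscription_id, allowed_role_ids,
                       role_definition_id=OWNER, duration="P365D", start_iso=None):
    """Assemble the AdminAssign eligibility request body with the condition."""
    return {
        "properties": {
            "principalId": principal_id,
            "roleDefinitionId": (f"/subscriptions/{subscription_id}/providers/"
                                 f"Microsoft.Authorization/roleDefinitions/{role_definition_id}"),
            "requestType": "AdminAssign",
            "scheduleInfo": {
                "startDateTime": start_iso or utc_now_iso(),
                "expiration": {"type": "AfterDuration", "endDateTime": None,
                               "duration": duration},
            },
            "condition": build_condition(allowed_role_ids),
            "conditionVersion": "2.0",
        }
    }


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for ARM (the same request as the Postman call)."""
    data = parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://management.azure.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with request.urlopen(request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def submit_eligibility_request(token, subscription_id, body, request_name=None):
    """PUT the request at subscription scope; the name is a fresh random GUID."""
    request_name = request_name or str(uuid.uuid4())
    url = (f"https://management.azure.com/subscriptions/{subscription_id}/providers/"
           f"Microsoft.Authorization/roleEligibilityScheduleRequests/{request_name}"
           "?api-version=2020-10-01")
    req = request.Request(url, data=json.dumps(body).encode(), method="PUT",
                          headers={"Authorization": f"Bearer {token}",
                                   "Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values (assumptions for this example); replace before running.
    SUB, PRINCIPAL = "<subscriptionId>", "<principalObjectId>"
    body = build_request_body(PRINCIPAL, SUB, [READER, STORAGE_BLOB_DATA_CONTRIBUTOR])
    print(json.dumps(body, indent=2))
    tok = get_token("<tenantId>", "<appId>", "<secret>")
    print(submit_eligibility_request(tok, SUB, body)["properties"]["status"])
```

Two points worth keeping in mind when reusing this: the condition constrains only the two actions it names (`roleAssignments/write` and `roleAssignments/delete`), so everything else Owner grants is still available to the eligible principal once they activate; and `build_condition` rejects anything that is not a GUID, which prevents a typo from silently producing a condition that matches no role and therefore blocks all assignments (or, worse, an unbalanced expression that fails validation only at PUT time).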