Tags: powershell, azure-active-directory, microsoft-entra-id

Error with Azure PIM API subscription setup: "The subject is not found"


According to the documentation here, it is possible to call Azure APIs to configure PIM for Azure resources. I am trying to set this up at the subscription level, i.e. Contributor for a subscription.

I have the script as follows.

Connect-AzAccount

# Variables
$subscriptionId = "xxxxx" # Your subscription ID
$principalId = "xxxx"   # User or group object ID
$roleDefinitionId = "b24988ac-6180-42a0-ab88-20f7382dd24c" # Contributor Role
$apiVersion = "2020-10-01-preview"
$requestId = (New-Guid).Guid # Unique ID for the roleEligibilityScheduleRequest

# Get current access token for Azure Resource Manager
$token = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token

# Construct the request body
$body = @{
    properties = @{
        principalId = $principalId
        roleDefinitionId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleDefinitions/$roleDefinitionId"
        requestType = "AdminAssign"
        scheduleInfo = @{
            startDateTime = (Get-Date).ToString("o") # ISO 8601 format
            expiration = @{
                type = "AfterDuration"
                endDateTime = $null
                duration = "P365D"
            }
        }
    }
} | ConvertTo-Json -Depth 5

# API URL
$url = "https://management.azure.com/providers/Microsoft.Subscription/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/$($subscriptionId)?api-version=$apiVersion"

# Headers
$headers = @{
    "Authorization" = "Bearer $token"
    "Content-Type"  = "application/json"
}

# Make the PUT request
$response = Invoke-RestMethod -Method Put -Uri $url -Headers $headers -Body $body

# Output response
$response

I get the error below.

Invoke-RestMethod : {"error":{"code":"SubjectNotFound","message":"The subject is not found."}}
At line:1 char:13
+ $response = Invoke-RestMethod -Method Put -Uri $url -Headers $headers ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Solution

  • Your subject, i.e. the PrincipalId, cannot be found. Make sure you are using the correct ID. In my scripts I use the following:

    $principalId = Get-AzADUser -mail $userEmail | Select-Object -ExpandProperty Id
    

    Also, you are defining a requestId, but it seems you are not using it.

    You have:

    $url = "https://management.azure.com/providers/Microsoft.Subscription/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/$($subscriptionId)?api-version=$apiVersion"
    

    This works for me:

    $url = "https://management.azure.com/subscriptions/$($subscriptionId)/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/$($requestId)?api-version=2020-10-01-preview"
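The two fixes from the answer (resolve the principal before calling ARM, and use a fresh GUID as the request resource name under a subscription-scope URL) put together as one script. This is an added example, not code from the question or the answer; it assumes Az.Accounts and Az.Resources are installed, Connect-AzAccount has already run with an identity allowed to manage PIM on the subscription, and PowerShell 7 (for ConvertFrom-SecureString -AsPlainText). The function names, the justification text, the placeholder subscription ID and e-mail, and the read of properties.status from the ARM response are all this example's own assumptions.

```powershell
# Added example (not from the original question or answer).
# Assumes: Az.Accounts + Az.Resources installed, Connect-AzAccount already run,
# PowerShell 7 (ConvertFrom-SecureString -AsPlainText).
$ErrorActionPreference = 'Stop'
$apiVersion = '2020-10-01-preview'

function Get-ArmBearerToken {
    # Older Az versions return .Token as a plain string, newer ones as a SecureString.
    $raw = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
    if ($raw -is [System.Security.SecureString]) {
        return ConvertFrom-SecureString -SecureString $raw -AsPlainText
    }
    return $raw
}

function Resolve-PimSubject {
    # Look the user up first so a typo fails here with a readable message,
    # instead of ARM answering SubjectNotFound after the request is built.
    param([Parameter(Mandatory)][string]$Mail)
    $user = Get-AzADUser -Mail $Mail
    if (-not $user) { throw "No Entra user found with mail '$Mail'." }
    return $user.Id
}

function New-PimEligibleAssignment {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$PrincipalId,
        [string]$RoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c', # built-in Contributor
        [string]$Duration = 'P365D'
    )
    $scope = "/subscriptions/$SubscriptionId"
    # The request needs its own GUID as the resource name; the subscription ID is the scope, not the name.
    $requestId = [guid]::NewGuid().ToString()

    $body = @{
        properties = @{
            principalId      = $PrincipalId
            roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$RoleDefinitionId"
            requestType      = 'AdminAssign'          # creates an *eligible* (not active) assignment
            justification    = 'Eligible Contributor created by script'  # recorded in the PIM audit log
            scheduleInfo     = @{
                startDateTime = (Get-Date).ToUniversalTime().ToString('o')
                expiration    = @{ type = 'AfterDuration'; duration = $Duration }
            }
        }
    } | ConvertTo-Json -Depth 6

    # Scope, then provider path, then the request GUID. $(...) keeps "?" out of the variable name.
    $url = "https://management.azure.com$scope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/$($requestId)?api-version=$apiVersion"
    $headers = @{
        Authorization  = "Bearer $(Get-ArmBearerToken)"
        'Content-Type' = 'application/json'
    }
    return Invoke-RestMethod -Method Put -Uri $url -Headers $headers -Body $body
}

function Get-PimEligibleSchedules {
    # Read back what PIM now holds for the principal at the subscription scope.
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$PrincipalId
    )
    $url = "https://management.azure.com/subscriptions/$($SubscriptionId)/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=$apiVersion"
    $headers = @{ Authorization = "Bearer $(Get-ArmBearerToken)" }
    $list = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
    # Filtered client-side so no server-side $filter syntax is assumed.
    return $list.value | Where-Object { $_.properties.principalId -eq $PrincipalId }
}

# Usage (placeholder values; replace with your own)
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$principalId    = Resolve-PimSubject -Mail 'user@example.com'
$request        = New-PimEligibleAssignment -SubscriptionId $subscriptionId -PrincipalId $principalId
"Request $($request.name): $($request.properties.status)"
Get-PimEligibleSchedules -SubscriptionId $subscriptionId -PrincipalId $principalId |
    ForEach-Object { "{0} eligible until {1}" -f $_.properties.roleDefinitionId, $_.properties.endDateTime }
```

The read-back at the end is the check worth keeping: a PUT that returns 200 only tells you the request was accepted, while listing roleEligibilitySchedules confirms the eligibility that PIM actually holds for that principal, and a status such as PendingApproval in the response means an approver still has to act before the assignment exists.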