### Describe the bug
I am trying to submit a new group activation request using MgGraph. The group has the setting "On activation, require: Authentication context: PIM Activation" configured.
I have used Get-MsalToken to acquire an access token which includes the `acrs` claim `c1`. If I decode the token using https://jwt.ms/ I can see `acrs = c1` in the token, and the auth log shows that the login triggered the CA policy with the auth context.
However, when I attempt to use New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance to elevate, I get the error: `RoleAssignmentRequestAcrsValidationFailed`
### Expected behavior
The cmdlet succeeds.
### How to reproduce
```powershell
$graph = "https://graph.microsoft.com"
$scopes = @(
    "$graph/PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
    "$graph/PrivilegedEligibilitySchedule.Read.AzureADGroup",
    "$graph/RoleManagementPolicy.Read.AzureADGroup"
)
$tenantId = "TENANT_ID"
$appId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"   # Microsoft Graph Command Line Tools (the SDK's public client)
$connectionDetails = @{
    'TenantId'             = $tenantId
    'ClientId'             = $appId
    'Interactive'          = $true
    'Scopes'               = $scopes
    # URL-encoded claims request: {"access_token":{"acrs":{"essential":true,"value":"c1"}}}
    'ExtraQueryParameters' = @{ 'claims' = '%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22c1%22%7D%7D%7D' }
}
Clear-MsalTokenCache
$token = Get-MsalToken @connectionDetails
# Hand the MSAL-issued token (with the acrs claim) to the Graph SDK instead of letting Connect-MgGraph sign in itself
Connect-MgGraph -NoWelcome -AccessToken ($token.AccessToken | ConvertTo-SecureString -AsPlainText)
$myAccount = Get-MgUser -UserId (Get-MgContext).Account
$requestParams = @{
    accessId     = "member"
    principalId  = $myAccount.Id
    groupId      = "GROUP_ID"
    action       = "selfActivate"
    scheduleInfo = @{
        startDateTime = (Get-Date)
        expiration    = @{
            type     = "afterDuration"
            duration = "PT1H"
        }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $requestParams
```
### SDK Version
2.19.0
### Latest version known to work for scenario above?
_No response_
### Known Workarounds
_No response_
### Debug output
<details><summary>Click to expand log</summary>

```
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Windows NT 10.0; Microsoft Windows 10.0.17763; en-AU),PowerShell/2024.2.2
Accept-Encoding : gzip
SdkVersion : graph-powershell/2.19.0
client-request-id : 9d2707d8-b797-439a-a30e-d94c7e16a61b
Body:
{
  "action": "selfActivate",
  "scheduleInfo": {
    "expiration": {
      "duration": "PT5M",
      "type": "afterDuration"
    }
  },
  "accessId": "member",
  "groupId": "GROUP_ID",
  "principalId": "PRINCIPAL_ID"
}
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
BadRequest
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : ef737aa5-0d1d-43ad-bc4f-844e05171c08
client-request-id : 9d2707d8-b797-439a-a30e-d94c7e16a61b
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Australia East","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"SY2PEPF00006466"}}
Date : Wed, 19 Jun 2024 06:48:51 GMT
Body:
{
  "error": {
    "code": "RoleAssignmentRequestAcrsValidationFailed",
    "message": "&claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%20%22value%22%3A%22c1%22%7D%7D%7D",
    "innerError": {
      "date": "2024-06-19T06:48:51",
      "request-id": "ef737aa5-0d1d-43ad-bc4f-844e05171c08",
      "client-request-id": "9d2707d8-b797-439a-a30e-d94c7e16a61b"
    }
  }
}
```

</details>
### Configuration
| Name | Value |
| ---- | ----- |
| PSVersion | 7.4.2 |
| PSEdition | Core |
| GitCommitId | 7.4.2 |
| OS | Microsoft Windows 10.0.17763 |
| Platform | Win32NT |
| PSCompatibleVersions | {1.0, 2.0, 3.0, 4.0…} |
| PSRemotingProtocolVersion | 2.3 |
| SerializationVersion | 1.1.0.1 |
| WSManStackVersion | 3.0 |
### Other information
_No response_
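As an added example (not part of this issue or of the Graph SDK), a client-side check to run on the token from `Get-MsalToken` before `Connect-MgGraph`: it decodes the JWT payload and confirms the `aud` and `acrs` claims, builds the claims-request JSON in unencoded form so the hand-encoded value in the repro can be compared with it, and decodes the claims challenge echoed in the error body of the debug log. Function names are hypothetical, the sample token is constructed and unsigned, and PowerShell 7 is assumed.

```powershell
# Added example, not from the issue or the Graph SDK; function names are hypothetical.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWS: header.payload.signature' }
    # JWT segments are base64url without padding; turn the payload back into standard base64
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}
function Test-GraphTokenAuthContext {
    # $true when the token is for Graph and carries the required acrs value; otherwise warns and returns $false
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$RequiredAcr = 'c1',
        [string]$ExpectedAudience = 'https://graph.microsoft.com'
    )
    $payload  = ConvertFrom-JwtPayload -Token $Token
    $problems = @()
    # Graph tokens carry either the resource URI or Graph's well-known app id as aud
    if ($payload.aud -ne $ExpectedAudience -and $payload.aud -ne '00000003-0000-0000-c000-000000000000') {
        $problems += "aud is '$($payload.aud)'; this token is not for Microsoft Graph"
    }
    if (-not ($payload.PSObject.Properties.Name -contains 'acrs')) {
        $problems += 'no acrs claim: the authentication-context CA policy was not satisfied by this sign-in'
    } elseif (@($payload.acrs) -notcontains $RequiredAcr) {
        $problems += "acrs is [$(@($payload.acrs) -join ',')], required '$RequiredAcr'"
    }
    foreach ($p in $problems) { Write-Warning $p }
    return ($problems.Count -eq 0)
}
function New-AcrsClaimsRequest {
    # Unencoded claims-request JSON for one authentication context id; [Uri]::EscapeDataString of it gives the repro's value
    param([Parameter(Mandatory)][string]$AcrId)
    [ordered]@{ access_token = [ordered]@{ acrs = [ordered]@{ essential = $true; value = $AcrId } } } |
        ConvertTo-Json -Compress -Depth 5
}
# Constructed, unsigned sample token standing in for $token.AccessToken from Get-MsalToken
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$hdr    = ConvertTo-Base64Url ([System.Text.Encoding]::UTF8.GetBytes('{"alg":"none","typ":"JWT"}'))
$body   = ConvertTo-Base64Url ([System.Text.Encoding]::UTF8.GetBytes('{"aud":"https://graph.microsoft.com","acrs":["c1"]}'))
$sample = $hdr + '.' + $body + '.placeholder-signature'
Test-GraphTokenAuthContext -Token $sample -RequiredAcr 'c1'
[Uri]::EscapeDataString((New-AcrsClaimsRequest -AcrId 'c1'))
# The error body echoes the challenge URL-encoded; decode it to compare with the claims value that was sent
[Uri]::UnescapeDataString(('&claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%20%22value%22%3A%22c1%22%7D%7D%7D' -replace '^&claims=', ''))
```

Against a real token, pass `$token.AccessToken` to `Test-GraphTokenAuthContext` and only call `Connect-MgGraph` when it returns `$true`, so a missing `acrs` claim is surfaced locally rather than as the 400 in the log.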