Could we have an extra parameter "-d" or "--debug" to enable debug for any sub-commands when facing issues?

My initial guess is that this resource requires a limited window of activation (default is 480 min, i.e. 8 hours). Could you retry with the parameter --duration <MINUTES>, e.g. --duration 30, and see if that helps?

From the help message:

  -d, --duration int           Duration in minutes that the role should be activated for (default 480)

Edit:

Based on Common errors returned by Azure Privileged Identity Management API, it seems that the error code XX is indeed due to a limitation in the maximum duration for a given role activation:

The ScheduleInfo specified in the request exceeds the maximum allowed duration

Try lowering the duration (e.g. --duration 30), and it should be resolved.

Could we have an extra parameter "-d" or "--debug" to enable debug for any sub-commands when facing issues?

I'm working on an improved logging solution with this goal in mind. Stay tuned!

Try lowering the duration (e.g. --duration 30), and it should be resolved.

Thanks, it works after add -d 30.

And I test with -d 480, it shows the error The following policy rules failed: [\"ExpirationRule\"]" again.

After manually check in Azure Console, I found the reason is, in our company, the max Duration is 6 hours ( 360 mins) , maybe that's the reason , it is failed with 480

Another problem with role

When I run the command without -r , it only activates the first role.

Is this the design?

If I need activate the rest, I have to run as command

az-pim-cli activate role -n "Azure Subscrioption 1" -r "Application Administrator" -d 60

But got a new issue The following policy rules failed: [\"TicketingRule\"]"

2024/10/23 22:38:01 Activating role 'Application Administrator' for Entra role 'Azure Subscrioption 1' with reason 'config' (ticket:  [])
2024/10/23 22:38:15 The upstream API responded with status 400 Bad Request: {"error":{"code":"RoleAssignmentRequestPolicyValidationFailed","message":"The following policy rules failed: [\"TicketingRule\"]"}}

Update

for below roles:

	 - Groups Administrator
	 - User Administrator
	 - Application Administrator
	 - Security Reader

I am fine to activate the rest 3, except role of Application Administrator with error The following policy rules failed: [\"TicketingRule\"]"

I have fixed the issue by add -T

az-pim-cli activate role -n "Azure Subscrioption 1" -r "Application Administrator" -T "ticket" -d 30

Could we have an extra parameter "-d" or "--debug" to enable debug for any sub-commands when facing issues?

Hi @ozbillwang ,

I have now implemented a --debug flag to ease the process of troubleshooting (as part of #68). It is included in release v1.4.0

Could we have an extra parameter "-d" or "--debug" to enable debug for any sub-commands when facing issues?

Hi @ozbillwang ,

I have now implemented a --debug flag to ease the process of troubleshooting (as part of #68). It is included in release v1.4.0

Thanks, with --debug I got more information now.