Remove-MgRoleManagementDirectoryRoleEligibilitySchedule for Azure MS Graph SDK

VincentM
April 23, 2024
127 views
0 votes
2 Answers

I want to remove an EntraID (AzureAD) role for a user, me.
I try to use Remove-MgRoleManagementDirectoryRoleEligibilitySchedule command.

I get the UnifiedRoleEligibilityScheduleId with :

$SearchId = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$($me.Id)'"

I can verify me ID with :

Get-MgRoleManagementDirectoryRoleEligibilitySchedule -UnifiedRoleEligibilityScheduleId $SearchId.Id

But when I use

Remove-MgRoleManagementDirectoryRoleEligibilitySchedule -UnifiedRoleEligibilityScheduleId $SearchId.Id

I have this error :

DEBUG
DEBUG: [Authentication]: - Scopes: [...,RoleManagement.ReadWrite.Directory,...]
...
HTTP Method:
DELETE
Absolute Uri:
https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilitySchedules/$SearchId.Id
...
"message": "{"message":"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v3/roleManagement/directory/roleEligibilitySchedules('$SearchId.Id')?'."}"

Is the command Remove-MgRoleManagementDirectoryRoleEligibilitySchedule really functionnal ?
Thanks !

Tags: azure charts

Answers

Chosen as BEST ANSWER
- VincentM
- April 23, 2024 at 7:58 pm
- 0 votes
0
Aaaaaaaaaah I didn't check this part of the doc ! New-something to remove something, it is not intuitive :)

Thanks a lot Sridevi !

(Edit)

- Sridevi
- April 23, 2024 at 6:30 pm
- 0 votes
0
I have one Entra ID (Azure AD) eligibility role "Application Administrator" assigned to me:

When I ran the same commands to remove the above eligibility assignment, I too got same error like this:
```
$SearchId = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq 'userId'"
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -UnifiedRoleEligibilityScheduleId $SearchId.Id
Remove-MgRoleManagementDirectoryRoleEligibilitySchedule -UnifiedRoleEligibilityScheduleId $SearchId.Id
```
Response:

Note that, Microsoft Graph PowerShell SDK calls MS Graph API queries in the backend while executing the code. You can confirm that by adding -Debug at the end of command like this:
```
Remove-MgRoleManagementDirectoryRoleEligibilitySchedule -UnifiedRoleEligibilityScheduleId $SearchId.Id -Debug
```
Response:

The DELETE API call that the command running in the backend does not exist currently which throws error "404 Not Found".

Alternatively, make use of below PowerShell script to remove the eligibility role like this:
```
Import-Module Microsoft.Graph.Identity.Governance

$params = @{
    action = "adminRemove"
    roleDefinitionId = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" #Application admin role ID
    directoryScopeId = "/"
    principalId = "userId"
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
```
Response:

When I checked the same in Portal, eligibility role removed successfully as below:

Reference:
Create roleEligibilityScheduleRequest – Microsoft Graph
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.