Quick blog post today, showing how to batch-create privileged access groups for the Privileged Identity Management (PIM) feature in Azure AD. The PIM registration endpoint used below (privilegedAccess/aadGroups/resources/register on the beta endpoint) is not currently documented in the Microsoft Graph documentation.
First thing you need to do is get yourself an access token for Microsoft Graph. Follow my guide for this. The script uses a hardcoded variable for the token, and uses the same token for both the group creation and the PIM registration calls.
# Get your access token somehow, not in scope for this example
$accesstoken = "eyJ0eXAiOiJKVGtHUniJSUzI1NiIs--- snip ---wFzrJUYkOm37KY27WJvQ"

# Groups to create. The display name is also used as mailNickname, so keep to
# characters that are valid there (no spaces or special characters).
$groups = "test12345","test123468","test9577","test304934089"

# No need to edit below this line

# Build header value
$headers = @{Authorization = "Bearer $accesstoken"}

$groups | Foreach {
    # Escape single quotes so the OData filter stays well-formed
    $name = $_ -replace "'", "''"

    # Check if group already created
    $matching = Invoke-RestMethod "https://graph.microsoft.com/beta/groups?`$filter=displayName eq '$name'" -Headers $headers
    $id = $null

    # Create if no group was found
    if(!$matching.value) {
        Write-Verbose "Creating group: $($_)" -Verbose
        # isAssignableToRole cannot be changed after creation, and creating a
        # role-assignable group requires RoleManagement.ReadWrite.Directory
        $body = @{
            displayName        = $_
            isAssignableToRole = $true
            mailEnabled        = $false
            mailNickname       = $_
            securityEnabled    = $true
        } | ConvertTo-Json
        $creation = Invoke-RestMethod "https://graph.microsoft.com/beta/groups" -Headers $headers -Method Post -Body $body -ContentType "application/json"
        Write-Verbose "Group '$($_)' created with object id $($creation.id)" -Verbose
        $id = $creation.id
    } else {
        # Display names are not unique; if several groups match, the first one is used
        Write-Verbose "Group '$($_)' already created" -Verbose
        $id = $matching.value[0].id
    }

    # Check for PIM registration of group (externalId is the group's object id)
    $pimmatching = Invoke-RestMethod "https://graph.microsoft.com/beta/privilegedAccess/aadGroups/resources?`$filter=externalId eq '$id'" -Headers $headers

    # Register group in PIM, if not already registered
    if(!$pimmatching.value) {
        Write-Verbose "Registering group $($_) ($id) in PIM" -Verbose
        $body = @{
            externalId = $id
        } | ConvertTo-Json
        $registration = Invoke-RestMethod "https://graph.microsoft.com/beta/privilegedAccess/aadGroups/resources/register" -Headers $headers -Method Post -Body $body -ContentType "application/json"
    } else {
        Write-Verbose "Group $($_) already registered in PIM" -Verbose
    }
}
Hello,
Your code is working fine as long as I get the token from Graph Explorer; other options seem to end with a 401, although the account permissions look like this 🙂
Directory.AccessAsUser.All
PrivilegedAccess.ReadWrite.AzureADGroup
PrivilegedAccess.ReadWrite.AzureAD
Directory.ReadWrite.All
Directory.Read.All
Directory.AccessAsUser.All
I can do many things with these permissions on the non-beta Graph with the same token. Have you tested your code using something other than Graph Explorer?
Hi,
Yes, absolutely tested. Which application the token is issued to is not relevant, as long as you have the correct consent for the Microsoft Graph. Feel free to paste your access token here (just wait an hour until it has expired), and I can check it out 🙂
Marius
From the reference here, I don't think (the register call) works for applications (yet): https://docs.microsoft.com/en-us/graph/api/governanceresource-register?view=graph-rest-beta
I think that's the reason for the 401 unauthorized error, even with the correct consent.
I have been trying to get it working with a service principal/application consent and I think it's just not possible currently (same 401 error). It definitely works with delegated permissions (user token) with the above code. Let me know if I am wrong or if you know another way, Marius. Thanks!
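The 401 discussion above comes down to what kind of token is being sent: a delegated (user) token carries its Graph permissions in the scp claim, while an app-only token carries them in the roles claim, and the thread reports that the register call only works with the former. The following is an added example, not code from the original post or from Marius, that decodes the payload of a Graph access token offline and reports the token type, audience and which of the required permissions are missing. The function names (ConvertFrom-JwtPayload, Test-GraphTokenForPim, New-UnsignedJwt) are my own, and the two sample tokens are constructed in the script with an empty signature purely so it runs without a tenant; they are not real tokens.

```powershell
function ConvertFrom-JwtPayload {
    # Decode the second (payload) segment of a JWT without validating the signature.
    # This is a diagnostic aid only; Graph itself still validates the real token.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected at least two dot-separated segments" }
    # base64url -> base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw "Malformed base64url payload" }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphTokenForPim {
    # Report whether a token is delegated or app-only, whether it is for Graph,
    # and which required permissions are absent from scp/roles.
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredScopes = @('PrivilegedAccess.ReadWrite.AzureADGroup', 'Directory.ReadWrite.All')
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    # Delegated permissions are a space-separated string in 'scp';
    # application permissions are an array in 'roles'.
    $granted = if ($claims.scp) { $claims.scp -split ' ' } elseif ($claims.roles) { @($claims.roles) } else { @() }
    $type = if ($claims.scp) { 'Delegated (user token)' } elseif ($claims.roles) { 'Application (app-only token)' } else { 'Unknown' }
    # Graph accepts either its URL or its well-known application id as audience
    $audOk = $claims.aud -in @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    [pscustomobject][ordered]@{
        TokenType  = $type
        Audience   = $claims.aud
        AudienceOk = $audOk
        ExpiresUtc = if ($claims.exp) { [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime } else { $null }
        Granted    = $granted
        Missing    = @($RequiredScopes | Where-Object { $_ -notin $granted })
    }
}

function New-UnsignedJwt {
    # Build a JWT-shaped string with alg "none" and an empty signature.
    # Only for constructing offline samples; Graph would reject such a token.
    param([Parameter(Mandatory)][hashtable]$Payload)
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header = & $enc '{"alg":"none","typ":"JWT"}'
    $body   = & $enc ($Payload | ConvertTo-Json -Compress)
    "$header.$body."
}

# Constructed sample 1: the shape of a delegated token, as Graph Explorer would issue
$delegated = New-UnsignedJwt @{
    aud = 'https://graph.microsoft.com'
    scp = 'Directory.ReadWrite.All PrivilegedAccess.ReadWrite.AzureADGroup User.Read'
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
}
# Constructed sample 2: the shape of an app-only token (client credentials), roles instead of scp
$appOnly = New-UnsignedJwt @{
    aud   = 'https://graph.microsoft.com'
    roles = @('Directory.ReadWrite.All', 'PrivilegedAccess.ReadWrite.AzureADGroup')
    exp   = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
}

Test-GraphTokenForPim -Token $delegated | Format-List
Test-GraphTokenForPim -Token $appOnly   | Format-List
```

Run Test-GraphTokenForPim against the real $accesstoken from the script above before troubleshooting consent: a token whose AudienceOk is false was issued for a different resource and will always get a 401 from Graph, and a token reporting "Application (app-only token)" is the case the thread describes as not working for the register call even when the roles claim lists the right permissions.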
Hello, I was wondering if this workaround is still working? I’m getting a 403 forbidden error on every request
I got this to work, but now I'm wondering if there is a programmatic way to add eligible members to the group(s) I just created?
The PIM APIs are all very complex to work with, and currently in their "third iteration". I don't think an endpoint for adding eligible members to a group currently exists, only for Azure AD roles and Azure resources.