Welcome to EasyPIM Discussions!

[kayasax]

👋 Welcome!

Hey, I'm Loïc, currently working at Microsoft as a support engineer in the Azure identity team.
I noticed this is not easy to find where to start when you want to automate PIM management. After struggling with the API I thought I can share a script to demonstrate the API usage.
This script was transformed to a module and hosted on the PowerShell gallery for your convenience.
Feel free to suggest any improvement that could be added, and consider staring this project if you find it useful!

[Azure365Addict]

Great project!

I also wrote few automation scripts for PIM management on my own.

Here are the things you could consider to add:

• bulk assign/unassign roles (based on the input from file)
• bulk modify role settings (I often need to set the same settings for all roles within newly created subscription)
• copy roles from another user
• I also have a separate mechanism which checks if PIM users have P2 license assigned. Not sure if it needs to be added in your project.

[kayasax]

Hi @Azure365Addict, thank you for your interest in this module.
Your suggestions make sense, the good news is that you can already do this with EasyPIM :

1. I will not add this feature directly but you can simply pipe your objectID to a cmdlet like
   get-content c:\temp\users.txt |foreach{ new-pimentraroleeligibleAssignment -tenantID $tenantID -rolename "testrole" -principalID $_ }
2. The EasyPIM cmdlets support configuring muliple role at once, ex

set-pimazureResourcePolicy -tenantID $env:tenantID -subscriptionID $env:subscriptionId `
  -rolename "testrole","reader" `
  -Notification_Activation_Alert @{
     "isDefaultRecipientEnabled"="true";
     "notificationLevel"="All";
     "Recipients" = @("email1@domain.com","email2@domain.com")
}

You can also use the backup (for all roles) or export (for selected roles) cmdlets to create a csv file, update in excel and upload back your changes

3. You can configure a role as a template and apply the setting to others with copy-PIM* cmdlet, check https://github.com/kayasax/EasyPIM/wiki/Copy%E2%80%90PIMAzureResourcePolicy

4. This module is for now focusing on the administrative taks which does not require a license https://learn.microsoft.com/en-us/entra/id-governance/licensing-fundamentals#licenses-you-must-have-for-pim.

Thank you for the suggestions I hope you can achieve your tasks with the cmdlets already available, if something is missing or you have a scenario wich is not covered, please let me know!

[kayasax]

I misread 3), I see now you want to copy the role assignment from one user to others.
Yes this might be something I can check, but I believe a better way to do this is to assign the role to a group, then you add you users to this group... That being said there are some issues with some roles not working as expected when assigned from a group...
So I'll add this to the backlog :)

[Azure365Addict]

Thank you for the suggestions on points 1, 2 and 4. I will manage :)

When it comes to point 3, idea with groups is great but PIM can't be enabled for groups synchronized from on-premises environment so this is a no go in my case. This is the main reason why copying role assignments from one user to others would be useful. Especially, that we have a really diverse sets of roles + very often users request the same roles as user X.

[kayasax]

@Azure365Addict please check #75 and tell me if it's what you asked

[artorro]

Hi, great job.
I was thinking of making my own script so this saved me a ton of hours.
However, I identified one bug it seems. The export file is exporting everything but the importing doesn't take all values.

To be more precise:
The ActiveAssignmentRequirement column in the csv file is not being processed in the Import-EntraRoleSettings.ps1 and therefore the PIM settings: Require Azure Multi-Factor Authentication on active assignment & Require justification on active assignment, do not get updated.

[kayasax]

Hi @artorro thanks for reporting this with all details, I've created an issue: #107
Have little time to work on this right now but will check.
Thanks again

[kcobbva]

Reading through the project today, in the (https://github.com/kayasax/EasyPIM/blob/main/EasyPIM/Documentation/Invoke-EasyPIMOrchestrator.md) document I see you call out Delta Mode under the local configuration file yet in the example code it has -mode "initial" included. See below. I believe, if I'm reading this correctly, there should be no <-Mode "initial"> in that line so it is in default delta mode.

From Local Configuration File
Delta mode (default): Invoke-EasyPIMOrchestrator -ConfigFilePath "C:\Config\pim-config.json" -TenantId "11111111-1111-1111-1111-111111111111" -SubscriptionId "22222222-2222-2222-2222-222222222222" -Mode "initial"

[kayasax]

Hi @kcobbva thanks for the heads up yes no need to specify a mode as delta is the default, will update doc.

[Benjam1nIT]

Hi,

Am I supposed to be able to configure additional recipients on an Entra role ? I'm using successfuly this command... but the settings are never configured ; (Success, policy updated)

Set-PIMEntraRolePolicy -tenantID $tenantID -rolename "Security Administrator" -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All"; "Recipients"=@("email1@domain1.com","email2domain2.com")}
-Notification_ActiveAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All"; "Recipients"=@("email1@domain1.com","email2domain2.com")} `
-Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All"; "Recipients"=@("email2domain2.com")}

In Entra, the additionnal recipients values remain empty.
When looking at the role using this command, the recipients value remain empty; Get-PIMEntraRolePolicy -tenantID $tenantID -rolename "Security Administrator"

[kayasax]

Hi @Benjam1nIT it should work fine if you provide valid email addresses (there is missing @ in your sample)

[Benjam1nIT]

Hi @Benjam1nIT it should work fine if you provide valid email addresses (there is missing @ in your sample)

It's just a typo when I edited the email adresses. It doesn't work.

[kayasax]

please add -verbose at the end of the command to see if you get more info.
Here is what I have on my side:

SC:\Windows\System32> Set-PIMEntraRolePolicy -tenantID $env:tenantID -rolename "testrole" -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All"; "Recipients"=@("email1@domain1.com","email2@domain2.com")} -Notification_ActiveAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All"; "Recipients"=@("email1@domain1.com","email2@domain2.com")}  -Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All"; "Recipients"=@("email2@domain2.com")} -verbose

VERBOSE: Function Set-PIMEntraRolePolicy is starting with parameters: tenantID =>***
rolename =>testrole, Notification_EligibleAssignment_Alert =>System.Collections.Hashtable, Notification_ActiveAssignment_Alert =>System.Collections.Hashtable, Notification_Activation_Alert =>System.Collections.Hashtable, Verbose =>True
VERBOSE: uri = https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayname eq 'testrole'
VERBOSE: Fetching data from: https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayname eq 'testrole'
VERBOSE: GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayname eq 'testrole' with 0-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: roleID = c2314e04-b23a-4dd5-915f-b0ab7487c9d9
VERBOSE: endpoint = policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq 'c2314e04-b23a-4dd5-915f-b0ab7487c9d9' and scopeId eq '/'
VERBOSE: uri = https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq 'c2314e04-b23a-4dd5-915f-b0ab7487c9d9' and scopeId eq '/'
VERBOSE: Fetching data from: https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq 'c2314e04-b23a-4dd5-915f-b0ab7487c9d9' and scopeId eq '/'
VERBOSE: GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq 'c2314e04-b23a-4dd5-915f-b0ab7487c9d9' and scopeId eq '/' with 0-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: policyID = DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b
VERBOSE: uri = https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b/rules
VERBOSE: Fetching data from: https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b/rules
VERBOSE: GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b/rules with 0-byte payload
VERBOSE: received -byte response of content type application/json
VERBOSE: Set-Notification_EligibleAssignment_Alert(System.Collections.Hashtable)
VERBOSE: end function notif elligible alert
VERBOSE: Performing the operation "Udpdating policy" on target "testrole".
VERBOSE:
>> PATCH body:

        {
            "rules": [

    {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
        "id": "Notification_Admin_Admin_Eligibility",
        "notificationType": "Email",
        "recipientType": "Admin",
        "isDefaultRecipientsEnabled": true,
        "notificationLevel": "All",
        "notificationRecipients": [
            "email1@domain1.com","email2@domain2.com"
        ],
        "target": {
            "caller": "Admin",
            "operations": [
                "all"
            ],
            "level": "Eligibility",
            "inheritableSettings": [],
            "enforcedSettings": []
        }
    }
    ,
        {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Admin_Admin_Assignment",
            "notificationType": "Email",
            "recipientType": "Admin",
            "isDefaultRecipientsEnabled": true,
            "notificationLevel": "All",
            "notificationRecipients": [
                "email1@domain1.com","email2@domain2.com"
            ],
            "target": {
                "caller": "Admin",
                "operations": [
                    "all"
                ],
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
        }
        ,{
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
            "id": "Notification_Admin_EndUser_Assignment",
            "notificationType": "Email",
            "recipientType": "Admin",
            "isDefaultRecipientsEnabled": true,
            "notificationLevel": "All",
            "notificationRecipients": ["email2@domain2.com"],
            "target": {
                "caller": "EndUser",
                "operations": [
                    "all"
                ],
                "level": "Assignment",
                "inheritableSettings": [],
                "enforcedSettings": []
            }
        }]
    }
VERBOSE: Patch endpoint : policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b
VERBOSE: uri = https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b
VERBOSE: PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b with 2153-byte payload
VERBOSE: received -byte response of content type application/json
Success, policy updated

[Benjam1nIT]

Here is my verbose output. I notice at the end that the PATCH URLs seem wrong compare to yours. Thanks VERBOSE: Function Set-PIMEntraRolePolicy is starting with parameters: tenantID =>--REDACTED--, rolename =>Security Operator, Notification_EligibleAssignment_Alert =>System.Collections.Hashtable, Notification_ActiveAssignment_Alert =>System.Collections.Hashtable, Notification_Activation_Alert =>System.Collections.Hashtable, Verbose =>True VERBOSE: uri = https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayname eq 'Security Operator' VERBOSE: GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayname eq 'Security Operator' with 0-byte payload VERBOSE: received -byte response of content type application/json VERBOSE: roleID = 5f2222b1-57c3-48ba-8ad5-d4759f1fde6f VERBOSE: endpoint = policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq '5f2222b1-57c3-48ba-8ad5-d4759f1fde6f' and scopeId eq '/' VERBOSE: uri = https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq '5f2222b1-57c3-48ba-8ad5-d4759f1fde6f' and scopeId eq '/' VERBOSE: GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq '5f2222b1-57c3-48ba-8ad5-d4759f1fde6f' and scopeId eq '/' with 0-byte payload VERBOSE: received -byte response of content type application/json VERBOSE: policyID = VERBOSE: uri = https://graph.microsoft.com/v1.0/policies/roleManagementPolicies//rules VERBOSE: GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies//rules with 0-byte payload VERBOSE: received -byte response of content type application/json VERBOSE: Set-Notification_EligibleAssignment_Alert(System.Collections.Hashtable) VERBOSE: end function notif elligible alert VERBOSE: Performing the operation "Udpdating policy" on target "Security Operator". VERBOSE:

> PATCH body:

{ "rules": [ { ***@***.***": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule", "id": "Notification_Admin_Admin_Eligibility", "notificationType": "Email", "recipientType": "Admin", "isDefaultRecipientsEnabled": true, "notificationLevel": "All", "notificationRecipients": [ ***@***.******@***.***" ], "target": { "caller": "Admin", "operations": [ "all" ], "level": "Eligibility", "inheritableSettings": [], "enforcedSettings": [] } } , { ***@***.***": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule", "id": "Notification_Admin_Admin_Assignment", "notificationType": "Email", "recipientType": "Admin", "isDefaultRecipientsEnabled": true, "notificationLevel": "All", "notificationRecipients": [ ***@***.******@***.***" ], "target": { "caller": "Admin", "operations": [ "all" ], "level": "Assignment", "inheritableSettings": [], "enforcedSettings": [] } } ,{ ***@***.***": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule", "id": "Notification_Admin_EndUser_Assignment", "notificationType": "Email", "recipientType": "Admin", "isDefaultRecipientsEnabled": true, "notificationLevel": "All", "notificationRecipients": ***@***.***"], "target": { "caller": "EndUser", "operations": [ "all" ], "level": "Assignment", "inheritableSettings": [], "enforcedSettings": [] } }] } VERBOSE: Patch endpoint : policies/roleManagementPolicies/ VERBOSE: uri = https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/ VERBOSE: PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/ with 2153-byte payload VERBOSE: received -byte response of content type application/json Success, policy updated

…

On Mon, Jul 14, 2025 at 4:07 PM Loïc MICHEL - MSFT ***@***.***> wrote: please add -verbose at the end of the command to see if you get more info. Here is what I have on my side: SC:\Windows\System32> Set-PIMEntraRolePolicy -tenantID $env:tenantID -rolename "testrole" -Notification_EligibleAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All"; "Recipients"=@***@***.******@***.***")} -Notification_ActiveAssignment_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All"; "Recipients"=@***@***.******@***.***")} -Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="All"; "Recipients"=@***@***.***")} -verbose VERBOSE: Function Set-PIMEntraRolePolicy is starting with parameters: tenantID =>*** rolename =>testrole, Notification_EligibleAssignment_Alert =>System.Collections.Hashtable, Notification_ActiveAssignment_Alert =>System.Collections.Hashtable, Notification_Activation_Alert =>System.Collections.Hashtable, Verbose =>True VERBOSE: uri = https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayname eq 'testrole' VERBOSE: Fetching data from: https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayname eq 'testrole' VERBOSE: GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions?$filter=displayname eq 'testrole' with 0-byte payload VERBOSE: received -byte response of content type application/json VERBOSE: roleID = c2314e04-b23a-4dd5-915f-b0ab7487c9d9 VERBOSE: endpoint = policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq 'c2314e04-b23a-4dd5-915f-b0ab7487c9d9' and scopeId eq '/' VERBOSE: uri = https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq 'c2314e04-b23a-4dd5-915f-b0ab7487c9d9' and scopeId eq '/' VERBOSE: Fetching data from: https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq 'c2314e04-b23a-4dd5-915f-b0ab7487c9d9' and scopeId eq '/' VERBOSE: GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq 'c2314e04-b23a-4dd5-915f-b0ab7487c9d9' and scopeId eq '/' with 0-byte payload VERBOSE: received -byte response of content type application/json VERBOSE: policyID = DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b VERBOSE: uri = https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b/rules VERBOSE: Fetching data from: https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b/rules VERBOSE: GET https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b/rules with 0-byte payload VERBOSE: received -byte response of content type application/json VERBOSE: Set-Notification_EligibleAssignment_Alert(System.Collections.Hashtable) VERBOSE: end function notif elligible alert VERBOSE: Performing the operation "Udpdating policy" on target "testrole". VERBOSE: >> PATCH body: { "rules": [ { ***@***.***": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule", "id": "Notification_Admin_Admin_Eligibility", "notificationType": "Email", "recipientType": "Admin", "isDefaultRecipientsEnabled": true, "notificationLevel": "All", "notificationRecipients": [ ***@***.******@***.***" ], "target": { "caller": "Admin", "operations": [ "all" ], "level": "Eligibility", "inheritableSettings": [], "enforcedSettings": [] } } , { ***@***.***": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule", "id": "Notification_Admin_Admin_Assignment", "notificationType": "Email", "recipientType": "Admin", "isDefaultRecipientsEnabled": true, "notificationLevel": "All", "notificationRecipients": [ ***@***.******@***.***" ], "target": { "caller": "Admin", "operations": [ "all" ], "level": "Assignment", "inheritableSettings": [], "enforcedSettings": [] } } ,{ ***@***.***": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule", "id": "Notification_Admin_EndUser_Assignment", "notificationType": "Email", "recipientType": "Admin", "isDefaultRecipientsEnabled": true, "notificationLevel": "All", "notificationRecipients": ***@***.***"], "target": { "caller": "EndUser", "operations": [ "all" ], "level": "Assignment", "inheritableSettings": [], "enforcedSettings": [] } }] } VERBOSE: Patch endpoint : policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b VERBOSE: uri = https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b VERBOSE: PATCH https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/DirectoryRole_9b08d26c-2c4e-45c8-9313-b700c2ee6e3d_0b6de493-d03a-4fe0-8c85-bfaf9e9da00b with 2153-byte payload VERBOSE: received -byte response of content type application/json Success, policy updated — Reply to this email directly, view it on GitHub <#67 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BJI7LDVWOVEHFLXQJUZY2633IQEZVAVCNFSM6AAAAABPKEMJESVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGNZVGY3DGMQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[kayasax]

that is failing at this step where no policyID is received....

https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType
eq 'DirectoryRole' and roleDefinitionId eq
'5f2222b1-57c3-48ba-8ad5-d4759f1fde6f' and scopeId eq '/' with 0-byte
payload
VERBOSE: received -byte response of content type application/json
VERBOSE: policyID =
VERBOSE: uri =

I'm wondering if this could be due to missing permision ( https://learn.microsoft.com/en-us/graph/api/policyroot-list-rolemanagementpolicyassignments?view=graph-rest-1.0&tabs=http#for-pim-for-microsoft-entra-roles ) ; you need for write operations: Privileged Role Administrator
can you double check ?

[Benjam1nIT]

I'm using an account with Global Administrator privilege

…

On Tue, Jul 15, 2025 at 2:59 AM Loïc MICHEL - MSFT ***@***.***> wrote: that is failing at this step where no policyID is received.... https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType eq 'DirectoryRole' and roleDefinitionId eq '5f2222b1-57c3-48ba-8ad5-d4759f1fde6f' and scopeId eq '/' with 0-byte payload VERBOSE: received -byte response of content type application/json VERBOSE: policyID = VERBOSE: uri = I'm wondering if this could be due to missing permision ( https://learn.microsoft.com/en-us/graph/api/policyroot-list-rolemanagementpolicyassignments?view=graph-rest-1.0&tabs=http#for-pim-for-microsoft-entra-roles ) ; you need for write operations: Privileged Role Administrator can you double check ? — Reply to this email directly, view it on GitHub <#67 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BJI7LDV7D4VM2CIZM445SFL3ISRDJAVCNFSM6AAAAABPKEMJESVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGNZWGEYTKNA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[kayasax]

hum...
I'm wondering if you can try from graph explorer:

https://graph.microsoft.com/v1.0/policies/roleManagementPolicyAssignments?$filter=scopeType
eq 'DirectoryRole' and roleDefinitionId eq
'5f2222b1-57c3-48ba-8ad5-d4759f1fde6f' and scopeId eq '/'

Also, can you try to assign this role to a dummy user first in PIM then retry?

[Benjam1nIT]

Same result :(

…

On Tue, Jul 15, 2025 at 8:24 AM Loïc MICHEL - MSFT ***@***.***> wrote: hum... Can you try to assign this role to a dummy user first in PIM then retry? — Reply to this email directly, view it on GitHub <#67 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BJI7LDV6FJKC3SEN3KD4PDL3ITXHBAVCNFSM6AAAAABPKEMJESVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTGNZWGQZTAMQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>