Asked by christmascactus; SaurabhSharma-msft commented

Script granting PIM admin role in Azure AD with MFA


Hi,

I'm trying to script some maintenance tasks in Exchange, and to make the changes I need to grant myself the Exchange admin role in PIM and authenticate using MFA.

I've followed this but I still get an error relating to MFA:

Open-AzureADMSPrivilegedRoleAssignmentRequest : Error occurred while executing
OpenAzureADMSPrivilegedRoleAssignmentRequest
Code: RoleAssignmentRequestPolicyValidationFailed
Message: The following policy rules failed: ["MfaRule"]

I'm not sure if the ClientId I've used is right. Where do I get this from? Does that relate to a specific application?

Thanks



Hi @christmascactus,

Thanks for using Microsoft Q&A!
I have tried using the cmdlet and it works fine. I have used the command like below:

```powershell
# Build the activation window for the request
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = "2021-04-26T20:49:11.770Z"
$schedule.EndDateTime = "2022-07-25T20:49:11.770Z"

# -ResourceId is the tenant GUID, -SubjectId is the user's object id
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -Schedule $schedule -ResourceId "<TenantId>" -RoleDefinitionId "29232cdf-9323-42fd-ade2-1d097af3e4de" -SubjectId "fd30f582-5613-450e-a75a-73f279aa82da" -AssignmentState "Eligible" -Type "AdminAdd"
```

Here, I am passing the tenant GUID as -ResourceId and the user object id from the Azure Portal as -SubjectId.

Result: (screenshot attached)

Thanks
Saurabh



Hi,
I'm using MFA and usually the authenticator app on my phone. I'm using this article to get the token. I think it's not working as Azure is expecting me to authenticate using MFA, which the PowerShell isn't doing (the link doesn't seem to have worked in my original post, apologies). The Get-MsalToken cmd seems to work, but I don't know what the ClientId should be; does this relate to an app in Azure?



Hi @christmascactus,
Thanks for sharing this one. I am checking on this and will get back to you.

Thanks
Saurabh


Hi @christmascactus,

Sorry for the delay. Client ID 1b730954-1685-4b74-9bfd-dac224a7b894 is for the Azure AD PowerShell client app, and you can use the same in your script.
How are you currently running the script? Are you passing any other client ID?

Also, you may be getting this error because the role setting has "MFA required" set. The solution is to log in with MFA as shown in the blog. So, can you please check and change it before running the script.

Thanks
Saurabh

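Putting Saurabh's two comments together (the cmdlet call above and the role setting that requires MFA), here is an added example of my own, not code from the thread or from Microsoft: it signs in interactively so the MFA prompt is satisfied, resolves the role by display name instead of a hard-coded GUID, and requests a short, time-boxed self-activation. The tenant id, role name, duration and reason are placeholders; it assumes the AzureADPreview module.

```powershell
#Requires -Modules AzureADPreview
# Added example (not the poster's or Microsoft's code): self-activate an
# eligible PIM role with an interactive sign-in that satisfies the MfaRule.
param(
    [string]$TenantId        = '<TenantId>',                 # placeholder
    [string]$RoleDisplayName = 'Exchange Administrator',     # assumed role name
    [int]$DurationHours      = 2,
    [string]$Reason          = 'Exchange maintenance (ticket placeholder)'
)

# Interactive sign-in: the browser prompt runs your MFA, so the PIM request
# carries an MFA claim. A token acquired without MFA fails with MfaRule.
$session = Connect-AzureAD -TenantId $TenantId

# Resolve the role by name rather than hard-coding its GUID.
$role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $TenantId `
    -Filter "DisplayName eq '$RoleDisplayName'"
if (-not $role) { throw "Role '$RoleDisplayName' not found in tenant $TenantId" }

# Your own object id, looked up from the signed-in account (UPN).
$me = Get-AzureADUser -ObjectId $session.Account.Id

# Time-boxed activation: it expires on its own, so no standing privilege is left.
$now = (Get-Date).ToUniversalTime()
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = $now
$schedule.EndDateTime   = $now.AddHours($DurationHours)

# UserAdd to Active = activating an existing eligible assignment for a
# maintenance window; AdminAdd (as in the thread) creates a new assignment.
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' `
    -ResourceId $TenantId -RoleDefinitionId $role.Id -SubjectId $me.ObjectId `
    -Type 'UserAdd' -AssignmentState 'Active' -Schedule $schedule -Reason $Reason

# Verify what was actually granted before running the maintenance tasks.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $TenantId `
    -Filter "subjectId eq '$($me.ObjectId)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentState, StartDateTime, EndDateTime
```

If the role setting also requires approval, the request sits in a pending state until an approver acts, so check the verification output rather than assuming the activation took effect.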

OK, maybe I've misunderstood what it was doing.
Is there a recommended way of automating maintenance scripts in Office 365? Maybe a service account without MFA?


@christmascactus sorry, none which I am aware of to automate while bypassing MFA.
Service accounts excluded from MFA may put you at risk if their credentials are leaked, and thus I will not suggest you use them.
Can you please look into this post to see if Runbooks could help you with the same.

Thanks
Saurabh


0 Answers