Get-MtRoleMember not returning all eligible members #600

Open
momurray365 opened this issue Dec 23, 2024 · 1 comment

@momurray365

Hi,

I'm working on a test that needs to get all eligible members of a specific role. The command Get-MtRoleMember returns nothing in our environment.

The command implementation in Get-MtRoleMember.ps1 seems to use the roleEligibilityScheduleRequests Graph endpoint. To the best of my knowledge, this endpoint only returns role elevation requests. If users are made permanently eligible, this endpoint will not return them.

See at line 103:

```powershell
if ($dirAssignmentsSplat.RelativeUri -eq "roleManagement/directory/roleEligibilityScheduleRequests") {
```

I think we should use the roleEligibilitySchedules endpoint instead for this function. I used the following command in my test to get all eligible users in our environment:

```powershell
Invoke-MtGraphRequest -RelativeUri "roleManagement/directory/roleEligibilitySchedules" -Filter "RoleDefinitionId eq '$($PrivilegedRole.RoleTemplateId)'"
```

Am I missing something here?

Thanks for your work guys!

@soulemike
Contributor

The addition as another type would allow for it to process both endpoints. I am not certain offhand the different combinations that may be possible to occur, but I don't see an issue in adding an additional endpoint and returning a unique list of principals.
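
Added example (not part of the thread and not Maester's own code): one way to query both endpoints discussed above and return a unique list of principals, recording which endpoint surfaced each one first. `Get-EligiblePrincipal`, its parameters and the sample records are hypothetical; the sketch assumes `Invoke-MtGraphRequest` returns the endpoint's records as objects carrying `principalId` and `roleDefinitionId`.

```powershell
# Added example, not Maester code. Get-EligiblePrincipal and its parameters are hypothetical.
function Get-EligiblePrincipal {
    [CmdletBinding()]
    param(
        # Role definition (template) id of the directory role to inspect
        [Parameter(Mandatory)][string]$RoleDefinitionId,
        # Optional pre-fetched records keyed by endpoint, so the merge can run offline
        [hashtable]$Records
    )
    # Schedules endpoint first (the one the issue proposes), then the requests
    # endpoint the issue says Get-MtRoleMember.ps1 currently uses
    $endpoints = @(
        'roleManagement/directory/roleEligibilitySchedules'
        'roleManagement/directory/roleEligibilityScheduleRequests'
    )
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($uri in $endpoints) {
        $items = if ($PSBoundParameters.ContainsKey('Records')) {
            $Records[$uri]
        } else {
            # Assumption: returns the endpoint's records as objects, as used in the issue
            Invoke-MtGraphRequest -RelativeUri $uri -Filter "RoleDefinitionId eq '$RoleDefinitionId'"
        }
        foreach ($item in $items) {
            if ($item.roleDefinitionId -ne $RoleDefinitionId) { continue }
            # HashSet.Add returns $false for a principal that was already emitted
            if ($seen.Add([string]$item.principalId)) {
                [pscustomobject]@{
                    PrincipalId = $item.principalId
                    FirstSeenIn = ($uri -split '/')[-1]
                }
            }
        }
    }
}

# Constructed sample records (placeholder ids, not tenant data)
$roleId = '00000000-0000-0000-0000-000000000001'
$sample = @{
    'roleManagement/directory/roleEligibilitySchedules' = @(
        [pscustomobject]@{ principalId = 'principal-a'; roleDefinitionId = $roleId }
        [pscustomobject]@{ principalId = 'principal-b'; roleDefinitionId = $roleId }
    )
    'roleManagement/directory/roleEligibilityScheduleRequests' = @(
        [pscustomobject]@{ principalId = 'principal-b'; roleDefinitionId = $roleId }
        [pscustomobject]@{ principalId = 'principal-c'; roleDefinitionId = $roleId }
    )
}
Get-EligiblePrincipal -RoleDefinitionId $roleId -Records $sample
```

In the constructed sample, `principal-a` appears only under `roleEligibilitySchedules`, which is the case the issue reports as missing from a requests-only query.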
