AzureRoleEligibilityScheduleRequest¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Principal | Key | String | User Principal Name of the Azure role eligibility request. | |
| RoleDefinition | Key | String | Azure role associated with the eligibility request (e.g., 'Owner', 'Contributor'). | |
| PrincipalType | Write | String | Represented the type of principal to assign the request to. Accepted values are: Group, User and ServicePrincipal. | Group, User, ServicePrincipal |
| DirectoryScopeId | Key | String | Identifier of the scope representing the Azure resource (e.g., /subscriptions/{id}, /providers/Microsoft.Management/managementGroups/{id}). The scope determines the set of Azure resources for which the principal is eligible to access. | |
| Id | Write | String | Identifier for the Role Eligibility Schedule Request. | |
| AppScopeId | Write | String | Identifier of the app-specific scope when the role eligibility is scoped to an app. Not commonly used for Azure RBAC roles. | |
| Justification | Write | String | A message provided by users and administrators when they create the role eligibility schedule request. | |
| ScheduleInfo | Write | MSFT_AzureRoleEligibilityScheduleRequestSchedule | The period of the role eligibility. The period of eligibility is dependent on the settings of the Azure role. | |
| Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. | Present, Absent |
| Credential | Write | PSCredential | Credentials of the workload's Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. |
Embedded Instances¶
MSFT_AzureRoleEligibilityScheduleRequestScheduleRecurrenceRange¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| endDate | Required | String | The date to stop applying the recurrence pattern. Depending on the recurrence pattern of the event, the last occurrence of the meeting may not be this date. | |
| numberOfOccurrences | Write | UInt32 | The number of times to repeat the event. Required and must be positive if type is numbered. | |
| recurrenceTimeZone | Write | String | Time zone for the startDate and endDate properties. | |
| startDate | Required | String | The date to start applying the recurrence pattern. The first occurrence of the meeting may be this date or later, depending on the recurrence pattern of the event. Must be the same value as the start property of the recurring event. | |
| type | Required | String | The recurrence range. The possible values are: endDate, noEnd, numbered. | endDate, noEnd, numbered |
MSFT_AzureRoleEligibilityScheduleRequestScheduleRecurrencePattern¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| dayOfMonth | Write | UInt32 | The day of the month on which the event occurs. | |
| daysOfWeek | Write | StringArray[] | A collection of the days of the week on which the event occurs. The possible values are: sunday, monday, tuesday, wednesday, thursday, friday, saturday | sunday, monday, tuesday, wednesday, thursday, friday, saturday |
| firstDayOfWeek | Write | String | The first day of the week. | sunday, monday, tuesday, wednesday, thursday, friday, saturday |
| index | Write | String | Specifies on which instance of the allowed days specified in daysOfWeek the event occurs, counted from the first instance in the month. The possible values are: first, second, third, fourth, last. | first, second, third, fourth, last |
| interval | Write | UInt32 | The number of units between occurrences, where units can be in days, weeks, months, or years, depending on the type. | |
| month | Write | UInt32 | The month in which the event occurs. This is a number from 1 to 12. | |
| type | Write | String | The recurrence pattern type: daily, weekly, absoluteMonthly, relativeMonthly, absoluteYearly, relativeYearly. | daily, weekly, absoluteMonthly, relativeMonthly, absoluteYearly, relativeYearly |
MSFT_AzureRoleEligibilityScheduleRequestScheduleRecurrence¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| pattern | Write | MSFT_AzureRoleEligibilityScheduleRequestScheduleRecurrencePattern | The frequency of an event. | |
| range | Write | MSFT_AzureRoleEligibilityScheduleRequestScheduleRecurrenceRange | The duration of an event. |
MSFT_AzureRoleEligibilityScheduleRequestScheduleExpiration¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| duration | Write | String | The requestor's desired duration of access represented in ISO 8601 format for durations. For example, PT3H refers to three hours. If specified in a request, endDateTime should not be present and the type property should be set to afterDuration. | |
| endDateTime | Write | String | Timestamp of date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | |
| type | Write | String | The requestor's desired expiration pattern type. The possible values are: notSpecified, noExpiration, afterDateTime, afterDuration. | notSpecified, noExpiration, afterDateTime, afterDuration |
MSFT_AzureRoleEligibilityScheduleRequestSchedule¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| expiration | Write | MSFT_AzureRoleEligibilityScheduleRequestScheduleExpiration | When the eligible or active assignment expires. | |
| recurrence | Write | MSFT_AzureRoleEligibilityScheduleRequestScheduleRecurrence | The frequency of the eligible or active assignment. This property is currently unsupported in PIM. | |
| startDateTime | Write | String | When the eligible or active assignment becomes active. |
Description¶
This resource manages Azure PIM (Privileged Identity Management) role eligibility schedule requests for Azure RBAC roles. It supports role assignments and eligibility at all scope levels including subscription, management group, resource group, and resource-specific scopes.
Key Differences from AADRoleEligibilityScheduleRequest¶
- AADRoleEligibilityScheduleRequest: Manages Entra ID (Azure AD) directory roles via Microsoft Graph API
- AzureRoleEligibilityScheduleRequest: Manages Azure RBAC roles via Azure Resource Manager API
Supported Scope Levels¶
Subscription Scope¶
Format: /subscriptions/{subscriptionId}
Example: Assign "Owner" eligibility on subscription
Management Group Scope¶
Format: /providers/Microsoft.Management/managementGroups/{managementGroupId}
Example: Assign "Reader" eligibility on management group
Resource Group Scope¶
Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}
Example: Assign "Contributor" eligibility on resource group
Resource Scope¶
Format: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
Example: Assign "Key Vault Administrator" eligibility on specific key vault
Azure Government Cloud Support¶
This resource automatically detects the tenant region and uses the appropriate Azure Management endpoint:
- Global Azure:
https://management.azure.com - Azure US Government:
https://management.usgovcloudapi.net - Azure US Government DoD:
https://management.usgovcloudapi.net
Required Permissions¶
To manage Azure PIM role eligibility schedules, you need one of the following:
- Privileged Role Administrator role in Azure AD
- Owner or User Access Administrator role at the appropriate Azure scope
- Custom role with permissions:
Microsoft.Authorization/roleEligibilityScheduleRequests/writeMicrosoft.Authorization/roleEligibilitySchedules/readMicrosoft.Authorization/roleDefinitions/read
Known Limitations¶
- The resource creates new schedule requests rather than directly modifying existing schedules
- Schedule changes may take a few minutes to propagate
- Some built-in roles may have restrictions on eligibility assignments
- Management group scope requires appropriate permissions at the management group level
Examples¶
See the Examples folder for comprehensive usage scenarios.
Permissions¶
Examples¶
Example 1¶
This example creates a new Azure PIM role eligibility schedule at subscription level.
Configuration Example
{
param
(
[Parameter(Mandatory = $true)]
[PSCredential]
$Credential
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
AzureRoleEligibilityScheduleRequest "SubscriptionOwnerEligibility"
{
Principal = "AdeleV@contoso.onmicrosoft.com"
RoleDefinition = "Owner"
DirectoryScopeId = "/subscriptions/12345678-1234-1234-1234-123456789012"
PrincipalType = "User"
Ensure = "Present"
ScheduleInfo = MSFT_AzureRoleEligibilityScheduleRequestSchedule {
startDateTime = '2024-01-15T08:00:00Z'
expiration = MSFT_AzureRoleEligibilityScheduleRequestScheduleExpiration
{
type = 'afterDateTime'
endDateTime = '2025-12-31T23:59:59Z'
}
}
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}
Example 2¶
This example updates an existing Azure PIM role eligibility schedule.
Configuration Example
{
param
(
[Parameter(Mandatory = $true)]
[PSCredential]
$Credential
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
AzureRoleEligibilityScheduleRequest "ResourceGroupContributorEligibility"
{
Principal = "SecurityGroup@contoso.onmicrosoft.com"
RoleDefinition = "Contributor"
DirectoryScopeId = "/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/rg-production"
PrincipalType = "Group"
Ensure = "Present"
ScheduleInfo = MSFT_AzureRoleEligibilityScheduleRequestSchedule {
startDateTime = '2024-01-01T00:00:00Z'
expiration = MSFT_AzureRoleEligibilityScheduleRequestScheduleExpiration
{
type = 'noExpiration'
}
}
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}
Example 3¶
This example removes an Azure PIM role eligibility schedule.
Configuration Example
{
param
(
[Parameter(Mandatory = $true)]
[PSCredential]
$Credential
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
AzureRoleEligibilityScheduleRequest "RemoveEligibility"
{
Principal = "AdeleV@contoso.onmicrosoft.com"
RoleDefinition = "Owner"
DirectoryScopeId = "/subscriptions/12345678-1234-1234-1234-123456789012"
PrincipalType = "User"
Ensure = "Absent"
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}
Example 4¶
This example creates an Azure PIM role eligibility schedule at management group level.
Configuration Example
{
param
(
[Parameter(Mandatory = $true)]
[PSCredential]
$Credential
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
AzureRoleEligibilityScheduleRequest "ManagementGroupReaderEligibility"
{
Principal = "AdeleV@contoso.onmicrosoft.com"
RoleDefinition = "Reader"
DirectoryScopeId = "/providers/Microsoft.Management/managementGroups/MyManagementGroup"
PrincipalType = "User"
Ensure = "Present"
ScheduleInfo = MSFT_AzureRoleEligibilityScheduleRequestSchedule {
startDateTime = '2024-01-15T08:00:00Z'
expiration = MSFT_AzureRoleEligibilityScheduleRequestScheduleExpiration
{
type = 'afterDateTime'
endDateTime = '2025-12-31T23:59:59Z'
}
}
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}
Example 5¶
This example creates an Azure PIM role eligibility schedule at the root management group level.
Configuration Example
{
param
(
[Parameter(Mandatory = $true)]
[PSCredential]
$Credential
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
AzureRoleEligibilityScheduleRequest "RootManagementGroupOwnerEligibility"
{
Principal = "AdeleV@contoso.onmicrosoft.com"
RoleDefinition = "Owner"
DirectoryScopeId = "/providers/Microsoft.Management/managementGroups/rootGroup"
PrincipalType = "User"
Ensure = "Present"
ScheduleInfo = MSFT_AzureRoleEligibilityScheduleRequestSchedule {
startDateTime = '2024-01-15T08:00:00Z'
expiration = MSFT_AzureRoleEligibilityScheduleRequestScheduleExpiration
{
type = 'noExpiration'
}
}
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
}
}
}