@Ruslan Rahozhkin I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.
Issue: need to configure "RoleManagementPolicyApprovalRule" rule for updating role management policy on resource group scope for Contributor role in PIM settings automatically from Powershell code. I'm following this documentation pages:
At the moment I have following code:
$approvers = @("user1@sbx.onmicrosoft.com", "user2@sbx.onmicrosoft.com")
Write-Host "Getting Role Management Policies:"
$roleManagementPoliciesAssignments = Get-AzRoleManagementPolicyAssignment -Scope $scopePimRoleAssignment | Where-Object { $_.Name -like "$($contributorRoleDefinition.Id)" }
$roleManagementPolicyId = ($roleManagementPoliciesAssignments.PolicyId -split "/")[8]
$approvalRule = [RoleManagementPolicyApprovalRule]@{
id = "Require_Approval_To_Activate";
ruleType = RoleManagementPolicyRuleType;
settingIsApprovalRequired = $true;
}
$rules = [IRoleManagementPolicyRule[]]@($approvalRule)
Update-AzRoleManagementPolicy -Scope $resourceGroup -Name $roleManagementPolicyId -Rule $rules As I see the rule definition in cmdlet Update-AzRoleManagementPolicy doesn't have "Approvers" in settings. If consider the MS Graph powershell command Update-MgPolicyRoleManagementPolicy from this page:
https://zcusa.951200.xyz/en-us/graph/api/unifiedrolemanagementpolicy-update?view=graph-rest-1.0&tabs=powershell#request there is possibility to set approvers. But with this solution I cannot get policy ID for Contributor role on resource groups scope. As I understand Graph cmdlet provides possibility to configure policies only for PIM for MS Entra ID roles and PIM for groups, not Azure resources. And it's difficult to convince Entra ID administrators in our organisation to use "RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory" permissions for App registrations to use MG Graph cmdlets. So, the main question is: How to set approvers in Role Management Policy approval rule for "Require approval to activate" possibility in PIM role settings by Powershell using Update-AzRoleManagementPolicy command? I will appreciate any assistance.
Resolution: Resolved by @Ruslan Rahozhkin by following the below steps
"RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory" permissions for App registrations to use MG Graph cmdlets as I mentioned in my post. Because of organisation policy restrictions.
In my case I set approvers by configuring PATCH API request.
I followed to links: https://zcusa.951200.xyz/en-us/rest/api/authorization/privileged-role-policy-rest-sample#update-a-role-management-policy
This example of the solution was useful to configure the body for the request. https://github.com/thedevopsjedi/azure-pim/blob/main/PIMConfigureEligibleAzureResource.ps1#L452
If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.