Received error while deploying Bicep. Error: "The role assignment request schedule is invalid. (InvalidRoleAssignmentRequestSchedule)"

Murali R 245 Reputation points
2024-05-06T11:49:58.59+00:00

Hi Team,

I'm currently utilizing Bicep to enable Azure AD Privileged Identity Management (PIM) with a custom role. I've created an AD Group and assigned a Custom Role to it, which includes the following actions:

"Microsoft.Authorization/*/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*"

Upon deploying the resources using Bicep and Azure PowerShell commands, I encountered the following error: "The role assignment request schedule is invalid. (InvalidRoleAssignmentRequestSchedule)". To troubleshoot, I verified whether the service account has the necessary permissions to deploy Bicep and found that it has owner-level access. Please find the Bicep file and PowerShell script below for your reference.

$deploymentName = (Get-Date).ToString('yyyyMMdd-HHmm')
New-AzDeployment -Name $deploymentName -Location northcentralus -TemplateFile .\pim.bicep -TemplateParameterFile .\agdev-PreProd.parameters.json

targetScope = 'subscription'

param startTime string = utcNow()

@description('Object Id of the AD Group')
param principalId string = ''

@description('Custom role definition ID being assigned to the AD group')
param roleDefinitionId string = ''

@description('Unique name for the roleAssignment in the format of a guid')
var roleName = guid(principalId, roleDefinitionId, subscription().id)

resource pimRoleAssignment 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: roleName
  scope: subscription()
  properties: {
    principalId: principalId
    requestType: 'AdminAssign'
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    scheduleInfo: {
      startDateTime: startTime
    }
  }
}

Kindly assist in providing a solution for this issue.


1 answer

  1. Marilee Turscak-MSFT 36,141 Reputation points Microsoft Employee
    2024-05-06T17:41:10.0066667+00:00

    Hi @Murali R ,

    I understand that you are receiving an error that the role assignment request is invalid.

    I would recommend checking if the Request ID is correct. You can do this using PowerShell: Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId <Tenant ID>

    Also, double-check that you have the resource ID in the request URI and can access privileged resources such as GET /privilegedAccess/azureResources/resources/

    Let me know if this helps and if you still run into this error.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.
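
The `scheduleInfo` in the question sets only `startDateTime`. As an added example (not from the original post or the answer), here is the same template with an explicit `expiration` block, which this resource type's schema also accepts; the `eligibilityDuration` parameter and its `P365D` value are assumptions and need to fit the expiration rules in the role's PIM settings.

```bicep
// Added example: the question's template plus an explicit expiration.
// Only eligibilityDuration and the expiration block differ from the original.
targetScope = 'subscription'

param startTime string = utcNow()

@description('Object Id of the AD Group')
param principalId string = ''

@description('Custom role definition ID being assigned to the AD group')
param roleDefinitionId string = ''

// Assumed value: ISO 8601 duration for how long the group stays eligible.
// It must not exceed the maximum eligible duration set for the role in PIM.
@description('ISO 8601 duration of the eligible assignment (assumption)')
param eligibilityDuration string = 'P365D'

@description('Unique name for the roleAssignment in the format of a guid')
var roleName = guid(principalId, roleDefinitionId, subscription().id)

resource pimRoleAssignment 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: roleName
  scope: subscription()
  properties: {
    principalId: principalId
    requestType: 'AdminAssign'
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    scheduleInfo: {
      startDateTime: startTime
      // Schema values for type: 'AfterDuration', 'AfterDateTime', 'NoExpiration'.
      // 'AfterDateTime' takes endDateTime instead of duration.
      expiration: {
        type: 'AfterDuration'
        duration: eligibilityDuration
      }
    }
  }
}
```

A time-bound eligibility also limits how long the group can activate the custom role without the assignment being reviewed again.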