Hi Team,
I'm currently utilizing Bicep to enable Azure AD Privileged Identity Management (PIM) with a custom role. I've created an AD Group and assigned a Custom Role to it, which includes the following actions:
"Microsoft.Authorization/*/read", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*"
Upon deploying the resources using Bicep and Azure PowerShell commands, I encountered the following error: "The role assignment request schedule is invalid. (InvalidRoleAssignmentRequestSchedule)". To troubleshoot, I verified whether the service account has the necessary permissions to deploy Bicep and found that it has Owner-level access. Kindly find the Bicep and PowerShell script below, FYR.
# Deployment name derived from the current timestamp, then a subscription-scoped deployment of the Bicep file
$deploymentName = (Get-Date).ToString('yyyyMMdd-HHmm')
New-AzDeployment -Name $deploymentName -Location northcentralus -TemplateFile .\pim.bicep -TemplateParameterFile .\agdev-PreProd.parameters.json
targetScope = 'subscription'

// Defaults to the deployment time (UTC, ISO 8601)
param startTime string = utcNow()

@description('Object Id of the AD Group')
param principalId string = ''

@description('Custom role definition ID being assigned to the AD group')
param roleDefinitionId string = ''

@description('Unique name for the roleAssignment in the format of a guid')
var roleName = guid(principalId, roleDefinitionId, subscription().id)

resource pimRoleAssignment 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: roleName
  scope: subscription()
  properties: {
    principalId: principalId
    requestType: 'AdminAssign'
    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    scheduleInfo: {
      startDateTime: startTime
      // A PIM request schedule must declare when eligibility ends
      // (NoExpiration, AfterDuration or AfterDateTime); a schedule with
      // only a start time fails validation. The duration must not exceed
      // the maximum eligible duration configured in the role's PIM settings.
      expiration: {
        type: 'AfterDuration'
        duration: 'P365D'
      }
    }
  }
}
Kindly assist in providing a solution for this issue.
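As an added example (not part of the original post), the checks I would run around this deployment: confirm the custom role actually exists at the subscription scope with the expected actions, validate the template server-side before deploying, and then read the eligibility request and resulting schedule back for the group. The subscription id, group object id and role GUID are placeholders to be replaced with the values from the parameters file.

```powershell
# Constructed placeholders; replace with the values used in agdev-PreProd.parameters.json
$subscriptionId   = '<subscription-id>'
$principalId      = '<ad-group-object-id>'
$roleDefinitionId = '<custom-role-definition-guid>'
$scope            = "/subscriptions/$subscriptionId"

# 1. The role definition referenced by the template must be resolvable at this scope,
#    and its Actions should match the custom role described in the post.
$role = Get-AzRoleDefinition -Id $roleDefinitionId -Scope $scope
if (-not $role) { throw "Role definition $roleDefinitionId not found at scope $scope" }
"Role '$($role.Name)' actions:"
$role.Actions

# 2. Server-side validation of the template and parameters; nothing is created.
#    Test-AzDeployment returns error objects when validation fails, nothing when it passes.
$validation = Test-AzDeployment -Location northcentralus -TemplateFile .\pim.bicep `
    -TemplateParameterFile .\agdev-PreProd.parameters.json
if ($validation) {
    $validation | Format-List Code, Message
    throw 'Template validation failed; fix the errors above before deploying'
}

# 3. Deploy, then read back the eligibility request status and the schedule it produced.
$deploymentName = (Get-Date).ToString('yyyyMMdd-HHmm')
New-AzDeployment -Name $deploymentName -Location northcentralus -TemplateFile .\pim.bicep `
    -TemplateParameterFile .\agdev-PreProd.parameters.json

"Eligibility schedule requests for $principalId:"
Get-AzRoleEligibilityScheduleRequest -Scope $scope -Filter "principalId eq '$principalId'" |
    Select-Object Name, Status, RequestType, ExpirationType, ExpirationDuration

"Resulting eligibility schedules for $principalId:"
Get-AzRoleEligibilitySchedule -Scope $scope -Filter "principalId eq '$principalId'" |
    Select-Object Name, Status, StartDateTime, EndDateTime, RoleDefinitionId
```

A request whose Status is not Provisioned, or a schedule whose EndDateTime does not match the intended expiration, is the first thing to compare against the role's PIM settings (maximum eligible duration, permanent eligibility allowed or not).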