Azure PIM: Internal Server Error (500) using PIM Graph API



In one of my implementations I created a MIM PowerShell Connector for Azure PIM (Privileged Identity Management). This connector imports on-premises AD groups and transfers their members to Azure PIM role assignments.

A couple of days ago the scripts of that connector started throwing errors, both in my implementation and at a customer.

I tried to reach the following endpoints in Graph Explorer, and even there I got an error:

Graph Explorer states the following error:

{
  "error": {
    "code": "UnknownError",
    "message": "{\"message\":\"An error has occurred.\"}",
    "innerError": {
      "request-id": "16e184f8-86cb-4424-abff-4fd3ac4a010e",
      "date": "2018-11-12T12:40:15"
    }
  }
}

PowerShell, on the other hand, throws an Internal Server Error (500).

There is also a GitHub issue related to that error:
https://github.com/MicrosoftDocs/feedback/issues/845

The strange thing was that while I got an error in Graph Explorer in my tenant, it worked fine in the customer's tenant, where only PowerShell failed. Hmmmm.

Reason!

I talked to the product group and was told there were some changes to the PIM Graph API: they added a scope check against the token.

Resolution!

My script uses a username/password flow to get a token from Azure AD, and I used a generic (well-known) client_id (1950a258-227b-4e31-a9cf-717495945fc2) instead of the applicationId of an app registered in my tenant.

But the client_id used in the script now needs to have the following permissions to the Microsoft Graph API:

  • Directory.AccessAsUser.All
  • Directory.Read.All
  • Directory.ReadWrite.All
  • PrivilegedAccess.ReadWrite.AzureAD (The new one for the scope check)

So the solution was to do the following to get my script, and therefore the MIM Connector, working again:

  1. Create an app registration (Native Client) in Azure AD.
  2. Set the permissions above for Microsoft Graph
     (don't forget to hit the grant permissions button).
  3. Use the applicationId as client_id in my PowerShell script.

After that the Connector started working properly again, as before.
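The three steps above, as an added PowerShell example (this is not the author's connector script): it acquires a token with the username/password flow using the applicationId of the registered app, then inspects the token's scp claim for the scopes the PIM API now checks before calling the API, so a missing permission fails with a clear message instead of an opaque 500. The tenant id, client id, service account name and the /beta/privilegedRoleAssignments endpoint are assumptions; substitute the values and endpoint your own script uses.

```powershell
# Added example, not the author's connector code. Assumes a Native Client app registered in
# the tenant with the four Microsoft Graph delegated permissions listed in the post, admin
# consent granted, and a service account that is allowed to use the username/password flow.
$TenantId = '<tenant-id-or-domain>'                    # placeholder
$ClientId = '<applicationId-of-registered-app>'        # placeholder; NOT the generic 1950a258-... id
$Username = 'svc-pim@contoso.example'                  # constructed sample account
$Password = Read-Host 'Password for service account' -AsSecureString

# Scopes the PIM Graph API now checks for on the token (from the post)
$RequiredScopes = @('Directory.AccessAsUser.All', 'PrivilegedAccess.ReadWrite.AzureAD')

# Username/password (ROPC) flow against the Azure AD v1 token endpoint
$Body = @{
    grant_type = 'password'
    client_id  = $ClientId
    resource   = 'https://graph.microsoft.com'
    username   = $Username
    password   = [System.Net.NetworkCredential]::new('', $Password).Password
}
$TokenResponse = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $Body

# Decode the JWT payload (second, base64url-encoded segment). The signature is not validated
# here; we only want to see which scopes Azure AD actually put on the token.
function Get-JwtPayload([string]$Jwt) {
    $Segment = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($Segment.Length % 4) { 2 { $Segment += '==' } 3 { $Segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Segment)) | ConvertFrom-Json
}

$Claims  = Get-JwtPayload $TokenResponse.access_token
$Granted = $Claims.scp -split ' '                     # scp is a space-separated list
$Missing = $RequiredScopes | Where-Object { $_ -notin $Granted }
if ($Missing) {
    $Msg = "Token for client $($Claims.appid) lacks Graph scope(s): $($Missing -join ', '). " +
           'Check the app registration permissions and that admin consent was granted.'
    throw $Msg
}

# Only now call the PIM API; with the scope check passed, the 500 from the post does not occur.
$Headers = @{ Authorization = "Bearer $($TokenResponse.access_token)" }
$PimEndpoint = 'https://graph.microsoft.com/beta/privilegedRoleAssignments'   # assumed endpoint
Invoke-RestMethod -Method Get -Headers $Headers -Uri $PimEndpoint
```

Running the same script with the generic client_id reproduces the failure at the scope check rather than at the API call, which makes the root cause visible in logs.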

At the time of writing this blog post, the official PIM Graph API documentation does not mention this.


Author: Peter Stapf

Senior Consultant Identity and Access

3 thoughts on “Azure PIM: Internal Server Error (500) using PIM Graph API”

  1. Does PIM API require delegated access? Can at least the read operations be done with just App permissions? It is unclear from the documentation. But I am unable to access without delegation.

      1. That is what I assumed. Unfortunately doesn't seem to be working that way in practice. Maybe it is a bug? It results in an error like this: { "error": { "code": "UnknownError", "message": "{\"errorCode\":\"GraphTokenValidationFail\",\"message\":\"MS Graph token validation fail\",\"target\":null,\"details\":null,\"innerError\":null,\"instanceAnnotations\":[],\"typeAnnotation\":null}" ….

        And then I found https://docs.microsoft.com/en-us/graph/permissions-reference where they only list PrivilegedAccess.ReadWrite.AzureAD & PrivilegedAccess.ReadWrite.AzureResources as Delegated Permissions.

        PrivilegedAccess.Read.AzureResources & PrivilegedAccess.Read.AzureAD are not even listed here.
