
Eligible Azure Directory Roles (Entra ID)

tmschiller
New Contributor III

We are currently importing the Azure Directory Roles, but in Saviynt, this is only showing users that actually have the "Active" role, whereas we want to see all the users that are "Eligible".

Our use case is for users to be able to request access to these Directory Roles as "Eligible". For example, we want to allow our users to request access to the "Global Reader" role, but we want it to be provisioned as "Eligible". This would also include that the imports from Azure show the "Eligible" users in this role. Once the access has been granted, the user would then "Activate" the role via Azure PIM.

 


Dhruv_S
Saviynt Employee

Hi @tmschiller 

Could you please provide more information on the requirement? What do you mean by provision as "eligible"?

Regards,

Dhruv Sharma

tmschiller
New Contributor III

Look at the screenshots from my initial post. You will see there are "Eligible", "Active", and "Expired" assignments.

Hi @tmschiller 

Could you please confirm if you are using the REST connector or the Azure AD out-of-the-box connector?

Also, can you please confirm if these eligible roles can be fetched in Postman using the Azure API?

Regards,

Dhruv Sharma

tmschiller
New Contributor III

We are using both a REST and OOTB connector.

"confirm if these eligible roles can be fetched in postman using Azure API." I have no idea, which is why I made this post.

Fetch Eligible Roles

  1. Create a new request in Postman:
  2. Send the request.

This request should return the eligible role assignments for the signed-in user or service principal.

 

Permissions Required for the SPN

  • RoleManagement.Read.All
  • Directory.Read.All

Refer to https://learn.microsoft.com/en-us/rest/api/authorization/role-eligibility-schedule-instances/get?vie...


Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.
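
The check discussed above, as an added example that is not part of the original thread or Saviynt's connector code: it lists "Eligible" and "Active" directory role assignments and groups them per role, following pagination. It assumes the Microsoft Graph PIM endpoints `roleEligibilityScheduleInstances` and `roleAssignmentScheduleInstances` (not the Azure REST URL linked above), read with `RoleManagement.Read.All`; the principal and role IDs in `SAMPLE` are constructed placeholders.

```python
import json
import urllib.request
from collections import defaultdict

BASE = "https://graph.microsoft.com/v1.0/roleManagement/directory"
ELIGIBLE = BASE + "/roleEligibilityScheduleInstances"
ACTIVE = BASE + "/roleAssignmentScheduleInstances"

def graph_get(url, token):
    """Live fetcher: GET one page with an app token (not used by the offline demo)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_all(url, get_page):
    """Collect every item of a Graph collection, following @odata.nextLink."""
    items = []
    while url:
        page = get_page(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def role_states(get_page):
    """Return {roleDefinitionId: {"eligible", "activated", "assigned"}} as sets of principalIds."""
    roles = defaultdict(lambda: {"eligible": set(), "activated": set(), "assigned": set()})
    for inst in fetch_all(ELIGIBLE, get_page):
        roles[inst["roleDefinitionId"]]["eligible"].add(inst["principalId"])
    for inst in fetch_all(ACTIVE, get_page):
        # assignmentType is "Activated" (PIM activation) or "Assigned" (standing active)
        bucket = "activated" if inst.get("assignmentType") == "Activated" else "assigned"
        roles[inst["roleDefinitionId"]][bucket].add(inst["principalId"])
    return dict(roles)

# Constructed sample responses (IDs are placeholders, not real tenant data).
SAMPLE = {
    ELIGIBLE: {"value": [{"principalId": "user-a", "roleDefinitionId": "role-global-reader"}],
               "@odata.nextLink": ELIGIBLE + "?$skiptoken=page2"},
    ELIGIBLE + "?$skiptoken=page2": {"value": [
        {"principalId": "user-b", "roleDefinitionId": "role-global-reader"}]},
    ACTIVE: {"value": [
        {"principalId": "user-b", "roleDefinitionId": "role-global-reader", "assignmentType": "Activated"},
        {"principalId": "user-c", "roleDefinitionId": "role-global-reader", "assignmentType": "Assigned"}]},
}

if __name__ == "__main__":
    for role, s in role_states(SAMPLE.__getitem__).items():
        dormant = s["eligible"] - s["activated"]  # eligible but not currently activated
        print(role, "eligible:", sorted(s["eligible"]), "dormant:", sorted(dormant),
              "standing:", sorted(s["assigned"]))
```

Against a live tenant, pass `lambda url: graph_get(url, token)` to `role_states` in place of the sample lookup.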

@tmschiller 

These assignments are managed by the APIs below.

Manage Microsoft Entra role assignments using the privileged identity management (PIM) APIs - Micros...

Could you please confirm if you are able to assign active assignments? Can you please share the current JSON which you are using for the active assignments?

Regards,

Dhruv Sharma