Per Microsoft's documentation here: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#rest-api
By making this POST request, you can elevate your privileges from AAD into Azure RBAC. This request, when successfull, will add the user to the "User Access Administrator" role.
I'm attempting to do this for an application with a service principal that is a Global Administrator in my tenant, however I'm getting an error:
Invoke-RestMethod : {"error":{"code":"AuthorizationFailed","message":"The client '1234567890' with object id
'1234567890' does not have authorization to perform action 'Microsoft.Authorization/elevateAccess/read' over scope
'/providers/Microsoft.Authorization' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
My code is here:
$TenantId = "12345"
$ClientId = "1234567890"
$ClientSecret = "test12345"
$Resource = "https://management.core.windows.net/"
$RequestAccessTokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$body = "grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret&resource=$Resource"
$Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'
$Token
$Header = @{}
$Header.Add("Authorization","$($Token.token_type) "+ " " + "$($Token.access_token)")
Invoke-RestMethod -Headers $Header https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01 -verbose
If I the SP is a Global Administrator, why would I be getting a permissions error?