如何使用 BICEP 将 Azure AD PIM 分配给自定义 RBAC 角色

如何使用 BICEP 将 Azure AD PIM 分配给自定义 RBAC 角色

我正在尝试使用下面的 BICEP 模板将 PIM 分配给范围订阅级别的自定义 RBAC 角色。 targetScope = '订阅' 参数开始时间字符串 = utcNow()

resource symbolicname 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = {
  name: 'string'
  scope: subscription()
  properties: {
    principalId: 'xxxx'
    requestType: 'AdminAssign'
    roleDefinitionId:'xxxx'  
    scheduleInfo: {
      expiration: {
        duration: 'P365D'
        //endDateTime: 'string'
        type: 'AfterDuration'
      }
      startDateTime: startTime
    }
   /* targetRoleEligibilityScheduleId: 'xxxxx'
    targetRoleEligibilityScheduleInstanceId: 'string'
    ticketInfo: {
      ticketNumber: 'string'
      ticketSystem: 'string' 
    }*/
  }
}

对于PrincipalID，我提供了Azure AD 组的对象ID。 对于 roleDefinitionID，我提供了自定义角色的角色定义 ID。

但是，我在通过 Azure CLI 部署时遇到了错误：

{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "target": "/subscriptions/xxxx/providers/Microsoft.Resources/deployments/Mscript",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "InvalidRoleAssignmentRequest",
        "message": "The role assignment request id is invalid."
      }
    ]
  }
}

请提供此问题的解决方案。