The client '' with object id '' does not have authorization to perform action 'Microsoft.Authorization/elevateAccess/read' over scope '/providers/Microsoft.Authorization' or the scope is invalid.

[hausec]

Attempting to follow documentation here: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#rest-api

I am attempting to have a Service Principal elevate their permissions via the following PowerShell code:

    $TenantId = "12345"
    $ClientId = "1234567890" 
    $ClientSecret = "test12345" 
    $Resource = "https://management.core.windows.net/"
    $RequestAccessTokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"  
    $body = "grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret&resource=$Resource"
    $Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'
    $Token
    $Header = @{}
    $Header.Add("Authorization","$($Token.token_type) "+ " " + "$($Token.access_token)")
    Invoke-RestMethod -Headers $Header https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01 -verbose

The Application/Service Principal is in the Global Administrators role.

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @darshanhs90, @AshishGargMicrosoft.

[hausec]

Any update on this?

[jflieben]

Could also use this for when the MFA enforcement for admins goes live....