Description
When creating a "Role Eligibility Schedule Request", the expiration attribute allows a duration: null along with type: AfterDuration. See body below (note, using Invoke-Method cmdlet of PowerShell):
    $parameters = @{
        Properties = @{
            RoleDefinitionId = "/subscriptions/2ea60f7e-ff84-4ddb-a6e6-b0e064c7b8fe/resourceGroups/Test-RG/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
            PrincipalId      = "0c589a97-daac-42a8-8ba8-ec2756c48747"
            RequestType      = "AdminAssign"
            ScheduleInfo     = @{
                StartDateTime = "2023-05-22T21:31:27Z"
                Expiration    = @{
                    Type        = "AfterDuration"
                    EndDateTime = $null
                    Duration    = $null
                }
            }
        }
    }
This successfully creates an eligible, permanent assignment (essentially, expire after never). However, when I attempt the same thing for the Role Assignment Schedule Request, see body below:
    $parameters = @{
        Properties = @{
            RoleDefinitionId = "/subscriptions/2ea60f7e-ff84-4ddb-a6e6-b0e064c7b8fe/resourceGroups/Test-RG/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"
            PrincipalId      = "0c589a97-daac-42a8-8ba8-ec2756c48747"
            Justification    = "Testing, will remove"
            RequestType      = "AdminAssign"
            ScheduleInfo     = @{
                StartDateTime = "2023-05-22T21:31:27Z"
                Expiration    = @{
                    Type        = "AfterDuration"
                    EndDateTime = $null
                    Duration    = $null
                }
            }
        }
    }
I get the below error:
Invoke-RestMethod : {"error":{"code":"ActiveDurationTooShort","message":"The Active duration is too short. Miniumum Required is 5 minutes."}}
At C:\Users\adm-johnathan.welker\Desktop\NewScripts\Operational\VariousPIMAPI.ps1:74 char:15
+ ... $result = Invoke-RestMethod -Headers $headers -Uri $APIUri -Method ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
I understand that the intended functionality of AfterDuration is to have an ISO 8601 formatted date, i.e. P365D. But it was handy being able to leave Type as AfterDuration, and then turning Duration into a variable, where I could provide an actual time or pass $null if I wanted the assignment to be permanent. The only difference between the two Param blocks is the required Justification field for an Assignment request.
Regardless of what's convenient or not, any idea why the Eligible request would succeed in this format and the Assignment (or "Active") would fail?
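
An added example, not part of the original post or of any Microsoft sample: a small helper that keeps the "pass a duration or `$null`" convenience described above but states a permanent request explicitly and checks the 5-minute minimum from the quoted error before calling the API. `New-PimExpiration` is a hypothetical name; `NoExpiration` is the API's expiration type for a schedule with no end, and whether the service accepts it for a given role is assumed to depend on that role's PIM settings.

```powershell
# Added example, not the poster's script. New-PimExpiration is a hypothetical helper name.
function New-PimExpiration {
    [CmdletBinding()]
    param(
        # ISO 8601 duration such as "P365D" or "PT8H"; $null or empty means permanent.
        [string]$Duration,
        # Minimum taken from the ActiveDurationTooShort error text quoted above.
        [timespan]$Minimum = [timespan]::FromMinutes(5)
    )

    if ([string]::IsNullOrWhiteSpace($Duration)) {
        # State the permanent intent explicitly instead of sending AfterDuration with a null Duration.
        return @{ Type = 'NoExpiration'; EndDateTime = $null; Duration = $null }
    }

    try {
        # XmlConvert parses xsd:duration, which uses the ISO 8601 PnDTnHnM syntax.
        $span = [System.Xml.XmlConvert]::ToTimeSpan($Duration)
    }
    catch {
        throw "Duration '$Duration' is not a valid ISO 8601 duration."
    }

    if ($span -lt $Minimum) {
        throw "Duration '$Duration' is shorter than the minimum of $Minimum."
    }

    return @{ Type = 'AfterDuration'; EndDateTime = $null; Duration = $Duration }
}

# Constructed sample inputs: a one-year duration, a permanent request, and a too-short duration.
foreach ($d in 'P365D', $null, 'PT1M') {
    try {
        $exp = New-PimExpiration -Duration $d
        '{0,-8} -> Type={1} Duration={2}' -f "$d", $exp.Type, $exp.Duration
    }
    catch {
        '{0,-8} -> rejected: {1}' -f "$d", $_.Exception.Message
    }
}
```

The returned hashtable drops into the `Expiration` key of either request body, so a permanent active assignment shows up in the request as an explicit `NoExpiration` rather than as a null duration.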