Assign Azure Privileged Identity Management Roles using Bicep
Azure Privileged Identity Management (PIM) is a tool that allows you to provide Just In Time (JIT) access to Azure RBAC roles. Using PIM, you can create a role assignment to make a user or group eligible for a role. This assignment doesn’t mean that the user or group has the role, but instead that they can request the role when they need it. When this occurs, the user can trigger an elevation request to be granted the role for a short period (usually hours, but definable). Rules can then be applied to their request, such as requiring approval, requiring a ticket number and so on, and then the rights are granted. PIM is a great tool for removing many permanent access rights to users, but it does require an Azure AD P2 licence for each user.
PIM is an Azure AD feature, so I assumed it wouldn’t be possible to create PIM assignments using Bicep (or ARM), but it is possible. PIM roles are often application or service-specific, so being able to create them as part of your Infrastructure as Code is quite helpful.
Creating PIM Assignments
To create a PIM assignment, we are going to use the Microsoft.Authorization/roleEligibilityScheduleRequests resource; the full API spec for this can be found here. This object can be used for more than just creating an assignment: in theory it can also activate an assignment, remove assignments, and more. We’ll focus on creating and updating assignments.
To be able to use this, we are going to need a couple of pieces of information:
The object ID of the user or group you want to assign the role to. This can be found by looking at the user or group in AAD; you’re looking for the Object ID field.
The complete ID of the role you want to assign. This is usually in the format:
Subscription ID is the ID of the subscription holding the role you want to assign. The role ID is the GUID of the role. You can find the GUIDs for all the built-in roles in the MS docs here, or you can use the handy AzRoleAdvertizer site. If you’re applying the assignment at the management group rather than at a subscription or resource, you will replace this with the ID of the management group role.
With this information, we can create the Bicep code we need. First, we need the start date for the role in the correct format. The format is 2022-04-10T14:40:08.067566, and fortunately the Bicep utcNow function returns it in this format, so we can use that. This function can only be used as the default value of a parameter, so we create a parameter in our template that takes utcNow() as its default and that we never override when deploying.
Now that we have that, we can create the actual resource:
A few things to note:
- The name needs to be a GUID, so I am using the guid function to generate one, passing the resource group and a string as a seed to ensure a consistent GUID generation should I run this again
- The request type is set to AdminUpdate. This will create a role if it doesn’t exist and update it if it does. You can use AdminCreate if you want only to create it.
- The schedule info section is setting that the user or group should be eligible to elevate for a year (the max allowed) before the role needs to be reviewed
- I have set the scope to be the resource group. This defines that the PIM role should be for this resource group only. If I wanted to assign rights to elevate over a whole subscription or management group, then I would adjust the scope
The whole template looks like this:
Once deployed, you should be able to go to the PIM UI in the portal and see that the designated user or group is now eligible to elevate to this role.
Updating and Removing Existing Role Assignments
At a time when security breaches seem to be an everyday occurrence, it’s become more and more important to protect resources with more than just a username and password. It’s even more important to protect resources from INTERNAL threats. By implementing Azure AD Privileged Identity Management, organizations can protect their resources with improved security features, and even keep an eye on what legitimate administrators are doing.
In this lesson, you’ll learn how to implement Azure AD Privileged Identity Management. We’ll start the lesson by touching on an overview of what Azure AD Privileged Identity Management is and what it offers. We will then work through the deployment of PIM and how it works with multi-factor authentication. As we work through some demos, you will learn how to enable PIM and how to navigate tasks in PIM.
We’ll then cover the activation of roles and the assignment of those roles, including permanent roles and just-in-time roles. We’ll also cover the concepts of updating and removing role assignments, reinforcing these concepts through demonstrations.
We’ll round out the lesson with supported management scenarios, configuring PIM management access, and how to process requests.
Learning Objectives
- Activate a PIM role
- Configure just-in-time resource access
- Configure permanent access to resources
- Configure PIM management access
- Configure time-bound resource access
- Create a Delegated Approver account
- Process pending approval requests
Intended Audience
- People who want to become Azure cloud architects
- People who are preparing to take Microsoft’s AZ-101 exam
Prerequisites
- Moderate knowledge of Azure Active Directory
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions. In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs. In his spare time, Tom enjoys camping, fishing, and playing poker.
PowerShell: Manage Privileged Roles (PIM)
Edit: The PIM PowerShell module has been deprecated now, and you need to use the Graph API to elevate PIM roles .
I’ve done some work recently with Azure AD Privileged Identity Management, and I wanted to find a way to streamline the request process for an administrator who needs to run some PowerShell scripts or commands, so that the whole request/approval process can be simplified and streamlined.
Enabling Privileged Identity Management
Note that if you haven’t activated or configured PIM for your tenant yet, you need to have Azure AD Premium P2 to enable and use this feature.
If you don’t have Azure AD P2 on your tenant, you can add a 30-day trial that will allow you to configure PIM and start checking out the functionality. You’ll need to assign the AAD P2 license to everyone that needs to interact with PIM – both approvers and requesters. After you’ve activated AAD P2, come back and refresh the PIM sign-up blade, and complete the sign-up process.
Activating a Privileged Role – GUI Style
Once your roles have been assigned and configured, you would typically need to navigate to the Azure Portal (https://portal.azure.com/#blade/Microsoft_Azure_PIM/CommonMenuBlade/QuickStart), then to the PIM blade, then click on your eligible roles, and then click through the Activation process.
After the request has been submitted, you need to wait for approval – or you can start working if auto-approval is configured for that role.
PowerShell and the PIM Module
Thankfully, we can use PowerShell to automate this request process – it only takes a few moments to install the PIM PowerShell module, since it is published on the PowerShell Gallery.
From an admin prompt, run the following command:
Install-Module Microsoft.Azure.ActiveDirectory.PIM.PSModule
Once the module is installed, you can view all your available commands using Get-Command:
Get-Command -Module Microsoft.Azure.ActiveDirectory.PIM.PSModule
There aren’t that many commands included in the module, but we still have all we need for this little task of ours:
Now that you’re all ready to go, connect to the PIM Service using Connect-PimService. The connect command supports both the -credentials and the -username switch.
Using -credentials allows you to capture and store the admin creds and connect using basic authentication:
The -username switch will start the connection process using modern authentication.
Don’t forget that you’ll need to use the Modern Auth path if you have MFA enabled on your account, but you can still use basic auth if there’s no MFA in the picture.
Now that we’re connected, get a list of all the privileged roles assigned to you by running Get-PrivilegedRoleAssignment.
Putting it all together
Ok, now that we have all the pieces we need, let’s apply this process to a real-world scenario. Let’s say I have a number of Exchange scripts that I use on a regular basis, and I don’t want to go into the Azure Portal to request elevation every time I need to run a script. Simply incorporate the following commands into your Exchange scripts:
# Connect to the PIM Service
Connect-PimService
Connecting like this will open an interactive auth window for you to type in your username and password (Modern Auth) – don’t forget to add the -username or -credentials if you want to reduce the typing you need to do when authenticating.
From the list above, we already know that the role ID for Exchange Administrator is 29232cdf-9323-42fd-ade2-1d097af3e4de, so we’re going to use that in our elevation request:
Enable-PrivilegedRoleAssignment -RoleId 29232cdf-9323-42fd-ade2-1d097af3e4de -Reason "I need to update transport rules"
You can easily update this command to target whatever RoleId you need to activate, and even provide your reason at the same time. Since we’re activating an admin role, you’ll be prompted for MFA (another setting you can configure in PIM):
If you’re curious to check, you can now verify that your role has been assigned, and you can initiate your Exchange connection:
When you’re finished running your scripts, you can easily disable your Role Assignment like so:
Disable-PrivilegedRoleAssignment -RoleId 29232cdf-9323-42fd-ade2-1d097af3e4de
You don’t have to add the disconnect piece if you don’t want to, since your admin access should be configured to age out automatically – I just like the idea of holding to the Just In Time ideology, and disabling my elevated role as soon as I’ve finished my tasks. This reduces your risk even further, as your admin access will only be assigned for the duration of your scripts, and then your account goes back to normal right afterwards.
Nice and clean, nice and quick! 😀
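The enable/run/disable sequence above, wrapped so the role is always deactivated even when the script fails part-way. This is an added example, not code from the original post; it uses the cmdlets from the (since deprecated) Microsoft.Azure.ActiveDirectory.PIM.PSModule described above, and assumes that Get-PrivilegedRoleAssignment returns objects with RoleId and IsElevated properties.

```powershell
# Added example (not from the original post): run a script block under a
# just-in-time PIM elevation and always drop the role afterwards, even if the
# script block throws. Assumes Microsoft.Azure.ActiveDirectory.PIM.PSModule
# is installed and that you are already connected via Connect-PimService
# (add -username or -credentials there, as described in the post).
function Invoke-WithPimRole {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$RoleId,
        [Parameter(Mandatory)] [string]$Reason,
        [Parameter(Mandatory)] [scriptblock]$ScriptBlock,
        # How long to wait for activation (approval may be required)
        [int]$TimeoutMinutes = 10
    )

    # Request the elevation; MFA may be prompted here depending on role settings
    Enable-PrivilegedRoleAssignment -RoleId $RoleId -Reason $Reason

    try {
        # Poll until the role shows as activated or the timeout elapses.
        # Assumption: Get-PrivilegedRoleAssignment exposes RoleId and IsElevated.
        $deadline   = (Get-Date).AddMinutes($TimeoutMinutes)
        $assignment = $null
        do {
            $assignment = Get-PrivilegedRoleAssignment | Where-Object RoleId -eq $RoleId
            if ($assignment -and $assignment.IsElevated) { break }
            Start-Sleep -Seconds 15
        } while ((Get-Date) -lt $deadline)

        if (-not ($assignment -and $assignment.IsElevated)) {
            throw "Role $RoleId was not activated within $TimeoutMinutes minutes (pending approval?)."
        }

        # Do the privileged work only once the elevation is confirmed
        & $ScriptBlock
    }
    finally {
        # Deactivate as soon as the work is done (or failed), per the JIT idea
        Disable-PrivilegedRoleAssignment -RoleId $RoleId
    }
}

# Usage with the Exchange Administrator role ID from the post
Invoke-WithPimRole -RoleId '29232cdf-9323-42fd-ade2-1d097af3e4de' `
                   -Reason 'I need to update transport rules' `
                   -ScriptBlock {
    # Your Exchange connection and scripts go here
}
```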
4 thoughts on “PowerShell: Manage Privileged Roles (PIM)”
Is there a command to approve the PIM request via powershell as well?
Unfortunately, there isn’t any – not that I’ve been able to find at least!
Is this working? I get an error after: Get-PrivilegedRoleAssignment saying basically nothing
It looks like this cmdlet has been deprecated, and you need to use the Graph API now: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role#activate-a-role-using-microsoft-graph-api
Get PIM Role Assignment Status For Azure AD Using Powershell
If you’re like me and you love to run reports to get valuable information about your tenant and settings, the Get PIM Role Assignment Status script is for you. Recently I was running a report to audit user permissions in Azure AD and realized that my data was off by a bit. I knew some users were added to Privileged Identity Management (PIM) roles, but they weren’t showing up in my report.
The reason they weren’t showing up is that I was using the Get-AzureADDirectoryRoleMember cmdlet, and that only shows users with current or activated access. If a user was not elevated in PIM, they basically didn’t have access, so it was skewing my results.
To give you a better idea of what I’m talking about, the screenshot above shows a sample of the Helpdesk Administrators role. In the Azure AD GUI, the user has an eligible assignment, meaning he can elevate his just-in-time access. However, in PowerShell, since the role is not activated, it is not going to display.
Therefore we are going to use the Get-AzureADMSPrivilegedRoleDefinition Azure AD cmdlet to display the list of roles available, and Get-AzureADMSPrivilegedRoleAssignment to filter for the user we’re specifying.
Requirements for this script to work
In order to make this work you’ll need the following:
- AzureADPreview PowerShell module.
I want to emphasize the “preview” in the name of the module. Using just the regular AzureAD module is not going to work, so that’s something to keep in mind.
Script Parameters
UserPrincipalName
Specify the UserPrincipalName for the user you want to check roles for.
RoleName
Specify the RoleName you want to filter for. This will display all PIM roles that are granted directly or through a group.
TenantId
By default it will use the TenantId from your current session. If you’re connected to a multi-tenant, you can specify the tenant here.
By using this script you’ll be able to see all the people who have standing access as well as PIM eligible roles.
We can now see that the Helpdesk Administrator role is showing up in our output, and in the Assignment column it is labeled as Eligible. We’ll also take note that we can see whether the member was added through a group or directly. This script supports that option.
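A report function in the spirit of the script described above, as an added example that is not the post’s own script. It uses the AzureADPreview cmdlets the post names (Get-AzureADMSPrivilegedRoleDefinition and Get-AzureADMSPrivilegedRoleAssignment, which the comments below note are now deprecated in favour of Graph), assumes Connect-AzureAD has already been run, and assumes the assignment objects expose AssignmentState and MemberType.

```powershell
# Added example (not the original post's script): list standing (Active) and
# PIM-eligible Entra ID role assignments for one user, including assignments
# that arrive through group membership. Requires the AzureADPreview module
# and an existing Connect-AzureAD session.
function Get-PIMRoleAssignment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName,

        # Optional filter, e.g. 'Helpdesk Administrator'
        [string]$RoleName,

        # Defaults to the tenant of the current session
        [string]$TenantId = (Get-AzureADCurrentSessionInfo).TenantId
    )

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Subjects to query: the user plus every group the user belongs to, so
    # group-based PIM assignments are reported as well as direct ones.
    $groupIds   = (Get-AzureADUserMembership -ObjectId $user.ObjectId |
                   Where-Object ObjectType -eq 'Group').ObjectId
    $subjectIds = @($user.ObjectId) + @($groupIds)

    # Resolve role definition IDs to display names once, up front
    $roleNames = @{}
    Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantId |
        ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

    $results = foreach ($subjectId in $subjectIds) {
        # Assumption: objects carry AssignmentState ('Eligible'/'Active') and
        # MemberType ('Direct'/'Group'/'Inherited') properties.
        Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $TenantId `
            -Filter "subjectId eq '$subjectId'" |
            ForEach-Object {
                [PSCustomObject]@{
                    UserPrincipalName = $UserPrincipalName
                    RoleName          = $roleNames[$_.RoleDefinitionId]
                    Assignment        = $_.AssignmentState   # Eligible = PIM, Active = standing/activated
                    MemberType        = if ($subjectId -eq $user.ObjectId) { $_.MemberType } else { 'Group' }
                    EndDateTime       = $_.EndDateTime       # $null means permanent
                    AssignmentId      = $_.Id
                }
            }
    }

    # The same assignment can surface via the user and via a group; keep one copy
    $results = $results | Sort-Object AssignmentId -Unique

    if ($RoleName) {
        $results = $results | Where-Object RoleName -eq $RoleName
    }
    $results | Select-Object UserPrincipalName, RoleName, Assignment, MemberType, EndDateTime
}

# Usage: all roles for one user, then only the Helpdesk Administrator role
Get-PIMRoleAssignment -UserPrincipalName 'user@contoso.example'
Get-PIMRoleAssignment -UserPrincipalName 'user@contoso.example' -RoleName 'Helpdesk Administrator'
```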
Get PIM role assignment status for Azure AD using PowerShell will now be in your arsenal of cool tips and tricks for your Sysadmin role. If you’re interested in more scripts like this, be sure to check out our PowerShell Gallery or Azure Content. Finally, be sure to check out our YouTube Channel for any video content.
Paul Contreras
Hi, my name is Paul and I am a Sysadmin who enjoys working on various technologies from Microsoft, VMWare, Cisco and many others. Join me as I document my trials and tribulations of the daily grind of System Administration.
Is there a possibility we could get an updated version of this using Microsoft Graph or Graph API? I cannot find any suitable alternatives now that the azure cmdlets are deprecated.
Yes. I have the script already created, just need to create an article
Could you upload this script, please? This is wonderful.
See my updated post for the Graph API version. https://thesysadminchannel.com/get-entra-id-pim-role-assignment-using-graph-api/
See my updated post for the Graph API script. https://thesysadminchannel.com/get-entra-id-pim-role-assignment-using-graph-api/
it was a great job but roles are changed and groups extract cannot work
What about a similar Script for Azure resource roles?
Extend or renew Microsoft Entra role assignments in Privileged Identity Management
Microsoft Entra Privileged Identity Management (PIM) provides controls to manage the access and assignment lifecycle for roles in Microsoft Entra ID. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to Microsoft Entra administrators to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.
Who can extend and renew?
Only Global Administrators or Privileged Role administrators can extend or renew Microsoft Entra role assignments. The affected user or group can ask to extend roles that are about to expire and request to renew roles that are already expired.
When are notifications sent?
Privileged Identity Management sends email notifications to administrators and to the affected users or groups of roles that are expiring, 14 days and one day prior to expiration. It sends another email when an assignment officially expires.
Administrators receive notifications when a user or group assigned an expiring or expired role requests to extend or renew. When an administrator resolves a request as approved or denied, all other administrators are notified of the decision. Then the requesting user or group is notified of the decision.
Extend role assignments
The following steps outline the process for requesting, resolving, or administering an extension or renewal of a role assignment.
Self-extend expiring assignments
Users assigned to a role can extend expiring role assignments directly from the Eligible or Active tab on the My roles page, either under Microsoft Entra roles or from the top level My roles page of the Privileged Identity Management portal. In the portal, users can request to extend eligible or active (assigned) roles that expire in the next 14 days.
When the assignment end date and time is within 14 days, the button to Extend becomes an active link in the user interface. In the following example, assume the current date is March 27.
For a group assigned to a role, the Extend link never becomes available so that a user with an inherited assignment can't extend the group assignment.
To request an extension of this role assignment, select Extend to open the request form.
Enter a reason for the extension request, and then select Extend .
We recommend including the details of why the extension is necessary, and for how long the extension should be granted (if you have this information).
Administrators receive an email notification to review the extension request. If a request to extend has already been submitted, an Azure notification appears in the portal.
Go to the Pending requests page to view the status of your request or to cancel it.
Admin approved extension
When a user or group submits a request to extend a role assignment, administrators receive an email notification that contains the details of the original assignment and the reason for the request. The notification includes a direct link to the request for the administrator to approve or deny.
In addition to following the link in the email, administrators can approve or deny requests by going to the Privileged Identity Management administration portal and selecting Approve requests in the left pane.
When an Administrator selects Approve or Deny , the details of the request are shown, along with a field to provide a business justification for the audit logs.
When approving a request to extend role assignment, administrators can choose a new start date, end date, and assignment type. Changing assignment type might be necessary if the administrator wants to provide limited access to complete a specific task (one day, for example). In this example, the administrator can change the assignment from Eligible to Active . This means they can provide access to the requestor without requiring them to activate.
Admin initiated extension
If a user assigned to a role doesn't request an extension for the role assignment, an administrator can extend an assignment on behalf of the user. Administrative extensions of role assignment do not require approval, but notifications are sent to all other administrators after the role has been extended.
To extend a role assignment, browse to the role or assignment view in Privileged Identity Management. Find the assignment that requires an extension. Then select Extend in the action column.
Extend role assignments using Microsoft Graph API
In the following request, an administrator extends an active assignment using Microsoft Graph API.
HTTP request
HTTP response
Renew role assignments
While conceptually similar to the process for requesting an extension, the process to renew an expired role assignment is different. Using the following steps, users and administrators can renew access to expired roles when necessary.
Users who can no longer access resources can access up to 30 days of expired assignment history. To do this, they browse to My Roles in the left pane, and then select the Expired roles tab in the Microsoft Entra roles section.
The list of roles shown defaults to Eligible roles . Select Eligible or Active assigned roles.
To request renewal for any of the role assignments in the list, select the Renew action. Then provide a reason for the request. It's helpful to provide a duration in addition to any additional context or a business justification that can help the administrator decide whether to approve or deny.
After the request has been submitted, administrators are notified of a pending request to renew a role assignment.
Admin approves
Microsoft Entra administrators can access the renewal request from the link in the email notification, or by accessing Privileged Identity Management from the Microsoft Entra admin center and selecting Approve requests in PIM.
When an administrator selects Approve or Deny , the details of the request are shown along with a field to provide a business justification for the audit logs.
When approving a request to renew role assignment, administrators must enter a new start date, end date, and assignment type.
Admin renew
Administrators can also renew expired role assignments from within the Expired roles tab of a Microsoft Entra role. To view a list of all expired role assignments, on the Assignments screen, select Expired roles.
- Approve or deny requests for Microsoft Entra roles in Privileged Identity Management
- Configure Microsoft Entra role settings in Privileged Identity Management
azurerm_pim_eligible_role_assignment waiting for Role Management Policy to become ready: couldn't find resource #23775
I am using the correct resource type and having the same issue. The azurerm_pim_eligible_role_assignment has been buggy from the start in my case, a lot of times seemingly out of nowhere stating that it needs to be created, even though it has already been created via terraform. I know imports have worked previously for me, not sure where the issue comes from.
PIM Role assignment should create on first Apply, and on subsequent applies it should exist and recreation not attempted. ... Terraform attempts to recreate it and fails as it already exists. Steps to Reproduce. Update PIM settings to allow permanent role assignments, Create a PIM Role assignment without expiry, Wait circa 45 days, reapply ...
Proper solution should be checking if role assignment with the same roleDefinitionId already exists (role name is resolved to role ID at the very beginning of execution) during the existence check, probably only in case name is not provided and role_definition_name or role_definition_id is provided.
So, in short the azurerm_pim_eligible_role_assignment must use only information from the roleEligibilitySchedules to create the object in the terraform state and to check if the resource exists during the state refreshes.
Error: Cannot import non-existent remote object While attempting to import an existing object to " azurerm_pim_eligible_role_assignment.test ", the provider detected that no object exists with the given id.