Powershell Enable PIM Role Assignment
We plan to utilize PIM for Azure Resources (Resource Groups), however it is currently not possible to automate through PowerShell. It would be nice if existing Roles could be made eligible and configured with its settings through PowerShell when creating resources/resource groups through PowerShell.
Ben Hatton commented
There are some significant omissions from the ADMSPrivilegedRole commandlets that affect deprovisioning, I hope this can be fed into the development:
a) There is no remove- commandlet
b) Limiting resource query to 200 is a potential show stopper - PIM is most useful assigned at resource group level, not subscription level
c) There is no way to query all eligible assignments for a specific user without a grand iteration through everything
The best workflow currently possible is to run the export for each subscription through the portal and then manually deprovision each assignment in portal.
Maybe the microsoft.graph module is a better way to go... Is AzureAD module going to continue to be developed?
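One way to do the per-user enumeration described in point (c) above, as an added example that is not code from the thread or from Microsoft: it assumes the AzureADPreview module, an existing Connect-AzureAD session with rights to read PIM, and a placeholder $UserObjectId.

```powershell
# Added example, not code from the thread: report every eligible PIM assignment
# one user holds on Azure resources (subscriptions, resource groups, resources)
# using the AzureADPreview ADMSPrivilegedRole cmdlets the comment refers to.
# Assumptions: AzureADPreview is installed, Connect-AzureAD has already been run
# by an account allowed to read PIM, and $UserObjectId is the user's AAD object id.
param(
    [Parameter(Mandatory = $true)]
    [string] $UserObjectId
)

$providerId = 'azureResources'

# Pull the resources PIM is onboarded to. The query is capped at 200 per call
# (the limit the comment complains about), so flag when the cap was hit rather
# than silently reporting a partial view.
$resources = Get-AzureADMSPrivilegedResource -ProviderId $providerId -Top 200
if (@($resources).Count -ge 200) {
    Write-Warning 'Resource query returned 200 items; the result may be truncated.'
}

$report = foreach ($resource in $resources) {
    # Server-side filter on the subject; assignment state is filtered locally.
    $assignments = Get-AzureADMSPrivilegedRoleAssignment -ProviderId $providerId `
        -ResourceId $resource.Id -Filter "subjectId eq '$UserObjectId'" |
        Where-Object { $_.AssignmentState -eq 'Eligible' }

    foreach ($assignment in $assignments) {
        # Resolve the role definition id to a readable role name.
        $role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId $providerId `
            -ResourceId $resource.Id -Id $assignment.RoleDefinitionId
        [pscustomobject]@{
            Resource     = $resource.DisplayName
            ResourceType = $resource.Type
            ResourceId   = $resource.Id
            Role         = $role.DisplayName
            AssignmentId = $assignment.Id
            EndDateTime  = $assignment.EndDateTime
        }
    }
}

# One row per eligible assignment, grouped by resource type for review.
$report | Sort-Object ResourceType, Resource | Format-Table -AutoSize
```

The script still iterates every onboarded resource, which is exactly the cost the comment points out; the warning makes the 200-item cap visible instead of hiding it.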
Andy Ball commented
Confused about direction of this
Below preview has cmdlets for managing PIM, but only supports Azure Resources not Azure AD
Below supports AzureAD, but not Azure Resources and is targeted at managing your own assignments
Update on my last comment: It looks like the script in Anuj's blog post now supports MFA, which is great! A true PowerShell module for PIM is still a necessity for assigning roles, reporting on roles, etc.
We really need this feature to activate, configure, and apply roles for Azure Resource Manager. The app in the blog post does not work when MFA is required to activate the role. We require MFA on most of our roles. So, we are stuck configuring, applying, and activating in the portal.
If you're looking for some tips on using PIM for Azure resources, check out a blog post from one of our engineers here: http://www.anujchaudhary.com/2018/02/powershell-sample-for-privileged.html
stephen richardson commented
... and add the ability to use service principals to connect to pim.
Björn Lagerwall commented
Agreed. If it can be done in a safe manner. We have a PowerShell script with a GUI to activate the roles. It works, but we also get a high alert that roles were activated outside the Azure portal.
This should either be fixed or blocked.
I agree that this should be available. This may be useful as a workaround: