PowerShell Enable PIM Role Assignment
We plan to utilize PIM for Azure Resources (Resource Groups); however, it is currently not possible to automate through PowerShell. It would be nice if existing roles could be made eligible and configured with their settings through PowerShell when creating resources/resource groups through PowerShell.
Andy Ball commented
Confused about direction of this
Below preview has cmdlets for managing PIM, but only supports Azure Resources, not Azure AD
Below supports Azure AD, but not Azure Resources, and is targeted at managing your own assignments
Update on my last comment: It looks like the script in Anuj's blog post now supports MFA, which is great! A true PowerShell module for PIM is still a necessity for assigning roles, reporting on roles, etc.
We really need this feature to activate, configure, and apply roles for Azure Resource Manager. The app in the blog post does not work when MFA is required to activate the role. We require MFA on most of our roles. So, we are stuck configuring, applying, and activating in the portal.
If you're looking for some tips on using PIM for Azure resources, check out a blog post from one of our engineers here: http://www.anujchaudhary.com/2018/02/powershell-sample-for-privileged.html
stephen richardson commented
... and add the ability to use service principals to connect to PIM.
Bjorn L commented
Agreed, if it can be done in a safe manner. We have a PowerShell script with a GUI to activate the roles. It works, but we also get a high alert that roles were activated outside the Azure portal.
This should either be fixed or blocked.
I agree that this should be available. This may be useful as a workaround: