Add support to group multiple Azure Resource Role assignments for one single activation
We're using Azure AD PIM to assign permissions for our admins and developers. We're using Resource Groups as the scope for all role assignments. We have divided our Azure resources into different resource groups depending on the application or service life-cycles.
Using Resource Groups as the scope in PIM works well, but sometimes it results in many activations for our users. If we have an app service in one RG that relies on an App Service Environment located in another RG, which in turn relies on a vNet located in a third RG, the users need to activate three role assignments to enable all the permissions needed for full visibility and to perform changes or troubleshoot issues.
I would like to see support for activating multiple Eligible roles for Azure Resources at the same time. Or the possibility to create Role Groups in PIM where I can create a custom scope that targets one to many Resource Groups.
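As an added example (not part of the original request or any Microsoft documentation), this is the workaround available today with the Az.Resources PowerShell cmdlets: enumerate the signed-in user's eligible assignments under each of the three resource groups and submit one self-activation request per assignment in a single run. The subscription id, resource group names and ticket reference are placeholders.

```powershell
# Added example: batch self-activation of several eligible PIM role assignments.
# Assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has been run.
# Subscription id, resource group names and ticket reference are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'          # placeholder
$resourceGroups = @('rg-app', 'rg-ase', 'rg-vnet')                  # placeholder: app -> ASE -> vNet
$justification  = 'Troubleshooting app outage, ticket INC-0000'    # placeholder
$duration       = 'PT4H'   # ISO 8601 duration; keep it as short as the task allows

# Object id of the signed-in user; activations are requested for this principal only.
$me = (Get-AzADUser -SignedIn).Id

$results = foreach ($rg in $resourceGroups) {
    $scope = "/subscriptions/$subscriptionId/resourceGroups/$rg"

    # Eligible assignments where the signed-in user is the target. The query also returns
    # eligibilities inherited from the subscription, so keep only those bound to this RG.
    $eligible = Get-AzRoleEligibilityScheduleInstance -Scope $scope -Filter 'asTarget()' |
        Where-Object { $_.Scope -eq $scope }

    foreach ($e in $eligible) {
        # One request per eligible assignment: PIM still logs, and if configured approves,
        # each of them separately. The script only removes the repeated manual activations.
        New-AzRoleAssignmentScheduleRequest `
            -Name ([guid]::NewGuid().ToString()) `
            -Scope $scope `
            -PrincipalId $me `
            -RoleDefinitionId $e.RoleDefinitionId `
            -RequestType SelfActivate `
            -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
            -ExpirationType AfterDuration `
            -ExpirationDuration $duration `
            -Justification $justification
    }
}

# Summarise what was submitted; Status shows Provisioned, PendingApproval, etc.
$results | Select-Object Scope, RoleDefinitionId, Status | Format-Table -AutoSize
```

Each submission is a separate activation from PIM's point of view, with its own audit record and, where an approver is required, its own approval; the batching is purely a convenience on the requester's side.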
Completely agree and support Joel. It is a very important improvement that we must have!
PIM for Azure resources is missing important functionalities. Currently it assigns roles at subscription scope only. There must be an option for enterprise organizations to utilize the least-privilege model by narrowing down the assignment scope of specific roles to only one or more resource groups. Currently it can be done only from the Azure Resource Manager RBAC role assignment option, but not from PIM. This prevents a lot of companies from adopting PIM, so they stay with RBAC managed by Azure Resource Manager directly. For example, providing a Storage Contributor role over PIM will grant this role to all storage accounts inside the subscription instead of only to the specific resource group needed.
In addition, activating multiple roles at once must be possible; if not, we have to create custom roles combining multiple built-in roles in order to provide this functionality, which in fact is not the least-privilege model we are trying to put in place.
Yes, this! I'm amazed this doesn't have more votes, which makes me think not many people are leveraging PIM for Azure Resource Manager, or maybe they assign roles at the subscription scope.
For those of us who truly want to utilize a least-privileges model, assigning access at the Resource Group scope is the way to go. Activating multiple roles one-at-a-time is a long, tedious process for our users.
Ideally, we could have role groups that would allow a single role at multiple scopes, or even multiple roles at multiple scopes. Then users could activate that role group with one single activation.