Add support to group multiple Azure Resource Role assignments for one single activation
We're using Azure AD PIM to assign permissions for our admins and developers. We're using Resource Groups as the scope for all role assignments. We have divided our Azure resources into different resource groups depending on the application or service life-cycles.
Using Resource Groups as the scope in PIM works well, but sometimes it results in many activations for our users. If we have an app service in one RG that relies on an App Service Environment that's located in another RG that relies on a vNet located in a third RG, the users need to activate three role assignments to enable all the permissions needed for full visibility and permissions to perform changes or troubleshoot issues.
I would like to see support for activating multiple Eligible roles for Azure Resources at the same time. Or the possibility to create Role Groups in PIM where I can create a custom scope that targets one to many Resource Groups.
Yes, this! I'm amazed this doesn't have more votes, which makes me think not many people are leveraging PIM for Azure Resource Manager, or maybe they assign roles at the subscription scope.
For those of us who truly want to utilize a least-privileges model, assigning access at the Resource Group scope is the way to go. Activating multiple roles one-at-a-time is a long, tedious process for our users.
Ideally, we could have role groups that would allow a single role at multiple scopes, or even multiple roles at multiple scopes. Then users could activate that role group with one single activation.