Azure DevOps Roles for PIM to control
Currently, using Azure DevOps with PIM is not supported at the moment.
We can connect our Active Directory to Azure DevOps, but not really control the users, as it is managed via the DevOps Administrator.
Right now only one Azure DevOps Admin role exists in AAD, with which you can't manage much in DevOps except the AAD policy in the Organization Settings.
Why not add the Azure DevOps roles like Project Administrators, Project Contributors and Project Readers in Azure Active Directory, so one can enforce the PIM concept also in the Azure DevOps tenant environment?
Good day. We are using PIM to elevate to a higher privileged account in Azure DevOps. Not sure if this is what you mean. We use a PIM preview option for it.
Create a DevOps team AAD group with the setting isAssignableToRole
Create a DevOps administrator AAD group with the setting isAssignableToRole
Use PIM with Privileged access groups https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features
Assign the AAD DevOps administrator group in the Azure DevOps Permissions tab to Project Administrators.
Of course you can do this for any permission group / role you want.
Some things we came across and already created tickets for at Microsoft.
When automating group creation and assigning the AAD group to the Azure DevOps permission group, the AAD group needs a member or you get an Azure Graph error.
Sometimes there is a delay with assigning the role in Azure DevOps. Your tokens don't get refreshed. You can force this as a user on https://dev.azure.com/<organisationname>/_usersSettings/permissionsRefresh
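The two group-creation steps and the "group needs a member" caveat from the reply above, as an added PowerShell example using the Microsoft Graph PowerShell SDK (not code from the original post or from Microsoft): it creates both role-assignable groups and seeds each with a member before they are handed to PIM and the Azure DevOps Permissions tab. Group names, mail nicknames and user principal names are placeholders.

```powershell
# Added example (not from the original post): creates the two role-assignable
# AAD groups described in the reply and seeds each with a member before it is
# wired into PIM (Privileged access groups) and an Azure DevOps permission group.
# Assumes the Microsoft.Graph module is installed and the signed-in account may
# create role-assignable groups; all names and UPNs below are placeholders.

# Creating role-assignable groups needs RoleManagement.ReadWrite.Directory
# in addition to Group.ReadWrite.All.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

function New-RoleAssignableDevOpsGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $FirstMemberUpn,
        [string] $Description = 'Managed through PIM privileged access groups'
    )

    # isAssignableToRole can only be set when the group is created; it cannot
    # be switched on later, so an existing plain group cannot be reused.
    $group = New-MgGroup -DisplayName $DisplayName `
                         -Description $Description `
                         -MailEnabled:$false `
                         -MailNickname $MailNickname `
                         -SecurityEnabled `
                         -IsAssignableToRole

    # Seed the group with one member before assigning it in Azure DevOps;
    # an empty group triggers the Graph error mentioned in the reply.
    $member = Get-MgUser -UserId $FirstMemberUpn
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $member.Id

    return $group
}

$team  = New-RoleAssignableDevOpsGroup -DisplayName 'DevOps Team' -MailNickname 'devops-team' -FirstMemberUpn 'team.lead@contoso.example'
$admin = New-RoleAssignableDevOpsGroup -DisplayName 'DevOps Administrators' -MailNickname 'devops-admins' -FirstMemberUpn 'break.glass@contoso.example'

# Verify both groups before configuring PIM and the DevOps Permissions tab.
foreach ($g in $team, $admin) {
    $members = Get-MgGroupMember -GroupId $g.Id
    '{0}: isAssignableToRole={1}, members={2}' -f $g.DisplayName, $g.IsAssignableToRole, @($members).Count
}
```

After this, the groups are eligible targets for PIM privileged access groups, and the administrator group can be mapped to Project Administrators in the Azure DevOps Permissions tab as the reply describes.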