How to automate rbac binding parameter allow permanent eligible assignment for owner

john lear 1 Reputation point
2022-11-30T17:06:02.31+00:00

How can this parameter (Allow permanent eligible assignment) be automated with Terraform or PowerShell to toggle from No (default) to Yes for the roles Owner, Contributor and/or Reader?

Under Home->Privileged Identity Management|Azure resources -> <subscription_name>|Settings

Under Assignment
Setting = Allow permanent eligible assignment
State = No (default) or Yes

Where subscription name is the actual name of the subscription

Here's a screenshot: [image not reproduced]

Tags: Azure Role-based access control, Microsoft Entra

2 answers

  1. JamesTran-MSFT 36,371 Reputation points Microsoft Employee
    2022-12-02T22:24:05.677+00:00

    @john lear
    Thank you for your post and I apologize for the delayed response!

    When it comes to configuring Azure resource role settings in PIM, specifically changing the Assignment duration - Allow permanent eligible assignment state to "Yes", I didn't find a direct way to do this via PowerShell. However, there's a way to Allow permanent eligible assignment via the Azure PIM REST API to manage eligible access.

    Note: When it comes to using Azure PIM to manage Azure resource roles (RBAC), you'll need to use the ARM APIs for PIM. For more info, see Role management through the PIM API.

    Grant eligible assignment:
    When you grant an eligible assignment to an Azure RBAC role (e.g. Contributor, Owner, Reader), you can directly set the Expiration Type to NoExpiration.
    [image not reproduced]

    I've also reached out to our PIM team to see if they can take a look into this issue and will update as soon as possible.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

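The REST route described in the answer above, carried through end to end, as an added worked example (not code from the thread, from Microsoft, or from the Az module docs). It does two things the answer only gestures at: it first flips the "Allow permanent eligible assignment" setting itself, which is the `Expiration_Admin_Eligibility` rule of the role's PIM role management policy with `isExpirationRequired` set to `false` (the same object `Update-AzRoleManagementPolicy` writes), and only then submits an eligible assignment with expiration type `NoExpiration`, because PIM rejects a permanent eligible request while the setting is still No. It assumes an authenticated Az session (the AzurePowerShell task's `Connect-AzAccount`), the real cmdlets `Invoke-AzRestMethod` and `Get-AzRoleDefinition`, and placeholder values for `$SubscriptionId` and `$PrincipalId`; `Invoke-Arm` is a small helper defined here, not an Az cmdlet.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example, not code from the original thread. Uses the ARM PIM REST API
# (api-version 2020-10-01) through Invoke-AzRestMethod, which reuses the token of
# the current Az session, so it runs unchanged inside an AzurePowerShell task.
# $SubscriptionId and $PrincipalId are placeholders the caller must supply.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $PrincipalId,            # object id of the user or group to make eligible
    [string[]] $RoleNames = @('Owner', 'Contributor', 'Reader'),
    [string]   $MaximumDuration = 'P365D'                    # ceiling kept for non-permanent eligibility
)
$ErrorActionPreference = 'Stop'
$scope = "/subscriptions/$SubscriptionId"
$api   = 'api-version=2020-10-01'

# Thin wrapper around Invoke-AzRestMethod: serialises the body, fails on non-2xx,
# and returns the parsed JSON response (helper defined for this example only).
function Invoke-Arm {
    param([string] $Method, [string] $Path, [object] $Body)
    $params = @{ Method = $Method; Path = $Path }
    if ($Body) { $params.Payload = ConvertTo-Json -InputObject $Body -Depth 10 }
    $resp = Invoke-AzRestMethod @params
    if ($resp.StatusCode -ge 300) { throw "$Method $Path returned $($resp.StatusCode): $($resp.Content)" }
    if ($resp.Content) { $resp.Content | ConvertFrom-Json }
}

# 1. Resolve each built-in role to its full roleDefinitions id at the subscription scope
#    (same value the thread copied out of 'az role definition list').
$roleIds = @{}
foreach ($name in $RoleNames) {
    $def = Get-AzRoleDefinition -Name $name
    $roleIds[$name] = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($def.Id)"
}

# 2. PIM keeps one role management policy per role per scope; the assignment list maps
#    roleDefinitionId -> policyId.
$assignments = (Invoke-Arm GET "$scope/providers/Microsoft.Authorization/roleManagementPolicyAssignments?$api").value

# 3. "Allow permanent eligible assignment = Yes" is the Expiration_Admin_Eligibility rule
#    with isExpirationRequired = false. PATCH sends only that rule; the others stay as they are.
foreach ($name in $RoleNames) {
    $policyId = ($assignments | Where-Object { $_.properties.roleDefinitionId -eq $roleIds[$name] }).properties.policyId
    if (-not $policyId) { throw "No PIM policy assignment found for $name at $scope" }
    $patch = @{
        properties = @{
            rules = @(
                [ordered]@{
                    id                   = 'Expiration_Admin_Eligibility'
                    ruleType             = 'RoleManagementPolicyExpirationRule'
                    isExpirationRequired = $false
                    maximumDuration      = $MaximumDuration
                    target               = [ordered]@{
                        caller              = 'Admin'
                        operations          = @('All')
                        level               = 'Eligibility'
                        targetObjects       = $null
                        inheritableSettings = $null
                        enforcedSettings    = $null
                    }
                }
            )
        }
    }
    Invoke-Arm PATCH "${policyId}?$api" $patch | Out-Null
    Write-Host "${name}: permanent eligible assignment is now allowed"
}

# 4. With the setting flipped, a permanent eligible assignment is accepted: the request
#    name is a fresh GUID and the expiration type is NoExpiration.
foreach ($name in $RoleNames) {
    $requestName = [guid]::NewGuid().ToString()
    $body = @{
        properties = [ordered]@{
            principalId      = $PrincipalId
            roleDefinitionId = $roleIds[$name]
            requestType      = 'AdminAssign'
            justification    = 'Pipeline-managed permanent eligibility'
            scheduleInfo     = [ordered]@{
                startDateTime = (Get-Date).ToUniversalTime().ToString('o')
                expiration    = @{ type = 'NoExpiration' }
            }
        }
    }
    $path   = "$scope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/${requestName}?$api"
    $result = Invoke-Arm PUT $path $body
    Write-Host "${name}: eligibility request $($result.name) status $($result.properties.status)"
}
```

Two points worth keeping in mind before wiring this into a pipeline. The PATCH in step 3 is a scope-wide change to the role's PIM settings, not a per-principal one: every future eligible assignment of that role at that subscription may now be permanent, so treat it as a privileged configuration change and log it alongside the assignment itself. The counterpart setting, "Allow permanent active assignment", is the `Expiration_Admin_Assignment` rule with `level` set to `Assignment`, and the end-user activation limit is `Expiration_EndUser_Assignment`; the same PATCH shape applies. The "Unable to find type [RoleManagementPolicyExpirationRule]" error mentioned in the reply below arises because the cmdlet's documented example depends on model types that only resolve after a `using namespace` statement for the Az.Resources authorization model namespace; the REST body above does not use those types at all, which is why it is indifferent to the task version.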

  2. Lear, John 1 Reputation point
    2022-12-13T17:59:01.437+00:00

    James,

    Thanks for all your help on this. I appreciate it a lot.

    So, I'm trying to run either the API solution through an Azure DevOps pipeline or as a PowerShell script from the pipeline, since the pipeline will log in, authenticate and run this as the appropriate user with permissions. I've run into the following issues:

    1. The API fails (404) to find the Role Definition ID path, which is in a variable like so:

    ```powershell
    $pimRoleDefinitionId = "/subscriptions/<my_new_subscription>/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" # the GUID is from the built-in Owner role
    ```

    2. The latest option, Update-AzRoleManagementPolicy, fails in the pipeline with AzurePowerShell@5 (the latest I can use is 5.209.0, I believe), and I see the docs are written for AzurePowerShell@8 and 9. I say that because I get this error: "Unable to find type [RoleManagementPolicyExpirationRule]." RoleManagementPolicyExpirationRule shows up as a Java class, or my PowerShell version (5) doesn't recognize it. Or the pipeline wants ConnectedServiceNameARM set in the YAML file, which may also require azureSubscription to be set (which doesn't accept the name of my new subscription) when I set AzurePowerShell@5 in the pipeline.

    Is Update-AzRoleManagementPolicy meant to be an inline script in the pipeline, or can it be a script I call?

    Also, I really like the option for the API call because it explicitly sets type to NoExpiration, but the API won't run because of #1 above (error 404): it doesn't like something in the role definition ID path, which is a copy and paste from my az CLI:

    ```shell
    az role definition list --scope /subscriptions/<my_new_subscription_id> --name Owner
    ```

    ```json
    [
      {
        "assignableScopes": [
          "/"
        ],
        "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
        "id": "/subscriptions/<my_new_subscription_id>/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        ....
    ```

    API call in PS:

    ```powershell
    $uri = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/${roleEligibilityScheduleRequestName}?api-version=$apiVersion"
    # Invoke-RestMethod returns the parsed response body (Invoke-WebRequest returns the whole
    # response object); ARM needs an explicit application/json Content-Type for a JSON body.
    Invoke-RestMethod -Method 'PUT' -Uri $uri -Headers $headers -ContentType 'application/json' -Body $roleEligibilityScheduleRequestBody | ConvertTo-Json -Depth 100
    ```

    Do you have any working API code anywhere that does anything close to this? Should I be using Microsoft Graph? https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleeligibilityschedulerequests?view=graph-rest-1.0&tabs=powershell
