Azure PIM expire eligible assignment after 3 years

Malli Boppe 31 Reputation points
2022-12-27T23:51:50.467+00:00

I am trying to configure Azure roles for Azure Privileged Identity Management. I am just wondering if there is a way to increase the eligible or active assignment for more than a year.


Microsoft Entra

Accepted answer
  1. 2022-12-28T01:18:09.363+00:00

    Hello, you can set higher than 1 year (actually, 365 days) expire-after values using MS Graph, one of its SDKs, or Azure AD (Preview) PowerShell.

    An AzureAD (Preview) PowerShell sample follows:

       # Sign in with the AzureADPreview module (the cmdlet is Connect-AzureAD)
       AzureADPreview\Connect-AzureAD
       # Read the role setting for one Azure AD role; <role-setting-id> is the PIM role setting id
       $Settings = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Id '<role-setting-id>'
       # Expiration rule for admin eligible assignments (index usually 3)
       $ExpirationRule = $Settings.AdminEligibleSettings[3]
       # Setting is a JSON string, e.g. {"maximumGrantPeriod":"730.00:00:00","maximumGrantPeriodInMinutes":1051200,"permanentAssignment":false} for 2 years
       $ExpirationRule.Setting = '{"maximumGrantPeriod":"730.00:00:00","maximumGrantPeriodInMinutes":1051200,"permanentAssignment":false}'
       # Write the whole AdminEligibleSettings collection back
       Set-AzureADMSPrivilegedRoleSetting -ResourceId '<resource-id>' -RoleDefinitionId '<role-definition-id>' -AdminEligibleSettings $Settings.AdminEligibleSettings -ProviderId 'aadRoles' -Id '<role-setting-id>'

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.
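As an added example (not the answer author's code), the same update written as a function that builds the ExpirationRule JSON for any number of days, locates the rule by its RuleIdentifier instead of a fixed index, and reads the setting back so you can confirm the tenant accepted it. It assumes the AzureADPreview rule objects expose RuleIdentifier and Setting properties as documented; the role setting, resource and role definition ids are placeholders.

```powershell
# Added example, not from the answer above. Placeholders: <role-setting-id>,
# <resource-id>, <role-definition-id>. Requires the AzureADPreview module.
Import-Module AzureADPreview

function New-PimExpirationSetting {
    param([int]$Days, [bool]$Permanent = $false)
    # maximumGrantPeriod is a TimeSpan string (d.hh:mm:ss) and the minutes
    # value must agree with it: days * 24 * 60 (730 days -> 1051200).
    $span = [TimeSpan]::FromDays($Days)
    [ordered]@{
        maximumGrantPeriod          = $span.ToString('d\.hh\:mm\:ss')
        maximumGrantPeriodInMinutes = [int]$span.TotalMinutes
        permanentAssignment         = $Permanent
    } | ConvertTo-Json -Compress
}

function Set-PimEligibleMaxDuration {
    param(
        [string]$RoleSettingId,
        [string]$ResourceId,
        [string]$RoleDefinitionId,
        [int]$Days
    )
    $settings = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Id $RoleSettingId
    # Select the rule by name rather than assuming it sits at index 3.
    $rule = $settings.AdminEligibleSettings | Where-Object RuleIdentifier -eq 'ExpirationRule'
    if (-not $rule) { throw 'ExpirationRule not found in AdminEligibleSettings' }
    $rule.Setting = New-PimExpirationSetting -Days $Days
    Set-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Id $RoleSettingId `
        -ResourceId $ResourceId -RoleDefinitionId $RoleDefinitionId `
        -AdminEligibleSettings $settings.AdminEligibleSettings
    # Read back: the stored JSON is the proof the longer window was accepted.
    (Get-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Id $RoleSettingId).AdminEligibleSettings |
        Where-Object RuleIdentifier -eq 'ExpirationRule' | Select-Object -ExpandProperty Setting
}

# 3 years as asked in the question: 1095 days = 1576800 minutes
New-PimExpirationSetting -Days 1095

Connect-AzureAD
Set-PimEligibleMaxDuration -RoleSettingId '<role-setting-id>' -ResourceId '<resource-id>' `
    -RoleDefinitionId '<role-definition-id>' -Days 1095
```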


1 additional answer

  1. TP 77,076 Reputation points
    2022-12-28T00:12:51.653+00:00

    Hi,

    I've not tested it, but there is a decent chance it will work if you use PowerShell instead of the portal. I read the REST API documentation and there is no mention of a maximum date in the future (although that doesn't mean it will allow 3 years). See the article below, which shows how to use PowerShell to work with PIM. You could modify their example code to set an expiration date 3 years in the future and see if it works.

    PowerShell for Azure AD roles in Privileged Identity Management

    https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/powershell-for-azure-ad-roles#assign-a-role

    Please reply back with your results, whether positive or negative.

    Thanks.

    -TP
