Exporting Azure PIM Approvers

H Raja 221 Reputation points
2023-01-19T16:48:38.0333333+00:00

How do you export a list of all PIM Approvers from all Azure built-in roles? As an example, see the screenshot of the approval list for User Admin. How do I export these at once for all roles?



1 answer

  1. Vasil Michev 95,096 Reputation points MVP
    2023-01-19T17:49:03.5066667+00:00

    You can get them via the Graph API's approvalStage property: https://learn.microsoft.com/en-us/graph/api/resources/approvalstage?view=graph-rest-beta

    For example, this query returns the policy associated with the Attribute Definition Reader role:

    GET https://graph.microsoft.com/beta/policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'Directory' and roleDefinitionId eq '1d336d2c-4ae8-42ef-9711-b3604ce3fc2c'

    Once you have the policyID, get the rules and, in particular, the Approval requirements:

    GET https://graph.microsoft.com/beta/policies/roleManagementPolicies/Directory_923712ba-352a-4eda-bece-09d0684d0cfb_54587f2b-c596-41bc-a576-149c3430d49a/rules/Approval_EndUser_Assignment

    Therein, under Settings > ApprovalStage > primaryApprovers, you will find the list of users.


    Additional details here: https://learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-beta#role-settings-and-pim