Assign PIM role to the service connection

Lisa Palathingal 6 Reputation points Microsoft Employee
2023-05-19T22:25:11.3833333+00:00
I would like to create a lock for SQL database in my resource group. For that, as per this documentation, https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#who-can-create-or-delete-locks, I need access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. This is possible only for the Owner and the User Access Administrator built-in roles. 

The issue is regarding https://github.com/azsk/DevOpsKit-docs/blob/master/01-Subscription-Security/Readme.md#use-set-azskpimconfiguration-alias-setpim-for-configuringchanging-pim-settings-at-management-group-level

I'm running this PowerShell command:

Set-AzSKPIMConfiguration -AssignRole ` -SubscriptionId


1 answer

    Sedat SALMAN 13,345 Reputation points
    2023-05-20T15:06:08.2033333+00:00

    The Set-AzSKPIMConfiguration cmdlet is a part of the AzSK (Azure Secure DevOps Kit) and is used to manage Privileged Identity Management (PIM) settings at the management group level.

    Before you run this command, make sure you have the necessary permissions to do so. You need to be a privileged role administrator or a global administrator in your Azure AD tenant to manage PIM.

    The -AssignRole switch in the Set-AzSKPIMConfiguration cmdlet is used to specify the role you want to assign. The -SubscriptionId switch specifies the subscription to which the role assignment applies.

    Here is a basic example of how you could use these options:

    Set-AzSKPIMConfiguration -AssignRole "User Access Administrator" -SubscriptionId "your_subscription_id"
    

    This command would attempt to assign the "User Access Administrator" role to the subscription specified by "your_subscription_id".

    If you are looking to assign a role to a specific service connection, you will need to make sure that the service connection is set up as a user in your Azure AD tenant. If it is, you can assign the role to that user (service connection) in a similar way.

    1 person found this answer helpful.
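The permission check the question raises (does the identity hold a role whose actions cover Microsoft.Authorization/locks/*) and the lock creation itself, as an added PowerShell example using the Az module rather than AzSK; it is not code from the question, the answer or the AzSK project. The resource group, SQL server and database names, and the lock name and notes, are placeholders you would replace with your own.

```powershell
# Added example (Az.Accounts, Az.Resources). Names below are placeholders.
$ResourceGroup = "rg-placeholder"
$SqlServer     = "sqlserver-placeholder"
$SqlDatabase   = "sqldb-placeholder"

$ctx   = Get-AzContext
$scope = "/subscriptions/$($ctx.Subscription.Id)/resourceGroups/$ResourceGroup"

# Creating a lock requires this action (covered by Microsoft.Authorization/* or
# Microsoft.Authorization/locks/*, i.e. Owner or User Access Administrator).
$needed = "Microsoft.Authorization/locks/write"

# A role grants an action if some Actions entry matches it and no NotActions entry does.
# Role definition entries use '*' wildcards, which PowerShell's -like understands.
function Test-ActionGranted {
    param([string]$Action, [string[]]$Actions, [string[]]$NotActions)
    $allowed = @($Actions    | Where-Object { $Action -like $_ })
    $denied  = @($NotActions | Where-Object { $Action -like $_ })
    return ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

# Resolve the signed-in principal's object id. A service connection signs in as a
# service principal, whose Account.Id is the application id, not the object id.
$principalId = if ($ctx.Account.Type -eq 'ServicePrincipal') {
    (Get-AzADServicePrincipal -ApplicationId $ctx.Account.Id).Id
} else {
    (Get-AzADUser -UserPrincipalName $ctx.Account.Id).Id
}

# Assignments at the scope include those inherited from subscription and management
# group; -ExpandPrincipalGroups also picks up roles granted via group membership.
$grantingRoles = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope -ExpandPrincipalGroups |
    ForEach-Object { Get-AzRoleDefinition -Id $_.RoleDefinitionId } |
    Where-Object { Test-ActionGranted -Action $needed -Actions $_.Actions -NotActions $_.NotActions }

if (-not $grantingRoles) {
    Write-Warning "$($ctx.Account.Id) holds no role at $scope that grants $needed."
    return
}
Write-Host "Lock permission granted via: $(($grantingRoles.Name | Select-Object -Unique) -join ', ')"

# Create the CanNotDelete lock on the database and read it back to confirm.
New-AzResourceLock -LockName "sqldb-no-delete" -LockLevel CanNotDelete `
    -LockNotes "Prevents accidental deletion of the database" `
    -ResourceGroupName $ResourceGroup -ResourceType "Microsoft.Sql/servers/databases" `
    -ResourceName "$SqlServer/$SqlDatabase" -Force | Out-Null

Get-AzResourceLock -ResourceGroupName $ResourceGroup -ResourceType "Microsoft.Sql/servers/databases" `
    -ResourceName "$SqlServer/$SqlDatabase" | Format-Table Name, LockId
```

Note that a PIM-eligible role must be activated before this check will find it, since eligibility alone produces no active role assignment.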