Where can I find role management policies?

Michael 20 Reputation points
2023-06-01T16:07:44.53+00:00

Hi,

I'm currently creating Azure PIM schedules via the create roleAssignmentScheduleRequests API (https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignmentschedulerequests?view=graph-rest-1.0&tabs=http).

This should create a PIM assigned schedule that will not expire.

{
  "properties": {
    "requestType": "AdminAssign",
    "roleDefinitionId": "/subscriptions/9590199c-256a-484d-ae83-f197332d1ac6/providers/Microsoft.Authorization/roleDefinitions/243959b5-de59-4940-86e4-821cce8ad156",
    "scheduleInfo": {
      "expiration": {
        "type": "NoExpiration"
      }
    },
    "principalId": "a6f864c0-2d5b-49b3-9997-781016316a34",
    "justification": "Create always-active PIM Package"
  }
}

When I attempt this I get an error that states I'm failing a role management policy.

{
  "error": {
    "code": "RoleAssignmentRequestPolicyValidationFailed",
    "message": "The following policy rules failed: [\"ExpirationRule\"]"
  }
}

That's fine, I understand this, and if I call the roleManagementPolicies endpoint (https://learn.microsoft.com/en-us/rest/api/authorization/role-management-policies/list-for-scope?tabs=HTTP) I can see the following policy:

{
  "isExpirationRequired": true,
  "maximumDuration": "P180D",
  "id": "Expiration_Admin_Assignment",
  "ruleType": "RoleManagementPolicyExpirationRule",
  "target": {
    "caller": "Admin",
    "operations": [
      "All"
    ],
    "level": "Assignment"
  }
}

My question is, where can I manage this policy in the portal? I can't find any documentation on this, only the API documents.

Microsoft Graph
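The error in the question is the service applying the expiration rule shown in the policy listing: an AdminAssign request with NoExpiration cannot satisfy a rule with isExpirationRequired set to true, and any requested lifetime longer than maximumDuration fails the same rule. The script below is an added example, not Microsoft's validation code and not part of this thread; it re-checks a roleAssignmentScheduleRequests body against a policy's RoleManagementPolicyExpirationRule offline, using the request and rule from the question as constructed sample input, and derives the longest expiration the policy will accept. It only mirrors the expiration rule (the service evaluates other rules too), and the duration parser covers the day/time forms PIM uses (P180D, PT8H, P1DT12H), not year or month durations.

```python
"""Offline re-check of a PIM schedule request against a policy expiration rule.

Added example, not Microsoft's own validation logic. It mirrors only the
RoleManagementPolicyExpirationRule; the request and rule below are the ones
from the question, embedded as constructed sample input so this runs offline.
"""
import copy
import re
from datetime import datetime, timedelta, timezone

# The failing request from the question (constructed sample input).
REQUEST = {
    "properties": {
        "requestType": "AdminAssign",
        "roleDefinitionId": "/subscriptions/9590199c-256a-484d-ae83-f197332d1ac6"
                            "/providers/Microsoft.Authorization/roleDefinitions"
                            "/243959b5-de59-4940-86e4-821cce8ad156",
        "scheduleInfo": {"expiration": {"type": "NoExpiration"}},
        "principalId": "a6f864c0-2d5b-49b3-9997-781016316a34",
        "justification": "Create always-active PIM Package",
    }
}

# The expiration rule returned by the roleManagementPolicies listing in the question.
POLICY_RULES = [
    {
        "isExpirationRequired": True,
        "maximumDuration": "P180D",
        "id": "Expiration_Admin_Assignment",
        "ruleType": "RoleManagementPolicyExpirationRule",
        "target": {"caller": "Admin", "operations": ["All"], "level": "Assignment"},
    }
]

# ISO 8601 day/time duration, the form maximumDuration uses ("P180D", "PT8H", "P1DT12H").
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text: str) -> timedelta:
    """Parse an ISO 8601 day/time duration; rejects empty ("P") and year/month forms."""
    m = _DURATION.match(text)
    if m is None or all(v is None for v in m.groupdict().values()):
        raise ValueError(f"unsupported duration: {text!r}")
    parts = {k: int(v or 0) for k, v in m.groupdict().items()}
    return timedelta(days=parts["d"], hours=parts["h"],
                     minutes=parts["m"], seconds=parts["s"])


def _timestamp(text):
    """Parse an ISO 8601 timestamp; naive values are treated as UTC, None means now."""
    if text is None:
        return datetime.now(timezone.utc)
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def expiration_rule(policy_rules, caller="Admin", level="Assignment"):
    """Return the expiration rule targeting this caller and level, or None."""
    for rule in policy_rules:
        target = rule.get("target", {})
        if (rule.get("ruleType") == "RoleManagementPolicyExpirationRule"
                and target.get("caller") == caller
                and target.get("level") == level):
            return rule
    return None


def requested_lifetime(schedule_info):
    """Lifetime the request asks for as a timedelta, or None for NoExpiration."""
    exp = schedule_info["expiration"]
    kind = exp.get("type")
    if kind == "NoExpiration":
        return None
    if kind == "AfterDuration":
        return parse_duration(exp["duration"])
    if kind == "AfterDateTime":
        # The schedule's startDateTime (default: now) sits next to the expiration block.
        return _timestamp(exp["endDateTime"]) - _timestamp(schedule_info.get("startDateTime"))
    raise ValueError(f"unknown expiration type: {kind!r}")


def failed_rules(request, policy_rules):
    """Rule names the request violates, in the form the API's error message lists them."""
    rule = expiration_rule(policy_rules)
    if rule is None:
        return []
    lifetime = requested_lifetime(request["properties"]["scheduleInfo"])
    if lifetime is None:
        return ["ExpirationRule"] if rule.get("isExpirationRequired") else []
    return ["ExpirationRule"] if lifetime > parse_duration(rule["maximumDuration"]) else []


def compliant_request(request, policy_rules):
    """Copy of the request with its expiration clamped to the policy's maximumDuration."""
    fixed = copy.deepcopy(request)
    if failed_rules(fixed, policy_rules):
        rule = expiration_rule(policy_rules)
        fixed["properties"]["scheduleInfo"]["expiration"] = {
            "type": "AfterDuration", "duration": rule["maximumDuration"]}
    return fixed


if __name__ == "__main__":
    print("failed:", failed_rules(REQUEST, POLICY_RULES))  # ['ExpirationRule']
    fixed = compliant_request(REQUEST, POLICY_RULES)
    print("after clamp:", failed_rules(fixed, POLICY_RULES),
          fixed["properties"]["scheduleInfo"]["expiration"])  # [] {'type': 'AfterDuration', 'duration': 'P180D'}
```

Running it reproduces the question's failure and shows the largest change that makes the request pass without touching the policy: an AfterDuration expiration of P180D. The same check can be pointed at the rules of any scope by loading the JSON from the list-for-scope call into POLICY_RULES, which is useful for confirming what a policy will allow before the request is submitted rather than after it is rejected.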

Accepted answer
VasimTamboli 4,785 Reputation points
2023-06-02T15:39:46.6366667+00:00

Azure role management policies are not directly configurable through the Azure portal. These policies are enforced by the Azure Role-Based Access Control (RBAC) system to ensure compliance and governance of role assignments.

To manage role management policies, you need to use the Azure REST API or Azure PowerShell cmdlets. The API endpoint you mentioned, role-management-policies/list-for-scope, allows you to retrieve the role management policies defined for a specific scope.

Here's how you can manage role management policies using Azure PowerShell:

1. Install and configure Azure PowerShell: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps

2. Use the Get-AzRoleManagementPolicy cmdlet to retrieve the role management policies for a specific scope. For example, to retrieve policies for the subscription scope:

PowerShell:

Get-AzRoleManagementPolicy -Scope "/subscriptions/{subscriptionId}"

Replace {subscriptionId} with the ID of your subscription.

You can use other Azure PowerShell cmdlets to create, update, or remove role assignments based on the defined policies.

Keep in mind that role management policies are designed to enforce specific rules, such as requiring expiration for role assignments. These policies help ensure compliance and good governance practices. If the policy specifies an expiration rule, you need to include an appropriate expiration duration in your role assignment requests.

Remember to exercise caution when modifying or removing role management policies, as they play a critical role in maintaining the security and compliance of your Azure environment.

