Microsoft Entra
A group of Microsoft multicloud identity and access solutions.
2,554 questions
To provide PIM access using BICEP
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous
How to add custom RBAC role to Privileged Identity Management using BICEP template at a subscription scope?
Presently, I am using this BICEP template to create a custom role at the subscription level of scope. Kindly let me know how to define a PIM for the below mentioned template.
targetScope = 'subscription'
@description('Array of actions for the roleDefinition')
param actions array = [
'Microsoft.Authorization/*/read'
'Microsoft.Resources/subscriptions/resourceGroups/read'
'Microsoft.Support/*'
'Microsoft.Authorization/roleAssignments/delete'
'Microsoft.Authorization/roleAssignments/write'
'Microsoft.Resources/deployments/*'
]
@description('ID of the role definition')
param roleDefName string = 'xxxxx'
@description('Array of notActions for the roleDefinition')
param notActions array = []
@description('Friendly name of the role definition')
param roleName string = 'Custom Role - Support Req Contributor'
@description('Detailed description of the role definition')
param roleDescription string = 'Subscription Level Deployment of a Role Definition'
//var roleDefName = guid(subscription().id, string(actions), string(notActions))
resource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
name: roleDefName
properties: {
roleName: roleName
description: roleDescription
type: 'customRole'
permissions: [
{
actions: actions
notActions: notActions
}
]
assignableScopes: [
subscription().id
]
}
}
{count} vote
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,511 Reputation points2023-10-02T23:41:15.8133333+00:00 Hello @Anonymous , Entra ID (formerly Azure AD) role assigments and settings can be managed by PIM. What management operation do you want to perform using bicep?
-
Anonymous
2023-10-03T04:49:28.0433333+00:00 Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA , I have created a custom role for support request contributor and need to use PIM to allow time bound role assignment to the users.
I am trying to assign PIM through the below mentioned BICEP, to the custom role that I created.
And for this, I am receiving the following error.
targetScope = 'subscription' param startTime string = utcNow() param principalId string = 'xxxxxxxxx' param roleDefinitionId string = 'xxxxxxxxxxxxx' resource createPIMAssignment 'Microsoft.Authorization/roleEligibilityScheduleRequests@2022-04-01-preview' = { name: guid(subscription().id, 'Custom Role - Support Request Contributor') scope: subscription() properties: { principalId: principalId requestType: 'AdminAssign' roleDefinitionId: roleDefinitionId scheduleInfo: { expiration: { duration: 'P365D' type: 'AfterDuration' } startDateTime: startTime } } } Error Received {"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/xxxxxxxxx/providers/Microsoft.Resources/deployments/pim_old","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see
Sign in to comment
Sign in to answer