Restricting managed identity rights in Azure

Bombbe 1,401 Reputation points
2023-11-01T13:54:18.28+00:00

We are planning to create Azure automation that needs high privileges (Contributor) on all subscriptions, and we are planning to use a managed identity for this task.

Because the automation is not running every day (maybe weekly or even monthly), we are thinking of ways to remove those rights while it is not running (manually removing and adding is not really an option). Do managed identities support some kind of feature where it would get/claim those rights just before running, a bit like people would take an RBAC role from PIM before doing things, so that it would not have Contributor 24/7/365?

Tags: Azure Role-based access control, Azure Automation

1 answer

  1. Givary-MSFT 33,861 Reputation points Microsoft Employee
    2023-11-07T11:12:18.53+00:00

    @Bombbe Thank you for reaching out to us; I discussed your ask with my team. It's not possible to restrict managed identities via PIM. PIM is meant for users; only limiting with a time interval is possible for an SP or MI.


    Let me know if you have any further questions, feel free to post back.

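The answer above says the closest thing to PIM for a service principal or managed identity is a role assignment limited to a time interval. The following PowerShell is an added example (not part of the question or the answer) of what that looks like in practice: it grants the automation's managed identity Contributor on a subscription as a PIM time-bound active assignment that expires after a fixed duration, then lists what is active and shows how to revoke early. It uses the Az.Resources cmdlets New-AzRoleAssignmentScheduleRequest and Get-AzRoleAssignmentScheduleInstance; the subscription ID, principal object ID and duration are placeholders, and the caller is assumed to hold Owner or User Access Administrator on the scope.

```powershell
# Added example, not the Q&A author's code. Grant a managed identity Contributor on a
# subscription for a fixed window using a PIM time-bound active assignment.
# Assumes Az.Accounts and Az.Resources are installed and the caller can assign roles.
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$PrincipalId    = '11111111-1111-1111-1111-111111111111',  # MI object ID, placeholder
    [string]$Duration       = 'PT4H'                                    # ISO 8601 duration, placeholder
)

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

$scope = "/subscriptions/$SubscriptionId"
$role  = Get-AzRoleDefinition -Name 'Contributor'
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($role.Id)"

# Create an *active* (not eligible) assignment with an expiry. PIM removes the
# assignment itself when the window ends, so nothing is left behind to clean up.
$request = New-AzRoleAssignmentScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $PrincipalId `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration $Duration `
    -Justification 'Scheduled automation run; Contributor needed only for this window'

"Request status: $($request.Status)"

# Check what is actually active for this identity right now, including the end time.
Get-AzRoleAssignmentScheduleInstance -Scope $scope |
    Where-Object PrincipalId -eq $PrincipalId |
    Select-Object RoleDefinitionDisplayName, Status, StartDateTime, EndDateTime

# Revoke early if the job finished before the window closed (same cmdlet, AdminRemove).
# Uncomment to run:
# New-AzRoleAssignmentScheduleRequest -Name (New-Guid).Guid -Scope $scope `
#     -PrincipalId $PrincipalId -RoleDefinitionId $roleDefinitionId -RequestType AdminRemove
```

Two points to keep in mind when using this pattern: the assignment is active for the whole window, so size the duration to the job rather than to a day; and whatever creates the assignment (a scheduler, a pipeline, an operator) must itself hold a role that can assign roles on the scope, so the standing privilege is moved, not eliminated. Keep that assigning identity separate from the automation's own managed identity so a compromise of the job cannot extend its own window.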
