Inefficient PIM-Managed AAD Group Endpoints making custom reporting impossible.

Alexis Moyse 0 Reputation points
2023-12-08T16:47:13.72+00:00

Key Issue:

  • The current LTS endpoint for evaluating PIM groups (v1.0/identityGovernance/privilegedAccess/group/*schedules) requires filtering by groupId, but there's no way to distinguish PIM-managed groups from non-PIM groups beforehand. This necessitates inefficient iterations over all groups, leading to performance bottlenecks.

Desired Enhancements:

Promote beta endpoint to LTS:

  • Include the beta/privilegedAccess/aadGroups/resources endpoint, which directly lists PIM-managed AAD groups, in the v1.0/LTS version.

Remove filter requirement:

  • Allow filterless calls to the v1.0/identityGovernance/privilegedAccess/group/*schedules endpoints, as supported by PIM-managed role endpoints, for efficient pagination and retrieval of all PIM-managed groups.

Benefits:

  • Streamlined reporting: Facilitate efficient generation of reports on assignment and eligibility schedules for PIM-managed groups.
  • Optimized performance: Eliminate unnecessary iterations, significantly reducing query time and enhancing overall system performance.
  • Consistency with PIM-managed role endpoints: Maintain consistency in API design and functionality across PIM features.

Call to Action:

  • Please consider implementing one or both of these enhancements to significantly improve the usability and efficiency of PIM-managed AAD group management.
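To make the iteration described above concrete, here is an added example (not code from the original post or from Microsoft) of a report builder that must probe every group with a `groupId` filter because nothing identifies PIM-managed groups up front. It assumes `eligibilitySchedules` and `assignmentSchedules` as the concrete `*schedules` endpoints, and takes an injected `fetch` callable so it runs offline against constructed sample responses instead of a real tenant.

```python
"""Report of PIM-managed group schedules via Microsoft Graph v1.0 (added example)."""
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumed concrete names for the v1.0 PIM-for-groups "*schedules" endpoints.
SCHEDULES = ("eligibilitySchedules", "assignmentSchedules")


def paged(fetch, url):
    """Follow @odata.nextLink until the collection is exhausted."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def pim_group_report(fetch):
    """Return ({groupId: {kind: [schedules]}}, number of Graph calls made).

    Because the schedules endpoints require a groupId filter and there is no
    way to list PIM-managed groups first, cost is (group pages) + 2 * (groups).
    """
    report, calls = {}, 0

    def counted(url):
        nonlocal calls
        calls += 1
        return fetch(url)

    for group in paged(counted, f"{GRAPH}/groups?$select=id,displayName"):
        for kind in SCHEDULES:
            flt = quote(f"groupId eq '{group['id']}'")
            url = f"{GRAPH}/identityGovernance/privilegedAccess/group/{kind}?$filter={flt}"
            items = list(paged(counted, url))
            if items:  # only groups with at least one schedule are PIM-managed
                report.setdefault(group["id"], {})[kind] = items
    return report, calls


# Constructed sample responses standing in for Graph (not real tenant data).
PIM_GROUP = "11111111-1111-1111-1111-111111111111"
GROUPS_URL = f"{GRAPH}/groups?$select=id,displayName"
SAMPLE = {
    GROUPS_URL: {"value": [{"id": PIM_GROUP, "displayName": "Tier0-Admins"},
                           {"id": "2222", "displayName": "Marketing"}],
                 "@odata.nextLink": GROUPS_URL + "&$skiptoken=p2"},
    GROUPS_URL + "&$skiptoken=p2": {"value": [{"id": "3333", "displayName": "Finance"}]},
    f"{GRAPH}/identityGovernance/privilegedAccess/group/eligibilitySchedules?$filter="
    + quote(f"groupId eq '{PIM_GROUP}'"): {"value": [{"id": "sched-1", "principalId": "user-a"}]},
}


def sample_fetch(url):
    """Offline stand-in for an authenticated GET; unknown URLs return an empty collection."""
    return SAMPLE.get(url, {"value": []})
```

With three groups across two pages the walk costs 8 calls to find a single PIM-managed group, which is the overhead the post asks Microsoft to remove.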

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-12-18T23:08:28.75+00:00

    @Alexis Moyse ,

    Thank you for reporting this feature enhancement and providing so many details. I agree that the endpoint should be included and this is planned for future support pending stability testing. Based on the information you provided, I filed an internal design change request with the PIM team to prioritize this feature.

    Note that https://feedback.azure.com is the correct forum for feature requests, and Microsoft Q&A is only scoped for product questions. If you leave an additional request in feedback.azure.com, the product team will directly reply and prioritize your feedback based on impact, upvotes, scope, and number of requests.

    Your request is being tracked internally, but I would also recommend leaving feedback in the feedback forum: https://feedback.azure.com/

    To get updates about Microsoft Graph beta version changes, you can also check the changelog website, which contains a link to an RSS feed.

    https://developer.microsoft.com/en-us/graph/changelog/rss

    When you subscribe to the RSS feed you will receive notifications about changes.

    Thanks again for sharing your feedback!

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

