Discussion around different ways to implement PIM for Azure resources

KFM 86 Reputation points
2024-01-30T07:07:38.8133333+00:00

I've found there are two ways to use PIM to grant access to Azure resources and I'd like to understand the differences, if any, between the two. The outcome is the same however the process/workflow to achieve it is different.

Method 1

Create an Entra ID group, assign it to a specific scope (e.g. management group) and role (e.g. Contributor) and use PIM to manage just-in-time membership in the group. The user, when activating their eligible PIM assignment will then be a member of that group and inherit whatever role that group has been assigned.

When viewing the "Access control (IAM)" property of a resource, you will not see the user in the list as they're a member of the Entra ID group, but clicking on "View my access" will show the effective access/role.

This is using the Assign eligibility for a group in Privileged Identity Management method.

Method 2

Create an Entra ID group and add users to it. Use PIM to assign the group an Azure role (e.g. Contributor) to a specific scope (e.g. management group). The user, when activating their eligible PIM assignment, will then have the specified role at the defined scope.

When viewing the "Access control (IAM)" property of a resource, you will see the user has a direct role assignment at the specified scope.

This is using the Assign Azure resource roles in Privileged Identity Management method.

So as you can see, there are two methods. Apart from the initial configuration, are there any security, or any other implications, of choosing one over the other? Thank you!

Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
833 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
603 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,659 questions
{count} votes