Azure PIM for global reader role - No resources to discover

Arnaud Rigole 126 Reputation points
2021-08-18T15:08:00.467+00:00

Hi everyone,

I'm currently testing Azure PIM to delegate read permissions to our Azure tenant.

I've assigned with PIM the "Global reader" role to a test account, which has validated the access.
The scope defined is "Directory" and I cannot change it as it's greyed out.


Once done and logged on with that account, I can confirm that my account has the Global reader role:


I cannot discover any resources, as it says...


So how do I proceed?

If you tell me that I also have to give some RBAC permission, what is the use of that "Global reader" we assign in PIM? By the way, I could give owner (write) permissions
on a subscription or management group, so my original "Global reader" would mean nothing, no?

Thanks in advance!
Arnaud


Accepted answer
  1. Arnaud Rigole 126 Reputation points
    2021-08-30T15:22:39.543+00:00

    Late comeback, but some interesting info...

    There is a preview feature on Azure which permits granting RBAC-based roles with PIM: "Privileged Access groups".
    It can be used to put users in custom AAD groups, which you can bind to Azure resources.
    Consider that the AAD group attribute "Azure AD Roles can be assigned to the group" must be set to "YES" when you create the group.
    More info here: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features

    Thanks for the help.

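The procedure in the accepted answer (role-assignable group, Azure RBAC binding, PIM eligibility) as an added Azure CLI example; this is not code from the thread or from Microsoft. It assumes a logged-in `az` session and placeholder values for the user object id and subscription id; the Graph request bodies are built by pure-shell functions so they can be inspected without calling Azure, and nothing is executed unless `RUN_AZ=1`.

```shell
#!/usr/bin/env sh
# Added example: time-bound, read-only delegation to an Azure subscription via
# PIM privileged access groups, in three steps:
#   1. create an Entra ID group with isAssignableToRole=true (must be set at creation),
#   2. give that group the Azure RBAC "Reader" role at subscription scope,
#   3. make the user *eligible* for group membership for a bounded period, so
#      Reader only applies while an activated assignment is in force.
# Placeholders: <USER_OBJECT_ID>, <SUBSCRIPTION_ID>. Group name is constructed.

# Body for POST https://graph.microsoft.com/v1.0/groups  ($1 = display name)
group_body() {
  printf '{"displayName":"%s","mailNickname":"%s","mailEnabled":false,"securityEnabled":true,"isAssignableToRole":true}' "$1" "$1"
}

# Body for POST .../identityGovernance/privilegedAccess/group/eligibilityScheduleRequests
# $1 = group object id, $2 = user object id, $3 = ISO-8601 duration (e.g. P30D),
# $4 = UTC start time. accessId "member" makes the user eligible for membership only.
eligibility_body() {
  printf '{"accessId":"member","principalId":"%s","groupId":"%s","action":"adminAssign","justification":"Time-bound read-only delegation","scheduleInfo":{"startDateTime":"%s","expiration":{"type":"afterDuration","duration":"%s"}}}' "$2" "$1" "$4" "$3"
}

# Executes the three steps against the tenant. Only called when RUN_AZ=1.
delegate_reader() {
  group_name=$1; user_id=$2; sub_id=$3; duration=$4
  group_id=$(az rest --method POST --url https://graph.microsoft.com/v1.0/groups \
               --body "$(group_body "$group_name")" --query id -o tsv)
  # Standing Azure RBAC assignment goes to the group, never to the user directly.
  az role assignment create --assignee-object-id "$group_id" --assignee-principal-type Group \
     --role Reader --scope "/subscriptions/$sub_id" >/dev/null
  # The user gets an eligibility, not an active assignment; activation is JIT via PIM.
  az rest --method POST \
     --url https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests \
     --body "$(eligibility_body "$group_id" "$user_id" "$duration" "$(date -u +%Y-%m-%dT%H:%M:%SZ)")"
}

if [ "${RUN_AZ:-0}" = 1 ]; then
  delegate_reader "pim-sub-readers" "<USER_OBJECT_ID>" "<SUBSCRIPTION_ID>" "P30D"
fi
```

Approval on activation and maximum activation duration are configured in the group's PIM settings, not in the eligibility request itself.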

3 additional answers

Sort by: Most helpful
  1. Vasil Michev 96,436 Reputation points MVP
    2021-08-18T16:29:35.347+00:00

    Global Reader is an Azure AD/Office 365 role, thus the "directory" scope. It doesn't give you access to any Azure resources.


  2. Marilee Turscak-MSFT 34,546 Reputation points Microsoft Employee
    2021-08-18T17:12:18.33+00:00

    The Global Reader role allows the user to view all Azure Active Directory resources in the same way that the Global Admin role can do this. If you are trying to give read-only to Azure subscription Resources, add the users to the Azure Role: "Readers".

    The screenshot you posted is in the Privileged Identity Management tab, where subscription resources would reside. PIM resources are only visible when you have an active role assignment, and they are managed by PIM. Otherwise they will not be seen in the console. The roles for each resource are managed separately.


    So yes, as you correctly observed, the Global Reader role isn't intended for subscription resources alone and you would need to add an Azure Role here.

    https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources

    https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-reader


  3. Arnaud Rigole 126 Reputation points
    2021-08-19T10:01:24.143+00:00

    Thanks for your answers. So if I understand correctly:
    I cannot use PIM to manage **read-only** access to Azure Resources?

    Edit: ok, as seen here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-reader, "Privileged Access Management (PAM) doesn't support the Global Reader role." It's a shame :(

    So how do you delegate that kind of read-only privilege for a defined period of time (like for service providers...) and with a just-in-time / validation system?
