Privileged Identity Management - Azure resources

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Caution

This version of the Privileged Identity Management (PIM) API for Azure resources will be deprecated soon. Please use the new Azure REST PIM API for Azure resource roles.

You can use Microsoft Entra Privileged Identity Management (PIM) for Azure resources to set up a just-in-time access workflow for your Azure infrastructure roles at the management group, subscription, resource group, and resource levels. The roles covered include built-in roles such as Owner and Contributor, as well as custom RBAC roles.

Common use cases for PIM and Azure resources using a REST API

| Use case | Resource | See also |
|---|---|---|
| Onboard a resource (subscription, resource group, resource, etc.) for PIM management, list all the managed resources the requester has access to, and retrieve the relationships of a managed resource. | governanceResource | Role discovery and management |
| List all the roles for a resource, or get the details of a particular role in a specified resource. | governanceRoleDefinition | |
| Retrieve all role settings for a resource, or update a role setting. | governanceRoleSetting | Configure role setting |
| List and export all role assignments for a resource. | governanceRoleAssignment | Export role assignments |
| Create or remove an eligible or active role assignment, activate or deactivate an eligible assignment, view the list of pending requests, approve or deny a pending request, or cancel your own pending request. | governanceRoleAssignmentRequest | Role Assignment; Role activation; Approve requests |

Migrate to the Azure Resource Manager PIM APIs for Azure resource roles

The PIM iteration 3 API for managing Azure resources is now available through the Azure Resource Manager REST APIs. Use this guidance to migrate your existing calls to the new Azure Resource Manager APIs.

The following table describes how the Azure Resource Manager PIM APIs map to the existing Microsoft Graph APIs.

| Operation | Microsoft Graph API (iteration 2) | Azure Resource Manager API (iteration 3) |
|---|---|---|
| Register a resource | Register | Resource Manager doesn't require resources to be explicitly registered or onboarded to be managed. You can perform operations by directly using the resource scope. |
| List role definitions | List Role definitions | Role Definitions - List |
| Create role assignment requests | Create governanceRoleAssignmentRequest | Use Role Eligibility Schedule Requests - Create to create eligible role assignments; use Role Assignment Schedule Requests - Create to create active role assignments |
| List role assignments | List governanceRoleAssignments | Use Role Eligibility Schedule Instances - List to get eligible role assignments; use Role Assignment Schedule Instances - List to get active role assignments |
| Manage role settings | List governanceRoleSettings; Update governanceRoleSetting | Manage policies through Azure Resource Manager |
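The table maps operations but not request shapes, which is where most migration effort goes. The following is an added example, not code from this page or from Microsoft: it takes an iteration 2 governanceRoleAssignmentRequest body and produces the equivalent iteration 3 Azure Resource Manager PUT. The split it implements is the one the table states (Eligible assignments go to roleEligibilityScheduleRequests, Active ones to roleAssignmentScheduleRequests). Everything else is an assumption to verify against the current reference: the api-version 2020-10-01, the field names of both bodies, the mapping of the Graph `type` values (AdminAdd, UserAdd, ...) to ARM `requestType` values, the use of governanceResource.externalId and governanceRoleDefinition.externalId as the ARM scope and role definition id, and the sample GUIDs, which are constructed (the role definition GUID is the built-in Contributor role).

```python
"""Translate a PIM iteration 2 (Microsoft Graph beta) governanceRoleAssignmentRequest
into the equivalent iteration 3 (Azure Resource Manager) schedule request.

Example code; field names, enum values and the api-version are assumptions based on
the published schemas as known to the author of this example, not taken from the page.
"""
import json
import uuid

ARM_BASE = "https://management.azure.com"
ARM_API_VERSION = "2020-10-01"  # assumed api-version for the PIM ARM endpoints

# (assignmentState, type) in the Graph request -> (ARM collection, ARM requestType).
# Eligible assignments go to roleEligibilityScheduleRequests and active ones to
# roleAssignmentScheduleRequests (as in the migration table); the requestType enum
# values are assumed.
REQUEST_MAP = {
    ("Eligible", "AdminAdd"):    ("roleEligibilityScheduleRequests", "AdminAssign"),
    ("Eligible", "AdminRemove"): ("roleEligibilityScheduleRequests", "AdminRemove"),
    ("Active", "AdminAdd"):      ("roleAssignmentScheduleRequests", "AdminAssign"),
    ("Active", "AdminRemove"):   ("roleAssignmentScheduleRequests", "AdminRemove"),
    ("Active", "UserAdd"):       ("roleAssignmentScheduleRequests", "SelfActivate"),
    ("Active", "UserRemove"):    ("roleAssignmentScheduleRequests", "SelfDeactivate"),
}


def translate_request(graph_request, arm_scope, arm_role_definition_id, request_name=None):
    """Return (method, url, body) of the ARM call equivalent to a Graph request.

    arm_scope: the ARM scope the governanceResource stood for (its externalId, e.g.
    "/subscriptions/<id>/resourceGroups/<rg>"); ARM needs no separate registration.
    arm_role_definition_id: full ARM roleDefinitions id (governanceRoleDefinition.externalId).
    """
    key = (graph_request["assignmentState"], graph_request["type"])
    if key not in REQUEST_MAP:
        raise ValueError(f"no ARM equivalent implemented for {key}")
    collection, request_type = REQUEST_MAP[key]

    properties = {
        "principalId": graph_request["subjectId"],
        "roleDefinitionId": arm_role_definition_id,
        "requestType": request_type,
        "justification": graph_request.get("reason", ""),
    }

    if request_type in ("AdminAssign", "SelfActivate"):
        # Graph "schedule" {type, startDateTime, duration|endDateTime} becomes
        # ARM "scheduleInfo" {startDateTime, expiration{type, duration|endDateTime}}.
        schedule = graph_request.get("schedule") or {}
        expiration = None
        if schedule.get("duration"):
            expiration = {"type": "AfterDuration", "duration": schedule["duration"]}
        elif schedule.get("endDateTime"):
            expiration = {"type": "AfterDateTime", "endDateTime": schedule["endDateTime"]}
        elif request_type == "SelfActivate":
            # Guard added by this example: an unbounded activation is a standing
            # privilege, which defeats just-in-time access. Fail closed.
            raise ValueError("self-activation requires a bounded duration or end time")
        else:
            expiration = {"type": "NoExpiration"}
        properties["scheduleInfo"] = {
            "startDateTime": schedule.get("startDateTime"),
            "expiration": expiration,
        }

    name = request_name or str(uuid.uuid4())  # ARM wants a client-chosen GUID as the name
    url = (f"{ARM_BASE}{arm_scope}/providers/Microsoft.Authorization/{collection}/{name}"
           f"?api-version={ARM_API_VERSION}")
    return "PUT", url, {"properties": properties}


# Constructed iteration 2 request (all GUIDs made up except the Contributor role id):
# a user activates an eligible Contributor assignment on a resource group for 8 hours.
SAMPLE_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/prod-rg"
SAMPLE_ROLE_DEF = ("/subscriptions/00000000-0000-0000-0000-000000000001/providers/"
                   "Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c")
SAMPLE_GRAPH_REQUEST = {
    "roleDefinitionId": "22222222-2222-2222-2222-222222222222",
    "resourceId": "33333333-3333-3333-3333-333333333333",
    "subjectId": "44444444-4444-4444-4444-444444444444",
    "assignmentState": "Active",
    "type": "UserAdd",
    "reason": "Deploy hotfix for ticket 4711",
    "schedule": {"type": "Once", "startDateTime": "2024-05-01T09:00:00Z", "duration": "PT8H"},
}

if __name__ == "__main__":
    method, url, body = translate_request(
        SAMPLE_GRAPH_REQUEST, SAMPLE_SCOPE, SAMPLE_ROLE_DEF,
        request_name="11111111-1111-1111-1111-111111111111")
    print(method, url)
    print(json.dumps(body, indent=2))
```

Two points the translation makes visible: there is no registration step to migrate (the scope goes straight into the URL), and an activation in iteration 3 is identified by a client-chosen GUID, so idempotent retries should reuse the same name rather than mint a new one.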