PIM for Groups + PIM for Azure Resource
This is a short post about PIM activations for reference purposes. (Because I tend to forget things and refer to my own blogs for reminders)
If a user is “eligible” for membership of a group, and that group is “eligible” for an Azure resource role, the user can activate as a member of the group (PIM activation #1) and is then eligible to activate the Azure resource role through that group membership (PIM activation #2). Sure, this means 2 PIM activations, but that’s not the point – more on that at the end.
Obviously, activations #1 and #2 can have different durations (end times). My observation is that if activation #2 ends later than activation #1 (or if activation #1 is deactivated), the user will still have the Azure resource role (#2) until its end time is reached, despite having been removed from the group that made them eligible for the role in the first place.
In the screenshot below, you can see PIM Activation #1 has an End time of 12:08:08 PM for the group membership assignment.

Then, in PIM activation #2 for the Azure resources assignment, the end time is 2:20:50 PM that same day.

After the group assignment was deactivated, the user is still “Active time-bound” in the reader role until 14:20:50 (Azure IAM displays time differently for some reason), as can be seen below:
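One way to check a set of activation records for this gap, as an added example that is not part of the original post: it runs over constructed records in a hypothetical `Activation` shape (not the real PIM audit-log schema), reports every Azure resource role activation that is still active after the group membership it depended on ended, and uses placeholder subscription scope values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Activation:
    """One PIM activation. Hypothetical shape, not the real PIM audit-log schema."""
    user: str
    kind: str                      # "group" (PIM for Groups) or "role" (PIM for Azure resources)
    target: str                    # group name, or "<role>@<scope>"
    via_group: str | None          # for kind == "role": the group whose eligibility was used
    start: datetime
    end: datetime
    deactivated_at: datetime | None = None

    def effective_end(self) -> datetime:
        # A manual deactivation cuts the window short; otherwise it runs to the End time.
        if self.deactivated_at is not None and self.deactivated_at < self.end:
            return self.deactivated_at
        return self.end

def residual_role_windows(activations: list[Activation]) -> list[tuple]:
    """Return (user, role_target, gap_start, gap_end) for every Azure resource role
    activation that is still active after the group membership it depended on ended."""
    findings = []
    for role in (a for a in activations if a.kind == "role" and a.via_group):
        memberships = [a for a in activations
                       if a.kind == "group" and a.user == role.user and a.target == role.via_group
                       and a.start <= role.start < a.effective_end()]
        if not memberships:
            continue  # membership was not active when the role was activated; not this pattern
        membership_end = max(m.effective_end() for m in memberships)
        if role.effective_end() > membership_end:
            findings.append((role.user, role.target, membership_end, role.effective_end()))
    return findings

def T(hhmmss: str) -> datetime:
    return datetime(2024, 1, 15, *map(int, hhmmss.split(":")))  # constructed date
# Constructed sample: alice mirrors the post (membership ends 12:08:08 but is deactivated
# early; role activation runs to 14:20:50). bob's role activation ends before his membership.
SAMPLE = [
    Activation("alice", "group", "pim-readers", None, T("11:08:08"), T("12:08:08"), T("11:30:00")),
    Activation("alice", "role", "Reader@/subscriptions/<sub-placeholder>", "pim-readers", T("11:20:50"), T("14:20:50")),
    Activation("bob", "group", "pim-readers", None, T("09:00:00"), T("17:00:00")),
    Activation("bob", "role", "Reader@/subscriptions/<sub-placeholder>", "pim-readers", T("09:10:00"), T("12:10:00")),
]

if __name__ == "__main__":
    for user, role, gap_start, gap_end in residual_role_windows(SAMPLE):
        print(f"{user} keeps {role} from {gap_start:%H:%M:%S} to {gap_end:%H:%M:%S} with no membership")
```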

I would say that these are 2 good reasons why you should active-assign a role to a group rather than eligible-assign it, and then eligible-assign users as members of the group, because:
- The user only needs to request one activation to get membership (and inherit the role) and no other activations.
- Because there is only one activation, the same expiry applies to the access and to the membership of the group.
So, in other words:
- Group is assigned the Azure resource RBAC role permanently* either through IAM or PIM.
- The group can be assigned multiple roles, even combining Entra roles with Azure resource roles.
- The user is assigned an eligible assignment to become a member of the group through a PIM activation request.
- The user inherits (and gets revoked) all the roles of the group in one activation only.
- Neat and tidy.
*Permanent here can mean indefinitely, or active only for a period of 15 days, 1 month, 3 months, 6 months or 1 year, depending on the role’s settings in PIM.

I haven’t tested this with Entra Roles yet, but I’m sure the same will apply.
In conclusion, active-assign the role to the group and eligible-assign the user as a member of the group – this way, only 1 activation request with 1 end time applies.
Let me know if you have had similar experiences or have any questions about PIM in the comments below.