Azure PIM Configuration

| Attribute | Details |
|---|---|
| `enablePIM` | Select the Enable Privileged Identity Management checkbox to define the scope of the Microsoft Entra ID PIM roles (Microsoft Entra ID as well as Azure). You can also enable PIM by adding the following entry on the application Debug page: `<entry key="enablePIM"><value><Boolean>true</Boolean></value></entry>` |
| `azureADRolesFilter` | In the Microsoft Entra PIM Active and Eligible Roles Filter field, enter a filter that defines which Microsoft Entra ID PIM roles are aggregated during entitlement aggregation, for example `isBuiltIn eq true`. For more information on filtering conditions and values, refer to the Microsoft documentation. You can also add the filter by adding the following entry on the application Debug page: `<entry key="azureADRolesFilter" value="isBuiltIn eq true"/>` |
| `azureRolesFilter` | In the Azure PIM Active and Eligible Roles Filter field, enter a filter that defines which Azure PIM roles are aggregated during entitlement aggregation, for example `type eq 'CustomRole'`. For more information on filtering conditions and values, refer to the Microsoft documentation. You can also add the filter by adding the following entry on the application Debug page: `<entry key="azureRolesFilter" value="type eq 'CustomRole'"/>` |
| `eligibleRoleExpiresAfter` | Specifies the default duration for which Azure and Microsoft Entra ID eligible roles are assigned to a user. The value must be in ISO 8601 duration format. For example, to assign eligible roles for 180 days, use `<entry key="eligibleRoleExpiresAfter" value="P180D"/>`. |
| `activeRoleExpiresAfter` | Specifies the default duration for which Azure and Microsoft Entra ID active roles are assigned to a user. The value must be in ISO 8601 duration format. For example, to assign active roles for 10 hours, use `<entry key="activeRoleExpiresAfter" value="PT10H"/>`. |
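A malformed duration or a mistyped filter value only shows up after the entries have been pasted into the Debug page and an aggregation or provisioning run fails, so it helps to validate the values first. The following Python script is an added example, not SailPoint's own code: it checks the two `*ExpiresAfter` values against the ISO 8601 duration subset these settings use (`PnD`, `PTnH`, `PnW`, and combinations such as `P1DT12H`), renders the five `<entry>` elements in the two forms shown above with proper attribute quoting, and reports problems as a list. The settings dictionary, the function names and the sample values are assumptions made for the example.

```python
"""Validate Azure PIM connector settings and render the Debug page entries.

Added example; not SailPoint's own tooling. Attribute names match the
configuration table above, everything else here is assumed for illustration.
"""
import re
from datetime import timedelta
from xml.sax.saxutils import quoteattr

# ISO 8601 duration subset accepted here: PnW, or PnD optionally followed by
# TnHnMnS. Years and months are deliberately not accepted: their length is
# calendar-dependent, which makes an expiry ambiguous.
_DURATION_RE = re.compile(
    r"^P(?:(?P<weeks>\d+)W|(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?)$"
)

# Attributes that take the <entry key="..." value="..."/> form.
_VALUE_ATTRIBUTES = (
    "azureADRolesFilter",
    "azureRolesFilter",
    "eligibleRoleExpiresAfter",
    "activeRoleExpiresAfter",
)


def parse_iso8601_duration(text: str) -> timedelta:
    """Convert e.g. 'P180D' or 'PT10H' to a timedelta; reject anything else."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    # 'P', 'PT' and 'P1DT' match the regex but carry no (complete) component.
    if not parts or ("T" in text and not any(k in parts for k in ("hours", "minutes", "seconds"))):
        raise ValueError(f"duration has no time component: {text!r}")
    return timedelta(**parts)


def validate_pim_settings(settings: dict) -> list[str]:
    """Return human-readable problems found in a settings dict (empty if none)."""
    problems = []
    if "enablePIM" in settings and not isinstance(settings["enablePIM"], bool):
        problems.append("enablePIM: must be a boolean (true or false)")
    for key in ("eligibleRoleExpiresAfter", "activeRoleExpiresAfter"):
        if key in settings:
            try:
                parse_iso8601_duration(str(settings[key]))
            except ValueError as exc:
                problems.append(f"{key}: {exc}")
    for key in ("azureADRolesFilter", "azureRolesFilter"):
        # A filter is an OData expression; the page's examples are single
        # comparisons, so an empty or whitespace-only value is certainly wrong.
        if key in settings and not str(settings[key]).strip():
            problems.append(f"{key}: filter must not be empty")
    return problems


def build_debug_entries(settings: dict) -> str:
    """Render the <entry> elements exactly in the two forms used on the Debug page."""
    lines = []
    if "enablePIM" in settings:
        flag = "true" if settings["enablePIM"] else "false"
        lines.append(f'<entry key="enablePIM"><value><Boolean>{flag}</Boolean></value></entry>')
    for key in _VALUE_ATTRIBUTES:
        if key in settings:
            # quoteattr picks the quote style and escapes &, <, > for us, so a
            # filter containing a single quote (type eq 'CustomRole') stays valid.
            lines.append(f'<entry key="{key}" value={quoteattr(str(settings[key]))}/>')
    return "\n".join(lines)


# Constructed sample settings using the values from the table above.
EXAMPLE_SETTINGS = {
    "enablePIM": True,
    "azureADRolesFilter": "isBuiltIn eq true",
    "azureRolesFilter": "type eq 'CustomRole'",
    "eligibleRoleExpiresAfter": "P180D",
    "activeRoleExpiresAfter": "PT10H",
}

if __name__ == "__main__":
    issues = validate_pim_settings(EXAMPLE_SETTINGS)
    if issues:
        for issue in issues:
            print("problem:", issue)
    else:
        print(build_debug_entries(EXAMPLE_SETTINGS))
```

Run it with the sample settings and it prints the five entries ready to paste; change `activeRoleExpiresAfter` to a value such as `10H` (missing the `PT` prefix) and it reports the problem instead of emitting an entry that the Debug page would accept but the connector could not interpret.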