Azure Privileged Identity Management (PIM)

The Azure Active Directory connector supports Privileged Identity Management (PIM) as a service in Azure Active Directory. PIM enables you to manage, control, and monitor access to important resources in your organization.

These resources include resources in Azure Active Directory, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. It reduces the chance of a malicious actor getting access to the resource or an authorized user accidentally impacting a sensitive resource.

Supported Features

  • Aggregation of PIM Role Assignment objects for Azure and Azure Active Directory during entitlement aggregation of type "Groups"

  • Aggregation of PIM Role Assignment objects for Azure and Azure Active Directory during Account aggregation

  • Aggregation of Azure and Azure Active Directory PIM roles during Entitlement Aggregation

  • Provisioning of eligible role assignment on user for Azure or Azure Active Directory PIM role

Operations

Group Objects

Entitlement Aggregation of type "Groups"

The following group objects are aggregated as entitlements: Azure Eligible Roles, Azure Active Directory Eligible Roles, Azure Active Roles, and Azure Active Directory Active Roles.

Entitlement Aggregation

Azure Eligible Roles, Azure Active Directory Eligible Roles, Azure Active Roles, and Azure Active Directory Active Roles (These are custom group objects)

Account Aggregation

The following group objects are aggregated as entitlements: Azure Eligible Roles, Azure Active Directory Eligible Roles, Azure Active Roles, and Azure Active Directory Active Roles.

Add or Remove Entitlement

Azure Eligible Roles, Azure Active Directory Eligible Roles

Permissions

Azure Active Directory Roles

To communicate with the PIM Graph API for Azure Active Directory roles, you must have at least one of the following permissions:

  • RoleManagement.ReadWrite.Directory

  • RoleManagement.Read.Directory

Azure Resource Roles

The PIM API for Azure resource roles is developed on top of the Azure Resource Manager framework. You will need to give consent to Azure Resource Management but won’t need any Graph API permission. You must ensure that the user or the service principal communicating with the API has at least the Owner or User Access Administrator role on the resource.