Azure Privileged Identity Management (PIM)

The Microsoft Entra ID connector supports Microsoft Entra Privileged Identity Management (PIM), a service in Microsoft Entra ID that lets you manage, control, and monitor access to important resources in your organization.

These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources. It reduces the chance of a malicious actor getting access to the resource or an authorized user accidentally impacting a sensitive resource.

Supported Features

  • Aggregation of PIM Role Assignment objects for Azure and Microsoft Entra ID during entitlement aggregation of type "Groups"

  • Aggregation of PIM Role Assignment objects for Azure and Microsoft Entra ID during Account aggregation

  • Aggregation of Azure and Microsoft Entra ID PIM roles during Entitlement Aggregation

  • Provisioning of eligible role assignments to a user for Azure or Microsoft Entra ID PIM roles

Operations

The connector represents PIM roles as four custom group objects: Azure Eligible Roles, Microsoft Entra ID Eligible Roles, Azure Active Roles, and Microsoft Entra ID Active Roles. The operations below act on these group objects.

  • Entitlement Aggregation of type "Groups": the four group objects are aggregated as entitlements.

  • Entitlement Aggregation: the four group objects (custom group objects) are aggregated as entitlements.

  • Account Aggregation: each account's PIM role assignments are aggregated as membership in the four group objects.

  • Add or Remove Entitlement: supported for all four group objects.

Permissions

Microsoft Entra ID Roles (azureADActiveRoles and azureADEligibleRoles)

To communicate with the PIM Graph API for Microsoft Entra ID roles, the client application must have at least one of the following application permissions. RoleManagement.Read.Directory is sufficient for aggregation; provisioning eligible role assignments is a write operation and requires RoleManagement.ReadWrite.Directory, so grant the read-only permission unless provisioning is in scope:

  • RoleManagement.ReadWrite.Directory

  • RoleManagement.Read.Directory

To grant these permissions to the client application, refer to the steps in the Required Permissions topic.

Azure Resource Roles (azureActiveRoles and azureEligibleRoles)

The PIM API for Azure resource roles is built on the Azure Resource Manager (ARM) framework. The client application needs consent to the Azure Service Management API (Azure Resource Manager), but no Microsoft Graph API permission. In addition, the user or service principal that calls the API must hold at least the Owner or User Access Administrator role on the resource (management group, subscription, or resource group) whose role assignments the connector reads or provisions.
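The following is an added example, not the connector's or Microsoft's own code. It shows the two read paths the permissions above unlock (Microsoft Graph for Entra ID roles, Azure Resource Manager for Azure resource roles), checks that the Graph token actually carries one of the two RoleManagement permissions before spending a call, follows pagination, and sorts the results into the four entitlement buckets named in the Operations section. The endpoint names and ARM api-version are real; the sample payloads and the unsigned token are constructed, and the bucket value shape (roleDefinitionId plus scope) is an assumption, not the connector's documented format.

```python
"""Enumerate a principal's PIM role assignments via Graph and ARM and bucket them.
Added example; endpoint names are Microsoft's, everything else is illustrative."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Any, Dict, List, Set

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"
ARM = "https://management.azure.com"
ARM_API_VERSION = "2020-10-01"  # api-version of the PIM schedule-instance resources
GRAPH_PERMISSIONS = {"RoleManagement.Read.Directory", "RoleManagement.ReadWrite.Directory"}
# Same resource names on both APIs: eligible = can activate, active = currently assigned.
RESOURCE = {"eligible": "roleEligibilityScheduleInstances",
            "active": "roleAssignmentScheduleInstances"}


def graph_url(state: str, principal_id: str) -> str:
    """Entra ID PIM instances for one principal (needs RoleManagement.*.Directory)."""
    query = urllib.parse.urlencode({"$filter": f"principalId eq '{principal_id}'"})
    return f"{GRAPH}/{RESOURCE[state]}?{query}"


def arm_url(state: str, scope: str, principal_id: str) -> str:
    """Azure resource PIM instances at a scope such as /subscriptions/<id>.
    No Graph permission: the caller needs Owner or User Access Administrator there."""
    query = urllib.parse.urlencode({"api-version": ARM_API_VERSION,
                                    "$filter": f"assignedTo('{principal_id}')"})
    return f"{ARM}{scope}/providers/Microsoft.Authorization/{RESOURCE[state]}?{query}"


def graph_token_permissions(token: str) -> Set[str]:
    """Read the 'roles' (application) and 'scp' (delegated) claims from a token.
    Inspection only: the signature is not verified, this just tells you what the
    token carries before you make a call that would fail with 403."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def has_pim_read(token: str) -> bool:
    return bool(graph_token_permissions(token) & GRAPH_PERMISSIONS)


def fetch_json(url: str, token: str) -> Dict[str, Any]:
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(url: str, token: str) -> Dict[str, Any]:
    """Follow paging: Graph uses @odata.nextLink, ARM uses nextLink."""
    items: List[Dict[str, Any]] = []
    while url:
        page = fetch_json(url, token)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink") or page.get("nextLink")
    return {"value": items}


def bucket_assignments(graph_eligible, graph_active, arm_eligible, arm_active) -> Dict[str, List[Dict[str, str]]]:
    """Map raw API items onto the connector's four entitlement attributes.
    Value shape is an assumption made for this example."""
    def entra(page):  # Graph items are flat; directoryScopeId "/" means tenant-wide
        return [{"roleDefinitionId": i["roleDefinitionId"],
                 "scope": i.get("directoryScopeId", "/")} for i in page["value"]]

    def azure(page):  # ARM items nest everything under "properties"
        return [{"roleDefinitionId": i["properties"]["roleDefinitionId"],
                 "scope": i["properties"]["scope"]} for i in page["value"]]

    return {"azureADEligibleRoles": entra(graph_eligible),
            "azureADActiveRoles": entra(graph_active),
            "azureEligibleRoles": azure(arm_eligible),
            "azureActiveRoles": azure(arm_active)}


def collect(principal_id: str, scope: str, graph_token: str, arm_token: str):
    """Live path: refuse early if the Graph token cannot read PIM."""
    if not has_pim_read(graph_token):
        raise PermissionError("Graph token lacks RoleManagement.Read/ReadWrite.Directory")
    return bucket_assignments(fetch_all(graph_url("eligible", principal_id), graph_token),
                              fetch_all(graph_url("active", principal_id), graph_token),
                              fetch_all(arm_url("eligible", scope, principal_id), arm_token),
                              fetch_all(arm_url("active", scope, principal_id), arm_token))


def fake_token(claims: Dict[str, Any]) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


# Constructed sample responses, trimmed to the fields used above.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_GRAPH_ELIGIBLE = {"value": [{"principalId": "11111111-1111-1111-1111-111111111111",
                                    "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
                                    "directoryScopeId": "/"}]}
SAMPLE_GRAPH_ACTIVE = {"value": []}
SAMPLE_ARM_ELIGIBLE = {"value": [{"properties": {"roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
                                                 "scope": SUB, "status": "Provisioned"}}]}
SAMPLE_ARM_ACTIVE = {"value": [{"properties": {"roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
                                               "scope": SUB, "status": "Provisioned"}}]}

if __name__ == "__main__":
    print(json.dumps(bucket_assignments(SAMPLE_GRAPH_ELIGIBLE, SAMPLE_GRAPH_ACTIVE,
                                        SAMPLE_ARM_ELIGIBLE, SAMPLE_ARM_ACTIVE), indent=2))
```

`collect` is the only function that touches the network; the rest runs offline on the constructed samples. The token check is deliberately a claim inspection, not validation: it catches a misconsented app registration before the first 403, and the Graph response itself remains the authority on what the token can do.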

To assign the Owner or User Access Administrator role, complete the following. Assign it at the narrowest scope that covers the resources whose roles the connector must read or provision, and prefer User Access Administrator, since Owner also grants full control of the resources themselves:

  1. Log in to portal.azure.com and go to All Services > Management Groups or <CU Subscription> (CU tenant).

  2. On the left-hand side of the screen, select Access Control (IAM).

  3. Select Role Assignments and then the +Add button to assign the Owner or User Access Administrator role on the resource.