Azure PIM Provisioning Policy
The existing Create Profile (Provisioning Policy) does not need to be added to or removed. However, when assigning or removing an Azure / Microsoft Entra ID Eligible or Active role assignment, additional request details can be provided through the following attributes:
duration
Details: Specifies the duration for which the role is to be assigned to the user, counted from the current time. For example, if the role is to be assigned for 6 months, the duration should be provided as P180D.
Default Values - For Eligible Role: P365D
For Active Role: P180D
Example/Format: ISO 8601 duration format must be used. For example:
- 6 months: P180D
- 1 week: P7D
- 8 hours: PT8H
- Permanent: permanent
startDateTime
Details: Specifies the start date and time from which the role is to be assigned to the user. It is optional when duration is provided but required when endDateTime is provided.
Example/Format: The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, 2021-11-19T09:40:27.91Z
endDateTime
Details: Specifies the end date and time of the user's role assignment. startDateTime must be provided along with this attribute.
Example/Format: The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, 2022-11-19T09:40:27.91Z
justification
Details: Specifies the reason for the role assignment or removal operation. Default Value: Admin Action for user id <user id>
Sample Provisioning Requests
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan nativeIdentity="8cb133a4-0cea-XXXX-8c02-XXXXXXXX">
  <AccountRequest application="Azure PIM" nativeIdentity="8cb133a4-0cea-XXXX-8c02-XXXXXXXX" op="Modify">
    <AttributeRequest name="azureActiveRoles" op="Add">
      <Value>
        <List>
          <String>/subscriptions/3XXXXXXX8-c792-1212-9b4a-8cXXXXXXX4:c2f4ef07-c644-48eb-af81-4b1b4947fb11</String>
          <String>/subscriptions/3XXXXXXX8-c792-1212-9b4a-8cXXXXXXX4:a2138dac-4907-4679-a376-736901ed8ad8</String>
        </List>
      </Value>
      <Attributes>
        <Map>
          <entry key="duration" value="P10D"/>
          <entry key="justification" value="Role Required to Manage Subscription"/>
        </Map>
      </Attributes>
    </AttributeRequest>
    <AttributeRequest name="azureEligibleRoles" op="Add">
      <Value>
        <List>
          <String>/subscriptions/3XXXXXXX8-c792-1212-9b4a-8cXXXXXXX4/resourceGroups/DEV-ENV-RG:5e467623-bb1f-42f4-a55d-6e525e11384b</String>
          <String>/subscriptions/3XXXXXXX8-c792-1212-9b4a-8cXXXXXXX4/resourceGroups/DEV-ENV-RG:4f8fab4f-1852-4a58-a46a-8eaf358af14a</String>
        </List>
      </Value>
      <Attributes>
        <Map>
          <entry key="startDateTime" value="2021-11-19T09:40:27.91Z"/>
          <entry key="endDateTime" value="2021-12-19T09:40:27.91Z"/>
          <entry key="justification" value="Role Required to Manage Dev Resource Group"/>
        </Map>
      </Attributes>
    </AttributeRequest>
  </AccountRequest>
</ProvisioningPlan>
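As an added example (not the page's or the connector's own code), the following Python applies the attribute rules above to a ProvisioningPlan: it parses the ISO 8601 duration (or permanent), applies the per-role-type defaults, accepts endDateTime only together with startDateTime, fills the default justification from the account's nativeIdentity, and rejects an entry placed inside the role List instead of the Attributes Map. The sample plan and its ids are constructed placeholders, and the code assumes that a duration counts from startDateTime when one is given and from the current time otherwise.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
DEFAULT_DURATION = {"azureEligibleRoles": "P365D", "azureActiveRoles": "P180D"}  # page defaults
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")  # P180D, P7D, PT8H

def parse_duration(value):
    """ISO 8601 day/hour/minute duration -> timedelta; 'permanent' -> None (no expiry)."""
    if value.lower() == "permanent":
        return None
    m = DURATION_RE.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"invalid ISO 8601 duration: {value!r}")
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def parse_utc(value):
    """Timestamps must be ISO 8601 in UTC with a trailing Z, e.g. 2021-11-19T09:40:27.91Z."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with trailing Z: {value!r}")
    return datetime.strptime(value[:-1], "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S")

def resolve_window(req, identity, now):
    """Apply the page's rules to one AttributeRequest -> (start, end, justification)."""
    if req.find("./Value/List/entry") is not None:  # an <entry> inside the role <List> is a mistake
        raise ValueError("entry elements belong in Attributes/Map, not in the role List")
    attrs = {e.get("key"): e.get("value") for e in req.findall("./Attributes/Map/entry")}
    start = parse_utc(attrs["startDateTime"]) if "startDateTime" in attrs else None
    if "endDateTime" in attrs:
        if start is None:
            raise ValueError("endDateTime requires startDateTime")
        end = parse_utc(attrs["endDateTime"])
    else:  # no end given: run for 'duration' (role-type default when absent); assumption:
        delta = parse_duration(attrs.get("duration", DEFAULT_DURATION[req.get("name")]))
        end = None if delta is None else (start or now) + delta  # counted from start if given, else now
    return start or now, end, attrs.get("justification", f"Admin Action for user id {identity}")

def resolve_plan(xml_text, now):
    acct = ET.fromstring(xml_text).find("AccountRequest")
    return {r.get("name"): resolve_window(r, acct.get("nativeIdentity"), now)
            for r in acct.findall("AttributeRequest")}

# Constructed sample plan (placeholder ids, not the page's): one active and one eligible request.
SAMPLE_PLAN = """<ProvisioningPlan nativeIdentity="USER-ID-PLACEHOLDER"><AccountRequest application="Azure PIM" nativeIdentity="USER-ID-PLACEHOLDER" op="Modify">
<AttributeRequest name="azureActiveRoles" op="Add"><Value><List><String>/subscriptions/SUB-ID:ROLE-A</String>
</List></Value><Attributes><Map><entry key="duration" value="PT8H"/></Map></Attributes></AttributeRequest>
<AttributeRequest name="azureEligibleRoles" op="Add"><Value><List><String>/subscriptions/SUB-ID:ROLE-B</String>
</List></Value><Attributes><Map><entry key="startDateTime" value="2021-11-19T09:40:27.91Z"/>
<entry key="endDateTime" value="2021-12-19T09:40:27.91Z"/></Map></Attributes></AttributeRequest>
</AccountRequest></ProvisioningPlan>"""
```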