Azure PIM Attributes
Add the following attributes to connector schema.
|
Name |
Type |
Details |
|---|---|---|
|
azureEligibleRoles |
String : Multivalued : Entitlement |
List of Azure Roles for which user is eligible |
|
azureADEligibleRoles |
String : Multivalued : Entitlement |
List of Microsoft Entra ID Roles for which user is eligible |
|
azureActiveRoles |
String : Multivalued : Entitlement |
List of Azure Roles assigned to user |
|
azureADActiveRoles |
String : Multivalued : Entitlement |
List of Microsoft Entra ID Roles assigned to user |
Membership Aggregation
Membership Aggregation is part of account aggregation. PIM Membership aggregation will be added to existing membership aggregation flow and will be triggered only if flag is ON and required attributes are present in account schema Memberships will be aggregated if flag is true and account attributes are present in schema.
For example:
-
If the enablePIM attribute is true and only Microsoft Entra ID Roles : Active is present in schema, only Microsoft Entra ID Roles membership for active assignments are aggregated.
-
PIM Memberships are aggregated per page. For example, membership is fetched for users aggregated in a page.
-
PIM Memberships for Azure resources are aggregated if Azure Management is enabled and respective attributes are present in the schema.
Membership Aggregation of PIM Roles for Microsoft Entra ID Groups
Azure / Microsoft Entra ID PIM Role assignments / membership for Microsoft Entra ID groups will be visible as entitlement attributes after running group / entitlement aggregation ONLY when relevant role attributes (mentioned above as Azure PIM attributes) are added to group schema and PIM flag is true.
Note
The PIM membership for such groups would show only the native identity of the assigned PIM roles.
Group Schema Objects
The following new group schema objects are supported.
Microsoft Entra ID Eligible Role
Object Type is azureADEligibleRole, Identity Attribute is id, and the Display Attribute is displayName.
displayName
Eligible role display name.
id
Microsoft Entra ID eligible role ID.
This is an Account ID which must not be changed.
isBuiltIn
Indicates whether role is custom or built-in.
roleName
Name of the role.
scope
Scope at which role can be assigned.
Microsoft Entra ID Active Role
Object Type is azureADActiveRole, Identity Attribute is id, and the Display Attribute is displayName.
displayName
Active AD role display name.
id
Microsoft Entra ID active role ID.
This is an Account ID which must not be changed.
isBuiltIn
Indicates whether role is custom or built-in.
roleName
Name of the role.
scope
Scope at which role can be assigned.
Azure Active Role
Object Type is azureActiveRole, Identity Attribute is id, and the Display Attribute is displayName.
displayName
Active role display name.
id
Azure active role ID.
This is an Account ID which must not be changed.
isBuiltIn
Indicates whether role is custom or built-in.
roleName
Name of the role.
scope
Scope at which role can be assigned.
Azure Eligible Role
Object Type is azureEligibleRole, Identity Attribute is id , and the Display Attribute is displayName.
displayName
Eligible role display name.
id
Azure eligible role ID.
This is an Account ID which must not be changed.
isBuiltIn
Indicates whether role is custom or built-in.
roleName
Name of the role.
scope
Scope at which role can be assigned.