Good Workaround!
Assigning PIM Azure RBAC permissions using Terraform and ARM template
Currently, Terraform does not support eligible assignments of permissions in Azure RBAC, only active assignments through the azurerm_role_assignment resource. Continue reading if you want to create eligible assignments using ARM or Terraform (Terraform will deploy the ARM template).
With the 3rd version of the PIM APIs, we have something called a Role Eligibility Schedule Request, documented in both the API documentation and the ARM documentation. However, the documentation can be a bit difficult to understand, especially because the roleDefinitionId in the ARM template must be provided differently than when using the API.
Let’s first define an ARM template, as below, that can be used to assign eligible permissions:
Parameter – principalId
This should be the objectid of the principal you are granting the access to. If you are assigning permissions to user [email protected], use the following value:
Parameter – roleDefinitionId
I spent way too much time figuring out the format of the value for this parameter, but it should be like this:
The first guid (1272951b-df54-45eb-9c08-a8c93ea18302) should be changed to the subscription id of your subscription, while the second guid (b24988ac-6180-42a0-ab88-20f7382dd24) is the Azure RBAC role id, found here. The example provided is “Contributor”.
Parameter – id
All eligible schedule requests have a unique ID, defined client side, so this should basically just be a unique guid. The ARM template generates it automatically.
Parameter – requestType
I have defaulted this to AdminUpdate, as that also works for new assignments. However, due to how PIM works, in order to actually remove an assignment, you must deploy the ARM template with the value “AdminRemove”. This is super annoying from a Terraform perspective. Also, when deploying with AdminRemove a second time, it fails with RoleAssignmentDoesNotExist.
Deploying using ARM template
Here is how to deploy eligible contributor permission to a user with objectid e9176fb9-63d3-480a-a51f-e5399059b588 on subscription level:
And this is how to do the same thing on resource group level:
Now that we have things going with the ARM template, let’s do it with Terraform as well.
Deploying using Terraform
Some say it’s cheating, but we need to use the ARM template here as well, because currently no Terraform resource exists for eligible role assignments.
Also, Terraform does not support comments in JSON documents, so remove them before saving the file.
Go to https://github.com/goodworkaround/terraform-az-rbac-pim-assignment and clone my Terraform example. The example uses the Azure AD provider to create groups, which is not necessary. You can get away with only the AzureRM provider, but then you need to specify the objectids of the principals you are granting access to.
There are two modules available:
PIM Assignment – Subscription
The following code will create an Azure AD group called “subscription_owner_group_1” and assign it eligible “Owner” on the subscription:
As an admin in PIM, you will find the following assignment:
Members of the group should see this in PIM:
It is worth noting that simply removing the module from your configuration will not remove the assignment. Instead, the module must first be applied with request_type = “AdminRemove”, which removes the permission. Then you can remove the module.
PIM Assignment – Resource Group
The following code will create an Azure AD group called “rg_contributor_group_1”, a resource group “rg1” and delegate the group eligible Contributor on the resource group:
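The workflow above, as an added example written for this page (my own code, not the module linked in the post): the ARM template is built inline with jsonencode so it can carry comments, request_type flips between AdminUpdate and AdminRemove, and the provider is told not to DELETE the nested request on destroy. It assumes azurerm provider 3.x, the Microsoft.Authorization/roleEligibilityScheduleRequests resource at apiVersion 2020-10-01, and placeholder IDs that you replace with your own.

```terraform
# Added example: one eligible Azure RBAC assignment on a subscription,
# deployed as an inline ARM template through Terraform. IDs are placeholders.
provider "azurerm" {
  features {
    template_deployment {
      # The request resource rejects HTTP DELETE (405), so never let the
      # provider try to delete nested resources on destroy. Revoke with
      # request_type = "AdminRemove" first, then drop the resource.
      delete_nested_items_during_deletion = false
    }
  }
}

variable "subscription_id" { type = string }     # placeholder: your subscription id
variable "principal_object_id" { type = string } # object id of the user or group
variable "role_definition_guid" {
  type    = string
  default = "00000000-0000-0000-0000-000000000000" # placeholder: built-in role GUID
}
variable "request_type" {
  type    = string
  default = "AdminUpdate" # creates or updates; "AdminRemove" revokes
  validation {
    condition     = contains(["AdminUpdate", "AdminRemove"], var.request_type)
    error_message = "request_type must be AdminUpdate or AdminRemove."
  }
}

locals {
  # ARM wants the full role definition resource id; the REST API takes the bare GUID.
  role_definition_id = "/subscriptions/${var.subscription_id}/providers/Microsoft.Authorization/roleDefinitions/${var.role_definition_guid}"
}

resource "azurerm_subscription_template_deployment" "pim_eligible" {
  name     = "pim-eligible-${var.principal_object_id}"
  location = "westeurope"

  # jsonencode keeps the template commentable in HCL; Terraform rejects comments in raw JSON.
  template_content = jsonencode({
    "$schema"      = "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#"
    contentVersion = "1.0.0.0"
    parameters = {
      # Each request needs a fresh client-side GUID; reusing one returns 409 Conflict.
      id        = { type = "string", defaultValue = "[newGuid()]" }
      startTime = { type = "string", defaultValue = "[utcNow()]" }
    }
    resources = [{
      type       = "Microsoft.Authorization/roleEligibilityScheduleRequests"
      apiVersion = "2020-10-01"
      name       = "[parameters('id')]"
      properties = {
        principalId      = var.principal_object_id
        roleDefinitionId = local.role_definition_id
        requestType      = var.request_type
        scheduleInfo = {
          startDateTime = "[parameters('startTime')]"
          expiration    = { type = "NoExpiration" }
        }
      }
    }]
  })
}
```

To revoke, apply once with request_type = "AdminRemove" and only then remove the resource from the configuration; a second AdminRemove apply fails with RoleAssignmentDoesNotExist, as the post notes.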
Published by Marius Solbakken
16 thoughts on “Assigning PIM Azure RBAC permissions using Terraform and ARM template”
Nice article, could you please tell me the Role that is assigned to the service principle doing this task?
Hi, if you mean the role of the principal that deploys the ARM template, it is either Owner or User Access Administrator. 🙂
thank you! I will try with that.
Have you tried using the AdminRemove test for the same principal ID which was added by the AdminAdd step? It fails every time.
I have, with success – what is your error message?
Error: removing items provisioned by this Template Deployment: `properties.OutputResources` was nil – insufficient data to clean up this Template Deployment
Ah yes, can you try to disable the delete_nested_items_during_deletion setting of the azurerm provider to see if that resolves things?
yup that worked, I don’t really use ARM deployment with TF, but your article has been quite helpful.
One more thing I noticed: after assigning an Az resource PIM role to a principal ID, if I run the same release again, it fails with the error { "code": "Conflict", "message": "A role assignment request with Id: a2d47b66-96d6-16d4-5b35-29b3139cae94 already exists" }. I thought it would just pass through.
Yes I know. The API expects a unique id each time. Terrible design on the Microsoft side.
Will this work for AD roles like “User Administrator” or “Application Administrator”? I am trying to make PIM work for Azure AD roles.
No, this is for RBAC only. Azure AD PIM roles are a completely different API 🙂
That is right, also make sure your SPN has the right API permissions and RBAC to do this via code for Az Resource Roles or AD roles 🙂 For Resource Roles I was able to get it working with User Access Admin on the subscription as well as Contributor Access with User.Read, PrivilegedAccess.Read.AzureResources and PrivilegedAccess.Write.AzureResources access with Grant permissions at least.
Great solution! A couple of questions if you don’t mind!
1/ we were thinking to use ‘az rest’ to achieve the same but all of our testing using: https://docs.microsoft.com/en-us/rest/api/authorization/role-eligibility-schedule-requests/create#requesttype
with basically an identical payload it didn’t create the assignment, it left it in a strange ‘pending’ state
any thoughts on why this might be?
2/ any ideas on setting the role policy via ARM or REST? eg MFA required, 4 hours, etc… it uses PATCH method: https://docs.microsoft.com/en-us/rest/api/authorization/privileged-role-policy-rest-sample#update-a-role-management-policy
This is a great solution but I am facing an issue when running AdminRemove on the resource group template; it fails with the error below:
Error: removing items provisioned by this Template Deployment: deleting Nested Resource "/subscriptions/***/resourceGroups/***/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/***": resources.Client#DeleteByID: Failure sending request: StatusCode=405 -- Original Error: Code="Failed" Message="The async operation failed." AdditionalInfo=[{"message":"The requested resource does not support http method 'DELETE'."}]
Hi, for this you will need to disable the delete_nested_items_during_deletion feature tag. This was defaulted to true at some point in the past.
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group_template_deployment
Manage Azure Role Assignments Like a Pro with PowerShell
Today’s blog post is a little bit different. I have a couple of examples of how you can use PowerShell snippets and simple cmdlets to get or set role assignments in your Azure subscriptions.
PowerShell examples for managing Azure Role assignments
- List all role assignments in a subscription
- Get all role assignments for a specific resource group
- Get all role assignments for a specific user
- Add a role assignment to a user
- Remove a role assignment for a user
- Remove all role assignments for a specific user
- List all built-in roles
- List all custom roles
- Create a custom role
- Update a custom role
- Delete a custom role
- List all users or groups assigned to a specific role
- List all permissions granted by a specific role
- List all resource groups that a user has access to
- Create a role assignment for a service principal
- PowerShell script to manage Azure role assignments
And now there is a script that combines some of these examples into one usable function:
I hope this was useful. Let me know if you liked the format of this blog and if you want me to include more of these examples.
Vukasin Terzic
Create Azure role assignments
In this section, you grant permissions to GKE on Azure to access Azure APIs.
To save your service principal and subscription IDs to a shell variable, run the following command. Replace APPLICATION_NAME with a name for your application.
Assign permissions to the service principal. GKE on Azure requires permissions to provision required roles for the managed Azure resources at the subscription level.
To create a custom role with required subscription scoped permissions:
Create a new file named RoleAssignmentCreator.json .
Open RoleAssignmentCreator.json in an editor and add the following permissions:
Create the new custom role with the following command:
Assign the role to the service principal using the following command:
When assigning permissions, you can scope them either at the Azure subscription level, which applies to all resources within the subscription, or at the resource group level, which limits permissions to a specific resource group.
Subscription
Assign the Contributor, User Access Administrator, and Key Vault Administrator roles to your subscription:
Resource group
Create role assignments scoped to the cluster resource group. Replace CLUSTER_RESOURCE_GROUP_NAME with the name of the resource group for your GKE on Azure cluster.
If your Azure Virtual Network is in a different resource group, create role assignments scoped to the virtual network resource group.
Replace the following:
- VNET_RESOURCE_GROUP_NAME: the name of the resource group for your GKE on Azure VNet
Last updated 2024-04-24 UTC.
Role Assignment Schedule Requests
Link to resource definition: Microsoft.Authorization/roleAssignmentScheduleRequests
RoleAssignmentSchedule.ReadWrite.Directory
Allows the app to read and manage the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships.
Interface RoleAssignmentSchedule
Role Assignment schedule
All members are optional:
- assignmentType: Assignment type of the role assignment schedule.
- condition: The conditions on the role assignment. This limits the resources it can be assigned to, e.g. `@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'`.
- conditionVersion: Version of the condition. Currently the only accepted value is '2.0'.
- createdOn: DateTime when the role assignment schedule was created.
- endDateTime: End DateTime of the role assignment schedule.
- expandedProperties: Additional properties of principal, scope and role definition.
- id: The role assignment schedule Id. NOTE: This property will not be serialized. It can only be populated by the server.
- linkedRoleEligibilityScheduleId: The id of the roleEligibilitySchedule used to activate this roleAssignmentSchedule.
- memberType: Membership type of the role assignment schedule.
- name: The role assignment schedule name. NOTE: This property will not be serialized. It can only be populated by the server.
- principalId: The principal ID.
- principalType: The principal type of the assigned principal ID.
- roleAssignmentScheduleRequestId: The id of the roleAssignmentScheduleRequest used to create this roleAssignmentSchedule.
- roleDefinitionId: The role definition ID.
- scope: The role assignment schedule scope.
- startDateTime: Start DateTime of the role assignment schedule.
- status: The status of the role assignment schedule.
- type: The role assignment schedule type. NOTE: This property will not be serialized. It can only be populated by the server.
- updatedOn: DateTime when the role assignment schedule was modified.
Create an assignment rule
Create an assignment rule and apply it to a single table. Assignment rules are designed to run at the time you open a record.
- Navigate to All > System Policy > Rules > Assignment and click New.
Get unifiedRoleAssignmentScheduleRequest
Namespace: microsoft.graph
In PIM, read the details of a request for an active and persistent role assignment made through the unifiedRoleAssignmentScheduleRequest object.
This API is available in the following national cloud deployments .
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it . For details about delegated and application permissions, see Permission types . To learn more about these permissions, see the permissions reference .
For delegated scenarios, the signed-in user must also be assigned at least one of the following Microsoft Entra roles :
- For read operations: Global Reader, Security Operator, Security Reader, Security Administrator, or Privileged Role Administrator
- For write operations: Privileged Role Administrator
HTTP request
Optional query parameters
This method supports the $select and $expand OData query parameters to help customize the response. For general information, see OData query parameters.
Request headers
Request body
Don't supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a unifiedRoleAssignmentScheduleRequest object in the response body.
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
Note: The response object shown here might be shortened for readability.
Example 2: Retrieve specified properties of a role assignment request and expand the relationships