💡 Feature Request - Add options for Privileged Role Assignment as part of Landing Zone deployment

[tulpy]

Describe the solution you'd like

Thanks for the community update session earlier this week, it was good to see the direction of ALZ and future focus on expanding the offering. I have been using the Vending approach recently and had some feedback from customers to compliment the role assignment with privileged role assignments as part of the deployment.

Describe alternatives you've considered

Follow a similar concept to the role assignment but include Azure AD PIM role assignments.

• optional
• boolean true / false
• pass in an array of objects for role assignments
• applied to the subscription or Resource Group context

Additional context

This approach can address permanent assigned access for "read" type access using role assignments and eligible access for "write" access using Azure AD PIM.

[jtracey93]

Hey @tulpy,

Good feature ask. We will add to our backlog and track in AB#26622.

cc: @matt-FFFFFF

[MilesCameron-DMs]

Hey @jtracey93 or @matt-FFFFFF is there any publicly accessible visibility of this feature request?

If not and its not on the horizon, i will tackle it now.

My first thought was to use what has been set out in the alz-bicep repo for RBAC access but i haven't looked yet.

[jtracey93]

Hey @MilesCameron-DMs,

It's up there, we are just getting the RP registration feature out first on the bicep front and then we have the following to prioritise and work on:

• PIM (this)
• RBAC Constrained Delegation
• UMI and OIDC deployment/configuration

What would you order them in?

[MilesCameron-DMs]

@jtracey93 i think i would probably put them in the order you have them 👍