Add commands for PIM (Privileged Identity Management) in the context of users activating Microsoft Entra Roles #5669
Comments
Is the auto approval a part of the command or rather a config setting on the service? If it's the former, we should consider using
It's a config setting on the service. Some companies for instance would allow me to auto-assign myself the SharePoint admin role, but for the global admin role they'd want to approve manually.
Got it. In that case let's stick with request. Thanks for clarifying.
Instead of creating a new command group, shouldn't we move this under the The documentation seems to follow me on this: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
Good point, let's do that!
@MartinM85, @pnp/cli-for-microsoft-365-maintainers, I've been doubting a bit the last few days, what the best command structure would be here. I'm kind of leaning differently again now. No big change, just what nouns to use. You can use PIM with roles and with groups. With roles it's quite simple: you need a role assignment. You request it, it's activated. You can deactivate it, etc.

With PIM for roles

m365 entra pim role request list [options] - To list pending requests (requests may be activations or deactivations, etc)

With PIM for groups

m365 entra pim group request list [options] - To list pending requests (requests may be activations or deactivations, etc)

Thoughts?
Any thoughts @pnp/cli-for-microsoft-365-maintainers, @MartinM85?
Naming looks fine. I would suggest to add
I don't know much about PIM but the naming looks ok. No comments.
Same here
@milanholemans, @Jwaegebaert, do you use PIM?
@appieschot probably does, what do you think about this?
Not a lot to be honest, so I'm not very familiar with the behind-the-scenes namings. What you already specced out looks pretty clear.
I know the essentials of it yeah. Not an expert in it. I wanted to have a look at the commands, but haven't had much time to be honest.
When working with the CLI to manage your Microsoft 365 tenant, it's not at all unthinkable that you'd have to leave the context of the terminal to request access to an Entra ID Role. For example: For some customers I have to activate (or request to activate) the SharePoint Admin Role or Global Admin role before I can execute actions relating to that role.
It would be nice if I would not have to leave context, and can just execute a simple CLI command to request activation of my role, using the CLI for Microsoft 365. IT Admins would benefit from this.
Source
Commands to implement
We could add the following commands I think:
What I did not find was graph support for PIM requesting access to Azure Resources... Not currently available it seems.
I'm also missing support to approve requests.
More information
https://learn.microsoft.com/en-us/graph/api/resources/unifiedroleassignmentschedulerequest?view=graph-rest-1.0
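
The activation request described in this issue, and the point from the comments that approval is decided by the service, as an added example that is not part of the issue or of the CLI's code. It builds a time-bound body for Graph's unifiedRoleAssignmentScheduleRequest and maps the returned status to an outcome; the helper names and all IDs are hypothetical, and the status strings are assumed from the Graph documentation for this resource.

```typescript
// Added example; not code from the CLI for Microsoft 365 project.
// Property names follow Graph's unifiedRoleAssignmentScheduleRequest resource.
type Outcome = "active" | "awaiting-approval" | "in-progress" | "rejected";

interface SelfActivation {
  action: "selfActivate";
  principalId: string;       // object ID of the signed-in user
  roleDefinitionId: string;  // Entra role to activate
  directoryScopeId: string;  // "/" = tenant-wide scope
  justification: string;
  scheduleInfo: { startDateTime: string; expiration: { type: "afterDuration"; duration: string } };
}

// Hypothetical helper: build a time-bound request body and refuse open-ended ones.
function buildSelfActivation(principalId: string, roleDefinitionId: string,
    justification: string, hours: number, start: Date): SelfActivation {
  if (justification.trim().length === 0) {
    throw new Error("justification is required so approvers and auditors see why");
  }
  if (!Number.isInteger(hours) || hours < 1) {
    throw new Error("duration must be a whole number of hours, at least 1");
  }
  return {
    action: "selfActivate",
    principalId,
    roleDefinitionId,
    directoryScopeId: "/",
    justification: justification.trim(),
    scheduleInfo: {
      startDateTime: start.toISOString(),
      expiration: { type: "afterDuration", duration: `PT${hours}H` },
    },
  };
}

// Hypothetical helper: the role's policy on the service, not the caller, decides
// whether the request is provisioned immediately or parked for an approver.
function interpretStatus(status: string): Outcome {
  switch (status) {
    case "Provisioned": return "active";
    case "PendingApproval": return "awaiting-approval";
    case "Denied": case "Canceled": case "Failed": case "Revoked": return "rejected";
    default: return "in-progress"; // e.g. PendingProvisioning
  }
}
```

A client that treats every accepted request as an active role would misreport the manually approved case, which is why the outcome is read from the response status.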