
Add commands for PIM (Privileged Identity Management) in the context of users activating Microsoft Entra Roles #5669

Open
2 of 11 tasks
martinlingstuyl opened this issue Nov 15, 2023 · 14 comments

@martinlingstuyl
Contributor

martinlingstuyl commented Nov 15, 2023

When working with the CLI to manage your Microsoft 365 tenant, it's not at all unthinkable that you'd have to leave the context of the terminal to request access to an Entra ID Role. For example: For some customers I have to activate (or request to activate) the SharePoint Admin Role or Global Admin role before I can execute actions relating to that role.

It would be nice if I would not have to leave context, and can just execute a simple CLI command to request activation of my role, using the CLI for Microsoft 365. IT Admins would benefit from this.

Privileged Identity Management (PIM) is a feature of Microsoft Entra ID Governance that enables you to manage, control, and monitor access to important resources in your organization. One method through which principals such as users, groups, and service principals (applications) are granted access to important resources is through assignment of Microsoft Entra roles.

The PIM for Microsoft Entra roles APIs allow you to govern privileged access and limit excessive access to Microsoft Entra roles. This article introduces the governance capabilities of PIM for Microsoft Entra roles APIs in Microsoft Graph.

Source

Commands to implement

This issue is specifically about PIM in the context of users requesting role activation. So not in the context of Admins approving role activations of users, though we may add that later if there would be interest.

We could add the following commands I think:

What I did not find was graph support for PIM requesting access to Azure Resources... Not currently available it seems.
I'm also missing support to approve requests.

More information

https://learn.microsoft.com/en-us/graph/api/resources/unifiedroleassignmentschedulerequest?view=graph-rest-1.0

@waldekmastykarz
Member

I'm using request add here, as the PIM roleassignment can be auto-approved or sent for approval to an admin.

Is the auto approval a part of the command or rather a config setting on the service? If it's the former, we should consider using m365 pim roleassignment add because there's no request, similarly to how you add a permission grant on SPFx.

@martinlingstuyl
Contributor Author

Is the auto approval a part of the command or rather a config setting on the service? If it's the former, we should consider using m365 pim roleassignment add because there's no request, similarly to how you add a permission grant on SPFx.

It's a config setting on the service. Some companies for instance would allow me to auto-assign myself the sharepoint admin role, but for the global admin role they'd want to approve manually.

@waldekmastykarz
Member

Got it. In that case let's stick with request. Thanks for clarifying.

@milanholemans
Contributor

Instead of creating a new command group, shouldn't we move this under the aad umbrella?

The documentation seems to follow me on this: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure

What is Microsoft Entra Privileged Identity Management?

Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization.

@martinlingstuyl
Contributor Author

Good point, let's do that!

@martinlingstuyl
Contributor Author

martinlingstuyl commented Feb 13, 2024

@MartinM85, @pnp/cli-for-microsoft-365-maintainers , I've been doubting a bit the last few days, what the best command structure would be here.

I'm kind of leaning differently again now. No big change, just what nouns to use.

You can use PIM with roles and with groups. With roles it's quite simple: you need a role assignment. You request it, it's activated. You can deactivate it, etc.
For PIM with Groups it's similar but different. PIM for Groups enables users to activate the ownership or membership of a Microsoft Entra security group or Microsoft 365 group. Groups can be used to govern access to various scenarios that include Microsoft Entra roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications.

With PIM for roles

m365 entra pim role request list [options] - To list pending requests (requests may be activations or deactivations, etc)
m365 entra pim role assignment list [options] - Get a list of role assignments
m365 entra pim role assignment list --eligible [options] - Get a list of eligible roles (we need to check the output though, it's two endpoints.)
m365 entra pim role assignment eligibility list [options] - Alternative to the above.
m365 entra pim role assignment add [options] - Request a roleassignment for a user/group. (adminAssign and selfActivate)
m365 entra pim role assignment remove [options] - Request revocation of a roleassignment for a user/group. (adminRemove and selfDeactivate)

With PIM for groups

m365 entra pim group request list [options] - To list pending requests (requests may be activations or deactivations, etc)
m365 entra pim group assignment list [options] - Get a list of role assignments for groups
m365 entra pim role assignment list --eligible [options] - Get a list of eligible group roles (we need to check the output though, it's two endpoints.)
m365 entra pim group assignment eligibility list [options] - Alternative to the above.
m365 entra pim group assignment add [options] - Request a group roleassignment for a user.
m365 entra pim group assignment remove [options] - Request revocation of a group roleassignment for a user.

Thoughts?
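The two self-service actions in the proposal above (`assignment add` with selfActivate and `assignment remove` with selfDeactivate) both map to one Microsoft Graph resource, the unifiedRoleAssignmentScheduleRequest linked earlier in the thread, posted to /roleManagement/directory/roleAssignmentScheduleRequests. The TypeScript below is an added illustration written for this page, not code from CLI for Microsoft 365; it builds and validates those two request bodies and the POST that carries them. The sample principal and role ids are constructed placeholders, and the helper names (buildSelfActivate, buildSelfDeactivate, toGraphRequest) are assumptions of this example, not names from the CLI's code base.

```typescript
// Added example for this discussion, not code from CLI for Microsoft 365.
// Builds the Microsoft Graph request behind self-activation and
// self-deactivation of an eligible Entra role: a POST of a
// unifiedRoleAssignmentScheduleRequest.

type SelfAction = 'selfActivate' | 'selfDeactivate';

interface ScheduleRequestBody {
  action: SelfAction;
  principalId: string;        // object id of the user activating the role
  roleDefinitionId: string;   // id of the Entra role definition being activated
  directoryScopeId: string;   // '/' means the whole tenant
  justification?: string;
  scheduleInfo?: {
    startDateTime: string;
    expiration: { type: 'afterDuration'; duration: string };
  };
  ticketInfo?: { ticketNumber: string; ticketSystem?: string };
}

interface GraphRequest {
  method: 'POST';
  url: string;
  headers: Record<string, string>;
  body: ScheduleRequestBody;
}

interface SelfActivateOptions {
  principalId: string;
  roleDefinitionId: string;
  justification: string;   // this example always demands one; many PIM role settings do too
  durationHours: number;   // the role's PIM setting caps the allowed activation length
  directoryScopeId?: string;
  ticketNumber?: string;
  ticketSystem?: string;
  now?: Date;              // injectable so the start time is deterministic in tests
}

const GRAPH_URL =
  'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests';
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function assertGuid(name: string, value: string): void {
  if (!GUID_RE.test(value)) {
    throw new Error(`${name} must be a GUID, got "${value}"`);
  }
}

// scheduleInfo.expiration.duration is an ISO 8601 duration, e.g. 8 -> "PT8H".
function isoDuration(hours: number): string {
  if (!Number.isInteger(hours) || hours <= 0) {
    throw new Error(`durationHours must be a positive integer, got ${hours}`);
  }
  return `PT${hours}H`;
}

// Body for "assignment add" in the self-service case (action selfActivate).
function buildSelfActivate(opts: SelfActivateOptions): ScheduleRequestBody {
  assertGuid('principalId', opts.principalId);
  assertGuid('roleDefinitionId', opts.roleDefinitionId);
  const justification = opts.justification.trim();
  if (justification.length === 0) {
    throw new Error('justification must not be empty');
  }
  const body: ScheduleRequestBody = {
    action: 'selfActivate',
    principalId: opts.principalId,
    roleDefinitionId: opts.roleDefinitionId,
    directoryScopeId: opts.directoryScopeId ?? '/',
    justification,
    scheduleInfo: {
      startDateTime: (opts.now ?? new Date()).toISOString(),
      expiration: { type: 'afterDuration', duration: isoDuration(opts.durationHours) },
    },
  };
  if (opts.ticketNumber) {
    body.ticketInfo = { ticketNumber: opts.ticketNumber, ticketSystem: opts.ticketSystem };
  }
  return body;
}

// Body for "assignment remove" in the self-service case (action selfDeactivate).
// No schedule is needed: the active assignment ends once Graph accepts the request.
function buildSelfDeactivate(
  principalId: string,
  roleDefinitionId: string,
  directoryScopeId = '/'
): ScheduleRequestBody {
  assertGuid('principalId', principalId);
  assertGuid('roleDefinitionId', roleDefinitionId);
  return { action: 'selfDeactivate', principalId, roleDefinitionId, directoryScopeId };
}

// Wraps a body in the HTTP request a CLI command would send with the user's token.
function toGraphRequest(accessToken: string, body: ScheduleRequestBody): GraphRequest {
  return {
    method: 'POST',
    url: GRAPH_URL,
    headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
    body,
  };
}

// Constructed sample ids (not real tenant values).
const SAMPLE_USER_ID = '11111111-2222-3333-4444-555555555555';
const SAMPLE_ROLE_ID = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee';

const sample = toGraphRequest('<access-token>', buildSelfActivate({
  principalId: SAMPLE_USER_ID,
  roleDefinitionId: SAMPLE_ROLE_ID,
  justification: 'Deploy SPFx package to app catalog',
  durationHours: 8,
}));
console.log(JSON.stringify(sample.body, null, 2));
```

Whether the tenant's PIM policy auto-approves the activation or routes it to an approver (the distinction raised earlier in the thread) is decided by the service, not by anything in the body, so the same request object serves both cases; a CLI command would only need to surface the status Graph returns.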

@martinlingstuyl
Contributor Author

Any thoughts @pnp/cli-for-microsoft-365-maintainers, @MartinM85?

@MartinM85
Contributor

Naming looks fine. I would suggest adding
m365 entra pim role assignment set [options] and m365 entra pim group assignment set [options] for update/renew assignment

@waldekmastykarz
Member

I don't know much about PIM but the naming looks ok. No comments.

@Adam-it
Contributor

Adam-it commented Feb 18, 2024

I don't know much about PIM but the naming looks ok. No comments.

Same here

@martinlingstuyl
Contributor Author

@milanholemans, @Jwaegebaert, do you use PIM?

@martinlingstuyl
Contributor Author

@appieschot probably does, what do you think about this?

@Jwaegebaert
Contributor

@milanholemans, @Jwaegebaert, do you use PIM?

Not a lot to be honest, so I'm not very familiar with the behind-the-scenes namings. What you already specced out looks pretty clear.

@milanholemans
Contributor

I know the essentials of it yeah. Not an expert in it. I wanted to have a look at the commands, but haven't had much time to be honest.
