Privileged Identity Management (PIM) #68

Closed
Lachlan-White opened this issue Mar 25, 2019 · 80 comments · Fixed by #1327

Comments

@Lachlan-White

Lachlan-White commented Mar 25, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Ability to Create PIM Policies and Configure PIM access via Terraform

New or Affected Resource(s)

New data source would be required

  • azuread_privileged_identity_management

Potential Terraform Configuration

resource "azurerm_privileged_identity_management" "PIM-Group-1" {
  scope = "Subscription_PIM_1"
  role_definition_name = "Contributor"
  aad_group_id = "${var.aad_group_id}"
}

References

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

@mharrison365

What would also be super helpful here would be support for "Azure Resources" PIM.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles

@manicminer
Contributor

Thanks for requesting this feature! It looks like PIM management is only available via the MS Graph API which we are currently not in a position to use as we're waiting on SDK support. I've marked this request as upstream-dependent and we'll revisit as soon as we are able.

@khole

khole commented Aug 12, 2020

maybe add the assignment type (eligible/active)
and assignment duration (start/end)
as parameters?

@christophetd

This would be tremendously useful to have in Terraform. The API docs are here: https://docs.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-resources?view=graph-rest-beta (beta)

@MarkBooks

Agreed; this would be a very welcome addition!

@LudoNieuwenhuizen

Would be super handy for our production setup. Currently, this missing functionality means quite some manual work

@manicminer
Contributor

This feature is currently waiting on implementation of MS Graph. We are actively working on it and this issue will receive priority as soon as we are able. See hashicorp/terraform-provider-azurerm#323 for more details. Thanks!

@frazhamid

frazhamid commented Feb 22, 2021

+1
Me too

A few use cases I would like to see met:

  • Adding Subscriptions
  • Configuring Role Settings for both Azure AD and Azure Resources
  • Configuring Alerts
  • Configuring Access Reviews
  • Managing Role Assignments (Add/Update/Remove)

Presently I am resorting to using the AzureAD Preview PowerShell cmdlets. These work well but it is not as elegant as tf.

@darren-johnson

We create all our RBAC groups using terraform when a resource group is provisioned, but they need manually onboarding to PIM so this would be very useful.

Any update?

@schlbra

schlbra commented Jun 14, 2021

@manicminer , it appears that MS Graph was implemented in azuread version 1.5.0 (LINK HERE).

Does this mean that this issue can receive priority now or maybe it's already in progress?

@manicminer
Contributor

manicminer commented Jun 14, 2021

In order to maintain compatibility, new features will only be merged in v2.0 (or later), which we're working on right now.

Privileged Identity Management is a reasonably large feature that will likely not make it into 2.0, but will hopefully come soon thereafter as it's the highest voted feature on our backlog.

@JonZeolla

I'm already subscribed to this issue but whenever it's ready I'm happy to volunteer testing time.

@Threpio
Contributor

Threpio commented Aug 24, 2021

I am interested in this feature as well - happy to implement the resources and data sources myself if help is needed.

@manicminer - Let me know by ping; this is required by my workplace as well.

@manicminer
Contributor

Thanks for the interest, but please stick to +1 on the original message. Help is always very welcome, however this particular feature is nontrivial - for context, there are 3 distinct iterations of this service, incompatible with each other and none of which have yet made it out of beta.

@pbeckendorf-gkgab

Dear all, as Microsoft changed its PIM API in October (https://docs.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-root?view=graph-rest-beta), it might be a good thing to ask once again what the status of the Azure PIM Terraform provider is at the moment. Anything planned, or is there nothing on the horizon? Just wondering, as I think it would be a great thing to be able to enroll AAD PIM and Azure Resources PIM with Terraform.

@RenatoMartins-tomtom

This would be really helpful, as we are planning to onboard management group structure into PIM, and we keep the RBAC assignments on the MG scope in TF state.

@petr-stupka

Seems like there is already work in progress - #547

@kehindeakala

kehindeakala commented Jul 7, 2022

Hi all. Would love to know if there are any updates on this issue. Would love to see this implemented in tf as soon as possible.

@ZarakiKenpachi7

Hello, checking up on this one as we need it via tf rather than regular clickops. Any updates, please?

@archmangler

Hi, what's the status of this much desired and valuable feature?

@Satak

Satak commented Nov 6, 2023

Just want to say that Entra ID role PIM support for the Terraform Azure AD provider is a really needed and awaited feature in our organization. I wish we could have some ETA. There are over 400 upvotes for this issue, so I'm assuming our organization is not the only one waiting for this. 🤞 🙏

tiwood pushed a commit to tiwood/terraform-provider-azuread that referenced this issue Feb 19, 2024: Add Support For Schema Extensions
@tim-chaffin

PIM for Groups in my opinion, in general, is a challenging feature to automate, even without Terraform. From trying to get this to work, using PowerShell, or a chain of API calls from Postman, I've ended up with this workflow, which I'm sharing here as others may glean at least some automation on this front.

At the core of the automation, the following happens:

  • Create two Entra ID Security Groups:
    • The first group may already be present in your tenant, but its main purpose is to be a logical organization of team members who will be eligible to activate a PIM assignment, thus elevating their privileges.
    • The second group will be "Onboarded" as a PIM group later on.
    • Ensure that the Microsoft Entra roles can be assigned to the group flag is enabled on both groups. Note: Your identity will need the Privileged Role Administrator role, as well as a P1 or P2 license in order to tick this flag.
  • Configure the second group (our future PIM group) so that the first group (our team group) is a Member of the second group. doc
  • Then use the unifiedRoleManagementPolicy Graph API endpoint to PATCH the second group, with appropriate settings.
    • This is the weirdest thing about PIM for Groups. "You can't onboard a group to PIM for groups explicitly." source But you can send a PIM for Groups setting call, which then in turn onboards the PIM group implicitly. So confusing!
    • Within the crazy lengthy rules payload, indicate that the first group has PIM settings on the second group per your discretion and standards.
    • Once this call is successfully completed, the second group turns into a PIM group with defined settings for the first group.
  • Then use a standard Terraform azurerm_role_assignment resource block to associate the new PIM Group as the principal_id over any desired scope with privileges that match your standards.
  • A user then logs in to Azure, and navigates to the Microsoft Entra Privileged Identity Management blade → My Roles → Groups → and activates membership into the newly configured PIM Group.

The challenge for Terraform right now is that none of the PIM for Groups API methods are in the azurerm provider at this time. So, the only way to automate is by devising your own system to make these calls in an automated fashion.
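A scripted version of the workflow above, added here as an example and not taken from the issue or from the azuread provider: it uses the Microsoft Graph PowerShell SDK, and instead of nesting the team group as a standing member it makes the team group eligible for membership, so the PIM group's privileges are only held during a time-boxed activation. The group names, the 8-hour activation cap and the permission scopes are assumptions for the example.

```powershell
# Added example (not from the issue or the azuread provider). Requires Microsoft.Graph.Groups and
# Microsoft.Graph.Identity.Governance; the caller needs Privileged Role Administrator and a P2 license.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagementPolicy.ReadWrite.AzureADGroup',
                        'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup'

# 1. The team group (who may activate) and the group that will be managed by PIM. Assumed names.
$team = New-MgGroup -DisplayName 'team-platform' -MailNickname 'team-platform' `
          -MailEnabled:$false -SecurityEnabled -IsAssignableToRole
$pim  = New-MgGroup -DisplayName 'pim-platform-contributor' -MailNickname 'pim-platform-contributor' `
          -MailEnabled:$false -SecurityEnabled -IsAssignableToRole

# 2. Locate the role management policy for the PIM group's 'member' relationship. Reading and
#    patching this policy is what onboards the group to PIM for Groups; there is no explicit call.
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
  -Filter "scopeId eq '$($pim.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
$policyId = $assignment.PolicyId

# 3. Tighten activation: MFA and a justification on every activation, and an 8-hour maximum.
$target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment' }
$rules = @(
  @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
     id = 'Enablement_EndUser_Assignment'; target = $target
     enabledRules = @('MultiFactorAuthentication', 'Justification') },
  @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
     id = 'Expiration_EndUser_Assignment'; target = $target
     isExpirationRequired = $true; maximumDuration = 'PT8H' }
)
foreach ($rule in $rules) {
  Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule
}

# 4. Make the team group eligible for membership rather than a standing member, so nobody
#    holds the PIM group's privileges outside an approved, time-boxed activation.
$request = @{
  accessId      = 'member'
  principalId   = $team.Id
  groupId       = $pim.Id
  action        = 'adminAssign'
  justification = 'Onboard platform team to PIM-managed group'
  scheduleInfo  = @{
    startDateTime = (Get-Date).ToUniversalTime().ToString('o')
    expiration    = @{ type = 'noExpiration' }
  }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $request

# 5. Grant Azure RBAC to the PIM group itself (e.g. azurerm_role_assignment with
#    principal_id = $pim.Id); the role is only usable while a member's activation is live.
```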

@cpressland

Looks like manicminer/hamilton#277 got merged, any word on when this work is planned @oWretch?

@oWretch
Contributor

oWretch commented Apr 3, 2024

The PR for this is waiting review. @manicminer is away this week, so I'm hoping it will be released at the end of next week.

@kkadiyam

kkadiyam commented Apr 23, 2024

Can someone please confirm how to use "Then use the unifiedRoleManagementPolicy Graph API endpoint to PATCH the second group, with appropriate settings"?

I am in the same boat. I need to enable PIM for groups. After creating the AAD group, I would like to run PowerShell with the unified policy to have minimal updates for any policy changes and enable PIM for groups.

As provided in the documentation, I did update it to have scopeId and scopeType, but it still doesn't work; I'm running into a provider missing error.

https://learn.microsoft.com/en-us/graph/api/resources/unifiedrolemanagementpolicy?view=graph-rest-1.0

Below is my code

# Object id of the group to onboard (value taken from the cmdlet call below)
$groupId = "04abf3cb-fec5-4bd5-87b3-7a7a08efcecd"

# Policy assignments must be looked up by scope; scopeId/scopeType are filter terms,
# not parameters of the Update cmdlet
$policies = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '$groupId' and scopeType eq 'Group'"

# Placeholder for the right policy ID
$policyId = $null

foreach ($policy in $policies) {
    # 'member' is the relationship users activate in PIM for groups ('owner' is the other one)
    if ($policy.RoleDefinitionId -eq "member") {
        $policyId = $policy.PolicyId
    }
}

if ($null -eq $policyId) {
    throw "No role management policy found for group $groupId; check the scope filter"
} else {
    # Define minimal settings to update PIM policy.
    # The rule id must be one of the policy's existing rule ids; 'level' belongs to target.
    $params = @{
        rules = @(
            @{
                "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
                id = "Approval_EndUser_Assignment"
                target = @{
                    caller = "EndUser"
                    operations = @("All")
                    level = "Assignment"
                }
                setting = @{
                    isApprovalRequired = $false
                    isRequestorJustificationRequired = $true
                }
            }
        )
    }

    # Update the unified role management policy with minimal changes
    # (rules can also be patched one at a time with Update-MgPolicyRoleManagementPolicyRule)
    Update-MgPolicyRoleManagementPolicy -UnifiedRoleManagementPolicyId $policyId -BodyParameter $params
}

@MathewJohnsonIPO

At this point you are probably better to wait until this PR gets merged and released. I doubt it will be long now...

@tim-chaffin

It's interesting they're moving it to AzureAD, where the other PIM stuff lives in AzureRM.

@MohnJadden

@tim-chaffin I'm hoping the AzureAD part is meant to handle Azure AD/Entra ID roles, while AzureRM will handle Azure resource roles.

I'm still running into issues with the AzureRM counterpart but that's a whole other resource provider.

@oWretch
Contributor

oWretch commented Apr 23, 2024

@MohnJadden you are correct. #1327 is there to handle PIM assignments of one group to another Entra ID group. There is already support (with an outstanding issue) for Entra ID roles in the Azure AD provider. And there are probably fixes required for the Azure role assignments, as you have mentioned.

@hales8181

Do we have an ETA on this at all? I can't tell you how much I am eagerly awaiting this!

@MohnJadden

I just @ed the one remaining reviewer in the other thread. I'm not with HCP but hopefully this gets done and working before the acquisition completes and everyone cashes out.

@kkadiyam

kkadiyam commented May 3, 2024

Hello, any update on this? It would really help to have this deployed soon. Thanks!

@github-actions github-actions bot added this to the v2.49.0 milestone May 8, 2024
@tim-chaffin

@manicminer I saw that we've merged the much anticipated PR. This is excellent news! I know I for one am very grateful for this.

However, can anyone shed some light on how these modules work? I checked the docs, and I didn't see anything yet. If someone could help us see how we'd create a PIM group through these modules, and configure the attributes, that would be amazing.

@hales8181

It's not been released yet. You need to wait for 2.49.0 to drop.

https://github.com/hashicorp/terraform-provider-azuread/releases

@manicminer
Contributor

manicminer commented May 8, 2024

Yep that'll be released tomorrow. In the meantime, the docs are in the repo and have good examples to start from (if you wanted to build from source in the meantime).

@manicminer
Contributor

PIM for Azure AD / Entra ID can apply group memberships or role memberships. The recently merged #1327 supports group memberships via PIM. I've opened a new issue #1369 to track PIM for roles - please subscribe to that issue for updates on that.

@karts499

Spread the news!

@jakubigla

So here's the thing. Based on the documentation, and the fact that I can do this via the Portal without any of the RoleManagementPolicy.ReadWrite.AzureADGroup type of permissions, an owner of the group can enable PIM for groups without extra permissions. Has anyone had any luck using the API under the above conditions?
