⚠️ Terraform support was merged into main on 8 May 2024. Please see issue #32 for up-to-date migration information.
This repo's intent is to demonstrate the use of Entra PIM for Groups using Infrastructure as Code (IaC).
The repo will set up the following groups and PIM settings:
```mermaid
graph TD
  %% Entities
  prod[team-abc-pim]
  team-demo[team-abc]
  aks-prod-owners[team-abc-owners]
  %% Relations
  team-demo --Eligible member-->prod
  aks-prod-owners --Approve member requests-->prod
```
An accompanying blog post can be found at: my blog.
The Service Principal (SP) used by Terraform needs the following Microsoft Graph permissions:
- `Group.ReadWrite.All`
- `Directory.ReadWrite.All`
- `RoleManagementPolicy.Read.AzureADGroup`
- `RoleManagementPolicy.ReadWrite.AzureADGroup`
- `PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup`
- `PrivilegedEligibilitySchedule.Remove.AzureADGroup`
We will use the Microsoft Graph API documentation to make API requests and programmatically set up PIM for Groups. In particular, we will be using the `unifiedRoleManagementPolicy` API.
There are ongoing Azure Entra PIM Terraform support issues:
The issues have been open for many years. One reason is the complexity of the PIM API and its versions: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-apis.
The manual procedure below follows the example at https://learn.microsoft.com/en-us/graph/api/unifiedrolemanagementpolicy-update?view=graph-rest-1.0&tabs=powershell#example-2-update-the-details-of-a-policy-defined-in-pim-for-groups.
- Install PowerShell.
- Start a PowerShell session:
```powershell
pwsh
```
- Install the Microsoft.Graph and Az modules (Az includes Az.Resources):
```powershell
Install-Module -Name Microsoft.Graph -Scope CurrentUser -AllowClobber
Install-Module -Name Az -AllowClobber -Scope CurrentUser
```
- Log in to Azure:
```powershell
Connect-AzAccount
```
- Connect to Microsoft Graph with the scopes the script needs:
```powershell
Connect-MgGraph -Scopes "RoleManagementPolicy.Read.AzureADGroup", "RoleManagementPolicy.ReadWrite.AzureADGroup", "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup", "PrivilegedAccess.ReadWrite.AzureADGroup"
```
- Run the script:
```powershell
./update-pim-rules.ps1
```
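As an added example (not the repo's `update-pim-rules.ps1` and not code taken from Microsoft's documentation), the following script applies the two relations in the diagram above with the Microsoft.Graph PowerShell SDK: it makes the members of `team-abc` eligible members of `team-abc-pim`, requires approval from `team-abc-owners` before an activation, and caps an activation at 8 hours. The group display names, the 8-hour cap and the "no expiration" eligibility are assumptions; `Approval_EndUser_Assignment` and `Expiration_EndUser_Assignment` are the standard PIM policy rule ids, and the script expects `Connect-MgGraph` to have been run with the scopes listed in the procedure.

```powershell
# Added example (not the repo's update-pim-rules.ps1): applies the two relations in the diagram with the
# Microsoft.Graph PowerShell SDK. Assumes Connect-MgGraph has been run with the scopes listed above.
# Group display names, the 8-hour activation cap and the "no expiration" eligibility are assumptions.

# Resolve the three groups and refuse to continue unless each name matches exactly one group,
# because every write below onboards the target group to PIM, and that cannot be undone.
function Get-SingleGroup([string]$DisplayName) {
    $hits = @(Get-MgGroup -Filter "displayName eq '$DisplayName'")
    if ($hits.Count -ne 1) { throw "Expected exactly one group named '$DisplayName', found $($hits.Count)." }
    return $hits[0]
}
$pimGroup      = Get-SingleGroup 'team-abc-pim'     # the group whose membership is PIM-controlled
$eligibleGroup = Get-SingleGroup 'team-abc'         # its members may activate membership
$approverGroup = Get-SingleGroup 'team-abc-owners'  # its members approve activation requests

# 1. Locate the policy governing the 'member' role of team-abc-pim ('owner' has a separate policy).
$assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter `
    "scopeId eq '$($pimGroup.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
$policyId = $assignment.PolicyId

# Target shared by the end-user activation rules.
$endUserTarget = @{
    "@odata.type"       = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
    caller              = "EndUser"
    operations          = @("all")
    level               = "Assignment"
    inheritableSettings = @()
    enforcedSettings    = @()
}

# 2. An activation must be approved by a member of team-abc-owners and carry a justification.
$approvalRule = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    id            = "Approval_EndUser_Assignment"
    target        = $endUserTarget
    setting       = @{
        "@odata.type"                    = "microsoft.graph.approvalSettings"
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = "SingleStage"
        approvalStages                   = @(
            @{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @(
                    @{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $approverGroup.Id }
                )
                escalationApprovers             = @()
            }
        )
    }
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Approval_EndUser_Assignment' -BodyParameter $approvalRule

# 3. An activation lasts at most 8 hours (ISO 8601 duration; the value is an assumption).
$expirationRule = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT8H"
    target               = $endUserTarget
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment' -BodyParameter $expirationRule

# 4. Make the members of team-abc eligible (not active) members of team-abc-pim.
$eligibilityRequest = @{
    accessId      = "member"
    principalId   = $eligibleGroup.Id
    groupId       = $pimGroup.Id
    action        = "adminAssign"
    justification = "Eligible membership managed as code"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "noExpiration" }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $eligibilityRequest
```

The rules are updated one at a time with `Update-MgPolicyRoleManagementPolicyRule` rather than by patching the whole policy, so a mistake in one rule body does not silently reset the others; the eligibility is granted to the group `team-abc` as a principal, so membership changes in that group flow through without another schedule request.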
❗ The pre-commit hooks only run on staged files.
To set up the pre-commit hooks for the Terraform files, run the following commands:
```shell
brew install pre-commit
pre-commit install
```
If you want to uninstall the pre-commit hooks, run the following command:
```shell
pre-commit uninstall
```
- You can't onboard a group to PIM for Groups explicitly. When you request to add an assignment to a group using Create assignmentScheduleRequest or Create eligibilityScheduleRequest, or you update the PIM policy (role settings) for a group using Update unifiedRoleManagementPolicy or Update unifiedRoleManagementPolicyRule, the group is onboarded to PIM automatically if it wasn't onboarded before.
- Once a group is onboarded to PIM, you can't remove it from PIM. The PIM group still shows up even if you remove the underlying group.
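Because onboarding cannot be reversed, it helps to have a read-only view of what PIM currently holds for a group before and after each Terraform or script run. The following script is an added example (not part of this repo) that uses raw Graph calls through `Invoke-MgGraphRequest` against the `roleManagementPolicyAssignments`, `roleManagementPolicies/{id}/rules` and `privilegedAccess/group/eligibilitySchedules` endpoints; the only input, `$GroupId`, is assumed.

```powershell
# Added example: read-only inventory of what PIM holds for one group, via raw Microsoft Graph calls.
# Assumes Connect-MgGraph with RoleManagementPolicy.Read.AzureADGroup and
# PrivilegedEligibilitySchedule.Read.AzureADGroup (the ReadWrite scopes listed above also cover this).
param(
    [Parameter(Mandatory)] [string] $GroupId   # object id of the group to inspect (assumed input)
)
$graph = 'https://graph.microsoft.com/v1.0'

# Policy for the 'member' role of the group (the 'owner' role has its own policy).
$filter = "scopeId eq '$GroupId' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
$assignments = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicyAssignments?`$filter=$filter"
if ($assignments.value.Count -eq 0) {
    Write-Output "No PIM policy assignment found for group $GroupId (member role)."
    return
}
$policyId = $assignments.value[0].policyId

# Rules that apply when an end user activates; these are what an IaC run changes.
$rules = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicies/$policyId/rules").value
foreach ($rule in $rules | Where-Object { $_.id -like '*_EndUser_Assignment' }) {
    switch ($rule.id) {
        'Expiration_EndUser_Assignment' {
            Write-Output ("Activation max duration: {0} (expirationRequired={1})" -f $rule.maximumDuration, $rule.isExpirationRequired)
        }
        'Approval_EndUser_Assignment' {
            # Approvers are either single users (userId) or group members (groupId).
            $approvers = $rule.setting.approvalStages | ForEach-Object { $_.primaryApprovers } | ForEach-Object {
                if ($_.groupId) { "group:$($_.groupId)" } else { "user:$($_.userId)" }
            }
            Write-Output ("Approval required: {0}; approvers: {1}" -f $rule.setting.isApprovalRequired, ($approvers -join ', '))
        }
        'Enablement_EndUser_Assignment' {
            Write-Output ("Activation requires: {0}" -f ($rule.enabledRules -join ', '))
        }
    }
}

# Who is eligible right now, and for how long.
$eligible = (Invoke-MgGraphRequest -Method GET -Uri "$graph/identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=groupId eq '$GroupId'").value
foreach ($e in $eligible) {
    $until = if ($e.scheduleInfo.expiration.type -eq 'noExpiration') { 'no expiration' } else { $e.scheduleInfo.expiration.endDateTime }
    Write-Output ("Eligible {0}: principal {1} ({2}), {3}" -f $e.accessId, $e.principalId, $e.memberType, $until)
}
```

Run it once before the first IaC apply and keep the output with the change record; a later run that shows new approvers, a longer activation window or an unexpected eligible principal is a quick signal that something other than the pipeline has touched the group's PIM settings.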