Azure AD Privileged Identity Management (PIM) makes it possible to configure activation and expiration settings on a per-role basis. This is very powerful, since the 90+ Azure AD roles provide varying levels of permissions in your tenant. The PIM portal currently offers little to no bulk management of roles, so you basically have to go in and configure each role by hand to match your requirements.
Luckily there are better ways to manage role configuration at scale!
Classify Azure AD Roles Based on Impact
If the credentials of an account holding the Viva Engage admin role are stolen, the damage is far smaller than if an account with the Global Admin role is compromised. There are so many roles these days that I recommend you start by classifying each role based on its impact if stolen (low, medium, high): “What can happen if the role gets into the wrong hands?” This classification will help you decide the role configuration in the next step.
Once the roles have been classified, it’s a lot easier to decide what role configuration you want for the different impact levels in PIM. I have prepared an Excel file with all Azure AD roles. You can use it as is, or modify it to suit your needs. You can download the Excel file here:

Automate Role Configuration With PowerShell
To configure Azure AD role settings in PIM you need Global Admin or Privileged Role Admin permissions.
# Authenticate to Microsoft Graph:
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
If you don’t want to use my example Excel file from above, you can generate your own and start from scratch using the following script snippet (this also picks up roles that Microsoft added after this blog post was written).
# GENERATE BASE CSV FILE (OPTIONAL)
$AzureAdRoleTemplates = Get-MgDirectoryRoleTemplate | Select-Object DisplayName, Description | Sort-Object DisplayName
# Build one CSV row per role template with default settings (adjust ImpactLevel and the other columns afterwards):
$AzureADRoles = foreach ($Role in $AzureAdRoleTemplates) {
    [PSCustomObject]@{
        AzureADRole                      = $Role.DisplayName
        ImpactLevel                      = "High"
        MaximumActivationDurationHours   = "8"
        RequireMFAOnActivation           = "True"
        RequireJustificationOnActivation = "True"
        RequireApprovalToActivate        = "False"
        AllowPermanentActiveAssignment   = "True"
        RoleDescription                  = $Role.Description
    }
}
$AzureADRoles | Export-Csv -Delimiter ';' -Encoding UTF8 -Path 'AzureADRoles.csv'
When you are happy with your CSV file, whether you based it on my Excel example or generated your own, you are ready to run the automation that will set the configuration. This script snippet loads the CSV file, gets all Azure AD roles available in the tenant, and finally loops through them and sets the configuration based on the columns in the CSV file. This is where the magic happens!
# SET PIM CONFIGURATION FROM CSV
# Load CSV file content:
$CsvContent = Import-Csv -Delimiter ';' -Path "AzureADRoles.csv"
# Get all Azure AD role templates available in tenant:
$AzureAdRoleTemplates = Get-MgDirectoryRoleTemplate | Select-Object DisplayName, Description, Id | Sort-Object DisplayName
# For each role mentioned in the CSV file, set role configuration in Azure AD:
foreach ($Role in $CsvContent) {
    # Echo the CSV row so the console shows which settings are being applied:
    $Role
    # Resolve the role template id; skip rows that do not match a role in this tenant:
    $RoleTemplateId = ($AzureAdRoleTemplates | Where-Object DisplayName -eq $Role.AzureADRole).Id
    if (-not $RoleTemplateId) {
        Write-Warning "Role '$($Role.AzureADRole)' not found in tenant, skipping."
        continue
    }
    # Get the role management policy assignment for this role:
    $PolicyAssignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$RoleTemplateId'" -ExpandProperty "policy(`$expand=rules)"
    # Get the role management policy that's been assigned:
    $Policy = Get-MgPolicyRoleManagementPolicy -UnifiedRoleManagementPolicyId $PolicyAssignment.PolicyId
    # Configure rule 'Expiration_EndUser_Assignment' (maximum activation duration, ISO 8601 duration such as PT8H):
    $params = @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        Id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $false
        maximumDuration      = "PT$($Role.MaximumActivationDurationHours)H"
        Target               = @{
            "@odata.type"       = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
            Caller              = "EndUser"
            Operations          = @("all")
            Level               = "Assignment"
            InheritableSettings = @()
            EnforcedSettings    = @()
        }
    }
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $Policy.Id -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment' -BodyParameter $params
    # Configure rule 'Enablement_EndUser_Assignment' (what the user must provide when activating):
    $EnabledRules = @()
    if ($Role.RequireMFAOnActivation -eq 'True') { $EnabledRules += "MultiFactorAuthentication" }
    if ($Role.RequireJustificationOnActivation -eq 'True') { $EnabledRules += "Justification" }
    $params = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        Id            = "Enablement_EndUser_Assignment"
        enabledRules  = $EnabledRules
        Target        = @{
            "@odata.type"       = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
            Caller              = "EndUser"
            Operations          = @("all")
            Level               = "Assignment"
            InheritableSettings = @()
            EnforcedSettings    = @()
        }
    }
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $Policy.Id -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment' -BodyParameter $params
    # Configure rule 'Expiration_Admin_Eligibility' (whether eligible assignments made by admins may be permanent).
    # The target must match the rule id: Caller 'Admin' at Level 'Eligibility'. Permanent *active* assignments
    # are governed by the separate 'Expiration_Admin_Assignment' rule, which has the same shape with Level 'Assignment'.
    $ExpirationRequired = ($Role.AllowPermanentActiveAssignment -ne 'True')
    $params = @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        Id                   = "Expiration_Admin_Eligibility"
        isExpirationRequired = $ExpirationRequired
        maximumDuration      = "P30D"
        Target               = @{
            "@odata.type"       = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
            Caller              = "Admin"
            Operations          = @("all")
            Level               = "Eligibility"
            InheritableSettings = @()
            EnforcedSettings    = @()
        }
    }
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $Policy.Id -UnifiedRoleManagementPolicyRuleId 'Expiration_Admin_Eligibility' -BodyParameter $params
    # Note: the RequireApprovalToActivate column is not applied by this script; approval is controlled by the
    # 'Approval_EndUser_Assignment' rule, which you can inspect with the listing script further down.
}
The script will take a couple of minutes to run, but after that all your Azure AD roles should be configured according to your preferences. The script outputs the settings it configures for each role. This is an example output:
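Once the settings are applied, the same cmdlets can read them back. The following script is an added example and not part of the original post: it compares the live PIM policy of every role in the CSV against what the CSV says it should be and reports drift, so a high impact role whose MFA requirement was later relaxed in the portal shows up immediately. It assumes an existing Connect-MgGraph session and the CSV layout used above, and it reads rule settings from the rules' JSON form (the same ToJsonString() output the post uses to inspect policies).

```powershell
# Added audit example (not from the original post). Assumes an active Connect-MgGraph
# session and the CSV layout used above; rule settings are read from each rule's JSON form.
$CsvContent    = Import-Csv -Delimiter ';' -Path 'AzureADRoles.csv'
$RoleTemplates = Get-MgDirectoryRoleTemplate | Select-Object DisplayName, Id

$Report = foreach ($Role in $CsvContent) {
    $Findings   = [System.Collections.Generic.List[string]]::new()
    $TemplateId = ($RoleTemplates | Where-Object DisplayName -eq $Role.AzureADRole).Id
    if (-not $TemplateId) {
        $Findings.Add('role template not found in tenant')
    } else {
        $Assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$TemplateId'"
        # Index the live rules by id; ToJsonString() exposes the derived-type settings
        # (maximumDuration, enabledRules, isExpirationRequired) that the generic rule object hides.
        $Rules = @{}
        foreach ($Rule in Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $Assignment.PolicyId) {
            $Rules[$Rule.Id] = $Rule.ToJsonString() | ConvertFrom-Json
        }
        # 1. Activation window (string compare of ISO 8601 durations, so P1D vs PT24H would be flagged).
        $Want = "PT$($Role.MaximumActivationDurationHours)H"
        $Got  = $Rules['Expiration_EndUser_Assignment'].maximumDuration
        if ($Got -ne $Want) { $Findings.Add("activation max is $Got, CSV says $Want") }
        # 2. MFA and justification on activation are enforced through enabledRules.
        $Enabled = @($Rules['Enablement_EndUser_Assignment'].enabledRules)
        if ($Role.RequireMFAOnActivation -eq 'True' -and 'MultiFactorAuthentication' -notin $Enabled) {
            $Findings.Add('MFA on activation not enforced')
        }
        if ($Role.RequireJustificationOnActivation -eq 'True' -and 'Justification' -notin $Enabled) {
            $Findings.Add('justification on activation not enforced')
        }
        # 3. Permanent eligibility must be blocked unless the CSV allows it.
        $Expires = [bool]$Rules['Expiration_Admin_Eligibility'].isExpirationRequired
        if ($Role.AllowPermanentActiveAssignment -ne 'True' -and -not $Expires) {
            $Findings.Add('permanent eligible assignment still allowed')
        }
    }
    [PSCustomObject]@{
        Role      = $Role.AzureADRole
        Impact    = $Role.ImpactLevel
        Compliant = ($Findings.Count -eq 0)
        Findings  = ($Findings -join '; ')
    }
}
# Non-compliant roles sort first; review the High impact rows before anything else.
$Report | Sort-Object Compliant, Impact | Format-Table -AutoSize
```

Run it on a schedule and alert on any row where Compliant is False; a role that was compliant yesterday and is not today means someone changed the policy outside this pipeline.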

What Else?
Configuring PIM roles with the Microsoft Graph PowerShell module can be quite a hassle. It took me some time to figure all this out. If you want to expand on this and add additional features, I recommend that you read the documentation and also run this script, which lists all current PIM configuration policies for a specific Azure AD role.
# GET A LIST OF ALL AVAILABLE POLICY RULES AND SETTINGS
$AzureADRole = 'Application Administrator'
# Resolve the role template id and get the role management policy assignment for this role:
$AzureAdRoleTemplates = Get-MgDirectoryRoleTemplate | Select-Object DisplayName, Id
$RoleTemplateId = ($AzureAdRoleTemplates | Where-Object DisplayName -eq $AzureADRole).Id
$PolicyAssignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$RoleTemplateId'" -ExpandProperty "policy(`$expand=rules)"
# Get all policy rules belonging to this role management policy (the policy id comes from the assignment):
$PolicyRules = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $PolicyAssignment.PolicyId
$PolicyRules | Select-Object Id | Sort-Object Id
# Dump each rule as JSON; the rule-specific settings (durations, enabledRules, approval stages) are visible here:
foreach ($Rule in ($PolicyRules | Sort-Object Id)) {
    Write-Host "------------------------------"
    $Rule.Id
    Write-Host ""
    $Rule.ToJsonString()
}
I hope this saves you some time managing the many Azure AD roles that pop up all over the place. Try to limit the use of high impact roles and be careful when assigning roles overall.
Please follow me here, on LinkedIn, and on Twitter!