Traversing Azure PIM Roles for Review

Question

Azure PIM just add a temporary RBAC to the resource, and role assignment goes away after the allowed time slot (maximum of 8 hrs).

So, wanted to understand if there is a way to conduct user access reviews on all Azure PIM roles - like how can I know who all users can elevate PIM roles & what roles & at what scope. I understand there is "Access Review" of PIM but that needs admin level permissions, hence wondering if there is a way through powershell or CLI to create such report for periodic reviews.

Answer 1

Yes, there is a command Get-AzureADMSPrivilegedRoleAssignment in AzureADPreview module that calls the Microsoft Graph - List governanceRoleAssignments, it should meet your requirement, but it is in preview and I believe there is a bug in this command/api, as when you run the command/call the api, there is always an UnknownError(I have tested it with the Global admin in AAD tenant and Owner role in subscription, so there should be no permission issue). So to use it successfully, I think you may need to wait for it to be GA.

Get-AzureADMSPrivilegedRoleAssignment -ProviderId AzureResources -ResourceId <tenant-id>

I understand there is "Access Review" of PIM but that needs admin level permissions

Besides, even it becomes GA in the future, I think it needs admin permissions, because the feature in the portal and the powershell should both call the same API, it needs the same permission. So if you don't have the enough permission, anyway you could not do this.