Azure AD: PIM - modifying Azure built-in roles

Modifying Privileged Identity Management (PIM) settings of Azure built-in roles using PowerShell


A customer asked me recently how to modify the Privileged Identity Management (PIM) Settings of Azure built-in roles using a script. Specifically, the request was to be able to influence the "Activation maximum duration (hours)" by using a script.

To make this possible I developed the following script:

### ### ###
### Proof of Concept Script
### Name: adjustPrivRoleSetting.ps1
###
### Adjusting Azure AD built-in role Setting using PowerShell
### (19. Dec. 2022 - Christoph Ernst)  
### ### ###
### Role Definition ID
### See Azure Role Definitions List: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
### for example: b24988ac-6180-42a0-ab88-20f7382dd24c = Contributor
### ### ###

Write-Host "This is a Proof of Concept Script to adjust Azure AD built-in role settings using PowerShell" -fore red 
Write-Host "Use with Caution!" -fore red 
Write-Host ""

$subscriptionID = Read-Host "Please enter subscription ID"
Write-Host "For a complete list of Azure Role Definitions visit https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles!" -fore blue
$roleDefinitionID = Read-Host "Which role would you like to adjust? (default: b24988ac-6180-42a0-ab88-20f7382dd24c = Contributor)" 

if (!$roleDefinitionID) {
    Write-Host "Using Role Definition for Contributor: b24988ac-6180-42a0-ab88-20f7382dd24c"
    $roleDefinitionID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
} else {    
    Write-Host "Using Role Definition: '$roleDefinitionID'"
}

$hours = Read-Host "how long should the 'Activation maximum duration' be configured (in hours)?"
$min = [int]$hours*60
# Write-Host "Minutes: $min"

Write-Host ""
Write-Host "Summary:" -fore green 
Write-Host "Subscription: $subscriptionID"
Write-Host "Role Definition ID: $roleDefinitionID"
Write-Host "Activation maximum duration (h): $hours"
$confirmation = Read-Host "Are you Sure You Want To Proceed? Press 'y'"
if ($confirmation -eq 'y') {
# proceed
    $setting = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRuleSetting
    $setting.RuleIdentifier = "ExpirationRule"
    $setting.Setting = "{`"permanentAssignment`":false,`"maximumGrantPeriodInMinutes`":$min}"

    $SubscriptionPIMID = (Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID'").Id
    # echo $SubscriptionPIMID
    $AzureADMSPrivilegedRoleID = (Get-AzureADMSPrivilegedRoleSetting -ProviderId 'AzureResources' -Filter "ResourceId eq '$SubscriptionPIMID' and RoleDefinitionId eq '$roleDefinitionID'").Id
    Set-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Id $AzureADMSPrivilegedRoleID -ResourceId $SubscriptionPIMID -RoleDefinitionId $roleDefinitionID -UserMemberSettings $setting
} else {
    Write-Host "aborted - nothing has changed"
}

For the script to run correctly, follow this procedure.
As a first step you need to connect to Azure AD using:

> Connect-AzureAD

Then you can run the script:

> .\adjustPrivRoleSetting.ps1

The script asks for three details:

  1. Subscription-ID
  2. Role Definition ID you’d like to adjust.
    Get a complete list on learn.microsoft.com.
  3. Activation maximum duration in hours

After successful execution, the “Activation maximum duration (hours)” is adjusted to your needs.
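Before and after running the script it is worth reading the setting back, since the script itself never verifies what PIM currently holds. The following function is an added example, not part of the original script: it uses the same AzureADPreview cmdlets, parses the ExpirationRule JSON and flags a role whose activation limit exceeds an assumed policy threshold. The function name and the `$MaxAllowedHours` parameter are my own choices.

```powershell
# Added example: read back the current PIM ExpirationRule for a role on a
# subscription and report whether it exceeds a policy limit. Requires
# Connect-AzureAD first. The threshold of 8 hours is an assumed policy value.
function Test-PimActivationDuration {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string] $RoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24c',  # Contributor
        [int]    $MaxAllowedHours  = 8                                         # assumed policy limit
    )

    # Resolve the PIM resource object that represents the subscription
    $resource = Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' `
        -Filter "ExternalId eq '/subscriptions/$SubscriptionId'" | Select-Object -First 1
    if (-not $resource) { throw "Subscription $SubscriptionId is not onboarded to PIM" }

    # Fetch the role setting for this resource/role pair
    $roleSetting = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'AzureResources' `
        -Filter "ResourceId eq '$($resource.Id)' and RoleDefinitionId eq '$RoleDefinitionId'" |
        Select-Object -First 1
    if (-not $roleSetting) { throw "No PIM role setting found for role $RoleDefinitionId" }

    # UserMemberSettings holds one rule per RuleIdentifier; the ExpirationRule
    # carries the activation limit as a JSON string, exactly as the script writes it.
    $rule = $roleSetting.UserMemberSettings | Where-Object RuleIdentifier -eq 'ExpirationRule'
    if (-not $rule) { throw "ExpirationRule not present in UserMemberSettings" }
    $cfg = $rule.Setting | ConvertFrom-Json

    $hours = [math]::Round($cfg.maximumGrantPeriodInMinutes / 60, 2)
    $permanent = [bool]$cfg.permanentAssignment

    # Permanent assignment or an over-long activation window both count as drift
    [pscustomobject]@{
        SubscriptionId      = $SubscriptionId
        RoleDefinitionId    = $RoleDefinitionId
        MaxActivationHours  = $hours
        PermanentAssignment = $permanent
        ExceedsPolicy       = ($hours -gt $MaxAllowedHours) -or $permanent
    }
}

# Example call (placeholder subscription ID):
# Test-PimActivationDuration -SubscriptionId '<your-subscription-id>' -MaxAllowedHours 8
```

Note that the script above does no range check on the entered hours; the PIM portal limits "Activation maximum duration" to 24 hours, so rejecting larger values before calling Set-AzureADMSPrivilegedRoleSetting avoids a failed or surprising update.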

Links that I used frequently during development: