Azure AD: PIM - modifying Azure built-in roles
Modifying Privileged Identity Management (PIM) settings of Azure built-in roles using PowerShell
A customer recently asked me how to modify the Privileged Identity Management (PIM) settings of Azure built-in roles from a script. Specifically, they wanted to set the "Activation maximum duration (hours)" of a role by script rather than through the portal.
To make this possible I developed the following proof-of-concept script. It uses the AzureADMSPrivileged* cmdlets of the AzureADPreview module, so it needs an existing Connect-AzureAD session. Keep in mind that it changes a security control: a longer activation window weakens just-in-time access, so keep the value as low as the workload allows (PIM accepts at most 24 hours here):
### ### ###
### Proof of Concept Script
### Name: adjustPrivRoleSetting.ps1
###
### Adjusting Azure AD built-in role Setting using PowerShell
### (19. Dec. 2022 - Christoph Ernst)
### ### ###
### Prerequisites: AzureADPreview module and an existing Connect-AzureAD session
### Role Definition ID
### See Azure Role Definitions List: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
### for example: b24988ac-6180-42a0-ab88-20f7382dd24c = Contributor
### ### ###
Write-Host "This is a Proof of Concept Script to adjust Azure AD built-in role settings using PowerShell" -fore red
Write-Host "Use with Caution!" -fore red
Write-Host ""
$subscriptionID = Read-Host "Please enter subscription ID"
Write-Host "For a complete list of Azure Role Definitions visit https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles!" -fore blue
$roleDefinitionID = Read-Host "Which role would you like to adjust? (default: b24988ac-6180-42a0-ab88-20f7382dd24c = Contributor)"
if (!$roleDefinitionID) {
    Write-Host "Using Role Definition for Contributor: b24988ac-6180-42a0-ab88-20f7382dd24c"
    $roleDefinitionID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
} else {
    Write-Host "Using Role Definition: '$roleDefinitionID'"
}
$hours = Read-Host "How long should the 'Activation maximum duration' be configured (in hours)?"
# PIM stores the activation limit in minutes
$min = [int]$hours * 60
# Write-Host "Minutes: $min"
Write-Host ""
Write-Host "Summary:" -fore green
Write-Host "Subscription: $subscriptionID"
Write-Host "Role Definition ID: $roleDefinitionID"
Write-Host "Activation maximum duration (h): $hours"
$confirmation = Read-Host "Are you sure you want to proceed? Press 'y'"
if ($confirmation -eq 'y') {
    # The ExpirationRule of the user member (activation) settings carries the maximum activation duration
    $setting = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRuleSetting
    $setting.RuleIdentifier = "ExpirationRule"
    $setting.Setting = "{`"permanentAssignment`":false,`"maximumGrantPeriodInMinutes`":$min}"
    # Resolve the PIM-internal resource ID of the subscription (empty if PIM does not manage the subscription)
    $SubscriptionPIMID = (Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID'").Id
    if (!$SubscriptionPIMID) { throw "Subscription '$subscriptionID' was not found as a PIM-managed resource" }
    # echo $SubscriptionPIMID
    # Resolve the ID of the existing role setting object for this role on this subscription
    $AzureADMSPrivilegedRoleID = (Get-AzureADMSPrivilegedRoleSetting -ProviderId 'AzureResources' -Filter "ResourceId eq '$SubscriptionPIMID' and RoleDefinitionId eq '$roleDefinitionID'").Id
    if (!$AzureADMSPrivilegedRoleID) { throw "No PIM role setting found for role '$roleDefinitionID' on this subscription" }
    Set-AzureADMSPrivilegedRoleSetting -ProviderId AzureResources -Id $AzureADMSPrivilegedRoleID -ResourceId $SubscriptionPIMID -RoleDefinitionId $roleDefinitionID -UserMemberSettings $setting
} else {
    Write-Host "aborted - nothing has changed"
}
For the script to run correctly, note the following procedure:
As a first step, connect to Azure AD (with the AzureADPreview module loaded) using:
> Connect-AzureAD
Then run the script:
> .\adjustPrivRoleSetting.ps1
The script asks for three details:
- Subscription ID
- Role Definition ID you'd like to adjust (a complete list is on learn.microsoft.com, see the link above)
- Activation maximum duration in hours
After successful execution, the "Activation maximum duration (hours)" of the chosen role is set to the requested value. Verify it in the role's PIM settings in the Azure portal, or read the role setting back with Get-AzureADMSPrivilegedRoleSetting; do not rely on the write alone. Note that the AzureAD/AzureADPreview modules are on a deprecation path; for Azure resource roles the same activation setting is also exposed through the Azure RBAC role management policy cmdlets in Az.Resources (Get-AzRoleManagementPolicy / Update-AzRoleManagementPolicy).
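As an added example (my code, not from the original post), the following reworks the same procedure into two functions with input validation, a dry run via -WhatIf, and a read-back verification after the write. Function and parameter names are my own; it assumes an existing Connect-AzureAD session with the AzureADPreview module, and the 24-hour upper bound in ValidateRange is PIM's own limit for the activation maximum duration.

```powershell
#Requires -Modules AzureADPreview
# Added example (not part of the original post). Function and parameter names are my own.
# Assumes an existing Connect-AzureAD session, as the post's procedure requires.

function Get-PimActivationSetting {
    [CmdletBinding()]
    param(
        # [guid] rejects malformed IDs before any filter string is built from them
        [Parameter(Mandatory)][guid]$SubscriptionId,
        [Parameter(Mandatory)][guid]$RoleDefinitionId
    )
    # PIM addresses the subscription by its own resource id, not the ARM id.
    # An empty result means PIM does not manage this subscription yet.
    $resource = Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' `
        -Filter "ExternalId eq '/subscriptions/$SubscriptionId'"
    if (-not $resource) { throw "Subscription $SubscriptionId is not managed by PIM" }

    $roleSetting = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'AzureResources' `
        -Filter "ResourceId eq '$($resource.Id)' and RoleDefinitionId eq '$RoleDefinitionId'"
    if (-not $roleSetting) { throw "No PIM role setting for role $RoleDefinitionId on $SubscriptionId" }

    # UserMemberSettings holds the activation rules. Each rule's Setting is a JSON string
    # keyed by RuleIdentifier; decode them all so every activation rule can be inspected.
    $rules = @{}
    foreach ($rule in $roleSetting.UserMemberSettings) {
        $rules[$rule.RuleIdentifier] = $rule.Setting | ConvertFrom-Json
    }
    $expiration = $rules['ExpirationRule']
    $maxHours = $null
    $permanent = $null
    if ($expiration) {
        $maxHours = $expiration.maximumGrantPeriodInMinutes / 60
        $permanent = [bool]$expiration.permanentAssignment
    }
    [pscustomobject]@{
        RoleSettingId       = $roleSetting.Id
        PimResourceId       = $resource.Id
        MaxActivationHours  = $maxHours
        PermanentAssignment = $permanent
        Rules               = $rules   # raw decoded rules (MfaRule, JustificationRule, ApprovalRule, ...)
    }
}

function Set-PimActivationDuration {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][guid]$SubscriptionId,
        [Parameter(Mandatory)][guid]$RoleDefinitionId,
        # PIM caps the activation window at 24 hours; reject anything outside that range
        # before touching the tenant. Shorter windows mean tighter just-in-time access.
        [Parameter(Mandatory)][ValidateRange(1, 24)][int]$Hours
    )
    $before = Get-PimActivationSetting -SubscriptionId $SubscriptionId -RoleDefinitionId $RoleDefinitionId
    if ($before.MaxActivationHours -eq $Hours) {
        Write-Verbose "Activation maximum is already $Hours h; nothing to do"
        return $before
    }

    # Build the ExpirationRule payload with ConvertTo-Json instead of hand-escaped quotes.
    $setting = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRuleSetting
    $setting.RuleIdentifier = 'ExpirationRule'
    $setting.Setting = [ordered]@{
        permanentAssignment         = $false
        maximumGrantPeriodInMinutes = $Hours * 60
    } | ConvertTo-Json -Compress

    $target = "PIM activation maximum for role $RoleDefinitionId on subscription $SubscriptionId"
    if ($PSCmdlet.ShouldProcess($target, "Change from $($before.MaxActivationHours) h to $Hours h")) {
        Set-AzureADMSPrivilegedRoleSetting -ProviderId 'AzureResources' -Id $before.RoleSettingId `
            -ResourceId $before.PimResourceId -RoleDefinitionId $RoleDefinitionId -UserMemberSettings $setting

        # Read the setting back rather than trusting the write; this is the check to keep in change records.
        $after = Get-PimActivationSetting -SubscriptionId $SubscriptionId -RoleDefinitionId $RoleDefinitionId
        if ($after.MaxActivationHours -ne $Hours) {
            throw "Verification failed: PIM reports $($after.MaxActivationHours) h, expected $Hours h"
        }
        return $after
    }
}

# Usage: preview the change without applying it, then apply (ConfirmImpact=High prompts first) and verify.
# Set-PimActivationDuration -SubscriptionId '<subscription id>' -RoleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' -Hours 4 -WhatIf
# Set-PimActivationDuration -SubscriptionId '<subscription id>' -RoleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' -Hours 4 -Verbose
```

Get-PimActivationSetting on its own is a useful audit step: run it across the roles you care about before and after a change and diff the Rules output, since the ExpirationRule is only one of the activation rules (MFA, justification and approval requirements live in the same collection) and a change to one should not silently alter the others.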
Links that I used frequently during development: