
Helping people not hurt their Azure environments by restricting privileged access to a time-based window, making ClickOps more of an effort.

The Setting

Since we all want to avoid YoloIT-ing it with regards to security, lowering the exposure of privileged accounts by following the least privilege principle and implementing just-in-time access are a couple of important steps. In Azure we can use Privileged Identity Management (PIM) to help with this. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on the resources that you care about. Read more about it: What does it do?
In short: “NO! You do not need permanent Owner 24/7 to do your job. If so, you are doing it wrong (according to how to Azure LINK).”

The Goal

Be able to programmatically create eligible assignments in PIM, or in other words connect the dots between a user/group, an Azure resource and a role. Doing this ClickOps style does not scale and… is a little on the Yolo side of things.

The Problem

  • How to programmatically make someone eligible for a role.
  • For Yolo’s sake… all these Y#¤%& emails each time basically anything happens to any assignment in PIM. How do I configure a PIM role with code?
  • There are many blogs that tackle these problems, but mainly for Azure AD, not so much for Azure resources.

One way to solve it

Some references and articles for further reading:

  • summary of PIM + REST API
  • Github issue that explained
  • the Get-AccessToken
  • invoke web request
  • Reference for finding policy
  • Reference for updating policy

firstly - onboarding

second - finding the settings to modify

third - how to find the roleAssignment

soon there - making an update to the role configuration

finally - making users eligible
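The whole sequence above (token, find the policy, update its rules, make a principal eligible) as an added PowerShell example against the Azure role-management REST API; this is not code from the original post. It assumes Az.Accounts is installed and Connect-AzAccount has been run; the subscription id, principal object id and role name are placeholders.

```powershell
# Added example, not from the original post. Placeholders: replace before use.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription id
$principalId    = '11111111-1111-1111-1111-111111111111'   # placeholder user/group object id
$roleName       = 'Contributor'                            # role to make the principal eligible for
$scope          = "/subscriptions/$subscriptionId"
$arm            = 'https://management.azure.com'

# 1. One ARM token, reused for every call (handles both string and SecureString .Token)
$tok = (Get-AzAccessToken -ResourceUrl "$arm/").Token
if ($tok -is [securestring]) { $tok = [System.Net.NetworkCredential]::new('', $tok).Password }
$headers = @{ Authorization = "Bearer $tok"; 'Content-Type' = 'application/json' }

# 2. Resolve the role definition id from its display name at this scope
$defs = Invoke-RestMethod -Headers $headers -Method Get -Uri `
  "$arm$scope/providers/Microsoft.Authorization/roleDefinitions?`$filter=roleName eq '$roleName'&api-version=2022-04-01"
$roleDefinitionId = $defs.value[0].id

# 3. Find the PIM policy assigned to that role at this scope (this is "the settings to modify")
$pa = Invoke-RestMethod -Headers $headers -Method Get -Uri `
  "$arm$scope/providers/Microsoft.Authorization/roleManagementPolicyAssignments?`$filter=roleDefinitionId eq '$roleDefinitionId'&api-version=2020-10-01"
$policyId = $pa.value[0].properties.policyId   # full resource id of the roleManagementPolicy

# 4. PATCH only the rules we care about: keep admin eligibility mail but only for 'Critical'
#    events, cap activations at 8 hours, and require justification + MFA to activate.
$rules = @(
  @{ id = 'Notification_Admin_Admin_Eligibility'; ruleType = 'RoleManagementPolicyNotificationRule'
     notificationType = 'Email'; recipientType = 'Admin'; notificationLevel = 'Critical'
     isDefaultRecipientsEnabled = $true; notificationRecipients = @()
     target = @{ caller = 'Admin'; operations = @('All'); level = 'Eligibility' } },
  @{ id = 'Expiration_EndUser_Assignment'; ruleType = 'RoleManagementPolicyExpirationRule'
     isExpirationRequired = $true; maximumDuration = 'PT8H'
     target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment' } },
  @{ id = 'Enablement_EndUser_Assignment'; ruleType = 'RoleManagementPolicyEnablementRule'
     enabledRules = @('Justification', 'MultiFactorAuthentication')
     target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment' } }
)
$body = @{ properties = @{ rules = $rules } } | ConvertTo-Json -Depth 10
Invoke-RestMethod -Headers $headers -Method Patch -Uri "$arm${policyId}?api-version=2020-10-01" -Body $body | Out-Null

# 5. Make the principal eligible (not active) for the role; the eligibility itself expires after a year
$requestName = [guid]::NewGuid().Guid   # request name must be a new GUID
$elig = @{ properties = @{
  principalId = $principalId; roleDefinitionId = $roleDefinitionId; requestType = 'AdminAssign'
  scheduleInfo = @{ startDateTime = (Get-Date).ToUniversalTime().ToString('o')
                    expiration = @{ type = 'AfterDuration'; duration = 'P365D' } } } } | ConvertTo-Json -Depth 10
$result = Invoke-RestMethod -Headers $headers -Method Put -Body $elig -Uri `
  "$arm$scope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/${requestName}?api-version=2020-10-01"
$result.properties.status
```

Step 4 sends only the rules listed; rules not included in the PATCH body keep their current values, so check the policy's full rule set (GET on `$policyId`) afterwards to confirm nothing else was loosened.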

The Future

I hope this can also be done using a template; it would be much easier that way. For now I have not handled onboarding. This is no longer needed, but you will find your subscriptions listed as unmanaged, and that is borderline YoloITing even if it does work.

The End

Questions, comments and so on, send it: i.need.permanent.owner@yoloit.no
Live long and Yolo!