Entra ID Privileged Identity Management (PIM) is a feature of Entra ID that helps you manage, control, and monitor access to important resources in your organization. With PIM, you can enable just-in-time access for users, set up approval workflows for access requests, and monitor active access to ensure that it is being used by your organization’s policies. This can help you reduce the risk of security breaches and ensure that your critical resources are only accessed by authorized users.
A few days ago, I published a script that lists all the Entra ID roles and from there, you can see that we have a lot of built-in Entra ID roles.
Strengthen Your Security with Entra ID Assessment
If you have completed all the Entra ID Privileged Identity Management roles configuration, it would be beneficial to verify if the settings align with your organization’s policies and if anything has been missed. I have created a PowerShell script that can generate a CSV file. This includes Role ID, Role Name, Permanent Assignment status, Maximum Grant Period in Minutes, MFA Required status, Approval status, and the users who can approve access requests. This script can help you ensure that your settings are properly configured and help you identify any potential gaps.
PS! This script is still based on the AzureADPreview PowerShell Module.
Audit-AzureADPIMRoleSettings.ps1 PowerShell Script
This script reads all the Azure AD roles from my GitHub account and then uses the Get-AzureADMSPrivilegedRoleSetting cmdlet to get role settings. You can always combine Microsoft Graph and AzureADPreview modules together too.
#Install AzureADPreview PowerShell Module
Install-module AzureADPreview -Force -Verbose
#Connect Azure AD
Connect-AzureAD
#Audit file location. It creates a CSV file
$AuditFileLocation = "C:\AADAudit.csv"
#Get Azure AD Tenant ID
$AzureADTenantDID = (Get-AzureADTenantDetail).ObjectId
#Azure AD Role names and IDs on my GitHub account
$URL = "https://raw.githubusercontent.com/Kaidja/AzureActiveDirectory/main/AzureADRoles.json"
#Convert Azure AD Roles from JSON
$AADGitHubRoles = (Invoke-WebRequest -Uri $URL -UseBasicParsing).Content | ConvertFrom-Json
#Process the AD roles and gather the data for each role
foreach($AADRole in $AADGitHubRoles){
Write-Output -InputObject "---- Processing $($AADRole.DisplayName)"
#Define the query filter
$Filter = "ResourceId eq '$($AzureADTenantDID)' and RoleDefinitionId eq '$($AADRole.ID)'"
$PIMADRoleSettings = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Filter $Filter
#Get the PIM role settings
$ExpirationRule = $PIMADRoleSettings.UserMemberSettings[0].Setting | ConvertFrom-Json
$MfaRule = $PIMADRoleSettings.UserMemberSettings[1].Setting | ConvertFrom-Json
$JustificationRule = $PIMADRoleSettings.UserMemberSettings[2].Setting | ConvertFrom-Json
$TicketingRule = $PIMADRoleSettings.UserMemberSettings[3].Setting | ConvertFrom-Json
$ApprovalRule = $PIMADRoleSettings.UserMemberSettings[4].Setting | ConvertFrom-Json
#Build object for each role
$PIMProperties = $null
$PIMProperties = [ORDERED]@{
RoleID = $AADRole.Id
RoleName = $AADRole.DisplayName
PermanentAssignment = $ExpirationRule.permanentAssignment
MaximumGrantPeriodInMinutes = $ExpirationRule.maximumGrantPeriodInMinutes
MfaRequired = $MfaRule.mfaRequired
Required = $JustificationRule.required
TicketingRequired = $TicketingRule.ticketingRequired
}
#Add Approvals, if exist
$i = 1
foreach($Approval in $ApprovalRule.Approvers){
$PIMProperties += @{
"Approval $i" = $Approval.DisplayName
}
$i++
}
$Object = New-Object -TypeName PSObject -Property $PIMProperties
#Convert to CSV
$Object | ConvertTo-Csv -OutVariable ExportData -NoTypeInformation -Delimiter ";" | Out-Null
#Export Role settings to a CSV file
$ExportData[1..($ExportData.count - 1)] | ForEach-Object { Add-Content -Value $PSItem -Path $AuditFileLocation }
}
