Audit Entra ID Privileged Identity Management Role Settings

Entra ID Privileged Identity Management (PIM) is a feature of Entra ID that helps you manage, control, and monitor access to important resources in your organization. With PIM, you can enable just-in-time access for users, set up approval workflows for access requests, and monitor active access to ensure that it is used in line with your organization’s policies. This helps reduce the risk of security breaches and ensures that your critical resources are only accessed by authorized users.

A few days ago, I published a script that lists all the Entra ID roles and from there, you can see that we have a lot of built-in Entra ID roles.

 


If you have completed all the Entra ID Privileged Identity Management role configuration, it would be beneficial to verify whether the settings align with your organization’s policies and whether anything has been missed. I have created a PowerShell script that generates a CSV file. It includes Role ID, Role Name, Permanent Assignment status, Maximum Grant Period in Minutes, MFA Required status, Approval status, and the users who can approve access requests. This script can help you ensure that your settings are properly configured and help you identify any potential gaps.

PS! This script is still based on the AzureADPreview PowerShell Module.

Audit-AzureADPIMRoleSettings.ps1 PowerShell Script

This script reads all the Azure AD roles from my GitHub account and then uses the Get-AzureADMSPrivilegedRoleSetting cmdlet to get role settings. You can always combine Microsoft Graph and AzureADPreview modules together too.

```powershell
#Install AzureADPreview PowerShell Module
Install-Module AzureADPreview -Force -Verbose

#Connect Azure AD
Connect-AzureAD

#Audit file location. It creates a CSV file
$AuditFileLocation = "C:\AADAudit.csv"
#Get Azure AD Tenant ID
$AzureADTenantId = (Get-AzureADTenantDetail).ObjectId

#Azure AD Role names and IDs on my GitHub account
$URL = "https://raw.githubusercontent.com/Kaidja/AzureActiveDirectory/main/AzureADRoles.json"
#Convert Azure AD Roles from JSON
$AADGitHubRoles = (Invoke-WebRequest -Uri $URL -UseBasicParsing).Content | ConvertFrom-Json

#Process the AD roles and gather the data for each role
$Results = foreach($AADRole in $AADGitHubRoles){

    Write-Host "---- Processing $($AADRole.DisplayName)"

    #Define the query filter
    $Filter = "ResourceId eq '$($AzureADTenantId)' and RoleDefinitionId eq '$($AADRole.Id)'"
    $PIMADRoleSettings = Get-AzureADMSPrivilegedRoleSetting -ProviderId 'aadRoles' -Filter $Filter

    if (-not $PIMADRoleSettings) {
        Write-Warning -Message "No PIM settings returned for $($AADRole.DisplayName); skipping"
        continue
    }

    #Get the PIM role settings. Select each rule by its RuleIdentifier instead of
    #by array position, because the order of UserMemberSettings is not guaranteed
    $Rules = @{}
    foreach ($Rule in $PIMADRoleSettings.UserMemberSettings) {
        $Rules[$Rule.RuleIdentifier] = $Rule.Setting | ConvertFrom-Json
    }
    $ExpirationRule    = $Rules['ExpirationRule']
    $MfaRule           = $Rules['MfaRule']
    $JustificationRule = $Rules['JustificationRule']
    $TicketingRule     = $Rules['TicketingRule']
    $ApprovalRule      = $Rules['ApprovalRule']

    #Build object for each role
    [PSCustomObject][ORDERED]@{
        RoleID                      = $AADRole.Id
        RoleName                    = $AADRole.DisplayName
        PermanentAssignment         = $ExpirationRule.permanentAssignment
        MaximumGrantPeriodInMinutes = $ExpirationRule.maximumGrantPeriodInMinutes
        MfaRequired                 = $MfaRule.mfaRequired
        JustificationRequired       = $JustificationRule.required
        TicketingRequired           = $TicketingRule.ticketingRequired
        #Approvers, if any, go into one column so every row has the same layout
        Approvers                   = ($ApprovalRule.approvers.displayName -join ', ')
    }
}

#Export Role settings to a CSV file (the header row is written once)
$Results | Export-Csv -Path $AuditFileLocation -Delimiter ";" -NoTypeInformation
```
Audit Azure Active Directory Privileged Identity Role Settings
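As an added example that is not part of the original script, the following function checks the exported rows against an assumed baseline: no permanent assignment, MFA and justification required on activation, an activation window of at most eight hours, and at least one approver on the roles you name. The function name, thresholds and role list are assumptions, and the sample rows are constructed to match the CSV layout the audit script writes.

```powershell
# Added example: evaluate audit rows against an assumed baseline policy.
function Test-PimRoleSettingBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,      # rows from Import-Csv -Delimiter ';'
        [int] $MaxGrantMinutes = 480,                 # assumed limit: 8 hours
        [string[]] $ApprovalRequiredRoles = @('Global Administrator', 'Privileged Role Administrator')
    )
    foreach ($Row in $Rows) {
        $Findings = [System.Collections.Generic.List[string]]::new()

        # Imported CSV values are strings, so compare against the text the export wrote
        if ($Row.PermanentAssignment -eq 'True') { $Findings.Add('permanent assignment allowed') }
        if ($Row.MfaRequired -ne 'True')         { $Findings.Add('MFA not required on activation') }
        $Justification = if ($Row.PSObject.Properties['JustificationRequired']) { $Row.JustificationRequired } else { $Row.Required }
        if ($Justification -ne 'True')           { $Findings.Add('justification not required') }

        # An unparseable or over-long activation window is a finding either way
        $Minutes = 0
        if (-not [int]::TryParse([string]$Row.MaximumGrantPeriodInMinutes, [ref]$Minutes) -or $Minutes -gt $MaxGrantMinutes) {
            $Findings.Add("activation window '$($Row.MaximumGrantPeriodInMinutes)' min exceeds $MaxGrantMinutes")
        }

        # Approvers may sit in one 'Approvers' column or in several 'Approval N' columns
        $Approvers = @($Row.PSObject.Properties | Where-Object { $_.Name -match '^Approv' -and $_.Value })
        if ($Row.RoleName -in $ApprovalRequiredRoles -and $Approvers.Count -eq 0) {
            $Findings.Add('no approver configured')
        }

        if ($Findings.Count -gt 0) {
            [PSCustomObject]@{ RoleName = $Row.RoleName; Findings = ($Findings -join '; ') }
        }
    }
}

# Constructed sample rows in the same layout as the exported CSV (IDs are placeholders)
$Sample = @'
"RoleID";"RoleName";"PermanentAssignment";"MaximumGrantPeriodInMinutes";"MfaRequired";"JustificationRequired";"TicketingRequired";"Approvers"
"role-id-placeholder-1";"Global Administrator";"True";"1440";"False";"True";"False";""
"role-id-placeholder-2";"Security Reader";"False";"480";"True";"True";"False";""
'@ | ConvertFrom-Csv -Delimiter ';'

Test-PimRoleSettingBaseline -Rows $Sample | Format-Table -AutoSize
# Against the real export: Import-Csv -Path C:\AADAudit.csv -Delimiter ';' | Test-PimRoleSettingBaseline -Rows { $_ }
```

In the sample, only the Global Administrator row is reported, with four findings; the Security Reader row meets the baseline and produces no output.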
