forked from MicrosoftDocs/entra-docs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpim-resource-roles-activate-your-roles.yml
258 lines (213 loc) · 15.8 KB
/
pim-resource-roles-activate-your-roles.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
### YamlMime:HowTo
metadata:
title: Activate Azure resource roles in PIM
description: Learn how to activate your Azure resource roles in Microsoft Entra Privileged Identity Management (PIM).
author: barclayn
ms.author: barclayn
manager: amycolannino
ms.reviewer: rianakarim
ms.date: 12/19/2024
ms.service: entra-id-governance
ms.subservice: privileged-identity-management
ms.topic: how-to
ms.custom:
- pim
- ge-structured-content-pilot
title: |
Activate my Azure resource roles in Privileged Identity Management
introduction: |
Use Microsoft Entra Privileged Identity Management (PIM), to allow eligible role members for Azure resources to schedule activation for a future date and time. They can also select a specific activation duration within the maximum (configured by administrators).
This article is for members who need to activate their Azure resource role in Privileged Identity Management.
>[!NOTE]
>As of March 2023, you may now activate your assignments and view your access directly from blades outside of PIM in the Azure portal. Read more [here](pim-resource-roles-activate-your-roles.yml#activate-with-azure-portal).
>[!IMPORTANT]
>When a role is activated, Microsoft Entra PIM temporarily adds active assignment for the role. Microsoft Entra PIM creates active assignment (assigns user to a role) within seconds. When deactivation (manual or through activation time expiration) happens, Microsoft Entra PIM removes the active assignment within seconds as well.
>
>Application may provide access based on the role the user has. In some situations, application access may not immediately reflect the fact that user got role assigned or removed. If application previously cached the fact that user does not have a role – when user tries to access application again, access may not be provided. Similarly, if application previously cached the fact that user has a role – when role is deactivated, user may still get access. Specific situation depends on the application’s architecture. For some applications, signing out and signing back in may help get access added or removed.
procedureSection:
- title: |
Activate a role
summary: |
[!INCLUDE [portal updates](~/includes/portal-update.md)]
When you need to take on an Azure resource role, you can request activation by using the **My roles** navigation option in Privileged Identity Management.
>[!NOTE]
> PIM is now available in the Azure mobile app (iOS | Android) for Microsoft Entra ID and Azure resource roles. Easily activate eligible assignments, request renewals for ones that are expiring, or check the status of pending requests. [Read more below](#activate-pim-roles-using-the-azure-mobile-app)
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com)
- |
Browse to **Identity governance** > **Privileged Identity Management** > **My roles**.
[  ](./media/pim-resource-roles-activate-your-roles/resources-my-roles.png#lightbox)
- |
Select **Azure resource roles** to see a list of your eligible Azure resource roles.
- |
In the **Azure resource roles** list, find the role you want to activate.
[  ](./media/pim-resource-roles-activate-your-roles/resources-my-roles-activate.png#lightbox)
- |
Select **Activate** to open the Activate page.
- |
If your role requires multifactor authentication, select **Verify your identity before proceeding**. You only have to authenticate once per session.
- |
Select **Verify my identity** and follow the instructions to provide additional security verification.
- |
If you want to specify a reduced scope, select **Scope** to open the Resource filter pane.
It's a best practice to only request access to the resources you need. On the Resource filter pane, you can specify the resource groups or resources that you need access to.
- |
If necessary, specify a custom activation start time. The member would be activated after the selected time.
- |
In the **Reason** box, enter the reason for the activation request.
- |
Select **Activate**.
>[!NOTE]
>If the [role requires approval](pim-resource-roles-approval-workflow.md) to activate, a notification will appear in the upper right corner of your browser informing you the request is pending approval.
- title: |
Activate a role with Azure Resource Manager API
summary: |
Privileged Identity Management supports Azure Resource Manager API commands to manage Azure resource roles, as documented in the [PIM ARM API reference](/rest/api/authorization/role-eligibility-schedule-requests). For the permissions required to use the PIM API, see [Understand the Privileged Identity Management APIs](pim-apis.md).
To activate an eligible Azure role assignment and gain activated access, use the [Role Assignment Schedule Requests - Create REST API](/rest/api/authorization/role-assignment-schedule-requests/create?tabs=HTTP) to create a new request and specify the security principal, role definition, requestType = SelfActivate and scope. To call this API, you must have an eligible role assignment on the scope.
Use a GUID tool to generate a unique identifier for the role assignment identifier. The identifier has the format: 00000000-0000-0000-0000-000000000000.
Replace {roleAssignmentScheduleRequestName} in the PUT request with the GUID identifier of the role assignment.
For more information about eligible roles for Azure resources management, see [PIM ARM API tutorial](/rest/api/authorization/privileged-role-assignment-rest-sample?source=docs#activate-an-eligible-role-assignment).
This is a sample HTTP request to activate an eligible assignment for an Azure role.
### Request
````HTTP
PUT https://management.azure.com/providers/Microsoft.Subscription/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/{roleAssignmentScheduleRequestName}?api-version=2020-10-01
````
### Request body
````JSON
{
"properties": {
"principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
"roleDefinitionId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"requestType": "SelfActivate",
"linkedRoleEligibilityScheduleId": "b1477448-2cc6-4ceb-93b4-54a202a89413",
"scheduleInfo": {
"startDateTime": "2020-09-09T21:35:27.91Z",
"expiration": {
"type": "AfterDuration",
"endDateTime": null,
"duration": "PT8H"
}
},
"condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'",
"conditionVersion": "1.0"
}
}
````
### Response
Status code: 201
code: |
````HTTP
{
"properties": {
"targetRoleAssignmentScheduleId": "c9e264ff-3133-4776-a81a-ebc7c33c8ec6",
"targetRoleAssignmentScheduleInstanceId": null,
"scope": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
"roleDefinitionId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
"principalType": "User",
"requestType": "SelfActivate",
"status": "Provisioned",
"approvalId": null,
"scheduleInfo": {
"startDateTime": "2020-09-09T21:35:27.91Z",
"expiration": {
"type": "AfterDuration",
"endDateTime": null,
"duration": "PT8H"
}
},
"ticketInfo": {
"ticketNumber": null,
"ticketSystem": null
},
"justification": null,
"requestorId": "a3bb8764-cb92-4276-9d2a-ca1e895e55ea",
"createdOn": "2020-09-09T21:35:27.91Z",
"condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'",
"conditionVersion": "1.0",
"expandedProperties": {
"scope": {
"id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
"displayName": "Pay-As-You-Go",
"type": "subscription"
},
"roleDefinition": {
"id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"displayName": "Contributor",
"type": "BuiltInRole"
},
"principal": {
"id": "a3bb8764-cb92-4276-9d2a-ca1e895e55ea",
"displayName": "User Account",
"email": "user@my-tenant.com",
"type": "User"
}
}
},
"name": "fea7a502-9a96-4806-a26f-eee560e52045",
"id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/RoleAssignmentScheduleRequests/fea7a502-9a96-4806-a26f-eee560e52045",
"type": "Microsoft.Authorization/RoleAssignmentScheduleRequests"
}
````
- title: |
View the status of your requests
summary: |
You can view the status of your pending requests to activate.
steps:
- |
Open Microsoft Entra Privileged Identity Management.
- |
Select **My requests** to see a list of your Microsoft Entra role and Azure resource role requests.
[  ](./media/pim-resource-roles-activate-your-roles/resources-my-requests.png#lightbox)
- |
Scroll to the right to view the **Request Status** column.
- title: |
Cancel a pending request
summary: |
If you don't require activation of a role that requires approval, you can cancel a pending request at any time.
steps:
- |
Open Microsoft Entra Privileged Identity Management.
- |
Select **My requests**.
- |
For the role that you want to cancel, select the **Cancel** link.
When you select Cancel, the request will be canceled. To activate the role again, you will have to submit a new request for activation.
- title: |
Deactivate a role assignment
summary: |
When a role assignment is activated, you see a **Deactivate** option in the PIM portal for the role assignment. Also, you can't deactivate a role assignment within five minutes after activation.
## Activate with Azure portal
Privileged Identity Management role activation is integrated into the Billing and Access Control (AD) extensions within the Azure portal. Shortcuts to Subscriptions (billing) and Access Control (AD) allow you to activate PIM roles directly from these blades.
From the Subscriptions blade, select “View eligible subscriptions” in the horizontal command menu to check your eligible, active, and expired assignments. From there, you can activate an eligible assignment in the same pane.
In Access control (IAM) for a resource, you can now select “View my access” to see your currently active and eligible role assignments and activate directly.
By integrating PIM capabilities into different Azure portal blades, this new feature allows you to gain temporary access to view or edit subscriptions and resources more easily.
## Activate PIM roles using the Azure mobile app
PIM is now available in the Microsoft Entra ID and Azure resource roles mobile apps in both iOS and Android.
steps:
- |
To activate an eligible Microsoft Entra role assignment, start by downloading the Azure mobile app ([iOS](https://apps.apple.com/us/app/microsoft-azure/id1219013620) | [Android](https://play.google.com/store/apps/details?id=com.microsoft.azure)). You can also download the app by selecting **Open in mobile** from Privileged Identity Management > My roles > Microsoft Entra roles.
:::image type="content" source="./media/pim-resource-roles-activate-your-roles/download-mobile-app.png" alt-text="Screenshot shows how to download the mobile app." lightbox="./media/pim-resource-roles-activate-your-roles/download-mobile-app.png":::
- |
Open the Azure mobile app and sign in. Click on the ‘Privileged Identity Management’ card and select **My Azure Resource roles** to view your eligible and active role assignments.
:::image type="content" source="./media/pim-resource-roles-activate-your-roles/mobile-select-role.png" alt-text="Screenshot of the mobile app showing privileged identity managementand the user's roles." lightbox="./media/pim-resource-roles-activate-your-roles/mobile-select-role.png":::
- |
Select the role assignment and click on **Action > Activate** under the role assignment details. Complete the steps to active and fill in any required details before clicking **Activate** at the bottom.
:::image type="content" source="./media/pim-resource-roles-activate-your-roles/mobile-activate-role.png" alt-text="Screenshot of the mobile app showing the validation process has completed. The image shows an Activate button." lightbox="./media/pim-resource-roles-activate-your-roles/mobile-activate-role.png":::
- |
View the status of your activation requests and your role assignments under ‘My Azure Resource roles’.
:::image type="content" source="./media/pim-resource-roles-activate-your-roles/mobile-activation-processing.png" alt-text="Screenshot of the mobile app showing the activation in progress message." lightbox="./media/pim-resource-roles-activate-your-roles/mobile-activation-processing.png":::
relatedContent:
- text: Extend or renew Azure resource roles in Privileged Identity Management
url: pim-resource-roles-renew-extend.md
- text: Activate my Microsoft Entra roles in Privileged Identity Management
url: pim-how-to-activate-role.yml