dirkjanm / ROADtools

A collection of Azure AD/Entra tools for offensive and defensive security purposes

Feature: Include PIM eligible users

m8r1us opened this issue · comments

Include PIM eligible users. Currently only permanently assigned users via Azure AD are in the report.

I'd love to include this, but PIM isn't included in the Azure AD graph. It is present in the Microsoft Graph but that data model isn't compatible with ROADtools currently. Plus according to the docs you can only enumerate this if you're in an admin role: https://docs.microsoft.com/en-us/graph/api/privilegedrole-get?view=graph-rest-beta&tabs=http

Long story short: will have a look at implementing this but it's not something that will be feasible on a short term

You are right. I will also dig a bit.

For the Azure IaaS/Paas part:
The following endpoint would work for Azure RBAC PIM if you have read rights on the subscription/mgmt group:
https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess
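As an added example (not code from ROADtools or from either participant in this thread), the following Python queries the PIM endpoint named in the comment above with a bearer token and separates eligible from active Azure RBAC assignments. Everything beyond the base URL is an assumption: the `azureResources/roleAssignments` path, the `$expand`/`$filter` parameters, the token audience, and the `assignmentState`, `memberType`, `subject` and `roleDefinition` fields in the response are modelled on how the Azure portal drives this API, not on anything the issue states; the `SAMPLE` payload is constructed for offline testing.

```python
"""Enumerate Azure RBAC PIM assignments via the mspim API and split eligible from active.

Added example, not ROADtools code. Path, query parameters and response field names
are assumptions (based on the portal's own calls) and should be verified in a tenant.
"""
import json
import urllib.parse
import urllib.request

# Base endpoint from the issue comment; the sub-path below is an assumption.
BASE = "https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess"


def build_url(expand="subject,roleDefinition($expand=resource)", odata_filter=None):
    """Build the roleAssignments query URL (path and parameters are assumed)."""
    params = {"$expand": expand}
    if odata_filter:
        params["$filter"] = odata_filter
    return f"{BASE}/azureResources/roleAssignments?{urllib.parse.urlencode(params)}"


def fetch_assignments(access_token, url=None):
    """Fetch assignments with a bearer token.

    The token must be issued for the PIM API audience (assumed to be
    https://api.azrbac.mspim.azure.com), not for the ARM or Graph audience.
    Read access on the subscription/management group is required.
    """
    req = urllib.request.Request(
        url or build_url(),
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("value", [])


def summarise(assignment):
    """Reduce one assignment object to the fields a report needs (field names assumed)."""
    subject = assignment.get("subject", {})
    role = assignment.get("roleDefinition", {})
    resource = role.get("resource", {})
    return {
        "subject": subject.get("displayName") or subject.get("id"),
        "subjectType": subject.get("type"),
        "role": role.get("displayName"),
        "scope": resource.get("externalId"),
        "state": assignment.get("assignmentState"),
        "memberType": assignment.get("memberType"),
    }


def split_by_state(assignments):
    """Bucket assignments by assignmentState so eligible ones are not lost in a report."""
    buckets = {"Eligible": [], "Active": [], "Other": []}
    for a in assignments:
        state = a.get("assignmentState")
        buckets.get(state, buckets["Other"]).append(summarise(a))
    return buckets


def eligible_only(assignments):
    """Just the eligible assignments, which a permanent-assignment report would miss."""
    return split_by_state(assignments)["Eligible"]


# Constructed sample response for offline use; shape is an assumption.
SAMPLE = {
    "value": [
        {"id": "a1", "assignmentState": "Eligible", "memberType": "Direct",
         "subject": {"id": "u-1", "displayName": "alice", "type": "User"},
         "roleDefinition": {"displayName": "Owner",
                            "resource": {"externalId": "/subscriptions/sub-example"}}},
        {"id": "a2", "assignmentState": "Active", "memberType": "Direct",
         "subject": {"id": "u-2", "displayName": "bob", "type": "User"},
         "roleDefinition": {"displayName": "Contributor",
                            "resource": {"externalId": "/subscriptions/sub-example"}}},
        {"id": "a3", "assignmentState": "Eligible", "memberType": "Group",
         "subject": {"id": "g-1", "displayName": "cloud-ops", "type": "Group"},
         "roleDefinition": {"displayName": "User Access Administrator",
                            "resource": {"externalId": "/providers/Microsoft.Management/managementGroups/mg-example"}}},
    ]
}

if __name__ == "__main__":
    for row in eligible_only(SAMPLE["value"]):
        print(row)
```

Eligible group assignments (`memberType` of `Group` in the sample) matter for an offensive report: a member of such a group can activate the role even though no direct assignment points at the user.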

To my surprise this was actually possible to add to ROADtools, implemented in cc0fd8e