Povratne informacije Uredi

Activate my Azure resource roles in Privileged Identity Management

  • Članak
  • 3 min. za čitanje

Use Privileged Identity Management (PIM) to allow eligible role members for Azure resources to schedule activation for a future date and time. They can also select a specific activation duration within the maximum (configured by administrators).

This article is for members who need to activate their Azure resource role in Privileged Identity Management.

Activate a role

When you need to take on an Azure resource role, you can request activation by using the My roles navigation option in Privileged Identity Management.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management. For information about how to add the Privileged Identity Management tile to your dashboard, see Start using Privileged Identity Management.

  3. Select My roles.

    My roles page showing roles you can activate

  4. Select Azure resource roles to see a list of your eligible Azure resource roles.

    My roles - Azure resource roles page

  5. In the Azure resource roles list, find the role you want to activate.

    Azure resource roles - My eligible roles list

  6. Select Activate to open the Activate page.

    The opened Activate pane with scope, start time, duration, and reason

  7. If your role requires multi-factor authentication, select Verify your identity before proceeding. You only have to authenticate once per session.

    Verify my identity with MFA before role activation

  8. Select Verify my identity and follow the instructions to provide additional security verification.

    Screen to provide security verification such as a PIN code

  9. If you want to specify a reduced scope, select Scope to open the Resource filter pane.

    It's a best practice to only request access to the resources you need. On the Resource filter pane, you can specify the resource groups or resources that you need access to.

    Activate - Resource filter pane to specify scope

  10. If necessary, specify a custom activation start time. The member would be activated after the selected time.

  11. In the Reason box, enter the reason for the activation request.

    Completed Activate pane with scope, start time, duration, and reason

  12. Select Activate.

    If the role requires approval to activate, a notification will appear in the upper right corner of your browser informing you the request is pending approval.

    Activation request is pending approval notification

Activate a role with ARM API

Privileged Identity Management supports Azure Resource Manager (ARM) API commands to manage Azure resource roles, as documented in the PIM ARM API reference. For the permissions required to use the PIM API, see Understand the Privileged Identity Management APIs.

The following is a sample HTTP request to activate an eligible assignment for an Azure role.

Request

PUT https://management.azure.com/providers/Microsoft.Subscription/subscriptions/dfa2a084-766f-4003-8ae1-c4aeb893a99f/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/64caffb6-55c0-4deb-a585-68e948ea1ad6?api-version=2020-10-01-preview

Request body

{
  "properties": {
    "principalId": "a3bb8764-cb92-4276-9d2a-ca1e895e55ea",
    "roleDefinitionId": "/subscriptions/dfa2a084-766f-4003-8ae1-c4aeb893a99f/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
    "requestType": "SelfActivate",
    "linkedRoleEligibilityScheduleId": "b1477448-2cc6-4ceb-93b4-54a202a89413",
    "scheduleInfo": {
      "startDateTime": "2020-09-09T21:35:27.91Z",
      "expiration": {
        "type": "AfterDuration",
        "endDateTime": null,
        "duration": "PT8H"
      }
    },
    "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'",
    "conditionVersion": "1.0"
  }
}

Response

Status code: 201

{
  "properties": {
    "targetRoleAssignmentScheduleId": "c9e264ff-3133-4776-a81a-ebc7c33c8ec6",
    "targetRoleAssignmentScheduleInstanceId": null,
    "scope": "/providers/Microsoft.Subscription/subscriptions/dfa2a084-766f-4003-8ae1-c4aeb893a99f",
    "roleDefinitionId": "/subscriptions/dfa2a084-766f-4003-8ae1-c4aeb893a99f/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
    "principalId": "a3bb8764-cb92-4276-9d2a-ca1e895e55ea",
    "principalType": "User",
    "requestType": "SelfActivate",
    "status": "Provisioned",
    "approvalId": null,
    "scheduleInfo": {
      "startDateTime": "2020-09-09T21:35:27.91Z",
      "expiration": {
        "type": "AfterDuration",
        "endDateTime": null,
        "duration": "PT8H"
      }
    },
    "ticketInfo": {
      "ticketNumber": null,
      "ticketSystem": null
    },
    "justification": null,
    "requestorId": "a3bb8764-cb92-4276-9d2a-ca1e895e55ea",
    "createdOn": "2020-09-09T21:35:27.91Z",
    "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'",
    "conditionVersion": "1.0",
    "expandedProperties": {
      "scope": {
        "id": "/subscriptions/dfa2a084-766f-4003-8ae1-c4aeb893a99f",
        "displayName": "Pay-As-You-Go",
        "type": "subscription"
      },
      "roleDefinition": {
        "id": "/subscriptions/dfa2a084-766f-4003-8ae1-c4aeb893a99f/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
        "displayName": "Contributor",
        "type": "BuiltInRole"
      },
      "principal": {
        "id": "a3bb8764-cb92-4276-9d2a-ca1e895e55ea",
        "displayName": "User Account",
        "email": "user@my-tenant.com",
        "type": "User"
      }
    }
  },
  "name": "fea7a502-9a96-4806-a26f-eee560e52045",
  "id": "/providers/Microsoft.Subscription/subscriptions/dfa2a084-766f-4003-8ae1-c4aeb893a99f/providers/Microsoft.Authorization/RoleAssignmentScheduleRequests/fea7a502-9a96-4806-a26f-eee560e52045",
  "type": "Microsoft.Authorization/RoleAssignmentScheduleRequests"
}

View the status of your requests

You can view the status of your pending requests to activate.

  1. Open Azure AD Privileged Identity Management.

  2. Select My requests to see a list of your Azure AD role and Azure resource role requests.

    My requests - Azure resource page showing your pending requests

  3. Scroll to the right to view the Request Status column.

Cancel a pending request

If you do not require activation of a role that requires approval, you can cancel a pending request at any time.

  1. Open Azure AD Privileged Identity Management.

  2. Select My requests.

  3. For the role that you want to cancel, select the Cancel link.

    When you select Cancel, the request will be canceled. To activate the role again, you will have to submit a new request for activation.

    My request list with Cancel action highlighted

Deactivate a role assignment

When a role assignment is activated, you'll see a Deactivate option in the PIM portal for the role assignment. When you select Deactivate, there's a short time lag before the role is deactivated. Also, you can't deactivate a role assignment within five minutes after activation.

Troubleshoot

Permissions are not granted after activating a role

When you activate a role in Privileged Identity Management, the activation may not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may result in the change not taking effect immediately. If your activation is delayed, here is what you should do.

  1. Sign out of the Azure portal and then sign back in.
  2. In Privileged Identity Management, verify that you are listed as the member of the role.

Next steps