Question asked by ArnaudRigole-0792

Azure PIM for global reader role - No resources to discover

Hi everyone,

I'm currently testing Azure PIM to delegate read permissions to our Azure tenant.

I've assigned the "Global reader" role to a test account with PIM, and the account has validated the access.
The scope defined is "Directory" and I cannot change it, as it's greyed out.

[screenshot: 124352-chrome-fz0qdxug7i.png]


Once done and logged in with that account, I can confirm that my account has the Global Reader role:


[screenshot: 124342-chrome-89htk32x1y.png]


I cannot discover any resources, as it says...

[screenshot: 124363-chrome-dbf8poy40j.png]



So how do I proceed?

If you tell me that I have to give some RBAC permission as well, what is the use of that "Global reader" we assign in PIM? By the way, I could give owner (write) permissions
on a subscription or management group, so my original "Global reader" would mean nothing, no?

Thanks in advance!
Arnaud

Tags: azure-rbac, azure-ad-privileged-identity-management

ArnaudRigole-0792 answered

Late comeback, but some interesting info...

There is a preview feature on Azure which permits granting RBAC-based roles with PIM: "Privileged Access groups".
It can be used to put users in custom AAD groups, which you can bind to Azure resources.
Consider that the AAD group attribute "Azure AD roles can be assigned to the group" must be set to "Yes" when you create the group.
More info here: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features

Thanks for the help.

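The workflow described in the answer above, as an added example that is not part of the original thread: create a role-assignable security group, give that group the Azure RBAC "Reader" role on one subscription, and make a user eligible (not a permanent member) for the group through PIM for groups. It assumes the Az and Microsoft.Graph PowerShell modules are installed and that the subscription ID, UPN and group name are placeholders; the eligibility request body follows the Graph v1.0 `identityGovernance/privilegedAccess/group` API as I understand it, so check the current reference before relying on the schema.

```powershell
# Added example (not from the original thread). Placeholders below must be replaced.
$subscriptionId  = '00000000-0000-0000-0000-000000000000'   # placeholder subscription
$eligibleUserUpn = 'reader.test@contoso.example'            # placeholder test account
$groupName       = 'PIM-Azure-Reader-Subscription'          # placeholder group name

Connect-AzAccount -Subscription $subscriptionId | Out-Null
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
                        'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup' | Out-Null

# 1. The group must be created role-assignable. IsAssignableToRole is fixed at creation
#    time; it is the "Azure AD roles can be assigned to the group = Yes" switch.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -MailEnabled:$false -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled -IsAssignableToRole `
        -Description 'Eligible read-only access to Azure resources via PIM for groups'
}

# 2. The permanent Azure RBAC assignment goes to the *group*, at subscription scope.
#    Reader is read-only: nothing here grants Contributor or Owner rights.
$scope = "/subscriptions/$subscriptionId"
if (-not (Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName Reader -Scope $scope)) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName Reader -Scope $scope | Out-Null
}

# 3. The user becomes *eligible* for membership. Activation happens in PIM under the
#    group's activation policy (MFA, approval, maximum activation duration).
#    Assumption: request schema per the Graph v1.0 privilegedAccess/group reference.
$user = Get-MgUser -UserId $eligibleUserUpn
$body = @{
    accessId      = 'member'
    principalId   = $user.Id
    groupId       = $group.Id
    action        = 'adminAssign'
    justification = 'Read-only Azure access for service provider review'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P90D' }   # eligibility ends after 90 days
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# 4. Check: the user has no *direct* RBAC assignment; the Reader right exists only on the
#    group, so the user holds it only while a PIM activation makes them a member.
Get-AzRoleAssignment -ObjectId $user.Id  -Scope $scope   # expected: nothing
Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope   # expected: Reader at $scope
```

The point of routing the RBAC assignment through the group rather than the user is that the time limit, approval and MFA requirements are enforced on the group membership by PIM, while the subscription itself only ever sees a static Reader assignment to a group that is empty until someone activates.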

ArnaudRigole-0792 answered (edited)

Thanks for your answers. So if I understand correctly:
I cannot use PIM to manage read-only access to Azure resources?

Edit: OK, as seen here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-reader, "Privileged Access Management (PAM) doesn't support the Global Reader role." It's a shame :(

So how do you delegate that kind of read-only privilege for a defined period of time (like for service providers...) and with a just-in-time / validation system?


MarileeTurscak-MSFT answered (edited)

The Global Reader role allows the user to view all Azure Active Directory resources in the same way that the Global Admin role can do this. If you are trying to give read-only to Azure subscription Resources, add the users to the Azure Role: "Readers".

The screenshot you posted is in the Privileged Identity Management tab, where subscription resources would reside. PIM resources are only visible when you have an active role assignment, and they are managed by PIM. Otherwise they will not be seen in the console. The roles for each resource are managed separately.

[screenshot: 124368-image.png]

So yes, as you correctly observed, the Global Reader role isn't intended for subscription resources alone and you would need to add an Azure Role here.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources

https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-reader



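The distinction made in the answer above, as an added example that is not part of the original thread: list the directory (Azure AD) roles held by the test account, list its Azure RBAC assignments at the subscription, and then make it eligible for the RBAC "Reader" role through PIM for Azure resources, which is what the "Azure resources" view of PIM actually discovers. It assumes the Az and Microsoft.Graph PowerShell modules are installed; the subscription ID and UPN are placeholders.

```powershell
# Added example (not from the original thread). Placeholders below must be replaced.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription
$testUpn        = 'reader.test@contoso.example'            # placeholder test account
$scope          = "/subscriptions/$subscriptionId"

Connect-AzAccount -Subscription $subscriptionId | Out-Null
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory' | Out-Null
$user = Get-MgUser -UserId $testUpn

# Directory roles: this is where Global Reader lives, with the fixed "Directory" scope.
$directoryRoles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
"Directory roles for ${testUpn}: $($directoryRoles -join ', ')"

# Azure RBAC roles: the only thing PIM > Azure resources and the Discover page look at.
# An account that holds nothing but Global Reader gets an empty list here, which is
# exactly the "No resources to discover" situation in the question.
$rbac = Get-AzRoleAssignment -ObjectId $user.Id -Scope $scope -ExpandPrincipalGroups
"Azure RBAC assignments at ${scope}: $(@($rbac).Count)"

# Make the account *eligible* for Reader (read-only) on the subscription. The user
# then activates in PIM under the role's policy (approval, MFA, max activation time).
$readerRoleId = "$scope/providers/Microsoft.Authorization/roleDefinitions/" +
                (Get-AzRoleDefinition -Name Reader).Id
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).ToString() -Scope $scope `
    -PrincipalId $user.Id -RoleDefinitionId $readerRoleId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration -ExpirationDuration 'P30D' `
    -Justification 'Time-bound read-only access for external review'
# 'P30D' above: the *eligibility* expires after 30 days; each activation is shorter
# and bounded by the role setting, not by this request.

# Review eligibility at this scope. The test account should now see the subscription
# under PIM > My roles > Azure resources and be able to request activation.
Get-AzRoleEligibilitySchedule -Scope $scope |
    Where-Object PrincipalId -eq $user.Id |
    Select-Object PrincipalId, RoleDefinitionDisplayName, Status, EndDateTime
```

Because the eligibility is an Azure RBAC object at subscription scope, it can be granted at a management group instead to cover many subscriptions, and it never touches directory roles: Global Reader and Reader are managed by two separate PIM surfaces ("Azure AD roles" and "Azure resources"), which is why the first never lights up the second.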

michev answered

Global Reader is an Azure AD/Office 365 role, thus the "Directory" scope. It doesn't give you access to any Azure resources.
