Privileged Identity Management - Azure resources

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Caution

This version of the Privileged Identity Management (PIM) API for Azure resources will be deprecated soon. Please use the new Azure REST PIM API for Azure resource roles.

You can use Microsoft Entra Privileged Identity Management (PIM) for Azure resources to set up just-in-time access workflows for your Azure infrastructure roles at the management group, subscription, resource group, and resource scopes. These include built-in roles such as Owner and Contributor as well as custom Azure RBAC roles.

Common use cases for PIM and Azure resources using a REST API

| Use case | Resource | See also |
|---|---|---|
| Onboard a resource (subscription, resource group, resource, and so on) for PIM management, list all the managed resources the requester has access to, and retrieve the relationships of a managed resource. | governanceResource | Role discovery and management |
| List all the roles for a resource, or get the details of a particular role in a specified resource. | governanceRoleDefinition | |
| Retrieve all role settings for a resource, or update a role setting. | governanceRoleSetting | Configure role setting |
| List and export all role assignments for a resource. | governanceRoleAssignment | Export role assignments |
| Create or remove an eligible or active role assignment, activate or deactivate an eligible assignment, view the list of pending requests, approve or deny a pending request, or cancel your own pending request. | governanceRoleAssignmentRequest | Role assignment; Role activation; Approve requests |

Migrate to the Azure Resource Manager (ARM) PIM API for Azure resource roles

The PIM iteration 3 API for managing Azure resources is now available through the Azure Resource Manager (ARM) REST API. Use the following guidance to migrate your existing integrations from the Microsoft Graph beta API to the ARM APIs.

The following table describes how the new ARM APIs map to the existing APIs.

| Operation | Microsoft Graph API (iteration 2) | ARM API (iteration 3) |
|---|---|---|
| Register a resource | Register | Not needed. ARM doesn't require resources to be explicitly registered or onboarded to be managed; you perform operations directly against the resource scope. |
| List role definitions | List role definitions | Role Definitions - List |
| Create role assignment requests | Create governanceRoleAssignmentRequest | Use Role Eligibility Schedule Requests - Create to create eligible role assignments. Use Role Assignment Schedule Requests - Create to create active role assignments. |
| List role assignments | List governanceRoleAssignments | Use Role Eligibility Schedule Instances - List to get eligible role assignments. Use Role Assignment Schedule Instances - List to get active role assignments. |
| Manage role settings | List governanceRoleSettings; Update governanceRoleSetting | Manage policies through ARM |
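As an added example (written for this page, not Microsoft's code) that ties the two tables together, the following Python builds the ARM iteration-3 request equivalent to a Graph beta governanceRoleAssignmentRequest body: it picks the eligibility or assignment schedule request according to assignmentState, maps the Graph request type to the ARM requestType, and refuses requests an approver would reject (invalid scope or ids, missing justification, unbounded or over-long self-activation). Assumptions: the scope is the ARM scope path of the governanceResource, roleDefinitionId is already the ARM role definition path, and the ARM property names, requestType values and api-version 2020-10-01 are as recalled from the ARM reference, so verify them against the current documentation before use; the 8-hour self-activation cap is a local policy choice, not an API rule. Nothing is sent; the function returns the method, URL and body a caller would issue.

```python
"""Added example, not Microsoft's code: translate a Microsoft Graph beta
governanceRoleAssignmentRequest (iteration 2) into the equivalent ARM PIM
request (iteration 3) and validate it before anything is sent.
Assumptions: `scope` is the resource's ARM scope path; `roleDefinitionId` is
the ARM role definition path; ARM property names, requestType values and the
api-version are as recalled (verify against the current ARM reference)."""
import re
import uuid
from datetime import datetime, timezone

ARM_HOST = "https://management.azure.com"
API_VERSION = "2020-10-01"   # assumed; check the current ARM reference
MAX_SELF_ACTIVATE_HOURS = 8  # local policy cap (assumption, not an API rule)

# (assignmentState, Graph type) -> ARM requestType (values as recalled)
TYPE_MAP = {
    ("Eligible", "AdminAdd"): "AdminAssign",
    ("Eligible", "AdminRemove"): "AdminRemove",
    ("Active", "AdminAdd"): "AdminAssign",
    ("Active", "AdminRemove"): "AdminRemove",
    ("Active", "UserAdd"): "SelfActivate",
    ("Active", "UserRemove"): "SelfDeactivate",
}
# assignmentState -> ARM resource type behind the two "Create" APIs in the table
RESOURCE_MAP = {"Eligible": "roleEligibilityScheduleRequests",
                "Active": "roleAssignmentScheduleRequests"}

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
SCOPE_RE = re.compile(
    rf"^(/providers/Microsoft\.Management/managementGroups/[^/]+"
    rf"|/subscriptions/{GUID}(/resourceGroups/[^/]+(/providers/.+)?)?)$", re.I)
ROLE_DEF_RE = re.compile(
    rf"^(/subscriptions/{GUID})?/providers/Microsoft\.Authorization/roleDefinitions/{GUID}$", re.I)
GUID_RE = re.compile(rf"^{GUID}$", re.I)


def _parse_time(value):
    """Parse the Zulu timestamps Graph and ARM exchange ("2024-01-01T08:00:00Z")."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _duration_hours(iso):
    """Parse the PTnHnM subset of ISO 8601 durations used for activations."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso or "")
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"unsupported duration {iso!r}")
    return int(m.group(1) or 0) + int(m.group(2) or 0) / 60


def _schedule_info(schedule, request_type, now):
    """Map the Graph `schedule` object to ARM `scheduleInfo`; a self-activation
    must be time-bound and no longer than the local cap."""
    schedule = schedule or {}
    start = schedule.get("startDateTime") or now.strftime("%Y-%m-%dT%H:%M:%SZ")
    if schedule.get("endDateTime"):
        hours = (_parse_time(schedule["endDateTime"]) - _parse_time(start)).total_seconds() / 3600
        expiration = {"type": "AfterDateTime", "endDateTime": schedule["endDateTime"]}
    elif schedule.get("duration"):
        hours = _duration_hours(schedule["duration"])
        expiration = {"type": "AfterDuration", "duration": schedule["duration"]}
    else:
        hours, expiration = None, {"type": "NoExpiration"}
    if request_type == "SelfActivate" and (hours is None or hours <= 0 or hours > MAX_SELF_ACTIVATE_HOURS):
        raise ValueError(f"self-activation must be time-bound and at most {MAX_SELF_ACTIVATE_HOURS}h")
    return {"startDateTime": start, "expiration": expiration}


def translate(graph_req, scope, request_name=None, now=None):
    """Return (method, url, body) for the ARM call equivalent to a Graph beta
    governanceRoleAssignmentRequest body; raise ValueError for a request that
    should not be sent (bad scope/ids, no justification, unbounded activation)."""
    state, gtype = graph_req.get("assignmentState"), graph_req.get("type")
    if (state, gtype) not in TYPE_MAP:
        raise ValueError(f"unsupported assignmentState/type {(state, gtype)}")
    if not SCOPE_RE.match(scope):
        raise ValueError(f"not an ARM scope: {scope!r}")
    if not ROLE_DEF_RE.match(graph_req.get("roleDefinitionId", "")):
        raise ValueError("roleDefinitionId must be an ARM role definition path")
    if not GUID_RE.match(graph_req.get("subjectId", "")):
        raise ValueError("subjectId must be the principal's object id (GUID)")
    justification = (graph_req.get("reason") or "").strip()
    if not justification:
        raise ValueError("a justification is required")  # keeps the audit trail meaningful
    request_type = TYPE_MAP[(state, gtype)]
    now = now or datetime.now(timezone.utc)
    name = request_name or str(uuid.uuid4())  # ARM keys the request by a caller-chosen GUID
    url = (f"{ARM_HOST}{scope}/providers/Microsoft.Authorization/"
           f"{RESOURCE_MAP[state]}/{name}?api-version={API_VERSION}")
    body = {"properties": {
        "principalId": graph_req["subjectId"],
        "roleDefinitionId": graph_req["roleDefinitionId"],
        "requestType": request_type,
        "justification": justification,
        "scheduleInfo": _schedule_info(graph_req.get("schedule"), request_type, now),
    }}
    return "PUT", url, body


if __name__ == "__main__":
    # Constructed sample: a user self-activating Contributor on a resource group for 4 hours.
    sample = {"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
              "subjectId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "assignmentState": "Active",
              "type": "UserAdd", "reason": "INC-42", "schedule": {"type": "Once", "duration": "PT4H"}}
    print(*translate(sample, "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod"), sep="\n")
```

The validation runs before the request leaves the client because ARM will accept a self-activation with whatever expiration the caller sends; the cap here is the place to encode your own policy, and the mandatory justification is what makes the resulting audit record useful to whoever reviews it later.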