Set‐PIMAzureResourcePolicy
Configure the rules of rolename at the specified subscription/scope.
🔷 Require justification, ticketing and MFA when activating the role "Webmaster" Warning options are case sensitive
Set-PIMAzureResourcePolicy -ActivationRequirement "Justification","Ticketing","MultiFactorAuthentication" -TenantID $tenantID -SubscriptionId $subscriptionID -rolename "webmaster"🔷 Require approval and set approvers for roles webmaster and contributor
Set-PIMAzureResourcePolicy -Approvers @(@{"Id"="00b34bb3-8a6b-45ce-a7bb-c7f7fb400507";"Name"="John";"Type"="user"}) -ApprovalRequired $true -TenantID $tenantID -SubscriptionId $subscriptionID -rolename "webmaster","contributor"🔷 Set maximum activation duration to 12h at a resource group level
$scope = "subscriptions/eedcaa84-3756-4da9-bf87-40068c3dd2a2/resourceGroups/RG-FR-ADDS"
Set-PIMAzureResourcePolicy -TenantID $tenantID -Scope $scope -rolename "webmaster" -ActivationDuration "PT12H"🔷 Set critical email only and add notification recipient when the eligible role "webmaster" is activated
Set-PIMAzureResourcePolicy -Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true"; "notificationLevel"="Critical";"Recipients" = @("alert1@domain.com","alert3@domain.com")} -TenantID $tenantID -subscriptionID $subscriptionID -rolename webmaster 🔷 Enable authentication context and set value to "c1"
Set-PIMAzureResourcePolicy -TenantID $tenantID -SubscriptionId $subscriptionID -rolename "webmaster" -AuthenticationContext_Enabled $true -AuthenticationContext_Value "c1"🔷 Require justification and MFA for active assignments
Set-PIMAzureResourcePolicy -TenantID $tenantID -SubscriptionId $subscriptionID -rolename "contributor" -ActiveAssignationRequirement "Justification","MultiFactorAuthentication"| Parameter | description |
|---|---|
$TenantID |
Entra ID TenantID |
$SubscriptionId |
Subscription ID |
$scope |
scope if different from subscription |
$rolename |
name of the roles to update |
$AuthenticationContext_Enabled |
Is authentication context required? ($true/$false) |
$AuthenticationContext_Value |
Authentication context value (e.g., "c1") |
$ActiveAssignationRequirement |
Accepted values: "None" or one or more options from "Justification", "MultiFactorAuthentication" ex -ActiveAssignationRequirement "Justification","MultiFactorAuthentication" WARNING: options are CASE SENSITIVE! |
$ActivationDuration |
Maximum activation duration (Duration ref https://en.wikipedia.org/wiki/ISO_8601#Durations) |
$ActivationRequirement |
Accepted values: "None" or one or more options from "Justification", "MultiFactorAuthentication", "Ticketing" ex -ActivationRequirement "justification","Ticketing" WARNING: options are CASE SENSITIVE! |
$ApprovalRequired |
Is approval required to activate a role? ($true/$false) |
$Approvers |
Array of approvers in the format: @(@{"Id"="XXXXXX";"Name"="John":"Type"="user/group"}, .... ) |
$MaximumEligibilityDuration |
Maximum Eligility Duration (ref https://en.wikipedia.org/wiki/ISO_8601#Durations) |
$AllowPermanentEligibility |
Allow permanent eligibility? ($true/$false) |
$MaximumActiveAssignmentDuration |
Maximum active assignment duration (# Duration )ref https://en.wikipedia.org/wiki/ISO_8601#Durations) |
$AllowPermanentActiveAssignment |
Allow permanent active assignement? ($true/$false) |
$Notification_EligibleAssignment_Alert |
Admin Notification when eligible role is assigned, rule 9 see Notification Format |
$Notification_EligibleAssignment_Assignee |
End-user notification when eligible role is assigned, rule 10 see Notification Format |
$Notification_EligibleAssignment_Approver |
Approver notification when eligible role is assigned, rule 11 see Notification Format |
$Notification_ActiveAssignment_Alert |
Admin Notification when an active role is assigned, rule 12 see Notification Format |
$Notification_ActiveAssignment_Assignee |
End user Notification when an active role is assigned, rule 13 see Notification Format |
$Notification_ActiveAssignment_Approver |
Approver Notification when an active role is assigned, rule 14see Notification Format |
$Notification_Activation_Alert |
Admin Notification when a role is activated, rule 15 see Notification Format |
$Notification_Activation_Assignee |
End user Notification when a role is activated, rule 16 see Notification Format |
$Notification_Activation_Approver |
Approvers Notification when a role is activated, rule 17 see Notification Format |
All Notifications parameters accept value with the following format:
Set-PIMAzureResourcePolicy -tenantID $tid -subscriptionId $sid -Notification_Activation_Alert @{"isDefaultRecipientEnabled"="true|false"; "notificationLevel"="All|Critical";"Recipients" = @("email1@domain.com","email2@domain.com")} 