pnp / cli-microsoft365

Manage Microsoft 365 and SharePoint Framework projects on any platform
https://aka.ms/cli-m365
MIT License

Add commands for PIM (Privileged Identity Management) in the context of users activating Microsoft Entra Roles #5669

Open martinlingstuyl opened 7 months ago

martinlingstuyl commented 7 months ago

When working with the CLI to manage your Microsoft 365 tenant, it's not at all unthinkable that you'd have to leave the context of the terminal to request access to an Entra ID Role. For example: For some customers I have to activate (or request to activate) the SharePoint Admin Role or Global Admin role before I can execute actions relating to that role.

It would be nice if I would not have to leave context, and can just execute a simple CLI command to request activation of my role, using the CLI for Microsoft 365. IT Admins would benefit from this.

Privileged Identity Management (PIM) is a feature of Microsoft Entra ID Governance that enables you to manage, control, and monitor access to important resources in your organization. One method through which principals such as users, groups, and service principals (applications) are granted access to important resources is through assignment of Microsoft Entra roles.

The PIM for Microsoft Entra roles APIs allow you to govern privileged access and limit excessive access to Microsoft Entra roles. This article introduces the governance capabilities of PIM for Microsoft Entra roles APIs in Microsoft Graph.

Source

Commands to implement

This issue is specifically about PIM in the context of users requesting role activation. So not in the context of Admins approving role activations of users, though we may add that later if there would be interest.

We could add the following commands I think:

What I did not find was graph support for PIM requesting access to Azure Resources... Not currently available it seems. I'm also missing support to approve requests.

More information

https://learn.microsoft.com/en-us/graph/api/resources/unifiedroleassignmentschedulerequest?view=graph-rest-1.0

waldekmastykarz commented 7 months ago

I'm using request add here, as the PIM roleassignment can be auto-approved or sent for approval to an admin.

Is the auto approval a part of the command or rather a config setting on the service? If it's the former, we should consider using m365 pim roleassignment add because there's no request, similarly to how you add a permission grant on SPFx.

martinlingstuyl commented 7 months ago

Is the auto approval a part of the command or rather a config setting on the service? If it's the former, we should consider using m365 pim roleassignment add because there's no request, similarly to how you add a permission grant on SPFx.

It's a config setting on the service. Some companies for instance would allow me to auto-assign myself the sharepoint admin role, but for the global admin role they'd want to approve manually.

waldekmastykarz commented 7 months ago

Got it. In that case let's stick with request. Thanks for clarifying.

milanholemans commented 7 months ago

Instead of creating a new command group, shouldn't we move this under the aad umbrella?

The documentation seems to follow me on this: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure

What is Microsoft Entra Privileged Identity Management?

Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization.

martinlingstuyl commented 7 months ago

Good point, let's do that!

martinlingstuyl commented 4 months ago

@MartinM85, @pnp/cli-for-microsoft-365-maintainers, I've been doubting a bit the last few days what the best command structure would be here.

I'm kind of leaning differently again now. No big change, just what nouns to use.

You can use PIM with roles and with groups. With roles it's quite simple: you need a role assignment. You request it, it's activated. You can deactivate it, etc. For PIM with Groups it's similar but different. PIM for Groups enables users to activate the ownership or membership of a Microsoft Entra security group or Microsoft 365 group. Groups can be used to govern access to various scenarios that include Microsoft Entra roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications.

With PIM for roles

m365 entra pim role request list [options] - To list pending requests (requests may be activations or deactivations, etc)
m365 entra pim role assignment list [options] - Get a list of role assignments
m365 entra pim role assignment list --eligible [options] - Get a list of eligible roles (we need to check the output though, it's two endpoints.)
m365 entra pim role assignment eligibility list [options] - Alternative to the above.
m365 entra pim role assignment add [options] - Request a roleassignment for a user/group. (adminAssign and selfActivate)
m365 entra pim role assignment remove [options] - Request revocation of a roleassignment for a user/group. (adminRemove and selfDeactivate)

With PIM for groups

m365 entra pim group request list [options] - To list pending requests (requests may be activations or deactivations, etc)
m365 entra pim group assignment list [options] - Get a list of role assignments for groups
m365 entra pim role assignment list --eligible [options] - Get a list of eligible group roles (we need to check the output though, it's two endpoints.)
m365 entra pim group assignment eligibility list [options] - Alternative to the above.
m365 entra pim group assignment add [options] - Request a group roleassignment for a user.
m365 entra pim group assignment remove [options] - Request revocation of a group roleassignment for a user.

Thoughts?
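To make the proposed `add`/`remove` verbs concrete, here is an added example (not code from the CLI for Microsoft 365 project) showing how those verbs would map onto the `action` values named above (adminAssign, selfActivate, adminRemove, selfDeactivate) and what request body a command would POST to the `roleAssignmentScheduleRequests` endpoint of the unifiedRoleAssignmentScheduleRequest resource linked in the issue. The `CommandOptions` shape, the 24-hour activation cap, the default 8-hour duration, the requirement for a justification on activations, and the sample GUIDs are all assumptions of this example; the role's own PIM settings decide the real limits.

```typescript
// Added example, not CLI for Microsoft 365 project code.
// Builds the JSON body that a "m365 entra pim role assignment add/remove"
// command would POST to the Microsoft Graph endpoint below.
const GRAPH_ENDPOINT =
  'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests';

type PimAction = 'adminAssign' | 'selfActivate' | 'adminRemove' | 'selfDeactivate';

interface ScheduleRequestBody {
  action: PimAction;
  principalId: string;
  roleDefinitionId: string;
  directoryScopeId: string;
  justification?: string;
  isValidationOnly?: boolean;           // dry-run: Graph validates (MFA, policy) without submitting
  scheduleInfo?: {
    startDateTime: string;
    expiration: { type: 'AfterDuration'; duration: string };
  };
}

// Hypothetical option shape for the proposed commands (assumption of this example).
interface CommandOptions {
  verb: 'add' | 'remove';               // the CLI verb from the proposed command names
  self: boolean;                        // true: a user (de)activates their own eligible role
  principalId: string;
  roleDefinitionId: string;
  directoryScopeId?: string;            // defaults to "/" (tenant-wide)
  justification?: string;
  durationHours?: number;               // activation length; default and cap are assumed below
  startDateTime?: string;               // ISO 8601 UTC; injectable so tests are deterministic
  validateOnly?: boolean;               // maps to isValidationOnly
}

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const MAX_ACTIVATION_HOURS = 24;        // assumed ceiling; the role's PIM settings are authoritative
const DEFAULT_ACTIVATION_HOURS = 8;     // assumed default

// add -> adminAssign / selfActivate, remove -> adminRemove / selfDeactivate (as listed in the issue).
function actionFor(verb: 'add' | 'remove', self: boolean): PimAction {
  if (verb === 'add') return self ? 'selfActivate' : 'adminAssign';
  return self ? 'selfDeactivate' : 'adminRemove';
}

function buildScheduleRequest(o: CommandOptions): ScheduleRequestBody {
  // Fail early on malformed ids instead of letting Graph return a 400 later.
  if (!GUID.test(o.principalId)) throw new Error(`principalId is not a GUID: ${o.principalId}`);
  if (!GUID.test(o.roleDefinitionId)) throw new Error(`roleDefinitionId is not a GUID: ${o.roleDefinitionId}`);

  const action = actionFor(o.verb, o.self);
  const justification = (o.justification ?? '').trim();
  const body: ScheduleRequestBody = {
    action,
    principalId: o.principalId,
    roleDefinitionId: o.roleDefinitionId,
    directoryScopeId: o.directoryScopeId ?? '/',
  };
  if (o.validateOnly) body.isValidationOnly = true;

  if (action === 'selfActivate' || action === 'adminAssign') {
    // Activations and assignments carry a schedule. Role settings commonly require a
    // justification, so this example refuses to build an activation without one.
    if (!justification) throw new Error('justification is required for an activation');
    const hours = o.durationHours ?? DEFAULT_ACTIVATION_HOURS;
    if (!Number.isInteger(hours) || hours < 1 || hours > MAX_ACTIVATION_HOURS) {
      throw new Error(`durationHours must be an integer between 1 and ${MAX_ACTIVATION_HOURS}`);
    }
    body.justification = justification;
    body.scheduleInfo = {
      startDateTime: o.startDateTime ?? new Date().toISOString(),
      expiration: { type: 'AfterDuration', duration: `PT${hours}H` },  // ISO 8601 duration
    };
  } else if (justification) {
    // Deactivation/removal needs no schedule; a justification is optional but kept if given.
    body.justification = justification;
  }
  return body;
}

// Usage with constructed sample ids: a user activating an eligible role for 4 hours.
const sampleActivation = buildScheduleRequest({
  verb: 'add',
  self: true,
  principalId: '11111111-2222-3333-4444-555555555555',        // constructed
  roleDefinitionId: 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',   // constructed
  justification: 'Ticket 42: tenant configuration change',
  durationHours: 4,
  startDateTime: '2024-01-01T08:00:00Z',
});
console.log(`POST ${GRAPH_ENDPOINT}\n${JSON.stringify(sampleActivation, null, 2)}`);
```

Whether the resulting request is auto-approved or routed to an approver is, as discussed above, decided by the role's PIM settings on the service side, so the body is identical in both cases; `isValidationOnly` is useful for a command to check up front whether the activation would be accepted.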

martinlingstuyl commented 4 months ago

Any thoughts @pnp/cli-for-microsoft-365-maintainers, @MartinM85?

MartinM85 commented 4 months ago

Naming looks fine. I would suggest adding m365 entra pim role assignment set [options] and m365 entra pim group assignment set [options] for update/renew assignment.

waldekmastykarz commented 4 months ago

I don't know much about PIM but the naming looks ok. No comments.

Adam-it commented 4 months ago

I don't know much about PIM but the naming looks ok. No comments.

Same here

martinlingstuyl commented 4 months ago

@milanholemans, @Jwaegebaert, do you use PIM?

martinlingstuyl commented 4 months ago

@appieschot probably does, what do you think about this?

Jwaegebaert commented 4 months ago

@milanholemans, @Jwaegebaert, do you use PIM?

Not a lot to be honest, so I'm not very familiar with the behind-the-scenes namings. What you already specced out looks pretty clear.

milanholemans commented 4 months ago

I know the essentials of it yeah. Not an expert in it. I wanted to have a look at the commands, but haven't had much time to be honest.