How to force user to access via PIM in Azure
While creating an access package or group, how can I force users to get access (for any resources) via PIM in Azure?
While creating the group there is an option called "Azure AD roles can be assigned to the group". What is this all about? If I say "Yes", it's showing up the "Roles".
I'm a bit confused about the additional settings. Is this the setting to do this?
Solution 1:[1]
I don't know about access packages or access groups. But for my PIM setup I have Azure AD groups where users are added. And once they get access to the group they become eligible for requesting roles through PIM.
I have then a role in PIM, I make it eligible, and assign it to the group. Users can open PIM, go to My Roles, and then activate the role. Activating the role gives them permissions for one hour to access resources in a resource group. (This is all depending on what settings you put on the role in PIM). Outside of PIM they have no permissions whatsoever, so if they need access to resources they must request it via PIM.
- PIM
- Azure Resource
- Change the default filter on Resource Type from Subscription to Resource Group or Resource if you want to assign permissions on smaller scopes
- Do the things.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Marco |
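
The setup in Solution 1 only forces PIM if nobody holds a standing role assignment that covers the same resources. As an added example (not part of the original answer), this check scans a constructed sample shaped like the ARM `roleAssignmentScheduleInstances` listing and reports assignments at, above or below a target scope that did not come from a PIM activation. The function names and all IDs are assumptions for illustration.

```python
# Constructed sample shaped like the "value" array of an ARM
# roleAssignmentScheduleInstances listing; every ID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"

SAMPLE = [
    # Active only because an eligible role was activated in PIM: expected.
    {"properties": {"principalId": "user-a", "principalType": "User",
                    "scope": RG, "assignmentType": "Activated",
                    "endDateTime": "2024-01-01T10:00:00Z"}},
    # Standing assignment on the parent subscription, inherited by the group.
    {"properties": {"principalId": "user-b", "principalType": "User",
                    "scope": SUB, "assignmentType": "Assigned",
                    "endDateTime": None}},
    # Standing assignment on one resource inside the group (different casing).
    {"properties": {"principalId": "app-c", "principalType": "ServicePrincipal",
                    "scope": RG.upper() + "/providers/Microsoft.Storage/storageAccounts/sa1",
                    "assignmentType": "Assigned", "endDateTime": None}},
    # Standing assignment on an unrelated resource group: out of scope.
    {"properties": {"principalId": "user-d", "principalType": "User",
                    "scope": SUB + "/resourceGroups/rg-other",
                    "assignmentType": "Assigned", "endDateTime": None}},
]


def _covers(outer, inner):
    """True if ARM scope `outer` equals or is an ancestor of `inner`."""
    outer, inner = outer.rstrip("/").lower(), inner.rstrip("/").lower()
    return inner == outer or inner.startswith(outer + "/")


def standing_assignments(instances, target_scope):
    """Return assignments touching target_scope that bypass PIM activation."""
    findings = []
    for item in instances:
        props = item.get("properties", {})
        if props.get("assignmentType") == "Activated":
            continue  # created by a PIM activation, time-boxed by design
        scope = props.get("scope", "")
        # Parent scopes are inherited; child scopes grant partial access.
        if _covers(scope, target_scope) or _covers(target_scope, scope):
            findings.append({"principalId": props.get("principalId"),
                             "principalType": props.get("principalType"),
                             "scope": scope,
                             "permanent": props.get("endDateTime") is None})
    return findings
```

An empty result for the resource group means PIM activation is the only way in; anything returned is access that exists without a PIM request.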
