Introduction
In my blog post, https://fredrkl.com/blog/privileged-identity-management-for-azure-resources/, I looked at privileged identity management in Azure, specifically for Azure resources. This gives users time-limited access to certain Azure roles for specific resources, e.g., a storage account. However, there are scenarios where we instead want to control user access through their Entra ID Group membership, e.g., using Kubernetes (K8s) native RBAC. The https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups is one relatively new feature that enables exactly that. This blog post will examine how to use it and configure its policies using Powershell.
Overview
PIM for Groups allows you to grant users just-in-time group ownership or membership. In K8s, we typically bind Entra ID Groups to particular internal roles: https://kubernetes.io/docs/reference/access-authn-authz/rbac/. Without PIM for Groups, a specific set of users would potentially have too much access all the time.
As with PIM for Azure Resources, you need the Microsoft Entra Identity Protection Plan 2(P2) license.
One difference from Azure PIM for Resources is that instead of creating a temporary connection between a user, role, and resource, we create a connection between a user and group membership/ownership.
We access PIM for group management in the same way as PIM for Resources:
Demo setup
I have created a demo setup and repo at https://github.com/fredrkl/entra-pim-group-demo. The demo showcases the following setup:
Here, team-abc
, team-abc-owners
, and team-abc-pim
are all Azure Entra ID groups, where team-abc-pim
is a PIM for Groups enabled group.
Clicking team-abc-pim
from the previous screenshot presenters:
We can activate team-abc-pim
group membership since we are team-abc
group members and that group is Eligible for team-abc-pim
membership. Looking at the Roles shows us:
Furthermore, after clicking the Member row and then Eligible assignments:
Although a member of team-abc
activates the team-abc-pim
membership does not give the rest of the group members the same membership. It is possible to provide individual users with eligible access instead of groups. However, in my current project, we avoid giving individual users access and only use groups. Members are placed in those groups using access packages, which is outside the scope of this blog post.
Managing PIM for Groups
Ideally, we would like to use Terraform to control PIM for Groups. However, it is not finished at the time of this writing. You can track the progress at https://github.com/hashicorp/terraform-provider-azuread/issues/1257.
The demo repo mainly consists of 2 Powershell scripts:
- pim-group-rules.ps1
- assignEligibleGroup.ps1
PIM Group Rules
If we go into the team-abc-pim
Entra ID Group, click settings, and then choose Member, we see:
This screen is not supported with Terraform. Unlike the PIM for Resources, we use the MS Graph Role Management Policy API. We first get the Policy assignment scoped to this membership using:
Once we have it, we update it with new rules using:
Please see the pim-group-rules.ps1 Powershell source code for more information.
The script sets who should approve any PIM Group Membership requests and enables us to make groups permanently eligible for group membership.
PIM Eligible Assignment
Now, we can run the assignEligibleGroup.ps1 script, which sets the team-abc
Entra ID Group as non-expire Eligible for the team-abc-pim
PIM Group membership.
The team-abc
members will see the following in the Azure PIM:
Conclusion
The blog post focuses on Privileged Identity Management (PIM) for Groups in Azure, an important feature for securely managing user access within a system. PIM for Groups allows you to grant users just-in-time group ownership or membership, ensuring that users only have the access they need when needed, which can help prevent misuse of access privileges.
To use PIM for Groups, you need the Microsoft Entra Identity Protection Plan 2 (P2) license. One key difference between Azure PIM for Resources and PIM for Groups is the type of connections created. Instead of creating a temporary connection between a user, role, and resource, PIM for Groups creates a connection between a user and group membership or ownership.
The blog post provides a detailed guide on how to use and configure PIM for Groups' policies using Powershell. It provides a step-by-step demonstration, including a demo setup that showcases the PIM for Groups feature in action.
These scripts, pim-group-rules.ps1
and assignEligibleGroup.ps1
, allow you to set who should approve any PIM Group Membership requests and make groups permanently eligible for group membership.
In conclusion, Azure's PIM for Groups feature offers a secure way to manage user access, ensuring that users only have the access they need when needed. While Terraform's use of this feature has limitations, Powershell scripts provide a viable workaround.