Another day another problem to work on, We have implemented Azure AD Privileged Identity Management for multiple clients.
One of our client requested us to generate the report of all the Admins that are enabled as eligible Roles under Privileged Identity Management.
To get such a report, What we need is a PowerShell Module that can make it super easy but unfortunately that does not exist.
There is PIM module that exists but that can only extract the role assignment of logged in user as shown below
Launch PowerShell and Run below command to install it on your machine.
Connect-PimService is the first cmdlet that you will utilize to connect to PIM Service same as you do with other powershell modules and connect to respective services.
After you are connected, you can run Get-PrivilegedRoleAssignment to get all your roles.
This does not resolve the problem in hand, this is in user voice as well so vote below so that Microsoft adds it in the module.
Our next option is graph as we have heard that beta version can achieve this.
Lets log on to Graph explorer and test it out.
Your account needs to have Directory.AccessAsUser.All rights in order to retrieve the PIM assignment information.
Directory.AccessAsUser.All –> Allows the app to have the same access to information in the directory as the signed-in user.
Your account should also be member of one of the below roles.
- Privileged Role Administrator
- Global Administrator
- Security Administrator
- Security Reader
Now in graph explorer lets enter the query : https://graph.microsoft.com/beta/privilegedRoleAssignments
You can see that it has retrieved the results we want but still there is lot of work that needs to be done to generate a report that can be presented to the client.
I have left that for next part of this blog in which I will share a Powershell script that will utilize GRAPH api and above graph resource to generate the required report.
Thanks for Reading