Extract Report – Azure AD Privileged Identity Management – Part 1

Another day, another problem to work on. We have implemented Azure AD Privileged Identity Management for multiple clients.

One of our clients asked us to generate a report of all the admins that hold eligible role assignments under Privileged Identity Management.

To get such a report, what we need is a PowerShell module that makes it super easy, but unfortunately that does not exist.

There is a PIM module, but it can only extract the role assignments of the logged-in user, as shown below.

Launch PowerShell and run the command below to install it on your machine.

Install-Module Microsoft.Azure.ActiveDirectory.PIM.PSModule

https://www.powershellgallery.com/packages/Microsoft.Azure.ActiveDirectory.PIM.PSModule

Connect-PimService is the first cmdlet you will use; it connects you to the PIM service, the same way you connect to the respective services with other PowerShell modules.

After you are connected, you can run Get-PrivilegedRoleAssignment to get all your own roles.

This does not resolve the problem at hand. It is on User Voice as well, so vote below so that Microsoft adds it to the module.

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/35832328-get-privilege-role-with-their-eligible-and-permane

Our next option is Microsoft Graph, as we have heard that the beta version can achieve this.

https://docs.microsoft.com/en-us/graph/api/resources/privilegedroleassignment?view=graph-rest-beta

Let's log on to Graph Explorer and test it out.

https://developer.microsoft.com/en-us/graph/graph-explorer

Your account needs the Directory.AccessAsUser.All permission in order to retrieve the PIM assignment information.

Directory.AccessAsUser.All -> Allows the app to have the same access to information in the directory as the signed-in user.

Your account should also be a member of one of the roles below.

  • Privileged Role Administrator
  • Global Administrator
  • Security Administrator
  • Security Reader

Now, in Graph Explorer, let's enter the query: https://graph.microsoft.com/beta/privilegedRoleAssignments

You can see that it has retrieved the results we want, but there is still a lot of work to be done to turn this into a report that can be presented to the client: the response only carries user and role ids, so both need to be resolved to names, and the results are paged.

I have left that for the next part of this blog, in which I will share a PowerShell script that uses the Graph API and the resource above to generate the required report.
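To show the shape of such a report script, here is an added example (not the author's Part 2 script) that pages through the beta privilegedRoleAssignments endpoint, resolves role and user ids to names, and writes a CSV. It assumes a Graph access token with Directory.AccessAsUser.All is already in the environment variable GRAPH_TOKEN (for example copied from Graph Explorer's Access Token tab); the field meanings in the comments follow the beta resource documentation linked above.

```powershell
# Added example, not the author's script: export PIM role assignments from
# the beta privilegedRoleAssignments resource to CSV.
# Assumption: $env:GRAPH_TOKEN holds a bearer token with Directory.AccessAsUser.All.
param(
    [string]$Token   = $env:GRAPH_TOKEN,
    [string]$OutFile = ".\pim-assignments.csv"
)

$headers = @{ Authorization = "Bearer $Token" }

# Follow @odata.nextLink so tenants with many assignments are fully paged.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-RestMethod -Uri $Uri -Headers $headers -Method Get
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Assignments only carry role GUIDs; resolve them to names once via privilegedRoles.
$roleNames = @{}
foreach ($role in Get-GraphCollection 'https://graph.microsoft.com/beta/privilegedRoles') {
    $roleNames[$role.id] = $role.name
}

$assignments = Get-GraphCollection 'https://graph.microsoft.com/beta/privilegedRoleAssignments'

# Resolve each user once; a deleted user returns 404, so fall back to the raw id.
$userCache = @{}
$report = foreach ($a in $assignments) {
    if (-not $userCache.ContainsKey($a.userId)) {
        try {
            $u = Invoke-RestMethod -Headers $headers -Method Get `
                -Uri "https://graph.microsoft.com/beta/users/$($a.userId)?`$select=userPrincipalName"
            $userCache[$a.userId] = $u.userPrincipalName
        } catch { $userCache[$a.userId] = $a.userId }
    }
    $roleName = $roleNames[$a.roleId]
    if (-not $roleName) { $roleName = $a.roleId }
    [pscustomobject]@{
        User       = $userCache[$a.userId]
        Role       = $roleName
        IsElevated = $a.isElevated           # true when the role is currently activated
        ExpiresAt  = $a.expirationDateTime   # when a temporary activation expires; empty otherwise
    }
}

$report | Sort-Object Role, User | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $($report.Count) assignments to $OutFile"
```

Note that Microsoft has since deprecated the beta privilegedRoles and privilegedRoleAssignments resources; the same information is available from the roleManagement/directory/roleEligibilityScheduleInstances and roleAssignmentScheduleInstances endpoints, so the two URIs above are the only lines that need changing to move to the supported API.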


Thanks for Reading

Tech Wizard

http://TechWizard.cloud
