DEV Community

Roman Kiprin

How do you automate PIM for Groups? (Part 2. Playing with PIM for Groups via API)

In my previous post we discussed the PIM for Groups technology in enough detail. In the first part of this article, How do you automate PIM for Groups? (Part 1 - Setup), we prepared our 'infrastructure' and defined our plans.

Let us start with something meaningful! :)

How do we make the user (pim-user-play-01) PIM eligible to activate membership in the PIM Group (PIM-GROUP-PLAY-01)?

You remember that "PIM eligible" means "provided with the ability to activate something via PIM," right?

Here is a .gif video of this action performed 'manually', using Azure Portal:


Now, let's take the same action via Microsoft Graph API.

Here is the link to the API call documentation: Create eligibilityScheduleRequest and the PowerShell module documentation: New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest


```powershell
pwsh> $u01

DisplayName      Id                                   Mail UserPrincipalName
-----------      --                                   ---- -----------------
pim-user-play-01 c8816325-d172-44f5-b72d-a1b8de5673c2      pim-user-play-01@Selflearning527.onmicrosoft.com

pwsh> $pg01

DisplayName       Id                                   MailNickname      Description          GroupTypes
-----------       --                                   ------------      -----------          ----------
PIM-GROUP-PLAY-01 853d7402-51b4-4cd4-9b8d-9f159311859d PIM-GROUP-PLAY-01 PIM for Groups tests {}

pwsh> $params = @{
    accessId = "member"
    principalId = "$($u01.Id)"
    groupId = "$($pg01.Id)"
    action = "AdminAssign"
    scheduleInfo = @{
        startDateTime = $(Get-Date)
        expiration = @{
            type = "AfterDateTime"
            endDateTime = $((Get-date).AddDays(7))
        }
    }
    justification = "$($u01.DisplayName) always deserved to be part of $($pg01.DisplayName)! Stand up, Sir $($u01.DisplayName). You have time until $((Get-date).AddDays(7))!"
}

pwsh> New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $params

Action      ApprovalId CompletedDateTime     CreatedDateTime       CustomData Id                                   IsValidationOnly Justification
------      ---------- -----------------     ---------------       ---------- --                                   ---------------- -------------
adminAssign            4/20/2024 11:18:51 PM 4/20/2024 11:18:51 PM            55067776-3b6d-44eb-8337-b0a2ad101bae False            pim-user-play-01 always deserved to be part of PIM-GROUP-PLAY-01! Stand up, Sir pim-user-play-01. You hav…
```

Let's look at the PIM interface in the Azure Portal:


How do we make ALL security group members (GROUP-PLAY-01) be PIM eligible to activate membership in the PIM Group (PIM-GROUP-PLAY-01)?

That operation is very similar to the previous one. However, instead of assigning PIM eligibility to a User, you can do the same to a Group.

Here is what the 'manual' process looks like:


We will use the same API call.


```powershell
pwsh> $g01

DisplayName   Id                                   MailNickname  Description          GroupTypes
-----------   --                                   ------------  -----------          ----------
GROUP-PLAY-01 d8800de8-1e79-4881-8cb3-814c0f6cd935 GROUP-PLAY-01 PIM for Groups tests {}

pwsh> $pg01

DisplayName       Id                                   MailNickname      Description          GroupTypes
-----------       --                                   ------------      -----------          ----------
PIM-GROUP-PLAY-01 853d7402-51b4-4cd4-9b8d-9f159311859d PIM-GROUP-PLAY-01 PIM for Groups tests {}

pwsh> $params = @{
    accessId = "member"
    principalId = "$($g01.Id)"
    groupId = "$($pg01.Id)"
    action = "AdminAssign"
    scheduleInfo = @{
        startDateTime = $(Get-Date)
        expiration = @{
            type = "AfterDateTime"
            endDateTime = $((Get-date).AddDays(7))
        }
    }
    justification = "Members of $($g01.DisplayName) always deserved to be part of $($pg01.DisplayName)! You have time until $((Get-date).AddDays(7))!"
}

pwsh> New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $params

Action      ApprovalId CompletedDateTime     CreatedDateTime       CustomData Id                                   IsValidationOnly Justification
------      ---------- -----------------     ---------------       ---------- --                                   ---------------- -------------
adminAssign            4/20/2024 11:48:15 PM 4/20/2024 11:48:15 PM            ed7561c6-54af-4a71-8d7e-f31cee64fc19 False            Members of GROUP-PLAY-01 always deserved to be part of PIM-GROUP-PLAY-01! You have time until 04/27/2024 …
```

Let's have a look at the Azure Portal:


Nice! Both the user (pim-user-play-01) and the group (GROUP-PLAY-01) are now PIM eligible to activate membership in PIM group (PIM-GROUP-PLAY-01).

I had to open the Azure Portal and take screenshots to prove this. But is it not possible to check that via the Microsoft Graph API? That question leads us to the next topic!

How do we check whether the specific user or group is PIM eligible?

To do that, we call List eligibilitySchedules using the PowerShell function Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule.


```powershell
pwsh> Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter ("groupId eq '{0}' and principalId eq '{1}'" -f $($pg01.Id), $($u01.Id))

CreatedDateTime       CreatedUsing                         Id                                                                               ModifiedDateTime    Status      AccessId GroupId                              MemberType Principal
                                                                                                                                                                                                                                     Id
---------------       ------------                         --                                                                               ----------------    ------      -------- -------                              ---------- ---------
4/20/2024 11:18:51 PM 55067776-3b6d-44eb-8337-b0a2ad101bae 853d7402-51b4-4cd4-9b8d-9f159311859d_member_55067776-3b6d-44eb-8337-b0a2ad101bae 1/1/0001 8:00:00 AM Provisioned member   853d7402-51b4-4cd4-9b8d-9f159311859d direct     c8816325…

pwsh> Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter ("groupId eq '{0}' and principalId eq '{1}'" -f $($pg01.Id), $($g01.Id))

CreatedDateTime       CreatedUsing                         Id                                                                               ModifiedDateTime    Status      AccessId GroupId                              MemberType Principal
                                                                                                                                                                                                                                     Id
---------------       ------------                         --                                                                               ----------------    ------      -------- -------                              ---------- ---------
4/20/2024 11:48:15 PM ed7561c6-54af-4a71-8d7e-f31cee64fc19 853d7402-51b4-4cd4-9b8d-9f159311859d_member_ed7561c6-54af-4a71-8d7e-f31cee64fc19 1/1/0001 8:00:00 AM Provisioned member   853d7402-51b4-4cd4-9b8d-9f159311859d direct     d8800de8…
```

Yes! We have the same results as the 'manual' path already shown.
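The same List eligibilitySchedules call can be turned into a small audit report for a whole PIM group, which is what an access reviewer usually wants rather than one principal at a time. This is an added example, not code from the original post; it assumes Connect-MgGraph was run with the PrivilegedEligibilitySchedule.Read.AzureADGroup and Directory.Read.All scopes, and that $pg01 holds the PIM group as above. The function name Get-PimGroupEligibilityReport is mine.

```powershell
# Added example (not from the original post): report who is PIM eligible for a group.
# Assumes Connect-MgGraph with PrivilegedEligibilitySchedule.Read.AzureADGroup and Directory.Read.All.
function Get-PimGroupEligibilityReport {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [string] $PrincipalId   # optional: restrict the report to one user or group
    )
    $filter = "groupId eq '$GroupId'"
    if ($PrincipalId) { $filter += " and principalId eq '$PrincipalId'" }

    Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter $filter -All |
        ForEach-Object {
            $sched = $_
            # The principal may be a user or a group; try the user lookup first, then the group
            $user = Get-MgUser -UserId $sched.PrincipalId -ErrorAction SilentlyContinue
            if ($user) {
                $kind = 'user'; $name = $user.UserPrincipalName
            } else {
                $group = Get-MgGroup -GroupId $sched.PrincipalId -ErrorAction SilentlyContinue
                $kind = 'group'; $name = if ($group) { $group.DisplayName } else { '(not found)' }
            }
            $exp = $sched.ScheduleInfo.Expiration
            [pscustomobject]@{
                Principal     = $name
                PrincipalType = $kind
                AccessId      = $sched.AccessId
                MemberType    = $sched.MemberType       # 'direct', or inherited through a 'group'
                Status        = $sched.Status
                ExpiresAt     = $exp.EndDateTime        # empty when the eligibility has no end date
                # Eligibility that never expires deserves a look during access reviews
                Permanent     = ($exp.Type -eq 'noExpiration')
            }
        }
}

# Usage with the objects from the post
Get-PimGroupEligibilityReport -GroupId $pg01.Id | Format-Table -AutoSize
```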

How do we activate PIM eligibility?

This is precisely why all the technology was created: temporarily activating a role or group membership.

Here is the .gif video of how a user can activate his/her PIM eligibility:


This is how activation is performed via the Microsoft Graph API. Here is a link to the Graph API documentation: Create assignmentScheduleRequest, and to the PowerShell documentation: New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest


```powershell
pwsh> $params = @{
    accessId = "member"
    principalId = "$($u01.Id)"
    groupId = "$($pg01.Id)"
    action = "adminAssign"
    scheduleInfo = @{
        startDateTime = $(Get-Date)
        expiration = @{
            type = "afterDuration"
            duration = "PT2H"
        }
    }
    justification = "Always wanted to try this group!"
}

pwsh> New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $params

Action      ApprovalId CompletedDateTime    CreatedDateTime      CustomData Id                                   IsValidationOnly Justification                    Status      AccessId GroupId                              PrincipalId
------      ---------- -----------------    ---------------      ---------- --                                   ---------------- -------------                    ------      -------- -------                              -----------
adminAssign            4/21/2024 2:25:19 AM 4/21/2024 2:25:18 AM            a24ebfc9-45ac-49bc-ad81-d0d7d3eb6d51 False            Always wanted to try this group! Provisioned member   853d7402-51b4-4cd4-9b8d-9f159311859d c8816325-d172-44…
```

Here it is! The membership in PIM-GROUP-PLAY-01 is activated!

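One caveat a practitioner will want here: the call above uses action adminAssign, so it is an administrator granting active membership on the user's behalf. When the eligible user activates for themselves, as the .gif shows in the portal, the same cmdlet is used with action selfActivate, and the request may come back as PendingApproval if the group's policy requires an approver. The following is an added example, not code from the original post; it assumes Connect-MgGraph was run as the eligible user with the PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup scope, and $pg01 as above. The function name and the placeholder ticket number are mine.

```powershell
# Added example (not from the original post): the signed-in user activates their own eligibility.
# Assumes Connect-MgGraph as that user with PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup.
function Request-PimGroupSelfActivation {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $Justification,
        # ISO 8601 duration such as PT30M or PT2H (simplified pattern, hours or minutes only)
        [ValidatePattern('^PT\d+[HM]$')] [string] $Duration = 'PT1H'
    )
    # The request must name the principal explicitly, so resolve the caller's object id
    $me = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id'

    $params = @{
        accessId      = 'member'
        principalId   = $me.id
        groupId       = $GroupId
        action        = 'selfActivate'      # the post used 'adminAssign' (admin acting for the user)
        justification = $Justification
        scheduleInfo  = @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = 'afterDuration'; duration = $Duration }
        }
    }
    $req = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $params

    # Status tells whether the membership is live or the policy routed the request to an approver
    switch ($req.Status) {
        'Provisioned'     { Write-Host "Active member of $GroupId for $Duration" }
        'PendingApproval' { Write-Host "Request $($req.Id) is waiting for an approver" }
        default           { Write-Host "Request $($req.Id) status: $($req.Status)" }
    }
    $req
}

# Usage: the justification is what an auditor will later read in the PIM history
Request-PimGroupSelfActivation -GroupId $pg01.Id -Duration 'PT2H' `
    -Justification 'Ticket INC-0000 (placeholder): change needs membership in this group'
```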

Perfect! The next question is...

How do we remove PIM eligibility?

What if we need to revoke the ability to activate membership? Is it possible?

Of course! Here is how one could do it 'manually':


In automation, the Microsoft Graph API call Create eligibilityScheduleRequest, or the PowerShell function New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest, will help you.

And yes, that is not a mistake: the same call and PowerShell function created the PIM eligibility! The difference is in the parameters of the call.


```powershell
pwsh> $params = @{
    accessId = "member"
    principalId = "$($u01.Id)"
    groupId = "$($pg01.Id)"
    action = "adminRemove"
    justification = "It is time to go."
}

pwsh> New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $params

Action ApprovalId CompletedDateTime CreatedDateTime CustomData Id IsValidationOnly Justification Status AccessId GroupId PrincipalId Target ScheduleId
adminRemove 4/21/2024 2:41:21 AM 9f1bd851-83a9-4a29-b1f7-ff4e8e362b14 False It is time to go. Revoked member 853d7402-51b4-4cd4-9b8d-9f159311859d c8816325-d172-44f5-b72d-a1b8de5673c2
```
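In an offboarding or access-review script you would not stop at sending adminRemove; you would confirm that no provisioned eligibility is left and also report whether the principal still holds an active membership, which lives in a separate assignment schedule. This is an added example, not code from the original post; it assumes Connect-MgGraph with the PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup and PrivilegedAssignmentSchedule.Read.AzureADGroup scopes, and $pg01/$u01 as above. The function name is mine.

```powershell
# Added example (not from the original post): revoke eligibility and verify the outcome.
# Assumes Connect-MgGraph with PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup and
# PrivilegedAssignmentSchedule.Read.AzureADGroup.
function Remove-PimGroupEligibility {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $PrincipalId,
        [string] $Justification = 'Access review: eligibility no longer required'
    )
    $params = @{
        accessId      = 'member'
        principalId   = $PrincipalId
        groupId       = $GroupId
        action        = 'adminRemove'       # same cmdlet as the assignment, different action
        justification = $Justification
    }
    $req = New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $params

    $filter = "groupId eq '$GroupId' and principalId eq '$PrincipalId'"
    # Verify: no provisioned eligibility schedule should remain for this principal
    $remaining = @(Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter $filter |
                   Where-Object Status -eq 'Provisioned')
    # An already active membership is tracked by its own assignment schedule; report it too
    $active = @(Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentSchedule -Filter $filter |
                Where-Object Status -eq 'Provisioned')

    [pscustomobject]@{
        RequestId          = $req.Id
        RequestStatus      = $req.Status            # 'Revoked' on success, as in the post's output
        EligibilityRemoved = ($remaining.Count -eq 0)
        ActiveAssignments  = $active.Count          # non-zero: the principal is still an active member
    }
}

# Usage with the objects from the post
Remove-PimGroupEligibility -GroupId $pg01.Id -PrincipalId $u01.Id
```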




The exciting bonus stuff!

About that... You know the post is already embarrassingly long.

Let's meet again in 'How do you automate PIM for Groups? (Part 3. Expiration time, Policies, and experiments)' post!

:)

Meanwhile, I don't pretend to cover everything; I am sure there might be mistakes or typos. Please don't hesitate to comment!

All the '.gif videos' are made with LICEcap.
