PIM: How to set approvers in Role Management Policy approval rule for "Require approval to activate" possibility in PIM role settings by Powershell using Update-AzRoleManagementPolicy command?

Ruslan Rahozhkin 25 Reputation points
2024-12-09T10:34:17.2666667+00:00

Hello everyone,

I need to configure the "RoleManagementPolicyApprovalRule" rule for updating the role management policy at resource group scope for the Contributor role in PIM settings, automatically from PowerShell code. I'm following these documentation pages:

https://zcusa.951200.xyz/en-us/powershell/module/az.resources/update-azrolemanagementpolicy?view=azps-13.0.0#inputs

https://zcusa.951200.xyz/en-us/dotnet/api/microsoft.azure.powershell.cmdlets.resources.authorization.models.api20201001preview.irolemanagementpolicyapprovalrule?view=az-ps-latest

At the moment I have the following code:

```powershell
# Type names below resolve once Az.Resources is loaded
using namespace Microsoft.Azure.PowerShell.Cmdlets.Resources.Authorization.Models.Api20201001preview
using namespace Microsoft.Azure.PowerShell.Cmdlets.Resources.Authorization.Support

$approvers = @("user1@sbx.onmicrosoft.com", "user2@sbx.onmicrosoft.com")

Write-Host "Getting Role Management Policies:"

# $scopePimRoleAssignment, $contributorRoleDefinition and $resourceGroup are set earlier in the script (not shown)
$roleManagementPoliciesAssignments = Get-AzRoleManagementPolicyAssignment -Scope $scopePimRoleAssignment | Where-Object { $_.Name -like "$($contributorRoleDefinition.Id)" }

# PolicyId looks like /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Authorization/roleManagementPolicies/{guid};
# element 8 of the split is the policy guid the -Name parameter expects
$roleManagementPolicyId = ($roleManagementPoliciesAssignments.PolicyId -split "/")[8]

$approvalRule = [RoleManagementPolicyApprovalRule]@{
    id = "Approval_EndUser_Assignment";   # rule id that backs "Require approval to activate"
    ruleType = [RoleManagementPolicyRuleType]("RoleManagementPolicyApprovalRule");
    settingIsApprovalRequired = $true;
}

$rules = [IRoleManagementPolicyRule[]]@($approvalRule)

Update-AzRoleManagementPolicy -Scope $resourceGroup -Name $roleManagementPolicyId -Rule $rules
```

As I see it, the rule definition in the cmdlet Update-AzRoleManagementPolicy doesn't have "Approvers" in its settings. If we consider the MS Graph PowerShell command Update-MgPolicyRoleManagementPolicy from this page:

https://zcusa.951200.xyz/en-us/graph/api/unifiedrolemanagementpolicy-update?view=graph-rest-1.0&tabs=powershell#request

there is the possibility to set approvers. But with this solution I cannot get the policy ID for the Contributor role at resource group scope. As I understand it, the Graph cmdlet only provides the possibility to configure policies for PIM for Microsoft Entra ID roles and PIM for groups, not Azure resources. And it's difficult to convince the Entra ID administrators in our organisation to grant the "RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory" permissions to app registrations in order to use the MS Graph cmdlets.

So, the main question is: how do I set approvers in the Role Management Policy approval rule for the "Require approval to activate" option in PIM role settings from PowerShell using the Update-AzRoleManagementPolicy command? I would appreciate any assistance.


Accepted answer
  1. Givary-MSFT 34,521 Reputation points Microsoft Employee
    2024-12-13T16:10:24.52+00:00

    @Ruslan Rahozhkin I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: need to configure the "RoleManagementPolicyApprovalRule" rule for updating the role management policy at resource group scope for the Contributor role in PIM settings automatically from PowerShell code (the documentation links and the code in progress are in the question above).

    Resolution: Resolved by @Ruslan Rahozhkin by following the below steps

    I cannot grant the "RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory" permissions to app registrations to use the MS Graph cmdlets, as I mentioned in my post, because of organisation policy restrictions.

    In my case I set approvers by sending a PATCH API request.

    I followed these links: https://zcusa.951200.xyz/en-us/rest/api/authorization/privileged-role-policy-rest-sample#update-a-role-management-policy

    This example of the solution was useful for configuring the body of the request: https://github.com/thedevopsjedi/azure-pim/blob/main/PIMConfigureEligibleAzureResource.ps1#L452

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


2 additional answers

  1. Ruslan Rahozhkin 25 Reputation points
    2024-12-13T09:53:26.05+00:00

    Hi Marti,

    Thank you for your suggestion! It could work, but I cannot grant the "RoleManagementPolicy.ReadWrite.Directory, RoleManagement.ReadWrite.Directory" permissions to app registrations to use the MS Graph cmdlets, as I mentioned in my post, because of organisation policy restrictions.

    In my case I set approvers by sending a PATCH API request.

    I followed these links:
    https://zcusa.951200.xyz/en-us/rest/api/authorization/privileged-role-policy-rest-sample#update-a-role-management-policy

    This example of the solution was useful for configuring the body of the request:
    https://github.com/thedevopsjedi/azure-pim/blob/main/PIMConfigureEligibleAzureResource.ps1#L452

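The PATCH route Ruslan describes, written out as an added example (my code, not Ruslan's script and not the thedevopsjedi repository): it finds the policy that PIM assigned to Contributor at the resource group, turns the approver UPNs into Entra object IDs, and PATCHes only the Approval_EndUser_Assignment rule on the Microsoft.Authorization/roleManagementPolicies endpoint with Invoke-AzRestMethod, then reads the policy back to confirm the approvers landed. The subscription ID, resource group name and approver UPNs are placeholders, and filtering the policy assignment on RoleDefinitionId is my choice.

```powershell
# Added example, not from the original thread. Requires Az.Accounts and Az.Resources and
# an existing Connect-AzAccount session with rights to write role management policies at the scope.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-pim-demo"                            # placeholder
$approverUpns   = @("user1@sbx.onmicrosoft.com", "user2@sbx.onmicrosoft.com")  # placeholders
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$apiVersion     = "2020-10-01"

# Built-in Contributor role definition id (the GUID is the same in every tenant).
$contributorRoleId = (Get-AzRoleDefinition -Name "Contributor").Id

# 1. Locate the role management policy PIM attached to Contributor at this scope.
$policyAssignment = Get-AzRoleManagementPolicyAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionId -like "*/roleDefinitions/$contributorRoleId" }
if (-not $policyAssignment) { throw "No PIM policy assignment for Contributor at $scope" }
$policyId = $policyAssignment.PolicyId   # full ARM id ending in /roleManagementPolicies/{guid}

# 2. The API takes object ids, not UPNs, so resolve each approver first and fail loudly on a typo.
$primaryApprovers = foreach ($upn in $approverUpns) {
    $user = Get-AzADUser -UserPrincipalName $upn
    if (-not $user) { throw "Approver $upn not found in the tenant" }
    @{ id = $user.Id; description = $user.DisplayName; isBackup = $false; userType = "User" }
}

# 3. Approval rule: Approval_EndUser_Assignment is the rule behind "Require approval to activate"
#    (caller EndUser, level Assignment). Same shape as the REST sample Ruslan linked.
$approvalRule = @{
    id       = "Approval_EndUser_Assignment"
    ruleType = "RoleManagementPolicyApprovalRule"
    target   = @{
        caller              = "EndUser"
        operations          = @("All")
        level               = "Assignment"
        targetObjects       = $null
        inheritableSettings = $null
        enforcedSettings    = $null
    }
    setting  = @{
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = "SingleStage"
        approvalStages                   = @(
            @{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @($primaryApprovers)
                escalationApprovers             = $null
            }
        )
    }
}
$body = @{ properties = @{ rules = @($approvalRule) } } | ConvertTo-Json -Depth 10

# 4. PATCH sends only this rule; the policy's other rules stay as they are.
$response = Invoke-AzRestMethod -Method PATCH -Path "$policyId?api-version=$apiVersion" -Payload $body
if ($response.StatusCode -ne 200) {
    throw "PATCH failed: HTTP $($response.StatusCode) $($response.Content)"
}

# 5. Read the policy back and show who can now approve activations.
$policy = (Invoke-AzRestMethod -Method GET -Path "$policyId?api-version=$apiVersion").Content | ConvertFrom-Json
$rule   = $policy.properties.rules | Where-Object { $_.id -eq "Approval_EndUser_Assignment" }
$rule.setting.approvalStages[0].primaryApprovers | Select-Object id, description, isBackup, userType
```

The read-back in step 5 is the check worth keeping in any automation: a 200 on the PATCH proves the request was accepted, not that the approver list is what you intended, and an empty primaryApprovers array with isApprovalRequired set to true leaves eligible users unable to activate at all.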

  2. Marti Peig 610 Reputation points Microsoft Employee
    2024-12-09T13:23:36.16+00:00

    Hi Ruslan,

    Check "Update rules in PIM using Microsoft Graph". There you have the section "Example 3: Require approval to activate", which explains how to structure the params section to be used with Update-MgPolicyRoleManagementPolicyRule.

    I hope it helps.
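For completeness, the Graph route Marti points to, as an added example (my code, following the shape of the documented "Example 3", not copied from this page): it applies to a PIM policy for a Microsoft Entra ID role, not an Azure resource role, and needs the RoleManagementPolicy.ReadWrite.Directory permission Ruslan could not obtain. The role definition ID, the approver UPNs and the filter used to find the policy assignment are assumptions.

```powershell
# Added example, not from the original thread. Requires Microsoft.Graph.Identity.Governance
# and Microsoft.Graph.Users; the signed-in identity needs the scopes requested below.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "User.Read.All"

$roleDefinitionId = "00000000-0000-0000-0000-000000000000"   # placeholder: template id of the Entra role to configure
$approverUpns     = @("user1@sbx.onmicrosoft.com", "user2@sbx.onmicrosoft.com")  # placeholders

# 1. Find the policy assigned to this directory role at tenant scope ("/").
$assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleDefinitionId'"
if (-not $assignment) { throw "No policy assignment for role $roleDefinitionId" }
$policyId = $assignment.PolicyId

# 2. Graph's singleUser approver takes a userId, so resolve each UPN to an object id.
$primaryApprovers = foreach ($upn in $approverUpns) {
    $user = Get-MgUser -UserId $upn -Property Id
    @{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $user.Id }
}

# 3. Approval rule body in the shape of "Example 3: Require approval to activate".
$params = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    id     = "Approval_EndUser_Assignment"
    target = @{
        "@odata.type"       = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
        caller              = "EndUser"
        operations          = @("All")
        level               = "Assignment"
        inheritableSettings = @()
        enforcedSettings    = @()
    }
    setting = @{
        "@odata.type"                    = "microsoft.graph.approvalSettings"
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = "SingleStage"
        approvalStages                   = @(
            @{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @($primaryApprovers)
                escalationApprovers             = @()
            }
        )
    }
}

Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter $params

# 4. Verify. Properties of the derived rule type land in AdditionalProperties on the SDK object.
$rule = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment"
$rule.AdditionalProperties.setting.approvalStages[0].primaryApprovers
```

Note the difference from the Azure resource case in the thread: here the policy is looked up by roleDefinitionId and scopeType 'DirectoryRole' in the Graph policy assignment store, whereas an Azure resource role's policy lives under the ARM scope (subscription or resource group) and is only reachable through the Microsoft.Authorization API.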

