Comments on: Retrieving Azure AD (Entra ID) Privileged Identity Management Role Assignments
https://office365itpros.com/2023/07/12/privileged-identity-management-ps/?utm_source=rss&utm_medium=rss&utm_campaign=privileged-identity-management-ps
Mastering Office 365 and Microsoft 365, comment feed last updated Thu, 15 Aug 2024 13:11:01 +0000

By: Tony Redmond, Fri, 12 Apr 2024 20:04:03 +0000
https://office365itpros.com/2023/07/12/privileged-identity-management-ps/#comment-12154
In reply to Marcin R.

Is this something covered by Azure Resource Graph? https://learn.microsoft.com/en-us/azure/governance/resource-graph/overview

I have no idea because I have never worked with this code.

By: Marcin R., Fri, 12 Apr 2024 13:44:16 +0000
https://office365itpros.com/2023/07/12/privileged-identity-management-ps/#comment-12153

Hi Tony,

I know how to retrieve Entra ID roles using Graph, but I cannot retrieve Azure resource roles. I know it is possible via the AzureAD module but, as you know, it got deprecated. Seems like the ARM API is the way, as described here: https://learn.microsoft.com/en-us/rest/api/authorization/privileged-role-eligibility-rest-sample, but I am struggling to fetch this data. I am basically interested in pulling out all users with eligible roles per subscription. Any advice on this?

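An added example of the ARM route Marcin asks about (not code from the post, from Tony Redmond or from Marcin R.): it lists PIM eligible Azure resource role assignments for every enabled subscription through the roleEligibilitySchedules endpoint of the Authorization REST API, called with Invoke-AzRestMethod from the Az modules, and flattens each schedule into a report row. The response layout it relies on (properties.expandedProperties.principal and .roleDefinition) is assumed from the API documentation, the function names are the example's own, and the JSON at the end is a constructed sample used to exercise the flattener offline.

```powershell
# Added example, not code from the post or its commenters. Lists PIM *eligible*
# Azure resource role assignments for every enabled subscription through the ARM
# roleEligibilitySchedules endpoint (Authorization REST API, api-version 2020-10-01).
# Requires Az.Accounts/Az.Resources and a prior Connect-AzAccount. The response
# shape handled below (properties.expandedProperties.*) is assumed from the API
# documentation; verify it against one live response in your tenant.

function ConvertTo-EligibilityRow {
    # Flattens one roleEligibilitySchedule object into a reportable row.
    param(
        [Parameter(Mandatory)] $Schedule,
        [Parameter(Mandatory)] [string] $SubscriptionId
    )
    $p = $Schedule.properties
    [pscustomobject]@{
        SubscriptionId = $SubscriptionId
        Principal      = $p.expandedProperties.principal.displayName
        PrincipalUpn   = $p.expandedProperties.principal.email
        PrincipalType  = $p.principalType
        Role           = $p.expandedProperties.roleDefinition.displayName
        Scope          = $p.scope          # may be narrower than the subscription (resource group/resource)
        Status         = $p.status
        StartDate      = $p.startDateTime
        EndDate        = $p.endDateTime    # $null means permanent eligibility, worth reviewing
    }
}

function Get-PimEligibleAssignment {
    # Calls the endpoint once per subscription and follows nextLink paging.
    [CmdletBinding()]
    param(
        [string[]] $SubscriptionId = (Get-AzSubscription | Where-Object State -eq 'Enabled').Id
    )
    foreach ($sub in $SubscriptionId) {
        $path = "/subscriptions/$sub/providers/Microsoft.Authorization/roleEligibilitySchedules?api-version=2020-10-01"
        while ($path) {
            $response = Invoke-AzRestMethod -Method GET -Path $path
            if ($response.StatusCode -ne 200) {
                # A 403 here usually means the caller lacks Microsoft.Authorization/roleEligibilitySchedules/read on the subscription
                Write-Warning "Subscription ${sub}: HTTP $($response.StatusCode) $($response.Content)"
                break
            }
            $body = $response.Content | ConvertFrom-Json
            foreach ($schedule in $body.value) {
                ConvertTo-EligibilityRow -Schedule $schedule -SubscriptionId $sub
            }
            # nextLink is an absolute URL; Invoke-AzRestMethod -Path wants only the path and query.
            $path = if ($body.nextLink) { ([uri]$body.nextLink).PathAndQuery } else { $null }
        }
    }
}

# Constructed sample response (no real tenant data) to exercise the flattener offline.
$sampleSub = '00000000-0000-0000-0000-000000000001'
$sampleJson = @"
{
  "value": [
    {
      "id": "/subscriptions/$sampleSub/providers/Microsoft.Authorization/roleEligibilitySchedules/11111111-1111-1111-1111-111111111111",
      "properties": {
        "scope": "/subscriptions/$sampleSub",
        "principalId": "22222222-2222-2222-2222-222222222222",
        "principalType": "User",
        "status": "Provisioned",
        "startDateTime": "2024-01-15T08:00:00Z",
        "endDateTime": null,
        "expandedProperties": {
          "principal":      { "displayName": "Jane Example", "email": "jane@contoso.example", "type": "User" },
          "roleDefinition": { "displayName": "Owner", "type": "BuiltInRole" },
          "scope":          { "displayName": "Production", "type": "subscription" }
        }
      }
    }
  ]
}
"@
($sampleJson | ConvertFrom-Json).value |
    ForEach-Object { ConvertTo-EligibilityRow -Schedule $_ -SubscriptionId $sampleSub } |
    Format-Table Principal, Role, Scope, EndDate -AutoSize

# Live run (after Connect-AzAccount): every eligible assignment, permanent ones first.
# Get-PimEligibleAssignment | Sort-Object EndDate | Export-Csv .\PimEligible.csv -NoTypeInformation
```

The Scope column matters when reading the output: the subscription-level call returns schedules whose scope can be a resource group or a single resource, so an "Owner" row is not necessarily subscription-wide. Rows with an empty EndDate are permanent eligibility and are the first thing to review.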
By: Tony Redmond, Wed, 12 Jul 2023 17:45:53 +0000
https://office365itpros.com/2023/07/12/privileged-identity-management-ps/#comment-10830
In reply to Nuno Mota.

Or use Search-UnifiedAuditLog to detect when people are added to a role:

$records = Search-UnifiedAuditLog -StartDate 12-jul-2023 -EndDate 13-jul-2023 -Formatted -ResultSize 5000 -Operations "Add member to role"

By: Nuno Mota, Wed, 12 Jul 2023 13:40:23 +0000
https://office365itpros.com/2023/07/12/privileged-identity-management-ps/#comment-10826

Great article and script as always, thank you! I am doing something similar, although in a slightly different way, but I'm also monitoring the Azure AD logs for changes in assignments using Get-MgAuditLogDirectoryAudit (https://github.com/NunoFilipeMota/PublicScripts/blob/main/Monitor-PIMRoles.ps1). This is so we get alerted when someone is assigned a key PIM role, such as Exchange Admin or Global Admin for example. Just in case someone sneaky manages to get added to a role, does something, and then removes him/herself from that role, which a script monitoring the members wouldn't catch.

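An added example (not code from the post, from Tony Redmond or from Nuno Mota) that works the two comments above into detection logic: it takes "Add member to role" and "Remove member from role" records in the shape Search-UnifiedAuditLog returns, raises an alert for every addition to a watch-list of key roles, and, to catch the added-acted-removed sequence Nuno describes, pairs each addition with a removal of the same account from the same role inside a short window. The AuditData field layout (Operation, UserId, ObjectId, ModifiedProperties with Role.DisplayName) is an assumption modelled on Entra ID records in the unified audit log, the three records at the end are constructed, and the watch-list, window and function names are the example's own.

```powershell
# Added example, not code from the post or the commenters. Detection over
# Search-UnifiedAuditLog role-membership records: alert on additions to key roles
# and on memberships that are removed again shortly after being granted (the
# pattern a periodic snapshot of role members cannot see).
# Assumed record layout: CreationDate plus an AuditData JSON string carrying
# Operation, UserId (actor), ObjectId (member changed) and ModifiedProperties
# with a Role.DisplayName entry whose values are JSON-quoted strings.

$KeyRoles = @('Global Administrator', 'Exchange Administrator', 'Privileged Role Administrator')

function ConvertFrom-RoleAuditRecord {
    # Flattens one audit record into the few fields an alert needs; drops records
    # that are not role membership changes.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        $roleProp = $data.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName' | Select-Object -First 1
        if (-not $roleProp) { return }
        # Add puts the role in NewValue, Remove puts it in OldValue; both are wrapped in literal quotes.
        $role = @($roleProp.NewValue, $roleProp.OldValue |
            ForEach-Object { "$_".Trim('"') } | Where-Object { $_ })[0]
        [pscustomobject]@{
            When   = [datetime]$Record.CreationDate
            Action = if ($data.Operation -like 'Add member*') { 'Add' } else { 'Remove' }
            Role   = $role
            Target = $data.ObjectId   # account whose membership changed
            Actor  = $data.UserId     # account that made the change
        }
    }
}

function Find-SuspiciousRoleChange {
    # Emits KeyRoleAdded for any addition to a watched role, and ShortLivedMembership
    # for an Add followed by a Remove of the same target from the same role within
    # $WindowMinutes, noting when the removal was done by the added account itself.
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string[]] $WatchRoles = $KeyRoles,
        [int] $WindowMinutes = 120
    )
    $events = @($Records | ConvertFrom-RoleAuditRecord | Sort-Object When)
    foreach ($e in ($events | Where-Object { $_.Action -eq 'Add' -and $_.Role -in $WatchRoles })) {
        [pscustomobject]@{ Kind = 'KeyRoleAdded'; Role = $e.Role; Target = $e.Target; Actor = $e.Actor; When = $e.When; Detail = '' }
    }
    foreach ($g in ($events | Group-Object { "$($_.Target)|$($_.Role)" })) {
        $removes = @($g.Group | Where-Object Action -eq 'Remove')
        foreach ($a in @($g.Group | Where-Object Action -eq 'Add')) {
            $r = $removes | Where-Object { $_.When -gt $a.When -and ($_.When - $a.When).TotalMinutes -le $WindowMinutes } | Select-Object -First 1
            if ($r) {
                $self = if ($r.Actor -eq $a.Target) { ' (self-removal)' } else { '' }
                [pscustomobject]@{
                    Kind = 'ShortLivedMembership'; Role = $a.Role; Target = $a.Target; Actor = $a.Actor; When = $a.When
                    Detail = 'removed {0:N0} min later by {1}{2}' -f ($r.When - $a.When).TotalMinutes, $r.Actor, $self
                }
            }
        }
    }
}

# Constructed sample records (no real tenant data): a Global Administrator grant that
# the recipient removes again 25 minutes later, and an unremarkable Helpdesk change.
$sample = @(
    [pscustomobject]@{ CreationDate = '2023-07-12T09:00:00Z'; AuditData = '{"Operation":"Add member to role.","UserId":"compromised-admin@contoso.example","ObjectId":"mallory@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\"Global Administrator\"","OldValue":"\"\""}]}' }
    [pscustomobject]@{ CreationDate = '2023-07-12T09:25:00Z'; AuditData = '{"Operation":"Remove member from role.","UserId":"mallory@contoso.example","ObjectId":"mallory@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\"\"","OldValue":"\"Global Administrator\""}]}' }
    [pscustomobject]@{ CreationDate = '2023-07-12T11:00:00Z'; AuditData = '{"Operation":"Add member to role.","UserId":"admin@contoso.example","ObjectId":"helpdesk@contoso.example","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\"Helpdesk Administrator\"","OldValue":"\"\""}]}' }
)
Find-SuspiciousRoleChange -Records $sample | Format-Table Kind, Role, Target, Actor, When, Detail -AutoSize

# Live run (Exchange Online session): pull both operations so removals can be paired with additions.
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5000 -Operations 'Add member to role.','Remove member from role.'
# Find-SuspiciousRoleChange -Records $records
```

On the constructed sample the function produces two alerts, both for mallory@contoso.example: KeyRoleAdded for the Global Administrator grant and ShortLivedMembership with the self-removal note; the Helpdesk Administrator change produces none because it is neither on the watch-list nor reversed. Pulling the removal operation alongside the addition is the point: an export filtered to additions only, as in the comment above, can tell you who was added, but not that the membership was already gone by the time anyone looked.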