netr0m/az-pim-cli

Feature: List Groups available for activation

Closed this issue · 5 comments

az-pim-cli list now returns the list of Azure Resources it is possible to activate. I am missing the list of Groups that I am able to activate. Are you able to point me in a direction of where in the code this can be added?

Originally posted by @Trulsaa in #5 (comment)

@netr0m Seems like groups cannot be reached with the ARM API. You have to use the Graph API:

learn.microsoft.com/en-us/graph/api/resources/privilegedidentitymanagement-for-groups-api-overview?view=graph-rest-1.0

Thanks for the heads up @rodcloutier. I'll have a look at this next week.

x418 commented

Wanted to add a note that before I stumbled upon your repository, I gave this a try, i.e. using the Microsoft Graph API to list/activate PIM Entra Roles & PIM Groups.

Unfortunately, using the Graph API requires an app registration with a significant number of permissions (e.g. List eligibilityScheduleInstances) that require Admin Consent. In most cases, the documented least privileged permissions aren't enough. I eventually gave up. Perhaps you may have better luck.

Did some testing by issuing the same API requests as those made in the browser at portal.azure.com when listing eligible PIM Groups, but I was unable to retrieve a token with the necessary permissions when attempting to reproduce it with this software.

The only [relevant] difference between the token used in the browser and the token I acquired using the GetPIMAccessTokenAzureCLI function was the appid claim, which according to the docs may impact authorization:

The application ID of the client using the token. The application can act as itself or on behalf of a user. The application ID typically represents an application object, but it can also represent a service principal object in Microsoft Entra ID.
appid may be used in authorization decisions.

As of now, it seems that the only means of activating PIM groups with this tool is by copying the Bearer token issued to the browser, and passing that as the token used for calls by the az-pim-cli list / az-pim-cli activate commands (though this is not supported at this time). There is the option of the app registration, as @x418 mentioned, but this is not really a viable option IMO.

The code for listing groups has been pushed to a separate branch for future reference/experimenting, see https://github.com/netr0m/az-pim-cli/tree/feat/pim-groups-experiment
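Since the comments above boil down to "the token works or not depending on which client it was issued to and whether it is still valid", a small diagnostic helps before any request is sent. The following is an added example, not code from az-pim-cli or from any commenter: it takes a bearer token supplied by the user (the environment variable name AZ_PIM_GROUP_TOKEN is hypothetical), strips a copied "Bearer " prefix, decodes the JWT payload without verifying the signature (the resource server does that), and reports the appid, aud and exp claims so that a 401/403 can be explained up front. The demo token it builds when no variable is set is constructed and unsigned; the expected appid is a placeholder you would replace with the client ID you observe in a working session.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// TokenInfo holds the claims that decide whether a manually supplied token is
// worth sending at all: appid (issuing client), aud (target resource), exp.
type TokenInfo struct {
	AppID    string
	Audience string
	Expiry   time.Time
}

// NormalizeBearer strips whitespace and an optional "Bearer " prefix, which is
// what you get when copying an Authorization header value from browser dev tools.
func NormalizeBearer(s string) string {
	s = strings.TrimSpace(s)
	if len(s) > 7 && strings.EqualFold(s[:7], "Bearer ") {
		s = strings.TrimSpace(s[7:])
	}
	return s
}

// audience accepts the aud claim as either a string or an array of strings.
func audience(raw json.RawMessage) (string, error) {
	if len(raw) == 0 {
		return "", nil
	}
	var single string
	if err := json.Unmarshal(raw, &single); err == nil {
		return single, nil
	}
	var list []string
	if err := json.Unmarshal(raw, &list); err == nil {
		return strings.Join(list, ","), nil
	}
	return "", errors.New("aud claim is neither a string nor an array of strings")
}

// InspectToken decodes the JWT payload without verifying the signature; the
// client only needs to read the claims, verification is the server's job.
func InspectToken(raw string) (TokenInfo, error) {
	parts := strings.Split(NormalizeBearer(raw), ".")
	if len(parts) != 3 {
		return TokenInfo{}, errors.New("not a JWT: expected header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return TokenInfo{}, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		AppID string          `json:"appid"`
		Aud   json.RawMessage `json:"aud"`
		Exp   int64           `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return TokenInfo{}, fmt.Errorf("parse claims: %w", err)
	}
	aud, err := audience(claims.Aud)
	if err != nil {
		return TokenInfo{}, err
	}
	return TokenInfo{AppID: claims.AppID, Audience: aud, Expiry: time.Unix(claims.Exp, 0)}, nil
}

// CheckTokenUsable explains why a token should not be sent: it has expired, or
// it was issued to a different client than expected. Empty expectedAppID skips
// the appid comparison.
func CheckTokenUsable(info TokenInfo, expectedAppID string, now time.Time) error {
	if !now.Before(info.Expiry) {
		return fmt.Errorf("token expired at %s", info.Expiry.UTC().Format(time.RFC3339))
	}
	if expectedAppID != "" && !strings.EqualFold(info.AppID, expectedAppID) {
		return fmt.Errorf("token was issued to appid %q, expected %q", info.AppID, expectedAppID)
	}
	return nil
}

// MakeDemoToken builds a constructed, unsigned JWT for offline demonstration.
// It is not a real Entra ID token and any real endpoint would reject it.
func MakeDemoToken(appid, aud string, exp int64) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "none", "typ": "JWT"}
	payload := map[string]any{"appid": appid, "aud": aud, "exp": exp}
	return enc(header) + "." + enc(payload) + ".not-a-signature"
}

func main() {
	tok := os.Getenv("AZ_PIM_GROUP_TOKEN") // hypothetical variable name
	if tok == "" {                         // fall back to a constructed demo token
		tok = MakeDemoToken("00000000-0000-0000-0000-000000000001",
			"https://example.invalid", time.Now().Add(time.Hour).Unix())
	}
	info, err := InspectToken(tok)
	if err != nil {
		fmt.Println("cannot inspect token:", err)
		os.Exit(1)
	}
	fmt.Printf("appid=%s aud=%s exp=%s\n", info.AppID, info.Audience, info.Expiry.UTC().Format(time.RFC3339))
	if err := CheckTokenUsable(info, "", time.Now()); err != nil {
		fmt.Println("token not usable:", err)
		os.Exit(1)
	}
}
```

Running this against a token that returned 403 tells you immediately whether the failure is the appid mismatch discussed above or simply an expired token copied from an old session, without sending anything to Azure.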

Found an approach, however it is not exactly ideal. It requires that you manually retrieve the Bearer token from an authenticated browser session on portal.azure.com (which has the correct permissions to list and activate Entra groups). I've documented the necessary steps in the README in the branch https://github.com/netr0m/az-pim-cli/tree/feat/pim-groups. Would appreciate it if someone could have a look to see if they're able to follow the steps 😄

TLDR: New subcommand for activate and list, e.g. activate group [group name] / list group. Requires a token which must be manually provided due to special permissions (and old endpoints).