Reputation: 979
I am trying to script out the process of setting up Azure PIM. I have got the script below, but it doesn't work correctly, as the B2C doesn't work when tested.
Not sure where it's going wrong here, but I believe it's possible to automate the process, and that of assigning and configuring PIM on Azure Entra roles also.
```powershell
# Login to Azure
Connect-AzAccount
# Variables
$subscriptionId = "xxx"
$resourceGroupName = "my-rg"
$azureAdGroupName = "RG_OWNER_GROUP"
# Set the subscription context
Set-AzContext -SubscriptionId $subscriptionId
# Get the Resource Group
$resourceGroup = Get-AzResourceGroup -Name $resourceGroupName
if (-not $resourceGroup) {
    Write-Host "Resource group '$resourceGroupName' not found."
    exit
}
# Enable PIM for the role assignment
# Note: this step requires the AzureADPreview module (the AzureADMSPrivileged* cmdlets
# are not part of the plain AzureAD module) and the correct permissions to manage PIM.
# Install the AzureADPreview module if not already installed
if (-not (Get-Module -ListAvailable -Name AzureADPreview)) {
    Install-Module -Name AzureADPreview -Force -AllowClobber
}
# Connect to Azure AD
Connect-AzureAD
# Get the Azure AD group by exact display name (-SearchString is only a prefix match)
$azureAdGroup = Get-AzureADGroup -Filter "DisplayName eq '$azureAdGroupName'"
if (-not $azureAdGroup) {
    Write-Host "Azure AD Group '$azureAdGroupName' not found."
    exit
}
# Get the resource group ID
$resourceGroupId = $resourceGroup.ResourceId
# Get the role definition for the Owner role
$roleDefinition = Get-AzRoleDefinition -Name "Owner"
# Assign the role to the Azure AD group (this creates a permanent, active RBAC assignment)
New-AzRoleAssignment -ObjectId $azureAdGroup.ObjectId -RoleDefinitionName $roleDefinition.Name -Scope $resourceGroupId
# Get the PIM role settings for the resource group
$roleSettings = Get-AzureADMSPrivilegedRoleSetting -ProviderId "aadRoles" -ResourceId $resourceGroupId
if (-not $roleSettings) {
    Write-Host "No PIM role settings found for resource group '$resourceGroupName'."
    exit
}
# Find the PIM role setting for the Owner role (the role assigned above)
$roleSetting = $roleSettings | Where-Object { $_.DisplayName -eq "Owner" }
if (-not $roleSetting) {
    Write-Host "PIM role setting for 'Owner' role not found."
    exit
}
# Update the role setting to enable PIM
Set-AzureADMSPrivilegedRoleSetting -Id $roleSetting.Id -RoleMemberSettings @{ PermanentAssignment = $false; EligibleAssignment = $true; ApproverIdList = @($azureAdGroup.ObjectId) }
Write-Host "PIM configured for resource group '$resourceGroupName' and Azure AD group '$azureAdGroupName'."
```
Upvotes: 0
Views: 59
Reputation: 15674
To assign the Owner role to the Azure AD group at resource group scope, make use of the PowerShell script below:
```powershell
# Login to Azure
Connect-AzAccount
# Variables
$subscriptionId = "SubID"
$resourceGroupName = "Ruk"
$azureAdGroupName = "DemoGroup03"
$roleName = "Owner"
Set-AzContext -SubscriptionId $subscriptionId
# Get the Resource Group
$resourceGroup = Get-AzResourceGroup -Name $resourceGroupName
if (-not $resourceGroup) {
    Write-Host "Resource group '$resourceGroupName' not found."
    exit
}
# Install and import the AzureAD module (if not installed)
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Force -AllowClobber
}
# Connect to Azure AD
Connect-AzureAD
# Get the Azure AD group by exact display name (-SearchString is only a prefix match)
$azureAdGroup = Get-AzureADGroup -Filter "DisplayName eq '$azureAdGroupName'"
if (-not $azureAdGroup) {
    Write-Host "Azure AD Group '$azureAdGroupName' not found."
    exit
}
# Get the Resource Group ID
$resourceGroupId = $resourceGroup.ResourceId
# Get the Role Definition for the "Owner" role
$roleDefinition = Get-AzRoleDefinition -Name $roleName
# Assign the role to the Azure AD group at the resource group scope
New-AzRoleAssignment -ObjectId $azureAdGroup.ObjectId -RoleDefinitionName $roleDefinition.Name -Scope $resourceGroupId
```
The Owner role is assigned to the Azure AD group at resource group scope.
Note that PIM roles are different from IAM roles or Azure RBAC roles. Refer to this blog for PIM roles.
Upvotes: 0
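The difference the answer points at is that `New-AzRoleAssignment` creates a permanent, active RBAC assignment, whereas a PIM assignment is an *eligibility* created through a schedule request. The script below is an added example (not code from the question or the answer) that creates a time-bound Owner eligibility for a group at resource-group scope using only the Az module, then reads it back and warns if a standing active assignment also exists; the subscription ID, group and resource group names, and the 90-day eligibility duration are assumed placeholders.

```powershell
# Added example: PIM *eligible* assignment at resource-group scope via Az.Resources.
# Requires Az.Accounts and Az.Resources; the caller must be allowed to manage role
# eligibility at the scope (e.g. Owner or User Access Administrator).
Connect-AzAccount | Out-Null

$subscriptionId    = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroupName = "my-rg"                                   # assumed
$groupDisplayName  = "RG_OWNER_GROUP"                          # assumed
$roleName          = "Owner"
$eligibilityDays   = 90                                        # assumed, must fit the scope's PIM policy

Set-AzContext -SubscriptionId $subscriptionId | Out-Null
$scope = (Get-AzResourceGroup -Name $resourceGroupName).ResourceId

# Exact display-name match, so a prefix match cannot select the wrong group.
$group = Get-AzADGroup -DisplayName $groupDisplayName
if (-not $group) { throw "Group '$groupDisplayName' not found." }

# PIM expects the full ARM path of the role definition, not only its GUID.
$roleDef   = Get-AzRoleDefinition -Name $roleName
$roleDefId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# Eligible, not active: members must activate through PIM, and the eligibility
# itself expires instead of living forever.
$request = New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).ToString() `
    -Scope $scope `
    -PrincipalId $group.Id `
    -RoleDefinitionId $roleDefId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration "P${eligibilityDays}D" `
    -Justification "JIT $roleName eligibility for $groupDisplayName on $resourceGroupName"

# Verify that an eligibility schedule for this principal and role now exists at the scope.
$eligible = Get-AzRoleEligibilitySchedule -Scope $scope -Filter "atScope()" |
    Where-Object { $_.PrincipalId -eq $group.Id -and $_.RoleDefinitionId -eq $roleDefId }
if (-not $eligible) { throw "Eligibility was requested but is not visible at $scope." }

# A leftover permanent active assignment would defeat just-in-time access; flag it.
$active = Get-AzRoleAssignment -Scope $scope -ObjectId $group.Id -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $scope }
if ($active) { Write-Warning "Group also holds a permanent active $roleName assignment; remove it to enforce JIT." }

"Eligibility status: $($eligible.Status); ends $($eligible.EndDateTime)"
```

Approval requirements, activation duration and similar settings are not part of the assignment; they live in the role management policy at that scope (`Get-AzRoleManagementPolicy` / `Update-AzRoleManagementPolicy`), which this example does not change.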