# AzureRoleEligibilityScheduleSettings

## Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| RoleDefinitionDisplayName | Key | String | Display name of the role definition being governed by this policy. | |
| ScopeId | Key | String | The scope of the role management policy. Supports subscriptions/{id}, subscriptions/{id}/resourceGroups/{name}, and providers/Microsoft.Management/managementGroups/{name} scopes. | |
| PolicyId | Write | String | Specifies the internal Policy Id. | |
| ActivationMaxDuration | Write | String | Activation maximum duration in hours, expressed as an ISO 8601 duration (e.g. PT4H). | |
| ActivationReqJustification | Write | Boolean | Require justification on activation (True/False). | |
| ActivationReqTicket | Write | Boolean | Require ticket information on activation (True/False). | |
| ActivationReqMFA | Write | Boolean | Require MFA on activation (True/False). | |
| ApprovaltoActivate | Write | Boolean | Require approval to activate (True/False). | |
| ActivateApprover | Write | StringArray[] | List of approvers by name. Provide the UserPrincipalName for users (e.g., 'john@contoso.com') or the DisplayName for groups (e.g., 'PIM Approvers'). The resource tries to resolve as a user first, then as a group. | |
| ActivationReqAuthContext | Write | Boolean | Require authentication context on activation (True/False). | |
| ActivationAuthContextId | Write | String | Authentication context claim value (Conditional Access policy id) for activation. | |
| PermanentEligibleAssignmentisExpirationRequired | Write | Boolean | Allow permanent eligible assignment (True/False). | |
| ExpireEligibleAssignment | Write | String | Expire eligible assignments after the given number of days, expressed as an ISO 8601 duration (e.g. P180D). | |
| PermanentActiveAssignmentisExpirationRequired | Write | Boolean | Allow permanent active assignment (True/False). | |
| ExpireActiveAssignment | Write | String | Expire active assignments after the given number of days, expressed as an ISO 8601 duration (e.g. P90D). | |
| AssignmentReqMFA | Write | Boolean | Require Azure Multi-Factor Authentication on active assignment (True/False). | |
| AssignmentReqJustification | Write | Boolean | Require justification on active assignment (True/False). | |
| EligibilityAssignmentReqMFA | Write | Boolean | Require Azure Multi-Factor Authentication on eligible assignment (True/False). | |
| EligibilityAssignmentReqJustification | Write | Boolean | Require justification on eligible assignment (True/False). | |
| EligibleAlertNotificationDefaultRecipient | Write | Boolean | Send notifications when members are assigned as eligible to this role: Role assignment alert, default recipient (True/False). | |
| EligibleAlertNotificationAdditionalRecipient | Write | StringArray[] | Send notifications when members are assigned as eligible to this role: Role assignment alert, additional recipient (UPN). | |
| EligibleAlertNotificationOnlyCritical | Write | Boolean | Send notifications when members are assigned as eligible to this role: Role assignment alert, only critical Email (True/False). | |
| EligibleAssigneeNotificationDefaultRecipient | Write | Boolean | Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee), default recipient (True/False). | |
| EligibleAssigneeNotificationAdditionalRecipient | Write | StringArray[] | Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee), additional recipient (UPN). | |
| EligibleAssigneeNotificationOnlyCritical | Write | Boolean | Send notifications when members are assigned as eligible to this role: Notification to the assigned user (assignee), only critical Email (True/False). | |
| EligibleApproveNotificationDefaultRecipient | Write | Boolean | Send notifications when members are assigned as eligible to this role: Request to approve a role assignment renewal/extension, default recipient (True/False). | |
| EligibleApproveNotificationAdditionalRecipient | Write | StringArray[] | Send notifications when members are assigned as eligible to this role: Request to approve a role assignment renewal/extension, additional recipient (UPN). | |
| EligibleApproveNotificationOnlyCritical | Write | Boolean | Send notifications when members are assigned as eligible to this role: Request to approve a role assignment renewal/extension, only critical Email (True/False). | |
| ActiveAlertNotificationDefaultRecipient | Write | Boolean | Send notifications when members are assigned as active to this role: Role assignment alert, default recipient (True/False). | |
| ActiveAlertNotificationAdditionalRecipient | Write | StringArray[] | Send notifications when members are assigned as active to this role: Role assignment alert, additional recipient (UPN). | |
| ActiveAlertNotificationOnlyCritical | Write | Boolean | Send notifications when members are assigned as active to this role: Role assignment alert, only critical Email (True/False). | |
| ActiveAssigneeNotificationDefaultRecipient | Write | Boolean | Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee), default recipient (True/False). | |
| ActiveAssigneeNotificationAdditionalRecipient | Write | StringArray[] | Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee), additional recipient (UPN). | |
| ActiveAssigneeNotificationOnlyCritical | Write | Boolean | Send notifications when members are assigned as active to this role: Notification to the assigned user (assignee), only critical Email (True/False). | |
| ActiveApproveNotificationDefaultRecipient | Write | Boolean | Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension, default recipient (True/False). | |
| ActiveApproveNotificationAdditionalRecipient | Write | StringArray[] | Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension, additional recipient (UPN). | |
| ActiveApproveNotificationOnlyCritical | Write | Boolean | Send notifications when members are assigned as active to this role: Request to approve a role assignment renewal/extension, only critical Email (True/False). | |
| ActivationAlertNotificationDefaultRecipient | Write | Boolean | Send notifications when eligible members activate this role: Role activation alert, default recipient (True/False). | |
| ActivationAlertNotificationAdditionalRecipient | Write | StringArray[] | Send notifications when eligible members activate this role: Role activation alert, additional recipient (UPN). | |
| ActivationAlertNotificationOnlyCritical | Write | Boolean | Send notifications when eligible members activate this role: Role activation alert, only critical Email (True/False). | |
| ActivationAssigneeNotificationDefaultRecipient | Write | Boolean | Send notifications when eligible members activate this role: Notification to activated user (requestor), default recipient (True/False). | |
| ActivationAssigneeNotificationAdditionalRecipient | Write | StringArray[] | Send notifications when eligible members activate this role: Notification to activated user (requestor), additional recipient (UPN). | |
| ActivationAssigneeNotificationOnlyCritical | Write | Boolean | Send notifications when eligible members activate this role: Notification to activated user (requestor), only critical Email (True/False). | |
| ActivationApproveNotificationDefaultRecipient | Write | Boolean | Send notifications when eligible members activate this role: Notification to approvers, default recipient (True/False). | |
| ActivationApproveNotificationAdditionalRecipient | Write | StringArray[] | Send notifications when eligible members activate this role: Notification to approvers, additional recipient (UPN). | |
| ActivationApproveNotificationOnlyCritical | Write | Boolean | Send notifications when eligible members activate this role: Notification to approvers, only critical Email (True/False). | |
| Credential | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. | |

## Description
Configures Azure PIM (Privileged Identity Management) role policy settings including activation duration, activation requirements (MFA, justification, ticketing), approval workflows, email notification settings for eligible/active assignments and activations, expiration settings for eligible and active assignments, and enablement requirements for Azure roles at Management Group, Subscription, and Resource Group scopes.
## Permissions

### Microsoft Graph

To authenticate with the Microsoft Graph API, this resource requires the following permissions:

#### Delegated permissions

- Read
    - User.Read.All, Group.Read.All
- Update
    - None

#### Application permissions

- Read
    - User.Read.All, Group.Read.All
- Update
    - None
## Examples

### Example 1
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AzureRoleEligibilityScheduleSettings "Owner-SubscriptionSettings"
        {
            RoleDefinitionDisplayName = "Owner"
            # Subscription-level scope; a placeholder subscription id is used here.
            ScopeId = "subscriptions/00000000-0000-0000-0000-000000000000"
            # ISO 8601 duration: activations last at most 4 hours.
            ActivationMaxDuration = "PT4H"
            ActivationReqJustification = $True
            ActivationReqTicket = $True
            ActivationReqMFA = $False
            # Approval is required, but this sample names no approvers.
            ApprovaltoActivate = $True
            ActivateApprover = @()
            # Assignment lifetimes, also as ISO 8601 durations (days).
            PermanentEligibleAssignmentisExpirationRequired = $True
            ExpireEligibleAssignment = "P180D"
            PermanentActiveAssignmentisExpirationRequired = $True
            ExpireActiveAssignment = "P90D"
            AssignmentReqMFA = $False
            AssignmentReqJustification = $True
            EligibilityAssignmentReqMFA = $False
            EligibilityAssignmentReqJustification = $False
            # Notifications for eligible assignments.
            EligibleAlertNotificationDefaultRecipient = $True
            EligibleAlertNotificationAdditionalRecipient = @("eligibility-admin@contoso.com")
            EligibleAlertNotificationOnlyCritical = $True
            EligibleAssigneeNotificationDefaultRecipient = $True
            EligibleAssigneeNotificationAdditionalRecipient = @()
            EligibleAssigneeNotificationOnlyCritical = $False
            EligibleApproveNotificationDefaultRecipient = $True
            EligibleApproveNotificationAdditionalRecipient = @()
            EligibleApproveNotificationOnlyCritical = $False
            # Notifications for active assignments.
            ActiveAlertNotificationDefaultRecipient = $True
            ActiveAlertNotificationAdditionalRecipient = @("assignment-admin@contoso.com")
            ActiveAlertNotificationOnlyCritical = $False
            ActiveAssigneeNotificationDefaultRecipient = $True
            ActiveAssigneeNotificationAdditionalRecipient = @()
            ActiveAssigneeNotificationOnlyCritical = $False
            ActiveApproveNotificationDefaultRecipient = $True
            ActiveApproveNotificationAdditionalRecipient = @()
            ActiveApproveNotificationOnlyCritical = $False
            # Notifications for activations by eligible members.
            ActivationAlertNotificationDefaultRecipient = $True
            ActivationAlertNotificationAdditionalRecipient = @("admin@contoso.com")
            ActivationAlertNotificationOnlyCritical = $False
            ActivationAssigneeNotificationDefaultRecipient = $True
            ActivationAssigneeNotificationAdditionalRecipient = @()
            ActivationAssigneeNotificationOnlyCritical = $False
            ActivationApproveNotificationDefaultRecipient = $True
            ActivationApproveNotificationAdditionalRecipient = @()
            ActivationApproveNotificationOnlyCritical = $False
            # Certificate-based app-only authentication.
            ApplicationId = $ApplicationId
            TenantId = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```
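Example 1 requires approval to activate but leaves ActivateApprover empty, and it lets the Owner role activate without MFA. The configuration below is an added illustration, not part of the Microsoft365DSC documentation, of the same resource with the activation, assignment and alerting settings tightened for a privileged role; the approver group 'PIM Approvers', the mailbox pim-alerts@contoso.com and the subscription id are hypothetical placeholders.

```powershell
Configuration HardenedOwnerPolicy
{
    param(
        [Parameter()] [System.String] $ApplicationId,
        [Parameter()] [System.String] $TenantId,
        [Parameter()] [System.String] $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AzureRoleEligibilityScheduleSettings "Owner-SubscriptionSettings-Hardened"
        {
            RoleDefinitionDisplayName = "Owner"
            # Hypothetical subscription id; replace with the governed subscription.
            ScopeId = "subscriptions/00000000-0000-0000-0000-000000000000"
            # Shorter activation window than Example 1 (PT4H).
            ActivationMaxDuration = "PT2H"
            ActivationReqJustification = $True
            ActivationReqTicket = $True
            # Example 1 lets Owner activate without MFA; require it here.
            ActivationReqMFA = $True
            # Approval with a named approver group (resolved by DisplayName).
            ApprovaltoActivate = $True
            ActivateApprover = @("PIM Approvers")
            # Expiration settings as in Example 1, with shorter lifetimes.
            PermanentEligibleAssignmentisExpirationRequired = $True
            ExpireEligibleAssignment = "P90D"
            PermanentActiveAssignmentisExpirationRequired = $True
            ExpireActiveAssignment = "P30D"
            AssignmentReqMFA = $True
            AssignmentReqJustification = $True
            EligibilityAssignmentReqMFA = $True
            EligibilityAssignmentReqJustification = $True
            # Route every eligibility and activation alert (not only critical ones)
            # to a monitored security mailbox in addition to the default recipients.
            EligibleAlertNotificationDefaultRecipient = $True
            EligibleAlertNotificationAdditionalRecipient = @("pim-alerts@contoso.com")
            EligibleAlertNotificationOnlyCritical = $False
            ActivationAlertNotificationDefaultRecipient = $True
            ActivationAlertNotificationAdditionalRecipient = @("pim-alerts@contoso.com")
            ActivationAlertNotificationOnlyCritical = $False
            ApplicationId = $ApplicationId
            TenantId = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```

Parameters not set here keep whatever the existing role management policy already has, so review the remaining notification settings before applying this to a scope.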