
PIM active role assignments #232

Closed
neok-g opened this issue May 8, 2024 · 6 comments

Comments


neok-g commented May 8, 2024

AzGovViz version
6.4.5.

CodeRunPlatform
Azure DevOps

Describe the bug
I am examining the report 'Role assignment related entries' and specifically looking for active role assignments managed in PIM. They seem to be missing in this report.

The first scenario is a security group, ACL_PG_AzureCostManagement, which has 2 role assignments for the roles 'Cost Management Reader' and 'Billing Reader' on the tenant root group scope, managed in PIM (see the first screenshot). These are active PIM role assignments with both a start and an end date, since they are managed within PIM. In the second screenshot you see the output for these role assignments in the AzGovViz report. As you can see, the PIM-related columns are empty. For simplicity's sake I have hidden irrelevant columns.

The second scenario is some service principals that belong to managed identities created by Azure for some Azure policies with a remediation task (see screenshot 3). As you can see, these identities have an active role assignment with a permanent end date, since they are created by Azure Policy outside PIM.

Screenshots (images not included in this export)
Screenshot 1 - PIM - Active PIM role assignments, security group
Screenshot 2 - AzGovViz - Active PIM role assignments, security group
Screenshot 3 - PIM - Active role assignments, service principal
Screenshot 4 - AzGovViz - Role assignments, service principals


JulianHayward (Owner) commented

@neok-g can you check the createdBy/updatedBy columns for the role assignments in doubt? (*_roleAssignments.csv)

neok-g (Author) commented May 8, 2024

@JulianHayward Thanks for your response.

There is no updatedBy column, only createdOn and createdBy.

For the first scenario (group ACL_PG_AzureCostManagement) both columns are empty.

For the second scenario (service principals / managed identities) the createdOn column contains a datetime and createdBy contains ObjectType: SP APP INT.

JulianHayward (Owner) commented

Hmm, can you please verify for scenario 1:

# Fetch the classic (ARM) role assignment resource and dump its full JSON, including createdBy/createdOn.
$roleAssignmentId = "roleAssignmentIdGoesHere" # e.g. $roleAssignmentId = "/subscriptions/f8226644-2a08-4229-9ade-5e1e93e3dca3/providers/Microsoft.Authorization/RoleAssignments/b672efac-42bd-4377-908b-d573f81657e9"
$uri = "https://management.azure.com/$($roleAssignmentId)?api-version=2022-04-01"
$res = Invoke-AzRestMethod -Uri $uri -Method GET
($res.Content | ConvertFrom-Json) | ConvertTo-Json -Depth 99

Scenario 2 seems not to have been created by PIM (expected: ObjectType: SP APP EXT).

neok-g (Author) commented May 13, 2024

@JulianHayward The output for scenario 1 (role assignment cost management reader):

(screenshot of the JSON output, not included in this export)

But this API call is for a regular role assignment and it does not request any PIM details, correct? And this information seems to be missing in the report.
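Added example, not AzGovViz code and not from either commenter: the roleAssignments GET above returns only the classic assignment, while the PIM view (assignment type, start/end dates) lives on the roleAssignmentScheduleInstances ARM endpoint, which points back to the classic assignment through originRoleAssignmentId. The function below joins the two views at a scope so PIM-managed assignments can be told apart from ones created outside PIM; it assumes the Az.Accounts module and an existing Connect-AzAccount session with read access to the scope, and the management group id is a placeholder.

```powershell
# Added example, not part of AzGovViz. Assumes Az.Accounts is loaded and
# Connect-AzAccount has been run with read access to the scope.
function Get-PimManagedRoleAssignments {
    param([Parameter(Mandatory)][string]$Scope)  # e.g. "/providers/Microsoft.Management/managementGroups/<id>"

    # Small pager for ARM list endpoints: follows nextLink until exhausted.
    function Get-ArmList([string]$Uri) {
        $items = @()
        while ($Uri) {
            $res = Invoke-AzRestMethod -Uri $Uri -Method GET
            if ($res.StatusCode -ne 200) { throw "HTTP $($res.StatusCode): $($res.Content)" }
            $page = $res.Content | ConvertFrom-Json
            $items += $page.value
            $Uri = $page.nextLink
        }
        return $items
    }

    $base = "https://management.azure.com$Scope/providers/Microsoft.Authorization"

    # PIM view: each schedule instance carries assignmentType, start/end dates and the id of
    # the classic role assignment it materialises (originRoleAssignmentId).
    $instances = Get-ArmList "$base/roleAssignmentScheduleInstances?api-version=2020-10-01"
    $byOrigin = @{}
    foreach ($i in $instances) {
        if ($i.properties.originRoleAssignmentId) {
            $byOrigin[$i.properties.originRoleAssignmentId.ToLower()] = $i.properties
        }
    }

    # Classic view: the same resources *_roleAssignments.csv is built from. createdBy is only
    # a hint; the join on originRoleAssignmentId gives the PIM status directly.
    $assignments = Get-ArmList "$base/roleAssignments?api-version=2022-04-01"
    foreach ($a in $assignments) {
        $pim = $byOrigin[$a.id.ToLower()]
        [pscustomobject]@{
            RoleAssignmentId = $a.id
            PrincipalId      = $a.properties.principalId
            PrincipalType    = $a.properties.principalType
            RoleDefinitionId = $a.properties.roleDefinitionId
            CreatedBy        = $a.properties.createdBy
            PimManaged       = [bool]$pim
            AssignmentType   = $pim.assignmentType   # 'Assigned' (active) or 'Activated' (from eligible)
            StartDateTime    = $pim.startDateTime
            EndDateTime      = $pim.endDateTime      # $null means a permanent assignment
        }
    }
}

# Placeholder scope; lists only the assignments PIM knows about.
Get-PimManagedRoleAssignments -Scope "/providers/Microsoft.Management/managementGroups/<tenantRootGroupId>" | Where-Object PimManaged
```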

neok-g (Author) commented May 16, 2024

Could you give an update?

JulianHayward (Owner) commented

@neok-g unfortunately, currently I am not able to repro the issue. With regard to issue #217, I would not invest in troubleshooting this one further but keep it in the backlog as a test for the migration to the ARM APIs.
